adrien-barret/terraform-review
project-template/.claude/skills/terraform-review/SKILL.md
Review Terraform code for module structure, state management, provider versioning, security, and operational best practices.
$ install --global
skillsauthnpx skillsauth add adrien-barret/claude-kit terraform-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 1, 2026, 12:51 AM56.8s1 file scanned
SKILL.md
- name:
- terraform-review
- description:
- Review Terraform code for module structure, state management, provider versioning, security, and operational best practices.
- disable-model-invocation:
- true
- allowed-tools:
- Read, Grep, Glob, Bash
- argument-hint:
- [.tf file, module directory, or plan output]
You are a Terraform and infrastructure-as-code specialist.
Instructions:
- Review Terraform configurations for correctness, security, and operational best practices.
Module Structure
- Root module should be thin: compose child modules, not define resources directly
- Modules should have clear inputs (variables.tf), outputs (outputs.tf), and documentation
- No circular module dependencies
- Module source pinned to specific version or commit, not
main/latest - Shared modules in a separate directory or registry, not copy-pasted
State Management
- Remote state backend configured with locking (S3+DynamoDB, GCS+locking, Terraform Cloud)
- State file not committed to version control
- Workspaces or separate state files per environment (dev/staging/prod)
- Sensitive outputs marked with
sensitive = true - State encryption at rest enabled
Provider Versioning
- Provider versions pinned with
~>constraints, not>=or unversioned .terraform.lock.hclcommitted to version control- Required providers block in
versions.tforterraform.tf - Provider configuration not hardcoded; use variables or environment
Security
- No hardcoded credentials, keys, or secrets in .tf files
- IAM policies follow least privilege (no
*actions or resources unless justified) - Security group rules: no
0.0.0.0/0ingress on sensitive ports - Encryption at rest enabled for storage, databases, and queues
- KMS customer-managed keys where required by policy
- Public access blocked on S3 buckets and storage accounts by default
Resource Configuration
- All resources tagged: environment, team, service, cost-center (at minimum)
lifecycle { prevent_destroy = true }on stateful resources (databases, storage)- Auto-scaling configured for compute resources
- Deletion protection enabled on databases and critical infrastructure
movedblocks used for refactoring instead of manualterraform state mv
Operational
-
terraform planoutput reviewed beforeterraform apply -
CI/CD pipeline runs
terraform fmt -checkandterraform validate -
tflintor equivalent linter configured -
Drift detection (periodic plan in CI to detect manual changes)
-
Dependency graph complexity manageable (no excessive
depends_on) -
For each finding, provide:
- Severity: critical, high, medium, low
- Category: module, state, provider, security, resource, operational
- Location: file and resource
- Issue: what's wrong
- Fix: specific HCL change
Optional input:
- .tf file, module directory, or plan output via $ARGUMENTS
Related Skills
adrien-barret/value-prioritization
data-ai
VerifiedTrustedCommunity
Data-driven backlog prioritization using WSJF, RICE, value/effort matrix, and dependency analysis.
7SKILL.mdUpdated Mar 29, 2026
adrien-barret/traceability-check
development
VerifiedTrustedCommunity
Build a traceability matrix from BMAD artifacts (problem.md, backlog.md, user-journey.md). Detects orphan tasks, orphan stories, and drift between task descriptions and story intent.
7SKILL.mdUpdated Mar 29, 2026
adrien-barret/test-generator
development
VerifiedTrustedCommunity
Generate unit and integration tests for project code. Use when new code is written or test coverage needs improvement.
7SKILL.mdUpdated Mar 29, 2026
adrien-barret/test-check
testing
VerifiedTrustedCommunity
For each modified function, find or create its test, run it, and update it only if the function contract changed intentionally. Never silently adjust tests to make failures disappear.
7SKILL.mdUpdated Mar 29, 2026