agentdevsl/terraform-style-guide
docker/skills-cache/terraform-style-guide/SKILL.md
Generate Terraform HCL code following HashiCorp's official style conventions and best practices. Use when writing, reviewing, or generating Terraform configurations.
$ install --global
skillsauthnpx skillsauth add agentdevsl/agentpane terraform-style-guideInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 21, 2026, 12:54 PM53.4s1 file scanned
SKILL.md
- name:
- terraform-style-guide
- description:
- Generate Terraform HCL code following HashiCorp's official style conventions and best practices. Use when writing, reviewing, or generating Terraform configurations.
- source:
- image
Terraform Style Guide
Generate and maintain Terraform code following HashiCorp's official style conventions and best practices.
Reference: HashiCorp Terraform Style Guide
Code Generation Strategy
When generating Terraform module code:
- Start with version constraints and provider requirements in
versions.tf - Create data sources before dependent resources
- Build resources in dependency order with conditional creation (
countorfor_each) - Add outputs for key resource attributes, using
try()for conditional resources - Use variables for all configurable values with secure defaults
- Use
thisas the primary resource name for single instances - Prefer
for_eachovercountfor resource iteration (stable addresses) - Provider configuration belongs in
examples/, NOT the root module
File Organization
| File | Purpose |
|------|---------|
| versions.tf | Terraform and provider version constraints (required_version + required_providers) |
| main.tf | Primary resources and data sources |
| variables.tf | Input variable declarations (alphabetical) |
| outputs.tf | Output value declarations (alphabetical) |
| locals.tf | Local value declarations |
Example Structure
# versions.tf
terraform {
required_version = ">= 1.7"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
}
}
}
# variables.tf
variable "environment" {
description = "Target deployment environment"
type = string
validation {
condition = contains(["dev", "staging", "prod"], var.environment)
error_message = "Environment must be dev, staging, or prod."
}
}
# locals.tf
locals {
common_tags = {
Environment = var.environment
ManagedBy = "Terraform"
}
}
# main.tf
resource "aws_vpc" "main" {
cidr_block = var.vpc_cidr
enable_dns_hostnames = true
tags = merge(local.common_tags, {
Name = "${var.project_name}-${var.environment}-vpc"
})
}
# outputs.tf
output "vpc_id" {
description = "ID of the created VPC"
value = aws_vpc.main.id
}
Code Formatting
Block Organization
Arguments precede blocks, with meta-arguments first:
resource "aws_instance" "example" {
# Meta-arguments
count = 3
# Arguments
ami = "ami-0c55b159cbfafe1f0"
instance_type = "t2.micro"
# Blocks
root_block_device {
volume_size = 20
}
# Lifecycle last
lifecycle {
create_before_destroy = true
}
}
Variables
Every variable must include type and description:
variable "instance_type" {
description = "EC2 instance type for the web server"
type = string
default = "t2.micro"
validation {
condition = contains(["t2.micro", "t2.small", "t2.medium"], var.instance_type)
error_message = "Instance type must be t2.micro, t2.small, or t2.medium."
}
}
variable "database_password" {
description = "Password for the database admin user"
type = string
sensitive = true
}
Outputs
Every output must include description:
output "instance_id" {
description = "ID of the EC2 instance"
value = aws_instance.web.id
}
output "database_password" {
description = "Database administrator password"
value = aws_db_instance.main.password
sensitive = true
}
Dynamic Resource Creation
Prefer for_each over count
# Bad - count for multiple resources
resource "aws_instance" "web" {
count = var.instance_count
tags = { Name = "web-${count.index}" }
}
# Good - for_each with named instances
variable "instance_names" {
type = set(string)
default = ["web-1", "web-2", "web-3"]
}
resource "aws_instance" "web" {
for_each = var.instance_names
tags = { Name = each.key }
}
count for Conditional Creation
resource "aws_cloudwatch_metric_alarm" "cpu" {
count = var.enable_monitoring ? 1 : 0
alarm_name = "high-cpu-usage"
threshold = 80
}
Security Best Practices
Apply secure defaults per tf-security-baselines skill.
Version Pinning
terraform {
required_version = ">= 1.7"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0" # Minimum version supporting required features
}
}
}
Code Review Checklist
- [ ] Code formatted with
terraform fmt - [ ] Configuration validated with
terraform validate - [ ] Files organized according to standard structure
- [ ] All variables have type and description
- [ ] All outputs have descriptions
- [ ] Resource names use descriptive nouns with underscores
- [ ] Version constraints pinned explicitly
- [ ] Sensitive values marked with
sensitive = true - [ ] No hardcoded credentials or secrets
- [ ] Security best practices applied
Based on: HashiCorp Terraform Style Guide
Related Skills
agentdevsl/tf-security-baselines
development
VerifiedTrustedCommunity
AWS security assessment domains, risk rating framework, CIS/NIST reference baselines, and evidence-based finding format. Use when reviewing AWS security posture, assessing risk, or applying CIS/NIST baselines to Terraform configurations.
5SKILL.mdUpdated Apr 21, 2026
agentdevsl/docker/skills-cache/tf-runtask
testing
VerifiedTrustedCommunity
--- name: "tf-runtask" description: "Retrieve and display Terraform Cloud/Enterprise run task results for a given run. Use this skill whenever the user asks about run task results, run task checks, task stage statuses, or wants to inspect what run tasks reported for a Terraform Cloud/Enterprise run. Triggers on phrases like "check the run tasks", "what did the run tasks say", "show run task results", "get task results for run-xxx", or any reference to run task outcomes on a specific run." source
5SKILL.mdUpdated Apr 21, 2026
agentdevsl/tf-research
devops
VerifiedTrustedCommunity
Research strategies for AWS documentation, provider docs, and public registry patterns. Use when researching AWS services, investigating provider resources, or studying public registry modules for design patterns.
5SKILL.mdUpdated Apr 21, 2026
agentdevsl/tf-report-template
development
VerifiedTrustedCommunity
Validation results summary template for Phase 4 output. Provides the format for reporting terraform test, validate, fmt, tflint, pre-commit, trivy, and security checklist results.
5SKILL.mdUpdated Apr 21, 2026