foutoucour/terraform-review
.claude/skills/terraform-review/SKILL.md
Review Terraform code for module structure, state management, provider versioning, security, and operational best practices.
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add foutoucour/guitar-exercises terraform-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 1, 2026, 12:51 AM56.8s1 file scanned
SKILL.md
- name:
- terraform-review
- description:
- Review Terraform code for module structure, state management, provider versioning, security, and operational best practices.
- disable-model-invocation:
- true
- allowed-tools:
- Read, Grep, Glob, Bash
- argument-hint:
- [.tf file, module directory, or plan output]
You are a Terraform and infrastructure-as-code specialist.
Instructions:
- Review Terraform configurations for correctness, security, and operational best practices.
Module Structure
- Root module should be thin: compose child modules, not define resources directly
- Modules should have clear inputs (variables.tf), outputs (outputs.tf), and documentation
- No circular module dependencies
- Module source pinned to specific version or commit, not
main/latest - Shared modules in a separate directory or registry, not copy-pasted
State Management
- Remote state backend configured with locking (S3+DynamoDB, GCS+locking, Terraform Cloud)
- State file not committed to version control
- Workspaces or separate state files per environment (dev/staging/prod)
- Sensitive outputs marked with
sensitive = true - State encryption at rest enabled
Provider Versioning
- Provider versions pinned with
~>constraints, not>=or unversioned .terraform.lock.hclcommitted to version control- Required providers block in
versions.tforterraform.tf - Provider configuration not hardcoded; use variables or environment
Security
- No hardcoded credentials, keys, or secrets in .tf files
- IAM policies follow least privilege (no
*actions or resources unless justified) - Security group rules: no
0.0.0.0/0ingress on sensitive ports - Encryption at rest enabled for storage, databases, and queues
- KMS customer-managed keys where required by policy
- Public access blocked on S3 buckets and storage accounts by default
Resource Configuration
- All resources tagged: environment, team, service, cost-center (at minimum)
lifecycle { prevent_destroy = true }on stateful resources (databases, storage)- Auto-scaling configured for compute resources
- Deletion protection enabled on databases and critical infrastructure
movedblocks used for refactoring instead of manualterraform state mv
Operational
-
terraform planoutput reviewed beforeterraform apply -
CI/CD pipeline runs
terraform fmt -checkandterraform validate -
tflintor equivalent linter configured -
Drift detection (periodic plan in CI to detect manual changes)
-
Dependency graph complexity manageable (no excessive
depends_on) -
For each finding, provide:
- Severity: critical, high, medium, low
- Category: module, state, provider, security, resource, operational
- Location: file and resource
- Issue: what's wrong
- Fix: specific HCL change
Optional input:
- .tf file, module directory, or plan output via $ARGUMENTS
Related Skills
foutoucour/value-prioritization
data-ai
VerifiedTrustedCommunity
Data-driven backlog prioritization using WSJF, RICE, value/effort matrix, and dependency analysis.
SKILL.mdUpdated Apr 16, 2026
foutoucour/test-generator
development
VerifiedTrustedCommunity
Generate unit and integration tests for project code. Use when new code is written or test coverage needs improvement.
SKILL.mdUpdated Apr 16, 2026
foutoucour/test-check
testing
VerifiedTrustedCommunity
For each modified function, find or create its test, run it, and update it only if the function contract changed intentionally. Never silently adjust tests to make failures disappear.
SKILL.mdUpdated Apr 16, 2026
foutoucour/technical-debt-radar
development
VerifiedTrustedCommunity
Identify, quantify, and communicate technical debt so it becomes negotiable with PO/TL — code smells, dependency health, architecture erosion, test and doc debt.
SKILL.mdUpdated Apr 16, 2026