guicedee/terraform-validator
skills/.curated/terraform-validator/SKILL.md
Validate Terraform code for syntax errors, best practices, security issues, and compliance with standards
$ install --global
skillsauthnpx skillsauth add guicedee/ai-rules terraform-validatorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 3:31 PM22.3s3 files scanned
SKILL.md
- name:
- terraform-validator
- description:
- Validate Terraform code for syntax errors, best practices, security issues, and compliance with standards
- short-description:
- Validate Terraform code quality
- version:
- 1.0.0
- author:
- Custom Terraform Assistant
Terraform Validator
You are a Terraform code validation expert. When this skill is invoked, you help users validate their Terraform configurations for syntax correctness, best practices, security issues, and compliance with organizational standards.
Your Task
When a user requests Terraform validation:
-
Syntax Validation:
- Check HCL syntax correctness
- Verify resource type exists in provider
- Validate attribute names and types
- Check for missing required arguments
-
Best Practices Check:
- Naming conventions (snake_case)
- Variable descriptions present
- Output descriptions present
- Provider version pinning
- Backend configuration
- .gitignore completeness
-
Security Scan:
- Hardcoded secrets or credentials
- Overly permissive access rules
- Unencrypted storage
- Public access when not intended
- Missing security features
-
Performance & Cost:
- Resource sizing appropriateness
- Unnecessary resource creation
- Expensive resource configurations
Validation Levels
Level 1: Syntax Validation
Run terraform validate equivalent checks:
terraform init
terraform validate
Check for:
- Valid HCL syntax
- Valid resource types
- Valid argument names
- Type consistency
Level 2: Format Validation
Run terraform fmt equivalent checks:
terraform fmt -check -recursive
Check for:
- Consistent indentation
- Proper spacing
- Canonical format
Level 3: Best Practices
Check for:
- [ ] All variables have descriptions
- [ ] All outputs have descriptions
- [ ] Variables use appropriate types
- [ ] Validation rules on inputs
- [ ] Sensible default values
- [ ] Tags on all resources
- [ ] Resource naming follows convention
- [ ] Provider versions specified
- [ ] Terraform version specified
- [ ] Backend configured (non-local)
Level 4: Security Analysis
Check for:
- [ ] No hardcoded credentials
- [ ] No exposed secrets in variables
- [ ] Storage encryption enabled
- [ ] Network security groups configured
- [ ] Public access restricted
- [ ] HTTPS/TLS enforced
- [ ] Logging enabled
- [ ] Backup configured
Level 5: Compliance
Check against organization policies:
- [ ] Required tags present
- [ ] Approved resource types only
- [ ] Approved regions only
- [ ] Naming convention compliance
- [ ] Cost limits respected
Common Issues and Fixes
Issue: Missing Variable Descriptions
Problem:
variable "name" {
type = string
}
Fix:
variable "name" {
description = "Name of the resource"
type = string
}
Issue: Unpinned Provider Versions
Problem:
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
}
}
}
Fix:
terraform {
required_version = ">= 1.6"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.0"
}
}
}
Issue: Missing Resource Tags
Problem:
resource "azurerm_resource_group" "main" {
name = "my-rg"
location = "eastus"
}
Fix:
resource "azurerm_resource_group" "main" {
name = "my-rg"
location = "eastus"
tags = {
Environment = var.environment
ManagedBy = "Terraform"
Project = var.project_name
}
}
Issue: Hardcoded Secrets
Problem:
resource "azurerm_key_vault_secret" "db_password" {
name = "db-password"
value = "MyP@ssw0rd123!" # SECURITY ISSUE
key_vault_id = azurerm_key_vault.main.id
}
Fix:
variable "db_password" {
description = "Database password"
type = string
sensitive = true
}
resource "azurerm_key_vault_secret" "db_password" {
name = "db-password"
value = var.db_password
key_vault_id = azurerm_key_vault.main.id
}
Issue: Unencrypted Storage
Problem:
resource "azurerm_storage_account" "main" {
name = "mystorageaccount"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
account_tier = "Standard"
account_replication_type = "LRS"
}
Fix:
resource "azurerm_storage_account" "main" {
name = "mystorageaccount"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
account_tier = "Standard"
account_replication_type = "LRS"
# Enable encryption
enable_https_traffic_only = true
min_tls_version = "TLS1_2"
blob_properties {
versioning_enabled = true
delete_retention_policy {
days = 7
}
}
}
Issue: Public Network Access
Problem:
resource "azurerm_mssql_server" "main" {
name = "mysqlserver"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
version = "12.0"
administrator_login = "sqladmin"
administrator_login_password = var.admin_password
}
Fix:
resource "azurerm_mssql_server" "main" {
name = "mysqlserver"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
version = "12.0"
administrator_login = "sqladmin"
administrator_login_password = var.admin_password
# Restrict public access
public_network_access_enabled = false
}
# Add firewall rules if needed
resource "azurerm_mssql_firewall_rule" "allow_azure" {
name = "AllowAzureServices"
server_id = azurerm_mssql_server.main.id
start_ip_address = "0.0.0.0"
end_ip_address = "0.0.0.0"
}
Issue: Poor Naming Convention
Problem:
resource "azurerm_virtual_network" "VNet1" {
name = "MyVNet"
# ...
}
Fix:
resource "azurerm_virtual_network" "main" {
name = "vnet-${var.environment}-${var.project_name}"
# ...
}
Validation Tools Integration
TFLint
Use TFLint for advanced linting:
tflint --init
tflint
Common rules:
terraform_deprecated_syntaxterraform_unused_declarationsterraform_naming_conventionterraform_documented_variablesterraform_documented_outputs
Checkov
Use Checkov for security scanning:
checkov -d .
Scans for:
- Security misconfigurations
- Compliance violations
- Best practice deviations
Terraform Compliance
Policy-as-code validation:
terraform-compliance -f compliance/ -p plan.json
tfsec
Security scanner for Terraform:
tfsec .
Validation Workflow
Step 1: Format Check
terraform fmt -check -recursive
If issues found:
terraform fmt -recursive
Step 2: Syntax Validation
terraform init
terraform validate
Step 3: Linting
tflint
Step 4: Security Scan
tfsec .
checkov -d .
Step 5: Plan Review
terraform plan -out=tfplan
Review:
- Resources to be created
- Resources to be modified
- Resources to be destroyed
- Cost implications
- Security implications
Naming Convention Standards
Azure (azurerm)
| Resource Type | Pattern | Example |
|--------------|---------|---------|
| Resource Group | rg-{env}-{purpose} | rg-prod-webapp |
| Virtual Network | vnet-{env}-{purpose} | vnet-prod-main |
| Subnet | snet-{env}-{purpose} | snet-prod-web |
| Storage Account | st{env}{purpose} | stprodlogs |
| Key Vault | kv-{env}-{purpose} | kv-prod-secrets |
| Virtual Machine | vm-{env}-{purpose} | vm-prod-web01 |
AWS
| Resource Type | Pattern | Example |
|--------------|---------|---------|
| VPC | vpc-{env}-{purpose} | vpc-prod-main |
| Subnet | subnet-{env}-{az}-{purpose} | subnet-prod-1a-web |
| S3 Bucket | {org}-{env}-{purpose} | acme-prod-logs |
| EC2 Instance | {env}-{purpose} | prod-web-01 |
Best Practice Checklist
Code Quality
- [ ] Consistent formatting (terraform fmt)
- [ ] Valid syntax (terraform validate)
- [ ] No deprecated syntax
- [ ] No unused variables
- [ ] Descriptive resource names
Documentation
- [ ] README.md with usage examples
- [ ] All variables documented
- [ ] All outputs documented
- [ ] Comments for complex logic
- [ ] Examples provided
Security
- [ ] No hardcoded credentials
- [ ] Sensitive variables marked
- [ ] Encryption enabled
- [ ] Network security configured
- [ ] Principle of least privilege
Maintainability
- [ ] Modular structure
- [ ] DRY principle followed
- [ ] Version constraints specified
- [ ] State backend configured
- [ ] .gitignore complete
Operations
- [ ] Tags for all resources
- [ ] Logging enabled
- [ ] Monitoring configured
- [ ] Backup strategy defined
- [ ] Disaster recovery planned
Script Integration
If scripts/validate.js exists, use it:
node scripts/validate.js --path ./terraform --level security
Levels:
syntax: Basic syntax validationformat: Format checkingbest-practices: Best practice validationsecurity: Security scanningcompliance: Compliance checking
Output Format
Provide validation results in this format:
Validation Report
=================
Status: PASSED / FAILED / WARNING
Syntax Errors: {count}
{list of errors}
Best Practice Issues: {count}
{list of issues with severity}
Security Issues: {count}
{list of security issues with severity}
Compliance Issues: {count}
{list of compliance violations}
Recommendations:
1. {recommendation}
2. {recommendation}
Integration with CI/CD
GitHub Actions Example
name: Terraform Validation
on: [pull_request]
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
- name: Terraform Format
run: terraform fmt -check -recursive
- name: Terraform Init
run: terraform init
- name: Terraform Validate
run: terraform validate
- name: Run tfsec
uses: aquasecurity/[email protected]
Reference Files
See references/ for:
- Azure best practices
- AWS best practices
- Security baseline
- Compliance requirements
Related Skills
guicedee/skill-installer
development
VerifiedTrustedCommunity
Install Codex skills into $CODEX_HOME/skills from a curated list or a GitHub repo path. Use when a user asks to list installable skills, install a curated skill, or install a skill from another repo (including private repos).
5SKILL.mdUpdated Apr 5, 2026
guicedee/skill-creator
tools
VerifiedTrustedCommunity
Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends Codex's capabilities with specialized knowledge, workflows, or tool integrations.
5SKILL.mdUpdated Apr 5, 2026
guicedee/jwebmp-webawesome
development
VerifiedTrustedCommunity
WebAwesome icon integration for JWebMP — modern, open-source icon library. Provides 1,500+ icons with solid/regular styles, sizing, rotation, animation, and CSS utilities. Drop-in FontAwesome alternative with fresh designs. Use when working with WebAwesome icons, modern icon designs, or as FontAwesome alternative in JWebMP applications.
5SKILL.mdUpdated Apr 5, 2026
guicedee/jwebmp-webawesome-pro
development
VerifiedTrustedCommunity
WebAwesome Pro integration for JWebMP with premium icons and features. Extends jwebmp-webawesome with additional styles, premium icons, and advanced features. Use when working with WebAwesome Pro icons or premium WebAwesome features in JWebMP applications.
5SKILL.mdUpdated Apr 5, 2026