nickcrew/terraform-best-practices
skills/terraform-best-practices/SKILL.md
Terraform infrastructure-as-code best practices for scalable and maintainable cloud infrastructure. Use when writing Terraform modules, managing infrastructure state, or implementing infrastructure automation at scale.
$ install --global
skillsauthnpx skillsauth add nickcrew/claude-ctx-plugin terraform-best-practicesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 12:07 PM9.2s7 files scanned
SKILL.md
- name:
- terraform-best-practices
- description:
- Terraform infrastructure-as-code best practices for scalable and maintainable cloud infrastructure. Use when writing Terraform modules, managing infrastructure state, or implementing infrastructure automation at scale.
Terraform Best Practices
Expert guidance for building production-grade Terraform infrastructure with enterprise patterns for module design, state management, security, testing, and multi-environment deployments.
When to Use This Skill
- Writing reusable Terraform modules for teams or organizations
- Setting up secure remote state management and backend configuration
- Designing multi-environment infrastructure (dev/staging/prod)
- Implementing infrastructure CI/CD pipelines with automated validation
- Managing infrastructure at scale across multiple teams or projects
- Migrating from manual infrastructure to infrastructure-as-code
- Refactoring existing Terraform for better maintainability
- Implementing security best practices for infrastructure code
Core Concepts
Module Design Philosophy
- Composition over monoliths: Break infrastructure into reusable child modules
- Standard structure: main.tf, variables.tf, outputs.tf, versions.tf, README.md
- Type constraints: Use validation blocks and complex types for safety
- Dynamic blocks: Enable flexible configuration without duplication
State Management Principles
- Remote backends: S3+DynamoDB or Terraform Cloud for team collaboration
- State encryption: KMS encryption at rest and in transit (mandatory)
- State locking: Prevent concurrent modifications with DynamoDB
- Workspace strategy: Directory-based for production, workspaces for similar envs
Security Fundamentals
- Secret management: AWS Secrets Manager, HashiCorp Vault (never hardcode)
- Least privilege: Separate IAM roles per environment
- Security scanning: tfsec, Checkov, Terrascan in CI/CD
- Resource tagging: Enable cost tracking, ownership, compliance
Testing & Validation
- Pre-commit hooks: Format, validate, lint before commits
- Plan review: Always save and review plans before apply
- Automated testing: Terratest for critical infrastructure modules
- Policy as code: OPA/Sentinel for compliance enforcement
Quick Reference
| Task | Load reference |
| --- | --- |
| Module structure, variables, outputs, dynamic blocks | skills/terraform-best-practices/references/module-design.md |
| Remote backends, state encryption, workspace strategies | skills/terraform-best-practices/references/state-management.md |
| Variable precedence, tfvars, Terragrunt DRY config | skills/terraform-best-practices/references/environment-management.md |
| Secrets, IAM, scanning tools, resource tagging | skills/terraform-best-practices/references/security.md |
| Pre-commit hooks, Terratest, policy as code | skills/terraform-best-practices/references/testing-validation.md |
| Comprehensive checklist for all areas | skills/terraform-best-practices/references/best-practices-summary.md |
Workflow
1. Project Setup
# Initialize directory structure
mkdir -p {modules,environments/{dev,staging,prod}}
# Set up remote backend (bootstrap S3 + DynamoDB first)
# Configure backend.tf with encryption and locking
2. Module Development
# Create module with standard structure
cd modules/my-module
touch main.tf variables.tf outputs.tf versions.tf README.md
# Add validation to variables
# Use complex types for structured inputs
# Document outputs with descriptions
3. Security Hardening
# Mark sensitive variables
# Use secret management for credentials
# Configure state encryption
# Set up security scanning in CI/CD
4. Testing Pipeline
# Install pre-commit hooks
pre-commit install
# Run validation locally
terraform init
terraform validate
terraform fmt -check
# Security scanning
tfsec .
checkov -d .
# Automated tests (critical modules)
cd tests && go test -v
5. Deployment Process
# Plan with output file
terraform plan -out=tfplan
# Review plan thoroughly
terraform show tfplan
# Apply only after approval
terraform apply tfplan
# Verify deployment
terraform output
6. Multi-Environment Management
# Use directory-based isolation for production
cd environments/prod
terraform init
terraform workspace list
# Or use Terragrunt for DRY backend config
terragrunt plan
Common Mistakes
❌ Hardcoding secrets in code → Use secret management services ❌ No state locking → Enable DynamoDB locking to prevent conflicts ❌ Skipping plan review → Always save and review execution plans ❌ No version constraints → Pin provider and module versions ❌ Local state in teams → Use remote backends for collaboration ❌ No security scanning → Integrate tfsec/Checkov in CI/CD ❌ Missing resource tags → Tag all resources for cost/ownership tracking ❌ No automated testing → Write Terratest for critical modules ❌ Monolithic modules → Break into composable child modules ❌ No backup strategy → Enable S3 versioning on state buckets
Resources
- Official Docs: https://developer.hashicorp.com/terraform/docs
- Style Guide: https://developer.hashicorp.com/terraform/language/syntax/style
- Module Registry: https://registry.terraform.io/
- Terragrunt: https://terragrunt.gruntwork.io/
- Terratest: https://terratest.gruntwork.io/
- tfsec: https://aquasecurity.github.io/tfsec/
- Checkov: https://www.checkov.io/
- Best Practices: https://www.terraform-best-practices.com/
- AWS Provider: https://registry.terraform.io/providers/hashicorp/aws/latest/docs
Related Skills
nickcrew/writing-skills
testing
VerifiedTrustedCommunity
Use when creating new skills, editing existing skills, or verifying skills work before deployment - applies TDD to process documentation by testing with subagents before writing, iterating until bulletproof against rationalization
15SKILL.mdUpdated Apr 15, 2026
nickcrew/workflow-security-audit
testing
VerifiedTrustedCommunity
Comprehensive security assessment and remediation. Use for security reviews, compliance checks, vulnerability assessments.
15SKILL.mdUpdated Apr 15, 2026
nickcrew/workflow-performance
research
VerifiedTrustedCommunity
Systematic performance analysis and optimization. Use when things are slow, need optimization, or preparing for scale.
15SKILL.mdUpdated Apr 15, 2026
nickcrew/workflow-feature
development
VerifiedTrustedCommunity
Complete feature development workflow from design to deployment. Use when implementing new features or functionality.
15SKILL.mdUpdated Apr 15, 2026