terraform-best-practices
Terraform infrastructure-as-code best practices for scalable and maintainable cloud infrastructure. Use when writing Terraform modules, managing infrastructure state, or implementing infrastructure automation at scale.
$ Installieren
git clone https://github.com/NickCrew/claude-cortex /tmp/claude-cortex && cp -r /tmp/claude-cortex/skills/terraform-best-practices ~/.claude/skills/claude-cortex// tip: Run this command in your terminal to install the skill
SKILL.md
name: terraform-best-practices description: Terraform infrastructure-as-code best practices for scalable and maintainable cloud infrastructure. Use when writing Terraform modules, managing infrastructure state, or implementing infrastructure automation at scale.
Terraform Best Practices
Expert guidance for building production-grade Terraform infrastructure with enterprise patterns for module design, state management, security, testing, and multi-environment deployments.
When to Use This Skill
- Writing reusable Terraform modules for teams or organizations
- Setting up secure remote state management and backend configuration
- Designing multi-environment infrastructure (dev/staging/prod)
- Implementing infrastructure CI/CD pipelines with automated validation
- Managing infrastructure at scale across multiple teams or projects
- Migrating from manual infrastructure to infrastructure-as-code
- Refactoring existing Terraform for better maintainability
- Implementing security best practices for infrastructure code
Core Concepts
Module Design Philosophy
- Composition over monoliths: Break infrastructure into reusable child modules
- Standard structure: main.tf, variables.tf, outputs.tf, versions.tf, README.md
- Type constraints: Use validation blocks and complex types for safety
- Dynamic blocks: Enable flexible configuration without duplication
State Management Principles
- Remote backends: S3+DynamoDB or Terraform Cloud for team collaboration
- State encryption: KMS encryption at rest and in transit (mandatory)
- State locking: Prevent concurrent modifications with DynamoDB
- Workspace strategy: Directory-based for production, workspaces for similar envs
Security Fundamentals
- Secret management: AWS Secrets Manager, HashiCorp Vault (never hardcode)
- Least privilege: Separate IAM roles per environment
- Security scanning: tfsec, Checkov, Terrascan in CI/CD
- Resource tagging: Enable cost tracking, ownership, compliance
Testing & Validation
- Pre-commit hooks: Format, validate, lint before commits
- Plan review: Always save and review plans before apply
- Automated testing: Terratest for critical infrastructure modules
- Policy as code: OPA/Sentinel for compliance enforcement
Quick Reference
| Task | Load reference |
|---|---|
| Module structure, variables, outputs, dynamic blocks | skills/terraform-best-practices/references/module-design.md |
| Remote backends, state encryption, workspace strategies | skills/terraform-best-practices/references/state-management.md |
| Variable precedence, tfvars, Terragrunt DRY config | skills/terraform-best-practices/references/environment-management.md |
| Secrets, IAM, scanning tools, resource tagging | skills/terraform-best-practices/references/security.md |
| Pre-commit hooks, Terratest, policy as code | skills/terraform-best-practices/references/testing-validation.md |
| Comprehensive checklist for all areas | skills/terraform-best-practices/references/best-practices-summary.md |
Workflow
1. Project Setup
# Initialize directory structure
mkdir -p {modules,environments/{dev,staging,prod}}
# Set up remote backend (bootstrap S3 + DynamoDB first)
# Configure backend.tf with encryption and locking
2. Module Development
# Create module with standard structure
cd modules/my-module
touch main.tf variables.tf outputs.tf versions.tf README.md
# Add validation to variables
# Use complex types for structured inputs
# Document outputs with descriptions
3. Security Hardening
# Mark sensitive variables
# Use secret management for credentials
# Configure state encryption
# Set up security scanning in CI/CD
4. Testing Pipeline
# Install pre-commit hooks
pre-commit install
# Run validation locally
terraform init
terraform validate
terraform fmt -check
# Security scanning
tfsec .
checkov -d .
# Automated tests (critical modules)
cd tests && go test -v
5. Deployment Process
# Plan with output file
terraform plan -out=tfplan
# Review plan thoroughly
terraform show tfplan
# Apply only after approval
terraform apply tfplan
# Verify deployment
terraform output
6. Multi-Environment Management
# Use directory-based isolation for production
cd environments/prod
terraform init
terraform workspace list
# Or use Terragrunt for DRY backend config
terragrunt plan
Common Mistakes
â Hardcoding secrets in code â Use secret management services â No state locking â Enable DynamoDB locking to prevent conflicts â Skipping plan review â Always save and review execution plans â No version constraints â Pin provider and module versions â Local state in teams â Use remote backends for collaboration â No security scanning â Integrate tfsec/Checkov in CI/CD â Missing resource tags â Tag all resources for cost/ownership tracking â No automated testing â Write Terratest for critical modules â Monolithic modules â Break into composable child modules â No backup strategy â Enable S3 versioning on state buckets
Resources
- Official Docs: https://developer.hashicorp.com/terraform/docs
- Style Guide: https://developer.hashicorp.com/terraform/language/syntax/style
- Module Registry: https://registry.terraform.io/
- Terragrunt: https://terragrunt.gruntwork.io/
- Terratest: https://terratest.gruntwork.io/
- tfsec: https://aquasecurity.github.io/tfsec/
- Checkov: https://www.checkov.io/
- Best Practices: https://www.terraform-best-practices.com/
- AWS Provider: https://registry.terraform.io/providers/hashicorp/aws/latest/docs
Repository
NickCrew
Author
NickCrew/claude-cortex/skills/terraform-best-practices
4
Stars
2
Forks
Updated2d ago
Added6d ago