
This skill helps you implement Terraform workflows with safe plan/apply, state management, and CI guardrails for reliable infrastructure.

npx playbooks add skill bobmatnyc/claude-mpm-skills --skill terraform

SKILL.md
---
name: terraform
description: "Terraform infrastructure-as-code workflow patterns: state and environments, module design, safe plan/apply, drift control, and CI guardrails"
version: 1.0.0
category: universal
author: Claude MPM Team
license: MIT
progressive_disclosure:
  entry_point:
    summary: "Manage infrastructure safely with Terraform: remote state, reproducible plans, reviewable changes, and guardrails"
    when_to_use: "When provisioning cloud or platform resources, standardizing environments, or building safe IaC workflows"
    quick_start: "1. Pin versions 2. terraform init/fmt/validate 3. Plan in CI 4. Review + approve 5. Apply with locking"
  token_estimate:
    entry: 140
    full: 8000
context_limit: 900
tags:
  - terraform
  - iac
  - infrastructure
  - provisioning
  - ci
  - state
requires_tools:
  - terraform
---

# Terraform

## Quick Start (workflow)

```bash
terraform init
terraform plan -out=tfplan
terraform apply tfplan
```

## Safety Checklist

- State: remote backend + locking; separate state per environment
- Reviews: plan in CI; apply from a trusted runner with approvals
- Guardrails: `prevent_destroy` and policy checks for prod

## Load Next (References)

- `references/state-and-environments.md` — backends, locking, workspaces vs separate state, drift
- `references/modules-and-composition.md` — module interfaces, versioning, composition patterns
- `references/workflows-and-guardrails.md` — CI plan/apply, policy-as-code, safe migrations

Overview

This skill captures proven Terraform infrastructure-as-code workflow patterns for safe, scalable, and auditable provisioning. It focuses on state and environment management, module design, safe plan/apply workflows, drift control, and CI guardrails. Use it to standardize Terraform operations and reduce risk during changes.

How this skill works

The skill inspects and codifies recommended practices: remote state backends with locking, environment separation, module interface and versioning patterns, and CI-driven plan/apply flows. It outlines safety controls such as plan reviews, restricted applies, prevent_destroy safeguards, and policy-as-code checks. It also guides drift detection and remediation approaches.

When to use it

  • When setting up Terraform for multiple environments (dev/stage/prod).
  • When designing reusable modules and versioned composition for teams.
  • When introducing CI pipelines for plan and apply stages.
  • When reducing risk of accidental resource destruction or unsafe migrations.
  • When implementing drift detection and automated remediation checks.

Best practices

  • Use a remote backend with state locking and store separate state per environment or purpose.
  • Keep modules small, versioned, and define clear inputs/outputs; favor composition over large, monolithic modules.
  • Require terraform plan output to be reviewed in CI; perform applies only from trusted runners with explicit approvals.
  • Enforce prevent_destroy where appropriate and implement policy-as-code (e.g., OPA/Conftest) for guardrails.
  • Monitor drift regularly and incorporate drift checks into pipelines or scheduled jobs for early detection.

Example use cases

  • Bootstrap new projects with a shared remote backend and environment-aware state layout.
  • Create a module registry with semver-tagged modules and example compositions for teams to consume.
  • Build CI pipelines that run terraform init and plan, upload artifacts, and gate apply behind approvals on a trusted runner.
  • Protect production by adding prevent_destroy on critical resources and failing CI on policy violations.
  • Run periodic drift detection jobs that compare live resources against the recorded Terraform state and configuration, and generate remediation tickets for any differences.

FAQ

Should I use workspaces or separate state files for environments?

Prefer separate state per environment or per component for clearer isolation and simpler lifecycle management; use workspaces for lightweight variations, not as a full environment isolation strategy.

How do I safely run terraform apply in CI?

Run plan in CI and store the plan artifact. Perform apply only from a trusted runner with manual approval or automated guardrails, and ensure state backend locking and policy checks are in place.
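The plan-in-CI, review, then apply-from-a-trusted-runner flow from the Quick Start and this FAQ answer, as an added shell example that is not part of the skill's own files. It assumes terraform on PATH, a root module already configured with a locking remote backend, and one envs/<env>.tfvars file per environment; the artifact name tfplan.<env> and the function names are choices made here.

```shell
# Added example (not from the skill): a two-stage CI wrapper for the
# plan -> review -> apply flow above. Assumes terraform on PATH, a locking
# remote backend in the root module, and envs/<env>.tfvars per environment.
set -eu
# Map the exit code of `terraform plan -detailed-exitcode` to a verdict:
# 0 = no changes, 2 = changes pending review, anything else = plan failed.
plan_verdict() {
  case "$1" in
    0) echo "no-changes" ;;
    2) echo "review-required" ;;
    *) echo "failed" ;;
  esac
}
# Plan artifacts are named per environment so the apply job cannot pick up
# a plan produced against a different state file.
plan_artifact_name() { printf 'tfplan.%s' "$1"; }
sha256_file() {  # coreutils or macOS fallback; both print "hash  name"
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Apply-stage guard: the reviewed artifact must exist and match the checksum
# recorded by the plan stage, otherwise abort before terraform is invoked.
apply_precheck() {
  artifact="$(plan_artifact_name "$1")"
  [ -f "$artifact" ] && [ -f "$artifact.sha256" ] || return 1
  [ "$(sha256_file "$artifact")" = "$(cat "$artifact.sha256")" ]
}

plan_stage() {
  artifact="$(plan_artifact_name "$1")"
  terraform init -input=false
  terraform fmt -check -recursive
  terraform validate
  rc=0
  terraform plan -input=false -detailed-exitcode -var-file="envs/$1.tfvars" \
    -out="$artifact" || rc=$?
  echo "plan verdict: $(plan_verdict "$rc")"
  [ "$rc" -ne 1 ] || return 1   # 1 is a real error; 2 only means changes to review
  sha256_file "$artifact" > "$artifact.sha256"   # publish both as the review artifact
}
apply_stage() {  # run only on the trusted runner, after the plan was approved
  apply_precheck "$1"
  terraform init -input=false
  terraform apply -input=false -lock-timeout=5m "$(plan_artifact_name "$1")"
}
case "${1:-}" in
  plan)  plan_stage "${2:?environment name required}" ;;
  apply) apply_stage "${2:?environment name required}" ;;
esac
```

Plan files embed resolved variable values, which can include secrets, so store the artifact with the same access controls as the state itself.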