← 返回 Skills 市场
ia-terraform
作者
Ilia Alshanetsky
· GitHub ↗
· v3.0.4
· MIT-0
290
总下载
0
收藏
0
当前安装
11
版本数
在 OpenClaw 中安装
/install compound-eng-terraform
功能描述
Terraform and OpenTofu configuration, modules, testing, state management, and HCL review. Use when working with Terraform, OpenTofu, HCL, tfvars, tftest, sta...
使用说明 (SKILL.md)
Terraform & OpenTofu
File Organization & Naming
| File | Purpose |
|---|---|
terraform.tf |
Terraform + provider version requirements |
providers.tf |
Provider configurations |
main.tf |
Primary resources and data sources |
variables.tf |
Input variables (alphabetical) |
outputs.tf |
Output values (alphabetical) |
locals.tf |
Local values |
- Lowercase with underscores:
web_api, notwebAPIorweb-api - Descriptive nouns excluding resource type:
aws_instance.web_apinotaws_instance.web_api_instance - Singular, not plural
thisfor singleton resources (one of that type per module)- Contextual variable prefixes:
vpc_cidr_blocknotcidr
Block Ordering
Resources: count/for_each (blank line after) → arguments → nested blocks → tags → depends_on → lifecycle (last)
Variables: description → type → default → validation → nullable
Every variable needs type + description. Every output needs description. Mark secrets sensitive = true.
Module Structure
| Type | Scope | Example |
|---|---|---|
| Resource Module | Single logical group | VPC + subnets, SG + rules |
| Infrastructure Module | Collection of resource modules | Networking + compute for one region |
| Composition | Complete infrastructure | Spans regions/accounts |
module-name/
├── main.tf, variables.tf, outputs.tf, versions.tf
├── examples/
│ ├── minimal/
│ └── complete/
└── tests/
└── defaults.tftest.hcl
Keep modules small (single responsibility). examples/ double as documentation and integration test fixtures. Semantic versioning for all published modules.
count vs for_each
| Scenario | Use |
|---|---|
| Boolean toggle (create or skip) | count = condition ? 1 : 0 |
| Named/keyed items that may reorder | for_each = toset(list) or map |
| Fixed identical replicas | count = N |
Default to for_each -- removing a middle item from a count list recreates all subsequent resources. Use count only for boolean conditionals or truly identical replicas.
Testing
| Situation | Approach |
|---|---|
| Quick validation | terraform fmt -check && terraform validate |
| Pre-commit | + tflint + trivy config . / checkov -d . |
| Logic validation (1.6+) | Native terraform test with command = plan |
| Cost-free unit tests (1.7+) | Native tests + mock_provider |
| Real infra validation | Native tests with command = apply, or Terratest (Go) |
Native test essentials (.tftest.hcl in tests/):
command = planfor fast unit tests;command = applyfor integration (default)assert { condition = expr; error_message = "..." }-- multiple per run blockexpect_failures = [var.name]for negative testing (validate rejection of bad input)mock_provider "aws" { mock_resource "..." { defaults = { ... } } }-- plan-mode only, no credentials, fast CIvariables {}at file level (all runs) or within arunblock (override)- Reference prior run outputs:
run.setup.vpc_id parallel = trueon independent runs with separate state -- creates sync point at next sequential runstate_key = "name"required forparallel = trueruns with independent state- File naming:
*_unit_test.tftest.hcl(plan mode) vs*_integration_test.tftest.hcl(apply mode)
Version Pinning
| Component | Strategy | Example |
|---|---|---|
| Terraform | Pin minor | required_version = "~> 1.9" |
| Providers | Pin major | version = "~> 5.0" |
| Modules (prod) | Pin exact | version = "5.1.2" |
| Modules (dev) | Allow patch | version = "~> 5.1" |
Key modern features: moved blocks (1.1+), optional() with defaults (1.3+), native testing (1.6+), mock providers (1.7+), cross-variable validation (1.9+), write-only arguments (1.11+).
Stacks (HCP, preview): orchestrates multiple configs as a single deployment unit -- evaluate for multi-environment patterns.
State & Security
- Remote backend with locking: S3+DynamoDB, Azure Blob, GCS, or Terraform Cloud. Never local state for shared infrastructure.
- Encrypt state at rest. Never commit
.tfstate,.terraform/, or*.tfplan. Always commit.terraform.lock.hcl. default_tagson provider for consistent resource tagging.- Encryption at rest on all storage. Private networking by default -- public access is opt-in.
- Least-privilege security groups. No
0.0.0.0/0ingress without explicit justification. - Never hardcode credentials -- use assume_role, OIDC, or secrets managers.
- Pre-commit:
terraform fmt -recursive && terraform validate && trivy config . moved { from = old; to = new }for refactoring resource names/modules without destroy-recreate. Remove block after apply.
Troubleshooting
- State lock stuck:
terraform force-unlock \x3CID>-- only after confirming no other operation running - Resource drift:
terraform plan -refresh-onlyto detect,terraform apply -refresh-onlyto accept - Replace tainted:
terraform apply -replace=ADDR(not deprecatedterraform taint) - Import existing:
importblocks (1.5+) for declarative import, orterraform import ADDR ID
Dependency Management
Use locals with try() to control deletion ordering without explicit depends_on:
locals {
vpc_id = try(aws_vpc_ipv4_cidr_block_association.this[0].vpc_id, aws_vpc.this.id, "")
}
This forces Terraform to destroy subnets before CIDR associations -- prevents deletion errors.
cidrsubnet(var.vpc_cidr, 8, count.index)for calculated subnet CIDRs -- never hardcode subnets- Multi-region:
provider "aws" { alias = "eu_west_1" }+providers = { aws = aws.eu_west_1 }in module blocks
Verify
Run before declaring done:
terraform fmt -check && terraform validate && tflint && trivy config .
All commands must pass with zero errors.
安全使用建议
This skill is a purely instructional Terraform/OpenTofu style guide and appears coherent with that purpose. Before installing or enabling: (1) Understand that the guidance assumes you or the agent will run CLI tools (terraform, tflint, trivy, checkov, etc.); ensure those are installed from trusted sources and that you permit any commands that touch your local files/state. (2) The skill itself does not request credentials, but following some recommended operations (e.g., backend state operations, apply) requires cloud credentials — supply those only to trusted tooling and never paste secrets into prompts. (3) If you allow autonomous agent actions, consider limiting the agent's filesystem and network access (or require user confirmation) for destructive operations like apply, state unlock, replace, or import. Overall this skill is internally consistent and low-risk, but standard operational caution around running IaC commands and protecting state/credentials still applies.
功能分析
Type: OpenClaw Skill
Name: compound-eng-terraform
Version: 3.0.4
The skill bundle provides comprehensive and standard best practices for Terraform and OpenTofu development, including security guidelines like least-privilege and secret management. The instructions in SKILL.md and SPEC.md are well-structured for an AI agent and contain no evidence of malicious intent, data exfiltration, or harmful prompt injection. All shell commands provided are for standard linting and security scanning (e.g., terraform fmt, tflint, trivy).
能力评估
Purpose & Capability
The name and description match the SKILL.md content: Terraform/OpenTofu/HCL guidance, module patterns, testing, state guidance, and troubleshooting. There are no unrelated required binaries, env vars, or config paths that would contradict the stated purpose.
Instruction Scope
SKILL.md stays on-topic and gives operational guidance (commands like terraform fmt/validate, tflint, trivy, checkov, terraform test/apply, state operations). It does recommend running CLIs and manipulating state (e.g., force-unlock, apply/replace), but does not instruct reading or exfiltrating unrelated files or secrets. Note: the document references external tooling but the skill does not declare those binaries; installing/running those tools would be an external operation the user/agent must permit.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. There is nothing being downloaded or written to disk by the skill itself.
Credentials
The skill requests no environment variables, secrets, or config paths. It explicitly advises against hardcoding credentials and against committing state files, which is consistent with its purpose.
Persistence & Privilege
always:false and default invocation settings are used. The skill does not request persistent presence or elevated privileges or attempt to modify other skills or global agent configuration.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install compound-eng-terraform - 安装完成后,直接呼叫该 Skill 的名称或使用
/compound-eng-terraform触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v3.0.4
v3.0.4
v3.0.3
v3.0.3
v3.0.2
v3.0.2
v3.0.1
v3.0.1
v3.0.0
v3.0.0
v2.56.1
v2.56.1
v2.56.0
v2.56.0
v2.55.1
v2.55.1
v2.55.0
v2.55.0
v2.53.2
v2.53.2
v2.53.0
v2.53.0
元数据
常见问题
ia-terraform 是什么?
Terraform and OpenTofu configuration, modules, testing, state management, and HCL review. Use when working with Terraform, OpenTofu, HCL, tfvars, tftest, sta... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 290 次。
如何安装 ia-terraform?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install compound-eng-terraform」即可一键安装,无需额外配置。
ia-terraform 是免费的吗?
是的,ia-terraform 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
ia-terraform 支持哪些平台?
ia-terraform 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 ia-terraform?
由 Ilia Alshanetsky(@iliaal)开发并维护,当前版本 v3.0.4。
推荐 Skills