Terraform Iac Reviewer v2
by Kaymue
Pre-apply Terraform gate. 50+ checks: security (S3/IAM), cost (oversized/untagged), CIS compliance, best practices.
Free
Included in download
- Downloadable skill package
- 1 permission declared
- Instant install
About This Skill
# Terraform IaC Reviewer

"Works in staging, breaks in prod" usually means someone forgot to add a tag, used a public S3 bucket, or hardcoded a secret. This skill is the pre-apply gate that catches all of that.

## What it does

A complete IaC audit covering:

- **Security** (20 checks) — public S3, open security groups, IAM wildcards, unencrypted storage, secrets in code
- **Cost** (12 checks) — oversized instances, missing tags, no lifecycle, always-on resources
- **Best practices** (18 checks) — state management, module hygiene, naming, drift
- **Compliance** (10 checks) — CIS benchmarks, SOC2 controls, GDPR

Works with: **Terraform**, **OpenTofu**, **Pulumi**, **CloudFormation**, **CDK**.

## When to use it

- You're about to `terraform apply` and want a pre-flight check
- Your security team wants CIS compliance for all IaC
- Your cloud bill spiked and you need to find waste in code
- You're scaling Terraform across teams and need consistent standards
- You want a CI gate that blocks bad PRs

## Why it's better than ad-hoc prompting

Most "review my Terraform" prompts give generic advice. This skill is different:

- **50+ concrete checks** — not vibes
- **Multi-tool** — Terraform, OpenTofu, Pulumi, CloudFormation
- **CI-ready** — exit codes, JSON output, SARIF
- **Auto-fixable** — many findings include the corrected HCL
- **Compliance mapping** — CIS / SOC2 / GDPR

## Architecture

```
┌─────────────────────────────────────────────────────────┐
│ Agent (Claude/Cursor)                                   │
│ - Reads .tf / .yaml / .ts / .py files                   │
│ - Calls audit script                                    │
│ - Synthesizes report with fix list                      │
└───────────────┬─────────────────────────────────────────┘
                │
                ▼
┌─────────────────────────────────────────────────────────┐
│ skills/terraform-iac-reviewer/                          │
│   scripts/                                              │
│   ├── audit.py            # 50+ checks                  │
│   ├── detect_provider.py  # Identify tool               │
│   ├── check_drift.py      # Compare state vs code       │
│   ├── cost_estimate.py    # Rough $ from instance types │
│   ├── cis_compliance.py   # CIS benchmark mapping       │
│   └── fix_suggestions.py  # Auto-fix for common issues  │
│   references/                                           │
│   ├── checks-catalog.md   # All 50+ checks detailed     │
│   ├── cis-mapping.md                                    │
│   ├── cost-playbook.md                                  │
│   └── state-mgmt.md                                     │
└─────────────────────────────────────────────────────────┘
```

## Quick start

```bash
# 1. Install
pip install hcl2 pyyaml

# 2. Audit Terraform / OpenTofu
python scripts/audit.py ./infra/ --tool terraform

# 3. Audit CloudFormation
python scripts/audit.py ./cfn/ --tool cloudformation

# 4. Audit Pulumi (TypeScript or Python)
python scripts/audit.py ./pulumi/ --tool pulumi

# 5. Detect drift between state and code
python scripts/check_drift.py --state terraform.tfstate --code ./

# 6. Cost estimate
python scripts/cost_estimate.py ./infra/

# 7. CIS compliance report
python scripts/cis_compliance.py ./infra/ --framework cis-aws-1.5

# 8. Get auto-fix suggestions
python scripts/fix_suggestions.py audit-report.json
```

## The 50+ checks (categories)

### Security (20)

- S3 bucket public (`acl = "public-read"`) → BLOCK
- S3 bucket without encryption
- S3 bucket without versioning
- S3 bucket without access logging
- Security group with 0.0.0.0/0 ingress on SSH/RDP
- Security group with 0.0.0.0/0 egress
- IAM policy with `Action: "*"` and `Resource: "*"`
- IAM role with broad trust policy
- RDS instance publicly accessible
- RDS without encryption at rest
- Lambda function with admin role
- Secrets in env vars / plaintext
- KMS key with no rotation
- CloudFront without WAF
- API Gateway without authentication
- SQS without encryption
- SNS topic without encryption
- EFS without encryption at rest
- EBS volume unencrypted
- OpenSearch / Elasticsearch public endpoint

### Cost (12)

- EC2 instance over-sized for workload
- Instance without Savings Plans / Reserved
- EBS volume over-provisioned IOPS
- S3 bucket without lifecycle policy
- CloudWatch log group without retention
- Always-on resources in dev/staging
- Missing `tags` (cost allocation broken)
- NAT Gateway in every subnet
- Unused Elastic IPs
- Unattached EBS volumes
- Old snapshots (>90 days unused)
- Lambda over-provisioned memory

### Best practices (18)

- State file in repo (not remote backend)
- State in local file without encryption
- No remote state locking
- Hardcoded region in resources
- No `.terraform.lock.hcl`
- Module pinned to floating version
- Count vs for_each misuse
- Inline vs separate variable file
- Missing `lifecycle { prevent_destroy = true }` on critical resources
- No `data "aws_caller_identity"` for account ID
- IAM policy attached directly to user (not role)
- Random ID not used in resource names
- Untagged resources
- No output for important values
- Variable without `description` and `type`
- Sensitive values not marked
- No `required_providers` block
- `terraform { required_version }` missing

### Compliance (10)

- CIS AWS 1.5 / 2.0 benchmarks
- SOC2 CC6.1 (logical access)
- SOC2 CC7.2 (system monitoring)
- GDPR data residency
- HIPAA encryption controls
- PCI-DSS logging requirements
- Tagging for compliance
- Resource inventory
- Change management (git history)
- Audit trail (CloudTrail enabled)

## Sample output

```
## Terraform Audit — ./infra/

**Files scanned**: 47
**Total checks**: 60
**Pass**: 38 | **Fail**: 22
**Critical**: 5 | **Major**: 9 | **Minor**: 8

### ❌ Critical (BLOCK)
- S3 bucket `prod-data-lake` has `acl = "public-read"` (CIS 2.1.5)
  Fix: Remove `acl` and use bucket policy with explicit deny
- Security group `web-sg` allows 0.0.0.0/0 ingress on port 22 (CIS 4.1)
  Fix: Restrict to known IPs or remove SSH ingress
- IAM policy `admin-policy` has `Action: "*"` + `Resource: "*"`
  Fix: Replace with specific actions + scoped resources
- RDS instance `prod-db` is publicly accessible
  Fix: Set `publicly_accessible = false`
- S3 bucket `customer-uploads` has no encryption
  Fix: Add `server_side_encryption_configuration` block

### ⚠️ Major
- 3 EC2 instances over-sized (m5.4xlarge but avg CPU 8%)
- 2 S3 buckets without lifecycle policy
- NAT Gateway in every subnet ($0.045/hr × 4 = $130/mo wasted)

### 💡 Minor
- 8 resources missing `tags` (cost allocation broken)
- Variables missing `description` and `type`

### 💰 Estimated annual cost
- Current: $48,200/yr
- After fixes: $35,400/yr (saving $12,800/yr)

### Verdict: 🛑 BLOCK deploy
```

## Pricing

Single-purchase, lifetime access. $10.00. Includes:

- 6 Python audit scripts
- 4 reference docs (checks catalog, CIS mapping, cost playbook, state mgmt)
- 50+ check library
- CIS AWS 1.5 / 2.0 compliance pack
- Future updates for the same major version

## Example usage

> "Audit our AWS Terraform. Block any critical issues. Estimate cost savings."

The skill will:

1. Parse all .tf files
2. Run 50+ checks
3. Identify CIS / SOC2 / GDPR compliance gaps
4. Estimate cost from instance types
5. Output `audit-report.md` with fix list

## Compatibility

Works with any agent that supports the SKILL.md standard and can execute Python: Claude Code, OpenClaw, Codex CLI, Cursor, Gemini CLI, Cline, Windsurf, Aider.

Supports Terraform 0.13+, OpenTofu 1.0+, Pulumi (TS/Py/Go), CloudFormation YAML/JSON, CDK. Tested on Linux, macOS, Windows.

## Tags

terraform, iac, opentofu, pulumi, cloudformation, devops, security, aws, gcp, azure
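As an added illustration of how a few of the Security and Cost checks listed above can be implemented (example code written for this page, not the skill's own `audit.py`, whose source is not shown here): a brace-matching scan over a constructed `.tf` snippet that flags a public S3 ACL, a 0.0.0.0/0 ingress rule on SSH/RDP and a missing `tags` block, then maps the findings to a CI exit code. The sample resources, the finding messages and the exit-code values (2 = block, 1 = findings, 0 = clean) are assumptions, and the scanner deliberately avoids the `hcl2` dependency so it runs offline.

```python
import re

# Constructed sample .tf (not from the skill); each resource triggers a check below.
SAMPLE_TF = """
resource "aws_s3_bucket" "data_lake" {
  bucket = "prod-data-lake"
  acl    = "public-read"
}
resource "aws_security_group" "web_sg" {
  ingress {
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = { Team = "web" }
}
"""

RES_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')

def parse_resources(text):
    """Yield (type, name, body) per resource by brace matching; assumes no braces inside strings."""
    for m in RES_RE.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1]

def audit(text):
    """Run a subset of the catalog's checks; return (severity, resource name, message) tuples."""
    findings = []
    for rtype, name, body in parse_resources(text):
        if rtype == "aws_s3_bucket" and re.search(r'acl\s*=\s*"public-', body):
            findings.append(("CRITICAL", name, "S3 bucket has a public ACL"))
        if rtype == "aws_security_group":
            for ing in re.findall(r"ingress\s*\{([^}]*)\}", body):  # ingress blocks have no nested braces
                port = re.search(r"from_port\s*=\s*(\d+)", ing)
                if "0.0.0.0/0" in ing and port and port.group(1) in ("22", "3389"):
                    findings.append(("CRITICAL", name, f"0.0.0.0/0 ingress on port {port.group(1)}"))
        if not re.search(r"\btags\s*=", body):
            findings.append(("MINOR", name, "missing tags (cost allocation broken)"))
    return findings

def exit_code(findings):
    """Assumed CI gate mapping: 2 blocks the apply on any CRITICAL, 1 for other findings, 0 when clean."""
    severities = {sev for sev, _, _ in findings}
    return 2 if "CRITICAL" in severities else 1 if severities else 0
```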
Use Cases
- Pre-apply Terraform gate. 50+ checks across security (IAM, secrets, public exposure), cost (oversized resources, missing tags), and best practices (state mgmt, module hygiene, drift). Works with Terraform, OpenTofu, Pulumi, CloudFormation. CI-ready with exit codes.
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/terraform-iac-reviewer-v2 -o /tmp/terraform-iac-reviewer-v2.zip && unzip -o /tmp/terraform-iac-reviewer-v2.zip -d ~/.claude/skills && rm /tmp/terraform-iac-reviewer-v2.zip

Free skills install directly. Paid skills require purchase.