Specialized skill for analyzing Terraform configurations. Supports parsing, security scanning (tfsec, checkov), cost estimation (infracost), drift detection, and plan visualization across AWS, Azure, and GCP.
Performs security scanning, cost analysis, and drift detection on Terraform infrastructure code.
npx claudepluginhub a5c-ai/babysitterThis skill is limited to using the following tools:
README.mdYou are terraform-analyzer - a specialized skill for analyzing Terraform configurations and Infrastructure as Code. This skill enables AI-powered infrastructure analysis for security, cost, and compliance.
This skill enables comprehensive Terraform analysis including:
Parse and analyze Terraform configurations:
# Example configuration being analyzed
resource "aws_instance" "web" {
ami = var.ami_id
instance_type = var.instance_type
vpc_security_group_ids = [aws_security_group.web.id]
subnet_id = aws_subnet.private.id
root_block_device {
volume_size = 100
volume_type = "gp3"
encrypted = true
}
tags = {
Name = "web-server"
Environment = var.environment
}
}
resource "aws_security_group" "web" {
name = "web-sg"
description = "Security group for web servers"
vpc_id = aws_vpc.main.id
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # Security finding: open to world
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
# Run tfsec security scan
tfsec . --format json --out tfsec-report.json
# Example findings
{
"results": [
{
"rule_id": "aws-vpc-no-public-ingress-sgr",
"severity": "CRITICAL",
"description": "Security group rule allows ingress from public internet",
"resource": "aws_security_group.web",
"location": {
"filename": "security.tf",
"start_line": 15
},
"resolution": "Restrict ingress to specific CIDR blocks"
}
]
}
# Run Checkov security and compliance scan
checkov -d . --output json > checkov-report.json
# Example findings
{
"passed": 45,
"failed": 3,
"skipped": 0,
"results": {
"failed_checks": [
{
"check_id": "CKV_AWS_23",
"check_name": "Ensure every security groups rule has a description",
"resource": "aws_security_group.web",
"guideline": "https://docs.bridgecrew.io/docs/..."
},
{
"check_id": "CKV_AWS_24",
"check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22",
"resource": "aws_security_group.web"
}
]
}
}
# Run Terrascan policy scan
terrascan scan -d . -o json > terrascan-report.json
Using Infracost for cost analysis:
# Generate cost breakdown
infracost breakdown --path . --format json > cost-report.json
# Example output
{
"version": "0.2",
"currency": "USD",
"projects": [
{
"name": "production",
"breakdown": {
"resources": [
{
"name": "aws_instance.web",
"monthlyQuantity": 730,
"unit": "hours",
"hourlyRate": "0.0416",
"monthlyCost": "30.37"
},
{
"name": "aws_ebs_volume.data",
"monthlyQuantity": 100,
"unit": "GB",
"monthlyCost": "10.00"
}
],
"totalMonthlyCost": "540.37",
"totalHourlyCost": "0.74"
}
}
],
"totalMonthlyCost": "540.37"
}
Detect configuration drift:
# Refresh and check for drift
terraform plan -refresh-only -json > drift-report.json
# Example drift detection
{
"resource_drift": [
{
"resource": "aws_instance.web",
"address": "aws_instance.web",
"changes": {
"before": {
"instance_type": "t3.medium"
},
"after": {
"instance_type": "t3.large"
},
"drift_reason": "Manual change via console"
}
}
],
"summary": {
"total_resources": 45,
"drifted_resources": 1,
"unchanged_resources": 44
}
}
Analyze and visualize Terraform plans:
# Generate plan
terraform plan -out=tfplan
terraform show -json tfplan > plan.json
# Plan analysis output
{
"format_version": "1.0",
"resource_changes": [
{
"address": "aws_instance.web",
"mode": "managed",
"type": "aws_instance",
"name": "web",
"change": {
"actions": ["update"],
"before": {
"instance_type": "t3.small"
},
"after": {
"instance_type": "t3.medium"
}
}
}
],
"summary": {
"add": 2,
"change": 1,
"destroy": 0
}
}
Analyze Terraform module structure:
// Module dependency analysis
{
"modules": {
"root": {
"path": ".",
"source": "local",
"version": null,
"dependencies": ["./modules/vpc", "./modules/compute"]
},
"vpc": {
"path": "./modules/vpc",
"source": "local",
"resources": ["aws_vpc", "aws_subnet", "aws_route_table"]
},
"compute": {
"path": "./modules/compute",
"source": "local",
"resources": ["aws_instance", "aws_autoscaling_group"],
"depends_on": ["vpc"]
}
},
"external_modules": [
{
"source": "terraform-aws-modules/vpc/aws",
"version": "5.0.0",
"registry": "registry.terraform.io"
}
]
}
Check compliance with organizational policies:
# Policy definition
policies:
- name: require-encryption
description: All storage must be encrypted
resource_types: [aws_ebs_volume, aws_rds_instance, aws_s3_bucket]
rules:
- attribute: encrypted
value: true
- attribute: storage_encrypted
value: true
- name: require-tags
description: All resources must have required tags
rules:
- attribute: tags
contains: [Environment, Owner, CostCenter]
- name: restrict-instance-types
description: Only allow approved instance types
resource_types: [aws_instance]
rules:
- attribute: instance_type
allowed_values: [t3.micro, t3.small, t3.medium, t3.large]
This skill can leverage the following MCP servers:
| Server | Description | Installation |
|---|---|---|
| Terraform MCP Server (HashiCorp) | Official Terraform Registry integration | GitHub |
| AWS Terraform MCP Server | Terraform with Checkov and AWS best practices | AWS Labs |
workflow:
pre_commit:
- terraform fmt -check
- terraform validate
- tfsec --minimum-severity HIGH
ci_pipeline:
- terraform init
- terraform validate
- tfsec --format sarif
- checkov -d . --output sarif
- infracost breakdown --path .
pre_deploy:
- terraform plan -out=tfplan
- infracost diff --path tfplan
- manual_review_required: true
security_thresholds:
tfsec:
max_critical: 0
max_high: 0
max_medium: 5
checkov:
min_passed_percentage: 90
infracost:
max_monthly_increase_percentage: 20
require_approval_above: 1000 # USD
This skill integrates with the following processes:
iac-review.js - Primary IaC analysis workflowcloud-architecture-design.js - Architecture validationdevops-architecture-alignment.js - DevOps integrationWhen analyzing configurations, provide structured output:
{
"operation": "analyze",
"status": "completed",
"configuration": {
"path": "./infrastructure",
"provider": "aws",
"resources": 45,
"modules": 5
},
"security": {
"tool": "tfsec",
"findings": {
"critical": 0,
"high": 2,
"medium": 5,
"low": 8
},
"passed": true,
"threshold_exceeded": false
},
"compliance": {
"tool": "checkov",
"passed": 42,
"failed": 3,
"skipped": 0,
"passed_percentage": 93.3
},
"cost": {
"tool": "infracost",
"monthly_estimate": "$540.37",
"hourly_estimate": "$0.74",
"change_from_baseline": "+$45.00"
},
"drift": {
"detected": true,
"resources_drifted": 1,
"total_resources": 45
},
"artifacts": [
"tfsec-report.json",
"checkov-report.json",
"cost-report.json"
],
"recommendations": [
{
"priority": "high",
"category": "security",
"description": "Restrict security group ingress rules",
"resource": "aws_security_group.web"
}
]
}
| Error | Cause | Resolution |
|---|---|---|
Provider not configured | Missing credentials | Configure provider credentials |
Module not found | Invalid source path | Check module source configuration |
State lock error | Concurrent access | Wait or force unlock |
Validation failed | Invalid HCL syntax | Fix syntax errors |
Activates when the user asks about AI prompts, needs prompt templates, wants to search for prompts, or mentions prompts.chat. Use for discovering, retrieving, and improving prompts.
Search, retrieve, and install Agent Skills from the prompts.chat registry using MCP tools. Use when the user asks to find skills, browse skill catalogs, install a skill for Claude, or extend Claude's capabilities with reusable AI agent components.
This skill should be used when the user wants to "create a skill", "add a skill to plugin", "write a new skill", "improve skill description", "organize skill content", or needs guidance on skill structure, progressive disclosure, or skill development best practices for Claude Code plugins.