From terraform-knowledge-patch
Provides Terraform 1.8-1.15 and OpenTofu 1.7-1.12 updates on ephemeral values, write-only arguments, Stacks, resource identity, and OpenTofu divergences for IaC tasks.
npx claudepluginhub nevaberry/nevaberry-plugins --plugin terraform-knowledge-patchThis skill uses the workspace's default tool permissions.
Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Implements structured self-debugging workflow for AI agent failures: capture errors, diagnose patterns like loops or context overflow, apply contained recoveries, and generate introspection reports.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
Covers Terraform 1.8–1.15 and OpenTofu 1.7–1.12 (April 2024 – March 2026). Baseline knowledge: Terraform 1.7, OpenTofu 1.6.
| Topic | Reference | Key features |
|---|---|---|
| Ephemeral values | references/ephemeral-values.md | Ephemeral variables, resources, write-only arguments, new functions |
| Variable validation | references/variable-validation.md | Cross-object references in validation blocks |
| Import & identity | references/import-identity.md | Resource identity schema, import by identity attributes |
| Terraform Stacks | references/stacks.md | Component-based multi-environment deployments (HCP Terraform) |
| Terraform Actions | references/actions.md | Day 2 provider-defined operations (TF 1.14 preview) |
| New functions | references/new-functions.md | templatestring, ephemeralasnull, terraform.applying |
| OpenTofu divergences | references/opentofu.md | enabled meta-argument, destroy=false, const variables, prevent_destroy expressions |
New value category never persisted to plan or state. Three constructs:
| Construct | Syntax | Purpose |
|---|---|---|
| Ephemeral variable | variable "x" { ephemeral = true } | Accept secrets as input without state storage |
| Ephemeral output | output "x" { ephemeral = true } | Pass secrets between modules without state storage |
| Ephemeral resource | ephemeral "provider_type" "name" { } | Fetch secrets at plan/apply time, never stored |
Reference via ephemeral.<type>.<name>.<attribute>.
Ephemeral resources have an open/renew/close lifecycle — they run during every plan and apply, never persisted between runs. If an input references an unknown value, execution defers to apply.
Critical pattern — secrets in provider config:
ephemeral "aws_secretsmanager_secret_version" "db_master" {
secret_id = data.aws_db_instance.example.master_user_secret[0].secret_arn
}
locals {
credentials = jsondecode(ephemeral.aws_secretsmanager_secret_version.db_master.secret_string)
}
provider "postgresql" {
host = data.aws_db_instance.example.address
password = local.credentials["password"]
}
Resource attributes that accept ephemeral values and are never stored in state. Paired with a _wo_version argument to control updates.
resource "aws_db_instance" "main" {
# ...
password_wo = ephemeral.random_password.db.result
password_wo_version = 1 # Increment to trigger password rotation
}
Common write-only attributes:
| Resource | Write-only attribute |
|---|---|
aws_db_instance | password_wo |
aws_rds_cluster | master_password_wo |
aws_secretsmanager_secret_version | secret_string_wo |
aws_ssm_parameter | value_wo |
google_secret_manager_secret_version | secret_data_wo |
kubernetes_secret_v1 | data_wo |
See references/ephemeral-values.md for full examples.
Validation blocks can now reference other variables, data sources, and locals — not just the variable itself:
variable "cluster_endpoint" {
type = string
default = ""
validation {
condition = var.create_cluster == false ? length(var.cluster_endpoint) > 0 : true
error_message = "cluster_endpoint required when create_cluster is false."
}
}
See references/variable-validation.md for details.
Renders a template from a string value (not a file). Useful for templates from data sources:
locals {
rendered = templatestring(data.http.template.response_body, {
APP_NAME = var.app_name
PORT = var.port
})
}
Import blocks now support structured identity attributes instead of opaque ID strings:
import {
to = aws_instance.example
identity = {
id = "i-1234567890abcdef0"
}
}
See references/import-identity.md for details.
Component-based multi-environment deployments using new file types. Requires HCP Terraform.
# main.tfcomponent.hcl
component "networking" {
source = "./modules/networking"
inputs = { region = var.region, cidr = var.cidr }
}
component "cluster" {
source = "./modules/k8s"
inputs = { vpc_id = component.networking.vpc_id }
}
# deploy.tfdeploy.hcl
deployment "us-east" {
inputs = { region = "us-east-1", cidr = "10.0.0.0/16" }
}
deployment "eu-west" {
inputs = { region = "eu-west-1", cidr = "10.1.0.0/16" }
}
Limits: 20 deployments, 100 components, 10k resources per stack. See references/stacks.md.
Day 2 operations defined by providers — triggered before/after resource CRUD or ad hoc via CLI. Codifies operational tasks (Lambda invocations, cache invalidations, Ansible playbooks) alongside infrastructure. See references/actions.md.
| Function | Version | Purpose |
|---|---|---|
templatestring(str, vars) | TF 1.9 | Render template from string (not file) |
ephemeralasnull(value) | TF 1.10+ | Convert ephemeral value to non-ephemeral null |
terraform.applying | TF 1.10+ | Returns true during apply, false during plan |
See references/new-functions.md for examples.
| Feature | Version | Syntax |
|---|---|---|
enabled meta-argument | OT 1.11 | lifecycle { enabled = var.create } |
destroy = false | OT 1.12 | lifecycle { destroy = false } |
const variables | OT 1.12 | variable "x" { const = true } |
prevent_destroy expressions | OT 1.12 | lifecycle { prevent_destroy = var.protect } |
See references/opentofu.md for examples.