一键导入
terraform-modules
Design reusable, well-tested Terraform modules with cloud-agnostic interfaces and safe state management.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Design reusable, well-tested Terraform modules with cloud-agnostic interfaces and safe state management.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Production-grade GitHub Actions workflows — reusable workflows, OIDC cloud auth, caching, matrix builds, and environment protection rules. Use when the user creates, reviews, or debugs CI/CD pipelines in .github/workflows, or asks about GitHub Actions deployment, OIDC authentication, or workflow optimization.
Systematic diagnosis of Kubernetes pod failures — CrashLoopBackOff, OOMKilled, Pending, ImagePullBackOff, and service connectivity issues. Use when the user encounters pods not starting, container restart loops, scheduling failures, or service unreachability in a K8s cluster.
Implement distributed tracing with OpenTelemetry, Tempo/Jaeger — instrumentation, sampling, and trace-to-log correlation. Use when the user asks about distributed tracing, OpenTelemetry setup, span instrumentation, trace propagation, or connecting traces to logs and metrics.
Design reusable React components with compound patterns, controlled/uncontrolled hybrids, typed prop APIs, async state handling, and ARIA accessibility. Use when the user creates, refactors, or reviews React components, or mentions props, hooks, .tsx files, component APIs, or accessible UI patterns.
Apply STRIDE threat modeling to system designs, identify IDOR and authorization vulnerabilities, and build threat matrices for security reviews. Use when the user designs a new system, reviews an architecture, prepares for a security audit, or asks about common API vulnerabilities like IDOR or broken access control.
Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.
| name | terraform-modules |
| type | skill |
| description | Design reusable, well-tested Terraform modules with cloud-agnostic interfaces and safe state management. |
| related-rules | ["iac-standards.md","state-management.md","secret-hygiene.md"] |
| allowed-tools | Read, Write, Edit, Bash |
Expertise: Reusable module design, for_each patterns, remote state, data sources, module testing with Terratest.
When writing new Terraform, reviewing IaC PRs, designing module interfaces, or debugging plan/apply failures.
# variables.tf — define a clean, minimal interface
variable "project" {
description = "Project name used in resource naming and tags"
type = string
}
variable "environment" {
description = "Deployment environment (dev|staging|production)"
type = string
validation {
condition = contains(["dev", "staging", "production"], var.environment)
error_message = "environment must be dev, staging, or production."
}
}
variable "instance_count" {
description = "Number of instances to create"
type = number
default = 1
}
# outputs.tf — expose only what callers need
output "instance_ids" {
description = "List of created instance IDs"
value = aws_instance.this[*].id
}
output "private_ips" {
description = "Private IP addresses"
value = aws_instance.this[*].private_ip
sensitive = false
}
# ✅ for_each — stable keys, safe to add/remove
resource "aws_security_group_rule" "allow" {
for_each = var.allowed_ports # map: { "http" = 80, "https" = 443 }
type = "ingress"
from_port = each.value
to_port = each.value
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
# ❌ count — index-based, removing item N shifts all subsequent items
resource "aws_instance" "this" {
count = var.instance_count # removing instance 0 destroys ALL and recreates
}
# ✅ for_each with map for instances
resource "aws_instance" "this" {
for_each = var.instances # map: { "web-1" = {...}, "web-2" = {...} }
instance_type = each.value.instance_type
}
resource "aws_security_group" "this" {
name = "${var.project}-${var.environment}-sg"
dynamic "ingress" {
for_each = var.ingress_rules
content {
from_port = ingress.value.from_port
to_port = ingress.value.to_port
protocol = ingress.value.protocol
cidr_blocks = ingress.value.cidr_blocks
}
}
}
# Latest Ubuntu 22.04 AMI (AWS)
data "aws_ami" "ubuntu" {
most_recent = true
owners = ["099720109477"] # Canonical
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
}
}
# Cross-stack reference via SSM (avoid terraform_remote_state across envs)
data "aws_ssm_parameter" "vpc_id" {
name = "/${var.environment}/network/vpc_id"
}
locals {
name_prefix = "${var.project}-${var.environment}"
common_tags = {
Project = var.project
Environment = var.environment
ManagedBy = "terraform"
Owner = var.owner
}
}
resource "aws_s3_bucket" "this" {
bucket = "${local.name_prefix}-assets-${random_id.suffix.hex}"
tags = local.common_tags
}
# When renaming a resource — prevents destroy+create
moved {
from = aws_instance.web
to = aws_instance.this["web-1"]
}
# Standard pipeline steps
terraform init -backend-config=environments/${ENV}/backend.hcl
terraform validate
terraform fmt -check -recursive
terraform plan -var-file=environments/${ENV}/terraform.tfvars -out=tfplan
# After approval:
terraform apply tfplan
| Anti-pattern | Fix |
|---|---|
count for multi-instance | Use for_each with map keys |
| Hardcoded region/AZ | Use data source or variable |
?ref=main module source | Pin to version tag |
| Provider config inside module | Provider in root module only |
terraform_remote_state across envs | SSM / Consul KV for cross-stack values |
Sensitive values in outputs without sensitive=true | Mark all secret outputs as sensitive |