
aws-core: add a Terraform core skill #115

Description

@ajoshi01ai

Describe the feature

Add a terraform core skill to the aws-core plugin, covering how AI agents author, deploy, and troubleshoot AWS infrastructure with Terraform (using the hashicorp/aws provider).

It would mirror the existing aws-cdk skill anatomy — a SKILL.md (overview, critical warnings, workflow + troubleshooting tables, security considerations) plus reference files for:

  • project-setup — structure, version pinning, .terraform.lock.hcl, providers
  • module-authoring — input/output contracts, provider passing, composition, versioning
  • state-and-backends — S3 native locking, secrets-in-state, per-environment isolation
  • refactor-and-import — moved/import blocks, drift, replacement control
  • troubleshooting — state locks, credentials, plan/apply, destroy ordering, state-version mismatch

Scope is Terraform-on-AWS only. It would explicitly hand off to aws-cdk / aws-cloudformation for those tools, and scope out SAM, CDKTF, and Pulumi.

Use Case

The toolkit gives agents rich, guardrailed IaC guidance for AWS CDK and CloudFormation, but there is no Terraform skill. The aws-cdk skill explicitly scopes Terraform out ("Terraform/Pulumi ... Use builtin knowledge or specialized skills for these"), so the moment an agent works in a Terraform repo it falls back to ungrounded model knowledge — exactly where it can corrupt state, leak secrets stored in state, or destroy stateful resources through an accidental address change.

Terraform is one of the most widely used IaC tools on AWS, so this is a significant coverage gap for the largest IaC audience.

Proposed Solution

Add the skill under skills/core-skills/terraform/ and surface it through the aws-core plugin. Name it terraform (not aws-terraform) since Terraform is a HashiCorp tool, not an AWS service — the aws- prefix is reserved for AWS-owned skills.

Key guardrails the skill would enforce:

  • Remote, encrypted, locked state (S3 backend with use_lockfile, or DynamoDB) — never local state for shared/automated work
  • Treat state as secret-bearing (encrypt at rest, never commit *.tfstate)
  • Use moved/import blocks to avoid destroy+recreate of stateful resources on refactor
  • Pin the provider and modules; commit .terraform.lock.hcl
  • OIDC federation for CI/CD credentials over static keys

Other Information

Modeled directly on the structure and house style of the existing aws-cdk core skill (RFC 2119 keywords, workflow/troubleshooting tables, reference files with tables of contents). Passes the repo's tools/validate.py and markdownlint-cli2 checks.
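Added illustration (not part of the issue above, and not code from the aws-core plugin or the proposed skill): a minimal Terraform-on-AWS root module that applies the guardrails listed under "Proposed Solution" in one place. The bucket, key, table, role, org and repo names are placeholders, and the backend block assumes the state bucket already exists with versioning and SSE-KMS enabled.

```hcl
# Added example, not from the issue or the aws-core plugin.
# All names, ids and regions below are placeholders.

terraform {
  required_version = "~> 1.10" # use_lockfile needs Terraform 1.10 or newer

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.80" # pinned; exact hashes are recorded in .terraform.lock.hcl (commit it)
    }
  }

  backend "s3" {
    bucket       = "example-tfstate-prod"      # assumption: pre-created, versioned, SSE-KMS
    key          = "network/terraform.tfstate" # one key per stack; per-environment isolation by bucket/prefix
    region       = "us-east-1"
    encrypt      = true         # state is secret-bearing; encrypt at rest
    kms_key_id   = "alias/tfstate" # assumption: customer-managed key
    use_lockfile = true         # S3 native locking; no DynamoDB table required
  }
}

provider "aws" {
  region = "us-east-1"
}

# Refactor-safe rename: the bucket used to be addressed as aws_s3_bucket.logs.
# The moved block re-maps the state address instead of destroy + recreate.
moved {
  from = aws_s3_bucket.logs
  to   = aws_s3_bucket.audit_logs
}

resource "aws_s3_bucket" "audit_logs" {
  bucket = "example-audit-logs" # assumption

  lifecycle {
    prevent_destroy = true # any plan that would delete this stateful resource fails
  }
}

# Adopt an existing, hand-created table into state without recreating it.
import {
  to = aws_dynamodb_table.sessions
  id = "sessions" # assumption: name of the existing table
}

resource "aws_dynamodb_table" "sessions" {
  name         = "sessions"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "id"

  attribute {
    name = "id"
    type = "S"
  }
}

# CI/CD identity: GitHub Actions assumes this role through OIDC, so the
# pipeline stores no static access keys. Org, repo and branch are placeholders.
data "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"
}

data "aws_iam_policy_document" "github_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.github.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:example-org/example-repo:ref:refs/heads/main"] # pin to one repo and branch
    }
  }
}

resource "aws_iam_role" "terraform_ci" {
  name               = "terraform-ci"
  assume_role_policy = data.aws_iam_policy_document.github_trust.json
}
```

After adding a moved or import block, run `terraform plan` before `apply` and read the summary: a correct rename shows the resource as moved with no changes, an import shows "will be imported", and anything listed under destroy/replace for a stateful resource means the address or configuration did not match and the plan should not be applied.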
