Describe the feature
Add a terraform core skill to the aws-core plugin, covering how AI agents author, deploy, and troubleshoot AWS infrastructure with Terraform (using the hashicorp/aws provider).
It would mirror the existing aws-cdk skill anatomy — a SKILL.md (overview, critical warnings, workflow + troubleshooting tables, security considerations) plus reference files for:
- project-setup — structure, version pinning, .terraform.lock.hcl, providers
- module-authoring — input/output contracts, provider passing, composition, versioning
- state-and-backends — S3 native locking, secrets-in-state, per-environment isolation
- refactor-and-import — moved/import blocks, drift, replacement control
- troubleshooting — state locks, credentials, plan/apply, destroy ordering, state-version mismatch
Scope is Terraform-on-AWS only. It would explicitly hand off to aws-cdk / aws-cloudformation for those tools, and scope out SAM, CDKTF, and Pulumi.
Use Case
The toolkit gives agents rich, guardrailed IaC guidance for AWS CDK and CloudFormation, but there is no Terraform skill. The aws-cdk skill explicitly scopes Terraform out ("Terraform/Pulumi ... Use builtin knowledge or specialized skills for these"), so the moment an agent works in a Terraform repo it falls back to ungrounded model knowledge — exactly where it can corrupt state, leak secrets stored in state, or destroy stateful resources through an accidental address change.
Terraform is one of the most widely used IaC tools on AWS, so this is a significant coverage gap for the largest IaC audience.
Proposed Solution
Add the skill under skills/core-skills/terraform/ and surface it through the aws-core plugin. Name it terraform (not aws-terraform) since Terraform is a HashiCorp tool, not an AWS service — the aws- prefix is reserved for AWS-owned skills.
Key guardrails the skill would enforce:
- Remote, encrypted, locked state (S3 backend with use_lockfile, or DynamoDB) — never local state for shared/automated work
- Treat state as secret-bearing (encrypt at rest, never commit *.tfstate)
- Use moved/import blocks to avoid destroy+recreate of stateful resources on refactor
- Pin the provider and modules; commit .terraform.lock.hcl
- OIDC federation for CI/CD credentials over static keys
Other Information
Modeled directly on the structure and house style of the existing aws-cdk core skill (RFC 2119 keywords, workflow/troubleshooting tables, reference files with tables of contents). Passes the repo's tools/validate.py and markdownlint-cli2 checks.
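
A minimal configuration that follows the guardrails listed under Proposed Solution, added here as an illustration; it is not taken from the proposed skill or from the toolkit repository. Bucket names, the state key, the region, the version constraints and the resource names are constructed placeholders.

```hcl
# Constructed example: bucket, key, region and resource names are placeholders.
terraform {
  # S3-native locking (use_lockfile) needs Terraform 1.10 or later.
  required_version = ">= 1.10.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # pinned range; exact build is recorded in .terraform.lock.hcl
    }
  }

  backend "s3" {
    bucket       = "example-org-tfstate"            # placeholder
    key          = "prod/network/terraform.tfstate" # one key per environment/stack
    region       = "us-east-1"
    encrypt      = true # server-side encryption for the state object
    use_lockfile = true # lock file in S3 instead of a DynamoDB table
    # No access_key/secret_key here: credentials come from the environment,
    # for example a role assumed through OIDC federation in CI.
  }
}

# This resource was renamed from aws_s3_bucket.logs. Without the moved block
# below, the plan would destroy the old address and create the new one.
resource "aws_s3_bucket" "audit_logs" {
  bucket = "example-org-audit-logs" # placeholder

  lifecycle {
    prevent_destroy = true # plan fails if a change would delete this bucket
  }
}

moved {
  from = aws_s3_bucket.logs
  to   = aws_s3_bucket.audit_logs
}
```

With the moved block in place, `terraform plan` reports the address change as a move rather than a destroy and create.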