Terraform 与 OpenTofu 最佳实践指南：模块架构、测试策略与 CI/CD

terraform-skill by antonbabenko/terraform-skill

487 周安装量

1,400 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/antonbabenko/terraform-skill --skill terraform-skill

自动化云服务开发运维

🇨🇳中文介绍

Terraform 技能（适用于 Claude）

提供全面的 Terraform 和 OpenTofu 指导，涵盖测试、模块、CI/CD 和生产模式。基于 terraform-best-practices.com 和企业实践经验。

何时使用此技能

在以下情况激活此技能：

创建新的 Terraform 或 OpenTofu 配置或模块时
为 IaC 代码设置测试基础设施时
决定测试方法（验证、计划、框架）时
构建多环境部署结构时
为基础设施即代码实施 CI/CD 时
审查或重构现有 Terraform/OpenTofu 项目时
在模块模式或状态管理方法之间进行选择时

不要将此技能用于：

基础的 Terraform/OpenTofu 语法问题（Claude 已掌握）
特定于提供商的 API 参考（请链接到官方文档）
与 Terraform/OpenTofu 无关的云平台问题

核心原则

1. 代码结构哲学

模块层次结构：

类型	何时使用	范围
资源模块	一组相互关联的单一逻辑资源	VPC + 子网，安全组 + 规则
基础设施模块	为特定目的而收集的资源模块	一个区域/账户中的多个资源模块

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

决策矩阵：选择哪种测试方法？

你的情况	推荐方法	工具	成本
快速语法检查	静态分析	`terraform validate`, `fmt`	免费
预提交验证	静态分析 + 代码检查	`validate`, `tflint`, `trivy`, `checkov`	免费
Terraform 1.6+，简单逻辑	原生测试框架	内置 `terraform test`	免费-低
1.6 版本之前，或有 Go 专业知识	集成测试	Terratest	低-中
关注安全/合规性	策略即代码	OPA, Sentinel	免费
成本敏感的工作流	模拟提供程序 (1.7+)	原生测试 + 模拟	免费
多云，复杂	完整集成	Terratest + 真实基础设施	中-高

基础设施测试金字塔

        /\
       /  \          端到端测试（昂贵）
      /____\         - 完整环境部署
     /      \        - 类生产环境设置
    /________\
   /          \     集成测试（中等）
  /____________\     - 模块隔离测试
 /              \    - 测试账户中的真实资源
/________________\   静态分析（廉价）
                     - validate, fmt, lint
                     - 安全扫描

原生测试最佳实践 (1.6+)

生成测试代码前：

使用 Terraform MCP 验证模式：

Search provider docs → Get resource schema → Identify block types

选择正确的命令模式：
- command = plan - 快速，用于输入验证
- command = apply - 需要用于计算值和集合类型块
正确处理集合类型块：
- 不能使用 [0] 索引
- 使用 for 表达式进行迭代
- 或者使用 command = apply 来具体化

S3 加密规则：集合（使用 for 表达式）
生命周期转换：集合（使用 for 表达式）
IAM 策略声明：集合（使用 for 表达式）

有关详细的测试指南，请参阅：

测试框架指南 - 深入探讨静态分析、原生测试和 Terratest
快速参考 - 决策流程图和命令速查表

为保持一致性，采用严格排序：

count 或 for_each 在最前面（之后空一行）
其他参数
tags 作为最后一个实际参数
depends_on 在 tags 之后（如果需要）
lifecycle 在最后（如果需要）

# ✅ 良好 - 正确的排序
resource "aws_nat_gateway" "this" {
  count = var.create_nat_gateway ? 1 : 0

  allocation_id = aws_eip.this[0].id
  subnet_id     = aws_subnet.public[0].id

  tags = {
    Name = "${var.name}-nat"
  }

  depends_on = [aws_internet_gateway.this]

  lifecycle {
    create_before_destroy = true
  }
}

description（始终必需）
type
default
validation
nullable（当设置为 false 时）

variable "environment" {
  description = "用于资源标记的环境名称"
  type        = string
  default     = "dev"

  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "环境必须是以下之一：dev, staging, prod."
  }

  nullable = false
}

有关完整的结构指南，请参阅： 代码模式：块排序与结构

Count 与 For_Each：何时使用

场景	使用	原因
布尔条件（创建或不创建）	`count = condition ? 1 : 0`	简单的开关切换
简单的数字复制	`count = 3`	固定数量的相同资源
项目可能被重新排序/移除	`for_each = toset(list)`	稳定的资源地址
按键引用	`for_each = map`	对资源的命名访问
多个命名资源	`for_each`	更好的可维护性

# ✅ 良好 - 布尔条件
resource "aws_nat_gateway" "this" {
  count = var.create_nat_gateway ? 1 : 0
  # ...
}

使用 for_each 实现稳定寻址：

# ✅ 良好 - 移除 "us-east-1b" 仅影响该子网
resource "aws_subnet" "private" {
  for_each = toset(var.availability_zones)

  availability_zone = each.key
  # ...
}

# ❌ 不良 - 移除中间的可用区会重新创建所有后续子网
resource "aws_subnet" "private" {
  count = length(var.availability_zones)

  availability_zone = var.availability_zones[count.index]
  # ...
}

有关迁移指南和详细示例，请参阅： 代码模式：Count 与 For_Each

使用 Locals 进行依赖管理

使用 locals 确保正确的资源删除顺序：

# 问题：子网可能在 CIDR 块之后被删除，导致错误
# 解决方案：在 locals 中使用 try() 来提示删除顺序

locals {
  # 首先引用次要 CIDR，回退到 VPC
  # 强制 Terraform 在删除 CIDR 关联之前删除子网
  vpc_id = try(
    aws_vpc_ipv4_cidr_block_association.this[0].vpc_id,
    aws_vpc.this.id,
    ""
  )
}

resource "aws_vpc" "this" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_vpc_ipv4_cidr_block_association" "this" {
  count = var.add_secondary_cidr ? 1 : 0

  vpc_id     = aws_vpc.this.id
  cidr_block = "10.1.0.0/16"
}

resource "aws_subnet" "public" {
  vpc_id     = local.vpc_id  # 使用 local，而非直接引用
  cidr_block = "10.1.0.0/24"
}

防止销毁基础设施时的删除错误
确保正确的依赖顺序，无需显式 depends_on
对于具有次要 CIDR 块的 VPC 配置尤其有用

有关详细示例，请参阅： 代码模式：使用 Locals 进行依赖管理

my-module/
├── README.md           # 使用文档
├── main.tf             # 主要资源
├── variables.tf        # 带有描述的输入变量
├── outputs.tf          # 输出值
├── versions.tf         # 提供程序版本约束
├── examples/
│   ├── minimal/        # 最小工作示例
│   └── complete/       # 全功能示例
└── tests/              # 测试文件
    └── module_test.tftest.hcl  # 或 .go 文件

✅ 始终包含 description
✅ 使用显式 type 约束
✅ 在适当的地方提供合理的 default 值
✅ 为复杂约束添加 validation 块
✅ 对机密信息使用 sensitive = true

✅ 始终包含 description
✅ 使用 sensitive = true 标记敏感输出
✅ 考虑为相关值返回对象
✅ 记录使用者应如何处理每个输出

有关详细的模块模式，请参阅：

模块模式指南 - 变量最佳实践、输出设计、✅ 正确做法 vs ❌ 错误做法模式
快速参考 - 资源命名、变量命名、文件组织

应避免的常见问题

在变量中存储机密信息
使用默认 VPC
跳过加密
将安全组开放到 0.0.0.0/0

使用 AWS Secrets Manager / Parameter Store
创建专用 VPC
启用静态加密
使用最小权限安全组

有关详细的安全指导，请参阅：

安全与合规指南 - Trivy/Checkov 集成、机密信息管理、状态文件安全、合规性测试

version = "5.0.0"      # 精确版本（避免 - 不灵活）
version = "~> 5.0"     # 推荐：仅 5.0.x
version = ">= 5.0"     # 最低版本（有风险 - 破坏性变更）

按组件划分的策略

组件	策略	示例
Terraform	固定次要版本	`required_version = "~> 1.9"`
提供程序	固定主版本	`version = "~> 5.0"`
模块 (生产)	固定精确版本	`version = "5.1.2"`
模块 (开发)	允许补丁更新	`version = "~> 5.1"`

# 初始锁定版本
terraform init              # 创建 .terraform.lock.hcl

# 在约束范围内更新到最新版本
terraform init -upgrade     # 更新提供程序

# 审查和测试
terraform plan

有关详细的版本管理，请参阅： 代码模式：版本管理

现代 Terraform 特性 (1.0+)

各版本特性可用性

特性	版本	使用场景
`try()` 函数	0.13+	安全回退，替代 `element(concat())`
`nullable = false`	1.1+	防止变量中出现空值
`moved` 块	1.1+	重构而无需销毁/重新创建
带默认值的 `optional()`	1.3+	可选对象属性
原生测试	1.6+	内置测试框架
模拟提供程序	1.7+	免费单元测试
提供程序函数	1.8+	提供程序特定的数据转换
跨变量验证	1.9+	验证变量间的关系
只写参数	1.11+	机密信息永不存储在状态中

# try() - 安全回退 (0.13+)
output "sg_id" {
  value = try(aws_security_group.this[0].id, "")
}

# optional() - 带默认值的可选属性 (1.3+)
variable "config" {
  type = object({
    name    = string
    timeout = optional(number, 300)  # 默认值: 300
  })
}

# 跨变量验证 (1.9+)
variable "environment" { type = string }
variable "backup_days" {
  type = number
  validation {
    condition     = var.environment == "prod" ? var.backup_days >= 7 : true
    error_message = "生产环境要求 backup_days >= 7"
  }
}

有关完整的模式和示例，请参阅： 代码模式：现代 Terraform 特性

使用 Terratest 进行测试
无原生测试框架可用
专注于静态分析和计划验证

Terraform 1.6+ / OpenTofu 1.6+

新增： 原生 terraform test / tofu test 命令
考虑为简单测试从外部框架迁移
仅为复杂的集成测试保留 Terratest

Terraform 1.7+ / OpenTofu 1.7+

新增： 用于单元测试的模拟提供程序
通过模拟外部依赖来降低成本
使用真实的集成测试进行最终验证

Terraform 与 OpenTofu

此技能完全支持两者。有关许可、治理和特性比较，请参阅快速参考：Terraform 与 OpenTofu 比较。

此技能采用渐进式披露 - 基本信息在此主文件中，详细指南在需要时可用：

📚 参考文件：

测试框架 - 关于静态分析、原生测试和 Terratest 的深入指南
模块模式 - 模块结构、变量/输出最佳实践、✅ 正确做法 vs ❌ 错误做法模式
CI/CD 工作流 - GitHub Actions、GitLab CI 模板、成本优化、自动清理
安全与合规 - Trivy/Checkov 集成、机密信息管理、合规性测试
快速参考 - 命令速查表、决策流程图、故障排除指南

使用方法： 当你需要某个主题的详细信息时，请参考相应的指南。Claude 将按需加载它以提供全面的指导。

此技能根据 Apache License 2.0 授权。有关完整条款，请参阅 LICENSE 文件。

🇺🇸English

Terraform Skill for Claude

Comprehensive Terraform and OpenTofu guidance covering testing, modules, CI/CD, and production patterns. Based on terraform-best-practices.com and enterprise experience.

When to Use This Skill

Activate this skill when:

Creating new Terraform or OpenTofu configurations or modules
Setting up testing infrastructure for IaC code
Deciding between testing approaches (validate, plan, frameworks)
Structuring multi-environment deployments
Implementing CI/CD for infrastructure-as-code
Reviewing or refactoring existing Terraform/OpenTofu projects
Choosing between module patterns or state management approaches

Don't use this skill for:

Basic Terraform/OpenTofu syntax questions (Claude knows this)
Provider-specific API reference (link to docs instead)
Cloud platform questions unrelated to Terraform/OpenTofu

Core Principles

1. Code Structure Philosophy

Module Hierarchy:

Type	When to Use	Scope
Resource Module	Single logical group of connected resources	VPC + subnets, Security group + rules
Infrastructure Module	Collection of resource modules for a purpose	Multiple resource modules in one region/account
Composition	Complete infrastructure	Spans multiple regions/accounts

Hierarchy: Resource → Resource Module → Infrastructure Module → Composition

Directory Structure:

environments/        # Environment-specific configurations
├── prod/
├── staging/
└── dev/

modules/            # Reusable modules
├── networking/
├── compute/
└── data/

examples/           # Module usage examples (also serve as tests)
├── complete/
└── minimal/

Key principle from terraform-best-practices.com:

Separate environments (prod, staging) from modules (reusable components)
Use examples/ as both documentation and integration test fixtures
Keep modules small and focused (single responsibility)

For detailed module architecture, see: Code Patterns: Module Types & Hierarchy

2. Naming Conventions

Resources:

# Good: Descriptive, contextual
resource "aws_instance" "web_server" { }
resource "aws_s3_bucket" "application_logs" { }

# Good: "this" for singleton resources (only one of that type)
resource "aws_vpc" "this" { }
resource "aws_security_group" "this" { }

# Avoid: Generic names for non-singletons
resource "aws_instance" "main" { }
resource "aws_s3_bucket" "bucket" { }

Singleton Resources:

Use "this" when your module creates only one resource of that type:

✅ DO:

resource "aws_vpc" "this" {}           # Module creates one VPC
resource "aws_security_group" "this" {}  # Module creates one SG

❌ DON'T use "this" for multiple resources:

resource "aws_subnet" "this" {}  # If creating multiple subnets

Use descriptive names when creating multiple resources of the same type.

Variables:

# Prefix with context when needed
var.vpc_cidr_block          # Not just "cidr"
var.database_instance_class # Not just "instance_class"

Files:

main.tf - Primary resources
variables.tf - Input variables
outputs.tf - Output values
versions.tf - Provider versions
data.tf - Data sources (optional)

Testing Strategy Framework

Decision Matrix: Which Testing Approach?

Your Situation	Recommended Approach	Tools	Cost
Quick syntax check	Static analysis	`terraform validate`, `fmt`	Free
Pre-commit validation	Static + lint	`validate`, `tflint`, `trivy`, `checkov`	Free

Testing Pyramid for Infrastructure

        /\
       /  \          End-to-End Tests (Expensive)
      /____\         - Full environment deployment
     /      \        - Production-like setup
    /________\
   /          \      Integration Tests (Moderate)
  /____________\     - Module testing in isolation
 /              \    - Real resources in test account
/________________\   Static Analysis (Cheap)
                     - validate, fmt, lint
                     - Security scanning

Native Test Best Practices (1.6+)

Before generating test code:

Validate schemas with Terraform MCP:

Search provider docs → Get resource schema → Identify block types

Choose correct command mode:
- command = plan - Fast, for input validation
- command = apply - Required for computed values and set-type blocks
Handle set-type blocks correctly:
- Cannot index with [0]
- Use for expressions to iterate
- Or use command = apply to materialize

Common patterns:

S3 encryption rules: set (use for expressions)
Lifecycle transitions: set (use for expressions)
IAM policy statements: set (use for expressions)

For detailed testing guides, see:

Testing Frameworks Guide - Deep dive into static analysis, native tests, and Terratest
Quick Reference - Decision flowchart and command cheat sheet

Code Structure Standards

Resource Block Ordering

Strict ordering for consistency:

count or for_each FIRST (blank line after)
Other arguments
tags as last real argument
depends_on after tags (if needed)
lifecycle at the very end (if needed)

# ✅ GOOD - Correct ordering

resource "aws_nat_gateway" "this" {
  count = var.create_nat_gateway ? 1 : 0

  allocation_id = aws_eip.this[0].id
  subnet_id     = aws_subnet.public[0].id

  tags = {
    Name = "${var.name}-nat"
  }

  depends_on = [aws_internet_gateway.this]

  lifecycle {
    create_before_destroy = true
  }
}

Variable Block Ordering

description (ALWAYS required)
type
default
validation
nullable (when setting to false)

variable "environment" {

  description = "Environment name for resource tagging"
  type        = string
  default     = "dev"

  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "Environment must be one of: dev, staging, prod."
  }

  nullable = false
}

For complete structure guidelines, see: Code Patterns: Block Ordering & Structure

Count vs For_Each: When to Use Each

Quick Decision Guide

Scenario	Use	Why
Boolean condition (create or don't)	`count = condition ? 1 : 0`	Simple on/off toggle
Simple numeric replication	`count = 3`	Fixed number of identical resources
Items may be reordered/removed	`for_each = toset(list)`	Stable resource addresses
Reference by key	`for_each = map`	Named access to resources
Multiple named resources	`for_each`

Common Patterns

Boolean conditions:

# ✅ GOOD - Boolean condition
resource "aws_nat_gateway" "this" {
  count = var.create_nat_gateway ? 1 : 0
  # ...
}

Stable addressing with for_each:

# ✅ GOOD - Removing "us-east-1b" only affects that subnet
resource "aws_subnet" "private" {
  for_each = toset(var.availability_zones)

  availability_zone = each.key
  # ...
}

# ❌ BAD - Removing middle AZ recreates all subsequent subnets
resource "aws_subnet" "private" {
  count = length(var.availability_zones)

  availability_zone = var.availability_zones[count.index]
  # ...
}

For migration guides and detailed examples, see: Code Patterns: Count vs For_Each

Locals for Dependency Management

Use locals to ensure correct resource deletion order:

# Problem: Subnets might be deleted after CIDR blocks, causing errors
# Solution: Use try() in locals to hint deletion order

locals {
  # References secondary CIDR first, falling back to VPC
  # Forces Terraform to delete subnets before CIDR association
  vpc_id = try(
    aws_vpc_ipv4_cidr_block_association.this[0].vpc_id,
    aws_vpc.this.id,
    ""
  )
}

resource "aws_vpc" "this" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_vpc_ipv4_cidr_block_association" "this" {
  count = var.add_secondary_cidr ? 1 : 0

  vpc_id     = aws_vpc.this.id
  cidr_block = "10.1.0.0/16"
}

resource "aws_subnet" "public" {
  vpc_id     = local.vpc_id  # Uses local, not direct reference
  cidr_block = "10.1.0.0/24"
}

Why this matters:

Prevents deletion errors when destroying infrastructure
Ensures correct dependency order without explicit depends_on
Particularly useful for VPC configurations with secondary CIDR blocks

For detailed examples, see: Code Patterns: Locals for Dependency Management

Module Development

Standard Module Structure

my-module/
├── README.md           # Usage documentation
├── main.tf             # Primary resources
├── variables.tf        # Input variables with descriptions
├── outputs.tf          # Output values
├── versions.tf         # Provider version constraints
├── examples/
│   ├── minimal/        # Minimal working example
│   └── complete/       # Full-featured example
└── tests/              # Test files
    └── module_test.tftest.hcl  # Or .go

Best Practices Summary

Variables:

✅ Always include description
✅ Use explicit type constraints
✅ Provide sensible default values where appropriate
✅ Add validation blocks for complex constraints
✅ Use sensitive = true for secrets

Outputs:

✅ Always include description
✅ Mark sensitive outputs with sensitive = true
✅ Consider returning objects for related values
✅ Document what consumers should do with each output

For detailed module patterns, see:

Module Patterns Guide - Variable best practices, output design, ✅ DO vs ❌ DON'T patterns
Quick Reference - Resource naming, variable naming, file organization

CI/CD Integration

Recommended Workflow Stages

Validate - Format check + syntax validation + linting
Test - Run automated tests (native or Terratest)
Plan - Generate and review execution plan
Apply - Execute changes (with approvals for production)

Cost Optimization Strategy

Use mocking for PR validation (free)
Run integration tests only on main branch (controlled cost)
Implement auto-cleanup (prevent orphaned resources)
Tag all test resources (track spending)

For complete CI/CD templates, see:

CI/CD Workflows Guide - GitHub Actions, GitLab CI, Atlantis integration, cost optimization
Quick Reference - Common CI/CD issues and solutions

Security & Compliance

Essential Security Checks

# Static security scanning
trivy config .
checkov -d .

Common Issues to Avoid

❌ Don't:

Store secrets in variables
Use default VPC
Skip encryption
Open security groups to 0.0.0.0/0

✅ Do:

Use AWS Secrets Manager / Parameter Store
Create dedicated VPCs
Enable encryption at rest
Use least-privilege security groups

For detailed security guidance, see:

Security& Compliance Guide - Trivy/Checkov integration, secrets management, state file security, compliance testing

Version Management

Version Constraint Syntax

version = "5.0.0"      # Exact (avoid - inflexible)
version = "~> 5.0"     # Recommended: 5.0.x only
version = ">= 5.0"     # Minimum (risky - breaking changes)

Strategy by Component

Component	Strategy	Example
Terraform	Pin minor version	`required_version = "~> 1.9"`
Providers	Pin major version	`version = "~> 5.0"`
Modules (prod)	Pin exact version	`version = "5.1.2"`
Modules (dev)	Allow patch updates	`version = "~> 5.1"`

Update Workflow

# Lock versions initially
terraform init              # Creates .terraform.lock.hcl

# Update to latest within constraints
terraform init -upgrade     # Updates providers

# Review and test
terraform plan

For detailed version management, see: Code Patterns: Version Management

Modern Terraform Features (1.0+)

Feature Availability by Version

Feature	Version	Use Case
`try()` function	0.13+	Safe fallbacks, replaces `element(concat())`
`nullable = false`	1.1+	Prevent null values in variables
`moved` blocks	1.1+	Refactor without destroy/recreate
`optional()` with defaults	1.3+	Optional object attributes
Native testing	1.6+

Quick Examples

# try() - Safe fallbacks (0.13+)
output "sg_id" {
  value = try(aws_security_group.this[0].id, "")
}

# optional() - Optional attributes with defaults (1.3+)
variable "config" {
  type = object({
    name    = string
    timeout = optional(number, 300)  # Default: 300
  })
}

# Cross-variable validation (1.9+)
variable "environment" { type = string }
variable "backup_days" {
  type = number
  validation {
    condition     = var.environment == "prod" ? var.backup_days >= 7 : true
    error_message = "Production requires backup_days >= 7"
  }
}

For complete patterns and examples, see: Code Patterns: Modern Terraform Features

Version-Specific Guidance

Terraform 1.0-1.5

Use Terratest for testing
No native testing framework available
Focus on static analysis and plan validation

Terraform 1.6+ / OpenTofu 1.6+

New: Native terraform test / tofu test command
Consider migrating from external frameworks for simple tests
Keep Terratest only for complex integration tests

Terraform 1.7+ / OpenTofu 1.7+

New: Mock providers for unit testing
Reduce cost by mocking external dependencies
Use real integration tests for final validation

Terraform vs OpenTofu

Both are fully supported by this skill. For licensing, governance, and feature comparison, see Quick Reference: Terraform vs OpenTofu.

Detailed Guides

This skill uses progressive disclosure - essential information is in this main file, detailed guides are available when needed:

📚 Reference Files:

Testing Frameworks - In-depth guide to static analysis, native tests, and Terratest
Module Patterns - Module structure, variable/output best practices, ✅ DO vs ❌ DON'T patterns
CI/CD Workflows - GitHub Actions, GitLab CI templates, cost optimization, automated cleanup
Security& Compliance - Trivy/Checkov integration, secrets management, compliance testing
Quick Reference - Command cheat sheets, decision flowcharts, troubleshooting guide

How to use: When you need detailed information on a topic, reference the appropriate guide. Claude will load it on demand to provide comprehensive guidance.

License

This skill is licensed under the Apache License 2.0. See the LICENSE file for full terms.

Weekly Installs

415

Repository

antonbabenko/te…rm-skill

GitHub Stars

1.3K

First Seen

Jan 19, 2026

Security Audits

Gen Agent Trust HubFail SocketPass SnykPass

Installed on

opencode318

claude-code282

codex279

gemini-cli278

github-copilot271

cursor224

Azure Data Explorer (Kusto) 查询技能：KQL数据分析、日志遥测与时间序列处理

100,500 周安装

Terraform 1.6+, simple logic

Terraform 与 OpenTofu 最佳实践指南：模块架构、测试策略与 CI/CD

🇨🇳中文介绍

Terraform 技能（适用于 Claude）

何时使用此技能

核心原则

1. 代码结构哲学

相关 Skills

2. 命名约定

测试策略框架

决策矩阵：选择哪种测试方法？

基础设施测试金字塔

原生测试最佳实践 (1.6+)

代码结构标准

资源块排序

变量块排序

Count 与 For_Each：何时使用

快速决策指南

常见模式

使用 Locals 进行依赖管理

模块开发

标准模块结构

最佳实践总结

CI/CD 集成

推荐的工作流阶段

成本优化策略

安全与合规

基本安全检查

应避免的常见问题

版本管理

版本约束语法

按组件划分的策略

更新工作流

现代 Terraform 特性 (1.0+)

各版本特性可用性

快速示例

版本特定指导

Terraform 1.0-1.5

Terraform 1.6+ / OpenTofu 1.6+

Terraform 1.7+ / OpenTofu 1.7+

Terraform 与 OpenTofu

详细指南

许可证

🇺🇸English

Terraform Skill for Claude

When to Use This Skill

Core Principles

1. Code Structure Philosophy

2. Naming Conventions

Testing Strategy Framework

Decision Matrix: Which Testing Approach?

Testing Pyramid for Infrastructure

Native Test Best Practices (1.6+)

Code Structure Standards

Resource Block Ordering

Variable Block Ordering

Count vs For_Each: When to Use Each

Quick Decision Guide

Common Patterns

Locals for Dependency Management

Module Development

Standard Module Structure

Best Practices Summary

CI/CD Integration

Recommended Workflow Stages

Cost Optimization Strategy

Security & Compliance

Essential Security Checks

Common Issues to Avoid

Version Management

Version Constraint Syntax

Strategy by Component

Update Workflow

Modern Terraform Features (1.0+)

Feature Availability by Version

Quick Examples

Version-Specific Guidance

Terraform 1.0-1.5

Terraform 1.6+ / OpenTofu 1.6+

Terraform 1.7+ / OpenTofu 1.7+

Terraform vs OpenTofu