Terraform 风格指南 - HashiCorp 官方代码规范与最佳实践

terraform-style-guide by hashicorp/agent-skills

2,300 周安装量

486 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/hashicorp/agent-skills --skill terraform-style-guide

开发云服务开发运维

🇨🇳中文介绍

Terraform 风格指南

遵循 HashiCorp 官方风格约定和最佳实践来生成和维护 Terraform 代码。

参考： HashiCorp Terraform 风格指南

代码生成策略

生成 Terraform 代码时：

从提供程序配置和版本约束开始
在依赖资源之前创建数据源
按依赖顺序构建资源
为关键资源属性添加输出
对所有可配置值使用变量

文件组织

文件	用途
`terraform.tf`	Terraform 和提供程序版本要求
`providers.tf`	提供程序配置
`main.tf`	主要资源和数据源
`variables.tf`

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

相关 Skills

find-skills 技能搜索工具 - Vercel Labs 开源智能体技能包管理器

733,500 周安装

Vercel React 最佳实践指南 | 58条Next.js性能优化规则与代码重构

252,100 周安装

Vercel Web界面规范检查工具 - 自动检测代码是否符合Web设计指南

202,600 周安装

agent-browser 浏览器自动化工具 - Vercel Labs 命令行网页操作与测试

133,200 周安装

# terraform.tf
terraform {
  required_version = ">= 1.7"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# variables.tf
variable "environment" {
  description = "目标部署环境"
  type        = string

  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "环境必须是 dev、staging 或 prod。"
  }
}

# locals.tf
locals {
  common_tags = {
    Environment = var.environment
    ManagedBy   = "Terraform"
  }
}

# main.tf
resource "aws_vpc" "main" {
  cidr_block           = var.vpc_cidr
  enable_dns_hostnames = true

  tags = merge(local.common_tags, {
    Name = "${var.project_name}-${var.environment}-vpc"
  })
}

# outputs.tf
output "vpc_id" {
  description = "创建的 VPC 的 ID"
  value       = aws_vpc.main.id
}

每个嵌套级别使用 两个空格（不使用制表符）
对齐连续参数的等号

resource "aws_instance" "web" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
  subnet_id     = "subnet-12345678"

  tags = {
    Name        = "web-server"
    Environment = "production"
  }
}

参数位于块之前，元参数优先：

resource "aws_instance" "example" {
  # 元参数
  count = 3

  # 参数
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"

  # 块
  root_block_device {
    volume_size = 20
  }

  # 生命周期最后
  lifecycle {
    create_before_destroy = true
  }
}

所有名称使用 小写字母加下划线
使用 描述性名词，排除资源类型
要具体且有意义
资源名称必须是单数，而不是复数
当特定的描述性名称是冗余的或不可用时，默认使用 main，前提是只存在一个实例

# 错误示例
resource "aws_instance" "webAPI-aws-instance" {}
resource "aws_instance" "web_apis" {}
variable "name" {}

# 正确示例
resource "aws_instance" "web_api" {}
resource "aws_vpc" "main" {}
variable "application_name" {}

每个变量必须包含 type 和 description：

variable "instance_type" {
  description = "Web 服务器的 EC2 实例类型"
  type        = string
  default     = "t2.micro"

  validation {
    condition     = contains(["t2.micro", "t2.small", "t2.medium"], var.instance_type)
    error_message = "实例类型必须是 t2.micro、t2.small 或 t2.medium。"
  }
}

variable "database_password" {
  description = "数据库管理员用户的密码"
  type        = string
  sensitive   = true
}

每个输出必须包含 description：

output "instance_id" {
  description = "EC2 实例的 ID"
  value       = aws_instance.web.id
}

output "database_password" {
  description = "数据库管理员密码"
  value       = aws_db_instance.main.password
  sensitive   = true
}

优先使用 for_each 而非 count

# 错误示例 - 使用 count 创建多个资源
resource "aws_instance" "web" {
  count = var.instance_count
  tags  = { Name = "web-${count.index}" }
}

# 正确示例 - 使用 for_each 并命名实例
variable "instance_names" {
  type    = set(string)
  default = ["web-1", "web-2", "web-3"]
}

resource "aws_instance" "web" {
  for_each = var.instance_names
  tags     = { Name = each.key }
}

使用 count 进行条件创建

resource "aws_cloudwatch_metric_alarm" "cpu" {
  count = var.enable_monitoring ? 1 : 0

  alarm_name = "high-cpu-usage"
  threshold  = 80
}

生成代码时，应用安全加固：

默认启用静态加密
在适用的情况下配置私有网络
为安全组应用最小权限原则
启用日志记录和监控
切勿硬编码凭据或机密信息
使用 sensitive = true 标记敏感输出

示例：安全的 S3 存储桶

resource "aws_s3_bucket" "data" {
  bucket = "${var.project}-${var.environment}-data"
  tags   = local.common_tags
}

resource "aws_s3_bucket_versioning" "data" {
  bucket = aws_s3_bucket.data.id

  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
  }
}

resource "aws_s3_bucket_public_access_block" "data" {
  bucket = aws_s3_bucket.data.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

terraform {
  required_version = ">= 1.7"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"  # 允许次要版本更新
    }
  }
}

版本约束运算符：

= 1.0.0 - 精确版本
>= 1.0.0 - 大于或等于
~> 1.0 - 允许最右侧组件递增
>= 1.0, < 2.0 - 版本范围

provider "aws" {
  region = "us-west-2"

  default_tags {
    tags = {
      ManagedBy = "Terraform"
      Project   = var.project_name
    }
  }
}

# 用于多区域的别名提供程序
provider "aws" {
  alias  = "east"
  region = "us-east-1"
}

terraform.tfstate、terraform.tfstate.backup
.terraform/ 目录
*.tfplan
包含敏感数据的 .tfvars 文件

所有 .tf 配置文件
.terraform.lock.hcl（依赖项锁定文件）

terraform fmt -recursive
terraform validate

tflint - 代码检查和最佳实践
checkov / tfsec - 安全扫描

代码已使用 terraform fmt 格式化
配置已使用 terraform validate 验证
文件按标准结构组织
所有变量都有类型和描述
所有输出都有描述
资源名称使用带下划线的描述性名词
版本约束已明确固定
敏感值已用 sensitive = true 标记
没有硬编码的凭据或机密信息
已应用安全最佳实践

🇺🇸English

Terraform Style Guide

Generate and maintain Terraform code following HashiCorp's official style conventions and best practices.

Reference: HashiCorp Terraform Style Guide

Code Generation Strategy

When generating Terraform code:

Start with provider configuration and version constraints
Create data sources before dependent resources
Build resources in dependency order
Add outputs for key resource attributes
Use variables for all configurable values

File Organization

File	Purpose
`terraform.tf`	Terraform and provider version requirements
`providers.tf`	Provider configurations
`main.tf`	Primary resources and data sources
`variables.tf`	Input variable declarations (alphabetical)
`outputs.tf`	Output value declarations (alphabetical)
`locals.tf`	Local value declarations

Example Structure

# terraform.tf
terraform {
  required_version = ">= 1.7"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# variables.tf
variable "environment" {
  description = "Target deployment environment"
  type        = string

  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "Environment must be dev, staging, or prod."
  }
}

# locals.tf
locals {
  common_tags = {
    Environment = var.environment
    ManagedBy   = "Terraform"
  }
}

# main.tf
resource "aws_vpc" "main" {
  cidr_block           = var.vpc_cidr
  enable_dns_hostnames = true

  tags = merge(local.common_tags, {
    Name = "${var.project_name}-${var.environment}-vpc"
  })
}

# outputs.tf
output "vpc_id" {
  description = "ID of the created VPC"
  value       = aws_vpc.main.id
}

Code Formatting

Indentation and Alignment

Use two spaces per nesting level (no tabs)
Align equals signs for consecutive arguments

resource "aws_instance" "web" { ami = "ami-0c55b159cbfafe1f0" instance_type = "t2.micro" subnet_id = "subnet-12345678"

tags = { Name = "web-server" Environment = "production" } }

Block Organization

Arguments precede blocks, with meta-arguments first:

resource "aws_instance" "example" {
  # Meta-arguments
  count = 3

  # Arguments
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"

  # Blocks
  root_block_device {
    volume_size = 20
  }

  # Lifecycle last
  lifecycle {
    create_before_destroy = true
  }
}

Naming Conventions

Use lowercase with underscores for all names
Use descriptive nouns excluding the resource type
Be specific and meaningful
Resource names must be singular, not plural
Default to main for resources where a specific descriptive name is redundant or unavailable, provided only one instance exists

Bad

resource "aws_instance" "webAPI-aws-instance" {} resource "aws_instance" "web_apis" {} variable "name" {}

Good

resource "aws_instance" "web_api" {} resource "aws_vpc" "main" {} variable "application_name" {}

Variables

Every variable must include type and description:

variable "instance_type" {
  description = "EC2 instance type for the web server"
  type        = string
  default     = "t2.micro"

  validation {
    condition     = contains(["t2.micro", "t2.small", "t2.medium"], var.instance_type)
    error_message = "Instance type must be t2.micro, t2.small, or t2.medium."
  }
}

variable "database_password" {
  description = "Password for the database admin user"
  type        = string
  sensitive   = true
}

Outputs

Every output must include description:

output "instance_id" {
  description = "ID of the EC2 instance"
  value       = aws_instance.web.id
}

output "database_password" {
  description = "Database administrator password"
  value       = aws_db_instance.main.password
  sensitive   = true
}

Dynamic Resource Creation

Prefer for_each over count

# Bad - count for multiple resources
resource "aws_instance" "web" {
  count = var.instance_count
  tags  = { Name = "web-${count.index}" }
}

# Good - for_each with named instances
variable "instance_names" {
  type    = set(string)
  default = ["web-1", "web-2", "web-3"]
}

resource "aws_instance" "web" {
  for_each = var.instance_names
  tags     = { Name = each.key }
}

count for Conditional Creation

resource "aws_cloudwatch_metric_alarm" "cpu" {
  count = var.enable_monitoring ? 1 : 0

  alarm_name = "high-cpu-usage"
  threshold  = 80
}

Security Best Practices

When generating code, apply security hardening:

Enable encryption at rest by default
Configure private networking where applicable
Apply principle of least privilege for security groups
Enable logging and monitoring
Never hardcode credentials or secrets
Mark sensitive outputs with sensitive = true

Example: Secure S3 Bucket

resource "aws_s3_bucket" "data" {
  bucket = "${var.project}-${var.environment}-data"
  tags   = local.common_tags
}

resource "aws_s3_bucket_versioning" "data" {
  bucket = aws_s3_bucket.data.id

  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
  }
}

resource "aws_s3_bucket_public_access_block" "data" {
  bucket = aws_s3_bucket.data.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Version Pinning

terraform {
  required_version = ">= 1.7"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"  # Allow minor updates
    }
  }
}

Version constraint operators:

= 1.0.0 - Exact version
>= 1.0.0 - Greater than or equal
~> 1.0 - Allow rightmost component to increment
>= 1.0, < 2.0 - Version range

Provider Configuration

provider "aws" {
  region = "us-west-2"

  default_tags {
    tags = {
      ManagedBy = "Terraform"
      Project   = var.project_name
    }
  }
}

# Aliased provider for multi-region
provider "aws" {
  alias  = "east"
  region = "us-east-1"
}

Version Control

Never commit:

terraform.tfstate, terraform.tfstate.backup
.terraform/ directory
*.tfplan
.tfvars files with sensitive data

Always commit:

All .tf configuration files
.terraform.lock.hcl (dependency lock file)

Validation Tools

Run before committing:

terraform fmt -recursive
terraform validate

Additional tools:

tflint - Linting and best practices
checkov / tfsec - Security scanning

Code Review Checklist

Code formatted with terraform fmt
Configuration validated with terraform validate
Files organized according to standard structure
All variables have type and description
All outputs have descriptions
Resource names use descriptive nouns with underscores
Version constraints pinned explicitly
Sensitive values marked with sensitive = true
No hardcoded credentials or secrets
Security best practices applied

Based on:HashiCorp Terraform Style Guide

Weekly Installs

2.1K

Repository

hashicorp/agent-skills

GitHub Stars

477

First Seen

Jan 26, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

opencode1.8K

github-copilot1.8K

codex1.7K

gemini-cli1.7K

amp1.5K

kimi-cli1.5K

React 组合模式指南：Vercel 组件架构最佳实践，提升代码可维护性

102,200 周安装

Terraform 风格指南 - HashiCorp 官方代码规范与最佳实践

🇨🇳中文介绍

Terraform 风格指南

代码生成策略

文件组织

相关 Skills

示例结构

代码格式化

缩进和对齐

块组织

命名约定

变量

输出

动态资源创建