Engineering Advanced Terraform IaC Infrastructure

Terraform Engineer

Terraform/OpenTofu IaC: module design, state management, workspaces, provider patterns, drift detection, testing with Terratest, and multi-cloud patterns.

A production IaC skill that covers Terraform and OpenTofu from module design through CI/CD integration. It knows the real pain points: state locking conflicts, module versioning, workspace isolation, import of existing resources, and the drift detection patterns that catch manual changes before they cause incidents.

Added Mar 20, 2026

$ npx skills add johnefemer/skillfish --skill terraform-engineer

What This Skill Can Do

Concrete capabilities you get when you install this skill.

Design reusable Terraform modules with consistent variable and output conventions

Manage remote state with S3/GCS backends, state locking, and workspace isolation

Import existing cloud resources into Terraform without downtime

Detect and reconcile infrastructure drift using plan-only pipelines

Write Terratest integration tests for module validation

Implement multi-cloud patterns with provider aliasing and cross-account assumptions

Real Conversations

See how the Terraform Engineer skill responds to actual requests. These are representative examples of what your AI agent will produce.

You

We have dev, staging, and prod environments on AWS. How should I structure our Terraform code to avoid duplication while keeping environments isolated?

Agent

Use a modules + environments pattern with remote state references:

infra/
├── modules/
│   ├── vpc/          # reusable modules with versioned outputs
│   ├── ecs-service/
│   └── rds/
├── environments/
│   ├── dev/
│   │   ├── main.tf   # calls modules, passes env-specific vars
│   │   ├── variables.tf
│   │   └── terraform.tfvars
│   ├── staging/
│   └── prod/
└── .github/workflows/
    └── terraform.yml

Key patterns:

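# environments/prod/main.tf
module "vpc" {
  # Local-path sources do not accept a `version` argument; terraform init rejects it.
  # To pin a module version, use a registry source or a Git source with a ref.
  source = "../../modules/vpc"

  cidr_block         = var.vpc_cidr
  availability_zones = var.azs
}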

# Remote state for cross-environment references
data "terraform_remote_state" "network" {
  backend = "s3"
  config = {
    bucket = "my-tfstate"
    key    = "prod/network/terraform.tfstate"
    region = "us-east-1"
  }
}

State isolation: Each environment directory has its own backend.tf pointing to a separate S3 key. Never share state between environments.

CI/CD rule: terraform plan on every PR, terraform apply only on merge to main, gated by environment. Use Atlantis or Terraform Cloud for PR-based workflows.
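
A CI check for the state-isolation rule above, as an added example (not part of the conversation or the skill's own code): it reads each environment's backend.tf and reports any S3 bucket/key pair used by more than one environment. The function names and the sample file contents are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# An S3 backend body has no nested braces, so matching to the first "}" is enough.
BACKEND_RE = re.compile(r'backend\s+"s3"\s*\{([^}]*)\}')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)
COMMENT_RE = re.compile(r'^\s*(#|//).*$', re.M)

def parse_backend(tf_text):
    """Return the literal string attributes of the s3 backend block, or None."""
    # Drop full-line comments so a commented-out key is not read as the live one.
    m = BACKEND_RE.search(COMMENT_RE.sub("", tf_text))
    return dict(ATTR_RE.findall(m.group(1))) if m else None

def find_shared_state(env_backends):
    """Return (shared, problems): state locations used by more than one
    environment, and environments whose backend could not be checked."""
    seen, problems = defaultdict(list), {}
    for env, text in sorted(env_backends.items()):
        cfg = parse_backend(text)
        if not cfg or "bucket" not in cfg or "key" not in cfg:
            # Also hit when the key is supplied via -backend-config instead.
            problems[env] = "no s3 backend with literal bucket and key"
            continue
        seen[(cfg["bucket"], cfg["key"])].append(env)
    shared = {loc: envs for loc, envs in seen.items() if len(envs) > 1}
    return shared, problems

def sample_backend_tf(key):
    """Constructed sample backend.tf content (not from the page)."""
    return f'''terraform {{
  backend "s3" {{
    bucket = "my-tfstate"
    # key  = "old/terraform.tfstate"
    key    = "{key}"
    region = "us-east-1"
  }}
}}
'''

# Constructed input: staging was copied from prod and its key never changed.
SAMPLE = {
    "dev": sample_backend_tf("dev/network/terraform.tfstate"),
    "staging": sample_backend_tf("prod/network/terraform.tfstate"),
    "prod": sample_backend_tf("prod/network/terraform.tfstate"),
}

if __name__ == "__main__":
    shared, problems = find_shared_state(SAMPLE)
    for (bucket, key), envs in shared.items():
        print(f"shared state s3://{bucket}/{key}: {', '.join(envs)}")
    raise SystemExit(1 if shared or problems else 0)
```

Run on the plan step of every PR, a non-zero exit blocks the merge before two environments ever write to the same state object.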

Get Started

How to install and use this skill in your preferred environment.

Skills are designed for AI coding agents (Claude Code, Cursor, Windsurf) and IDE-based workflows where the agent can read files, run scripts, and act on your codebase.

Models & Context

Which AI models and context windows work best with this skill.

Recommended Models

Works well with Claude Sonnet, GPT-4o, or Gemini 2.5 Pro. HCL generation is reliable across frontier models; complex multi-provider patterns benefit from stronger reasoning.

Context Window

SKILL.md is ~8KB. Include current .tf files and plan output in context for drift reconciliation and debugging sessions.

Pro tips for best results

1. Be specific: Include numbers (users, budget, RPS) so the skill can size the architecture.

2. Share constraints: Compliance needs, team size, and existing stack all improve the output.

3. Iterate: Start with a high-level design, then ask follow-ups for IaC, cost analysis, or security review.

4. Combine skills: Pair with companion skills below for end-to-end coverage.

Works Great With

These skills complement Terraform Engineer for end-to-end coverage. Install them together for better results.

$ skillfish add johnefemer/skillfish --all # install all skills at once
