Terraform Style Guide
Apply this checklist when writing or reviewing Terraform code.
Trigger Reference
- Use `references/trigger-matrix.md` as the canonical trigger and co-activation matrix.
- Resolve skill activation from changed files with `python3 scripts/resolve_style_guides.py <changed-path>...` when automation is available.
- Validate trigger matrix consistency with `python3 scripts/validate_trigger_matrix_sync.py`.
Quality Gate Reference
- Use `references/quality-gate-command-matrix.md` for the mapping between CI check-only commands and local autofix commands.
Architecture and module design
- Keep modules small, focused, and reusable by responsibility.
- Separate environment composition from reusable module internals.
- Expose clear module interfaces with typed inputs and minimal outputs.
- Keep dependency direction explicit; avoid hidden cross-module coupling.
Naming and code structure
- Use consistent `snake_case` names for variables, locals, resources, and outputs.
- Keep resource blocks readable with logical grouping.
- Use `locals` for repeated expressions and derived values.
- Replace unexplained literals with named locals/constants and put the unit in the name (for example `rotation_days`, not `rotation`).
Variables and configuration safety
- Define variable types explicitly and add `validation` rules that reject bad input at plan time.
- Mark secret values with `sensitive = true` so they are redacted from plan and apply output.
- Declare critical inputs without defaults so `plan`/`apply` fails when they are missing instead of silently using a placeholder.
- Do not hardcode fallback defaults for required environment-derived values.
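The two sections above (naming/locals and variable safety) in one root module, as an added example that is not part of the original guide or any project it references. The variable, resource and tag names, the AWS provider and the RDS resource are assumptions chosen for illustration; `nullable = false` requires Terraform 1.1 or later.

```hcl
# Added example (not from the project): typed, validated inputs plus locals
# for derived values and unit-bearing constants. Names and the AWS provider
# are assumptions.
variable "project" {
  type        = string
  description = "Short identifier used as a name prefix."
  nullable    = false
}

variable "environment" {
  type        = string
  description = "Deployment environment; drives naming and guardrails."
  nullable    = false # no default: a missing value fails plan instead of building the wrong thing

  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "environment must be one of: dev, staging, prod."
  }
}

variable "allowed_cidrs" {
  type        = list(string)
  description = "CIDR ranges allowed to reach the database."
  nullable    = false

  validation {
    condition     = length(var.allowed_cidrs) > 0 && alltrue([for c in var.allowed_cidrs : can(cidrhost(c, 0))])
    error_message = "allowed_cidrs must be a non-empty list of valid CIDR blocks."
  }

  validation {
    condition     = !contains(var.allowed_cidrs, "0.0.0.0/0") && !contains(var.allowed_cidrs, "::/0")
    error_message = "allowed_cidrs must not expose the database to the whole internet."
  }
}

variable "db_password" {
  type        = string
  description = "Database master password; pass via TF_VAR_db_password or a secrets manager, never a tfvars file in git."
  sensitive   = true
  nullable    = false

  validation {
    condition     = length(var.db_password) >= 16
    error_message = "db_password must be at least 16 characters."
  }
}

locals {
  # Single naming scheme, derived once and reused everywhere.
  name_prefix = "${var.project}-${var.environment}"

  # Units in the name: 365 is unambiguous only when the name says "days".
  log_retention_days    = 365
  backup_retention_days = var.environment == "prod" ? 35 : 7

  common_tags = {
    Project     = var.project
    Environment = var.environment
    ManagedBy   = "terraform"
  }
}

resource "aws_cloudwatch_log_group" "db" {
  name              = "/${local.name_prefix}/db"
  retention_in_days = local.log_retention_days
  tags              = local.common_tags
}

resource "aws_db_instance" "main" {
  identifier              = "${local.name_prefix}-db"
  engine                  = "postgres"
  instance_class          = "db.t4g.micro"
  allocated_storage       = 20
  username                = "app"
  password                = var.db_password # sensitivity propagates: redacted in plan output
  storage_encrypted       = true
  backup_retention_period = local.backup_retention_days
  skip_final_snapshot     = var.environment != "prod"
  tags                    = local.common_tags
}

# Anything derived from a sensitive value must itself be marked sensitive,
# otherwise Terraform refuses the output ("Output refers to sensitive values").
output "db_connection_string" {
  value     = "postgresql://app:${var.db_password}@${aws_db_instance.main.endpoint}/app"
  sensitive = true
}

output "db_endpoint" {
  value = aws_db_instance.main.endpoint # not secret; safe to print
}
```

With no defaults on `environment`, `allowed_cidrs` or `db_password`, `terraform plan` stops with an error naming the missing variable, and a value of `0.0.0.0/0` is rejected by the second validation before any provider call is made.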
State and lifecycle discipline
- Use remote state with locking for collaborative environments.
- Keep state boundaries intentional (one stack per failure domain) to reduce blast radius.
- Review lifecycle rules (`create_before_destroy`, `prevent_destroy`, `ignore_changes`) explicitly.
- Avoid unmanaged drift; reconcile differences intentionally rather than ignoring them.
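The state and lifecycle checklist as one stack, added here as an example; it is not code from the original guide or from any project it references. The bucket, lock table, stack keys, resource names and the AWS provider are assumptions.

```hcl
# Added example (not from the project): remote locked state, explicit state
# boundaries and lifecycle rules. Bucket, table and stack names, and the AWS
# provider, are assumptions.
terraform {
  required_version = ">= 1.5.0"

  backend "s3" {
    bucket         = "example-org-tfstate"            # assumed bucket
    key            = "prod/platform/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                             # state holds secrets: encrypt it at rest
    dynamodb_table = "example-org-tfstate-lock"       # assumed table: locking stops concurrent applies corrupting state
    # Terraform 1.10+ can lock with an S3 conditional write instead of DynamoDB:
    # use_lockfile = true
  }
}

variable "launch_template_id" {
  type = string
}

# Consume the network stack through its published outputs rather than sharing
# one state file: the blast radius of a bad apply here stops at this stack.
data "terraform_remote_state" "network" {
  backend = "s3"
  config = {
    bucket = "example-org-tfstate"
    key    = "prod/network/terraform.tfstate"
    region = "us-east-1"
  }
}

resource "aws_kms_key" "data" {
  description             = "Data-at-rest key for the platform stack"
  enable_key_rotation     = true
  deletion_window_in_days = 30

  lifecycle {
    # Destroying this key makes every object encrypted under it unreadable.
    # Any plan that would destroy it errors out; removing this line is a
    # deliberate change that shows up in review.
    prevent_destroy = true
  }
}

resource "aws_security_group" "app" {
  name_prefix = "app-"
  vpc_id      = data.terraform_remote_state.network.outputs.vpc_id

  lifecycle {
    # On replacement, build the new group before deleting the old one so
    # attached instances are never left without a group. name_prefix avoids
    # the name collision a fixed name would cause while both exist.
    create_before_destroy = true
  }
}

resource "aws_autoscaling_group" "app" {
  name                = "app-asg"
  min_size            = 2
  max_size            = 6
  vpc_zone_identifier = data.terraform_remote_state.network.outputs.private_subnet_ids

  launch_template {
    id      = var.launch_template_id
    version = "$Latest"
  }

  lifecycle {
    # desired_capacity is legitimately changed by the scaler at runtime.
    # Ignoring only that attribute stops each apply from undoing it, while
    # every other difference is still reported as drift to be reconciled.
    ignore_changes = [desired_capacity]
  }
}
```

`ignore_changes` is the one lifecycle rule that hides drift by design, so keep its list as short as possible and comment why each attribute is there; a bare `ignore_changes = all` is the kind of setting the review should reject.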
Security and compliance
- Enforce least-privilege IAM and narrow resource policies.
- Enable encryption at rest and in transit where supported.
- Avoid exposing secrets in plain-text outputs or logs.
- Run policy/security scanners before merge.
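The security checklist applied to an audit-log bucket and the principal that writes to it, added here as an example; it is not code from the original guide or any project it references. The bucket, key and policy names, the `app/` prefix and the AWS provider are assumptions. The over-broad statement that scanners such as tfsec/checkov flag is shown in a comment next to the narrow replacement.

```hcl
# Added example (not from the project): least-privilege IAM and encryption
# at rest and in transit for an S3 audit-log bucket. Names and the AWS
# provider are assumptions.
resource "aws_kms_key" "logs" {
  description         = "CMK for audit logs"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "audit_logs" {
  bucket = "example-org-audit-logs" # assumed name
}

# Encryption at rest: customer-managed key applied to every object by default.
resource "aws_s3_bucket_server_side_encryption_configuration" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id

  rule {
    bucket_key_enabled = true
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.logs.arn
    }
  }
}

resource "aws_s3_bucket_public_access_block" "audit_logs" {
  bucket                  = aws_s3_bucket.audit_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encryption in transit: deny any request that does not arrive over TLS.
data "aws_iam_policy_document" "audit_logs_bucket" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.audit_logs.arn,
      "${aws_s3_bucket.audit_logs.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  policy = data.aws_iam_policy_document.audit_logs_bucket.json
}

# Least privilege for the log shipper. The version scanners reject:
#   actions = ["s3:*"], resources = ["*"]
# The writer gets PutObject on one prefix, only with SSE-KMS, plus the one
# KMS permission that PutObject needs on the one key. No read, no delete,
# no bucket-level actions.
data "aws_iam_policy_document" "log_writer" {
  statement {
    sid       = "WriteLogsOnly"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.audit_logs.arn}/app/*"]
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }

  statement {
    sid       = "UseLogKey"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey"]
    resources = [aws_kms_key.logs.arn]
  }
}

resource "aws_iam_policy" "log_writer" {
  name   = "audit-log-writer"
  policy = data.aws_iam_policy_document.log_writer.json
}
```

Building policies with `aws_iam_policy_document` rather than heredoc JSON keeps them lintable and lets the scanner see each statement; a wildcard in `actions` or `resources` then fails the merge gate instead of being discovered after apply.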
Performance and scalability
- Avoid unnecessary resource churn by stabilizing identifiers and `for_each` keys.
- Keep plans deterministic and readable in large stacks.
- Split very large stacks to keep plan/apply time bounded.
- Minimize provider/API call volume where possible.
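Stable `for_each` keys versus positional `count`, with the `moved` blocks that migrate an existing deployment without recreating anything, added here as an example; it is not code from the original guide or any project it references. The subnet map, VPC, user list and AWS provider are assumptions; `moved` blocks require Terraform 1.1 or later.

```hcl
# Added example (not from the project): stable for_each keys instead of
# positional count indexes. The subnet map, VPC and AWS provider are assumptions.
variable "vpc_id" {
  type = string
}

# Keyed by a meaningful, stable name. The key becomes the resource address.
variable "subnets" {
  type = map(object({
    cidr = string
    az   = string
  }))
  default = {
    "private-a" = { cidr = "10.0.1.0/24", az = "us-east-1a" }
    "private-b" = { cidr = "10.0.2.0/24", az = "us-east-1b" }
    "private-c" = { cidr = "10.0.3.0/24", az = "us-east-1c" }
  }
}

# The churn-prone form this replaces:
#   resource "aws_subnet" "this" {
#     count      = length(var.subnet_list)
#     cidr_block = var.subnet_list[count.index].cidr
#   }
# Removing the first list element shifts every later index, so Terraform
# plans to destroy and recreate every subsequent subnet and whatever is
# attached to it. With a map, removing "private-a" touches only that subnet.
resource "aws_subnet" "this" {
  for_each = var.subnets

  vpc_id            = var.vpc_id
  cidr_block        = each.value.cidr
  availability_zone = each.value.az
  tags              = { Name = each.key }
}

# Migrating an existing count-based deployment: tell Terraform which state
# entry maps to which key so the switch is a rename, not a replace.
moved {
  from = aws_subnet.this[0]
  to   = aws_subnet.this["private-a"]
}

moved {
  from = aws_subnet.this[1]
  to   = aws_subnet.this["private-b"]
}

moved {
  from = aws_subnet.this[2]
  to   = aws_subnet.this["private-c"]
}

# Derived collections keep the same keys, so downstream stacks address
# subnets by name too and their plans stay deterministic.
output "private_subnet_ids" {
  value = { for name, subnet in aws_subnet.this : name => subnet.id }
}

# When the input is a list of values that are themselves stable (usernames,
# account IDs), toset() makes each value its own key; no index is involved.
variable "readonly_users" {
  type    = list(string)
  default = ["auditor", "sre-oncall"]
}

resource "aws_iam_user" "readonly" {
  for_each = toset(var.readonly_users)
  name     = each.value
}
```

After the `moved` blocks have been applied once, the plan shows `aws_subnet.this[0] has moved to aws_subnet.this["private-a"]` with no create or destroy actions; the blocks can then be deleted in a later change.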
Testing and verification
- Run validation and lint checks on every change.
- Review `terraform plan` output carefully for destructive actions (destroy and replace).
- Add environment-specific integration checks for critical modules.
- Document manual rollback/remediation steps for risky infra changes.
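An environment-specific check for a critical module written as a `terraform test` file, added here as an example; it is not code from the original guide or any project it references. It assumes a root module that declares `var.project`, `var.environment`, `var.allowed_cidrs` and `var.db_password` with validation rules, plus resources named `aws_kms_key.logs`, `aws_s3_bucket_public_access_block.audit_logs` and `aws_db_instance.main`; all of those names and the placeholder values are assumptions. `terraform test` requires Terraform 1.6 or later.

```hcl
# Added example (not from the project): tests/prod_guardrails.tftest.hcl,
# run with `terraform test`. Resource and variable names are assumptions.
variables {
  project       = "example"
  environment   = "prod"
  allowed_cidrs = ["10.0.0.0/8"]
  db_password   = "test-only-placeholder-0000" # constructed placeholder; the test never applies
}

# command = plan creates nothing, so this can run on every pull request.
run "prod_bucket_is_private" {
  command = plan

  assert {
    condition     = aws_s3_bucket_public_access_block.audit_logs.block_public_policy && aws_s3_bucket_public_access_block.audit_logs.restrict_public_buckets
    error_message = "Audit log bucket must block public access in prod."
  }

  assert {
    condition     = aws_kms_key.logs.enable_key_rotation
    error_message = "Audit log CMK must have rotation enabled."
  }
}

# The guardrail itself is under test: an input the validation is meant to
# reject must fail, and the failure must come from that variable.
run "world_open_cidr_is_rejected" {
  command = plan

  variables {
    allowed_cidrs = ["0.0.0.0/0"]
  }

  expect_failures = [
    var.allowed_cidrs,
  ]
}

# Environment-specific behaviour: the same module, different environment.
run "non_prod_can_skip_final_snapshot" {
  command = plan

  variables {
    environment = "dev"
  }

  assert {
    condition     = aws_db_instance.main.skip_final_snapshot == true
    error_message = "dev databases should not require a final snapshot."
  }
}
```

For the plan-review bullet, `terraform plan -out=tfplan` followed by `terraform show -json tfplan` gives a machine-readable plan in which every entry of `resource_changes[].change.actions` containing `"delete"` is a destroy or replace; surfacing those in the pull request is more reliable than reading the coloured diff by eye.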
Observability and operations
- Emit infrastructure changes through auditable pipelines.
- Track drift, failed applies, and policy violations.
- Ensure runbooks exist for failed deployment recovery.
- Keep change approvals explicit for high-impact resources.
CI required quality gates (check-only)
- Run `terraform fmt -check -recursive`.
- Run `terraform validate`.
- Run `tflint` (or the project linter equivalent).
- Run `tfsec`/`checkov` (or the project policy scanner equivalent).
Optional autofix commands (local)
- Run `terraform fmt -recursive` to apply formatting.