AgentSkillsCN

terraform-atomic-commit

针对 IaC 仓库(fmt/validate/tflint/terraform-docs),以严格的原子性为核心,不使用 AI 提交签名,打造 Terraform 优先的预提交与原子提交技能。

SKILL.md
--- frontmatter
name: terraform-atomic-commit
description: "Terraform-focused pre-commit + atomic-commit Skill for IaC repos (fmt/validate/tflint/terraform-docs) with strict atomicity and no AI commit signatures."
allowed-tools: Bash Read Edit Glob Grep

Terraform Atomic Commit Skill

When to Use This Skill

Use this Skill in Terraform / Terragrunt repos (for example terraform-modules/ and infrastructure/) when you want:

  • /terraform:pre-commit – to actively fix formatting + lint issues and get the working tree into a clean, reviewable state.
  • /terraform:atomic-commit – to enforce atomicity of the staged diff, run the repo’s quality gates, and propose a commit message (no AI signatures).

Example Prompts

  • “Run /terraform:pre-commit and fix all issues in the files shown by git status (fmt, validate, docs).”
  • “Use /terraform:atomic-commit to confirm the staged diff is atomic and ready; propose a commit message.”
  • “We’re in a Terragrunt repo: enforce formatting, skip any apply, and run read-only validation checks where possible.”

Modes

This Skill behaves differently based on how it is invoked:

  • pre-commit mode:
    • Actively applies changes to make the working tree/staged files conform to repo standards.
    • Runs auto-fixers and focused validation.
    • Does not propose or drive a commit.
  • atomic-commit mode:
    • Runs everything from pre-commit mode.
    • Enforces atomicity of staged changes.
    • Requires all gates to be green.
    • Proposes a commit message without any AI signatures.

Severity Tags

  • [BLOCKING] – must fix before merge/commit (broken fmt/validate, dangerous workflow, non-atomic diff).
  • [SHOULD_FIX] – strongly recommended before merge (lint warnings, missing docs update, missing pins).
  • [NIT] – minor polish.

Core Priorities

  1. No hidden blast radius – prefer pinned refs, explicit versions, and documented breaking changes.
  2. Read-only by default – never run terraform apply / terragrunt apply as part of this Skill.
  3. Atomic diffs – split unrelated module/workflow changes into separate commits.
  4. Repo rules firstAGENTS.md, CLAUDE.md, .tool-versions, and .pre-commit-config.yaml override defaults here.
  5. Docs reflect reality – keep terraform-docs sections accurate when present.

Environment & Context Gathering

Start by gathering:

  • Git context:
    • git status --porcelain
    • git diff --stat
    • git diff --cached --stat
    • git diff --cached --name-only
  • Repo standards:
    • Read AGENTS.md / CLAUDE.md if present.
    • Detect .pre-commit-config.yaml, .tool-versions, Taskfile.yml.
  • Tooling:
    • terraform version
    • terragrunt --version (if present)
    • tflint --version (if present)
    • terraform-docs --version (if present)

If pre-commit hooks fail due to tool-version mismatch, prefer installing the repo’s pinned tool versions (e.g. via asdf install or a repo task install:tools) over bypassing checks.

Checks Pipeline (Both Modes)

  1. Scope changed files

    • Focus on changed .tf, .hcl, .json, .yml, and module README.md files.

  2. Formatting

    • Terraform modules:
      • Run terraform fmt -recursive (or repo-preferred equivalent) on changed module directories.
    • Terragrunt repos:
      • Prefer running repo pre-commit hooks for formatting.
      • If formatting is manual, use the Terragrunt formatting command compatible with the pinned Terragrunt version.

  3. Validate (focused, read-only)

    • Terraform modules:
      • For each changed module directory, run:
        • terraform init -backend=false
        • terraform validate
      • Clean up .terraform/ and lockfiles created during local validation.
      • Practical pattern (handles modules that reference an aws.global alias):
        • Create a temporary ci_providers.tf inside the module directory:
          • provider "aws" { region = "us-east-1" }
          • provider "aws" { alias = "global" region = "us-east-1" }
        • Then run init/validate, and delete ci_providers.tf afterwards.
      • Avoid committing .terraform/ directories. Only commit .terraform.lock.hcl if the repo explicitly wants lockfiles versioned.
    • Terragrunt repos:
      • Prefer focused validation/plans for only the changed stacks (avoid full run-all unless required).
      • If a pre-commit hook fails due to a Terragrunt CLI flag mismatch, treat it as a tool-version drift problem first:
        • Install the repo’s pinned Terragrunt version (e.g. via .tool-versions + asdf install).
        • Re-run pre-commit run.

  4. TFLint (when configured)

    • If the repo uses tflint (pre-commit hook or .tflint.hcl), run it on changed modules/stacks.
    • If not configured, do not introduce a brand-new tflint setup as part of a formatting-only commit unless explicitly requested.
      • If tflint is desired but missing, propose a separate, atomic commit that adds a baseline .tflint.hcl + CI gate.

  5. terraform-docs consistency (when used)

    • If a module README contains <!-- BEGIN_TF_DOCS -->, regenerate docs and ensure the resulting diff is committed.
    • Recommended command (adjust to repo conventions):
      • terraform-docs markdown table --output-file README.md --output-mode inject <module_dir>
    • If terraform-docs tries to generate provider lockfiles, prefer a repo-approved invocation (some repos use --lockfile=false).
    • After regeneration, check that git diff is clean (or explicitly commit the README changes as part of the same atomic change).
    • Treat “docs drift” as [SHOULD_FIX] (or [BLOCKING] when the repo enforces it in CI).

Atomic Commit Mode Additions

In atomic-commit mode, additionally:

  • Refuse to approve the commit if the staged diff includes unrelated changes (split commits).
  • Require all checks relevant to the touched files to pass (fmt/validate/lint/docs).
  • Propose a commit message with no AI signature.

Output Format

Return:

  • Verdict: READY or NOT READY
  • Checks: list of commands run + pass/fail
  • Changes made: brief list
  • Remaining issues: with [BLOCKING] / [SHOULD_FIX] / [NIT]
  • Proposed commit message: (atomic-commit mode only)