AgentSkillsCN

terraform-testing

Run Terraform validation, security scanning, planning and deployment testing. Use this skill when the user asks to test Terraform code, validate Terraform configurations, run Terraform checks, or deploy Terraform to a dev environment. It is triggered by requests such as "test terraform", "validate my terraform", "run terraform checks", "deploy terraform to dev", or "/test-terraform".

SKILL.md
---
name: terraform-testing
description: Run Terraform validation, security scanning, planning, and deployment testing. Use when the user asks to test Terraform code, validate Terraform configurations, run Terraform checks, or deploy Terraform to a dev environment. Triggers on requests like "test terraform", "validate my terraform", "run terraform checks", "deploy terraform to dev", or "/test-terraform".
---

Terraform Testing

Portable Terraform validation and deployment pipeline. Runs git-secrets, fmt, init, validate, tflint, security scanning (checkov/trivy), plan, and optionally apply/destroy via a single shell script.

Workflow

  1. Run the test script (scripts/test-terraform.sh)
  2. Review output — all critical steps must pass
  3. If deploy mode: review plan output before apply proceeds
  4. On success: update progress tracking and commit

Running the Script

The script lives at scripts/test-terraform.sh relative to this skill directory. Copy or reference it from the target project.

Common Invocations

```bash
# Validate only (no plan, no deploy)
bash scripts/test-terraform.sh --no-plan

# Validate + plan (default)
bash scripts/test-terraform.sh

# Validate specific directory
bash scripts/test-terraform.sh --target modules/vpc

# Validate + plan + apply
bash scripts/test-terraform.sh --deploy

# Validate + plan + apply + destroy (ephemeral test)
bash scripts/test-terraform.sh --deploy-destroy

# Use specific AWS profile
bash scripts/test-terraform.sh --deploy --profile dev-account

# Security findings as warnings (don't fail)
bash scripts/test-terraform.sh --soft-fail

# Use trivy instead of checkov
bash scripts/test-terraform.sh --scanner trivy
```

Configuration

Place .test-terraform.conf in the project root to set defaults:

| Variable           | Purpose                                                  |
|--------------------|----------------------------------------------------------|
| TF_TEST_DIRS       | Space-separated directories to validate                  |
| TF_DEPLOY_DIRS     | Space-separated directories eligible for plan/apply      |
| AWS_PROFILE        | AWS CLI profile name                                     |
| TFLINT_CONFIG      | Path to .tflint.hcl                                      |
| TF_SCANNER         | checkov or trivy                                         |
| TF_OUTPUT_DIR      | Output directory for reports (default: ./test-results/)  |
| TF_DESTROY_TIMEOUT | Seconds before auto-destroy in CI (default: 60)          |

Precedence: CLI flags > environment variables > config file > defaults.

Pipeline Steps

| Step | Tool               | Critical | Purpose                               |
|------|--------------------|----------|---------------------------------------|
| 1    | git-secrets        | Yes      | Scan for hardcoded secrets            |
| 2    | terraform fmt      | Yes      | Check HCL formatting                  |
| 3    | terraform init     | Yes      | Initialize providers                  |
| 4    | terraform validate | Yes      | Syntax and consistency                |
| 5    | tflint             | Yes      | Provider-aware linting                |
| 6    | checkov/trivy      | No       | Security scanning (warnings)          |
| 7    | terraform plan     | Yes      | Generate deployment plan              |
| 8    | terraform apply    | Yes      | Deploy (only with --deploy)           |
| 9    | terraform destroy  | Yes      | Teardown (only with --deploy-destroy) |

The script auto-detects OS (macOS, Debian, RHEL) and installs missing tools automatically.

Failure Handling

  • Critical step fails: Script exits immediately. Fix the error and re-run.
  • Security scan findings: reported as warnings by default. Use --soft-fail to keep findings from blocking the run.
  • Suppressing false positives:
    • Checkov: # checkov:skip=CKV_AWS_XX:Reason inline comment
    • Trivy: .trivyignore file or # trivy:ignore:AVD-AWS-XXXX inline comment
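The precedence rule from the Configuration section and the critical vs. non-critical step handling described above, as an added POSIX shell example that is not the skill's own scripts/test-terraform.sh; the function names load_conf, resolve and run_step are assumptions, and the config file is parsed rather than sourced so that a repository-controlled file cannot execute shell:

```shell
#!/bin/sh
# Added example, not the skill's own scripts/test-terraform.sh: one way to
# implement the documented precedence (CLI flags > environment variables >
# .test-terraform.conf > defaults) and the critical vs. non-critical step rule.

# load_conf FILE: read KEY=VALUE lines from the config file without sourcing
# it, so a repository-controlled file cannot run arbitrary shell. Only the
# documented keys are accepted, and a key already set in the environment is
# left untouched, which is what makes the environment beat the config file.
load_conf() {
  file=$1
  [ -f "$file" ] || return 0
  while IFS='=' read -r key value || [ -n "$key" ]; do
    case $key in
      TF_TEST_DIRS|TF_DEPLOY_DIRS|AWS_PROFILE|TFLINT_CONFIG) ;;
      TF_SCANNER|TF_OUTPUT_DIR|TF_DESTROY_TIMEOUT) ;;
      *) continue ;;                    # comments, blank lines, unknown keys
    esac
    value=${value%\"}; value=${value#\"}            # strip optional quotes
    eval "current=\${$key:-}"                      # safe: key is allow-listed
    [ -n "$current" ] || eval "$key=\$value; export $key"
  done < "$file"
}

# resolve VAR CLI_VALUE DEFAULT: the CLI flag wins, then whatever the
# environment or load_conf left in VAR, then the documented default.
resolve() {
  case $1 in *[!A-Za-z0-9_]*|'') return 1 ;; esac   # VAR must be an identifier
  eval "current=\${$1:-}"
  if [ -n "$2" ]; then printf '%s\n' "$2"
  elif [ -n "$current" ]; then printf '%s\n' "$current"
  else printf '%s\n' "$3"
  fi
}

# run_step NAME CRITICAL CMD...: a failing critical step returns 1 so the
# caller (running under set -e) stops at once; a failing non-critical step,
# i.e. the security scanner, is counted as a warning and the run continues.
WARNINGS=0
run_step() {
  name=$1; critical=$2; shift 2
  if "$@"; then
    echo "  - $name: passed"
  elif [ "$critical" = yes ]; then
    echo "  - $name: FAILED (critical step, stopping)" >&2; return 1
  else
    WARNINGS=$((WARNINGS + 1)); echo "  - $name: completed with warnings"
  fi
}
```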

Post-Test Commit Workflow

After all gates pass, complete these steps:

  1. Update progress.txt — change feature from [~] to [x], add completion date
  2. Update CHANGELOG.md — add entry: ## [Feature X.Y] — YYYY-MM-DD
  3. Create docs/FEATURE_X.Y.md if it doesn't exist
  4. Stage files individually (never git add .)
  5. Commit: feat: X.Y — [Brief description]
  6. Do NOT push

Output Format

```text
GATE 1 & 2 — Validation, Plan & Apply: PASS
  - git-secrets: passed
  - terraform fmt: passed
  - terraform init: passed
  - terraform validate: passed
  - tflint: passed (or skipped)
  - checkov: completed with warnings (or passed)
  Plan: 3 to add, 0 to change, 0 to destroy
  Apply: completed successfully

GATE 3 — Commit: PASS (committed as feat: X.Y — ...)
```