Terraform Validation
This skill provides guidance for validating Terraform configurations with the repository's validation script, `terraform-validation/scripts/validate.sh`, which wraps every check in one command.
When to Use This Skill
This skill is applicable for:
- Validating Terraform configuration before committing
- Running comprehensive infrastructure code quality checks
- Ensuring security compliance
- Verifying configuration correctness
⚠️ CRITICAL: Always Use the Validation Script
DO NOT run individual commands (terraform fmt, terraform validate, tflint, trivy) directly.
The validation script runs them for you, in the correct order and with consistent options, so every run checks the same things and a pass means the same thing for everyone.
Usage
```bash
# Full workspace validation (scans all Terraform directories)
bash terraform-validation/scripts/validate.sh

# Scope validation to specific directories (faster feedback)
bash terraform-validation/scripts/validate.sh ./terraform/base/ ./terraform/application/

# Automatically fix formatting issues
bash terraform-validation/scripts/validate.sh --fix

# Generate documentation while validating
bash terraform-validation/scripts/validate.sh --verbose --generate-docs
```
What the Script Does
The validation script performs all checks in the correct order:
1. `terraform fmt -check` - Verify code formatting
2. `terraform validate` - Validate syntax and internal consistency
3. `tflint` - Static analysis and best practice enforcement
4. `trivy config` - Security misconfiguration scanning of the Terraform code
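To make the ordering concrete, here is an added example of a minimal runner that applies the four checks above in the documented sequence. It is illustrative code written for this page, not the project's own `validate.sh`, and it makes assumptions the page does not state: the `terraform -chdir=` / `tflint --chdir=` invocation style, running `terraform init -backend=false` so that `terraform validate` can load providers, the flag names `--fix` and `--verbose`, and treating only HIGH/CRITICAL trivy findings as failures (matching the checklist later on this page). It fails closed: a missing tool is an error, not a skipped check.

```bash
#!/usr/bin/env bash
# Added example, NOT the project's terraform-validation/scripts/validate.sh.
# Applies the documented checks in order (terraform fmt -check, terraform
# validate, tflint, trivy config) to each directory given on the command line,
# or to every directory containing .tf files when none is given.
set -u

FIX=0
VERBOSE=0
DIRS=""

log() { printf '%s\n' "$*" >&2; }

# parse_args: --fix enables auto-formatting, --verbose shows init output,
# every other argument is a directory to scope validation to.
# Leaves the directories in DIRS, one per line. Returns 2 on an unknown flag.
parse_args() {
  FIX=0; VERBOSE=0; DIRS=""
  for arg in "$@"; do
    case "$arg" in
      --fix)     FIX=1 ;;
      --verbose) VERBOSE=1 ;;
      --*)       log "unknown flag: $arg"; return 2 ;;
      *)         DIRS="${DIRS}${arg}
" ;;
    esac
  done
}

# discover_dirs ROOT: print each directory under ROOT that holds a .tf file,
# skipping .terraform provider/module caches, sorted and de-duplicated.
discover_dirs() {
  find "$1" -name .terraform -prune -o -type f -name '*.tf' -print |
    while IFS= read -r f; do dirname "$f"; done | sort -u
}

# require_tool NAME: a missing scanner must fail the run, never look like a pass.
require_tool() {
  command -v "$1" >/dev/null 2>&1 || { log "required tool not found: $1"; return 1; }
}

# check_dir DIR: run the checks in the documented order, stopping at the first
# failure so formatting is fixed before chasing downstream errors.
check_dir() {
  dir=$1
  log "==> $dir"
  if [ "$FIX" = 1 ]; then
    terraform -chdir="$dir" fmt -recursive || return 1
  else
    terraform -chdir="$dir" fmt -check -recursive -diff ||
      { log "fmt: formatting differs, re-run with --fix"; return 1; }
  fi
  # Assumption: a backend-less init is enough for validate to load providers.
  if [ "$VERBOSE" = 1 ]; then
    terraform -chdir="$dir" init -backend=false -input=false || return 1
  else
    terraform -chdir="$dir" init -backend=false -input=false >/dev/null || return 1
  fi
  terraform -chdir="$dir" validate || return 1
  tflint --chdir="$dir" || return 1
  # Non-zero exit on HIGH/CRITICAL only; MEDIUM/LOW findings are still printed.
  trivy config --exit-code 1 --severity HIGH,CRITICAL "$dir" || return 1
}

main() {
  parse_args "$@" || return 2
  [ -n "$DIRS" ] || DIRS=$(discover_dirs .)
  [ -n "$DIRS" ] || { log "no Terraform directories found"; return 1; }
  for t in terraform tflint trivy; do require_tool "$t" || return 1; done
  status=0
  old_ifs=$IFS; IFS='
'
  for d in $DIRS; do
    IFS=$old_ifs
    check_dir "$d" || status=1   # keep going so every failing dir is reported
  done
  IFS=$old_ifs
  return "$status"
}

# Only run when executed as validate-example.sh, so the functions can also be
# sourced into another script without starting a validation run.
case "${0##*/}" in validate-example.sh) main "$@"; exit "$?" ;; esac
```

Save it as `validate-example.sh` and run `bash validate-example.sh ./terraform/base/` to scope it, or with no arguments for a full scan. The loop records a failure but continues, so one run reports every failing directory; the exit status is still non-zero, which is what a pre-commit hook or pipeline step needs.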
Validation Requirements
Before considering infrastructure code complete:
- ✅ All validation checks pass
- ✅ Code properly formatted
- ✅ No syntax or configuration errors
- ✅ No security misconfigurations
- ✅ Plan reviewed (if applicable)
Validation Workflow
Before Committing
1. Make changes - Edit Terraform files
2. Run validation (recommend scoped for faster feedback):
   ```bash
   bash terraform-validation/scripts/validate.sh ./terraform/path/to/module
   ```
3. Auto-fix formatting (if needed):
   ```bash
   bash terraform-validation/scripts/validate.sh --fix
   ```
4. Address other issues - Fix validation, lint, or security errors
5. Commit - Only commit when validation passes
Before Applying
1. Run validations - Ensure all checks pass
2. Plan changes:
   ```bash
   terraform plan -out=tfplan
   ```
3. Review plan - Verify the changes are the ones you expect, paying particular attention to resources marked for destruction or replacement. The saved plan file can contain sensitive values from your configuration and state, so do not commit it.
4. Apply (if plan looks correct):
   ```bash
   terraform apply tfplan
   ```
Common Failures & Quick Fixes
Formatting Errors
Error: terraform fmt check failed
Fix: Auto-format with the `--fix` flag
```bash
bash terraform-validation/scripts/validate.sh --fix
```
terraform validate Errors
Error: Missing required argument
Fix: Read error message, add missing arguments, re-run validation
tflint Errors
Error: Deprecated syntax
Fix: Update code according to linter suggestions
trivy config Errors
Error: HIGH: S3 bucket has block public access disabled
Fix: Add the control the finding names rather than suppressing the check. For this finding that is an `aws_s3_bucket_public_access_block` resource for the bucket with all four settings (`block_public_acls`, `block_public_policy`, `ignore_public_acls`, `restrict_public_buckets`) set to `true`; related findings call for encryption or tighter access restrictions in the same way.
Security Requirements
Required security measures:
- ✅ KMS encryption for S3, SNS, Logs, State Machines
- ✅ IAM policies follow least privilege
- ✅ Resource policies include `Condition` clauses
- ✅ No plaintext secrets
- ✅ Logging enabled (CloudTrail, CloudWatch Logs)
- ✅ No default VPC usage
- ✅ No open security groups
- ✅ No public S3 buckets
trivy Severity Levels
- CRITICAL: Immediate fix required
- HIGH: Fix before production deployment
- MEDIUM: Fix in next iteration
- LOW: Consider fixing
Troubleshooting
Validation Script Not Found
```bash
# Navigate to project root
cd /workspace

# Verify script exists
ls -la .github/skills/terraform-validation/scripts/validate.sh

# Run with bash explicitly
bash terraform-validation/scripts/validate.sh
```
The relative path to `validate.sh` depends on where the skill directory sits in your checkout; run the command from the directory that contains `terraform-validation/`, or give the full path to the script.
Slow Validation
```bash
# Validate only changed directories (much faster)
bash terraform-validation/scripts/validate.sh ./terraform/module/
```
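Scoping by hand works, but it is easy to forget a module you touched. As an added example (not part of the project's script), the helper below derives the Terraform directories changed relative to a base branch from `git diff --name-only` plus untracked files and hands exactly those to the validation script. Assumptions not taken from the page: the base defaults to `origin/main`, and the helper is run from the directory that contains `terraform-validation/`.

```bash
#!/usr/bin/env bash
# Added example, NOT part of the project's validation script: validate only
# the Terraform directories touched by the current change.
set -u

log() { printf '%s\n' "$*" >&2; }

# changed_tf_dirs: read file paths on stdin (as printed by `git diff
# --name-only`), keep Terraform sources, and print each containing directory
# once. Non-Terraform files such as README.md are dropped.
changed_tf_dirs() {
  while IFS= read -r path; do
    case "$path" in
      *.tf|*.tfvars|*.tf.json|*.tfvars.json) dirname "$path" ;;
    esac
  done | sort -u
}

# existing_dirs: drop directories that no longer exist (a whole module was
# deleted), since validating them would fail for the wrong reason.
existing_dirs() {
  while IFS= read -r d; do
    if [ -d "$d" ]; then printf '%s\n' "$d"; fi
  done
}

# validate_changed [BASE]: tracked changes relative to BASE (assumed default
# origin/main) plus untracked files, scoped to Terraform directories, handed
# to the validation script. Fails closed if BASE is not a known revision.
validate_changed() {
  base=${1:-origin/main}
  git rev-parse --verify -q "$base" >/dev/null ||
    { log "unknown base revision: $base"; return 1; }
  dirs=$( { git diff --name-only "$base" --; git ls-files --others --exclude-standard; } |
          changed_tf_dirs | existing_dirs )
  if [ -z "$dirs" ]; then
    log "no Terraform changes relative to $base; nothing to validate"
    return 0
  fi
  old_ifs=$IFS; IFS='
'
  set -- $dirs
  IFS=$old_ifs
  log "validating: $*"
  bash terraform-validation/scripts/validate.sh "$@"
}

# Only run when executed as validate-changed.sh, so the functions can be
# sourced elsewhere without starting a run.
case "${0##*/}" in validate-changed.sh) validate_changed "$@"; exit "$?" ;; esac
```

Run it as `bash validate-changed.sh` before committing, or `bash validate-changed.sh origin/release` to compare against another branch. A change that touches no Terraform files exits 0 without running anything; the full, unscoped validation is still expected before applying.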
Need More Details
For detailed information, see the reference documentation:
- Individual Commands - Detailed command usage for debugging
- Troubleshooting Guide - Comprehensive error resolution
- Security Best Practices - Infrastructure security guidelines
Quick Reference
Essential Commands
```bash
# Full validation
bash terraform-validation/scripts/validate.sh

# Scoped validation
bash terraform-validation/scripts/validate.sh ./terraform/module/

# Auto-fix
bash terraform-validation/scripts/validate.sh --fix
```
Validation Checklist
Before committing:
- [ ] Validation script passes
- [ ] Plan reviewed (if applicable)
- [ ] Security requirements met
- [ ] No critical or high severity issues
Summary
Terraform validation ensures infrastructure code quality and security:
- Always use the validation script - Never run individual commands
- Validate frequently - Run during development, not just before commit
- Fix issues promptly - Address validation failures as they occur
- Enforce security - Scan for misconfigurations with trivy
- Review plans - Always review terraform plan before apply
- Never commit failing code - All checks must pass
For detailed debugging and advanced topics, see the reference documentation.