Validate Terraform configurations for q24 DevOps assignment. Run fmt, validate, security scans, and enforce best practices.
This skill validates Terraform configurations for Task 2 of the q24 DevOps assignment. It runs formatting checks, validation, linting, and security scans to ensure generated IaC meets quality standards.
Validation Checks:
- `terraform fmt`
- `terraform validate`

Invoke this skill when:
- `q24-terraform-generator`
- `terraform apply` directly
- `q24-k8s-debug`

Pre-flight checks:
```bash
# Verify Terraform is installed
terraform version
# Check if iac/ directory exists
test -d iac/ || echo "ERROR: iac/ directory not found"
# Verify required files exist
test -f iac/main.tf || echo "WARN: main.tf not found"
test -f iac/versions.tf || echo "WARN: versions.tf not found"
```
```bash
cd iac/
# Check formatting (non-destructive)
terraform fmt -check -recursive
# If formatting issues found, optionally auto-fix:
# terraform fmt -recursive
```
Report formatting issues clearly:
```text
FORMATTING ISSUES:
- main.tf: inconsistent indentation on line 15
- variables.tf: trailing whitespace on lines 8, 12

Auto-fix available: terraform fmt -recursive
```
```bash
cd iac/
# Initialize if not already done (no backend needed for validation)
if [ ! -d .terraform ]; then
  terraform init -backend=false
fi
# Run validation
terraform validate
```
Capture and parse errors:
```bash
# Check for common HCL issues
grep -r "TODO\|FIXME\|XXX" *.tf || echo "No TODOs found"
# Check for hardcoded credentials: a credential-like name assigned a quoted literal.
# Values starting with "$" (interpolations such as "${var.token}") are not flagged.
grep -riE '(password|secret|token|key)\s*=\s*"[^$]' *.tf \
  && echo "SECURITY: Hardcoded credentials detected"
# Check for missing descriptions: count variable blocks against description lines
# (grep -L only reports whether the file has any description at all)
vars=$(grep -c '^variable "' variables.tf)
descs=$(grep -c '^\s*description\s*=' variables.tf)
[ "$vars" -gt "$descs" ] && echo "WARN: $((vars - descs)) variable(s) without descriptions"
```
Trivy (preferred):
```bash
# If trivy is available (run from the repository root, not from inside iac/)
if command -v trivy &> /dev/null; then
  trivy config --severity HIGH,CRITICAL iac/
else
  echo "INFO: trivy not available, skipping security scan"
fi
```

Checkov (alternative):
```bash
# If checkov is available (run from the repository root)
if command -v checkov &> /dev/null; then
  checkov -d iac/ --framework terraform
else
  echo "INFO: checkov not available, skipping security scan"
fi
```
Manual security checks:
Assignment-Specific Checks:
```bash
# Verify README exists and is comprehensive
test -f iac/README.md || echo "ERROR: README.md missing"
grep -q "Prerequisites" iac/README.md || echo "WARN: README missing Prerequisites"
grep -q "GitOps" iac/README.md || echo "WARN: README missing tool justification"
# Check for required providers
grep -q "hashicorp/helm" iac/versions.tf || echo "ERROR: Helm provider not declared"
grep -q "hashicorp/kubernetes" iac/versions.tf || echo "WARN: Kubernetes provider recommended"
# Verify namespace resource exists
grep -q "kubernetes_namespace" iac/*.tf || echo "WARN: No namespace resource defined"
# Check helm_release configuration
grep -q "wait\s*=\s*true" iac/*.tf || echo "WARN: helm_release should use wait = true"
```
Generic Best Practices:
Generate comprehensive report:
```text
=== TERRAFORM VALIDATION REPORT ===
Date: [timestamp]
Directory: iac/

FORMATTING: [PASS/FAIL]
- Issues: [count]
- Details: [list]

VALIDATION: [PASS/FAIL]
- Errors: [count]
- Warnings: [count]
- Details: [list]

SECURITY: [PASS/FAIL/SKIPPED]
- Critical: [count]
- High: [count]
- Medium: [count]
- Details: [list]

BEST PRACTICES: [PASS/FAIL]
- Violations: [count]
- Details: [list]

OVERALL STATUS: [PASS/FAIL]

REQUIRED ACTIONS:
1. [Action item]
2. [Action item]

OPTIONAL IMPROVEMENTS:
- [Suggestion]
- [Suggestion]
```
When called from q24-terraform-generator:
Communication Protocol:
```json
{
  "status": "fail",
  "errors": [
    {
      "file": "main.tf",
      "line": 15,
      "severity": "error",
      "message": "Missing required argument",
      "fix": "Add 'namespace' argument to helm_release"
    }
  ],
  "warnings": [...],
  "iteration": 1,
  "max_iterations": 3
}
```
Update AI_assistance_log.md with validation results:
```markdown
## Task 2: IaC - Terraform Validation
**Date:** [timestamp]
**Skill Used:** q24-terraform-validator
**Result:** [Pass/Fail]

**Validation Results:**
- Formatting: [Pass/Fail]
- Validation: [Pass/Fail]
- Security: [Pass/Fail/Skipped]
- Best Practices: [Pass/Fail]

**Errors Found:** [count]
**Warnings Found:** [count]

**Critical Issues:**
[List of critical issues that must be fixed]

**Actions Taken:**
[List of fixes applied]

**Skill Updates:**
[Any improvements made to validation logic]
```
Common errors and fixes:
| Error | Fix |
|---|---|
| Missing required argument | Add argument with appropriate value |
| Invalid resource reference | Correct resource name/path |
| Type mismatch | Convert value to expected type |
| Circular dependency | Refactor resource dependencies |
| Hardcoded value | Extract to variable |
| Missing provider | Add to required_providers |
| Incorrect version constraint | Update version string format |
Validation passes when:
Use consistent exit codes for automation:
- `0` - All validations passed
- `1` - Formatting issues only
- `2` - Validation errors
- `3` - Security issues found
- `4` - Best practices violations
- `10` - Pre-flight checks failed
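The grep-based stages above (pre-flight, hardcoded credentials, variable descriptions, assignment-specific checks) wired to the exit-code table, as one runnable script. This is an added example and not the skill's own code: the function names (`preflight`, `validate_dir`, `make_fixture`), the precedence between stages, and the fixture files are assumptions of this example; the `terraform fmt`/`terraform validate` stages (codes 1 and 2) and the trivy/checkov scan are left to the steps above so that it runs without Terraform installed.

```shell
#!/usr/bin/env bash
# Added example (not the q24 skill's own code): a runner for the grep-based stages above,
# returning the skill's exit codes. terraform fmt/validate (codes 1 and 2) and trivy/checkov
# are left out so this runs without Terraform; function names and fixtures are assumptions.
set -u
EXIT_OK=0
EXIT_SECURITY=3
EXIT_BEST_PRACTICE=4
EXIT_PREFLIGHT=10

# Pre-flight: the directory and its required files must exist.
preflight() {
  [ -d "$1" ] && [ -f "$1/main.tf" ] && [ -f "$1/versions.tf" ]
}

# Security: a credential-like name assigned a quoted literal. A value starting with
# "$" is an interpolation (var./local.) and is deliberately not counted.
count_hardcoded_secrets() {
  grep -hiE '(password|secret|token|key)[[:space:]]*=[[:space:]]*"[^$]' "$1"/*.tf 2>/dev/null \
    | wc -l | tr -d ' '
}

# Best practice: every variable block should carry a description. Counting blocks
# against description lines finds the undocumented ones (grep -L cannot).
count_undescribed_variables() {
  local file="$1/variables.tf" vars descs
  [ -f "$file" ] || { echo 0; return; }
  vars=$(grep -c '^variable "' "$file" || true)
  descs=$(grep -c '^[[:space:]]*description[[:space:]]*=' "$file" || true)
  echo $(( vars - descs ))
}

# Assignment-specific: Helm provider declared, namespace resource present, helm_release waits.
assignment_violations() {
  local dir="$1" n=0
  grep -q 'hashicorp/helm' "$dir/versions.tf" 2>/dev/null || n=$((n + 1))
  grep -q 'kubernetes_namespace' "$dir"/*.tf 2>/dev/null || n=$((n + 1))
  grep -q 'wait[[:space:]]*=[[:space:]]*true' "$dir"/*.tf 2>/dev/null || n=$((n + 1))
  echo "$n"
}

# Run the stages in precedence order; the first failing stage decides the exit code.
validate_dir() {
  local dir="$1" secrets undescribed violations
  if ! preflight "$dir"; then
    echo "PRE-FLIGHT: FAIL ($dir, main.tf or versions.tf missing)"
    return "$EXIT_PREFLIGHT"
  fi
  secrets=$(count_hardcoded_secrets "$dir")
  if [ "$secrets" -gt 0 ]; then
    echo "SECURITY: FAIL ($secrets hardcoded credential(s) detected)"
    return "$EXIT_SECURITY"
  fi
  undescribed=$(count_undescribed_variables "$dir")
  violations=$(assignment_violations "$dir")
  if [ $(( undescribed + violations )) -gt 0 ]; then
    echo "BEST PRACTICES: FAIL ($undescribed undescribed variable(s), $violations assignment check(s))"
    return "$EXIT_BEST_PRACTICE"
  fi
  echo "OVERALL STATUS: PASS"
  return "$EXIT_OK"
}

# Constructed fixtures (not assignment code): a compliant tree, plus variants that add
# a literal registry token ("secret") or an undocumented variable ("undocumented").
make_fixture() {
  local dir="$1" flavour="$2"
  mkdir -p "$dir"
  cat > "$dir/versions.tf" <<'EOF'
terraform {
  required_providers {
    helm = { source = "hashicorp/helm", version = "~> 2.0" }
  }
}
EOF
  cat > "$dir/variables.tf" <<'EOF'
variable "namespace" {
  description = "Target namespace for the release"
  type        = string
}
EOF
  cat > "$dir/main.tf" <<'EOF'
resource "kubernetes_namespace" "app" { metadata { name = var.namespace } }
resource "helm_release" "app" {
  name      = "app"
  chart     = "./chart"
  namespace = var.namespace
  wait      = true
}
EOF
  case "$flavour" in
    secret)       printf 'locals {\n  registry_token = "hunter2"\n}\n' >> "$dir/main.tf" ;;
    undocumented) printf 'variable "replicas" {\n  type = number\n}\n' >> "$dir/variables.tf" ;;
  esac
}

# Usage: ./validate.sh iac/  (prints the verdict and exits with the code from the table above)
if [ -n "${1:-}" ]; then
  validate_dir "$1"
  exit $?
fi
```

Run it with a directory argument to validate a real `iac/` tree; without one it only defines the functions, so the fixtures can be exercised from a test. Security findings take precedence over best-practice findings so that a literal credential is never reported under a lower exit code.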