Specialized skill for analyzing Terraform configurations. Supports parsing, security scanning (tfsec, checkov), cost estimation (infracost), drift detection, and plan visualization across AWS, Azure, and GCP.
You are terraform-analyzer - a specialized skill for analyzing Terraform configurations and Infrastructure as Code. This skill enables AI-powered infrastructure analysis for security, cost, and compliance.
This skill enables comprehensive Terraform analysis including:
Parse and analyze Terraform configurations:

```hcl
# Example configuration being analyzed
resource "aws_instance" "web" {
  ami                    = var.ami_id
  instance_type          = var.instance_type
  vpc_security_group_ids = [aws_security_group.web.id]
  subnet_id              = aws_subnet.private.id

  root_block_device {
    volume_size = 100
    volume_type = "gp3"
    encrypted   = true
  }

  tags = {
    Name        = "web-server"
    Environment = var.environment
  }
}

resource "aws_security_group" "web" {
  name        = "web-sg"
  description = "Security group for web servers"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # Security finding: open to world
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
```bash
# Run tfsec security scan
tfsec . --format json --out tfsec-report.json
```

Example findings (`tfsec-report.json`):

```json
{
  "results": [
    {
      "rule_id": "aws-vpc-no-public-ingress-sgr",
      "severity": "CRITICAL",
      "description": "Security group rule allows ingress from public internet",
      "resource": "aws_security_group.web",
      "location": {
        "filename": "security.tf",
        "start_line": 15
      },
      "resolution": "Restrict ingress to specific CIDR blocks"
    }
  ]
}
```
```bash
# Run Checkov security and compliance scan
checkov -d . --output json > checkov-report.json
```

Example findings (`checkov-report.json`):

```json
{
  "passed": 45,
  "failed": 3,
  "skipped": 0,
  "results": {
    "failed_checks": [
      {
        "check_id": "CKV_AWS_23",
        "check_name": "Ensure every security groups rule has a description",
        "resource": "aws_security_group.web",
        "guideline": "https://docs.bridgecrew.io/docs/..."
      },
      {
        "check_id": "CKV_AWS_24",
        "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22",
        "resource": "aws_security_group.web"
      }
    ]
  }
}
```
```bash
# Run Terrascan policy scan
terrascan scan -d . -o json > terrascan-report.json
```
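A skill that consumes the tfsec and Checkov reports above needs to merge them into one list of findings and decide whether the pipeline should fail. The following added example (not part of the original skill or of either tool) does that for the two report shapes shown: it normalizes tfsec results and Checkov failed checks, applies a severity gate, and groups findings per resource so a reviewer sees everything flagged on `aws_security_group.web` together. The sample reports are constructed to match the shapes above; the `example-low-finding` rule id is a placeholder, and the default severity assigned to Checkov checks (which carry none in open-source output) is an assumption of this example.

```python
import json
from dataclasses import dataclass

# Constructed sample reports shaped like the tfsec and Checkov JSON above;
# "example-low-finding" is a placeholder rule id, not a real tfsec check.
TFSEC_REPORT = json.dumps({
    "results": [
        {"rule_id": "aws-vpc-no-public-ingress-sgr", "severity": "CRITICAL",
         "description": "Security group rule allows ingress from public internet",
         "resource": "aws_security_group.web",
         "location": {"filename": "security.tf", "start_line": 15},
         "resolution": "Restrict ingress to specific CIDR blocks"},
        {"rule_id": "example-low-finding", "severity": "LOW",
         "description": "Constructed low-severity finding for the demo",
         "resource": "aws_instance.web",
         "location": {"filename": "compute.tf", "start_line": 3},
         "resolution": "n/a"},
    ]
})

CHECKOV_REPORT = json.dumps({
    "passed": 45, "failed": 2, "skipped": 0,
    "results": {"failed_checks": [
        {"check_id": "CKV_AWS_23",
         "check_name": "Ensure every security groups rule has a description",
         "resource": "aws_security_group.web"},
        {"check_id": "CKV_AWS_24",
         "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22",
         "resource": "aws_security_group.web"},
    ]},
})

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    severity: str
    resource: str
    message: str
    location: str


def parse_tfsec(text: str) -> list[Finding]:
    """Normalize tfsec JSON results into Finding records."""
    out = []
    for r in json.loads(text).get("results") or []:
        loc = r.get("location", {})
        out.append(Finding("tfsec", r["rule_id"], r.get("severity", "UNKNOWN").upper(),
                           r.get("resource", ""), r.get("description", ""),
                           f"{loc.get('filename', '?')}:{loc.get('start_line', '?')}"))
    return out


def parse_checkov(text: str, default_severity: str = "HIGH") -> list[Finding]:
    """Normalize Checkov failed checks. Open-source Checkov output carries no
    severity, so a policy-chosen default (assumption here: HIGH) is applied."""
    out = []
    for c in json.loads(text).get("results", {}).get("failed_checks", []):
        out.append(Finding("checkov", c["check_id"], default_severity,
                           c.get("resource", ""), c.get("check_name", ""),
                           c.get("file_path", "?")))
    return out


def blocking_findings(findings: list[Finding], fail_on: str = "HIGH") -> list[Finding]:
    """Findings at or above the gate severity, most severe first.
    A non-empty result means the pipeline should fail."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return sorted((f for f in findings if SEVERITY_RANK.get(f.severity, 0) >= threshold),
                  key=lambda f: (-SEVERITY_RANK.get(f.severity, 0), f.resource, f.rule_id))


def findings_by_resource(findings: list[Finding]) -> dict[str, list[str]]:
    """Group 'tool:rule_id' labels by the resource address they apply to."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.resource, []).append(f"{f.tool}:{f.rule_id}")
    return grouped


if __name__ == "__main__":
    all_findings = parse_tfsec(TFSEC_REPORT) + parse_checkov(CHECKOV_REPORT)
    blocking = blocking_findings(all_findings)
    for f in blocking:
        print(f"{f.severity:8} {f.tool:8} {f.rule_id:32} {f.resource} ({f.location})")
    print("gate:", "FAIL" if blocking else "PASS")
```

Raising the gate to `fail_on="CRITICAL"` leaves only the open-ingress finding, which is the usual way to roll a scanner into an existing codebase without blocking every pipeline on day one.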
Using Infracost for cost analysis:

```bash
# Generate cost breakdown
infracost breakdown --path . --format json > cost-report.json
```

Example output (`cost-report.json`):

```json
{
  "version": "0.2",
  "currency": "USD",
  "projects": [
    {
      "name": "production",
      "breakdown": {
        "resources": [
          {
            "name": "aws_instance.web",
            "monthlyQuantity": 730,
            "unit": "hours",
            "hourlyRate": "0.0416",
            "monthlyCost": "30.37"
          },
          {
            "name": "aws_ebs_volume.data",
            "monthlyQuantity": 100,
            "unit": "GB",
            "monthlyCost": "10.00"
          }
        ],
        "totalMonthlyCost": "540.37",
        "totalHourlyCost": "0.74"
      }
    }
  ],
  "totalMonthlyCost": "540.37"
}
```
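The breakdown above is most useful when turned into a decision: is the stack within budget, which resources dominate, and what does a proposed change add? The added example below (not part of the original skill or of Infracost) reads two breakdowns in the shape shown, computes totals with `Decimal` so cents do not drift, checks a budget, ranks resources, and produces a per-resource delta in the spirit of `infracost diff`. Both documents are constructed samples; their rates and figures are illustrative, not quoted from any price list.

```python
import json
from decimal import Decimal

# Constructed baseline breakdown shaped like the Infracost JSON above (version 0.2).
BASELINE = json.dumps({
    "version": "0.2", "currency": "USD",
    "projects": [{
        "name": "production",
        "breakdown": {
            "resources": [
                {"name": "aws_instance.web", "monthlyQuantity": 730, "unit": "hours",
                 "hourlyRate": "0.0416", "monthlyCost": "30.37"},
                {"name": "aws_ebs_volume.data", "monthlyQuantity": 100, "unit": "GB",
                 "monthlyCost": "10.00"},
                {"name": "aws_nat_gateway.main", "monthlyQuantity": 730, "unit": "hours",
                 "hourlyRate": "0.0450", "monthlyCost": "32.85"},
            ],
            "totalMonthlyCost": "73.22",
        },
    }],
    "totalMonthlyCost": "73.22",
})

# Constructed breakdown of the same project after a change: a larger instance
# and a new database. Only the fields the functions below use are included.
PROPOSED = json.dumps({
    "version": "0.2", "currency": "USD",
    "projects": [{
        "name": "production",
        "breakdown": {
            "resources": [
                {"name": "aws_instance.web", "monthlyCost": "60.74"},
                {"name": "aws_ebs_volume.data", "monthlyCost": "10.00"},
                {"name": "aws_nat_gateway.main", "monthlyCost": "32.85"},
                {"name": "aws_db_instance.main", "monthlyCost": "25.00"},
            ],
            "totalMonthlyCost": "128.59",
        },
    }],
    "totalMonthlyCost": "128.59",
})


def resource_costs(text: str) -> dict[str, Decimal]:
    """Map 'project/resource' to monthly cost. Infracost reports null for
    usage-based or unsupported resources; those count as 0 here."""
    costs: dict[str, Decimal] = {}
    for project in json.loads(text)["projects"]:
        for r in project["breakdown"]["resources"]:
            cost = r.get("monthlyCost")
            costs[f"{project['name']}/{r['name']}"] = Decimal(cost) if cost is not None else Decimal("0")
    return costs


def total_monthly(text: str) -> Decimal:
    """Sum of resource costs, independent of the report's own total field."""
    return sum(resource_costs(text).values(), Decimal("0"))


def totals_consistent(text: str) -> bool:
    """True when the report's top-level totalMonthlyCost equals the resource sum."""
    return Decimal(json.loads(text)["totalMonthlyCost"]) == total_monthly(text)


def budget_check(text: str, budget: str) -> dict:
    """Compare the monthly total with a budget given as a decimal string."""
    total, limit = total_monthly(text), Decimal(budget)
    return {"total": total, "budget": limit, "over": total > limit,
            "excess": max(total - limit, Decimal("0"))}


def top_resources(text: str, n: int = 3) -> list[tuple[str, Decimal]]:
    """The n most expensive resources, highest first."""
    return sorted(resource_costs(text).items(), key=lambda kv: -kv[1])[:n]


def cost_diff(baseline_text: str, proposed_text: str) -> dict[str, Decimal]:
    """Per-resource monthly delta; added resources appear at full cost, removed ones negative."""
    before, after = resource_costs(baseline_text), resource_costs(proposed_text)
    diff = {}
    for key in sorted(set(before) | set(after)):
        delta = after.get(key, Decimal("0")) - before.get(key, Decimal("0"))
        if delta != 0:
            diff[key] = delta
    return diff


if __name__ == "__main__":
    print("baseline total:", total_monthly(BASELINE), "consistent:", totals_consistent(BASELINE))
    print("budget:", budget_check(BASELINE, "50"))
    print("top:", top_resources(BASELINE, 2))
    for key, delta in cost_diff(BASELINE, PROPOSED).items():
        print(f"{key}: {delta:+}")
```

`totals_consistent` is worth running on any report before quoting its headline number, since a stack with null-priced resources can report a total that no longer matches the visible line items.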
Detect configuration drift:

```bash
# Refresh and check for drift
terraform plan -refresh-only -json > drift-report.json
```

Example drift detection output:

```json
{
  "resource_drift": [
    {
      "resource": "aws_instance.web",
      "address": "aws_instance.web",
      "changes": {
        "before": {
          "instance_type": "t3.medium"
        },
        "after": {
          "instance_type": "t3.large"
        },
        "drift_reason": "Manual change via console"
      }
    }
  ],
  "summary": {
    "total_resources": 45,
    "drifted_resources": 1,
    "unchanged_resources": 44
  }
}
```
Analyze and visualize Terraform plans:

```bash
# Generate plan
terraform plan -out=tfplan
terraform show -json tfplan > plan.json
```

Plan analysis output (`plan.json`):

```json
{
  "format_version": "1.0",
  "resource_changes": [
    {
      "address": "aws_instance.web",
      "mode": "managed",
      "type": "aws_instance",
      "name": "web",
      "change": {
        "actions": ["update"],
        "before": {
          "instance_type": "t3.small"
        },
        "after": {
          "instance_type": "t3.medium"
        }
      }
    }
  ],
  "summary": {
    "add": 2,
    "change": 1,
    "destroy": 0
  }
}
```
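The drift and plan sections above both boil down to reading Terraform's JSON plan representation and asking three questions: what will be added, changed and destroyed; which changes are destructive to resources that hold data; and what was changed outside Terraform. The added example below (not part of the original skill or of Terraform) answers all three from one document in the shape of `terraform show -json tfplan`, using its `resource_changes` array for the plan and its `resource_drift` array (the same record shape) for drift. It treats a `["delete", "create"]` or `["create", "delete"]` action pair as a replacement, which Terraform counts once as an add and once as a destroy. The plan document is a constructed sample; its AMI id and bucket name are placeholders, and the protected resource types passed to `destructive_changes` are the caller's policy, not anything Terraform defines.

```python
import json

# Constructed sample shaped like `terraform show -json tfplan` output.
# The drift record says the instance was resized to t3.large outside Terraform
# (as in the example above); the plan then returns it to the configured size.
PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.web", "mode": "managed", "type": "aws_instance", "name": "web",
         "change": {"actions": ["update"],
                    "before": {"instance_type": "t3.large", "ami": "ami-PLACEHOLDER"},
                    "after": {"instance_type": "t3.medium", "ami": "ami-PLACEHOLDER"}}},
        {"address": "aws_db_instance.main", "mode": "managed", "type": "aws_db_instance", "name": "main",
         "change": {"actions": ["delete", "create"],
                    "before": {"engine_version": "14.7"}, "after": {"engine_version": "15.3"}}},
        {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket", "name": "logs",
         "change": {"actions": ["create"], "before": None, "after": {"bucket": "example-logs"}}},
        {"address": "aws_iam_role.ci", "mode": "managed", "type": "aws_iam_role", "name": "ci",
         "change": {"actions": ["no-op"], "before": {"name": "ci"}, "after": {"name": "ci"}}},
    ],
    "resource_drift": [
        {"address": "aws_instance.web", "mode": "managed", "type": "aws_instance", "name": "web",
         "change": {"actions": ["update"],
                    "before": {"instance_type": "t3.medium"},
                    "after": {"instance_type": "t3.large"}}},
    ],
})


def classify(actions: list[str]) -> str:
    """Collapse Terraform's action list into one verb; delete+create in either order is a replace."""
    if "delete" in actions and "create" in actions:
        return "replace"
    return actions[0]


def summarize(plan_text: str) -> dict[str, int]:
    """Reproduce the 'X to add, Y to change, Z to destroy' line; a replace counts on both sides."""
    counts = {"add": 0, "change": 0, "destroy": 0}
    for rc in json.loads(plan_text).get("resource_changes", []):
        kind = classify(rc["change"]["actions"])
        if kind == "create":
            counts["add"] += 1
        elif kind == "update":
            counts["change"] += 1
        elif kind == "delete":
            counts["destroy"] += 1
        elif kind == "replace":
            counts["add"] += 1
            counts["destroy"] += 1
    return counts


def changed_attributes(change: dict) -> dict[str, tuple]:
    """Attributes whose value differs between before and after, as {name: (before, after)}."""
    before, after = change.get("before") or {}, change.get("after") or {}
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}


def change_for(plan_text: str, address: str) -> dict[str, tuple]:
    """Changed attributes of one planned resource change, looked up by address."""
    for rc in json.loads(plan_text).get("resource_changes", []):
        if rc["address"] == address:
            return changed_attributes(rc["change"])
    return {}


def destructive_changes(plan_text: str, protected_types: set[str]) -> list[str]:
    """Addresses of protected resource types that the plan deletes or replaces."""
    return [rc["address"] for rc in json.loads(plan_text).get("resource_changes", [])
            if "delete" in rc["change"]["actions"] and rc["type"] in protected_types]


def drift_report(plan_text: str) -> list[tuple[str, dict]]:
    """(address, changed attributes) for every resource that changed outside Terraform."""
    return [(d["address"], changed_attributes(d["change"]))
            for d in json.loads(plan_text).get("resource_drift", [])]


if __name__ == "__main__":
    print("plan:", summarize(PLAN))
    print("destructive:", destructive_changes(PLAN, {"aws_db_instance", "aws_s3_bucket"}))
    for address, attrs in drift_report(PLAN):
        print("drift:", address, attrs)
```

Because `resource_drift` records use the same `change` structure as `resource_changes`, one attribute-diff function serves both, and the drift list doubles as the evidence that the `aws_instance.web` update in the plan is a revert of a console change rather than a new configuration.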
Analyze Terraform module structure (module dependency analysis):

```json
{
  "modules": {
    "root": {
      "path": ".",
      "source": "local",
      "version": null,
      "dependencies": ["./modules/vpc", "./modules/compute"]
    },
    "vpc": {
      "path": "./modules/vpc",
      "source": "local",
      "resources": ["aws_vpc", "aws_subnet", "aws_route_table"]
    },
    "compute": {
      "path": "./modules/compute",
      "source": "local",
      "resources": ["aws_instance", "aws_autoscaling_group"],
      "depends_on": ["vpc"]
    }
  },
  "external_modules": [
    {
      "source": "terraform-aws-modules/vpc/aws",
      "version": "5.0.0",
      "registry": "registry.terraform.io"
    }
  ]
}
```
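Two things a skill should compute from a module analysis document like the one above are the order in which modules must be applied (and whether that order exists at all) and which external modules are not pinned to an exact version, since an unpinned or range-pinned registry module can silently change on the next `terraform init`. The added example below (not part of the original skill) builds the dependency graph from both the root's `dependencies` paths and the modules' `depends_on` names, topologically sorts it with Kahn's algorithm, raises on a cycle, and lists external modules whose `version` is missing or is a range rather than `x.y.z`. The document is a constructed sample in the shape above; the two `example-org/...` modules are placeholders added to exercise the pinning check.

```python
import json
import re

# Constructed sample shaped like the module analysis document above, with two
# placeholder external modules added so the pinning check has something to flag.
MODULE_ANALYSIS = json.dumps({
    "modules": {
        "root": {"path": ".", "source": "local", "version": None,
                 "dependencies": ["./modules/vpc", "./modules/compute"]},
        "vpc": {"path": "./modules/vpc", "source": "local",
                "resources": ["aws_vpc", "aws_subnet", "aws_route_table"]},
        "compute": {"path": "./modules/compute", "source": "local",
                    "resources": ["aws_instance", "aws_autoscaling_group"],
                    "depends_on": ["vpc"]},
    },
    "external_modules": [
        {"source": "terraform-aws-modules/vpc/aws", "version": "5.0.0",
         "registry": "registry.terraform.io"},
        {"source": "example-org/unpinned/aws", "version": None,
         "registry": "registry.terraform.io"},
        {"source": "example-org/ranged/aws", "version": ">= 4.0",
         "registry": "registry.terraform.io"},
    ],
})

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def load(text: str) -> dict:
    """Parse the analysis document."""
    return json.loads(text)


def dependency_graph(doc: dict) -> dict[str, set[str]]:
    """Edges module -> set of modules it depends on. Root's path-based
    `dependencies` are resolved to module names via each module's `path`."""
    mods = doc["modules"]
    by_path = {m["path"]: name for name, m in mods.items()}
    graph: dict[str, set[str]] = {name: set() for name in mods}
    for name, m in mods.items():
        for dep in m.get("depends_on", []):
            graph[name].add(dep)
        for path in m.get("dependencies", []):
            graph[name].add(by_path[path])  # KeyError surfaces an unknown path
    return graph


def apply_order(graph: dict[str, set[str]]) -> list[str]:
    """Kahn topological sort, dependencies first, ties broken alphabetically.
    Raises ValueError naming the modules caught in a cycle."""
    indegree = {n: len(deps) for n, deps in graph.items()}
    ready = sorted(n for n, d in indegree.items() if d == 0)
    order: list[str] = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for node, deps in graph.items():
            if current in deps:
                indegree[node] -= 1
                if indegree[node] == 0:
                    ready.append(node)
                    ready.sort()
    if len(order) != len(graph):
        stuck = sorted(n for n in graph if n not in order)
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def unpinned_modules(doc: dict) -> list[str]:
    """Sources of external modules whose version is missing or not an exact x.y.z pin."""
    return [m["source"] for m in doc.get("external_modules", [])
            if not EXACT_VERSION.match(m.get("version") or "")]


if __name__ == "__main__":
    analysis = load(MODULE_ANALYSIS)
    print("apply order:", apply_order(dependency_graph(analysis)))
    print("unpinned external modules:", unpinned_modules(analysis))
```

The version check is deliberately strict: Terraform accepts constraints such as `>= 4.0` or `~> 5.0`, but for a security review the question is whether the module content is reproducible, and only an exact pin (ideally with a lockfile-style source hash, which this document does not carry) answers yes.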
Check compliance with organizational policies:
# Policy definition