terraform-analyzer
// Specialized skill for analyzing Terraform configurations. Supports parsing, security scanning (tfsec, checkov), cost estimation (infracost), drift detection, and plan visualization across AWS, Azure, and GCP.
$ git log --oneline --stat
stars:384
forks:73
updated:March 4, 2026
SKILL.mdreadonly
SKILL.md Frontmatter
nameterraform-analyzer
descriptionSpecialized skill for analyzing Terraform configurations. Supports parsing, security scanning (tfsec, checkov), cost estimation (infracost), drift detection, and plan visualization across AWS, Azure, and GCP.
allowed-toolsBash(*) Read Write Edit Glob Grep WebFetch
metadata[object Object]
terraform-analyzer
You are terraform-analyzer - a specialized skill for analyzing Terraform configurations and Infrastructure as Code. This skill enables AI-powered infrastructure analysis for security, cost, and compliance.
Overview
This skill enables comprehensive Terraform analysis including:
- Parse and validate Terraform configurations
- Security scanning with tfsec, checkov, terrascan
- Cost estimation with infracost
- Drift detection between state and actual
- Plan visualization and change analysis
- Support for AWS, Azure, GCP providers
Prerequisites
- Terraform CLI (v1.0+) installed
- Optional: tfsec, checkov, terrascan, infracost
- Provider credentials for plan/apply
Capabilities
1. Terraform Configuration Parsing
Parse and analyze Terraform configurations:
# Example configuration being analyzed
resource "aws_instance" "web" {
ami = var.ami_id
instance_type = var.instance_type
vpc_security_group_ids = [aws_security_group.web.id]
subnet_id = aws_subnet.private.id
root_block_device {
volume_size = 100
volume_type = "gp3"
encrypted = true
}
tags = {
Name = "web-server"
Environment = var.environment
}
}
resource "aws_security_group" "web" {
name = "web-sg"
description = "Security group for web servers"
vpc_id = aws_vpc.main.id
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # Security finding: open to world
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
2. Security Scanning
tfsec Analysis
# Run tfsec security scan
tfsec . --format json --out tfsec-report.json
# Example findings
{
"results": [
{
"rule_id": "aws-vpc-no-public-ingress-sgr",
"severity": "CRITICAL",
"description": "Security group rule allows ingress from public internet",
"resource": "aws_security_group.web",
"location": {
"filename": "security.tf",
"start_line": 15
},
"resolution": "Restrict ingress to specific CIDR blocks"
}
]
}
Checkov Analysis
# Run Checkov security and compliance scan
checkov -d . --output json > checkov-report.json
# Example findings
{
"passed": 45,
"failed": 3,
"skipped": 0,
"results": {
"failed_checks": [
{
"check_id": "CKV_AWS_23",
"check_name": "Ensure every security groups rule has a description",
"resource": "aws_security_group.web",
"guideline": "https://docs.bridgecrew.io/docs/..."
},
{
"check_id": "CKV_AWS_24",
"check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22",
"resource": "aws_security_group.web"
}
]
}
}
Terrascan Analysis
# Run Terrascan policy scan
terrascan scan -d . -o json > terrascan-report.json
3. Cost Estimation
Using Infracost for cost analysis:
# Generate cost breakdown
infracost breakdown --path . --format json > cost-report.json
# Example output
{
"version": "0.2",
"currency": "USD",
"projects": [
{
"name": "production",
"breakdown": {
"resources": [
{
"name": "aws_instance.web",
"monthlyQuantity": 730,
"unit": "hours",
"hourlyRate": "0.0416",
"monthlyCost": "30.37"
},
{
"name": "aws_ebs_volume.data",
"monthlyQuantity": 100,
"unit": "GB",
"monthlyCost": "10.00"
}
],
"totalMonthlyCost": "540.37",
"totalHourlyCost": "0.74"
}
}
],
"totalMonthlyCost": "540.37"
}
4. Drift Detection
Detect configuration drift:
# Refresh and check for drift
terraform plan -refresh-only -json > drift-report.json
# Example drift detection
{
"resource_drift": [
{
"resource": "aws_instance.web",
"address": "aws_instance.web",
"changes": {
"before": {
"instance_type": "t3.medium"
},
"after": {
"instance_type": "t3.large"
},
"drift_reason": "Manual change via console"
}
}
],
"summary": {
"total_resources": 45,
"drifted_resources": 1,
"unchanged_resources": 44
}
}
5. Plan Visualization
Analyze and visualize Terraform plans:
# Generate plan
terraform plan -out=tfplan
terraform show -json tfplan > plan.json
# Plan analysis output
{
"format_version": "1.0",
"resource_changes": [
{
"address": "aws_instance.web",
"mode": "managed",
"type": "aws_instance",
"name": "web",
"change": {
"actions": ["update"],
"before": {
"instance_type": "t3.small"
},
"after": {
"instance_type": "t3.medium"
}
}
}
],
"summary": {
"add": 2,
"change": 1,
"destroy": 0
}
}
6. Module Analysis
Analyze Terraform module structure:
// Module dependency analysis
{
"modules": {
"root": {
"path": ".",
"source": "local",
"version": null,
"dependencies": ["./modules/vpc", "./modules/compute"]
},
"vpc": {
"path": "./modules/vpc",
"source": "local",
"resources": ["aws_vpc", "aws_subnet", "aws_route_table"]
},
"compute": {
"path": "./modules/compute",
"source": "local",
"resources": ["aws_instance", "aws_autoscaling_group"],
"depends_on": ["vpc"]
}
},
"external_modules": [
{
"source": "terraform-aws-modules/vpc/aws",
"version": "5.0.0",
"registry": "registry.terraform.io"
}
]
}
7. Compliance Checking
Check compliance with organizational policies:
# Policy definition
policies:
- name: require-encryption
description: All storage must be encrypted
resource_types: [aws_ebs_volume, aws_rds_instance, aws_s3_bucket]
rules:
- attribute: encrypted
value: true
- attribute: storage_encrypted
value: true
- name: require-tags
description: All resources must have required tags
rules:
- attribute: tags
contains: [Environment, Owner, CostCenter]
- name: restrict-instance-types
description: Only allow approved instance types
resource_types: [aws_instance]
rules:
- attribute: instance_type
allowed_values: [t3.micro, t3.small, t3.medium, t3.large]
MCP Server Integration
This skill can leverage the following MCP servers:
| Server | Description | Installation |
|---|---|---|
| Terraform MCP Server (HashiCorp) | Official Terraform Registry integration | GitHub |
| AWS Terraform MCP Server | Terraform with Checkov and AWS best practices | AWS Labs |
Best Practices
Security Scanning Workflow
workflow:
pre_commit:
- terraform fmt -check
- terraform validate
- tfsec --minimum-severity HIGH
ci_pipeline:
- terraform init
- terraform validate
- tfsec --format sarif
- checkov -d . --output sarif
- infracost breakdown --path .
pre_deploy:
- terraform plan -out=tfplan
- infracost diff --path tfplan
- manual_review_required: true
Recommended Thresholds
security_thresholds:
tfsec:
max_critical: 0
max_high: 0
max_medium: 5
checkov:
min_passed_percentage: 90
infracost:
max_monthly_increase_percentage: 20
require_approval_above: 1000 # USD
Process Integration
This skill integrates with the following processes:
iac-review.js- Primary IaC analysis workflowcloud-architecture-design.js- Architecture validationdevops-architecture-alignment.js- DevOps integration
Output Format
When analyzing configurations, provide structured output:
{
"operation": "analyze",
"status": "completed",
"configuration": {
"path": "./infrastructure",
"provider": "aws",
"resources": 45,
"modules": 5
},
"security": {
"tool": "tfsec",
"findings": {
"critical": 0,
"high": 2,
"medium": 5,
"low": 8
},
"passed": true,
"threshold_exceeded": false
},
"compliance": {
"tool": "checkov",
"passed": 42,
"failed": 3,
"skipped": 0,
"passed_percentage": 93.3
},
"cost": {
"tool": "infracost",
"monthly_estimate": "$540.37",
"hourly_estimate": "$0.74",
"change_from_baseline": "+$45.00"
},
"drift": {
"detected": true,
"resources_drifted": 1,
"total_resources": 45
},
"artifacts": [
"tfsec-report.json",
"checkov-report.json",
"cost-report.json"
],
"recommendations": [
{
"priority": "high",
"category": "security",
"description": "Restrict security group ingress rules",
"resource": "aws_security_group.web"
}
]
}
Error Handling
Common Errors
| Error | Cause | Resolution |
|---|---|---|
Provider not configured | Missing credentials | Configure provider credentials |
Module not found | Invalid source path | Check module source configuration |
State lock error | Concurrent access | Wait or force unlock |
Validation failed | Invalid HCL syntax | Fix syntax errors |
Constraints
- Run security scans on every change
- Require cost estimation for production
- Block deployments with critical findings
- Document all policy exceptions
- Review drift reports regularly