{"id":"b6facdf5-07dc-4cd8-bb65-06a110e9811e","shortId":"rKS2YV","kind":"skill","title":"terraform-audit","tagline":"Audit Terraform codebases for security, cost, code quality, and architecture issues. Use when reviewing Terraform projects, checking infrastructure-as-code compliance, or assessing AWS resource configurations for best practices.","description":"# Terraform Audit Skill\n\nPerform a comprehensive audit of a Terraform codebase across four dimensions: security & compliance, cost optimization, code quality, and architecture design. The audit produces a structured Markdown report with findings classified by severity. Rules are grounded in the CIS AWS Foundations Benchmark and the AWS Well-Architected Framework, with a primary focus on AWS resources.\n\n## Description\n\nPerform a comprehensive audit of a Terraform codebase covering four dimensions: security and compliance, cost optimization, code quality, and architecture design. Based on the CIS AWS Foundations Benchmark and the AWS Well-Architected Framework, output a structured Markdown audit report for AWS resources classified by Critical / Important / Minor severity levels.\n\n---\n\n## Execution Guidelines\n\n- Scan the project structure before auditing; determine scale by the number of `.tf` files (Small / Medium / Large) and choose the corresponding strategy\n- Execute the four dimensions in order: Security -> Cost -> Quality -> Architecture, reading the corresponding sub-module checklist for each\n- Every finding must include a severity level, affected file and line number, and specific remediation advice (including HCL code)\n- Use the [report-template.md](report-template.md) template for the report, saved to the project root directory\n- When cross-dimensional complementary rules exist (e.g., Multi-AZ in both architecture and cost), annotate the cross-reference context\n\n---\n\n## Examples\n\n### Bad\n\n```hcl\n# S3 bucket with no encryption, no versioning, public access\nresource 
\"aws_s3_bucket\" \"data\" {\n  bucket = \"my-data-bucket\"\n}\n\nresource \"aws_s3_bucket_public_access_block\" \"data\" {\n  bucket                  = aws_s3_bucket.data.id\n  block_public_acls       = false\n  block_public_policy     = false\n  ignore_public_acls      = false\n  restrict_public_buckets = false\n}\n```\n\n### ✅ Good\n\n```hcl\nresource \"aws_s3_bucket\" \"data\" {\n  bucket = \"${var.project}-${var.environment}-data\"\n}\n\nresource \"aws_s3_bucket_versioning\" \"data\" {\n  bucket = aws_s3_bucket.data.id\n  versioning_configuration { status = \"Enabled\" }\n}\n\nresource \"aws_s3_bucket_server_side_encryption_configuration\" \"data\" {\n  bucket = aws_s3_bucket.data.id\n  rule {\n    apply_server_side_encryption_by_default {\n      sse_algorithm     = \"aws:kms\"\n      kms_master_key_id = aws_kms_key.main.arn\n    }\n  }\n}\n\nresource \"aws_s3_bucket_public_access_block\" \"data\" {\n  bucket                  = aws_s3_bucket.data.id\n  block_public_acls       = true\n  block_public_policy     = true\n  ignore_public_acls      = true\n  restrict_public_buckets = true\n}\n```\n\n---\n\n## Audit Workflow\n\nCopy this checklist and update it as you progress:\n\n```\nAudit Progress:\n- [ ] Step 1: Scan project structure\n- [ ] Step 2: Security & compliance audit\n- [ ] Step 3: Cost optimization audit\n- [ ] Step 4: Code quality audit\n- [ ] Step 5: Architecture design audit\n- [ ] Step 6: Generate report\n```\n\n---\n\n## Step 1: Scan Project Structure\n\nUse Glob to find all `**/*.tf` files in the target project. Then determine:\n\n- **Module structure**: Identify root module, nested modules, and shared/reusable modules.\n- **Backend configuration**: Check for remote state backend (S3, GCS, Terraform Cloud, etc.) 
and state locking.\n- **Provider usage**: List providers and their version constraints.\n- **Terraform version**: Check `required_version` in `terraform {}` blocks.\n- **Project scale**:\n  - **Small**: < 10 `.tf` files — audit all files in a single pass.\n  - **Medium**: 10-30 `.tf` files — group by module, audit each module.\n  - **Large**: 30+ `.tf` files — prioritize root module and shared modules first, then environment-specific configs.\n\nRecord the scale; it determines the audit strategy in later steps.\n\n---\n\n## Step 2: Security & Compliance Audit\n\nRead [security-checklist.md](security-checklist.md) and apply each rule to the scanned codebase.\n\n**Categories covered**: IAM policies & roles, S3 bucket configuration, networking (security groups, NACLs, public access), encryption at rest and in transit, logging & monitoring, secrets management.\n\nClassify every finding as **Critical**, **Important**, or **Minor** per the severity table below.\n\n---\n\n## Step 3: Cost Optimization Audit\n\nRead [cost-optimization.md](cost-optimization.md) and apply each rule to the scanned codebase.\n\n**Categories covered**: Compute right-sizing, storage tiering & lifecycle, database instance sizing & reserved capacity, networking costs (NAT gateways, data transfer), tagging & cost governance.\n\nClassify every finding as **Critical**, **Important**, or **Minor**.\n\n---\n\n## Step 4: Code Quality Audit\n\nRead [code-quality.md](code-quality.md) and apply each rule to the scanned codebase.\n\n**Categories covered**: Modularity & reuse, naming conventions, variable & output hygiene, state management, provider & module version pinning, DRY principle adherence, file & directory structure.\n\nClassify every finding as **Critical**, **Important**, or **Minor**.\n\n---\n\n## Step 5: Architecture Design Audit\n\nRead [architecture-review.md](architecture-review.md) and apply each rule to the scanned codebase.\n\n**Categories covered**: High availability, disaster recovery, 
network design (VPC layout, subnet strategy, connectivity), environment isolation, scalability & auto-scaling readiness.\n\nClassify every finding as **Critical**, **Important**, or **Minor**.\n\n---\n\n## Issue Severity Classification\n\n| Level | Definition | Examples |\n|-------|-----------|----------|\n| **Critical** | Immediate security risk or data loss potential | Hardcoded secrets, publicly accessible S3 buckets, wildcard IAM permissions |\n| **Important** | Best practice violation with significant impact | Missing state locking, no version pins, oversized instances |\n| **Minor** | Style or optimization suggestion | Naming inconsistencies, missing variable descriptions |\n\n---\n\n## Step 6: Generate Report\n\nRead [report-template.md](report-template.md) for the exact output format.\n\n- Save the report to `{project_root}/terraform-audit-report.md`.\n- Within each dimension, sort findings by severity: Critical first, then Important, then Minor.\n- The executive summary must include total finding counts per severity level and an overall assessment (PASS / NEEDS ATTENTION / CRITICAL ISSUES).\n\n---\n\n## Project Scale Adaptation\n\n| Scale | Strategy |\n|-------|----------|\n| **Small** (< 10 `.tf` files) | Audit every file directly in one pass. |\n| **Medium** (10-30 files) | Group files by module. Audit each module as a unit. |\n| **Large** (30+ files) | Audit root module and shared modules first. Then audit environment-specific configurations. Summarize cross-cutting concerns at the end. 
|","tags":["terraform","audit","enterprise","harness","engineering","addxai","agent-skills","ai-agent","ai-engineering","claude-code","code-review","cursor"],"capabilities":["skill","source-addxai","skill-terraform-audit","topic-agent-skills","topic-ai-agent","topic-ai-engineering","topic-claude-code","topic-code-review","topic-cursor","topic-devops","topic-enterprise","topic-sre","topic-windsurf"],"categories":["enterprise-harness-engineering"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/addxai/enterprise-harness-engineering/terraform-audit","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add addxai/enterprise-harness-engineering","source_repo":"https://github.com/addxai/enterprise-harness-engineering","install_from":"skills.sh"}},"qualityScore":"0.458","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 16 github stars · SKILL.md body (6,705 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T01:02:13.019Z","embedding":null,"createdAt":"2026-04-21T19:04:02.586Z","updatedAt":"2026-04-22T01:02:13.019Z","lastSeenAt":"2026-04-22T01:02:13.019Z","prices":[{"id":"a5d2c886-9bba-4871-9faf-bc7f7b6d8ba8","listingId":"b6facdf5-07dc-4cd8-bb65-06a110e9811e","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"addxai","category":"enterprise-harness-engineering","install_from":"skills.sh"},"createdAt":"2026-04-21T19:04:02.586Z"}],"sources":[{"listingId":"b6facdf5-07dc-4cd8-bb65-06a110e9811e","source":"github","sourceId":"addxai/enterprise-harness-engineering/terraform-audit","sourceUrl":"https://github.com/addxai/enterprise-harness-engineering/tree/main/skills/terraform-audit","isPrimary":false,"firstSeenAt":"2026-04-21T19:04:02.586Z","lastSeenAt":"2026-04-22T01:02:13.019Z"}],"details":{"listingId":"b6facdf5-07dc-4cd8-bb65-06a110e9811e","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kind
Details":{"org":"addxai","slug":"terraform-audit","github":{"repo":"addxai/enterprise-harness-engineering","stars":16,"topics":["agent-skills","ai-agent","ai-engineering","claude-code","code-review","cursor","devops","enterprise","sre","windsurf"],"license":"apache-2.0","html_url":"https://github.com/addxai/enterprise-harness-engineering","pushed_at":"2026-04-17T08:57:37Z","description":"Enterprise-grade AI Agent Skills for software development, DevOps, SRE, security, and product teams. Compatible with Claude Code, Cursor, Windsurf, Gemini CLI, GitHub Copilot, and 30+ AI coding agents.","skill_md_sha":"760cddb47fc3dca754c8ca90ca108bfaaee6815d","skill_md_path":"skills/terraform-audit/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/addxai/enterprise-harness-engineering/tree/main/skills/terraform-audit"},"layout":"multi","source":"github","category":"enterprise-harness-engineering","frontmatter":{"name":"terraform-audit","description":"Audit Terraform codebases for security, cost, code quality, and architecture issues. Use when reviewing Terraform projects, checking infrastructure-as-code compliance, or assessing AWS resource configurations for best practices."},"skills_sh_url":"https://skills.sh/addxai/enterprise-harness-engineering/terraform-audit"},"updatedAt":"2026-04-22T01:02:13.019Z"}}