scombat/tf-base
Published on 6/11/2025
Terraform Rules

Best practices for writing, structuring, and securing Terraform code. This rule set enforces clean HCL syntax, encourages modular design, validates safe resource lifecycle handling, and ensures secure cloud configurations. It also includes AI-specific response formatting for automated agents.

Rules

Syntax & Structure
- Ensure code is valid HCL2 and correctly indented.
- Avoid hardcoded values; prefer variables and data sources.
- Avoid circular dependencies and unnecessary depends_on.

Provider & Modules
- Define providers explicitly, including aliases when used.
- Prefer modules for reusable infrastructure blocks.
- Use local modules when specificity makes generalization pointless.

Variables & Outputs
- Declare all used variables with description, type, and default if applicable.
- Include meaningful output blocks for downstream use.
- Mark sensitive outputs with sensitive = true.

Lifecycle & Safety
- Add prevent_destroy = true for critical resources when applicable.
- Use lifecycle rules and depends_on defensively, not by default.

IAM & Security
- Never generate policies with "Action": "*" unless explicitly requested.
- Respect the least-privilege principle in IAM definitions.
- Do not expose secrets or credentials in code or output.

Documentation & Naming
- Use consistent naming: project-env-role (e.g., app-prod-db).
- Add optional inline comments if documentation = true.
- Encourage documentation of module inputs and outputs.

Testing & Validation
- Suggest terraform validate and terraform plan after each change.
- Generate minimal examples/ blocks if relevant for modules.

AI Response Formatting
- If the user requests code only, return clean Terraform blocks without explanation.
- Never suggest destructive commands like terraform destroy without confirmation.
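As an added illustration (not part of the scombat/tf-base rule set), the following configuration applies the Variables & Outputs, Lifecycle & Safety and IAM & Security rules to one IAM policy: declared variables, a least-privilege policy document instead of "Action": "*", prevent_destroy on the critical resource, and an output for downstream use. The bucket name, policy name and actions are assumed placeholders.

```hcl
# Added example, not code from the rule set. Names are assumed placeholders
# following the project-env-role convention.

variable "log_bucket_name" {
  description = "S3 bucket the application writes its logs to"
  type        = string
  default     = "app-prod-logs"
}

# Least privilege: only the actions the log writer needs, scoped to one bucket.
# The IAM rule forbids the shortcut  actions = ["*"]  with  resources = ["*"].
data "aws_iam_policy_document" "log_writer" {
  statement {
    sid       = "WriteAppLogs"
    effect    = "Allow"
    actions   = ["s3:PutObject", "s3:AbortMultipartUpload"]
    resources = ["arn:aws:s3:::${var.log_bucket_name}/*"]
  }
  statement {
    sid       = "ListAppLogBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.log_bucket_name}"]
  }
}

resource "aws_iam_policy" "log_writer" {
  name   = "app-prod-log-writer"
  policy = data.aws_iam_policy_document.log_writer.json

  # Critical resource: a plan that would delete it errors out instead of applying.
  lifecycle {
    prevent_destroy = true
  }
}

# No credential is emitted here; only the ARN a downstream role attachment needs.
output "log_writer_policy_arn" {
  description = "ARN of the least-privilege log writer policy"
  value       = aws_iam_policy.log_writer.arn
}
```

Run terraform validate and terraform plan after editing it; the plan should show the policy document's two scoped statements and no wildcard actions.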