MCP HubMCP Hub
Back to Skills

provision-infrastructure-terraform

pjt222
Updated 2 days ago
4 views
17
2
17
View on GitHub
Developmentautomation

About

This skill enables developers to provision and manage cloud infrastructure using Terraform's declarative IaC approach. It supports key features like HCL modules, remote state backends, and plan/apply workflows for team collaboration. Use it to replace manual ClickOps, manage multi-environment infrastructure, and enforce standards through reusable modules.

Quick Install

Claude Code

Recommended
Primary
npx skills add pjt222/agent-almanac -a claude-code
Plugin CommandAlternative
/plugin add https://github.com/pjt222/agent-almanac
Git CloneAlternative
git clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/provision-infrastructure-terraform

Copy and paste this command in Claude Code to install this skill

Documentation

Provision Infrastructure with Terraform

IaC via Terraform → provision, version, manage cloud resources across AWS, Azure, GCP, other providers.

Use When

  • New cloud infra (VPCs, compute, storage, DBs)
  • Migrate ClickOps/CloudFormation → declarative IaC
  • Multi-env infra (dev, staging, prod)
  • Reproducible infra patterns across teams
  • Version infra changes w/ app code
  • Enforce infra standards via reusable modules

In

  • Required: Terraform CLI installed (terraform --version)
  • Required: Cloud provider creds (AWS, Azure, GCP service accounts)
  • Required: Remote state backend config (S3, Azure Storage, Terraform Cloud)
  • Optional: Existing infra to import or migrate
  • Optional: Terraform Cloud/Enterprise for team collab
  • Optional: Pre-commit hooks for validation + formatting

Do

See Extended Examples for complete config files + templates.

Step 1: Init Terraform Project Structure

Organized dir structure w/ backend config + provider setup.

# Create project structure
mkdir -p terraform/{modules,environments/{dev,staging,prod}}
cd terraform

# Create backend configuration
cat > backend.tf <<'EOF'
terraform {
  required_version = ">= 1.6"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }

  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "infrastructure/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-lock"

    # Workspace-specific state files
    workspace_key_prefix = "env"
  }
}

provider "aws" {
  region = var.aws_region

  default_tags {
    tags = {
      ManagedBy   = "Terraform"
      Environment = terraform.workspace
      Project     = var.project_name
    }
  }
}
EOF

# Create variables file
cat > variables.tf <<'EOF'
variable "aws_region" {
  description = "AWS region for resources"
  type        = string
  default     = "us-east-1"
}

variable "project_name" {
  description = "Project name for resource naming and tagging"
  type        = string
  validation {
    condition     = length(var.project_name) > 0 && length(var.project_name) <= 32
    error_message = "Project name must be 1-32 characters"
  }
}

variable "environment" {
  description = "Environment name (dev, staging, prod)"
  type        = string
  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "Environment must be dev, staging, or prod"
  }
}
EOF

# Initialize Terraform
terraform init

→ Terraform inits successfully, downloads provider plugins, configs remote backend. .terraform/ w/ provider binaries. State backend connection verified.

If err: backend init fails → verify S3 bucket exists + IAM perms allow s3:GetObject, s3:PutObject, dynamodb:GetItem, dynamodb:PutItem. Provider download fails → check network + corporate proxy. terraform init -upgrade to update.

Step 2: Create Reusable Infra Modules

Composable modules for VPC, compute, data infra w/ input validation.

# modules/vpc/main.tf
variable "vpc_cidr" {
  description = "CIDR block for VPC"
  type        = string
  default     = "10.0.0.0/16"
}

variable "availability_zones" {
  description = "List of AZs to use"
  type        = list(string)
}

variable "project_name" {
  description = "Project name for resource naming"
  type        = string
}

variable "environment" {
  description = "Environment name"
  type        = string
}

locals {
  common_tags = {
    Project     = var.project_name
    Environment = var.environment
    Module      = "vpc"
  }
}

resource "aws_vpc" "main" {
  cidr_block           = var.vpc_cidr
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = merge(local.common_tags, {
    Name = "${var.project_name}-${var.environment}-vpc"
  })
}

resource "aws_subnet" "public" {
  count             = length(var.availability_zones)
  vpc_id            = aws_vpc.main.id
  cidr_block        = cidrsubnet(var.vpc_cidr, 8, count.index)
  availability_zone = var.availability_zones[count.index]

  map_public_ip_on_launch = true

  tags = merge(local.common_tags, {
    Name = "${var.project_name}-${var.environment}-public-${var.availability_zones[count.index]}"
    Type = "public"
  })
}

resource "aws_subnet" "private" {
  count             = length(var.availability_zones)
  vpc_id            = aws_vpc.main.id
  cidr_block        = cidrsubnet(var.vpc_cidr, 8, count.index + 100)
  availability_zone = var.availability_zones[count.index]

  tags = merge(local.common_tags, {
    Name = "${var.project_name}-${var.environment}-private-${var.availability_zones[count.index]}"
    Type = "private"
  })
}

resource "aws_internet_gateway" "main" {
  vpc_id = aws_vpc.main.id

  tags = merge(local.common_tags, {
    Name = "${var.project_name}-${var.environment}-igw"
  })
}

resource "aws_eip" "nat" {
  count  = length(var.availability_zones)
  domain = "vpc"

  tags = merge(local.common_tags, {
    Name = "${var.project_name}-${var.environment}-nat-eip-${var.availability_zones[count.index]}"
  })

  depends_on = [aws_internet_gateway.main]
}

resource "aws_nat_gateway" "main" {
  count         = length(var.availability_zones)
  allocation_id = aws_eip.nat[count.index].id
  subnet_id     = aws_subnet.public[count.index].id

  tags = merge(local.common_tags, {
    Name = "${var.project_name}-${var.environment}-nat-${var.availability_zones[count.index]}"
  })

  depends_on = [aws_internet_gateway.main]
}

# modules/vpc/outputs.tf
output "vpc_id" {
  description = "VPC ID"
  value       = aws_vpc.main.id
}

output "public_subnet_ids" {
  description = "List of public subnet IDs"
  value       = aws_subnet.public[*].id
}

output "private_subnet_ids" {
  description = "List of private subnet IDs"
  value       = aws_subnet.private[*].id
}

output "nat_gateway_ips" {
  description = "List of NAT Gateway public IPs"
  value       = aws_eip.nat[*].public_ip
}

→ Module creates VPC w/ public/private subnets across AZs, IGW, NAT GWs w/ EIPs. Outputs expose resource IDs for downstream modules.

If err: CIDR overlap → adjust cidrsubnet() calc or validate VPC CIDR doesn't conflict. Dependency errors → verify depends_on ensures proper creation order. terraform graph | dot -Tpng > graph.png to viz.

Step 3: Implement Env-Specific Configs

Env workspaces w/ var overrides + data sources.

# environments/prod/main.tf
terraform {
  required_version = ">= 1.6"
}

# Import shared backend and provider config
# ... (see EXAMPLES.md for complete configuration)

→ Env-specific config creates prod-sized infra w/ 3 AZs, larger instance types, prod security. Data sources resolve latest AMI. Templates render w/ env vars.

If err: workspace errors → terraform workspace new prod. Data source fails → verify AWS creds have ec2:DescribeImages perms. Template rendering errors → validate var types match template expectations.

Step 4: Execute Plan + Apply Workflow

Run plan, review changes, apply w/ approval.

# Format code
terraform fmt -recursive

# Validate configuration
terraform validate

# ... (see EXAMPLES.md for complete configuration)

CI/CD integration:

# .github/workflows/terraform.yml
name: Terraform

on:
  pull_request:
    paths:
# ... (see EXAMPLES.md for complete configuration)

→ Plan shows resource additions/changes/deletions. No drift detected. Apply creates/updates w/o errors. Outputs contain expected values. CI workflow comments plan on PRs, auto-applies on main merges.

If err: plan fails → terraform validate for syntax. State lock errors → identify holder via aws dynamodb get-item --table-name terraform-lock --key '{"LockID":{"S":"terraform-state-bucket/key"}}', force-unlock if stale. Apply fails → check CloudWatch for provider errors. terraform show to inspect current state.

Step 5: Manage State + Drift Detection

State locking, backup, automated drift detection.

# Create DynamoDB table for state locking
cat > state-backend.tf <<'EOF'
resource "aws_dynamodb_table" "terraform_lock" {
  name           = "terraform-lock"
  billing_mode   = "PAY_PER_REQUEST"
  hash_key       = "LockID"
# ... (see EXAMPLES.md for complete configuration)

Auto drift detection:

# Create drift detection script
cat > scripts/detect-drift.sh <<'EOF'
#!/bin/bash
set -euo pipefail

cd terraform
# ... (see EXAMPLES.md for complete configuration)

→ State backend w/ versioning + encryption. Drift detection IDs out-of-band changes. State ops (list, show, mv, import) w/o errors. Auto drift checks on schedule + alerts.

If err: state lock timeouts → verify DynamoDB table exists w/ correct key schema. Versioning issues → check S3 versioning via aws s3api get-bucket-versioning --bucket bucket-name. Import fails → verify resource exists + Terraform config matches actual attributes.

Step 6: Module Testing + Documentation

Auto tests w/ Terratest + generate docs.

// test/vpc_test.go
package test

import (
    "testing"

# ... (see EXAMPLES.md for complete configuration)

Generate docs:

# Install terraform-docs
go install github.com/terraform-docs/terraform-docs@latest

# Generate module documentation
terraform-docs markdown table modules/vpc > modules/vpc/README.md

# ... (see EXAMPLES.md for complete configuration)

→ Terratest validates module creates expected resources w/ correct config. Docs auto-gen from var descriptions + outputs. Pre-commit hooks enforce formatting + validation.

If err: Terratest fails → check AWS creds + quotas. Long tests → parallel via t.Parallel(). Doc gen errors → verify all vars have description. Pre-commit fails → manually terraform fmt + fix validation.

Check

  • Backend w/ encryption, versioning, state locking
  • All modules have input validation + outputs
  • Workspaces isolate env-specific state
  • terraform plan shows no unexpected changes after apply
  • Drift detection auto runs + alerts
  • Modules tested w/ Terratest or similar
  • Docs auto-gen + up-to-date
  • Secrets via AWS Secrets Manager, not hardcoded
  • Cost estimation integrated (Infracost or similar)
  • Blast radius min w/ separate state per env

Traps

  • Hardcoded values: Avoid AMI IDs, AZs, account-specific. Use data sources + vars.
  • Missing lifecycle blocks: Resources recreate unexpectedly. Add lifecycle { create_before_destroy = true } → prevent downtime during updates.
  • No state locking: Concurrent applies corrupt state. Always DynamoDB for locking w/ S3 backend.
  • Overly permissive IAM: Terraform service account full admin. Implement least-privilege scoped to managed resources.
  • No version constraints: Provider updates break infra. Pin via version = "~> 5.0" constraints.
  • Secrets in state: Sensitive values plaintext in state. Use sensitive = true on outputs, store in AWS Secrets Manager, ref via data sources.
  • No backup strategy: State file lost/corrupted, no recovery plan. Enable S3 versioning, regular backups, test recovery.
  • Monolithic config: Single state file manages everything. Split into logical boundaries (networking, compute, data) → reduce blast radius.

  • configure-git-repository — version control for Terraform code
  • build-ci-cd-pipeline — automated Terraform workflows w/ GitHub Actions
  • implement-gitops-workflow — ArgoCD/Flux integration w/ Terraform
  • manage-kubernetes-secrets — secrets mgmt in Terraform-provisioned clusters
  • deploy-to-kubernetes — Terraform Kubernetes provider usage

GitHub Repository

pjt222/agent-almanac
Path: i18n/caveman-ultra/skills/provision-infrastructure-terraform
0
agentsagentskillsai-assisted-developmentclaude-codeskillsteams

Related Skills

qmd

Development

qmd is a local search and indexing CLI tool that enables developers to index and search through local files using hybrid search combining BM25, vector embeddings, and reranking. It supports both command-line usage and MCP (Model Context Protocol) mode for integration with Claude. The tool uses Ollama for embeddings and stores indexes locally, making it ideal for searching documentation or codebases directly from the terminal.

View skill

subagent-driven-development

Development

This skill executes implementation plans by dispatching a fresh subagent for each independent task, with code review between tasks. It enables fast iteration while maintaining quality gates through this review process. Use it when working on mostly independent tasks within the same session to ensure continuous progress with built-in quality checks.

View skill

mcporter

Development

The mcporter skill enables developers to manage and call Model Context Protocol (MCP) servers directly from Claude. It provides commands to list available servers, call their tools with arguments, and handle authentication and daemon lifecycle. Use this skill for integrating and testing MCP server functionality in your development workflow.

View skill

adk-deployment-specialist

Development

This skill deploys and orchestrates Vertex AI ADK agents using A2A protocol, managing AgentCard discovery, task submission, and supporting tools like Code Execution Sandbox and Memory Bank. It enables building multi-agent systems with sequential, parallel, or loop orchestration patterns in Python, Java, or Go. Use it when asked to deploy ADK agents or orchestrate agent workflows on Google Cloud.

View skill