Skip to main content
ClaudeWave
Skill292 repo starsupdated 20d ago

terrashark

Terrashark is a failure-mode diagnostic workflow for Terraform and OpenTofu that systematically prevents hallucinations by identifying and fixing five categories of IaC risks: identity churn, secret exposure, blast radius, CI drift, and compliance gate gaps. Use it when generating, reviewing, refactoring, or migrating infrastructure code, and when constructing delivery pipelines and testing frameworks to ensure safe, compliant, and reproducible deployments across runtime environments.

View sourceRepository: terrashark
Install in Claude Code
Copy
git clone https://github.com/LukasNiessen/terrashark ~/.claude/skills/terrashark
Then start a new Claude Code session; the skill loads automatically.
Definition

SKILL.md

# Terrashark: Failure-Mode Workflow for Terraform/OpenTofu

Run this workflow top to bottom.

## 1) Capture execution context

Record before writing code:
- runtime (`terraform` or `tofu`) and exact version
- provider(s), target platform, and state backend
- execution path (local CLI, CI, HCP Terraform/TFE, Atlantis)
- environment criticality (dev/shared/prod)

If unknown, state assumptions explicitly.

## 2) Diagnose likely failure mode(s)

Select one or more based on user intent and risk:
- identity churn: resource addressing instability, refactor breakage
- secret exposure: secrets in state, logs, defaults, artifacts
- blast radius: oversized stacks, weak boundaries, unsafe applies
- CI drift: version mismatch, unreviewed applies, missing artifacts
- compliance gate gaps: missing policies/approvals/audit controls

## 3) Load only the relevant reference file(s)

Primary references:
- `references/identity-churn.md`
- `references/secret-exposure.md`
- `references/blast-radius.md`
- `references/ci-drift.md`
- `references/compliance-gates.md`

Supplemental references (only when needed):
- `references/testing-matrix.md`
- `references/quick-ops.md`
- `references/examples-good.md`
- `references/examples-bad.md`
- `references/examples-neutral.md`
- `references/coding-standards.md`
- `references/module-architecture.md`
- `references/ci-delivery-patterns.md`
- `references/security-and-governance.md`
- `references/do-dont-patterns.md`
- `references/mcp-integration.md`

Conditional references (CRR; load only on detected signals):
- `references/conditional/backend-state-safety.md` (backend is `s3`, `azurerm`, `gcs`, `remote`, `cloud`, `pg`, `consul`, or `local`, or task mentions backend migration, locking, state backup, or restore)
- `references/conditional/trusted-modules.md` (provider is `aws`, `azurerm`, `google`, `oci`, or `ibm`)

Do not load multiple conditional references unless the task spans multiple detected backends, providers, or tools.

## 4) Propose fix path with explicit risk controls

For each fix, include:
- why this addresses the failure mode
- what could still go wrong
- guardrails (tests, approvals, rollback)

## 5) Generate implementation artifacts

When applicable, output:
- HCL changes (typed vars, stable keys, bounded versions)
- migration blocks (`moved`, import strategy)
- CI pipeline updates (plan/apply separation, artifacts, policy checks)
- compliance controls (approvals, policy rules, evidence paths)

When a trusted registry module covers the requested resource and the user has not asked for raw HCL, default to that module with an exact `version` pin (see `references/conditional/trusted-modules.md`).

## 6) Validate before finalize

Always provide command sequence tailored to runtime and risk tier.
Never recommend direct production apply without reviewed plan and approval.

## 7) Output contract

Return:
- assumptions and version floor
- selected failure mode(s)
- chosen remediation and tradeoffs
- validation/test plan
- rollback/recovery notes for destructive-impact changes