Babysitter terraform-analyzer

Specialized skill for analyzing Terraform configurations. Supports parsing, security scanning (tfsec, checkov), cost estimation (infracost), drift detection, and plan visualization across AWS, Azure, and GCP.

install

source · Clone the upstream repo

git clone https://github.com/a5c-ai/babysitter

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/a5c-ai/babysitter "$T" && mkdir -p ~/.claude/skills && cp -r "$T/library/specializations/software-architecture/skills/terraform-analyzer" ~/.claude/skills/a5c-ai-babysitter-terraform-analyzer && rm -rf "$T"

manifest: library/specializations/software-architecture/skills/terraform-analyzer/SKILL.md

terraform-analyzer

You are terraform-analyzer - a specialized skill for analyzing Terraform configurations and Infrastructure as Code. This skill enables AI-powered infrastructure analysis for security, cost, and compliance.

Overview

This skill enables comprehensive Terraform analysis including:

Parse and validate Terraform configurations
Security scanning with tfsec, checkov, terrascan
Cost estimation with infracost
Drift detection between state and actual
Plan visualization and change analysis
Support for AWS, Azure, GCP providers

Prerequisites

Terraform CLI (v1.0+) installed
Optional: tfsec, checkov, terrascan, infracost
Provider credentials for plan/apply

Capabilities

1. Terraform Configuration Parsing

Parse and analyze Terraform configurations:

# Example configuration being analyzed
resource "aws_instance" "web" {
  ami           = var.ami_id
  instance_type = var.instance_type

  vpc_security_group_ids = [aws_security_group.web.id]
  subnet_id              = aws_subnet.private.id

  root_block_device {
    volume_size = 100
    volume_type = "gp3"
    encrypted   = true
  }

  tags = {
    Name        = "web-server"
    Environment = var.environment
  }
}

resource "aws_security_group" "web" {
  name        = "web-sg"
  description = "Security group for web servers"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  # Security finding: open to world
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

2. Security Scanning

tfsec Analysis

# Run tfsec security scan
tfsec . --format json --out tfsec-report.json

# Example findings
{
  "results": [
    {
      "rule_id": "aws-vpc-no-public-ingress-sgr",
      "severity": "CRITICAL",
      "description": "Security group rule allows ingress from public internet",
      "resource": "aws_security_group.web",
      "location": {
        "filename": "security.tf",
        "start_line": 15
      },
      "resolution": "Restrict ingress to specific CIDR blocks"
    }
  ]
}

Checkov Analysis

# Run Checkov security and compliance scan
checkov -d . --output json > checkov-report.json

# Example findings
{
  "passed": 45,
  "failed": 3,
  "skipped": 0,
  "results": {
    "failed_checks": [
      {
        "check_id": "CKV_AWS_23",
        "check_name": "Ensure every security groups rule has a description",
        "resource": "aws_security_group.web",
        "guideline": "https://docs.bridgecrew.io/docs/..."
      },
      {
        "check_id": "CKV_AWS_24",
        "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22",
        "resource": "aws_security_group.web"
      }
    ]
  }
}

Terrascan Analysis

# Run Terrascan policy scan
terrascan scan -d . -o json > terrascan-report.json

3. Cost Estimation

Using Infracost for cost analysis:

# Generate cost breakdown
infracost breakdown --path . --format json > cost-report.json

# Example output
{
  "version": "0.2",
  "currency": "USD",
  "projects": [
    {
      "name": "production",
      "breakdown": {
        "resources": [
          {
            "name": "aws_instance.web",
            "monthlyQuantity": 730,
            "unit": "hours",
            "hourlyRate": "0.0416",
            "monthlyCost": "30.37"
          },
          {
            "name": "aws_ebs_volume.data",
            "monthlyQuantity": 100,
            "unit": "GB",
            "monthlyCost": "10.00"
          }
        ],
        "totalMonthlyCost": "540.37",
        "totalHourlyCost": "0.74"
      }
    }
  ],
  "totalMonthlyCost": "540.37"
}

4. Drift Detection

Detect configuration drift:

# Refresh and check for drift
terraform plan -refresh-only -json > drift-report.json

# Example drift detection
{
  "resource_drift": [
    {
      "resource": "aws_instance.web",
      "address": "aws_instance.web",
      "changes": {
        "before": {
          "instance_type": "t3.medium"
        },
        "after": {
          "instance_type": "t3.large"
        },
        "drift_reason": "Manual change via console"
      }
    }
  ],
  "summary": {
    "total_resources": 45,
    "drifted_resources": 1,
    "unchanged_resources": 44
  }
}

5. Plan Visualization

Analyze and visualize Terraform plans:

# Generate plan
terraform plan -out=tfplan
terraform show -json tfplan > plan.json

# Plan analysis output
{
  "format_version": "1.0",
  "resource_changes": [
    {
      "address": "aws_instance.web",
      "mode": "managed",
      "type": "aws_instance",
      "name": "web",
      "change": {
        "actions": ["update"],
        "before": {
          "instance_type": "t3.small"
        },
        "after": {
          "instance_type": "t3.medium"
        }
      }
    }
  ],
  "summary": {
    "add": 2,
    "change": 1,
    "destroy": 0
  }
}

6. Module Analysis

Analyze Terraform module structure:

// Module dependency analysis
{
  "modules": {
    "root": {
      "path": ".",
      "source": "local",
      "version": null,
      "dependencies": ["./modules/vpc", "./modules/compute"]
    },
    "vpc": {
      "path": "./modules/vpc",
      "source": "local",
      "resources": ["aws_vpc", "aws_subnet", "aws_route_table"]
    },
    "compute": {
      "path": "./modules/compute",
      "source": "local",
      "resources": ["aws_instance", "aws_autoscaling_group"],
      "depends_on": ["vpc"]
    }
  },
  "external_modules": [
    {
      "source": "terraform-aws-modules/vpc/aws",
      "version": "5.0.0",
      "registry": "registry.terraform.io"
    }
  ]
}

7. Compliance Checking

Check compliance with organizational policies:

# Policy definition
policies:
  - name: require-encryption
    description: All storage must be encrypted
    resource_types: [aws_ebs_volume, aws_rds_instance, aws_s3_bucket]
    rules:
      - attribute: encrypted
        value: true
      - attribute: storage_encrypted
        value: true

  - name: require-tags
    description: All resources must have required tags
    rules:
      - attribute: tags
        contains: [Environment, Owner, CostCenter]

  - name: restrict-instance-types
    description: Only allow approved instance types
    resource_types: [aws_instance]
    rules:
      - attribute: instance_type
        allowed_values: [t3.micro, t3.small, t3.medium, t3.large]

MCP Server Integration

This skill can leverage the following MCP servers:

Server	Description	Installation
Terraform MCP Server (HashiCorp)	Official Terraform Registry integration	GitHub
AWS Terraform MCP Server	Terraform with Checkov and AWS best practices	AWS Labs

Best Practices

Security Scanning Workflow

workflow:
  pre_commit:
    - terraform fmt -check
    - terraform validate
    - tfsec --minimum-severity HIGH

  ci_pipeline:
    - terraform init
    - terraform validate
    - tfsec --format sarif
    - checkov -d . --output sarif
    - infracost breakdown --path .

  pre_deploy:
    - terraform plan -out=tfplan
    - infracost diff --path tfplan
    - manual_review_required: true

Recommended Thresholds

security_thresholds:
  tfsec:
    max_critical: 0
    max_high: 0
    max_medium: 5
  checkov:
    min_passed_percentage: 90
  infracost:
    max_monthly_increase_percentage: 20
    require_approval_above: 1000  # USD

Process Integration

This skill integrates with the following processes:

```
iac-review.js
```
- Primary IaC analysis workflow
```
cloud-architecture-design.js
```
- Architecture validation
```
devops-architecture-alignment.js
```
- DevOps integration

Output Format

When analyzing configurations, provide structured output:

{
  "operation": "analyze",
  "status": "completed",
  "configuration": {
    "path": "./infrastructure",
    "provider": "aws",
    "resources": 45,
    "modules": 5
  },
  "security": {
    "tool": "tfsec",
    "findings": {
      "critical": 0,
      "high": 2,
      "medium": 5,
      "low": 8
    },
    "passed": true,
    "threshold_exceeded": false
  },
  "compliance": {
    "tool": "checkov",
    "passed": 42,
    "failed": 3,
    "skipped": 0,
    "passed_percentage": 93.3
  },
  "cost": {
    "tool": "infracost",
    "monthly_estimate": "$540.37",
    "hourly_estimate": "$0.74",
    "change_from_baseline": "+$45.00"
  },
  "drift": {
    "detected": true,
    "resources_drifted": 1,
    "total_resources": 45
  },
  "artifacts": [
    "tfsec-report.json",
    "checkov-report.json",
    "cost-report.json"
  ],
  "recommendations": [
    {
      "priority": "high",
      "category": "security",
      "description": "Restrict security group ingress rules",
      "resource": "aws_security_group.web"
    }
  ]
}

Error Handling

Common Errors

Error	Cause	Resolution
`Provider not configured`	Missing credentials	Configure provider credentials
`Module not found`	Invalid source path	Check module source configuration
`State lock error`	Concurrent access	Wait or force unlock
`Validation failed`	Invalid HCL syntax	Fix syntax errors

Constraints

Run security scans on every change
Require cost estimation for production
Block deployments with critical findings
Document all policy exceptions
Review drift reports regularly