--- name: terraform-generator description: Generate Terraform configurations for cloud infrastructure. Includes AWS, GCP, Azure modules and best practices for IaC. --- # Terraform Generator Infrastructure as Code generation for AWS, GCP, and Azure with Terraform best practices. ## Overview This skill provides: - Terraform module generation - Provider-specific configurations - Best practice templates - State management setup - CI/CD integration ## Quick Start ### Project Structure ``` terraform/ ├── environments/ │ ├── dev/ │ │ ├── main.tf │ │ ├── variables.tf │ │ └── terraform.tfvars │ ├── staging/ │ └── production/ ├── modules/ │ ├── vpc/ │ ├── eks/ │ ├── rds/ │ └── s3/ ├── main.tf ├── variables.tf ├── outputs.tf ├── providers.tf ├── versions.tf └── backend.tf ``` ## Module Templates ### 1. VPC Module ```hcl # modules/vpc/main.tf variable "name" { description = "Name prefix for resources" type = string } variable "cidr" { description = "VPC CIDR block" type = string default = "10.0.0.0/16" } variable "azs" { description = "Availability zones" type = list(string) } variable "private_subnets" { description = "Private subnet CIDR blocks" type = list(string) } variable "public_subnets" { description = "Public subnet CIDR blocks" type = list(string) } variable "enable_nat_gateway" { description = "Enable NAT Gateway" type = bool default = true } variable "single_nat_gateway" { description = "Use single NAT Gateway" type = bool default = false } variable "tags" { description = "Tags to apply to resources" type = map(string) default = {} } # VPC resource "aws_vpc" "main" { cidr_block = var.cidr enable_dns_hostnames = true enable_dns_support = true tags = merge(var.tags, { Name = "${var.name}-vpc" }) } # Internet Gateway resource "aws_internet_gateway" "main" { vpc_id = aws_vpc.main.id tags = merge(var.tags, { Name = "${var.name}-igw" }) } # Public Subnets resource "aws_subnet" "public" { count = length(var.public_subnets) vpc_id = aws_vpc.main.id cidr_block = var.public_subnets[count.index] availability_zone = var.azs[count.index] map_public_ip_on_launch = true tags = merge(var.tags, { Name = "${var.name}-public-${var.azs[count.index]}" Type = "public" }) } # Private Subnets resource "aws_subnet" "private" { count = length(var.private_subnets) vpc_id = aws_vpc.main.id cidr_block = var.private_subnets[count.index] availability_zone = var.azs[count.index] tags = merge(var.tags, { Name = "${var.name}-private-${var.azs[count.index]}" Type = "private" }) } # NAT Gateway resource "aws_eip" "nat" { count = var.enable_nat_gateway ? (var.single_nat_gateway ? 1 : length(var.azs)) : 0 domain = "vpc" tags = merge(var.tags, { Name = "${var.name}-nat-eip-${count.index + 1}" }) depends_on = [aws_internet_gateway.main] } resource "aws_nat_gateway" "main" { count = var.enable_nat_gateway ? (var.single_nat_gateway ? 1 : length(var.azs)) : 0 allocation_id = aws_eip.nat[count.index].id subnet_id = aws_subnet.public[count.index].id tags = merge(var.tags, { Name = "${var.name}-nat-${count.index + 1}" }) depends_on = [aws_internet_gateway.main] } # Route Tables resource "aws_route_table" "public" { vpc_id = aws_vpc.main.id route { cidr_block = "0.0.0.0/0" gateway_id = aws_internet_gateway.main.id } tags = merge(var.tags, { Name = "${var.name}-public-rt" }) } resource "aws_route_table" "private" { count = var.enable_nat_gateway ? (var.single_nat_gateway ? 1 : length(var.azs)) : 0 vpc_id = aws_vpc.main.id route { cidr_block = "0.0.0.0/0" nat_gateway_id = aws_nat_gateway.main[var.single_nat_gateway ? 0 : count.index].id } tags = merge(var.tags, { Name = "${var.name}-private-rt-${count.index + 1}" }) } # Route Table Associations resource "aws_route_table_association" "public" { count = length(var.public_subnets) subnet_id = aws_subnet.public[count.index].id route_table_id = aws_route_table.public.id } resource "aws_route_table_association" "private" { count = length(var.private_subnets) subnet_id = aws_subnet.private[count.index].id route_table_id = aws_route_table.private[var.single_nat_gateway ? 0 : count.index].id } # Outputs output "vpc_id" { description = "VPC ID" value = aws_vpc.main.id } output "vpc_cidr" { description = "VPC CIDR block" value = aws_vpc.main.cidr_block } output "public_subnet_ids" { description = "Public subnet IDs" value = aws_subnet.public[*].id } output "private_subnet_ids" { description = "Private subnet IDs" value = aws_subnet.private[*].id } ``` ### 2. EKS Module ```hcl # modules/eks/main.tf variable "name" { description = "Cluster name" type = string } variable "vpc_id" { description = "VPC ID" type = string } variable "subnet_ids" { description = "Subnet IDs for the cluster" type = list(string) } variable "kubernetes_version" { description = "Kubernetes version" type = string default = "1.28" } variable "node_groups" { description = "Node group configurations" type = map(object({ instance_types = list(string) capacity_type = string min_size = number max_size = number desired_size = number labels = map(string) taints = list(object({ key = string value = string effect = string })) })) default = {} } variable "tags" { description = "Tags for resources" type = map(string) default = {} } # IAM Role for EKS Cluster resource "aws_iam_role" "cluster" { name = "${var.name}-cluster-role" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [{ Action = "sts:AssumeRole" Effect = "Allow" Principal = { Service = "eks.amazonaws.com" } }] }) tags = var.tags } resource "aws_iam_role_policy_attachment" "cluster_policy" { policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" role = aws_iam_role.cluster.name } # EKS Cluster resource "aws_eks_cluster" "main" { name = var.name role_arn = aws_iam_role.cluster.arn version = var.kubernetes_version vpc_config { subnet_ids = var.subnet_ids endpoint_private_access = true endpoint_public_access = true } enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"] tags = var.tags depends_on = [aws_iam_role_policy_attachment.cluster_policy] } # IAM Role for Node Groups resource "aws_iam_role" "node" { name = "${var.name}-node-role" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [{ Action = "sts:AssumeRole" Effect = "Allow" Principal = { Service = "ec2.amazonaws.com" } }] }) tags = var.tags } resource "aws_iam_role_policy_attachment" "node_policies" { for_each = toset([ "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy", "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy", "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", ]) policy_arn = each.value role = aws_iam_role.node.name } # Node Groups resource "aws_eks_node_group" "main" { for_each = var.node_groups cluster_name = aws_eks_cluster.main.name node_group_name = each.key node_role_arn = aws_iam_role.node.arn subnet_ids = var.subnet_ids instance_types = each.value.instance_types capacity_type = each.value.capacity_type scaling_config { min_size = each.value.min_size max_size = each.value.max_size desired_size = each.value.desired_size } labels = each.value.labels dynamic "taint" { for_each = each.value.taints content { key = taint.value.key value = taint.value.value effect = taint.value.effect } } update_config { max_unavailable_percentage = 25 } tags = var.tags depends_on = [aws_iam_role_policy_attachment.node_policies] } # Outputs output "cluster_endpoint" { description = "EKS cluster endpoint" value = aws_eks_cluster.main.endpoint } output "cluster_ca_certificate" { description = "EKS cluster CA certificate" value = aws_eks_cluster.main.certificate_authority[0].data } output "cluster_name" { description = "EKS cluster name" value = aws_eks_cluster.main.name } ``` ### 3. RDS Module ```hcl # modules/rds/main.tf variable "name" { description = "Database identifier" type = string } variable "engine" { description = "Database engine" type = string default = "postgres" } variable "engine_version" { description = "Database engine version" type = string default = "15" } variable "instance_class" { description = "Instance class" type = string default = "db.t3.micro" } variable "allocated_storage" { description = "Allocated storage in GB" type = number default = 20 } variable "database_name" { description = "Database name" type = string } variable "username" { description = "Master username" type = string } variable "password" { description = "Master password" type = string sensitive = true } variable "vpc_id" { description = "VPC ID" type = string } variable "subnet_ids" { description = "Subnet IDs for DB subnet group" type = list(string) } variable "allowed_security_groups" { description = "Security group IDs allowed to access the database" type = list(string) default = [] } variable "multi_az" { description = "Enable Multi-AZ" type = bool default = false } variable "backup_retention_period" { description = "Backup retention period in days" type = number default = 7 } variable "tags" { description = "Tags for resources" type = map(string) default = {} } # Subnet Group resource "aws_db_subnet_group" "main" { name = "${var.name}-subnet-group" subnet_ids = var.subnet_ids tags = merge(var.tags, { Name = "${var.name}-subnet-group" }) } # Security Group resource "aws_security_group" "main" { name_prefix = "${var.name}-db-" vpc_id = var.vpc_id description = "Security group for ${var.name} RDS instance" ingress { from_port = 5432 to_port = 5432 protocol = "tcp" security_groups = var.allowed_security_groups description = "PostgreSQL access from allowed security groups" } egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } lifecycle { create_before_destroy = true } tags = var.tags } # RDS Instance resource "aws_db_instance" "main" { identifier = var.name engine = var.engine engine_version = var.engine_version instance_class = var.instance_class allocated_storage = var.allocated_storage max_allocated_storage = var.allocated_storage * 2 storage_type = "gp3" storage_encrypted = true db_name = var.database_name username = var.username password = var.password vpc_security_group_ids = [aws_security_group.main.id] db_subnet_group_name = aws_db_subnet_group.main.name multi_az = var.multi_az backup_retention_period = var.backup_retention_period backup_window = "03:00-04:00" maintenance_window = "sun:04:00-sun:05:00" skip_final_snapshot = true deletion_protection = false performance_insights_enabled = true tags = var.tags } # Outputs output "endpoint" { description = "RDS endpoint" value = aws_db_instance.main.endpoint } output "address" { description = "RDS address" value = aws_db_instance.main.address } output "port" { description = "RDS port" value = aws_db_instance.main.port } output "security_group_id" { description = "Security group ID" value = aws_security_group.main.id } ``` ## Generation Script ```python #!/usr/bin/env python3 """Generate Terraform configurations.""" import os from pathlib import Path from typing import Dict, List def generate_terraform_project( name: str, provider: str, modules: List[str], environments: List[str] = ["dev", "staging", "production"] ) -> Dict[str, str]: """Generate complete Terraform project structure.""" files = {} # versions.tf files["versions.tf"] = f'''terraform {{ required_version = ">= 1.0" required_providers {{ aws = {{ source = "hashicorp/aws" version = "~> 5.0" }} }} }} ''' # providers.tf files["providers.tf"] = f'''provider "aws" {{ region = var.region default_tags {{ tags = {{ Project = var.project_name Environment = var.environment ManagedBy = "terraform" }} }} }} ''' # backend.tf files["backend.tf"] = f'''terraform {{ backend "s3" {{ bucket = "{name}-terraform-state" key = "infrastructure/terraform.tfstate" region = "us-west-2" encrypt = true dynamodb_table = "{name}-terraform-locks" }} }} ''' # variables.tf files["variables.tf"] = '''variable "project_name" { description = "Project name" type = string } variable "environment" { description = "Environment (dev/staging/production)" type = string } variable "region" { description = "AWS region" type = string default = "us-west-2" } ''' # main.tf main_content = f'''# {name} Infrastructure locals {{ name = "${{var.project_name}}-${{var.environment}}" tags = {{ Project = var.project_name Environment = var.environment }} }} ''' if "vpc" in modules: main_content += '''module "vpc" { source = "./modules/vpc" name = local.name cidr = "10.0.0.0/16" azs = ["us-west-2a", "us-west-2b", "us-west-2c"] private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] enable_nat_gateway = true single_nat_gateway = var.environment != "production" tags = local.tags } ''' files["main.tf"] = main_content # Environment tfvars for env in environments: files[f"environments/{env}/terraform.tfvars"] = f'''project_name = "{name}" environment = "{env}" region = "us-west-2" ''' return files if __name__ == "__main__": import sys name = sys.argv[1] if len(sys.argv) > 1 else "myproject" files = generate_terraform_project( name=name, provider="aws", modules=["vpc", "eks", "rds"] ) for path, content in files.items(): full_path = Path(path) full_path.parent.mkdir(parents=True, exist_ok=True) full_path.write_text(content) print(f"Created: {path}") ``` ## Best Practices ### State Management - Use remote state (S3, GCS, Azure Blob) - Enable state locking - Use workspaces or directories for environments ### Security - Never commit secrets - Use variables for sensitive values - Enable encryption at rest ### Structure - Use modules for reusability - Separate environments - Keep resources small and focused