The Terraform Skill That Prevents
TerraShark is the open-source Terraform & OpenTofu skill for Claude Code. It diagnoses failure modes before generating code — eliminating hallucinations, secret exposure, identity churn, and blast-radius mistakes from your infrastructure.
$ claude "Create a multi-region S3 module"
❯ TerraShark activated
❯ Diagnosing failure modes...
⚠ Identity churn — for_each required
⚠ Secret exposure — encryption keys
✓ Blast radius — properly scoped
❯ Generating with guardrails...
✓ Plan complete — 0 hallucinations
Built to Fix How AI Writes Infrastructure Code
LLMs hallucinate extensively when generating Terraform. TerraShark teaches the model how to think about infrastructure problems through a structured 7-step diagnostic workflow.
Failure-Mode-First Diagnosis
Unlike traditional skills that dump examples, TerraShark diagnoses which failure modes apply to your specific task before generating any code.
7x More Token-Efficient
Empirically validated: only ~600 tokens for the core skill, with 18 granular reference files loaded on demand. No wasted context.
Anti-Hallucination Guardrails
Built-in checklists of known LLM mistakes for Terraform and OpenTofu. Catches errors like using count instead of for_each, missing moved blocks, and more.
Secret Exposure Prevention
Prevents secrets from leaking through state files, logs, default values, and CI artifacts. Includes rotation playbooks and workload identity patterns.
Structured Output Contracts
Every response includes assumptions, selected failure modes, remediation tradeoffs, validation plans, and rollback notes — fully auditable.
Production CI/CD Templates
Ready-to-use GitHub Actions, GitLab CI, and Atlantis templates with drift prevention, cost visibility, and policy gates baked in.
Every Terraform Pitfall, Diagnosed & Fixed
TerraShark identifies which failure modes apply to your task, then loads only the relevant guardrails. No wasted tokens, no missed risks.
Identity Churn
Resource addressing instability during refactors. Prevents destroy/create cycles with proper for_each usage and moved blocks.
- ✓ count vs for_each decision matrix
- ✓ Safe migration playbooks
- ✓ Index-based identity detection
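A check for the index-based identity problem described above, as an added example (not TerraShark's own code): it reads plan JSON in the shape produced by `terraform show -json` and reports count-indexed instances that the plan destroys or replaces. The sample plan and its resource names are constructed, and the "more than one instance" rule is a heuristic assumed here.

```python
import json
import sys

# Constructed sample, trimmed to the fields used here, in the shape of
# `terraform show -json <planfile>`. It models removing the middle element
# of a list that drives `count`: every later index shifts.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs[0]", "index": 0,
     "change": {"actions": ["no-op"]}},
    {"address": "aws_s3_bucket.logs[1]", "index": 1,
     "change": {"actions": ["delete", "create"]}},
    {"address": "aws_s3_bucket.logs[2]", "index": 2,
     "change": {"actions": ["delete"]}},
    {"address": 'aws_s3_bucket.assets["eu"]', "index": "eu",
     "change": {"actions": ["delete"]}},
    {"address": "aws_nat_gateway.optional[0]", "index": 0,
     "change": {"actions": ["delete"]}},
    {"address": "aws_kms_key.main", "change": {"actions": ["update"]}},
]}


def find_index_churn(plan):
    """Map each count-based resource to the instances the plan destroys."""
    instances = {}
    for rc in plan.get("resource_changes", []):
        index = rc.get("index")
        # count instances carry an integer index; for_each instances carry a
        # string key; single resources have no "index" field.
        if isinstance(index, bool) or not isinstance(index, int):
            continue
        resource = rc["address"].rsplit("[", 1)[0]
        actions = rc.get("change", {}).get("actions", [])
        instances.setdefault(resource, []).append((rc["address"], actions))
    findings = {}
    for resource, items in instances.items():
        # "delete" covers a plain destroy and both replace orderings.
        destroyed = [addr for addr, actions in items if "delete" in actions]
        # A lone [0] being destroyed is usually a `count = cond ? 1 : 0`
        # toggle, so only resources with several instances are reported.
        if destroyed and len(items) > 1:
            findings[resource] = destroyed
    return findings


if __name__ == "__main__":
    # Pass a plan JSON path to check a real plan; otherwise use the sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    churn = find_index_churn(plan)
    for resource, addrs in churn.items():
        print(f"{resource}: count-indexed instances destroyed: {', '.join(addrs)}")
    sys.exit(1 if churn else 0)
```

A hit is a cue to move the resource to for_each and add moved blocks before the plan is applied.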
Secret Exposure
Secrets leaking through state, logs, defaults, and artifacts. Ensures secrets stay out of version control and plan outputs.
- ✓ sensitive vs write_only guidance
- ✓ External secret manager patterns
- ✓ Rotation playbooks
Blast Radius
Oversized stacks with weak boundaries. Enforces proper ownership, change cadence, and recovery boundaries.
- ✓ Boundary model enforcement
- ✓ Environment separation
- ✓ State isolation rules
CI Drift
Version mismatches, unreviewed applies, and missing artifacts across your delivery pipeline.
- ✓ GitHub Actions templates
- ✓ GitLab CI templates
- ✓ Drift prevention baseline
Compliance Gaps
Missing policies, approvals, and audit controls for frameworks like SOC 2, ISO 27001, FedRAMP, and HIPAA.
- ✓ Framework-specific gate mappings
- ✓ Policy-as-code patterns
- ✓ Risk-classed approval models
A 6-Step Diagnostic Workflow
Instead of guessing, TerraShark follows a structured process based on HashiCorp's official best practices to produce safe, auditable Terraform code.
Capture Context
Documents your runtime, Terraform version, providers, backend, execution path, and risk level.
Diagnose Failure Modes
Identifies which of the 5 failure modes — identity churn, secret exposure, blast radius, CI drift, compliance gaps — apply to your task.
Load Targeted References
Pulls only the relevant guardrails from 18 focused reference files. No token waste.
Propose Fix Path
Suggests implementation with risk notes, required approvals, test plans, and rollback expectations.
Generate Artifacts
Produces HCL changes, migration blocks, CI/policy updates, and compliance documentation.
Validate & Deliver
Runs validation sequences, then delivers a complete output contract with assumptions, tradeoffs, and recovery notes.
Get Started in 30 Seconds
Three ways to install TerraShark — the Terraform & OpenTofu skill for Claude Code and Codex.
Option 1: Clone to Skills Directory
Auto-discovered by Claude Code on every session. No restart needed.
Bash:
git clone https://github.com/LukasNiessen/terrashark.git \
  ~/.claude/skills/terrashark
PowerShell:
git clone https://github.com/LukasNiessen/terrashark.git `
  "$env:USERPROFILE\.claude\skills\terrashark"
Option 2: Marketplace (Claude Code)
Use the built-in plugin marketplace. Add the repo, then install. Or use the interactive plugin manager with /plugin and the Discover tab.
/plugin marketplace add LukasNiessen/terrashark
/plugin install terrashark
Option 3: OpenAI Codex
Codex has no global skill system. Clone into your project root, then reference it from your AGENTS.md.
git clone https://github.com/LukasNiessen/terrashark.git .terrashark

## Terraform
When working with Terraform or OpenTofu, follow the workflow
in `.terrashark/SKILL.md`.
Load references from `.terrashark/references/` as needed.

Once installed, just ask any Terraform or OpenTofu question naturally. TerraShark activates automatically — or invoke it explicitly:
$ claude "/terrashark Create a multi-region S3 module with replication"