
feat: add terraform-modernize skill for ephemeral resources and write-only arguments#47

Open
garvitarai1 wants to merge 2 commits intohashicorp:mainfrom
garvitarai1:add-terraform-modernize-skill

Conversation

@garvitarai1

Summary

Adds a new terraform-modernize skill that helps modernize Terraform configurations to use ephemeral resources (Terraform 1.10+) and write-only arguments (Terraform 1.11+) for improved security and state management.

Motivation

As Terraform introduces new security features like ephemeral resources and write-only arguments, users need guidance on when and how to adopt them. This skill provides:

  • Automated detection of provider support via schema queries
  • Migration patterns for common scenarios (secrets, passwords, API keys)
  • Validation-first approach ensuring all transformations pass terraform validate
  • Security improvements by removing sensitive values from state files

Provider-Agnostic Design

This skill works with any Terraform provider, not just AWS:

  • Scripts query provider schemas dynamically via terraform providers schema -json
  • No hardcoded provider lists - automatically supports any provider that implements these features
  • Already documented support for: AWS, Azure, GCP, Random, TLS providers
  • Users can check any provider: ./check_ephemeral_support.sh <provider-name>

Examples use AWS for illustration since it has comprehensive support, but all workflows and patterns apply universally to any provider.

Key Features

1. Ephemeral Resources (Terraform 1.10+)

Replaces data sources with ephemeral resources for transient, sensitive data that shouldn't persist in state:

# BEFORE
data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "prod-db-password"
}

# AFTER
ephemeral "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "prod-db-password"
}

2. Write-only Arguments (Terraform 1.11+)

Uses arguments with the _wo suffix to accept sensitive values without storing them in state:

# BEFORE
resource "aws_db_instance" "main" {
  password = var.db_password  # Stored in state
}

# AFTER
resource "aws_db_instance" "main" {
  password_wo         = var.db_password  # Not stored in state
  password_wo_version = 1
}

3. Provider-Aware Detection

Includes scripts that query provider schemas to detect feature support:

  • check_ephemeral_support.sh - Lists ephemeral resources available in a provider
  • check_writeonly_support.sh - Lists write-only arguments available in a provider

Works with any provider: AWS, Azure, GCP, Random, TLS, and any future providers.
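The provider-aware detection described here, together with the two migration patterns in sections 1 and 2, as an added example in Python (not the skill's own shell/jq scripts): it resolves the provider key the way the script's grep "/${PROVIDER}$" does, reads the ephemeral_resource_schemas map and the per-attribute write_only flag from the JSON schema format of Terraform 1.10/1.11, and flags configuration blocks that could migrate. SAMPLE_SCHEMA is a constructed, hypothetical fragment in the shape of terraform providers schema -json output, not real provider output, and the config scanner is a simplified line-based scan rather than an HCL parser.

```python
import json
import re

# Constructed sample in the shape of `terraform providers schema -json` (hypothetical subset).
SAMPLE_SCHEMA = json.loads("""{
  "provider_schemas": {
    "registry.terraform.io/hashicorp/aws": {
      "resource_schemas": {"aws_db_instance": {"block": {"attributes": {
        "password": {"type": "string", "optional": true, "sensitive": true},
        "password_wo": {"type": "string", "optional": true, "write_only": true},
        "password_wo_version": {"type": "number", "optional": true}}}}},
      "ephemeral_resource_schemas": {"aws_secretsmanager_secret_version": {"block": {"attributes": {}}}}
    },
    "registry.terraform.io/hashicorp/random": {"resource_schemas": {}}
  }
}""")

def provider_key(schema, provider):
    """Resolve a short name ("aws") to its full key, like the script's grep "/${PROVIDER}$"."""
    hits = [k for k in schema["provider_schemas"] if k.endswith("/" + provider)]
    return hits[0] if hits else None

def ephemeral_resources(schema, provider):
    """Ephemeral resource types the provider offers; empty if absent or unsupported."""
    key = provider_key(schema, provider)
    return sorted(schema["provider_schemas"][key].get("ephemeral_resource_schemas", {})) if key else []

def write_only_arguments(schema, provider):
    """Map resource type -> attribute names flagged write_only in the schema."""
    key = provider_key(schema, provider)
    rschemas = schema["provider_schemas"][key].get("resource_schemas", {}) if key else {}
    wo = {r: sorted(a for a, s in rs.get("block", {}).get("attributes", {}).items() if s.get("write_only"))
          for r, rs in rschemas.items()}
    return {r: attrs for r, attrs in wo.items() if attrs}

def migration_candidates(schema, provider, config):
    """Flag data sources with an ephemeral equivalent and *_wo-capable arguments (line scan, not an HCL parser)."""
    eph = set(ephemeral_resources(schema, provider))
    wo = write_only_arguments(schema, provider)
    found = []
    for m in re.finditer(r'^data\s+"([^"]+)"\s+"([^"]+)"', config, re.M):
        if m.group(1) in eph:
            found.append(f'data.{m.group(1)}.{m.group(2)} -> ephemeral "{m.group(1)}"')
    blocks = re.finditer(r'^resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)^\}', config, re.M | re.S)
    for rtype, name, body in (b.groups() for b in blocks):
        for arg in re.findall(r'^\s*(\w+)\s*=', body, re.M):
            if arg + "_wo" in wo.get(rtype, []):
                found.append(f"{rtype}.{name}.{arg} -> {arg}_wo + {arg}_wo_version")
    return found
```

Run it against a real schema by replacing SAMPLE_SCHEMA with json.load() of the terraform providers schema -json output captured once per run, as the review discussion below suggests.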

Skill Structure

Following the Agent Skills specification:

  • SKILL.md (596 lines) - Main skill with frontmatter, workflows, and examples
  • scripts/ - Provider schema query scripts
  • references/ - Deep-dive documentation:
    • ephemeral-resources.md - Lifecycle, contexts, edge cases
    • write-only-arguments.md - Syntax, versioning, state behavior
    • ephemeral-contexts.md - Valid usage contexts
    • migration-patterns.md - 5 comprehensive migration patterns

Testing

  • ✅ Skill achieves 80% Tessl review score (Description: 75%, Content: 85%)
  • ✅ Scripts successfully detect AWS provider support
  • ✅ Test configuration validates migration patterns
  • ✅ All transformations pass terraform validate

Related Work

  • Links to version-upgrades skill for prerequisite Terraform/provider upgrades
  • Follows pattern established by terraform-search-import skill for provider queries
  • Complements existing terraform-query-import and refactor-module skills

🤖 Generated with Claude Code

…-only arguments

Add a new skill that helps modernize Terraform configurations to use:
- Ephemeral resources (Terraform 1.10+) for transient sensitive data
- Write-only arguments (Terraform 1.11+) to remove secrets from state

The skill includes:
- Main SKILL.md with workflows and migration patterns
- Scripts to check provider support for ephemeral and write-only features
- Comprehensive reference documentation
- 5 common migration patterns with before/after examples

Key features:
- Provider-aware: checks actual provider schema for feature support
- Validation-focused: emphasizes terraform validate at each step
- Security-first: shows how to eliminate secrets from state files
- Links to version-upgrades skill for prerequisites

Tested with AWS and Random providers. Achieves 80% Tessl review score.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@garvitarai1 garvitarai1 requested a review from a team as a code owner March 7, 2026 01:26
@hashicorp-cla-app

hashicorp-cla-app Bot commented Mar 7, 2026

CLA assistant check
All committers have signed the CLA.


@github-actions

github-actions Bot commented Mar 7, 2026

Tessl Skill Review Results

Skill: terraform/code-generation/skills/terraform-modernize
Status: PASSED
Review Score: 80%

Checks: frontmatter validity, required fields, body structure, examples, line count.
Review Score is informational — not used for pass/fail gating.

fi

# Get provider key
provider_key=$(terraform providers schema -json 2>/dev/null | jq -r '.provider_schemas | keys[]' | grep "/${PROVIDER}$" || true)
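Review bot: the "2>/dev/null || true" on the provider_key assignment hides why the lookup came back empty: an uninitialized working directory (terraform providers schema -json failing) and a provider that simply is not present in the schema both leave provider_key blank, and the script carries on as if the provider had no support. Suggest capturing the schema command output once into a variable, checking its exit status and exiting with a clear message on failure, and only then piping into jq and grep. Since keys[] can list more than one key ending in /${PROVIDER} (the same short name under different namespaces), also consider selecting the first match explicitly or reporting the ambiguity rather than leaving provider_key as a multi-line value.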
Contributor

@quixoticmonk quixoticmonk Mar 9, 2026


We could have the schema command output saved for usage across the script once with something like ...

SCHEMA=$(terraform providers schema -json 2>/dev/null)
provider_key=$(jq -r '.provider_schemas | keys[]' <<< "$SCHEMA" | grep "/$1$")

Author

@garvitarai1 garvitarai1 Mar 10, 2026


Ya that's a great idea! I'll make the update

- Cache terraform providers schema -json output once per execution
- Reuse cached SCHEMA variable instead of repeated calls
- Reduces schema queries from 3 calls to 1 per script run
- Addresses PR feedback from @quixoticmonk

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>