diff --git a/terraform/code-generation/skills/terraform-search-import/SKILL.md b/terraform/code-generation/skills/terraform-search-import/SKILL.md
index 4a39391..72e9fa5 100644
--- a/terraform/code-generation/skills/terraform-search-import/SKILL.md
+++ b/terraform/code-generation/skills/terraform-search-import/SKILL.md
@@ -3,7 +3,7 @@ name: terraform-search-import
description: Discover existing cloud resources using Terraform Search queries and bulk import them into Terraform management. Use when bringing unmanaged infrastructure under Terraform control, auditing cloud resources, or migrating to IaC.
metadata:
copyright: Copyright IBM Corp. 2026
- version: "0.1.0"
+ version: "0.2.0"
compatibility: Requires Terraform >= 1.14 and providers with list resource support (always use latest provider version)
---
@@ -259,9 +259,13 @@ import {
Generated configuration includes all attributes. Clean up by:
1. Remove computed/read-only attributes
-2. Replace hardcoded values with variables
-3. Add proper resource naming
-4. Organize into appropriate files
+1. Replace hardcoded values with variables
+1. Remove computed sensitive values
+1. Remove non-computed sensitive values. If the provider still requires one of the removed arguments, use a write-only placeholder instead. If that write-only attribute requires a paired non-write-only attribute, ignore changes only to the paired non-write-only attribute, not to the write-only attribute itself.
+1. Remove top-level `timeout` blocks from all resources.
+1. Run `terraform validate` and resolve conflicting generated arguments.
+1. Add proper resource naming
+1. Organize into appropriate files
```hcl
# Before: generated
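Review bot: The new step that reads "Remove top-level `timeout` blocks" uses the singular, while the block is spelled `timeouts` in the tidy skill's step list and in the eval fixtures added by this same patch; it should read `timeouts` here too. "Remove computed sensitive values" also overlaps with the existing first step, "Remove computed/read-only attributes", so either merge the two or state what the new step covers that the first does not.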
@@ -273,6 +277,12 @@ resource "aws_instance" "all_0" {
# ... many more attributes
}
+resource "aws_ssm_parameter" "all_0" {
+ type = "SecureString"
+ name = "AccessCode"
+ value = "secret" # Remove - sensitive
+}
+
# After: cleaned
resource "aws_instance" "web_server" {
ami = var.ami_id
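Review bot: The added "before" resource shows `value = "secret"`, but the generated fixture added later in this patch emits `value = null # sensitive` for `aws_ssm_parameter`, so the example suggests that generation writes the secret literal into the file. Either show the generated form here, or add a comment saying this illustrates a value that was filled in by hand after generation.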
@@ -284,6 +294,17 @@ resource "aws_instance" "web_server" {
Environment = var.environment
}
}
+
+resource "aws_ssm_parameter" "access_code" {
+ type = "SecureString"
+ name = "AccessCode"
+ value_wo = "__imported__"
+ value_wo_version = 1
+
+ lifecycle {
+ ignore_changes = [value_wo_version]
+ }
+}
```
## Import by Identity
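Review bot: The `access_code` block has no comment explaining what `"__imported__"` is or why `ignore_changes = [value_wo_version]` is present, so a reader can take the placeholder for a value that is meant to be applied. Add a line saying the placeholder only satisfies the required argument and is not meant to be written to the parameter, and that rotating the secret through Terraform later means replacing `value_wo` and taking `value_wo_version` out of `ignore_changes` in the same change. The example also renames `all_0` to `access_code` without mentioning that the matching `import` block's `to` must be updated.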
diff --git a/terraform/code-generation/skills/terraform-tidy-before-import/SKILL.md b/terraform/code-generation/skills/terraform-tidy-before-import/SKILL.md
new file mode 100644
index 0000000..337e1b4
--- /dev/null
+++ b/terraform/code-generation/skills/terraform-tidy-before-import/SKILL.md
@@ -0,0 +1,107 @@
+---
+name: terraform-tidy-before-import
+description: Prepares Terraform code for safe and correct import. Resolves validation errors, sensitive attributes, and computed attributes. De-duplicates literal values. Use this before committing generated Terraform code to version control and before importing resources into Terraform.
+license: MPL-2.0
+metadata:
+ copyright: Copyright IBM Corp. 2026
+ version: "0.0.1"
+---
+# Tidy generated Terraform code
+
+Generated Terraform configuration includes all resource attributes. For
+correctness, reliability, and security, we tidy Terraform code before we commit
+it to version control and before we run `terraform apply`.
+
+The user may specify a priority of either speed or thoroughness. Default to
+thoroughness. If the user prioritizes speed, then skip all schema-dependent
+work and simply use `terraform validate` as a feedback loop to converge on a
+validatable configuration.
+
+When editing Terraform `resource` blocks, honor the Terraform resource
+configuration model. Preserve any Terraform-supported built-in resource
+argument or nested block that is already present, including `count`,
+`depends_on`, `for_each`, `provider`, `lifecycle`, `connection`, and
+`provisioner`, along with supported nested arguments and blocks inside them.
+Never remove these Terraform language arguments or blocks during cleanup.
+
+When editing Terraform `import` blocks, honor the Terraform import
+configuration model. If an existing `import` block passes `terraform validate`,
+it does not need to be edited. Preserve all Terraform-supported `import` block
+arguments, including `to`, `id`, `identity`, `for_each`, and `provider`. Never
+remove a valid `import` block or remove the `provider` argument from one.
+
+
+Prioritize correctness when parsing Terraform code. To do so, use the
+python-hcl2 module in a virtualenv. This module includes the hq command line
+tool. Examples:
+
+* Convert to JSON: `hq '*' --json`
+* Identity resource blocks with top-level timeouts: `hq 'resource~[select(.timeouts)] | .labels' `
+* Identity null-valued attributes: `hq '*..attribute:*[select(.value == null)]' `
+
+Use generic tools such as grep, awk, and sed only as a last resort when parsing Terraform code.
+
+
+
+1. Temporarily rename the source file to a .tf.bak extension so that
+ `terraform` commands do not read it.
+1. Start a non-blocking background task in a temporary directory to build
+ resource schema lookup tables, as detailed in
+ [resource-schema-lookup-tables.md](references/resource-schema-lookup-tables.md).
+1. Run `terraform validate`. Resolve conflicting generated provider arguments
+ without removing Terraform-supported built-in resource arguments or blocks.
+ Resolve all other validation errors.
+1. Replace literal values with variables for values that are used 3 or more
+ times
+1. Remove top-level provider-defined `timeouts` blocks from all resources.
+1. Wait for the background schema-analysis task to finish, then use its lookup
+ tables for the remaining schema-dependent cleanup steps.
+1. Remove provider-defined attributes that are `computed` and not `optional` by
+ using the computed-attributes lookup table for each resource type. Preserve
+ provider-defined attributes that are both `computed` and `optional`, unless
+ the configuration explicitly sets them to `null`; in that case, remove the
+ null-valued argument.
+1. Remove non-computed sensitive provider-defined attributes. If the provider
+ requires one of the removed arguments, try to use an equivalent
+ write-only attribute, such as the `value_wo` and `value_wo_version` pair for
+ `value`. If the write-only attribute requires a non-write-only
+ paired attribute, use the `lifecycle` meta-argument to ignore changes only
+ to that paired non-write-only attribute, e.g. `value_wo_version`.
+1. Run `terraform validate` as the final validation step. Make a best effort to
+ resolve errors before continuing.
+1. On completion, restore the original source file name
+
+```hcl
+# Before: generated
+resource "aws_instance" "all_0" {
+ ami = "ami-0c55b159cbfafe1f0"
+ instance_type = "t2.micro"
+ arn = "arn:aws:ec2:..." # Remove - computed
+ id = "i-0abc123" # Remove - computed
+ # ... many more attributes
+}
+
+resource "aws_ssm_parameter" "all_0" {
+ type = "SecureString"
+ name = "AccessCode"
+ value = "secret" # Remove - sensitive
+}
+
+# After: tidied
+resource "aws_instance" "all_0" {
+ ami = var.ami_id
+ instance_type = var.instance_type
+ subnet_id = var.subnet_id
+}
+
+resource "aws_ssm_parameter" "access_code" {
+ type = "SecureString"
+ name = "AccessCode"
+ value_wo = "__imported__"
+ value_wo_version = 1
+
+ lifecycle {
+ ignore_changes = [value_wo_version]
+ }
+}
+```
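Review bot: Step 1 renames the source file to `.tf.bak` so that `terraform` commands do not read it, yet steps 3 and 9 run `terraform validate` on the configuration being tidied; the procedure never says which file is edited and validated in between, or where that working copy lives. Spell that out, and have the last step say whether the tidied result replaces the original or sits beside it. Smaller points in the same hunk: "Identity resource blocks" and "Identity null-valued attributes" should read "Identify", the `hq` examples take no file argument, and the "After: tidied" `aws_instance` gains a `subnet_id` that the "before" block never had.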
diff --git a/terraform/code-generation/skills/terraform-tidy-before-import/evals/evals.json b/terraform/code-generation/skills/terraform-tidy-before-import/evals/evals.json
new file mode 100644
index 0000000..6081e9c
--- /dev/null
+++ b/terraform/code-generation/skills/terraform-tidy-before-import/evals/evals.json
@@ -0,0 +1,27 @@
+{
+ "skill_name": "terraform-tidy-before-import",
+ "evals": [
+ {
+ "id": 1,
+ "prompt": "Tidy the generated Terraform in aws_thorough_before_cleanup.tf so it is ready for import and safe to commit. Use the default thoroughness level, keep valid import blocks intact, preserve Terraform language meta-arguments and nested language blocks, and organize the finished configuration into appropriate Terraform files before you wrap up. Keep terraform.tf in any terraform working directories for base provider configuration. Make a best effort: if the final file does not validate or does not meet all criteria, the computer should still present it as output for evaluation.",
+ "expected_output": "A cleaned AWS configuration as close to aws_thorough_after_cleanup.tf as possible. Expect absence of provider-defined computed attributes and top-level timeout blocks while preserving valid import blocks, lifecycle/meta-arguments, and connection timeouts.",
+ "files": [
+ "evals/files/aws_thorough_before_cleanup.tf",
+ "evals/files/aws_thorough_after_cleanup.tf",
+ "evals/files/terraform.tf"
+ ],
+ "expectations": [
+ "terraform validate exits with code 0 on the output .tf files",
+ "All 7 import blocks from the source are present across the output files",
+ "Every import block retains its provider argument",
+ "No resource block contains a top-level timeouts {} block",
+ "aws_ssm_parameter resources have no value = null attribute (sensitive attribute removed)",
+ "aws_ssm_parameter resources have value_wo set to a non-null string",
+ "Each aws_ssm_parameter resource has a lifecycle block with ignore_changes = [value_wo_version]",
+ "aws_ssm_parameter resources retain the arn attribute (it is computed+optional per schema, so must be preserved not removed)",
+ "At least 2 Terraform variables are defined for values used 3 or more times",
+ "aws_instance resources retain the tags_all attribute (it is computed+optional per schema and must be preserved)"
+ ]
+ }
+ ]
+}
\ No newline at end of file
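Review bot: `expected_output` asks for "connection timeouts" to be preserved, but neither fixture in this patch contains a `connection` block, so that requirement is never exercised; add a resource with a `connection` block that has a `timeout`, or drop the clause. The phrase "absence of provider-defined computed attributes" also reads as contradicting the two expectations that `arn` and `tags_all` must be retained; "computed and not optional" would match the skill text. The file is also missing a trailing newline.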
diff --git a/terraform/code-generation/skills/terraform-tidy-before-import/evals/files/aws_thorough_after_cleanup.tf b/terraform/code-generation/skills/terraform-tidy-before-import/evals/files/aws_thorough_after_cleanup.tf
new file mode 100644
index 0000000..893f478
--- /dev/null
+++ b/terraform/code-generation/skills/terraform-tidy-before-import/evals/files/aws_thorough_after_cleanup.tf
@@ -0,0 +1,376 @@
+# __generated__ by Terraform
+# Please review these resources and move them into your main configuration files.
+
+# __generated__ by Terraform
+variable "aws_account_id" {
+ type = string
+ default = "904233096703"
+}
+
+variable "aws_primary_region" {
+ type = string
+ default = "us-east-2"
+}
+
+variable "aws_secondary_region" {
+ type = string
+ default = "us-west-2"
+}
+
+variable "azurerm_resource_group_name" {
+ type = string
+ default = "mapreduce"
+}
+
+variable "primary_owner_email" {
+ type = string
+ default = "noreply@example.org"
+}
+
+resource "aws_ssm_parameter" "unlock_code" {
+ provider = aws
+ arn = "arn:aws:ssm:us-east-2:904233096703:parameter/UnlockCode"
+ data_type = "text"
+ key_id = "alias/aws/ssm"
+ name = "UnlockCode"
+ region = var.aws_primary_region
+ tags = {}
+ tags_all = {}
+ tier = "Standard"
+ type = "SecureString"
+ value_wo = "__imported__"
+ value_wo_version = 1
+
+ lifecycle {
+ ignore_changes = [value_wo_version]
+ }
+}
+
+import {
+ to = aws_ssm_parameter.unlock_code
+ provider = aws
+ identity = {
+ account_id = var.aws_account_id
+ name = "UnlockCode"
+ region = var.aws_primary_region
+ }
+}
+
+resource "aws_ssm_parameter" "foo_parameter" {
+ provider = aws
+ arn = "arn:aws:ssm:us-east-2:904233096703:parameter/foo"
+ data_type = "text"
+ name = "foo"
+ region = var.aws_primary_region
+ tags = {}
+ tags_all = {}
+ tier = "Standard"
+ type = "String"
+ value_wo = "__imported__"
+ value_wo_version = 1
+
+ lifecycle {
+ ignore_changes = [value_wo_version]
+ }
+}
+
+import {
+ to = aws_ssm_parameter.foo_parameter
+ provider = aws
+ identity = {
+ account_id = var.aws_account_id
+ name = "foo"
+ region = var.aws_primary_region
+ }
+}
+
+# __generated__ by Terraform
+resource "awscc_autoscaling_auto_scaling_group" "terraform_20260412_group" {
+ provider = awscc
+ auto_scaling_group_name = "terraform-20260412125441192100000003"
+ availability_zone_distribution = {
+ capacity_distribution_strategy = "balanced-best-effort"
+ }
+ availability_zone_ids = ["use2-az3"]
+ availability_zones = ["us-east-2c"]
+ capacity_reservation_specification = {
+ capacity_reservation_preference = "default"
+ }
+ cooldown = "300"
+ desired_capacity = "1"
+ health_check_grace_period = 300
+ health_check_type = "EC2"
+ instance_lifecycle_policy = {
+ retention_triggers = {
+ terminate_hook_abandon = "terminate"
+ }
+ }
+ launch_configuration_name = "terraform-20260416020319060500000001"
+ max_size = "1"
+ min_size = "1"
+ new_instances_protected_from_scale_in = false
+ service_linked_role_arn = "arn:aws:iam::904233096703:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
+ tags = [
+ {
+ key = "owner"
+ propagate_at_launch = true
+ value = var.primary_owner_email
+ },
+ ]
+ termination_policies = ["Default"]
+}
+
+import {
+ to = awscc_autoscaling_auto_scaling_group.terraform_20260412_group
+ provider = awscc
+ identity = {
+ account_id = var.aws_account_id
+ auto_scaling_group_name = "terraform-20260412125441192100000003"
+ region = var.aws_primary_region
+ }
+}
+
+# __generated__ by Terraform
+resource "aws_instance" "pi_in_the_sky" {
+ provider = aws
+ ami = "ami-0c13074f00e476295"
+ availability_zone = "us-east-2a"
+ disable_api_stop = false
+ disable_api_termination = false
+ ebs_optimized = false
+ get_password_data = false
+ hibernation = false
+ instance_initiated_shutdown_behavior = "stop"
+ instance_type = "t4g.nano"
+ monitoring = false
+ placement_partition_number = 0
+ region = var.aws_primary_region
+ security_groups = ["default"]
+ source_dest_check = true
+ subnet_id = "subnet-07dfd740d46f2971c"
+ tags = {
+ Name = "pi-in-the-sky"
+ owner = var.primary_owner_email
+ }
+ tags_all = {
+ Name = "pi-in-the-sky"
+ owner = var.primary_owner_email
+ }
+ tenancy = "default"
+ vpc_security_group_ids = ["sg-0ce804325eb0f5ca9"]
+
+ capacity_reservation_specification {
+ capacity_reservation_preference = "open"
+ }
+
+ cpu_options {
+ core_count = 2
+ threads_per_core = 1
+ }
+
+ credit_specification {
+ cpu_credits = "unlimited"
+ }
+
+ enclave_options {
+ enabled = false
+ }
+
+ maintenance_options {
+ auto_recovery = "default"
+ }
+
+ metadata_options {
+ http_endpoint = "enabled"
+ http_protocol_ipv6 = "disabled"
+ http_put_response_hop_limit = 2
+ http_tokens = "required"
+ instance_metadata_tags = "disabled"
+ }
+
+ private_dns_name_options {
+ enable_resource_name_dns_a_record = false
+ enable_resource_name_dns_aaaa_record = false
+ hostname_type = "ip-name"
+ }
+
+ root_block_device {
+ delete_on_termination = true
+ encrypted = false
+ iops = 3000
+ tags = {}
+ tags_all = {}
+ throughput = 125
+ volume_size = 8
+ volume_type = "gp3"
+ }
+}
+
+import {
+ to = aws_instance.pi_in_the_sky
+ provider = aws
+ identity = {
+ account_id = var.aws_account_id
+ id = "i-042b87bcd5bd6012c"
+ region = var.aws_primary_region
+ }
+}
+
+# __generated__ by Terraform
+resource "aws_instance" "computer_1" {
+ provider = aws
+ ami = "ami-0049c21f5d9fb57c2"
+ availability_zone = "us-west-2d"
+ disable_api_stop = false
+ disable_api_termination = false
+ ebs_optimized = false
+ get_password_data = false
+ hibernation = false
+ iam_instance_profile = "team-awesome"
+ instance_initiated_shutdown_behavior = "stop"
+ instance_type = "t4g.nano"
+ monitoring = false
+ placement_partition_number = 0
+ region = var.aws_secondary_region
+ security_groups = ["default"]
+ source_dest_check = true
+ subnet_id = "subnet-077c9d307457f4512"
+ tags = {
+ Name = "computer-1"
+ owner = "team-awesome@example.org"
+ }
+ tags_all = {
+ Name = "computer-1"
+ owner = "team-awesome@example.org"
+ }
+ tenancy = "default"
+ vpc_security_group_ids = ["sg-0d186b4390fe6e7b8"]
+
+ capacity_reservation_specification {
+ capacity_reservation_preference = "open"
+ }
+
+ cpu_options {
+ core_count = 2
+ threads_per_core = 1
+ }
+
+ credit_specification {
+ cpu_credits = "unlimited"
+ }
+
+ enclave_options {
+ enabled = false
+ }
+
+ maintenance_options {
+ auto_recovery = "default"
+ }
+
+ metadata_options {
+ http_endpoint = "enabled"
+ http_protocol_ipv6 = "disabled"
+ http_put_response_hop_limit = 2
+ http_tokens = "required"
+ instance_metadata_tags = "disabled"
+ }
+
+ private_dns_name_options {
+ enable_resource_name_dns_a_record = false
+ enable_resource_name_dns_aaaa_record = false
+ hostname_type = "ip-name"
+ }
+
+ root_block_device {
+ delete_on_termination = true
+ encrypted = false
+ iops = 3000
+ tags = {}
+ tags_all = {}
+ throughput = 125
+ volume_size = 8
+ volume_type = "gp3"
+ }
+}
+
+import {
+ to = aws_instance.computer_1
+ provider = aws
+ identity = {
+ account_id = var.aws_account_id
+ id = "i-06e6fc683132a44ff"
+ region = var.aws_secondary_region
+ }
+}
+
+# __generated__ by Terraform
+resource "azurerm_resource_group" "mapreduce" {
+ provider = azurerm
+ location = "westeurope"
+ name = var.azurerm_resource_group_name
+ tags = {
+ availability = "online"
+ }
+}
+
+import {
+ to = azurerm_resource_group.mapreduce
+ provider = azurerm
+ identity = {
+ name = var.azurerm_resource_group_name
+ subscription_id = "6365c18e-b304-4096-a2c5-56e6dd2dbbe7"
+ }
+}
+
+# __generated__ by Terraform
+resource "azurerm_storage_account" "mapreduce_garage" {
+ provider = azurerm
+ access_tier = "Hot"
+ account_kind = "StorageV2"
+ account_replication_type = "GRS"
+ account_tier = "Standard"
+ allow_nested_items_to_be_public = true
+ cross_tenant_replication_enabled = false
+ default_to_oauth_authentication = false
+ dns_endpoint_type = "Standard"
+ https_traffic_only_enabled = true
+ infrastructure_encryption_enabled = false
+ is_hns_enabled = false
+ large_file_share_enabled = false
+ local_user_enabled = true
+ location = "westeurope"
+ min_tls_version = "TLS1_2"
+ name = "mapreducegarage"
+ nfsv3_enabled = false
+ public_network_access_enabled = true
+ queue_encryption_key_type = "Service"
+ resource_group_name = var.azurerm_resource_group_name
+ sftp_enabled = false
+ shared_access_key_enabled = true
+ table_encryption_key_type = "Service"
+ tags = {
+ availability = "online"
+ }
+
+ blob_properties {
+ change_feed_enabled = false
+ last_access_time_enabled = false
+ versioning_enabled = false
+ }
+
+ share_properties {
+ retention_policy {
+ days = 7
+ }
+ }
+}
+
+import {
+ to = azurerm_storage_account.mapreduce_garage
+ provider = azurerm
+ identity = {
+ name = "mapreducegarage"
+ resource_group_name = var.azurerm_resource_group_name
+ subscription_id = "6365c18e-b304-4096-a2c5-56e6dd2dbbe7"
+ }
+}
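Review bot: `aws_secondary_region` is introduced for `"us-west-2"`, which appears as a standalone literal only twice in the before file (the `region` of the second `aws_instance` and of its `import` block), so the reference output breaks the skill's own "used 3 or more times" rule and an evaluator comparing against it will reward the wrong behaviour. Either drop that variable or lower the threshold in the skill. The account ID and region also stay hard-coded inside the `arn` and `service_linked_role_arn` strings even though `aws_account_id` and `aws_primary_region` exist; say whether that is intended. The `# __generated__ by Terraform` comment above the hand-written `variable` blocks should go.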
diff --git a/terraform/code-generation/skills/terraform-tidy-before-import/evals/files/aws_thorough_before_cleanup.tf b/terraform/code-generation/skills/terraform-tidy-before-import/evals/files/aws_thorough_before_cleanup.tf
new file mode 100644
index 0000000..5808ae3
--- /dev/null
+++ b/terraform/code-generation/skills/terraform-tidy-before-import/evals/files/aws_thorough_before_cleanup.tf
@@ -0,0 +1,391 @@
+# __generated__ by Terraform
+# Please review these resources and move them into your main configuration files.
+
+# __generated__ by Terraform
+resource "aws_ssm_parameter" "by_aws_region_0_0" {
+ provider = aws
+ allowed_pattern = null
+ arn = "arn:aws:ssm:us-east-2:904233096703:parameter/UnlockCode"
+ data_type = "text"
+ description = null
+ key_id = "alias/aws/ssm"
+ name = "UnlockCode"
+ overwrite = null
+ region = "us-east-2"
+ tags = {}
+ tags_all = {}
+ tier = "Standard"
+ type = "SecureString"
+ value = null # sensitive
+ value_wo = null # sensitive
+ value_wo_version = null
+}
+
+import {
+ to = aws_ssm_parameter.by_aws_region_0_0
+ provider = aws
+ identity = {
+ account_id = "904233096703"
+ name = "UnlockCode"
+ region = "us-east-2"
+ }
+}
+
+resource "aws_ssm_parameter" "by_aws_region_0_1" {
+ provider = aws
+ allowed_pattern = null
+ arn = "arn:aws:ssm:us-east-2:904233096703:parameter/foo"
+ data_type = "text"
+ description = null
+ name = "foo"
+ overwrite = null
+ region = "us-east-2"
+ tags = {}
+ tags_all = {}
+ tier = "Standard"
+ type = "String"
+ value = null # sensitive
+ value_wo = null # sensitive
+ value_wo_version = null
+}
+
+import {
+ to = aws_ssm_parameter.by_aws_region_0_1
+ provider = aws
+ identity = {
+ account_id = "904233096703"
+ name = "foo"
+ region = "us-east-2"
+ }
+}
+
+
+
+# __generated__ by Terraform
+resource "awscc_autoscaling_auto_scaling_group" "global_0_0" {
+ provider = awscc
+ auto_scaling_group_name = "terraform-20260412125441192100000003"
+ availability_zone_distribution = {
+ capacity_distribution_strategy = "balanced-best-effort"
+ }
+ availability_zone_ids = ["use2-az3"]
+ availability_zones = ["us-east-2c"]
+ capacity_reservation_specification = {
+ capacity_reservation_preference = "default"
+ }
+ cooldown = "300"
+ desired_capacity = "1"
+ health_check_grace_period = 300
+ health_check_type = "EC2"
+ instance_lifecycle_policy = {
+ retention_triggers = {
+ terminate_hook_abandon = "terminate"
+ }
+ }
+ launch_configuration_name = "terraform-20260416020319060500000001"
+ max_size = "1"
+ min_size = "1"
+ new_instances_protected_from_scale_in = false
+ service_linked_role_arn = "arn:aws:iam::904233096703:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
+ tags = [
+ {
+ key = "owner"
+ propagate_at_launch = true
+ value = "noreply@example.org"
+ },
+ ]
+ termination_policies = ["Default"]
+}
+
+import {
+ to = awscc_autoscaling_auto_scaling_group.global_0_0
+ provider = awscc
+ identity = {
+ account_id = "904233096703"
+ auto_scaling_group_name = "terraform-20260412125441192100000003"
+ region = "us-east-2"
+ }
+}
+
+
+
+# __generated__ by Terraform
+resource "aws_instance" "by_aws_region_0_0" {
+ provider = aws
+ ami = "ami-0c13074f00e476295"
+ associate_public_ip_address = false
+ availability_zone = "us-east-2a"
+ disable_api_stop = false
+ disable_api_termination = false
+ ebs_optimized = false
+ force_destroy = null
+ get_password_data = false
+ hibernation = false
+ instance_initiated_shutdown_behavior = "stop"
+ instance_type = "t4g.nano"
+ ipv6_address_count = 0
+ ipv6_addresses = []
+ monitoring = false
+ placement_partition_number = 0
+ private_ip = "172.31.3.80"
+ region = "us-east-2"
+ secondary_private_ips = []
+ security_groups = ["default"]
+ source_dest_check = true
+ subnet_id = "subnet-07dfd740d46f2971c"
+ tags = {
+ Name = "pi-in-the-sky"
+ owner = "noreply@example.org"
+ }
+ tags_all = {
+ Name = "pi-in-the-sky"
+ owner = "noreply@example.org"
+ }
+ tenancy = "default"
+ user_data_replace_on_change = null
+ volume_tags = null
+ vpc_security_group_ids = ["sg-0ce804325eb0f5ca9"]
+ capacity_reservation_specification {
+ capacity_reservation_preference = "open"
+ }
+ cpu_options {
+ core_count = 2
+ threads_per_core = 1
+ }
+ credit_specification {
+ cpu_credits = "unlimited"
+ }
+ enclave_options {
+ enabled = false
+ }
+ maintenance_options {
+ auto_recovery = "default"
+ }
+ metadata_options {
+ http_endpoint = "enabled"
+ http_protocol_ipv6 = "disabled"
+ http_put_response_hop_limit = 2
+ http_tokens = "required"
+ instance_metadata_tags = "disabled"
+ }
+ private_dns_name_options {
+ enable_resource_name_dns_a_record = false
+ enable_resource_name_dns_aaaa_record = false
+ hostname_type = "ip-name"
+ }
+ root_block_device {
+ delete_on_termination = true
+ encrypted = false
+ iops = 3000
+ tags = {}
+ tags_all = {}
+ throughput = 125
+ volume_size = 8
+ volume_type = "gp3"
+ }
+ timeouts {
+ create = null
+ delete = null
+ read = null
+ update = null
+ }
+}
+
+import {
+ to = aws_instance.by_aws_region_0_0
+ provider = aws
+ identity = {
+ account_id = "904233096703"
+ id = "i-042b87bcd5bd6012c"
+ region = "us-east-2"
+ }
+}
+
+
+
+# __generated__ by Terraform
+resource "aws_instance" "by_aws_region_2_0" {
+ provider = aws
+ ami = "ami-0049c21f5d9fb57c2"
+ associate_public_ip_address = true
+ availability_zone = "us-west-2d"
+ disable_api_stop = false
+ disable_api_termination = false
+ ebs_optimized = false
+ force_destroy = null
+ get_password_data = false
+ hibernation = false
+ iam_instance_profile = "team-awesome"
+ instance_initiated_shutdown_behavior = "stop"
+ instance_type = "t4g.nano"
+ ipv6_address_count = 0
+ ipv6_addresses = []
+ monitoring = false
+ placement_partition_number = 0
+ private_ip = "172.31.48.66"
+ region = "us-west-2"
+ secondary_private_ips = []
+ security_groups = ["default"]
+ source_dest_check = true
+ subnet_id = "subnet-077c9d307457f4512"
+ tags = {
+ Name = "computer-1"
+ owner = "team-awesome@example.org"
+ }
+ tags_all = {
+ Name = "computer-1"
+ owner = "team-awesome@example.org"
+ }
+ tenancy = "default"
+ user_data = null
+ user_data_replace_on_change = null
+ volume_tags = null
+ vpc_security_group_ids = ["sg-0d186b4390fe6e7b8"]
+ capacity_reservation_specification {
+ capacity_reservation_preference = "open"
+ }
+ cpu_options {
+ core_count = 2
+ threads_per_core = 1
+ }
+ credit_specification {
+ cpu_credits = "unlimited"
+ }
+ enclave_options {
+ enabled = false
+ }
+ maintenance_options {
+ auto_recovery = "default"
+ }
+ metadata_options {
+ http_endpoint = "enabled"
+ http_protocol_ipv6 = "disabled"
+ http_put_response_hop_limit = 2
+ http_tokens = "required"
+ instance_metadata_tags = "disabled"
+ }
+ private_dns_name_options {
+ enable_resource_name_dns_a_record = false
+ enable_resource_name_dns_aaaa_record = false
+ hostname_type = "ip-name"
+ }
+ root_block_device {
+ delete_on_termination = true
+ encrypted = false
+ iops = 3000
+ tags = {}
+ tags_all = {}
+ throughput = 125
+ volume_size = 8
+ volume_type = "gp3"
+ }
+ timeouts {
+ create = null
+ delete = null
+ read = null
+ update = null
+ }
+}
+
+import {
+ to = aws_instance.by_aws_region_2_0
+ provider = aws
+ identity = {
+ account_id = "904233096703"
+ id = "i-06e6fc683132a44ff"
+ region = "us-west-2"
+ }
+}
+
+
+
+# __generated__ by Terraform
+resource "azurerm_resource_group" "global_0_0" {
+ provider = azurerm
+ location = "westeurope"
+ managed_by = null
+ name = "mapreduce"
+ tags = {
+ availability = "online"
+ }
+ timeouts {
+ create = null
+ delete = null
+ read = null
+ update = null
+ }
+}
+
+import {
+ to = azurerm_resource_group.global_0_0
+ provider = azurerm
+ identity = {
+ name = "mapreduce"
+ subscription_id = "6365c18e-b304-4096-a2c5-56e6dd2dbbe7"
+ }
+}
+
+
+
+# __generated__ by Terraform
+resource "azurerm_storage_account" "by_resource_group_0_0" {
+ provider = azurerm
+ access_tier = "Hot"
+ account_kind = "StorageV2"
+ account_replication_type = "GRS"
+ account_tier = "Standard"
+ allow_nested_items_to_be_public = true
+ allowed_copy_scope = null
+ cross_tenant_replication_enabled = false
+ default_to_oauth_authentication = false
+ dns_endpoint_type = "Standard"
+ edge_zone = null
+ https_traffic_only_enabled = true
+ infrastructure_encryption_enabled = false
+ is_hns_enabled = false
+ large_file_share_enabled = false
+ local_user_enabled = true
+ location = "westeurope"
+ min_tls_version = "TLS1_2"
+ name = "mapreducegarage"
+ nfsv3_enabled = false
+ provisioned_billing_model_version = null
+ public_network_access_enabled = true
+ queue_encryption_key_type = "Service"
+ resource_group_name = "mapreduce"
+ sftp_enabled = false
+ shared_access_key_enabled = true
+ table_encryption_key_type = "Service"
+ tags = {
+ availability = "online"
+ }
+ blob_properties {
+ change_feed_enabled = false
+ change_feed_retention_in_days = 0
+ last_access_time_enabled = false
+ versioning_enabled = false
+ }
+ share_properties {
+ retention_policy {
+ days = 7
+ }
+ }
+ timeouts {
+ create = null
+ delete = null
+ read = null
+ update = null
+ }
+}
+
+import {
+ to = azurerm_storage_account.by_resource_group_0_0
+ provider = azurerm
+ identity = {
+ name = "mapreducegarage"
+ resource_group_name = "mapreduce"
+ subscription_id = "6365c18e-b304-4096-a2c5-56e6dd2dbbe7"
+ }
+}
+
+
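Review bot: This fixture commits what look like live identifiers: the 12-digit AWS account ID in every `identity` block and ARN, the Azure `subscription_id` GUID, instance, subnet and security group IDs, and `private_ip` values. If they were captured from a real account, replace them with documentation placeholders before merging; if they are synthetic, say so in the header comment. The file name also says `aws_` although the last two resources are `azurerm_resource_group` and `azurerm_storage_account`, so rename it or split the Azure resources into their own fixture.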
diff --git a/terraform/code-generation/skills/terraform-tidy-before-import/evals/files/terraform.tf b/terraform/code-generation/skills/terraform-tidy-before-import/evals/files/terraform.tf
new file mode 100644
index 0000000..e29cedf
--- /dev/null
+++ b/terraform/code-generation/skills/terraform-tidy-before-import/evals/files/terraform.tf
@@ -0,0 +1,35 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 6.0"
+ }
+
+ awscc = {
+ source = "hashicorp/awscc"
+ }
+
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 4.0"
+ }
+
+ random = {
+ source = "hashicorp/random"
+ version = "~> 3.8"
+ }
+ }
+}
+
+provider "aws" {
+ region = "us-east-2"
+}
+
+provider "awscc" {
+ region = "us-east-2"
+}
+
+provider "azurerm" {
+ features {
+ }
+}
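Review bot: The `awscc` entry in `required_providers` has no `version` constraint while `aws`, `azurerm` and `random` are all pinned, so eval runs can pick up a different `awscc` schema over time and change which attributes count as computed. Pin it like the others. The `random` provider is required here but no resource in either fixture uses it; remove it unless a later eval needs it.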
diff --git a/terraform/code-generation/skills/terraform-tidy-before-import/references/resource-schema-lookup-tables.md b/terraform/code-generation/skills/terraform-tidy-before-import/references/resource-schema-lookup-tables.md
new file mode 100644
index 0000000..6d7a661
--- /dev/null
+++ b/terraform/code-generation/skills/terraform-tidy-before-import/references/resource-schema-lookup-tables.md
@@ -0,0 +1,6 @@
+The resource schema analysis needed for computed and sensitive attribute
+cleanup is time-consuming, due to the size of the resource schemas. In order to
+avoid slow model calls, schema analysis should use local tools to build a
+lookup table of sensitive attributes by resource type and to build a lookup
+table of computed attributes by resource type that also records whether each
+computed attribute is optional.
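Review bot: SKILL.md points here for how to build the lookup tables "as detailed in" this file, but the text only states that the tables should exist; it gives no command, input or output format. Name the local tool and the source of the schema (for example the JSON emitted by `terraform providers schema -json`) and show the expected shape of each table, so that every run builds the same thing.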
diff --git a/terraform/code-generation/skills/terraform-tidy-before-import/references/terraform-editing-correctness.md b/terraform/code-generation/skills/terraform-tidy-before-import/references/terraform-editing-correctness.md
new file mode 100644
index 0000000..4dd58e5
--- /dev/null
+++ b/terraform/code-generation/skills/terraform-tidy-before-import/references/terraform-editing-correctness.md
@@ -0,0 +1,25 @@
+When editing Terraform `resource` blocks, honor the Terraform resource
+configuration model. Preserve any Terraform-supported built-in resource
+argument or nested block that is already present, including `count`,
+`depends_on`, `for_each`, `provider`, `lifecycle`, `connection`, and
+`provisioner`, along with supported nested arguments and blocks inside them.
+Never remove these Terraform language arguments or blocks during cleanup.
+
+When editing Terraform `import` blocks, honor the Terraform import
+configuration model. If an existing `import` block passes `terraform validate`,
+it does not need to be edited. Preserve all Terraform-supported `import` block
+arguments, including `to`, `id`, `identity`, `for_each`, and `provider`. Never
+remove a valid `import` block or remove the `provider` argument from one.
+
+
+Prioritize correctness when parsing Terraform code. To do so, use the
+python-hcl2 module in a virtualenv. This module includes the hq command line
+tool. Examples:
+
+* Convert to JSON: `hq '*' --json`
+* Identity resource blocks with top-level timeouts: `hq 'resource~[select(.timeouts)] | .labels' `
+* Identity null-valued attributes: `hq '*..attribute:*[select(.value == null)]' `
+
+Use generic tools such as grep, awk, and sed only as a last resort when parsing Terraform code.
+
+
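Review bot: This file repeats, word for word, the resource-block, import-block and parsing paragraphs already in the new SKILL.md, and nothing in SKILL.md links to it. Keep the text in one place and reference it from the other, otherwise the two copies will drift. The "Identity resource blocks" and "Identity null-valued attributes" typos ("Identify") are duplicated here as well, and the hunk ends with two blank lines that can be dropped.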