Infrastructure as Code Reviewer Skill
Reviews Terraform, Pulumi, or CloudFormation configs for security, correctness, and maintainability.
A reusable skill package for Claude Code and Cowork.
When to use this skill
- Reviewing IaC before applying to staging or production
- Auditing Terraform modules for security and best practices
- Checking for resource misconfigurations or cost issues
- Migrating from one IaC tool to another
What this skill does
Reads IaC templates and checks for security misconfigurations (open security groups, public storage, missing encryption), naming and tagging conventions, module structure, destructive resource changes, and cost optimization opportunities.
How it works
1. Parse IaC templates and identify cloud provider, resources, and scope
2. Security check: open ports, public storage, missing encryption, IAM over-provisioning
3. Structure check: module organization, variable definitions, naming, and tagging
4. Flag destructive changes and cost issues; produce severity-ranked findings
Full Skill Definition
---
name: infrastructure-as-code-reviewer
description: "Reviews Terraform, Pulumi, or CloudFormation configs for security, correctness, and maintainability."
---
# Infrastructure As Code Reviewer
## Overview
You are an infrastructure engineer specializing in Infrastructure as Code (IaC) patterns and cloud resource provisioning.
## Purpose
Help teams write maintainable, secure IaC templates that follow DRY principles and minimize drift.
## When to Use
When a user needs to provision cloud resources, write Terraform/Pulumi/CDK templates, or review existing infrastructure code.
## IaC Development Process
### Step 1: Define Resources & Scope
Clarify the project's goals and boundaries before writing templates. Identify what cloud resources are needed, their dependencies, and environment-specific variations (dev/staging/prod).
### Step 2: Design Module Structure
Organize into reusable modules with clear input variables, outputs, and sensible defaults. Separate state management from resource definitions.
### Step 3: Apply Security Baselines
Enforce least-privilege IAM, encrypt storage at rest, restrict network access, and tag all resources for cost tracking.
### Step 4: Output, Document & Validate
Generate the IaC template with inline comments, a variables file with descriptions, and a README explaining the architecture. Run a plan/preview to validate the template before applying, and review the output for unexpected changes.
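As an added example, not part of the skill package or this page, the following Python checker runs over `terraform show -json` plan output and mechanizes three of the review checks described above (ingress rules open to any source, public S3 ACLs, missing inline encryption configuration) plus the destructive-change flag from `resource_changes`. The plan document is constructed, and the `aws_*` attribute names assume the Terraform AWS provider schema.

```python
import json

# Constructed sample of `terraform show -json` output: a security group open to
# the world on port 22, an unencrypted public bucket, and a DB being replaced.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_security_group.ssh", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"acl": "public-read", "server_side_encryption_configuration": []}},
    ]}},
    "resource_changes": [
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["delete", "create"]}},
    ],
})

WORLD = {"0.0.0.0/0", "::/0"}  # CIDRs that admit any source address
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def review_plan(plan_json: str) -> list[dict]:
    """Return findings sorted HIGH -> LOW, each with severity, address and issue."""
    plan = json.loads(plan_json)
    findings = []
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    for res in resources:
        vals = res.get("values") or {}
        if res["type"] == "aws_security_group":
            for rule in vals.get("ingress") or []:
                cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
                if cidrs & WORLD:  # open port: the whole internet can reach this range
                    findings.append({"severity": "HIGH", "address": res["address"],
                                     "issue": f"ingress {rule.get('from_port')}-{rule.get('to_port')} open to the world"})
        elif res["type"] == "aws_s3_bucket":
            if vals.get("acl") in ("public-read", "public-read-write"):
                findings.append({"severity": "HIGH", "address": res["address"],
                                 "issue": f"public storage: acl={vals['acl']}"})
            # Inline SSE block only; heuristic, since newer AWS provider versions move it to a separate resource.
            if not vals.get("server_side_encryption_configuration"):
                findings.append({"severity": "MEDIUM", "address": res["address"],
                                 "issue": "missing encryption: no server_side_encryption_configuration"})
    for change in plan.get("resource_changes", []):
        actions = change.get("change", {}).get("actions", [])
        if "delete" in actions:  # destructive: a replacement shows up as delete + create
            kind = "replaced" if "create" in actions else "destroyed"
            findings.append({"severity": "HIGH", "address": change["address"],
                             "issue": f"destructive change: resource will be {kind}"})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])
```

Feed it real output with `terraform show -json tfplan > plan.json` and call `review_plan(open("plan.json").read())`; the sort is stable, so findings keep plan order within each severity.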
## Error Handling
### Cloud Provider Unknown
Ask which cloud provider (AWS, GCP, Azure) and IaC tool (Terraform, Pulumi, CDK) before generating templates.
### Destructive Changes
Always flag resources that will be destroyed or replaced. Recommend plan/preview before apply.
### State File Safety
Never store state files locally in production workflows. Recommend remote state backends with locking and encryption.
Summary
Reviews Terraform, Pulumi, or CloudFormation configs for security, correctness, and maintainability. Install this skill by placing the package in ~/.claude/skills/infrastructure-as-code-reviewer/ for personal use, or .claude/skills/infrastructure-as-code-reviewer/ for project-specific use.
FAQs
Does it support all IaC tools?
Terraform (HCL), Pulumi (Python/TypeScript), CloudFormation (YAML/JSON), and AWS CDK are all supported.
Can it detect drift between IaC and live infrastructure?
It analyzes the code, not live state. Run terraform plan or pulumi preview and share the output for change-level analysis.
Does it check for cost optimization?
Yes. It flags oversized instance types, unattached volumes, and missing auto-scaling policies.
Download & install
Install paths
Claude Code — personal (all projects)
~/.claude/skills/infrastructure-as-code-reviewer/SKILL.md
Claude Code — project-specific
.claude/skills/infrastructure-as-code-reviewer/SKILL.md
Cowork — skill plugin
Upload .skill.zip via Cowork plugin manager
Compatible with Claude Code, Cowork, and any SKILL.md-compatible agent platform.
Skills in the registry are community starter templates provided as-is. skill.design and Designless do not guarantee accuracy, completeness, or fitness for any purpose. Always review, customize, and validate skills for your specific use case before deploying to production. You are responsible for the behavior of skills you install and use.