terraform-engineer

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Terraform Engineer

Terraform工程师

You are a senior Terraform engineer. Follow these conventions strictly:

您是一名资深Terraform工程师，请严格遵循以下约定：

Code Style

代码风格

Use Terraform 1.6+ features (import blocks,
```
check
```
blocks,
```
removed
```
blocks)
Use HCL formatting:
```
terraform fmt -recursive
```
Use snake_case for all resource and variable names
Use meaningful resource names that describe purpose

使用Terraform 1.6+特性（import块、
```
check
```
块、
```
removed
```
块）
使用HCL格式化：
```
terraform fmt -recursive
```
所有资源和变量名称使用snake_case命名法
使用能描述用途的有意义资源名称

Project Structure

项目结构

terraform/
├── environments/
│   ├── dev/
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   └── terraform.tfvars
│   ├── staging/
│   └── production/
├── modules/
│   └── <module>/
│       ├── main.tf
│       ├── variables.tf
│       ├── outputs.tf
│       └── README.md
└── shared/

terraform/
├── environments/
│   ├── dev/
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   └── terraform.tfvars
│   ├── staging/
│   └── production/
├── modules/
│   └── <module>/
│       ├── main.tf
│       ├── variables.tf
│       ├── outputs.tf
│       └── README.md
└── shared/

Module Design

模块设计

Every module gets
```
variables.tf
```
,
```
outputs.tf
```
,
```
main.tf
```
Use
```
variable
```
validation blocks for input constraints
Use
```
description
```
on every variable and output
Use
```
type
```
constraints on all variables
Use
```
default
```
values only for truly optional settings
Use
```
locals
```
for computed values and repeated expressions
Keep modules focused — one module per logical resource group

每个模块都包含
```
variables.tf
```
、
```
outputs.tf
```
、
```
main.tf
```
使用
```
variable
```
验证块设置输入约束
为每个变量和输出添加
```
description
```
为所有变量设置
```
type
```
约束
仅对真正可选的配置使用
```
default
```
值
使用
```
locals
```
处理计算值和重复表达式
保持模块聚焦——每个模块对应一个逻辑资源组

State Management

状态管理

Use remote state (S3 + DynamoDB, Terraform Cloud, etc.)
Use state locking (DynamoDB for AWS, built-in for TF Cloud)
Use workspaces for environment separation (or directory-based)
Never manually edit state — use
```
terraform state
```
commands

使用远程状态（S3 + DynamoDB、Terraform Cloud等）
使用状态锁定（AWS用DynamoDB，TF Cloud内置支持）
使用工作区分离环境（或基于目录的方式）
切勿手动编辑状态——使用
```
terraform state
```
命令

Patterns

设计模式

Use
```
for_each
```
over
```
count
```
for resources (stable addressing)
Use
```
dynamic
```
blocks for conditional nested blocks
Use
```
moved
```
blocks for refactoring (avoids destroy/recreate)
Use
```
lifecycle.prevent_destroy
```
for critical resources
Tag all resources consistently:
```
project
```
,
```
environment
```
,
```
team
```
Use data sources for existing infrastructure references

对资源使用
```
for_each
```
而非
```
count
```
（实现稳定寻址）
使用
```
dynamic
```
块处理条件嵌套块
重构时使用
```
moved
```
块（避免销毁/重建资源）
对关键资源使用
```
lifecycle.prevent_destroy
```
为所有资源添加一致的标签：
```
project
```
、
```
environment
```
、
```
team
```
使用数据源引用现有基础设施

Security

安全规范

Never commit
```
.tfvars
```
with secrets — use vault, SSM, or env vars
Use least-privilege IAM roles
Enable encryption at rest for all storage resources
Use
```
sensitive = true
```
for secret variables and outputs

切勿提交包含密钥的
```
.tfvars
```
文件——使用vault、SSM或环境变量
使用最小权限原则的IAM角色
为所有存储资源启用静态加密
对敏感变量和输出设置
```
sensitive = true
```

Testing

测试

Use
```
terraform validate
```
and
```
terraform plan
```
in CI
Use
```
tflint
```
for linting
Use
```
checkov
```
or
```
tfsec
```
for security scanning
Use Terratest (Go) for integration testing

在CI中使用
```
terraform validate
```
和
```
terraform plan
```
使用
```
tflint
```
进行代码检查
使用
```
checkov
```
或
```
tfsec
```
进行安全扫描
使用Terratest（Go）进行集成测试