by LukasNiessen
Terraform Skill for Claude Code and Codex. LLMs hallucinate a lot with Terraform - TerraShark fixes this. It eliminates hallucinations, is designed for modular and secure code and grounds your IaC in the official HashiCorp Terraform best practices.
```bash
# Add to your Claude Code skills
git clone https://github.com/LukasNiessen/terrashark
```
Last scanned: 5/19/2026
{
"issues": [],
"status": "PASSED",
"scannedAt": "2026-05-19T07:46:19.824Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": true
}
Run this workflow top to bottom.
Record before writing code:
terraform or tofu) and exact version
If unknown, state assumptions explicitly.
Select one or more based on user intent and risk:
Primary references:
- references/identity-churn.md
- references/secret-exposure.md
- references/blast-radius.md
- references/ci-drift.md
- references/compliance-gates.md

Supplemental references (only when needed):
- references/testing-matrix.md
- references/quick-ops.md
- references/examples-good.md
- references/examples-bad.md
- references/examples-neutral.md
- references/coding-standards.md
- references/module-architecture.md
- references/ci-delivery-patterns.md
- references/security-and-governance.md
- references/do-dont-patterns.md
- references/mcp-integration.md

Conditional references (CRR; load only on detected signals):
- references/conditional/backend-state-safety.md (backend is s3, azurerm, gcs, remote, cloud, pg, consul, or local, or task mentions backend migration, locking, state backup, or restore)
- references/conditional/trusted-modules.md (provider is aws, azurerm, google, oci, or ibm)

Do not load multiple conditional references unless the task spans multiple detected backends, providers, or tools.
For each fix, include:
When applicable, output:
moved, import strategy)
When a trusted registry module covers the requested resource and the user has not asked for raw HCL, default to that module with an exact version pin (see references/conditional/trusted-modules.md).
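One way to check the exact-version-pin rule on existing configuration, as an added example (not TerraShark's own code): the function names, regexes and sample HCL below are constructed for illustration, and the parser assumes multi-line module blocks as `terraform fmt` writes them.

```python
import re

# Constructed sample input; module versions are illustrative, not recommendations.
SAMPLE_HCL = '''
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.8.1"
}
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"
}
module "bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"
}
module "local_net" {
  source = "./modules/network"
}
'''

MODULE_RE = re.compile(r'^\s*module\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*(source|version)\s*=\s*"([^"]*)"')
# [host/]namespace/name/provider: a registry address, not a local path or URL
REGISTRY_RE = re.compile(r'^(?:[A-Za-z0-9][\w.-]*/)?[\w-]+/[\w-]+/[\w-]+$')
EXACT_RE = re.compile(r'^=?\s*\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$')  # "1.2.3" or "= 1.2.3"

def module_blocks(hcl):
    """Yield (name, attrs) per module block, reading only top-level attributes."""
    name, depth, attrs = None, 0, {}
    for line in hcl.splitlines():
        if name is None:
            m = MODULE_RE.match(line)
            if m:
                name, depth, attrs = m.group(1), 1, {}
            continue
        a = ATTR_RE.match(line) if depth == 1 else None
        if a:
            attrs[a.group(1)] = a.group(2)
        depth += line.count("{") - line.count("}")  # track nested maps and blocks
        if depth <= 0:
            yield name, attrs
            name = None

def unpinned_registry_modules(hcl):
    """Return (module, source, version) for registry modules lacking an exact pin."""
    findings = []
    for name, attrs in module_blocks(hcl):
        source = attrs.get("source", "").split("//")[0]  # drop //submodule suffix
        if REGISTRY_RE.match(source) and not EXACT_RE.match(attrs.get("version", "")):
            findings.append((name, source, attrs.get("version")))
    return findings
```

A missing `version` is reported as `None`; range constraints such as `~>` are reported with the constraint string so a reviewer can decide what to pin to.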
Always provide command sequence tailored to runtime and risk tier. Never recommend direct production apply without reviewed plan and approval.
Return:
The #1 Terraform skill for Claude Code and Codex, measured by GitHub stars.
LLMs hallucinate a lot when it comes to Terraform. This skill fixes it. It includes best practices for Terraform and OpenTofu - good, bad, and neutral examples so the AI avoids common mistakes. Using TerraShark, the AI keeps proven practices in mind, eliminates hallucinations, and defaults to modular, reusable, security-first design.
Most Terraform skills dump huge walls of text onto the agent and burn expensive tokens - with no upside. LLMs don't need the entire Terraform docs again. TerraShark was aggressively de-duplicated and optimized for maximum quality per token.
TerraShark is primarily based on HashiCorp official recommended practices. When guidance conflicts, it prioritizes HashiCorp's recommendations.
macOS / Linux:
```bash
git clone https://github.com/LukasNiessen/terrashark.git ~/.claude/skills/terrashark
```
Windows (PowerShell):
```powershell
git clone https://github.com/LukasNiessen/terrashark.git "$env:USERPROFILE\.claude\skills\terrashark"
```
Windows (Command Prompt):
```cmd
git clone https://github.com/LukasNiessen/terrashark.git "%USERPROFILE%\.claude\skills\terrashark"
```
That's it. Claude Code auto-discovers skills in ~/.claude/skills/ - no restart needed.
Claude Code has a built-in plugin system with marketplace support. Instead of cloning manually, you can add TerraShark's marketplace and install directly from the CLI:
```
/plugin marketplace add LukasNiessen/terrashark
/plugin install terrashark
```
Or use the interactive plugin manager - run /plugin, switch to the Discover tab, and install from there. The marketplace reads the .claude-plugin/marketplace.json in this repo to register TerraShark as an installable plugin.
Codex has no global skill system - setup is per-project. Clone TerraShark into your repo and reference it from your AGENTS.md:
```bash
# Clone into your project root
git clone https://github.com/LukasNiessen/terrashark.git .terrashark
```
Then add to your AGENTS.md (or create one in the repo root):
```markdown
## Terraform
When working with Terraform or OpenTofu, follow the workflow in `.terrashark/SKILL.md`.
Load references from `.terrashark/references/` as needed.
```
Done. Now ask Claude Code / Codex any Terraform question. TerraShark responses follow the 7-step failure-mode workflow and include an output contract with assumptions, tradeoffs, and rollback notes.
Invoke explicitly:
```
/terrashark Create a multi-region S3 module with replication
/terrashark Refactor our EKS stack into separate state files per environment, add moved blocks to avoid recreation, set up a GitHub Actions pipeline with plan on PR and gated apply on merge, and wire in Checkov for compliance scanning
```
Or just ask naturally - TerraShark activates automatically for any Terraform/OpenTofu task:
```
Review my main.tf for security issues
Migrate this module from count to for_each
```
https://github.com/user-attachments/assets/2bc4c9ff-9f54-4a49-8bf0-5cfc0f26dec6
Here's how TerraShark compares to other Terraform and OpenTofu agent skills:
| Feature | TerraShark | Anton Babenko terraform-skill | terraform-patterns |
| --- | --- | --- | --- |
| Core Architecture | ✅ Failure-mode workflow | ⚠️ Static reference manual | ⚠️ Pattern checklist |
| SKILL.md Activation Cost | ✅ ~600 tokens | ⚠️ ~4,400 tokens | ⚠️ Single broad reference |
| Reference Granularity | ✅ 19 focused files | ⚠️ 6 large files | ❌ No focused reference library |
| Token Burn Per Query | ✅ Low (load 1-2 small refs) | ⚠️ High for deep references | ⚠️ Loads broad guidance |
| Diagnoses Before Generating | ✅ Step 2 requires diagnosis | ❌ No | ❌ No |
| Hallucination Prevention | ✅ Core design goal | ⚠️ Indirect via best practices | ⚠️ Indirect via patterns |
| Output Contract | ✅ Assumptions, tradeoffs, rollback | ❌ No | ❌ No |
| Failure-Mode Coverage | ✅ Identity, secrets, blast radius, CI, compliance | ⚠️ General state/security advice | ⚠️ General anti-pattern summary |
| Migration Playbooks | ✅ 5 dedicated playbooks | ⚠️ Partial inline snippets | ⚠️ Import and moved-block notes |
| Good/Bad/Neutral Examples | ✅ 3 dedicated files | ⚠️ Inline DO/DON'T examples | ⚠️ Inline BAD/GOOD snippets |
| Do/Don't Checklist | ✅ Dedicated file | ⚠️ Inline only | ⚠️ Inline only |
| Compliance Framework Mapping | ✅ ISO 27001, SOC 2, FedRAMP, GDPR, PCI DSS, HIPAA | ⚠️ Scanner-oriented guidance | ❌ No |
| Trusted Module Awareness | ✅ AWS, Azure, GCP, OCI, IBM loaded conditionally | ⚠️ AWS module context | ❌ No |
| MCP Integration Guidance | ✅ Dedicated reference | ⚠️ Optional Terraform MCP mention | ❌ No |
| Claude + Codex Support | ✅ First-class Claude Code and Codex setup | ⚠️ Broad multi-agent setup | ⚠️ Claude plugin oriented |
| Security-First Defaults | ✅ Built into the workflow | ⚠️ Checklist-style | ⚠️ Style-guide based |
| CI/CD Templates | ✅ GitHub Actions, GitLab CI, Atlantis, Infracost | ✅ GitHub Actions, GitLab CI | ⚠️ Pipeline rules only |
| License | ✅ MIT | ⚠️ Apache 2.0 | ❌ Not highlighted in skill listing |
As the table shows, some features are supported only by TerraShark. Here is a brief highlight of the ones we believe are the most critical:
Failure-mode workflow: TerraShark does not just give the agent Terraform facts. It forces the agent to identify the likely failure mode first, then load the exact reference material needed for that risk.
Output contract: TerraShark responses include assumptions, remediation choices, tradeoffs, validation steps, and rollback notes. Other skills leave that structure to the model.
Token efficiency: TerraShark keeps the activation path tiny and moves depth into focused references. This gives the agent the right Terraform context without turning every request into a large reference dump.
Compliance mapping: TerraShark includes explicit mappings for ISO 27001, SOC 2, FedRAMP, GDPR, PCI DSS, and HIPAA. Other skills focus more on scanners than audit-ready control mapping.
Trusted module awareness: TerraShark knows when to prefer mature vendor and community modules for AWS, Azure, GCP, Oracle Cloud, and IBM Cloud, reducing the surface area for hallucinated raw resources.
LLM-specific hallucination prevention: TerraShark is designed around the ways AI agents fail at infrastructure code: unstable identity, leaked secrets, wide blast radius, CI drift, and weak compliance gates.
The key difference is architectural. terraform-skill is a static reference manual: it dumps ~4,400 tokens into context on every activation, then loads additional reference files that can be over 1,000 lines each. It gives Claude information but never tells it how to think about a problem. There's no diagnosis step, no risk assessment, and no structured output - Claude reads the reference and generates whatever it thinks fits.
TerraShark takes the opposite approach. The core SKILL.md is an 86-line operational workflow that costs ~600 tokens on activation - over 7x leaner. Instead of front-loading a wall of text, it forces Claude through a diagnostic sequence: capture context → identify failure modes → load only the relevant references → propose fixes with explicit risk controls → validate → deliver a structured outp