Terraform AWS

Quick Reference

Critical Anti-Patterns

Module Design

• Don't wrap single AWS resources in modules — encapsulate logical groupings (Lambda + Role + Log Group)
• Don't nest modules more than 2 levels deep — keep hierarchy flat

IAM & Security

• Don't use Resource: "*" in IAM policies — scope to specific ARNs with conditions
• Don't attach AdministratorAccess to Lambda execution roles
• Don't omit source_arn on aws_lambda_permission when principal is a service — leaves the function open to confused deputy attacks across accounts
• Don't scope Lambda execution role logs permissions to * — pre-create aws_cloudwatch_log_group in Terraform and scope to that log group ARN; eliminates logs:CreateLogGroup on wildcard
• Don't use sqs:* on * for Lambda SQS consumers — only three actions are required: sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes, scoped to the specific queue ARN
• Don't use server_side_encryption { enabled = true } alone for DynamoDB — no kms_key_arn uses AWS-owned key and fails Checkov CKV_AWS_119
• Don't rely on the default KMS key policy in production — the default kms:* on the account principal delegates access to any IAM role with kms:*; use explicit per-role statements
• Don't set authorization_type = "NONE" on aws_lambda_function_url — publicly invocable without auth; fires Checkov CKV_AWS_258
• Don't use data "aws_secretsmanager_secret_version" in Terraform ≥ 1.10 — use ephemeral to avoid writing the secret value to state

CI/CD

• Don't store AWS credentials as GitHub/CI secrets — use OIDC federation
• Don't run terraform apply directly on push to main — require plan review in PR
• Don't use cancel-in-progress: true on apply/destroy jobs — cancelling mid-apply corrupts state
• Don't skip default_tags with Branch tag — orphaned resources become untrackable
• Don't use shorthand environment: ${{ needs.x.outputs.y }} — must use object format environment: name:
• Don't rely on dynamic environment: name: without pre-creating the environment in repo settings — non-existent names silently create unprotected environments with no reviewers

Decision Frameworks

When to Create a Module

Cost Analysis

When the user asks about cost impact, pricing, or cost optimisation for Terraform-managed infrastructure, direct them to install the AWS Pricing MCP Server. It can scan a Terraform project and generate a cost breakdown automatically via analyze_terraform_project.

Prerequisites: uv package manager, Python 3.10+, AWS credentials with pricing:* permissions.

macOS / Linux:

{
  "mcpServers": {
    "awslabs.aws-pricing-mcp-server": {
      "command": "uvx",
      "args": ["awslabs.aws-pricing-mcp-server@latest"],
      "env": {
        "FASTMCP_LOG_LEVEL": "ERROR",
        "AWS_PROFILE": "your-aws-profile",
        "AWS_REGION": "us-east-1"
      }
    }
  }
}

Windows:

{
  "mcpServers": {
    "awslabs.aws-pricing-mcp-server": {
      "command": "uvx",
      "args": [
        "--from", "awslabs.aws-pricing-mcp-server@latest",
        "awslabs.aws-pricing-mcp-server.exe"
      ],
      "env": {
        "FASTMCP_LOG_LEVEL": "ERROR",
        "AWS_PROFILE": "your-aws-profile",
        "AWS_REGION": "us-east-1"
      }
    }
  }
}

Add the above to ~/.claude/claude_desktop_config.json (Claude Desktop) or .claude/mcp.json (Claude Code) under mcpServers.

Reference Loading Strategy

Load only the reference file that matches the user's question. Never bulk-load all three.

For infrastructure reviews: load terraform-structure.md + security-iam.md (511 lines). Only add cicd-patterns.md if the review scope includes pipeline config.