Originally published at claudeguide.io/claude-code-terraform-infrastructure
Claude Code for Terraform: IaC Generation Guide
Claude Code writes production-ready Terraform HCL from plain English. Describe your target infrastructure — a VPC, an EKS cluster, an S3-backed remote state — and Claude generates the module, variables, outputs, and provider config. A full AWS multi-tier environment that takes a senior engineer 4–6 hours to scaffold manually can be done in under 30 minutes. Claude also reviews terraform plan output, detects drift, generates IAM least-privilege policies, and integrates with Terragrunt DRY patterns.
This guide covers every stage of the Terraform workflow: module scaffolding, cloud resource generation, state management, plan review, drift detection, and security hardening.
Setup: Add Terraform Context to CLAUDE.md
Add your infrastructure conventions once so every subsequent prompt inherits them:
```markdown
## Terraform Configuration
- Provider: AWS (primary), region: us-east-1
- State backend: S3 bucket `my-org-tfstate`, DynamoDB table `terraform-locks`
- Naming: {project}-{env}-{resource} (e.g., acme-prod-vpc)
- Tagging: Environment, Owner, CostCenter, ManagedBy=terraform (all required)
- Terraform
```
[→ Get Power Prompts 300 — $29](https://shoutfirst.gumroad.com/l/agfda?utm_source=claudeguide&utm_medium=article&utm_campaign=claude-code-terraform-infrastructure)
---
## Terragrunt Patterns
```bash
claude "Refactor this flat Terraform repo into Terragrunt DRY structure.
- Root terragrunt.hcl with remote_state and generate blocks
- Folders: dev/, staging/, prod/ with account.hcl and region.hcl
- Each module has terragrunt.hcl with dependency blocks
- S3 backend config in exactly one place"
```
Claude generates the full directory tree with correct `dependency` and `inputs` blocks, plus `run_cmd()` calls that pull credentials from `aws-vault` at run time instead of hardcoding them in the config.
---
## Security: IAM Least Privilege and No Hardcoded Secrets
### IAM Policy with Conditions
```hcl
resource "aws_iam_policy" "eks_node" {
  name = "${var.project_name}-${var.environment}-eks-node"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # GetAuthorizationToken is not resource-scoped, so it gets Resource "*" on its own,
        # without the account condition (which would deny it because no resource is present)
        Sid      = "ECRAuth"
        Effect   = "Allow"
        Action   = ["ecr:GetAuthorizationToken"]
        Resource = "*"
      },
      {
        # Image pulls only from repositories owned by this account
        Sid       = "ECRReadOnly"
        Effect    = "Allow"
        Action    = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]
        Resource  = "*"
        Condition = { StringEquals = { "aws:ResourceAccount" = var.aws_account_id } }
      },
      {
        # Parameters under /acme/prod/ only; the trailing "*" is what makes this a prefix match
        Sid      = "SSMParameterStore"
        Effect   = "Allow"
        Action   = ["ssm:GetParameter", "ssm:GetParameters"]
        Resource = "arn:aws:ssm:${var.region}:${var.aws_account_id}:parameter/acme/prod/*"
      }
    ]
  })
}
```
The ECR and SSM statements above come from a prompt like this one; the CloudWatch Logs and VPC-endpoint Deny statements it also asks for are omitted from the excerpt:
```bash
claude "Write a least-privilege IAM policy for EKS nodes: ECR read access
scoped to this account, SSM GetParameter on /acme/prod/* only,
CloudWatch Logs scoped to this region. Add a Deny statement if the
request is not from our VPC endpoint."
```
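Review a generated policy before you trust it. The Python below is an added example (not code from this page, from Claude Code, or from AWS) that lints a policy document, passed either as a dict or as the JSON string Terraform's `jsonencode()` produces, for the classic least-privilege mistakes: wildcard actions, `Resource = "*"` without a scoping `Condition` on a resource-scoped action, `NotAction`/`NotResource`, and a path ARN that ends in `/` instead of `/*` (which matches nothing useful). The two sample policies, the account ID, and the `WILDCARD_RESOURCE_OK` allowlist are constructed for illustration.

```python
"""Lint an IAM policy document for least-privilege red flags.

Added example, not from the original page; the sample policies are constructed.
Accepts a dict or the JSON string that Terraform's jsonencode() hands to the provider.
"""
import json

# Actions that are not resource-scoped and therefore legitimately take Resource "*".
# Assumption: a short illustrative allowlist; extend it for the services you use.
WILDCARD_RESOURCE_OK = {"ecr:GetAuthorizationToken", "sts:GetCallerIdentity",
                        "logs:DescribeLogGroups"}


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return human-readable findings for Allow statements; an empty list means no red flags."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue                                   # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        condition = stmt.get("Condition")
        # 1. "*" or "service:*" grants every current and future action of that service
        broad = [a for a in actions if a == "*" or a.endswith(":*")]
        if broad:
            findings.append(f"{sid}: wildcard action(s) {broad}")
        # 2. Resource "*" is fine only for non-resource actions or when a Condition scopes it
        if "*" in resources and not condition:
            unscoped = [a for a in actions if a not in WILDCARD_RESOURCE_OK]
            if unscoped:
                findings.append(f'{sid}: Resource "*" without Condition for {unscoped}')
        # 3. NotAction / NotResource grant everything except the listed items
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"{sid}: {key} inverts the allow list")
        # 4. A path ARN ending in "/" matches one oddly named object, not the tree under it
        for res in resources:
            if res.endswith("/"):
                findings.append(f"{sid}: resource {res!r} ends with '/'; did you mean '{res}*'?")
    return findings


# Constructed samples: the first mirrors the policy above with the account ID filled in,
# the second is the kind of over-broad first draft a linter should catch.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ECRAuth", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
        {"Sid": "ECRReadOnly", "Effect": "Allow",
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceAccount": "123456789012"}}},
        {"Sid": "SSMParameterStore", "Effect": "Allow",
         "Action": ["ssm:GetParameter", "ssm:GetParameters"],
         "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/acme/prod/*"},
    ],
}
GOOD_POLICY_JSON = json.dumps(GOOD_POLICY)      # the form jsonencode() produces

SLOPPY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Everything", "Effect": "Allow", "Action": "ecr:*", "Resource": "*"},
        {"Sid": "SSMParameterStore", "Effect": "Allow", "Action": "ssm:GetParameter",
         "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/acme/prod/"},
    ],
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_POLICY), ("sloppy", SLOPPY_POLICY)):
        print(label, lint_policy(doc) or "no findings")
```

Run it on the rendered document rather than the HCL: `terraform show -json` (or `terraform console` with `jsondecode`) gives you the policy string after variable interpolation, which is what IAM actually evaluates.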
For secrets and vulnerability scanning across your codebase, see [Claude Code Security Scanning](/claude-code-security-scanning).
---
## Greenfield Infrastructure in 30 Minutes
The full Claude Code prompt sequence for a production-ready AWS multi-tier setup:
**Step 1 — Bootstrap (2 min)**
```bash
claude "Create a bootstrap module: S3 state bucket + DynamoDB lock table +
KMS key. Runs from local state first, then migrates. Include migrate.sh."
```
**Step 2 — Networking (8 min)**
```bash
claude "VPC 10.0.0.0/16, 3 AZs, public/private/data subnets,
Route53 private hosted zone. Apply CLAUDE.md naming and tagging."
```
**Step 3 — Compute (10 min)**
```bash
claude "EKS 1.30 on private subnets. IRSA OIDC provider,
Karpenter node provisioner, aws-load-balancer-controller IAM role."
```
**Step 4 — Data layer (7 min)**
```bash
claude "RDS Aurora PostgreSQL 16 on data subnets: writer + reader,
auto-scaling read replicas up to 5, credentials in Secrets Manager
with automatic rotation, Performance Insights enabled."
```
**Step 5 — Security review (3 min)**
```bash
claude "Audit all .tf files: no public S3 buckets, security groups
follow least privilege, encryption at rest on all storage, no hardcoded
values, all resources tagged per CLAUDE.md. Output a PASS/FAIL checklist."
```
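Step 5 asks Claude for a PASS/FAIL checklist; the same checks can be run deterministically against the plan, which also covers the plan review mentioned at the top of the page. The Python below is an added example (not code from this page or from Claude Code) that reads `terraform show -json tfplan` output and checks S3 public-access blocks and ACLs, encryption at rest, world-open ingress rules, literal database passwords (Step 4 wants them in Secrets Manager), the CLAUDE.md tag set, and any destroy or replace action that should be confirmed before `apply`. `SAMPLE_PLAN` is constructed and trimmed to the fields the checks read; the resource-type tables are a starting point for your own resources, not an exhaustive list.

```python
"""Step 5 as code: audit `terraform show -json tfplan` output against the checklist.

Added example, not from the original page; SAMPLE_PLAN below is constructed.
"""
import json
import sys

REQUIRED_TAGS = {"Environment", "Owner", "CostCenter", "ManagedBy"}   # from CLAUDE.md above
PUBLIC_ACCESS_FLAGS = ("block_public_acls", "block_public_policy",
                       "ignore_public_acls", "restrict_public_buckets")
# resource type -> attribute that must be true for encryption at rest (illustrative; extend)
ENCRYPTION_ATTR = {
    "aws_rds_cluster": "storage_encrypted", "aws_db_instance": "storage_encrypted",
    "aws_ebs_volume": "encrypted", "aws_efs_file_system": "encrypted",
}
CHECKS = ("no_public_s3", "encryption_at_rest", "required_tags",
          "no_open_ingress", "no_literal_db_password", "no_destroy_or_replace")


def _open_to_world(rtype, after):
    """True for an ingress rule admitting 0.0.0.0/0 or ::/0, in either rule resource shape."""
    if rtype == "aws_security_group_rule":
        cidrs = (after.get("cidr_blocks") or []) + (after.get("ipv6_cidr_blocks") or [])
        return after.get("type") == "ingress" and any(c in ("0.0.0.0/0", "::/0") for c in cidrs)
    if rtype == "aws_vpc_security_group_ingress_rule":
        return after.get("cidr_ipv4") == "0.0.0.0/0" or after.get("cidr_ipv6") == "::/0"
    return False


def audit_plan(plan):
    """Map each check name to the resource addresses failing it; an empty list is a PASS."""
    results = {name: [] for name in CHECKS}
    for rc in plan.get("resource_changes", []):
        addr, rtype = rc["address"], rc["type"]
        actions = rc["change"]["actions"]
        after = rc["change"].get("after") or {}
        if "delete" in actions:                 # pure destroy or replacement: confirm before apply
            results["no_destroy_or_replace"].append(addr)
        if actions in (["delete"], ["no-op"]):
            continue                            # nothing created or changed; skip attribute checks
        if rtype == "aws_s3_bucket_public_access_block" and \
                not all(after.get(flag) is True for flag in PUBLIC_ACCESS_FLAGS):
            results["no_public_s3"].append(addr)
        if rtype == "aws_s3_bucket_acl" and str(after.get("acl") or "").startswith("public"):
            results["no_public_s3"].append(addr)
        if rtype in ENCRYPTION_ATTR and after.get(ENCRYPTION_ATTR[rtype]) is not True:
            results["encryption_at_rest"].append(addr)
        if _open_to_world(rtype, after):
            results["no_open_ingress"].append(addr)
        if rtype in ("aws_rds_cluster", "aws_db_instance") and after.get("master_password"):
            results["no_literal_db_password"].append(addr)   # should come from Secrets Manager
        if "tags" in after and REQUIRED_TAGS - set(after.get("tags") or {}):
            results["required_tags"].append(addr)            # taggable resource missing a tag
    return results


def checklist(results):
    """Render one PASS/FAIL line per check; FAIL lines name the offending addresses."""
    return "\n".join(f"FAIL {name}: {', '.join(bad)}" if bad else f"PASS {name}"
                     for name, bad in results.items())


def _tags(**extra):
    return {"Environment": "prod", "Owner": "platform", "ManagedBy": "terraform", **extra}


# Constructed sample in the shape `terraform show -json tfplan` emits, trimmed to the fields used.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
     "change": {"actions": ["create"], "after": dict.fromkeys(PUBLIC_ACCESS_FLAGS, True)}},
    {"address": "aws_s3_bucket_public_access_block.data", "type": "aws_s3_bucket_public_access_block",
     "change": {"actions": ["create"],
                "after": {**dict.fromkeys(PUBLIC_ACCESS_FLAGS, True), "block_public_policy": False}}},
    {"address": "aws_rds_cluster.main", "type": "aws_rds_cluster",
     "change": {"actions": ["create"], "after": {"storage_encrypted": True, "master_password": None,
                "manage_master_user_password": True, "tags": _tags(CostCenter="1234")}}},
    {"address": "aws_security_group_rule.ssh_anywhere", "type": "aws_security_group_rule",
     "change": {"actions": ["create"], "after": {"type": "ingress", "from_port": 22, "to_port": 22,
                "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}}},
    {"address": "aws_vpc.main", "type": "aws_vpc",                      # CostCenter tag missing
     "change": {"actions": ["update"], "after": {"cidr_block": "10.0.0.0/16", "tags": _tags()}}},
    {"address": "aws_instance.bastion", "type": "aws_instance",         # replacement = delete+create
     "change": {"actions": ["delete", "create"],
                "after": {"instance_type": "t3.small", "tags": _tags(CostCenter="1234")}}},
]}

if __name__ == "__main__":
    # Real use: terraform plan -out=tfplan && terraform show -json tfplan > plan.json
    #           python audit_plan.py plan.json     (exit status 1 on any FAIL, for CI gating)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    report = audit_plan(plan)
    print(checklist(report))
    sys.exit(1 if any(report.values()) else 0)
```

Two caveats when you wire this into a pipeline. The JSON plan contains every attribute value, including ones Terraform marks sensitive and redacts in the human-readable output, so treat `plan.json` as a secret and delete it after the check. And the checks here are per-resource; a bucket that simply has no `aws_s3_bucket_public_access_block` at all needs a cross-resource check (collect bucket addresses, then confirm each has a matching block), which is the natural next thing to add.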
---
## Frequently Asked Questions
### How does Claude Code work with Terraform vs Pulumi vs CDK?
Claude Code generates HCL for Terraform, TypeScript for CDK, and Python/TypeScript for Pulumi. Specify your tool in CLAUDE.md and Claude applies it consistently. In practice Terraform HCL output tends to be the most consistent of the three, likely because there is far more of it publicly available to learn from, but CDK and Pulumi are both well supported. The IaC tool choice is independent of whether you use Claude Code.
### Can Claude Code run terraform apply for me?
Yes — if you grant shell execution permissions, Claude can run `terraform init`, `terraform plan`, and `terraform apply` in sequence. The recommended workflow: Claude generates and reviews the plan first, then asks for explicit confirmation before apply. Save the plan with `terraform plan -out=tfplan` and apply that file, so what runs is exactly what was reviewed rather than a fresh plan computed at apply time. Scope the IAM role Claude uses to only the resources it needs; never give it unrestricted Admin access.
### How does Claude handle existing Terraform state?
Provide context before changes: `claude "Read all .tf files and describe the current infrastructure before modifying anything."` Claude reads your existing resources and avoids generating conflicting configurations. For large codebases, point it to specific modules first.
### Does Claude Code work with the Terraform public registry?
Yes. Specify the source in your prompt: `"Use terraform-aws-modules/eks/aws version ~