If you've ever wanted your AI coding agent to do more than just write code — to actually plan, validate, and cost-estimate real cloud infrastructure — the new Terraform Ops Kit for Docker Sandbox (sbx) is here to make that happen.
This community-contributed kit, submitted to the docker/sbx-kits-contrib repository, brings a production-ready Infrastructure-as-Code (IaC) toolkit straight into the sandbox environment where agents like Claude, Gemini, GitHub Copilot, and Shell already run.
What Is a Sandbox Kit?
Docker Sandbox (sbx) is a runtime environment where AI agents operate. Kits are modular add-ons that extend the capabilities of those agents — think of them as pre-configured toolboxes that get installed automatically when a sandbox is created.
The Terraform Ops Kit is a mixin kit, meaning it can be layered on top of any existing agent setup without replacing or conflicting with other kits.
What's Inside the Kit?
When the Terraform Ops Kit is activated, six tools are pre-installed and ready to use inside the sandbox:
| Tool | Purpose |
|---|---|
| Terraform | Core IaC engine — plan, apply, and destroy infrastructure |
| Terragrunt | Terraform wrapper for DRY configurations and multi-account workflows |
| tflint | Linter for catching Terraform misconfigurations before they're applied |
| Checkov | Static analysis security scanner for IaC files |
| Infracost | Cost estimation — know the price tag before you deploy |
| AWS CLI | Interact with AWS services directly from the sandbox |
Together, these tools enable AI agents to autonomously carry out the full infrastructure development lifecycle: write Terraform code, lint it, scan it for security issues, estimate its cost, and plan the deployment — all without leaving the sandbox.
Why This Matters
Infrastructure work has traditionally required a human-in-the-loop at every step. You'd write the config, then manually run terraform plan, then check the security scan, then get a cost estimate — context switching across multiple tools.
With the Terraform Ops Kit, an AI agent can now:
- Autonomously validate Terraform code before it ever touches a real environment
- Catch security misconfigurations with Checkov as part of the planning phase
- Provide cost visibility with Infracost, so there are no billing surprises
- Work with complex multi-environment setups via Terragrunt
This is a meaningful step toward AI-assisted infrastructure operations, where the agent isn't just a code suggester but an active participant in the IaC workflow.
Smart Engineering Choices Under the Hood
The kit author made several deliberate technical decisions worth highlighting, especially for developers reviewing or adapting the kit:
Pinned versions instead of "latest" — Both Terragrunt (v0.59.3) and Infracost (v0.10.31) are pinned to specific releases. This is because GitHub's API is rate-limited inside sandboxes (no auth token available), making automatic "latest version" detection unreliable. Pinning guarantees reproducible installs.
APT for Checkov instead of pip — On Ubuntu 24.04, running pip3 install checkov throws a PEP 668 error due to the externally-managed-environment policy. The kit installs Checkov via apt (python3-checkov), which sidesteps the conflict cleanly.
/etc/os-release over lsb_release — The shell-docker image doesn't ship lsb_release, so the kit reads the OS release file directly for Ubuntu version detection.
curl over wget — The shell-docker image includes curl but not wget. A small detail, but the kind that causes frustrating install failures if overlooked.
These choices reflect the kind of environment-aware engineering that makes the difference between a kit that works reliably in production and one that breaks on edge cases.
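One way an install step could combine the pinned-version, /etc/os-release and curl choices above while also checking a pinned SHA-256 digest, since a version tag alone does not prove the downloaded bytes are unchanged. This is an added example, not the kit's own spec.yaml; the function names are hypothetical, and the URL and digest in the usage line are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the kit's spec.yaml. Function names are hypothetical;
# the URL and digest in the usage line at the bottom are placeholders.

# Read one KEY=value field from os-release (the image has no lsb_release).
# The file is parsed, not sourced, so nothing inside it is executed.
os_release_field() {  # usage: os_release_field KEY [FILE]
  local key="$1" file="${2:-/etc/os-release}" line val
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "$key="*)
        val="${line#*=}"
        val="${val%\"}"; val="${val#\"}"   # strip optional double quotes
        printf '%s\n' "$val"
        return 0 ;;
    esac
  done < "$file"
  return 1
}

# Succeed only if FILE hashes to the pinned SHA-256 digest (64 hex chars).
verify_sha256() {  # usage: verify_sha256 FILE EXPECTED_HEX
  local file="$1" expected actual
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ "${#expected}" -eq 64 ] || return 1
  actual="$(sha256sum "$file" 2>/dev/null | cut -d' ' -f1)"
  [ "$actual" = "$expected" ]
}

# Fetch a pinned release with curl (the image has no wget), verify it, and
# install it only on a digest match.
install_pinned() {  # usage: install_pinned URL EXPECTED_HEX DEST
  local url="$1" expected="$2" dest="$3" tmp rc=1
  tmp="$(mktemp)" || return 1
  if curl -fsSL --proto '=https' -o "$tmp" "$url" &&
     verify_sha256 "$tmp" "$expected"; then
    install -m 0755 "$tmp" "$dest" && rc=0
  else
    echo "not installing $url: download failed or digest mismatch" >&2
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage (placeholders): install_pinned "<release-asset-url>" \
#   "<sha256-from-the-release-checksums>" /usr/local/bin/terragrunt
```

Record the digest at the time the version is pinned, so the install never depends on the rate-limited GitHub API at sandbox creation.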
File Structure
The kit follows the standard sbx kit layout:
terraform-ops-kit/
├── spec.yaml # Kit definition and install steps
└── README.md # Usage documentation
Simple, focused, and easy to fork or adapt for your own toolchain.
Tested and Validated
The kit has been validated using the sbx CLI:
- sbx kit validate — returns VALID
- Sandbox created with sbx create --kit ./terraform-ops-kit/ shell /tmp/tf-test — all 6 tools installed successfully
- All tools confirmed working via version checks: terraform, terragrunt, tflint, infracost, and aws-cli
Get Started
The Terraform Ops Kit is currently open for review as Pull Request #98 in the docker/sbx-kits-contrib repository. Once merged, you'll be able to use it like any other community kit.
If you're building AI-assisted DevOps workflows, working on cloud infrastructure automation, or just want your agent to have a stronger grasp of IaC tooling, this kit is worth a close look.
Contributed by @falconcr · docker/sbx-kits-contrib#98