nexus/wiki/entities/Terraform.md
2026-04-22 04:03:04 +08:00
---
title: Terraform
type: entity
tags: [devops, iac, infrastructure, automation]
created: 2026-04-25
---

# Terraform

## Definition

Terraform is HashiCorp's open-source Infrastructure as Code (IaC) tool; it manages cloud resources through declarative configuration files. An agentic AI agent reviews Terraform scripts and suggests improvements before execution, so that the infrastructure configuration is reliable and secure.

## Aliases

- Terraform
- Terraform IaC
- Infrastructure as Code

## Relationship with Infrastructure-as-Code

Terraform is one of the main tools that implement the Infrastructure-as-Code practice:

```text
Infrastructure as Code Tools:
├── Terraform ←
├── CloudFormation (AWS)
├── Pulumi
└── Ansible
```

## Agentic AI IaC Management

Agentic AI takes the reviewer role in the Terraform workflow:

```text
┌──────────────────────────────────────────────┐
│      Agentic AI IaC Management Workflow      │
├──────────────────────────────────────────────┤
│                                              │
│  1. Developer writes Terraform               │
│     ↓                                        │
│  2. Agentic AI reviews (auto)                │
│     ├── Security scan (IAM policies)         │
│     ├── Cost estimation                      │
│     ├── Best practices check                 │
│     └── Compliance validation                │
│     ↓                                        │
│  3. AI Suggestions                           │
│     ├── "S3 bucket should enable encryption" │
│     ├── "Remove hardcoded credentials"       │
│     └── "Consider using modules for reuse"   │
│     ↓                                        │
│  4. Apply (after approval)                   │
│                                              │
└──────────────────────────────────────────────┘
```

## AI Review Capabilities

| Check Type | Description |
|---|---|
| Security | Over-privileged IAM, public S3 access, hardcoded secrets |
| Cost | Over-provisioned resources, identification of unused resources |
| Compliance | Tagging standards, resource naming, region restrictions |
| Best Practices | Modularity, state management, rollback plan |

## Example

Agentic AI reviews a Terraform plan:

```hcl
resource "aws_s3_bucket" "data" {
  bucket = "my-sensitive-data"
}
```

AI Detection:

- ⚠️ Security Risk: Bucket is public by default
- ⚠️ Missing: Encryption not enabled
- ⚠️ Missing: Versioning not enabled

AI Suggestions:

```hcl
resource "aws_s3_bucket" "data" {
  bucket = "my-sensitive-data"

  # Inline arguments as accepted by AWS provider v3; in v4+ these settings
  # move to separate aws_s3_bucket_* resources attached to the bucket.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  versioning {
    enabled = true
  }

  acl = "private" # Block public access
}
```
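As an added example (not part of this wiki page or of any product it describes), the Security-scan step expressed as a check over Terraform's JSON plan output: it flags the three gaps listed for the S3 bucket above, wildcard IAM statements, and credentials hardcoded in a provider block. The plan fragment is a constructed sample, and `review_plan` and `S3_CONTROLS` are names chosen here.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields the checks read; not a plan from any real project.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "my-sensitive-data"}}},
        {"address": "aws_iam_policy.admin", "type": "aws_iam_policy",
         "change": {"actions": ["create"], "after": {"policy": json.dumps(
             {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
    ],
    "configuration": {"provider_config": {"aws": {"expressions": {
        "access_key": {"constant_value": "hardcoded-key-placeholder"}}}}},
}

# Inline aws_s3_bucket arguments (AWS provider v3 style) and the separate
# resources that replace them in v4+; either form satisfies the check.
S3_CONTROLS = {
    "server_side_encryption_configuration": "aws_s3_bucket_server_side_encryption_configuration",
    "versioning": "aws_s3_bucket_versioning",
    "acl": "aws_s3_bucket_public_access_block",
}


def review_plan(plan):
    """Return (address, finding) pairs for resources the plan will keep."""
    findings = []
    changes = [c for c in plan.get("resource_changes", [])
               if "delete" not in c["change"]["actions"]]
    # Companions are matched by type only: their bucket reference is unknown at plan time.
    planned_types = {c["type"] for c in changes}
    for c in changes:
        after = c["change"].get("after") or {}
        if c["type"] == "aws_s3_bucket":
            for inline, companion in S3_CONTROLS.items():
                if not after.get(inline) and companion not in planned_types:
                    findings.append((c["address"], f"missing {inline}"))
        elif c["type"].startswith("aws_iam_") and after.get("policy"):
            for st in json.loads(after["policy"]).get("Statement", []):
                acts = st.get("Action", [])
                acts = [acts] if isinstance(acts, str) else acts
                if st.get("Effect") == "Allow" and "*" in acts and st.get("Resource") == "*":
                    findings.append((c["address"], "wildcard Allow on Action and Resource"))
    for name, prov in plan.get("configuration", {}).get("provider_config", {}).items():
        for key in ("access_key", "secret_key", "token"):
            if "constant_value" in prov.get("expressions", {}).get(key, {}):
                findings.append((f"provider.{name}", f"hardcoded {key}"))
    return findings
```

Run it against the real output of `terraform show -json tfplan` to get the same findings for a plan of your own; the gate in step 4 of the workflow is then a matter of failing the pipeline when the list is non-empty.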