terraform-workflows
Install: claude install-skill Goodsmileduck/claude-registry
# Terraform / OpenTofu / Terragrunt
This skill is the entry point for every Terraform-touching task. Cross-cutting rules below apply to all sub-procedures; the router at the bottom points to the right `references/` file for the specific job.
## Cross-cutting rules (apply to every Terraform operation)
These supersede any habit, default, or shortcut. If a sub-procedure in `references/` ever appears to contradict one of these, the rule here wins.
### 1. Verify provider identity before any plan or mutation
Run this before generating any plan or executing any apply/destroy/import. A plan or apply against the wrong account is worse than no plan — it produces misleading diffs and risks destructive cross-environment writes.
```bash
# Identify providers in scope
terraform providers | grep -E 'aws|google|digitalocean|azurerm|cloudflare'
# Terragrunt: prepend `terragrunt`
# Verify identity for each provider detected
aws sts get-caller-identity # AWS — Account, Arn
gcloud config list account project # GCP — account + active project
doctl account get # DigitalOcean — email + team
az account show # Azure — subscription + tenant
# Cloudflare uses a scoped token, not caller identity:
curl -sf -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  https://api.cloudflare.com/client/v4/user/tokens/verify | jq '.result.status'
```
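One way to make this check a fail-closed gate rather than a visual inspection, shown as an added example that is not part of the skill itself. The `EXPECTED_*` variables and the function names are assumptions of this example, and it covers only the AWS, GCP and Azure providers.

```bash
#!/usr/bin/env bash
# Added example: fail-closed identity gate. The EXPECTED_* variables and all
# function names are assumptions of this example, not part of the skill.

# Reduce `terraform providers` output (stdin) to short provider names.
providers_in_scope() {
  grep -oE 'hashicorp/(aws|google|azurerm)' | sort -u | cut -d/ -f2
}

# Print the identity the local credentials currently resolve to.
actual_identity() {
  case "$1" in
    aws)     aws sts get-caller-identity --query Account --output text ;;
    google)  gcloud config get-value project 2>/dev/null ;;
    azurerm) az account show --query id --output tsv ;;
    *)       return 1 ;;
  esac
}

# Expected identity per provider, set by the caller for the target environment.
expected_identity() {
  case "$1" in
    aws)     printf '%s' "${EXPECTED_AWS_ACCOUNT:-}" ;;
    google)  printf '%s' "${EXPECTED_GCP_PROJECT:-}" ;;
    azurerm) printf '%s' "${EXPECTED_AZURE_SUBSCRIPTION:-}" ;;
  esac
}

# Returns non-zero on a mismatch, a failed lookup, a missing expectation,
# or when no covered provider was detected at all.
preflight() {
  local p want got rc=0 seen=0
  for p in $(providers_in_scope); do
    seen=1
    want=$(expected_identity "$p")
    if [ -z "$want" ]; then
      echo "BLOCK $p: no expected identity configured" >&2; rc=1
    elif ! got=$(actual_identity "$p") || [ -z "$got" ]; then
      echo "BLOCK $p: identity check failed" >&2; rc=1
    elif [ "$got" != "$want" ]; then
      echo "BLOCK $p: got $got, expected $want" >&2; rc=1
    fi
  done
  [ "$seen" -eq 1 ] || { echo "BLOCK: no covered provider detected" >&2; rc=1; }
  return "$rc"
}

# Usage: terraform providers | preflight && terraform plan
```

An empty or unparseable provider list also blocks, so a failed `terraform providers` run cannot pass the gate silently.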
If any provider in scope fails its identity check, or the result doesn't match the expected env