Install: claude install-skill anthril/official-claude-plugins
# IaC Terraform Audit
ultrathink
<!-- anthril-output-directive -->
> **Output path directive (canonical — overrides in-body references).**
> All file outputs from this skill MUST be written under `.anthril/audits/iac-terraform-audit/`.
> Run `mkdir -p .anthril/audits/iac-terraform-audit` before the first `Write` call.
> Primary artefact: `.anthril/audits/iac-terraform-audit/<artefact>`.
> Do NOT write to the project root or to bare filenames at cwd.
> Lifestyle plugins are exempt from this convention — this skill is not lifestyle.
## When to use
Run this skill when the user mentions:
- Terraform review, IaC audit, infrastructure security
- Checkov, tfsec, OpenTofu review, Pulumi audit
- Pre-migration infra cleanup
- State file concerns, provider pinning, module design
Covers eight categories:
- state and backend configuration (remote state, encryption, locking, workspace separation)
- provider pinning (`required_providers` with version constraints, `required_version`)
- security (Checkov/tfsec taxonomy — public S3 ACLs, unencrypted RDS, open security groups, wildcard IAM, plaintext secrets in tfvars)
- module hygiene (variable validation, descriptions, types, outputs, sensitive flag)
- environment separation
- drift risk
- cost hotspots
- CI testing coverage
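As an added illustration that is not part of this skill or the anthril plugin, the HCL below shows the shape that passes the state/backend, provider-pinning, module-hygiene and open-security-group checks named above; the bucket, lock-table, region, and CIDR values are placeholders, and each comment names the finding the corresponding line would otherwise trigger.

```hcl
terraform {
  required_version = "~> 1.6" # constrained; an unpinned ">= 0" is a provider-pinning finding
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.40" # upgrades become deliberate instead of silent
    }
  }
  backend "s3" {
    bucket         = "PLACEHOLDER-tfstate-bucket" # remote state, not a local terraform.tfstate
    key            = "prod/network.tfstate"       # one key per environment keeps state separated
    region         = "us-east-1"
    encrypt        = true                         # unencrypted state is a state/backend finding
    dynamodb_table = "PLACEHOLDER-tfstate-lock"   # locking prevents concurrent applies
  }
}

# Module hygiene: typed, described, validated and marked sensitive so the value
# never lands in plan output; supply it via TF_VAR_db_password, not a tfvars file.
variable "db_password" {
  type        = string
  description = "Master password for the RDS instance."
  sensitive   = true
  validation {
    condition     = length(var.db_password) >= 16
    error_message = "db_password must be at least 16 characters."
  }
}

variable "vpc_id" {
  type        = string
  description = "VPC that hosts the administrative instances."
}

# Security (Checkov/tfsec taxonomy): cidr_blocks = ["0.0.0.0/0"] on port 22 is the
# "open security group" finding; restrict ingress to a known range instead.
resource "aws_security_group" "admin_ssh" {
  name        = "admin-ssh"
  description = "SSH from the corporate range only"
  vpc_id      = var.vpc_id
  ingress {
    description = "SSH from corporate egress range"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # RFC 5737 documentation range, a placeholder for the real one
  }
}
```

Note that `sensitive = true` only redacts the value in plan and apply output; it is still written to the state file in plaintext, which is why the backend's `encrypt = true` and restricted access to the state bucket matter.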
## Before You Start
1. **Determine operating mode.** `--live` runs `terraform plan` against each module (refresh-only, no apply). `--apply` writes HCL patches. `--runtime` is not applicable (Terraform has no safe runti