---
description: Terraform configuration style & structure (official HashiCorp Style Guide)
globs: ["**/*.tf", "**/*.tfvars"]
alwaysApply: true
---

- Run `terraform fmt` and `terraform validate` before committing.
- Indent two spaces per level; align `=` for consecutive single-line arguments.
- Use `#` for comments; never `//` or `/* */`.
- Standard files: `terraform.tf`, `providers.tf`, `backend.tf`, `main.tf`,
  `variables.tf`, `outputs.tf`, `locals.tf`. Keep variables/outputs alphabetical.
- `snake_case` descriptive nouns; don't repeat the resource type in the name
  (`resource "aws_instance" "web_api"`).
- Every variable and output gets a `type` and `description`; secrets get
  `sensitive = true`. Use variables/locals over hardcoded values.
- Argument order: `count`/`for_each`, params, blocks, `lifecycle`, `depends_on`.
- Set `required_version`; pin providers and modules; commit `.terraform.lock.hcl`.
- Never commit `*.tfstate`, `.terraform/`, plan files, or secret `*.tfvars`.
- Create modules only for genuine abstractions, not single-resource wrappers.