Kiro has Terraform skills
Powers and now Skills. Kiro’s 1.24.0 version just added support for Skills, the new open spec for giving agents new capabilities and expertise. In a way. Let me explain.
Naturally, I started using the kiro skills when the HashiCorp Sr PM for Agentic Workflows and a dear friend Gautam pinged asking if I tried the HashiCorp agent skills. Here is how I got along with it on kiro-cli which is my daily driver.
HashiCorp’s agent-skills repository takes a more targeted approach - providing specialized skills for Terraform development that can be integrated into various AI coding assistants.
What are HashiCorp Agent Skills?
HashiCorp Agent Skills is a collection of specialized knowledge modules designed to enhance AI agents’ capabilities with HashiCorp products. Currently focused on Terraform, these skills can be integrated into most AI development tools.
The repository provides three main Terraform-focused plugins:
- terraform-code-generation: Core HCL code generation following HashiCorp style conventions and Terraform test
- terraform-module-generation: Module refactoring and Terraform Stacks.
- terraform-provider-development: If you are a provider developer or contributor, you should be looking at this. If you remember my HashiConf talks on Making AI work for you where we discussed how kiro ( then Q) was assisting provider development teams with Terraform actions which was an unknown construct at that point.
So why should you care ?
Skills, originally introduced by Anthropic is a new open spec for giving agents new capabilities and expertise. We can do with a lot more openness and consistency across these different ways of interacting with Generative AI agents. Sure, it is a markdown and you have the flexibility to add whatever details you need. But how much is always the question. And should all of it get loaded into context when the agent is starting up? If you use Terraform as a daily driver for your infrastructure provisioning, the HashiCorp suite of skills is something you should absolutely be considering with how it makes that context available for your agentic interactions.
How do you use it ?
Most of the skills, rules, instructions, MCP server are supposed to make our questions without a lot of context build that up as you interact with the coding agent of your choice. Much of what I am saying here is available in the public documentation; hence adding only the relevant ones for kiro-cli.
Skills Installation
If you have npx on your machine, it is as simple as:
npx skills add hashicorp/agent-skills
Or you can install a specific skill. Keep in mind that the installation step above does allow you to pick and choose the skills you want to install.
# Install a specific skill
npx skills add hashicorp/agent-skills/terraform/code-generation/skills/terraform-style-guide
The skills terminal interface shows the source of the repository from which you are installing these skills.
Select the ones you are interested in.
Now this is something I got confused about. I didn’t have 28 agents ( or did I ?)
◇ Detected 28 agents
│
◆ Install to
│ ● All agents (Recommended) (Install to all 28 detected agents)
│ ○ Select specific agents
└
These are not the custom kiro-cli agents, but the coding agents you use like Kiro, Kilo Code, Goose, Claude Code and so on.
Note the directory it is referencing here. This is the .kiro directory in your user space on a Mac.
◆ Select agents to install skills to (space to toggle)
│ ◻ Antigravity
│ ◻ Claude Code
│ ◻ Clawdbot
│ ◻ Cline
...
│ ◻ Goose
│ ◻ Kilo Code
│ ◼ Kiro CLI (.kiro/skills)
│ ◻ MCPJam
│ ◻ Mux
...
│ ◻ Zencoder
│ ◻ Neovate
Scope: I would choose Global here rather than having to install it in every project under a .kiro directory. I used to do that for rules before.
Installation method:
◆ Installation method
│ ● Symlink (Recommended) (Single source of truth, easy updates)
│ ○ Copy to all agents
└
So what did we select until now?
◇ Installation Summary ───────────────────╮
│ │
│ ~/.agents/skills/terraform-style-guide │
│ symlink → Kiro CLI │
│ overwrites: Kiro CLI │
│ │
│ ~/.agents/skills/terraform-test │
│ symlink → Kiro CLI │
│ overwrites: Kiro CLI │
│ │
│ ~/.agents/skills/refactor-module │
│ symlink → Kiro CLI │
│ overwrites: Kiro CLI │
│ │
│ ~/.agents/skills/terraform-stacks │
│ symlink → Kiro CLI │
│ overwrites: Kiro CLI │
│ │
├──────────────────────────────────────────╯
│
◆ Proceed with installation?
│ ● Yes / ○ No
Proceed with installation.
│
◇ Installed 4 skills to 1 agent ────────────╮
│ │
│ ✓ ~/.agents/skills/terraform-style-guide │
│ symlink → Kiro CLI │
│ ✓ ~/.agents/skills/terraform-test │
│ symlink → Kiro CLI │
│ ✓ ~/.agents/skills/refactor-module │
│ symlink → Kiro CLI │
│ ✓ ~/.agents/skills/terraform-stacks │
│ symlink → Kiro CLI │
│ │
├────────────────────────────────────────────╯
│
└ Done!
Are we done? With the skills installation. But not completely.
Kiro skills resource
Reference: https://kiro.dev/docs/cli/custom-agents/configuration-reference/#skill-resources
kiro-cli (as of now) expects the skill to be referenced in a similar way as your rules or other markdowns. With a twist, the skill:// prefix makes kiro understand you are looking to load these dynamically when needed so that all of the text in all of the markdowns in there are not loaded always. If you are installing any skills for the first time, the npx install prompts you to install a find_skills skill too :)
In my Kiro CLI setup, I’ve configured a custom agent that combines whatever tools I use for Terraform development. kiro-cli lets you generate an agent allowing you to create the json file required for agent config in your .kiro/agents directory.
Here’s how it’s configured on my end.
{
"name": "iac",
"description": "You are a specialist in infrastructure as code, especially with AWS.",
"prompt": "You are a specialist in infrastructure as code (IaC), with deep expertise in AWS services and best practices. You help users design, implement, and manage cloud infrastructure using code-based approaches like Terraform, CloudFormation, CDK, and other IaC tools. You provide guidance on AWS architecture patterns, security best practices, cost optimization, and automation strategies. You can assist with writing, reviewing, and troubleshooting infrastructure code, as well as helping users understand AWS services and how to effectively use them in their infrastructure deployments.",
"mcpServers": {
"awslabs.aws-documentation-mcp-server": {
"command": "uvx",
"args": ["awslabs.aws-documentation-mcp-server@latest"],
"env": {
"FASTMCP_LOG_LEVEL": "ERROR",
"AWS_DOCUMENTATION_PARTITION": "aws"
}
},
"terraform": {
"command": "finch",
"args": ["run", "-i", "--rm", "hashicorp/terraform-mcp-server"],
"env": {
"FASTMCP_LOG_LEVEL": "ERROR"
}
}
},
"tools": ["*"],
"toolAliases": {},
"allowedTools": [],
"resources": ["skill://~/.kiro/skills/**/SKILL.md"],
"hooks": {},
"toolsSettings": {},
"useLegacyMcpJson": false,
"model": null
}
Note the ["skill://~/.kiro/skills/**/SKILL.md"], it is installed in my .kiro directory under user. You could modify it based on your installation.
Skills in Action
With the custom agent called iac, I can either invoke the agent directly or switch to that agent.
kiro-cli --agent iac
✓ terraform loaded in 0.54 s
✓ Framelink MCP for Figma loaded in 1.49 s
⚠ 2 of 3 mcp servers initialized. Servers still loading:
- awslabs.aws-documentation-mcp-server
⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀ ⢀⣴⣶⣶⣦⡀⠀⠀⠀⢀⣴⣶⣦⣄⡀⠀⠀⢀⣴⣶⣶⣦⡀⠀⠀⢀⣴⣶⣶⣶⣶⣶⣶⣶⣶⣶⣦⣄⡀⠀⠀⠀⠀⠀⠀⢀⣠⣴⣶⣶⣶⣶⣶⣦⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀ ⢰⣿⠋⠁⠈⠙⣿⡆⠀⢀⣾⡿⠁⠀⠈⢻⡆⢰⣿⠋⠁⠈⠙⣿⡆⢰⣿⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠈⠙⠻⣦⠀⠀⠀⠀⣴⡿⠟⠋⠁⠀⠀⠀⠈⠙⠻⢿⣦⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀ ⢸⣿⠀⠀⠀⠀⣿⣇⣴⡿⠋⠀⠀⠀⢀⣼⠇⢸⣿⠀⠀⠀⠀⣿⡇⢸⣿⠀⠀⠀⢠⣤⣤⣤⣤⣄⠀⠀⠀⠀⣿⡆⠀⠀⣼⡟⠀⠀⠀⠀⣀⣀⣀⠀⠀⠀⠀⢻⣧⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀ ⢸⣿⠀⠀⠀⠀⣿⡿⠋⠀⠀⠀⢀⣾⡿⠁⠀⢸⣿⠀⠀⠀⠀⣿⡇⢸⣿⠀⠀⠀⢸⣿⠉⠉⠉⣿⡇⠀⠀⠀⣿⡇⠀⣼⡟⠀⠀⠀⣰⡿⠟⠛⠻⢿⣆⠀⠀⠀⢻⣧⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀ ⢸⣿⠀⠀⠀⠀⠙⠁⠀⠀⢀⣼⡟⠁⠀⠀⠀⢸⣿⠀⠀⠀⠀⣿⡇⢸⣿⠀⠀⠀⢸⣿⣶⣶⡶⠋⠀⠀⠀⠀⣿⠇⢰⣿⠀⠀⠀⢰⣿⠀⠀⠀⠀⠀⣿⡆⠀⠀⠀⣿⡆
⠀⠀⠀⠀⠀⠀⠀ ⢸⣿⠀⠀⠀⠀⠀⠀⠀⠀⠹⣷⡀⠀⠀⠀⠀⢸⣿⠀⠀⠀⠀⣿⡇⢸⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣼⠟⠀⢸⣿⠀⠀⠀⢸⣿⠀⠀⠀⠀⠀⣿⡇⠀⠀⠀⣿⡇
⠀⠀⠀⠀⠀⠀⠀ ⢸⣿⠀⠀⠀⠀⠀⣠⡀⠀⠀⠹⣷⡄⠀⠀⠀⢸⣿⠀⠀⠀⠀⣿⡇⢸⣿⠀⠀⠀⠀⣤⣄⠀⠀⠀⠀⠹⣿⡅⠀⠀⠸⣿⠀⠀⠀⠸⣿⠀⠀⠀⠀⠀⣿⠇⠀⠀⠀⣿⠇
⠀⠀⠀⠀⠀⠀⠀ ⢸⣿⠀⠀⠀⠀⣾⡟⣷⡀⠀⠀⠘⣿⣆⠀⠀⢸⣿⠀⠀⠀⠀⣿⡇⢸⣿⠀⠀⠀⠀⣿⡟⣷⡀⠀⠀⠀⠘⣿⣆⠀⠀⢻⣧⠀⠀⠀⠹⣷⣦⣤⣤⣾⠏⠀⠀⠀⣼⡟
⠀⠀⠀⠀⠀⠀⠀ ⢸⣿⠀⠀⠀⠀⣿⡇⠹⣷⡀⠀⠀⠈⢻⡇⠀⢸⣿⠀⠀⠀⠀⣿⡇⢸⣿⠀⠀⠀⠀⣿⡇⠹⣷⡀⠀⠀⠀⠈⢻⡇⠀⠀⢻⣧⠀⠀⠀⠀⠉⠉⠉⠀⠀⠀⠀⣼⡟
⠀⠀⠀⠀⠀⠀⠀ ⠸⣿⣄⡀⢀⣠⣿⠇⠀⠙⣷⡀⠀⢀⣼⠇⠀⠸⣿⣄⡀⢀⣠⣿⠇⠸⣿⣄⡀⢀⣠⣿⠇⠀⠙⣷⡀⠀⠀⢀⣼⠇⠀⠀⠀⠻⣷⣦⣄⡀⠀⠀⠀⢀⣠⣴⣾⠟
⠀⠀⠀⠀⠀⠀⠀ ⠀⠈⠻⠿⠿⠟⠁⠀⠀⠀⠈⠻⠿⠿⠟⠁⠀⠀⠈⠻⠿⠿⠟⠁⠀⠀⠈⠻⠿⠿⠟⠁⠀⠀⠀⠈⠻⠿⠿⠟⠁⠀⠀⠀⠀⠀⠈⠙⠻⠿⠿⠿⠿⠟⠋⠁
╭─────────────────────────────── Did you know? ────────────────────────────────╮
│ │
│ Enable workspace checkpoints to snapshot & restore changes. Just run │
│ kiro-cli settings chat.enableCheckpoint true │
│ │
╰──────────────────────────────────────────────────────────────────────────────╯
Model: claude-sonnet-4 (/model to change)
I haven’t yet found the command which told me what skills are available on load time. But introspect works in those cases.
[iac] > introspect are there any skills available for me to use ?
Introspecting to get you the right information (using tool: introspect) - Completed in 0.1s
> Based on the context entries you provided, yes, you have several skills available:
Available Skills:
1. find-skills - Helps you discover and install additional agent skills when you ask questions like "how do I do X" or "find a skill for X"
2. refactor-module - Transforms monolithic Terraform configurations into reusable, maintainable modules following HashiCorp's best practices
3. terraform-stacks - Comprehensive guide for working with HashiCorp Terraform Stacks, including creating and managing .tfcomponent.hcl and .tfdeploy.hcl files
4. terraform-style-guide - Generates Terraform HCL code following HashiCorp's official style conventions and best practices
5. terraform-test - Comprehensive guide for writing and running Terraform tests, including creating .tftest.hcl files and test scenarios
These skills are stored in your ~/.kiro/skills/ directory and are designed to help with infrastructure as code tasks, particularly around Terraform development and best practices.
If you're looking for additional skills beyond these, you can use the find-skills skill to discover and install more capabilities based on your specific needs.
▸ Time: 12s
Usage
What do you do? You ask your question which you know will trigger the skill which can answer this. I haven’t figured out how the default kiro_default agent can get these without creating another custom agent. Maybe that is not possible since we need the agent configuration to include skill resources right now.
Let’s do this without calling our agent first time. For the eagle eyed and folks familiar with TF stacks, the tfstacks.hcl is being referenced which is still the old norm of creating stacks (Yes, I am on the TF MCP server 0.3.x version now)
How do I create a Terraform stacks config for a VPC config from the private registry manu.example.com ?
> I'll help you create a Terraform stacks configuration for a VPC from your private registry. Let me first get the latest Terraform provider version and then show you the minimal configuration.
Running tool get_latest_provider_version with the param (from mcp server: terraform)
⋮ {
⋮ "namespace": "hashicorp",
⋮ "name": "aws"
⋮ }
Allow this action? Use 't' to trust (always allow) this tool for the session. [y/n/t]:
> y
- Completed in 3.778s
> Here's the minimal Terraform stacks configuration for a VPC from your private registry:
deployments.tfdeploy.hcl
hcl
deployment "vpc" {
inputs = {
regions = ["us-east-1"]
}
}
vpc.tfstack.hcl
hcl
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 6.28.0"
}
}
variable "regions" {
type = set(string)
}
component "vpc" {
source = "manu.example.com/your-namespace/vpc-module"
for_each = var.regions
Invoke the agent kiro-cli --agent iac or /agent swap iac from within the CLI.
How do I create a Terraform stacks config for a VPC config from the private registry manu.example.com ?
> I'll help you create a Terraform Stacks configuration for a VPC from your private registry. Let me first check the terraform-stacks skill for the specific syntax.
Reading file: /Users/abc123/.kiro/skills/terraform-stacks/SKILL.md, all lines (using tool: read)
✓ Successfully read 14349 bytes from /Users/abc123/.kiro/skills/terraform-stacks/SKILL.md
- Completed in 0.0s
> Based on the Terraform Stacks documentation, here's how to create a Stack configuration for a VPC from your private registry manu.example.com:
Component Configuration (components.tfcomponent.hcl):
hcl
component "vpc" {
source = "manu.example.com/vpc/aws"
version = "1.0.0"
inputs = {
cidr_block = var.vpc_cidr
region = var.aws_region
}
providers = {
aws = provider.aws.this
}
}
Provider Configuration (providers.tfcomponent.hcl):
hcl
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.7.0"
}
}
provider "aws" "this" {
config {
region = var.aws_region
assume_role_with_web_identity {
role_arn = var.role_arn
web_identity_token = var.identity_token
}
}
}
Variables (variables.tfcomponent.hcl):
hcl
variable "vpc_cidr" {
type = string
}
...
Deployment (deployments.tfdeploy.hcl):
hcl
identity_token "aws" {
audience = ["aws.workload.identity"]
}
deployment "production" {
inputs = {
vpc_cidr = "10.0.0.0/16"
aws_region = "us-west-1"
role_arn = "arn:aws:iam::123456789012:role/hcp-terraform-stacks"
identity_token = identity_token.aws.jwt
}
}
Key points for private registry sources:
- Use the full registry hostname in the source: manu.example.com/vpc/aws
- Include a version constraint
- Ensure you're authenticated to the private registry before running terraform stacks providers-lock
▸ Time: 19s
Bloopers
Without the agent invoked.
> Do I have any skills available ?
> Based on my review, you do not have any specific skills in the documents.
Looking Forward
With only Terraform in the current skill list, take a look at the branches and you will see some of the groundwork done before and how it evolved into what is available as version 0.0.1.
I do have an open question to the skills developers or contributors. How do we make sure that the responses we get for a set of questions after making changes to the existing skills are not worsened after those changes ? How can we automatically validate these are goind in the wrong direction
The future of infrastructure development is looking increasingly collaborative - with AI agents that understand not just syntax, but the deeper patterns and practices that make infrastructure reliable, secure, and maintainable. Yes, I had the kiro write the above line ;)
Other notable skills for your Terraform/OpenTofu exploits: