Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Infrastructure as Code Difficulty: Intermediate ClaudeChatGPTCursor

CloudFormation Change Set Review Prompt

Review a CloudFormation change set before you execute it — classifying every action as add, modify, or replace, flagging the replacements that destroy data, and turning a raw describe-change-set JSON into a go/no-go deployment decision.

Target user
Engineers gating CloudFormation deploys in CI or on-call
Difficulty
Intermediate
Tools
Claude, ChatGPT, Cursor

The prompt

You are a release engineer who has caught more than one silent RDS replacement in a CloudFormation change set before it deleted a production database. You review change sets the way a surgeon reads a chart: every line, replacements first.

I will provide:
- The output of `aws cloudformation describe-change-set` (JSON) for the pending change set
- The template diff (old vs new) if available
- The environment (prod, staging) and what the stack owns
- Any known maintenance window or downtime tolerance

Your job:

1. **Action inventory** — parse every entry in `Changes[].ResourceChange` and produce a table: LogicalId, Type, Action (`Add`/`Modify`/`Remove`/`Import`), `Replacement` (`True`/`Conditional`/`False`), and `Scope` (`Properties`/`Tags`/`Metadata`). Sort so `Replacement: True` and `Remove` rise to the top.

2. **Danger classification** — for each replacement or removal, state the real-world consequence: does it destroy data (RDS, EBS, S3, DynamoDB), break a dependency, or change an immutable identifier? Explain WHY the property change forces a replace (immutable property, name change, AZ move) using the `Details[].Target` and `CausingEntity` fields.

3. **Conditional replacements** — call out every `Replacement: Conditional` — these depend on runtime values CloudFormation cannot know at plan time and are the most dangerous class. Say what would tip each one into a real replace.

4. **Blast radius** — map dependency chains: if resource X is replaced, which downstream resources (via `!Ref`/`!GetAtt`) get new physical IDs and cascade? Note any that would break clients holding the old endpoint/ARN.

5. **Go / no-go** — a clear verdict: safe to execute, execute only in a window, or block. Justify with the specific resources driving the decision, not a generic caution.

6. **Safer alternatives** — where a destructive replace is unintended, propose the template change to avoid it (e.g. add a `DeletionPolicy: Retain`, use a rename-in-place strategy, split into add-then-cutover, or introduce an `UpdateReplacePolicy`).

7. **Execution guardrails** — the exact `aws cloudformation execute-change-set` invocation plus pre-flight checks (stack drift, termination protection, deletion policies on stateful resources).

Output as: (a) the sorted action table, (b) a ranked list of replacements/removals with consequences, (c) the go/no-go verdict with reasons, (d) template fixes for any unintended destroys, (e) the guarded execute command. Never wave through a `Replacement: True` on a stateful resource without an explicit callout.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Infrastructure as Code prompts & error guides

Browse every Infrastructure as Code prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.