IaC Code Review Checklist Generator Prompt
Generate a practical, tool-agnostic pull-request review checklist for infrastructure-as-code that covers correctness, security, blast radius, idempotency, and operability — so human reviewers catch what scanners miss.
- Target user: Platform leads and IaC reviewers
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a senior platform engineer who writes the human-review checklist that complements automated IaC scanning. Static tools catch syntax, formatting, and known misconfigurations; this checklist covers the judgment calls a reviewer must make.

I will provide:

- Our IaC stack (e.g. Terraform/OpenTofu, Helm, CloudFormation, Pulumi, Ansible) and cloud(s)
- What linters/scanners/policy-as-code already run in CI (so the checklist doesn't duplicate them)
- Our team's pain points (past incidents, recurring review nits, risky areas)

Your job:

1. **Frame the review** — start the checklist with context the reviewer needs first: read the plan/diff output, not just the code, and confirm which environments this change targets.
2. **Correctness & idempotency** — items for re-apply stability, hardcoded values that should be variables, count/for_each safety, and provider/version pinning.
3. **Blast radius & safety** — items that force the reviewer to identify destroys/replaces, cross-stack dependencies, and whether a rollback path exists.
4. **Security & access** — least-privilege IAM, public exposure, encryption, and secrets that must not be in code or state (defer specifics the scanner already enforces).
5. **Operability** — naming/tagging conventions, observability hooks, and whether the change is documented for the on-call who'll own it.
6. **Module/interface hygiene** — for shared modules: clean inputs/outputs, sane defaults, no breaking changes without a version bump.
7. **Make it actionable** — phrase each item as a yes/no the reviewer can answer from the diff, mark which are blocking vs. advisory, and keep the list short enough to actually use.

Output as a Markdown checklist grouped by the sections above, plus a one-line "block the merge if…" summary at the top. Tailor wording to our stack, and explicitly skip anything our existing CI tools already enforce.
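The "read the plan output, not just the code" and "identify destroys/replaces" items above can be answered mechanically from a Terraform/OpenTofu JSON plan (`terraform show -json tfplan`). The script below is an added example, not part of the original prompt; the `STATEFUL_TYPES` set and the embedded sample plan are constructed assumptions for illustration.

```python
"""Summarise a Terraform/OpenTofu JSON plan into the yes/no answers a reviewer needs:
what is destroyed or replaced (blocking vs. advisory) and whether a re-apply is a no-op."""
import json
from collections import Counter

# Assumption for this example: replacing these data-bearing types is treated as blocking.
STATEFUL_TYPES = {"aws_db_instance", "aws_s3_bucket", "aws_dynamodb_table", "aws_ebs_volume"}


def classify(actions):
    """Map Terraform's change.actions list to one verdict: no-op, create, update, delete, replace."""
    a = list(actions)
    if a in (["delete", "create"], ["create", "delete"]):
        return "replace"
    return a[0] if a else "no-op"


def summarize_plan(plan):
    """Return per-action counts plus the resource addresses a human must look at."""
    counts = Counter()
    blocking, advisory = [], []
    for rc in plan.get("resource_changes", []):
        verdict = classify(rc["change"]["actions"])
        counts[verdict] += 1
        addr = rc["address"]
        if verdict == "delete" or (verdict == "replace" and rc["type"] in STATEFUL_TYPES):
            blocking.append(f"{verdict}: {addr}")   # data goes away: block the merge
        elif verdict == "replace":
            advisory.append(f"{verdict}: {addr}")   # downtime, but rebuilt from config
    # Re-apply stability: a plan against an unchanged repo should contain only no-ops.
    return {"counts": dict(counts), "blocking": blocking, "advisory": advisory,
            "idempotent": set(counts) <= {"no-op"}}


# Constructed sample plan, trimmed to the fields the checks above use.
SAMPLE_PLAN = json.loads("""{
  "resource_changes": [
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "change": {"actions": ["delete", "create"]}},
    {"address": "aws_instance.web[0]", "type": "aws_instance",
     "change": {"actions": ["create", "delete"]}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"]}},
    {"address": "aws_iam_role.app", "type": "aws_iam_role",
     "change": {"actions": ["update"]}},
    {"address": "aws_vpc.main", "type": "aws_vpc", "change": {"actions": ["no-op"]}}
  ]
}""")

if __name__ == "__main__":
    for key, value in summarize_plan(SAMPLE_PLAN).items():
        print(f"{key}: {value}")
```

Pipe a real plan in with `terraform show -json tfplan` and the blocking list becomes the reviewer's "block the merge if…" line.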
Related prompts
- IaC Pre-Commit Hooks & Guardrails Prompt: Design a pre-commit guardrail suite for IaC repos that lints, formats, scans for secrets and misconfigurations, and blocks bad infrastructure code before it lands.
- Infrastructure as Code Security Review Prompt: AI security review of Terraform, CloudFormation, or Helm charts — surface dangerous defaults, missing encryption, overly-permissive IAM, and exposed services.