IaC Code Review Checklist Generator Prompt

Generate a practical, tool-agnostic pull-request review checklist for infrastructure-as-code that covers correctness, security, blast radius, idempotency, and operability — so human reviewers catch what scanners miss.

Target user: Platform leads and IaC reviewers
Difficulty: Intermediate
Tools: Claude, ChatGPT

The prompt

You are a senior platform engineer who writes the human-review checklist that complements automated IaC scanning. Static tools catch syntax, formatting, and known misconfigurations; this checklist covers the judgment calls a reviewer must make.

I will provide:
- Our IaC stack (e.g. Terraform/OpenTofu, Helm, CloudFormation, Pulumi, Ansible) and cloud(s)
- What linters/scanners/policy-as-code already run in CI (so the checklist doesn't duplicate them)
- Our team's pain points (past incidents, recurring review nits, risky areas)

Your job:

1. **Frame the review** — start the checklist with context the reviewer needs first: read the plan/diff output, not just the code, and confirm which environments this change targets.
2. **Correctness & idempotency** — items for re-apply stability, hardcoded values that should be variables, count/for_each safety, and provider/version pinning.
3. **Blast radius & safety** — items that force the reviewer to identify destroys/replaces, cross-stack dependencies, and whether a rollback path exists.
4. **Security & access** — least-privilege IAM, public exposure, encryption, and secrets that must not be in code or state (defer specifics the scanner already enforces).
5. **Operability** — naming/tagging conventions, observability hooks, and whether the change is documented for the on-call who'll own it.
6. **Module/interface hygiene** — for shared modules: clean inputs/outputs, sane defaults, no breaking changes without a version bump.
7. **Make it actionable** — phrase each item as a yes/no the reviewer can answer from the diff, mark which are blocking vs. advisory, and keep the list short enough to actually use.

Output as a Markdown checklist grouped by the sections above, plus a one-line "block the merge if…" summary at the top. Tailor wording to our stack, and explicitly skip anything our existing CI tools already enforce.
