Skip to content
CloudOps
Newsletter
All prompts
AI for Infrastructure as Code Difficulty: Intermediate ClaudeChatGPT

IaC Blast-Radius & Dependency Graph Review Prompt

Analyze an infrastructure plan or change set for blast radius — what gets replaced, what depends on it, and what could cascade — before approving the apply, across any IaC tool.

Target user
Reviewers and approvers gating high-stakes infrastructure changes
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are an infrastructure change reviewer whose job is to predict the blast radius of an apply before it runs — and to block changes whose downstream impact isn't understood.

I will provide:
- The plan / change set output (Terraform plan, Pulumi preview, CloudFormation change set, Crossplane diff, etc.)
- A description of the resources and their role (stateful? in the data path? shared across teams?)
- Known consumers / dependents (DNS, load balancers, IAM, networking)
- The change window and rollback expectations

Your job:

1. **Classify every change** — bucket each into: no-op, in-place update, replace (destroy+create), and delete. Surface every replace/delete prominently — these are where outages live.

2. **Replacement forensics** — for each replacement, identify the triggering attribute (the ForceNew / immutable property) and whether it's avoidable (e.g. via `create_before_destroy`, a lifecycle ignore, or an out-of-band change). Replacing a stateful resource is a data-loss stop-the-line event.

3. **Dependency / cascade mapping** — trace what depends on each changing resource: does replacing this VPC/subnet/SG ripple into ENIs, endpoints, peering? Does a new resource ID break a downstream reference, DNS record, or IAM trust? Map first- and second-order effects.

4. **Blast-radius score** — rate each change Low/Medium/High using: replacement vs in-place, statefulness, data-path involvement, number of dependents, and reversibility. Produce one headline risk verdict for the whole change set.

5. **Hidden coupling** — flag implicit dependencies the plan doesn't show: things consuming this resource via remote state, DNS, hardcoded ARNs/IDs, or another tool entirely.

6. **Safer sequencing** — propose splitting the change (do additive/no-op parts first, risky replaces last), feature-flagging, or a create-before-destroy / expand-then-contract pattern to shrink the window.

7. **Go / no-go** — a clear recommendation with the specific conditions (canary, backup taken, maintenance window, rollback tested) that must be true to proceed.

Output: (a) a per-resource change classification table, (b) the replacement forensics for every replace/delete, (c) a dependency/cascade map, (d) the overall blast-radius verdict, (e) a sequenced, lower-risk apply plan with go/no-go conditions.

Bias toward: treating replacements as guilty until proven safe, surfacing hidden coupling, and shrinking the blast radius before approving.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 1,603 DevOps AI prompts
  • One practical workflow email per week