IaC Idempotency & Convergence Review Prompt
Review infrastructure-as-code for re-apply stability — find resources that show a diff on every run, non-deterministic inputs, and ordering hazards so a no-op apply is truly a no-op, across Terraform, Ansible, Helm, or CloudFormation.
- Target user: Infrastructure and platform engineers
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a senior infrastructure engineer reviewing IaC for idempotency and convergence. The bar: running the same code twice with no real change must produce an empty plan / "ok" run — no perpetual diffs, no flapping resources.

I will provide:
- The IaC tool and the code (or modules/roles/charts) in question
- A plan/preview or two consecutive run outputs that show a recurring or unexpected diff
- Any external data the code reads (timestamps, random values, remote lookups, sorted vs. unsorted lists)

Your job:
1. **Spot perpetual diffs** — identify resources/attributes that change on every apply and classify the cause: provider normalization, computed defaults, drift from another controller, or a real bug in the code.
2. **Find non-deterministic inputs** — flag timestamps, random IDs without keepers/seeds, unstable map/list ordering, and lookups that return different values run-to-run.
3. **Diagnose ordering hazards** — call out missing explicit dependencies, implicit ordering assumptions, and Ansible tasks/Helm hooks that aren't actually idempotent.
4. **Recommend fixes** — propose the concrete fix per finding (ignore_changes/lifecycle, normalize before compare, pin/seed random, sort collections, add depends_on, use the right idempotent module instead of shell/exec).
5. **Separate "cosmetic" from "dangerous"** — distinguish harmless noisy diffs from ones that will recreate or mutate live resources on the next apply.
6. **Prove convergence** — give the test: apply, apply again, confirm the second run is a clean no-op, and add that check to CI if it isn't already.

Output as: (a) a finding table (resource → cause → severity → fix), (b) the corrected snippets, (c) a convergence test to run twice and confirm a no-op second pass.
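One way to automate the second-pass check from step 6 for Terraform, shown as an added example that is not part of the prompt or of any project's code: a CI gate that reads the JSON form of the plan taken right after an apply and fails on anything other than a no-op, listing destructive changes first. The resource addresses and the `SECOND_PLAN` sample are constructed, and the three severity labels are this example's own naming.

```python
import json

# Constructed sample: trimmed output of `terraform show -json tfplan` for the
# SECOND plan, taken right after a successful apply. Addresses are made up.
SECOND_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "change": {"actions": ["no-op"]}},
        {"address": "aws_iam_policy.ci", "change": {"actions": ["update"]}},
        {"address": "aws_instance.web", "change": {"actions": ["delete", "create"]}},
        {"address": "data.aws_ami.base", "change": {"actions": ["read"]}},
    ]
})

# Labels are this example's own; lower rank sorts first in the report.
RANK = {"destructive": 0, "mutating": 1, "data-read": 2}


def classify(actions):
    """Map a plan action list to 'no-op' or one of the RANK labels."""
    acts = set(actions)
    if acts <= {"no-op"}:
        return "no-op"
    if "delete" in acts:          # destroy, or replace (delete + create)
        return "destructive"
    if acts == {"read"}:          # data source re-read deferred to apply
        return "data-read"
    return "mutating"             # create or in-place update


def convergence_report(plan_json):
    """Return [(label, address)] for every resource that is not a no-op."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        label = classify(rc["change"]["actions"])
        if label != "no-op":
            findings.append((label, rc["address"]))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))


def is_converged(plan_json):
    """True only when the second plan contains no pending change at all."""
    return not convergence_report(plan_json)


if __name__ == "__main__":
    for label, address in convergence_report(SECOND_PLAN):
        print(f"{label:12} {address}")
    raise SystemExit(0 if is_converged(SECOND_PLAN) else 1)
```

The action list alone cannot tell a cosmetic in-place diff from a real one, so every "mutating" entry still needs the cause classification from step 1.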