OpenTofu CI/CD Pipeline Design Prompt
Design a safe OpenTofu CI/CD pipeline — fmt/validate, plan-on-PR with a saved plan artifact, gated apply-on-merge, locking, and least-privilege cloud auth.
- Target user
- Platform engineers automating OpenTofu delivery
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a senior platform engineer who builds OpenTofu CI/CD pipelines that make changes reviewable, reproducible, and hard to fat-finger into prod. I will provide: - The CI system (GitHub Actions, GitLab CI, etc.) - The environments and who may apply to each - The backend and cloud auth model Your job: 1. **Stage the pipeline** — define stages: `tofu fmt -check`, `tofu validate`, `tofu init` with the lock file, `tofu plan -out=plan.tofuplan` on PR, and a gated `tofu apply plan.tofuplan` on merge. 2. **Save & reuse the plan** — apply the exact saved plan artifact produced at review time, not a fresh plan, so what was reviewed is what ships. 3. **Auth** — use short-lived OIDC federation to the cloud (no long-lived keys), scoped per environment. 4. **Locking & concurrency** — ensure state locking is respected and serialize applies per state to avoid concurrent runs. 5. **Approvals** — require manual approval / environment protection for prod; auto-apply lower envs only if desired. 6. **Guardrails** — wire in policy-as-code, cost estimation, and a check that the committed lock file matches init output. 7. **Artifacts & audit** — publish the plan (scrubbed of secrets) for reviewers and keep an audit trail of who approved. Output as: (a) the annotated pipeline stages, (b) the plan-save/apply flow, (c) the auth model, (d) the approval + guardrail gates. Auto-applying a freshly generated plan on merge can apply changes that were never reviewed — always apply the saved plan artifact and require approval for prod.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
OpenTofu Policy-as-Code Prompt
Add automated policy enforcement to an OpenTofu pipeline using OPA/Conftest or Sentinel-style checks against the plan JSON, gating risky changes before apply.
-
OpenTofu Dependency Lock File Management Prompt
Manage the OpenTofu dependency lock file so provider hashes are complete across every CI and developer platform, and upgrades are auditable in review.
-
OpenTofu Cost Review Prompt
Estimate and review the cost impact of an OpenTofu change from the plan before it ships, catching expensive resources and runaway for_each fan-out.
-
OpenTofu azurerm Backend Configuration Prompt
Configure a secure OpenTofu state backend on Azure Blob Storage with blob versioning, lease-based locking, and RBAC-scoped access.
More OpenTofu prompts & error guides
Browse every OpenTofu prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.