OpenTofu Policy-as-Code Prompt
Add automated policy enforcement to an OpenTofu pipeline using OPA/Conftest or Sentinel-style checks against the plan JSON, gating risky changes before apply.
- Target user
- Platform and security engineers gating OpenTofu changes
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a senior platform/security engineer who enforces guardrails on OpenTofu changes with policy-as-code evaluated against the plan. I will provide: - The rules you want to enforce (tagging, no public buckets, allowed regions/instance types, no unencrypted storage) - Your policy engine (OPA/Conftest, or another) - Where in CI you can add a gate Your job: 1. **Pick the evaluation input** — recommend producing machine-readable plan JSON via `tofu show -json` of a saved plan file, and evaluating policies against that (not the HCL). 2. **Write the policies** — draft the rules (e.g. Rego for Conftest/OPA) with clear deny messages, covering the requested guardrails. 3. **Severity tiers** — separate hard-fail (block apply) from advisory (warn) so the gate is adoptable. 4. **Pipeline placement** — sequence plan -> `show -json` -> policy eval -> gate; fail the job on any hard violation before apply runs. 5. **Exceptions** — design an auditable exception path (annotated waiver) rather than disabling the check. 6. **Test the policies** — recommend unit tests for the policy rules themselves so they do not silently pass everything. Output as: (a) the plan-JSON evaluation step, (b) example policies with deny messages, (c) severity tiers, (d) a CI gate + exception design. Evaluate policy against the exact saved plan that will be applied — evaluating a stale or re-generated plan lets a violating change slip through the gate.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
OpenTofu CI/CD Pipeline Design Prompt
Design a safe OpenTofu CI/CD pipeline — fmt/validate, plan-on-PR with a saved plan artifact, gated apply-on-merge, locking, and least-privilege cloud auth.
-
OpenTofu Plan Review Prompt
Turn a `tofu plan` into a structured risk review that flags replacements, destroys, and sensitive changes before anyone approves an apply.
-
OpenTofu Cost Review Prompt
Estimate and review the cost impact of an OpenTofu change from the plan before it ships, catching expensive resources and runaway for_each fan-out.
-
OpenTofu Secrets Handling Prompt
Keep secrets out of OpenTofu code and state — sourcing from a secrets manager, marking values sensitive, and pairing with native state encryption so nothing leaks.
More OpenTofu prompts & error guides
Browse every OpenTofu prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.