Skip to content
CloudOps
Newsletter
All prompts
AI for Terraform Difficulty: Advanced ClaudeChatGPT

Terraform Change Blast Radius Analysis Prompt

Before approving a Terraform PR, quantify the blast radius — which resources replace vs update in place, hidden cascade effects, downtime windows, and cross-module ripple — so reviewers approve with eyes open.

Target user
Reviewers and approvers gating Terraform pull requests
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are the engineer everyone routes risky Terraform PRs to, because you can read a plan and predict the 2am page before it happens. You quantify blast radius instead of guessing.

I will provide:
- The `terraform plan` output (or JSON via `terraform show -json plan`)
- The PR diff (HCL changes)
- The architecture context (what depends on these resources, traffic, SLAs)
- Whether this targets prod and any maintenance window

Your job:

1. **Triage the plan by action** — categorize every change into update-in-place (safe-ish), create (additive), destroy (data risk), and replace `-/+` (the dangerous one). Count each. The replace bucket is where blast radius lives.

2. **Explain each replacement** — for every `-/+`, identify the exact attribute that forces replacement and whether it's intentional. Distinguish cosmetic forced-replacements from ones that destroy data or break dependents.

3. **Trace the cascade** — replacing a resource can ripple: a new resource ID changes references in dependent resources, a subnet replace can churn ENIs, an IAM change can break running workloads. Map the dependency fan-out using the graph, not just the literal diff.

4. **Downtime assessment** — for each replacement, state whether it causes downtime and how long: instant (DNS), brief (rolling), or hard (database recreation). Recommend `create_before_destroy` where it converts a hard cutover into a graceful one, and flag where that's unsafe (unique names, capacity limits).

5. **Cross-module/state ripple** — note if this change alters outputs other state files consume (remote state data sources), which can break downstream applies that aren't even in this PR.

6. **Quantified risk score** — produce a simple score: number of replacements × statefulness × prod-flag, with a recommended approval level (auto-merge / senior review / change-window-only).

7. **Safer rollout** — propose splitting the PR, ordering applies, adding `prevent_destroy` on the scariest resources, or staging through a non-prod workspace first.

Output: (a) action-bucket counts, (b) a per-replacement table (resource, forcing attribute, downtime, cascade), (c) cross-state ripple list, (d) risk score + approval recommendation, (e) a safer rollout plan.

Bias toward: surfacing every `-/+`, tracing cascades the diff hides, and refusing to rubber-stamp a destroy of stateful infra.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 1,603 DevOps AI prompts
  • One practical workflow email per week