
Terraform Conftest Plan-JSON Gating Prompt

Wire conftest (OPA/Rego) into CI to evaluate the `terraform show -json` plan output, so policy violations fail the pipeline on the actual planned changes rather than on static config — with clear pass/warn/deny tiers and readable failure messages.

Target user: Platform engineers gating Terraform pipelines with policy-as-code
Difficulty: Intermediate
Tools: Claude, ChatGPT

The prompt

You are a senior Terraform/IaC engineer who knows that evaluating policy against the JSON plan (`resource_changes`) catches what static `.tf` scanning misses — computed values, counts, and the actual create/update/delete actions.

I will provide:
- The pipeline steps and where plan runs (and how I produce `plan.json`)
- The policy intents I want enforced (e.g. no public ingress, required tags, instance-size caps)
- Which intents are hard-deny vs. warn-only

Your job:

1. **Generate the plan JSON** — show the exact `terraform plan -out` then `terraform show -json` sequence and the shape of `resource_changes` your rules will query.
2. **Write the Rego** — author `deny`/`warn` rules against `input.resource_changes`, filtering on `.change.actions` (create/update/delete) and resource type/values; keep messages actionable.
3. **Handle plan quirks** — account for unknown ("known after apply") values, no-op changes, and resources behind `count`/`for_each` so rules don't false-positive or miss instances.
4. **Structure tiers** — separate `deny` (fail build) from `warn` (report only), and show the conftest invocation and exit-code handling for each.
5. **Test the policies** — write conftest unit tests with fixture plan JSON covering a passing plan, a denied plan, and an unknown-value edge case.
6. **Wire into CI** — give the pipeline step that runs conftest after plan and gates the apply, plus how violations surface in the PR.

Output as: (a) the plan-to-JSON commands, (b) the Rego policies with messages, (c) the conftest test fixtures, (d) the CI step with exit-code/tier handling, (e) notes on unknown-value and `for_each` edge cases.

Caution: policy passing on the plan is not a license to auto-apply — a human should still review the plan; treat conftest as a gate, not a substitute for plan review.
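As an added example (not part of the prompt page or any project's code), this is the shape of conftest policy the steps above ask for, evaluated against `terraform show -json` output: a `changed` set that filters on `change.actions`, a `deny` tier, a `warn` tier for "known after apply" values, and a tag rule that does not false-positive on computed tags. It assumes the AWS provider resource types shown, placeholder tag names `owner` and `cost-center`, and a conftest built on OPA 0.59+ (for `import rego.v1`).

```rego
package main

import rego.v1

# Only changes that create or update count; no-op, read and pure delete
# changes never trigger policy. Replacement ("delete","create") is included.
changed contains rc if {
	some rc in input.resource_changes
	some action in rc.change.actions
	action in {"create", "update"}
}

# Hard deny: an ingress rule whose planned cidr_blocks contain 0.0.0.0/0.
# If cidr_blocks are unknown they are absent from `after`, so this rule is
# simply undefined for that change and the warn rule below takes over.
deny contains msg if {
	some rc in changed
	rc.type == "aws_security_group_rule"
	rc.change.after.type == "ingress"
	"0.0.0.0/0" in rc.change.after.cidr_blocks
	# rc.address already carries the count/for_each key, e.g. ...rule["web"]
	msg := sprintf("%s: ingress from 0.0.0.0/0 is not allowed", [rc.address])
}

# Warn only: the CIDR list is "known after apply", so deny cannot decide.
warn contains msg if {
	some rc in changed
	rc.type == "aws_security_group_rule"
	rc.change.after.type == "ingress"
	rc.change.after_unknown.cidr_blocks == true
	msg := sprintf("%s: cidr_blocks are known only after apply; re-run the gate once resolved", [rc.address])
}

# Assumed required tag set (placeholder names for this example).
required_tags := {"owner", "cost-center"}

# Hard deny: required tags missing on an instance being created/updated.
# A tag whose value is computed still counts as present (it appears in
# after_unknown.tags); a wholly unknown tag map is skipped, not reported.
deny contains msg if {
	some rc in changed
	rc.type == "aws_instance"
	unknown := object.get(rc.change, "after_unknown", {})
	not unknown.tags == true
	known := {k | some k, _ in object.get(rc.change.after, "tags", {})}
	pending := {k | some k, _ in object.get(unknown, "tags", {})}
	missing := (required_tags - known) - pending
	count(missing) > 0
	msg := sprintf("%s: missing required tags %v", [rc.address, missing])
}
```

Run it with `terraform plan -out tfplan && terraform show -json tfplan > plan.json && conftest test plan.json --policy policy/`; `deny` results exit non-zero, while `warn` results are printed but only fail the run when `--fail-on-warn` is passed.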