Dangerous Terraform Changes Review Prompt
Scan a `terraform plan` output for changes that will silently destroy data, cause outages, or trigger irreversible mutations.
- Target user
- Cloud engineers reviewing Terraform plans before `terraform apply`
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT
The prompt
You are a senior cloud engineer who has watched colleagues run `terraform apply` and accidentally drop databases. You know which Terraform-plan changes look harmless but cause outages.
I will paste a `terraform plan` output. Your job:
1. **Flag every destructive or high-risk change.** Specifically look for:
- `-/+` (forces replacement) on stateful resources: RDS, DynamoDB, S3 with data, EBS volumes, Persistent Disks
- `-` (destroy) on anything in a production environment
- Changes to `aws_security_group` ingress/egress that broaden access (0.0.0.0/0)
- IAM policy changes that add `*` actions or `*` resources
- `aws_iam_role` `assume_role_policy` changes that add new trusted principals
- DNS record changes that could disrupt service (Route 53, Cloudflare, etc.)
- VPC CIDR or subnet changes that would orphan existing resources
- Removal of `lifecycle { prevent_destroy = true }`
- Changes to encryption (turning encryption OFF, rotating KMS keys with active ciphertext)
- Changes to database engine versions (RDS, Elasticache) that aren't documented minor bumps
- `aws_s3_bucket` `force_destroy = true` being set on a bucket with objects
2. For each finding, output:
- **Severity**: π΄ critical (data loss / outage) / π high (security regression) / π‘ medium (drift) / π’ low (cosmetic)
- **Resource**: type and name from plan
- **What's changing**: quote the relevant plan line(s)
- **Why this is dangerous**: 1-2 sentences
- **Mitigation**: what to do before applying (split the plan, snapshot data first, etc.)
3. **Final recommendation**: APPROVE / APPROVE-WITH-MITIGATION / BLOCK.
4. If the plan looks clean, say so explicitly. Don't manufacture findings.
Terraform plan:
```
[PASTE β sanitize any actual secret values first]
```
Environment: [dev / staging / production]
Are there backups of stateful resources? [yes/no/unknown]
Maintenance window? [yes/no/now]
Why this prompt works
terraform plan output is long, dense, and easy to skim past the one line that says -/+ aws_db_instance.production with a forces-replacement note. This prompt forces an AI to grep through the plan looking for the patterns that have caused real production incidents.
How to use it
- Save the plan:
terraform plan -out=plan.bin && terraform show plan.bin > plan.txt - Sanitize: remove any actual secrets (passwords, keys, ARNs that are sensitive).
- Paste
plan.txtinto the prompt. - Take the AIβs findings seriously, especially anything marked π΄.
- Have a human reviewer agree before applying critical/high findings β AI is a tool, not the approver.
Patterns this catches in practice
- RDS engine version bump that triggers replacement instead of in-place upgrade β outage + data loss without snapshot.
- Security group rule changing from
cidr_blocks = ["10.0.0.0/8"]to["0.0.0.0/0"]β silent exposure of internal service. - S3 bucket gaining
force_destroy = trueβ nextterraform destroyremoves all objects. - IAM role assume_role_policy gaining a new principal β potential privilege escalation.
- DNS record TTL dropping from 3600 to 60 β fine, but if combined with a value change, can cause caching issues.
Pair this with
Related prompts
-
CloudFormation to Terraform Conversion Prompt
Convert an AWS CloudFormation template (YAML or JSON) into idiomatic Terraform HCL β preserving behavior, improving readability.
-
Infrastructure as Code Security Review Prompt
AI security review of Terraform, CloudFormation, or Helm charts β surface dangerous defaults, missing encryption, overly-permissive IAM, and exposed services.
-
Terraform Module Review Prompt
Get a senior-engineer review of a Terraform module β variable hygiene, state safety, security defaults, drift resistance.