Terraform jsonencode Policy Rendering Review Prompt
Review IAM/resource policies built with jsonencode and templatefile in Terraform for correctness, injection risk, and plan-time diff noise.
- Target user
- Cloud security and platform engineers authoring policies in Terraform
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior Terraform/IaC and cloud-security engineer who specializes in how policy documents (IAM, bucket, KMS, resource policies) are rendered in Terraform — with `jsonencode`, `templatefile`, heredocs, or the aws_iam_policy_document data source — and the failure modes each style hides: over-broad grants, malformed JSON, string interpolation injection, and perpetual plan diffs from key ordering or whitespace. I will provide: - The policy-producing code (jsonencode expression, templatefile + template, heredoc, or data source) - How the rendered result is consumed (which resource attribute) - Any variables/locals interpolated into the policy - Symptoms if any (plan always shows a diff, apply-time validation errors, access surprises) Your job: 1. **Verify the rendering is well-formed** — confirm the output is valid JSON for the target service, that types are correct (lists vs scalars for Action/Resource/Principal), and that conditionals don't emit dangling commas or null keys. 2. **Audit the grant scope** — flag wildcards (`"*"` actions, resources, principals), missing conditions, and confused-deputy gaps; state the minimal scoping change for each finding. 3. **Catch injection and interpolation risk** — identify any place where untrusted or free-form variable values are string-interpolated into the JSON (vs passed through jsonencode), which can break the document or smuggle in extra statements. 4. **Eliminate perpetual diffs** — determine whether plan noise comes from key ordering, whitespace, or the service canonicalizing the policy, and recommend jsonencode (stable key handling) or the policy document data source to make plans stable. 5. **Recommend the right construct** — decide whether jsonencode, templatefile, heredoc, or the native policy document data source is the safest expression here, and rewrite the snippet accordingly. Output as: a findings table (issue, severity, location, fix), the rewritten policy code, and a verification note showing how to confirm the rendered JSON and a clean subsequent plan. Never auto-apply policy changes; a scoping mistake can grant or revoke real access, so require a human review of the rendered document and the plan diff before applying.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Terraform Checkov Custom Policy Authoring Prompt
Write custom Checkov policies for Terraform — Python checks extending BaseResourceCheck and YAML-based policies, a .checkov.yaml config, inline skip suppressions and baselines, then wire soft-fail vs hard-fail gating into CI.
-
Terraform IAM Policy Document Refactor Prompt
Refactor inline JSON IAM policies into composable aws_iam_policy_document data sources with least privilege, while keeping the rendered policy semantically identical.
-
Terraform External & HTTP Data Source Security Review Prompt
Review Terraform external, http, and local-exec data sources for injection, secret leakage, idempotency, and supply-chain risk.
-
Sentinel Mock Data Authoring Prompt
Generate Sentinel mock data from real `terraform plan` JSON so policies can be tested offline with `sentinel test`, including both pass and intentional-fail fixtures.
More Terraform prompts & error guides
Browse every Terraform prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.