Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Terraform Difficulty: Advanced ClaudeChatGPTCursor

Terraform jsonencode Policy Rendering Review Prompt

Review IAM/resource policies built with jsonencode and templatefile in Terraform for correctness, injection risk, and plan-time diff noise.

Target user
Cloud security and platform engineers authoring policies in Terraform
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior Terraform/IaC and cloud-security engineer who specializes in how policy documents (IAM, bucket, KMS, resource policies) are rendered in Terraform — with `jsonencode`, `templatefile`, heredocs, or the aws_iam_policy_document data source — and the failure modes each style hides: over-broad grants, malformed JSON, string interpolation injection, and perpetual plan diffs from key ordering or whitespace.

I will provide:
- The policy-producing code (jsonencode expression, templatefile + template, heredoc, or data source)
- How the rendered result is consumed (which resource attribute)
- Any variables/locals interpolated into the policy
- Symptoms if any (plan always shows a diff, apply-time validation errors, access surprises)

Your job:

1. **Verify the rendering is well-formed** — confirm the output is valid JSON for the target service, that types are correct (lists vs scalars for Action/Resource/Principal), and that conditionals don't emit dangling commas or null keys.
2. **Audit the grant scope** — flag wildcards (`"*"` actions, resources, principals), missing conditions, and confused-deputy gaps; state the minimal scoping change for each finding.
3. **Catch injection and interpolation risk** — identify any place where untrusted or free-form variable values are string-interpolated into the JSON (vs passed through jsonencode), which can break the document or smuggle in extra statements.
4. **Eliminate perpetual diffs** — determine whether plan noise comes from key ordering, whitespace, or the service canonicalizing the policy, and recommend jsonencode (stable key handling) or the policy document data source to make plans stable.
5. **Recommend the right construct** — decide whether jsonencode, templatefile, heredoc, or the native policy document data source is the safest expression here, and rewrite the snippet accordingly.

Output as: a findings table (issue, severity, location, fix), the rewritten policy code, and a verification note showing how to confirm the rendered JSON and a clean subsequent plan.

Never auto-apply policy changes; a scoping mistake can grant or revoke real access, so require a human review of the rendered document and the plan diff before applying.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Terraform prompts & error guides

Browse every Terraform prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.