AI for Terraform

Terraform Saved Plan Artifact Security Prompt

Harden the handling of saved `tfplan` files in CI so plan artifacts do not leak secrets or get applied with stale or tampered contents.

Target user
Security-minded platform engineers running plan/apply across CI stages
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a DevSecOps engineer who has audited CI pipelines that pass saved Terraform plans between plan and apply stages.

I will provide:
- How we generate and store the plan (`terraform plan -out tfplan`, artifact upload, etc.)
- The CI platform and where artifacts are stored and for how long
- Who can access artifacts and trigger applies
- Concerns (secrets in the plan, plan tampering, applying the wrong plan)

Your job:

1. **Explain the risk surface** — a saved plan is an opaque archive that embeds the resolved value of every input variable (secrets included), a snapshot of the state it was planned against, and the full intended diff. Treat it as sensitive material with the same handling as state, not as a build log.

2. **Secret exposure** — show how `terraform show -json tfplan` reveals embedded values. Recommend marking variables and outputs `sensitive = true`, with the caveat that this masks them only in the human-readable plan and `terraform show` output; the JSON rendering and the plan file itself still carry the plaintext, so both must be treated as secrets. Prefer designs in which the provider reads the secret at apply time instead of receiving it as a plain input variable (on Terraform 1.10 and later, ephemeral variables and outputs are not persisted to the plan or state at all).

3. **Artifact storage** — require encrypted, access-controlled artifact storage scoped to the pipeline run, with a short retention TTL; forbid storing plans in world-readable locations, shared caches, or public artifact stores.

4. **Integrity between stages** — ensure the apply stage uses exactly the plan the review approved: compute a SHA-256 digest of the plan artifact at plan time, record it somewhere the apply stage trusts and the plan stage cannot later rewrite (a job output or a separate write-once record, not a file sitting next to the artifact that could be swapped along with it), and have apply recompute and compare the digest so a swapped, truncated, or corrupted artifact fails closed before `terraform apply` runs.

5. **Staleness guard** — confirm the plan still matches current state at apply time. Explain that `terraform apply tfplan` refuses, with a non-zero exit, to apply a saved plan whose recorded state no longer matches the backend, and that this is only a hard failure if the apply step always passes the plan file and never falls back to `terraform apply -auto-approve` without it, which silently re-plans against whatever the state is now.

6. **Least privilege** — separate the identity that plans (needs to read state and providers, must not be able to write state or mutate resources) from the identity that applies (write), and gate apply behind approval, so a compromised plan stage can at most produce a plan that a reviewer then rejects rather than mutate infrastructure directly.

7. **Log redaction** — keep plan rendering out of logs, or pipe it through a redactor; never `cat` a JSON plan into CI output. Even the human-readable `terraform show tfplan`, which masks sensitive values, still exposes the full diff and resource addresses, so keep that behind the same access control as the artifact.

8. **Cleanup** — delete plan artifacts promptly after apply, whether it succeeded or failed, and ensure they are not baked into container image layers, persisted in a cached workspace, or left on self-hosted runners.

Output as: (a) a risk assessment of my current flow, (b) the checksum-and-verify steps between plan and apply, (c) the artifact-storage and retention config, (d) the least-privilege identity split. Fail closed on any integrity or staleness mismatch.
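An added, self-contained example (not from this page, and not HashiCorp code) of the checksum-and-verify, staleness, and cleanup steps in items 4, 5 and 8 as POSIX shell functions for a plan job and an apply job. The function names, file names and the assumption that the digest record is published to a location the apply stage trusts and the plan stage cannot later rewrite are hypothetical; the Terraform invocations (`terraform plan -input=false -out`, applying a saved plan by path) are the real CLI forms.

```shell
#!/usr/bin/env sh
# Added example: digest-gated apply of a saved Terraform plan across CI stages.
# Hypothetical assumptions: "$PLAN" is the saved plan artifact, "$DIGEST" is a
# record written by the plan job to a store the apply job trusts (job output,
# write-once bucket), and the apply job runs under its own write-capable identity.
set -eu

# Portable SHA-256 of a file: GNU coreutils sha256sum, or shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Plan job, after the plan has been written: record the digest of the exact
# bytes the reviewer will look at. $1 = plan file, $2 = digest record path.
record_plan_digest() {
    [ -s "$1" ] || { echo "record_plan_digest: no plan at $1" >&2; return 1; }
    sha256_of "$1" > "$2"
}

# Plan job entry point (hypothetical). Human review uses `terraform show "$1"`,
# which masks sensitive values; never render `-json` into the job log.
plan_stage() {
    terraform plan -input=false -out "$1"
    record_plan_digest "$1" "$2"
}

# Apply job gate: 0 only when the artifact exists, the digest record exists and
# the two match byte-for-byte. Missing artifact, missing record, or mismatch
# all return 1 so the caller fails closed.
verify_plan_digest() {
    [ -s "$1" ] || { echo "verify: plan artifact missing or empty: $1" >&2; return 1; }
    [ -s "$2" ] || { echo "verify: digest record missing or empty: $2" >&2; return 1; }
    expected=$(tr -d '[:space:]' < "$2")
    actual=$(sha256_of "$1")
    if [ "$expected" != "$actual" ]; then
        echo "verify: plan digest mismatch (expected $expected, got $actual)" >&2
        return 1
    fi
    return 0
}

# Apply job entry point: verify, then apply the saved plan by path. Terraform
# itself exits non-zero if the plan is stale (state changed since plan); we
# propagate that exit code and never re-plan. The artifact and record are
# removed afterwards whether or not apply succeeded (item 8).
apply_saved_plan() {
    plan="$1"; digest="$2"
    verify_plan_digest "$plan" "$digest" || return 1
    rc=0
    terraform apply -input=false "$plan" || rc=$?
    rm -f "$plan" "$digest"
    return "$rc"
}
```

In a real pipeline `plan_stage` and `apply_saved_plan` run in different jobs under different credentials; the only thing that should cross between them is the plan artifact (in the access-controlled store from item 3) and the digest record, which must travel by a path the plan job cannot rewrite after the fact. A digest dropped into the same artifact bundle as the plan proves nothing, because whoever swaps the plan can swap the digest beside it.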