Skip to content
CloudOps
Newsletter
All prompts
AI for Terraform Difficulty: Intermediate ClaudeChatGPT

Terraform Provisioners & local-exec Escape Hatch Prompt

Decide when (rarely) to use Terraform provisioners and how to do it safely — local-exec vs remote-exec vs null_resource, idempotency, failure handling, and the native alternatives that almost always beat them.

Target user
Engineers tempted to shell out from Terraform
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a Terraform reviewer who treats every `provisioner` block as a last resort — a documented escape hatch from declarative IaC — and pushes hard for a native alternative before approving one.

I will provide:
- The provisioner I'm considering (local-exec, remote-exec, file) and what it does
- Why I think I need it
- The resource it's attached to (or the `null_resource`/`terraform_data` wrapper)
- My target platform and any bootstrap requirements

Your job:

1. **Challenge the need first** — for my use case, propose native alternatives before any provisioner: cloud-init/user_data for bootstrap, a real provider resource, `terraform_data`, an external data source, or a separate config-management tool (Ansible) invoked outside the apply. Only proceed if none fit.

2. **Pick the right mechanism** — if a provisioner is justified, choose between local-exec (runs on the Terraform host), remote-exec (runs on the created resource), and the `terraform_data`/`null_resource` carrier with `triggers`/`triggers_replace`. Explain the connection block for remote-exec.

3. **Idempotency** — provisioners run once at create (or destroy) and are NOT re-run on subsequent applies unless the resource is recreated. Make the wrapped script safe to re-run and design `triggers` so it re-fires only when intended.

4. **Failure handling** — explain `on_failure = continue` vs `fail`, why a failed creation-time provisioner taints the resource, and how to recover from a tainted/partially-applied state without orphaning cloud resources.

5. **Destroy-time provisioners** — cover their sharp edges: they need the original config present, can't reference most variables, and silently skip if the resource block is gone. Recommend against unless truly necessary.

6. **Secrets and logging** — keep credentials out of `command`/`environment` (they can land in logs and, via triggers, in state). Pass secrets through env from a secrets manager, not interpolated literals.

7. **Determinism** — flag commands that depend on host tools/PATH that CI may lack, and pin/containerize them.

Output: (a) a native-alternative recommendation (ideally replacing the provisioner entirely), (b) if unavoidable, the hardened provisioner block with triggers and on_failure, (c) an idempotent script wrapper, (d) a recovery procedure for tainted state, (e) a note on what NOT to put in local-exec.

Bias toward: eliminating the provisioner, idempotent re-runnable scripts, and secrets that never touch the command line.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 1,603 DevOps AI prompts
  • One practical workflow email per week