Claude Code skill · Terraform

Never ship a terraform apply that destroys prod.

Somewhere in those 80 lines of terraform plan is a -/+ on your production database, or a firewall rule opening 0.0.0.0/0. This reads the plan for you and answers one question (is this safe?) with a GO / NO-GO you can act on.

  • Zero dependencies · stdlib Python
  • CI gate with --fail-on=high
  • AWS + GCP out of the box
Plan: 8 to add, 3 to change, 1 to destroy
✗ NO-GO — 5 HIGH risks found
destroy google_sql_database_instance.main
↳ firewall ingress 0.0.0.0/0 → port 5432
↳ IAM binding grants allUsers
exit 1 · blocked the merge

Severity-ranked, with a one-line "why" for each finding.

Reads terraform show -json · AWS · GCP · pipe it in, gate CI, move on

You read the plan. It scrolls past. You apply.

The dangerous line is never the obvious one. It's a replace on a stateful resource, a public IP that wasn't there yesterday, or an IAM binding three modules deep. By the time you notice, it's applied.

destroy

a database or disk destroyed or replaced (-/+): data gone, no undo.

expose

0.0.0.0/0 ingress or a public IP slips into the diff.

over-grant

allUsers or roles/owner buried in a module.

plan → analyze → decide

Three commands to a GO / NO-GO

Export the plan

terraform plan -out=tf.plan && terraform show -json tf.plan > plan.json

Run the analyzer

python3 review-plan.py plan.json

Pure stdlib — nothing to pip install.

Gate the merge

--fail-on=high → exit 1

Drop it in CI and risky plans can't merge.
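To make the three steps concrete, here is an added example, not the product's own review-plan.py (whose rules and report format differ), that applies the three checks described above (destroy or replace of a stateful resource, world-open ingress, allUsers or owner-level grants) to a plan in `terraform show -json` shape and returns a `--fail-on`-style exit code. The resource type lists, severities, the per-provider field names and the embedded fixture plan are all assumptions; a real plan carries many more fields than the fixture shows.

```python
"""Heuristic Terraform plan review over `terraform show -json` output (stdlib only).

Added example, not the product's review-plan.py. The type lists below are
assumptions about which resources hold data; extend them for your estate.
"""
import json
import sys

# Resource types where a delete or replace (-/+) loses data (assumed list).
STATEFUL = {
    "aws_db_instance", "aws_rds_cluster", "aws_ebs_volume", "aws_dynamodb_table",
    "google_sql_database_instance", "google_compute_disk", "google_storage_bucket",
}
WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
HIGH_ROLES = {"roles/owner", "roles/editor"}
SEVERITY_RANK = {"LOW": 1, "MED": 2, "HIGH": 3}


def _ingress_ranges(rtype, after):
    """Yield (cidr, ports_label) for every ingress rule on a firewall-like resource."""
    if rtype == "google_compute_firewall":
        if (after.get("direction") or "INGRESS") != "INGRESS":
            return
        ports = ",".join(p for a in after.get("allow") or [] for p in (a.get("ports") or ["all"]))
        for cidr in after.get("source_ranges") or []:
            yield cidr, ports or "all"
    elif rtype == "aws_security_group":
        for rule in after.get("ingress") or []:
            label = f"{rule.get('from_port')}-{rule.get('to_port')}"
            for cidr in (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or []):
                yield cidr, label
    elif rtype == "aws_security_group_rule" and after.get("type") == "ingress":
        label = f"{after.get('from_port')}-{after.get('to_port')}"
        for cidr in (after.get("cidr_blocks") or []) + (after.get("ipv6_cidr_blocks") or []):
            yield cidr, label


def review(plan):
    """Walk resource_changes and return findings: dicts of severity, address, reason."""
    findings = []
    for rc in plan.get("resource_changes", []):
        addr, rtype = rc["address"], rc["type"]
        actions = rc["change"]["actions"]
        after = rc["change"].get("after") or {}
        # 1. destroy / replace of something that holds data
        if "delete" in actions and rtype in STATEFUL:
            what = "replace (-/+)" if "create" in actions else "destroy"
            findings.append({"severity": "HIGH", "address": addr,
                             "reason": f"{what} of stateful {rtype}: data gone, no undo"})
        if "delete" in actions and "create" not in actions:
            continue  # a pure delete has no 'after' state worth inspecting
        # 2. ingress from the whole internet
        for cidr, ports in _ingress_ranges(rtype, after):
            if cidr in WORLD:
                findings.append({"severity": "HIGH", "address": addr,
                                 "reason": f"ingress {cidr} -> port {ports}"})
        # 3. IAM grants to public principals or owner-level roles (GCP member/binding shape)
        members = set(after.get("members") or [])
        if after.get("member"):
            members.add(after["member"])
        public = members & PUBLIC_PRINCIPALS
        if public:
            findings.append({"severity": "HIGH", "address": addr,
                             "reason": f"IAM grant to {', '.join(sorted(public))}"})
        elif members and after.get("role") in HIGH_ROLES:
            findings.append({"severity": "MED", "address": addr,
                             "reason": f"{after['role']} granted to {', '.join(sorted(members))}"})
    return findings


def verdict(findings, fail_on="high"):
    """Exit code for a --fail-on threshold: 1 if any finding is at or above it."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings) else 0


# Constructed fixture in the shape of `terraform show -json`, trimmed to the fields used here.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "google_sql_database_instance.main", "type": "google_sql_database_instance",
         "change": {"actions": ["delete", "create"], "before": {"name": "main"}, "after": {"name": "main-v2"}}},
        {"address": "google_compute_firewall.db", "type": "google_compute_firewall",
         "change": {"actions": ["create"], "before": None,
                    "after": {"direction": "INGRESS", "source_ranges": ["0.0.0.0/0"],
                              "allow": [{"protocol": "tcp", "ports": ["5432"]}]}}},
        {"address": "google_storage_bucket_iam_member.public", "type": "google_storage_bucket_iam_member",
         "change": {"actions": ["create"], "before": None,
                    "after": {"role": "roles/storage.objectViewer", "member": "allUsers"}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"], "before": {},
                    "after": {"ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": ["10.0.0.0/8"]}]}}},
    ],
}


def load_plan(path):
    """Read plan JSON from a file, or from stdin when path is '-'."""
    if path == "-":
        return json.load(sys.stdin)
    with open(path) as fh:
        return json.load(fh)


def main(argv):
    plan = load_plan(argv[1]) if len(argv) > 1 else SAMPLE_PLAN
    findings = sorted(review(plan), key=lambda f: -SEVERITY_RANK[f["severity"]])
    for f in findings:
        print(f"[{f['severity']}] {f['address']}: {f['reason']}")
    code = verdict(findings, "high")
    print("NO-GO" if code else "GO")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to review the embedded fixture, or pipe a live plan in with `terraform show -json tf.plan | python3 plan_check.py -` (the script name is an assumption). On the fixture the private 10.0.0.0/8 rule on aws_security_group.web is ignored, while the database replace, the 0.0.0.0/0 rule to port 5432 and the allUsers grant each produce a HIGH finding, so the exit code is 1 and a CI step wired to it would block the merge.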

What it catches

Heuristic, severity-ranked HIGH → MED → LOW, each with a one-line reason.

What's in the pack

  • review-plan.py — the analyzer, pure stdlib, path arg or stdin, --json
  • rules.py — every risk rule as editable data; add your org's policies in minutes
  • --fail-on=high — the CI gate that blocks a destructive merge
  • SKILL.md — a real Claude Code skill: "review my terraform plan"
  • examples/ — a realistic AWS + GCP plan fixture and its exact report
  • INSTALL.md — install, pipe a live plan, gate CI, extend rules

one-time · yours forever

$19 · no subscription
  • Runs anywhere Python 3 runs
  • Editable rules — make them yours
  • Real GO / NO-GO + CI exit code
  • AWS + GCP coverage included
  • Free updates to this product
  • 14-day refund, no questions

A static review, not OPA/Sentinel — a fast sanity check that stops the obvious disasters.

Questions, answered

Do I need to install anything?

Just Python 3.7+. The analyzer is pure standard library — no pip install, no lockfile, nothing to vendor. Terraform CLI is only needed to generate a live plan.

Which providers does it understand?

AWS and GCP common resource types out of the box. Rules live in rules.py as plain data, so adding Azure or your own resources is a few lines.

Can it gate my CI?

Yes — --fail-on=high exits non-zero when a HIGH-severity risk is present, so a plan that would destroy prod or open a port simply can't merge.

Is GO a guarantee it's safe?

No — GO means "no obvious red flags found." It's a heuristic second pair of eyes, not a policy engine. A human still owns the apply.

Read the next plan with confidence.

Two seconds to a GO / NO-GO. Never get surprised by an apply again.
