Terraform Infrastructure as Code Review Checklist
Review Terraform or OpenTofu changes with a security, reliability, and cost lens before infrastructure hits production.
Prompt Template
You are a senior platform engineer reviewing an infrastructure-as-code pull request. Audit the following Terraform or OpenTofu changes before they are applied.

**Cloud provider:** [AWS / GCP / Azure / multi-cloud]
**Environment:** [dev / staging / production]
**Purpose of this change:** [what infra is being added or modified]
**Constraints:** [security policies, budget limits, compliance, uptime goals]

**Terraform/OpenTofu code:**

```hcl
[paste .tf files or plan output here]
```

**Current pain points or worries:** [e.g., drift, over-permissioned IAM, high cost, risky destroy actions]

Please review for:

1. **Security** — IAM least privilege, secret handling, network exposure, encryption, public access
2. **Reliability** — deletion risk, missing backups, single points of failure, rollback safety
3. **Cost** — expensive defaults, always-on resources, unnecessary overprovisioning
4. **Maintainability** — naming, module structure, variables, tagging, reuse, documentation
5. **Operational readiness** — monitoring, alerts, logs, lifecycle policies, runbooks
6. **Plan safety** — highlight any `destroy`, replacement, or state risk

Format the output as:

- 🔴 Critical risk
- 🟡 Recommended improvement
- 🟢 Good practice already present

For each issue include the affected resource, why it matters, and a concrete code-level fix. End with a merge recommendation: Safe to apply / Apply after fixes / Do not apply.
Example Output
Terraform Review Summary
🔴 Critical risk
**Resource:** `aws_s3_bucket.customer_exports`
Bucket versioning is disabled and the bucket stores customer export files. A mistaken overwrite or delete would be irreversible.
**Fix:**

```hcl
resource "aws_s3_bucket_versioning" "customer_exports" {
  bucket = aws_s3_bucket.customer_exports.id

  versioning_configuration {
    status = "Enabled"
  }
}
```
🟡 Recommended improvement
**Resource:** `aws_instance.app`
The instance type is `m6i.2xlarge` in staging with no autoscaling attached. This likely overprovisions compute and increases monthly cost.
**Suggestion:** right-size to `m6i.large` for staging or move to an autoscaling group with min/max bounds.
🟢 Good practice already present
`kms_key_id` is explicitly set on the RDS instance and tags are consistent across resources.
Merge recommendation
**Apply after fixes**. The plan is mostly solid, but versioning and staging overprovisioning should be addressed first.
Tips for Best Results
- 💡 Paste the Terraform plan output along with the code; the plan often reveals replacements you might miss in the source.
- 💡 Mention whether the change is for production; review standards should be stricter for prod than for dev sandboxes.
- 💡 Ask the AI to produce a rollback checklist if the plan includes resource replacement or deletion.
- 💡 Include your tagging and IAM conventions so the review catches policy violations, not just syntax issues.
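The checklist's "Plan safety" item and the tip about pasting the plan both come down to reading the plan rather than only the source. The script below is an added example, not code from this page or from Terraform; it runs the same checks over the JSON that `terraform show -json plan.out` (or `tofu show -json`) emits and prints findings in the template's 🔴/🟡 format. It assumes that JSON's documented shape (a top-level `resource_changes` list with `address`, `type` and `change.actions`/`change.after`, nested blocks rendered as lists, `after` null on destroy). `SAMPLE_PLAN` is constructed for the demonstration, and the merge-gating policy in `merge_recommendation` is this example's own assumption.

```python
"""Scan a Terraform/OpenTofu JSON plan for the risks in the review checklist.

Added example, not from the original page. Assumes the layout produced by
`terraform show -json plan.out`: a "resource_changes" list whose entries
carry "address", "type" and "change": {"actions": [...], "after": {...}}.
"""
import json
from typing import NamedTuple

CRITICAL = "🔴 Critical risk"
RECOMMENDED = "🟡 Recommended improvement"

# Destroying one of these loses data, not just compute; treat it as blocking.
STATEFUL_TYPES = {"aws_s3_bucket", "aws_db_instance", "aws_dynamodb_table",
                  "aws_ebs_volume", "aws_efs_file_system"}


class Finding(NamedTuple):
    severity: str
    address: str
    message: str
    blocking: bool = False  # only irreversible destroy/replace of stateful resources


def classify_actions(actions):
    """Collapse the plan's action list into one verb. Terraform encodes a
    replacement as ["delete", "create"] or ["create", "delete"]."""
    acts = set(actions)
    if {"create", "delete"} <= acts:
        return "replace"
    for verb in ("delete", "create", "update"):
        if verb in acts:
            return verb
    return "no-op"


def review_resource(rc, environment):
    """Yield Findings for one resource_changes entry."""
    addr = rc.get("address", "<unknown>")
    rtype = rc.get("type", "")
    change = rc.get("change", {})
    verb = classify_actions(change.get("actions", []))
    after = change.get("after") or {}  # null when the resource is destroyed

    # Plan safety: destroy/replace is what a source-only review misses most often.
    if verb in ("replace", "delete"):
        stateful = rtype in STATEFUL_TYPES
        yield Finding(CRITICAL if stateful else RECOMMENDED, addr,
                      f"plan will {verb} this resource", blocking=stateful)

    # Security: public bucket ACL.
    if rtype == "aws_s3_bucket_acl" and after.get("acl") in ("public-read", "public-read-write"):
        yield Finding(CRITICAL, addr, f"bucket ACL is {after['acl']}")

    # Reliability: versioning must be Enabled, not Suspended or absent (nested block = list).
    if rtype == "aws_s3_bucket_versioning":
        cfg = (after.get("versioning_configuration") or [{}])[0]
        if cfg.get("status") != "Enabled":
            yield Finding(CRITICAL, addr, "bucket versioning is not enabled")

    # Security: RDS encryption at rest and network exposure.
    if rtype == "aws_db_instance":
        if not after.get("storage_encrypted"):
            yield Finding(CRITICAL, addr, "storage_encrypted is not true")
        if after.get("publicly_accessible"):
            yield Finding(CRITICAL, addr, "publicly_accessible is true")

    # Security: ingress open to the whole internet.
    if (rtype == "aws_security_group_rule" and after.get("type") == "ingress"
            and "0.0.0.0/0" in (after.get("cidr_blocks") or [])):
        yield Finding(CRITICAL, addr, "ingress rule allows 0.0.0.0/0")

    # Cost: xlarge-class instances outside production.
    if rtype == "aws_instance" and environment != "production":
        itype = after.get("instance_type", "")
        if itype.rsplit(".", 1)[-1].endswith("xlarge"):
            yield Finding(RECOMMENDED, addr, f"{itype} in {environment}; consider right-sizing")


def review_plan(plan, environment="production"):
    return [f for rc in plan.get("resource_changes", []) for f in review_resource(rc, environment)]


def merge_recommendation(findings):
    """Assumed gating policy: a blocking finding stops the merge; anything else needs fixes first."""
    if any(f.blocking for f in findings):
        return "Do not apply"
    return "Apply after fixes" if findings else "Safe to apply"


# Constructed sample plan (not real terraform output) exercising each check.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    {"address": "aws_s3_bucket_versioning.customer_exports", "type": "aws_s3_bucket_versioning",
     "change": {"actions": ["create"], "after": {"versioning_configuration": [{"status": "Suspended"}]}}},
    {"address": "aws_instance.app", "type": "aws_instance",
     "change": {"actions": ["update"], "after": {"instance_type": "m6i.2xlarge"}}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "change": {"actions": ["delete", "create"], "after": {"storage_encrypted": True, "publicly_accessible": False}}},
    {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule",
     "change": {"actions": ["create"], "after": {"type": "ingress", "cidr_blocks": ["0.0.0.0/0"]}}},
    {"address": "aws_kms_key.rds", "type": "aws_kms_key", "change": {"actions": ["no-op"], "after": {}}},
]}

if __name__ == "__main__":
    import sys
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = review_plan(plan, "staging")
    for f in findings:
        print(f"{f.severity}  {f.address}: {f.message}")
    print("Merge recommendation:", merge_recommendation(findings))
```

Run it as `python review_plan.py plan.json` after `terraform show -json plan.out > plan.json`; with no argument it reviews the constructed sample. Keeping `blocking` separate from severity lets the script distinguish a fixable critical (versioning off) from an irreversible one (replacing a database), which is the distinction the merge recommendation at the end of the template is meant to capture.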