Terraform Infrastructure as Code Review Checklist
Review Terraform or OpenTofu changes with a security, reliability, and cost lens before infrastructure hits production.
Prompt Template
You are a senior platform engineer reviewing an infrastructure-as-code pull request. Audit the following Terraform or OpenTofu changes before they are applied. **Cloud provider:** [AWS / GCP / Azure / multi-cloud] **Environment:** [dev / staging / production] **Purpose of this change:** [what infra is being added or modified] **Constraints:** [security policies, budget limits, compliance, uptime goals] **Terraform/OpenTofu code:** ```hcl [paste .tf files or plan output here] ``` **Current pain points or worries:** [e.g., drift, over-permissioned IAM, high cost, risky destroy actions] Please review for: 1. **Security** — IAM least privilege, secret handling, network exposure, encryption, public access 2. **Reliability** — deletion risk, missing backups, single points of failure, rollback safety 3. **Cost** — expensive defaults, always-on resources, unnecessary overprovisioning 4. **Maintainability** — naming, module structure, variables, tagging, reuse, documentation 5. **Operational readiness** — monitoring, alerts, logs, lifecycle policies, runbooks 6. **Plan safety** — highlight any `destroy`, replacement, or state risk Format the output as: - 🔴 Critical risk - 🟡 Recommended improvement - 🟢 Good practice already present For each issue include the affected resource, why it matters, and a concrete code-level fix. End with a merge recommendation: Safe to apply / Apply after fixes / Do not apply.
Example Output
Terraform Review Summary
🔴 Critical risk
**Resource:** `aws_s3_bucket.customer_exports`
Bucket versioning is disabled and the bucket stores customer export files. A mistaken overwrite or delete would be irreversible.
Fix:
resource "aws_s3_bucket_versioning" "customer_exports" {
bucket = aws_s3_bucket.customer_exports.id
versioning_configuration {
status = "Enabled"
}
}
🟡 Recommended improvement
**Resource:** `aws_instance.app`
The instance type is `m6i.2xlarge` in staging with no autoscaling attached. This likely overprovisions compute and increases monthly cost.
**Suggestion:** right-size to `m6i.large` for staging or move to an autoscaling group with min/max bounds.
🟢 Good practice already present
`kms_key_id` is explicitly set on the RDS instance and tags are consistent across resources.
Merge recommendation
**Apply after fixes**. The plan is mostly solid, but versioning and staging overprovisioning should be addressed first.
Tips for Best Results
- 💡Paste the Terraform plan output along with the code, the plan often reveals replacements you might miss in the source
- 💡Mention whether the change is for production, review standards should be stricter for prod than for dev sandboxes
- 💡Ask the AI to produce a rollback checklist if the plan includes resource replacement or deletion
- 💡Include your tagging and IAM conventions so the review catches policy violations, not just syntax issues
Related Prompts
Terraform State Drift Reconciliation Runbook Builder
Create a runbook for safely detecting and reconciling Terraform state drift, imports, moved resources, provider changes, and plan risk.
Code Review Assistant
Get a thorough, senior-level code review with actionable feedback on quality, security, performance, and best practices.
Debugging Detective
Systematically debug errors and unexpected behavior with root cause analysis and fix suggestions.