Terraform Plan Risk Viewer

Classify Terraform plan changes by risk level, highlighting destructive operations on sensitive resources

Paste the JSON output from terraform show -json or terraform plan -json

What is the Terraform Plan Risk Viewer?

The Terraform Plan Risk Viewer parses your terraform plan JSON output and classifies every resource change by risk level. It highlights destructive operations — deletions and replacements — on sensitive resources like IAM roles, Security Groups, RDS instances, S3 buckets, and KMS keys, giving you a clear risk summary before you run terraform apply.

How to Use

  1. Generate plan JSON: terraform plan -out=plan.tfplan && terraform show -json plan.tfplan
  2. Paste the JSON output into the input field
  3. Review the color-coded risk breakdown (Critical, High, Medium, Low)
  4. Pay attention to destructive operations on sensitive resources
  5. Use the summary to make an informed decision about applying changes

Example: Terraform Plan JSON

This is what a typical Terraform plan JSON structure looks like:

{
  "format_version": "1.2",
  "terraform_version": "1.5.7",
  "resource_changes": [
    {
      "address": "aws_security_group.web",
      "type": "aws_security_group",
      "name": "web",
      "change": { "actions": ["delete", "create"] }
    },
    {
      "address": "aws_instance.app",
      "type": "aws_instance",
      "name": "app",
      "change": { "actions": ["update"] }
    },
    {
      "address": "aws_s3_bucket.logs",
      "type": "aws_s3_bucket",
      "name": "logs",
      "change": { "actions": ["create"] }
    }
  ]
}

Risk Level Classification

  • Critical — Destructive operations (delete/replace) on sensitive resources: IAM, Security Groups, RDS, S3, KMS
  • High — Destructive operations on non-sensitive resources, or updates to sensitive resources
  • Medium — Updates to non-sensitive resources
  • Low — New resource creation. Generally safe, but note that the classification looks only at the action and the resource type, not at what is being created: a new security group rule open to 0.0.0.0/0 or a new IAM policy with broad permissions is still Low here and still deserves a look

Sensitive Resource Types

The following AWS resource types are classified as sensitive due to the potential blast radius of destructive changes:

  • IAM — aws_iam_* (roles, policies, users, groups)
  • Security Groups — aws_security_group* (network access controls)
  • RDS — aws_db_instance, aws_rds_cluster (databases)
  • S3 — aws_s3_bucket* (object storage)
  • KMS — aws_kms_* (encryption keys)
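The rules in the Risk Level Classification and Sensitive Resource Types lists above, applied to plan JSON of the shape shown earlier, as an added example written for this page (it is not the viewer's own code). The matrix and the sensitive-type list follow the page; the function names and the embedded SAMPLE_PLAN are illustrative, and the sample is constructed rather than taken from a real plan. It also handles the create_before_destroy form of a replacement, which the page's JSON example does not show:

```python
"""Risk-classify the resource_changes of a `terraform show -json plan.tfplan` document.

Added example, not the viewer's own code. The classification rules and the
sensitive-type list follow the page; the function names and the embedded
SAMPLE_PLAN are illustrative (the sample is constructed, not a real plan).
"""
import json
import sys
from collections import Counter
from typing import Dict, List, Optional

# Sensitive families from the page: exact names for RDS, prefixes for the
# wildcard families aws_iam_*, aws_security_group*, aws_s3_bucket*, aws_kms_*.
SENSITIVE_EXACT = {"aws_db_instance", "aws_rds_cluster"}
SENSITIVE_PREFIXES = ("aws_iam_", "aws_security_group", "aws_s3_bucket", "aws_kms_")

RISK_ORDER = ["Critical", "High", "Medium", "Low"]


def is_sensitive(resource_type: str) -> bool:
    return resource_type in SENSITIVE_EXACT or resource_type.startswith(SENSITIVE_PREFIXES)


def change_kind(actions: List[str]) -> str:
    """Collapse the plan's actions list into one kind.

    A replacement is ["delete", "create"] (destroy first) or ["create", "delete"]
    (lifecycle create_before_destroy); both orderings are treated as replace.
    """
    acts = set(actions)
    if {"delete", "create"} <= acts:
        return "replace"
    if "delete" in acts:
        return "delete"
    if "update" in acts:
        return "update"
    if "create" in acts:
        return "create"
    return "no-op"  # ["no-op"] and ["read"] do not modify the target account


def risk_level(kind: str, sensitive: bool) -> Optional[str]:
    """The page's matrix: change kind x resource sensitivity -> risk level."""
    if kind in ("delete", "replace"):
        return "Critical" if sensitive else "High"
    if kind == "update":
        return "High" if sensitive else "Medium"
    if kind == "create":
        return "Low"
    return None  # nothing to review


def classify_plan(plan: dict) -> List[Dict[str, str]]:
    findings = []
    for rc in plan.get("resource_changes", []):
        kind = change_kind(rc["change"]["actions"])
        level = risk_level(kind, is_sensitive(rc["type"]))
        if level is None:
            continue
        findings.append({"address": rc["address"], "type": rc["type"],
                         "action": kind, "risk": level})
    findings.sort(key=lambda f: RISK_ORDER.index(f["risk"]))  # most severe first
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    counts = Counter(f["risk"] for f in findings)
    return {level: counts.get(level, 0) for level in RISK_ORDER}


def highest_risk(findings: List[Dict[str, str]]) -> Optional[str]:
    return findings[0]["risk"] if findings else None


# Constructed sample: the page's three changes plus cases for every other rule,
# including a create_before_destroy replacement of a KMS key and a no-op.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "terraform_version": "1.5.7",
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group", "name": "web",
         "change": {"actions": ["delete", "create"]}},
        {"address": "aws_instance.app", "type": "aws_instance", "name": "app",
         "change": {"actions": ["update"]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
         "change": {"actions": ["create"]}},
        {"address": "aws_iam_role.deploy", "type": "aws_iam_role", "name": "deploy",
         "change": {"actions": ["delete"]}},
        {"address": "aws_kms_key.data", "type": "aws_kms_key", "name": "data",
         "change": {"actions": ["create", "delete"]}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance", "name": "main",
         "change": {"actions": ["update"]}},
        {"address": "aws_instance.legacy", "type": "aws_instance", "name": "legacy",
         "change": {"actions": ["delete"]}},
        {"address": "aws_vpc.main", "type": "aws_vpc", "name": "main",
         "change": {"actions": ["no-op"]}},
    ],
}


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = classify_plan(plan)
    for f in findings:
        print(f"{f['risk']:<8} {f['action']:<7} {f['address']}")
    print(summarize(findings))
    # Non-zero exit on Critical so the script can gate an apply step in CI.
    return 1 if highest_risk(findings) == "Critical" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to classify the embedded sample, or as `python3 plan_risk.py plan.json` against the output of `terraform show -json plan.tfplan`. The non-zero exit on a Critical finding is what makes this usable as a pipeline gate; the viewer itself only reports, it does not block.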

Best Practices for Terraform Plan Review

  • Always run terraform plan before apply and review changes carefully
  • Pay special attention to replace operations — they destroy and recreate resources
  • Use lifecycle prevent_destroy on critical resources to guard against accidental deletion
  • Use -target only as an exceptional measure to narrow a risky apply; it leaves the rest of the configuration unapplied and is not a substitute for reviewing the full plan
  • Enable deletion_protection on RDS instances and clusters; for S3 buckets, keep force_destroy at its default of false so Terraform refuses to delete a bucket that still contains objects
  • Use a backend that supports state locking (for example S3 with DynamoDB locking) so that concurrent plans and applies against the same state are rejected rather than racing each other

Privacy and Security

All analysis happens entirely in your browser using JavaScript. Your Terraform plan JSON — which may contain resource addresses, infrastructure details, and configuration values — is never transmitted to any server. No data is stored, logged, or shared. Treat the plan file and its JSON with the same care as your state file regardless: they carry the full before and after attribute values of every resource, and values marked sensitive in the configuration are only flagged in before_sensitive/after_sensitive, not redacted.

Frequently Asked Questions

What does the Terraform Plan Risk Viewer do?

The Plan Risk Viewer parses Terraform plan JSON output and classifies every resource change by risk level. It highlights destructive operations (delete, replace) on sensitive resources like IAM roles, Security Groups, RDS instances, S3 buckets, and KMS keys, giving you a clear risk summary before you apply changes.

How are risk levels determined?

Risk classification combines the action type with resource sensitivity. Destructive operations (delete/replace) on sensitive resources (IAM, Security Groups, RDS, S3, KMS) are Critical. Destructive operations on other resources or updates to sensitive resources are High. Updates to non-sensitive resources are Medium. New resource creation is Low risk.

What format does the input need to be in?

The tool expects the plan representation produced by 'terraform show -json <planfile>': a single JSON document whose resource_changes array lists each resource with its change.actions. Note that 'terraform plan -json' produces a different format, a stream of newline-delimited JSON messages (types such as version, planned_change and change_summary) with a single action word per resource; its planned_change entries have to be reshaped into a resource_changes array before they can be pasted.

Is my Terraform plan data sent to any server?

No. All analysis happens entirely in your browser using JavaScript. Your plan data — which may contain resource addresses, configuration values, and infrastructure details — never leaves your device. No data is stored, logged, or transmitted.

Which resources are considered sensitive?

The viewer treats the following AWS resource types as sensitive: IAM resources (aws_iam_*), Security Groups (aws_security_group*), RDS instances and clusters (aws_db_instance, aws_rds_cluster), S3 buckets (aws_s3_bucket*), and KMS resources (aws_kms_*). Destructive operations on these resources are flagged as critical risk.

What is the difference between delete and replace?

A delete action removes a resource entirely. A replace action destroys the existing resource and creates a new one; it happens when Terraform cannot update a resource in place because a changed attribute is immutable (the plan JSON lists the attributes that forced it under change.replace_paths). In the plan JSON it appears as ['delete', 'create'] by default, or as ['create', 'delete'] when the resource sets lifecycle create_before_destroy, so both orderings should be read as a replacement. Both delete and replace are classified as destructive operations.

What is the maximum input size supported?

The viewer accepts plan JSON up to 2MB. Files between 200KB and 2MB will show a warning that processing may be slow. For typical Terraform plans, analysis is instant.

How do I generate Terraform plan JSON?

Run 'terraform plan -out=plan.tfplan' to save the plan, then 'terraform show -json plan.tfplan' to convert it to JSON. 'terraform plan -json' is not the same format: it streams one JSON message per line (version, planned_change, change_summary, diagnostics) for machine consumption, so the planned_change entries must be extracted and reshaped into a resource_changes array before the viewer can read them.
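The reshaping step mentioned in the two FAQ answers on input format and on generating plan JSON, as an added example written for this page (not the viewer's own code): it reads the 'terraform plan -json' message stream, keeps only the planned_change messages, and emits a resource_changes document of the kind 'terraform show -json' produces. The sample lines are constructed to match the shape of Terraform's machine-readable UI messages; only the fields the code reads (type, terraform, change.action, change.resource.addr, resource_type and resource_name) are relied on, and the output deliberately omits before/after values, which the stream does not carry.

```python
"""Reshape the `terraform plan -json` message stream into a resource_changes document.

Added example, not the viewer's own code. SAMPLE_STREAM is constructed to match the
shape of Terraform's machine-readable UI messages; the resulting document contains
only addresses, types and actions (no before/after values).
"""
import json
import sys
from typing import Dict, Iterable, Iterator, List

# The stream carries one action word per resource; map it onto the actions list
# used by `terraform show -json`. The stream does not say which order Terraform
# chose for a replacement, so the default delete-before-create form is emitted.
ACTION_TO_ACTIONS = {
    "create": ["create"],
    "update": ["update"],
    "delete": ["delete"],
    "replace": ["delete", "create"],
    "read": ["read"],
    "noop": ["no-op"],
}


def messages(lines: Iterable[str]) -> Iterator[dict]:
    """Yield each JSON message, skipping blank or non-JSON lines defensively."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def stream_to_plan(lines: Iterable[str]) -> Dict[str, object]:
    version = "unknown"
    changes: List[dict] = []
    for msg in messages(lines):
        kind = msg.get("type")
        if kind == "version":
            version = msg.get("terraform", version)
        elif kind == "planned_change":
            change = msg["change"]
            actions = ACTION_TO_ACTIONS.get(change["action"])
            if actions is None:
                continue  # actions such as import/move are not modelled here
            res = change["resource"]
            changes.append({
                "address": res["addr"],
                "type": res["resource_type"],
                "name": res["resource_name"],
                "change": {"actions": actions},
            })
    return {"format_version": "1.2", "terraform_version": version,
            "resource_changes": changes}


def _sample_message(addr: str, resource_type: str, name: str, action: str) -> str:
    """Build one constructed planned_change line (sample data only)."""
    return json.dumps({
        "@level": "info",
        "@message": f"{addr}: Plan to {action}",
        "@module": "terraform.ui",
        "@timestamp": "2024-05-01T10:00:00.000000Z",
        "change": {
            "resource": {"addr": addr, "module": "", "resource": addr,
                         "implied_provider": addr.split("_", 1)[0],
                         "resource_type": resource_type, "resource_name": name,
                         "resource_key": None},
            "action": action,
        },
        "type": "planned_change",
    })


# Constructed stream: a version message, the page's three changes, and the
# closing change_summary (a replace counts as one add and one destroy).
SAMPLE_STREAM = [
    json.dumps({"@level": "info", "@message": "Terraform 1.5.7", "@module": "terraform.ui",
                "@timestamp": "2024-05-01T10:00:00.000000Z", "terraform": "1.5.7",
                "type": "version", "ui": "1.1"}),
    _sample_message("aws_security_group.web", "aws_security_group", "web", "replace"),
    _sample_message("aws_instance.app", "aws_instance", "app", "update"),
    _sample_message("aws_s3_bucket.logs", "aws_s3_bucket", "logs", "create"),
    json.dumps({"@level": "info", "@message": "Plan: 2 to add, 1 to change, 1 to destroy.",
                "@module": "terraform.ui", "@timestamp": "2024-05-01T10:00:01.000000Z",
                "changes": {"add": 2, "change": 1, "import": 0, "remove": 1,
                            "operation": "plan"},
                "type": "change_summary"}),
]


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_STREAM
    print(json.dumps(stream_to_plan(source), indent=2))
```

Typical use is `terraform plan -json | python3 stream_to_plan.py > plan.json`; run with no piped input it converts the embedded sample. Because the stream never includes attribute values, the resulting document is suitable for the action-and-type classification the viewer performs but not for any review of what the attribute changes actually are; for that, use `terraform show -json` on a saved plan file.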