Use when analyzing Terraform plan output for security, cost, and operational impact — parses terraform plan JSON to surface destructive changes, IAM modifications, cost-impacting resources, and drift before apply
From the shield plugin (install: npx claudepluginhub infraspecdev/tesseract --plugin shield). This skill uses the workspace's default tool permissions.
Supporting files: reference-tables.md, templates.md
Analyzes terraform plan -json output to surface security-sensitive changes, cost-impacting resources, destructive actions, and drift before terraform apply. Complements static code review by showing what will actually change.
Core principle: Review the plan, not just the code. Static analysis catches bad patterns; plan analysis catches bad outcomes.
Never run: terraform apply on any environment.
Cannot proceed when: terraform init has not been run and no plan JSON is available.
Workflow: Detect Plan Source -> Parse Plan JSON -> Analyze Changes -> Write Report -> Present Summary
Plan source priority: user-provided JSON > existing .tfplan file (convert via terraform show -json) > generate via terraform plan -json -lock=false (requires .terraform/). If none available, prompt user to run terraform init or provide CI output.
Never run terraform apply: this skill is read-only and uses only plan and show commands.
Always pass -lock=false: the analysis must not acquire the state lock.
Ask the user before running terraform plan.
Detect Plan Source: locate plan data using the priority from the Workflow section above. Ask the user before generating a new plan.
Parse Plan JSON: extract resource changes, output changes, and diagnostics. The format differs between streamed plan -json (one line-delimited message per event, selected by its type field; planned_change and resource_drift messages carry only the resource address and action, not attribute values) and show -json (a single object with resource_changes[] and resource_drift[], each entry carrying before/after values). See reference-tables.md for message types and extraction details.
Analyze Changes: five analysis passes: change summary (by action type), destructive action warnings (risk-classified), security-sensitive changes (IAM/network/encryption/public access), cost-impacting changes (with estimates), and drift detection. Drift entries are out-of-band changes and must be reported separately from planned changes. See reference-tables.md for all classifications and thresholds.
Write Report: write to claude/infra-review/plan-analysis.md. Include all analysis sections plus a verdict (Safe to Apply / Review Required / Do Not Apply). See templates.md for format and reference-tables.md for verdict criteria.
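The parse and analyze steps above, as an added example that is not part of the tesseract skill: it detects which of the two plan JSON shapes it has been given, normalises both into one list of changes, and runs the change-summary, destructive, security-sensitive (IAM and public ingress) and drift passes over it. The risk classifications, the verdict rule and the two sample plans are assumptions standing in for the skill's reference-tables.md; the cost pass is omitted because it needs pricing data the page does not supply.

```python
"""Parse both Terraform plan JSON shapes and run the destructive / security / drift passes.
Added example, not the skill's own code; classifications and verdict rule are assumed."""
import json
from collections import Counter

# Assumed classifications (the skill keeps its real ones in reference-tables.md).
HIGH_RISK_TYPES = {"aws_db_instance", "aws_rds_cluster", "aws_dynamodb_table",
                   "aws_s3_bucket", "aws_kms_key", "aws_ebs_volume"}
IAM_PREFIXES = ("aws_iam_", "google_project_iam", "azurerm_role_assignment")
NETWORK_TYPES = {"aws_security_group", "aws_security_group_rule",
                 "aws_vpc_security_group_ingress_rule"}
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def normalise_action(actions):
    """['delete','create'] and ['create','delete'] (create_before_destroy) are both a replace."""
    return "replace" if {"create", "delete"} <= set(actions) else actions[0]


def parse_show_json(doc):
    """`terraform show -json`: one object; resource_changes[] and resource_drift[] carry values."""
    changes = []
    for key, is_drift in (("resource_changes", False), ("resource_drift", True)):
        for rc in doc.get(key, []):
            ch = rc["change"]
            changes.append({"address": rc["address"], "type": rc["type"],
                            "action": normalise_action(ch["actions"]),
                            "after": ch.get("after"), "drift": is_drift})
    return changes, []  # show -json carries no diagnostics


def parse_stream_json(text):
    """`terraform plan -json`: one message per line; planned_change/resource_drift have no values."""
    changes, diagnostics = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        msg = json.loads(line)
        kind = msg.get("type")
        if kind in ("planned_change", "resource_drift"):
            res = msg["change"]["resource"]
            changes.append({"address": res["addr"], "type": res["resource_type"],
                            "action": msg["change"]["action"], "after": None,
                            "drift": kind == "resource_drift"})
        elif kind == "diagnostic":
            diagnostics.append(f'{msg["diagnostic"]["severity"]}: {msg["diagnostic"]["summary"]}')
    return changes, diagnostics


def load_plan(text):
    """A single object with resource_changes is show -json; anything else is the stream."""
    try:
        doc = json.loads(text)
        if isinstance(doc, dict) and "resource_changes" in doc:
            return parse_show_json(doc)
    except json.JSONDecodeError:
        pass
    return parse_stream_json(text)


def opens_to_world(after):
    """True if planned ingress allows 0.0.0.0/0 or ::/0; needs show -json values, else False."""
    if not isinstance(after, dict):
        return False
    rules = [after] if "cidr_blocks" in after else after.get("ingress") or []
    return any(PUBLIC_CIDRS & set((r.get("cidr_blocks") or []) + (r.get("ipv6_cidr_blocks") or []))
               for r in rules)


def analyse(changes):
    """Summary by action, risk-classified destructive actions, IAM/public-ingress changes, drift."""
    report = {"summary": Counter(), "destructive": [], "security": [], "drift": []}
    for c in changes:
        if c["drift"]:  # out-of-band change: surface it, never count it as planned
            report["drift"].append(c["address"])
            continue
        if c["action"] in ("no-op", "read"):
            continue
        report["summary"][c["action"]] += 1
        if c["action"] in ("delete", "replace"):
            risk = "high" if c["type"] in HIGH_RISK_TYPES else "medium"
            report["destructive"].append((c["address"], c["action"], risk))
        if c["type"].startswith(IAM_PREFIXES):
            report["security"].append((c["address"], "iam"))
        if c["type"] in NETWORK_TYPES and opens_to_world(c["after"]):
            report["security"].append((c["address"], "public-ingress"))
    # Assumed verdict rule: a high-risk destroy blocks; anything else notable needs review.
    if any(risk == "high" for _, _, risk in report["destructive"]):
        report["verdict"] = "Do Not Apply"
    elif report["destructive"] or report["security"] or report["drift"]:
        report["verdict"] = "Review Required"
    else:
        report["verdict"] = "Safe to Apply"
    return report


def analyse_text(text):
    changes, diagnostics = load_plan(text)
    report = analyse(changes)
    report["diagnostics"] = diagnostics
    return report


# Constructed sample of `terraform show -json` output (not from real infrastructure).
SHOW_SAMPLE = json.dumps({"format_version": "1.2", "resource_changes": [
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "change": {"actions": ["delete", "create"], "before": {}, "after": {"instance_class": "db.t3.large"}}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["update"], "before": {},
                "after": {"ingress": [{"from_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_iam_role_policy.admin", "type": "aws_iam_role_policy",
     "change": {"actions": ["create"], "before": None, "after": {}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["no-op"], "before": {}, "after": {}}}],
    "resource_drift": [{"address": "aws_instance.bastion", "type": "aws_instance",
     "change": {"actions": ["update"], "before": {}, "after": {"instance_type": "t3.small"}}}]})

# Constructed sample of streamed `terraform plan -json` output (one message per line).
STREAM_SAMPLE = "\n".join(json.dumps(m) for m in [
    {"@level": "info", "@message": "Terraform 1.9.0", "type": "version"},
    {"@level": "info", "@message": "aws_security_group.web: Drift detected (update)", "type": "resource_drift",
     "change": {"resource": {"addr": "aws_security_group.web", "resource_type": "aws_security_group"},
                "action": "update"}},
    {"@level": "info", "@message": "aws_iam_policy.ci: Plan to delete", "type": "planned_change",
     "change": {"resource": {"addr": "aws_iam_policy.ci", "resource_type": "aws_iam_policy"},
                "action": "delete"}},
    {"@level": "warn", "@message": "Warning: Deprecated attribute", "type": "diagnostic",
     "diagnostic": {"severity": "warning", "summary": "Deprecated attribute", "detail": ""}},
    {"@level": "info", "@message": "Plan: 0 to add, 0 to change, 1 to destroy.", "type": "change_summary",
     "changes": {"add": 0, "change": 0, "remove": 1, "operation": "plan"}}])

if __name__ == "__main__":
    for sample in (SHOW_SAMPLE, STREAM_SAMPLE):
        print(json.dumps(analyse_text(sample), indent=2))
```

Note the asymmetry the two samples expose: the streamed form can flag that a security group changed but cannot tell whether it now opens port 22 to the world, because planned_change messages carry no attribute values. When the plan comes from CI as a stream and the security pass matters, convert the saved .tfplan with terraform show -json instead.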
| Mistake | Why It Fails | Do Instead |
|---|---|---|
| Running terraform apply | Causes real infrastructure changes | Only use plan and show commands |
| Omitting -lock=false | Blocks other operations by holding the state lock | Always pass -lock=false |
| Skipping the report when there are no changes | No record that the analysis was performed | Write a report documenting "no changes" |
| Treating all destroys equally | Destroying a security group differs from destroying a database | Use the risk-level classifications from reference-tables.md |
| Ignoring drift entries | Out-of-band changes may conflict with the plan | Always surface drift with its likely cause |