Claude/ChatGPT Prompt to Build a Terraform CI/CD Plan-Review Pipeline

What this prompt does

This prompt frames the model as a senior DevOps engineer designing a Terraform CI/CD pipeline as a GitHub Actions workflow -- a working YAML file with least-privilege auth, not a sketch. You set [aws_auth_method], [state_backend], [approval_gate], and [notify_channel], and it returns a PR plan job, keyless AWS auth, a gated apply job, concurrency control, plan-artifact passing, and notifications.

The structure works because the rule is that nobody applies from their laptop -- the pipeline owns the credentials. [aws_auth_method] (typically GitHub OIDC assuming an IAM role) eliminates long-lived keys, and the prompt also returns the IAM trust policy for it. [approval_gate] controls what must happen before apply runs, and [state_backend] provides the lock during apply. Plan/apply artifact passing ensures apply runs the exact reviewed plan rather than re-planning, which is what makes the review meaningful instead of a rubber stamp on a plan that changes before it runs.

When to use it

• You want plan-on-PR with apply gated behind review, not applies from laptops.
• You need keyless AWS auth via OIDC so there are zero static keys lying around.
• You want the IAM trust policy generated alongside the workflow.
• You need concurrency control so two applies never run against the same state.
• You want the apply job to run the exact reviewed plan, not re-plan.
• You want apply success/failure announced to a chat channel.
• You want fmt and validate running on every PR before any plan is even posted.

Example output

You get the complete .github/workflows YAML: a PR job running terraform fmt, validate, and plan and posting the plan as a PR comment; AWS auth via your chosen method with no long-lived credentials; an apply job gated on your approval gate and merge to main with a state lock; concurrency control; artifact passing so apply uses the reviewed plan; and notifications to your channel. The IAM trust policy for the auth method is included too, so the auth side is wired and not left as an exercise.

Pro tips

• Use [aws_auth_method] as OIDC assuming an IAM role so there are no static AWS keys in the pipeline.
• Set [approval_gate] to a real protected-environment reviewer step so apply can't run unreviewed.
• Match [state_backend] to your locking setup (S3 + DynamoDB lock table) so applies serialize safely.
• Don't skip artifact passing -- if apply re-plans instead of running the reviewed plan, your review meant nothing.
• Point [notify_channel] at the channel your team actually watches so failed applies get noticed.
• Confirm concurrency control is wired so two merges can't apply against the same state at once.
• Have the PR job post the terraform plan as a comment so reviewers see the diff without opening logs.