Terraform plan risk explainer — reads `terraform plan` and classifies each change as safe/review/dangerous/irreversible. Pre-MVP namespace placeholder.
Project description
readtheplan
Read the plan. Every time. For real.
readtheplan is a Terraform plan risk explainer. It reads terraform plan output, classifies each change as safe / review / dangerous / irreversible based on the action × resource type × what compliance context it touches, and posts a markdown summary your release manager (or auditor, or AI agent) can read in 30 seconds.
status
🚧 Pre-MVP. This namespace is locked but no functional release exists yet. Watch / star to follow.
why this exists
Terraform's plan/apply separation exists so a human reviews changes before they hit prod. In practice:
- the diff in code ≠ the diff in plan (renames show as destroy+create, provider bumps mutate untouched resources, `apply_immediately` flips have hidden timing implications)
- AI agents now write Terraform PRs — most don't read the plan critically, they apply because "the test passed"
- compliance reviewers (FinServ, healthcare, government) need a structured risk classification, not a 4,000-line text blob
- existing tools either show prettier plans (Spacelift, env0) or scan code for policy violations (tflint, tfsec, checkov). Nobody opinionates the plan diff with blast-radius context.
philosophy
Anchored in this field note: terraform-apply-is-roulette. If you've ever shipped a panic on terraform validate or watched a forward-fix cascade into a longer outage, this tool is built for you.
planned MVP scope
- CLI: `readtheplan analyze plan.json` → markdown table of changes with risk levels
- plain-English explainer per resource type (top ~30 high-risk patterns covered out of the box: KMS, IAM, RDS replacements, S3 bucket destroys, EKS node-group replacements, route53 zone deletes, network ACL strips)
- AI-agent attestation header — flag whether an agent claims to have read the plan
- GitHub Action wrapper: install as `uses: readtheplan/action@v1`, posts a markdown PR comment
- YAML rule customization: define org-specific rules ("anything in account 1234 is `review`")
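A minimal sketch of the action × resource type classification described above, added here as an example; it is not readtheplan's code (no functional release exists), and the rule sets, level assignments and function names are assumptions. It reads the `resource_changes` array that `terraform show -json` emits and uses a constructed sample plan when no file is given.

```python
import json
import sys

# Illustrative rule sets (assumptions, not the project's rules). Resource types
# follow the README's high-risk list; the mapping to levels is a sketch.
STATEFUL = {"aws_kms_key", "aws_db_instance", "aws_s3_bucket", "aws_route53_zone"}
SENSITIVE = {"aws_iam_role", "aws_iam_policy", "aws_network_acl", "aws_eks_node_group"}

def classify(rc):
    """Return a risk level for one resource_changes entry, or None if nothing changes."""
    actions, rtype = rc["change"]["actions"], rc["type"]
    if actions in (["no-op"], ["read"]):
        return None
    if "delete" in actions:  # plain delete, or replace (delete+create / create+delete)
        return "irreversible" if rtype in STATEFUL else "dangerous"
    if rtype in STATEFUL or rtype in SENSITIVE:
        return "review"      # create or in-place update on a sensitive type
    return "safe"

def render(plan):
    """Build the markdown table of changed resources with their risk level."""
    rows = ["| Resource | Actions | Risk |", "|---|---|---|"]
    for rc in plan.get("resource_changes", []):
        risk = classify(rc)
        if risk:
            acts = "+".join(rc["change"]["actions"])
            rows.append(f"| `{rc['address']}` | {acts} | {risk} |")
    return "\n".join(rows)

def _rc(address, actions):
    # Helper for the constructed sample only; real plans carry "type" themselves.
    return {"address": address, "type": address.split(".")[0],
            "change": {"actions": actions}}

# Constructed sample in the shape of `terraform show -json` output.
# The first two entries model a rename: the plan shows a destroy plus a create.
SAMPLE_PLAN = {"resource_changes": [
    _rc("aws_s3_bucket.logs", ["delete"]),
    _rc("aws_s3_bucket.audit_logs", ["create"]),
    _rc("aws_eks_node_group.workers", ["delete", "create"]),
    _rc("aws_iam_role.deploy", ["update"]),
    _rc("aws_cloudwatch_log_group.app", ["create"]),
    _rc("aws_vpc.main", ["no-op"]),
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    print(render(plan))
```
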
what's not in scope (and won't be)
- multi-cloud beyond AWS (initial focus)
- a SaaS dashboard (defer until revenue justifies)
- a policy-as-code engine (OPA / Sentinel already exist)
- competing with Spacelift / env0 / Snyk IaC on overlapping features
license
MIT — see LICENSE.
contact
OSS contributions welcome once v0.1 lands. Until then, this is a namespace placeholder. Author: @texasich.
File details
Details for the file readtheplan-0.0.1.tar.gz.
File metadata
- Download URL: readtheplan-0.0.1.tar.gz
- Upload date:
- Size: 3.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1df9d89aae7f492cae09529bdf9bd20e9deac302047c5c61f8ee47b4e2db8cca |
| MD5 | 34a69d41960c9b788a81a450ac8e8b21 |
| BLAKE2b-256 | 2d506bc439feff118e577012801296c4f242e045d747485d61a841de7c947e14 |
File details
Details for the file readtheplan-0.0.1-py3-none-any.whl.
File metadata
- Download URL: readtheplan-0.0.1-py3-none-any.whl
- Upload date:
- Size: 3.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 62a2fe8c09a5bf62d01296be9e8555c2d3f646a1129db019b66d511eb5ecda29 |
| MD5 | 0e1f8904975ebc1eec2ce6a00f8188a7 |
| BLAKE2b-256 | e0af091872b5f609305536b5a2a31bf8252d702fa7743158a316d53b90d87cfa |