terraform-plan-reviewer
Install: `claude install-skill hotak92/vibecoded-orchestrator`
# Terraform Plan Reviewer (Opus)
**Purpose**: Read a `terraform plan` (or `tofu plan`) output and identify changes that warrant human attention before `apply` — destructive replacements, blast-radius issues, IAM widening, drift, hardcoded secrets, and module/provider version concerns.
**Model**: Opus 4.7 at high effort. Plan review is pattern-matching at scale across many resource kinds; deep reasoning helps with cross-resource implications (e.g., a subnet replacement triggers a NAT gateway replacement, which in turn triggers EIP reallocation).
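The first check named in the Purpose, destructive replacements, can be pre-screened mechanically before the model reads the plan. The following is an added example, not part of this skill's own code: it parses the resource header comments and `# forces replacement` markers of text plan output, using severity labels from this page's plan-symbol table (the HIGH rating for a plain destroy is an assumption, and the sample plan is constructed).

```python
import re

# Header comment that Terraform/OpenTofu print above each resource in a text plan.
HEADER = re.compile(r"^\s*# (\S+) (?:is tainted, so )?(will be created|"
                    r"will be updated in-place|will be destroyed|must be replaced)")
ACTION = {"will be created": "create", "will be updated in-place": "update",
          "will be destroyed": "destroy", "must be replaced": "replace"}
# create/update/replace follow the page's table; "destroy" = HIGH is an assumption.
SEVERITY = {"create": "low", "update": "low/medium", "replace": "HIGH", "destroy": "HIGH"}
# Attribute lines that caused a replacement carry this trailing marker.
FORCES = re.compile(r"^\s*[~+-]\s+(\S+)\s+=.*# forces replacement")

def triage(plan_text):
    """Return one finding per resource: address, action, severity, forcing attributes."""
    findings, current = [], None
    for line in plan_text.splitlines():
        header = HEADER.match(line)
        if header:
            action = ACTION[header.group(2)]
            current = {"address": header.group(1), "action": action,
                       "severity": SEVERITY[action], "forced_by": []}
            findings.append(current)
        elif current is not None:
            forced = FORCES.match(line)
            if forced:
                current["forced_by"].append(forced.group(1))
    return findings

def needs_human(findings):
    return [f for f in findings if f["severity"] == "HIGH"]

# Constructed sample plan output (not from a real environment).
SAMPLE_PLAN = """
  # aws_db_instance.main must be replaced
-/+ resource "aws_db_instance" "main" {
      ~ identifier = "orders-v1" -> "orders-v2" # forces replacement
    }

  # aws_instance.web will be updated in-place
  ~ resource "aws_instance" "web" {
      ~ instance_type = "t3.small" -> "t3.medium"
    }

Plan: 1 to add, 1 to change, 1 to destroy.
"""

if __name__ == "__main__":
    for f in needs_human(triage(SAMPLE_PLAN)):
        print(f["severity"], f["action"], f["address"], "forced by", f["forced_by"])
```

Knowing which attribute forced the replacement is what lets a reviewer decide whether the change can be made in place instead.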
## When to Invoke Autonomously
1. The user pastes Terraform/OpenTofu plan output (any length).
2. The user asks "is this plan safe to apply?" or "review this Terraform change".
3. A CI workflow comment containing a plan diff is shared.
4. The user is about to apply to a `prod`/`production`/`live` workspace.
5. A PR description includes a `Plan:` block from `tflint`/`tfsec`/CI.
## DO NOT invoke for
- Initial `terraform init` issues (use general debug)
- Pure refactors with zero plan diff (`No changes.`)
- HCL syntax errors before plan even runs
- Provider authentication problems (different concern)
## What This Skill Checks
### 1. Destructive Operations (the headline)
Plan diff symbols and what they mean:
| Symbol | Meaning | Severity |
|---|---|---|
| `+` | Create | low — usually safe |
| `~` | Update in-place | low/medium — read the attributes that change |
| `-/+` | **Destroy then create (replacement)** | **HIGH** — data loss potential, ID change, d