Analyze and explain Terraform plan output. Understand infrastructure changes before applying them to your environment.
A Terraform plan explainer interprets and summarizes the output of terraform plan—the command that previews infrastructure changes before they are applied. Terraform, by HashiCorp, is the leading infrastructure-as-code (IaC) tool used to provision and manage cloud resources across AWS, Azure, GCP, and hundreds of other providers. The plan output shows exactly what Terraform will create, modify, or destroy, but its raw format can be dense and difficult to parse quickly.
Reading Terraform plans correctly is critical: a misunderstood plan can lead to accidental resource deletion, security group changes that expose services, or cost overruns from oversized instances. A plan explainer breaks down the raw output into clear summaries, highlights risky changes, and identifies the resources affected.
When you run terraform plan, Terraform compares your configuration files (.tf) against the current state file (terraform.tfstate) and the actual cloud infrastructure. It then generates an execution plan showing the difference:
| Symbol | Meaning | Risk Level |
|---|---|---|
| + | Resource will be created | Low |
| - | Resource will be destroyed | High |
| ~ | Resource will be updated in-place | Medium |
| -/+ | Resource must be replaced (destroy then create) | High |
| <= | Data source will be read | None |
Key sections of a plan:
A typical plan output line looks like:
# aws_instance.web will be updated in-place
~ resource "aws_instance" "web" {
~ instance_type = "t3.micro" -> "t3.large"
}
terraform apply without reviewing the plan first, especially in production- and -/+ symbols indicate data loss risk; understand why before proceeding-target for scoped changes — When making large changes, plan against specific resources to reduce blast radiusterraform plan -out=plan.tfplan to save plans that can be applied exactly as reviewedaws_security_group, aws_iam_policy, and encryption settings deserve extra scrutinyThis tool supports both the human-readable text output from terraform plan and the JSON output from terraform show -json. It automatically detects the format and parses the plan accordingly. JSON output provides more detailed information for analysis.
Risk scores are calculated based on several factors including the type of action (create, update, delete, replace), the resource type, and specific attribute changes. Destructive actions like delete or replace score higher risk, and critical resources like databases or security groups receive additional risk weighting.
The tool identifies common security issues such as overly permissive security group rules (like 0.0.0.0/0 access), publicly accessible resources, missing encryption settings, and SSH access from the internet. Each issue includes a severity rating and specific remediation recommendations.
Yes, you can export the analysis in two formats. JSON format is ideal for CI/CD integration and automated processing. Markdown format is better suited for pull request comments, documentation, and human-readable reports. Both exports include the full analysis with risk scores and security findings.
A replace action (shown as -/+ in Terraform output) means the resource will be destroyed and recreated. This happens when certain attributes are changed that cannot be updated in-place, such as changing an instance class that forces replacement. Replace actions carry higher risk because they cause temporary resource unavailability.
No, all analysis is performed entirely in your browser. Your Terraform plan data never leaves your device and is not transmitted to any servers. This makes the tool safe to use with sensitive infrastructure configurations without any data privacy concerns.