
Terraform planning is the review point where desired infrastructure, current state, provider behavior, and pending changes meet. The plan does not simply say that code changed. It describes the operations Terraform is preparing to take, including new resources, in-place updates, deletes, replacements, output changes, and differences detected while refreshing state.

A good plan review separates volume from risk. Ten creates for a new monitoring module may be routine, while one replacement of a database, load balancer, subnet, certificate, or identity-bearing resource can require a maintenance window and a rollback plan. The action word matters because Terraform can represent a replacement as a destroy-and-create sequence, which has a different operational meaning from an update that keeps the existing object alive.

Common Terraform plan review signals

| Review signal | Why it matters | Common mistake |
| --- | --- | --- |
| Delete or replacement | The existing object may disappear, move, or lose attached state. | Treating a replacement like a harmless update because a new object will be created. |
| Unknown value | A provider-computed value is not available until apply. | Assuming the plan has already proven every final attribute value. |
| Drift | Real infrastructure has moved away from Terraform's last known state. | Approving the plan without deciding whether to absorb or revert the outside change. |
| Output change | Other modules, scripts, dashboards, or people may consume the changed value. | Reviewing only resources and missing downstream dependency effects. |

Machine-readable plan JSON gives reviewers the most dependable evidence because it keeps resource addresses, provider names, action lists, replacement paths, unknown markers, sensitive markers, drift entries, and output changes in separate fields. Terminal text is still useful during an incident handoff or quick chat review, but it loses structure. Text can show the broad add/change/destroy counts while hiding the reasons and metadata that explain why a row needs human attention.

[Figure: Terraform plan review flow. A plan review flow from saved plan evidence through action classification, destructive gate checks, extra signals, and review outputs. Stages: plan evidence (JSON or text); action class (create, update, delete); replacement (delete plus create); apply gate (destructive count); extra signals (drift, outputs, unknowns); review record (gate, queue, ledger).]

Plan review also has a timing problem. A saved plan can be handed from a planning job to an approval job, but reviewers still need to know which workspace, stack, or CI run produced it. If the real environment changes after the plan was created, a later apply may not carry the same assumptions unless the workflow applies the saved plan artifact or regenerates a fresh plan.

A summary should therefore be treated as a triage record, not as a final authorization. It can focus attention on destructive work, provider concentration, drift, and output changes, but it cannot confirm backups, service-specific safety, policy decisions, owner approval, or whether a maintenance window is acceptable.

How to Use This Tool:

Start from the plan artifact you would normally review before apply. For the strongest result, save a Terraform plan and convert it with terraform show -json <planfile>, then paste the JSON, browse for the file, or drop a JSON/TXT plan onto the input area.

  1. Fill Workspace or stack with the environment, Terraform workspace, stack name, or CI job under review. The value appears in copied rows, report subtitles, filenames, and the summary line.
  2. Set Destructive review threshold. Use 0 when every delete or replacement should trip review. Use a higher number only when that stack has an agreed tolerance for destructive resource count.
  3. Paste Plan JSON, choose Browse plan, or drag a file onto the textarea. Selected files are read locally in the browser and must stay under 8 MiB. Load sample restores a representative plan for testing the result surfaces.
  4. Use Format JSON only after valid JSON is present. If JSON parsing fails, the page switches to text scanning and reports the parse warning while still looking for recognizable Terraform action lines and the classic plan summary count.
  5. Open Apply Gate Snapshot first. Confirm the parse mode, planned resource action count, deletes plus replacements, output changes, drift entries, and review load score before moving to detailed rows.
  6. Use Destructive Review Queue for deletes, replacements, unknown actions, unknown-value markers, and sensitive markers. Use Resource Change Ledger for the wider row list, and adjust Ledger row limit when a large plan needs more visible rows.
  7. Keep Include no-op/read rows off for ordinary approval review. Turn it on when data-source reads or unchanged rows belong in the audit record, then use the tables, chart tabs, and JSON view to copy or download the evidence needed for the review packet.

Interpreting Results:

The first result to trust is the parse mode. plan JSON means structured Terraform plan fields were available. text scan means the page inferred actions from terminal-style lines, so provider names, replacement paths, drift rows, output changes, unknown markers, and sensitive markers may be missing.

Apply Review Required means deletes plus replacements are above the selected threshold. Destructive Signal Found means at least one delete or replacement exists but the threshold was not exceeded. Terraform Plan Summary means the parsed planned-resource actions did not include destructive rows, but creates, updates, drift, outputs, and provider concentration still need normal review.

Terraform plan result interpretation cues

| Output cue | What it suggests | What to verify |
| --- | --- | --- |
| Deletes plus replacements above threshold | The configured approval gate has tripped. | Confirm removal intent, lifecycle settings, backups, dependency impact, and cutover timing. |
| Replacement count above zero | At least one resource will be destroyed and recreated. | Read the replacement reason or path and decide whether identity, state, or traffic will be affected. |
| Drift entries above zero | Terraform detected changes outside the planned configuration edit. | Decide whether the outside change should be absorbed into state, reverted, imported, or investigated. |
| Output changes above zero | Consumers of Terraform outputs may receive different values. | Check downstream modules, automation jobs, dashboards, inventory, and runbooks that read those outputs. |
| High Provider Blast Radius concentration | Most planned work or risk is clustered under one provider name. | Review provider-specific behavior, service quotas, rate limits, maintenance windows, and rollback path. |

A clear gate is not proof that the plan is safe. It only says the delete-plus-replacement count is at or below the chosen threshold. Use the queue, ledger, charts, policy checks, and team approval process together before applying.

Technical Details:

The analyzer treats structured Terraform plan JSON as the primary input. It reads planned resource changes, drift changes, output changes, Terraform and format version fields, provider names, resource addresses, action reasons, replacement paths, unknown-value markers, and sensitive-value markers. Unknown JSON properties are ignored so newer minor-format additions do not prevent a summary.

When JSON parsing fails, the fallback path scans text lines for common Terraform phrases and symbols such as resources that will be created, updated in-place, destroyed, replaced, or read, plus the aggregate Plan: ... to add, ... to change, ... to destroy line. That fallback is intentionally lower confidence because plain text cannot reliably reconstruct structured plan evidence.

Action Classification

Terraform action classification rules

| Parsed action | Rule | Base review weight |
| --- | --- | --- |
| replace | The action list contains both delete and create. | 7 |
| delete | The action list contains delete without a paired create. | 6 |
| create | The action list contains create without delete. | 1 |
| update | The action list contains update. | 2 |
| read or noop | Data-source reads and unchanged rows are informational unless the no-op/read option is enabled. | 0 |
| unknown | No supported action is found, or text scanning cannot classify the line safely. | 3 |

Gate and Review Load

The destructive gate is count-based and deliberately simple. A replacement is counted with deletes because the existing object is removed as part of the operation.

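$$\text{destructive} = \text{delete\_count} + \text{replace\_count}$$

$$\text{gate\_tripped} = (\text{destructive} > \text{threshold})$$

$$\text{risk}_{\text{total}} = \sum_{r=1}^{n} \left( w_{\text{action}} + \text{unknown\_leaves} + \text{sensitive\_leaves} + \text{drift\_bonus} \right) + \text{output\_changes}$$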

Boundary behavior is strict greater-than. With threshold 0, one delete or replacement trips the gate. With threshold 3, exactly three destructive resources stay at or below threshold, while four trips review. The review load score adds the action weight for each resource row, one point per unknown or sensitive leaf marker, two extra points for drift rows, and one point for each output change.
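The classification rules, strict greater-than gate, and review load score described above, as an added Python sketch for a CI job; it is not this page's own analyzer code. The field names (`resource_changes`, `resource_drift`, `output_changes`, `change.actions`, `after_unknown`, `after_sensitive`) come from Terraform's plan JSON format. Counting `true` leaves in the `after_*` trees and skipping no-op outputs are assumptions about how the markers are tallied.

```python
# Base review weights from the classification table on this page.
WEIGHTS = {"replace": 7, "delete": 6, "unknown": 3, "update": 2,
           "create": 1, "read": 0, "noop": 0}

def classify(actions):
    """Map a change.actions list to one review class."""
    acts = set(actions or [])
    if {"delete", "create"} <= acts:
        return "replace"  # covers delete-then-create and create-then-delete
    for name in ("delete", "create", "update", "read"):
        if name in acts:
            return name
    return "noop" if "no-op" in acts else "unknown"

def true_leaves(node):
    """Count leaves set to true in an after_unknown / after_sensitive tree."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return sum(true_leaves(v) for v in node)
    return 1 if node is True else 0

def summarize(plan, threshold=0):
    planned = plan.get("resource_changes") or []
    destructive = sum(classify(rc.get("change", {}).get("actions"))
                      in ("delete", "replace") for rc in planned)
    risk = 0
    for rows, drift_bonus in ((planned, 0), (plan.get("resource_drift") or [], 2)):
        for rc in rows:
            ch = rc.get("change", {})
            risk += (WEIGHTS[classify(ch.get("actions"))] + drift_bonus
                     + true_leaves(ch.get("after_unknown"))
                     + true_leaves(ch.get("after_sensitive")))
    # Assumption: only outputs whose action is not no-op count as changed.
    outputs = sum(o.get("actions") != ["no-op"]
                  for o in (plan.get("output_changes") or {}).values())
    return {"destructive": destructive, "gate_tripped": destructive > threshold,
            "risk_total": risk + outputs}

# Constructed sample (already-parsed plan JSON) with hypothetical addresses.
SAMPLE = {"resource_changes": [
    {"address": "aws_security_group.web", "change": {"actions": ["update"]}},
    {"address": "aws_instance.app", "change": {"actions": ["delete", "create"],
        "after_unknown": {"id": True, "private_ip": True}}},
    {"address": "aws_iam_role.legacy", "change": {"actions": ["delete"]}}],
    "output_changes": {"app_ip": {"actions": ["update"]}}}

print(summarize(SAMPLE, threshold=0))
```

In a pipeline, load the output of `terraform show -json <planfile>` with `json.load` and fail the job when `gate_tripped` is true.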

Signals Used in Rows and Charts

Terraform plan signals used in rows and charts

| Signal | How it is handled | Review meaning |
| --- | --- | --- |
| Replacement path | Shown when Terraform reports the attribute path that forced replacement. | Points reviewers to the setting most likely to explain destroy-and-recreate behavior. |
| Unknown leaves | Counted from unknown markers and added to row risk. | Final values may only become known during apply. |
| Sensitive leaves | Counted from sensitive markers without exposing the protected values. | Secrets or protected fields participate in the change, so copied reports need access control. |
| Drift rows | Included in the ledger with a drift signal and extra risk weight. | State, configuration, and real infrastructure may need reconciliation before approval. |
| Provider grouping | Planned resource rows are grouped by shortened provider name for the provider chart. | Risk concentrated under one provider may deserve provider-specific review. |

The visible ledger is sorted by risk, then action priority, then resource address. The ledger row limit accepts values from 10 through 500. JSON output keeps the parsed resource data and warnings, while the visible table reflects the current row-limit and no-op/read settings.

Privacy and Safety Notes:

Terraform plan and state artifacts can contain detailed infrastructure metadata and sensitive values. Pasted text and selected files are analyzed in the browser, and the share URL does not include the plan body, but copies, downloads, screenshots, browser memory, and shared reports can still expose private environment details.

  • Handle saved plans and plan JSON with the same care as state files, deployment records, and CI artifacts.
  • Do not paste plans from environments you are not allowed to inspect or share.
  • Use a clear gate as a review cue, not as permission to apply.
  • Check policy-as-code results, backups, ownership, dependency impact, and maintenance timing outside this page.

Worked Examples:

Replacement in a production network stack

A prod-network plan contains one security group update, one instance replacement, one IAM role delete, and one output change. With Destructive review threshold set to 0, Apply Gate Snapshot shows two destructive resources and Apply Review Required. Destructive Review Queue should list the replacement and delete rows with provider, reason, risk, and review step.

Threshold edge in a batch cleanup

A cleanup plan has exactly three deletes and no replacements. With threshold 3, Deletes plus replacements remains at or below threshold and the gate stays clear. If one more replacement appears, the destructive count becomes four and the gate trips. That boundary matters when a team uses a numeric approval rule instead of a strict zero-destruction rule.

Large non-destructive module rollout

A module version bump creates 36 resources and updates 18, with no deletes or replacements. Terraform Plan Summary can still show many planned resource actions even though the destructive count is zero. Plan Action Mix shows the rollout size, and Provider Blast Radius can reveal that most work sits under one cloud provider, which may still deserve quota and timing review.

Drift and output changes during normal planning

A plan includes a drift row for a manually changed security group rule and output changes for a load balancer name. The destructive gate may stay clear, but Drift entries and Output changes are still non-zero in Apply Gate Snapshot. Reviewers should decide whether to absorb the outside change, update configuration, or revert the manual edit before approving apply.

Terminal text pasted during an incident

A responder pastes terminal output with Plan: 3 to add, 2 to change, 1 to destroy but no structured JSON. The page reports text scan, may create aggregate ledger rows, and cannot recover replacement paths or provider names. Use the result to organize the incident conversation, then request terraform show -json output before final approval.

FAQ:

Does a clear gate mean the plan is safe to apply?

No. A clear gate only means deletes plus replacements are at or below the selected threshold. Review updates, creates, drift, output changes, policy results, backups, and team approval separately.

Why are replacements counted with deletes?

A replacement destroys the existing resource and creates another one. That can affect identity, state, traffic, or dependencies even when the final configuration still contains a resource with the same logical address.

What should I do when JSON parsing fails?

Check that the input came from terraform show -json <planfile> and use Format JSON after valid JSON is present. Text scanning is useful for triage, but final approval should use structured plan JSON when possible.

Why does the text scan show less detail?

Terminal output does not reliably expose every structured field. The fallback can infer common actions and summary counts, but provider names, replacement paths, drift rows, output changes, unknown markers, and sensitive markers may be absent.

Are plan files uploaded anywhere?

No. Pasted text and selected files are read in the browser for analysis, and the plan body is not placed in the URL. Downloaded files, copied rows, and screenshots still need normal access control.

Why are sensitive markers shown without secret values?

The useful review fact is that protected fields participate in the change. The values themselves should stay hidden and should be handled under the same controls you use for Terraform state and plan artifacts.

Glossary:

Plan JSON
Machine-readable Terraform plan output produced from a saved plan with terraform show -json.
Saved plan
A plan artifact written by Terraform that can be reviewed and later applied by the same workflow.
Replacement
A change where Terraform destroys and recreates a resource, usually represented as delete plus create.
Destructive threshold
The maximum delete-plus-replacement count allowed before the apply gate trips.
Drift
A difference detected between real infrastructure and Terraform's expected state or configuration.
Unknown value
A value Terraform cannot determine until apply, marked separately in structured plan output.
Sensitive marker
A structured indicator that a protected value is involved without exposing the value itself.
Provider blast radius
The concentration of planned actions and risk under one provider name.
