Overview

terraform-ui automatically classifies every planned change by risk level based on the resource type and action. This surfaces dangerous changes immediately without requiring you to scan hundreds of lines of plan output.

How It Works

Risk Levels

Level Meaning Example
Critical Data loss or encryption key destruction likely Deleting an RDS instance, replacing a KMS key
High Infrastructure disruption or access change Deleting a VPC, modifying IAM roles, destroying load balancers
Medium Security rule or DNS change Updating security groups, modifying Route53 records
Low Safe change with minimal blast radius Creating a new resource, updating tags

Classification Rules

Delete / Replace actions:

  • Critical-type resource → Critical
  • High-risk resource → Critical
  • Medium-risk resource → High
  • Everything else → High

Update actions:

  • Critical-type resource → High
  • High-risk resource → High
  • Medium-risk resource → Medium
  • Everything else → Medium

Create actions:

  • Critical/high-risk resource → Medium
  • Everything else → Low

Resource Type Categories

Critical (data-bearing / encryption):

  • AWS: aws_db_instance, aws_rds_cluster, aws_dynamodb_table, aws_s3_bucket, aws_efs_file_system, aws_redshift_cluster, aws_elasticache_cluster, aws_kms_key
  • GCP: google_sql_database_instance, google_storage_bucket, google_kms_key_ring, google_kms_crypto_key
  • Azure: azurerm_sql_server, azurerm_cosmosdb_account, azurerm_storage_account, azurerm_key_vault

High (access / networking / compute):

  • AWS: aws_iam_role, aws_iam_policy, aws_vpc, aws_subnet, aws_eks_cluster, aws_lambda_function, aws_cloudfront_distribution
  • GCP: google_compute_network, google_container_cluster, google_project_iam_member
  • Azure: azurerm_virtual_network, azurerm_kubernetes_cluster, azurerm_role_assignment

Medium (security rules / DNS / messaging):

  • AWS: aws_security_group, aws_route53_record, aws_sns_topic, aws_sqs_queue
  • GCP: google_compute_firewall, google_dns_record_set
  • Azure: azurerm_network_security_group, azurerm_dns_zone

In the TUI

Press R from the home screen after running a plan to see the risk analysis view. Changes are grouped by risk level with color coding:

  • Critical – red
  • High – orange
  • Medium – yellow
  • Low – green

Configuration

# tfui.hcl
plugin "risk" {
  enabled = true
}

Risk levels are built-in and not currently configurable. See the Risk Analysis plugin for the full TUI reference.


This site uses Just the Docs, a documentation theme for Jekyll.