Blog

Claude Code and Terraform: Infrastructure Reviews

July 2026 · 6 min read · Technical

Notebook illustration of a magnifying glass reviewing a stack of infrastructure blocks with a terracotta checkmark
← Back to all posts

Terraform gives an infrastructure team something rare: a written record of what your cloud is supposed to look like. But the moment a plan runs, the risk moves from the code to the review. A single mistyped CIDR range, a security group left open to the world, or a state file quietly drifting from reality can turn a routine change into an incident. For most Australian teams the bottleneck is not writing Terraform. It is finding a senior engineer with an hour free to read the diff properly before it merges.

This is where Claude Code earns its place. It can read an entire Terraform repository, hold the module structure in context, and reason about a terraform plan the way an experienced reviewer would. Not as a linter checking syntax, but as a second set of eyes that understands what a change actually does to your running environment.

Why Terraform reviews quietly get skipped

Infrastructure reviews are the first thing to fall off when a team is busy. The plan output is long, most of it is noise, and the genuinely risky line is often buried in the middle of forty resource changes. Reviewers skim. They approve. And the one change that mattered slips through.

The cost of a missed review is not abstract. A public storage bucket or an over-permissive IAM role that exposes customer records can trigger a notifiable breach under the Privacy Act, and the response effort alone can run past A$45,000 once you count legal review, forensic work, and customer notification. For a Sydney fintech under APRA CPS 234 obligations, an unreviewed change to a production security control is also a compliance problem, not just an engineering one.

What Claude Code actually checks in a plan

Point Claude Code at your repository and hand it the plan output, and it reviews against the things human reviewers care about but rarely have time to trace by hand:

  • Network exposure: security groups or firewall rules that open ports to 0.0.0.0/0, public IP assignments, and load balancers that lose TLS.

  • Identity and access: IAM policies with wildcard actions, roles that gain admin scope, and service accounts that quietly widen their permissions.

  • State and drift: resources being destroyed and recreated when an in-place update was intended, and changes that do not match the stated purpose of the pull request.

  • Data protection: storage buckets or databases losing encryption, backups being disabled, or deletion protection being removed.

  • Blast radius: how many resources a change touches, and whether a small config edit is silently forcing a replacement of something stateful.

The value is in the reasoning, not the pattern match. Claude Code can tell you that a change looks harmless on its own but becomes dangerous because of a variable set three modules away. That cross-file understanding is exactly what a tired reviewer scanning a raw diff tends to miss.

A review workflow that fits a small team

You do not need a platform team to get value here. A workable pattern for a team of three to ten engineers looks like this. An engineer opens a pull request with their Terraform change and the plan output attached. Claude Code reads the plan alongside the full repository, then writes a plain-English summary: what changes, what the risk is, and which two or three lines a human should look at closely. The human reviewer starts from that summary instead of a wall of HCL.

The result is not a rubber stamp. It is a faster, better-aimed human review. A change that used to sit for two days waiting for someone senior to find an hour can be sanity-checked in fifteen minutes, because the reviewer is told where to look. Teams running this pattern often find the review itself costs them less than A$120 of engineer time per change, against the days of delay it removes.

Guardrails: what to keep human

Claude Code is a reviewer, not an approver. Some things stay firmly with a person. It should never hold your cloud credentials or run terraform apply on production by itself. Treat its output as advice, not authority, and keep the merge and apply steps behind a human who has read the summary and agrees with it.

The other guardrail is scope. Claude Code is strong at reasoning over what a change does, but it does not know your business context unless you tell it. A resource being destroyed might be a mistake or a deliberate cleanup. Give it the pull request description and any relevant runbook so it reviews against intent, not just mechanics. Used this way it catches the errors that matter while leaving the judgment calls where they belong.

If your team is drowning in infrastructure changes and short on senior review time, this is a practical place to start with Claude. We help Australian teams set up review workflows like this without handing over the keys to production. If that sounds useful, you can book a short call with us and we will map out what it would take for your stack.

Ready to move from AI pilot to production?

We help mid-market Australian businesses deploy AI automations that actually reach production and deliver measurable ROI.