Terraform Plan Blast Radius Card

Turn pasted terraform plan output into a risk-ranked blast-radius card

The parse runs entirely in your browser. The plan text is not uploaded, logged, or stored. This is a heuristic review aid, not a substitute for reading the full plan before you apply.

About the terraform plan blast radius card

The terraform plan blast radius card turns pasted plan output into a quick risk read before you approve an apply. Paste the human-readable output from terraform plan or tofu plan, select analyze, and the tool lists every resource change with an action, a risk level, and a short reason. It then gives you a markdown card to drop into a pull request and a CSV of the findings for a review log.

The point is to make the dangerous changes easy to spot. A destroy or a forced replacement, a security group opening to 0.0.0.0/0, or a change to an identity or policy resource is flagged high so it does not get lost in a long plan. The parse runs entirely in your browser. The plan text is not uploaded, logged, or stored, which matters because plans can contain account ids, hostnames, resource names, and policy details. This is a review aid, not a policy engine, so read the full plan before you apply.

How to use

  1. Run terraform plan or tofu plan and copy the human-readable output, including the lines that start with a hash and a resource address.
  2. Paste the output into the box. A sample plan is loaded so you can see the format the tool expects.
  3. Select analyze plan to see the change counts, the risk counts, and a per-resource findings table.
  4. Review the high-risk rows first. These cover destroys, forced replacements, public network exposure, and identity or policy changes.
  5. Copy the markdown card into your pull request or download the CSV for your review log, then read the full plan before you approve the apply.

Worked examples

A database resource marked must be replaced

A forced replacement destroys the existing resource and creates a new one, so it is flagged high risk. Expect downtime and a new resource identity, and check whether stored data needs a snapshot first.

A security group changing cidr_blocks to 0.0.0.0/0

Opening an ingress rule to the public internet is flagged high risk even on an in-place update, because it widens the network exposure of whatever the group protects.

A plain compute instance marked will be created

A new resource with no destroy, no replacement, and no public or identity markers is flagged low risk so your attention stays on the changes that can break or expose something.

Frequently asked questions

Does it work with OpenTofu plans?
Yes. OpenTofu prints plan output in the same human-readable format as Terraform, so paste the output from either tofu plan or terraform plan. The tool reads the per-resource change lines the same way for both.
How does it decide the risk level?
It uses deterministic heuristics. Destroys and forced replacements are high risk. Public network exposure such as 0.0.0.0/0 or ::/0, and changes to identity, role, or policy resources, are high risk. In-place changes to stateful resources like databases and storage, or to security groups and firewalls, are medium. Plain creates and other in-place updates are low.
Is my plan text uploaded anywhere?
No. The parse runs entirely in your browser. The plan text and resource names are never uploaded, logged, or stored, and they are not included in any analytics. Only coarse, anonymous counts are recorded so we can tell how often the tool is used.
Can I paste a JSON plan?
Not yet. The first version reads the human-readable plan output. JSON plan support, produced by terraform show -json, is a planned follow-up. For now, paste the standard text output.
Does this replace reading the plan or a policy tool?
No. It is a fast triage aid that surfaces the changes most likely to cause damage or exposure. It does not enforce policy and it does not understand every provider. Always read the full plan, and keep using a policy-as-code tool if your team has one.
Is the terraform plan blast radius card free?
Yes. It is free to use and does not require an account.
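
The risk rules from "How does it decide the risk level?" can be sketched as a small parser over the human-readable plan text. This is an added example, not the tool's own source: the function names, the resource-type patterns, and the abbreviated sample plan are assumptions. Reading only the new value on an "old -> new" line is this example's choice, made so that a rule being narrowed away from 0.0.0.0/0 is not flagged.

```javascript
// Added example, not the tool's source. Rules follow the FAQ answer above;
// the resource-type patterns and SAMPLE plan text are constructed assumptions.
const HEADER = /^\s*# (\S+) (will be created|will be updated in-place|will be destroyed|must be replaced|is tainted, so must be replaced)/;
const PUBLIC = /"(0\.0\.0\.0\/0|::\/0)"/;
const IDENTITY = /iam|role|policy/i;
const GUARDED = /db|database|storage|bucket|volume|security_group|firewall/i;

function rate(f) {
  if (f.action === "destroy" || f.action === "replace") return "high";
  if (f.publicExposure || IDENTITY.test(f.type)) return "high";
  if (f.action === "update" && GUARDED.test(f.type)) return "medium";
  return "low";
}

function classifyPlan(text) {
  const findings = [];
  let cur = null;
  for (const line of text.split(/\r?\n/)) {
    const h = HEADER.exec(line);
    if (h) {
      // Drop index keys, then take the segment before the resource name.
      const parts = h[1].replace(/\[[^\]]*\]/g, "").split(".");
      const action = h[2].includes("replaced") ? "replace"
        : h[2].includes("destroyed") ? "destroy"
        : h[2].includes("updated") ? "update" : "create";
      cur = { address: h[1], type: parts[parts.length - 2] || "", action, publicExposure: false };
      findings.push(cur);
    } else if (cur) {
      // Only added (+) or changed (~) lines can widen exposure; on an
      // "old -> new" line, test the new value only.
      const m = /^\s*[+~]\s(.*)$/.exec(line);
      if (m && PUBLIC.test(m[1].split(" -> ").pop())) cur.publicExposure = true;
    }
  }
  return findings.map((f) => ({ ...f, risk: rate(f) }));
}

const SAMPLE = `
  # aws_db_instance.main must be replaced
  # aws_security_group.web will be updated in-place
  ~ resource "aws_security_group" "web" {
      ~ cidr_blocks = ["10.0.0.0/8"] -> ["0.0.0.0/0"]
  # aws_security_group.admin will be updated in-place
  ~ resource "aws_security_group" "admin" {
      ~ cidr_blocks = ["0.0.0.0/0"] -> ["10.0.0.0/8"]
  # aws_instance.app will be created
`;
console.log(classifyPlan(SAMPLE).map((f) => `${f.risk}\t${f.action}\t${f.address}`).join("\n"));
```

Type-name matching of this kind is coarse, so a resource the patterns do not recognise falls through to low, which is one reason the full plan still needs to be read.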
