Terraform

Protection patterns for Terraform operations including apply, state, and workspace commands

The terraform check group covers Terraform operations that can destroy infrastructure or modify state without review.

Terraform checks

Apply with auto-approve

ID: terraform:apply_with_auto_approve
Severity: Critical
Alternative: terraform plan -out=plan.tfplan && terraform apply plan.tfplan -- review the plan first, then apply from the saved plan file

The -auto-approve flag skips the interactive confirmation that Terraform normally requires. This is the most dangerous Terraform command because it applies changes without any review.

# Triggers
terraform apply -auto-approve
terraform apply -auto-approve -var="env=production"

State move / replace-provider

ID: terraform:state
Severity: High
Filter: NotContains -dry-run
Alternative: terraform state <cmd> -dry-run -- preview the state change before actually modifying state

# Triggers
terraform state mv aws_instance.old aws_instance.new
terraform state replace-provider hashicorp/aws registry.example.com/aws

# Does NOT trigger
terraform state mv -dry-run aws_instance.old aws_instance.new

Workspace delete with force

ID: terraform:workspace_delete_with_force_flag
Severity: High

# Triggers
terraform workspace delete -force staging

Workspace delete without lock

ID: terraform:workspace_delete_without_lock
Severity: High

# Triggers
terraform workspace delete -lock=false staging

Force unlock

ID: terraform:force_unlock_with_force_flag
Severity: High

Manually unlocking state without confirmation can lead to state corruption if another operation is in progress.

# Triggers
terraform force-unlock -force LOCK_ID

Summary table

| ID | Command | Severity | Filter | Alternative |
|----|---------|----------|--------|-------------|
| terraform:apply_with_auto_approve | terraform apply -auto-approve | Critical | -- | Plan + apply from plan file |
| terraform:state | terraform state mv/replace-provider | High | NotContains -dry-run | -dry-run flag |
| terraform:workspace_delete_with_force_flag | terraform workspace delete -force | High | -- | -- |
| terraform:workspace_delete_without_lock | terraform workspace delete -lock=false | High | -- | -- |
| terraform:force_unlock_with_force_flag | terraform force-unlock -force | High | -- | -- |

Best practices with shellfirm

  1. Never use -auto-approve in interactive sessions. Use terraform plan -out=plan.tfplan followed by terraform apply plan.tfplan. shellfirm catches this at Critical severity.

  2. Always dry-run state modifications. The NotContains -dry-run filter means terraform state mv -dry-run passes through without a challenge, encouraging the safe workflow.

  3. Combine with team policies. In a .shellfirm.yaml, you can deny terraform:apply_with_auto_approve outright:

version: 1
deny:
  - terraform:apply_with_auto_approve

This prevents anyone on the team from using -auto-approve in the project directory, regardless of their personal settings.
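As an added worked example (not shellfirm's own code), the following Python script models the five checks in the summary table above as regex patterns with the NotContains filter, plus the deny list from the .shellfirm.yaml snippet, and evaluates the trigger and non-trigger commands listed on this page. The check IDs, severities, filter and trigger commands come from the page; the regular expressions, the function names and the allow/challenge/deny outcomes are assumptions about how such a guard could be implemented, not shellfirm's real pattern syntax.

```python
"""Toy model of the terraform check group described on this page.

Added example, not shellfirm's own code. Check IDs, severities, the
NotContains filter and the trigger commands come from the page; the
regular expressions, function names and the allow/challenge/deny
outcomes are assumptions about how such a guard could be implemented.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    id: str
    severity: str
    pattern: str                 # regex matched against the full command line (assumed)
    not_contains: tuple = ()     # NotContains filter: skip the check if any token is present
    alternative: str = ""        # safer command suggested to the user


TERRAFORM_CHECKS = (
    Check("terraform:apply_with_auto_approve", "Critical",
          r"^\s*terraform\s+apply\b.*\s-auto-approve\b",
          alternative="terraform plan -out=plan.tfplan && terraform apply plan.tfplan"),
    Check("terraform:state", "High",
          r"^\s*terraform\s+state\s+(mv|replace-provider)\b",
          not_contains=("-dry-run",),
          alternative="terraform state <cmd> -dry-run"),
    Check("terraform:workspace_delete_with_force_flag", "High",
          r"^\s*terraform\s+workspace\s+delete\b.*\s-force\b"),
    Check("terraform:workspace_delete_without_lock", "High",
          r"^\s*terraform\s+workspace\s+delete\b.*\s-lock=false\b"),
    Check("terraform:force_unlock_with_force_flag", "High",
          r"^\s*terraform\s+force-unlock\b.*\s-force\b"),
)


def matching_checks(command, checks=TERRAFORM_CHECKS):
    """Return the checks whose pattern matches and whose filter does not exclude the command."""
    hits = []
    for check in checks:
        if any(token in command for token in check.not_contains):
            continue             # e.g. -dry-run present: the safe workflow passes through
        if re.search(check.pattern, command):
            hits.append(check)
    return hits


def evaluate(command, deny=frozenset(), checks=TERRAFORM_CHECKS):
    """Decide what the guard does with a command.

    Returns (outcome, matched_ids, highest_severity). outcome is "allow"
    (no check matched), "deny" (a matched check is in the project's deny
    list, as with the deny: block of .shellfirm.yaml) or "challenge"
    (prompt the user before running).
    """
    hits = matching_checks(command, checks)
    if not hits:
        return "allow", [], None
    ids = [c.id for c in hits]
    rank = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
    worst = max(hits, key=lambda c: rank[c.severity]).severity
    if any(i in deny for i in ids):
        return "deny", ids, worst
    return "challenge", ids, worst


# Constructed sample commands: the trigger / non-trigger lines from this page
# plus the recommended plan-file workflow.
SAMPLE_COMMANDS = (
    "terraform apply -auto-approve",
    'terraform apply -auto-approve -var="env=production"',
    "terraform state mv aws_instance.old aws_instance.new",
    "terraform state replace-provider hashicorp/aws registry.example.com/aws",
    "terraform state mv -dry-run aws_instance.old aws_instance.new",
    "terraform workspace delete -force staging",
    "terraform workspace delete -lock=false staging",
    "terraform force-unlock -force LOCK_ID",
    "terraform plan -out=plan.tfplan && terraform apply plan.tfplan",
)

if __name__ == "__main__":
    team_policy = frozenset({"terraform:apply_with_auto_approve"})  # deny list from the page
    for cmd in SAMPLE_COMMANDS:
        outcome, ids, sev = evaluate(cmd, deny=team_policy)
        print(f"{outcome:9} {sev or '-':8} {cmd}")
        for check in matching_checks(cmd):
            if check.alternative:
                print(f"          try: {check.alternative}")
```

The NotContains filter is applied before the pattern, which is what lets terraform state mv -dry-run through untouched, and a check that appears in the deny set turns a prompt into a hard refusal, mirroring how the project-level deny list overrides personal settings.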