Problem
The team needs to add or modify infrastructure but wants a reviewable artifact before any provider API write runs.
Use this workflow when a team wants AI help changing infrastructure but refuses silent apply behavior.
Clanker Cloud separates intent, plan, cost estimate, review, and apply so humans can inspect what will happen before anything changes.
Answer first: generate the plan, estimate the cost, inspect the blast radius, and only then run apply with an approved plan file.
Copy the app query below, then adjust context names, profiles, namespaces, and provider scopes for your environment.
Maker mode in the app generates reviewable plan output. Apply mode is separate. Destructive operations require the explicit destroyer flag and should not be enabled through ambient config.
Commit the reviewed plan or Terraform output to the normal review path, then apply from the approved artifact and re-check the live environment.
Clanker Cloud app:
1. Open Maker mode or CommandDeck.
2. Choose the AWS provider context.
3. Ask:
Create a private S3 bucket for app uploads with versioning and least-privilege IAM for checkout-api.
4. Review the plan and estimate in the app before choosing apply.
Clanker CLI:
clanker ask --aws --maker "Create a private S3 bucket for app uploads with versioning and least-privilege IAM for checkout-api" > plan.json
clanker maker estimate plan.json
clanker ask --apply --plan-file plan.json
Clanker Cloud app connected to the target provider, workspace or account profile, naming conventions, required tags, expected environment, and any blast-radius constraints such as no public access and no destructive operations.
Plan: create aws_s3_bucket app-uploads-prod, enable versioning, block public access, add IAM policy scoped to checkout-api role, and tag Owner=platform. Estimate: low monthly storage cost before usage. Apply is shown separately and no change is executed until the reviewed plan is approved.
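One way to enforce "apply from the approved artifact" in a terminal or pipeline, as an added example that is not part of Clanker Cloud or its CLI: the reviewer records the SHA-256 of the reviewed plan.json, and apply runs only if the file on disk still has that digest. The approvals file and the function names are assumptions; the only Clanker command used is the apply command shown above.

```shell
#!/usr/bin/env bash
# Added example: pin the reviewed plan by digest so apply only ever runs on
# the exact bytes that were approved. The approvals file (for example
# approved-plans.sha256, an assumed name) should live in the normal review path.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
plan_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Reviewer step: record the digest of the plan that was just reviewed.
approve_plan() {  # usage: approve_plan <plan-file> <approvals-file>
  local plan=$1 approvals=$2 digest
  [ -s "$plan" ] || { echo "refusing to approve missing or empty plan: $plan" >&2; return 1; }
  digest=$(plan_digest "$plan")
  [ -n "$digest" ] || return 1
  printf '%s  %s\n' "$digest" "$(basename "$plan")" >> "$approvals"
}

# Return 0 only if the plan's current digest is recorded in the approvals file.
verify_approved_plan() {  # usage: verify_approved_plan <plan-file> <approvals-file>
  local plan=$1 approvals=$2 digest
  [ -s "$plan" ] && [ -f "$approvals" ] || return 1
  digest=$(plan_digest "$plan")
  [ -n "$digest" ] || return 1
  grep -q "^${digest}  " "$approvals"
}

# Operator step: run the apply command only for an approved, unmodified plan.
apply_if_approved() {  # usage: apply_if_approved <plan-file> <approvals-file>
  local plan=$1 approvals=$2
  if ! verify_approved_plan "$plan" "$approvals"; then
    echo "plan $plan does not match any approved digest; not applying" >&2
    return 1
  fi
  clanker ask --apply --plan-file "$plan"
}
```

A plan regenerated or edited after review gets a different digest and is refused until it is reviewed and approved again.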
Yes. The examples lead with the Clanker Cloud app because that is the product workflow. The public Clanker CLI powers the local runtime and remains the equivalent path for terminals, automation, and MCP clients.