# Review before applying a Terraform change

Answer first: generate the plan, estimate the cost, inspect the blast radius, and only then run apply with an approved plan file.

## Problem

The team needs to add or modify infrastructure but wants a reviewable artifact before any provider API write runs.

## App workflow/query

```text
Clanker Cloud app:
1. Open Maker mode or CommandDeck.
2. Choose the AWS provider context.
3. Ask:
Create a private S3 bucket for app uploads with versioning and least-privilege IAM for checkout-api.
4. Review the plan and estimate in the app before choosing apply.
```

## Open-source CLI equivalent

```bash
clanker ask --aws --maker "Create a private S3 bucket for app uploads with versioning and least-privilege IAM for checkout-api" > plan.json
clanker maker estimate plan.json
clanker ask --apply --plan-file plan.json
```

## Input context

The request needs the Clanker Cloud app connected to the target provider, the workspace or account profile, naming conventions, required tags, the expected environment, and any blast-radius constraints, such as no public access and no destructive operations.

## Output example

```text
Plan: create aws_s3_bucket app-uploads-prod, enable versioning, block public access, add IAM policy scoped to checkout-api role, and tag Owner=platform. Estimate: low monthly storage cost before usage. Apply is shown separately and no change is executed until the reviewed plan is approved.
```

## Safety boundary

Maker mode in the app generates reviewable plan output. Apply mode is separate. Destructive operations require the explicit destroyer flag and should not be enabled through ambient config.

## Supported providers

AWS, GCP, Azure, Cloudflare, DigitalOcean, Hetzner, Vercel, Railway, Verda, Terraform.

## Next step

Commit the reviewed plan or Terraform output to the normal review path, then apply from the approved artifact and re-check the live environment.
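One way to enforce "apply from the approved artifact" is to pin the reviewed `plan.json` by digest and refuse to apply a file that no longer matches. This is an added example, not part of Clanker's own tooling; the `.approved.sha256` sidecar file and the function names are assumptions, and only the final `clanker` command comes from the CLI section above.

```shell
#!/usr/bin/env bash
# Added example: pin the reviewed plan by digest and refuse to apply anything else.
# The ".approved.sha256" sidecar and all function names are assumptions.

# Print the SHA-256 of a file using whichever tool is installed.
plan_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Run by the reviewer after reading the plan and estimate: record the digest.
approve_plan() {
  local plan="$1"
  [ -s "$plan" ] || { echo "refusing to approve empty or missing plan: $plan" >&2; return 1; }
  plan_digest "$plan" > "$plan.approved.sha256"
}

# Return 0 only if the plan is byte-identical to the one that was approved.
verify_plan() {
  local plan="$1" want got
  [ -f "$plan.approved.sha256" ] || { echo "no approval recorded for $plan" >&2; return 1; }
  want="$(cat "$plan.approved.sha256")"
  got="$(plan_digest "$plan")"
  [ -n "$got" ] && [ "$want" = "$got" ] || { echo "plan changed since approval: $plan" >&2; return 1; }
}

# Apply step: the provider API write is reached only after the digest check passes.
apply_reviewed() {
  local plan="$1"
  verify_plan "$plan" || return 1
  clanker ask --apply --plan-file "$plan"
}
```

Keep the recorded digest in the review record (for example, committed with the plan) rather than only beside the plan on the apply host, since anyone who can rewrite the plan there can rewrite a local sidecar too.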
