2026-01-16 · Authensor

How to Gate terraform apply in AI Agent Workflows

SafeClaw by Authensor blocks terraform apply and other mutating Terraform commands by default, preventing AI agents from provisioning, modifying, or destroying cloud infrastructure without explicit authorization. Install SafeClaw with npx @authensor/safeclaw and every Terraform mutation is intercepted, denied, and audit-logged before any cloud resources are affected.

Why terraform apply Is Dangerous When AI Agents Do It

terraform apply translates infrastructure-as-code into real cloud resources — VMs, databases, load balancers, IAM roles, VPCs, and DNS records. An AI agent that can run terraform apply can provision expensive compute resources (incurring unbounded costs), create publicly accessible storage buckets (exposing data), modify IAM policies (granting unauthorized access), or destroy production infrastructure. Terraform changes are often irreversible: a destroyed RDS instance with no snapshot is gone permanently. A modified security group takes effect immediately. An agent might generate valid HCL that passes terraform plan but contains subtle misconfigurations — an S3 bucket with acl = "public-read" or a security group allowing 0.0.0.0/0 on all ports.

The Exact SafeClaw Policy to Gate terraform apply

Add these rules to .safeclaw/policy.yaml:

rules:
  # Permanently deny terraform destroy
  - id: deny-terraform-destroy
    action: shell.exec
    match:
      command: "terraform destroy*"
    effect: deny
    audit: true
    message: "terraform destroy is permanently denied for AI agents."

  # Block terraform apply
  - id: deny-terraform-apply
    action: shell.exec
    match:
      command: "terraform apply*"
    effect: deny
    audit: true
    message: "terraform apply requires human execution or approval."

  # Block terraform import (can modify state)
  - id: deny-terraform-import
    action: shell.exec
    match:
      command: "terraform import*"
    effect: deny
    audit: true
    message: "terraform import is blocked."

  # Block state manipulation
  - id: deny-terraform-state
    action: shell.exec
    match:
      command: "terraform state*"
    effect: deny
    audit: true
    message: "terraform state manipulation is denied."

  # Allow read-only commands
  - id: allow-terraform-plan
    action: shell.exec
    match:
      command: "terraform plan*"
    effect: allow
    audit: true

  - id: allow-terraform-fmt
    action: shell.exec
    match:
      command: "terraform fmt*"
    effect: allow
    audit: true

  - id: allow-terraform-validate
    action: shell.exec
    match:
      command: "terraform validate*"
    effect: allow
    audit: true

  - id: allow-terraform-init
    action: shell.exec
    match:
      command: "terraform init*"
    effect: allow
    audit: true

This policy creates a clear separation: destructive operations (destroy) are permanently denied, mutating operations (apply, import, state) are blocked, and safe operations (plan, fmt, validate, init) are allowed. The agent can generate and validate Terraform code but cannot apply it.

What Happens When the Agent Tries

When an agent attempts terraform apply -auto-approve:

  1. SafeClaw intercepts the shell.exec action.
  2. The deny-terraform-apply rule matches terraform apply*.
  3. The command is blocked. No API calls to AWS, GCP, or Azure.
  4. Audit entry:
{
  "timestamp": "2026-02-13T11:55:42Z",
  "action": "shell.exec",
  "command": "terraform apply -auto-approve",
  "effect": "deny",
  "rule": "deny-terraform-apply",
  "agent": "infra-agent-02",
  "hash": "m2o8r5...chain"
}

The -auto-approve flag — which skips Terraform's built-in confirmation — is captured in the audit log, revealing that the agent intended to bypass even Terraform's own safety mechanism.

How to Allow terraform apply with Approval

For infrastructure teams that want agents to propose and apply changes with human oversight:

rules:
  - id: deny-terraform-destroy
    action: shell.exec
    match:
      command: "terraform destroy*"
    effect: deny
    audit: true
    message: "terraform destroy is permanently denied."

  # Must come before the broader "terraform apply*" approval rule
  - id: deny-terraform-apply-auto-approve
    action: shell.exec
    match:
      command: "terraform apply*-auto-approve*"
    effect: deny
    audit: true
    message: "Auto-approve is permanently denied. Use plan-then-approval workflow."

  - id: approve-terraform-apply
    action: shell.exec
    match:
      command: "terraform apply*"
    effect: approval
    audit: true
    approvers:
      - role: platform-engineer
    timeout: 600
    message: "terraform apply requires platform engineer review. Run terraform plan first."

  - id: allow-terraform-plan
    action: shell.exec
    match:
      command: "terraform plan*"
    effect: allow
    audit: true

This workflow lets the agent run terraform plan to generate a preview, then submit terraform apply for approval. The platform engineer reviews the plan output before approving. -auto-approve is hard-denied to ensure Terraform's own confirmation prompt remains active as a second safety layer.

Verification

npx @authensor/safeclaw simulate --action 'shell.exec' --command 'terraform apply -auto-approve'

Expected: deny, rule: deny-terraform-apply

npx @authensor/safeclaw simulate --action 'shell.exec' --command 'terraform plan'

Expected: allow, rule: allow-terraform-plan
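The approval policy can be checked the same way offline before it is deployed. The following is an added example, not SafeClaw code: it assumes first-match-wins evaluation and shell-style glob matching over the whole command string, writes the -auto-approve pattern as `terraform apply*-auto-approve*`, and uses hypothetical helper names (`evaluate`, `shadowed_rules`) with constructed sample commands.

```python
from fnmatch import fnmatchcase

# Rules from the approval policy, in file order: (id, glob, effect).
APPROVAL_POLICY = [
    ("deny-terraform-destroy", "terraform destroy*", "deny"),
    ("deny-terraform-apply-auto-approve", "terraform apply*-auto-approve*", "deny"),
    ("approve-terraform-apply", "terraform apply*", "approval"),
    ("allow-terraform-plan", "terraform plan*", "allow"),
]


def evaluate(policy, command):
    """Return (effect, rule_id) of the first matching rule, or (None, None).

    ASSUMPTION: first match wins and '*' is a shell-style glob. SafeClaw's
    real matcher may differ; confirm results with its `simulate` command.
    """
    normalized = " ".join(command.split())  # collapse repeated whitespace
    for rule_id, pattern, effect in policy:
        if fnmatchcase(normalized, pattern):
            return effect, rule_id
    return None, None


def shadowed_rules(policy, commands):
    """Rules that never decide any of the sample commands under first-match."""
    hit = {evaluate(policy, c)[1] for c in commands}
    return [rule_id for rule_id, _, _ in policy if rule_id not in hit]


# Constructed sample commands, not taken from a real agent session.
SAMPLES = [
    "terraform apply -auto-approve",
    "terraform apply tfplan",
    "terraform apply  -input=false -auto-approve",
    "terraform plan -out=tfplan",
    "terraform destroy -target=aws_db_instance.main",
    "terraform -chdir=envs/prod apply",  # global option before the subcommand
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd!r:50} -> {evaluate(APPROVAL_POLICY, cmd)}")
    # Put the broad approval rule first to see why order matters.
    d, a, p = APPROVAL_POLICY[1], APPROVAL_POLICY[2], APPROVAL_POLICY[3]
    swapped = [APPROVAL_POLICY[0], a, d, p]
    print("shadowed when swapped:", shadowed_rules(swapped, SAMPLES))
```

A `(None, None)` result means no rule matched, so the outcome depends on the engine's default; add an explicit rule for any invocation form your repositories use, such as `-chdir`.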
