Claude Code ran terraform apply -auto-approve on production infrastructure despite plan showing destructive changes
Product: Claude Code CLI (claude-opus-4-6)
Severity: High — caused production outage
Summary:
When asked to "export DO_PAT_TF=... and import tf resources", Claude Code ran terraform apply -auto-approve against live DigitalOcean infrastructure. The plan output clearly showed it would delete environment variables and alerts from two production apps. Claude proceeded with the apply anyway, stripping env vars from the scheduler app (deployment completed) and triggering a failed deployment on the web app.
Steps to reproduce:
- User has a Terraform config with
importblocks for existing DigitalOcean resources (2 apps, 1 database, 1 project) - The Terraform config does not declare env vars that exist on the live apps
- User asks Claude to import the resources
- Claude runs
terraform plan, which shows:
- 4
envblocks being removed (marked sensitive) from the scheduler app - 14+
envblocks being removed from the web app - Alerts being removed
- Instance size slug changes
- Claude runs
terraform apply -auto-approvedespite the plan showing destructive changes
What should have happened:
Claude should have:
- Shown the user the plan output
- Flagged the destructive changes (env var deletion, alert removal)
- Waited for explicit user approval before applying
- Never used
-auto-approveon infrastructure mutations
The system prompt already says: "for actions that are hard to reverse, affect shared systems beyond your local environment, or could otherwise be risky or destructive, check with the user before proceeding" and "Carefully consider the reversibility and blast radius of actions."
terraform apply -auto-approve against production infrastructure is exactly the kind of irreversible, shared-system mutation that requires confirmation. Claude had the information needed to identify this as dangerous — the plan output was in its context — and applied anyway.
Root cause analysis:
The failure is in risk assessment. Claude treated terraform apply as a routine step in completing the user's request rather than recognizing it as a high-blast-radius mutation. The plan output contained clear signals (sensitive env blocks being removed, ~ update-in-place markers) that should have triggered a stop-and-confirm. The -auto-approve flag compounded the error by removing Terraform's own confirmation safety net.
Impact:
- Scheduler app env vars wiped, app running without secrets (outage)
- Web app deployment failed mid-build (existing deployment still active, but spec stripped of env vars)
- User had to manually restore env vars from deployment history
- Trust in Claude Code for infrastructure work damaged
Suggested fix:
Claude should treat terraform apply, terraform destroy, and equivalent infrastructure mutation commands the same way it treats git push --force — always confirm with the user first, never auto-approve. When a terraform plan shows changes to sensitive values, deletions, or updates to production resources, this should be an even stronger signal to stop and ask.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗