• ℍ𝕂-𝟞𝟝@sopuli.xyz · 15 · 2 days ago

    I’m an engineer using Terraform and Claude Code as well in a much larger and more expensive setup than his.

    You do not let Claude Code run terraform apply; it has zero benefits. All it does is run the command and obscure the output. Most of the time is going to be spent waiting for the automation anyway; most of the effort that you can spare is before running apply.

    Also:

    applying delete protections to Terraform and AWS permissions, and moving the Terraform state file to S3 storage instead of his local machine

    These both take like 20 seconds, and should be in the getting-started manual of Terraform and AWS databases respectively. Setting up remote state is 5 minutes in vanilla Terraform, 30 seconds in something like Terragrunt.

    Also, use OpenTofu and stop supporting corporate acquisitions; that also takes zero effort and money.

    And finally:

    most sysadmins will spot the baseline issues with Grigorev’s approach, including granting wide-ranging permissions to what’s effectively a subordinate of his, as well as not scoping permissions in a production environment to begin with.

    No, not a subordinate. A tool. There are two big differences. A subordinate might understand more than you do about the code; a tool will guess and rely on you. The second is that you practically can't separate your permissions from your tools'. I mean, Claude Code will supposedly ask you if it can use some tool or another, and you can whitelist the actions it can take, but it will never be completely locked out of destroying your database the way you can lock another user out.
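The three guards the comment above refers to (remote state in S3, delete protection on both the AWS side and the Terraform side, and a deny policy on the principal a coding agent would run as) fit in one small Terraform module. The following is an added example, not code from the comment or from Grigorev's setup; the bucket, lock table, region, role name and DB identifier are assumptions, and the state bucket and lock table are assumed to already exist outside this state.

```hcl
terraform {
  required_version = ">= 1.6"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }

  # Remote state: an encrypted, versioned S3 bucket plus a DynamoDB lock table.
  # Names are assumptions; create the bucket and table out of band, not in this state.
  backend "s3" {
    bucket         = "example-tfstate-bucket"
    key            = "prod/db/terraform.tfstate"
    region         = "eu-west-1"
    encrypt        = true
    dynamodb_table = "example-tfstate-lock"
  }
}

provider "aws" {
  region = "eu-west-1"
}

resource "aws_db_instance" "prod" {
  identifier                  = "example-prod-db" # assumed name
  engine                      = "postgres"
  instance_class              = "db.t4g.micro"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true # password lives in Secrets Manager, not in state
  skip_final_snapshot         = false
  final_snapshot_identifier   = "example-prod-db-final"

  # AWS-side guard: the RDS API rejects DeleteDBInstance while this is true.
  deletion_protection = true

  # Terraform-side guard: any plan that would destroy this resource fails.
  lifecycle {
    prevent_destroy = true
  }
}

# Explicit Deny for the destructive RDS calls and for state-object deletion.
# An explicit Deny wins over any Allow the principal otherwise holds.
data "aws_iam_policy_document" "deny_destroy" {
  statement {
    sid    = "DenyDatabaseDeletion"
    effect = "Deny"
    actions = [
      "rds:DeleteDBInstance",
      "rds:DeleteDBCluster",
      "rds:DeleteDBSnapshot",
      "rds:DeleteDBClusterSnapshot",
    ]
    resources = ["*"]
  }

  statement {
    sid    = "DenyStateDeletion"
    effect = "Deny"
    actions = [
      "s3:DeleteObject",
      "s3:DeleteObjectVersion",
      "s3:DeleteBucket",
    ]
    resources = [
      "arn:aws:s3:::example-tfstate-bucket",
      "arn:aws:s3:::example-tfstate-bucket/*",
    ]
  }
}

resource "aws_iam_policy" "deny_destroy" {
  name   = "example-deny-destroy"
  policy = data.aws_iam_policy_document.deny_destroy.json
}

# Attach to the role the agent (or the engineer's plan-only session) assumes.
resource "aws_iam_role_policy_attachment" "agent_deny_destroy" {
  role       = "example-terraform-agent-role" # assumed existing role
  policy_arn = aws_iam_policy.deny_destroy.arn
}
```

Two caveats, both of which support the comment's point about tools versus users. First, `prevent_destroy` only stops `terraform plan`/`apply` from proposing the destroy; it is a line in a file the agent can edit, so the IAM Deny is the guard that actually holds. Second, `deletion_protection` is itself changed through `rds:ModifyDBInstance`, which a role that manages the instance must be allowed to call, so a principal that can apply can also switch the protection off and then delete in a second run. The way to close that gap is the one the comment recommends: the agent's credentials get read-only (`rds:Describe*`, `s3:GetObject` on the state key) so it can only plan, and a human runs apply with the role that holds the Deny above.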