The point about keeping `terraform apply` human-only is the right instinct, but I think the conversation is missing a structural layer.
The real issue isn't "don't let agents touch prod." It's that `terraform destroy` and `terraform apply` share the same permission scope. There's no blast radius boundary. If an agent (or a tired human) can run `apply`, they can destroy anything in that state file. renewiltord touched on this too: always forward-evolving infra instead of running `destroy` directly.
I got curious about this pattern and started thinking about it differently: what if agent-accessible Terraform operations were scoped to a read-only plan phase by default? The agent generates the plan, a human reviews the diff, and only then does apply run. You'd essentially treat the agent like a junior engineer who can write PRs but can't merge to main.
The deeper problem is that most IaC tools weren't designed with the assumption that the operator might be an LLM with no concept of irreversibility.
Has anyone implemented a plan-only mode for agents that's actually held up in practice?
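One way to make the "agent writes the plan, human approves, then apply" split concrete, as an added illustration that is not from this thread and not Terraform's own tooling: a small wrapper that allows the agent role only read-only subcommands (and refuses `plan -destroy`), and allows `apply` only for a saved plan file whose SHA-256 a human has recorded after reviewing the diff. A bare `apply`, which re-plans and applies whatever it finds, is refused outright. The names `AGENT_ALLOWED`, `approvals.txt`, and the role labels are assumptions of this example.

```python
"""Plan-only gate for an automated Terraform operator (illustrative, not Terraform's own tooling).

Agent role: read-only subcommands only. Human role: `apply` is accepted only for
exactly one saved plan file whose SHA-256 appears in an approvals file.
"""
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path

# Subcommands the agent role may run; none of them writes state (assumed allow-list).
AGENT_ALLOWED = {"init", "validate", "fmt", "plan", "show", "graph", "output"}
# Flags that turn a read-only invocation into a destroy plan or an unreviewed change.
AGENT_DENIED_FLAGS = {"-destroy", "-auto-approve"}


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def agent_decision(argv):
    """Decide whether the agent role may run `terraform <argv>`; returns (allowed, reason)."""
    if not argv:
        return False, "no subcommand"
    if argv[0] not in AGENT_ALLOWED:
        return False, f"subcommand '{argv[0]}' is not in the agent allow-list"
    denied = sorted(AGENT_DENIED_FLAGS.intersection(argv[1:]))
    if denied:
        return False, f"flag(s) {denied} are not permitted for the agent role"
    return True, "read-only operation"


def load_approvals(path):
    """Read the set of approved plan hashes (one hex digest per line)."""
    p = Path(path)
    if not p.exists():
        return set()
    return {line.strip() for line in p.read_text().splitlines() if line.strip()}


def record_approval(plan_path, approvals_path):
    """Human step after reviewing `terraform show <plan>`: record the reviewed plan's hash."""
    digest = sha256_of(plan_path)
    with open(approvals_path, "a") as fh:
        fh.write(digest + "\n")
    return digest


def apply_decision(argv, approvals):
    """Decide whether `terraform apply ...` may run; only an approved saved plan passes."""
    if not argv or argv[0] != "apply":
        return False, "not an apply"
    args = argv[1:]
    if "-auto-approve" in args:
        return False, "-auto-approve bypasses review"
    plan_files = [a for a in args if not a.startswith("-")]
    if len(plan_files) != 1:  # a bare apply would re-plan and apply unreviewed changes
        return False, "apply must name exactly one saved plan file"
    plan = plan_files[0]
    if not Path(plan).exists():
        return False, f"plan file {plan} not found"
    digest = sha256_of(plan)
    if digest not in approvals:
        return False, f"plan {digest[:12]} has no recorded approval"
    return True, f"plan {digest[:12]} approved"


def gated_run(role, argv, approvals_path="approvals.txt"):
    """Enforce the policy for `role`, then hand off to the real terraform binary."""
    if role == "agent":
        ok, why = agent_decision(argv)
    elif role == "human" and argv[:1] == ["apply"]:
        ok, why = apply_decision(argv, load_approvals(approvals_path))
    else:
        ok, why = True, "human role, non-apply subcommand"
    print(f"[{role}] terraform {' '.join(argv)}: {'ALLOW' if ok else 'DENY'} ({why})", file=sys.stderr)
    return subprocess.call(["terraform", *argv]) if ok else 2


def self_check():
    """Exercise the policy against a constructed plan file; returns the decisions."""
    workdir = Path(tempfile.mkdtemp())
    plan, approvals = workdir / "plan.tfplan", workdir / "approvals.txt"
    plan.write_bytes(b"constructed stand-in for a binary plan file")  # constructed sample
    r = {
        "agent_plan": agent_decision(["plan", f"-out={plan}"])[0],
        "agent_destroy": agent_decision(["destroy"])[0],
        "agent_destroy_plan": agent_decision(["plan", "-destroy"])[0],
        "agent_apply": agent_decision(["apply", str(plan)])[0],
        "apply_before_approval": apply_decision(["apply", str(plan)], load_approvals(approvals))[0],
    }
    r["digest"] = record_approval(plan, approvals)
    approved = load_approvals(approvals)
    r["apply_after_approval"] = apply_decision(["apply", str(plan)], approved)[0]
    r["apply_bare"] = apply_decision(["apply"], approved)[0]
    r["apply_auto"] = apply_decision(["apply", "-auto-approve", str(plan)], approved)[0]
    return r


if __name__ == "__main__":
    sys.exit(gated_run(sys.argv[1], sys.argv[2:]))
```

Invoke it as `python gate.py agent plan -out=plan.tfplan` for the agent and `python gate.py human apply plan.tfplan` after `record_approval` has been run on the reviewed file. The wrapper is policy, not a boundary: it only holds if the agent's identity cannot reach the terraform binary or the backend and cloud credentials directly, which is the same "shared permission scope" problem the comment raises, so the agent role should carry read-only credentials and the apply role a separate, write-capable set.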