readtheplan
sample 001

Demo issue only

Sample Weekly Terraform/SOC 2 Change Brief 001.

This sample shows the weekly paid-output format. Items are evergreen demo examples, not assertions about current external news. No raw Terraform plan upload, hosted analyzer, account, billing flow, backend, or storage is used.


Audience: platform/SRE teams, DevOps consultancies, SOC 2 consultants, and seed-stage infra/devtool startups that need a repeatable review artifact.

Top 5 infra/compliance changes

Demo signals to review this week.

  • Terraform/OpenTofu provider constraint drift
    Why it matters: Demo issue. A provider version range can silently alter plan output after a lockfile or mirror change.
    Terraform/SOC 2 risk angle: Require reviewed lockfile updates; preserve change-management evidence and plan reproducibility.
  • AWS logging retention decrease
    Why it matters: Demo issue. Shorter CloudWatch log retention can reduce incident investigation and audit lookback.
    Terraform/SOC 2 risk angle: Flag retention decreases as review-tier or dangerous for security monitoring and availability evidence.
  • AWS IAM trust policy broadening
    Why it matters: Demo issue. Wildcard principals or looser conditions can expand who may assume a role.
    Terraform/SOC 2 risk angle: Map to logical access, least privilege, and privileged-change approval controls.
  • Security group ingress opened for operations
    Why it matters: Demo issue. Emergency access rules can linger after a release window.
    Terraform/SOC 2 risk angle: Require owner, expiration, ticket reference, and post-apply verification evidence.
  • GitHub Actions permission expansion
    Why it matters: Demo issue. Adding write scopes to CI can turn build jobs into deployment or token-risk paths.
    Terraform/SOC 2 risk angle: Review workflow permissions, fork behavior, artifact trust, and release approval boundaries.

SOC 2 evidence

Evidence notes for control owners.

  • Capture the approved Terraform plan summary, reviewer, ticket, and production impact.
  • Keep raw Terraform plan JSON in CI artifacts or local workstations, not in the brief.
  • Group evidence by access control, change management, monitoring, confidentiality, and availability.
  • Record compensating controls when a risky change is approved for a time-limited release window.

readtheplan progress

Product signal to include.

This issue can point teams back to the local setup generator, Terraform risk calculator, SOC 2 cloud control mapper, and local MCP preview. The CTA stays local-first and does not ask readers to submit raw plan files.


Action checklist

What to do before the next apply window.

  • Confirm provider lockfile changes are reviewed with the same rigor as Terraform resource changes.
  • Add a reviewer note for any logging retention decrease, IAM trust broadening, or public ingress expansion.
  • Verify GitHub Actions jobs use least-privilege permissions and trusted artifact boundaries.
  • Ask control owners which changes need SOC 2 evidence before the release is approved.
  • Run readtheplan locally or in CI against the real plan JSON; do not send raw plan data to this brief workflow.
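As an added example, not code from readtheplan or from this brief, the following Python walks the `resource_changes` of a `terraform show -json` plan and flags three of the signals in the table above (a CloudWatch retention decrease, an IAM trust policy that gains a wildcard principal, and security group ingress opened to 0.0.0.0/0), the kind of local check the last item asks for. Resource attribute names are the AWS provider's; the plan content is constructed.

```python
"""Flag the Terraform plan signals this brief lists, offline, from `terraform show -json` output: CloudWatch
retention decreases, IAM trust policies gaining a wildcard principal, and ingress opened to 0.0.0.0/0."""
import json

def _days(value):  # AWS treats retention_in_days == 0 as 'never expire', so 0 -> 90 is a decrease
    return float("inf") if value == 0 else value

def _principals(policy_json):
    """Collect every principal string from an assume-role policy document."""
    found = set()
    for stmt in json.loads(policy_json or "{}").get("Statement", []):
        principal = stmt.get("Principal", {})  # either the string "*" or {"AWS": ..., "Service": ...}
        for value in (["*"] if principal == "*" else principal.values()):
            found.update(value if isinstance(value, list) else [value])
    return found

def _public_ingress(sg):
    """True when any ingress block of an aws_security_group admits 0.0.0.0/0."""
    return any("0.0.0.0/0" in (r.get("cidr_blocks") or []) for r in (sg or {}).get("ingress", []))

def review_plan(plan):
    """Return (address, finding) pairs that need a reviewer note before apply."""
    findings = []
    for rc in plan.get("resource_changes", []):
        before, after = rc["change"].get("before") or {}, rc["change"].get("after") or {}
        addr, rtype = rc["address"], rc["type"]
        if rtype == "aws_cloudwatch_log_group":
            old, new = before.get("retention_in_days"), after.get("retention_in_days")
            if old is not None and new is not None and _days(new) < _days(old):
                findings.append((addr, f"log retention decreased {old}->{new} days"))
        elif rtype == "aws_iam_role":
            gained = _principals(after.get("assume_role_policy")) - _principals(before.get("assume_role_policy"))
            if any("*" in p for p in gained):
                findings.append((addr, "trust policy gained wildcard principal"))
        elif rtype == "aws_security_group" and _public_ingress(after) and not _public_ingress(before):
            findings.append((addr, "ingress opened to 0.0.0.0/0"))
    return findings

# Constructed sample plan: a retention cut, a trust policy widened to "*", and SSH opened to the world.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_cloudwatch_log_group.app", "type": "aws_cloudwatch_log_group",
     "change": {"actions": ["update"], "before": {"retention_in_days": 365}, "after": {"retention_in_days": 30}}},
    {"address": "aws_iam_role.deploy", "type": "aws_iam_role", "change": {"actions": ["update"],
     "before": {"assume_role_policy": json.dumps({"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::111111111111:role/ci"}}]})},
     "after": {"assume_role_policy": json.dumps({"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]})}}},
    {"address": "aws_security_group.ops", "type": "aws_security_group", "change": {"actions": ["update"],
     "before": {"ingress": []}, "after": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
]}
```

Against a real plan, call `review_plan(json.load(open("plan.json")))` on the file written by `terraform show -json tfplan > plan.json`; each returned pair is a candidate reviewer note, and the plan JSON itself stays on the workstation or in CI.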

Private pilot

Want the first private weekly brief?

Request the first brief or a private pilot to define source categories, control themes, and delivery format. The private pilot can be customized without raw Terraform plan upload, file submission, backend storage, accounts, or billing.


Placeholder inbox: pilot-contact@example.com.

  • This sample is not a current-news report.
  • No cron or delivery automation runs in this static slice.
  • No hosted analyzer, hosted MCP service, API endpoint, account, billing, backend, or storage.