Atlantis-native · Drop-in · 5 min setup

Your Terraform plan, explained.

AI-narrated plan summaries with risk scoring — posted directly to your PR. Know what's changing. Know what it means. Apply with confidence.

Works with Atlantis, GitHub Actions, GitLab CI
terraform plan output
Terraform will perform the following actions:

  # aws_security_group.api will be updated in-place
  ~ resource "aws_security_group" "api" {
        id          = "sg-0a1b2c3d4e5f"
        name        = "api-sg"
      ~ ingress {
          ~ cidr_blocks      = [
              - "10.0.0.0/8",
              + "0.0.0.0/0",
            ]
            from_port        = 5432
            protocol         = "tcp"
            to_port          = 5432
        }
    }

  # aws_db_instance.primary must be replaced
  -/+ resource "aws_db_instance" "primary" {
      ~ engine_version       = "14.6" -> "15.4"
      ~ identifier           = "prod-db" -> "prod-db-v2"
      + deletion_protection  = true
        ...
        allocated_storage    = 100
        instance_class       = "db.t3.large"
    }

  # aws_ecs_service.api will be updated in-place
  ~ resource "aws_ecs_service" "api" {
      ~ desired_count = 2 -> 4
        id            = "arn:aws:ecs:..."
    }

Plan: 1 to add, 2 to change, 0 to destroy.
DriftWise analysis
Medium risk
3 changes · 1 needs immediate review before applying
One change opens database access to the public internet — likely unintentional and should be reviewed before apply. The RDS replacement will cause a brief outage during the upgrade window. The ECS scaling change is safe.

aws_security_group.api · modified · Review
Port 5432 (Postgres) ingress changed from internal VPC range to 0.0.0.0/0. This opens your database port to the public internet.
Confirm this is intentional — public database exposure is a common misconfiguration.

aws_db_instance.primary · replace · Downtime
Postgres upgrade from 14.6 to 15.4 requires instance replacement. Expect 2–5 minutes of downtime. Deletion protection will be enabled on the new instance.

aws_ecs_service.api · modified · Safe
Desired count doubled from 2 to 4. No replacement. Traffic will be served continuously during the update.

5 min to integrate with Atlantis
5 risk levels scored
0 workflow changes required
plans on the Team tier
How it works

Three lines of config. Instant intelligence.

Step 01
Add to atlantis.yaml
Drop a single run step into your existing workflow. No new tools, no new UI, no migration. Atlantis keeps doing what it does.
run: |
  # Render the plan as JSON, wrap it as a string in plan_json, and POST it for analysis.
  terraform show -json "$PLANFILE" \
    | jq -Rs '{plan_json: .}' \
    | curl -sX POST \
    "https://app.driftwise.ai/api/v2/orgs/$ORG/analyze" \
    -H "X-API-Key: $KEY" \
    -H "Content-Type: application/json" \
    -d @-
Step 02
Plan runs as normal
DriftWise receives the plan, parses the structured diff, and sends only what's relevant to the LLM. No secrets, no state files — just the change data.
Parsing plan...
Detected: 3 changes
Risk signals: 2 found
Generating narrative...
Step 03
Review the narrative
A plain-English summary with risk scoring is returned in the response — Atlantis includes it in the plan output on your PR. Your team can review and decide in seconds.
DriftWise Analysis
Risk: Medium
3 changes · 1 flagged
→ View full analysis

Your model. Your API key.

Anthropic
OpenAI
AWS Bedrock
Google Gemini
Azure OpenAI

Keys never stored

Your API key is held in memory for a single request only. Never logged, never written to disk, never persisted to our database.

Your data, your perimeter

Route LLM calls through your own cloud accounts. Plan data goes directly from DriftWise to your provider — no third-party relay.

Control your costs

Use your existing API credits and volume pricing. No markup on LLM usage — you pay your provider directly.

One field in the API

Add llm_config to your request. DriftWise handles prompt construction and response parsing. Provider errors surface directly — we never silently retry against our own account.

Data handling

What we send. What we don't.

Plan data only. Sensitive values are redacted at the parser, before anything reaches the LLM. Your state files never leave your CI runner.

What reaches the LLM
  • Resource address (e.g. aws_security_group.web)
  • Action: create, update, delete, or replace
  • Resource type
  • Attribute diffs — with Terraform-marked sensitive values replaced by (sensitive) before the prompt is built
  • Risk flags from our static analyzer
What we never touch
  • Terraform state files (*.tfstate)
  • Cloud provider credentials
  • Raw HCL source and variable values
  • Sensitive attributes — we honor Terraform's sensitive = true markers natively
  • Hardcoded AWS access keys and Azure credential patterns — stripped from prompts as a second-layer defense, even if you forget to mark them sensitive
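
The redaction described above, as an added Python example (not DriftWise's code): it walks the resource_changes array of terraform show -json output, applies Terraform's before_sensitive / after_sensitive masks, then strips AWS access-key-shaped strings. The function names, the (redacted) marker and the single regex are assumptions; Azure patterns are not covered.

```python
import re

# Second-layer patterns (assumed for this example): AWS access key IDs are
# 20 characters beginning with AKIA (long-term) or ASIA (temporary).
SECRET_PATTERNS = [re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")]

def mask(value, sensitive):
    """Replace whatever Terraform's sensitivity mask flags, then scrub key-shaped strings."""
    if sensitive is True:
        return "(sensitive)"
    if isinstance(value, dict):
        smap = sensitive if isinstance(sensitive, dict) else {}
        return {k: mask(v, smap.get(k, False)) for k, v in value.items()}
    if isinstance(value, list):
        slist = sensitive if isinstance(sensitive, list) else []
        return [mask(v, slist[i] if i < len(slist) else False) for i, v in enumerate(value)]
    if isinstance(value, str):
        for pattern in SECRET_PATTERNS:
            value = pattern.sub("(redacted)", value)
    return value

def redact_plan(plan):
    """Reduce `terraform show -json` output to address, type, actions and masked diffs."""
    reduced = []
    for rc in plan.get("resource_changes", []):
        ch = rc["change"]
        reduced.append({
            "address": rc["address"],
            "type": rc["type"],
            "actions": ch["actions"],
            "before": mask(ch.get("before"), ch.get("before_sensitive", False)),
            "after": mask(ch.get("after"), ch.get("after_sensitive", False)),
        })
    return reduced

# Constructed sample in the shape of `terraform show -json`; the key is AWS's
# documentation example value, the passwords are made up.
SAMPLE_PLAN = {"resource_changes": [{
    "address": "aws_db_instance.primary", "type": "aws_db_instance",
    "change": {
        "actions": ["update"],
        "before": {"password": "old-pw", "tags": {"note": "key=AKIAIOSFODNN7EXAMPLE"}},
        "after": {"password": "new-pw", "tags": {"note": "key=AKIAIOSFODNN7EXAMPLE"}},
        "before_sensitive": {"password": True, "tags": {}},
        "after_sensitive": {"password": True, "tags": {}},
    },
}]}
```

Only the reduced list returned by redact_plan(SAMPLE_PLAN) would be placed in a prompt; the raw plan JSON is never forwarded.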

Retention

Scan history

Free: 24 hours · Team: 30 days · Enterprise: unlimited or custom.

LLM prompt traces

Debug records of the exact bytes sent to the model. Auto-deleted after 30 days for every plan.

BYOK direct path

If you bring your own key, prompts go straight from DriftWise to your provider — never relayed through a third-party model.

Risk scoring

Five levels. Zero ambiguity.

None
No changes detected. Empty plan or no-op — nothing to review.
Low
Changes with no risk flags triggered. Routine config updates that don't trip our rules.
Medium
Side effects you should expect. Security group rule changes, logging disabled, deletion protection removed, backup retention reduced, cross-region moves.
High
Weakened security boundary or exposed data. Public ingress, public access enabled, encryption disabled, short KMS deletion windows, or forced replacement causing downtime.
Critical
Destructive or exposure-level changes. Stateful resource destruction (RDS, DynamoDB, S3, EFS, KMS, Secrets Manager), wildcard IAM permissions, or SSH open to the public internet.
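
An added Python example, not DriftWise's analyzer, showing how the level descriptions above could be applied to the resource_changes of a JSON plan. It implements only a few of the listed rules; the rule order, the helper names and taking the highest per-change level as the plan level are assumptions.

```python
LEVELS = ["none", "low", "medium", "high", "critical"]
STATEFUL = {"aws_db_instance", "aws_dynamodb_table", "aws_s3_bucket",
            "aws_efs_file_system", "aws_kms_key", "aws_secretsmanager_secret"}
PUBLIC = {"0.0.0.0/0", "::/0"}

def public_ports(after):
    """Return (low, high) port ranges of ingress rules open to any address."""
    ranges = []
    for rule in after.get("ingress") or []:
        cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        if PUBLIC & set(cidrs):
            all_ports = str(rule.get("protocol")) == "-1"  # "-1" means every protocol and port
            ranges.append((0, 65535) if all_ports else (rule["from_port"], rule["to_port"]))
    return ranges

def score_change(rc):
    """Map one resource_changes entry to a level; rule order is an assumption."""
    ch = rc["change"]
    actions, before, after = ch["actions"], ch.get("before") or {}, ch.get("after") or {}
    if actions in (["no-op"], ["read"]):
        return "none"
    if actions == ["delete"] and rc["type"] in STATEFUL:
        return "critical"                       # stateful resource destroyed
    if rc["type"] == "aws_security_group":
        ports = public_ports(after)
        if any(lo <= 22 <= hi for lo, hi in ports):
            return "critical"                   # SSH reachable from the internet
        return "high" if ports else "medium"    # public ingress vs. any other rule change
    if "delete" in actions and "create" in actions:
        return "high"                           # forced replacement
    if before.get("deletion_protection") and not after.get("deletion_protection"):
        return "medium"                         # deletion protection removed
    return "low"

def score_plan(plan):
    """Plan level is the highest level of any single change."""
    scores = [score_change(rc) for rc in plan.get("resource_changes", [])]
    return max(scores, key=LEVELS.index, default="none")

def change(addr, actions, before=None, after=None):
    """Build a constructed resource_changes entry for the sample below."""
    return {"address": addr, "type": addr.split(".")[0],
            "change": {"actions": actions, "before": before, "after": after}}

SAMPLE_PLAN = {"resource_changes": [  # constructed, not real plan output
    change("aws_ecs_service.api", ["update"], {"desired_count": 2}, {"desired_count": 4}),
    change("aws_security_group.web", ["update"], {"ingress": []}, {"ingress": [
        {"cidr_blocks": ["0.0.0.0/0"], "protocol": "tcp", "from_port": 443, "to_port": 443}]}),
]}
```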

Start free. Pay when it saves you.

Annual pricing: Team $1,490/yr (save 17%), +$120/yr per extra seat.

Free
$0
forever
  • 10 plan analyses / month
  • 1 seat
  • 24-hour run history
  • Atlantis + GitHub Actions
  • Risk scoring
  • PR comment output
  • Bring your own LLM
  • SSO / SAML
  • Audit log
Enterprise
Talk to us
custom contract
  • Everything in Team
  • Bring your own LLM
  • Unlimited seats
  • Unlimited run history
  • Audit & compliance rules
  • SCIM provisioning
  • SLA + dedicated support

Apply with confidence.

Add DriftWise to your Atlantis workflow in 5 minutes. Free forever, no card required.
