Infra
Validate Terraform plans, Helm releases, and Kubernetes manifests before apply.
annave infra validate inspects infrastructure definitions and flags issues grouped by severity. The target type is auto-detected from the file or directory — no --type flag needed in most cases.
Usage
```bash
annave infra validate [target] [flags]
```
Flags
| Flag | Short | Default | Description |
|---|---|---|---|
| --type | | auto | Validate type: terraform, helm, k8s |
| --format | | plain | Output format: plain, json, table |
Auto-detection
| Target | Detected as |
|---|---|
| *.json or *.tfplan | terraform |
| Directory with Chart.yaml | helm chart lint |
| *.yaml, *.yml, or directory | Kubernetes manifests |
| No target given | helm release list (helm list -A) |
Terraform rules
Requires the output of `terraform show -json plan.tfplan`. The validator reads the JSON plan, and the Terraform CLI must be installed.
| Rule | What it flags |
|---|---|
| TF001 | Destructive change — resource will be deleted or replaced |
| TF002 | IAM resource modification (aws_iam_role, aws_iam_policy, etc.) |
| TF003 | Network or firewall change (aws_security_group, aws_vpc, etc.) |
| TF004 | Data resource deletion risk |
| TF005 | Database resource modification (aws_db_instance, aws_rds_cluster) |
Helm rules
Release list mode (helm list -A) requires Helm CLI. Chart lint mode runs helm lint against a chart directory.
| Rule | What it flags |
|---|---|
| HELM001 | Release in `failed` state |
| HELM002 | Release in `pending-install`, `pending-upgrade`, or `pending-rollback` state |
| HELM003 | Chart lint error (would prevent install) |
| HELM004 | Chart lint warning |
| HELM005 | Chart lint info |
Kubernetes manifest rules
| Rule | What it flags |
|---|---|
| K8S101 | Deprecated apiVersion (e.g. extensions/v1beta1, apps/v1beta1) |
| K8S102 | Missing metadata.name |
| K8S103 | Image tag is `:latest` or missing |
| K8S104 | Deployment with replicas: 1 and no matching PodDisruptionBudget |
| K8S105 | Container missing CPU or memory resource limits |
| K8S106 | Container missing liveness probe |
Examples
Validate a Terraform plan
```bash
terraform show -json plan.tfplan > plan.json
annave infra validate plan.json
```
Check all deployed Helm releases
```bash
annave infra validate
```
Lint a Helm chart
```bash
annave infra validate ./charts/myapp
```
Validate Kubernetes manifests
```bash
annave infra validate ./k8s/
```
Table output grouped by severity
```bash
annave infra validate plan.json --format table
```
Plain output
```text
Infra validation — plan.json
validated at 2026-05-16 10:42:07
result FAILED (3 issue(s))
[1] CRITICAL TF001 Destructive change: aws_db_instance.production (replace)
[2] HIGH TF002 IAM modification: aws_iam_role.app_role (update)
[3] MEDIUM TF003 Security group change: aws_security_group.web (update)
```
JSON output shape
```json
{
  "target": "plan.json",
  "validated_at": "2026-05-16T10:42:07Z",
  "passed": false,
  "issues": [
    {
      "rule": "TF001",
      "severity": "critical",
      "message": "Destructive change: aws_db_instance.production (replace)",
      "resource": "aws_db_instance.production"
    }
  ]
}
```
What to watch
- Terraform validation requires the Terraform CLI to be in `$PATH` to run `terraform show -json`. If not found, an `ERR_IO_FAILURE` is returned with a PATH hint.
- Helm validation requires the Helm CLI in `$PATH` for both release listing and chart linting.
- K8S manifest validation processes multi-document YAML files separated by `---`. Each document is validated independently.
- A `passed: false` result in JSON does not cause exit code `1`. Only execution errors (missing tool, unreadable file) produce a non-zero exit.
- Deprecated apiVersion detection (K8S101) covers versions removed in Kubernetes 1.25 and later. Ensure your cluster version is taken into account before acting on these findings.
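Because `passed: false` does not change the exit code, a pipeline has to read the JSON report itself to block an apply. The sketch below is an added example, not part of annave: it parses the JSON output shape shown above and returns a gate exit code, failing closed on unreadable reports and unknown severities. The `gate` function, the severity names other than `critical`, and the sample report are assumptions.

```python
import json
import sys

# Only "critical" appears in the page's JSON sample; the other lowercase
# names are assumed from the plain-output labels (HIGH, MEDIUM) and convention.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def gate(report_text, fail_at="high"):
    """Return (exit_code, blocking_issues) for one JSON report.

    0: nothing at or above fail_at; 1: blocking issues; 2: unusable report.
    """
    threshold = SEVERITY_RANK[fail_at]
    try:
        issues = json.loads(report_text)["issues"]
        if not isinstance(issues, list) or not all(isinstance(i, dict) for i in issues):
            raise TypeError("unexpected report shape")
    except (ValueError, KeyError, TypeError):
        return 2, []  # fail closed: a broken report is never a pass
    blocking = []
    for issue in issues:
        sev = str(issue.get("severity", "")).lower()
        # An unknown or missing severity is ranked as critical, so it blocks.
        if SEVERITY_RANK.get(sev, SEVERITY_RANK["critical"]) >= threshold:
            blocking.append(issue)
    return (1 if blocking else 0), blocking


# Constructed sample: the page's JSON shape, extended with the two other
# findings from its plain-output example (their "resource" values assumed).
SAMPLE = json.dumps({
    "target": "plan.json", "validated_at": "2026-05-16T10:42:07Z", "passed": False,
    "issues": [
        {"rule": "TF001", "severity": "critical", "resource": "aws_db_instance.production",
         "message": "Destructive change: aws_db_instance.production (replace)"},
        {"rule": "TF002", "severity": "high", "resource": "aws_iam_role.app_role",
         "message": "IAM modification: aws_iam_role.app_role (update)"},
        {"rule": "TF003", "severity": "medium", "resource": "aws_security_group.web",
         "message": "Security group change: aws_security_group.web (update)"},
    ],
})

if __name__ == "__main__":
    # With a file argument, act as the CI gate; with none, demo on SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sys.exit(gate(fh.read())[0])
    print(gate(SAMPLE))
```

In a pipeline, write the report with `annave infra validate plan.json --format json > report.json` and pass `report.json` as the script's argument before the apply step.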