v0.1 · Terraform · AWS

terraform plan tells you what will change. RecourseOS tells you what you can't get back.

A static analyzer for Terraform plans that classifies every destructive change by recoverability — so you know what's reversible, what's restorable, and what's gone forever before you apply.

$ npx recourse-cli plan plan.json

What you actually see.

~/infra · zsh
$ recourse plan terraform.tfplan
DESTRUCTIVE CHANGES
DELETE aws_db_instance.main
recoverability: unrecoverable · skip_final_snapshot=true, no backup retention
DELETE aws_s3_bucket.logs
recoverability: unrecoverable · bucket deletion is permanent; versioning does not survive
!DELETE aws_kms_key.encryption
recoverability: recoverable-with-effort · 7-day deletion window; can be cancelled
DELETE aws_s3_object.archive[0]
recoverability: recoverable-from-backup · versioning enabled, prior version retained
SUMMARY
unrecoverable: 2  ·  recoverable-with-effort: 1  ·  recoverable-from-backup: 1
⚠ this plan contains unrecoverable changes · exit 1

What it checks.

01 RDS: deletion protection, snapshots, retention
02 S3: versioning, MFA delete, object lock
03 DynamoDB: PITR, deletion protection, backups
04 KMS: deletion windows, dependent resources
05 EBS: snapshots, AMI backing
06 CloudWatch Logs: retention, S3 export
07 IAM: cascade impact across resources
08 + 8 more: EC2, Lambda, VPC, ELB, Route53, SNS, SQS

What it doesn't do.

no inference
It doesn't guess that something "looks like" a production database. It reads the values in your plan and reports on them.
no severity-by-vibes
Verdicts are factual: recoverable, recoverable-with-effort, recoverable-from-backup, unrecoverable, or blocked. Each maps to specific configuration. You can check the work.
no opinions on your config
It doesn't suggest you should set deletion_protection. It tells you what would change the verdict if you did.
no agents, no SaaS, no signup
It's a CLI. It runs on your machine or in your CI. No data leaves the process.
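
To make "each maps to specific configuration" concrete, here is an added sketch (not RecourseOS source code) that classifies aws_db_instance deletions from the JSON that `terraform show -json` emits for a plan. The verdict rules, the `wouldChange` hints and the function names are assumptions modeled on the sample output above; the plan data is constructed.

```javascript
// Added example, not RecourseOS code. Verdict rules are assumptions.
// Constructed sample in the shape of `terraform show -json <planfile>`.
const rds = (address, actions, before) =>
  ({ address, type: "aws_db_instance", change: { actions, before } });
const samplePlan = { resource_changes: [
  rds("aws_db_instance.main", ["delete"],
    { deletion_protection: false, skip_final_snapshot: true, backup_retention_period: 0 }),
  rds("aws_db_instance.reports", ["delete"],
    { deletion_protection: false, skip_final_snapshot: false, backup_retention_period: 7 }),
  rds("aws_db_instance.billing", ["delete", "create"],
    { deletion_protection: true, skip_final_snapshot: true, backup_retention_period: 0 }),
  rds("aws_db_instance.cache", ["update"], { skip_final_snapshot: true }),
] };

// Classify one instance from the values Terraform recorded in `before`.
function classifyRds(before) {
  if (before.deletion_protection === true)
    return { verdict: "blocked", reason: "deletion_protection=true", wouldChange: [] };
  if (before.skip_final_snapshot === false)
    return { verdict: "recoverable-from-backup", reason: "final snapshot is taken", wouldChange: [] };
  if (before.backup_retention_period > 0 && before.delete_automated_backups === false)
    return { verdict: "recoverable-from-backup", reason: "automated backups retained", wouldChange: [] };
  return {
    verdict: "unrecoverable",
    reason: "skip_final_snapshot=true, no retained backups",
    // Settings that would move this resource to a different verdict.
    wouldChange: ["skip_final_snapshot=false", "deletion_protection=true"],
  };
}

// Plain deletes and replacements both carry "delete" in change.actions.
function analyzePlan(plan) {
  return (plan.resource_changes || [])
    .filter((rc) => rc.type === "aws_db_instance" && rc.change.actions.includes("delete"))
    .map((rc) => ({ address: rc.address, ...classifyRds(rc.change.before || {}) }));
}

// Non-zero when any change is unrecoverable, mirroring the CI behaviour described on this page.
function exitCode(findings) {
  return findings.some((f) => f.verdict === "unrecoverable") ? 1 : 0;
}

const findings = analyzePlan(samplePlan);
for (const f of findings) console.log(`${f.address}: ${f.verdict} (${f.reason})`);
```

The values come from `change.before` because a delete is executed with the settings already in state, not with whatever the configuration says now.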

What v0.1 doesn't cover.

Terraform plans only. Not Pulumi, CloudFormation, or raw API calls — yet.

AWS only. GCP and Azure are on the roadmap. The classifier framework is provider-agnostic; the resource libraries take time.

Plan-file analysis, no live state. If a backup vault exists outside your Terraform configuration, RecourseOS can't see it. --live-state is in development.

Static analysis, not gating. v0.1 flags. It exits non-zero in CI on unrecoverable changes. Approval workflows come later, after the labels have earned trust.