The Pre-Deploy Review Problem
Infrastructure changes carry outsized risk. A single misconfigured security group, an unintended resource replacement, or a quiet cost escalation can take down production or blow through a budget. Every team needs a pre-deploy review step -- but the tools they use for that review vary dramatically in what they show, how they show it, and what happens when something goes wrong.
The four most common approaches solve different parts of the same problem:
| Approach | DeployDiff | Terraform Plan | Pulumi Preview | Infracost |
|---|---|---|---|---|
| What it does | CLI: render diff, generate rollback, estimate cost, gate CI | HashiCorp-native: plan + show changes | Pulumi-native: stack preview + diff | Cloud cost estimation from IaC |
| Primary focus | Full pre-deploy review | State reconciliation | Stack diff output | Cost impact only |
| Setup time | 30 seconds | 0 (built in) | 0 (built in) | 10-15 minutes |
Tool 1: DeployDiff -- Pre-Deploy Diff, Rollback, and Cost in One CLI
DeployDiff -- Preview Infrastructure Changes Before You Apply
- preview -- Render infrastructure diffs with color-coded actions and grouped change types
- rollback -- Generate provider-specific undo commands from your plan file
- Cost estimation per resource change
- --exit-on-destroy -- CI gating for destructive changes
- Works with Terraform, CloudFormation, and Pulumi plan outputs
DeployDiff is a CLI tool that takes the output of your infrastructure planning step (Terraform plan, CloudFormation changeset, Pulumi preview) and renders a review-ready diff. It shows what will change, groups changes by type (create, update, replace, destroy), highlights destructive actions, generates rollback commands, and estimates cost impact -- all before you apply.
Core workflow
# Install
pip install deploydiff-cli
# Preview: render a Terraform plan as a readable diff
terraform plan -out=plan.tfplan
terraform show -json plan.tfplan > plan.json
deploydiff preview plan.json
# + aws_instance.web create (t3.medium, $30.38/mo)
# ~ aws_security_group.web update ingress: +0.0.0.0/0 -> +10.0.0.0/8
# - aws_db_instance.old destroy (was db.t3.small, -$24.50/mo)
#
# Summary: 1 create, 1 update, 1 destroy
# Cost delta: +$5.88/mo
# ⚠ Destructive: 1 resource will be destroyed
# Gate CI on destructive changes
deploydiff preview plan.json --exit-on-destroy
# Exit code 1 if any resource is scheduled for destruction
# Generate rollback commands BEFORE you apply
deploydiff rollback plan.json
# # Rollback commands for Terraform:
# terraform destroy -target=aws_instance.web
# terraform apply -target=aws_db_instance.old
# CloudFormation support (my-stack / my-change are placeholder names; --stack-name is required unless the change set is given as an ARN)
aws cloudformation describe-change-set --stack-name my-stack --change-set-name my-change > changeset.json
deploydiff preview changeset.json --provider cloudformation
deploydiff rollback changeset.json --provider cloudformation
# Pulumi support
pulumi preview --json > preview.json
deploydiff preview preview.json --provider pulumi
# Estimate cost only
deploydiff preview plan.json --cost-only
# Total monthly cost delta: +$5.88/mo
What DeployDiff gets right
- Review-ready output. Terraform plan output is JSON for machines. DeployDiff renders it for humans: color-coded action symbols, grouped change types, and per-resource cost impact. You can scan 200 changes in 30 seconds instead of scrolling through raw JSON.
- Rollback command generation. The only tool that generates provider-specific undo commands before you apply. If a deploy goes wrong at 2 AM, you run the pre-generated rollback commands instead of reconstructing them from state files and documentation.
- Cost estimation built in. Every resource change includes its monthly cost impact. You see the total cost delta at the bottom. No separate tool needed for cost review.
- CI gating. --exit-on-destroy fails CI if any resource is scheduled for destruction. Prevents accidental data loss without manual review.
- Multi-provider. Reads Terraform plan JSON, CloudFormation changesets, and Pulumi preview JSON. One tool for your entire IaC stack.
- Zero-config. Pipe a plan file, get a review. No policy files, no configuration, no API keys required for basic diff rendering.
Where DeployDiff is limited
- Requires a plan file. DeployDiff reads existing plan output -- it doesn't run Terraform plan or Pulumi preview itself. You still need your IaC tool's native planning step.
- No policy engine. DeployDiff gates on destructive changes, but it doesn't enforce organizational policies (e.g., "no public S3 buckets"). Use Open Policy Agent or HashiCorp Sentinel for policy enforcement.
- Cost estimates are directional. Based on instance types and resource configurations, not actual billing data. For precise cost prediction, Infracost's policy engine and real pricing data are more accurate.
- CLI only. No UI or PR integration natively. For PR comments, pair with GitHub Actions.
Tool 2: Terraform Plan -- The HashiCorp-Native Approach
Terraform Plan -- See What Terraform Will Change Before You Apply
- Built-in: terraform plan is part of every Terraform workflow
- Shows create, update, delete, replace actions per resource
- Saved plan files for apply-time verification
Terraform Plan is the default pre-deploy review for any team using Terraform. It compares desired state (your .tf files) with actual state (the state file) and produces a list of actions Terraform will take. It's built into Terraform itself -- no installation or configuration needed. Every Terraform user already runs it.
Core workflow
# Plan and review
terraform plan
# aws_instance.web will be created
# aws_security_group.web will be updated in-place
# aws_db_instance.old will be destroyed
# Save plan for later apply
terraform plan -out=plan.tfplan
terraform apply plan.tfplan
# JSON output for programmatic access
terraform plan -out=plan.tfplan
terraform show -json plan.tfplan > plan.json
# In Terraform Cloud: plan runs automatically on PR
# Cost estimation available in Terraform Cloud (Business tier)
What Terraform Plan gets right
- Always available. It's built into Terraform. No installation, no configuration, no extra cost. Every Terraform workflow starts with terraform plan.
- Authoritative. The plan output is exactly what Terraform will apply (assuming no state drift between plan and apply). If the plan says "no changes," there are no changes.
- Saved plan files. A saved plan file (-out=plan.tfplan) guarantees that terraform apply executes exactly what was planned. No surprise changes between plan and apply.
- Policy integration. HashiCorp Sentinel (Terraform Enterprise) can enforce policies on plan output. Open Policy Agent can evaluate plan JSON. Terraform Cloud runs policy checks automatically.
- JSON output. terraform show -json produces machine-readable output that other tools (including DeployDiff) can consume.
Where Terraform Plan falls short for review
- Not designed for human review at scale. The default output is a sequential list of changes. For 200+ resources, you scroll through pages of text looking for the one destructive change. No grouping, no color-coding, no cost context.
- Terraform only. Doesn't work with CloudFormation, Pulumi, CDK, or any other IaC tool. If you have a multi-tool stack, you need separate review workflows for each.
- No cost estimation. The open-source version doesn't show cost impact. Terraform Cloud's cost estimation is Business-tier only ($70+/user/month).
- No rollback commands. The plan tells you what will change, but not how to undo it. When an apply goes wrong, you're reconstructing rollback commands from documentation and state files.
- No CI gating. The plan exits 0 regardless of what changes it contains. A plan with 50 destructive resources exits with the same code as a plan with 1 harmless update. CI gating requires custom scripts or paid Terraform Cloud features.
Best for: Teams using Terraform exclusively who need authoritative plan output and have policy enforcement via Sentinel or OPA. Pair with DeployDiff for human-readable rendering and rollback commands.
Tool 3: Pulumi Preview -- The Pulumi-Native Stack Diff
Pulumi Preview -- See Stack Changes Before You Deploy
- Built-in: pulumi preview is part of every Pulumi workflow
- Shows create, update, delete, replace, same for each resource
- JSON output for programmatic consumption
Pulumi Preview is to Pulumi what Terraform Plan is to Terraform -- the native way to see what will change before you deploy. It compares your Pulumi program's desired state with the current stack state and produces a list of actions. If you're in the Pulumi ecosystem, you already run it.
Core workflow
# Preview stack changes
pulumi preview
# Previewing update (dev):
#      Type                      Name            Plan
#      pulumi:pulumi:Stack       my-stack-dev
#  ~   aws:ec2:Instance          web-instance    update
#  +   aws:ec2:SecurityGroup     new-sg          create
#  -   aws:rds:Instance          old-db          delete
# JSON output
pulumi preview --json > preview.json
# In Pulumi Cloud: preview runs automatically on PR
# Shows diff in PR comments (Team tier)
What Pulumi Preview gets right
- Always available for Pulumi users. Built into the Pulumi CLI. No additional setup.
- General-purpose IaC. Pulumi supports AWS, Azure, GCP, Kubernetes, and 100+ providers from a single program. Preview covers your entire stack.
- Programming language flexibility. Write infrastructure in TypeScript, Python, Go, C#, or Java. Preview works regardless of language.
- Pulumi Cloud integration. PR comments with diffs, policy enforcement, and approval workflows (Team tier and above).
Where Pulumi Preview falls short for review
- Pulumi only. Doesn't read Terraform plans, CloudFormation changesets, or any other IaC format. If you have Terraform and Pulumi in the same organization, you need separate review tools.
- Basic diff output. The default preview shows a table of actions but no detailed before/after values for each property change. You need --json and a custom script to see property-level diffs.
- No cost estimation. Pulumi Cloud doesn't include cost estimation in any tier. You need a separate tool (Infracost or DeployDiff) for cost impact.
- No rollback commands. Preview shows what will change, but doesn't generate undo commands. Pulumi's state rollback (pulumi stack export/import) is manual and error-prone.
- No CI gating on destructive changes. Preview exits 0 regardless of what it finds. You need custom scripting to fail CI on destructive changes.
Best for: Teams using Pulumi exclusively who need native stack preview. Pair with DeployDiff for human-readable rendering, cost estimation, and rollback commands across your Pulumi stack.
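Both the Terraform Plan and Pulumi Preview sections above note that the native preview exits 0 whatever it contains, so gating CI on destructive changes needs a custom script. The following is an added example of such a gate (not DeployDiff's, HashiCorp's or Pulumi's own code): it reads the resource_changes of terraform show -json output or the steps of pulumi preview --json, fails on destroy and replace actions, and also flags the security-group case shown in the DeployDiff output earlier, an ingress rule newly opened to 0.0.0.0/0, which a cost-only or action-only view would miss. The embedded plan is a constructed sample in that JSON shape and the function names are this example's own.

```python
import json
import sys

WORLD = {"0.0.0.0/0", "::/0"}
# Pulumi step ops that remove or recreate; Terraform encodes replace as ["delete","create"] or reversed.
PULUMI_DESTRUCTIVE = {"delete", "replace", "create-replacement", "delete-replaced"}

def terraform_destructive(plan):
    """Addresses that `terraform apply` would destroy or replace (actions contain "delete")."""
    hits = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "delete" in actions:
            hits.append(f"{rc['address']} ({'replace' if 'create' in actions else 'destroy'})")
    return hits

def pulumi_destructive(preview):
    """URNs that `pulumi up` would delete or replace, read from `steps[].op`."""
    return [f"{s['urn']} ({s['op']})" for s in preview.get("steps", [])
            if s.get("op") in PULUMI_DESTRUCTIVE]

def _world_cidrs(state):
    """World-open CIDRs across a security group's ingress rules (empty for a null state)."""
    found = set()
    for rule in (state or {}).get("ingress") or []:
        found.update(rule.get("cidr_blocks") or [])
        found.update(rule.get("ipv6_cidr_blocks") or [])
    return found & WORLD

def newly_world_open(plan):
    """Security groups whose planned ingress adds 0.0.0.0/0 or ::/0 that the current state lacks."""
    hits = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") == "aws_security_group":
            added = _world_cidrs(change.get("after")) - _world_cidrs(change.get("before"))
            if added:
                hits.append(f"{rc['address']} opens ingress to {sorted(added)}")
    return hits

def gate(plan=None, preview=None):
    """CI exit status: 1 if anything destructive or world-opening is planned, else 0."""
    findings = terraform_destructive(plan) + newly_world_open(plan) if plan else []
    findings += pulumi_destructive(preview) if preview else []
    for finding in findings:
        print("BLOCKED:", finding, file=sys.stderr)
    return 1 if findings else 0

# Constructed sample in the shape of `terraform show -json` output (not a real plan).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["update"],
                "before": {"ingress": [{"cidr_blocks": ["10.0.0.0/8"]}]},
                "after": {"ingress": [{"cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_db_instance.old", "type": "aws_db_instance",
     "change": {"actions": ["delete"], "before": {"instance_class": "db.t3.small"}, "after": None}},
]}

if __name__ == "__main__":  # usage: python gate.py plan.json (falls back to the sample)
    sys.exit(gate(plan=json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN))
```

Run it as the step after terraform show -json in the pipeline; a non-zero exit blocks the apply job the same way the page's --exit-on-destroy does, with the world-open check as the extra signal.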
Tool 4: Infracost -- Cloud Cost Estimation for IaC
Infracost -- See Cloud Costs Before You Deploy
- Cost estimation from Terraform, Terragrunt, CFN, Pulumi, K8s manifests
- Policy engine: fail CI on cost thresholds
- PR comments with cost breakdown
Infracost is a specialized tool that estimates cloud cost impact from infrastructure-as-code changes. It reads your Terraform, CloudFormation, or Pulumi code, queries real cloud pricing APIs, and produces a detailed cost breakdown. It also has a policy engine that can fail CI when cost changes exceed thresholds. It's the go-to tool for cost governance in IaC workflows.
Core workflow
# Install (Infracost ships as a Go binary via Homebrew or its install script; there is no pip package)
brew install infracost
# Generate cost breakdown from Terraform
infracost breakdown --path=.
# Name                           Monthly Qty  Unit    Monthly Cost
# aws_instance.web (t3.medium)           730  hours         $30.38
# aws_ebs_volume.data (100 GP3)            1  months         $8.00
# Total monthly cost: $38.38
# Compare costs between current and planned state
infracost diff --path=plan.json
# Name                           Monthly Qty  Unit    Monthly Cost   Change
# aws_instance.web (t3.medium)           730  hours         $30.38  +$15.19
# aws_db_instance.old                                                -$24.50
# Monthly cost change: +$5.88
# CI: fail on cost threshold
infracost breakdown --path=. --policy=policy.rego
# Policy check: monthly cost increase of $5.88 exceeds $5.00 threshold
# PR integration via GitHub Actions
# Posts cost breakdown as PR comment
What Infracost gets right
- Accurate cost estimation. Queries real cloud pricing APIs (AWS, Azure, GCP) for precise cost calculations. Supports 2,000+ cloud resources with real pricing data.
- Policy engine. OPA-based policy engine that can fail CI on cost thresholds, require approvals for large increases, or block specific resource types. Fine-grained cost governance.
- PR integration. GitHub Actions integration posts cost breakdowns as PR comments. Reviewers see cost impact directly in the PR.
- Multi-IaC support. Terraform, Terragrunt, CloudFormation, Pulumi, and Kubernetes manifests. Works across your entire IaC stack.
- Open source core. The CLI is open source and free. Cloud tier adds policy management, team dashboards, and PR integration.
- Usage-based estimates. Can factor in usage patterns (e.g., 1M API calls/month, 100GB data transfer) for more accurate serverless and variable-cost estimates.
Where Infracost is limited for change review
- Cost only. Infracost estimates cost impact. It doesn't show what resources will change, what properties are being modified, or whether destructive changes are planned. It's a cost lens, not a full diff.
- No diff rendering. Infracost shows cost lines, not infrastructure diffs. You can't see that a security group is being opened to 0.0.0.0/0 from Infracost output -- you only see that it costs $0.00 more.
- No rollback commands. Purely a cost estimation tool. No undo paths for failed deploys.
- No destructive change detection. Infracost flags cost increases, but doesn't detect or gate on destructive resource changes (replacements, deletions). You can lose data and Infracost will only note the cost savings.
- Policy engine requires OPA knowledge. Writing cost policies in Rego is non-trivial. Teams without OPA experience need to learn a new policy language.
- API key requirement. Requires a free Infracost API key for pricing data. Doesn't work fully offline.
Best for: Teams that need cost governance for IaC changes. Pair with DeployDiff for infrastructure diff rendering, destructive change detection, and rollback command generation.
Feature Comparison
| Capability | DeployDiff | Terraform Plan | Pulumi Preview | Infracost |
|---|---|---|---|---|
| Human-readable diff rendering | Yes (color-coded, grouped) | No (sequential list) | No (basic table) | No (cost lines only) |
| Destructive change detection | Yes (--exit-on-destroy) | No (manual review) | No (manual review) | No (cost focus) |
| Rollback command generation | Yes (provider-specific) | No | No | No |
| Cost estimation | ~ (directional, per-resource) | No (Business tier only) | No | Yes (real pricing API) |
| CI/CD gating | Yes (--exit-on-destroy) | No (exit 0 always) | No (exit 0 always) | Yes (OPA policies) |
| Multi-IaC support | Yes (TF/CFN/Pulumi) | Terraform only | Pulumi only | Yes (TF/CFN/Pulumi/K8s) |
| PR comment integration | ~ (via GitHub Actions) | ~ (Terraform Cloud) | ~ (Pulumi Cloud) | Yes (built-in action) |
| Policy engine | No | ~ (Sentinel, paid) | ~ (Pulumi Cloud, paid) | Yes (OPA-based) |
| Works offline | Yes | Yes | Yes | No (needs API key) |
| Setup time | 30 seconds | 0 (built in) | 0 (built in) | 10-15 minutes |
| Open source | Yes (MIT) | Yes (BSL) | Yes (Apache 2.0) | Yes (Apache 2.0) |
Use Case Comparison
| Use Case | DeployDiff | Terraform Plan | Pulumi Preview | Infracost |
|---|---|---|---|---|
| Review 200+ resource changes quickly | Ideal | No (scroll through text) | No (basic table) | No (cost only) |
| Generate rollback commands before apply | Ideal | No | No | No |
| Gate CI on destructive changes | Ideal | No (custom script) | No (custom script) | No |
| Estimate precise cloud cost impact | ~ (directional) | No | No | Ideal |
| Enforce cost governance policies | No | No | No | Ideal |
| Review multi-IaC stack (TF + CFN + Pulumi) | Ideal | Terraform only | Pulumi only | Yes (cost focus) |
| Authoritative plan output | Reads plan, doesn't create it | Ideal | Ideal | No (cost only) |
| Post cost breakdowns in PR comments | ~ (via Actions) | ~ (TF Cloud) | ~ (Pulumi Cloud) | Ideal |
Cost Comparison
| Cost Factor | DeployDiff | Terraform Plan | Pulumi Preview | Infracost |
|---|---|---|---|---|
| CLI license | MIT (free tier) | Free (BSL) | Free (Apache 2.0) | Free (Apache 2.0) |
| Dev time per review | 5 minutes | 15-30 minutes (manual) | 15-30 minutes (manual) | 10 minutes (cost focus) |
| Paid tier | $9/mo or $49/mo Suite | TF Cloud from $0 | Cloud from $0 | Cloud from $0 (5 repos) |
| Full suite (11 tools) | $49/mo | N/A | N/A | N/A |
| Cost estimation accuracy | Directional | N/A (Business tier) | N/A | Pricing API (precise) |
When to Use Which
Use DeployDiff when:
You need a human-readable pre-deploy review that shows what will change, highlights destructive actions, generates rollback commands, and estimates cost -- all from one CLI command. Especially valuable when you have multiple IaC tools (Terraform + CloudFormation + Pulumi) and need a consistent review experience across them. The rollback command generation is unique -- no other tool gives you undo paths before you apply.
Use Terraform Plan when:
You're using Terraform and need the authoritative plan output. You pair it with policy enforcement (Sentinel or OPA) for governance. Terraform Plan is the source of truth for what will change -- but it's not designed for human review at scale. Pair with DeployDiff for readable rendering and rollback commands.
Use Pulumi Preview when:
You're using Pulumi and need the native stack diff. Pulumi Preview is the source of truth for Pulumi stacks -- but like Terraform Plan, it's not designed for human review at scale. Pair with DeployDiff for readable rendering, cost estimation, and rollback commands.
Use Infracost when:
You need precise cloud cost estimation and cost governance policies. Infracost's pricing API queries and OPA-based policy engine are best-in-class for cost control. But cost is only one dimension of pre-deploy review -- pair with DeployDiff for infrastructure diff rendering, destructive change detection, and rollback commands.
The Complementary Stack
These four tools solve different parts of the pre-deploy review problem. Here's how they fit together:
| Layer | Tool | Purpose |
|---|---|---|
| 1. Plan generation | Terraform Plan or Pulumi Preview | Authoritative source of truth for what will change. Generate the plan file that other tools consume. |
| 2. Human review | DeployDiff | Render the plan as a review-ready diff. Group changes, highlight destructive actions, show cost per resource. 200 changes scannable in 30 seconds. |
| 3. Rollback readiness | DeployDiff rollback | Generate provider-specific undo commands before apply. When a deploy fails at 2 AM, you run pre-generated commands instead of reconstructing them. |
| 4. Cost governance | Infracost | Precise cost estimation from real pricing APIs. OPA-based policy engine for cost thresholds and approval workflows. PR comment integration. |
The key insight: Terraform Plan and Pulumi Preview generate the plan. DeployDiff makes the plan readable and actionable. Infracost adds precise cost governance. They're complementary, not competing.
Most teams start with just terraform plan and review the raw output. As their infrastructure grows to 50+ resources, they add DeployDiff for human-readable diffs and rollback commands. As cost governance becomes a priority, they add Infracost for precise cost estimation and policy enforcement. The three tools together give you a complete pre-deploy review: what will change, what it will cost, and how to undo it.
Install DeployDiff
# Install via pip
pip install deploydiff-cli
# Or via Homebrew (macOS/Linux)
brew tap Coding-Dev-Tools/tap
brew install deploydiff
# Or via Scoop (Windows)
scoop bucket add Coding-Dev-Tools https://github.com/Coding-Dev-Tools/scoop-bucket
scoop install deploydiff
# Preview your next Terraform plan
terraform plan -out=plan.tfplan
terraform show -json plan.tfplan > plan.json
deploydiff preview plan.json
Star DeployDiff on GitHub
Related Reading
- Review Every Infrastructure Change Before It Ships -- DeployDiff preview tutorial
- Infrastructure Rollback Commands That Actually Work -- rollback generation
- Config Drift Detection Compared -- ConfigDrift vs driftctl vs Terraform Plan vs Checkov
- Before You Deploy: Config Drift and Cost -- pre-deploy safety net
- Preview Infrastructure Cost Before Deploy -- cost estimation workflow