Built-in scenarios
These demos are pulled from the same checked-in fixture plans used to exercise the analyzer in the repo. They make the project scope legible without asking someone to prepare Terraform first.
Quiet reference architecture
sample_aws_safe_plan.jsonPrivate-by-default AWS infrastructure with guarded storage, private database access, and no active findings.
Calibrated baseline
sample_aws_baseline_plan.jsonMostly segmented AWS infrastructure with a small IAM hygiene issue and a non-obvious private-data path.
Representative mixed case
sample_aws_plan.jsonPublic exposure, permissive database access, risky IAM, and broad trust in one reviewable plan.
Stress-case fixture
sample_aws_nightmare_plan.jsonStacked public access, wildcard IAM, exposed storage, and high blast radius across the stack.
Common architecture
sample_aws_alb_ec2_rds_plan.jsonA common web architecture where an internet-facing load balancer still composes into a private RDS access path.
Container workload
sample_aws_ecs_fargate_plan.jsonInternet-facing ALB, private ECS tasks, RDS security-group trust, and Secrets Manager access through the task role.
Control-plane focus
sample_aws_lambda_deploy_role_plan.jsonPrivate Lambda deployment path with scoped S3 access and deliberate trust-chain review points.
Trust expansion
sample_aws_cross_account_trust_unconstrained_plan.jsonMinimal assume-role trust without narrowing conditions to exercise the IAM trust path directly.
Narrowed trust
sample_aws_cross_account_trust_constrained_plan.jsonThe same trust edge narrowed by ExternalId, SourceArn, and SourceAccount conditions.