CLI Tool (tc)
The Terracotta CLI (tc) brings AI-powered Terraform analysis to your local terminal and CI/CD pipelines. Run code reviews and plan analysis without opening a pull request.
🚀 Installation
Install the CLI globally via npm:
npm install -g @terracotta/cli
Or run via npx without installing:
npx @terracotta/cli review
Requirements: Node.js 18 or later.
🔑 Authentication
tc login
Authenticate with your Terracotta API key. The key is validated against the Terracotta API and stored locally.
tc login
# Prompts for your API key (masked input)
# Validates the key and stores it in ~/.terracotta/config.json
To get an API key: navigate to Settings → API Keys in the Terracotta dashboard and click Create API Key.
tc logout
Clear stored credentials:
tc logout
# Removes ~/.terracotta/config.json
🔍 tc review
Run an AI-powered code review on Terraform files.
# Auto-detect changed .tf files via git (staged + unstaged)
tc review
# Review specific files
tc review main.tf variables.tf
# Review with glob patterns
tc review "modules/**/*.tf"
How auto-detection works
When no files are specified, tc review uses git diff to find all changed .tf, .tf.json, and .cdktf files (both staged and unstaged). This is the most common usage in local development.
Options
| Flag | Description | Default |
|---|---|---|
| --format <type> | Output format: terminal, json, markdown | terminal |
| --detail-level <level> | Analysis depth: low, medium, high | medium |
| --ci | CI mode: exit code 0 (clean) or 1 (issues at threshold) | off |
| --fail-on <severity> | Severity threshold for CI failure | critical |
Examples
# Quick review with high detail
tc review --detail-level high
# CI pipeline — fail on high+ severity
tc review --ci --fail-on high
# JSON output for downstream tooling
tc review --format json > review-results.json
📋 tc plan
Analyze a Terraform plan for security, cost, blast radius, and best practices.
# Run terraform plan automatically and analyze the result
tc plan
# Analyze an existing plan file (binary .tfplan)
tc plan terraform.tfplan
# Analyze a JSON plan (from terraform show -json)
tc plan plan.json
How it works
- If no [planfile] argument is given, tc plan runs terraform plan in the current directory (or --working-dir) and captures the output.
- If a planfile is given, it detects whether it's binary (.tfplan) or JSON and parses accordingly. Binary plans are converted via terraform show -json.
- Secret scrubbing: Before upload, sensitive attribute values (passwords, tokens, keys, credentials) are replaced with [REDACTED]. Variable values are never sent, only variable names.
- No-op filtering: Resources with only no-op actions are excluded to reduce noise.
- The structured payload is sent to the Terracotta API for analysis.
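One way to implement the scrubbing and no-op filtering steps listed above, added here as an illustration and not Terracotta's own code. The plan fields (variables, resource_changes, change.actions, before_sensitive, after_sensitive) follow the terraform show -json format; the secret-name pattern, the function names and the sample plan are constructed assumptions.

```javascript
// Added example, not Terracotta's code. Plan fields follow `terraform show -json`.
// Assumption: this name pattern; tune it for the providers you use.
const SENSITIVE_KEY = /(password|passwd|secret|token|credential|private_key|api_key|access_key)/i;
const REDACTED = "[REDACTED]";

// Copy `value`, redacting anything Terraform marked sensitive (mask === true)
// or stored under an attribute name that looks like a secret.
function scrub(value, mask, key = "") {
  if (value === null || value === undefined) return value;
  if (mask === true || SENSITIVE_KEY.test(key)) return REDACTED;
  if (Array.isArray(value)) {
    return value.map((v, i) => scrub(v, Array.isArray(mask) ? mask[i] : undefined));
  }
  if (typeof value !== "object") return value;
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = scrub(v, mask && typeof mask === "object" ? mask[k] : undefined, k);
  }
  return out;
}

// Keep variable names only, drop resources whose actions are all "no-op",
// and scrub before/after using Terraform's own sensitivity masks.
function buildPayload(plan) {
  const resource_changes = (plan.resource_changes || [])
    .filter((rc) => !rc.change.actions.every((a) => a === "no-op"))
    .map((rc) => ({
      address: rc.address,
      actions: rc.change.actions,
      before: scrub(rc.change.before, rc.change.before_sensitive),
      after: scrub(rc.change.after, rc.change.after_sensitive),
    }));
  return { variables: Object.keys(plan.variables || {}), resource_changes };
}

// Constructed sample plan (not real Terraform output).
const SAMPLE_PLAN = {
  variables: { db_password: { value: "hunter2" }, environment: { value: "staging" } },
  resource_changes: [
    { address: "aws_ssm_parameter.db", change: { actions: ["create"], before: null,
        after: { name: "/app/db", value: "s3cr3t-from-mask" },
        after_sensitive: { value: true } } },
    { address: "aws_instance.web", change: { actions: ["update"],
        before: { tags: { deploy_token: "tok-old" } }, before_sensitive: { tags: {} },
        after: { tags: { deploy_token: "tok-new" } }, after_sensitive: { tags: {} } } },
    { address: "aws_s3_bucket.logs", change: { actions: ["no-op"],
        before: { bucket: "logs" }, after: { bucket: "logs" } } },
  ],
};
console.log(JSON.stringify(buildPayload(SAMPLE_PLAN), null, 2));
```

The first resource is redacted through Terraform's after_sensitive mask, the second through the attribute name alone, which is the case a mask-only scrubber would miss.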
Options
| Flag | Description | Default |
|---|---|---|
| --format <type> | Output format: terminal, json, markdown | terminal |
| --detail-level <level> | Analysis depth: low, medium, high | medium |
| --ci | CI mode: exit code 0 (clean) or 1 (issues at threshold) | off |
| --fail-on <severity> | Severity threshold for CI failure | critical |
| --working-dir <path> | Override working directory for plan generation | . |
| --var <key=value> | Pass Terraform variable (repeatable) | — |
| --var-file <path> | Pass Terraform variable file (repeatable) | — |
Examples
# Analyze plan with markdown output
tc plan --format markdown
# CI pipeline with custom working directory
tc plan --ci --fail-on high --working-dir infra/prod
# Pass variables
tc plan --var "environment=staging" --var-file secrets.tfvars
⚙️ Configuration
The CLI loads configuration from multiple sources, in order of priority (highest first):
| Priority | Source | Example |
|---|---|---|
| 1 | Environment variables | TERRACOTTA_API_KEY, TERRACOTTA_API_URL |
| 2 | CLI flags | --format json |
| 3 | Project config file | .terracottarc.json in project root |
| 4 | User config file | ~/.terracotta/config.json (created by tc login) |
| 5 | Built-in defaults | — |
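The priority order in the table above, as an added example that is not Terracotta's own code: it merges the five sources and records which one supplied each value, so an API URL or key arriving from an unexpected place is visible before a plan is uploaded. The key names apiKey and apiUrl, and the idea that a project file might set them, are assumptions; the defaults are taken from this page.

```javascript
// Added example, not Terracotta's code. apiKey/apiUrl key names are assumptions;
// format, detailLevel and failOn match the page's .terracottarc.json sample.
const DEFAULTS = { apiUrl: "https://api.tryterracotta.com", format: "terminal",
  detailLevel: "medium", failOn: "critical" };
const ENV_MAP = { TERRACOTTA_API_KEY: "apiKey", TERRACOTTA_API_URL: "apiUrl" };

// Merge the five sources, highest priority first, recording where each value came from.
function resolveConfig({ env = {}, flags = {}, project = {}, user = {} }) {
  const fromEnv = {};
  for (const [name, key] of Object.entries(ENV_MAP)) {
    if (env[name]) fromEnv[key] = env[name];
  }
  const layers = [["env", fromEnv], ["flags", flags], ["project", project],
    ["user", user], ["defaults", DEFAULTS]];
  const resolved = {};
  for (const [source, values] of layers) {
    for (const [key, value] of Object.entries(values)) {
      if (value !== undefined && !(key in resolved)) resolved[key] = { value, source };
    }
  }
  return resolved;
}

// Report settings worth reviewing before anything is sent to the API.
function auditConfig(resolved) {
  const findings = [];
  if (resolved.apiKey && resolved.apiKey.source === "project") {
    findings.push("apiKey comes from the project file, which is normally committed");
  }
  if (resolved.apiUrl.value !== DEFAULTS.apiUrl) {
    findings.push(`apiUrl overridden by ${resolved.apiUrl.source}: ${resolved.apiUrl.value}`);
  }
  return findings;
}

// Constructed inputs: a CI job with an env key, two flags, and a project file
// that also redirects the API URL.
const SAMPLE = resolveConfig({
  env: { TERRACOTTA_API_KEY: "tc_env_key_constructed" },
  flags: { format: "json" },
  project: { format: "terminal", detailLevel: "high", failOn: "high",
    apiUrl: "https://proxy.example.invalid" },
  user: { apiKey: "tc_user_key_constructed" },
});
console.log(SAMPLE, auditConfig(SAMPLE));
```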
Environment variables
| Variable | Description |
|---|---|
| TERRACOTTA_API_KEY | API key for authentication (overrides stored credential) |
| TERRACOTTA_API_URL | API base URL (default: https://api.tryterracotta.com) |
Project config (.terracottarc.json)
Create a .terracottarc.json file in your project root to set defaults for all team members:
{
  "format": "terminal",
  "detailLevel": "high",
  "failOn": "high"
}
🔄 CI/CD Integration
GitHub Actions
- name: Terracotta Review
  run: |
    npx @terracotta/cli review --ci --fail-on high
  env:
    TERRACOTTA_API_KEY: ${{ secrets.TERRACOTTA_API_KEY }}
GitLab CI
terracotta-review:
  script:
    - npx @terracotta/cli review --ci --fail-on high
  variables:
    TERRACOTTA_API_KEY: $TERRACOTTA_API_KEY
Exit Codes
| Code | Meaning |
|---|---|
| 0 | No issues found at or above the --fail-on severity threshold |
| 1 | Issues found at or above the threshold |
📋 TL;DR
- Install: npm install -g @terracotta/cli
- Authenticate: tc login
- Review local changes: tc review
- Analyze a plan: tc plan
- Use --ci --fail-on <severity> for pipeline integration
- Config priority: env vars > flags > .terracottarc.json > ~/.terracotta/config.json > defaults
