Guardrails

Setting Up Guardrails in Terracotta AI

Terracotta AI Guardrails allow you to apply custom standards, security requirements, and internal conventions to every Terraform or CDKTF pull request—automatically.

This guide covers:

  • How to create a new Guardrail
  • The difference between rule, scope, and source views
  • How enforcement works during PR reviews

🚧 Creating a New Guardrail

To get started, navigate to the Guardrails tab in the top menu, then click the orange New Guardrail button.

You’ll be taken to the Guardrail creation screen, where you can configure:

1. Guardrail Name

Provide a descriptive name, like S3 Security Rules or Platform Team Baseline.


2. Guardrail Content

You can either:

  • Write content directly in the editor (ideal for short rulesets)
  • Upload files such as .txt, .json, .docx, or .pdf (ideal for existing policy docs)

✍️ Example content:

1. Ensure all S3 buckets are encrypted.
2. Disallow public access to EC2 instances.
3. Require tagging on all resources.

3. Guardrail Scope

Decide where this guardrail applies:

  • Global (Org-wide) – applies to all infrastructure-as-code repos linked to Terracotta
  • Specific Repositories – only affects selected repositories

Use repository-specific scoping when different teams or services require their own standards; keep org-wide security baselines Global so no repository can opt out of them.


🧠 Guardrail Components

Once a Guardrail is saved, it is broken down into the following tabs:

Rules

This is the parsed output of your uploaded/entered content. Terracotta extracts rule categories, descriptions, and rationales automatically.

| Category | Rule | Rationale |
| --- | --- | --- |
| Naming Convention | All resource names should follow: Andy-<resource-name> | To maintain consistency and ease of identification. |
| Resource Management | Require tagging on all resources. | To ensure traceability, cost allocation, and governance. |

Scope

Shows which repositories the guardrail is active on, and which platform (GitHub or GitLab) they're connected from.

| Repository | Provider |
| --- | --- |
| terracotta-ai-terraform | GitHub |
| terracotta-aws-demo-tf | GitHub |

Source

Displays the original raw content or uploaded file that was used to define the guardrail.

Require tagging on all resources.
All resource names should follow this naming convention: "Andy-<resource-name>".

✅ Enforcement in PRs

Once configured, Terracotta automatically enforces guardrails during PR reviews.

To manually trigger a guardrail check, comment:

@try-terracotta tc:guard

If any violations are found, they will be flagged inline with:

  • 📍 File and line number
  • 🔒 Severity
  • 🧠 Explanation
  • 💪 Fix recommendations

📋 TL;DR

  • Create Guardrails via the Guardrails tab
  • Enter or upload your internal standards
  • Apply them globally or repo-specific
  • Terracotta parses and enforces these automatically during pull request reviews
  • Use tc:guard to trigger on-demand checks