Terracotta: Best Practices and How-To Guide

When you submit a Terraform or Open Tofu pull request, Terracotta instantly performs a Terraform plan on your newly pushed changes and submits an initial review as the first PR comment.

From here, you can start interacting with Terracotta directly in the PR comments by typing in Terracotta commands or referencing the @tryterracotta AI agent. Typing tc:help will print out the following:

A quick review of the commands seen above:

• tc:help shows you the help message
• tc:reviewInitial review of your Terraform code in the current pull request
• tc:plan runs a terraform plan and provides contextual feedback on potential issues, misconfigurations, security risks and more
• tc:drift initiates a real-time drift report, accessing your remote state file and current resource state in your infrastructure, and comparing it to your proposed changes.

Interacting with the Terracotta AI agent

Our Terracotta AI agent is available 24/7 and easily accessible to answer all questions about Terraform in context and at a moment's notice.

For example, want to do a security review of your PR or Terraform repo in general?

@tryterracotta perform a security review of my PR

Example output:

Below is the security review of your infrastructure changes based on the drift report output:

─────────────────────────────────────────────
1️⃣ Summary of Security Concerns

• Eight out of nine expected resources are missing from AWS—which means that if they are unintentionally removed, a subsequent Terraform apply may re-create these resources. When re-creating, any misconfigurations or overly permissive defaults in the expected resource definitions could expose your environment to unwanted risk.

• The expected state of some resources (for example, the EC2 instance and its associated security group) includes settings that may be considered security–sensitive. In particular, the open SSH access (ingress on port 22 from 0.0.0.0/0) poses a risk if the instance were to be re-provisioned without further restrictions.

─────────────────────────────────────────────
2️⃣ Detailed Security Review with Recommendations

[HIGH] Missing Core Network Resources (VPC, Subnet, IGW, and Route Table Association)
• What’s Wrong?
  – The expected state defines a dedicated VPC (vpc-0c5db49dcd56be54d), a public subnet, an Internet Gateway (igw-034b7c27236cf5c9e), and associated route table resources. Their absence is concerning because when these are re-created, they must be configured securely. A misconfigured VPC or subnet can lead to unintended exposure (for example, if public IP assignment or routing rules default to less-restrictive settings)....

Another example about setting up load balancers and security groups:

`@try-terracotta  do I need to setup security groups for load balancers? If I do not have any load balancers, provide me the TF code to do so with the proper security group setup.`

Example output:

Another example where we have Terracotta produce a new module:

`@try-terracotta  how would I put this into a load balancer module within context of my current Terraform code?`

Example output: