Pull and merge request reviews

Terracotta AI automatically performs infrastructure code reviews when a pull request is opened or updated. These reviews help DevOps and platform engineers catch drift, misconfigurations, cost spikes, and security issues before changes are merged.

🔁 How PR Reviews Work

Terracotta currently supports Terraform and CDK for Terraform (CDKTF). Support for Pulumi and OpenTofu is planned.

Code is cloned from the target repo.
Code is indexed into a vector database.
AI assistant performs a review:
- If credentials are not provided:
  - No terraform init or plan is executed.
  - An overall static assessment is performed.
- If credentials are provided:
  - Terracotta runs terraform init and plan.
  - It then performs drift detection, cost analysis, and deeper validation.

Every review is dynamically generated for the specific PR. The output reflects the code and metadata present at review time, including drift status, plan content (if available), and relevant security or lint issues.

Code is deleted after PR closes: for security and privacy, all cloned code and related vectors are removed once the pull request is closed.

✅ Checks Performed

🔍 Static Review (No Credentials Required)

Terraform syntax validation
Linting & formatting issues
Security & compliance misconfigurations
Detection of hardcoded values
Lifecycle best practices (prevent_destroy, etc.)
Cross-PR resource collision detection (e.g. two PRs editing the same resource)

📦 Dynamic Review (Credentials Required)

Full terraform init and plan
Cost estimation based on AWS pricing
Drift detection by comparing state vs live infra
Plan validation and state consistency

🧠 PR Comment Structure

A review comment is posted directly on the PR diff. It includes:

A summary section outlining severity, number of issues, and affected files
Specific recommendations for each detected issue
Optionally, code snippets for suggested fixes
A preventive measures section
A final TL;DR risk summary

🧪 Example Output (Will Vary Per PR)

Terracotta will leave a PR comment like the following, depending on what it finds:

File	Line	Issue	Severity	Recommendation
backend.tf	1	Hardcoded S3 bucket name	🟡 Medium	Use a variable for flexibility
security.tf	16	Egress allows 0.0.0.0/0 on port 443	🟢 Low	Restrict to known CIDRs if possible

# backend.tf
backend "s3" {
  bucket         = var.state_bucket_name
  key            = var.state_key
  region         = var.aws_region
  dynamodb_table = var.state_lock_table_name
  encrypt        = true
  # profile      = var.aws_profile
  # role_arn     = var.backend_role_arn
}

🛡️ Preventive Measures

Use static analysis tools (TFLint, Checkov, tfsec)
Use variables for sensitive or environment-specific data
Add lifecycle rules for critical resources
Peer review infrastructure modules

📋 Summary (TL;DR)

No high-severity issues detected
Minor improvements recommended
Safe to merge after cleanup

Note: This is a representative sample only. Actual PR review comments vary depending on your code, plan file, and context.

💬 Bot Commands

You can interact with Terracotta directly via PR comments:

tc:help – View available commands
tc:review – Re-run a full static review
tc:plan – Upload a plan to trigger a fresh analysis
tc:drift – Re-run drift detection (if configured)

🔕 Suppressing Comments

Terracotta allows selective suppression of checks:

Per-resource: via tag or module filter
Per-rule: configure in .terracotta.yml
Global: disable entire categories (e.g., cost, drift)

Note: Critical issues may still surface unless explicitly muted.

This PR Review engine helps platform teams ship safer, cleaner, and cost-aware Terraform infrastructure at scale.