Simulate a deployment

Terracotta AI can simulate a complete Terraform deployment by reviewing your entire repo in the context of a proposed pull request change. This simulation highlights what would happen during a terraform apply, providing deep insights into:

  • Resource creation and configuration
  • Security and compliance issues
  • Best-practice violations
  • Operational and dependency concerns

🚀 How to Trigger a Simulation

Use the following comment inside your pull request:

@try-terracotta review all the code in the repo in context of this change and simulate a deployment

Terracotta will analyze the diff in the context of the whole repository and simulate what the deployment would look like.


📋 Example Output

Terraform Code Review Report

What's Wrong?
File          Line  Issue                                                               Severity   Recommendation
main.tf       125   Resource name does not follow required 'Andy-' convention           🔴 High    Update the Name tag to start with Andy- for all new resources.
main.tf       125   No explicit dependency on the security group for new EC2 instance   🟡 Medium  Use `depends_on` to avoid race conditions.
main.tf       125   No explicit KMS key for EBS encryption                              🟡 Medium  Use a customer-managed KMS key.
main.tf       171   Output exposes public IP of new EC2 instance                        🟢 Low     Confirm exposure is intentional.
variables.tf  36    New variable for instance type lacks validation                     🟢 Low     Add validation block and documentation.

✅ Recommended Fixes

Resource Naming Convention

- tags = {
-   Name = "terraform-demo-web-instance-2"
- }
+ tags = {
+   Name = "Andy-web-instance-2"
+ }

Explicit Dependency

resource "aws_instance" "web2" {
  # ...
  depends_on = [aws_security_group.ec2_sg]
}

Customer-Managed KMS for EBS Encryption

resource "aws_kms_key" "ebs" {
  description         = "KMS key for EBS volume encryption"
  enable_key_rotation = true
}

resource "aws_instance" "web2" {
  # ... (ami, instance_type and other arguments unchanged)
  root_block_device {
    volume_size = 8
    volume_type = "gp3"
    encrypted   = true
    kms_key_id  = aws_kms_key.ebs.arn  # customer-managed key instead of the default aws/ebs key
  }
}

Variable Validation

variable "instance_type_secondary" {
  description = "EC2 instance type for secondary instance"
  type        = string
  default     = "t2.micro"

  validation {
    condition     = contains(["t2.micro", "t3.micro", "t3.small"], var.instance_type_secondary)
    error_message = "Allowed values: t2.micro, t3.micro, t3.small"
  }
}

🔐 Preventive Measures

  • Integrate tflint, checkov, or tfsec into CI/CD
  • Use CI checks or pre-commit hooks for naming/encryption policies
  • Document outputs and variables for audit and onboarding
  • Use customer-managed KMS keys in production
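As an added example of the second preventive measure (a CI check for naming and encryption policy), not Terracotta's own code or part of the report above: the script below reads the JSON form of a Terraform plan (`terraform show -json tfplan`) and fails the pipeline when a newly created resource breaks the `Andy-` naming rule or an EC2 root volume is not encrypted with a customer-managed KMS key. The `Andy-` prefix, the severity labels and the embedded plan document are constructed to mirror the findings in the sample report; a real pipeline would pass the path of its own plan JSON as the first argument.

```python
"""Policy gate over a Terraform plan in JSON form (`terraform show -json tfplan`).

Added example, not Terracotta's code: enforces the naming and EBS encryption
policies from the sample report as a CI check.
"""
import json
import sys

NAME_PREFIX = "Andy-"  # naming convention assumed from the report; applies to new resources only

# Constructed sample plan, trimmed to the fields the check reads. web2 mirrors
# the report's findings; web3 shows a key ARN that is only known after apply.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.web1", "type": "aws_instance",
         "change": {"actions": ["no-op"],
                    "after": {"tags": {"Name": "terraform-demo-web-instance-1"}}}},
        {"address": "aws_instance.web2", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"tags": {"Name": "terraform-demo-web-instance-2"},
                              "root_block_device": [{"volume_size": 8, "volume_type": "gp3",
                                                     "encrypted": True}]}}},
        {"address": "aws_instance.web3", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"tags": {"Name": "Andy-web-instance-3"},
                              "root_block_device": [{"volume_size": 8, "volume_type": "gp3",
                                                     "encrypted": True, "kms_key_id": None}]},
                    # the key is created in the same plan, so its ARN is unknown here
                    "after_unknown": {"root_block_device": [{"kms_key_id": True}]}}},
        {"address": "aws_security_group.ec2_sg", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"tags": {"Name": "Andy-ec2-sg"}}}},
    ],
})


def check_plan(plan_json):
    """Return (severity, address, message) findings for resources the plan will create."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if "create" not in change.get("actions", []):
            continue  # only new resources are subject to the policy
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        address = rc["address"]

        # Naming convention: the Name tag must start with the required prefix.
        name = (after.get("tags") or {}).get("Name") or ""
        if not name.startswith(NAME_PREFIX):
            findings.append(("High", address,
                             f"Name tag {name!r} must start with {NAME_PREFIX!r}"))

        # EBS encryption: root volume must be encrypted with a customer-managed key.
        if rc["type"] == "aws_instance":
            unknown_devs = unknown.get("root_block_device") or []
            for i, dev in enumerate(after.get("root_block_device") or []):
                dev_unknown = unknown_devs[i] if i < len(unknown_devs) and isinstance(unknown_devs[i], dict) else {}
                if not dev.get("encrypted"):
                    findings.append(("Medium", address, "root volume is not encrypted"))
                elif not dev.get("kms_key_id") and not dev_unknown.get("kms_key_id"):
                    findings.append(("Medium", address,
                                     "root volume uses the AWS-managed key, not a customer-managed KMS key"))
    return findings


def main(path=None):
    """Print findings; exit non-zero only on High severity so Medium items warn but do not block."""
    data = open(path).read() if path else SAMPLE_PLAN
    findings = check_plan(data)
    for severity, address, message in findings:
        print(f"[{severity}] {address}: {message}")
    return 1 if any(s == "High" for s, _, _ in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it on the constructed plan with no arguments, or as `python check_plan.py plan.json` after `terraform plan -out=tfplan && terraform show -json tfplan > plan.json`. The `after_unknown` handling matters in practice: when the KMS key is created in the same apply, its ARN is not yet in `after`, and a naive check would wrongly flag the resource.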

📊 Summary

Deployment Simulation:

  • Resources: 2 EC2 instances, security group, route table, subnet, VPC, DynamoDB table

Security & Operational Warnings:

  • 🔴 High: Naming convention violation (blocker)
  • 🟡 Medium: KMS and dependency gaps (should fix pre-prod)
  • 🟢 Low: Output/variable hygiene

Action:

  • Fix naming violations before the merge
  • Strongly consider dependency and encryption fixes
  • Update variable documentation

This simulation gives you a full view of deployment risks before terraform apply, which makes it well suited to code reviews, audits, and enforcing compliance early in the change process.