opsberry.ai

Site: https://www.opsberry.ai

Pricing plans

No detailed pricing plan is available for this tool yet.

Detailed overview

Backed by Y Combinator The safety net for every infrastructure pull request Catch risky infrastructure changes before they hit production Teams using Terracotta catch $5,000+ cost mistakes, prevent drift-caused outages, and save 6+ hours per week on PR reviews. Connect your repos and see your first results in minutes. Connect your repos free →See how it works GitHub GitLab TerraformOpenTofugithub.com Open Replacing t2 with t3 xlarge for terracotta ai #189gtlpanda wants to merge 3 commits into main from replacing-t2-with-t3-xlargeenvironments/prod/main.tf+12 -41414 provider "aws" {1515 region = var.aws_region1616 }171718- resource "aws_instance" "api" {19- instance_type = "t2.micro"20- ami = var.api_ami21- subnet_id = module.vpc.private_subnet_ids[0]18+ resource "aws_instance" "api" {19+ instance_type = "t3.xlarge"20+ ami = var.api_ami21+ subnet_id = module.vpc.private_subnet_ids[0]22+ vpc_security_group_ids = [aws_security_group.ec2_sg.id]22232324 tags = merge(local.common_tags, {2425 Name = "api-server"2526 })2627 }Checks pendingWaiting for Terracotta AI review...github.com/terracotta-aws-demo-tf/pull/189SecureAnalyzing pull request...Terracotta PlatformPull RequestsArchitecturePatternsDriftCostsModulesStandardsPull Requests/Replacing t2 with t3 xlarge for terracotta aiReplacing t2 with t3 xlarge for terracotta aiOpen terracotta-aws-demo-tf·#189·replacing-t2-with-t3-xlarge→mainREVIEW NEEDED3 high-severity findings require review before merge0CRITICAL3HIGH2MEDIUM4LOWCOST+$243/moGuardrail:guardrail·FAILURE Computed from your data 3 high-severity findings. Top issue: aws_security_group.ec2_sg allows SSH from 0.0.0.0/0. 1 guardrail violated. Estimated cost impact: +$243/mo. 2 of 6 checks passed.Findings in: Security Review, Guardrail, Cost Analysis, Blast Radius🧠 What's the main risk? 🧠 Is this safe to merge? 
🧠 Explain guardrail violations Priority Findingsaws_security_group.ec2_sg allows SSH from 0.0.0.0/0 Pre-existingHigh The ingress.cidr_blocks for aws_security_group.ec2_sg includes 0.0.0.0/0, allowing SSH access from any IP. This exposes SSH to the internet and increases the risk of unauthorized access. → Restrict cidr_blocks to only trusted source IP ranges, for example: cidr_blocks = ["YOUR_OFFICE_IP/32"]🧠 How do I fix this?🧠 Open fix PRBeaconAdvisoryWhat's the main risk?✨ AIThe main risk is security misconfiguration:SSH open to 0.0.0.0/0 (the entire internet).Why this is top risk:•Immediate threat: Anyone, botnets, attackers, can brute-force or exploit SSH.•Attack outcome: One leaked key or weak password, and you're fully compromised (root on EC2 = full data loss, pivoting possible).•Real world: Internet-scanning bots will find open ports within minutes of the infra launching.•Production: Even in test/demo, this is dangerous. In prod, this is a P0 incident.Fix•Restrict SSH access to a trusted CIDR block (your VPN, company office, or jump host).•Better: Remove SSH entirely and use SSM Session Manager for access.No other risk (cost, drift, tagging) comes close. SSH open to the world is a critical breach vector. Fix it before you do anything else.Source: terracotta-aws-demo-tfAnalyzed: Mar 18, 2026 at 3:42 PMLive Trusted by platform engineering teams at The real problem Your team's infra review process has gaps. You just can't see them yet. Every platform team has one person who reviews every infra PR, chases drift, and fields cost questions because no one else has the context. That's not a process — it's a single point of failure. And the things that slip through don't announce themselves until production. Your codeinstance_type"t2.micro"ingressport 443 onlyLive infrainstance_type"t3.xlarge"ingressport 22, 443, 8080Last state check0 days agoUndetected Drift Changes happen outside of code. Console edits, local applies, partial deployments. 
Terraform doesn't warn you. Each one costs your team 4-8 hours of firefighting when it surfaces in production. Monthly AWS spend$2,400/moPR #312 merged Mar 3aws_rds_instance.apidb.t3.medium → db.r6g.2xlargeBlind Cost Increases A developer provisions an RDS instance. Nobody checks the cost. The bill arrives next month with a $5,000 surprise. Teams without automated cost checks average $3,000-$8,000/month in avoidable cloud spend. Update security group rulesMergedFiles changed: 12+847 -203Approved by: bot-ciFri 4:58 PMLine 847 of 1,050 ingress {+ cidr_blocks = ["0.0.0.0/0"] }Exposure: SSH from any IP worldwideSilent Security Gaps Open ports, public S3 buckets, overly permissive IAM roles. Buried in noisy plan diffs that get rubber stamped at 5pm on a Friday. Every cloud breach starts with one misconfigured resource nobody reviewed. Every unreviewed PR is a risk that compounds silently. A single drift incident burns a day of engineering time. A single missed cost change burns thousands in cloud spend. A single security gap can burn everything. How many are slipping through right now? The outcomes on every PR Every PR ships with proof it's safe, affordable, and compliant. No more guessing whether a change is safe to merge. Cost, drift, security, and compliance results delivered as a PR comment. No extra tools. No manual reviews. Cost Analysisaws_rds_instance.main+$342/moaws_elasticache_cluster.cache+$128/moaws_nat_gateway.private$32/moTotal impact+$0/moAnnual projection+$0/yr Cost Impact Catch the $5,000 mistake before it hits your bill Per-resource cost breakdown with annual projections. The average team catches thousands in avoidable spend in their first week. 
Drift Report0 driftedaws_security_group.webmodifiedingress rule added outside of Terraformaws_iam_role.lambdamodifiedpolicy document changed via consoleaws_s3_bucket.assetsdeletedresource removed outside of code Drift Detection Stop deploying on top of infrastructure that's already wrong Field-level drift comparison across 119 AWS resource types. Catch the console edits and manual applies that cause failed deployments and surprise outages. Security FindingsCriticalPublic S3 bucketaws_s3_bucket.uploads has public read enabledHighOpen port 22Security group allows SSH from 0.0.0.0/0IAM Least-Privilege Checkiam_role.deploy has s3:*. Overly permissiveiam_role.reader follows least-privilege Security & IAM Every security gap caught — without relying on human review. Open ports, public buckets, and overly permissive IAM — caught automatically with severity and blast radius context. Your team reviews findings, not 400-line diffs. Guardrail input Create Guardrail Require private S3 bucketsEnabledGlobalRuleS3 buckets must block public access.RuleRequire cost review on anything over $500/mo. Guardrails Your team's standards enforced on every PR — without writing policy code One sentence replaces weeks of Rego or Sentinel. "All S3 buckets must be private." Done. Enforced on every PR, across every repo, starting immediately. S3 bucket publicly accessibleaws_s3_bucket.uploads missing public access blockAuto-Fix AppliedCommittedaws_s3_bucket_public_access_block.uploads+ block_public_acls = true+ block_public_policy = true+ ignore_public_acls = true+ restrict_public_buckets = true Auto-Fix Problems fixed before the developer reads the comment Fix proposals generated and committed directly to the PR branch. Your developers review a solution, not a problem. Issues resolved in minutes, not hours. 
0PRs reviewed0%Policy compliance0Active alertsRecent activityacme/infra PR #312 passed all guardrailsacme/platform drift detected in us-east-1acme/core PR #89 blocked by security guardrailTeams using Terracotta+4 Command Center Your CTO's infrastructure question — answered in one screen Stop building spreadsheets for leadership. Cost trends, drift posture, policy compliance, and PR status across every repo — always current, always ready. Built for both sides Developers ship faster. You stop being the bottleneck. Developers get instant answers in their PR — no waiting for your review. You get the fleet-wide picture without manually checking every repo. Both sides move faster. Terracottabot✓Code Reviewpassed✓Cost Analysis+$42/mo!Drift Detection1 drifted✓Security & IAMpassedReady to mergePR Review Developers get cost, drift, security, and compliance findings instantly — no waiting, no context switching. PRs that used to block on your review now ship in minutes. 0PRs reviewed0%Compliant$0Cost savedFleet activityacme/infra PR #312: all checks passedacme/platform: drift in us-east-1acme/core PR #89: blocked by guardrailCommand Center One dashboard replaces the Slack threads, spreadsheets, and manual checks. Cost trends, drift posture, compliance status — always current across every repo. Explore the full platform Real outcomes from teams that connected their repos. “The most time-consuming part of managing infra teams is the iterative loop of running Terraform, watching CI, and cleaning up failed deploys. Terracotta short-circuits that loop.” Robert ChristensenFormer Bison Trails & Coinbase Engineering Leader “It catches cost impacts, exposed secrets, and cross PR conflicts before we trigger our pipelines. It's been a huge win for speed, compliance, and confidence across all our environments.” Tyler PinckardHead of Software Engineering, DevOps & Security at SupportLogicTime to first value: 2 minutes From zero to full coverage in 2 minutes. No agents. No CLI. 
No infrastructure to manage. Install the GitHub or GitLab app and every IaC pull request is covered immediately. Connecting to acme/infra...Connecting to acme/platform...01/Connect your repos Install the GitHub or GitLab app. Nothing to deploy or maintain. Every new PR is automatically protected from the moment you connect. GuardrailPolicy createdGuardrail02/Set your guardrails Write your rules in plain English. Your team's standards are enforced automatically on every PR — no policy language to learn, no manual enforcement to maintain. PR #247 reviewed 2 guardrails passed, 1 drift detected, $12/mo cost impact SecurityCostDriftReady to merge03/Ship with confidence Every PR ships with proof it's safe, affordable, and compliant. Your developers get instant answers. You get the dashboard. Nobody waits on you anymore. What your current tools cost you Your current tools tell you what changed. Not what it costs, what it breaks, or whether it's safe. tfsec and Atlantis are good at what they do. But they don't catch drift, estimate costs, or enforce your team's standards. The gaps between tools are where incidents happen. Feature / InsightWhat you have todayTerracotta AIDrift detection❌No✅Real-time from state + cloudCost estimation❌Not included✅Per-resource cost breakdown before mergeContext awareness❌Line-based only✅Infra-aware: code + state + cloudBlast radius awareness❌Not evaluated✅Identifies downstream impact of resource changesHuman-readable summaries❌CLI error output or YAML✅Explains changes in plain EnglishTime to value🕐Setup + tuning required⚡Connect and get insights instantlyBottom line🧑‍💻You review every PR manually✅You review exceptions. Everything else ships safely.Pricing Free for developers. Built for platform teams. Developers get smart PR reviews at no cost. Platform teams get the full command center at $49/seat. Only charged when someone authors their first PR. Invite your whole team risk free. 
Billing: Monthly or Annual (save 32%). Only charged when a developer authors their first PR. Invite your whole team. Billing activates on usage.
Community: Free. No credit card required. For small teams getting started. 50 public repo PRs; 1 private repo (20 PRs/mo); up to 5 seats; Terraform summary & code review; AI-powered drift detection (1 repo); basic support. Connect your repos free
Platform: $49 per engineer / month. For platform engineering teams managing Terraform at scale. All Free features plus: unlimited public & private PRs; unlimited seats; unlimited drift repos; all check types (cost, guardrails, IAM, tags, blast radius); Slack integration; priority support. Upgrade to Platform →
Enterprise: Custom. Talk to sales. SOC2 + HIPAA compliant. BYOC available. For regulated enterprises. All Platform features plus: self-hosted option (BYOC); SSO & SAML authentication; audit logging & traceability; biweekly check-ins; dedicated Slack/Teams channel; onboarding & integration assistance; feature request prioritization; early access to beta features; custom integrations (HCP, CircleCI, etc.); Premium SLA; fine-grain access control. Contact Sales
SOC 2 Type II. HIPAA Compliant.
Every week without Terracotta is another week of surprise bills, undetected drift, and security gaps reaching production. Connect your repos. Catch your first mistake today. Install the GitHub or GitLab app. Your next IaC pull request gets a full cost, drift, and security review automatically. No credit card required. Connect your repos free → Talk to our team
Guardrail Policy: Require private S3 buckets (Enabled). Rule: S3 buckets must block public access. Rule: Encryption must be enabled at rest. Applied to 12 repositories. acme/infra #347, Update RDS instance configuration. Cost increase: +$240/mo. All guardrails passed. No security risks detected. Ready to merge. 2m ago
---
Compare plans: Feature breakdown
Feature | Free | Platform | Enterprise
Public repo PRs | 50 | Unlimited | Unlimited
Private repos | 1 | Unlimited | Unlimited
Seats | 5 | Unlimited | Unlimited
TF/K8s summary & code review
Simulated plan review
Cost analysis | —
Drift detection | 1 repo | Unlimited | Unlimited
Guardrail enforcement | —
IAM security analysis | —
Blast radius analysis | —
Command center dashboard | —
Slack integration | —
SSO / SAML / OIDC | — | —
SCIM provisioning | — | —
Audit logging | — | —
Self-hosted / VPC deployment | — | —
Dedicated support channel | — | —
Premium SLA | — | —
Custom integrations | — | —
FAQ: Frequently asked questions. When does billing start? What counts as a "seat"? Can I try Platform features before upgrading? What's the difference between monthly and annual billing? Do you offer discounts for startups or open-source teams? What does Enterprise pricing look
like? Can I switch plans at any time? Is there a contract for Platform plans?
Start reviewing infrastructure PRs today. Free for developers. No credit card required. Connect your repos in two minutes and get your first review on the next PR. Connect your repos free → Talk to sales
---
Platform: Every IaC change reviewed. Every risk caught. Before merge. Developers get instant answers in the PR. Platform teams get fleet-wide visibility. Both sides ship faster, with fewer incidents and lower costs. Connect your repos free → See it in action
PR Review / Command Center
Terracottabot (just now): Detected changes in your Terraform project. Running the following analyses: ✓ Terraform Simulated Plan Review (Enforced) ✓ Terraform Code Review (Enforced) ✓ Terraform Cost Check (Advisory) ✓ Terraform Drift Check (Enforced) ✓ Terraform Guardrail Violation Check (Advisory) ✓ IAM Security Analysis (Enforced)
Terraform Changes Summary (2m ago): The patch adds an aws_instance.web with t3.large instance type, a 200GB gp3 root volume with high IOPS, a new aws_ebs_volume.web_data (500GB), and an aws_eip.web_eip Elastic IP. The aws_dynamodb_table.example switches from PAY_PER_REQUEST to PROVISIONED billing. Several changes increase the cost baseline.
Simulated Plan Report (2m ago): Plan analyzed 11 resources (11 create, 0 update, 0 delete). Detected 4 issues.
🔴 High: SG allows SSH from 0.0.0.0/0. aws_security_group.ec2_sg · Restrict ingress to trusted IPs
🟠 Medium: EBS volume without encryption. aws_ebs_volume.web_data · Add encrypted = true
🟠 Medium: Public route 0.0.0.0/0. aws_route_table.public · Confirm routing is intentional
Code Review (2m ago): Reviewed 1 Terraform file (main.tf).
Detected 5 issues.🟠Mediumt3.large may be oversizedmain.tf · instance_type = "t3.large" increases compute costGenerate Runbook🟠Medium200GB gp3 root volumemain.tf · High IOPS/throughput may be unnecessaryGenerate Runbook🟠MediumDynamoDB PROVISIONED billingmain.tf · read=200 write=100 incurs static capacity chargesGenerate RunbookCost Analysis+$458/moaws_instance.web (t3.large)+$196/moaws_ebs_volume.web_data+$142/moaws_dynamodb_table.example+$112/moaws_eip.web_eip+$8/moCheck RunsPlanReviewCostSecurityGuardrailDriftIAMPull Requests421Needs reviewAdd RDS read replica2C 1Hacme/infra #312 · +$458/moResize ECS cluster3H 2Macme/platform #89 · +$820/moOpen & passingUpdate IAM policiesacme/core #247Add CloudWatch alarmsacme/data #156Fix VPC peering routesacme/net #78$24.8kBaseline/mo$312kAnnual+2.1%WeeklyBeaconAIWhich PRs have cost impact?AI2 PRs increase cost: #312 adds $458/mo (RDS replica), #89 adds $820/mo (ECS resize).Any drift issues?AI7 active drift items. 3 share a root cause: manual SG edits in us-east-1.Ask Beacon...In the pull requestEvery PR ships with proof it's safe to merge.Terracotta posts a structured comment on every Terraform, Kubernetes, and Terragrunt PR. Cost estimates, drift context, security findings, blast radius, guardrail enforcement, and module guidance. All in one place.PR ReviewReview Needed0 Critical2 High3 Medium1 LowPlan: +2 create · ~1 change · -1 destroyHIGHS3 bucket missing encryptionaws_s3_bucket.uploads · main.tf:42-455 of 6 checks passed: Plan · Security · Guardrail · IAM · Drift AI Code Review Structured analysis, not generic lintEvery PR gets a verdict with severity-rated findings, plan summaries, blast radius analysis, and individual check runs. Developers see exactly what needs attention and why.BeaconAdvisoryPR #312Why is this RDS change flagged? We need multi-AZ for compliance.AIMulti-AZ is enabled, correct for compliance. The flag is about the instance class upgrade from db.t3.medium to db.r6g.xlarge, increasing cost by $240/mo. 
The change itself is safe.What's the cost impact?Show blast radius Beacon Advisory Ask questions. Get answers. In context.Beacon is an AI advisory panel that knows your PR context: findings, cost data, drift, and plan output. Ask about any finding, get cost breakdowns, or request module recommendations with suggested prompts that adapt to what you're looking at.CRITICALBLOCKERS3 bucket publicly accessibleaws_s3_bucket.uploads · main.tf:18Fix ProposedAppliedmodules/storage/main.tfresource "aws_s3_bucket" "uploads" {+ block_public_acls = true+ block_public_policy = true+ restrict_public_buckets = true Auto-Fix Don't just flag it. Fix it.Terracotta generates fix proposals with full diffs for security findings and guardrail violations, then commits them directly to the PR branch. Your team reviews a solution, not a problem.Check Runstc/plansuccesstc/review2H3M·failuretc/costblocked · +$458/motc/securitysuccesstc/guardrailsuccesstc/drift2 drifted Merge Control Six independent checks. You pick which ones block merge.Terracotta reports individual check runs for plan, review, security, cost, drift, and guardrails, each with its own conclusion and finding counts. Configure which checks can block merge per repo. Works with GitHub branch protection and GitLab merge request approvals.Command centerThe infrastructure answers your CTO keeps asking for — always ready.Stop piecing together infrastructure state from Slack threads, plan outputs, and spreadsheets. 
Terracotta gives platform teams a single view of cost trends, drift posture, security findings, and PR activity across every repo.4 passing2 needs review1 criticalNeeds reviewAdd RDS read replica2C 1Hacme/infra #312 · +2 ~1 -0 · cost +$458/moResize ECS cluster3H 2Macme/platform #89 · +0 ~4 -0 · cost +$820/moOpen & passingUpdate IAM policiesacme/core #247Add CloudWatch alarmsacme/data #156 Pull Requests Every open PR, triaged by severitySee all open infrastructure PRs across every repo with verdict status, severity counts, plan changes, and cost delta. Critical findings and high-cost changes surface first. Fleet-wide summary badges show your infrastructure posture at a glance.7Active Drift3C · 4H3Acknowledged41Resolved (30d)avg 4.2d142 unchanged · 7 drifted · 2 missing · 155 checkedAI3 active drift items share a root cause: manual security group edits in us-east-1. Consider importing the console changes.View affected resourcesGenerate fix Drift Posture Coverage bars, severity breakdowns, and AI root cause analysisTrack active, acknowledged, and resolved drift across every repo with visual coverage bars showing unchanged vs. drifted vs. missing resources. AI narratives group findings by root cause and generate suggested next steps.$24.8kBaseline/mo$312kAnnual+2.1%Weekly trend5 PRs increasing+$850/mo2 PRs saving-$320/moNet delta+$530/moCost increases#89 Resize ECS cluster+$720/mo#312 Add RDS replica+$458/mo Cost Intelligence Fleet-wide cost posture with trend trackingSee baseline monthly cost, annual projections, and weekly trends. PRs are grouped by cost increases and savings, with net delta summary. 
AI-generated insights highlight the biggest cost drivers across your estate.Patterns42 total3 growingP0SecurityHardcoded secrets12 findings · 4 reposGrowingP1ComplianceMissing tags34 findings · 8 reposShrinkingStandardsRequire encryption at restGlobalEnabledTag all resources3 reposEnabledNo public S3 bucketsGlobalEnabled Patterns & Standards Spot trends and enforce guardrails fleet-widePatterns automatically classify recurring findings by tier (P0/P1/P2), category, and trend, with weekly sparklines showing whether they're growing or shrinking. Standards let you define custom guardrails enforced on every PR, with scope control per repo or globally.Works with your stackFull coverage across every IaC framework your team uses.Terracotta analyzes infrastructure changes across the IaC tools your team already uses. Every framework gets the same deep analysis: cost, drift, security, and blast radius.TerraformFull supportKubernetesFull supportTerragruntFull supportOpenTofuFull supportPulumiComing soonHelmComing soonGitHubGitLabAWSGCPSlackEnterpriseEnterprise-grade security so your compliance team says yes on day one.SOC 2 Type II certified, HIPAA compliant, with SSO, audit logging, and self-hosted deployment options. Everything your security and compliance teams need to say yes.SOC 2 Type II & HIPAAIndependently audited controls for security, availability, and confidentiality. HIPAA BAA available for healthcare infrastructure teams.SSO & SAMLSingle sign-on with your identity provider. SAML 2.0 and OIDC support for Okta, Azure AD, Google Workspace, and more.Self-Hosted & VPCDeploy Terracotta in your own cloud account. Your code never leaves your network. Available on AWS, GCP, and Azure.Audit LoggingEvery action logged with user, timestamp, and context. Export to your SIEM. Full traceability for compliance audits.Data PrivacyEphemeral clones deleted after analysis. No code stored. No training on your data. 
AES-256 at rest, TLS 1.3 in transit.
Dedicated Support: Private Slack channel, biweekly check-ins, onboarding assistance, and feature request prioritization. Premium SLA included. Learn more about Enterprise →
Explore further. Docs: Getting Started Guide → Blog: Anatomy of an AI-Powered Review →
See Terracotta on your own repos. Connect in two minutes. Every IaC PR gets a full review immediately. The command center populates as your team ships. Connect your repos free → Talk to our team. No credit card required.