## Inspiration

As an AWS Solutions Architect, I review infrastructure code daily. The same mistakes keep appearing: public S3 buckets, oversized dev instances, hardcoded credentials, missing encryption. Reviews take hours and require expertise across security, cost, and architecture — creating a massive bottleneck in the SDLC.

## What it does

TerraGuard is a GitLab Duo Agent Platform flow that automatically reviews Terraform and CloudFormation changes in merge requests. Three specialized AI agents collaborate to provide comprehensive feedback:

  • Security Agent — Scans for vulnerabilities: exposed secrets, overly permissive IAM, public resources, missing encryption
  • Cost Agent — Estimates monthly cost impact, identifies waste patterns, suggests optimizations with dollar amounts
  • Architecture Agent — Reviews against the AWS Well-Architected Framework's 6 pillars with scored ratings

Just mention @terraguard on any MR with IaC changes and get three detailed review comments in seconds.
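As an added illustration, not TerraGuard's own code (its Security Agent is prompt-driven, whereas this is a deterministic pass), the snippet below flags the same four classes of finding in a Terraform file and renders them as the kind of file:line table the review comment uses. The rule patterns, resource-type map and sample Terraform are constructed for this example.

```python
import re
from typing import List, Tuple
# Constructed sample Terraform with one instance of each issue class (not a real project).
SAMPLE_TF = '''resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}
resource "aws_db_instance" "app" {
  password          = "SuperSecret123"
  storage_encrypted = false
}
resource "aws_iam_policy" "admin" {
  policy = jsonencode({ Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }] })
}
'''
# Single-line heuristics: (category, pattern, message). Illustrative rules, not TerraGuard's own.
LINE_RULES = [
    ("exposed-secret", re.compile(r'\b(password|secret_key|access_key)\s*=\s*"[^"]+"'), "credential literal in source"),
    ("public-resource", re.compile(r'\bacl\s*=\s*"public-read(-write)?"'), "bucket ACL grants public access"),
    ("permissive-iam", re.compile(r'\b(Action|Resource)\s*=\s*"\*"'), "wildcard in IAM statement"),
]
# Resource types that must set an encryption attribute to true; checked over the whole block.
ENCRYPTED_TYPES = {"aws_db_instance": "storage_encrypted", "aws_ebs_volume": "encrypted"}

def block_body(lines: List[str], start: int) -> str:
    """Return the HCL block that opens at lines[start], delimited by brace depth."""
    depth, end = 0, start
    for end, line in enumerate(lines[start:], start):
        depth += line.count("{") - line.count("}")
        if depth == 0:
            break
    return "\n".join(lines[start:end + 1])

def scan(text: str) -> List[Tuple[str, int, str]]:
    """Return (category, line, message) findings sorted by line number."""
    lines = text.splitlines()
    findings = []
    for num, line in enumerate(lines, start=1):
        findings += [(cat, num, msg) for cat, rx, msg in LINE_RULES if rx.search(line)]
        m = re.match(r'resource\s+"(\w+)"', line)
        if m and m.group(1) in ENCRYPTED_TYPES:
            attr = ENCRYPTED_TYPES[m.group(1)]
            if not re.search(rf"\b{attr}\s*=\s*true\b", block_body(lines, num - 1)):
                findings.append(("missing-encryption", num, f"{attr} = true not set"))
    return sorted(findings, key=lambda f: f[1])

def to_table(findings: List[Tuple[str, int, str]], path: str = "main.tf") -> str:
    # Markdown table with file:line references, the shape a reviewer can act on directly.
    rows = ["| Category | Location | Finding |", "|---|---|---|"]
    rows += [f"| {cat} | {path}:{num} | {msg} |" for cat, num, msg in findings]
    return "\n".join(rows)
```

Running `to_table(scan(SAMPLE_TF))` yields one row per issue; a block that sets `encrypted = true` produces no encryption finding.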

## How I built it

Built entirely on the GitLab Duo Agent Platform using custom agents and a YAML-defined flow. Each agent has a domain-specific system prompt informed by real-world cloud security incidents and AWS pricing data. The flow orchestrates all three agents to run on MR events and post structured review comments.

## Challenges I ran into

Crafting system prompts that produce consistent, actionable output (not vague advice) was the hardest part. The agents needed to output structured tables with specific file:line references, estimated dollar amounts, and concrete fix recommendations — not generic best practices.

## What I learned

The GitLab Duo Agent Platform makes it surprisingly easy to build multi-agent workflows that integrate directly into the developer workflow. The key insight: agents are most useful when they're opinionated and specific, not when they try to cover everything.

## What's next for TerraGuard

  • Support for Azure (ARM/Bicep) and GCP Terraform providers
  • CI/CD pipeline integration to block MRs with critical security findings
  • Cost trending across MRs to track infrastructure spend over time
