AI Code Review for Terraform Projects

Infrastructure as code is still code

Terraform transformed infrastructure management from manual console clicks into version-controlled configuration files. But treating infrastructure as code means infrastructure inherits all the problems of code: technical debt, inconsistent patterns, copy-paste duplication, and architectural decisions made under time pressure that nobody revisits.

A typical Terraform project starts with a handful of resources in a single directory. As the infrastructure grows, someone introduces modules. Then environments are split into workspaces or separate state files. Variables proliferate. Locals are used inconsistently. Some resources are imported from manual console changes and never fully integrated into the declarative model. After a year of organic growth, the codebase is a patchwork of conventions from different team members and different phases of the project.

The consequences of infrastructure debt are more severe than application debt. A poorly structured Terraform module does not just slow down development – it can take down production infrastructure, expose sensitive data through misconfigured security groups, or create cloud billing surprises through untracked resources. The blast radius of a bad terraform apply is an entire environment, not a single feature.

What VibeRails finds in Terraform projects

VibeRails performs a full-codebase scan using frontier large language models. Every .tf, .tfvars, module definition, and backend configuration is analysed – not just the files changed in a recent pull request, but the entire infrastructure codebase. For Terraform specifically, the AI reasons about:

• State file conflicts and management risks – backends configured without state locking, multiple workspaces sharing implicit dependencies, state files referencing resources that no longer exist, and remote state data sources creating tight coupling between independently managed stacks
• Hardcoded values versus variables – AMI IDs, instance types, CIDR blocks, account IDs, and region names embedded directly in resource blocks instead of parameterised through variables. These hardcoded values break when the configuration is reused across environments or accounts.
• Missing lifecycle rules – resources without prevent_destroy on critical infrastructure, missing create_before_destroy on resources that cause downtime during replacement, and absent ignore_changes for attributes managed outside Terraform
• Over-permissive IAM policies – Action: "*" and Resource: "*" in IAM policy documents, roles with full administrative access used for single-purpose services, and missing condition blocks that should restrict access by source IP, VPC, or MFA status
• Provider version pinning gaps – providers without version constraints that will break on the next major release, inconsistent version pinning across modules, and Terraform core version constraints that are either missing or too broad to prevent incompatible upgrades
• Module coupling and reusability issues – modules that reference parent state directly instead of accepting inputs, deeply nested module hierarchies that make changes risky, modules with dozens of variables that should be split into smaller units, and circular dependencies between modules
• Missing tagging standards – resources without cost allocation tags, inconsistent tag naming conventions across modules, missing tags required by organisational policies for compliance and billing attribution, and tags defined as hardcoded strings instead of inherited from variables
• Drift between plan and apply – patterns that cause drift: resources modified through the console and then not imported, conditional expressions that evaluate differently between plan and apply due to external data sources, and null_resource provisioners that execute on every apply

Each finding includes the file path, line range, severity level, category, and a description with suggested remediation. The structured output transforms an unwieldy Terraform codebase into a prioritised improvement plan.

What tflint, checkov, and terraform validate miss

Terraform has a mature ecosystem of linting and policy tools. terraform validate checks syntax. tflint catches common misconfigurations. Checkov and tfsec enforce security policies. These tools are essential and VibeRails does not replace them – it complements them by finding a category of issues they cannot detect.

Consider a module that defines an S3 bucket with server-side encryption enabled, public access blocked, and versioning turned on. Every policy check passes. But the module is consumed by three different stacks, each overriding the bucket_name variable with a hardcoded value, and two of the stacks reference the bucket in IAM policies using a constructed ARN string instead of the module output. If the bucket naming convention changes, two stacks silently lose access while the third continues working. No linter catches this because each file is syntactically and semantically valid in isolation.

Architecture-level issues require cross-file reasoning. A monolithic state file managing 200+ resources is a blast radius risk – a single misconfigured resource blocks changes to everything else in the state. A Terraform codebase where every module reads from a shared remote state creates an implicit dependency graph that is not visible in any single file. These patterns only emerge when you examine the entire codebase as a connected system, which is precisely what VibeRails does.

Security policies are another gap. Checkov can verify that a security group does not allow ingress on port 22 from 0.0.0.0/0. But it cannot determine whether the combination of three security groups attached to an instance, combined with the VPC's network ACLs and the subnet's route table, creates an unintended exposure path. That analysis requires understanding how multiple resources interact – the kind of reasoning that AI excels at and rule-based tools cannot perform.

When to review your Terraform codebase

Before a major infrastructure change. If you are migrating to a new region, splitting a monolithic state into smaller stacks, or upgrading providers to a new major version, a full codebase review identifies the hidden dependencies and hardcoded assumptions that will break during the change.

After an infrastructure incident. A production outage caused by a Terraform change is a signal that the codebase contains structural issues beyond the immediate cause. A VibeRails scan finds similar patterns elsewhere – other resources missing lifecycle rules, other IAM policies that are too broad, other state management patterns that create risk.

During team scaling. When the infrastructure team grows from two to ten engineers, inconsistent conventions multiply quickly. A review establishes a baseline of patterns and anti-patterns that informs team standards and prevents new engineers from copying existing bad patterns.

For compliance and audit readiness. Regulators and auditors increasingly ask about infrastructure security controls. A structured VibeRails report demonstrates that IAM policies, encryption settings, and network configurations have been reviewed systematically, not just spot-checked.

Desktop app, per-developer pricing

VibeRails runs as a desktop app with a BYOK model. It orchestrates Claude Code or Codex CLI installations you already have. Your Terraform configurations are read from disk locally and sent directly to the AI provider you configured – never to VibeRails servers. For teams managing infrastructure that contains sensitive network layouts, account structures, or security configurations, this means your infrastructure code is not uploaded to a VibeRails cloud service.

Export findings as HTML for architecture review meetings or CSV for import into Jira, Linear, or whatever tool your platform team uses. The structured format means findings can be turned into actionable tickets with file references, severity ratings, and clear remediation steps.

Start with the free tier today. Run a scan on your Terraform codebase and see what VibeRails finds. If the findings are valuable, upgrade to Pro at $19/month or $299 lifetime per developer.