Case study / TerraGate

Review infrastructure change before it becomes infrastructure risk.

A constrained Terraform review demo that turns plan JSON into explainable findings, while keeping execution and external writes outside the public boundary.

Role
Independent builder
System
TerraGate

Demo boundary

Live constrained demo

Deterministic Python checks / external writes mocked

Live constrained demo. Deterministic Python checks run against sample plans; external writes are mocked and Terraform execution is disabled.

01 / Frame

Problem

  • Terraform plans are dense review objects, and high-impact changes can be easy to miss in an unstructured diff.
  • A useful review gate must explain findings without gaining permission to execute the plan it examines.

Constraints

  • The public demo accepts bounded sample inputs rather than arbitrary infrastructure execution.
  • External comments, checks, and approval writes remain mocked.
  • Findings shown publicly come from deterministic Python checks.

02 / System

Real architecture, retained as review evidence.

TerraGate architecture showing the constrained public interface, deterministic review services, data store, and mocked external boundaries
Review-flow architecture. The diagram is reused from the public project record; inspect the source for the maintained context. Architecture source

03 / Decisions

Three decisions and the cost of each.

  1. 01

    Make deterministic checks the public source of findings

    Repeatable Python rules make the same plan produce the same result and keep the evaluation inspectable.

    Tradeoff

    The demo covers encoded checks rather than every organization-specific policy.

  2. 02

    Disable Terraform execution

    Separating review from apply keeps the public surface from holding infrastructure-changing authority.

    Tradeoff

    The demo proves review flow, not end-to-end deployment.

  3. 03

    Mock external write integrations

    Reviewers can inspect the intended handoff without exposing repository or approval credentials.

    Tradeoff

    Live GitHub comments and checks require a separately controlled installation path.

04 / Evidence

What the record supports—and how far it goes.

  • Live

    Constrained public review flow

    Sample inputs only; Terraform execution is disabled.

    Inspect evidence
  • Deterministic

    Python findings

    No active external policy-engine execution is claimed.

    Inspect evidence
  • Mocked

    External writes

    Repository checks, comments, and approvals are outside the public boundary.

    Inspect evidence

05 / Reliability & security

Deterministic review inside a constrained boundary.

Repeatable Python checks evaluate bounded inputs while Terraform execution stays disabled and external writes remain mocked. The threat model documents what the public surface cannot do.

Threat model

A stalled review recovers without gaining write authority.

If a review remains queued because the worker and execution mode disagree, the runbook checks REVIEW_EXECUTION_MODE, starts the worker or restores the intended safe mode, and keeps external writes mocked throughout the recovery.

Operator runbook

06 / Limits

Known limits

  • Terraform execution is disabled in the public demo.
  • External repository writes are mocked.
  • The public path does not execute an external policy engine.

Path to sustained operation

  1. Run evaluation inside an isolated worker with bounded time, memory, and input size.
  2. Use a narrowly scoped repository installation for checks and comments, with approval required for writes.
  3. Version rule packs and retain the rule version with every decision record.

07 / Artifact index

Follow the work into the repository.

PythonFastAPINext.jsTerraform plan JSONPostgreSQLCloudflare Workers