Pull Request Creation

Automatically create GitHub pull requests to fix infrastructure drift.

Overview

Controlinfra can automatically create pull requests with:

• AI-generated fix code
• Detailed description of the drift
• Root cause analysis
• Impact assessment
• Review checklist

Creating a Pull Request

From a Single Drift

1. Navigate to a scan with detected drift
2. Click on a drift to expand details
3. Review the AI analysis and fix code
4. Click "Create PR"

From Multiple Drifts

1. Select drifts you want to fix
2. Click "Create PR for Selected"
3. Review the combined changes
4. Confirm PR creation

Fix All Drifts

1. From the scan results page
2. Click "Fix All → Create PR"
3. Review all changes in the preview
4. Confirm to create the PR

PR Content

Title

Automatically generated based on drift:

fix(terraform): Resolve 3 infrastructure drifts in production

Format: fix(terraform): <summary of changes>

Description

The PR description includes:

## Summary

This PR resolves infrastructure drift detected by Controlinfra.

### Drifts Fixed

| Resource | Change | Severity |
|----------|--------|----------|
| aws_security_group.web | Update ingress rules | 🔴 Critical |
| aws_instance.api | Update instance type | 🟡 Medium |
| aws_s3_bucket.logs | Add tags | 🟢 Low |

## Root Cause Analysis

### aws_security_group.web
The security group was modified directly in the AWS console to add
an SSH rule from 0.0.0.0/0, likely for debugging purposes.

### aws_instance.api
Instance type was changed from t3.micro to t3.small, possibly due
to performance requirements during a traffic spike.

## Impact Assessment

- **Security**: Critical - SSH exposed to internet
- **Resources Affected**: 3 EC2 instances
- **Compliance**: May affect PCI-DSS compliance

## Review Checklist

- [ ] Reviewed all Terraform changes
- [ ] Verified changes match intended state
- [ ] Checked for unintended side effects
- [ ] Ran `terraform plan` locally
- [ ] Approved by infrastructure team

## How to Test

```bash
cd infrastructure/
terraform init
terraform plan

---

🤖 Generated by Controlinfra Scan ID: scan_abc123

### Files Changed

The PR includes modified Terraform files:

infrastructure/ ├── security_groups.tf (modified) ├── instances.tf (modified) └── storage.tf (modified)

## PR Settings

### Branch Naming

Default branch name format:

controlinfra/fix-drift-

Examples:
- `controlinfra/fix-drift-abc123`
- `controlinfra/fix-drift-2024-01-15`

### Base Branch

PRs are created against your repository's default branch (usually `main` or `master`).

### Labels

Automatically applied labels:
- `controlinfra`
- `infrastructure`
- `drift-fix`
- Severity labels: `critical`, `high`, `medium`, `low`

### Assignees

Optionally assign to:
- Repository owner
- Specific team members
- Based on CODEOWNERS file

## Workflow Integration

### GitHub Actions

Trigger workflows on PR creation:

```yaml
name: Terraform Plan
on:
  pull_request:
    paths:
      - '**.tf'

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
      - run: terraform plan

Required Reviews

Controlinfra PRs respect your branch protection:

• Required reviewers
• Status checks
• CODEOWNERS rules

Auto-merge

If configured, PRs can auto-merge when:

• All checks pass
• Required reviews approved
• No conflicts

Managing PRs

View Created PRs

In Controlinfra:

1. Go to the scan that created the PR
2. Click "View PR" to open in GitHub

Or find PRs by label in GitHub:

label:controlinfra

Update Existing PR

If new drift is detected:

1. Open the existing PR
2. Click "Update PR" in Controlinfra
3. New changes are added as commits

Close Without Merging

If the drift is acceptable:

1. Close the PR in GitHub
2. Optionally add comment explaining why
3. Consider adding to ignore list

Best Practices

1. Review Before Merging

Always review AI-generated changes:

# Checkout the PR branch
git fetch origin
git checkout controlinfra/fix-drift-abc123

# Review the plan
terraform plan

# Check the diff
git diff main

2. Run CI/CD Checks

Ensure your pipeline validates:

• Terraform formatting (terraform fmt)
• Terraform validation (terraform validate)
• Security scanning (tfsec, checkov)
• Cost estimation (infracost)

3. Require Approval

Configure branch protection:

• Require 1+ approvals
• Require review from code owners
• Dismiss stale reviews

4. Test in Lower Environments

If possible:

1. Apply to staging first
2. Verify no issues
3. Then merge to production

5. Document Decisions

Add PR comments explaining:

• Why drift occurred
• Why fix approach was chosen
• Any manual follow-up needed

Troubleshooting

"Permission Denied" Creating PR

• Verify GitHub OAuth permissions
• Check you have write access to the repository
• Re-authorize Controlinfra if needed

PR Has Conflicts

• Another change was made to the same files
• Resolve conflicts manually:

  git checkout controlinfra/fix-drift-abc123
  git merge main
  # Resolve conflicts
  git push

Wrong Base Branch

• Edit the PR in GitHub to change base
• Or create a new PR targeting the correct branch

Files Missing from PR

• Verify the working directory is correct
• Check file paths in your repository
• Ensure Terraform files are tracked in git

Configuration

PR Template

Customize the PR template in repository settings:

# .github/controlinfra.yml
pullRequest:
  title: "fix(infra): {summary}"
  labels:
    - infrastructure
    - drift
  assignees:
    - "@infrastructure-team"
  reviewers:
    - "@security-team"

Branch Protection

Recommended settings:

# In GitHub repository settings
branches:
  main:
    protection:
      required_reviews: 1
      require_codeowners: true
      required_checks:
        - terraform-plan
        - security-scan

Next Steps

• Automated Fixes - How fixes are generated
• Drift Detection - Understanding drift
• Scan Scheduling - Automate scans