andreaslang.dev

File tools and validate: the agent's feedback loop

Terraform PR Agent · 17 min read

  • bedrock
  • pydantic-ai
  • terraform
  • validation

What this post covers

This post gives the agent real work. In previous posts we just gave it toy work to make sure the infrastructure, monitoring, and audit logs work. Now we build a harness for the agent to write Terraform and validate it.

To do this we give the agent a few tools:

The sandboxed file system tools themselves are simple; most of the work is returning good error messages to the model and making sure it does not breach the boundaries of the sandbox tmp folder. The terraform tools on the other hand are more complex, and they have consequences for the Lambda setup. They need to actually execute the terraform binary. For this post that meant changing the Lambda from a Python to a Docker based Lambda, which did require changing the build process and infrastructure setup.

Typical agent flow looks like this:

Logfire trace UI showing one terraform-pr-agent invocation: Mistral-large latest invocation with user prompt, agent invokes file write tool, terraform init, and terraform validate.

Notice the new AWS Lambda span, which was not there in the previous post. This is because I wanted to extend instrumentation given that now there is more happening than just the agent run. We do also re-lock the terraform dependency lock file for different architectures after the agent run and I wanted to see timings and memory usage for the external terraform process. Because we are using AWS Lambda, memory is a constraint and cost factor, made worse by the fact that if you are (like me) running this in a new sandbox AWS account you are capped at 3008 MB of memory. Increasing that is a slow process on basic support.

The system prompt in this iteration is not optimized (we’ll do that in a later post). We just tell the agent what tools it has and that it needs to run terraform-init before the first validate. list_files/read_file is currently not that important as we do not hook up GitHub/existing terraform code in this post. It will be more important when the agent needs to assess how to integrate its code into an existing project and to follow that project’s best practice guidelines when doing so.

System Prompt
You are the terraform-pr-agent. You operate on a Terraform workspace
through file tools (list_files, read_file, write_file, edit_file, delete_file)
and two terraform tools. Use the file tools to explore, write, and edit.
Run terraform_init before your first validate and again whenever you add
or change provider or module requirements. Call terraform_validate after
you write or change files to confirm the workspace still parses; treat its
output as feedback and edit until it is clean.


When you add the AWS provider, give it a version constraint such as "~> 6.0"
rather than leaving it unconstrained. terraform init records the exact resolved
version and checksums in .terraform.lock.hcl, which travels with the workspace
and is the reproducibility record, so the constraint does not need to be an exact
pin. Pin an exact version only when the user asks for one. Example:


terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 6.0"
    }
  }
}

Similarly, the user prompt is basic, with not much thought put into it. It is passed in the invoke event payload.

User Prompt
Set up a new terraform project, creating a best practice s3 bucket.

We store the end result in an S3 bucket. With no GitHub integration yet, that is a simple way to inspect the files the agent produced and validate the outcome.

Architecture

Post 2 wrapped the agent in a Lambda and stood up the dual-sink span pipeline behind it; post 3 made the model a runtime choice (an SSM model registry, a Mistral provider beside Bedrock, and EMF metrics feeding one CloudWatch dashboard). Post 4 keeps all of that as is. The Lambda itself changes from a zip package to a container image so we can ship the terraform CLI alongside the Python runtime; a new ECR repository holds the image, and terraform seeds it with a placeholder so the function can be created before the first real push, the container twin of post 2’s placeholder zip. Everything else around the function (IAM, Bedrock, the model registry, Firehose, S3) carries forward unchanged. The rest of the post is software: a workspace under /tmp, file tools, the terraform_validate tool, and a caller-side retry.

Your machineAWS accountConventionPydantic LogfireMistral APIpydantic-ai scriptDuckDBtraces.duckdbIAMSSM Parameter StoreECR repoterraform-pr-agentterraform-pr-agent Lambda(container image, arm64)added in this postchanged in this postunchanged from a prior postoptional in this postBedrockCloudWatchStorageOTLP ingestapi.mistral.aiMistral Large 3 / Devstralterraform-pr-agent rolebedrock-invoke policyfirehose role/models registry(String)/mistral-api-key(SecureString)pydantic-ai handlermodel factory(invoke-time)file + validate tools/tmp/<random>terraform binaryLambda Insights extensionLogfire + OTel span exportersterraform-pr-agentapplication profileeu.anthropic.claude-haiku-4-5inference profileClaude Haiku 4.5foundation modelEMF dashboardTerraformPrAgent/ModelsKinesis Firehoseterraform-pr-agent-auditS3 audit bucket(Object Lock)S3 runs bucket(force_destroy) attachedbuild modelfile IOinvoke imageinvoke (prompt + model)ConverseGetParameterGetParameterConverse (Bedrock entry)chat (Mistral entry)EMF metric logsexecution roleGetParameter + KMSgrants OTLP / HTTPPutRecordworkspace + result.jsonassumed bywriteread

The code

Prerequisites (one-time setup for the series)

Tooling and AWS access common to every post in this series.

Tooling

  • Terraform 1.x (install). Every post provisions infrastructure with Terraform.
  • uv for Python project management (install). Each post ships a runnable script you can invoke with uv run.
  • direnv (install) so terraform, uv run, and aws pick up AWS credentials automatically on cd. The project scaffold ships an .envrc that sources a gitignored .envrc.local.
  • (Optional) A coding agent such as Claude Code, Cursor, Codex, or Gemini CLI to consume the AgentPrompt blocks throughout the series. Not required (each prompt has a manual equivalent shown alongside it), but it skips the boilerplate.
Agent prompt: Check and install missing tooling 
You are helping set up tooling for a tutorial project.

For each of `terraform`, `uv`, and `direnv`, run `command -v` to
check whether it is installed. If present, print the version and
continue.

For missing tools, detect the system package manager in this order:
`command -v brew`, `command -v dnf`, `command -v apt-get`. Use the
first one available:

  - Terraform: `brew tap hashicorp/tap && brew install hashicorp/tap/terraform`,
    dnf via the HashiCorp RPM repo, or apt via the HashiCorp deb repo.
  - uv: `brew install uv`, or the official installer
    `curl -LsSf https://astral.sh/uv/install.sh | sh`.
  - direnv: `brew install direnv`, `dnf install direnv`, or
    `apt-get install direnv`.

If no package manager is available or the install fails, stop and
link the manual install page so the developer can finish by hand:

  - Terraform: https://developer.hashicorp.com/terraform/install
  - uv: https://docs.astral.sh/uv/getting-started/installation/
  - direnv: https://direnv.net/docs/installation.html

After installing direnv, do not modify any shell rc files. Print the
hook line for the developer's shell (bash, zsh, or fish) and the path
to the relevant rc file, then wait for them to apply it themselves.

Report which tools were already present, which you installed, and
which need manual follow-up.

AWS access

  • A sandbox, test, or personal AWS account with permission to create, modify, and delete the resources discussed in each post. If you don’t have one, follow the official Create Your AWS Account walkthrough (about ten minutes; requires a credit card and a phone number for verification). Treat it as disposable - you can close it from the billing console after the series.
  • AWS credentials available locally via aws configure sso, aws configure, or whichever method matches your setup. You wire them into the project through .envrc.local in the next section, not your shell rc.

Anthropic First Time Use

Bedrock requires a one-time use-case form per account (or per AWS Organization management account) before Anthropic models can be invoked. Easiest path: open any Claude model in the Bedrock console playground and submit the form. Auto-subscription on first invoke can take up to 15 minutes to settle, so it is worth clearing this before post 1.

CLI alternative and verification

Programmatic equivalent (requires AWS CLI 2.27.42 or later):

Terminal window
aws bedrock put-use-case-for-model-access \
  --form-data "$(printf '{"companyName":"...","companyWebsite":"...","intendedUsers":"1","industryOption":"...","otherIndustryOption":"","useCases":"..."}' | base64)"

Verify:

Terminal window
aws bedrock get-foundation-model-availability \
  --model-id anthropic.claude-haiku-4-5-20251001-v1:0 \
  --region eu-west-1

Look for agreementAvailability.status: AVAILABLE. Expected output:

{
  "modelId": "anthropic.claude-haiku-4-5-20251001-v1",
  "agreementAvailability": { "status": "AVAILABLE" },
  "authorizationStatus": "AUTHORIZED",
  "entitlementAvailability": "AVAILABLE",
  "regionAvailability": "AVAILABLE"
}

If the form has not been submitted, only agreementAvailability.status flips to NOT_AVAILABLE. The other three fields stay green even when invocation would fail, so do not rely on them.

The final tree. + is new in post 4, ~ extends a post 3 file, blank carries unchanged. Click any changed or new file to read it; the download below fast-forwards to this state if you want to walk through the post against the finished code. We also split the old handler.py in two: core.py holds the agent and an execute(prompt, model) that knows nothing about Lambda, and lambda_entry.py is the Lambda boundary that parses the event and calls it. It was getting out of hand as this post’s functionality piled on.

terraform-pr-agent/
agent/
__init__.py
handler.py
infra/
placeholder/
alerts.tf
audit-bucket.tf
bedrock.tf
firehose.tf
iam.tf
kms.tf
logfire.tf
main.tf
models.tf
scripts/
chat.py
queries.sql
tests/
test_handler.py
.envrc
.envrc.local
.gitignore
AGENTS.md
agent/core.py
"""Define the agent and execute one run.


Runtime-agnostic: a fresh /tmp workspace threaded through the file and validate
tools, one run id that joins the audit trace, the parked artifacts, and the
result. The telemetry pipeline lives in observability.py, model construction in
models.py, and run persistence plus the provider re-lock in runs.py; the Lambda
envelope and INIT wiring live in lambda_entry.py. This module knows nothing
about Lambda events.
"""


from __future__ import annotations


import uuid
from pathlib import Path
from tempfile import TemporaryDirectory


from pydantic import BaseModel, ConfigDict
from pydantic_ai import Agent


from agent.env import require_env
from agent.models import _build_model
from agent.runs import _persist_run, _relock_providers
from agent.tools import (
    WorkspaceDeps,
    _validate,
    delete_file,
    edit_file,
    list_files,
    read_file,
    terraform_init,
    terraform_validate,
    write_file,
)


# A soft reproducibility nudge following the standard Terraform pattern: a
# version constraint in the config, the exact version and checksums in the lock
# file. The tool-call spans in the trace are the ground truth for what the agent
# actually wrote.
_PROVIDER_PIN_RULE = (
    "When you add the AWS provider, give it a version constraint such as "
    '"~> 6.0" rather than leaving it unconstrained. terraform init records '
    "the exact resolved version and checksums in .terraform.lock.hcl, "
    "which travels with the workspace and is the reproducibility record, "
    "so the constraint does not need to be an exact pin. Pin an exact "
    "version only when the user asks for one. Example:\n"
    "\n"
    "terraform {\n"
    "  required_providers {\n"
    "    aws = {\n"
    '      source  = "hashicorp/aws"\n'
    '      version = "~> 6.0"\n'
    "    }\n"
    "  }\n"
    "}"
)


SYSTEM_PROMPT = (
    "You are the terraform-pr-agent. You operate on a Terraform workspace "
    "through file tools (list_files, read_file, write_file, edit_file, "
    "delete_file) and two terraform tools. Use the file tools to explore, "
    "write, and edit. Run terraform_init before your first validate and "
    "again whenever you add or change provider or module requirements. "
    "Call terraform_validate after you write or change files to confirm "
    "the workspace still parses; treat its output as feedback and edit "
    "until it is clean.\n\n" + _PROVIDER_PIN_RULE
)


# One Agent instance is reused across invocations: the tools reach the workspace
# through RunContext.deps, so each run_sync scopes them to a fresh WorkspaceDeps.
# The model carries no default; it is built from the registry at INVOKE and
# passed per run, so switching DEFAULT_MODEL needs no code change.
agent = Agent(
    deps_type=WorkspaceDeps,
    system_prompt=SYSTEM_PROMPT,
    tools=[
        list_files,
        read_file,
        write_file,
        edit_file,
        delete_file,
        terraform_init,
        terraform_validate,
    ],
    # Tools raise ModelRetry on failure; pydantic-ai ends the run once one tool
    # fails more than `retries` times in a row (a success resets the count). The
    # default of 1 would end the run on the second straight failing validate,
    # which is a normal part of the write-validate-edit loop, so the budget is
    # raised well past anything a converging run produces. The per-run turn cap
    # stays the runaway guard.
    retries=10,
)




# Caller-side backstop budget: how many follow-up runs to spend trying to get a
# clean validate after the agent reports done. The per-tool `retries` above
# guards the loop inside one run; this guards the run as a whole.
_MAX_VALIDATE_RETRIES = 3


_RETRY_PROMPT = (
    "terraform validate still reports errors after you finished. "
    "Fix them and validate again.\n\n{output}"
)




class ValidateDidNotConverge(RuntimeError):
    """terraform validate still failed after the caller-side retry budget."""




class RunResult(BaseModel):
    model_config = ConfigDict(frozen=True)


    run_id: str
    model: str
    output: str




def execute(prompt: str, model: str | None = None) -> RunResult:
    """Run the agent once and return the result.


    The run id is the trace's gen_ai.conversation.id and the runs/<run_id>/
    prefix, so one identifier joins trace, artifacts, and result. After the run
    the caller re-validates the workspace and feeds any failure back as a
    follow-up turn; a run that still fails after the retry budget raises, so the
    workspace ships under status error for debugging. ``model`` overrides
    DEFAULT_MODEL when given.
    """
    model_name = model or require_env("DEFAULT_MODEL")
    run_id = str(uuid.uuid4())
    with TemporaryDirectory(dir="/tmp") as workspace:
        root = Path(workspace)
        deps = WorkspaceDeps(root=root)
        try:
            built = _build_model(model_name)
            result = agent.run_sync(
                prompt,
                deps=deps,
                conversation_id=run_id,
                model=built,
                metadata={"model": model_name},
            )
            # The agent can report done while terraform validate still fails.
            # Re-validate ourselves and feed any error back as a follow-up turn,
            # reusing the run id and message history so each retry is an
            # invoke_agent span under the one invocation trace. Give up after the
            # budget and raise so the failure is honest rather than a clean run
            # over a broken workspace.
            ok, output = _validate(root)
            attempts = 0
            while not ok and attempts < _MAX_VALIDATE_RETRIES:
                attempts += 1
                result = agent.run_sync(
                    _RETRY_PROMPT.format(output=output),
                    deps=deps,
                    conversation_id=run_id,
                    model=built,
                    message_history=result.all_messages(),
                    metadata={"model": model_name},
                )
                ok, output = _validate(root)
            if not ok:
                raise ValidateDidNotConverge(output)
        except Exception as error:
            _persist_run(run_id, root, status="error", error=repr(error))
            raise
        _relock_providers(root)
        _persist_run(run_id, root, status="ok")
    return RunResult(run_id=run_id, model=model_name, output=str(result.output))
Fast-forward to the final code of this post

Download the cumulative checkpoint that matches the state at the end of this post. Useful for landing on the finished tree without working through every step.

Terminal window
mkdir -p ~/projects
cd ~/projects
curl -fsSL https://andreaslang.dev/terraform-pr-agent/terraform-pr-agent-04.tar.gz | tar xz

From zip to container image

In previous posts we used a normal Python Lambda, but for this post we moved to a Docker based Lambda to avoid the Lambda 250 MB size limit (unzipped). We could still have managed in this post with terraform 108 MB + site-packages 56 MB = 164 MB, but the container ceiling is 10 GB rather than 250 MB, which buys real headroom as the image grows. The container also hands us the whole image to control, system packages and filesystem layout, not just Python deps layered onto the AWS runtime. As a bonus it is a standard Docker image, so moving to something like ECS Fargate later is straightforward.

Looking at the Docker image you will also notice we use a multi-stage build, where we have build layers of the image in multiple stages and then copy them into the final image. This is an easy way of keeping build tools out of the final image and therefore reducing the size of the image. Our final image is 739 MB total, 169 MB above the shared 570 MB base. That sounds huge for people trying to build small images, but the base image we use is the AWS Lambda Python base image, which is heavily cached across the Lambda stack. So in practice we only pull the final 169 MB layer, which is far more reasonable.

Multi-stage build layout
builder stage        copied into the final image
-------------        ---------------------------
terraform       -->  terraform binary
python          -->  site-packages (/var/task)
insights        -->  Lambda Insights extension
build context   -->  agent/ source


base image: public.ecr.aws/lambda/python:3.13
left in the builders, never shipped: unzip, dnf cache, uv, gpg keyring, rpm metadata

We will not go through all the stages of the image, but here are the Python dependencies as an example. We use the AWS Lambda Python base image, install uv by copying the layer from yet another Docker image, copy pyproject.toml/uv.lock, export to a requirements.txt and then run uv pip to install the dependencies.

Dockerfile
# Same uv flow as the zip build this replaces (see the uv AWS Lambda
# guide); the dependency set installs straight into the task root, where
# the final stage picks it up.
FROM public.ecr.aws/lambda/python:3.13 AS python
COPY --from=ghcr.io/astral-sh/uv:0.11.21 /uv /usr/local/bin/uv
WORKDIR /opt/build
COPY pyproject.toml uv.lock ./
RUN uv export --frozen --no-dev --no-editable -o requirements.txt \
    && uv pip install \
        --no-installer-metadata \
        --no-compile-bytecode \
        --target "${LAMBDA_TASK_ROOT}" \
        -r requirements.txt

The Python stage does not ship. The final stage below just assembles the image by copying all the previous layers into it. Here you see we use:

  1. The Terraform binary
  2. The Lambda Insights extension (extensions and cloudwatch)
  3. The Python dependencies
  4. Our agent code

Initially I considered baking the Terraform AWS provider into the image, but managing it properly turned out to be difficult without constraining the use case further than it already is. So I took the simpler route: download the providers every time the agent calls terraform init.

Dockerfile
# The shipped image: only the artifacts the function uses at runtime
# cross over from the builder stages.
FROM public.ecr.aws/lambda/python:3.13
COPY --from=terraform /usr/local/bin/terraform /usr/local/bin/terraform
COPY --from=insights /opt/extensions /opt/extensions
COPY --from=insights /opt/cloudwatch /opt/cloudwatch
COPY --from=python ${LAMBDA_TASK_ROOT} ${LAMBDA_TASK_ROOT}
COPY agent ${LAMBDA_TASK_ROOT}/agent
WORKDIR ${LAMBDA_TASK_ROOT}

The CMD attribute for a Docker based Lambda needs to be the Python handler. It points at the handler function in the agent.lambda_entry module. While we are at it we also make terraform non-interactive and set the home folder to the only writable folder in a Lambda (/tmp).

Dockerfile
# terraform needs a writable HOME for incidental state; /tmp is the only
# writable path at runtime. CMD replaces the zip package's handler attribute
# and points at lambda_entry, the instrumented entry point, not the bare
# handler module.
ENV HOME=/tmp \
    TF_IN_AUTOMATION=true \
    TF_INPUT=false
CMD ["agent.lambda_entry.handler"]

ECR and the placeholder image

A consequence of switching to a Docker based Lambda is that we now need a placeholder image to avoid the terraform apply needing a three step process (first creating the ECR repo, pushing the image, then creating the Lambda). With the placeholder in place, a single apply can create the function, and scripts/build-lambda.sh pushes the real image afterward. It keeps the terraform apply self-contained, with the code ship as a separate step.

infra/ecr.tf
# Container twin of the zip flow's archive_file placeholder: the function
# resource needs a pullable image at create time, so terraform seeds a
# minimal one. Create-only (input never changes), so scripts/build-lambda.sh
# owns every push after this.
resource "terraform_data" "placeholder_image" {
  input = aws_ecr_repository.agent.repository_url


  # Needs docker and the aws cli on the machine running apply; both are
  # already prerequisites for the series.
  provisioner "local-exec" {
    command = <<-EOT
      aws ecr get-login-password --region ${data.aws_region.current.region} |
        docker login --username AWS --password-stdin ${split("/", aws_ecr_repository.agent.repository_url)[0]}
      docker buildx build --platform linux/arm64 --provenance=false \
        -t ${aws_ecr_repository.agent.repository_url}:placeholder \
        --push ${path.module}/placeholder
    EOT
  }
}

For the Lambda itself, package_type = "Image" and image_uri switch it to a Docker based Lambda. We also tell terraform to ignore changes to image_uri, because otherwise a re-apply would reset the function back to the placeholder image. Instead we want our agent Docker build to have control over the image URI. Further, we tweak timeout, memory size, and ephemeral storage to match the heavier resource needs now that terraform runs inside the function. Lambda layers, which we used in a previous post, are removed entirely; they do not work with a Docker based Lambda.

infra/lambda.tf
resource "aws_lambda_function" "agent" {
  function_name = "terraform-pr-agent"
  role          = aws_iam_role.lambda.arn
  architectures = ["arm64"]


  # The handler entry point comes from the image's CMD; the runtime,
  # handler, and layers attributes only apply to zip packages.
  package_type = "Image"
  image_uri    = "${aws_ecr_repository.agent.repository_url}:placeholder"


11 collapsed lines
  # Max Memory Used overstates what this function needs. It runs to ~2 GB on a
  # heavy run, but the track_memory spans (see agent/memory.py) show the real,
  # non-reclaimable demand stays under ~1 GB: ~315 MB resident for the Python
  # runtime plus a transient ~420 MB while terraform validate loads the
  # provider schema. The rest is reclaimable page cache from the ~800 MB
  # provider download and re-lock unpacks doing file IO on /tmp, which the
  # cgroup-based billed figure counts but the kernel drops under pressure, so
  # it is not OOM risk. Memory is therefore not the binding constraint here.
  # 3008 is set for the vCPU it buys, not the RAM: above 1769 MB Lambda gives a
  # full core (3008 is ~1.7), which speeds the run. Drop it toward ~1769 if
  # latency matters less than cost; do not raise it for memory headroom.
  memory_size = 3008


  # The per-run tool budget is the runaway guard; the timeout only has to
  # accommodate several model turns with init + validate rounds in between.
  timeout = 300


  # Two things land in /tmp: terraform init downloads the AWS provider
  # (~800 MB) into the workspace, and the post-run re-lock unpacks the
  # provider for three platforms (another ~2 GB) to write a portable lock
  # file. 4 GB covers both with headroom; the default 512 MB would not.
  ephemeral_storage {
    size = 4096
  }


  tracing_config {
    mode = "Active"
  }


17 collapsed lines
  environment {
    variables = merge(
      {
        MODELS_PARAMETER         = aws_ssm_parameter.models.name
        DEFAULT_MODEL            = var.default_model
        METRICS_NAMESPACE        = local.metrics_namespace
        FIREHOSE_DELIVERY_STREAM = aws_kinesis_firehose_delivery_stream.audit.name
        RUNS_BUCKET              = aws_s3_bucket.runs.bucket
      },
      local.logfire_token_wired ? {
        LOGFIRE_TOKEN_PARAMETER = local.logfire_token_parameter_name
      } : {},
      local.mistral_key_wired ? {
        MISTRAL_API_KEY_PARAMETER = aws_ssm_parameter.mistral_api_key[0].name
      } : {},
    )
  }


  # Code ships out of band: scripts/build-lambda.sh pushes a new image and
  # calls update-function-code, so terraform must not flip the function
  # back to the placeholder on the next apply.
  lifecycle {
    ignore_changes = [image_uri]
  }


  depends_on = [
    aws_iam_role_policy_attachment.lambda_basic_execution,
    aws_iam_role_policy_attachment.lambda_insights,
    aws_iam_role_policy.lambda_permissions,
    terraform_data.placeholder_image,
  ]
}

Watching cold starts

One common downside of a Docker Lambda is that cold starts are slower than normal Lambdas. We do not particularly care about cold starts, but we do want to measure them and make sure they do not get out of hand due to dependency bloat. The AWS Lambda Insights extension is a good way to measure cold starts, but because we cannot use layers, we need to add it to the image. The code looks scary, and I wish AWS thought about the end user the way Astral/uv do, but it is taken straight from the AWS docs.

Dockerfile
# Container images cannot attach layers, so the Lambda Insights extension
# is baked into the image: pinned version, detached GPG signature checked
# against the key fingerprint published in the Lambda Insights docs, so a
# tampered rpm fails the build.
FROM public.ecr.aws/lambda/python:3.13 AS insights
ARG INSIGHTS_VERSION=1.0.660.0
ARG INSIGHTS_BASE_URL=https://lambda-insights-extension-arm64.s3-ap-northeast-1.amazonaws.com
# The downloaded key is checked against the fingerprint from the docs
# before anything trusts it; gpg runs with --batch/--no-tty/--no-autostart
# because the base image ships no gpg-agent.
RUN curl -fsSLO ${INSIGHTS_BASE_URL}/amazon_linux/lambda-insights-extension-arm64.${INSIGHTS_VERSION}.rpm \
    && curl -fsSLO ${INSIGHTS_BASE_URL}/amazon_linux/lambda-insights-extension-arm64.${INSIGHTS_VERSION}.rpm.sig \
    && curl -fsSLO ${INSIGHTS_BASE_URL}/lambda-insights-extension.gpg \
    && gpg --batch --no-tty --show-keys --with-colons lambda-insights-extension.gpg \
        | grep -q '^fpr:::::::::E0AFFA11FFF35BD7349EE222479C97A1848ABDC8:' \
    && gpg --batch --no-tty --no-autostart --import lambda-insights-extension.gpg \
    && gpg --batch --no-tty --no-autostart --verify \
        lambda-insights-extension-arm64.${INSIGHTS_VERSION}.rpm.sig \
        lambda-insights-extension-arm64.${INSIGHTS_VERSION}.rpm \
    && rpm -U lambda-insights-extension-arm64.${INSIGHTS_VERSION}.rpm \
    && rm -f lambda-insights-extension-arm64.${INSIGHTS_VERSION}.rpm* lambda-insights-extension.gpg

The extension needs one IAM grant to write to its /aws/lambda-insights log group, a single managed-policy attachment that sits in the file browser above.

Below you see how we wire the metrics into the dashboard. We take the Lambda Insights metrics and plot:

infra/cloudwatch.tf
46 collapsed lines
      {
        type   = "text"
        x      = 0
        y      = 0
        width  = 24
        height = 2
        properties = {
          markdown = "## Lambda\nContainer-image function health: invocations and errors, end to end duration, cold start init duration (Lambda Insights emits `init_duration` only on a cold start), and the memory and `/tmp` footprint behind the `memory_size` and `ephemeral_storage` sizing."
        }
      },
      {
        type   = "metric"
        x      = 0
        y      = 2
        width  = 12
        height = 6
        properties = {
          title  = "Lambda invocations and errors"
          region = local.cloudwatch_region
          view   = "timeSeries"
          stat   = "Sum"
          period = 60
          metrics = [
            ["AWS/Lambda", "Invocations", "FunctionName", local.lambda_name, { label = "${local.lambda_name} / invocations" }],
            [".", "Errors", ".", ".", { label = "${local.lambda_name} / errors" }],
            [".", "Throttles", ".", ".", { label = "${local.lambda_name} / throttles" }],
          ]
        }
      },
      {
        type   = "metric"
        x      = 12
        y      = 2
        width  = 12
        height = 6
        properties = {
          title  = "Lambda duration (ms)"
          region = local.cloudwatch_region
          view   = "timeSeries"
          period = 60
          metrics = [
            ["AWS/Lambda", "Duration", "FunctionName", local.lambda_name, { label = "${local.lambda_name} / avg", stat = "Average" }],
            [".", ".", ".", ".", { label = "${local.lambda_name} / p99", stat = "p99" }],
          ]
        }
      },
      {
        type   = "metric"
        x      = 0
        y      = 8
        width  = 12
        height = 6
        properties = {
          title  = "Cold start init duration (ms)"
          region = local.cloudwatch_region
          view   = "timeSeries"
          period = 60
          metrics = [
            # Insights reports init_duration only when an init phase happened,
            # so points appear only on cold starts.
            ["LambdaInsights", "init_duration", "function_name", local.lambda_name, { label = "${local.lambda_name} / init avg (ms)", stat = "Average" }],
            [".", ".", ".", ".", { label = "${local.lambda_name} / init max (ms)", stat = "Maximum" }],
          ]
        }
      },
      {
        type   = "metric"
        x      = 12
        y      = 8
        width  = 12
        height = 6
        properties = {
          title  = "Memory used (MB)"
          region = local.cloudwatch_region
          view   = "timeSeries"
          period = 60
          metrics = [
            # used_memory_max is the cgroup figure (Max Memory Used), which
            # counts the reclaimable /tmp page cache and so reads ~2 GB while
            # real demand is under 1 GB. Backs the memory_size comment in
            # lambda.tf.
            ["LambdaInsights", "used_memory_max", "function_name", local.lambda_name, { label = "${local.lambda_name} / memory max (MB)", stat = "Maximum" }],
          ]
        }
      },
      {
        type   = "metric"
        x      = 0
        y      = 14
        width  = 12
        height = 6
        properties = {
          title  = "/tmp used (bytes)"
          region = local.cloudwatch_region
          view   = "timeSeries"
          period = 60
          metrics = [
            # tmp_used tracks the ~800 MB provider download into /tmp, behind
            # the 4 GB ephemeral_storage sizing in lambda.tf.
            ["LambdaInsights", "tmp_used", "function_name", local.lambda_name, { label = "${local.lambda_name} / tmp used (B)", stat = "Maximum" }],
          ]
        }
      },

In CloudWatch the dashboard looks like this. Cold starts sit around 3s, acceptable for our use case, and the memory and /tmp metrics stay within the configured limits.

CloudWatch dashboard for terraform-pr-agent with a Lambda section (invocations and errors, duration, cold starts, memory and /tmp) above a Model section (tokens, invocations and errors, latency, cache tokens).

Workspace setup

The agent needs some context for the run. Pydantic-ai is itself stateless. The agent only has conversation history if the previous messages are passed to it as a message_history argument. We talked about this back in post 1. Here we also need to give the agent context about the workspace it is working in so that the root/project folder can be validated. Tool calls should usually just use a relative path to it, but we need to make sure everything ends up in this tmp folder, so we can pick up the end result of the agent’s work. You also see files_read there; we use it to stop the agent editing files it has not read.

agent/tools.py
class WorkspaceDeps(BaseModel):
    """Per-run dependencies threaded through ``RunContext``.


    ``root`` is the directory the agent is allowed to read, write, and
    validate inside. Tools resolve every path relative to it and reject
    anything that escapes the root, so the agent cannot reach outside
    the workspace via ``..`` or absolute paths.
    """


    model_config = ConfigDict(arbitrary_types_allowed=True)


    root: Path
    files_read: set[Path] = Field(default_factory=set)

Each time the LLM invokes any of our tools with a path we validate it against the workspace root. Luckily Python has the pathlib module that makes this easy.

agent/tools.py
def _resolve_absolute_path(ctx: RunContext[WorkspaceDeps], path: str):
    root = ctx.deps.root.resolve()
    absolute_path = (root / Path(path)).resolve()
    if not absolute_path.is_relative_to(root):
        raise ModelRetry(
            f"Path {path} must be relative to the workspace root, "
            f"it cannot be absolute or walk up the directory tree."
        )
    return absolute_path

File tools

We have list_files(path), read_file(path), write_file(path, contents), edit_file(path, old_string, new_string) and delete_file(path). We won’t go through all of them, but show you the edit file tool. It uses _resolve_absolute_path(ctx, path) to resolve the path (always absolute in the end), which will also verify that the path is inside the workspace root. Then it validates additional constraints:

  1. The file exists
  2. The agent has previously read or created the file
  3. old_string (string to replace) is in the file contents
  4. old_string only exists once in the file contents (prevents accidental replacements)

One decision worth calling out: we raise ModelRetry instead of returning a description of the mistake the agent makes. The difference is that ModelRetry counts against the tool retry budget of the agent, while a string description telling the agent what to do next does not. It avoids long chains of corrections costing too many tokens. If that happens we would rather fail and raise an alert in a production environment, so that an SRE or the product team can investigate and fix the cause of the agent’s confusion (better system prompt or tool descriptions). During initial validation it also allows you to weed out models that are not as good with tool calls, which makes them unsuitable for your task.

agent/tools.py
def edit_file(
    ctx: RunContext[WorkspaceDeps],
    path: str,
    old_string: str,
    new_string: str,
) -> None:
    """Replace ``old_string`` with ``new_string`` in the file at ``path``."""
    file = _resolve_absolute_file(ctx, path)
    if not file.exists():
        raise ModelRetry(f"File {path} does not exist.")
    if file not in ctx.deps.files_read:
        raise ModelRetry(f"File {path} was not read. If you want to edit it, then read it first.")
    with file.open("r+") as f:
        contents = f.read()
        if old_string not in contents:
            raise ModelRetry(f"String {old_string} not found in file {path}.")
        if contents.count(old_string) > 1:
            raise ModelRetry(f"String {old_string} found more than once in file {path}.")
        f.seek(0)
        f.write(contents.replace(old_string, new_string))
        f.truncate()

The validate tool: agent-driven, any time

In this blog post we only offer terraform_validate() and terraform_init() to the agent to interact and validate terraform code. Terraform validate for example has a very simple flow:

  1. Use a sub-process to run terraform validate
  2. Validate the result:
    • If the exit code is 0 (success) return OK message
    • If the exit code is 1 (failure) ModelRetry error with stdout and stderr
agent/tools.py
def _validate(root: Path) -> tuple[bool, str]:
    """Run ``terraform validate`` in ``root``; return (passed, combined output).


    The agent reaches this through the tool below; the caller-side retry in
    handler.py calls it directly to re-check the workspace after the run.
    """
    with track_memory("terraform_validate"):
        result = subprocess.run(
            ["terraform", "validate", "-no-color"],
            cwd=root,
            capture_output=True,
            text=True,
        )
    return result.returncode == 0, f"{result.stdout}{result.stderr}"




def terraform_validate(ctx: RunContext[WorkspaceDeps]) -> str:
    """Run ``terraform validate`` in the workspace and return its output."""
    ok, output = _validate(ctx.deps.root)
    if ok:
        return "OK: terraform validate passed."
    raise ModelRetry(f"terraform validate failed:\n{output}")

A little bonus is the track_memory decorator, which creates a new span and attaches memory information to it. So we can dive into the agent run in Logfire and see how much memory it used.

Logfire trace UI showing memory.<step> spans from the track_memory decorator, each tagged with mem.used_bytes, mem.cache_bytes, and mem.child_max_rss_bytes attributes.

This is the Agent definition, one instance reused across invocations. The error budget for ModelRetry can be configured in the Agent setup.

agent/core.py
32 collapsed lines
# A soft reproducibility nudge following the standard Terraform pattern: a
# version constraint in the config, the exact version and checksums in the lock
# file. The tool-call spans in the trace are the ground truth for what the agent
# actually wrote.
_PROVIDER_PIN_RULE = (
    "When you add the AWS provider, give it a version constraint such as "
    '"~> 6.0" rather than leaving it unconstrained. terraform init records '
    "the exact resolved version and checksums in .terraform.lock.hcl, "
    "which travels with the workspace and is the reproducibility record, "
    "so the constraint does not need to be an exact pin. Pin an exact "
    "version only when the user asks for one. Example:\n"
    "\n"
    "terraform {\n"
    "  required_providers {\n"
    "    aws = {\n"
    '      source  = "hashicorp/aws"\n'
    '      version = "~> 6.0"\n'
    "    }\n"
    "  }\n"
    "}"
)


SYSTEM_PROMPT = (
    "You are the terraform-pr-agent. You operate on a Terraform workspace "
    "through file tools (list_files, read_file, write_file, edit_file, "
    "delete_file) and two terraform tools. Use the file tools to explore, "
    "write, and edit. Run terraform_init before your first validate and "
    "again whenever you add or change provider or module requirements. "
    "Call terraform_validate after you write or change files to confirm "
    "the workspace still parses; treat its output as feedback and edit "
    "until it is clean.\n\n" + _PROVIDER_PIN_RULE
)


# One Agent instance is reused across invocations: the tools reach the workspace
# through RunContext.deps, so each run_sync scopes them to a fresh WorkspaceDeps.
# The model carries no default; it is built from the registry at INVOKE and
# passed per run, so switching DEFAULT_MODEL needs no code change.
agent = Agent(
    deps_type=WorkspaceDeps,
    system_prompt=SYSTEM_PROMPT,
    tools=[
        list_files,
        read_file,
        write_file,
        edit_file,
        delete_file,
        terraform_init,
        terraform_validate,
    ],
    # Tools raise ModelRetry on failure; pydantic-ai ends the run once one tool
    # fails more than `retries` times in a row (a success resets the count). The
    # default of 1 would end the run on the second straight failing validate,
    # which is a normal part of the write-validate-edit loop, so the budget is
    # raised well past anything a converging run produces. The per-run turn cap
    # stays the runaway guard.
    retries=10,
)

Caller-side retry

Working with LLMs reminds me of the German saying:

Vertrauen ist gut, Kontrolle ist besser (Trust is good, verifying is better)

Here the agent can in principle ignore every instruction and report success while nothing actually works. Hence, we add some deterministic checks in the end and feed message_history back to the agent with a new prompt if they fail. At this stage this is really just making sure terraform init does not fail.

agent/core.py
            # The agent can report done while terraform validate still fails.
            # Re-validate ourselves and feed any error back as a follow-up turn,
            # reusing the run id and message history so each retry is an
            # invoke_agent span under the one invocation trace. Give up after the
            # budget and raise so the failure is honest rather than a clean run
            # over a broken workspace.
            ok, output = _validate(root)
            attempts = 0
            while not ok and attempts < _MAX_VALIDATE_RETRIES:
                attempts += 1
                result = agent.run_sync(
                    _RETRY_PROMPT.format(output=output),
                    deps=deps,
                    conversation_id=run_id,
                    model=built,
                    message_history=result.all_messages(),
                    metadata={"model": model_name},
                )
                ok, output = _validate(root)
            if not ok:
                raise ValidateDidNotConverge(output)

Parking the output in S3

In this iteration of the code we do not yet integrate GitHub, so to be able to see the code that the agent produced, we need to store it somewhere. This code stores it in an S3 bucket so we can inspect it later. We skip the .terraform folder, which is just local init scratch.

agent/runs.py
def _persist_run(run_id: str, workspace: Path, status: str, error: str | None = None) -> None:
6 collapsed lines
    """Park the workspace and a minimal result marker under runs/<run_id>/.


    result.json carries only what the audit trace does not: prompt, output, and
    messages already live in the trace under the same conversation id, so copying
    them here would create a second source of truth.
    """
    bucket = require_env("RUNS_BUCKET")
    s3 = boto3.client("s3")
    for file in _workspace_files(workspace):
        key = f"runs/{run_id}/workspace/{file.relative_to(workspace)}"
        s3.put_object(Bucket=bucket, Key=key, Body=file.read_bytes())
    result = {"status": status} | ({"error": error} if error else {})
    s3.put_object(
        Bucket=bucket,
        Key=f"runs/{run_id}/result.json",
        Body=json.dumps(result).encode(),
    )




def _workspace_files(workspace: Path) -> Iterator[Path]:
4 collapsed lines
    """Every file except .terraform/, which is init scratch plus the provider
    downloaded into /tmp, gigabytes of noise per run. The top-level
    .terraform.lock.hcl is the reproducibility record and stays.
    """
    for path in sorted(workspace.rglob("*")):
        if ".terraform" in path.relative_to(workspace).parts:
            continue
        if path.is_file():
            yield path

Tracing the whole invocation

The Lambda entry point stays thin: it requires a prompt, hands off to core.execute, and shapes the response. Its other job is the INIT wiring, configure telemetry then wrap the handler, which has to run at import. Keeping the execution logic separate from anything Lambda-related also means we could add other entry points later, deploying this somewhere else (e.g. ECS Fargate).

agent/lambda_entry.py
"""The Lambda boundary: parse the event, run the agent, shape the response.


This module also owns the INIT wiring. The container CMD targets
agent.lambda_entry.handler, so a unit test that imports agent.core never
configures logfire or registers the Firehose audit processor. Everything
Lambda-specific lives here, off the core, which is why no runtime-detection
check is needed to keep it out of tests.
"""


from __future__ import annotations


from typing import NotRequired, TypedDict


import logfire


from agent import observability
from agent.core import execute




10 collapsed lines
class HandlerEvent(TypedDict):
    prompt: str
    model: NotRequired[str]




class HandlerResponse(TypedDict):
    status: str
    run_id: str
    model: str
    output: str




def handler(event: HandlerEvent, context: object) -> HandlerResponse:
    """Lambda entry point: require a prompt, run the agent, wrap the result.


    ``prompt`` is required; an event without one is a caller error and fails
    fast rather than running a default. ``model`` overrides DEFAULT_MODEL when
    given. A run that does not converge raises, so the Lambda reports 5xx and
    the workspace ships under status error for debugging.
    """
    prompt = event.get("prompt")
    if not prompt:
        raise ValueError("event missing required 'prompt'")
    result = execute(prompt, event.get("model"))
    return {
        "status": "ok",
        "run_id": result.run_id,
        "model": result.model,
        "output": result.output,
    }




def bootstrap() -> None:
    """Stand up telemetry, then attach the Lambda runtime adapter.


    configure() first so the tracer provider exists when the handler is wrapped.
    instrument_aws_lambda wraps the target named by _HANDLER
    (agent.lambda_entry.handler) in place, so each invocation becomes one trace.
    """
    observability.configure()
    logfire.instrument_aws_lambda(handler)




bootstrap()

Changing the span hierarchy also means the example query we showed in a previous post for reading the audit data in S3 needs to change. We already changed the audit processor to ship if span.parent is None or span.parent.is_remote, now in the query we look for the agent invocations in particular by using gen_ai.operation.name = 'invoke_agent'. This works with or without the Lambda OTEL data being written.

scripts/traces.sql
roots AS (
    -- One row per agent run: pydantic-ai's invoke_agent span, identified by
    -- the GenAI operation rather than by being the parentless span.
    -- instrument_aws_lambda now roots each trace at the SpanKind.SERVER
    -- invocation span, so the agent run is a child of it, not the trace root.
    -- (A caller-side retry would put several invoke_agent spans under one
    -- invocation; the trace_id join below would then cross them, so that
    -- case wants each chat tied to its enclosing run instead.)
    SELECT * FROM spans
    WHERE list_filter(attributes, x -> x.key = 'gen_ai.operation.name')[1]
        .value.stringValue = 'invoke_agent'
),

What validate catches and what it doesn’t

Currently we only run terraform validate, which checks that the HCL and provider config are correct. It does not catch bad naming for Terraform variables, security issues, or misconfigurations that only show up during apply. In the following post we remedy some of this by giving the agent more tools to validate against, and enforcing extra checks such as security baselines.

End state

An agent that takes an English request and leaves a workspace in a validated state. File tools, validate tool, retry chain, and a structured self-report are all in place for posts 4-6 to build on.

Next: Conventions and policy: more tools, same feedback loop

All posts