# Demo Case: Terraform with DolphinScheduler

This demo shows how Gomboc can take a real, actively maintained open-source Terraform deployment and go from “find problems” to “find and fix” directly in your IDE, then package the changes into a clean PR that your team can review and trust.

You’ll use a real-world open-source deployment ([Apache DolphinScheduler](https://github.com/apache/dolphinscheduler/blob/dev/deploy/terraform/README.md)) with Terraform to demonstrate production-hardening fixes and guardrails.

### Prerequisites

* Gomboc IDE plugin installed and configured. See: [VSCode Plugin page](https://docs.gomboc.ai/integrations/vscode-plugin#id-0.-prerequisites).
* Terraform installed locally (if you plan to run validate/plan/apply)

#### Step 0: Prepare the demo repo

1. Clone the demo repo and open it in VS Code:

```bash
git clone https://github.com/iac-playground/dolphinscheduler.git
```

2. Confirm the repo is in a good state:

* Run `terraform fmt -recursive`
* Run `terraform validate` (or the repo’s documented validate flow)

#### Step 1: Run the first scan (the “wow” moment)

1. Open the Command Palette (`Ctrl/Cmd + Shift + P`)
2. Run **Gomboc: Scan current file or scenario** (or rely on scan-on-save, if enabled)
3. Keep the repo open: this is a multi-file Terraform project, so it should produce findings across the codebase.

{% hint style="info" %}
Traditional tools mostly stop at “here are findings.” Gomboc is built to connect findings to fixes in a consistent, reviewable workflow.
{% endhint %}

<figure><img src="https://3084082483-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9X3GhAYjoqbnAMyhHhAr%2Fuploads%2FpUU7fDJ22emMTe4lB16V%2FScreenshot%202026-03-04%20at%205.04.25%E2%80%AFPM.png?alt=media&#x26;token=4233d037-23fa-4755-861d-dc3a032530ab" alt=""><figcaption></figcaption></figure>

#### Step 2: Review findings

In the IDE results list, pick 3-5 high-signal issues to focus on first. Typical categories for this repo include:

* Public exposure defaults (public instances / public DB access)
* Metadata hardening (IMDSv1 not disabled / metadata settings missing)
* Encryption gaps (S3 / RDS / EBS)
* Overly permissive IAM (broad actions like `s3:*`)
* Monitoring/backup gaps (log export, backup windows, retention)

You can also review this through the [Gomboc Reviewer (Webview)](https://docs.gomboc.ai/integrations/vscode-plugin/gomboc-reviewer-webview), which gives you a single, centralized place to triage the findings, preview deterministic remediations, and apply changes across multiple files.

1. In the Gomboc results list, select **one or more findings** (multi-select if supported).
   * Example: select several **database-related** fixes (multi-AZ, public access off, deletion protection).
2. Click **Review in Webview** / **Open Webview Reviewer** (wording may vary).
   * This opens a Gomboc “web view” inside the IDE that’s optimized for reviewing fixes.
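To make the finding categories above concrete, the following shows what the weak settings and their hardened counterparts look like in Terraform for the AWS resource types this deployment uses (EC2 instance, RDS instance, IAM policy). This is an added illustration, not code from the DolphinScheduler repo and not a Gomboc-generated patch; resource names, variable names and the bucket reference are assumed.

```hcl
# --- BEFORE: settings that typically trigger the finding categories above ---

resource "aws_instance" "api_weak" {
  ami           = var.ami_id   # assumed variable
  instance_type = "t3.medium"
  # No metadata_options block: IMDSv1 stays enabled (metadata hardening finding)
  # No monitoring / disable_api_termination: monitoring and termination protection findings
  # No root_block_device encryption: EBS encryption finding
}

resource "aws_db_instance" "meta_weak" {
  identifier          = "dolphinscheduler-meta"
  engine              = "postgres"
  instance_class      = "db.t3.medium"
  allocated_storage   = 20
  username            = var.db_user       # assumed variable
  password            = var.db_password   # assumed variable
  publicly_accessible = true              # public DB access finding
  skip_final_snapshot = true
  # storage_encrypted, multi_az, deletion_protection and backup settings are
  # absent, so encryption, availability and backup findings are raised
}

data "aws_iam_policy_document" "s3_weak" {
  statement {
    actions   = ["s3:*"]   # overly permissive IAM finding
    resources = ["*"]
  }
}

# --- AFTER: the same resources with the hardening a reviewable fix introduces ---

resource "aws_instance" "api" {
  ami                     = var.ami_id
  instance_type           = "t3.medium"
  monitoring              = true   # detailed CloudWatch monitoring
  disable_api_termination = true   # termination protection
  ebs_optimized           = true

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"   # IMDSv2 only; IMDSv1 disabled
    http_put_response_hop_limit = 1
  }

  root_block_device {
    encrypted = true   # EBS encryption at rest
  }
}

resource "aws_db_instance" "meta" {
  identifier                      = "dolphinscheduler-meta"
  engine                          = "postgres"
  instance_class                  = "db.t3.medium"
  allocated_storage               = 20
  username                        = var.db_user
  password                        = var.db_password
  publicly_accessible             = false   # no public DB endpoint
  storage_encrypted               = true    # RDS encryption at rest
  multi_az                        = true    # availability
  deletion_protection             = true
  backup_retention_period         = 7       # days
  backup_window                   = "03:00-04:00"
  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]   # log export
  skip_final_snapshot             = false
  final_snapshot_identifier       = "dolphinscheduler-meta-final"
}

data "aws_iam_policy_document" "s3_scoped" {
  # Object-level actions limited to the one bucket the service needs
  statement {
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["${aws_s3_bucket.artifacts.arn}/*"]   # assumed bucket resource
  }
  # Bucket-level action scoped to the bucket ARN itself
  statement {
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.artifacts.arn]
  }
}
```

When you compare a previewed Gomboc diff against the resource in context (Step 5), the changes you are checking for are of exactly this shape: an added block or attribute per finding, with no change to the resource's identity, so the hardened resource still plans as an in-place update rather than a replacement.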

#### Step 3: Inspect finding details

For each selected finding in the Webview Reviewer, review:

1. **Resource reference** (which Terraform resource/module is affected)
2. **Rule / policy driver** (what guardrail triggered this fix)
3. **Description** of what the fix does
4. (Optional) **External mapping** fields if present
   * Example: IDs or references that align with other scanners (like Checkov)

<figure><img src="https://3084082483-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9X3GhAYjoqbnAMyhHhAr%2Fuploads%2FVOnAqoNlWksheGNdwDUy%2FScreenshot%202026-03-04%20at%205.45.55%E2%80%AFPM.png?alt=media&#x26;token=94513d55-ab37-46fb-9568-9b5464ac82c7" alt=""><figcaption></figcaption></figure>

#### Step 4: Preview fixes

1. In the Webview Reviewer, click **Preview** (or **Preview fixes**).
2. Gomboc will:
   * apply the changes in the correct order
   * ensure changes are consistent across dependencies
   * generate a preview of code diffs you can review before applying
3. Wait for preview generation to complete.

**What you should see:**

* A preview list showing **exact code changes** per resource/finding.
* Concrete diffs, not just recommendations.
* A summary of which rules triggered which updates (e.g., enabling metadata service hardening, enabling monitoring, termination protection).

<figure><img src="https://3084082483-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9X3GhAYjoqbnAMyhHhAr%2Fuploads%2FmdvLSBhwUX8WkREJlJnl%2FScreenshot%202026-03-04%20at%205.50.23%E2%80%AFPM.png?alt=media&#x26;token=a18f31a3-d246-4ffd-939a-8a34d66a006b" alt=""><figcaption></figcaption></figure>

#### Step 5: Review diffs in detail

For a selected previewed fix:

1. Click **Open diff** to see the exact Terraform patch.
2. Use **View full resource in context** to understand how the change fits into the resource/module.
3. Confirm the fix is:
   * logically correct for production hardening
   * consistent with your organization’s expectations
   * not introducing unexpected side effects

<figure><img src="https://3084082483-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9X3GhAYjoqbnAMyhHhAr%2Fuploads%2Fd6lCeU0dBrX0NaKBBi03%2FScreenshot%202026-03-04%20at%205.53.35%E2%80%AFPM.png?alt=media&#x26;token=d45db49b-3f5f-4d3c-b73a-fef1110246e7" alt=""><figcaption></figcaption></figure>

#### Step 6: Apply fixes from the Webview Reviewer

1. After reviewing preview diffs, click **Apply** (or **Apply fixes**).
2. Gomboc will apply the selected patches to your working tree.

#### Step 7: Validate changes locally (recommended)

In a terminal at the repo root (or Terraform root):

1. Format:
   * `terraform fmt -recursive`
2. Validate:
   * `terraform validate`\
     (or run the repo’s documented validation steps if it requires variables/modules)

**Checkpoint:** Terraform validation passes (or you can clearly explain any missing inputs required by the repo).

#### Step 8: Re-scan to confirm findings are resolved

1. Run the scan again from the IDE:
   * **Scan** → **Scan current file or scenario**
2. Confirm the previously selected findings are now:
   * resolved / removed
   * reduced in severity/count
