Does Infralyst use AI to decide what to recommend?

No. Infralyst recommendations are deterministic. The analysis checks CPU and memory P99.5 thresholds, data quality gates, and weekly seasonality patterns. No machine learning is involved in the decision. AI is only used in the final step: an agent reads your Terraform repo and writes the code change for the pull request.

What counts as a PR on the Free plan?

Each time you generate a Terraform pull request from a recommendation, that uses one of your 3 free PRs. Viewing recommendations doesn't use a PR. Upgrading to Pro unlocks unlimited PR generation.

Can I undo a change Infralyst made?

Yes. Every change is a standard Terraform pull request in your repo. If you've already merged and applied a PR and want to roll back, revert the PR in GitHub and run terraform apply again. Infralyst never merges or applies changes on your behalf.

What happens if the AI agent makes a mistake in the Terraform PR?

The agent validates syntax and reviews for edge cases like shared variables and lifecycle blocks, but every PR goes through your normal GitHub review process. Infralyst never merges or applies changes. If something looks wrong, close the PR. You can also revert a merged PR and run terraform apply to roll back.

Can I use Infralyst with multiple AWS accounts and Terraform repos?

Yes. You can connect multiple AWS accounts to a single workspace and map each to one or more Terraform state files across different GitHub repos. One repo managing multiple accounts, or multiple repos for one account, both work.

Does Infralyst store my Terraform state or AWS credentials?

No. Infralyst never stores AWS credentials. Access is through a read-only IAM role with an External ID unique to your workspace. Terraform state is loaded on demand when generating a PR, read once for resource mappings, and discarded immediately.

Does Infralyst merge pull requests or apply changes automatically?

No. Infralyst never merges PRs or modifies your AWS infrastructure. Every recommendation is a suggestion you can accept or dismiss. When you generate a PR, your team reviews the code diff and utilization data, then merges on your schedule. If something doesn't look right, you close the PR and nothing changes.

How does Infralyst handle downtime risk for EC2 rightsizing?

Infralyst classifies each resource by deployment type. Standalone EC2 instances require a stop/start, so the PR includes a downtime warning. Multi-instance Auto Scaling Groups use instance refresh for zero downtime rollouts. Single-instance ASGs and single-task Fargate services also get downtime warnings.

Infralyst Docs

Q: How long until I see recommendations?

Infralyst pulls up to a year of historical CloudWatch data when you first connect an AWS account. Once the initial fetch and analysis completes, Infralyst generates up to 5 recommendations for your highest-savings opportunities first. After that, one new recommendation is generated per day. Each individual resource needs at least 30 days of data at 95% uptime before it's eligible.

Q: Do I need GitHub and Terraform state connected to see recommendations?

No. Recommendations are generated from AWS CloudWatch data alone. GitHub and Terraform state are only required when you want to generate a pull request. You can connect AWS first, review recommendations, and add the other integrations later.

Infralyst analyzes your AWS infrastructure and generates Terraform pull requests to find savings. Sign up to create a workspace for your team. Every workspace starts on the Free plan with 3 free PRs.

Once your AWS account is connected, Infralyst pulls up to a year of historical usage data so savings recommendations can start appearing once the initial fetch and analysis is complete. You don't need GitHub or Terraform state connected to see recommendations. Those integrations are only required when you want to generate a pull request.

1Connect AWS2Add GitHub3Map Terraform state4Add Slack

Connect AWS

Infralyst connects to your AWS accounts through a read-only IAM role provisioned by a Terraform module. We never get write access to your infrastructure and we never store AWS credentials.

What the Terraform module creates

The module creates a single IAM role (infralyst-readonly) in your account with a trust policy that allows Infralyst's AWS account to assume it via STS. An External ID, unique to your workspace, is required for every assume-role call to prevent the confused deputy problem. No long-lived access keys are created.

What data we collect

For each supported resource type, Infralyst collects CPU utilization and memory utilization from CloudWatch, along with resource configuration metadata (instance types, launch templates, task definitions, Auto Scaling Group settings, and ECS service definitions). On first connection, we fetch up to a year of historical data. After that, we poll every 4 hours to keep the usage history current.

We use this data to build a usage profile for each resource and generate recommendations. We don't access application data, secrets, or anything outside the permissions listed above. Terraform state is loaded on demand when generating a PR, read once, and discarded. See the Supported resources section for how each type is analyzed and what thresholds trigger a recommendation.

When recommendations appear

After the initial data fetch and analysis completes, Infralyst generates up to 5 recommendations for your highest-savings opportunities first. After that, one new recommendation is generated per day as more resources are analyzed.

Each resource needs a minimum of 30 days of data at 95% uptime before it's eligible for a recommendation. This can vary by resource type. See the individual resource pages under Supported resources for specifics.

Setup

Add an AWS account in your workspace.
Follow the in-app steps to apply the Infralyst Terraform module in one of your infra repos:

Terraform module

module "infralyst_readonly_integration" {
  source  = "infralyst/readonly-integration/aws"
  version = "~> 1.0"

  external_id = "<your_workspace_external_id>"
}

output "infralyst_role_arn" {
  value       = module.infralyst_readonly_integration.role_arn
  description = "Paste this Role ARN into Infralyst"
}

Run terraform init and terraform apply.
Copy the infralyst_role_arn output and paste it into Infralyst.
Click Test connection to verify.

The app provides your External ID and walks you through each step.

View the Terraform module on the Terraform Registry →

Disconnecting

Disconnect the AWS account from your workspace settings in Infralyst. This stops all data collection and analysis immediately.

To fully remove access on your end, remove the Terraform module block from your configuration and run terraform apply to destroy the IAM role.

Add GitHub

Infralyst opens pull requests in your repositories through a GitHub App. We never push directly to your main branch and we never merge changes on your behalf. Every change goes through your normal review process.

App permissions

The Infralyst GitHub App requests:

Read access to repository metadata.
Read and write access to code, pull requests, and repository hooks.

Write access to code and pull requests is what allows Infralyst to open PRs with Terraform changes. Repository hooks let us stay in sync when relevant files change.

Choosing repos

During installation you select which repositories the app can access. Choose only the repos that contain your Terraform infrastructure code. The app cannot see or interact with any repository you haven't explicitly selected.

You can change your repo selection at any time from the GitHub App settings.

What the app doesn't do

Push to main or any protected branch.
Merge or approve pull requests.
Access repositories you haven't selected.
Read or modify anything outside of Terraform files relevant to a recommendation.

Setup

Install the Infralyst GitHub App from your workspace.
Choose your GitHub organization and select the repositories that contain your Terraform code.
Add those repos to your workspace.

Map Terraform state

Terraform state is where everything connects. A state mapping tells Infralyst which state file belongs to which AWS account and lives in which GitHub repo. This is how recommendations turn into pull requests that land in the right place.

Why we need this

Your Terraform state file is the link between a running AWS resource and the .tf code that defines it. Infralyst uses it to match a resource identified through CloudWatch metrics to the exact file, resource block, and attribute that needs to change in a pull request.

We don't store a copy of your state. We load it on demand when generating a PR, read the resource mappings we need, and discard it.

How mapping works

For each AWS account, you add one or more Terraform states. Each state connects:

An AWS account (the source of metrics and recommendations)
A backend (where the state file lives, either GitHub or S3)
A GitHub repo (the repo that contains the Terraform code for resources in that state)

This supports any infrastructure layout. One repo managing multiple AWS accounts, multiple repos for a single account, or any other combination. Just add the state mappings that match your setup.

S3 backend

If your Terraform state is stored in S3, Infralyst needs read access to the bucket. The app generates the exact bucket policy for you during setup:

S3 bucket policy

# Provider alias for the region where your state bucket lives.
# If you already have this provider defined, you can skip this block.
provider "aws" {
  alias  = "infralyst_state_region"
  region = "<your-bucket-region>"
}

resource "aws_s3_bucket_policy" "infralyst_state_access" {
  provider = aws.infralyst_state_region
  bucket   = "<your-state-bucket>"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "InfralystReadAccess"
      Effect = "Allow"
      Principal = {
        AWS = "arn:aws:iam::<infralyst_account_id>:role/infralyst-readonly"
      }
      Action = [
        "s3:GetObject",
        "s3:ListBucket"
      ]
      Resource = [
        "arn:aws:s3:::<your-state-bucket>",
        "arn:aws:s3:::<your-state-bucket>/<your-state-key>"
      ]
    }]
  })
}

The app fills in the correct values for your bucket, state path, and Infralyst's account ID. Apply this alongside the read-only integration module.

Setup

In your workspace, go to the AWS account you want to configure.
Add a Terraform state.
Choose the backend (GitHub or S3).
If using S3, apply the generated bucket policy.
Select the GitHub repo that owns the Terraform code for that state.
Repeat for each state file associated with that account.

How PRs are generated

When you click "Generate PR," an AI agent reads your Terraform repository and writes the code change. The agent locates the relevant resource definitions, applies the change, validates the syntax, and reviews the result for edge cases. For example, it detects shared variables that could affect other resources, lifecycle blocks that would prevent the change from taking effect, and launch templates shared across multiple Auto Scaling Groups.

Warnings in pull requests

PRs include warnings when a change could affect availability or performance:

Downtime required for standalone EC2 instances (stop/start needed), single-instance Auto Scaling Groups, and single-task Fargate services. Multi-instance ASGs use instance refresh for zero downtime rollouts. Multi-task Fargate services use rolling deployments.
Throughput and bandwidth warnings when a smaller instance type or task size could reduce network or EBS throughput ceilings.

What the AI agent doesn't do

The AI agent only generates the Terraform code change. It never pushes to your main branch, never merges pull requests, and never applies anything to your AWS infrastructure. Every change goes through your normal GitHub review and merge process.

Add Slack

Optional

Slack integration is optional. It lets your team get notified about new savings opportunities and manage recommendations without leaving Slack.

What you get

Notifications when new recommendations appear.
PR generation directly from Slack. Generate a Terraform PR from a notification without leaving the channel.
Dismiss recommendations from Slack if a suggestion isn't relevant.
Flexible routing so the right team sees the right recommendations. Each AWS account or GitHub repo can be assigned to a specific Slack channel.

Setup

Connect Slack from your workspace settings.
For each AWS account or GitHub repo, assign a Slack channel to receive its notifications.

You can disconnect Slack at any time from your workspace settings.

Supported resources

Recommendations are generated by deterministic analysis. No AI or machine learning is involved in deciding what to recommend. The analysis checks usage thresholds, data quality, and seasonality patterns for each resource.

Each resource type has its own page covering the specific thresholds, methodology, and what changes in the generated Terraform PR.

Coming next:

EC2 previous-gen migrations
EC2 Graviton migrations

Setup and Usage FAQ

Can't find what you need? Visit our Support page.