Tools

Tools: Beyond the CLI: Building an Enterprise Terraform Impact Dashboard

2026-05-15 0 views admin
Tools: Beyond the CLI: Building an Enterprise Terraform Impact Dashboard

The Problem: The "Wall of Text"

The Solution: An Automation-First Dashboard

1. The Workflow

2. Enterprise Features

The Code: Python Risk Logic

copy the script below Stop Reading Raw JSON: Build an Enterprise Terraform Impact Dashboard As a Lead DevOps Architect, I often deal with infrastructure plans that touch hundreds of resources. Sifting through a standard terraform plan terminal output to find a single critical "delete" is like looking for a needle in a haystack. When you are managing complex infrastructure—like a technical cutover from Squid Proxy to Google Secure Web Proxy—the cognitive load is high. The risk of missing a "destroy" on a production database is a real threat to stability. Standard Terraform output is designed for logs, not for human auditing. In an enterprise environment, we face three main challenges: I developed a Python-based Impact Analyser that transforms a plan.json into a high-fidelity, interactive HTML dashboard. This isn't just a formatter; it’s a risk-assessment engine. The process is simple and integrates directly into any CI/CD pipeline: Here is a snippet of how the risk assessment engine identifies dangerous operations before they hit production: we can always modify the risk engine with more critical type resources Templates let you quickly answer FAQs or store snippets for re-use. Are you sure you want to ? It will become hidden in your post, but will still be visible via the comment's permalink. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Code Block

Copy

terraform plan terraform plan -out=main.tfplan terraform show -json main.tfplan > plan.json python3 tf_impact.py plan.json class RiskAnalyzer: """Identifies dangerous changes based on resource sensitivity""" CRITICAL_TYPES = { 'aws_db_instance', 'google_sql_database_instance', 'aws_s3_bucket', 'aws_iam_role', 'aws_kms_key' } @staticmethod def assess(resource_type, actions): is_delete = 'delete' in actions is_replace = 'create' in actions and 'delete' in actions if resource_type in RiskAnalyzer.CRITICAL_TYPES: return "CRITICAL" if (is_delete or is_replace) else "HIGH" if is_delete or is_replace: return "HIGH" return "LOW" class RiskAnalyzer: """Identifies dangerous changes based on resource sensitivity""" CRITICAL_TYPES = { 'aws_db_instance', 'google_sql_database_instance', 'aws_s3_bucket', 'aws_iam_role', 'aws_kms_key' } @staticmethod def assess(resource_type, actions): is_delete = 'delete' in actions is_replace = 'create' in actions and 'delete' in actions if resource_type in RiskAnalyzer.CRITICAL_TYPES: return "CRITICAL" if (is_delete or is_replace) else "HIGH" if is_delete or is_replace: return "HIGH" return "LOW" class RiskAnalyzer: """Identifies dangerous changes based on resource sensitivity""" CRITICAL_TYPES = { 'aws_db_instance', 'google_sql_database_instance', 'aws_s3_bucket', 'aws_iam_role', 'aws_kms_key' } @staticmethod def assess(resource_type, actions): is_delete = 'delete' in actions is_replace = 'create' in actions and 'delete' in actions if resource_type in RiskAnalyzer.CRITICAL_TYPES: return "CRITICAL" if (is_delete or is_replace) else "HIGH" if is_delete or is_replace: return "HIGH" return "LOW" #!/usr/bin/env python3 """ Enterprise Terraform Impact Analyser (v2.0) High-performance, filter-enabled change detector for large-scale plans. Provides a dynamic HTML dashboard with client-side filtering. """ import json import argparse import re import logging import sys from typing import Dict, List, Any, Optional from collections import defaultdict from datetime import datetime from dataclasses import dataclass, asdict # Configure logging logging.basicConfig( level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s', stream=sys.stderr ) logger = logging.getLogger("TF-Impact") @dataclass class ResourceChange: address: str type: str name: str module: str provider: str actions: List[str] risk_level: str change_summary: str class FilterEngine: """Enterprise filtering logic for large-scale infrastructure""" def __init__(self, include_types=None, exclude_types=None, modules=None, providers=None, address_regex=None): self.include_types = set(include_types) if include_types else None self.exclude_types = set(exclude_types) if exclude_types else None self.modules = set(modules) if modules else None self.providers = set(providers) if providers else None self.address_pattern = re.compile(address_regex) if address_regex else None def should_include(self, resource_addr: str, r_type: str, module: str, provider: str) -> bool: if self.include_types and r_type not in self.include_types: return False if self.exclude_types and r_type in self.exclude_types: return False if self.modules and not any(module.startswith(m) for m in self.modules): return False if self.providers and provider not in self.providers: return False if self.address_pattern and not self.address_pattern.search(resource_addr): return False return True class RiskAnalyzer: """Identifies dangerous changes based on resource sensitivity""" CRITICAL_TYPES = { 'aws_db_instance', 'aws_rds_cluster', 'google_sql_database_instance', 'azurerm_postgresql_server', 'aws_s3_bucket', 'google_storage_bucket', 'aws_iam_role', 'aws_kms_key', 'kubernetes_namespace', 'aws_route53_zone' } @staticmethod def assess(resource_type: str, actions: List[str]) -> str: is_delete = 'delete' in actions is_replace = 'create' in actions and 'delete' in actions if resource_type in RiskAnalyzer.CRITICAL_TYPES: return "CRITICAL" if (is_delete or is_replace) else "HIGH" if is_delete or is_replace: return "HIGH" if 'update' in actions: return "MEDIUM" return "LOW" class EnterpriseTFDetector: def __init__(self, plan_file: str, filter_engine: FilterEngine): self.plan_file = plan_file self.filter_engine = filter_engine self.risk_analyzer = RiskAnalyzer() self.data = self._load_plan(plan_file) def _load_plan(self, filepath: str) -> Dict: try: with open(filepath, 'r') as f: return json.load(f) except Exception as e: logger.error(f"Failed to load plan file: {e}") sys.exit(1) def _detect_provider(self, resource_type: str) -> str: parts = resource_type.split('_', 1) return parts[0] if len(parts) > 1 else 'other' def analyze(self) -> Dict[str, Any]: logger.info(f"Analyzing {self.plan_file}...") results = { 'metadata': { 'timestamp': datetime.now().isoformat(), 'tf_version': self.data.get('terraform_version', 'Unknown'), 'plan_id': self.data.get('format_version', 'N/A') }, 'changes': [], 'stats': defaultdict(int), 'risk_summary': defaultdict(int), 'by_module': defaultdict(lambda: defaultdict(int)) } resource_changes = self.data.get('resource_changes', []) for change in resource_changes: addr = change.get('address') r_type = change.get('type') module = change.get('module_address', 'root') provider = self._detect_provider(r_type) actions = change.get('change', {}).get('actions', []) if 'no-op' in actions or not actions or actions == ['read']: continue if not self.filter_engine.should_include(addr, r_type, module, provider): continue risk = self.risk_analyzer.assess(r_type, actions) primary_action = "replace" if ('create' in actions and 'delete' in actions) else actions[0] res_obj = ResourceChange( address=addr, type=r_type, name=change.get('name'), module=module, provider=provider, actions=actions, risk_level=risk, change_summary=" -> ".join(actions) ) results['changes'].append(asdict(res_obj)) results['stats'][primary_action] += 1 results['risk_summary'][risk] += 1 results['by_module'][module][primary_action] += 1 return results class EnterpriseVisualizer: def __init__(self, analysis_results: Dict): self.results = analysis_results def generate_html(self, output_file: str): """Generates a standalone HTML dashboard with client-side filtering""" json_data = json.dumps(self.results) html_template = f""" <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>TF Impact Dashboard</title> <script src="https://cdn.tailwindcss.com"></script> <style> .risk-CRITICAL {{ border-left: 5px solid #ef4444; background: rgba(239, 68, 68, 0.05); }} .risk-HIGH {{ border-left: 5px solid #f97316; background: rgba(249, 115, 22, 0.05); }} .risk-MEDIUM {{ border-left: 5px solid #f59e0b; }} .risk-LOW {{ border-left: 5px solid #10b981; }} </style> </head> <body class="bg-slate-900 text-slate-100 min-h-screen pb-20"> <div class="max-w-7xl mx-auto px-6 py-10"> <header class="flex justify-between items-center mb-10 border-b border-slate-700 pb-8"> <div> <h1 class="text-4xl font-extrabold text-white tracking-tight">Terraform Impact Dashboard</h1> <p class="text-slate-400 mt-2 font-medium">Enterprise Infrastructure Change Analysis</p> </div> <div class="text-right"> <div class="text-xs uppercase tracking-widest text-slate-500 font-bold">Report Generated</div> <div class="text-slate-300 font-mono">{datetime.now().strftime('%Y-%m-%d %H:%M:%S')}</div> </div> </header> <div class="grid grid-cols-2 md:grid-cols-4 gap-6 mb-10"> <div class="bg-slate-800 p-6 rounded-2xl border border-slate-700 shadow-lg"> <div class="text-slate-500 text-xs font-bold uppercase mb-1">Create</div> <div class="text-3xl font-bold text-emerald-500">{self.results['stats']['create']}</div> </div> <div class="bg-slate-800 p-6 rounded-2xl border border-slate-700 shadow-lg"> <div class="text-slate-500 text-xs font-bold uppercase mb-1">Update</div> <div class="text-3xl font-bold text-amber-500">{self.results['stats']['update']}</div> </div> <div class="bg-slate-800 p-6 rounded-2xl border border-slate-700 shadow-lg"> <div class="text-slate-500 text-xs font-bold uppercase mb-1">Replace</div> <div class="text-3xl font-bold text-violet-500">{self.results['stats']['replace']}</div> </div> <div class="bg-slate-800 p-6 rounded-2xl border border-slate-700 shadow-lg"> <div class="text-slate-500 text-xs font-bold uppercase mb-1">Delete</div> <div class="text-3xl font-bold text-red-500">{self.results['stats']['delete']}</div> </div> </div> <div class="bg-slate-800 p-8 rounded-2xl mb-10 border border-slate-700 shadow-2xl"> <h3 class="text-sm font-bold text-slate-400 uppercase tracking-widest mb-6">Interactive Filters</h3> <div class="grid grid-cols-1 md:grid-cols-3 gap-8"> <div class="space-y-2"> <label class="text-xs font-bold text-slate-500 uppercase">Search Resources</label> <input type="text" id="searchBox" placeholder="Search address, type, or module..." class="w-full bg-slate-900 border-slate-700 border rounded-xl p-3 text-sm focus:ring-2 focus:ring-blue-500 outline-none transition-all"> </div> <div class="space-y-2"> <label class="text-xs font-bold text-slate-500 uppercase">Risk Threshold</label> <select id="riskFilter" class="w-full bg-slate-900 border-slate-700 border rounded-xl p-3 text-sm outline-none"> <option value="ALL">Show All Risks</option> <option value="CRITICAL">Critical Only</option> <option value="HIGH">High & Above</option> </select> </div> <div class="space-y-2"> <label class="text-xs font-bold text-slate-500 uppercase">Filter Action</label> <select id="actionFilter" class="w-full bg-slate-900 border-slate-700 border rounded-xl p-3 text-sm outline-none"> <option value="ALL">All Actions</option> <option value="create">Create</option> <option value="update">Update</option> <option value="replace">Replace</option> <option value="delete">Delete</option> </select> </div> </div> </div> <div class="bg-slate-800 rounded-2xl border border-slate-700 overflow-hidden shadow-2xl"> <div id="resource-list" class="divide-y divide-slate-700"> </div> </div> </div> <script> const data = {json_data}; const listContainer = document.getElementById('resource-list'); function updateUI() {{ const searchTerm = document.getElementById('searchBox').value.toLowerCase(); const riskLevel = document.getElementById('riskFilter').value; const actionType = document.getElementById('actionFilter').value; const filtered = data.changes.filter(item => {{ const matchesSearch = item.address.toLowerCase().includes(searchTerm) || item.type.toLowerCase().includes(searchTerm); const matchesRisk = riskLevel === 'ALL' || (riskLevel === 'HIGH' ? (item.risk_level === 'HIGH' || item.risk_level === 'CRITICAL') : item.risk_level === riskLevel); const matchesAction = actionType === 'ALL' || item.actions.includes(actionType); return matchesSearch && matchesRisk && matchesAction; }}); if (filtered.length === 0) {{ listContainer.innerHTML = '<div class="p-20 text-center text-slate-500 font-medium">No resources match your filters</div>'; return; }} listContainer.innerHTML = filtered.map(item => ` <div class="p-6 hover:bg-slate-700/20 transition-all risk-${{item.risk_level}} flex flex-col md:flex-row justify-between items-start md:items-center gap-4"> <div class="flex-1"> <div class="flex items-center gap-3 mb-1"> <span class="text-xs font-mono font-bold text-slate-500 bg-slate-900 px-2 py-0.5 rounded border border-slate-700">${{item.type}}</span> <span class="text-xs font-bold uppercase tracking-tighter ${{item.risk_level === 'CRITICAL' ? 'text-red-500' : (item.risk_level === 'HIGH' ? 'text-orange-500' : 'text-slate-400')}}"> ${{item.risk_level}} RISK </span> </div> <h4 class="text-blue-400 font-mono text-sm font-semibold mb-1 truncate"># ${{item.address}}</h4> <div class="text-xs text-slate-500">Module Path: <span class="text-slate-400">${{item.module}}</span></div> </div> <div class="flex flex-col items-end gap-2"> <div class="flex gap-1"> ${{item.actions.map(a => ` <span class="px-3 py-1 rounded-full text-[10px] font-black uppercase tracking-widest border ${{a === 'create' ? 'bg-emerald-500/10 text-emerald-500 border-emerald-500/20' : a === 'delete' ? 'bg-red-500/10 text-red-500 border-red-500/20' : 'bg-blue-500/10 text-blue-400 border-blue-500/20'}}"> ${{a}} </span> `).join('')}} </div> <div class="text-[10px] font-bold text-slate-600 uppercase tracking-widest">Provider: ${{item.provider}}</div> </div> </div> `).join(''); }} document.getElementById('searchBox').addEventListener('input', updateUI); document.getElementById('riskFilter').addEventListener('change', updateUI); document.getElementById('actionFilter').addEventListener('change', updateUI); // Initial render updateUI(); </script> </body> </html> """ with open(output_file, 'w') as f: f.write(html_template) print(f"Dashboard generated: {output_file}") def main(): parser = argparse.ArgumentParser(description='Enterprise TF Impact Dashboard Generator') parser.add_argument('plan', help='Terraform plan JSON file') parser.add_argument('--output', default='tf_report.html', help='Output HTML filename') parser.add_argument('--provider', nargs='+', help='Initial filter by provider') parser.add_argument('--module', nargs='+', help='Initial filter by module prefix') args = parser.parse_args() # Pre-filtering engine (CLI level) engine = FilterEngine(providers=args.provider, modules=args.module) detector = EnterpriseTFDetector(args.plan, engine) results = detector.analyze() visualizer = EnterpriseVisualizer(results) visualizer.generate_html(args.output) print("\nSummary:") print(f" - Total Changes detected: {sum(results['stats'].values())}") print(f" - Critical Risks: {results['risk_summary']['CRITICAL']}") print(f" - High Risks: {results['risk_summary']['HIGH']}") if __name__ == "__main__": main() #!/usr/bin/env python3 """ Enterprise Terraform Impact Analyser (v2.0) High-performance, filter-enabled change detector for large-scale plans. Provides a dynamic HTML dashboard with client-side filtering. """ import json import argparse import re import logging import sys from typing import Dict, List, Any, Optional from collections import defaultdict from datetime import datetime from dataclasses import dataclass, asdict # Configure logging logging.basicConfig( level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s', stream=sys.stderr ) logger = logging.getLogger("TF-Impact") @dataclass class ResourceChange: address: str type: str name: str module: str provider: str actions: List[str] risk_level: str change_summary: str class FilterEngine: """Enterprise filtering logic for large-scale infrastructure""" def __init__(self, include_types=None, exclude_types=None, modules=None, providers=None, address_regex=None): self.include_types = set(include_types) if include_types else None self.exclude_types = set(exclude_types) if exclude_types else None self.modules = set(modules) if modules else None self.providers = set(providers) if providers else None self.address_pattern = re.compile(address_regex) if address_regex else None def should_include(self, resource_addr: str, r_type: str, module: str, provider: str) -> bool: if self.include_types and r_type not in self.include_types: return False if self.exclude_types and r_type in self.exclude_types: return False if self.modules and not any(module.startswith(m) for m in self.modules): return False if self.providers and provider not in self.providers: return False if self.address_pattern and not self.address_pattern.search(resource_addr): return False return True class RiskAnalyzer: """Identifies dangerous changes based on resource sensitivity""" CRITICAL_TYPES = { 'aws_db_instance', 'aws_rds_cluster', 'google_sql_database_instance', 'azurerm_postgresql_server', 'aws_s3_bucket', 'google_storage_bucket', 'aws_iam_role', 'aws_kms_key', 'kubernetes_namespace', 'aws_route53_zone' } @staticmethod def assess(resource_type: str, actions: List[str]) -> str: is_delete = 'delete' in actions is_replace = 'create' in actions and 'delete' in actions if resource_type in RiskAnalyzer.CRITICAL_TYPES: return "CRITICAL" if (is_delete or is_replace) else "HIGH" if is_delete or is_replace: return "HIGH" if 'update' in actions: return "MEDIUM" return "LOW" class EnterpriseTFDetector: def __init__(self, plan_file: str, filter_engine: FilterEngine): self.plan_file = plan_file self.filter_engine = filter_engine self.risk_analyzer = RiskAnalyzer() self.data = self._load_plan(plan_file) def _load_plan(self, filepath: str) -> Dict: try: with open(filepath, 'r') as f: return json.load(f) except Exception as e: logger.error(f"Failed to load plan file: {e}") sys.exit(1) def _detect_provider(self, resource_type: str) -> str: parts = resource_type.split('_', 1) return parts[0] if len(parts) > 1 else 'other' def analyze(self) -> Dict[str, Any]: logger.info(f"Analyzing {self.plan_file}...") results = { 'metadata': { 'timestamp': datetime.now().isoformat(), 'tf_version': self.data.get('terraform_version', 'Unknown'), 'plan_id': self.data.get('format_version', 'N/A') }, 'changes': [], 'stats': defaultdict(int), 'risk_summary': defaultdict(int), 'by_module': defaultdict(lambda: defaultdict(int)) } resource_changes = self.data.get('resource_changes', []) for change in resource_changes: addr = change.get('address') r_type = change.get('type') module = change.get('module_address', 'root') provider = self._detect_provider(r_type) actions = change.get('change', {}).get('actions', []) if 'no-op' in actions or not actions or actions == ['read']: continue if not self.filter_engine.should_include(addr, r_type, module, provider): continue risk = self.risk_analyzer.assess(r_type, actions) primary_action = "replace" if ('create' in actions and 'delete' in actions) else actions[0] res_obj = ResourceChange( address=addr, type=r_type, name=change.get('name'), module=module, provider=provider, actions=actions, risk_level=risk, change_summary=" -> ".join(actions) ) results['changes'].append(asdict(res_obj)) results['stats'][primary_action] += 1 results['risk_summary'][risk] += 1 results['by_module'][module][primary_action] += 1 return results class EnterpriseVisualizer: def __init__(self, analysis_results: Dict): self.results = analysis_results def generate_html(self, output_file: str): """Generates a standalone HTML dashboard with client-side filtering""" json_data = json.dumps(self.results) html_template = f""" <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>TF Impact Dashboard</title> <script src="https://cdn.tailwindcss.com"></script> <style> .risk-CRITICAL {{ border-left: 5px solid #ef4444; background: rgba(239, 68, 68, 0.05); }} .risk-HIGH {{ border-left: 5px solid #f97316; background: rgba(249, 115, 22, 0.05); }} .risk-MEDIUM {{ border-left: 5px solid #f59e0b; }} .risk-LOW {{ border-left: 5px solid #10b981; }} </style> </head> <body class="bg-slate-900 text-slate-100 min-h-screen pb-20"> <div class="max-w-7xl mx-auto px-6 py-10"> <header class="flex justify-between items-center mb-10 border-b border-slate-700 pb-8"> <div> <h1 class="text-4xl font-extrabold text-white tracking-tight">Terraform Impact Dashboard</h1> <p class="text-slate-400 mt-2 font-medium">Enterprise Infrastructure Change Analysis</p> </div> <div class="text-right"> <div class="text-xs uppercase tracking-widest text-slate-500 font-bold">Report Generated</div> <div class="text-slate-300 font-mono">{datetime.now().strftime('%Y-%m-%d %H:%M:%S')}</div> </div> </header> <div class="grid grid-cols-2 md:grid-cols-4 gap-6 mb-10"> <div class="bg-slate-800 p-6 rounded-2xl border border-slate-700 shadow-lg"> <div class="text-slate-500 text-xs font-bold uppercase mb-1">Create</div> <div class="text-3xl font-bold text-emerald-500">{self.results['stats']['create']}</div> </div> <div class="bg-slate-800 p-6 rounded-2xl border border-slate-700 shadow-lg"> <div class="text-slate-500 text-xs font-bold uppercase mb-1">Update</div> <div class="text-3xl font-bold text-amber-500">{self.results['stats']['update']}</div> </div> <div class="bg-slate-800 p-6 rounded-2xl border border-slate-700 shadow-lg"> <div class="text-slate-500 text-xs font-bold uppercase mb-1">Replace</div> <div class="text-3xl font-bold text-violet-500">{self.results['stats']['replace']}</div> </div> <div class="bg-slate-800 p-6 rounded-2xl border border-slate-700 shadow-lg"> <div class="text-slate-500 text-xs font-bold uppercase mb-1">Delete</div> <div class="text-3xl font-bold text-red-500">{self.results['stats']['delete']}</div> </div> </div> <div class="bg-slate-800 p-8 rounded-2xl mb-10 border border-slate-700 shadow-2xl"> <h3 class="text-sm font-bold text-slate-400 uppercase tracking-widest mb-6">Interactive Filters</h3> <div class="grid grid-cols-1 md:grid-cols-3 gap-8"> <div class="space-y-2"> <label class="text-xs font-bold text-slate-500 uppercase">Search Resources</label> <input type="text" id="searchBox" placeholder="Search address, type, or module..." class="w-full bg-slate-900 border-slate-700 border rounded-xl p-3 text-sm focus:ring-2 focus:ring-blue-500 outline-none transition-all"> </div> <div class="space-y-2"> <label class="text-xs font-bold text-slate-500 uppercase">Risk Threshold</label> <select id="riskFilter" class="w-full bg-slate-900 border-slate-700 border rounded-xl p-3 text-sm outline-none"> <option value="ALL">Show All Risks</option> <option value="CRITICAL">Critical Only</option> <option value="HIGH">High & Above</option> </select> </div> <div class="space-y-2"> <label class="text-xs font-bold text-slate-500 uppercase">Filter Action</label> <select id="actionFilter" class="w-full bg-slate-900 border-slate-700 border rounded-xl p-3 text-sm outline-none"> <option value="ALL">All Actions</option> <option value="create">Create</option> <option value="update">Update</option> <option value="replace">Replace</option> <option value="delete">Delete</option> </select> </div> </div> </div> <div class="bg-slate-800 rounded-2xl border border-slate-700 overflow-hidden shadow-2xl"> <div id="resource-list" class="divide-y divide-slate-700"> </div> </div> </div> <script> const data = {json_data}; const listContainer = document.getElementById('resource-list'); function updateUI() {{ const searchTerm = document.getElementById('searchBox').value.toLowerCase(); const riskLevel = document.getElementById('riskFilter').value; const actionType = document.getElementById('actionFilter').value; const filtered = data.changes.filter(item => {{ const matchesSearch = item.address.toLowerCase().includes(searchTerm) || item.type.toLowerCase().includes(searchTerm); const matchesRisk = riskLevel === 'ALL' || (riskLevel === 'HIGH' ? (item.risk_level === 'HIGH' || item.risk_level === 'CRITICAL') : item.risk_level === riskLevel); const matchesAction = actionType === 'ALL' || item.actions.includes(actionType); return matchesSearch && matchesRisk && matchesAction; }}); if (filtered.length === 0) {{ listContainer.innerHTML = '<div class="p-20 text-center text-slate-500 font-medium">No resources match your filters</div>'; return; }} listContainer.innerHTML = filtered.map(item => ` <div class="p-6 hover:bg-slate-700/20 transition-all risk-${{item.risk_level}} flex flex-col md:flex-row justify-between items-start md:items-center gap-4"> <div class="flex-1"> <div class="flex items-center gap-3 mb-1"> <span class="text-xs font-mono font-bold text-slate-500 bg-slate-900 px-2 py-0.5 rounded border border-slate-700">${{item.type}}</span> <span class="text-xs font-bold uppercase tracking-tighter ${{item.risk_level === 'CRITICAL' ? 'text-red-500' : (item.risk_level === 'HIGH' ? 'text-orange-500' : 'text-slate-400')}}"> ${{item.risk_level}} RISK </span> </div> <h4 class="text-blue-400 font-mono text-sm font-semibold mb-1 truncate"># ${{item.address}}</h4> <div class="text-xs text-slate-500">Module Path: <span class="text-slate-400">${{item.module}}</span></div> </div> <div class="flex flex-col items-end gap-2"> <div class="flex gap-1"> ${{item.actions.map(a => ` <span class="px-3 py-1 rounded-full text-[10px] font-black uppercase tracking-widest border ${{a === 'create' ? 'bg-emerald-500/10 text-emerald-500 border-emerald-500/20' : a === 'delete' ? 'bg-red-500/10 text-red-500 border-red-500/20' : 'bg-blue-500/10 text-blue-400 border-blue-500/20'}}"> ${{a}} </span> `).join('')}} </div> <div class="text-[10px] font-bold text-slate-600 uppercase tracking-widest">Provider: ${{item.provider}}</div> </div> </div> `).join(''); }} document.getElementById('searchBox').addEventListener('input', updateUI); document.getElementById('riskFilter').addEventListener('change', updateUI); document.getElementById('actionFilter').addEventListener('change', updateUI); // Initial render updateUI(); </script> </body> </html> """ with open(output_file, 'w') as f: f.write(html_template) print(f"Dashboard generated: {output_file}") def main(): parser = argparse.ArgumentParser(description='Enterprise TF Impact Dashboard Generator') parser.add_argument('plan', help='Terraform plan JSON file') parser.add_argument('--output', default='tf_report.html', help='Output HTML filename') parser.add_argument('--provider', nargs='+', help='Initial filter by provider') parser.add_argument('--module', nargs='+', help='Initial filter by module prefix') args = parser.parse_args() # Pre-filtering engine (CLI level) engine = FilterEngine(providers=args.provider, modules=args.module) detector = EnterpriseTFDetector(args.plan, engine) results = detector.analyze() visualizer = EnterpriseVisualizer(results) visualizer.generate_html(args.output) print("\nSummary:") print(f" - Total Changes detected: {sum(results['stats'].values())}") print(f" - Critical Risks: {results['risk_summary']['CRITICAL']}") print(f" - High Risks: {results['risk_summary']['HIGH']}") if __name__ == "__main__": main() #!/usr/bin/env python3 """ Enterprise Terraform Impact Analyser (v2.0) High-performance, filter-enabled change detector for large-scale plans. Provides a dynamic HTML dashboard with client-side filtering. """ import json import argparse import re import logging import sys from typing import Dict, List, Any, Optional from collections import defaultdict from datetime import datetime from dataclasses import dataclass, asdict # Configure logging logging.basicConfig( level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s', stream=sys.stderr ) logger = logging.getLogger("TF-Impact") @dataclass class ResourceChange: address: str type: str name: str module: str provider: str actions: List[str] risk_level: str change_summary: str class FilterEngine: """Enterprise filtering logic for large-scale infrastructure""" def __init__(self, include_types=None, exclude_types=None, modules=None, providers=None, address_regex=None): self.include_types = set(include_types) if include_types else None self.exclude_types = set(exclude_types) if exclude_types else None self.modules = set(modules) if modules else None self.providers = set(providers) if providers else None self.address_pattern = re.compile(address_regex) if address_regex else None def should_include(self, resource_addr: str, r_type: str, module: str, provider: str) -> bool: if self.include_types and r_type not in self.include_types: return False if self.exclude_types and r_type in self.exclude_types: return False if self.modules and not any(module.startswith(m) for m in self.modules): return False if self.providers and provider not in self.providers: return False if self.address_pattern and not self.address_pattern.search(resource_addr): return False return True class RiskAnalyzer: """Identifies dangerous changes based on resource sensitivity""" CRITICAL_TYPES = { 'aws_db_instance', 'aws_rds_cluster', 'google_sql_database_instance', 'azurerm_postgresql_server', 'aws_s3_bucket', 'google_storage_bucket', 'aws_iam_role', 'aws_kms_key', 'kubernetes_namespace', 'aws_route53_zone' } @staticmethod def assess(resource_type: str, actions: List[str]) -> str: is_delete = 'delete' in actions is_replace = 'create' in actions and 'delete' in actions if resource_type in RiskAnalyzer.CRITICAL_TYPES: return "CRITICAL" if (is_delete or is_replace) else "HIGH" if is_delete or is_replace: return "HIGH" if 'update' in actions: return "MEDIUM" return "LOW" class EnterpriseTFDetector: def __init__(self, plan_file: str, filter_engine: FilterEngine): self.plan_file = plan_file self.filter_engine = filter_engine self.risk_analyzer = RiskAnalyzer() self.data = self._load_plan(plan_file) def _load_plan(self, filepath: str) -> Dict: try: with open(filepath, 'r') as f: return json.load(f) except Exception as e: logger.error(f"Failed to load plan file: {e}") sys.exit(1) def _detect_provider(self, resource_type: str) -> str: parts = resource_type.split('_', 1) return parts[0] if len(parts) > 1 else 'other' def analyze(self) -> Dict[str, Any]: logger.info(f"Analyzing {self.plan_file}...") results = { 'metadata': { 'timestamp': datetime.now().isoformat(), 'tf_version': self.data.get('terraform_version', 'Unknown'), 'plan_id': self.data.get('format_version', 'N/A') }, 'changes': [], 'stats': defaultdict(int), 'risk_summary': defaultdict(int), 'by_module': defaultdict(lambda: defaultdict(int)) } resource_changes = self.data.get('resource_changes', []) for change in resource_changes: addr = change.get('address') r_type = change.get('type') module = change.get('module_address', 'root') provider = self._detect_provider(r_type) actions = change.get('change', {}).get('actions', []) if 'no-op' in actions or not actions or actions == ['read']: continue if not self.filter_engine.should_include(addr, r_type, module, provider): continue risk = self.risk_analyzer.assess(r_type, actions) primary_action = "replace" if ('create' in actions and 'delete' in actions) else actions[0] res_obj = ResourceChange( address=addr, type=r_type, name=change.get('name'), module=module, provider=provider, actions=actions, risk_level=risk, change_summary=" -> ".join(actions) ) results['changes'].append(asdict(res_obj)) results['stats'][primary_action] += 1 results['risk_summary'][risk] += 1 results['by_module'][module][primary_action] += 1 return results class EnterpriseVisualizer: def __init__(self, analysis_results: Dict): self.results = analysis_results def generate_html(self, output_file: str): """Generates a standalone HTML dashboard with client-side filtering""" json_data = json.dumps(self.results) html_template = f""" <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>TF Impact Dashboard</title> <script src="https://cdn.tailwindcss.com"></script> <style> .risk-CRITICAL {{ border-left: 5px solid #ef4444; background: rgba(239, 68, 68, 0.05); }} .risk-HIGH {{ border-left: 5px solid #f97316; background: rgba(249, 115, 22, 0.05); }} .risk-MEDIUM {{ border-left: 5px solid #f59e0b; }} .risk-LOW {{ border-left: 5px solid #10b981; }} </style> </head> <body class="bg-slate-900 text-slate-100 min-h-screen pb-20"> <div class="max-w-7xl mx-auto px-6 py-10"> <header class="flex justify-between items-center mb-10 border-b border-slate-700 pb-8"> <div> <h1 class="text-4xl font-extrabold text-white tracking-tight">Terraform Impact Dashboard</h1> <p class="text-slate-400 mt-2 font-medium">Enterprise Infrastructure Change Analysis</p> </div> <div class="text-right"> <div class="text-xs uppercase tracking-widest text-slate-500 font-bold">Report Generated</div> <div class="text-slate-300 font-mono">{datetime.now().strftime('%Y-%m-%d %H:%M:%S')}</div> </div> </header> <div class="grid grid-cols-2 md:grid-cols-4 gap-6 mb-10"> <div class="bg-slate-800 p-6 rounded-2xl border border-slate-700 shadow-lg"> <div class="text-slate-500 text-xs font-bold uppercase mb-1">Create</div> <div class="text-3xl font-bold text-emerald-500">{self.results['stats']['create']}</div> </div> <div class="bg-slate-800 p-6 rounded-2xl border border-slate-700 shadow-lg"> <div class="text-slate-500 text-xs font-bold uppercase mb-1">Update</div> <div class="text-3xl font-bold text-amber-500">{self.results['stats']['update']}</div> </div> <div class="bg-slate-800 p-6 rounded-2xl border border-slate-700 shadow-lg"> <div class="text-slate-500 text-xs font-bold uppercase mb-1">Replace</div> <div class="text-3xl font-bold text-violet-500">{self.results['stats']['replace']}</div> </div> <div class="bg-slate-800 p-6 rounded-2xl border border-slate-700 shadow-lg"> <div class="text-slate-500 text-xs font-bold uppercase mb-1">Delete</div> <div class="text-3xl font-bold text-red-500">{self.results['stats']['delete']}</div> </div> </div> <div class="bg-slate-800 p-8 rounded-2xl mb-10 border border-slate-700 shadow-2xl"> <h3 class="text-sm font-bold text-slate-400 uppercase tracking-widest mb-6">Interactive Filters</h3> <div class="grid grid-cols-1 md:grid-cols-3 gap-8"> <div class="space-y-2"> <label class="text-xs font-bold text-slate-500 uppercase">Search Resources</label> <input type="text" id="searchBox" placeholder="Search address, type, or module..." class="w-full bg-slate-900 border-slate-700 border rounded-xl p-3 text-sm focus:ring-2 focus:ring-blue-500 outline-none transition-all"> </div> <div class="space-y-2"> <label class="text-xs font-bold text-slate-500 uppercase">Risk Threshold</label> <select id="riskFilter" class="w-full bg-slate-900 border-slate-700 border rounded-xl p-3 text-sm outline-none"> <option value="ALL">Show All Risks</option> <option value="CRITICAL">Critical Only</option> <option value="HIGH">High & Above</option> </select> </div> <div class="space-y-2"> <label class="text-xs font-bold text-slate-500 uppercase">Filter Action</label> <select id="actionFilter" class="w-full bg-slate-900 border-slate-700 border rounded-xl p-3 text-sm outline-none"> <option value="ALL">All Actions</option> <option value="create">Create</option> <option value="update">Update</option> <option value="replace">Replace</option> <option value="delete">Delete</option> </select> </div> </div> </div> <div class="bg-slate-800 rounded-2xl border border-slate-700 overflow-hidden shadow-2xl"> <div id="resource-list" class="divide-y divide-slate-700"> </div> </div> </div> <script> const data = {json_data}; const listContainer = document.getElementById('resource-list'); function updateUI() {{ const searchTerm = document.getElementById('searchBox').value.toLowerCase(); const riskLevel = document.getElementById('riskFilter').value; const actionType = document.getElementById('actionFilter').value; const filtered = data.changes.filter(item => {{ const matchesSearch = item.address.toLowerCase().includes(searchTerm) || item.type.toLowerCase().includes(searchTerm); const matchesRisk = riskLevel === 'ALL' || (riskLevel === 'HIGH' ? (item.risk_level === 'HIGH' || item.risk_level === 'CRITICAL') : item.risk_level === riskLevel); const matchesAction = actionType === 'ALL' || item.actions.includes(actionType); return matchesSearch && matchesRisk && matchesAction; }}); if (filtered.length === 0) {{ listContainer.innerHTML = '<div class="p-20 text-center text-slate-500 font-medium">No resources match your filters</div>'; return; }} listContainer.innerHTML = filtered.map(item => ` <div class="p-6 hover:bg-slate-700/20 transition-all risk-${{item.risk_level}} flex flex-col md:flex-row justify-between items-start md:items-center gap-4"> <div class="flex-1"> <div class="flex items-center gap-3 mb-1"> <span class="text-xs font-mono font-bold text-slate-500 bg-slate-900 px-2 py-0.5 rounded border border-slate-700">${{item.type}}</span> <span class="text-xs font-bold uppercase tracking-tighter ${{item.risk_level === 'CRITICAL' ? 'text-red-500' : (item.risk_level === 'HIGH' ? 'text-orange-500' : 'text-slate-400')}}"> ${{item.risk_level}} RISK </span> </div> <h4 class="text-blue-400 font-mono text-sm font-semibold mb-1 truncate"># ${{item.address}}</h4> <div class="text-xs text-slate-500">Module Path: <span class="text-slate-400">${{item.module}}</span></div> </div> <div class="flex flex-col items-end gap-2"> <div class="flex gap-1"> ${{item.actions.map(a => ` <span class="px-3 py-1 rounded-full text-[10px] font-black uppercase tracking-widest border ${{a === 'create' ? 'bg-emerald-500/10 text-emerald-500 border-emerald-500/20' : a === 'delete' ? 'bg-red-500/10 text-red-500 border-red-500/20' : 'bg-blue-500/10 text-blue-400 border-blue-500/20'}}"> ${{a}} </span> `).join('')}} </div> <div class="text-[10px] font-bold text-slate-600 uppercase tracking-widest">Provider: ${{item.provider}}</div> </div> </div> `).join(''); }} document.getElementById('searchBox').addEventListener('input', updateUI); document.getElementById('riskFilter').addEventListener('change', updateUI); document.getElementById('actionFilter').addEventListener('change', updateUI); // Initial render updateUI(); </script> </body> </html> """ with open(output_file, 'w') as f: f.write(html_template) print(f"Dashboard generated: {output_file}") def main(): parser = argparse.ArgumentParser(description='Enterprise TF Impact Dashboard Generator') parser.add_argument('plan', help='Terraform plan JSON file') parser.add_argument('--output', default='tf_report.html', help='Output HTML filename') parser.add_argument('--provider', nargs='+', help='Initial filter by provider') parser.add_argument('--module', nargs='+', help='Initial filter by module prefix') args = parser.parse_args() # Pre-filtering engine (CLI level) engine = FilterEngine(providers=args.provider, modules=args.module) detector = EnterpriseTFDetector(args.plan, engine) results = detector.analyze() visualizer = EnterpriseVisualizer(results) visualizer.generate_html(args.output) print("\nSummary:") print(f" - Total Changes detected: {sum(results['stats'].values())}") print(f" - Critical Risks: {results['risk_summary']['CRITICAL']}") print(f" - High Risks: {results['risk_summary']['HIGH']}") if __name__ == "__main__": main() - Risk Blindness: Critical resources (like RDS instances, S3 buckets, or IAM roles) look exactly like a minor tag update in the terminal. - Scale Issues: Large plans (500+ changes) are impossible to review manually without missing something important. - Stakeholder Gap: It is difficult to share a raw CLI output with a manager or security auditor for quick approval. - Generate the Plan: terraform plan -out=main.tfplan - Convert to JSON: terraform show -json main.tfplan > plan.json - Run the Analyser: python3 tf_impact.py plan.json - Risk-Level Heuristics: The script automatically flags changes as CRITICAL or HIGH if stateful resources (Databases, Storage, KMS Keys) are marked for deletion or replacement. - Client-Side Filtering: Built with Tailwind CSS and vanilla JavaScript, the dashboard allows you to search 1,000+ resources instantly by address or module path. - Standalone Portability: The output is a single HTML file. No database or server is required, making it perfect for CI/CD artifacts.

🏷️ Tags

toolsutilitiessecurity toolsbeyondbuildingenterpriseterraformimpactdashboardrce

More from Tools

Tools: Secrets Management in Modern DevOps: Vault, IRSA, External Secrets When to Use Each

Tools: Secrets Management in Modern DevOps: Vault, IRSA, External Secrets When to Use Each

2026-05-15 0
Tools: Exploring Linux Network Namespaces and Virtual Ethernet - Complete Guide

Tools: Exploring Linux Network Namespaces and Virtual Ethernet - Complete Guide

2026-05-15 0
Tools: Stop Breaking Your System Python: A Practical Guide to Managing Multiple Python Versions (2026)

Tools: Stop Breaking Your System Python: A Practical Guide to Managing Multiple Python Versions (2026)

2026-05-15 0
Tools: Building a Stateless, RAM-Only Transparent Tor Proxy for Linux (TTP v0.3.0) - Expert Insights

Tools: Building a Stateless, RAM-Only Transparent Tor Proxy for Linux (TTP v0.3.0) - Expert Insights

2026-05-15 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views