r/Terraform

Hey r/Terraform —

Long-time lurker, first-time poster. I built a tool called ArchiteX because I kept reviewing huge terraform plan diffs and missing the one line that mattered. Sharing it here because this is the audience that will tell me, honestly, whether it's actually useful or just my own itch.

What it does: drop-in GitHub Action. On every PR that touches *.tf, it parses base + head, builds a resource graph for each, computes the architectural delta (added / removed / changed nodes and edges), runs a set of weighted risk rules, and posts a sticky comment with:

• a 0–10 risk score with explainable reasons (each rule weight is documented and capped at 10.0)
• a plain-English summary of what changed and why a reviewer should care
• a focused Mermaid diagram of only the changed nodes + one layer of context — not the whole topology
• an optional CI gate (mode: blocking) for high-risk changes
• an audit bundle uploaded as a workflow artifact (summary.md, score.json, egress.json, a self-contained report.html, and a SHA-256 manifest)

Why I think it's different from tfsec / Checkov: those are great at "this line is misconfigured". ArchiteX answers "what changed in the architecture?" — a brand-new public entry point, an SG flipping from 10.0.0.0/16 to 0.0.0.0/0, a resource gated behind count = var.create ? 1 : 0 that you didn't notice was being toggled on. It's the architectural-delta layer on top of those tools, not a replacement. Run them side-by-side.

Things I made deliberate calls on:

• No LLM in the hot path. Template-based renderer. Same input → byte-identical output across runs, machines, contributors. I wanted a tool where re-running can never quietly change a score and erode reviewer trust.
• Local-only. Raw HCL never leaves the runner. The only network call is the GitHub REST API call to post the comment. No SaaS, no telemetry, no account, no paid tier.
• Conditional resources are first-class. Module-author repos have lots of count = var.x ? 1 : 0. Those resources get rendered as conditional phantoms (? prefix in the diagram) and explicitly excluded from per-resource rules so they can't false-positive.
• Self-contained HTML report — no JS, no CDN, no remote fonts. Open it in an air-gapped browser, the full report renders.

Coverage today: 45 AWS resource types across 7 abstract roles (network, access control, compute, entry points, data, storage, identity), 18 weighted risk rules. Multi-provider (Azure/GCP) is on the roadmap.

Free + MIT. Single Go binary, single Action, zero config to start.

• Repo: https://github.com/danilotrix86/ArchiteX
• Live sample report (no install): https://danilotrix86.github.io/ArchiteX/report.html
• 30-second quickstart is at the top of the README

What I'd love your help with:

1. What breaks it in your repo? Coverage gaps are the #1 thing I want to fix. If you have a Terraform pattern that ArchiteX mis-parses or misses entirely, the smallest reproducer you can paste in an issue is the highest-value contribution I can ask for.
2. Are the rule weights sensible? They're calibrated to my own taste and a small group of testers. I'd love to hear "rule X at weight Y is too high/low for my team's risk tolerance."
3. Module authors — does materializing conditional count resources as phantoms match what you'd want, or would you rather have a separate "module health" mode entirely?

Will answer every comment in the thread.

I was frustrated with keeping others to organize terraform files consistently, and reading the important pieces quickly, so I wrote a collection of linters.

• tflint-ruleset-naming
• tflint-ruleset-sort
• tfsortplus

It started out as me find this post then trying to work with tflint-ruleset-sheldon, ended up with me learning how to write my own linters and using the autofixer.

I kept working on infra codebases where nobody had a clear picture of how Terraform resources relate to each other modules, data sources, providers all tangled with no visual map.

So I built an extension that scans your .tf files, discovers resources and their dependencies, and renders an interactive topology graph inside your IDE. It also picks up Kubernetes, Docker Compose, .NET Aspire and ArgoCD so you see the full picture from infra to deployment in one place.

Works in both VS Code and JetBrains IDEs. I named it Mesh Infra 🙂

Would love feedback from community, especially on what IaC relationships or resource types would make incident triage faster.

Over the last few years (and especially the last four months) I've been working on a source-backed terraform provider that covers all Unifi Network API endpoints, verifying schemas and logic against the controller, tediously documenting every aspect of the APIs as they exist in the controller .deb. Some resources have 240+ configurable fields, like Network Configs.

As one person with limited physical hardware I can only test so far, so at this point I am calling it "alpha" stage and looking for testers who understand the risk of having to readopt devices if something goes wrong.

I've also built out a generator that writes the entire terraform config from a live controller, making the whole config importable from the jump.

Closed Alpha, because people will disregard warnings and nuke production, but please DM me and I can grant access.

Proof: I built a poor man's generator years ago with pure bash / jq, and have been rebuilding the provider from scratch since: https://github.com/robbycuenot/unifi-tf-generator

I always feel nervous before applying terraform while scrolling through a 500 line plan looking for something I'd missed, so I wrote a small tool for myself. It takes the plan JSON and the git diff, hands both to Claude, and gets back a short review: stuff like does the plan match what you changed, and is anything scary. Usage is basically `tfrev review --plan plan.json` and it prints a little table with the findings.

It's been catching stuff I would have normally missed especially when the diff is large. It's been mostly helpful so far. I had a few friends use it with their Jenkins pipelines and it seems to be helpful for them too, so I cleaned it up enough (I think) to share in case anyone else wants it: https://github.com/bishalOps/tfrev

Just a heads up that some chunks of this were written with Claude's help, mostly the CI templates, some of the test scaffolding, and the README. The core stuff and the plan/diff parsing I iterated on by hand because that's where the product actually lives. It felt appropriate given the tool itself is just a Claude wrapper at the end of the day.

I am just curious if the idea is useful to anyone besides me, or if I'm just bad at reading plans lol.

oh btw, the cost is usually between 0.03 - 0.15 depending on the diff size and amount of tf files involved.

HELP!
I just passed AWS SAA C03 certification exam, and now I am thinking about getting Terraform Certified. I visited their site and found this " https://developer.hashicorp.com/terraform/tutorials/certification-004 " guide there. How helpful is this guide, or do I prepare from other materials.

Background:

• Used Terraform at work and managed the Infra from GUI afterwards because importing to terraform from AWS and then changing the code seemed exhaustive.
• Know basics on using tfvars, blocks like resource, dynamic, depends on... output and variables

Sorry if this has been posted, but was reviewing the release notes for the upcoming 1.15.0 (currently in RC) and noted this.

> Terraform now supports variables and locals in module source and version attributes

Finally! And here is the PR of the change: https://github.com/hashicorp/terraform/pull/38217

TL;DR: you will be able to define variables as const = true - those variables then in turn will be allowed to be used with module.source= string/values.

So keen to see this - certainly better in instances where I'm passing &ref=vXX strings into module paths for versioning pinning - can now reuse these values in a variable for an entire configuration. Great!

Hey folks,

I'm Arunim, founding engineer at StackGuardian. I built an open-source tool called terraclaw that takes your existing cloud infrastructure and generates modular Terraform/OpenTofu HCL from it — not just a flat import, but structured code with modules, variables, dependency wiring, and import scripts.

How it works:

- Discovers resources via Steampipe (AWS + Azure)

- Interactive terminal UI to browse and select resources with dependency expansion

- You can register your own Terraform modules from git repos — it parses them via HCL and scores how well they fit your selected resources, then uses them as hard constraints during generation

- Runs import and iterates until terraform plan shows zero drift

It's written in Go, works with both Terraform and OpenTofu (just set TERRAFORM_BIN=tofu), and everything runs locally.

I'm looking for people to try it out and tell me what's broken, what's missing, or what would make it actually useful for your workflow. Issues and PRs welcome.

GitHub: https://github.com/arunim2405/terraclaw

If you find it useful, a star would really help with visibility. Thanks!

P.S: Sill in Beta, please use READ ONLY credentials.