13 Apr '23

Visualize AWS Security Groups and Rules from Terraform State

In an ever-changing AWS environment, maintaining manually created architecture diagrams can be challenging. For this reason, I decided to find an automated solution for generating diagrams based on the Terraform State File. In this blog post, I will introduce a tool that simplifies the maintenance of architecture diagrams, ensuring their accuracy and providing a clear understanding of AWS security groups and their interactions.

Issue

The challenge is to demonstrate how multiple security groups interact with each other. Manually maintaining diagrams with tools like draw.io can be time-consuming and may lead to inconsistencies and errors, which can impact overall security.

Introducing the Python Solution for Visualizing AWS Security Groups and Rules

Inspired by Gernot’s blog post about “diagrams as code” on AWS with CDK and D2, I developed a Terraform-specific solution using Python to parse the Terraform State File and generate diagrams. The full code can be found on GitHub.

How It Works

Parse the Terraform State File to extract security group information as well as prefix lists and hardcoded IP ranges.
Store the data in a custom format for easier diagram creation.
Generate the diagram using the extracted data and a diagram generation library.

Demonstration

The following example demonstrates the effectiveness of this solution, using sample Terraform code for a cross-account setup.

First, clone the GitHub repository containing the Python tool:

git clone https://github.com/tecracer/aws-security-group-diagram-from-terraform.git

Next, navigate to the repository folder and install the required dependencies:

cd aws-security-group-diagram-from-terraform
pip install -r requirements.txt

Now, from the directory of your terraform project run:

terraform show -json | python3 /path/to/aws-security-group-diagram-from-terraform/main.py -i --output_filename fancy_diagram --output_format png

This will directly read from the state file and will generate a diagram with the specified file name and format.

Open the generated diagram file to review the visual representation of your AWS security groups and rules.

Created Diagram

In the current version, the diagram may not look perfect, but there is much room for adjustments as the diagrams library offers many ways in which to customize the output file. Note that the icons used are not the actual icons for security groups as they are not released yet for the library, but changing the icon is easy and can be done later.

Conclusion

This Python tool offers a practical solution for visualizing AWS security groups and rules directly from the Terraform State File, saving time and effort while improving the accuracy and maintainability of architecture diagrams. Give it a try and let me know how it works for you!

terraform diagrams

Fabian Brakowski

Fabian is a Senior Cloud Consultant at tecRacer Consulting. He sees himself as an IT generalist with a strong focus on Automation, System Architecture, Networking and everything related to SAP.

Similar Posts You Might Enjoy

21 Apr '23

Streamline Security Group Maintenance in Terraform with Markdown Tables

Managing security groups and their rules in AWS infrastructure can become cumbersome and error-prone as your environment grows. In this blog post, I introduce a Terraform solution that simplifies this process by using a Markdown table to define security group rules. - by Fabian Brakowski

26 Apr '23

Using AI to generate Terraform Code from actual AWS resources

The world is changing, with new AI tools emerging every day. One such tool that has been making waves recently is ChatGPT. It is only the first of many such tools hitting the market, and it urges us to think about the future of our work. I recently used it to help with a standard task that I often perform and was amazed by how well it helped me to automate it. - by Fabian Brakowski

15 Aug '23

Hybrid DNS resolution using Route 53 Endpoints

When implementing a hybrid cloud solution and connecting your AWS VPCs with corporate data centers, setting up proper DNS resolution across the whole network is an important step to ensure full integration and functionality. In order to accomplish this task, Route53 Inbound and Outbound endpoints can be used. In combination with forwarding rules, they allow you to forward DNS traffic between your AWS VPC and on-premises data centers. In this blog post, I would like to show you how you can leverage Route53 endpoints in combination with Terraform to establish seamless DNS query resolution across your entire hybrid network. - by Hendrik Hagen

Share