Skip to main content

Terraback: Universal infrastructure scanning and Terraform generation tool

Project description

๐Ÿš€ Terraback

Multi-Cloud Infrastructure as Code Tool

Terraback is an advanced CLI tool that reverse-engineers existing cloud infrastructure into clean, production-ready Terraform code with intelligent dependency discovery.

Transform legacy cloud environments into infrastructure-as-code in minutes, not months.


โœจ Why Terraback?

  • ๐ŸŽฏ 90% Faster: Reduce infrastructure documentation time from weeks to hours
  • ๐Ÿง  Intelligent Discovery: Automatic dependency mapping across 50+ cloud services
  • ๐Ÿข Enterprise-Ready: Production-ready templates with lifecycle management
  • Multi-Cloud: Full support for AWS, Azure, and GCP
  • ๐Ÿ”’ Security-First: Read-only permissions, no credential storage, enterprise compliance

๐ŸŒŸ Features

๐Ÿ“Š Comprehensive Cloud Coverage

Core Infrastructure (Community Edition - Free):

  • AWS: EC2 Instances, VPCs, Subnets, Security Groups, S3 Buckets, IAM Roles
  • Azure: Virtual Machines, Virtual Networks, Subnets, Network Security Groups, Storage Accounts
  • GCP: Compute Instances, Networks, Subnets, Storage Buckets
  • Basic Commands: list, import, scan
  • โœจ Unlimited core resources
  • Basic dependency mapping

Advanced Services (Professional & Enterprise):

AWS Services:

  • Container Platform: ECS Clusters, Services, Task Definitions, ECR Repositories
  • Advanced Networking: CloudFront CDN, Route 53 DNS, NAT/Internet Gateways, VPC Endpoints
  • Database & Caching: RDS instances, ElastiCache Redis/Memcached clusters
  • Monitoring & Security: CloudWatch, Auto Scaling, ACM Certificates
  • Serverless & APIs: Lambda Functions, API Gateway, SQS, SNS
  • Storage: EFS, EBS Volumes/Snapshots, S3 advanced features
  • Load Balancing: ALB/NLB with advanced features, listener rules, SSL policies

Azure Services:

  • Compute: Virtual Machines with OS detection, Managed Disks, SSH Keys
  • Networking: Virtual Networks, Subnets with delegations, NSGs with rules
  • Storage: Storage Accounts with blob properties, static websites, encryption
  • Load Balancing: Application Gateway, Load Balancers
  • Database: Azure SQL, Cosmos DB
  • Container: AKS, Container Instances

GCP Services:

  • Compute: VM Instances, Persistent Disks, Machine Images
  • Networking: VPC Networks, Subnets, Firewall Rules
  • Storage: Cloud Storage, Persistent Disks
  • Container: GKE Clusters, Node Pools

๐Ÿ”— Intelligent Dependency Discovery

The --with-deps flag automatically discovers and maps complete infrastructure stacks:

# AWS Example
terraback ec2 scan --with-deps
# Automatically finds and scans:
# โ”œโ”€โ”€ VPC and networking (subnets, security groups)
# โ”œโ”€โ”€ Load balancers (ALB, target groups, listeners)
# โ”œโ”€โ”€ Storage (EBS volumes, snapshots)
# โ”œโ”€โ”€ Security (IAM roles, certificates)
# โ”œโ”€โ”€ Monitoring (CloudWatch logs, alarms)
# โ””โ”€โ”€ All interconnected dependencies

# Azure Example
terraback vm scan --with-deps
# Automatically finds and scans:
# โ”œโ”€โ”€ Virtual Networks and Subnets
# โ”œโ”€โ”€ Network Security Groups with rules
# โ”œโ”€โ”€ Managed Disks and Snapshots
# โ”œโ”€โ”€ Network Interfaces and Public IPs
# โ”œโ”€โ”€ Storage Accounts
# โ””โ”€โ”€ All interconnected dependencies

๐Ÿš€ Advanced Features

  • Performance Optimization: API response caching, parallel scanning, smart dependency resolution
  • Multi-Account/Subscription: Scan across multiple AWS accounts or Azure subscriptions
  • Module Generation: Create reusable Terraform modules automatically
  • State Management: Import existing resources directly into Terraform state
  • Compliance Ready: Generate code following HashiCorp and cloud provider best practices
  • Name Deduplication: Automatically append numeric suffixes to resource names when duplicates are detected
  • SSH Key Sanitization: Generated public keys are collapsed to a single line automatically

๐Ÿ“ฆ Installation

Prerequisites

  • Python 3.8+ (for pip installation)
  • Terraform 1.0+ (for import functionality)
  • Cloud CLI tools:
    • AWS: aws CLI configured
    • Azure: az CLI configured and logged in
    • GCP: gcloud CLI configured
  • (Optional) xxhash for faster cache hashing

Install via pip (Recommended)

pip install terraback

Install via Binary

Linux/macOS:

# Linux
curl -L https://dist.terraback.dev.io/releases/latest/terraback-linux -o terraback
chmod +x terraback
sudo mv terraback /usr/local/bin/

# macOS
curl -L https://dist.terraback.dev.io/releases/latest/terraback-macos -o terraback
chmod +x terraback
sudo mv terraback /usr/local/bin/

Windows: Download from releases


๐Ÿš€ Quick Start

AWS Scanning

# Configure AWS credentials (if not already done)
aws configure

# Scan EC2 instances
terraback ec2 scan

# Scan VPC with all dependencies
terraback vpc scan --with-deps

# Scan specific region
terraback ec2 scan --region eu-west-1

# Scan with specific profile
terraback s3 scan --profile production

Azure Scanning

# Login to Azure (if not already done)
az login

# Scan Virtual Machines
terraback vm scan

# Scan entire resource group
terraback vm scan --resource-group production-rg

# Scan specific subscription
terraback vnet scan --subscription-id YOUR-SUBSCRIPTION-ID

# Scan with location filter
terraback storage scan --location westeurope

Multi-Cloud Commands

# Scan all resources (cloud-specific)
terraback scan-all aws --region us-east-1
terraback scan-all azure --resource-group my-rg
terraback scan-all gcp --region us-central1 --cache-ttl 30

# Check authentication status
terraback auth-check

# Use caching for large infrastructures
terraback scan-recursive ec2 --use-cache --cache-ttl 120
terraback scan-recursive vm --use-cache --parallel-workers 10

After scanning completes, Terraback automatically runs terraform fmt, terraform init and terraform validate on the generated code. Use --skip-check with any scan-all command to bypass this validation step. If you skip the checks, run terraback aws scan-all --check (or python -m terraback.utils.template_syntax_fixer <output_dir>) before invoking terraform init manually.


๐Ÿ“‹ Supported Resources

AWS Resources (Full Support)

Service Resources Status
EC2 Instances, Volumes, Snapshots, AMIs, Key Pairs, Launch Templates, Network Interfaces โœ… Full Support
VPC VPCs, Subnets, Security Groups, Internet/NAT Gateways, Route Tables, VPC Endpoints โœ… Full Support
IAM Roles, Policies, Instance Profiles โœ… Full Support
S3 Buckets, Versioning, Lifecycle, ACLs, Policies โœ… Full Support
RDS Instances, Subnet Groups, Parameter Groups โœ… Full Support
Load Balancing ALB, NLB, CLB, Target Groups, Listeners, SSL Policies โœ… Full Support
Lambda Functions, Layers, Permissions โœ… Full Support
Route 53 Hosted Zones, Records โœ… Full Support
CloudWatch Log Groups, Alarms, Dashboards โœ… Full Support
Auto Scaling Groups, Launch Templates, Policies โœ… Full Support
ECS/ECR Clusters, Services, Task Definitions, Repositories โœ… Full Support
CloudFront Distributions, Origin Access Controls, Cache Policies โœ… Full Support
ElastiCache Redis/Memcached Clusters, Parameter Groups โœ… Full Support
ACM Certificates โœ… Full Support
EFS File Systems, Mount Targets, Access Points โœ… Full Support
API Gateway REST APIs, Resources, Methods, Deployments โœ… Full Support
SQS/SNS Queues, Topics, Subscriptions โœ… Full Support
Secrets Manager Secrets, Versions โœ… Full Support
Systems Manager Parameters, Documents โœ… Full Support

Azure Resources

Service Resources Status
Compute Virtual Machines, Managed Disks, Availability Sets, SSH Keys โœ… Full Support
Networking Virtual Networks, Subnets, Network Security Groups, Network Interfaces โœ… Full Support
Storage Storage Accounts, Blob Storage, File Shares โœ… Full Support
Load Balancing Load Balancers, Application Gateways โœ… Full Support
Database SQL Database, Cosmos DB โœ… Full Support
Container AKS, Container Instances โœ… Full Support
Identity Managed Identities, Service Principals โœ… Full Support

GCP Resources

Service Resources Status
Compute Engine Instances, Disks, Images โœ… Full Support
VPC Networks, Subnets, Firewalls โœ… Full Support
Cloud Storage Buckets, Objects โœ… Full Support
GKE Clusters, Node Pools โœ… Full Support

๐ŸŽฏ Advanced Usage

Dependency Scanning

# AWS: Scan EC2 with all dependencies
terraback ec2 scan --with-deps --output-dir ./infrastructure

# Azure: Scan VM with all dependencies  
terraback vm scan --with-deps --output-dir ./infrastructure

# Result: Complete infrastructure graph
# โ”œโ”€โ”€ compute/
# โ”‚   โ”œโ”€โ”€ instances.tf
# โ”‚   โ””โ”€โ”€ launch_templates.tf
# โ”œโ”€โ”€ networking/
# โ”‚   โ”œโ”€โ”€ vpc.tf
# โ”‚   โ”œโ”€โ”€ subnets.tf
# โ”‚   โ””โ”€โ”€ security_groups.tf
# โ””โ”€โ”€ storage/
#     โ”œโ”€โ”€ volumes.tf
#     โ””โ”€โ”€ snapshots.tf

Enterprise Module Generation

Transform generated Terraform into production-ready enterprise modules with standardized structure:

# Generate enterprise modules (requires Enterprise license)
terraback scan all aws --enterprise-modules

# Result: Organized module structure
# modules/
# โ”œโ”€โ”€ alb/
# โ”‚   โ”œโ”€โ”€ lb.tf
# โ”‚   โ”œโ”€โ”€ listeners.tf
# โ”‚   โ”œโ”€โ”€ global-accelerator.tf
# โ”‚   โ”œโ”€โ”€ variables.tf
# โ”‚   โ”œโ”€โ”€ outputs.tf
# โ”‚   โ””โ”€โ”€ locals.tf
# โ”œโ”€โ”€ ecs/
# โ”‚   โ””โ”€โ”€ service/
# โ”‚       โ”œโ”€โ”€ ecs-service.tf
# โ”‚       โ”œโ”€โ”€ ecs-task-definition.tf
# โ”‚       โ”œโ”€โ”€ autoscaling.tf
# โ”‚       โ”œโ”€โ”€ variables.tf
# โ”‚       โ”œโ”€โ”€ outputs.tf
# โ”‚       โ””โ”€โ”€ locals.tf
# โ”œโ”€โ”€ rds-aurora-postgresql/
# โ”‚   โ”œโ”€โ”€ cluster.tf
# โ”‚   โ”œโ”€โ”€ instances.tf
# โ”‚   โ”œโ”€โ”€ parameter-groups.tf
# โ”‚   โ”œโ”€โ”€ variables.tf
# โ”‚   โ”œโ”€โ”€ outputs.tf
# โ”‚   โ””โ”€โ”€ locals.tf
# โ””โ”€โ”€ s3-bucket/
#     โ”œโ”€โ”€ bucket.tf
#     โ”œโ”€โ”€ policy.tf
#     โ”œโ”€โ”€ versioning.tf
#     โ”œโ”€โ”€ lifecycle-configuration.tf
#     โ”œโ”€โ”€ variables.tf
#     โ”œโ”€โ”€ outputs.tf
#     โ””โ”€โ”€ locals.tf

# Works with all providers
terraback scan all azure --enterprise-modules
terraback scan all gcp --enterprise-modules

Features:

  • Automatically groups related resources into logical modules
  • Creates standard module files (variables.tf, outputs.tf, locals.tf)
  • Follows Terraform best practices and naming conventions
  • Supports 150+ AWS, Azure, and GCP resource types
  • Maintains proper resource dependencies
  • Production-ready module structure out of the box

Supported Module Types:

  • AWS: ALB, ASG, ECS, RDS, Lambda, S3, CloudFront, OpenSearch, and 40+ more
  • Azure: VMs, AKS, App Services, Databases, Networking, Storage, and 30+ more
  • GCP: Compute, GKE, Cloud Run, Cloud SQL, Networking, Storage, and 30+ more

Caching & Performance

# Enable caching for large infrastructures
terraback scan-all aws --cache-ttl 45
terraback scan-recursive ec2 --use-cache --cache-ttl 60

# View cache statistics
terraback cache stats

# Clear cache
terraback cache clear

# ``--cache-ttl`` sets how long scan results stay in the on-disk cache
# (in minutes) before expiring. This can dramatically speed up repeated
# ``scan-all`` operations on very large environments.
# For even faster cache hashing install ``xxhash`` (optional). Without it
# Terraback gracefully falls back to ``blake2s``.

# Parallel scanning
terraback scan-recursive vm --parallel-workers 10

Import to Terraform

# List resources Terraback previously scanned for a provider
terraback aws list-resources -o ./generated

# Import every scanned resource for a provider into Terraform state.
# Method auto-detects the best strategy based on your Terraform version.
terraback aws import -o ./generated --method auto --yes

# Fastest for Terraform 1.5+: import all resources via import blocks in one operation
terraback aws import -o ./generated --method bulk --yes

# Most reliable: import one resource at a time (avoids state-lock conflicts)
terraback aws import -o ./generated --method sequential --yes

# Validate with `terraform plan` before importing; abort on drift unless --allow-drift
terraback aws import -o ./generated --method bulk --plan-check

# Azure and GCP use the same import command
terraback azure import -o ./generated --method auto --yes
terraback gcp import -o ./generated --method auto --yes

# Import a single resource directly
terraback aws ec2 import i-1234567890abcdef0

Template Formatting Check

After scanning or when editing .tf files manually, run one of the following commands before running terraform init:

terraback aws scan-all --check
# or
python -m terraback.utils.template_syntax_fixer <output_dir>

Before executing these validation commands, ensure the base Python dependencies are installed. The template checker relies on packages from requirements.txt, including Jinja2. Install them with:

pip install -r requirements.txt

This prevents "Missing newline after argument" errors.

Example command sequence:

terraback scan-all aws --skip-check --output-dir ./generated
terraback aws scan-all --check
cd generated
terraform init

The --method option controls how state is imported:

  • auto (default) โ€“ automatically selects the best method based on your Terraform version.
  • bulk โ€“ for Terraform 1.5+, Terraback generates import blocks that Terraform applies in a single operation. This is the fastest method (roughly 2-3 minutes for hundreds of resources).
  • sequential โ€“ imports each resource one at a time. Slower (roughly 4 seconds per resource) but avoids state-lock conflicts and works on any Terraform version.

If --method is not specified, Terraback automatically chooses bulk on Terraform 1.5+ and falls back to sequential on older versions.

Use --plan-check to run a full terraform plan validation before importing. If the plan reports adds, changes, or destroys, the import aborts unless you also pass --allow-drift.


โš–๏ธ License & Pricing

Terraback uses a multi-tier licensing model:

Community Edition (Free)

  • โœ… Core resources for AWS, Azure, GCP
  • โœ… EC2, VPC, S3 (AWS)
  • โœ… VMs, VNets, Storage (Azure)
  • โœ… Compute, Networks, Storage (GCP)
  • โœ… โœจ Unlimited core resources
  • โœ… Basic dependency mapping
  • โœ… Community support via GitHub
  • โŒ Advanced services (RDS, Lambda, etc.)
  • โŒ Multi-account support

Professional License ($499 one-time, lifetime access)

  • All 50+ cloud services
  • Unlimited resources and accounts
  • Advanced dependency mapping
  • Multi-account/subscription scanning
  • RDS, Lambda, EKS, and more
  • Module generation and best practices
  • State file management
  • Priority email support
  • API access for automation
  • Lifetime updates included

Enterprise Edition (Coming Soon)

  • Everything in Professional
  • โœ… Enterprise Module Generation - Automatic organization into production-ready modules
  • โœ… Annual/multi-year licensing
  • โœ… SSO integration (SAML, OIDC)
  • โœ… Custom resource scanners
  • โœ… On-premise deployment options
  • โœ… SLA with guaranteed uptime
  • โœ… Dedicated training & onboarding
  • โœ… Dedicated customer success manager
  • โœ… Volume licensing & team management
  • โœ… Compliance reporting

๐Ÿ“š Documentation


Logging

Terraback respects two environment variables for logging:

  • TERRABACK_LOG_LEVEL controls the log verbosity (e.g. DEBUG or INFO).
  • TERRABACK_LOG_FILE can specify a path to write logs to a file.

Set these variables before running any command to adjust log output.


๐Ÿ› Troubleshooting

AWS Issues

# Check AWS credentials
aws sts get-caller-identity

# Use specific profile
export AWS_PROFILE=production

# Debug mode
terraback ec2 scan --debug

Azure Issues

# Check Azure login
az account show

# Set subscription
az account set --subscription "My Subscription"

# List available subscriptions
az account list --output table

Common Issues

  1. Permission Denied: Ensure your cloud credentials have read access to resources
  2. Rate Limiting: Use --use-cache flag for large infrastructures
  3. Module Not Found: Install with pip install -e . for development

๐Ÿš€ Roadmap

  • AWS support (50+ services)
  • Azure support (Core services)
  • GCP support (Core services)
  • Terraform module generation
  • Web UI dashboard
  • CI/CD integrations

๐Ÿ—๏ธ Template System

Terraback generates Terraform files from a collection of Jinja2 templates. All provider templates inherit from templates/common/base_resource.tf.j2, giving them a shared set of helper macros and a common block to override. To create a new template, extend the base file and implement the resources block:

{% extends "common/base_resource.tf.j2" %}
{% from "common/base_resource.tf.j2" import render_common_tags %}

{% block resources %}
resource "aws_my_service" "{{ item.name | tf_resource_name }}" {
  name = "{{ item.name }}"
  {{ render_common_tags(item, indent=2) }}
}
{% endblock %}

Complex-data macros

templates/common/macros.j2 exposes utilities for rendering lists and nested structures. Examples include:

  • render_block_list โ€“ iterate over complex objects and emit nested blocks
  • render_json_list โ€“ output JSON formatted lists
  • render_depends_on โ€“ add a depends_on array when dependencies exist

These macros keep templates concise while handling deeply nested data.

Automatic dependency generation

During scanning Terraback records relationships between resources. When a template uses render_depends_on, the discovered dependencies are inserted automatically. For example:

resource "aws_launch_template" "example" {
  ...
{{ macros.render_depends_on(template.depends_on, indent=2) }}
}

If an IAM role and security group were detected as dependencies, the rendered Terraform code becomes:

depends_on = [
  aws_iam_role.example_role,
  aws_security_group.example_sg,
]

Terraback calculates these relationships automatically, but you can still supply additional items in the depends_on list to enforce custom ordering.

๐Ÿงช Development & Testing

Install the additional packages used by the test suite:

pip install -r requirements-dev.txt

Then run all tests from the project root:

pytest

๐Ÿ“ Line Endings

This project enforces LF line endings for all text files. Git uses .gitattributes to normalize line endings and a pre-commit hook (end-of-file-fixer) ensures files end with a single newline.

๐Ÿ“ž Support


๐Ÿ™ Acknowledgments

Built with โค๏ธ by DevOps engineers who understand the pain of manual cloud documentation.


Copyright ยฉ 2025 Terraback

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

terraback-0.5.2.tar.gz (662.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

terraback-0.5.2-py3-none-any.whl (1.1 MB view details)

Uploaded Python 3

File details

Details for the file terraback-0.5.2.tar.gz.

File metadata

  • Download URL: terraback-0.5.2.tar.gz
  • Upload date:
  • Size: 662.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for terraback-0.5.2.tar.gz
Algorithm Hash digest
SHA256 db3bf905d675a2fd90bde201e9106acdab1037148a032407f54a89650272d3de
MD5 b768877a6e880d40e17e95072936a2a7
BLAKE2b-256 2a5f62ac4d994ee1cf8e63a7c86b29fb5b2e50aeb5a4b2a841133610c616d723

See more details on using hashes here.

File details

Details for the file terraback-0.5.2-py3-none-any.whl.

File metadata

  • Download URL: terraback-0.5.2-py3-none-any.whl
  • Upload date:
  • Size: 1.1 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for terraback-0.5.2-py3-none-any.whl
Algorithm Hash digest
SHA256 490f87cfbf2cddd6803f325d424ab143439d0540e3683a7140413a5a80780022
MD5 890b3bed029db483ed65fe378f3c4585
BLAKE2b-256 a41af92d3faf195729e18af0cf088e853eaa5ec2922e4a2896e7a7934e0c1983

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page