Local-first control plane for Terraform & Terragrunt — inventory, plan/apply, drift, locks and a cloud shell, in one UI.
Project description
TerraUi
A local-first control plane for Terraform & Terragrunt. Point it at the folder
that holds all your IaC repos; it discovers every unit, and gives one web UI to
inventory stacks, run plan/apply/destroy (streamed live), detect drift, read
state and locks, browse the Terragrunt dependency graph, open a cloud shell, and
ask an AI assistant.
This repo implements the TerraUi.dc.html design (the product surface) plus the
backend from BACKEND_SPEC.md. It ships as a Python package with the compiled
frontend bundled and served at /.
pip install -e . # from this repo (Python 3.10+)
cd ~/acme/infra # the folder containing your IaC repos
terraui start # discovers everything, opens http://localhost:8787
No IaC in the current folder? terraui start falls back to a fully-populated
demo dataset (the one from the design) so you can explore the whole UI.
Cloud SDK setup (gcloud / aws / az)
TerraUi shells out to your existing cloud CLIs — it never stores credentials. On
first terraui start it runs a read-only check of the providers your stacks
actually use and, if anything is missing, points you at terraui setup:
terraui setup # per provider: detect → offer install → offer login
setup is per-provider and skippable — if you only use GCP, skip AWS and
Azure and configure them later. It shows the exact install/login command before
running it and asks for confirmation; nothing happens silently. GCP runs both
required logins (gcloud auth login for the CLI and
gcloud auth application-default login for the Terraform provider).
CLI
terraui start [PATH] Local mode: scan PATH (default cwd), serve UI + executor
--port 8787 Port (default 8787)
--scan ./live ./mods Extra roots to scan
--no-open Don't auto-open the browser
--shell powershell|zsh|bash
--drift-interval 30m Background drift cadence (0 = off)
--demo Force the bundled demo dataset
--check Run interactive cloud-SDK setup before serving
--skip-checks Skip the cloud-SDK status check
terraui setup [PATH] Detect / install / authenticate cloud SDKs (per-provider, skippable)
--providers aws,gcp,azure Limit to specific providers
--yes Non-interactive (install only; skip browser logins)
terraui scan [PATH] --json Print discovered units as JSON (CI / debug)
terraui server --config … Team mode (scaffold — see BACKEND_SPEC §11)
terraui agent --server … Remote executor (scaffold)
What's implemented
| Area | Status |
|---|---|
| Discovery (HCL walk, backend/provider/deps parse, Terragrunt DAG) | ✅ discovery/ |
Execution engine (flag model → build_command, streamed over WS, persisted) |
✅ execution/, store/ |
| Cloud auth probes (AWS / GCP-with-ADC / Azure) | ✅ clouds/ |
State & lock read (terraform state list, acquire/release) |
✅ state/ |
| Drift (per-stack snapshots; demo data, live scan scaffolded) | ◑ drift endpoint |
| Cloud Shell PTY (pywinpty / ptyprocess, subprocess fallback) | ✅ shell/ |
AI assistant (Claude claude-haiku-4-5 proxy + offline fallback) |
✅ ai/ |
| Frontend bundle (all views, drawer, flag modal, toast) | ✅ web/index.html |
| VCS webhooks, server/agent mode, RBAC, policy gates | ☐ scaffolded (§10–11) |
The command the UI previews is exactly the command the executor runs —
buildCmdStr (frontend) and build_command (backend) are kept identical and
unit-tested against the spec example
(terragrunt run-all plan -var-file=env/prod.tfvars --terragrunt-non-interactive).
Architecture
Browser (web/index.html)
REST /api/* inventory, runs, drift, locks, graph, clouds, ai
WS /ws/run/{id} live plan/apply output
WS /ws/term/{sess} PTY terminal
│
FastAPI app (server/app.py)
discovery · execution · clouds · state · drift · ai · store
│ subprocess (user's shell)
▼
terraform / terragrunt / aws / gcloud / az on the local machine
Develop
pip install -e ".[dev,pty]"
pytest # command builder, discovery, API smoke tests
terraui start --demo # run the UI against the demo dataset
The AI assistant proxies to Claude when ANTHROPIC_API_KEY is set (model
claude-haiku-4-5); otherwise it returns grounded canned answers. The key never
reaches the browser.
Security
Local mode binds to 127.0.0.1. No secrets are stored — TerraUi shells out using
the cloud SDK credential chains already on your machine. Commands are built from a
structured flag model and passed as argv (never shell-interpolated); the action is
checked against an allow-list. Secrets are redacted from streamed logs before they
are persisted. See BACKEND_SPEC.md §14 for the full model.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file terraui-0.1.8.tar.gz.
File metadata
- Download URL: terraui-0.1.8.tar.gz
- Upload date:
- Size: 86.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d5e2a56704344bc905973314bc07084464424ccb2e286a5ed0398e245945dd66
|
|
| MD5 |
77d3ff022ae1e0fc4a99e0ff5d3027a3
|
|
| BLAKE2b-256 |
6e3ea0a3d14275f3a4bda8815626a13d3e15e0903b5bd7ecfd3c401e820ebfbc
|
File details
Details for the file terraui-0.1.8-py3-none-any.whl.
File metadata
- Download URL: terraui-0.1.8-py3-none-any.whl
- Upload date:
- Size: 80.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
40dc7f79632bc52e8b84fc1fd51ad26659a7bb73fecab090de4004d033704bdf
|
|
| MD5 |
a4e03d4bbfc93f2248129c8f47ffe589
|
|
| BLAKE2b-256 |
a713531b0cc4e312113e5fc781254ca99add354a7ecc6d17e8012270f3c2f3c1
|