Terraform

Connect Knowledge Tree to your Terraform state files to detect drift, import resources, and generate HCL from graph data.

Overview

The Terraform integration connects Knowledge Tree to your Terraform state, enabling drift detection between declared infrastructure and what actually exists in your cloud accounts. It can also reverse-engineer HCL from discovered resources, making it easier to bring unmanaged resources under Terraform control.

State import

Knowledge Tree can read Terraform state from local files, remote backends (S3, GCS, Azure Storage), or Terraform Cloud. Imported state resources are matched against discovered resources using resource IDs and metadata.

  • Remote state backends -- S3, GCS, Azure Storage, Terraform Cloud
  • State locking -- respects Terraform state locking (DynamoDB, GCS)
  • Workspace support -- multiple workspaces mapped to separate scopes
  • Resource matching -- auto-matches by ARN, ID, and provider metadata

HCL generation

For resources that exist in your cloud but are not yet managed by Terraform, Knowledge Tree can generate HCL configuration blocks. This is especially useful for:

  • Importing existing infrastructure into Terraform management
  • Migrating between Terraform module structures
  • Creating reusable modules from discovered patterns
  • Documenting infrastructure as code for audit purposes

# Generated HCL example
resource "aws_security_group" "web_sg" {
  name        = "web-sg"
  description = "Auto-generated from Knowledge Tree discovery"
  vpc_id      = "vpc-abc123"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
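The block above is what the generator emits for one security group. As an added example (not Knowledge Tree's generator), the Python below shows the two pieces such a generator needs: an HCL renderer that aligns attributes and expands repeated nested blocks in terraform fmt style, and a Terraform 1.5+ `import` block so `terraform plan` can adopt the resource without a hand-run `terraform import`. The discovery record is constructed, and representing nested blocks as a list of dicts is this example's own convention.

```python
"""Render HCL plus an import block for a discovered resource.
Example code for this page, not Knowledge Tree's own implementation."""
import json
import re

# Constructed discovery record: live attributes of the "web-sg" group.
WEB_SG = {
    "name": "web-sg",
    "description": "Auto-generated from Knowledge Tree discovery",
    "vpc_id": "vpc-abc123",
    # Repeated nested blocks are a list of dicts (this example's convention).
    "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                 "cidr_blocks": ["0.0.0.0/0"]}],
}


def hcl_label(name):
    """Derive a valid HCL identifier from a cloud name (web-sg -> web_sg)."""
    label = re.sub(r"[^A-Za-z0-9_]", "_", name)
    return label if re.match(r"[A-Za-z_]", label) else "_" + label


def hcl_value(value):
    """Render a scalar, list or map as an HCL expression."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, str):
        return json.dumps(value)  # JSON escaping is valid inside HCL quoted strings
    if isinstance(value, list):
        return "[" + ", ".join(hcl_value(v) for v in value) + "]"
    if isinstance(value, dict):
        return "{ " + ", ".join(f"{k} = {hcl_value(v)}" for k, v in value.items()) + " }"
    raise TypeError(f"cannot render {type(value).__name__} as HCL")


def is_block_list(value):
    """A non-empty list of dicts is rendered as repeated nested blocks."""
    return isinstance(value, list) and bool(value) and all(isinstance(v, dict) for v in value)


def render_body(attrs, indent):
    """Attributes with aligned '=' first, then nested blocks, each preceded by a blank line."""
    pad = " " * indent
    scalars = {k: v for k, v in attrs.items() if not is_block_list(v)}
    width = max((len(k) for k in scalars), default=0)
    lines = [f"{pad}{k.ljust(width)} = {hcl_value(v)}" for k, v in scalars.items()]
    for block, items in attrs.items():
        if not is_block_list(items):
            continue
        for item in items:
            lines += ["", f"{pad}{block} {{", *render_body(item, indent + 2), f"{pad}}}"]
    return lines


def render_resource(rtype, name, attrs):
    """Full resource block; the label is derived from the resource's cloud name."""
    body = "\n".join(render_body(attrs, 2))
    return f'resource "{rtype}" "{hcl_label(name)}" {{\n{body}\n}}'


def render_import(rtype, name, resource_id):
    """Terraform 1.5+ import block; a following `terraform plan` adopts the resource."""
    return f'import {{\n  to = {rtype}.{hcl_label(name)}\n  id = {json.dumps(resource_id)}\n}}'


if __name__ == "__main__":
    print(render_import("aws_security_group", "web-sg", "sg-0123456789abcdef0"))
    print()
    print(render_resource("aws_security_group", "web-sg", WEB_SG))
```

Generated HCL reproduces the live configuration verbatim, including the `0.0.0.0/0` ingress in this example, so review the output before applying it rather than treating adoption as a no-op; the `import` block makes that review concrete, because `terraform plan` shows exactly what state will gain and whether the generated attributes already match the live resource.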

Drift detection

Drift detection compares Terraform state against the live graph and reports discrepancies:

Drift type          Description
Missing resource    Declared in Terraform but not found in the cloud
Orphaned resource   Exists in the cloud but not in Terraform state
Config mismatch     Resource exists but attributes differ from state
Tag drift           Tags differ between Terraform and actual resource

Sensitive attributes

Terraform state may contain plain-text secrets (e.g., RDS master passwords). Knowledge Tree never stores sensitive state attributes -- only resource identifiers and structural metadata. Note that the credential Knowledge Tree uses to read state still sees the whole file, secrets included, so grant it read-only access scoped to the state objects it needs and treat that credential as a secret in its own right.
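The state import, resource matching and drift table above describe one pipeline: read state, keep only identifiers and non-sensitive attributes, match by ARN or ID against what discovery found, and classify the differences. The Python below walks that pipeline end to end as an added example; it is not Knowledge Tree's implementation. It reads Terraform's version-4 state JSON and honours the `sensitive_attributes` markers Terraform writes for values such as passwords; the state document, the discovered inventory and the per-type list of compared attributes are all constructed for the example.

```python
"""Load a Terraform v4 state file, drop sensitive attributes, match against a
discovered inventory by ARN/ID, and classify drift.
Example code for this page, not Knowledge Tree's own implementation."""
import json

AWS = 'provider["registry.terraform.io/hashicorp/aws"]'
SG_ARN = "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0123456789abcdef0"
DB_ARN = "arn:aws:rds:us-east-1:111122223333:db:main"

# Constructed state document in Terraform's version-4 JSON layout.
STATE_JSON = json.dumps({"version": 4, "terraform_version": "1.6.0", "resources": [
    {"mode": "managed", "type": "aws_security_group", "name": "web_sg", "provider": AWS,
     "instances": [{"schema_version": 1, "sensitive_attributes": [], "attributes": {
         "id": "sg-0123456789abcdef0", "arn": SG_ARN, "name": "web-sg",
         "vpc_id": "vpc-abc123", "tags": {"env": "production"}}}]},
    {"mode": "managed", "type": "aws_db_instance", "name": "main", "provider": AWS,
     "instances": [{"schema_version": 2,
         # Terraform records sensitive values as attribute paths, not by name.
         "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]],
         "attributes": {"id": "db-main", "arn": DB_ARN, "engine": "postgres",
                        "instance_class": "db.t3.micro", "password": "hunter2",
                        "tags": {"env": "production"}}}]},
    {"mode": "managed", "type": "aws_s3_bucket", "name": "logs", "provider": AWS,
     "instances": [{"schema_version": 0, "sensitive_attributes": [], "attributes": {
         "id": "acme-logs", "arn": "arn:aws:s3:::acme-logs", "tags": {}}}]},
]})

# Constructed inventory as discovery would return it: the bucket is gone, the
# database was resized by hand, someone tagged the SG, and an unmanaged SG exists.
DISCOVERED = [
    {"type": "aws_security_group", "id": "sg-0123456789abcdef0", "arn": SG_ARN,
     "attributes": {"name": "web-sg", "vpc_id": "vpc-abc123",
                    "tags": {"env": "production", "owner": "platform"}}},
    {"type": "aws_db_instance", "id": "db-main", "arn": DB_ARN,
     "attributes": {"engine": "postgres", "instance_class": "db.t3.small",
                    "tags": {"env": "production"}}},
    {"type": "aws_security_group", "id": "sg-0fedcba987654321f", "arn": None,
     "attributes": {"name": "ops-debug", "vpc_id": "vpc-abc123", "tags": {}}},
]

# Attributes compared per type (assumption: a real matcher derives this from the provider schema).
COMPARED = {"aws_security_group": ("name", "vpc_id"),
            "aws_db_instance": ("engine", "instance_class")}


def sensitive_names(instance):
    """Top-level attribute names flagged in the instance's sensitive_attributes paths."""
    names = set()
    for path in instance.get("sensitive_attributes", []):
        steps = path if isinstance(path, list) else [path]
        if steps and steps[0].get("type") == "get_attr":
            names.add(steps[0]["value"])
    return names


def load_state(text):
    """Flatten managed instances, keeping identifiers and non-sensitive attributes only."""
    state = json.loads(text)
    if state.get("version") != 4:
        raise ValueError(f"unsupported state version {state.get('version')}")
    resources = []
    for res in state["resources"]:
        if res.get("mode") != "managed":  # data sources have nothing to drift
            continue
        for inst in res["instances"]:
            attrs, hidden = inst["attributes"], sensitive_names(inst)
            resources.append({
                "address": f"{res['type']}.{res['name']}", "type": res["type"],
                "id": attrs.get("id"), "arn": attrs.get("arn"),
                "attributes": {k: v for k, v in attrs.items() if k not in hidden}})
    return resources


def match_key(resource):
    """ARN when present (globally unique), otherwise provider type plus ID."""
    return resource.get("arn") or f"{resource['type']}:{resource['id']}"


def detect_drift(declared, live):
    """Return (drift_type, address_or_key, detail) tuples covering the four drift types."""
    by_key = {match_key(r): r for r in declared}
    seen, findings = set(), []
    for res in live:
        key, want = match_key(res), by_key.get(match_key(res))
        if want is None:
            findings.append(("orphaned", key, res["attributes"].get("name")))
            continue
        seen.add(key)
        for attr in COMPARED.get(res["type"], ()):
            a, b = want["attributes"].get(attr), res["attributes"].get(attr)
            if a != b:
                findings.append(("config_mismatch", want["address"], f"{attr}: state={a!r} live={b!r}"))
        if want["attributes"].get("tags", {}) != res["attributes"].get("tags", {}):
            findings.append(("tag_drift", want["address"], res["attributes"].get("tags")))
    findings += [("missing", r["address"], None) for k, r in by_key.items() if k not in seen]
    return findings


if __name__ == "__main__":
    for kind, where, detail in detect_drift(load_state(STATE_JSON), DISCOVERED):
        print(f"{kind:16} {where:45} {detail or ''}")
```

Matching prefers the ARN because it is unique across accounts and regions, while a bare ID such as `sg-...` is only unique per region and so needs the type as a qualifier; the unmanaged `ops-debug` group has no ARN in the constructed inventory and falls back to the type-plus-ID key. The RDS password never leaves `load_state`, which is the property the sensitive-attributes note above describes.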

Workspace mapping

Terraform workspaces are mapped to Knowledge Tree scopes, allowing you to organize resources by environment (production, staging, development) or by team. Each workspace's resources are tracked independently for drift analysis.

Configuration

# config.yaml
integrations:
  terraform:
    backends:
      - type: s3
        bucket: acme-terraform-state
        key: production/terraform.tfstate
        region: us-east-1
      - type: terraform_cloud
        organization: acme
        workspace: production
    drift_detection:
      enabled: true
      schedule: "0 */6 * * *"
    hcl_generation:
      output_dir: "./generated-terraform"
      module_style: "minimal"