Paste your Terraform HCL into InfraSketch and get a full architecture diagram in seconds — AWS, GCP, and Azure resources auto-detected, grouped by layer, with official cloud provider icons. No CLI, no credentials, no signup. Everything runs in your browser.
Try it now — free
Paste your .tf files and see the architecture diagram instantly.
Why Terraform needs a diagram tool
A real-world Terraform codebase is hard to read as architecture. Resources live across dozens of files, module calls hide what actually gets deployed, and count / for_each meta-arguments mean one block can create ten resources. Reviewing a PR with 500 lines of HCL changes requires mental simulation to understand what the resulting infrastructure looks like.
Built-in options fall short. terraform graph outputs DOT format that, when rendered, produces an unreadable tangle of every internal dependency edge — providers, variables, locals, outputs — alongside actual resources. The AWS console shows deployed resources but not their relationships or intended topology. Visio and draw.io require manual box-drawing that drifts from the real infrastructure the moment someone runs terraform apply.
InfraSketch parses your HCL statically — no plan, no state, no AWS credentials required — and generates a topology diagram grouped by logical layer: Internet, Ingress, Compute, Data, Messaging, Security, and more. It works for AWS, GCP, and Azure resources in the same file.
How to generate a Terraform diagram
Open infrasketch.cloud. The Terraform tab is selected by default. Paste your HCL — one file, multiple concatenated files, or a partial module — and click Generate Diagram. The diagram renders immediately.
# Example: paste this into the Terraform tab
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
}
resource "aws_subnet" "private" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.1.0/24"
availability_zone = "us-east-1a"
}
resource "aws_eks_cluster" "app" {
name = "production"
role_arn = aws_iam_role.eks.arn
vpc_config {
subnet_ids = [aws_subnet.private.id]
}
}
resource "aws_rds_cluster" "db" {
cluster_identifier = "app-db"
engine = "aurora-postgresql"
engine_version = "15.4"
}
resource "aws_elasticache_replication_group" "cache" {
replication_group_id = "app-cache"
description = "Redis for session data"
node_type = "cache.t4g.micro"
}
Tip: You can paste multiple .tf files concatenated together. InfraSketch parses the full block structure, so cross-file references like aws_subnet.private.id resolve correctly for containment and connection detection.
What gets visualized
Resource grouping
Resources grouped into swimlanes — Networking, Compute, Database, Messaging, Security — for instant topology understanding.
VPC containment
Resources referencing a VPC via vpc_id are drawn inside the VPC boundary. Subnets appear as nested lanes.
Reference arrows
HCL references like aws_subnet.private.id and module.vpc.vpc_id become directed arrows between nodes.
Multi-cloud support
AWS, GCP, and Azure resource types all parse in the same file. Mixed-provider setups diagram correctly.
Three common Terraform patterns
Pattern 1: VPC + EKS + RDS (three-tier web app)
The most common AWS architecture: public subnets for load balancers, private subnets for application pods, isolated subnets for databases. InfraSketch detects the subnet references and draws each resource in its correct network zone.
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
}
resource "aws_subnet" "public" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.0.0/24"
}
resource "aws_subnet" "private" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.1.0/24"
}
resource "aws_lb" "app" {
load_balancer_type = "application"
subnets = [aws_subnet.public.id]
}
resource "aws_eks_cluster" "app" {
name = "production"
vpc_config {
subnet_ids = [aws_subnet.private.id]
}
}
resource "aws_db_instance" "postgres" {
engine = "postgres"
instance_class = "db.t4g.medium"
db_subnet_group_name = aws_db_subnet_group.main.name
}
The diagram shows ALB in the public subnet, EKS in the private subnet, and RDS in the isolated database tier — with arrows following the actual HCL references.
Pattern 2: Lambda + SQS + DynamoDB (serverless event pipeline)
Serverless architectures have no VPC by default, so InfraSketch groups them by service category rather than network zone. Lambda functions, SQS queues, and DynamoDB tables each land in their logical tier.
resource "aws_sqs_queue" "jobs" {
name = "job-queue"
}
resource "aws_lambda_function" "processor" {
function_name = "job-processor"
runtime = "python3.12"
handler = "handler.main"
filename = "lambda.zip"
environment {
variables = {
QUEUE_URL = aws_sqs_queue.jobs.url
TABLE = aws_dynamodb_table.results.name
}
}
}
resource "aws_lambda_event_source_mapping" "trigger" {
event_source_arn = aws_sqs_queue.jobs.arn
function_name = aws_lambda_function.processor.arn
}
resource "aws_dynamodb_table" "results" {
name = "job-results"
billing_mode = "PAY_PER_REQUEST"
hash_key = "jobId"
attribute {
name = "jobId"
type = "S"
}
}
Pattern 3: GCP Terraform with Cloud Run + Cloud SQL
InfraSketch supports GCP resources using the google_* provider prefix. Cloud Run services, Cloud SQL instances, Pub/Sub topics, GKE clusters, Cloud Storage buckets, and more all render with GCP icons.
resource "google_cloud_run_v2_service" "api" {
name = "api"
location = "us-central1"
template {
containers {
image = "gcr.io/my-project/api:latest"
env {
name = "DB_CONN"
value = google_sql_database_instance.main.connection_name
}
}
}
}
resource "google_sql_database_instance" "main" {
name = "app-db"
database_version = "POSTGRES_15"
region = "us-central1"
}
resource "google_pubsub_topic" "events" {
name = "app-events"
}
resource "google_storage_bucket" "assets" {
name = "my-project-assets"
location = "US"
}
Supported resource types
InfraSketch maps 85+ resource types across all three major providers:
- AWS networking: VPC, Subnet, ALB/NLB, Route 53, CloudFront, API Gateway, Transit Gateway, NAT Gateway
- AWS compute: EC2, ECS, EKS, Lambda, Elastic Beanstalk, Auto Scaling Groups
- AWS data: RDS, Aurora, DynamoDB, ElastiCache, Redshift, S3, Glacier
- AWS messaging: SQS, SNS, EventBridge, Kinesis, MSK (Kafka)
- AWS security: IAM, Security Groups, WAF, Shield, Secrets Manager, KMS
- AWS observability: CloudWatch, X-Ray
- GCP compute: GCE, GKE, Cloud Run, Cloud Functions, App Engine
- GCP data: Cloud SQL, Bigtable, Firestore, Spanner, BigQuery, Cloud Storage
- GCP networking: VPC, Load Balancer, Cloud DNS, Cloud CDN
- GCP messaging: Pub/Sub, Dataflow
- Azure: AKS, App Service, Functions, SQL, Cosmos DB, Service Bus, Key Vault, VNet, and 20+ more
Unrecognized resource types are silently skipped — they don't cause errors. The diagram shows what it knows and omits the rest.
How Terraform references become diagram connections
InfraSketch parses HCL attribute values for resource references in the pattern resource_type.resource_name.attribute. When it finds aws_subnet.private.id inside an aws_eks_cluster block, it draws an arrow from the EKS node to the subnet node. This covers the most common connection patterns:
vpc_id = aws_vpc.main.id→ containment inside VPC boundarysubnet_ids = [aws_subnet.private.id]→ placement in subnet lanesecurity_group_ids = [aws_security_group.app.id]→ connection to security group nodedb_subnet_group_name = aws_db_subnet_group.main.name→ RDS in database tierevent_source_arn = aws_sqs_queue.jobs.arn→ Lambda triggered by SQS
Module references like module.vpc.vpc_id also parse — the module name is shown as a dashed group boundary when module blocks are present in the input.
Export and share
Once your diagram is generated, export it in three formats:
- PNG — paste into Confluence, Notion, Slack, or any wiki
- SVG — scalable for presentations and design files
- draw.io XML — import into draw.io or diagrams.net for manual editing and annotation
The Share button generates a URL with your diagram state encoded in the hash — shareable without any server, since InfraSketch is 100% client-side.
Terraform diagram generator use cases
- PR reviews — paste a PR's
.tfchanges to see what new resources appear before merging - Onboarding — generate a diagram of your Terraform codebase and share it with new engineers instead of asking them to read HCL
- Architecture review boards — export PNG for design review submissions without touching Visio or Lucidchart
- Documentation — embed diagrams in README files, runbooks, and ADRs that stay in sync with your IaC
- Incident response — quickly diagram the affected infrastructure during an outage to understand blast radius
- Multi-cloud audits — diagram AWS + GCP or AWS + Azure resources from the same Terraform workspace
Generate your Terraform diagram now
Paste any .tf file and see your infrastructure topology in seconds. Free, no signup, nothing leaves your browser.
Frequently asked questions
Does InfraSketch run terraform plan or access my AWS account?
No. InfraSketch does static analysis of your HCL source code only. It never runs Terraform, never contacts AWS/GCP/Azure APIs, and never reads your state file. Your code is parsed locally in the browser and nothing is sent to any server.
Does it support Terraform modules?
InfraSketch parses module blocks and shows them as grouped boundaries in the diagram. Resources defined inside modules appear when you paste the module's .tf files into the input along with the root module — just concatenate the files together before pasting.
What about count and for_each resources?
Resources using count or for_each are shown as single nodes — InfraSketch doesn't expand them into multiple instances since it doesn't evaluate variable values. The diagram shows the intended architecture pattern rather than the exact instance count.
Can I use it with Terragrunt?
Yes — InfraSketch has a dedicated Terragrunt tab. Paste your terragrunt.hcl files to diagram the dependency graph between Terragrunt units. See the blog for a full Terragrunt walkthrough.
How is this different from terraform graph?
terraform graph outputs a raw dependency graph of every internal Terraform object — providers, variables, locals, outputs, and resources — which renders as an unreadable tangle for any real codebase. InfraSketch produces an architecture diagram grouped by logical layer, using only the resources you care about, with official cloud icons. It's intended for human communication, not debugging execution order.
Is it free?
Yes, InfraSketch is completely free with no usage limits. The source code is open on GitHub. There's no paid tier, no API key required, and no account to create.