Terraformer

This project is no longer maintained and is deprecated.

As of March 16, 2026, this repository has been archived. It is now read-only, and no further updates, security patches, or support will be provided.

A CLI tool that generates tf/json and tfstate files based on existing infrastructure (reverse Terraform).

• Disclaimer: This is not an official Google product
• Created by: Waze SRE

Table of Contents

• Demo GCP
• Capabilities
• Installation
• Supported Providers
  • Major Cloud
    • Google Cloud
    • AWS
    • Azure
    • AliCloud
    • IBM Cloud
  • Cloud
    • DigitalOcean
    • Equinix Metal
    • Fastly
    • Heroku
    • LaunchDarkly
    • Linode
    • NS1
    • OpenStack
    • TencentCloud
    • Vultr
    • Yandex Cloud
    • Ionos Cloud
  • Infrastructure Software
    • Kubernetes
    • OctopusDeploy
    • RabbitMQ
  • Network
    • Cloudflare (broken, see #1761)
    • Myrasec
    • PAN-OS
  • VCS
    • Azure DevOps
    • GitHub
    • Gitlab
  • Monitoring & System Management
    • Datadog
    • New Relic
    • Mackerel
    • PagerDuty
    • Opsgenie
    • Honeycomb.io
    • Opal
  • Community
    • Keycloak
    • Logz.io
    • Commercetools
    • Mikrotik
    • Xen Orchestra
    • GmailFilter
    • Grafana
    • Vault
  • Identity
    • Okta
    • Auth0
    • AzureAD
• Contributing
• Developing
• Infrastructure
• Stargazers over time

Demo GCP

Capabilities

1. Generate tf/json + tfstate files from existing infrastructure for all supported objects by resource.
2. Remote state can be uploaded to a GCS bucket.
3. Connect between resources with terraform_remote_state (local and bucket).
4. Save tf/json files using a custom folder tree pattern.
5. Import by resource name and type.
6. Support terraform 0.13 (for terraform 0.11 use v0.7.9).

Terraformer uses Terraform providers and is designed to easily support newly added resources. To upgrade resources with new fields, all you need to do is upgrade the relevant Terraform providers.

Import current state to Terraform configuration from a provider

Usage:
   import [provider] [flags]
   import [provider] [command]

Available Commands:
  list        List supported resources for a provider

Flags:
  -b, --bucket string         gs://terraform-state
  -c, --connect                (default true)
  -С, --compact                (default false)
  -x, --excludes strings      firewalls,networks
  -f, --filter strings        compute_firewall=id1:id2:id4
  -h, --help                  help for google
  -O, --output string         output format hcl or json (default "hcl")
  -o, --path-output string     (default "generated")
  -p, --path-pattern string   {output}/{provider}/ (default "{output}/{provider}/{service}/")
      --projects strings
  -z, --regions strings       europe-west1, (default [global])
  -r, --resources strings     firewall,networks or * for all services
  -s, --state string          local or bucket (default "local")
  -v, --verbose               verbose mode
  -n, --retry-number          number of retries to perform if refresh fails
  -m, --retry-sleep-ms        time in ms to sleep between retries

Use " import [provider] [command] --help" for more information about a command.

Permissions

The tool requires read-only permissions to list service resources.

Resources

You can use --resources parameter to tell resources from what service you want to import.

To import resources from all services, use --resources="*" . If you want to exclude certain services, you can combine the parameter with --excludes to exclude resources from services you don't want to import e.g. --resources="*" --excludes="iam".

Filtering

Filters are a way to choose which resources terraformer imports. It's possible to filter resources by its identifiers or attributes. Multiple filtering values are separated by :. If an identifier contains this symbol, value should be wrapped in ' e.g. --filter=resource=id1:'project:dataset_id'. Identifier based filters will be executed before Terraformer will try to refresh remote state.

Use Type when you need to filter only one of several types of resources. Multiple filters can be combined when importing different resource types. An example would be importing all AWS security groups from a specific AWS VPC:

terraformer import aws -r sg,vpc --filter Type=sg;Name=vpc_id;Value=VPC_ID --filter Type=vpc;Name=id;Value=VPC_ID

Notice how the Name is different for sg than it is for vpc.

Migration state version

For terraform >= 0.13, you can use replace-provider to migrate state from previous versions.

Example usage:

terraform state replace-provider -auto-approve "registry.terraform.io/-/aws" "hashicorp/aws"

Resource ID

Filtering is based on Terraform resource ID patterns. To find valid ID patterns for your resource, check the import part of the Terraform documentation.

Example usage:

terraformer import aws --resources=vpc,subnet --filter=vpc=myvpcid --regions=eu-west-1

Will only import the vpc with id myvpcid. This form of filters can help when it's necessary to select resources by its identifiers.

Field name only

It is possible to filter by specific field name only. It can be used e.g. when you want to retrieve resources only with a specific tag key.

Example usage:

terraformer import aws --resources=s3 --filter="Name=tags.Abc" --regions=eu-west-1

Will only import the s3 resources that have tag Abc. This form of filters can help when the field values are not important from filtering perspective.

Field with dots

It is possible to filter by a field that contains a dot.

Example usage:

terraformer import aws --resources=s3 --filter="Name=tags.Abc.def" --regions=eu-west-1

Will only import the s3 resources that have tag Abc.def.

Planning

The plan command generates a planfile that contains all the resources set to be imported. By modifying the planfile before running the import command, you can rename or filter the resources you'd like to import.

The rest of subcommands and parameters are identical to the import command.

$ terraformer plan google --resources=networks,firewall --projects=my-project --regions=europe-west1-d
(snip)

Saving planfile to generated/google/my-project/terraformer/plan.json

After reviewing/customizing the planfile, begin the import by running import plan.

$ terraformer import plan generated/google/my-project/terraformer/plan.json

Resource structure

Terraformer by default separates each resource into a file, which is put into a given service directory.

The default path for resource files is {output}/{provider}/{service}/{resource}.tf and can vary for each provider.

It's possible to adjust the generated structure by:

1. Using --compact parameter to group resource files within a single service into one resources.tf file
2. Adjusting the --path-pattern parameter and passing e.g. --path-pattern {output}/{provider}/ to generate resources for all services in one directory

It's possible to combine --compact --path-pattern parameters together.

Installation

Both Terraformer and a Terraform provider plugin need to be installed.

Terraformer

From a package manager

• Homebrew users can use brew install terraformer.
• MacPorts users can use sudo port install terraformer.
• Chocolatey users can use choco install terraformer.

From releases This installs all providers, set PROVIDER to one of google, aws or kubernetes if you only need one.

• Linux