terraformer

Overview

A CLI tool that generates tf and tfstate files based on existing infrastructure (reverse Terraform).

Detected project type: Go.

This repository was migrated from upstream source github.com/shafiqalibhai/terraformer and is preserved here for archival, reference, or continued local development.

At a glance

• Default branch: master
• Visibility: public
• Size: 41.0 MB
• Created: 2026-04-27
• Last updated: 2026-04-27
• Stars / Forks / Open issues: 0 / 0 / 0
• License: Apache-2.0

Languages

Language	Bytes	Share
Go	478,370 bytes	100.0%

Repository structure

• .github/
• cmd/
• docs/
• providers/
• snap/
• terraform_utils/
• tests/
• vendor/
• .gitignore (57 B)
• .travis.yml (293 B)
• AUTHORS (302 B)
• CODE_OF_CONDUCT.md (3,210 B)
• CONTRIBUTING.md (1,100 B)
• go.mod (3,560 B)
• go.sum (89,300 B)
• LICENSE (11,357 B)
• main.go (1,136 B)
• README.md (22,081 B)

Getting started

Clone the repository:

git clone https://forgejo.deployview.com/ssa/terraformer.git
cd terraformer

Installation

go build ./...

Usage

go run ./...

Original README

The content below is preserved from the previous README. Headings have been demoted so they don't compete with the new top-level sections.

A CLI tool that generates tf and tfstate files based on existing infrastructure (reverse Terraform).

• Disclaimer: This is not an official Google product
• Status: beta - we still need to improve documentation, squash some bugs, etc...
• Created by: Waze SRE

Table of Contents

• Capabilities
• Installation
• Supported providers
  • Google Cloud
  • AWS
  • Azure
  • OpenStack
  • Kubernetes
  • Github
  • Datadog
  • Cloudflare
  • Logzio
  • NewRelic
  • Heroku
• Contributing
• Developing
• Infrastructure

Capabilities

1. Generate tf + tfstate files from existing infrastructure for all supported objects by resource.
2. Remote state can be uploaded to a GCS bucket.
3. Connect between resources with terraform_remote_state (local and bucket).
4. Save tf files using a custom folder tree pattern.
5. Import by resource name and type.
6. Support terraform 0.12 (for terraform 0.11 use v0.7.9)

Terraformer uses terraform providers and is designed to easily support newly added resources. To upgrade resources with new fields, all you need to do is upgrade the relevant terraform providers.

Import current State to terraform configuration from google cloud

Usage:
   import google [flags]
   import google [command]

Available Commands:
  list        List supported resources for google provider

Flags:
  -b, --bucket string         gs://terraform-state
  -c, --connect                (default true)
  -f, --filter strings        google_compute_firewall=id1:id2:id4
  -h, --help                  help for google
  -o, --path-output string     (default "generated")
  -p, --path-pattern string   {output}/{provider}/custom/{service}/ (default "{output}/{provider}/{service}/")
      --projects strings
  -z, --regions strings       europe-west1, (default [global])
  -r, --resources strings     firewalls,networks
  -s, --state string          local or bucket (default "local")

Use " import google [command] --help" for more information about a command.

Permissions

Read-only permissions

Filtering

Filters are a way to choose which resources terraformer imports.

For example:

terraformer import aws --resources=vpc,subnet --filter=aws_vpc=myvpcid --regions=eu-west-1

will only import the vpc with id myvpcid.

Resources ID

Filtering is based on Terraform resource ID patterns. To find valid ID patterns for your resource, check the import part of Terraform documentation.

Planning

The plan command generates a planfile that contains all the resources set to be imported. By modifying the planfile before running the import command, you can rename or filter the resources you'd like to import.

The rest of subcommands and parameters are identical to the import command.

$ terraformer plan google --resources=networks,firewalls --projects=my-project --zone=europe-west1-d
(snip)

Saving planfile to generated/google/my-project/terraformer/plan.json

After reviewing/customizing the planfile, begin the import by running import plan.

$ terraformer import plan generated/google/my-project/terraformer/plan.json

Installation

From source:

1. Run git clone <terraformer repo>
2. Run GO111MODULE=on go mod vendor
3. Run go build -v
4. Run terraform init against an init.tf file to install the plugins required for your platform. For example, if you need plugins for the google provider, init.tf should contain:

provider "google" {}

Or alternatively

4. Copy your Terraform provider's plugin(s) to folder ~/.terraform.d/plugins/{darwin,linux}_amd64/, as appropriate.

From Releases:

• Linux

curl -LO https://github.com/GoogleCloudPlatform/terraformer/releases/download/$(curl -s https://api.github.com/repos/GoogleCloudPlatform/terraformer/releases/latest | grep tag_name | cut -d '"' -f 4)/terraformer-linux-amd64
chmod +x terraformer-linux-amd64
sudo mv terraformer-linux-amd64 /usr/local/bin/terraformer

• MacOS

curl -LO https://github.com/GoogleCloudPlatform/terraformer/releases/download/$(curl -s https://api.github.com/repos/GoogleCloudPlatform/terraformer/releases/latest | grep tag_name | cut -d '"' -f 4)/terraformer-darwin-amd64
chmod +x terraformer-darwin-amd64
sudo mv terraformer-darwin-amd64 /usr/local/bin/terraformer

Using a package manager

If you want to use a package manager:

• Homebrew users can use brew install terraformer.

Links to download terraform providers:

• google cloud provider >2.11.0 - here
• aws provider >2.25.0 - here
• azurerm provider >1.35.0 - here
• openstack provider >1.21.1 - here
• kubernetes provider >=1.9.0 - here
• github provider >=2.2.1 - here
• datadog provider >2.1.0 - here
• cloudflare provider >1.16 - here
• logzio provider >=1.1.1 - here

Information on provider plugins: https://www.terraform.io/docs/configuration/providers.html

Use with GCP

Example:

terraformer import google --resources=gcs,forwardingRules,httpHealthChecks --connect=true --regions=europe-west1,europe-west4 --projects=aaa,fff
terraformer import google --resources=gcs,forwardingRules,httpHealthChecks --filter=google_compute_firewall=rule1:rule2:rule3 --regions=europe-west1 --projects=aaa,fff

List of supported GCP services:

• addresses
  • google_compute_address
• autoscalers
  • google_compute_autoscaler
• backendBuckets
  • google_compute_backend_bucket
• backendServices
  • google_compute_backend_service
• bigQuery
  • google_bigquery_dataset
  • google_bigquery_table
• schedulerJobs
  • google_cloud_scheduler_job
• disks
  • google_compute_disk
• firewalls
  • google_compute_firewall
• forwardingRules
  • google_compute_forwarding_rule
• globalAddresses
  • google_compute_global_address
• globalForwardingRules
  • google_compute_global_forwarding_rule
• healthChecks
  • google_compute_health_check
• httpHealthChecks
  • google_compute_http_health_check
• httpsHealthChecks
  • google_compute_https_health_check
• images
  • google_compute_image
• instanceGroupManagers
  • google_compute_instance_group_manager
• instanceGroups
  • google_compute_instance_group
• instanceTemplates
  • google_compute_instance_template
• instances
  • google_compute_instance
• interconnectAttachments
  • google_compute_interconnect_attachment
• memoryStore
  • google_redis_instance
• networks
  • google_compute_network
• nodeGroups
  • google_compute_node_group
• nodeTemplates
  • google_compute_node_template
• regionAutoscalers
  • google_compute_region_autoscaler
• regionBackendServices
  • google_compute_region_backend_service
• regionDisks
  • google_compute_region_disk
• regionInstanceGroupManagers
  • google_compute_region_instance_group_manager
• routers
  • google_compute_router
• routes
  • google_compute_route
• securityPolicies
  • google_compute_security_policy
• sslPolicies
  • google_compute_ssl_policy
• subnetworks
  • google_compute_subnetwork
• targetHttpProxies
  • google_compute_target_http_proxy
• targetHttpsProxies
  • google_compute_target_https_proxy
• targetInstances
  • google_compute_target_instance
• targetPools
  • google_compute_target_pool
• targetSslProxies
  • google_compute_target_ssl_proxy
• targetTcpProxies
  • google_compute_target_tcp_proxy
• targetVpnGateways
  • google_compute_vpn_gateway
• urlMaps
  • google_compute_url_map
• vpnTunnels
  • google_compute_vpn_tunnel
• gke
  • google_container_cluster
  • google_container_node_pool
• pubsub
  • google_pubsub_subscription
  • google_pubsub_topic
• dataProc
  • google_dataproc_cluster
• cloudFunctions
  • google_cloudfunctions_function
• gcs
  • google_storage_bucket
  • google_storage_bucket_acl
  • google_storage_default_object_acl
  • google_storage_bucket_iam_binding
  • google_storage_bucket_iam_member
  • google_storage_bucket_iam_policy
  • google_storage_notification
• monitoring
  • google_monitoring_alert_policy
  • google_monitoring_group
  • google_monitoring_notification_channel
  • google_monitoring_uptime_check_config
• dns
  • google_dns_managed_zone
  • google_dns_record_set
• cloudsql
  • google_sql_database_instance
  • google_sql_database
• kms
  • google_kms_key_ring
  • google_kms_crypto_key
• project
  • google_project
• logging
  • google_logging_metric

Your tf and tfstate files are written by default to generated/gcp/zone/service.

Use with AWS

Example:

 terraformer import aws --resources=vpc,subnet --connect=true --regions=eu-west-1 --profile=prod
 terraformer import aws --resources=vpc,subnet --filter=aws_vpc=vpc_id1:vpc_id2:vpc_id3 --regions=eu-west-1

To load profiles from the shared AWS configuration file (typically ~/.aws/config), set the AWS_SDK_LOAD_CONFIG to true:

AWS_SDK_LOAD_CONFIG=true terraformer import aws --resources=vpc,subnet --regions=eu-west-1 --profile=prod

You can also provide no regions when importing resources:

terraformer import aws --resources=cloudfront --profile=prod

In that case terraformer will not know with which region resources are associated with and will not assume any region. That scenario is useful in case of global resources (e.g. CloudFront distributions or Route 53 records) and when region is passed implicitly through environmental variables or metadata service.

List of supported AWS services:

• elb
  • aws_elb
• alb (supports ALB and NLB)
  • aws_lb
  • aws_lb_listener
  • aws_lb_listener_rule
  • aws_lb_listener_certificate
  • aws_lb_target_group
  • aws_lb_target_group_attachment
• auto_scaling
  • aws_autoscaling_group
  • aws_launch_configuration
  • aws_launch_template
• rds
  • aws_db_instance
  • aws_db_parameter_group
  • aws_db_subnet_group
  • aws_db_option_group
  • aws_db_event_subscription
• iam
  • aws_iam_role
  • aws_iam_role_policy
  • aws_iam_user
  • aws_iam_user_group_membership
  • aws_iam_user_policy
  • aws_iam_policy_attachment
  • aws_iam_policy
  • aws_iam_group
  • aws_iam_group_membership
  • aws_iam_group_policy
• igw
  • aws_internet_gateway
• nat
  • aws_nat_gateway
• nacl
  • aws_network_acl
• s3
  • aws_s3_bucket
  • aws_s3_bucket_policy
• sg
  • aws_security_group
• subnet
  • aws_subnet
• vpc
  • aws_vpc
• vpc_peering
  • aws_vpc_peering_connection
• vpn_connection
  • aws_vpn_connection
• vpn_gateway
  • aws_vpn_gateway
• route53
  • aws_route53_zone
  • aws_route53_record
• acm
  • aws_acm_certificate
• elasticache
  • aws_elasticache_cluster
  • aws_elasticache_parameter_group
  • aws_elasticache_subnet_group
  • aws_elasticache_replication_group
• cloudfront
  • aws_cloudfront_distribution
• ec2_instance
  • aws_instance
• eip
  • aws_eip
• firehose
  • aws_kinesis_firehose_delivery_stream
• glue
  • glue_crawler
• route_table
  • aws_route_table
• ebs
  • aws_ebs_volume
  • aws_volume_attachment
• sqs
  • aws_sqs_queue
• sns
  • aws_sns_topic
  • aws_sns_topic_subscription
• ecs
  • aws_ecs_cluster
  • aws_ecs_service
  • aws_ecs_task_definition
• es
  • aws_elasticsearch_domain
• organization
  • aws_organizations_account
  • aws_organizations_organization
  • aws_organizations_organizational_unit
  • aws_organizations_policy
  • aws_organizations_policy_attachment
• dynamodb
  • aws_dynamodb_table
• cloudtrail
  • aws_cloudtrail
• kinesis
  • aws_kinesis_stream

Use with Azure

Example:

export ARM_CLIENT_ID=[CLIENT_ID]
export ARM_CLIENT_SECRET=[CLIENT_SECRET]
export ARM_SUBSCRIPTION_ID=[SUBSCRIPTION_ID]
export ARM_TENANT_ID=[TENANT_ID]

export AZURE_CLIENT_ID=[CLIENT_ID]
export AZURE_CLIENT_SECRET=[CLIENT_SECRET]
export AZURE_TENANT_ID=[TENANT_ID]

./terraformer import azure -r resource_group

List of supported Azure resources:

• resource_group
  • azurerm_resource_group

Use with OpenStack

Example:

 terraformer import openstack --resources=compute,networking --regions=RegionOne

List of supported OpenStack services:

• compute
  • openstack_compute_instance_v2
• networking
  • openstack_networking_secgroup_v2
  • openstack_networking_secgroup_rule_v2
• blockstorage
  • openstack_blockstorage_volume_v1
  • openstack_blockstorage_volume_v2
  • openstack_blockstorage_volume_v3

Use with Kubernetes

Example:

 terraformer import kubernetes --resources=deployments,services,storageclasses
 terraformer import kubernetes --resources=deployments,services,storageclasses --filter=kubernetes_deployment=name1:name2:name3

All kubernetes resources that are currently supported by the kubernetes provider, are also supported by this module. Here is the list of resources which are currently supported by kubernetes provider v.1.4:

• clusterrolebinding
  • kubernetes_cluster_role_binding
• configmaps
  • kubernetes_config_map
• deployments
  • kubernetes_deployment
• horizontalpodautoscalers
  • kubernetes_horizontal_pod_autoscaler
• limitranges
  • kubernetes_limit_range
• namespaces
  • kubernetes_namespace
• persistentvolumes
  • kubernetes_persistent_volume
• persistentvolumeclaims
  • kubernetes_persistent_volume_claim
• pods
  • kubernetes_pod
• replicationcontrollers
  • kubernetes_replication_controller
• resourcequotas
  • kubernetes_resource_quota
• secrets
  • kubernetes_secret
• services
  • kubernetes_service
• serviceaccounts
  • kubernetes_service_account
• statefulsets
  • kubernetes_stateful_set
• storageclasses
  • kubernetes_storage_class

Known issues

• Terraform kubernetes provider is rejecting resources with ":" characters in their names (as they don't meet DNS-1123), while it's allowed for certain types in kubernetes, e.g. ClusterRoleBinding.
• Because terraform flatmap uses "." to detect the keys for unflattening the maps, some keys with "." in their names are being considered as the maps.
• Since the library assumes empty strings to be empty values (not "0"), there are some issues with optional integer keys that are restricted to be positive.

Use with Github

Example:

 ./terraformer import github --organizations=YOUR_ORGANIZATION --resources=repositories --token=YOUR_TOKEN // or GITHUB_TOKEN in env
 ./terraformer import github --organizations=YOUR_ORGANIZATION --resources=repositories --filter=github_repository=id1:id2:id4 --token=YOUR_TOKEN // or GITHUB_TOKEN in env

Supports only organizational resources. List of supported resources:

• repositories
  • github_repository
  • github_repository_webhook
  • github_branch_protection
  • github_repository_collaborator
  • github_repository_deploy_key
• teams
  • github_team
  • github_team_membership
  • github_team_repository
• members
  • github_membership
• organization_webhooks
  • github_organization_webhook

Notes:

• Terraformer can't get webhook secrets from the github API. If you use a secret token in any of your webhooks, running terraform plan will result in a change being detected: => configuration.#: "1" => "0" in tfstate only.

Use with Datadog

Example:

 ./terraformer import datadog --resources=monitor --api-key=YOUR_DATADOG_API_KEY // or DATADOG_API_KEY in env --app-key=YOUR_DATADOG_APP_KEY // or DATADOG_APP_KEY in env
 ./terraformer import datadog --resources=monitor --filter=datadog_monitor=id1:id2:id4 --api-key=YOUR_DATADOG_API_KEY // or DATADOG_API_KEY in env --app-key=YOUR_DATADOG_APP_KEY // or DATADOG_APP_KEY in env

List of supported Datadog services:

• downtime
  • datadog_downtime
• monitor
  • datadog_monitor
• dashboard
  • datadog_dashboard
• screenboard
  • datadog_screenboard
• synthetics
  • datadog_synthetics_test
• timeboard
  • datadog_timeboard
• user
  • datadog_user

Use with Cloudflare

Example:

CLOUDFLARE_TOKEN=[CLOUDFLARE_API_TOKEN]
CLOUDFLARE_EMAIL=[CLOUDFLARE_EMAIL]
 ./terraformer import cloudflare --resources=firewall,dns

List of supported Cloudflare services:

• firewall
  • cloudflare_access_rule
  • cloudflare_filter
  • cloudflare_firewall_rule
  • cloudflare_zone_lockdown
• dns
  • cloudflare_zone
  • cloudflare_record
• access
  • cloudflare_access_application

Use with Logz.io

Example:

 LOGZIO_API_TOKEN=foobar LOGZIO_BASE_URL=https://api-eu.logz.io ./terraformer import logzio -r=alerts,alert_notification_endpoints // Import Logz.io alerts and alert notification endpoints

List of supported Logz.io resources:

• alerts
  • logzio_alert
• alert notification endpoints
  • logzio_endpoint

Use with NewRelic

Example:

NEWRELIC_API_KEY=[API-KEY]
./terraformer import newrelic -r alert,dashboard,infra,synthetics

List of supported NewRelic resources:

• alert
  • newrelic_alert_channel
  • newrelic_alert_condition
  • newrelic_alert_policy
• dashboard
  • newrelic_dashboard
• infra
  • newrelic_infra_alert_condition
• synthetics
  • newrelic_synthetics_monitor
  • newrelic_synthetics_alert_condition

Use with Heroku

Example:

export HEROKU_EMAIL=[HEROKU_EMAIL]
export HEROKU_API_KEY=[HEROKU_API_KEY]
./terraformer import heroku -r app,addon

List of supported Heroku resources:

• addon
  • heroku_addon
• app
  • heroku_app

Contributing

If you have improvements or fixes, we would love to have your contributions. Please read CONTRIBUTING.md for more information on the process we would like contributors to follow.

Developing

Terraformer was built so you can easily add new providers of any kind.

Process for generating tf + tfstate files:

1. Call GCP/AWS/other api and get list of resources.
2. Iterate over resources and take only the ID (we don't need mapping fields!)
3. Call to provider for readonly fields.
4. Call to infrastructure and take tf + tfstate.

Infrastructure

1. Call to provider using the refresh method and get all data.
2. Convert refresh data to go struct.
3. Generate HCL file - tf files.
4. Generate tfstate files.

All mapping of resource is made by providers and Terraform. Upgrades are needed only for providers.

GCP compute resources

For GCP compute resources, use generated code from providers/gcp/gcp_compute_code_generator.

To regenerate code:

go run providers/gcp/gcp_compute_code_generator/*.go

Similar projects

terraforming

Terraformer Benefits

• Simpler to add new providers and resources - already supports AWS, GCP, Github, Kubernetes, and Openstack. Terraforming supports only AWS.
• Better support for HCL + tfstate, including updates for Terraform 0.12
• If a provider adds new attributes to a resource, there is no need change Terraformer code - just update the terraform provider on your laptop.
• Automatically supports connections between resources in HCL files

Comparison

Terraforming gets all attributes from cloud APIs and creates HCL and tfstate files with templating. Each attribute in the API needs to map to attribute in terraform. Generated files from templating can be broken with illegal syntax. When a provider adds new attributes the terraforming code needs to be updated.

Terraformer instead uses terraform provider files for mapping attributes, HCL library from hashicorp, and terraform code.

Look for S3 support in Terraforming here and official s3 support Terraforming lacks full coverage for resources - as an example you can see that 70% of s3 options are not supported:

• terraforming - https://github.com/dtan4/terraforming/blob/master/lib/terraforming/template/tf/s3.erb
• official s3 support - https://www.terraform.io/docs/providers/aws/r/s3_bucket.html

Contributing

Contributions are welcome. The typical workflow is:

1. Open an issue describing the change you'd like to make.
2. Fork the repository (or create a feature branch if you have write access).
3. Commit your changes with clear, descriptive messages.
4. Open a pull request against the master branch.

Please follow the existing code style and include tests or reproduction steps where relevant.

License

This project is licensed under the Apache-2.0 license. See the LICENSE file for the full text.

Repository

• Browse: https://forgejo.deployview.com/ssa/terraformer
• Clone (HTTPS): https://forgejo.deployview.com/ssa/terraformer.git
• Clone (SSH): ssh://git@forgejo.deployview.com:30143/ssa/terraformer.git
• Upstream / origin: github.com/shafiqalibhai/terraformer

---

This README was generated automatically based on repository metadata, contents, and any prior README content. Edit any section above to add project-specific detail.