In this article
- The Real-World DevOps Problem
- What is Terracognita?
- How to Run an Import
- Terracognita vs. Former2
- Automate the Next Step with Sunbird Insyte
The Real-World DevOps Problem
In a perfect, utopian DevOps world, every line of infrastructure is written in Terraform before it gets deployed. But in the real world, things are messy.
Sometimes you inherit a chaotic AWS account from a client where everything was built manually over the years by clicking around the console. Other times, a 2:00 AM production hotfix forces a developer to change a Security Group rule by hand to get the site back online, leaving your Terraform code and state out of sync with what is actually running.
In these situations, writing the Infrastructure as Code (IaC) from scratch to match what is already live in the cloud is slow and error-prone. This article shows how to automatically reverse-engineer your live AWS environment into valid Terraform code, saving hours of manual work.
What is Terracognita?
To solve this problem, we use a tool called Terracognita. Built by the team at Cycloid, Terracognita is an open-source CLI tool that reads your live cloud environment and generates Terraform (HCL) code.
More importantly, it also generates the accompanying .tfstate file, so the code it gives you is immediately under Terraform's management instead of needing a terraform import for every resource. Treat both files as sensitive: the state records attribute values pulled straight from the API, so keep it out of shared repositories, and review the HCL before the first terraform apply.
You can check out the open-source project and installation instructions in the Terracognita GitHub repository: https://github.com/cycloidio/terracognita
How to Run an Import
Once Terracognita is installed, running a scan is simple. It uses the AWS credentials already configured on your machine (your ~/.aws/credentials file or the usual environment variables). Since the tool only reads, give it a read-only identity, for example one with the AWS-managed ReadOnlyAccess policy, rather than the account's admin keys.
Here is the command to scan an account and export it to Terraform:
terracognita aws --aws-default-region us-east-1 --hcl ./terra.tf --tfstate state.tfstate
Breakdown of the command:
- aws: the cloud provider to scan.
- --aws-default-region us-east-1: the AWS region to pull resources from. The scan is scoped to one region per run, so repeat the command for each region you use.
- --hcl ./terra.tf: the file the generated Terraform code is written to.
- --tfstate state.tfstate: also write the Terraform state (JSON) file, so the resources are tracked and a terraform plan against the generated code shows no changes instead of trying to create everything again.
To limit the scan to particular resource types, add --include or --exclude with the type names; terracognita aws resources lists the types it supports. Before committing anything, run terraform init and terraform plan against the output: a plan with no changes is the proof that the import captured what is live.
Terracognita vs. Former2
If you have looked into exporting AWS to code before, you have probably come across Former2, a popular alternative that emits both CloudFormation and Terraform.
That makes it the better fit if you need CloudFormation as well. If you only need Terraform, though, be aware of two limitations we hit on real accounts that make Terracognita the more reliable choice:
1. Failing on Specific Services
Because Former2 translates large amounts of AWS API data into several output languages, its parser can be fragile. In our experience it crashed outright on accounts that used services such as Elastic Transcoder or had specific Cost and Usage Reports configured, while Terracognita handled the same edge cases without trouble.
2. Corrupting Terraform Syntax
The most frustrating issue we saw is how Former2 handles some resource tags. It tries to "humanize" its output: an EC2 instance with a tag key named CustomerID would occasionally come out with a space inserted, as Customer ID.
In a report that reads nicely. In HCL, a tag key is a map key: left unquoted, Customer ID is a syntax error, and even quoted it is a different key from the live CustomerID, so the first terraform plan would try to retag every affected resource. An automated tool loses its value if you have to spend hours hunting down and fixing keys by hand. Because Terracognita targets only Terraform, its output is considerably more reliable on this point.
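A cross-check worth running on any import before the first terraform plan, added here as an example written for this article rather than code from Terracognita or Former2: the state file is what the tool read from the AWS API, so comparing the generated HCL against it catches a resource that landed in one file but not the other, and a tag key that was rewritten on the way out, which is the CustomerID / Customer ID failure described above. The state and HCL samples are constructed, and the HCL reader is a deliberately small regex that understands only top-level resource blocks with a flat tags map.

```python
"""Cross-check a Terracognita import before the first terraform plan.

Added example for this article, not part of Terracognita. The state
file is what the tool read from the AWS API, so it is the ground truth;
the HCL is what will be reviewed and applied. Both samples below are
constructed, in the real Terraform state v4 and HCL layouts.
"""
import json
import re

AWS_PROVIDER = 'provider["registry.terraform.io/hashicorp/aws"]'

# Constructed sample state: two managed resources with their live tags.
SAMPLE_STATE = json.dumps({"version": 4, "terraform_version": "1.5.0", "resources": [
    {"mode": "managed", "type": "aws_instance", "name": "web", "provider": AWS_PROVIDER,
     "instances": [{"attributes": {"id": "i-0123", "tags": {"CustomerID": "42", "Name": "web"}}}]},
    {"mode": "managed", "type": "aws_security_group", "name": "web_sg", "provider": AWS_PROVIDER,
     "instances": [{"attributes": {"id": "sg-0abc", "tags": {"Name": "web-sg"}}}]},
]})

# Constructed sample HCL: one humanized tag key and one resource the
# state does not know about.
SAMPLE_HCL = '''
resource "aws_instance" "web" {
  ami           = "ami-12345678"
  instance_type = "t3.micro"
  tags = {
    "Customer ID" = "42"
    Name          = "web"
  }
}

resource "aws_security_group" "web_sg" {
  name = "web-sg"
  tags = {
    Name = "web-sg"
  }
}

resource "aws_s3_bucket" "orphan" {
  bucket = "only-in-hcl"
}
'''

RESOURCE_RE = re.compile(r'^resource\s+"([^"]+)"\s+"([^"]+)"\s*\{', re.M)
TAGS_RE = re.compile(r'\btags\s*=\s*\{(.*?)\n\s*\}', re.S)
# A tag line is either a quoted key or a bare identifier, then = "value".
TAG_LINE_RE = re.compile(r'^\s*(?:"([^"]+)"|([A-Za-z_][\w-]*))\s*=\s*"([^"]*)"\s*$')


def state_resources(state_json):
    """Map 'type.name' -> tags of the first instance, for managed resources."""
    out = {}
    for r in json.loads(state_json).get("resources", []):
        if r.get("mode") != "managed":
            continue
        inst = r.get("instances") or [{}]
        out[f'{r["type"]}.{r["name"]}'] = inst[0].get("attributes", {}).get("tags") or {}
    return out


def hcl_resources(hcl):
    """Map 'type.name' -> (tags parsed from HCL, tag lines that did not parse)."""
    out, starts = {}, list(RESOURCE_RE.finditer(hcl))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(hcl)
        tags, bad = {}, []
        block = TAGS_RE.search(hcl[m.end():end])
        for line in (block.group(1).splitlines() if block else []):
            if not line.strip():
                continue
            lm = TAG_LINE_RE.match(line)
            if lm:
                tags[lm.group(1) or lm.group(2)] = lm.group(3)
            else:
                bad.append(line.strip())  # e.g. an unquoted key containing a space
        out[f"{m.group(1)}.{m.group(2)}"] = (tags, bad)
    return out


def audit_import(state_json, hcl):
    """Return findings as strings; an empty list means HCL and state agree."""
    st, hc, findings = state_resources(state_json), hcl_resources(hcl), []
    for addr in sorted(set(st) - set(hc)):
        findings.append(f"{addr}: in state but not in HCL (terraform would destroy it)")
    for addr in sorted(set(hc) - set(st)):
        findings.append(f"{addr}: in HCL but not in state (terraform would create it)")
    for addr in sorted(set(st) & set(hc)):
        live, (tags, bad) = st[addr], hc[addr]
        for line in bad:
            findings.append(f"{addr}: unparseable tag line {line!r} (HCL syntax error)")
        for key in sorted(set(tags) - set(live)):
            squeezed = key.replace(" ", "")
            hint = ""
            if squeezed != key and squeezed in live:
                hint = f" (looks like humanized {squeezed!r})"
            findings.append(f"{addr}: tag key {key!r} is not on the live resource{hint}")
        for key in sorted(set(live) - set(tags)):
            findings.append(f"{addr}: live tag {key!r} is missing from the HCL")
    return findings


if __name__ == "__main__":
    for finding in audit_import(SAMPLE_STATE, SAMPLE_HCL):
        print(finding)
```

Run as-is it reports the three problems planted in the sample: the orphan bucket, the humanized Customer ID key, and the live CustomerID tag the HCL no longer carries. Pointed at a real state.tfstate and terra.tf, an empty list means the two files agree on resources and tags; it does not replace terraform plan -detailed-exitcode, which exercises the full provider schema, but it pinpoints the tag problem far faster than reading a plan with hundreds of updates.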
Automate the Next Step with Sunbird Insyte
If you are a Fractional CTO, DevOps consultant, or agency owner, generating this Terraform code is just step one. Step two is actually figuring out how much money is being wasted inside that architecture and identifying security vulnerabilities.
Instead of manually parsing through thousands of lines of generated code, you can automate the entire process.
We built Terracognita directly into Sunbird Insyte. Our platform automatically connects to your AWS account, reverse-engineers the infrastructure, and uses an AI-driven FinOps engine to tell you exactly which resources are driving up your bill and how to fix them.