Azure Terraform Diagram

Serhii Voinolovych

39 installs | (0) | Free
Generate Microsoft Azure-style infrastructure diagrams from Terraform projects with DevOps insights

Generate beautiful Microsoft Azure-style infrastructure diagrams from your Terraform projects automatically, with comprehensive DevOps insights including security analysis, cost estimation, and infrastructure metadata.

Features

Core Diagram Features

  • Auto-generate diagrams on save - Automatically creates architecture.png when you save any .tf file
  • Resource Group Grouping - Resources are visually grouped inside their resource groups for clear organization
  • Multi-project Support - Each Terraform project folder gets its own separate diagram
  • Interactive webview - Explore your infrastructure with pan, zoom, and click-to-navigate
  • Azure-style visuals - Uses official Microsoft Azure icons and color schemes
  • Dependency visualization - Shows connections between resources with smart orthogonal routing
  • Resource tooltips - Hover for full details, click to jump to source code

DevOps Intelligence (NEW)

  • Security Badges - Visual indicators for security issues (missing encryption, public endpoints, weak TLS)
  • Cost Estimation - Monthly cost estimates displayed on resources and total architecture cost
  • SKU Labels - Resource tier and SKU information visible at a glance
  • Tag Compliance - Badges showing missing required tags
  • Network Topology - CIDR ranges, private endpoint indicators, data flow visualization
  • Terraform Info Sidebar - Providers, backend config, modules, variables, and outputs from HCL files

Installation

From VS Code Marketplace

Search for "Azure Terraform Diagram" in VS Code Extensions, or install from: https://marketplace.visualstudio.com/items?itemName=SerhiiVoinolovych.azure-terraform-diagram

From VSIX

  1. Download the .vsix file
  2. In VS Code, open Command Palette (Cmd+Shift+P / Ctrl+Shift+P)
  3. Run "Extensions: Install from VSIX..."
  4. Select the downloaded file

Usage

Automatic Diagram Generation

Simply save any .tf file in your workspace. The extension automatically:

  1. Parses Terraform files in the same folder as the saved file
  2. Analyzes security posture, estimates costs, and extracts infrastructure metadata
  3. Generates an architecture.png in that folder
  4. Shows a status bar confirmation

This allows you to have multiple Terraform projects in one workspace (e.g., task01/, task02/) and each will get its own separate architecture.png.

Generate Diagram for Specific Folder

Right-click on any folder in the VS Code Explorer and select "Generate Azure Infrastructure Diagram" to generate a diagram for just that folder's Terraform resources.

Manual Commands

Open Command Palette (Cmd+Shift+P / Ctrl+Shift+P) and run:

Command | Description
Azure Terraform: Generate Azure Infrastructure Diagram | Opens interactive diagram in a new panel
Azure Terraform: Export Architecture Diagram as PNG | Manually exports diagram to PNG file

Interactive Diagram Controls

  • Pan - Click and drag to move around
  • Zoom - Mouse wheel or use the +/- buttons
  • Fit to Screen - Click the fit button to see all resources
  • Search - Filter resources by name or type
  • Click resource - Opens the source .tf file at the resource definition

Configuration

Configure the extension in VS Code Settings (Cmd+, / Ctrl+,):

General Settings

Setting | Default | Description
azureTerraformDiagram.autoGenerateOnSave | true | Automatically generate architecture.png when saving .tf files
azureTerraformDiagram.outputFileName | architecture.png | Output file name for the generated diagram
azureTerraformDiagram.scopeToFolder | true | Generate diagram only for the folder containing the saved .tf file
azureTerraformDiagram.theme | auto | Diagram color theme (auto, light, dark)
azureTerraformDiagram.showModuleDetails | true | Show detailed module information
azureTerraformDiagram.excludeResourceTypes | [] | Resource types to exclude (e.g., azurerm_role_assignment)

Security & Compliance Settings

Setting | Default | Description
azureTerraformDiagram.security.showBadges | true | Show security assessment badges on diagram nodes
azureTerraformDiagram.security.severityThreshold | medium | Minimum severity level to show (critical, high, medium, low, info)
azureTerraformDiagram.compliance.showTagBadges | true | Show tag compliance badges on diagram nodes
azureTerraformDiagram.compliance.requiredTags | ["environment", "owner"] | List of required tags for compliance checking

Cost Management Settings

Setting | Default | Description
azureTerraformDiagram.cost.showEstimates | true | Show monthly cost estimates on diagram nodes
azureTerraformDiagram.cost.currency | USD | Currency for cost estimates (USD, EUR, GBP, JPY, CAD, AUD)
azureTerraformDiagram.showSKULabels | true | Show SKU/tier information on diagram nodes

Network Visualization Settings

Setting | Default | Description
azureTerraformDiagram.network.showCIDR | true | Show CIDR ranges for network resources
azureTerraformDiagram.network.showPrivateEndpoints | true | Show private endpoint indicators on applicable resources
azureTerraformDiagram.network.showDataFlows | true | Show data flow connections between resources

Layout Settings

Setting | Default | Description
azureTerraformDiagram.layout.mode | auto | Layout mode: auto, hierarchical, network, or zones

DevOps Features

Security Analysis

The extension automatically analyzes your Terraform configuration for security best practices:

Check | Severity | Description
Public blob access | High | Storage accounts with allow_nested_items_to_be_public = true
Weak TLS | Medium | Resources with TLS version below 1.2
Missing network rules | High | Storage accounts without network restrictions
Public SQL access | High | SQL servers with public_network_access_enabled = true
Missing purge protection | Medium | Key Vaults without purge protection enabled
Public AKS cluster | Medium | AKS clusters without private_cluster_enabled
Missing NSG | High | Compute resources without NSG association
Missing managed identity | Low | Resources without managed identity configured
Unencrypted storage | High | Storage without encryption at rest
Missing HTTPS | Medium | App Services without HTTPS-only enforcement

Security badges appear in the top-right corner of affected resources:

  • Red - Critical severity
  • Orange - High severity
  • Yellow - Medium severity
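
Several checks from the table above, together with the security.severityThreshold filter, can be sketched as a small rule evaluator. This is an added example, not the extension's own code: the attribute names are azurerm provider arguments, while the Resource shape, the rule ids and the SAMPLE data are assumptions constructed for illustration.

```typescript
// Added example, not the extension's code. Attribute names are azurerm provider
// arguments; the Resource shape, rule ids and SAMPLE data are constructed.
type Severity = "critical" | "high" | "medium" | "low" | "info";
type Attrs = Record<string, unknown>;
interface Resource { type: string; name: string; attrs: Attrs }
interface Rule { id: string; severity: Severity; types: string[]; fails: (a: Attrs) => boolean }
interface Finding { resource: string; rule: string; severity: Severity }

// Lowest to highest, so a threshold keeps every rule at or above its index.
const ORDER: Severity[] = ["info", "low", "medium", "high", "critical"];

// Matches "TLS1_0"/"TLS1_1" (storage account) and "1.0"/"1.1" (SQL server).
const weakTls = (v: unknown): boolean => typeof v === "string" && /^(TLS)?1[._][01]$/.test(v);

const RULES: Rule[] = [
  { id: "public-blob-access", severity: "high", types: ["azurerm_storage_account"],
    fails: a => a["allow_nested_items_to_be_public"] === true },
  { id: "weak-tls", severity: "medium", types: ["azurerm_storage_account", "azurerm_mssql_server"],
    fails: a => weakTls(a["min_tls_version"]) || weakTls(a["minimum_tls_version"]) },
  { id: "public-sql-access", severity: "high", types: ["azurerm_mssql_server"],
    fails: a => a["public_network_access_enabled"] === true },
  { id: "missing-purge-protection", severity: "medium", types: ["azurerm_key_vault"],
    fails: a => a["purge_protection_enabled"] !== true },
  { id: "public-aks-cluster", severity: "medium", types: ["azurerm_kubernetes_cluster"],
    fails: a => a["private_cluster_enabled"] !== true },
  { id: "missing-https", severity: "medium", types: ["azurerm_linux_web_app", "azurerm_windows_web_app"],
    fails: a => a["https_only"] !== true },
];

// Returns findings at or above the threshold, in resource then rule order.
function analyze(resources: Resource[], threshold: Severity): Finding[] {
  const min = ORDER.indexOf(threshold);
  const findings: Finding[] = [];
  for (const r of resources) {
    for (const rule of RULES) {
      if (rule.types.indexOf(r.type) < 0 || ORDER.indexOf(rule.severity) < min) continue;
      if (rule.fails(r.attrs)) findings.push({ resource: `${r.type}.${r.name}`, rule: rule.id, severity: rule.severity });
    }
  }
  return findings;
}

// Constructed input: attribute maps as a parser might produce them from .tf files.
const SAMPLE: Resource[] = [
  { type: "azurerm_storage_account", name: "logs", attrs: { allow_nested_items_to_be_public: true, min_tls_version: "TLS1_0" } },
  { type: "azurerm_mssql_server", name: "db", attrs: { public_network_access_enabled: false, minimum_tls_version: "1.2" } },
  { type: "azurerm_key_vault", name: "kv", attrs: { purge_protection_enabled: false } },
  { type: "azurerm_linux_web_app", name: "api", attrs: { https_only: true } },
];
```

With the default threshold of medium, SAMPLE yields three findings; raising it to high leaves only the public blob access finding on the storage account.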

Cost Estimation

The extension provides Azure cost estimates based on resource SKUs:

  • Per-resource costs - Displayed below each resource node (e.g., "~$70/mo")
  • Total architecture cost - Shown in the bottom-right corner of the diagram
  • SKU labels - Resource tier visible on each node (e.g., "Standard_D2s_v3")

Pricing is supported for:

  • Virtual Machines (all common sizes)
  • Storage Accounts (Standard/Premium, LRS/GRS/ZRS)
  • SQL Databases (Basic, Standard, Premium tiers)
  • AKS Clusters (node pool costs)
  • App Services (Free, Shared, Basic, Standard, Premium)
  • Functions (Consumption, Premium)
  • Redis Cache (Basic, Standard, Premium)
  • Cosmos DB (Request Units)
  • Key Vault (operations-based)
  • And more...

Tag Compliance

Configure required tags and see compliance status at a glance:

{
  "azureTerraformDiagram.compliance.requiredTags": ["environment", "owner", "cost-center"]
}

Resources missing required tags display a warning badge.

Terraform Info Sidebar

The interactive diagram sidebar displays infrastructure metadata extracted from your HCL files:

Terraform Version

Shows the required_version constraint from your terraform block.

Providers

Lists all configured providers with:

  • Provider name and alias
  • Version constraints
  • Source registry

Backend Configuration

Displays state backend details:

  • Backend type (azurerm, s3, gcs, remote, local)
  • Storage account, container, and key (for Azure)
  • Bucket and region (for AWS)
  • Organization and workspace (for Terraform Cloud)

Modules

Shows all module calls with:

  • Module name
  • Source type (registry, git, local, github)
  • Version constraint
  • Source URL

Variables

Lists input variables with:

  • Variable name
  • Type constraint
  • Description
  • Sensitivity flag
  • Default value indicator

Outputs

Shows output definitions with:

  • Output name
  • Description
  • Sensitivity flag

DevOps-Relevant Resource Details

The diagram displays comprehensive technical details that DevOps engineers need:

Network & Connectivity

Resource | Details Shown
Virtual Network | CIDR address space, DNS servers, location
Subnet | CIDR prefix, service endpoints, delegations
Network Interface | Private IP, allocation method, accelerated networking
Public IP | Allocation method, SKU, tier, zones, DNS label
NSG | Rule count, ports (allow/deny), direction
VNet Peering | VNet access, forwarding, gateway transit

Compute & Scaling

Resource | Details Shown
Virtual Machine | Size, OS image, disk type/size, zone, admin user
VM Scale Set | SKU, instance count, zones, upgrade policy
AKS | K8s version, node pool VM size, node count, autoscale range, CNI plugin, network policy
AKS Node Pool | VM size, node count, autoscale, zones, taints, labels
App Service | Runtime, TLS version, always on, HTTPS, VNet integration
Function App | Runtime version, OS type, scaling settings
Container Group | OS type, CPU, memory, ports, restart policy

Storage & Data

Resource | Details Shown
Storage Account | Tier + replication (e.g., Standard_LRS), kind, access tier, TLS version, HTTPS only
SQL Server | Version, admin login, TLS version, public/private access
SQL Database | SKU, max size, zone redundant, geo backup, PITR retention
PostgreSQL/MySQL | SKU, version, storage size, SSL enforcement, backup retention
Cosmos DB | Offer type, kind, consistency level, regions, multi-write
Redis Cache | SKU, family, capacity, TLS, shards, replicas, eviction policy

Security & Identity

Resource | Details Shown
Key Vault | SKU, retention days, purge protection, RBAC, deployment flags
Firewall | SKU, tier, threat intel mode, zones, policy
Application Gateway | SKU, tier, capacity, autoscale, WAF, HTTP/2
Bastion | SKU, copy/paste, file copy, tunneling, scale units
Private Endpoint | Subresource type, manual approval, DNS zone
Role Assignment | Role name, principal type

Monitoring & Management

Resource | Details Shown
Log Analytics | SKU, retention days, daily quota
Application Insights | App type, retention, sampling %, daily cap
Action Group | Email/SMS/webhook receivers
Recovery Vault | SKU, soft delete, storage mode, cross-region
Backup Policy | Frequency, daily/weekly/monthly retention

Integration & Messaging

Resource | Details Shown
Event Hub | SKU, capacity, auto-inflate, max throughput units
Service Bus | SKU, capacity, zone redundant, partitions
API Management | SKU, publisher, VNet type, zones

Layout

Resources are automatically grouped by Resource Group for clear organization:

┌─────────────── Resource Group: rg-production ───────────────┐
│                                                             │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐       │
│  │ Virtual Net  │  │   Subnet     │  │     NSG      │       │
│  │ 10.0.0.0/16  │  │ 10.0.1.0/24  │  │  5 rules     │       │
│  │   ~$0/mo     │  │   ~$0/mo     │  │   ~$0/mo     │       │
│  └──────────────┘  └──────────────┘  └──────────────┘       │
│                                                             │
│  ┌──────────────┐  ┌──────────────┐                         │
│  │  Linux VM    │  │   Storage    │                         │
│  │ Standard_D2s │  │ Standard_LRS │                         │
│  │  ~$70/mo  ⚠️  │  │  ~$21/mo     │                         │
│  └──────────────┘  └──────────────┘                         │
│                                                             │
│                        Total: ~$91/mo                       │
└─────────────────────────────────────────────────────────────┘

Within each resource group, resources are organized by type with multiple instances displayed horizontally.

Supported Azure Resources (100+)

Compute: Virtual Machines, VM Scale Sets, App Services, Function Apps, AKS, Container Instances, Container Registry, Batch

Networking: Virtual Networks, Subnets, NSGs, Load Balancers, Application Gateway, Azure Firewall, Bastion, VPN Gateway, Express Route, NAT Gateway, Private Endpoints, DNS Zones, Front Door, CDN

Storage & Databases: Storage Accounts, Blob Containers, File Shares, Managed Disks, SQL Server/Database, PostgreSQL, MySQL, Cosmos DB, Redis Cache

Security & Identity: Key Vault, Managed Identities, Role Assignments, Firewall Policies

Monitoring: Log Analytics, Application Insights, Action Groups, Metric Alerts, Diagnostic Settings

Integration: Event Hub, Service Bus, API Management, Logic Apps

Backup & Recovery: Recovery Services Vault, Backup Policies

Requirements

  • VS Code 1.80.0 or higher
  • Terraform files with Azure resources (azurerm_*)

Optional Dependencies

  • sharp - For PNG generation. If not available, the extension falls back to SVG output.

Troubleshooting

Diagram not generating on save

  1. Check that azureTerraformDiagram.autoGenerateOnSave is enabled
  2. Ensure your file has a .tf extension
  3. Check the Output panel for errors

PNG generation fails

The extension requires the sharp library for PNG output. If it fails:

  • The extension automatically falls back to SVG format
  • You can manually convert SVG to PNG using other tools

No resources shown

  • Ensure your Terraform files contain azurerm_* resources
  • Check that the files use valid Terraform syntax
  • Look for parsing errors in the Output panel

Resources from multiple folders mixed together

  • Enable the scopeToFolder setting (enabled by default)
  • Right-click a specific folder to generate a diagram for just that folder

Security badges not showing

  • Ensure azureTerraformDiagram.security.showBadges is enabled
  • Check security.severityThreshold - set to "low" to see all issues

Cost estimates showing $0

  • Cost estimation requires SKU information in your Terraform resources
  • Some resources (like VNets, Subnets) are free and show $0
  • Check that resource attributes include size/SKU configurations

Development

# Install dependencies
npm install

# Compile TypeScript
npm run compile

# Watch mode
npm run watch

# Package extension
npm run package

Project Structure

azure-terraform-diagram/
├── src/
│   ├── extension.ts          # Extension entry point
│   ├── terraformParser.ts    # Terraform HCL parser with infra info extraction
│   ├── diagramLayout.ts      # Layout algorithms (zone & resource group grouping)
│   ├── diagramRenderer.ts    # SVG/PNG generation with DevOps badges
│   ├── azureIconMapper.ts    # Resource to icon mapping
│   ├── types/
│   │   ├── index.ts          # Type exports
│   │   ├── security.ts       # Security posture types
│   │   ├── cost.ts           # Cost estimation types
│   │   └── devops.ts         # DevOps/infrastructure types
│   ├── analyzers/
│   │   ├── securityAnalyzer.ts   # Security posture analysis
│   │   ├── costEstimator.ts      # Azure cost estimation
│   │   └── networkAnalyzer.ts    # Network topology analysis
│   └── data/
│       ├── azurePricing.ts       # Azure SKU pricing data
│       └── securityRules.ts      # Security best practice rules
├── resources/
│   └── azure-icons/          # Azure service icons
├── media/
│   └── icon.png              # Extension icon
├── package.json
└── tsconfig.json

License

MIT

Contributing

Contributions are welcome! Please feel free to submit issues and pull requests.

GitHub: https://github.com/sergeyitaly/azure-terraform-diagram


Tips:

  • Add architecture.png to your git repository to share infrastructure diagrams with your team!
  • Configure required tags in settings to enforce tagging standards across your team
  • Use the security analysis to catch misconfigurations before they reach production
  • Review cost estimates during PR reviews to catch expensive resource changes