Terraform HCL
Import raw Terraform .tf files directly in the browser for quick analysis of security group rules without running terraform plan first.
This format is browser only -- HCL import is available in the browser UI only. For CLI workflows, convert your Terraform code to plan JSON using `terraform show -json` and use the Terraform Plan JSON format instead, which supports all four resource types and achieves 94.0% accuracy.
Example .tf file

```hcl
resource "aws_security_group_rule" "allow-https" {
  type        = "ingress"
  protocol    = "tcp"
  from_port   = 443
  to_port     = 443
  cidr_blocks = ["10.0.0.0/8"]
}

resource "aws_security_group_rule" "allow-web-egress" {
  type        = "egress"
  protocol    = "tcp"
  from_port   = 80
  to_port     = 80
  cidr_blocks = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "trusted-ssh" {
  type        = "ingress"
  protocol    = "tcp"
  from_port   = 22
  to_port     = 22
  cidr_blocks = [var.trusted_cidrs]
}
```

Parser behavior
- Uses a regex-based parser (not a full HCL parser) to extract resource blocks by pattern matching.
- Supports four resource types: `aws_security_group_rule`, `aws_security_group`, `azurerm_network_security_rule`, and `google_compute_firewall`.
- For `aws_security_group_rule`, extracts: `type` (ingress/egress), `protocol`, `from_port`, `to_port`, `cidr_blocks`.
- Variable references (`var.*`) in `cidr_blocks` are detected and generate warnings -- the actual values are unknown without running `terraform plan`.
- Balanced brace matching is used to find resource block boundaries.
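The parser behaviour listed above, shown as an added example that is not the tool's own code: a minimal regex-based extractor for `aws_security_group_rule` blocks that pattern-matches the `resource "type" "name" {` header, uses balanced-brace matching (ignoring braces inside quoted strings) to find the block end, pulls the literal attributes out of the body, and turns `var.*` / `local.*` references in `cidr_blocks` into warnings while skipping those values. The function names, the returned field names and the sample input (the page's three rules plus an unsupported `aws_instance` block with a nested brace) are this example's own constructions.

```javascript
// Added example, not the tool's parser. Constructed sample input: the three
// rules from the page, one CIDR list mixing a variable with a literal, and an
// unsupported resource type containing a nested brace.
const SAMPLE_TF = `
resource "aws_security_group_rule" "allow-https" {
  type        = "ingress"
  protocol    = "tcp"
  from_port   = 443
  to_port     = 443
  cidr_blocks = ["10.0.0.0/8"]
}

resource "aws_security_group_rule" "allow-web-egress" {
  type        = "egress"
  protocol    = "tcp"
  from_port   = 80
  to_port     = 80
  cidr_blocks = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "trusted-ssh" {
  type        = "ingress"
  protocol    = "tcp"
  from_port   = 22
  to_port     = 22
  cidr_blocks = [var.trusted_cidrs, "192.168.0.0/16"]
}

resource "aws_instance" "not-a-rule" {
  tags = { Name = "ignored" }
}
`;

// Header pattern the page describes: resource "type" "name" {
const RESOURCE_HEADER = /resource\s+"([^"]+)"\s+"([^"]+)"\s*\{/g;

// Index just past the brace closing the block opened at openIdx, or -1 if the
// block never closes. Braces inside quoted strings do not affect the depth.
function findBlockEnd(src, openIdx) {
  let depth = 0;
  let inString = false;
  for (let i = openIdx; i < src.length; i++) {
    const ch = src[i];
    if (inString) {
      if (ch === "\\") i++; // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === "{") depth++;
    else if (ch === "}" && --depth === 0) return i + 1;
  }
  return -1;
}

// Scalar attribute: a quoted string or a bare integer. Anything else is
// treated as "not a literal" and left undefined.
function scalarAttr(body, name) {
  const m = body.match(new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|(-?\\d+))`));
  if (!m) return undefined;
  return m[1] !== undefined ? m[1] : Number(m[2]);
}

// cidr_blocks = [...]: keep literal strings, warn on var./local. references,
// warn on any other expression. Unresolved items are skipped, not guessed.
function cidrAttr(body, name, warnings) {
  const m = body.match(/\bcidr_blocks\s*=\s*\[([^\]]*)\]/);
  if (!m) return [];
  const cidrs = [];
  for (const raw of m[1].split(",")) {
    const item = raw.trim();
    if (item === "") continue;
    const lit = item.match(/^"([^"]*)"$/);
    if (lit) cidrs.push(lit[1]);
    else if (/^(var|local)\./.test(item))
      warnings.push(`${name}: unresolved ${item} in cidr_blocks (run terraform plan)`);
    else warnings.push(`${name}: unsupported expression ${item} in cidr_blocks`);
  }
  return cidrs;
}

// Walk every resource header, slice out its body with balanced braces and
// extract the aws_security_group_rule fields. Other types are reported.
function parseHcl(src) {
  const rules = [], warnings = [], skippedTypes = [];
  RESOURCE_HEADER.lastIndex = 0;
  let h;
  while ((h = RESOURCE_HEADER.exec(src)) !== null) {
    const [header, rtype, rname] = h;
    const openIdx = h.index + header.length - 1; // position of "{"
    const end = findBlockEnd(src, openIdx);
    if (end === -1) { warnings.push(`${rtype}.${rname}: unterminated block`); break; }
    RESOURCE_HEADER.lastIndex = end; // resume scanning after this block
    if (rtype !== "aws_security_group_rule") { skippedTypes.push(rtype); continue; }
    const body = src.slice(openIdx + 1, end - 1);
    const name = `${rtype}.${rname}`;
    rules.push({
      name,
      type: scalarAttr(body, "type"),
      protocol: scalarAttr(body, "protocol"),
      fromPort: scalarAttr(body, "from_port"),
      toPort: scalarAttr(body, "to_port"),
      cidrBlocks: cidrAttr(body, name, warnings),
    });
  }
  return { rules, warnings, skippedTypes };
}

console.log(JSON.stringify(parseHcl(SAMPLE_TF), null, 2));
```

On the constructed input this yields three rules, one warning for `var.trusted_cidrs` (the `trusted-ssh` rule keeps only its literal `192.168.0.0/16`), and `aws_instance` in the skipped list; it mirrors why the page's match rate is low whenever a file leans on variables, locals or `for_each` rather than literals.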
Limitations
| Limitation | Detail |
|---|---|
| Browser only | No CLI support. Use `terraform show -json` for CLI workflows. |
| Regex parser | Not a full HCL parser. Complex expressions, locals, data sources, and conditional expressions are not evaluated. |
| Variable references | `var.*` and `local.*` references generate warnings and skip those CIDR values. |
| for_each / count | Dynamic resource generation with `for_each` or `count` is not expanded. |
| Interpolation | String interpolation (`"${var.cidr}"`) is not resolved. |
| Modules | Module calls are not followed -- only resources defined in the scanned file are parsed. |
For comprehensive analysis, convert to plan JSON first:

```bash
terraform plan -out=tfplan
terraform show -json tfplan > plan.json
```

Then use the Terraform Plan JSON import, which supports all four resource types across three providers.
Accuracy
Accuracy measured against a 400-rule CSV baseline (360 Tier 1 + 40 Tier 2).
| Metric | Value |
|---|---|
| Browser match rate | 10.0% (40/400) |
| Tier 1 accuracy | 11.5% (40/348) |
| Field accuracy | 100% for matched flows |
| Warnings generated | 6 (variable references) |
The low match rate is expected -- the regex parser only handles resource blocks with literal values. Rules using variables, locals, or complex expressions are skipped. For full coverage, use the Terraform Plan JSON format (94.0% match rate).
Troubleshooting
"Very few rules parsed"
This is expected. The regex parser only handles resource blocks with literal string and numeric values. Convert to plan JSON for full coverage:

```bash
terraform plan -out=tfplan && terraform show -json tfplan > plan.json
```

"Variable warning"
`var.*` references in CIDR blocks cannot be resolved without running `terraform plan`. The parser warns and skips those values. The rules themselves are still parsed, but flows with unresolvable CIDRs are omitted.
"Complex expressions ignored"
Locals, data sources, conditional expressions (`condition ? a : b`), and `for_each` are not evaluated. Only literal values are extracted.
"No resources found"
Verify the file contains resource blocks with one of the supported types. The parser matches `resource "type" "name" {` patterns.
Browser: Drag and drop a .tf file onto the import area. HCL format is auto-detected by the presence of resource blocks with Terraform patterns.