Terraform Plan JSON
Import Terraform plan JSON output to analyze firewall rules across AWS, Azure, and GCP providers in a single file. netbobr scans planned_values for security group and firewall resources, extracting flows from each provider's native field format.
Export command
Generate and convert a Terraform plan to JSON:
# Generate a plan file
terraform plan -out=tfplan
# Convert to JSON
terraform show -json tfplan > plan.json
terraform show -json requires Terraform 0.12 or later. The output must be the JSON plan format, not the human-readable plan text. Note that the JSON plan contains the full planned configuration, including values Terraform marks as sensitive, so handle plan.json with the same care as a state file.
Supported resource types
| Resource Type | Provider | Description |
|---|---|---|
| aws_security_group_rule | AWS | Individual security group rule |
| aws_security_group | AWS | Security group with inline ingress/egress blocks |
| azurerm_network_security_rule | Azure | Network security group rule |
| google_compute_firewall | GCP | Compute firewall rule |
Minimal example
{
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "type": "aws_security_group_rule",
          "name": "allow-https",
          "address": "module.security.aws_security_group_rule.allow-https",
          "values": {
            "type": "ingress",
            "protocol": "tcp",
            "from_port": 443,
            "to_port": 443,
            "cidr_blocks": ["10.0.0.0/8"],
            "security_group_id": "sg-0123456789"
          }
        }
      ]
    }
  }
}
Parser behavior
- Scans the planned_values.root_module.resources array, including nested child_modules recursively.
- Each supported resource type uses its own extraction logic matching the native cloud format:
  - AWS SG rules: type (ingress/egress), protocol, from_port, to_port, cidr_blocks
  - AWS SG inline: ingress and egress blocks with the same field structure
  - Azure NSG rules: same field mapping as the native Azure NSG parser (direction, protocol, source/destination address prefix, port range)
  - GCP firewall rules: same field mapping as the native GCP parser (direction, allowed protocols, source/destination ranges)
- Security group references in source_security_group_id generate a warning since SG IDs cannot be resolved to CIDRs.
Limitations
| Limitation | Detail |
|---|---|
| Security group references | Rules referencing other SGs by ID instead of CIDR blocks generate a warning and no flow. |
| Data sources | Only planned_values resources are scanned. Data source lookups and remote state references are not resolved. |
| Computed values | Fields that are (known after apply) in the plan are null or absent in planned_values (the plan lists them under resource_changes[].change.after_unknown instead) and may produce incomplete flows, for example a rule with no port range. |
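To make the parser behavior and the limitations above concrete, here is an added example walker over Terraform plan JSON. It is not netbobr's own code: the flow record shape (address, direction, action, protocol, ports, source, destination), the handler functions and the constructed SAMPLE_PLAN are assumptions made for this example, while the field names inside each resource's values are the ones the AWS, Azure and GCP providers emit. It recurses through child_modules, warns and emits no flow for rules that reference another security group by ID, flags ports that are known after apply, records unsupported resource types instead of failing, and uses the same top-level planned_values check that format auto-detection relies on.

```javascript
// Added example (not netbobr's own code): walk Terraform plan JSON and extract
// flows for the four supported resource types. Flow shape and SAMPLE_PLAN are
// assumptions made for this example; resource field names are the providers'.

// A Terraform plan is recognised by a top-level planned_values key.
function isTerraformPlan(doc) {
  return doc !== null && typeof doc === 'object' && 'planned_values' in doc;
}

// Yield every resource in a module and, recursively, in its child_modules.
function* walkResources(mod) {
  if (!mod) return;
  for (const r of mod.resources || []) yield r;
  for (const child of mod.child_modules || []) yield* walkResources(child);
}

// Ports that are "known after apply" arrive as null or absent: report unknown, not 0.
function portRange(from, to) {
  if (from == null || to == null) return null;
  return from === to ? String(from) : `${from}-${to}`;
}

// aws_security_group_rule values and inline ingress/egress blocks share one layout.
// SG references (source_security_group_id / security_groups) cannot be resolved to CIDRs.
function awsRule(v, direction, address, out) {
  const cidrs = v.cidr_blocks || [];
  const sgRefs = [v.source_security_group_id, ...(v.security_groups || [])].filter(Boolean);
  if (cidrs.length === 0 && sgRefs.length > 0) {
    out.warnings.push(`${address}: references ${sgRefs.join(', ')}; SG IDs cannot be resolved to CIDRs, no flow emitted`);
    return;
  }
  if (v.from_port == null || v.to_port == null) {
    out.warnings.push(`${address}: port range is known after apply, flow is incomplete`);
  }
  for (const cidr of cidrs) {
    out.flows.push({
      address, direction, action: 'allow',
      protocol: v.protocol === '-1' ? 'any' : v.protocol, // AWS uses "-1" for all protocols
      ports: portRange(v.from_port, v.to_port),
      source: direction === 'ingress' ? cidr : address,
      destination: direction === 'ingress' ? address : cidr,
    });
  }
}

// azurerm_network_security_rule carries explicit source and destination prefixes (the Tier 2 case).
function azureRule(v, address, out) {
  out.flows.push({
    address,
    direction: v.direction === 'Inbound' ? 'ingress' : 'egress',
    action: String(v.access || 'Allow').toLowerCase(),
    protocol: v.protocol === '*' ? 'any' : String(v.protocol).toLowerCase(),
    ports: v.destination_port_range === '*' ? null : v.destination_port_range,
    source: v.source_address_prefix,
    destination: v.destination_address_prefix,
  });
}

// google_compute_firewall: one flow per allow/deny entry per source (ingress) or destination (egress) range.
function gcpRule(v, address, out) {
  const ingress = (v.direction || 'INGRESS') === 'INGRESS';
  const ranges = ingress ? (v.source_ranges || []) : (v.destination_ranges || []);
  for (const [action, entries] of [['allow', v.allow || []], ['deny', v.deny || []]]) {
    for (const e of entries) for (const range of ranges) {
      out.flows.push({
        address, direction: ingress ? 'ingress' : 'egress', action,
        protocol: e.protocol === 'all' ? 'any' : e.protocol,
        ports: e.ports && e.ports.length ? e.ports.join(',') : null,
        source: ingress ? range : address,
        destination: ingress ? address : range,
      });
    }
  }
}

const HANDLERS = {
  aws_security_group_rule: (r, out) => awsRule(r.values, r.values.type, r.address, out),
  aws_security_group: (r, out) => {
    for (const v of r.values.ingress || []) awsRule(v, 'ingress', r.address, out);
    for (const v of r.values.egress || []) awsRule(v, 'egress', r.address, out);
  },
  azurerm_network_security_rule: (r, out) => azureRule(r.values, r.address, out),
  google_compute_firewall: (r, out) => gcpRule(r.values, r.address, out),
};

function parsePlan(doc) {
  if (!isTerraformPlan(doc)) throw new Error('not a Terraform plan: no top-level planned_values key');
  const out = { flows: [], warnings: [], skipped: [] };
  for (const r of walkResources(doc.planned_values.root_module)) {
    const handler = HANDLERS[r.type];
    if (!handler) { out.skipped.push(`${r.address} (${r.type})`); continue; }
    handler(r, out);
  }
  return out;
}

// Constructed sample plan: one rule per supported type, an SG reference, a computed port and an unsupported type.
const SAMPLE_PLAN = { format_version: '1.2', planned_values: { root_module: {
  resources: [
    { type: 'aws_security_group_rule', address: 'aws_security_group_rule.allow-https',
      values: { type: 'ingress', protocol: 'tcp', from_port: 443, to_port: 443, cidr_blocks: ['10.0.0.0/8'], security_group_id: 'sg-0123456789' } },
    { type: 'aws_security_group_rule', address: 'aws_security_group_rule.from-app',
      values: { type: 'ingress', protocol: 'tcp', from_port: 5432, to_port: 5432, cidr_blocks: [], source_security_group_id: 'sg-abc123' } },
    { type: 'aws_security_group', address: 'aws_security_group.app',
      values: { ingress: [{ protocol: 'tcp', from_port: null, to_port: null, cidr_blocks: ['10.2.0.0/16'] }], egress: [] } },
  ],
  child_modules: [{ address: 'module.net', resources: [
    { type: 'azurerm_network_security_rule', address: 'module.net.azurerm_network_security_rule.ssh',
      values: { direction: 'Inbound', access: 'Allow', protocol: 'Tcp', source_port_range: '*', destination_port_range: '22', source_address_prefix: '203.0.113.0/24', destination_address_prefix: '10.1.0.0/16' } },
    { type: 'google_compute_firewall', address: 'module.net.google_compute_firewall.web',
      values: { direction: 'INGRESS', source_ranges: ['0.0.0.0/0'], allow: [{ protocol: 'tcp', ports: ['80', '443'] }], deny: [] } },
    { type: 'aws_network_acl_rule', address: 'module.net.aws_network_acl_rule.nacl', values: {} },
  ] }],
} } };

console.log(JSON.stringify(parsePlan(SAMPLE_PLAN), null, 2));
```

Run it with node and compare the output against what the real importer reports for the same plan: the SG-referencing rule produces a warning and no flow, the inline rule with computed ports produces a flow with ports null plus a warning, and the NACL rule is listed as skipped rather than silently dropped.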
Accuracy
Accuracy measured against a 400-rule CSV baseline (360 Tier 1 + 40 Tier 2).
| Metric | Value |
|---|---|
| CLI match rate | 94.0% (376/400) -- highest of all formats |
| Browser match rate | 94.0% (376/400) |
| Tier 1 accuracy | 96.6% (336/348) |
| Tier 2 accuracy | 100.0% (40/40) |
| Field accuracy | 100% (risk score, risk level, verdict) |
Terraform Plan achieves the highest match rate because it supports all four resource types across three cloud providers, including Azure NSG rules that can express both specific source and destination CIDRs (Tier 2).
Troubleshooting
"No flows parsed"
Verify the file is terraform show -json output, not terraform plan text output. The JSON file must contain a planned_values key at the top level.
"Missing resources"
Check if resources are defined in child modules. netbobr recursively scans child_modules within planned_values.root_module, so nested modules are supported.
"Security group reference warning"
Rules that reference other security groups by ID (e.g., source_security_group_id: "sg-abc123") instead of CIDR blocks generate a warning. These rules cannot produce flows because the SG members are unknown.
"Unsupported resource type"
Only the four resource types listed above are scanned. Other firewall-related resources (e.g., aws_vpc_security_group_ingress_rule, aws_vpc_security_group_egress_rule, aws_network_acl_rule) are not currently supported and are skipped.
CLI usage:
npx @netbobr/cli analyze plan.json --cloud-format tf-plan
Browser: Drag and drop the .json file onto the import area. Terraform Plan format is auto-detected by the presence of planned_values.