Blast radius is not another Terraform plan visualisation tool
If you’re familiar with Terraform then there’s a good chance you’ve used the Terraform plan command. It compares your current state to your desired state, building a ‘plan’ that contains a ‘diff’ between the two. The output tells you which resources will be created, destroyed or modified before you run the apply command.
Within the Terraform CLI you’ll see a plan output looking something like this:
And there are some great tools out there to help you both format and visualise the output so that it is easier to interpret:
So what’s the problem? Terraform plan will tell you about the things it’s going to change:
It’ll even tell you if it’s going to change multiple things:
But it won’t tell you the context of those things within the wider application/infrastructure:
You need to be told which pieces you’re touching, sure, and terraform plan is a brilliant way to do that. But you also need to know where those pieces sit in the Jenga tower that is your infrastructure, and what effect removing them might have. That’s what Overmind’s blast radius does.
Overmind blast radius
With Overmind's risks you can surface incident-causing config changes as part of your pull request. When a pull request is opened and a Terraform plan is executed you can calculate the potential impact (or blast radius) of your change. Overmind parses the Terraform plan output and then, using only read-only AWS credentials, maps out your infrastructure. It queries AWS directly and discovers relationships automatically, working out what the actual impact of your change is, even for things not managed under Terraform.
From this you are then able to check the affected items to see if there is anything unexpected. If you notice that the change might affect more than you thought, you can modify either your code, or the way you plan to roll out and monitor the change to account for it. You can then share this change or graph with your team or the change advisory board.
From the blast radius Overmind also provides a list of human-readable risks that can be reviewed prior to running Terraform apply. These risks can either be commented back as part of your CI/CD pipeline or viewed in the app. Using our GitHub action you can make this part of your workflow. The action will comment back on the pull request telling you the blast radius (everything that might be affected by the given change).
Inside the app you can see the full blast radius in an interactive graph along with any metadata Overmind was able to get from AWS. When you're ready to start the change, Overmind will take a snapshot before and after to validate that the change went through as intended.
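To make the difference between a plan and a blast radius concrete, here is an added example (not Overmind's code, and not from the original post). It reads the changed resources from Terraform's JSON plan format and walks outward over a relationship map. The plan data, the relationship map, the "unmanaged:" prefix and the function names are all constructed for illustration; in practice the relationships would come from read-only queries against the cloud account.

```python
import json
from collections import deque

# Constructed sample in the shape of `terraform show -json <planfile>` output.
PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"]}},
        {"address": "aws_instance.batch", "type": "aws_instance",
         "change": {"actions": ["delete", "create"]}},  # a replacement
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["no-op"]}},
    ],
})

# Constructed relationship map standing in for links discovered from the
# account. Entries prefixed "unmanaged:" are not in Terraform state at all.
RELATED = {
    "aws_security_group.web": ["aws_instance.web", "unmanaged:alb/legacy"],
    "aws_instance.web": ["unmanaged:route53/www.example.com"],
    "aws_instance.batch": ["aws_iam_role.batch"],
    "unmanaged:alb/legacy": ["unmanaged:route53/www.example.com"],
}

def changed_resources(plan_json):
    """Return {address: actions} for every resource the plan will touch."""
    out = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        actions = rc["change"]["actions"]
        if actions not in (["no-op"], ["read"]):
            out[rc["address"]] = actions
    return out

def blast_radius(start, related, max_depth=3):
    """Breadth-first walk from the changed items; returns {item: distance}."""
    seen = {addr: 0 for addr in start}
    queue = deque(seen.items())
    while queue:
        node, depth = queue.popleft()
        if depth == max_depth:
            continue
        for nxt in related.get(node, []):
            if nxt not in seen:
                seen[nxt] = depth + 1
                queue.append((nxt, depth + 1))
    return seen

if __name__ == "__main__":
    changes = changed_resources(PLAN_JSON)
    radius = blast_radius(changes, RELATED)
    for item, depth in sorted(radius.items(), key=lambda kv: kv[1]):
        print(depth, item, changes.get(item, "not in plan"))
```

The plan lists two changed resources; the walk reaches four more, two of which Terraform does not manage and therefore could never appear in plan output.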
Don’t just take our word for it…
We want to make it as easy as possible to get started, so we have created an example repository. It shows how to run Terraform on GitHub Actions, automatically submit each PR's changes to Overmind and report back the blast radius as a comment on the PR. This way you can get started easily with either your personal or org AWS account.