What’s the difference between Terraform Graph and Overmind?
James Lane
February 16, 2024
When making changes understanding the output from your Terraform plan is critical to ensuring that there is no unintentional impact from your changes. Because of this Terraform uses terraform graph that helps users to visualise these changes.
The terraform graph command is used to generate a visual representation of either a configuration or execution plan. The output is in the DOT format, which can then be used to generate charts.
The recommended program that can read this format is GraphViz, but many web services are also available to read this format. Some add extra formatting to the outputs so that
These are some of the online services:
First thing install graphviz (example on Mac OS):
Then generate a graph output using:
The -type flag can be used to control the type of graph shown. Terraform creates different graphs for different operations. The default type is "plan" if a configuration is given, and "apply" if a plan file is passed as an argument.
The output of terraform graph is in the DOT format, which can easily be converted to an image by making use of dot provided by GraphViz:
Here is an example graph output using graphviz:
As mentioned above, there are other services that can convert the provided dot. With these you typically upload the output to the online service and can modify it within the interface.
Heres an example from https://dreampuf.github.io/GraphvizOnline/.
Overmind is a SaaS Terraform impact analysis tool. It acts as a second pair of eyes, taking the output of Terraform plan to tell you along with the current state of your infrastructure to calculate any dependencies and determine the potential impact or the blast radius of a change. It works by querying your AWS infrastructure via their API in real-time using a read-only role.
Using the blast radius, its real-time dependency map and a LLM it can provide a list of human readable risks that can be reviewed prior to running Terraform apply. These risks can either be commented back as part of your CI / CD pipeline or viewed in the app.
Overmind supports >100 different AWS resources and >300 possible relationships, including those that span AWS Accounts and services, whether they be created by Terraform, manual intervention, or any other process. It currently has two plans (free & pay-as-you-go.) The free plan offers unlimited users 150 free changes per month with any extra changes $0.45 each after.
Get started by creating a free account.
Next you will need to create a change. This can be done by:
Let's look at an example using the Github action. Based on the planned changes and the relationships that we have discovered, Overmind discovers the blast radius of what might be affected by this change including resources not in terraform.
The Github action can be set up as part of you CI/CD pipeline to notify you of the affected items/ apps of your change automatically. However any CI /CD tool can be supported using the CLI.
You will then receive a set of human-readable risks that you are able to see if there is anything unexpected or of concern. If you notice that the change might affect more than you thought, you can modify either your code, or the way you plan to roll out and monitor the change to account for it. These risks can either be commented back as part of your CI / CD pipeline or viewed in the app.
By understanding which services would potentially by affected by the planned change, you'll have a full picture and will be able to fix any issues before it effects production.
When you're ready to start the change, Overmind will take a snapshot before and after to validate that the change went through as intended. Allowing you to view the health status of resources and config diffs in detail within the app.
Overmind also lets you discover dependencies in real-time using the “Explore” functionality, allowing them to plan the rollout of changes more easily and avoid risky changes to core components. Understand an application starting with just a AWS resource name or public data point and expanding outwards without significant knowledge of AWS or the application itself.
If you want to just try this out on public data (HTTP, DNS etc), you can use the new Playground without needing to sign up.
Before jumping into a comparison of the two it is worth providing some context to the application we are going to be making changes to. It is Kubernetes cluster that manages some API gateways using AWS services such as EKS, EFS & Route53.
Let’s take a look at what this change would look like as a Terraform Graph output. Due to image dimension restrictions the below is a screenshot of a much larger Terraform Graph output.
Whereas with Overmind we get a set of risks back as a comment an a interactive graph to explore the dependencies in more detail.
In this example the output was a 3.5mb svg file or a image with the dimensions 256925px by 3802px. If you were to convert pixels to cm's it's about as it's about as wide as The Wingspan of a 747 (68 metres). Dealing with such a large file is not easy and as you can see from the above screenshot it is not easily readable.
However, Terraform graph can still be a great tool when working with smaller, more manageable changes or if you simply want something to run on CLI. But when you ultimately need to make some larger, more complex changes it is when Overmind would come in to its own. Allowing you to only see the affected resources.
Both tools are freely available: