aws2tf.py will import into Terraform existing AWS infrastructure, and produce the corresponding Terraform HCL files.
aws2tf.py
will also attempt to:
- De-reference hardcoded values into their Terraform addresses.
- Find dependent resources and import them.
- Where possible, remove region and account references and replace with Terraform data values.
Finally aws2tf runs a terraform plan
command and there should hopefully be no subsequent additions or deletions reported by the terraform plan command as all the appropriate terraform configuration files will have automatically been created.
- MacOS or Linux
- Python3 (v3.8+)
- boto3 1.35.76 or later (pip3 install -r requirements.txt).
- AWS cli (v2) version 2.22.0 or higher needs to be installed and you need a login with at least "Read" privileges.
- Terraform version v1.7.5 or higher needs to be installed. (recommend you avoid early point releases eg. 1.9.0/1.9.1)
- jq version 1.6 or higher
- pyenv - to help manage Python versions and environments (https://github.com/pyenv/pyenv)
- tfenv - - to help manage multiple Terraform versions (https://github.com/tfutils/tfenv)
- trivy version 0.48.0 or later (https://aquasecurity.github.io/trivy/v0.54/)
(This tool is currently developed/tested using Python 3.9.16 on macOS 15.1.1)
Running the tool in your local shell (bash) required these steps:
- Unzip or clone this git repo into an empty directory.
- login to the AWS cli (aws configure).
- run the tool - see usage guide below.
To see the command line help use:
./aws2tf.py -h
or for more extensive help:
./aws2tf.py -l
To generate the terraform files for all the VPC's in your account/region:
./aws2tf.py -t vpc
or for a specific VPC:
./aws2tf.py -t aws_vpc -i vpc-xxxxxxxxxx
You can also instead of using predefined types use the direct Terraform resource names:
./aws2tf.py -t aws_sagemaker_domain
You can also combine type requests by using a comma delimited list:
./aws2tf.py -t vpc,efs,aws_dagemaker_domain
By default aws2tf genrates a separate aws_xxxx.tf file for every resource it finds, if you would prefer to have them all merged into a single file (main.tf) use the -s option:
./aws2tf.py -t vpc -s
Now you can add whatever resources you want by using the -m (merge) flag:
To add all ECS resources:
./aws2tf.py -t ecs -m
You can see all the supported types (-t [type]) by using -l (long help) option: ./aws2tf.py -l
You can also import just a specific resource by passing it's AWS resource name, in this example all the existing resources and the newly merged resources will be put into a single (main.tf) file as the -s option is included:
./aws2tf.py -t eks -i my-cluster-name -m -s
or for a specific domain:
./aws2tf.py -t aws_sagemaker_domain -i d-xxxxxxxxx -m
Add a specific S3 bucket:
./aws2tf -t aws_s3_bucket -i my_bucket_name -m
Often Organisations (and AWS blogs/workshops) deploy resources for use using a stack.
aws2tf can convert these to terraform for you using the -s [stack name] option
./aws2tf.sh -s <stack name>
Finally you can scan everything in your account by simply running:
./aws2tf.py
But this is Not recommended as this will take quite some time to complete!
You can also try the experimental fast mode which uses multi threading to speed things up:
./aws2tf.py -f
You may come across some kind of error as trying to test everyone's AWS combinations in advance isn't possible.
If you happen to find one of these errors please open an issue here and paste in the error and it will get fixed.
For stack sets (-s option) look for these two files in the generated/tf* directory - and paste their contents into the issue:
- stack-unprocessed.err
- stack-null.err
See the instructions here
Note you do not need to clone this repo if you want to run aws2tf as a container
see here for a list
see here for a list
aws2tf maintains state in it's own local directory:
generated/tf../
When using cumulative mode this same state file is used / added to.
It is not possible at this time to use your own state location (eg. on s3)
October 2024
The python version of this tool aws2tf.py
has now superceded the old bash script version.
You can still find and use the old version in the hidden sub-directory .aws2tf-archive