Automatically generate diagrams from resources deployed in AWS

March 19, 2025 — 4 Min Read

Automation
AWS
CI-CD
Diagramming
Documentation
GitHub
Tutorial

Navigating through all the services in the AWS console is cumbersome, and generating diagrams manually and keep them updated is a tedious job. infra-inspector automates these processes, so you can use it in CI/CD environments to automatically or periodically generate these useful info.

Prerequisites

  • AWS credentials: this is required to create the inventory file, as infra-inspector will need to call AWS APIs; note that only these read permissions are required.

Usage

Generate the inventory

First thing you need to create a configuration to tell the CLI tool which resources in which region to catalog. Create a file called inventory-config.yml with the following content:

awsAccounts:
  - regions:
      - regionName: us-east-1
        services:
          rdsEnabled: true
          elbEnabled: true
          mskEnabled: true
          elasticacheEnabled: true
          openSearchEnabled: true
          transitGatewayEnabled: true

For each account you can specify one or more regions, and for each of those you can enable the services to enable. Refer to the official documentation for more info.

Now you can use the config above to generate the inventory:

docker run --rm \
  -v ~/.aws/credentials:/root/.aws/credentials:ro \
  -v `pwd`/inventory-config.yml:/opt/infra-inspector/inventory-config.yml:ro \
  -v `pwd`/output:/output \
  ghcr.io/infra-inspector/infra-inspector:latest \
  inventory -c /opt/infra-inspector/inventory-config.yml -o /output/inventory.yml

This command assumes an inventory configuration file named inventory-config.yml and a directory output are in the current folder.

It also assume that the AWS profile specified in the config exists in ~/.aws/credentials. The profile should have the permissions to read all the supported resources, no write permissions are needed.

This command will produce something like this:

accounts:
  "000000000000":
    id: "000000000000"
    name: ""
    regions:
      us-east-1:
        azs:
          us-east-1a: true
          us-east-1b: true
          us-east-1c: true
          us-east-1d: true
          us-east-1e: true
          us-east-1f: true
        internetGateways: []
        name: us-east-1
        transitGateways: {}
        vpcs:
          vpc-0000000000000000:
            id: vpc-0000000000000000
            name: ""
            cidr: 172.31.0.0/16
            dbClusters: {}
            elasticacheClusters: {}
            elbs: {}
            isDefault: true
            mskClusters: {}
            openSearchClusters: {}
            subnets:
              subnet-00000000000000000:
                id: subnet-00000000000000000
                name: ""
                cidr: 172.31.48.0/20
                autoAssignPublicIp: true
                instances: {}
                az: us-east-1d
                natGateways: []
              subnet-00000000000000001:
                id: subnet-00000000000000001
                name: ""
                cidr: 172.31.32.0/20
                autoAssignPublicIp: true
                instances: {}
                az: us-east-1c
                natGateways: []
              subnet-00000000000000002:
                id: subnet-00000000000000002
                name: ""
                cidr: 172.31.0.0/20
                autoAssignPublicIp: true
                instances: {}
                az: us-east-1a
                natGateways: []
              subnet-00000000000000003:
                id: subnet-00000000000000003
                name: ""
                cidr: 172.31.16.0/20
                autoAssignPublicIp: true
                instances: {}
                az: us-east-1b
                natGateways: []
              subnet-00000000000000004:
                id: subnet-00000000000000004
                name: ""
                cidr: 172.31.80.0/20
                autoAssignPublicIp: true
                instances: {}
                az: us-east-1f
                natGateways: []
              subnet-00000000000000005:
                id: subnet-00000000000000005
                name: ""
                cidr: 172.31.64.0/20
                autoAssignPublicIp: true
                instances: {}
                az: us-east-1e
                natGateways: []
            tgwAttachments: {}

The content might be different based on the resources you have deployed in your account(s).

Generate the diagram

From the inventory we generated above we can then create the diagram with:

docker run --rm \
  -v `pwd`/output/inventory.yml:/opt/infra-inspector/inventory.yml:ro \
  -v `pwd`/output:/output \
  ghcr.io/infra-inspector/infra-inspector:latest \
  diagram -f /opt/infra-inspector/inventory.yml -o /output/diagram.drawio

If you need to override some details about the infrastructure (ie. to clarify some resource names), you can either edit the inventory YAML file before running the last command, or create a separate inventory containing only the overriding values.

The output can then be opened in Draw.io, which can be used from the CLI as well, in case you need to export the diagram as image.

With the inventory above you should get this diagram:

Use in CI pipelines

The above commands can be used in a CI/CD environment as well to automate the process, like for instance update the inventory and the diagram every time the infrastructure is updated, or at specified interval, like once a day.

For instance to automatically generate the inventory and the diagram after an update to the infrastructure is deployed:

name: Infrastructure deployment

on:
  push:
    branch:
      - main

jobs:
  infra-deployment:
    # ...
    # Job to deploy the infrastructure updates, using Terraform, Pulumi or
    # similar
    # ...

  infra-inspector:
    name: Generate inventory
    runs-on: ubuntu-latest
    needs:
      - infra-deployment
    container: ghcr.io/infra-inspector/infra-inspector:latest
    steps:
      - uses: actions/checkout@v4.2.2
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-west-2
      - name: Generate inventory
        run: infra-inspector inventory -c inventory-config.yml -o inventory.yml
      - name: Generate diagram
        run: infra-inspector diagram -f inventory.yml -o diagram.drawio
      - name: Archive code coverage results
        uses: actions/upload-artifact@v4
        with:
          name: diagram
          path: diagram.drawio

Here the job infra-inspector will run only after infra-deployment has been successfully completed, and it will checkout the repository where the inventory config is (here we are assuming is in the repo root, and it’s called inventory-config.yml), configure the AWS credentials needed to pull the data, generate the inventory and then the diagram, which is then finally stored as artifact.

Conclusion

Automating the generation of infrastructure diagrams with tools like infra-inspector offers significant advantages in terms of time savings, accuracy, and maintaining up-to-date documentation. By integrating this process into your CI/CD pipelines, you can ensure that your diagrams always reflect the current state of your AWS environment. This tutorial provides a practical introduction to using infra-inspector, but there’s much more to explore, including advanced configuration options, support for additional AWS services, and further customization possibilities.

To delve deeper into the capabilities of infra-inspector, explore its full feature set, and access the most up-to-date information, I encourage you to visit the official documentation at https://infra-inspector.github.io/. There you’ll find comprehensive documentation, detailed configuration guides, and potentially more advanced use cases to further enhance your infrastructure visualization and documentation efforts.

See Also:

Share this

comments powered by Disqus