Cloud graph and the cloud-to-code agent: discovery and codification

A legible cloud graph to see the estate, a discovery explorer to import live resources, and a codification agent that turns them into Terraform and opens a PR.

  • cloud graph
  • discovery
  • codification

TL;DR

Real cloud estates are full of resources nobody wrote as code.

I designed the loop that finds them and turns them into managed infrastructure: a legible cloud graph to see the estate, a discovery explorer to import live resources, and a codification agent that turns discovered resources into Terraform and opens a PR.

The problem

Two hard things at once.

First, a real topology is a hairball of hundreds of nodes that no visualization made legible.

Second, huge amounts of infrastructure exist in the cloud but not in code (unmanaged, undocumented, drifting), and hand-writing IaC to adopt it is slow and error-prone.

The insight

A graph is a tool for answering a question, so it should start scoped to the question, not render the universe.

And adoption is a pipeline (discover, decide, codify, review) with a human gate at the review step, because you are about to take ownership of real resources.

Early on I prototyped a pure force-directed layout and dropped it: it produced a different unstable hairball on every render, so I moved to a force graph with a dagre pre-layout that gives stable, readable positions.

The solution

  • Cloud graph: a D3 force-directed graph with dagre pre-layout (stable, not random), a shared node-card primitive, spotlight and fade to focus the subgraph relevant to the question, and sanitized labels so raw graph terminology never leaks.
    Figure: Spotlight on one blueprint: its dependency edges light up, its live outputs sit alongside, the rest fades back.
  • Discovery explorer: browse a live cloud account's resources, multi-select, and import them into an environment, with a unified scope selector across collections, repositories, and branches.
    Figure: The discovery explorer over a live Azure account: pick the resources, name the environment, import.
  • Codification agent (cloud-to-code): the agent runs the pattern end to end, from discovering a resource to comparing its live state against code, generating the Terraform change, opening a PR, and deploying. A resource-decision block handles the unmanaged or drift call (import, reconcile, or mark expected), and a code-indexing block makes ingestion legible while it runs.
    Figure: The codification run, step by step: validate, generate Terraform, import, fix drift, publish, deploy, ending in a reviewable plan.
    Figure: The whole loop in motion: from the estate graph, through discovery and import, to codified resources with zero drift.
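The resource-decision block described above, written out as an added example (this is illustration code, not the product's own implementation). It classifies each discovered resource against what the code declares, emits Terraform `import {}` blocks for the unmanaged ones, and refuses to hand anything to apply until a reviewer has approved it. The Azure resource addresses, attributes and cloud ids are constructed sample data; the drifted storage-account setting is chosen because public blob access is the kind of drift a reviewer most wants surfaced rather than silently reconciled.

```python
"""Resource-decision step of a cloud-to-code adoption pipeline.

Added example, not the product's own code. The resource records, the
Terraform addresses and the cloud ids below are constructed for the demo.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Decision(str, Enum):
    IMPORT = "import"                # live resource with no code counterpart
    RECONCILE = "reconcile"          # code exists, live attributes differ
    MARK_EXPECTED = "mark_expected"  # drift an operator has explicitly accepted
    IN_SYNC = "in_sync"              # nothing to do


@dataclass
class LiveResource:
    address: str                  # Terraform address, e.g. azurerm_key_vault.secrets
    cloud_id: str                 # provider id that `terraform import` needs
    attributes: Dict[str, object]


@dataclass
class ResourceDecision:
    address: str
    decision: Decision
    # attribute -> (declared in code, observed live); empty unless drifted
    diff: Dict[str, Tuple[object, object]] = field(default_factory=dict)


def decide(live: List[LiveResource], code: Dict[str, Dict[str, object]],
           expected_drift: Dict[str, Set[str]]) -> List[ResourceDecision]:
    """Classify every discovered resource as import / reconcile / mark expected / in sync."""
    decisions = []
    for res in live:
        declared = code.get(res.address)
        if declared is None:                       # unmanaged: nobody wrote it as code
            decisions.append(ResourceDecision(res.address, Decision.IMPORT))
            continue
        keys = set(declared) | set(res.attributes)
        diff = {k: (declared.get(k), res.attributes.get(k))
                for k in sorted(keys) if declared.get(k) != res.attributes.get(k)}
        if not diff:
            verdict = Decision.IN_SYNC
        elif set(diff) <= expected_drift.get(res.address, set()):
            verdict = Decision.MARK_EXPECTED        # every drifted key is on the accepted list
        else:
            verdict = Decision.RECONCILE           # at least one unexpected difference
        decisions.append(ResourceDecision(res.address, verdict, diff))
    return decisions


def render_import_blocks(live: List[LiveResource], decisions: List[ResourceDecision]) -> str:
    """Emit Terraform 1.5+ `import {}` blocks for each IMPORT decision, sorted for stable diffs."""
    ids = {r.address: r.cloud_id for r in live}
    return "\n\n".join(
        f'import {{\n  to = {d.address}\n  id = "{ids[d.address]}"\n}}'
        for d in sorted(decisions, key=lambda d: d.address) if d.decision is Decision.IMPORT)


def gate(decisions: List[ResourceDecision], approved: bool) -> List[ResourceDecision]:
    """Human review gate: decisions that change ownership or state need explicit approval."""
    pending = [d for d in decisions if d.decision in (Decision.IMPORT, Decision.RECONCILE)]
    if pending and not approved:
        raise PermissionError(f"{len(pending)} decision(s) await reviewer approval")
    return pending


# Constructed sample: a fictional subscription id and four discovered resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_LIVE = [
    LiveResource("azurerm_resource_group.app", f"{SUB}/resourceGroups/app",
                 {"location": "westeurope"}),
    LiveResource("azurerm_storage_account.logs",
                 f"{SUB}/resourceGroups/app/providers/Microsoft.Storage/storageAccounts/applogs",
                 {"allow_nested_items_to_be_public": True, "min_tls_version": "TLS1_2"}),
    LiveResource("azurerm_network_security_group.web",
                 f"{SUB}/resourceGroups/app/providers/Microsoft.Network/networkSecurityGroups/web",
                 {"location": "westeurope"}),
    LiveResource("azurerm_key_vault.secrets",
                 f"{SUB}/resourceGroups/app/providers/Microsoft.KeyVault/vaults/app-secrets",
                 {"purge_protection_enabled": True, "tags": {"owner": "platform"}}),
]
# What the repository currently declares for those addresses (the NSG is absent).
SAMPLE_CODE = {
    "azurerm_resource_group.app": {"location": "westeurope"},
    "azurerm_storage_account.logs": {"allow_nested_items_to_be_public": False,
                                     "min_tls_version": "TLS1_2"},
    "azurerm_key_vault.secrets": {"purge_protection_enabled": True, "tags": {"owner": "sec"}},
}
# Drift an operator has already accepted: tag ownership on the vault is set out of band.
SAMPLE_EXPECTED = {"azurerm_key_vault.secrets": {"tags"}}


def run_sample() -> Dict[str, object]:
    """Run the decision step over the constructed sample and return a summary."""
    decisions = decide(SAMPLE_LIVE, SAMPLE_CODE, SAMPLE_EXPECTED)
    return {
        "decisions": {d.address: d.decision.value for d in decisions},
        "drift": {d.address: d.diff for d in decisions if d.diff},
        "import_blocks": render_import_blocks(SAMPLE_LIVE, decisions),
    }


if __name__ == "__main__":
    summary = run_sample()
    for address, verdict in summary["decisions"].items():
        print(f"{verdict:14} {address} {summary['drift'].get(address, '')}")
    print(summary["import_blocks"])
```

The split between `decide` and `gate` is the point of the pipeline framing: classification is fully automatic and deterministic, but nothing that imports a resource or rewrites live state proceeds past `gate(..., approved=False)`, which is the PR review step in the product flow.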

Impact

Turned shadow infrastructure, wherever it lived, into a guided, reviewable path from live cloud to owned code.

Reflection

The visualization win was editing, deciding what to leave out by default.

The codification win was framing adoption as a reviewable pipeline, not a magic button, so people trusted the agent to write their infrastructure.