Architecture & Model Export
Generate publication-quality diagrams, MBSE models, and rebuildable infrastructure code directly from your live asset graph. Available in Topology → Architecture Diagrams.
This is an export/documentation capability — it does not change the interactive Topology view.
Scope
Every export runs against one of two scopes:
- Current Selection — the subgraph currently loaded in Explorer (pick a root node and relationship depth). Best for focused, readable diagrams.
- Full System — the entire tenant graph. Text formats (Terraform, SysML, PlantUML) handle this at scale; the export streams server-side so even very large estates (tens of thousands of nodes) export without memory pressure.
Formats
Terraform (rebuildable)
Apply-grade Terraform that aims to rebuild the infrastructure that can be rebuilt — not just an inventory dump.
- Modular layout: modules/<provider>/<region>/<vpc>/ — navigable at any scale instead of one giant main.tf.
- Graph-driven references: resources reference each other (aws_subnet.x.id) using the discovered relationship graph, so the bundle reconstructs real dependencies.
- UNMANAGED.md manifest: resources that cannot faithfully round-trip (stateful data such as RDS, IAM trust policies, secrets) are flagged and emitted as commented import-stubs — never silently dropped, and never as broken HCL.
- Generated bundles are designed to pass terraform validate.
AWS core (VPC/subnet/security groups/EC2/S3/ALB/IGW/NAT/Route53) is apply-grade today. Apply-grade fidelity for Azure/GCP/on-prem is on the roadmap; those resources are currently emitted as best-effort placeholders and listed in UNMANAGED.md.
terraform init
terraform validate
terraform plan # review UNMANAGED.md items before applying
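A sketch of the graph-driven references and UNMANAGED.md handling described above, as an added example rather than Infracast's own code. The asset graph, the UNMANAGED_TYPES set, the export() function and the stub wording are all assumptions made for illustration.

```python
# Added illustration, not Infracast code. The graph, names and stub wording are constructed.
GRAPH = {
    "nodes": [
        {"id": "vpc-main", "type": "aws_vpc", "attrs": {"cidr_block": "10.0.0.0/16"}},
        {"id": "subnet-a", "type": "aws_subnet", "attrs": {"cidr_block": "10.0.1.0/24"}},
        {"id": "db-orders", "type": "aws_db_instance", "attrs": {}},
    ],
    # (source, argument, target): the source resource's argument points at the target
    "edges": [("subnet-a", "vpc_id", "vpc-main")],
}
# Assumption: resource types this sketch treats as unable to round-trip
UNMANAGED_TYPES = {"aws_db_instance", "aws_iam_role", "aws_secretsmanager_secret"}


def address(node):
    """Terraform address, e.g. aws_subnet.subnet_a."""
    return f'{node["type"]}.{node["id"].replace("-", "_")}'


def export(graph):
    """Return (hcl_text, unmanaged_md_text) for a discovered asset graph."""
    by_id = {n["id"]: n for n in graph["nodes"]}
    blocks, manifest = [], []
    for node in graph["nodes"]:
        addr = address(node)
        if node["type"] in UNMANAGED_TYPES:
            # Flag it and leave a commented stub: never dropped, never live HCL
            manifest.append(f"- {addr}: stateful, import by hand")
            blocks.append(f"# UNMANAGED: terraform import {addr} <resource-id>")
            continue
        type_, name = addr.split(".")
        lines = [f'resource "{type_}" "{name}" {{']
        lines += [f'  {k} = "{v}"' for k, v in node["attrs"].items()]
        for src, arg, dst in graph["edges"]:
            if src != node["id"]:
                continue
            target = by_id[dst]
            if target["type"] in UNMANAGED_TYPES:
                # A live reference to an undeclared resource would fail validation
                lines.append(f"  # {arg}: target {address(target)} is unmanaged")
                manifest.append(f"- {addr}.{arg}: wire up after importing {address(target)}")
            else:
                lines.append(f"  {arg} = {address(target)}.id")
        lines.append("}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n", "\n".join(manifest) + "\n"


if __name__ == "__main__":
    hcl, unmanaged = export(GRAPH)
    print(hcl)
    print(unmanaged)
```

The second branch covers the case where a rebuildable resource points at an unmanaged one: the reference is written as a comment and recorded in the manifest, so the bundle never refers to a resource it does not declare.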
D2 diagram
A modern architecture diagram (architecture.d2):
- Color-coded containers per cloud/provider (AWS, Azure, GCP, VMware, M365, Cisco, Palo Alto, Active Directory, on-prem).
- Resources grouped by VPC/VNet; internet-exposed resources called out.
- Attack paths highlighted in red — the security story rendered visually, which generic cloud-icon tools cannot express.
Rendered live in the app. The Architecture Diagrams tab renders D2 to an
interactive diagram right in your browser (zoom, pan, light/dark themes, source
toggle, one-click SVG download) — no CLI required. You can still export the
architecture.d2 source and render it anywhere with the
D2 CLI: d2 architecture.d2 out.svg.
D2 is the single diagram engine across Infracast: the same D2 that renders live here is also embedded as SVG in generated documents (As-Built, SSP, compliance packages), so your in-app view and your authorization paperwork always match.
SysML v2 (MBSE)
A SysML v2 textual model (model.sysml) for model-based systems engineering:
- Resource types become part def definitions; resources become part instances with ports and attributes.
- Relationships become connections.
- Attack paths are expressed as constraint and requirement violations — making reachability risk first-class in the systems-engineering model. Complements the DoDAF export for defense/government programs.
PlantUML
A PlantUML block diagram (model.puml) for quick rendering in any PlantUML viewer.
Preview before download
The Architecture Diagrams tab includes a Preview button. For the D2 format it renders a fully interactive diagram in-browser (zoom/pan/themes/SVG download). For text formats (Terraform, SysML v2, PlantUML) it renders the primary generated artifact source so you can eyeball output before downloading the full ZIP bundle.
Notes
- All exports stream as a .zip download.
- Diagram output is densest at full-system scale — for readable diagrams, prefer a Selection scope; for text/model/IaC formats, full-system scale is fine.