Architecture & Model Export

Generate publication-quality diagrams, MBSE models, and rebuildable infrastructure code directly from your live asset graph. Available in Topology → Architecture Diagrams.

This is an export/documentation capability — it does not change the interactive Topology view.

Scope

Every export runs against one of two scopes:

  • Current Selection — the subgraph currently loaded in Explorer (pick a root node and relationship depth). Best for focused, readable diagrams.
  • Full System — the entire tenant graph. Text formats (Terraform, SysML, PlantUML) handle this at scale; the export streams server-side so even very large estates (tens of thousands of nodes) export without memory pressure.

Formats

Terraform (rebuildable)

Apply-grade Terraform that aims to rebuild the infrastructure that can be rebuilt — not just an inventory dump.

  • Modular layout: modules/<provider>/<region>/<vpc>/ — navigable at any scale instead of one giant main.tf.
  • Graph-driven references: resources reference each other (aws_subnet.x.id) using the discovered relationship graph, so the bundle reconstructs real dependencies.
  • UNMANAGED.md manifest: resources that cannot faithfully round-trip (stateful data such as RDS, IAM trust policies, secrets) are flagged and emitted as commented import-stubs — never silently dropped, and never as broken HCL.
  • Generated bundles are designed to pass terraform validate.

AWS core (VPC/subnet/security groups/EC2/S3/ALB/IGW/NAT/Route53) is apply-grade today. Apply-grade fidelity for Azure/GCP/on-prem is on the roadmap; those resources are currently emitted as best-effort placeholders and listed in UNMANAGED.md.

terraform init
terraform validate
terraform plan # review UNMANAGED.md items before applying
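
One way to enforce the UNMANAGED.md review before terraform plan, shown as an added example and not Infracast's own tooling. It assumes the ZIP is extracted to a directory, UNMANAGED.md sits at the bundle root, and import stubs are comment lines starting with "# import"; UNMANAGED.reviewed is a hypothetical sign-off file, and make_sample_bundle builds a constructed bundle for trying the gate.

```shell
#!/bin/sh
# Pre-apply gate for an extracted export bundle (added example, not Infracast code).
# Assumed: UNMANAGED.md at the bundle root, stubs as "# import ..." comment lines,
# and UNMANAGED.reviewed as a hypothetical sign-off file your own process creates.

count_import_stubs() {
    # Count commented-out import stubs across every .tf file in the bundle.
    find "$1" -type f -name '*.tf' \
        -exec grep -hE '^[[:space:]]*#[[:space:]]*import' {} + 2>/dev/null |
        wc -l | tr -d ' '
}

bundle_gate() {
    manifest="$1/UNMANAGED.md"
    ack="$1/UNMANAGED.reviewed"
    stubs=$(count_import_stubs "$1")
    if [ ! -f "$manifest" ]; then
        if [ "$stubs" -gt 0 ]; then
            # Stubs with no manifest: the bundle is incomplete or was altered.
            echo "FAIL: $stubs import stub(s) but no UNMANAGED.md" >&2
            return 2
        fi
        echo "OK: nothing flagged as unmanaged"
        return 0
    fi
    if [ ! -f "$ack" ] || [ "$manifest" -nt "$ack" ]; then
        # A re-export rewrites the manifest, which invalidates an older sign-off.
        echo "BLOCK: review UNMANAGED.md ($stubs import stub(s)) and sign off" >&2
        return 1
    fi
    echo "OK: UNMANAGED.md signed off, continue with terraform plan"
    return 0
}

make_sample_bundle() {
    # Constructed sample bundle (not real export output) for trying the gate.
    mkdir -p "$1/modules/aws/us-east-1/vpc-sample"
    printf '%s\n' 'resource "aws_vpc" "sample" {' '  cidr_block = "10.0.0.0/16"' '}' \
        '# import aws_db_instance.sample (stateful, see UNMANAGED.md)' \
        > "$1/modules/aws/us-east-1/vpc-sample/main.tf"
    printf '%s\n' '# Unmanaged resources' '- aws_db_instance.sample: stateful data' \
        > "$1/UNMANAGED.md"
    touch -t 202401010000 "$1/UNMANAGED.md"
}
```

Call bundle_gate with the extracted bundle directory in CI and run terraform plan only when it exits 0.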

D2 diagram

A modern architecture diagram (architecture.d2):

  • Color-coded containers per cloud/provider (AWS, Azure, GCP, VMware, M365, Cisco, Palo Alto, Active Directory, on-prem).
  • Resources grouped by VPC/VNet; internet-exposed resources called out.
  • Attack paths highlighted in red — the security story rendered visually, which generic cloud-icon tools cannot express.

Rendered live in the app. The Architecture Diagrams tab renders D2 to an interactive diagram right in your browser (zoom, pan, light/dark themes, source toggle, one-click SVG download) — no CLI required. You can still export the architecture.d2 source and render it anywhere with the D2 CLI: d2 architecture.d2 out.svg.

D2 is the single diagram engine across Infracast: the same D2 that renders live here is also embedded as SVG in generated documents (As-Built, SSP, compliance packages), so your in-app view and your authorization paperwork always match.

SysML v2 (MBSE)

A SysML v2 textual model (model.sysml) for model-based systems engineering:

  • Resource types become part def definitions; resources become part instances with ports and attributes.
  • Relationships become connections.
  • Attack paths are expressed as constraint and requirement violations — making reachability risk first-class in the systems-engineering model. Complements the DoDAF export for defense/government programs.

PlantUML

A PlantUML block diagram (model.puml) for quick rendering in any PlantUML viewer.

Preview before download

The Architecture Diagrams tab includes a Preview button. For the D2 format it renders a fully interactive diagram in-browser (zoom/pan/themes/SVG download). For text formats (Terraform, SysML v2, PlantUML) it renders the primary generated artifact source so you can eyeball output before downloading the full ZIP bundle.

Notes

  • All exports stream as a .zip download.
  • Diagram output is densest at full-system scale — for readable diagrams, prefer a Selection scope; for text/model/IaC formats, full-system scale is fine.