Terraback is a command-line tool that reverse-engineers your existing cloud infrastructure into clean, maintainable Terraform configurations. It discovers resources across AWS, Azure, and Google Cloud, maps their dependencies, and generates production-ready .tf files in seconds — so you can adopt Infrastructure-as-Code on infrastructure that was originally built by hand.

terraform import only attaches an existing resource to a Terraform state file — it does not generate the corresponding HCL configuration. You still have to write every block by hand and reconcile dozens of arguments. Terraback does both:

• Automatically discovers every supported resource in your account
• Generates complete .tf files with all arguments and references
• Resolves dependencies between resources (subnets ↔ security groups ↔ instances)
• Emits import blocks (Terraform 1.5+) or import scripts so the resulting state matches reality
• Saves up to 90% of the time compared to manual import

Terraback currently supports:

• AWS: 50+ services including EC2, VPC, RDS, Lambda, S3, IAM, ECS, EKS, ELB, Route 53, CloudFront, and more
• Azure: 20+ services including Virtual Machines, Networks, Storage, AKS, App Service, Key Vault
• Google Cloud: 15+ services including Compute Engine, VPC Networks, GKE, Cloud Storage, Cloud SQL

We add new services regularly based on user demand. The full list lives in the supported services page.

Yes. Terraback is designed so your infrastructure data never leaves your machine:

• Runs locally — scanning, parsing, and code generation all happen on the host you run it from
• Read-only IAM — Terraback only needs Describe*, List*, and Get* permissions, never write/modify
• No credential storage — it reuses the credentials your AWS CLI / Azure CLI / gcloud are already using
• No telemetry of resource data — only anonymized command-level usage metrics are sent
• License validation is offline after first activation

Yes. Terraback emits standard HCL2 syntax that is fully compatible with OpenTofu, Terraform 1.x, and Terragrunt. The generated files use the same provider blocks and resource schemas, so you can swap terraform for tofu without changing anything in the output.

• Operating Systems: Windows 10+, macOS 10.15+, Linux (Ubuntu 18.04+, Debian 10+, RHEL/CentOS 7+, Amazon Linux 2)
• Memory: 4 GB RAM minimum, 8 GB recommended for accounts with 1,000+ resources
• Disk Space: ~500 MB for installation
• Cloud CLI Tools: AWS CLI v2, Azure CLI, or gcloud SDK — whichever providers you plan to scan
• Python: 3.8 or higher (only when installing via pip; standalone binaries bundle their own runtime)

Terraback reuses your existing CLI authentication — there is nothing to configure inside Terraback itself.

# AWS
aws configure
terraback scan aws

# Azure
az login
terraback scan azure

# Google Cloud
gcloud auth application-default login
terraback scan gcp

Yes. Anything the underlying cloud SDK can resolve will work — including AWS SSO sessions, AWS IAM Identity Center, aws sts assume-role profiles, Azure managed identities, and GCP service-account impersonation. Pass the profile or environment variables you would normally use:

AWS_PROFILE=production terraback scan aws

Terraback can emit:

• Terraform HCL (.tf files) — the default, idiomatic format
• Import blocks — declarative import { ... } blocks for Terraform 1.5+
• Import scripts — shell scripts of terraform import commands for older versions
• Resource inventory — Markdown tables describing what was discovered

You have three options, in order of how recent your Terraform version is:

1. Import blocks (Terraform 1.5+ — recommended):

terraback scan aws --use-import-blocks

2. Generated import scripts (works on any version):

terraback scan aws --generate-imports

3. Direct state import:

terraback scan aws --import-state

Yes, by service or by individual resource:

# Exclude entire services
terraback scan aws --exclude ec2,rds

# Exclude individual resource IDs
terraback scan aws --exclude-resources i-0abc123,my-bucket-name

Terraback emits human-readable HCL grouped by service, with cross-references resolved to Terraform expressions (aws_subnet.main.id) instead of literal IDs. Variables are extracted for things that look environment-specific (account IDs, region names, common tags), so the same module can be reused across accounts with minimal edits.

Terraback's primary use case is generating Terraform for the cloud you're already on, not translating between providers. That said, having clean, normalized HCL is the prerequisite for any migration project — once your AWS infrastructure is described in code, it's far easier to plan an equivalent Azure or GCP topology by hand.

• Community (free): core scanning across AWS, Azure, and GCP, basic dependency mapping, and unlimited use for personal/small projects
• Professional ($499, one-time): lifetime access to all 50+ services, advanced dependency mapping, parallel multi-account scanning, priority email support, and all future updates

• Lifetime access to every supported service across AWS, Azure, and GCP
• Advanced dependency mapping for complex networking and IAM relationships
• Multi-account / multi-profile parallel scanning
• Priority email support at support@terraback.io
• All future updates — no annual renewal

Per-user. The license is fingerprint-bound at activation, but if you replace your machine you can deactivate the old one and re-activate on the new hardware. Reach out to support if you need help moving the license.

Community can be used in CI for non-commercial or evaluation work. Production CI/CD use of paid features (parallel scanning, advanced dependency mapping, all services beyond the Community subset) requires a Professional license.

The most common causes, in order:

1. Insufficient IAM permissions — Terraback needs Describe* / List* / Get* on the services you're scanning
2. Wrong region — by default Terraback scans only the region your CLI is configured for; use --all-regions or --region
3. Service not yet supported — check the supported services page
4. Resource is in a different account — for cross-account, scan with the appropriate AWS_PROFILE

Run with --debug for a verbose log of what was attempted and what was skipped.

Terraback detects cycles during dependency resolution and breaks them by emitting explicit depends_on blocks rather than direct references. The generated configuration is always plan-able even when the underlying graph has cycles (security group ↔ security group rules, for example).

For large accounts:

• Limit by service: --services ec2,vpc,iam
• Limit by region: --region us-east-1 instead of --all-regions
• Enable parallel processing (Professional only): --parallel
• Make sure caching is on (it's the default): --cache

• Email: support@terraback.io
• Website: contact form at terraback.io

Yes, with Professional:

# Scan a specific named profile
terraback scan aws --profile production

# Scan every profile in your AWS config file in parallel
terraback scan aws --all-profiles

Scan time scales roughly linearly with resource count:

• Small (under 100 resources): ~30 seconds
• Medium (100–1,000 resources): 2–5 minutes
• Large (1,000+ resources): 10–20 minutes

Professional includes parallel scanning, which typically halves the time on multi-region or multi-account workloads.

Yes — it has been used on accounts with 1,000+ EC2 instances, 5,000+ Lambda functions, and tens of thousands of IAM resources. Pagination, caching, and rate-limit-aware retries are built in, so the SDK's API limits become the bottleneck rather than Terraback itself.

• Official docs: docs.terraback.io
• Website: terraback.io
• README: ships with the binary and the pip package

• Email: support@terraback.io (priority for Professional customers)
• Website contact form: terraback.io

To get a fast answer, include:

• Terraback version (terraback --version)
• Cloud provider, region, and account size (rough resource count)
• Error messages or --debug output
• Your license type (Community or Professional)

• Feature releases: roughly monthly
• Bug-fix and security patches: as needed, usually within days

All updates are included with a Professional license — there's no renewal.