# Implementation Plan: IaC Reverse Engineering ## Overview Build a Python CLI tool that reverse-engineers existing on-premises infrastructure into Terraform HCL code and state files. The tool follows a pipeline architecture (Scanner → Dependency Resolver → Code Generator → State Builder → Validator) with a provider plugin system for each on-premises platform (Docker Swarm, Kubernetes, Synology, Harvester, Bare Metal, Windows, Authentik). ## Tasks - [ ] 1. Set up project structure and core data models - [ ] 1.1 Create project directory structure, pyproject.toml, and install dependencies - Create `src/iac_reverse/` package with `__init__.py` - Create subdirectories: `scanner/`, `resolver/`, `generator/`, `state_builder/`, `validator/`, `incremental/`, `auth/`, `cli/` - Set up `pyproject.toml` with dependencies: kubernetes, docker, pywinrm, hypothesis, pytest, click, jinja2, networkx, pyyaml, python-synology - Create `tests/` directory with `unit/`, `property/`, `integration/` subdirectories - _Requirements: 1.1, 5.1, 5.2_ - [ ] 1.2 Define core enums, data classes, and interfaces - Implement `ProviderType` enum (docker_swarm, kubernetes, synology, harvester, bare_metal, windows) - Implement `PlatformCategory` enum (container_orchestration, storage_appliance, hci, bare_metal, windows) and `PROVIDER_PLATFORM_MAP` - Implement `CpuArchitecture` enum (amd64, arm, aarch64) - Implement `ScanProfile`, `DiscoveredResource`, `ScanResult`, `ScanProgress` dataclasses - Implement `ResourceRelationship`, `DependencyGraph`, `UnresolvedReference` dataclasses - Implement `GeneratedFile`, `ExtractedVariable`, `CodeGenerationResult` dataclasses - Implement `StateEntry`, `StateFile` dataclasses - Implement `ValidationResult`, `PlannedChange`, `ValidationError` dataclasses - Implement `ChangeType` enum and `ResourceChange`, `ChangeSummary` dataclasses - Define `ProviderPlugin` abstract base class with all abstract methods - _Requirements: 1.1, 1.2, 2.1, 3.1, 4.1, 5.1, 5.2, 8.1_ - [ ] 1.3 Implement ScanProfile validation logic - Validate mandatory fields: provider type and non-empty credentials - Validate optional fields: resource_type_filters max 200 entries, endpoints list - Validate resource types against provider's supported types - Return all validation errors in a single response - _Requirements: 6.1, 6.6, 6.7_ - [ ]* 1.4 Write property test for scan profile validation (Property 20) - **Property 20: Scan profile validation completeness** - **Validates: Requirements 6.1, 6.6, 6.7** - [ ] 2. Implement Scanner core and provider plugin system - [ ] 2.1 Implement Scanner orchestrator with progress reporting and error handling - Create `Scanner` class that accepts a `ScanProfile` and orchestrates discovery - Implement connection timeout (30 seconds) and authentication error handling with descriptive messages - Implement progress callback invocation per resource type completion - Implement retry logic: up to 3 retries with exponential backoff for transient errors - Implement partial inventory return on connection loss - Implement warning logging for unsupported resource types while continuing scan - _Requirements: 1.1, 1.3, 1.4, 1.5, 1.6, 1.7_ - [ ]* 2.2 Write property tests for Scanner behavior (Properties 2, 3, 4, 5) - **Property 2: Authentication error descriptiveness** - **Property 3: Graceful degradation on unsupported resource types** - **Property 4: Progress reporting frequency** - **Property 5: Partial inventory preservation on failure** - **Validates: Requirements 1.3, 1.4, 1.5, 1.7** - [ ] 2.3 Implement Docker Swarm provider plugin - Implement `DockerSwarmPlugin` using docker-sdk-python - Discover services, networks, volumes, configs, secrets (metadata only) - Detect architecture from node info - _Requirements: 1.1, 1.2, 5.2_ - [ ] 2.4 Implement Kubernetes provider plugin - Implement `KubernetesPlugin` using kubernetes-client - Discover deployments, services, ingresses, config maps, persistent volumes, namespaces - Detect architecture from node labels - _Requirements: 1.1, 1.2, 5.2_ - [ ] 2.5 Implement Synology provider plugin - Implement `SynologyPlugin` using Synology DSM API - Discover shared folders, volumes, storage pools, replication tasks, users - Detect architecture from system info (ARM vs AMD64) - _Requirements: 1.1, 1.2, 5.2_ - [ ] 2.6 Implement Harvester provider plugin - Implement `HarvesterPlugin` using Harvester/K8s-based API - Discover VMs, volumes, images, networks (HCI combined resources) - Detect architecture from node info - _Requirements: 1.1, 1.2, 5.2_ - [ ] 2.7 Implement Bare Metal provider plugin - Implement `BareMetalPlugin` using IPMI/Redfish API - Discover hardware inventory, BMC configs, network interfaces, RAID configurations - Detect architecture from system hardware info - _Requirements: 1.1, 1.2, 5.2_ - [ ] 2.8 Implement Windows provider plugin - Implement `WindowsDiscoveryPlugin` using pywinrm library - Authenticate via WinRM using NTLM or Kerberos (configurable transport, port, SSL) - Discover Windows services, scheduled tasks, IIS sites, IIS app pools, network adapters, firewall rules, installed software, Windows features, Hyper-V VMs, Hyper-V switches, DNS records, local users, local groups - Detect CPU architecture via WMI Win32_Processor query - Discover Hyper-V resources only if the Hyper-V role is installed; skip gracefully otherwise - Handle WinRM-specific errors: WinRM not enabled, WMI query failure, insufficient privileges - _Requirements: 1.1, 1.2, 5.2_ - [ ] 2.9 Implement Authentik integration (SSO + discovery plugin) - Implement `AuthentikAuthProvider` for OAuth2/OIDC SSO flow (authenticate, refresh, validate) - Implement `AuthentikDiscoveryPlugin` conforming to `ProviderPlugin` - Discover flows, stages, providers, applications, outposts, property mappings, certificates, groups, sources - _Requirements: 1.1, 1.2, 5.2_ - [ ]* 2.10 Write property test for resource inventory completeness (Property 1) - **Property 1: Resource inventory completeness** - **Validates: Requirements 1.2** - [ ] 3. Checkpoint - Ensure all tests pass - Ensure all tests pass, ask the user if questions arise. - [ ] 4. Implement Dependency Resolver - [ ] 4.1 Implement dependency resolution and graph building - Create `DependencyResolver` class - Analyze resource `raw_references` to identify parent-child, reference, and dependency relationships - Build dependency graph using networkx - Produce topological ordering of resources - Represent relationships as explicit Terraform references (not hardcoded IDs) - _Requirements: 2.1, 2.2, 2.4_ - [ ] 4.2 Implement cycle detection and resolution suggestions - Detect circular dependencies in the graph - Report cycles listing all involved resources - Suggest resolution strategies (which relationship to break, data source lookup alternatives) - _Requirements: 2.3_ - [ ] 4.3 Implement unresolved reference handling - Identify references to IDs not in the current inventory - Log warnings for unresolved references - Represent unresolved references as data source lookups or variables in output - _Requirements: 2.5_ - [ ]* 4.4 Write property tests for Dependency Resolver (Properties 6, 7, 8, 9) - **Property 6: Dependency relationship identification** - **Property 7: Cycle detection correctness** - **Property 8: Topological order validity** - **Property 9: Unresolved references become data sources or variables** - **Validates: Requirements 2.1, 2.3, 2.4, 2.5** - [ ] 5. Implement Code Generator - [ ] 5.1 Implement HCL code generation with Jinja2 templates - Create `CodeGenerator` class - Create Jinja2 templates for Terraform resource blocks per provider/resource type - Generate syntactically valid HCL files from dependency graph - Organize output: one `.tf` file per resource type - Include traceability comments with original resource unique_id - Use Terraform resource references for inter-resource dependencies (not hardcoded IDs) - Generate architecture-specific tags/labels on resources - _Requirements: 3.1, 3.2, 3.5, 3.6_ - [ ] 5.2 Implement identifier sanitization - Create `sanitize_identifier()` function - Convert resource names to valid Terraform identifiers: `^[a-zA-Z_][a-zA-Z0-9_]*$` - Handle special characters, unicode, leading digits, spaces by replacing with underscores - Ensure non-empty output for any input - _Requirements: 3.4_ - [ ] 5.3 Implement variable extraction logic - Identify attribute values appearing in 2+ resources - Extract shared values into `variables.tf` with defaults set to most common value - Generate variable declarations with type expressions and descriptions - _Requirements: 3.3_ - [ ] 5.4 Implement provider configuration block generation - Generate separate provider blocks for each distinct provider used - Include platform-specific configuration (endpoints, certificate settings) - _Requirements: 5.4_ - [ ] 5.5 Implement multi-provider resource merging with conflict resolution - Merge resources from multiple scan profiles into unified inventory - Resolve naming conflicts by prefixing with provider identifier - Preserve provider-specific attributes - _Requirements: 5.3_ - [ ]* 5.6 Write property tests for Code Generator (Properties 10, 11, 12, 13, 14, 15) - **Property 10: References in generated output use Terraform syntax** - **Property 11: Generated HCL syntactic validity** - **Property 12: File organization by resource type** - **Property 13: Variable extraction for shared values** - **Property 14: Identifier sanitization validity** - **Property 15: Traceability comments in generated code** - **Validates: Requirements 2.2, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6** - [ ] 6. Implement State Builder - [ ] 6.1 Implement Terraform state file generation (format v4) - Create `StateBuilder` class - Generate state JSON with version=4, unique UUID lineage, serial number - Create state entries binding each resource block to its live infrastructure ID - Populate full attribute sets from discovery data - Set schema_version matching provider version from scan profile - Mark sensitive attributes per provider schema - Include dependency references in state entries - _Requirements: 4.1, 4.2, 4.4, 4.5_ - [ ] 6.2 Implement unmapped resource handling in state builder - Log warnings for resources that cannot be mapped to state entries - Handle missing provider-assigned resource identifiers - Exclude unmapped resources from state file - _Requirements: 4.3, 4.6_ - [ ]* 6.3 Write property tests for State Builder (Properties 16, 17) - **Property 16: State file structural validity** - **Property 17: State entry completeness and schema correctness** - **Validates: Requirements 4.1, 4.2, 4.4, 4.5** - [ ] 7. Checkpoint - Ensure all tests pass - Ensure all tests pass, ask the user if questions arise. - [ ] 8. Implement Validator - [ ] 8.1 Implement Terraform validation runner - Create `Validator` class - Run `terraform init` and `terraform validate` against generated output - Run `terraform plan` and check for zero planned changes - Report validation errors with file name and error description - Report drift: list each resource with planned change type (add, modify, destroy) - Handle missing Terraform binary with descriptive error - _Requirements: 7.1, 7.2, 7.3, 7.5_ - [ ] 8.2 Implement auto-correction loop for validation errors - Attempt to correct validation errors (up to 3 attempts) - Re-validate after each correction - Report failure with remaining error details if corrections exhausted - _Requirements: 7.4_ - [ ]* 8.3 Write property test for drift report correctness (Property 22) - **Property 22: Drift report correctness** - **Validates: Requirements 7.3** - [ ] 9. Implement Incremental Scan Engine - [ ] 9.1 Implement scan snapshot storage and retrieval - Store scan results as timestamped JSON in `.iac-reverse/snapshots/` - Use profile_hash for matching scans to profiles - Retain at least 2 most recent snapshots per profile - Load previous snapshot for comparison - _Requirements: 8.4, 8.6_ - [ ] 9.2 Implement change detection and classification - Compare current scan against previous snapshot - Classify resources as added, removed, or modified - Produce change summary with counts and resource details - Handle first scan (no previous) as full initial scan - _Requirements: 8.1, 8.4, 8.5_ - [ ] 9.3 Implement incremental code and state updates - Update only IaC files containing changed resources (not full regeneration) - Remove resource blocks and state entries for removed resources - Add/update blocks for added/modified resources - _Requirements: 8.2, 8.3_ - [ ]* 9.4 Write property tests for Incremental Scan (Properties 23, 24, 25, 26) - **Property 23: Change classification correctness** - **Property 24: Incremental update scope** - **Property 25: Removed resource exclusion** - **Property 26: Snapshot retention** - **Validates: Requirements 8.1, 8.2, 8.3, 8.5, 8.6** - [ ] 10. Implement CLI and wire pipeline together - [ ] 10.1 Implement CLI entry point with Click - Create `cli.py` with Click command group - Implement `scan` command accepting scan profile YAML path - Implement `generate` command to run full pipeline (scan → resolve → generate → state → validate) - Implement `diff` command for incremental scanning - Implement `validate` command for standalone validation - Implement `login` command for Authentik SSO authentication - Wire all pipeline components together in correct order - Add progress bars and formatted output for scan progress - _Requirements: 1.1, 1.5, 6.1, 6.2, 6.3, 6.4, 6.5_ - [ ] 10.2 Implement scan profile YAML loading and environment variable expansion - Parse YAML scan profiles - Expand `${ENV_VAR}` references in credential fields - Support multi-profile YAML for multi-provider scans - _Requirements: 6.1, 5.3_ - [ ]* 10.3 Write property tests for multi-provider and filtering (Properties 18, 19, 20, 21) - **Property 18: Multi-provider merge with naming conflict resolution** - **Property 19: Provider block generation** - **Property 20: Scan profile validation completeness** (additional coverage) - **Property 21: Filtering correctness** - **Validates: Requirements 5.3, 5.4, 6.1, 6.2, 6.4, 6.6, 6.7** - [ ] 11. Implement resource type filter and multi-provider failure handling - [ ] 11.1 Implement resource type filtering in scanner - When filters specified, discover only listed resource types - When no filters specified, discover all supported types for provider - _Requirements: 6.2, 6.3_ - [ ] 11.2 Implement multi-provider partial failure handling - Complete scanning for all remaining providers when one fails - Include successfully discovered resources in inventory - Report which providers failed with error details - _Requirements: 5.5_ - [ ] 12. Final checkpoint - Ensure all tests pass - Ensure all tests pass, ask the user if questions arise. ## Notes - Tasks marked with `*` are optional and can be skipped for faster MVP - Each task references specific requirements for traceability - Checkpoints ensure incremental validation - Property tests validate universal correctness properties from the design document - Unit tests validate specific examples and edge cases - The tool is Python-based using Hypothesis for property-based testing - All provider plugins conform to the `ProviderPlugin` abstract interface - Pipeline architecture ensures each component is independently testable - Providers: Docker Swarm, Kubernetes, Synology, Harvester, Bare Metal, Windows, Authentik - Platform categories: Container Orchestration, Storage Appliance, HCI, Bare Metal, Windows (no Hypervisor category) - Windows discovery uses pywinrm/WMI for services, IIS, scheduled tasks, Hyper-V, and more ## Task Dependency Graph ```json { "waves": [ { "id": 0, "tasks": ["1.1"] }, { "id": 1, "tasks": ["1.2"] }, { "id": 2, "tasks": ["1.3", "2.1"] }, { "id": 3, "tasks": ["1.4", "2.3", "2.4", "2.5", "2.6", "2.7", "2.8", "2.9"] }, { "id": 4, "tasks": ["2.2", "2.10"] }, { "id": 5, "tasks": ["4.1"] }, { "id": 6, "tasks": ["4.2", "4.3"] }, { "id": 7, "tasks": ["4.4", "5.1", "5.2"] }, { "id": 8, "tasks": ["5.3", "5.4", "5.5"] }, { "id": 9, "tasks": ["5.6", "6.1"] }, { "id": 10, "tasks": ["6.2"] }, { "id": 11, "tasks": ["6.3", "8.1"] }, { "id": 12, "tasks": ["8.2"] }, { "id": 13, "tasks": ["8.3", "9.1"] }, { "id": 14, "tasks": ["9.2"] }, { "id": 15, "tasks": ["9.3"] }, { "id": 16, "tasks": ["9.4", "10.1", "11.1", "11.2"] }, { "id": 17, "tasks": ["10.2"] }, { "id": 18, "tasks": ["10.3"] } ] } ```