Mastering Multi-Cloud Visibility with HCP Terraform and Infragraph: A Step-by-Step Guide

Overview

In today’s multi-cloud and hybrid environments, infrastructure management has become a labyrinth of siloed data, outdated snapshots, and escalating costs. Platform teams often find themselves stitching together insights from multiple tools, only to miss real-time changes and security risks. HashiCorp Cloud Platform (HCP) Terraform, now integrated with Infragraph, offers a transformative approach: a centralized, event-driven knowledge graph that provides a unified, live view of your entire infrastructure estate. This guide will walk you through setting up and leveraging HCP Terraform powered by Infragraph, currently in public preview for qualified US customers. You’ll learn how to replace static, fragmented views with dynamic, actionable intelligence that can improve security, cost management, and operational efficiency.

By the end of this tutorial, you will be able to enable the Infragraph integration, configure data sources, and interpret the knowledge graph to identify ownership, detect vulnerabilities, and optimize resource usage—all from within the HCP Terraform interface.

Prerequisites

Before you start, ensure you have the following:

  • An active HCP Terraform account (previously known as Terraform Cloud) – only accounts based in the United States are eligible for the public preview. Check your account settings or contact HashiCorp support to confirm qualification.
  • Administrator or owner permissions on the HCP Terraform organization where you intend to enable Infragraph.
  • At least one Terraform workspace managing infrastructure in AWS, Azure, or GCP (or any combination).
  • Basic familiarity with Terraform configurations – you should know how to manage resources and state files.
  • A working knowledge of your cloud providers’ console to verify resource metadata.

Note: The preview is limited to specific customers. If you are outside the US or not yet approved, you can still read along to understand the future capabilities.

Step-by-Step Instructions

1. Enable the Infragraph Integration in HCP Terraform

The first step is to activate the Infragraph feature for your organization. In the public preview, this is done via a feature flag in the HCP Terraform settings.

  1. Log in to app.terraform.io (or your HCP Terraform instance).
  2. Navigate to your Organization Settings (gear icon in top navigation).
  3. Under the “Feature Previews” tab, look for “HCP Terraform powered by Infragraph”. Click “Enable”.
  4. Confirm the activation. You may see a warning that the feature is experimental; accept the terms.

Once enabled, you will see a new “Infrastructure Graph” menu item in the left sidebar of your organization’s dashboard. If you do not see the option, your account may not be qualified; contact HashiCorp support.

2. Configure Data Sources for the Knowledge Graph

Infragraph builds its graph from your existing Terraform workspaces. By default, it begins ingesting data from all workspaces associated with your organization. However, you can fine-tune which resources are tracked to avoid noise.

  1. Go to “Infrastructure Graph” → “Data Sources”.
  2. You will see a list of your workspaces. For each workspace, toggle the “Include in Graph” switch to ON (or OFF to exclude).
  3. Optionally, you can filter by resource type (e.g., only track VMs, databases, or load balancers). Infragraph automatically recognizes common cloud resources.
  4. Click “Save”. The system will begin an initial sync. Depending on the number of resources, this can take a few minutes.
  5. Graph updates are event-driven: any change to a tracked workspace (via a Terraform run) triggers a refresh of the affected nodes and edges, which keeps the graph accurate in near real time.

    3. Exploring the Knowledge Graph

    Now that data is flowing, you can explore the graph to discover relationships and gain insights.

    1. Click on “Infrastructure Graph” → “Graph View”. You will see a dynamic, interactive diagram of your infrastructure. Each node represents a resource (e.g., an EC2 instance, a VPC, an Azure SQL Database). Edges show dependencies (e.g., an instance belongs to a security group).
    2. Use the search bar to find specific resources by name, type, or tag.
    3. Click on any node to see details: owner (if set via tags), last Terraform update, cloud provider, region, and recent state changes.
    4. Toggle filters to view only certain resource types (e.g., only “compute” resources).
    5. Export the current view as a JSON file for programmatic analysis (available via the “Export” button).

    For example, if you want to identify all resources without proper owner tags, search for owner:null (this requires that you have tagged resources with an ‘owner’ key in your Terraform config).

    4. Using Insights for Security and Cost Optimization

    The real power of Infragraph lies in its dynamic insights. Two common use cases are tracking untagged resources and detecting anomalies.

    Security – Find Orphaned Resources: In the graph, look for resources that have no incoming or outgoing edges (isolated nodes). These might be forgotten storage buckets or security groups. Click on them to see their last modification date. If they are older than your retention policy, mark them for cleanup.

    Cost – Detect Spike in Usage: Infragraph tracks recent state change counts. If a workspace shows an unusual number of updates in the past 24 hours, it could indicate a cost‑related issue (e.g., an auto‑scaling group gone wild). Check the “Recent Activity” tab for that workspace in the Terraform dashboard.

    You can also create custom alerts by integrating with webhooks; this becomes available in future versions, and preview limitations currently apply.
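Because the graph is built from Terraform state, the two checks in this section (resources with no owner tag, and isolated nodes with no edges) can be reproduced against a state file pulled with `terraform state pull`. The following is an added example, not HashiCorp's code or part of the original guide; the function names and the sample state are constructed for illustration, and the input is assumed to be in the state v4 layout.

```python
import json

# Constructed sample in Terraform state v4 layout (not from a real workspace).
SAMPLE_STATE = json.loads("""
{"version": 4, "resources": [
 {"mode": "managed", "type": "aws_vpc", "name": "main", "instances": [
   {"attributes": {"tags": {"owner": "netops"}}, "dependencies": []}]},
 {"mode": "managed", "type": "aws_security_group", "name": "web", "instances": [
   {"attributes": {"tags": {"owner": "web-team"}}, "dependencies": ["aws_vpc.main"]}]},
 {"mode": "managed", "type": "aws_security_group_rule", "name": "ssh", "instances": [
   {"attributes": {"type": "ingress"}, "dependencies": ["aws_security_group.web"]}]},
 {"mode": "managed", "type": "aws_instance", "name": "web", "instances": [
   {"attributes": {"tags": {"Name": "web"}}, "dependencies": ["aws_security_group.web"]}]},
 {"mode": "managed", "type": "aws_s3_bucket", "name": "old_logs", "instances": [
   {"attributes": {"tags": null}, "dependencies": []}]}
]}
""")


def address(res):
    """Spell a resource address the same way state `dependencies` entries do."""
    parts = [res["module"]] if res.get("module") else []
    if res.get("mode") == "data":
        parts.append("data")
    return ".".join(parts + [res["type"], res["name"]])


def audit_state(state, required=("owner",)):
    """Return managed resources missing required tags and those with no edges."""
    missing, outgoing, referenced = set(), {}, set()
    for res in state.get("resources", []):
        addr = address(res)
        for inst in res.get("instances", []):
            deps = inst.get("dependencies") or []
            referenced.update(deps)
            if res.get("mode") != "managed":
                continue  # data sources add edges but are not audited themselves
            outgoing.setdefault(addr, set()).update(deps)
            attrs = inst.get("attributes") or {}
            # Judge only types that can carry tags/labels; tags_all is the AWS
            # provider's merged view that includes provider default_tags.
            present = [k for k in ("tags", "tags_all", "labels") if k in attrs]
            merged = {}
            for key in present:
                merged.update(attrs[key] or {})
            if present and any(not merged.get(t) for t in required):
                missing.add(addr)
    isolated = sorted(a for a, d in outgoing.items() if not d and a not in referenced)
    return {"missing_tags": sorted(missing), "isolated": isolated}
```

The security group rule is not reported because its type has no tag attribute, and the VPC is not isolated because the security group depends on it.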

    5. Automating Workflows with the Graph API (Preview)

    Although the public preview does not yet expose a mature API, early adopters can use the embedded GraphQL endpoint (enabled under “Settings” → “API”). This allows you to query the graph for specific patterns.

    # Example GraphQL query to fetch all AWS EC2 instances with their owners (read from the tags)
    { resources(type: "aws_instance") { id metadata { tags region } } }

    Note: The API is subject to change and not recommended for production use until GA.

    Common Mistakes

    Mistake 1: Not Enabling the Feature for All Relevant Workspaces

    Infragraph only ingests data from workspaces you explicitly include. If you forget to toggle a workspace, that part of your infrastructure will be invisible, leading to blind spots. Tip: After enabling the integration, do a bulk enable of all workspaces, then selectively exclude noisy ones.

    Mistake 2: Assuming the Graph Is Rebuilt Instantly After Changes

    While Infragraph is event‑driven, there is still a short latency (typically 30–60 seconds) between a Terraform run and the graph update. Do not expect real‑time changes if you immediately refresh the graph; wait a minute and then reload.

    Mistake 3: Overlooking Tagging Consistency

    Infragraph uses tags to infer ownership and grouping. If your Terraform configurations do not include consistent tagging (e.g., missing “owner” or “environment” tags), the graph will show many resources as “unknown”. Solution: Adopt a tagging convention and enforce it with Terraform policy checks before the preview goes GA.

    Mistake 4: Confusing the Graph with Live Cloud Data

    The knowledge graph is sourced from Terraform state files, not directly from cloud providers. If someone uses the cloud console to manually create a resource (outside Terraform), it will not appear until the next run that imports it. Infragraph is as accurate as your Terraform coverage – it does not replace cloud inventory tools.

    Summary

    HCP Terraform powered by Infragraph provides a much‑needed unified, dynamic view of your multi‑cloud infrastructure. By following this guide, you have enabled the feature, configured which workspaces contribute to the knowledge graph, explored the interactive visualization, and started using it for security and cost insights. Remember to keep your tagging consistent and to understand that the graph reflects Terraform state, not the raw cloud inventory. As the public preview evolves, expect more automation capabilities and broader API access. This integration is a promising step toward turning infrastructure data into actionable intelligence, reducing complexity and operational risk.
