A Rust-based REST API service that transforms Terraform state files into detailed FedRAMP-aligned architecture boundary diagrams using AI-enhanced Mermaid diagram generation.
Hayashi is a web service that parses Terraform state files and generates visual architecture diagrams with security and compliance boundaries. It leverages Cloudflare Workers AI to create human-friendly diagrams that meet FedRAMP, NIST 800-53, and other compliance framework requirements.
- 🔄 Automatic Diagram Generation: Parse Terraform state files and generate Mermaid flowchart diagrams
- 🔒 Security Boundary Visualization: Clearly delineate FedRAMP authorization boundaries and trust zones
- 📋 Compliance Controls: Annotate resources with relevant NIST 800-53 controls (SC-7, AU-2, AC-6, CM-2, etc.)
- 🏗️ Architecture Tiers: Automatically organize resources into public, application, and data tiers
- 🎨 Smart Styling: Color-coded boundaries and security zones with AWS service icons
- 🤖 AI-Enhanced: Uses Cloudflare Workers AI to generate clean, readable diagrams
- Rust 1.70+
- Cloudflare account with Workers AI access
The API server will start on http://0.0.0.0:3000, i.e. bound to all network interfaces of the host.
POST /v1/diagram
Generate a Mermaid architecture diagram from a Terraform state file.
- name (required): Title for the generated diagram
- statefile_path (required): Path to the Terraform state file, as seen by the server process that reads it
- model (optional): Cloudflare Workers AI model to use (defaults to @cf/openai/gpt-oss-120b)
- api_key (optional): Override the default Cloudflare API token
Hayashi automatically categorizes and visualizes a wide range of AWS resources including:
- Networking: VPC, Internet Gateway, NAT Gateway, Load Balancers, Security Groups, NACLs
- Compute: ECS, EKS, EC2, Lambda, Auto Scaling Groups
- Storage: S3, EFS, EBS
- Database: RDS, DynamoDB, ElastiCache, DocumentDB, Neptune
- Security: KMS, IAM, GuardDuty, Security Hub, WAF
- Monitoring: CloudTrail, GuardDuty, Config, CloudWatch, VPC Flow Logs
- State File Parsing: Reads and parses Terraform state files to extract infrastructure resources
- Resource Graph Building: Constructs a directed graph of resources and their relationships
- Trust Zone Classification: Automatically categorizes resources into:
  - Identity & Access Management plane
  - Key Management plane
  - Audit & Monitoring plane
  - Network boundaries (VPCs with tiered subnets)
  - External interfaces
- Subnet Tier Detection: Intelligently classifies subnets as Public, Private-App, Private-DB, or Management
- AI Enhancement: Sends the base diagram structure to Cloudflare Workers AI for human-friendly formatting
- FedRAMP Compliance: Adds NIST 800-53 control annotations, encryption labels, and authorization boundaries
The API returns Mermaid flowchart syntax with:
- FedRAMP Authorization Boundary as the main container
- Trust zone subgraphs (Security Services, VPCs, Network Tiers)
- AWS service icons from icon.icepanel.io and the Cloudflare CDN
- Encryption annotations (🔒 EBS-CMK, 🔒 KMS, etc.)
- NIST control references (SC-7, AU-2, CM-2, etc.)
- Color-coded styling for different security zones
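The pipeline and output format described above, as an added walk-through that is not Hayashi's own Rust code: a dependency-free Python script parses a constructed Terraform state file (format version 4, every id and value made up), builds the resource reference graph, assigns trust-zone planes and subnet tiers, and emits Mermaid with the authorization boundary as the outer container, plane and VPC subgraphs, encryption annotations and NIST control labels. The tier heuristic (public-IP assignment, RDS subnet-group membership, Name tag keywords), the resource-type-to-plane mapping in `PLANES`, and the per-plane control numbers are assumptions for illustration; the page does not document the rules Hayashi itself applies.

```python
import json
from collections import defaultdict

def _res(rtype, name, **attrs):  # one state resource entry (v4 layout) with one instance
    return {"type": rtype, "name": name, "instances": [{"attributes": attrs}]}
def _subnet(name, sid, public, tag):  # shorthand for a constructed subnet in vpc-0a1
    return _res("aws_subnet", name, id=sid, vpc_id="vpc-0a1",
                map_public_ip_on_launch=public, tags={"Name": tag})

SAMPLE_STATE = json.dumps({"version": 4, "resources": [  # constructed; every value is made up
    _res("aws_vpc", "main", id="vpc-0a1", cidr_block="10.0.0.0/16"),
    _res("aws_internet_gateway", "igw", id="igw-1", vpc_id="vpc-0a1"),
    _subnet("pub", "subnet-pub", True, "public-a"),
    _subnet("app", "subnet-app", False, "app-a"),
    _subnet("db", "subnet-db", False, "data-a"),
    _subnet("ops", "subnet-ops", False, "mgmt-bastion-a"),
    _res("aws_db_subnet_group", "rds", id="rds-sng", subnet_ids=["subnet-db"]),
    _res("aws_db_instance", "pg", id="db-1", db_subnet_group_name="rds-sng",
         storage_encrypted=True, kms_key_id="key-1"),
    _res("aws_kms_key", "cmk", id="key-1"),
    _res("aws_iam_role", "task", id="role-task"),
    _res("aws_cloudtrail", "trail", id="trail-1", kms_key_id="key-1"),
]})

PLANES = {  # assumed mapping: resource type -> trust-zone plane and one NIST 800-53 control
    "aws_iam_role": ("Identity & Access Management", "AC-6"),
    "aws_kms_key": ("Key Management", "SC-12"),
    "aws_cloudtrail": ("Audit & Monitoring", "AU-2"),
    "aws_internet_gateway": ("External interfaces", "SC-7"),
}

def parse_state(text):
    """Flatten a format-version-4 state into {type, name, attrs} records, one per managed instance."""
    return [{"type": r["type"], "name": r["name"], "attrs": i["attributes"]}
            for r in json.loads(text)["resources"]
            if r.get("mode", "managed") == "managed" for i in r["instances"]]

def build_graph(resources):
    """Directed edges: a resource points at every other resource id its attributes mention."""
    ids = {r["attrs"]["id"] for r in resources}
    edges = defaultdict(set)
    for r in resources:
        me = r["attrs"]["id"]
        vals = [x for v in r["attrs"].values() for x in (v if isinstance(v, list) else [v])]
        edges[me].update(x for x in vals if isinstance(x, str) and x in ids and x != me)
    return edges

def subnet_tier(subnet, resources):
    """Assumed tier heuristic: public-IP assignment, RDS subnet-group membership, then Name tag."""
    a = subnet["attrs"]
    db_subnets = {sid for r in resources if r["type"] == "aws_db_subnet_group"
                  for sid in r["attrs"].get("subnet_ids", [])}
    name = (a.get("tags") or {}).get("Name", "").lower()
    if a.get("map_public_ip_on_launch"):
        return "Public"
    if a["id"] in db_subnets:
        return "Private-DB"
    if any(k in name for k in ("mgmt", "management", "bastion")):
        return "Management"
    return "Private-App"

def _reach_subnet(rid, by_id, edges, hops=2):  # follow references until a subnet appears
    frontier = {rid}
    for _ in range(hops + 1):
        for cur in frontier:
            if by_id[cur]["type"] == "aws_subnet":
                return by_id[cur]
        frontier = {d for c in frontier for d in edges[c]}
    return None

def _nid(s):  # Mermaid-safe identifier
    return s.replace("-", "_").replace(" ", "_").replace("&", "and")

def _node(r):  # leaf node; annotate encryption when a KMS key is involved
    enc = " 🔒 KMS" if r["attrs"].get("storage_encrypted") or r["attrs"].get("kms_key_id") else ""
    return f'      {_nid(r["attrs"]["id"])}["{r["type"]}: {r["name"]}{enc}"]'

def to_mermaid(title, resources):
    """Flowchart: authorization boundary > planes and VPCs > subnet tiers, then reference edges."""
    by_id = {r["attrs"]["id"]: r for r in resources}
    edges = build_graph(resources)
    out = [f"%% {title}", "flowchart TB", 'subgraph boundary["FedRAMP Authorization Boundary"]']
    planes = defaultdict(list)
    for r in (x for x in resources if x["type"] in PLANES):
        plane, ctl = PLANES[r["type"]]
        planes[plane].append(f'    {_nid(r["attrs"]["id"])}["{r["type"]}<br/>{ctl}"]')
    for plane, nodes in planes.items():
        out += [f'  subgraph {_nid(plane)}["{plane}"]', *nodes, "  end"]
    for vpc in (r for r in resources if r["type"] == "aws_vpc"):
        vid = vpc["attrs"]["id"]
        out.append(f'  subgraph {_nid(vid)}["VPC {vpc["attrs"]["cidr_block"]} (SC-7)"]')
        tiers = defaultdict(list)
        for r in (x for x in resources if x["type"] not in PLANES):
            sub = _reach_subnet(r["attrs"]["id"], by_id, edges)
            if sub is not None and sub["attrs"]["vpc_id"] == vid:
                tiers[subnet_tier(sub, resources)].append(_node(r))
        for tier, nodes in sorted(tiers.items()):
            out += [f'    subgraph {_nid(vid)}_{_nid(tier)}["{tier} tier"]', *nodes, "    end"]
        out.append("  end")
    out.append("end")
    out += [f"{_nid(s)} --> {_nid(d)}" for s in sorted(edges) for d in sorted(edges[s])]
    return "\n".join(out)
```

Calling `print(to_mermaid("hayashi-example", parse_state(SAMPLE_STATE)))` yields a diagram that can be pasted into any Mermaid renderer. The RDS instance lands in the Private-DB tier because the graph walk follows its subnet-group reference to the subnet, not because of its own attributes, which is the kind of indirect placement a resource graph makes possible and a flat per-resource pass would miss.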
Contributions are welcome! Please read our Contributing Guide for details.
This project is licensed under the MIT License - see the LICENSE file for details.
- Built with Rust 🦀
- Diagram rendering powered by Mermaid.js
- Icons from AWS Architecture Icons and IcePanel