ThothCTL Inventory IaC Command¶
Overview¶
The thothctl inventory iac command creates, updates, and manages an inventory of Infrastructure as Code (IaC) components in your project. This inventory tracks modules, their versions, sources, and dependencies, providing valuable insights into your infrastructure composition with modern, professional HTML reports and comprehensive provider version analysis.
Recent Improvements ✨¶
- 🎯 Independent Version Checking: Separate flags for module versions (-cv) and provider versions (-cpv); check what you need
- 🎨 Modern HTML Reports: Professional styling with Inter font, gradients, and responsive design
- 📊 Enhanced Provider Analysis: Comprehensive provider version tracking with status indicators
- 📱 Responsive Design: Reports work perfectly on desktop, tablet, and mobile devices
Command Options¶
Usage: thothctl inventory iac [OPTIONS]
Create a inventory about IaC modules composition for terraform/tofu/terragrunt projects
Options:
-cv, --check-versions Check latest versions for modules
-cpv, --check-provider-versions Check latest versions for providers
--check-providers Check and report provider information for each stack
-ft, --framework-type [auto|terraform|terragrunt|terraform-terragrunt|module|cdkv2]
Framework type to analyze (auto for automatic detection)
-r, --report-type [html|json|cyclonedx|all]
Type of report to generate
-iact, --inventory-action [create|update|restore]
Action for inventory tasks
-iph, --inventory-path PATH Path for saving inventory reports
-pj, --project-name TEXT Custom project name for the report
--provider-tool [tofu|terraform]
Tool to use for checking providers (default: tofu)
--complete Include .terraform and .terragrunt-cache in analysis
-auto, --auto-approve Auto approve updating dependencies
--post-to-pr Post inventory summary as a PR comment
(Azure DevOps or GitHub)
--vcs-provider [auto|azure_repos|github]
VCS provider for PR comments (default:
auto-detect from CI environment)
--space TEXT Space name for credential resolution
(Azure DevOps)
--help Show this message and exit.
Basic Usage¶
Create a Basic Inventory¶
This creates an inventory of all IaC components in the current directory and generates a modern HTML report in the default location (./Reports/Inventory).
Create an Inventory with Version Checking¶
# Check module versions only
thothctl inventory iac -cv
# Check provider versions only
thothctl inventory iac -cpv
# Check both module and provider versions
thothctl inventory iac -cv -cpv
# Provider info without version lookup
thothctl inventory iac --check-providers
Generate Different Report Types¶
# HTML report with modern styling (default)
thothctl inventory iac --report-type html
# JSON report for automation
thothctl inventory iac --report-type json
# CycloneDX SBOM report (OWASP standard)
thothctl inventory iac --report-type cyclonedx
# All report types (HTML, JSON, and CycloneDX)
thothctl inventory iac --report-type all
Specify Custom Output Directory and Project Name¶
thothctl inventory iac \
-cv -cpv \
--inventory-path ./docs/infrastructure \
--project-name "Production Infrastructure"
Modern HTML Reports 🎨¶
The new HTML reports feature:
CycloneDX SBOM Reports 🔒¶
ThothCTL now supports generating CycloneDX Software Bill of Materials (SBOM) reports, following the OWASP CycloneDX standard:
Features:¶
- ✅ OWASP Standard Compliance: Follows CycloneDX 1.4 specification
- ✅ Infrastructure Components: Maps Terraform modules and providers to SBOM components
- ✅ Version Tracking: Includes current and latest version information
- ✅ Security Integration: Compatible with vulnerability scanning tools
- ✅ Supply Chain Visibility: Provides complete infrastructure dependency mapping
Use Cases:¶
- Security Auditing: Track all infrastructure dependencies for security reviews
- Compliance Reporting: Meet regulatory requirements for software inventory
- Vulnerability Management: Integration with security scanning tools
- Supply Chain Security: Monitor infrastructure component sources and versions
Example:¶
# Generate CycloneDX SBOM for security audit
thothctl inventory iac -cv -cpv --report-type cyclonedx
# Complete analysis with all formats including SBOM
thothctl inventory iac -cv -cpv --report-type all
The CycloneDX report includes:
- Infrastructure components as SBOM components
- Version information and update status
- Source URLs and external references
- Custom properties for ThothCTL-specific metadata
Professional Design¶
- Inter Font Family: Modern, readable typography
- Gradient Headers: Professional blue gradient styling
- Responsive Layout: Works on all devices and screen sizes
- Print Optimization: Perfect for PDF generation and documentation
Enhanced Data Visualization¶
- Provider Version Columns: "Latest Version" and "Status" columns for all providers
- Color-Coded Status Badges:
- 🟢 Current: Green badges for up-to-date components
- 🔴 Outdated: Red badges for components needing updates
- 🟡 Unknown: Yellow badges for components with unknown status
- Interactive Tables: Hover effects and improved readability
- Module Information: Comprehensive component and provider details
Report Features¶
- Project Information Header: Clean project overview with metadata
- Summary Statistics: Total components, outdated count, provider statistics
- Detailed Component Tables: Organized by stack with full provider information
- Modern CSS Styling: Professional appearance suitable for business use
Version Checking & Provider Analysis 📊¶
Unified Version Checking¶
The --check-versions flag now provides comprehensive analysis:
What it does:
- ✅ Checks latest versions for all Terraform/Terragrunt modules
- ✅ Automatically enables provider checking
- ✅ Analyzes provider versions against registries
- ✅ Shows version comparison (current vs. latest)
- ✅ Provides status indicators (Current/Outdated/Unknown)
Provider-Only Analysis¶
If you only want provider information without version checking:
Provider Version Information¶
The reports now include comprehensive provider data:
- Provider Name: aws, google, kubernetes, etc.
- Current Version: Version currently in use
- Latest Version: Most recent available version
- Source Registry: Where the provider comes from
- Module Context: Which module uses the provider
- Status: Current, Outdated, or Unknown
Technical Debt Scoring 📊¶
When --check-versions is enabled, ThothCTL calculates a technical debt score that reflects how outdated your infrastructure is.
Weighted Formula¶
The debt score uses a weighted approach that separates module health from provider health:
module_debt = outdated_modules / total_modules (weight: 70%)
provider_debt = outdated_providers / total_providers (weight: 30%)
debt_score = (module_debt × 0.7 + provider_debt × 0.3) × 100 + breaking_changes_penalty
Why weighted? Modules define your architecture and are the primary source of risk. Providers are dependencies that may be intentionally pinned (e.g., a latest module tested against a specific provider version). A single outdated provider should not inflate the score disproportionately.
Breaking Changes Penalty¶
Each module or provider with detected breaking changes adds +5 points to the debt score (capped at 100%).
Risk Levels¶
| Debt Score | Risk Level | Meaning |
|---|---|---|
| ≥ 70% | Critical | Immediate action required |
| ≥ 50% | High | Plan upgrades soon |
| ≥ 30% | Medium | Schedule maintenance |
| < 30% | Low | Infrastructure is well-maintained |
Examples¶
| Scenario | Score | Risk |
|---|---|---|
| 2 modules current, 1/2 providers outdated | 15% | Low |
| 2/4 modules outdated, providers current | 35% | Medium |
| All modules and providers outdated | 100% | Critical |
| Everything current | 0% | Low |
Recommendations¶
The system auto-generates actionable recommendations based on the metrics:
- Update outdated modules/providers
- Review components with breaking changes before upgrading
- Confirmation when infrastructure is well-maintained (score < 20%)
Framework Type Options¶
Auto-detect Framework (Default)¶
Automatically detects the framework type based on project files.
Terraform Framework¶
Analyzes Terraform files (.tf) with version checking.
Terragrunt Framework¶
Analyzes Terragrunt files (terragrunt.hcl) with comprehensive provider analysis.
Mixed Terraform-Terragrunt Framework¶
Analyzes both Terraform and Terragrunt files with full version checking.
Inventory Actions¶
1. Create (Default)¶
Scans IaC files and creates a new inventory with version analysis.
2. Update¶
thothctl inventory iac \
--inventory-action update \
--inventory-path ./path/to/inventory.json \
--auto-approve
Updates IaC files based on the inventory.
3. Restore¶
Restores IaC files to the state recorded in the inventory.
Advanced Usage Examples¶
Comprehensive Infrastructure Audit¶
thothctl inventory iac \
--check-versions \
--report-type all \
--project-name "Production Infrastructure Audit" \
--inventory-path ./docs/audit
This generates:
- Modern HTML report with provider version analysis
- JSON report for automation
- Complete module and provider inventory
- Version status for all components
Terragrunt Project Analysis¶
thothctl inventory iac \
--framework-type terragrunt \
--check-versions \
--project-name "Terragrunt Infrastructure"
CI/CD Integration¶
# In your CI/CD pipeline
thothctl inventory iac \
--check-versions \
--report-type json \
--inventory-path ./reports/$(date +%Y-%m-%d)
# Post inventory summary as a PR comment
thothctl inventory iac --check-versions --post-to-pr
PR Comment Integration¶
The --post-to-pr flag posts an inventory summary table directly to the pull request, including component counts, provider stats, and technical debt metrics.
# GitHub Actions example
- run: thothctl inventory iac --check-versions --post-to-pr
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Azure Pipelines example (uses built-in System.AccessToken, no PAT needed)
- script: thothctl inventory iac --check-versions --post-to-pr
  env:
    AZDO_PERSONAL_ACCESS_TOKEN: $(System.AccessToken)
Platform comment size limits (GitHub: 65K chars, Azure DevOps: 150K chars) are enforced automatically with truncation. See check iac PR comment docs for full platform setup details, including required Azure DevOps build service permissions.
Complete Analysis with All Options¶
thothctl inventory iac \
--check-versions \
--complete \
--report-type all \
--project-name "Complete Infrastructure Analysis" \
--provider-tool tofu \
--inventory-path ./comprehensive-analysis
Report Structure¶
HTML Report Sections¶
- Header: Project name, type, and generation timestamp
- Summary: Statistics about components, providers, and versions
- Stack Details: Organized by stack with:
- Component tables with version information
- Provider tables with version analysis
- Status indicators and latest version information
JSON Report Structure¶
{
"version": 2,
"projectName": "my-project",
"projectType": "terraform-terragrunt",
"components": [
{
"stack": "./stacks/networking",
"components": [
{
"type": "module",
"name": "vpc",
"version": ["5.0.0"],
"source": ["terraform-aws-modules/vpc/aws"],
"latest_version": "5.19.0",
"source_url": "https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws",
"status": "Outdated"
}
],
"providers": [
{
"name": "aws",
"version": "6.0.0",
"source": "registry.opentofu.org/hashicorp/aws",
"module": "Root",
"component": "networking",
"latest_version": "6.2.0",
"status": "outdated"
}
]
}
],
"provider_version_stats": {
"total_providers": 15,
"outdated_providers": 3,
"current_providers": 12,
"unknown_providers": 0
}
}
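The weighted formula from Technical Debt Scoring applied to the JSON report structure above, as a gate for a CI job. This is an added example, not ThothCTL's own code: the function names, the fail_at threshold, the handling of empty totals, and passing the breaking-changes count as a parameter (the sample report shows no field for it) are assumptions.

```python
import json

# Weights, penalty and thresholds as stated in the Technical Debt Scoring section.
MODULE_WEIGHT, PROVIDER_WEIGHT, BREAKING_PENALTY = 0.7, 0.3, 5
RISK_LEVELS = [(70, "Critical"), (50, "High"), (30, "Medium"), (0, "Low")]


def debt_score(outdated_modules, total_modules, outdated_providers,
               total_providers, breaking_changes=0):
    """Weighted debt score in percent, capped at 100."""
    # Assumption: an empty category contributes no debt (avoids dividing by zero).
    module_debt = outdated_modules / total_modules if total_modules else 0.0
    provider_debt = outdated_providers / total_providers if total_providers else 0.0
    score = (module_debt * MODULE_WEIGHT + provider_debt * PROVIDER_WEIGHT) * 100
    return min(100.0, round(score + BREAKING_PENALTY * breaking_changes, 2))


def risk_level(score):
    """Map a score to the first risk level whose floor it reaches."""
    return next(name for floor, name in RISK_LEVELS if score >= floor)


def assess_report(report, breaking_changes=0, fail_at="High"):
    """Score a parsed JSON inventory report and decide whether to fail the build."""
    modules = [c for stack in report.get("components", [])
               for c in stack.get("components", []) if c.get("type") == "module"]
    # The sample report writes "Outdated" for modules and "outdated" for
    # providers, so compare case-insensitively.
    outdated = [m["name"] for m in modules
                if str(m.get("status", "")).lower() == "outdated"]
    stats = report.get("provider_version_stats", {})
    score = debt_score(len(outdated), len(modules),
                       stats.get("outdated_providers", 0),
                       stats.get("total_providers", 0), breaking_changes)
    level = risk_level(score)
    order = [name for _, name in reversed(RISK_LEVELS)]  # Low .. Critical
    return {"score": score, "risk": level, "outdated_modules": outdated,
            "fail": order.index(level) >= order.index(fail_at)}


# Constructed sample, trimmed from the report structure shown above.
SAMPLE = json.loads("""{"components": [{"stack": "./stacks/networking",
  "components": [{"type": "module", "name": "vpc", "status": "Outdated"}]}],
  "provider_version_stats": {"total_providers": 15, "outdated_providers": 3}}""")

if __name__ == "__main__":
    print(assess_report(SAMPLE))
```

In a pipeline, load the generated report with json.load and exit non-zero when the returned "fail" value is true.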
Use Cases¶
1. Infrastructure Auditing¶
Benefits:
- Identify outdated modules and providers
- Generate professional reports for stakeholders
- Track infrastructure composition over time
2. Version Management¶
# Create inventory with version analysis
thothctl inventory iac --check-versions --report-type json
# Review the generated report for outdated components
# Update modules based on findings
3. Documentation Generation¶
thothctl inventory iac \
--check-versions \
--project-name "Production Infrastructure Documentation" \
--report-type html
Generates professional documentation with:
- Modern styling suitable for business presentations
- Comprehensive component and provider information
- Version status and recommendations
4. Compliance and Security¶
Helps with:
- Security audits by identifying outdated providers
- Compliance reporting with comprehensive documentation
- Risk assessment through version analysis
5. CI/CD Integration¶
# In your pipeline
thothctl inventory iac \
--check-versions \
--report-type json \
--inventory-path ./reports/$(date +%Y-%m-%d)
# Parse JSON output for automated decision making
Best Practices¶
1. Regular Version Checking¶
2. Comprehensive Analysis¶
# For thorough audits, use all features
thothctl inventory iac \
--check-versions \
--complete \
--report-type all \
--project-name "Monthly Infrastructure Audit"
3. Documentation Standards¶
# Generate consistent documentation
thothctl inventory iac \
--check-versions \
--project-name "$(basename $(pwd)) Infrastructure" \
--inventory-path ./docs/infrastructure
4. Provider Tool Selection¶
# Use OpenTofu for modern Terraform workflows
thothctl inventory iac --check-versions --provider-tool tofu
# Use Terraform for legacy workflows
thothctl inventory iac --check-versions --provider-tool terraform
5. Report Organization¶
# Organize reports by date and environment
thothctl inventory iac \
--check-versions \
--inventory-path ./reports/$(date +%Y-%m)/production \
--project-name "Production Infrastructure - $(date +%B\ %Y)"
Troubleshooting¶
Common Issues¶
CSS Styling Issues (Fixed)¶
The recent updates have resolved all CSS variable issues that previously caused HTML report generation failures.
Version Checking Failures¶
Solution: Ensure internet connectivity and module source accessibility.
Provider Analysis Failures¶
Solution:
- Ensure the provider tool (tofu/terraform) is installed
- Run tofu init or terraform init in problematic directories
- Check that all modules are properly initialized
Report Generation Issues¶
Solution: Ensure write permissions to the output directory.
Debugging¶
For detailed logs:
Migration from Old Flags¶
Before (Deprecated)¶
# Old redundant flags
thothctl inventory iac --check-providers --check-provider-versions --check-versions
After (Recommended)¶
Benefits of the new approach:
- ✅ Single flag for all version checking
- ✅ Automatic provider checking when needed
- ✅ Simplified user experience
- ✅ Reduced confusion
- ✅ Maintained functionality
Related Commands¶
- thothctl check iac: Check IaC components against best practices
- thothctl scan: Scan infrastructure code for security issues
- thothctl project: Project management commands
Summary¶
The thothctl inventory iac command now provides:
- 🎯 Unified version checking with a single --check-versions flag
- 🎨 Modern HTML reports with professional styling and responsive design
- 📊 Comprehensive provider analysis with version tracking and status indicators
- 🚀 Intelligent automation that enables provider checking when needed
- 📱 Multi-device compatibility with responsive design for all screen sizes
- 🔧 Enhanced user experience with simplified flags and better documentation
Use thothctl inventory iac --check-versions for the best experience with comprehensive analysis and modern reporting.