Examples

Real tfplan2md output from actual Terraform plans. See what your reports will look like.

Report Templates

tfplan2md includes built-in templates for different use cases. Choose the right level of detail for your workflow.

🔒 Security Analysis Integration

NEW in v1.6.0

Combine Terraform plan changes with security findings from Checkov, TfLint, and Trivy in a single unified report. Security issues are automatically mapped to specific resources and attributes.

Best For:

Security-conscious teams requiring audit trails
Compliance workflows requiring both infrastructure and security validation
Teams using multiple security tools (Checkov, TfLint, Trivy)
PR reviews where security findings need visibility alongside changes

Security Analysis Integration Output

Terraform Plan Report

Generated by tfplan2md 1.6.0 on 2026-01-31 08:43:31 UTC | Terraform 1.14.0

Summary

Action	Count	Resource Types
➕ Add	15	1 azurerm_api_management_api_operation 1 azurerm_api_management_named_value 1 azurerm_firewall_network_rule_collection 1 azurerm_key_vault 1 azurerm_key_vault_secret 2 azurerm_log_analytics_workspace 1 azurerm_resource_group 2 azurerm_role_assignment 1 azurerm_storage_account 1 azurerm_subnet 1 azurerm_subscription 2 azurerm_virtual_network
🔄 Change	6	1 azurerm_firewall_network_rule_collection 1 azurerm_key_vault 1 azurerm_key_vault_secret 2 azurerm_storage_account 1 azurerm_virtual_network
Total	26

Code Analysis Summary

Status: ⚠️ 2 high findings require attention

Severity	Count	Resource Types
🚨 Critical	0
⚠️ High	2	1 azurerm_key_vault 1 azurerm_storage_account
⚠️ Medium	4	1 azurerm_key_vault 1 azurerm_storage_account
ℹ️ Low	1	1 azurerm_virtual_network

Tools Used: Checkov 3.2.490, tflint 0.60.0, Trivy 0.50.0

Resource Changes

📦 Module: root

➕ azurerm_storage_account logs — 🆔 sttfplan2mdlogs in 📁 rg-tfplan2md-demo 🌍 eastus

🔒 Security & Quality: ⚠️ 1 High, ⚠️ 1 Medium

Severity	Rule	Tool	Message	Attribute
⚠️ High	`CKV_AZURE_33`	Checkov	Ensure Storage logging is enabled for Queue service	`queue_properties`
⚠️ Medium	`CKV2_AZURE_38`	Checkov	Ensure soft-delete is enabled on Azure storage account	`blob_properties`

Attribute	Value
account_replication_type	`LRS`
account_tier	`Standard`
name	`🆔 sttfplan2mdlogs`

# Terraform Plan Report

Generated by tfplan2md 1.6.0 on 2026-01-31 08:43:31 UTC | Terraform 1.14.0

## Summary

| Action | Count | Resource Types |
| ------ | ----- | -------------- |
| ➕ Add | 15 | 1 azurerm_api_management_api_operation<br>... |
| 🔄 Change | 6 | 1 azurerm_firewall_network_rule_collection<br>... |
| **Total** | **26** | |

## Code Analysis Summary

**Status:** ⚠️ 2 high findings require attention

| Severity | Count | Resource Types |
| -------- | ----- | -------------- |
| 🚨 Critical | 0 |  |
| ⚠️ High | 2 | 1 azurerm_key_vault<br>1 azurerm_storage_account |
| ⚠️ Medium | 4 | 1 azurerm_key_vault<br>1 azurerm_storage_account |
| ℹ️ Low | 1 | 1 azurerm_virtual_network |

**Tools Used:** Checkov 3.2.490, tflint 0.60.0, Trivy 0.50.0

## Resource Changes

### 📦 Module: root

<details open style="margin-bottom:12px; border:1px solid rgb(var(--palette-neutral-10, 153, 153, 153)); padding:12px;">
<summary>➕ azurerm_storage_account <b><code>logs</code></b> — <code>🆔 sttfplan2mdlogs</code> in <code>📁 rg-tfplan2md-demo</code> <code>🌍 eastus</code></summary>
<br>

🔒 **Security & Quality:** ⚠️ 1 High, ⚠️ 1 Medium

| Severity | Rule | Tool | Message | Attribute |
| -------- | ---- | ---- | ------- | --------- |
| ⚠️ High | `CKV_AZURE_33` | Checkov | Ensure Storage logging is enabled for Queue service | `queue_properties` |
| ⚠️ Medium | `CKV2_AZURE_38` | Checkov | Ensure soft-delete is enabled on Azure storage account | `blob_properties` |

</details>

Learn More About Security Integration

Summary Template

--template summary

Compact overview showing only action counts and resource type breakdown. Perfect for notifications where the full report isn't needed.

Best For:

Drift detection notifications (Teams, Slack)
Scheduled pipeline summaries
Quick overviews before viewing full report

Summary Template Output

Terraform Plan Summary

Terraform Version: 1.14.0

Generated: 2025-12-20T14:30:00Z

Summary

Action	Count	Resource Types
➕ Add	12	1 azurerm_firewall_network_rule_collection 1 azurerm_key_vault 1 azurerm_key_vault_secret 2 azurerm_log_analytics_workspace 1 azurerm_resource_group 2 azurerm_role_assignment 1 azurerm_storage_account 1 azurerm_subnet 2 azurerm_virtual_network
🔄 Change	6	1 azurerm_firewall_network_rule_collection 1 azurerm_key_vault 1 azurerm_key_vault_secret 2 azurerm_storage_account 1 azurerm_virtual_network
♻️ Replace	2	1 azurerm_network_security_group 1 azurerm_subnet
❌ Destroy	3	1 azurerm_role_assignment 1 azurerm_storage_account 1 azurerm_virtual_network
Total	23

# Terraform Plan Summary

**Terraform Version:** 1.14.0

**Generated:** 2025-12-20T14:30:00Z

## Summary

| Action | Count | Resource Types |
|--------|-------|----------------|
| ➕ Add | 12 | 1 azurerm_firewall_network_rule_collection<br/>1 azurerm_key_vault<br/>1 azurerm_key_vault_secret<br/>2 azurerm_log_analytics_workspace<br/>1 azurerm_resource_group<br/>2 azurerm_role_assignment<br/>1 azurerm_storage_account<br/>1 azurerm_subnet<br/>2 azurerm_virtual_network |
| 🔄 Change | 6 | 1 azurerm_firewall_network_rule_collection<br/>1 azurerm_key_vault<br/>1 azurerm_key_vault_secret<br/>2 azurerm_storage_account<br/>1 azurerm_virtual_network |
| ♻️ Replace | 2 | 1 azurerm_network_security_group<br/>1 azurerm_subnet |
| ❌ Destroy | 3 | 1 azurerm_role_assignment<br/>1 azurerm_storage_account<br/>1 azurerm_virtual_network |
| **Total** | **23** | |

Default Template

default

Full report with summary, resource changes, and attribute details. Shows exactly what will change.

Best For:

Standard PR reviews
Security audits
Change verification

Default Template Output (excerpt)

Terraform Plan Report

Terraform Version: 1.14.0

Summary

Action	Count	Resource Types
➕ Add	12	...
🔄 Change	6	...
Total	23

Resource Changes

📦 Module: root

➕ azurerm_resource_group core — 🆔 rg-tfplan2md-demo 🌍 eastus

Attribute	Value
location	`🌍 eastus`
name	`🆔 rg-tfplan2md-demo`

🏷️ Tags: environment: demo owner: tfplan2md

🔄 azurerm_storage_account data — 🆔 sttfplan2mddata in 📁 rg-tfplan2md-demo 🌍 eastus | 2🔧 account_replication_type, tags.cost_center

Attribute	Before	After
account_replication_type	`LRS`	`GRS`
tags.cost_center	-	`1234`

# Terraform Plan Report

**Terraform Version:** 1.14.0

## Summary

| Action | Count | Resource Types |
|--------|-------|----------------|
| ➕ Add | 12 | ... |
| 🔄 Change | 6 | ... |
| **Total** | **23** | |

## Resource Changes

### 📦 Module: root

<details style="margin-bottom:12px; border:1px solid rgb(var(--palette-neutral-10, 153, 153, 153)); padding:12px">
<summary>➕ azurerm_resource_group <b><code>core</code></b> — <code>🆔 rg-tfplan2md-demo</code> <code>🌍 eastus</code></summary>
<br/>

| Attribute | Value |
|-----------|-------|
| location | `🌍 eastus` |
| name | `🆔 rg-tfplan2md-demo` |

**🏷️ Tags:** `environment: demo` `owner: tfplan2md`

</details>

<details style="margin-bottom:12px; border:1px solid rgb(var(--palette-neutral-10, 153, 153, 153)); padding:12px">
<summary>🔄 azurerm_storage_account <b><code>data</code></b> — <code>🆔 sttfplan2mddata</code> in <code>📁 rg-tfplan2md-demo</code> <code>🌍 eastus</code> | 2🔧 account_replication_type, tags.cost_center</summary>
<br/>

| Attribute | Before | After |
|-----------|--------|-------|
| account_replication_type | `LRS` | `GRS` |
| tags.cost_center | - | `1234` |

</details>

Feature Examples

See how tfplan2md transforms complex Terraform changes into readable reports.

Firewall Rule Semantic Diffing

Learn more →

Array index changes are replaced with a semantic diff showing which rules were added, modified, or removed.

Firewall Network Rule Collection Update

🔄 azurerm_firewall_network_rule_collection network_rules — 🆔 demo-network-rules in 📁 rg-firewall-demo | 9🔧 priority, rule[0].destination_addresses[0], rule[0].destination_ports[0], +6 more

🔄 azurerm_firewall_network_rule_collection.network_rules

Collection: demo-network-rules | Priority: 150 | Action: ✅ Allow

Rule Changes

Change	Rule Name	Protocols	Source Addresses	Destination Addresses	Destination Ports
➕	`allow-dns`	`🔗 TCP`, `📨 UDP`	`🌐 10.1.0.0/24`	`🌐 168.63.129.16`	`🔌 53`
🔄	`allow-http`	🔗 TCP	`- 🌐 10.1.0.0/24 + 🌐 10.0.0.0/8`	`- 🌐 0.0.0.0/0 + ✳️`	🔌 80
❌	`allow-ssh-old`	`🔗 TCP`	`🌐 10.0.0.0/16`	`🌐 10.1.0.0/24`	`🔌 22`
⏺️	`allow-https`	`🔗 TCP`	`🌐 10.1.0.0/24`	`🌐 0.0.0.0/0`	`🔌 443`

<details open style="margin-bottom:12px; border:1px solid rgb(var(--palette-neutral-10, 153, 153, 153)); padding:12px;">
<summary>🔄 azurerm_firewall_network_rule_collection <b><code>network_rules</code></b> — <code>🆔 demo-network-rules</code> in <code>📁 rg-firewall-demo</code> | 9🔧 priority, rule[0].destination_addresses[0], rule[0].destination_ports[0], +6 more</summary>
<br>

### 🔄 azurerm_firewall_network_rule_collection.network_rules

**Collection:** `demo-network-rules` | **Priority:** `150` | **Action:** `✅ Allow`

#### Rule Changes

| Change | Rule Name | Protocols | Source Addresses | Destination Addresses | Destination Ports | Description |
| -------- | ----------- | ----------- | ------------------ | ---------------------- | ------------------- | ------------- |
| ➕ | `allow-dns` | `🔗 TCP`, `📨 UDP` | `🌐 10.1.0.0/24` | `🌐 168.63.129.16` | `🔌 53` | `` |
| 🔄 | `allow-http` | 🔗 TCP | <code style="display:block; white-space:normal; padding:0; margin:0;"><span style="background-color: #fff5f5; border-left: 3px solid #d73a49; color: #24292e; display: inline-block; padding-left: 8px; margin-left: 0;">- 🌐 10.<span style="background-color: #ffc0c0; color: #24292e;">1</span>.0.0/<span style="background-color: #ffc0c0; color: #24292e;">24</span></span><br><span style="background-color: #f0fff4; border-left: 3px solid #28a745; color: #24292e; display: inline-block; padding-left: 8px; margin-left: 0;">+ 🌐 10.<span style="background-color: #acf2bd; color: #24292e;">0</span>.0.0/<span style="background-color: #acf2bd; color: #24292e;">8</span></span></code> | <code style="display:block; white-space:normal; padding:0; margin:0;"><span style="background-color: #fff5f5; border-left: 3px solid #d73a49; color: #24292e; display: inline-block; padding-left: 8px; margin-left: 0;">- <span style="background-color: #ffc0c0; color: #24292e;">🌐 0.0.0.0/0</span></span><br><span style="background-color: #f0fff4; border-left: 3px solid #28a745; color: #24292e; display: inline-block; padding-left: 8px; margin-left: 0;">+ <span style="background-color: #acf2bd; color: #24292e;">✳️</span></span></code> | 🔌 80 |  |
| ❌ | `allow-ssh-old` | `🔗 TCP` | `🌐 10.0.0.0/16` | `🌐 10.1.0.0/24` | `🔌 22` | `` |
| ⏺️ | `allow-https` | `🔗 TCP` | `🌐 10.1.0.0/24` | `🌐 0.0.0.0/0` | `🔌 443` | `` |

</details>

Firewall Application Rule Collections

Learn more →

Application rules render as readable FQDN-focused tables with semantic diffs for added, changed, removed, and unchanged entries.

Firewall Application Rule Collections

🔄 azurerm_firewall_application_rule_collection app_rules_update — 🆔 web-rules in 📁 rg-firewall-demo | 3 🔧 ➕ 🆔 allow-github, 🔄 🆔 allow-microsoft, ❌ 🆔 allow-old-site

Collection: web-rules | Priority: 200 | Action: ✅ Allow

Rule Changes

Change	Rule Name	Protocols	Source Addresses	Target FQDNs	Description
➕	`🆔 allow-github`	`Https:443`	`10.0.1.0/24`	`github.com, *.github.io`	`GitHub access`
🔄	`🆔 allow-microsoft`	`Http:80, Https:443`	`10.0.0.0/24 -> 10.0.0.0/16`	`*.microsoft.com`	`Microsoft services`
❌	`🆔 allow-old-site`	`Https:443`	`10.0.2.0/24`	`old-site.example.com`	`Legacy site (removed)`

<summary>🔄 azurerm_firewall_application_rule_collection <b><code>app_rules_update</code></b> — <code>🆔 web-rules</code> in <code>📁 rg-firewall-demo</code> | 3 🔧 ➕ <code>🆔 allow-github</code>, 🔄 <code>🆔 allow-microsoft</code>, ❌ <code>🆔 allow-old-site</code></summary>

**Collection:** `web-rules` | **Priority:** `200` | **Action:** `✅ Allow`

#### Rule Changes

| Change | Rule Name | Protocols | Source Addresses | Target FQDNs | Description |
| ------ | --------- | --------- | ---------------- | ------------ | ----------- |
| ➕ | `🆔 allow-github` | `Https:443` | `10.0.1.0/24` | `github.com, *.github.io` | `GitHub access` |
| 🔄 | `🆔 allow-microsoft` | `Http:80, Https:443` | `10.0.0.0/24 -> 10.0.0.0/16` | `*.microsoft.com` | `Microsoft services` |
| ❌ | `🆔 allow-old-site` | `Https:443` | `10.0.2.0/24` | `old-site.example.com` | `Legacy site (removed)` |

Module Grouping

Learn more →

Resources are automatically organized by Terraform module for better readability in multi-module configurations.

Multi-Module Report Structure

Resource Changes

📦 Module: root

➕ azurerm_resource_group core — 🆔 rg-tfplan2md-demo 🌍 eastus

Attribute	Value
location	`🌍 eastus`
name	`🆔 rg-tfplan2md-demo`

🏷️ Tags: environment: demo owner: tfplan2md

➕ azurerm_storage_account logs — 🆔 sttfplan2mdlogs in 📁 rg-tfplan2md-demo 🌍 eastus

Attribute	Value
account_replication_type	`LRS`
account_tier	`Standard`
allow_blob_public_access	`❌ false`
location	`🌍 eastus`
min_tls_version	`TLS1_2`
name	`🆔 sttfplan2mdlogs`
resource_group_name	`📁 rg-tfplan2md-demo`

🏷️ Tags: cost_center: ops environment: demo

📦 Module: `module.network`

➕ azurerm_virtual_network hub — 🆔 vnet-hub in 📁 rg-tfplan2md-demo 🌍 eastus 🌐 10.0.0.0/16

Attribute	Value
address_space[0]	`🌐 10.0.0.0/16`
location	`🌍 eastus`
name	`🆔 vnet-hub`
resource_group_name	`📁 rg-tfplan2md-demo`

🏷️ Tags: environment: demo

📦 Module: `module.security`

➕ azurerm_role_assignment rg_reader — 👤 Jane Doe (User) → 🛡️ Reader on rg-tfplan2md-demo

Attribute	Value
scope	`📁 rg-tfplan2md-demo` in subscription `12345678-1234-1234-1234-123456789012`
role_definition_id	`🛡️ Reader` (`acdd72a7-3385-48ef-bd42-f606fba81ae7`)
principal_id	`👤 Jane Doe (User)` [`00000000-0000-0000-0000-000000000001`]
principal_type	`👤 User`
role_definition_name	`🛡️ Reader`

📦 Module: `module.network.module.monitoring`

➕ azurerm_log_analytics_workspace network — 🆔 law-network-monitoring in 📁 rg-tfplan2md-demo 🌍 eastus

Attribute	Value
location	`🌍 eastus`
name	`🆔 law-network-monitoring`
resource_group_name	`📁 rg-tfplan2md-demo`
retention_in_days	`30`
sku	`PerGB2018`

🏷️ Tags: environment: demo module: monitoring

## Resource Changes

### 📦 Module: root

<details style="margin-bottom:12px; border:1px solid rgb(var(--palette-neutral-10, 153, 153, 153)); padding:12px;">
<summary>➕ azurerm_resource_group <b><code>core</code></b> — <code>🆔 rg-tfplan2md-demo</code> <code>🌍 eastus</code></summary>
<br>

| Attribute | Value |
| ----------- | ------- |
| location | `🌍 eastus` |
| name | `🆔 rg-tfplan2md-demo` |

**🏷️ Tags:** `environment: demo` `owner: tfplan2md`

</details>

<details style="margin-bottom:12px; border:1px solid rgb(var(--palette-neutral-10, 153, 153, 153)); padding:12px;">
<summary>➕ azurerm_storage_account <b><code>logs</code></b> — <code>🆔 sttfplan2mdlogs</code> in <code>📁 rg-tfplan2md-demo</code> <code>🌍 eastus</code></summary>
<br>

| Attribute | Value |
| ----------- | ------- |
| account_replication_type | `LRS` |
| account_tier | `Standard` |
| allow_blob_public_access | `❌ false` |
| location | `🌍 eastus` |
| min_tls_version | `TLS1_2` |
| name | `🆔 sttfplan2mdlogs` |
| resource_group_name | `📁 rg-tfplan2md-demo` |

**🏷️ Tags:** `cost_center: ops` `environment: demo`

</details>

---

### 📦 Module: `module.network`

<details style="margin-bottom:12px; border:1px solid rgb(var(--palette-neutral-10, 153, 153, 153)); padding:12px;">
<summary>➕ azurerm_virtual_network <b><code>hub</code></b> — <code>🆔 vnet-hub</code> in <code>📁 rg-tfplan2md-demo</code> <code>🌍 eastus</code> <code>🌐 10.0.0.0/16</code></summary>
<br>

| Attribute | Value |
| ----------- | ------- |
| address_space[0] | `🌐 10.0.0.0/16` |
| location | `🌍 eastus` |
| name | `🆔 vnet-hub` |
| resource_group_name | `📁 rg-tfplan2md-demo` |

**🏷️ Tags:** `environment: demo`

</details>

---

### 📦 Module: `module.security`

<details style="margin-bottom:12px; border:1px solid rgb(var(--palette-neutral-10, 153, 153, 153)); padding:12px;">
<summary>➕ azurerm_role_assignment <b><code>rg_reader</code></b> — <code>👤 Jane Doe (User)</code> → <code>🛡️ Reader</code> on <code>rg-tfplan2md-demo</code></summary>
<br>

| Attribute | Value |
| ----------- | ------- |
| scope | `📁 rg-tfplan2md-demo` in subscription `12345678-1234-1234-1234-123456789012` |
| role_definition_id | `🛡️ Reader` (`acdd72a7-3385-48ef-bd42-f606fba81ae7`) |
| principal_id | `👤 Jane Doe (User)` [`00000000-0000-0000-0000-000000000001`] |
| principal_type | `👤 User` |
| role_definition_name | `🛡️ Reader` |

</details>

---

### 📦 Module: `module.network.module.monitoring`

<details style="margin-bottom:12px; border:1px solid rgb(var(--palette-neutral-10, 153, 153, 153)); padding:12px;">
<summary>➕ azurerm_log_analytics_workspace <b><code>network</code></b> — <code>🆔 law-network-monitoring</code> in <code>📁 rg-tfplan2md-demo</code> <code>🌍 eastus</code></summary>
<br>

| Attribute | Value |
| ----------- | ------- |
| location | `🌍 eastus` |
| name | `🆔 law-network-monitoring` |
| resource_group_name | `📁 rg-tfplan2md-demo` |
| retention_in_days | `30` |
| sku | `PerGB2018` |

**🏷️ Tags:** `environment: demo` `module: monitoring`

</details>

Parent-Child Resource Grouping

Learn more →

Groups, virtual networks, and other parent resources keep their related child changes inline instead of scattering them across the report.

Parent-Child Resource Grouping

➕ azuread_group platform_engineers — 👥 Platform Engineers (🆔 platform-engineers) | 3 👤 1 👥 1 💻 | ➕ 5 members

Attribute	Value
display_name	`Platform Engineers`
mail_nickname	`platform-engineers`

Members

Change	Member	Terraform Resource
➕	`user-100`	`members attribute`
➕	`group-200`	`members attribute`
➕	`spn-300`	`members attribute`

➕ azurerm_virtual_network spoke — 🆔 vnet-spoke in 📁 rg-tfplan2md-demo 🌍 eastus 🌐 10.1.0.0/16 | ➕ 1 subnets | ♻️ 1 subnets

Subnets

Change	Name	Address Prefixes	NSG	Delegation	Terraform Resource
➕	`🆔 snet-app`	`🌐 10.1.1.0/24`	-	-	`module.network.azurerm_subnet.app`
♻️	`🆔 snet-db`	`🌐 10.1.20.0/24`	-	-	`module.network.azurerm_subnet.db`

<summary>➕ azuread_group <b><code>platform_engineers</code></b> — <code>👥 Platform Engineers</code> (<code>🆔 platform-engineers</code>) | <code>3 👤 1 👥 1 💻</code> | ➕ 5 members</summary>

#### Members

| Change | Member | Terraform Resource |
| ------ | ------ | ------------------ |
| ➕ | `user-100` | `members attribute` |
| ➕ | `group-200` | `members attribute` |
| ➕ | `spn-300` | `members attribute` |

<summary>➕ azurerm_virtual_network <b><code>spoke</code></b> — <code>🆔 vnet-spoke</code> in <code>📁 rg-tfplan2md-demo</code> <code>🌍 eastus</code> <code>🌐 10.1.0.0/16</code> | ➕ 1 subnets | ♻️ 1 subnets</summary>

#### Subnets

| Change | Name | Address Prefixes | NSG | Delegation | Terraform Resource |
| ------ | ---- | ---------------- | --- | ---------- | ------------------ |
| ➕ | `🆔 snet-app` | `🌐 10.1.1.0/24` | - | - | `module.network.azurerm_subnet.app` |
| ♻️ | `🆔 snet-db` | `🌐 10.1.20.0/24` | - | - | `module.network.azurerm_subnet.db` |

Azure Role Assignment Display

Learn more →

Role assignments show human-readable names with principal mapping instead of cryptic GUIDs.

Role Assignment Creation

➕ azurerm_role_assignment rg_reader — 👤 Jane Doe (User) → 🛡️ Reader on rg-tfplan2md-demo

Attribute	Value
scope	`📁 rg-tfplan2md-demo` in subscription `12345678-1234-1234-1234-123456789012`
role_definition_id	`🛡️ Reader` (`acdd72a7-3385-48ef-bd42-f606fba81ae7`)
principal_id	`👤 Jane Doe (User)` [`00000000-0000-0000-0000-000000000001`]
principal_type	`👤 User`
role_definition_name	`🛡️ Reader`

<details style="margin-bottom:12px; border:1px solid rgb(var(--palette-neutral-10, 153, 153, 153)); padding:12px;">
<summary>➕ azurerm_role_assignment <b><code>rg_reader</code></b> — <code>👤 Jane Doe (User)</code> → <code>🛡️ Reader</code> on <code>rg-tfplan2md-demo</code></summary>
<br>

| Attribute | Value |
| ----------- | ------- |
| scope | `📁 rg-tfplan2md-demo` in subscription `12345678-1234-1234-1234-123456789012` |
| role_definition_id | `🛡️ Reader` (`acdd72a7-3385-48ef-bd42-f606fba81ae7`) |
| principal_id | `👤 Jane Doe (User)` [`00000000-0000-0000-0000-000000000001`] |
| principal_type | `👤 User` |
| role_definition_name | `🛡️ Reader` |

</details>

Principal Mapping File

{
  "users": {
    "12345678-1234-1234-1234-123456789012": "jane.doe@contoso.com",
    "87654321-4321-4321-4321-210987654321": "john.smith@contoso.com"
  },
  "groups": {
    "abcdef12-3456-7890-abcd-ef1234567890": "Platform Team"
  },
  "servicePrincipals": {
    "fedcba98-7654-3210-fedc-ba9876543210": "terraform-spn"
  }
}

Azure DevOps Build Definitions

Learn more →

Build definitions render repository configuration, variables, triggers, and outputs as structured tables that stay reviewable even when Terraform marks nested blocks as sensitive.

Azure DevOps Build Definition Tables

➕ azuredevops_build_definition example2 — 🆔 example-pipeline

Pipeline Name: example-pipeline

Path: \Pipelines

Agent Pool: Azure Pipelines

Variables

Name	Value	Is Secret	Allow Override
`🆔 BUILD_CONFIGURATION`	`Release`	`❌ false`	`✅ true`
`🆔 BUILD_PLATFORM`	`Any CPU`	`❌ false`	`✅ true`

Repository

Type	Repo ID	Branch	YAML Path	Report Build Status
`TfsGit`	`🗃️ Infrastructure-Platform (80128bc2-17ff-45f8-ad59-d7609a605c75)`	`⎇ refs/heads/master`	`azure-pipelines.yml`	`✅ true`

<details style="margin-bottom:12px; border:1px solid rgb(var(--palette-neutral-10, 153, 153, 153)); padding:12px;">
<summary>➕ azuredevops_build_definition <b><code>example2</code></b> — <code>🆔 example-pipeline</code></summary>
<br>

**Pipeline Name:** <code>example-pipeline</code>

**Path:** <code>\Pipelines</code>

#### Variables

| Name | Value | Is Secret | Allow Override |
| ---- | ----- | --------- | -------------- |
| `🆔 BUILD_CONFIGURATION` | `Release` | `❌ false` | `✅ true` |
| `🆔 BUILD_PLATFORM` | `Any CPU` | `❌ false` | `✅ true` |

#### Repository

| Type | Repo ID | Branch | YAML Path | Report Build Status |
| ---- | ------- | ------ | --------- | ------------------- |
| `TfsGit` | `🗃️ Infrastructure-Platform (80128bc2-17ff-45f8-ad59-d7609a605c75)` | `⎇ refs/heads/master` | `azure-pipelines.yml` | `✅ true` |
</details>

Terraform Outputs

Learn more →

Output changes render in a dedicated table so reviewers can see IDs, URLs, and computed values alongside the resource changes that produce them.

Terraform Outputs Table

📤 Outputs

Change	Name	Description	Sensitive	Value
🔄	`pipeline_id`	The ID of the created build pipeline	No	(known after apply)
	`project_name`	The name of the created Azure DevOps project	No	`🆔 example-project`
	`repository_url`	The HTTPS URL of the created Git repository	No	`https://oocx@dev.azure.com/oocx/example-project/_git/example-repo`
	`variable_group_id`	The ID of the created variable group	No	`1`

## 📤 Outputs

| Change | Name | Description | Sensitive | Value |
| ------ | ---- | ----------- | --------- | ----- |
| 🔄 | `pipeline_id` | The ID of the created build pipeline | No | (known after apply) |
|   | `project_name` | The name of the created Azure DevOps project | No | `🆔 example-project` |
|   | `repository_url` | The HTTPS URL of the created Git repository | No | `https://oocx@dev.azure.com/oocx/example-project/_git/example-repo` |
|   | `variable_group_id` | The ID of the created variable group | No | `1` |

Sensitive Value Masking

Learn more →

Sensitive values are automatically masked by default to prevent accidental exposure in PRs.

Default (Masked)

➕ azurerm_key_vault_secret db_password — 🆔 db-password

Attribute	Value
content_type	`password`
key_vault_id	Key Vault `kv-tfplan2md` in resource group `rg-tfplan2md-demo` of subscription `12345678-1234-1234-1234-123456789012`
name	`🆔 db-password`
value	`(sensitive)`

<details style="margin-bottom:12px; border:1px solid rgb(var(--palette-neutral-10, 153, 153, 153)); padding:12px;">
<summary>➕ azurerm_key_vault_secret <b><code>db_password</code></b> — <code>🆔 db-password</code></summary>
<br>

| Attribute | Value |
| ----------- | ------- |
| content_type | `password` |
| key_vault_id | Key Vault `kv-tfplan2md` in resource group `rg-tfplan2md-demo` of subscription `12345678-1234-1234-1234-123456789012` |
| name | `🆔 db-password` |
| value | `(sensitive)` |

</details>

With --show-sensitive

➕ azurerm_key_vault_secret db_password — 🆔 db-password

Attribute	Value
content_type	`password`
key_vault_id	Key Vault `kv-tfplan2md` in resource group `rg-tfplan2md-demo` of subscription `12345678-1234-1234-1234-123456789012`
name	`🆔 db-password`
value	`super-secret-value`

<details style="margin-bottom:12px; border:1px solid rgb(var(--palette-neutral-10, 153, 153, 153)); padding:12px;">
<summary>➕ azurerm_key_vault_secret <b><code>db_password</code></b> — <code>🆔 db-password</code></summary>
<br>

| Attribute | Value |
| ----------- | ------- |
| content_type | `password` |
| key_vault_id | Key Vault `kv-tfplan2md` in resource group `rg-tfplan2md-demo` of subscription `12345678-1234-1234-1234-123456789012` |
| name | `🆔 db-password` |
| value | `super-secret-value` |

</details>

Real-World Examples

Complete example projects showing tfplan2md in action.

📋

Comprehensive Demo

A handcrafted Terraform plan demonstrating all tfplan2md features: firewall rules, NSG rules, role assignments, module grouping, and more.

23 resources 4 modules 8 resource types

Module grouping Firewall rules Role assignments Sensitive values

View on GitHub → See Report →

🔧

Azure DevOps Example

Real Terraform configuration creating Azure DevOps projects, repositories, variable groups, and pipelines. Generate your own plans and test tfplan2md.

4 resources azuredevops provider

Project creation Git repository Variable groups Pipelines

View on GitHub →

Try It Yourself

Run the comprehensive demo using Docker or build from source.

Using Docker

# Default report with principal mapping
docker run --rm oocx/tfplan2md \
  /examples/comprehensive-demo/plan.json \
  --principals /examples/comprehensive-demo/demo-principals.json

# Summary report
docker run --rm oocx/tfplan2md \
  /examples/comprehensive-demo/plan.json \
  --template summary

# Show sensitive values
docker run --rm oocx/tfplan2md \
  /examples/comprehensive-demo/plan.json \
  --principals /examples/comprehensive-demo/demo-principals.json \
  --show-sensitive

From Source

git clone https://github.com/oocx/tfplan2md.git
cd tfplan2md

# Default report
dotnet run --project src/Oocx.TfPlan2Md/Oocx.TfPlan2Md.csproj -- \
  examples/comprehensive-demo/plan.json \
  --principals examples/comprehensive-demo/demo-principals.json

# Summary report
dotnet run --project src/Oocx.TfPlan2Md/Oocx.TfPlan2Md.csproj -- \
  examples/comprehensive-demo/plan.json \
  --template summary

Get Started Browse Examples on GitHub

Report Templates

🔒 Security Analysis Integration

Terraform Plan Report

Summary

Code Analysis Summary

Resource Changes

📦 Module: root

Summary Template

Terraform Plan Summary

Summary

Default Template

Terraform Plan Report

Summary

Resource Changes

📦 Module: root

Feature Examples

Firewall Rule Semantic Diffing

🔄 azurerm_firewall_network_rule_collection.network_rules

Rule Changes

Firewall Application Rule Collections

Rule Changes

Module Grouping

Resource Changes

📦 Module: root

📦 Module: module.network

📦 Module: module.security

📦 Module: module.network.module.monitoring

Parent-Child Resource Grouping

Members

Subnets

Azure Role Assignment Display

Azure DevOps Build Definitions

Variables

Repository

Terraform Outputs

📤 Outputs

Sensitive Value Masking

Real-World Examples

Comprehensive Demo

Azure DevOps Example

Try It Yourself

📦 Module: `module.network`

📦 Module: `module.security`

📦 Module: `module.network.module.monitoring`