Azure Optimizations

Purpose-built features for Azure that format resource IDs, map principal names, and show role assignments clearly.

Readable Azure Resource IDs

azurerm

Long Azure resource IDs are automatically parsed and formatted as human-readable scopes instead of displaying raw GUID paths.

❌ Without tfplan2md

# module.security.azurerm_key_vault.main will be created
+ resource "azurerm_key_vault" "main" {
    + id                            = (known after apply)
    + location                      = "eastus"
    + name                          = "kv-tfplan2md"
    + resource_group_name           = "rg-tfplan2md-demo"
    + tenant_id                     = "11111111-2222-3333-4444-555555555555"
  }

# module.security.azurerm_key_vault_secret.db_password will be created
+ resource "azurerm_key_vault_secret" "db_password" {
    + key_vault_id = "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rg-tfplan2md-demo/providers/Microsoft.KeyVault/vaults/kv-tfplan2md"
    + name         = "db-password"
  }

Long Azure IDs make it hard to identify resources at a glance.

✅ With tfplan2md

Key Vault Secret Output

### ➕ module.security.azurerm_key_vault_secret.db_password

| Attribute | Value |
| ----------- | ------- |
| content_type | `password` |
| key_vault_id | Key Vault `kv-tfplan2md` in resource group `rg-tfplan2md-demo` |
| name | `🆔 db-password` |

Human-readable format shows what you need to know—the resource name and its resource group.

Features

  • Automatic detection for subscription, resource group, and resource IDs
  • Only values are formatted as code—labels remain readable
  • Azure IDs remain in attribute tables (not moved to large values section)
  • Works for all azurerm resources—no configuration needed

Azure Role Assignment Display

azurerm

Role assignments show human-readable role names, scopes, and principal information in a clear table format.

❌ Without tfplan2md

Raw Terraform Output
# module.security.azurerm_role_assignment.rg_reader will be created
+ resource "azurerm_role_assignment" "rg_reader" {
    + id                   = (known after apply)
    + principal_id         = "00000000-0000-0000-0000-000000000001"
    + principal_type       = "User"
    + role_definition_id   = "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
    + role_definition_name = "Reader"
    + scope                = "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rg-tfplan2md-demo"
  }

GUIDs and long paths make it hard to understand who gets what access.

✅ With tfplan2md

Role Assignment Output

### ➕ module.security.azurerm_role_assignment.rg_reader

<summary>👤 User → 🛡️ Reader on rg-tfplan2md-demo</summary>

| Attribute | Value |
| ----------- | ------- |
| scope | `📁 rg-tfplan2md-demo` |
| role_definition_name | `🛡️ Reader` |
| principal_type | `👤 User` |
| principal_id | `00000000-0000-0000-0000-000000000001` |

Clear summary at the top, formatted scope, and visual icons.

Principal Name Mapping

azurerm

Map cryptic Principal IDs (GUIDs) to human-readable names (e.g., user emails, group names, service principals) using a JSON mapping file.

Command
tfplan2md plan.json --principal-mapping principals.json

Benefits

  • No more cryptic GUIDs in role assignments
  • Immediately see who has access to what
  • Works with role assignments and any resource showing principal IDs
  • Falls back to GUID if no mapping exists
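The scope formatting and principal mapping described above can be reproduced for a manual access review. This is an added example, not tfplan2md's own code. It assumes the usual `/subscriptions/.../resourceGroups/.../providers/...` ID layout and a plain GUID-to-name dictionary (the tool's actual mapping file format is not shown on this page), and it prints the provider type rather than a friendly name such as "Key Vault".

```python
import re

# Assumed ARM ID layout; segment names are matched case-insensitively.
_ARM_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"(?:/resourceGroups/(?P<rg>[^/]+)"
    r"(?:/providers/(?P<ns>[^/]+)/(?P<rest>.+))?)?/?$",
    re.IGNORECASE,
)

def describe_scope(arm_id):
    """Return a readable label for a subscription, resource group or resource ID."""
    m = _ARM_ID.match(arm_id or "")
    if not m:
        return arm_id  # unknown shape: show the raw value rather than guess
    if m["rest"]:
        parts = m["rest"].split("/")
        if len(parts) % 2:  # type/name pairs must be complete
            return arm_id
        # The last type/name pair identifies the leaf resource.
        return f"{m['ns']}/{parts[-2]} {parts[-1]} in resource group {m['rg']}"
    if m["rg"]:
        return f"resource group {m['rg']}"
    return f"subscription {m['sub']}"

def summarize_assignment(attrs, principals=None):
    """One-line 'who gets what, where' summary of a role assignment's attributes."""
    principals = principals or {}
    pid = attrs["principal_id"]
    # Mapping keys are assumed lowercase; an unmapped principal stays a GUID.
    who = principals.get(pid.lower(), pid)
    return (f"{attrs.get('principal_type', 'Principal')} {who} -> "
            f"{attrs['role_definition_name']} on {describe_scope(attrs['scope'])}")

# Values copied from the plan output on this page; the mapping entry is constructed.
ASSIGNMENT = {
    "principal_id": "00000000-0000-0000-0000-000000000001",
    "principal_type": "User",
    "role_definition_name": "Reader",
    "scope": "/subscriptions/12345678-1234-1234-1234-123456789012"
             "/resourceGroups/rg-tfplan2md-demo",
}
MAPPING = {"00000000-0000-0000-0000-000000000001": "jane.doe@example.com"}

if __name__ == "__main__":
    print(summarize_assignment(ASSIGNMENT, MAPPING))
    print(summarize_assignment(ASSIGNMENT))  # no mapping: GUID is shown
```

A scope that resolves to `subscription ...` rather than a resource group or single resource is the case to look at first when reviewing a plan, since the role applies to everything beneath it.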
