HashiCorp Cloud Platform
Infragraph overview
Infragraph is the HashiCorp Cloud Platform (HCP) resource graph database. It creates a centralized data storage layer for your infrastructure environment metadata to enable greater visibility into resources and their usage.
Introduction
Infragraph helps you visualize and act on your hybrid cloud infrastructure.
The resource graph service has several pieces that you use together:
- Connections link your data sources to the resource graph
- The graph explorer displays interactive data results in your web browser
- Queries filter the resources displayed by the resource graph
Hands-on: Complete the "Explore your organization's infrastructure with Infragraph" tutorial to get started with Infragraph.
Requirements
To use Infragraph, you must meet the following requirements:
- Your HCP account must have the Admin or Owner role in your HCP organization.
- You must have an HCP Terraform organization with a Standard edition plan or above.
- You must be able to create teams and team tokens in HCP Terraform.
Activate Infragraph
To activate Infragraph, sign in to the HCP portal, navigate to your Organization dashboard, and select Activate under the Infragraph section of the left navigation panel.
You must present an HCP Terraform token to activate Infragraph. We recommend creating a new HCP Terraform team with the following permissions to scope the access of the team API token.
- Manage all workspaces
Refer to the Create teams documentation for information on how to create an HCP Terraform team. Refer to Team API tokens for information on how to create and manage team API tokens.
Enter your team API token and click Activate Infragraph.
When your token expires, Infragraph alerts you to provide a new token.
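The token scoping recommended above, as an added example that is not part of HashiCorp's documentation: a Terraform configuration using the `hashicorp/tfe` provider that creates a dedicated team holding only the Manage all workspaces organization permission and issues an expiring team API token. The organization variable, team name, and expiry date are assumptions to replace with your own values.

```hcl
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

# Assumption: the provider reads its credentials from the TFE_TOKEN
# environment variable, and that identity can create teams and team tokens.
provider "tfe" {}

variable "organization" {
  type        = string
  description = "HCP Terraform organization name (supply your own)"
}

# A dedicated team keeps the Infragraph token separate from any user
# or existing team that carries broader organization access.
resource "tfe_team" "infragraph" {
  name         = "infragraph-sync" # hypothetical team name
  organization = var.organization
  visibility   = "secret"

  # "Manage all workspaces" is the only organization-level permission granted.
  organization_access {
    manage_workspaces = true
  }
}

# Team API token with an explicit expiry. Infragraph asks for a new token
# once this one expires, so plan the rotation around this date.
resource "tfe_team_token" "infragraph" {
  team_id    = tfe_team.infragraph.id
  expired_at = "2026-01-01T00:00:00Z" # constructed example date
}

# The token value is also written to Terraform state, so restrict
# access to the state of the workspace that runs this configuration.
output "infragraph_team_token" {
  value     = tfe_team_token.infragraph.token
  sensitive = true
}
```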
Workflow
After you activate Infragraph, you can complete the following steps to get started:
- Connect your data sources to your HCP organization
- Select a pre-built query or build your own
- Explore the relationships between resources using the graph explorer
Roles and permissions
Infragraph introduces new roles and permissions to your HCP organization. You can scope user access to Infragraph using service-level permissions.
The following table describes the roles and permissions for Infragraph, scoped to their service-level and organizational access.
| Permission | Connection Admin | Infragraph Admin | Infragraph Querier |
|---|---|---|---|
| Create, edit, and delete connections | ✅ | ✅ | ❌ |
| View connections | ✅ | ✅ | ✅ |
| Create, edit, and delete saved queries from the catalog | ❌ | ✅ | ✅ |
| View, build and execute any query | ❌ | ✅ | ✅ |
| Assign and edit Infragraph roles | ❌ | ✅ | ❌ |
| View audit logs | ❌ | ❌ | ❌ |
| View node inventory | ❌ | ✅ | ✅ |
| View synced data | ✅ | ✅ | ✅ |
Limitations
Infragraph does not support the following:
- Real-time updates. Updates only occur on triggered or scheduled sync operations.
- HCP Terraform drift detection.
- Automated vulnerability detection and remediation.
- Ingesting SBOMs outside of HCP Packer.
- HCP European regions. Infragraph is only available in the United States.
- Adding custom nodes and edges to the graph.
- Creating resource tags within the application. Tags specified in upstream data sources, such as AWS resource tags, are synced.
Constraints
Infragraph has the following constraints:
- Only one instance of each connection type can be active at a time.
- The AWS connector supports 100 accounts per connection.
- The HCP Terraform connector supports one organization per connection.
- Only a subset of planned AWS resources and resource fields are supported.
- Initial HCP Packer syncs can require a wait of up to 30 minutes after you create the connection.
- Query API validation is limited. Query failures and errors may not be exposed.
- The inventory page contains resources that are built by the graph service, not ingested by connections. Resources ingested when you connect Infragraph to your cloud service are discovered resources and are not differentiated from the other type of resource in the UI.