
See exactly what each workspace manages

Every finalized Terraform state is now indexed by resource type. Browse the inventory across your org, drill into "who uses aws_iam_role," and ask the Slack bot — no state downloads required.

You almost certainly have this question somewhere in your backlog: "Which workspaces touch IAM?" — usually because somebody is preparing an audit, or investigating a permissions incident, or scoping a security review. Until today the answer in InfraDots was a manual one: download each state, grep it, repeat.

Not anymore.

What's new

Every time a state is finalized, InfraDots now parses out the inventory of managed resources and stores a per-workspace, per-type, per-provider count. That index is exposed in three places:

  • The Resources tab on each workspace shows the full breakdown — type, provider, count — sorted by what's most concentrated.
  • A new API endpoint at /api/organizations/<org>/resource-types/ returns the same data aggregated across all workspaces in the org. Filter to one workspace with ?workspace=<name> or one provider with ?provider=hashicorp/aws.
  • A drill-down at /api/organizations/<org>/resource-types/<type>/workspaces/ answers "which workspaces use this type?" — sorted by count.

The Slack bot speaks the same language. @infradots resources lists the top types across your org. @infradots who uses aws_iam_role returns the workspace list.

Why it matters

The point isn't pretty tables. The point is that questions about your infrastructure footprint — for security, FinOps, blast-radius analysis, or just satisfying curiosity — should be answerable in seconds, not afternoons.

A few examples of what this unlocks:

  • Audit prep: pull every workspace managing aws_iam_role or aws_kms_key in one query.
  • Provider migrations: confirm zero hashicorp/aws resources remain before deprecating a credential.
  • Blast-radius assessment: combine with auto-discovered interconnections to see what each upstream workspace owns, not just the dependency edges.

Under the hood

The indexer runs as part of the existing state post-processing pipeline — no extra state downloads, no new background jobs. Data sources (mode = "data") are deliberately excluded; you see what each workspace manages, not what it reads.

Atomic refresh on every finalized state means the inventory never lags behind reality. A destroy clears the row; a new apply repopulates it; there's no catch-up sweep to run.
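
To reproduce this kind of index against a state file you already hold, the sketch below parses a Terraform state (format version 4), skips data sources, and counts managed instances per type and provider. It is an added example, not InfraDots' own code: the function names are hypothetical, the sample state is constructed, and counting instances (rather than resource blocks) is an assumption about what "count" means.

```python
import json
import re
from collections import Counter

# Constructed sample in Terraform state format version 4 (not real data).
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"mode": "managed", "type": "aws_iam_role", "name": "app",
     "provider": 'provider["registry.terraform.io/hashicorp/aws"]',
     "instances": [{"index_key": 0}, {"index_key": 1}]},
    {"module": "module.kms", "mode": "managed", "type": "aws_kms_key", "name": "k",
     "provider": 'module.kms.provider["registry.terraform.io/hashicorp/aws"].west',
     "instances": [{}]},
    {"mode": "data", "type": "aws_iam_policy_document", "name": "assume",
     "provider": 'provider["registry.terraform.io/hashicorp/aws"]',
     "instances": [{}]},
    {"mode": "managed", "type": "random_id", "name": "suffix",
     "provider": 'provider["registry.terraform.io/hashicorp/random"]',
     "instances": [{}]},
]})

PROVIDER_RE = re.compile(r'provider\["([^"]+)"\]')
DEFAULT_REGISTRY = "registry.terraform.io/"

def provider_source(raw):
    """Reduce a state provider address to 'namespace/name' (hypothetical helper)."""
    match = PROVIDER_RE.search(raw or "")
    if not match:
        return "unknown"
    addr = match.group(1)
    return addr[len(DEFAULT_REGISTRY):] if addr.startswith(DEFAULT_REGISTRY) else addr

def index_state(state_json):
    """Count managed resource instances per (type, provider); skip data sources."""
    state = json.loads(state_json)
    if state.get("version") != 4:
        raise ValueError("only state format version 4 is handled here")
    counts = Counter()
    for res in state.get("resources", []):
        if res.get("mode") != "managed":  # mode == "data" is read, not managed
            continue
        instances = len(res.get("instances", []))
        if instances:  # a block with no instances manages nothing
            counts[(res["type"], provider_source(res.get("provider")))] += instances
    return counts

def workspaces_using(indexes, resource_type):
    """Drill-down: workspaces managing resource_type, highest count first."""
    totals = {ws: sum(n for (t, _), n in idx.items() if t == resource_type)
              for ws, idx in indexes.items()}
    return sorted(((ws, n) for ws, n in totals.items() if n), key=lambda p: -p[1])
```

Module-scoped and aliased provider addresses collapse to the same hashicorp/aws key, so a provider filter sees every configuration of that provider in the state.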

Turning it on

Nothing to flip — it's on by default for every organization. Open any workspace and click the new Resources tab.