Interactive Understanding Layer

Understand the blast radius

Search resources, navigate dependencies, check blast radius, and track every change — from the console or the API.

Global Search Graph Explorer Blast Radius Change Timeline Dashboard HTTP API

Find any resource, instantly

Field-scoped search across every state and workspace—filter by type, module, or address. No more grepping state files or asking a teammate where that RDS instance lives.

⌕ module:api-prod All workspaces

12 results across 3 states · 12ms

aws_instance.api-prod-1

t3.large · us-east-1a

production

RUNNING

aws_instance.api-prod-2

t3.large · us-east-1b

production

RUNNING

aws_lb.api-prod

application load balancer

production

ACTIVE

aws_ecs_service.api-prod

2/2 tasks running

production

RUNNING

... 8 more results

Blast radius: know what breaks before you apply

Changing aws_security_group.api? Stategraph traces every dependency and shows you exactly what's at risk—before you touch anything. The radius doesn't stop at the state file: consumers in other states, including remote-state references, are part of the graph.

Target Resource

aws_security_group.api

Direct Dependencies (Distance 1)

aws_instance.api-1

aws_instance.api-2

aws_instance.api-3

aws_lb.api

aws_ecs_service.api

aws_rds_instance.primary

Transitive Dependencies (Distance 2+)

aws_lb_target_group.api

aws_route53_record.api

aws_cloudwatch_alarm.api-cpu

aws_autoscaling_group.api

aws_iam_role.api

aws_sns_topic.alerts

Total Affected

Direct Deps

Max Distance

shell

$ stategraph blast-radius --state $STATE_ID "aws_security_group.api"

aws_instance.api-1 1

aws_lb.api 1

… 14 more rows

One command in the terminal, one API call, or the interactive graph explorer in the console—same graph behind all three. How blast radius works →

What changed. When. Who.

Every plan and apply—from CI, a laptop, or an AI agent—runs through the server and lands in one transaction log. Correlate incidents with changes and hand auditors evidence—without extra tooling.

2:47 PM

Added aws_rds_instance.analytics

sarah@company.com · txn_8f3a9b2

1:22 PM

Modified aws_security_group.api (3 resources affected)

mike@company.com · txn_7d2c1a4

11:05 AM

Destroyed aws_instance.temp-worker

automation@company.com · txn_6a9f8e3

9:18 AM

Scaled aws_autoscaling_group.api → 6 instances

deploy@company.com · txn_5b1e7d9

stategraph sql query

-- The audit trail is a table, not a log file to grep

SELECT id, state, created_by, completed_at

FROM transactions

ORDER BY completed_at DESC

LIMIT 5

Transactions and their logs are SQL tables—join them against resources, states, and users to answer "what touched this resource last week?" How the audit timeline works →

Infrastructure data as an API

Every insight Stategraph surfaces is also available via HTTP API. Build internal tools, feed dashboards, power automations, and integrate with your existing observability stack.

HTTP API

# Get blast radius for a resource

GET /api/v1/states/$STATE_ID/instances/aws_security_group.api/blast-radius

Authorization: Bearer $STATEGRAPH_API_KEY

200 OK · 8ms

{

"results": [

{ "address": "aws_instance.api-1", "distance": 1 },

{ "address": "aws_lb.api", "distance": 1 },

{ "address": "aws_route53_record.api", "distance": 2 },

... 16 resources in the radius

]

}

Blast radius

GET /api/v1/states/{id}/instances/{address}/blast-radius

GET /api/v1/states/{id}/instances?q=type:aws_instance

Timeline

GET /api/v1/tenants/{id}/tx

SQL

GET /api/v1/mql?q=SELECT…

Understand Your Infrastructure

Search resources, explore dependencies, and track every change from one interface.

Get started Read the docs