Compatibility with newest Python, Terraform versions + new features

[Ianyliu]

I've been working on the improvements of this tool as a Cisco Technical Intern this summer.

Here are some of the major changes I've made:

• Add compatibility with recent versions of Terraform, Python, and Python packages
• Allow Blast Radius to run independent of any Terraform file/folder/installation. Just simply provide a DOT script (file upload/text input)
• New functionality (on app)
  • Tabs. This enables infrastructure comparison from different Terraform plans from different people.
  • Print graph. Allows users to print graph directly. (TODO: Doesn't work all the time)
  • Upload DOT files to generate graphs. Upload .txt files with DOT script (copy and past terraform graph output into a text file.
  • Text input for DOT script.
• UI enhancements. Updated color scheme to more closely follow the 60-30-10 rule.
• Added an example for running Blast Radius on AWS EC2 via Terraform
• Added an example for running Blast Radius on Kubernetes
• Added 3 example DOT files in examples/ folder to test out the newest features I've added
• Better error handling to notify user of the problem
• Create new Docker repo
• Updated Dockerfile and Docker image to implement aforementioned functionality and features.
• Update Docker image to include multi-cpu architecture (ARM, AMD, etc.)
• Updated README.md to include more information
• Other changes: I've spend quite some time looking across different forks and pull requests from others like gruberdev, AshleyHollis, etc. to merge changes (haven't finished). Some them include, switching to pyhcl2, adding Terratests to Dockerfile, PowerShell scripts that run Blast Radius on Docker, allowing Blast Radius to run even if JSON data couldn't be parsed, etc.

You can test out my Docker image at https://hub.docker.com/repository/docker/ianyliu/blast-radius-fork/

[Ianyliu]

@rquadling Could you please try again with my latest image from Docker? I've never seen this issue before so I'm not sure if I can fix it.

[rquadling]

@Ianyliu Thank you for this. Will try it out tomorrow (UK time).

[rquadling]

Really sorry for the delay in replying. Just retried running ...

$ docker run --rm -it -p 5000:5000 -v $(pwd):/data:ro --security-opt apparmor:unconfined --cap-add=SYS_ADMIN  ianyliu/blast-radius-fork

- ecr_repos in modules/ecr_repo
╷
│ Error: Error accessing remote module registry
│ 
│ Failed to retrieve available versions for module "grouped_ecr_repos" (grouped-ecr.tf:45) from app.terraform.io: error looking up module versions: 401 Unauthorized.
╵

╷
│ Error: Error accessing remote module registry
│ 
│ Failed to retrieve available versions for module "tailscale_connection" (tailscale.tf:8) from app.terraform.io: error looking up module versions: 401 Unauthorized.
╵

╷
│ Error: Error accessing remote module registry
│ 
│ Failed to retrieve available versions for module "tailscale_zone_association" (tailscale.tf:23) from app.terraform.io: error looking up module versions: 401 Unauthorized.
╵

╷
│ Error: Error accessing remote module registry
│ 
│ Failed to retrieve available versions for module "grouped_ecr_repos" (grouped-ecr.tf:45) from app.terraform.io: error looking up module versions: 401 Unauthorized.
╵

╷
│ Error: Error accessing remote module registry
│ 
│ Failed to retrieve available versions for module "grouped_ecr_repos" (grouped-ecr.tf:45) from app.terraform.io: error looking up module versions: 401 Unauthorized.
╵

╷
│ Error: Error accessing remote module registry
│ 
│ Failed to retrieve available versions for module "tailscale_connection" (tailscale.tf:8) from app.terraform.io: error looking up module versions: 401 Unauthorized.
╵

╷
│ Error: Error accessing remote module registry
│ 
│ Failed to retrieve available versions for module "grouped_ecr_repos" (grouped-ecr.tf:45) from app.terraform.io: error looking up module versions: 401 Unauthorized.
╵

╷
│ Error: Error accessing remote module registry
│ 
│ Failed to retrieve available versions for module "tailscale_connection" (tailscale.tf:8) from app.terraform.io: error looking up module versions: 401 Unauthorized.
╵

╷
│ Error: Error accessing remote module registry
│ 
│ Failed to retrieve available versions for module "tailscale_zone_association" (tailscale.tf:23) from app.terraform.io: error looking up module versions: 401 Unauthorized.
╵

The terraform plan has all worked.

I'm running this on a MacBook Pro M1 chipset.

[Copilot]

Pull request overview

This PR modernizes the Blast Radius fork for newer Python/Terraform ecosystems and expands the web UI to support DOT-only usage (no Terraform project required) with multi-graph/tab workflows.

Changes:

• Updated Python/Terraform/Docker dependencies and packaging to target newer versions and include static assets.
• Added DOT upload + text input flows and tabbed multi-graph UI features (upload, print, spinner/overlay, etc.).
• Added expanded docs/examples plus Docker/Kubernetes helper assets and CI security workflows.

Reviewed changes

Copilot reviewed 32 out of 37 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
setup.py	Adjust package discovery exclusions and include package data.
requirements.txt	Bump/pin Python dependencies (Flask/Jinja2/requests, add python-hcl2, etc.).
examples/Example1.txt	Add sample DOT graph for new upload/input features.
examples/Example2.txt	Add sample DOT graph for new upload/input features.
examples/Example3.txt	Add large sample DOT graph for new upload/input features.
docker-entrypoint.sh	Improve env var defaults, add optional -chdir init, print build output.
doc/embedded.md	Minor wording/formatting updates for embedding docs.
blastradius/util.py	Update collections import for newer Python compatibility.
blastradius/server/templates/non_tf_dir.html	New “no Terraform dir” UI template enabling DOT-only mode.
blastradius/server/templates/index.html	Reworked main UI: tabs, upload/input, print, spinner overlay.
blastradius/server/templates/error.html	Improve error page diagnostics with templated install checks.
blastradius/server/static/js/blast-radius.js	Major UI/behavior additions: tabs, upload/input handlers, print, JSON-less handling attempts.
blastradius/server/static/css/style.css	Add spinner/overlay styling and tab UI styling.
blastradius/server/server.py	Add DOT upload/input endpoints and conditional rendering for non-Terraform mode.
blastradius/handlers/terraform.py	Switch to python-hcl2 parsing and adjust module discovery logic.
blastradius/handlers/dot.py	Regex tweak for module label parsing.
bin/blast-radius	Add --host flag and adjust serve behavior.
README.md	Major documentation overhaul (usage, Docker/K8s quickstarts, feature list).
PowerShell/docker_run.ps1	Add helper script to run the Docker image.
PowerShell/docker_build.ps1	Add helper script to build Docker image (and optional buildx notes).
Makefile	Update Docker image name for build/publish targets.
Kubernetes/k8-blast-radius-service.yaml	Add K8s Service manifest.
Kubernetes/k8-blast-radius-deployment.yaml	Add K8s Deployment manifest for running Blast Radius.
Dockerfile	Update Terraform/Python versions, add git, add build-time smoke-ish step.
Docker/docker-compose.yml	Update compose version and Docker image reference.
Docker.md	Add detailed Docker usage/build documentation.
BASH/docker_run.sh	Add bash helper to build/run image with params.
BASH/docker_build.sh	Add bash helper to build (and optional buildx multi-arch).
AWS/blast-radius-aws.tf	Add AWS EC2 Terraform example to generate/use graphs.
.gitignore	Ignore IDE dirs, Terraform outputs, macOS artifacts, etc.
.github/workflows/dependency-review.yml	Add dependency review workflow.
.github/workflows/codesee-arch-diagram.yml	Add CodeSee architecture diagram workflow.
.github/workflows/codeql.yml	Add CodeQL scanning workflow.
.github/workflows/codeql-analysis.yml	Add second CodeQL workflow (duplicate config).
.dockerignore	Expand dockerignore rules and exclude large example/doc artifacts from builds.

Comments suppressed due to low confidence (1)

blastradius/server/server.py:218

• initalizeDotGraph() always instantiates Terraform(os.getcwd()) and populates node.definition. This makes the new “DOT-only / no-Terraform-directory” mode depend on successfully parsing local .tf files, and will raise if any .tf file fails to parse (see Terraform.init). Consider wrapping Terraform parsing in a try/except and leaving definition empty when parsing fails or when no .tf files are present.

    if module_depth is not None and module_depth >= 0:
        dot.set_module_depth(module_depth)

    tf = Terraform(os.getcwd())
    for node in dot.nodes:
        node.definition = tf.get_def(node)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

index() always calls get_help(), but get_help() runs terraform --version. When Terraform isn't installed (the new supported mode), this will raise (FileNotFoundError) before the non-Terraform template can render. Consider making get_help() resilient (e.g., return placeholders when terraform isn't found) or only call it when is_terraform_installation is true.

Suggested change

	return render_template(template, help=get_help(), folder_name=folder_name)
	help_data = get_help() if is_terraform_installation else {}
	return render_template(template, help=help_data, folder_name=folder_name)

[Copilot]

get_python_version() falls back to python --version into completed2, but the return value still reads from completed.stdout. This will return an empty/incorrect version string when python3 is missing. Return completed2.stdout in the fallback case (or unify into a single variable).

Suggested change

	completed2 = subprocess.run(
	['python', '--version'], stdout=subprocess.PIPE)
	if completed2.returncode != 0:
	completed = subprocess.run(
	['python', '--version'], stdout=subprocess.PIPE)
	if completed.returncode != 0:

[Copilot]

In the remote-module branch, self.modules = Terraform(...) overwrites the self.modules dict with a Terraform instance. This breaks subsequent lookups like self.modules[...] in get_def(). This should likely be self.modules[name] = Terraform(...) (and only after verifying the module directory exists).

Suggested change

	if re.match(r'.*\/(\/.*)(?!:)', source):
	path = os.path.join(path, match.groups()[0])
	self.modules = Terraform(directory=path, settings=mod)
	if match:
	path = os.path.join(path, match.groups()[0])
	if os.path.exists(path):
	self.modules[name] = Terraform(directory=path, settings=mod)

[Copilot]

Missing braces change the control flow in data.nodes.forEach(...): the [root] root special-case assignment is now nested under if (!(node.type in resource_groups)), so it won't run for node types that are in resource_groups. Add braces or move the root check out so it always applies to the root node.

[Copilot]

The HTML string for the JSON tooltip checkbox includes two class attributes on the same <input> element (class="form-check-input" ... class="graph-tooltip-json"). Only one will be applied, which can break styling/selector logic. Merge these into a single class attribute.

Suggested change

	'<input class="form-check-input" type="checkbox" value="" class="graph-tooltip-json" id="' + graphSelector + '-tooltip-json"' +
	'<input class="form-check-input graph-tooltip-json" type="checkbox" value="" id="' + graphSelector + '-tooltip-json"' +

[Copilot]

docker-entrypoint.sh runs with set -e and unconditionally cat /output.txt. If /output.txt isn't present (e.g., when the Dockerfile’s test lines are commented out as suggested), the entrypoint will exit and the container won't start. Guard this (e.g., if [ -f /output.txt ]; then ...; fi).

[Copilot]

This template includes both a bundled jQuery (/static/js/jquery.slim.min.js) and a second copy loaded from a CDN. Loading jQuery twice can cause plugin/handler issues, and the CDN script is not pinned with SRI/integrity. Prefer a single source (ideally the vendored one) and add integrity/crossorigin if a CDN is required.

Suggested change

<script src="https://code.jquery.com/jquery-3.5.0.js"></script>

[Copilot]

The d3.json() callback logs error but then continues and immediately dereferences data.edges / data.nodes. If the JSON request fails (the case you're trying to support), data can be null/undefined and this will throw, preventing DOT-only graphs from rendering. If error is set, return early or set data = {nodes: [], edges: []} and disable JSON-dependent features.

[Copilot]

This template includes both a bundled jQuery (/static/js/jquery.slim.min.js) and a second copy loaded from a CDN. Loading jQuery twice can cause plugin/handler issues, and the CDN script is not pinned with SRI/integrity. Prefer a single source (ideally the vendored one) and add integrity/crossorigin if a CDN is required.

Suggested change

<script src="https://code.jquery.com/jquery-3.5.0.js"></script>

[Copilot]

There are two CodeQL workflows (codeql.yml and codeql-analysis.yml) with the same name: "CodeQL" and nearly identical configuration. This will run CodeQL twice on the same events and can be confusing/noisy. Consider deleting one file or consolidating schedules into a single workflow.

Suggested change

	name: "CodeQL"
	on:
	push:
	branches: [ "main" ]
	pull_request:
	# The branches below must be a subset of the branches above
	branches: [ "main" ]
	name: "CodeQL (scheduled)"
	on: