Diagramming Infrastructure as Code
Infrastructure as code is precise but hard to read - hundreds of resources and dependencies in text. Diagramming the resources, modules, and state makes a change reviewable before you apply it to production.
Infrastructure as code turns servers, networks, and databases into declarative configuration that can be versioned, reviewed, and applied repeatably. It is a huge improvement over clicking around a console, but it trades one problem for another: the infrastructure is now precise and reproducible, yet reading hundreds of resources and their dependencies as text is genuinely hard, and a small change can ripple through the dependency graph in ways a diff does not reveal. Diagramming the infrastructure is how you keep it comprehensible and make changes safe to review.
This guide shows how to diagram infrastructure as code: the resources it provisions, the modules that group them, and the state that tracks what actually exists, along with the dependency graph that determines the order of changes. Build the diagrams in Atlas Diagram Studio at /diagrams, and draft from a description with the AI diagram generator at /diagram-tools/ai-diagram-generator. The examples use Terraform-style concepts, but the approach applies to any declarative infrastructure tool.
Resources, modules, and state
Three concepts anchor any infrastructure-as-code diagram. Resources are the individual pieces of infrastructure the code declares - a virtual network, a compute instance, a managed database, a load balancer - each corresponding to a real thing the provider creates. Modules are reusable groups of resources packaged together, like a module that stands up a complete service with its compute, networking, and permissions. State is the tool's record of what it has actually provisioned, the mapping between your code and the real resources, which is what lets the tool compute the difference between desired and actual on each change.
A good diagram distinguishes these layers. At the top level you show the modules and how they compose - a network module, an application module that depends on it, a data module - which is the architecture-level view most people need. Inside a module you can show the individual resources and their relationships. And the state, while abstract, is worth representing in a diagram about how changes flow, because misunderstanding state is behind many infrastructure incidents: two people applying at once, a resource changed by hand drifting from state, a state file that becomes the single source of truth you must protect.
The dependency graph
Underneath declarative infrastructure is a dependency graph the tool builds to decide what to create, change, or destroy and in what order. A compute instance depends on the network it lives in; the network must exist first. A DNS record depends on the load balancer it points to. Diagramming this graph as a directed acyclic graph of resources - arrows pointing from a resource to what it depends on - reveals the true shape of the infrastructure and the order in which changes take effect, which the flat configuration files obscure.
This dependency view is where diagramming most improves safety. A change that looks small in a diff - renaming a resource, changing an attribute that forces replacement - can, through the dependency graph, cascade into recreating everything downstream, potentially with downtime. Seeing the graph lets reviewers spot that a change to a foundational resource like a network or a database will ripple outward, before the change is applied. It also makes circular or fragile dependencies visible, which are a common source of apply-time failures that are baffling without the graph in front of you.
What an IaC diagram should show
An infrastructure-as-code diagram is most valuable when it captures the things that make changes risky. Include these.
- The resources provisioned, grouped by type - networking, compute, storage, data, identity - so the inventory is legible at a glance.
- The modules and how they compose, showing which modules depend on which for the architecture-level view.
- The dependency graph between resources, so the order of creation and the blast radius of a change are visible.
- Which changes force replacement versus in-place update, since replacement can mean downtime or data loss.
- Environment boundaries - dev, staging, production - and how the same modules are instantiated per environment.
- State backend and locking: where state is stored and how concurrent applies are prevented from corrupting it.
- External data sources and secrets the configuration reads, so hidden inputs are not invisible.
- The apply flow: plan, review, approve, apply - the gate that separates a proposed change from a live one.
Keeping infrastructure diagrams honest
The perennial risk with any infrastructure diagram is drift: the code changes, the diagram does not, and soon the picture describes infrastructure that no longer exists. The defenses are the same discipline that keeps the code itself trustworthy. Keep architecture-level diagrams in the repository next to the configuration so they are updated in the same pull requests that change the infrastructure, and review the diagram change alongside the code change. For detailed resource graphs, lean on generation from the tool where possible, since a machine-derived graph cannot drift as long as you regenerate it.
Balance the two levels deliberately. Auto-generated resource graphs are always accurate but often too dense to communicate intent, while hand-crafted module and architecture diagrams communicate the design but need maintaining. Many teams keep a curated architecture diagram they update by hand and a generated dependency graph they regenerate on demand, getting both intent and accuracy. Build the curated views in Atlas Diagram Studio at /diagrams, with real-time collaboration so the platform team maintains them together. For how these fit a broader documentation set, see the guide on documenting software with diagrams and the system architecture diagram guide, and for the pipeline that applies your infrastructure, the guide on how to diagram a CI/CD pipeline.