Cloud Inventory

Cloud Inventory is your starting point in SGCode. It displays all resources discovered across your connected cloud accounts and lets you take action on them.

To open the Cloud Inventory:

  1. Select SGCode on the sidebar
  2. Select Cloud Inventory from the sidebar or the menu

The top of the page shows three key metrics:

  • Total Resources — the total number of resources discovered across your connected cloud accounts. Select View Cloud Providers to manage your connections.
  • Infra Projects — the number of infrastructure-as-code projects generated from your cloud resources. Select View All to see them.
  • IaC Coverage — the percentage of your resources managed as code. Select View State Backends to manage your state backends.

Use the Options dropdown in the table toolbar to configure a module for your selection:

Options dropdown

Resource list

The resources list shows every resource found across your connected cloud accounts.

The table displays each resource's name, account ID, resource type, when it was last scanned, its resource status, and its linked state backend.

Resource status values:

  • SG Managed — Resource is managed through StackGuardian workflows.
  • Unmanaged — Resource is not tracked by any IaC state file.
  • Externally Managed — Resource is managed by IaC but not through StackGuardian.
  • SG Drifted — StackGuardian-managed resource has drifted from its expected state.
  • SG State Only — Resource exists in StackGuardian state but no longer exists in the cloud. These resources cannot be codified.
  • External State Only — Resource exists in an external IaC state but no longer exists in the cloud. These resources cannot be codified.
  • Codifying — Your code is ready. Open the workbench, review, and hit "Create & Plan" — we'll raise a PR and start managing this resource automatically.

Use the Search resources by name field to find a specific resource. Use the Filters button to filter results by resource type, account, or other attributes.

To group resources, use the Group by dropdown next to the search field. Available groupings are: No Group, Group by Resource Type, Group by Cloud Provider, Group by Region, Group by Account, and Group by Tag. When grouping by tag, resources are grouped by tag key only. To filter by a specific tag value, use the Filters panel instead.

Group by dropdown

Resource Details

To view the details of a specific resource, select its name in the table. The Resource Details modal opens with two tabs:

Overview

Shows the resource's key attributes: Resource Name, Resource ID, Account ID, Integrations, Region, Tags, Resource Status, Resource Type, Service, Scanned At, State Backend, and IaC Source.

Attributes

Shows the raw JSON attributes for the resource as discovered from your cloud account. Select Copy JSON to copy the full attribute payload.

Resource Attributes

Select resources to codify

In the Resource Discovered tab, select one or more resources from the table using the checkboxes. The row highlights in blue when selected.

When you select resources, a bottom bar appears showing:

  • Import Summary and the number of resources selected
  • View Details — review your full selection before proceeding
  • A projected Coverage Gain percentage showing how much your IaC coverage will increase
  • Codify — the button to start code generation. Use the dropdown next to it to choose between Terraform and OpenTofu.

You can add dependencies for a single resource inline by selecting + Dependencies in its Actions column, or by opening the resource's Dependencies tab in the Resource Details modal.

Configure Module

Before selecting resources to codify, you can optionally import a module. Importing a module creates a new grouping filter for your discovered resources based on the selected template. This helps you organise and manage resources that match specific infrastructure patterns.

To import a module, select Import Module from the Options dropdown.

Expand Imported Modules and select a source type:

  • Git Repository

    Connect to an existing Git repository that contains your Terraform module.

    Complete the following fields:

    • Version Control — select your version control connector
    • Repository — enter the repository URL
    • Branch, Tag or Commit — specify the branch, tag, or commit (for example, main, v1.0, 0c708f)
    • Working Dir — specify the directory containing the module (for example, /, infra, modules/vm)
    • Git Sparse Checkout Config — optional sparse checkout configuration
    • Enable git core.autocrlf — optional checkbox for line ending handling

    Select Analyze to validate and import the module.

  • Templates

    Select this option to import a module from StackGuardian's template library.

Code generation

After selecting Codify, SGCode creates a new project and opens the Code Workbench. The platform generates Terraform or OpenTofu code for your selected resources — this typically takes a few minutes depending on the number of resources selected.

During generation, a progress bar shows the current status. SGCode runs an internal validation cycle: it generates the code, runs a plan to check for errors, and if errors are found, regenerates the code automatically before delivering the final result. If the validation finds no errors, the progress bar moves quickly to completion. If errors are found and a fix is attempted, the progress bar moves more slowly toward the end.

As generation runs, files begin appearing in the file tree and code starts rendering progressively in the editor. Editing is locked during this time, but you can browse the files as they appear. Once generation is complete, editing unlocks automatically.

You can navigate away from this page while generation runs. To return to a session, open the Infra Projects tab and select the project name to reopen it in the Code Workbench.

Each project is assigned an auto-generated name (for example, clean-blue). To rename it, select the pencil icon next to the name.

Code Workbench

When generation is complete, the Code Workbench displays the generated files in a file tree on the left and a code editor on the right.

The footer shows the project name, last modified time, and the current PR status.

The file tree may include files such as main.tf, variables.tf, outputs.tf, providers.tf, versions.tf, terraform.tfvars, and imports.sh, depending on the resources you selected.

Review the generated code carefully before proceeding. AI-generated code should always be validated before deployment.

Editing the code

You can edit the code directly in the editor. Use Cmd+S (or select Save) to save your changes. An asterisk on a file tab indicates unsaved changes. Use the undo and redo buttons in the toolbar to manage edits.

Select the three-dot menu on a file or folder in the file tree to access additional options: Rename, New File, New Folder, Copy Path, and Delete File.

Plan Logs and Issues

The bottom panel contains two tabs:

  • Plan Logs — shows the output of the most recent Terraform plan run.
  • Issues — shows errors detected in the generated code, each with a file reference and a description. If issues are present, a Fix Issues ([n]) button appears. Select it to let SGCode attempt an automatic fix.

Issues tab

Reviewing fixes with diff view

When you select Fix all issues, SGCode attempts to resolve the detected errors and opens a diff view showing the original code on the left and the proposed changes on the right. A file counter shows how many files were affected (for example, FILE 1 OF 1).

Review the proposed changes and select:

  • Accept Changes — apply the fix to the file
  • Decline Changes — discard the fix and keep the original code

Create PR & Plan

When you're ready to validate your generated code, select Create PR & Plan in the bottom bar of the Code Workbench.

This opens the Create PR & Plan modal, which creates a pull request and runs a Terraform plan in a single step.

Complete the following fields:

  • Version Control — select your version control connector. Select Add new VCS Connector if you haven't connected one yet.
  • Repository — search for and select the target repository.
  • Target branch — the branch to merge into. Usually main.
  • Source branch — the branch SGCode will create to push your generated changes. Must be a new branch name that doesn't already exist in the repository.
  • Working Dir — the directory in the repository where SGCode will place the newly generated code.

Expand Run Configuration to review or adjust the workflow settings:

  • Workflow Name — defaults to the project name
  • Existing Workflow Groups / Workflow Group Name — select or specify the workflow group
  • Connector — select a connected cloud provider connector

Select Create to create the pull request and start the plan. A workflow is created automatically.

NOTES
  • A pull request is required to run a plan.
  • Pull request management — including merging and closing — happens in your version control system. SGCode does not merge pull requests.

Run locally guide

If you prefer to manage your code outside the platform, select Run Locally Guide in the modal for an alternative path:

  1. Download your code as a ZIP, extract it, and push it to your repository
  2. Set up a Workflow in StackGuardian to remotely test and maintain the code
  3. Inject the OpenTofu/Terraform cloud block config to connect your code to the StackGuardian Workflow
  4. Run terraform login app.stackguardian.io to authenticate your local environment
  5. Run terraform plan locally and connect to the StackGuardian Workflow

Push & Plan

Once a pull request is open, the bottom bar updates to show the PR status and the Push & Plan button.

Select Push & Plan to push any new changes to the open pull request and run the plan again.

While the plan runs, the status bar shows "Running Terraform Plan" with the message "This may take a few moments, open run details to follow progress." Plan logs stream live in the Plan Logs tab.

Plan completed

When the plan finishes, the results appear in the Plan Logs tab. If the plan shows changes (for example, 3 to Change), it means the generated code differs from what's currently deployed in your cloud account.

Select Fix all issues to let SGCode attempt to reconcile the differences automatically. The diff view opens showing the proposed changes. Review and select Accept Changes or Decline Changes, then run the plan again to verify.

Repeat until the plan shows 0 to Add, 0 to Change, 0 to Destroy — or until you're satisfied with the changes.
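
The clean-plan target described above can be checked mechanically before a codify pull request is merged. The following is an added example, not StackGuardian code: it assumes the plan has been exported with `terraform show -json`, the function names `summarize` and `safe_to_merge` are hypothetical, and the sample plan is constructed.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output
# (resource addresses are made up for illustration).
SAMPLE_PLAN = json.loads("""
{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "aws_s3_bucket.logs",
     "change": {"actions": ["no-op"]}},
    {"address": "aws_security_group.web",
     "change": {"actions": ["update"]}},
    {"address": "aws_instance.app",
     "change": {"actions": ["delete", "create"]}}
  ]
}
""")

def summarize(plan):
    """Count add/change/destroy the way the plan summary line does and
    collect every address whose planned action is not a no-op or read."""
    counts = {"add": 0, "change": 0, "destroy": 0}
    findings = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if actions in (["no-op"], ["read"]):
            continue
        if "create" in actions:
            counts["add"] += 1
        if "update" in actions:
            counts["change"] += 1
        if "delete" in actions:  # a replacement counts as add and destroy
            counts["destroy"] += 1
        findings.append((rc["address"], "/".join(actions)))
    return counts, findings

def safe_to_merge(plan, allow_changes=False):
    """A codify PR should adopt existing resources, never create, replace
    or delete them. In-place changes pass only when a reviewer accepts them."""
    counts, _ = summarize(plan)
    if counts["add"] or counts["destroy"]:
        return False
    return allow_changes or counts["change"] == 0

if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_PLAN)
    print(counts)
    for address, action in findings:
        print(f"REVIEW {address}: {action}")
    print("safe to merge:", safe_to_merge(SAMPLE_PLAN))
```

Any address reported with `delete/create` means the generated code would replace a live resource rather than adopt it, which is the case to resolve before merging.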

Push changes

If you make further edits to the code after creating a pull request, select Push Changes in the bottom bar to commit the latest changes to the open pull request.

Only one active pull request per project is supported at a time. To create a new pull request, close or merge the existing one in the version control system first.

IaC coverage

IaC coverage is the percentage of your discovered cloud resources managed as code. SGCode displays this metric at the top of the Cloud Inventory page and updates it as you codify more resources.

When coverage is low, a risk indicator appears — for example, High Risk: Codify Resources — to guide you toward the next action.

When you select resources to codify, the bottom bar shows a projected Coverage Gain so you can see the impact before you start generation.