CLI Reference
Complete guide to RepliMap commands
Global Options
These options work with all commands:
| Option | Short | Description |
|---|---|---|
--profile | -p | AWS profile name from ~/.aws/credentials |
--region | -r | AWS region (e.g., us-east-1) |
--format | -f | Output format: text, json, table |
--verbose | -v | Increase verbosity (-v, -vv) |
--quiet | -q | Suppress output (errors only) |
--version | -V | Show version info |
--privacy | Show privacy and data-handling info | |
--help | -h | Show help for command |
scan
Scans AWS resources and builds the dependency graph.
replimap scan --profile prod --region us-east-1Options
| Option | Description |
|---|---|
--scope | Limit to VPC: vpc:vpc-12345678 or vpc-name:Production* |
--entry | Start from entry point: alb:my-alb or tag:App=MyApp |
--tag | Filter by tag: Environment=Production |
--cache | Use cached results for incremental scans |
--types | Filter by resource types, comma-separated |
--exclude-tag | Exclude by tag (repeatable) |
--trust-center | Enable Trust Center API auditing (Team+) |
Examples
# Scan a specific VPC
replimap scan -p prod --scope vpc:vpc-12345678
# Scan by tag
replimap scan -p prod --entry tag:Application=MyApp
# Scan from an ALB entry point
replimap scan -p prod --entry alb:my-app-alb
# Use cache for faster incremental scans
replimap scan -p prod --cachecodify
Generates Terraform plus an import scaffold from the scanned graph, and reports IaC coverage against your existing state files.
replimap codify --profile prod --output-dir ./terraformOptions
| Option | Description |
|---|---|
--dry-run | Preview what will be generated without writing files |
--output-dir | Output directory for generated code |
--coverage-state | A tfstate to match against — local path or s3://bucket/key (repeatable) |
--coverage-state-dir | Directory of *.tfstate files to match against |
--use-import-script | Emit imports.sh (CLI import commands) instead of imports.tf blocks |
--include-global | Include global resources (IAM, S3) alongside regional ones |
Examples
# Preview
replimap codify -p prod --dry-run
# Generate Terraform + import scaffold
replimap codify -p prod --output-dir ./terraform
# Also report which live resources are in NO state file
replimap codify -p prod \
--coverage-state s3://tf-states/prod/terraform.tfstate \
--coverage-state-dir ./statesGenerated Files
Resources are grouped one file per service:
terraform/
├── vpc.tf / networking.tf / security_groups.tf
├── ec2.tf / compute.tf / alb.tf
├── rds.tf / elasticache.tf / s3.tf / storage.tf / messaging.tf
├── providers.tf / versions.tf
└── imports.tf # import scaffold (Pro) — correct import ID format per typegraph
Generates infrastructure visualizations.
replimap graph --profile prod --format html --output infra.htmlOptions
| Option | Description |
|---|---|
--format | html (interactive D3), mermaid, json |
--output | Output file path |
--vpc | Scope to specific VPC |
--all | Show all resources (no filtering) |
--routes | Include routes and route tables |
--no-collapse | Disable resource grouping |
--open / --no-open | Open in browser after generation |
Interactive Graph Features
The HTML graph is a single self-contained file — D3 is inlined, nothing loads from the internet, so it renders fully air-gapped and can be handed to a client as-is. It includes:
| Feature | Description |
|---|---|
| VPC/Subnet Containers | Hierarchical layout — public/private subnets nested in their VPC |
| Blast Radius | Click a resource to highlight everything it touches |
| Search & Filters | Find resources by name/type; collapsible filter panel |
| Legend & Tooltips | Per-type legend, hover details, zoom/pan |
audit
Runs security and compliance checks.
replimap audit --profile prod --format html --output audit.htmlOptions
| Option | Description |
|---|---|
--format | html (default), json |
--output | Report path (default: ~/.replimap/reports/<timestamp>/) |
--framework | soc2 (default), apra_cps234, rbnz_bs11, nzism, all |
--state | Terraform state file — switches to SOC 2 evidence mode |
--fail-on-high | Exit code 1 if HIGH/CRITICAL issues found (CI) |
--fail-on-score | Exit code 1 if score below threshold (CI) |
--fix | Generate Terraform remediation code for findings |
--vpc | Scope to a specific VPC |
The full terminal summary (score, grade, top issues) is free; exporting the HTML report and the SOC 2 evidence package is Pro+.
Compliance Frameworks
- SOC 2
- APRA CPS 234
- RBNZ BS11
- NZISM
drift
Experimental. Attribute-level drift comparison is free and marked
experimental — on real accounts, terraform plan is still the better
answer for "did what I manage change?". What RepliMap ships and stands
behind is the opposite question: IaC coverage — what exists
that no state file manages.
Detects drift between Terraform state and AWS.
replimap drift --profile prod --state ./terraform.tfstateOptions
| Option | Description |
|---|---|
--state | Path to local tfstate file |
--state-bucket | S3 bucket for remote state (with --state-key) |
--state-key | S3 key for remote state |
--format | console, html, json |
--managed-only | Only report drift for resources managed in the state |
--fail-on-drift | Exit code 1 if any drift detected (CI) |
--fail-on-high | Exit code 1 only for high-severity drift (CI) |
Offline Drift Detection
# Offline drift using cached scan
replimap drift-offline offline -p prod -s ./terraform.tfstate
# Output SARIF for GitHub Security
replimap drift-offline offline -p prod -s ./terraform.tfstate --sarif
# Compare scans over time
replimap drift-offline compare-scans -p prod \
--current ./scan-today.json \
--previous ./scan-yesterday.jsondeps
Explores resource dependencies and blast radius.
replimap deps sg-12345 --region us-east-1Options
| Option | Description |
|---|---|
--format | console, tree, table, html, json |
--depth | Limit analysis depth |
--analyze | Deep analysis with specialized analyzers |
--vpc | Scope to specific VPC |
Impact Levels
| Level | Score | Description |
|---|---|---|
| CRITICAL | 80-100 | Core infrastructure (VPC, main DB) |
| HIGH | 60-79 | Production services |
| MEDIUM | 40-59 | Supporting resources |
| LOW | 20-39 | Peripheral resources |
Impact estimates are based on AWS API metadata only. Application-level dependencies (hardcoded IPs, config files) are NOT detected.
iam
Generates least-privilege IAM policies.
replimap iam for-resource -p prod -r i-0abc123 -s runtime_readOptions
| Option | Description |
|---|---|
-r, --resource | Resource ID or name (required) |
-s, --scope | Policy scope (see below) |
-E, --enrich | Graph enrichment — discover implicit dependencies |
-f, --format | json (default) or terraform |
--create-role | Generate IAM role in Terraform output |
--depth | Maximum traversal depth (default 3) |
Policy Scopes
| Scope | Description |
|---|---|
runtime_read | Read-only for runtime operations (default) |
runtime_write | Write access for runtime |
runtime_full | Full read/write for runtime |
infra_deploy | Full access for deployment |
cost
Estimates monthly AWS costs.
replimap cost --region us-east-1Options
| Option | Description |
|---|---|
--vpc | Scope to specific VPC |
--format | console (default), table, html, csv, json, markdown |
--output | Output file path |
--acknowledge | Acknowledge that output is an estimate (skip prompt) |
--ri-aware | Consider Reserved Instances and Savings Plans |
Cost estimates are for planning only. Actual costs may differ due to data transfer, API calls, reserved instances, and other factors.
license
Manage your RepliMap license.
# View license status
replimap license status
# View usage statistics
replimap license usage
# Activate a license key
replimap license activate RM-XXXX-XXXX-XXXX-XXXX
# Deactivate license
replimap license deactivatetrust-center
Audit-grade logging of every AWS API call RepliMap makes (Team+). Prove to a client or auditor that the scan was 100% read-only.
# Record API calls during a scan
replimap scan -p prod --trust-center
# Check status
replimap trust-center status
# Generate compliance report (json, csv, or text)
replimap trust-center report
replimap trust-center report --report-format json -o audit.json
replimap trust-center report --report-format csv -o api-calls.csv
# Clear audit sessions
replimap trust-center clear