RepliMap Docs

CLI Reference

Complete guide to RepliMap commands

Global Options

These options work with all commands:

OptionShortDescription
--profile-pAWS profile name from ~/.aws/credentials
--region-rAWS region (e.g., us-east-1)
--format-fOutput format: text, json, table
--verbose-vIncrease verbosity (-v, -vv)
--quiet-qSuppress output (errors only)
--version-VShow version info
--privacyShow privacy and data-handling info
--help-hShow help for command

scan

Scans AWS resources and builds the dependency graph.

replimap scan --profile prod --region us-east-1

Options

OptionDescription
--scopeLimit to VPC: vpc:vpc-12345678 or vpc-name:Production*
--entryStart from entry point: alb:my-alb or tag:App=MyApp
--tagFilter by tag: Environment=Production
--cacheUse cached results for incremental scans
--typesFilter by resource types, comma-separated
--exclude-tagExclude by tag (repeatable)
--trust-centerEnable Trust Center API auditing (Team+)

Examples

# Scan a specific VPC
replimap scan -p prod --scope vpc:vpc-12345678

# Scan by tag
replimap scan -p prod --entry tag:Application=MyApp

# Scan from an ALB entry point
replimap scan -p prod --entry alb:my-app-alb

# Use cache for faster incremental scans
replimap scan -p prod --cache

codify

Generates Terraform plus an import scaffold from the scanned graph, and reports IaC coverage against your existing state files.

replimap codify --profile prod --output-dir ./terraform

Options

OptionDescription
--dry-runPreview what will be generated without writing files
--output-dirOutput directory for generated code
--coverage-stateA tfstate to match against — local path or s3://bucket/key (repeatable)
--coverage-state-dirDirectory of *.tfstate files to match against
--use-import-scriptEmit imports.sh (CLI import commands) instead of imports.tf blocks
--include-globalInclude global resources (IAM, S3) alongside regional ones

Examples

# Preview
replimap codify -p prod --dry-run

# Generate Terraform + import scaffold
replimap codify -p prod --output-dir ./terraform

# Also report which live resources are in NO state file
replimap codify -p prod \
  --coverage-state s3://tf-states/prod/terraform.tfstate \
  --coverage-state-dir ./states

Generated Files

Resources are grouped one file per service:

terraform/
├── vpc.tf / networking.tf / security_groups.tf
├── ec2.tf / compute.tf / alb.tf
├── rds.tf / elasticache.tf / s3.tf / storage.tf / messaging.tf
├── providers.tf / versions.tf
└── imports.tf        # import scaffold (Pro) — correct import ID format per type

graph

Generates infrastructure visualizations.

replimap graph --profile prod --format html --output infra.html

Options

OptionDescription
--formathtml (interactive D3), mermaid, json
--outputOutput file path
--vpcScope to specific VPC
--allShow all resources (no filtering)
--routesInclude routes and route tables
--no-collapseDisable resource grouping
--open / --no-openOpen in browser after generation

Interactive Graph Features

The HTML graph is a single self-contained file — D3 is inlined, nothing loads from the internet, so it renders fully air-gapped and can be handed to a client as-is. It includes:

FeatureDescription
VPC/Subnet ContainersHierarchical layout — public/private subnets nested in their VPC
Blast RadiusClick a resource to highlight everything it touches
Search & FiltersFind resources by name/type; collapsible filter panel
Legend & TooltipsPer-type legend, hover details, zoom/pan

audit

Runs security and compliance checks.

replimap audit --profile prod --format html --output audit.html

Options

OptionDescription
--formathtml (default), json
--outputReport path (default: ~/.replimap/reports/<timestamp>/)
--frameworksoc2 (default), apra_cps234, rbnz_bs11, nzism, all
--stateTerraform state file — switches to SOC 2 evidence mode
--fail-on-highExit code 1 if HIGH/CRITICAL issues found (CI)
--fail-on-scoreExit code 1 if score below threshold (CI)
--fixGenerate Terraform remediation code for findings
--vpcScope to a specific VPC

The full terminal summary (score, grade, top issues) is free; exporting the HTML report and the SOC 2 evidence package is Pro+.

Compliance Frameworks

  • SOC 2
  • APRA CPS 234
  • RBNZ BS11
  • NZISM

drift

Experimental. Attribute-level drift comparison is free and marked experimental — on real accounts, terraform plan is still the better answer for "did what I manage change?". What RepliMap ships and stands behind is the opposite question: IaC coverage — what exists that no state file manages.

Detects drift between Terraform state and AWS.

replimap drift --profile prod --state ./terraform.tfstate

Options

OptionDescription
--statePath to local tfstate file
--state-bucketS3 bucket for remote state (with --state-key)
--state-keyS3 key for remote state
--formatconsole, html, json
--managed-onlyOnly report drift for resources managed in the state
--fail-on-driftExit code 1 if any drift detected (CI)
--fail-on-highExit code 1 only for high-severity drift (CI)

Offline Drift Detection

# Offline drift using cached scan
replimap drift-offline offline -p prod -s ./terraform.tfstate

# Output SARIF for GitHub Security
replimap drift-offline offline -p prod -s ./terraform.tfstate --sarif

# Compare scans over time
replimap drift-offline compare-scans -p prod \
  --current ./scan-today.json \
  --previous ./scan-yesterday.json

deps

Explores resource dependencies and blast radius.

replimap deps sg-12345 --region us-east-1

Options

OptionDescription
--formatconsole, tree, table, html, json
--depthLimit analysis depth
--analyzeDeep analysis with specialized analyzers
--vpcScope to specific VPC

Impact Levels

LevelScoreDescription
CRITICAL80-100Core infrastructure (VPC, main DB)
HIGH60-79Production services
MEDIUM40-59Supporting resources
LOW20-39Peripheral resources

Impact estimates are based on AWS API metadata only. Application-level dependencies (hardcoded IPs, config files) are NOT detected.


iam

Generates least-privilege IAM policies.

replimap iam for-resource -p prod -r i-0abc123 -s runtime_read

Options

OptionDescription
-r, --resourceResource ID or name (required)
-s, --scopePolicy scope (see below)
-E, --enrichGraph enrichment — discover implicit dependencies
-f, --formatjson (default) or terraform
--create-roleGenerate IAM role in Terraform output
--depthMaximum traversal depth (default 3)

Policy Scopes

ScopeDescription
runtime_readRead-only for runtime operations (default)
runtime_writeWrite access for runtime
runtime_fullFull read/write for runtime
infra_deployFull access for deployment

cost

Estimates monthly AWS costs.

replimap cost --region us-east-1

Options

OptionDescription
--vpcScope to specific VPC
--formatconsole (default), table, html, csv, json, markdown
--outputOutput file path
--acknowledgeAcknowledge that output is an estimate (skip prompt)
--ri-awareConsider Reserved Instances and Savings Plans

Cost estimates are for planning only. Actual costs may differ due to data transfer, API calls, reserved instances, and other factors.


license

Manage your RepliMap license.

# View license status
replimap license status

# View usage statistics  
replimap license usage

# Activate a license key
replimap license activate RM-XXXX-XXXX-XXXX-XXXX

# Deactivate license
replimap license deactivate

trust-center

Audit-grade logging of every AWS API call RepliMap makes (Team+). Prove to a client or auditor that the scan was 100% read-only.

# Record API calls during a scan
replimap scan -p prod --trust-center

# Check status
replimap trust-center status

# Generate compliance report (json, csv, or text)
replimap trust-center report
replimap trust-center report --report-format json -o audit.json
replimap trust-center report --report-format csv -o api-calls.csv

# Clear audit sessions
replimap trust-center clear

On this page