Hi HN. I built tfstate-audit (solo) to solve a recurring problem at work: during audits/key rotations we needed to answer "where did this credential/resource come from, and when did it first appear?" In practice, that info is often buried in Terraform state history, and digging through object versions manually is painful.
(Some teammates didn't even realize how much valuable information gets stored in Terraform state. It's basically a time machine for your infrastructure, if you can query it.)
tfstate-audit is local-first: it builds a local SQLite index and runs entirely on your machine. It's read-only (only lists/downloads historical versions) with redaction on by default, and no telemetry.
It lets you search across attributes/outputs/metadata, view a git-log-like timeline, diff two versions, and generate "advise" output + an optional Markdown evidence pack. It supports S3, GCS, Azure Blob Storage, HCP Terraform, and file://.
Quick start:
go install github.com/BetaFold3/tfstate-audit/cmd/tfstate-audit@latest
tfstate-audit index --source s3://bucket/path/to/state.tfstate --since 2025-01-01T00:00:00Z --limit-per-source 50
tfstate-audit search --query 'attr.value~=^AKIA OR attr.value~=^ASIA' --group-by source
Would love feedback: What's your current workflow for answering "when did this resource/secret first appear in state"? Curious if others hit this during audits or incident response.
rngacc•1h ago
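As an added illustration (not code from tfstate-audit or its author), here is a small Go program that does, in miniature, what the two quick-start commands above ask the tool to do: index several historical state versions so that every attribute value carries the timestamp and serial of the version it first (and last) appeared in, then search the index with a regular expression and report hits with the values redacted. It assumes the versions have already been listed and downloaded read-only; the `Version`, `Attr`, `BuildIndex`, `Search` and `Redact` names, the three constructed state snapshots and the `AKIAEXAMPLE…` values are mine, and `^(AKIA|ASIA)` is the plain-regexp counterpart of the `attr.value~=^AKIA OR attr.value~=^ASIA` query in the post.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Subset of the Terraform state v4 layout; encoding/json matches the lower-case JSON keys to these
// field names case-insensitively. Assumption: single-instance resources (no count/for_each index key).
type stateFile struct {
	Serial    int
	Resources []struct {
		Type, Name string
		Instances  []struct{ Attributes map[string]any }
	}
}
// Version is one historical copy of the state file (say an S3 object version), assumed already
// listed and downloaded read-only by the caller; Timestamp is RFC 3339.
type Version struct{ Timestamp, Body string }
// Attr is one flattened address=value pair, the version window it existed in, and the state
// serial of the version where it first appeared.
type Attr struct{ Address, Value, FirstSeen, LastSeen string; Serial int }

// flatten turns nested attribute values into dotted leaf paths such as tags.env or cidrs[0].
func flatten(prefix string, v any, out map[string]string) {
	switch t := v.(type) {
	case map[string]any:
		for k, c := range t { flatten(prefix+"."+k, c, out) }
	case []any:
		for i, c := range t { flatten(fmt.Sprintf("%s[%d]", prefix, i), c, out) }
	case nil: // nulls carry nothing worth indexing
	default:
		out[prefix] = fmt.Sprint(t)
	}
}

// BuildIndex walks the versions oldest-first and records, for each address=value pair, the first
// and last version containing it: exactly the "when did X first appear?" question.
func BuildIndex(versions []Version) ([]Attr, error) {
	sort.Slice(versions, func(i, j int) bool { return versions[i].Timestamp < versions[j].Timestamp })
	seen := map[string]Attr{}
	for _, ver := range versions {
		var st stateFile
		if err := json.Unmarshal([]byte(ver.Body), &st); err != nil { return nil, fmt.Errorf("version %s: %w", ver.Timestamp, err) }
		for _, r := range st.Resources {
			for _, inst := range r.Instances {
				leaves := map[string]string{}
				flatten(r.Type+"."+r.Name, inst.Attributes, leaves)
				for addr, val := range leaves {
					a, ok := seen[addr+"="+val]
					if !ok { a = Attr{Address: addr, Value: val, FirstSeen: ver.Timestamp, Serial: st.Serial} }
					a.LastSeen = ver.Timestamp // keyed on address=value, so a rotation ends one window and opens another
					seen[addr+"="+val] = a
				}
			}
		}
	}
	idx := make([]Attr, 0, len(seen))
	for _, a := range seen { idx = append(idx, a) }
	// RFC 3339 timestamps are fixed width, so this orders by FirstSeen, then by Address.
	sort.Slice(idx, func(i, j int) bool { return idx[i].FirstSeen+idx[i].Address < idx[j].FirstSeen+idx[j].Address })
	return idx, nil
}

// Redact keeps a 4-character prefix (enough to recognise the key family) and masks the rest.
func Redact(s string) string {
	if len(s) <= 4 { return strings.Repeat("*", len(s)) }
	return s[:4] + strings.Repeat("*", len(s)-4)
}

// Search matches a regular expression against every indexed value and returns the hits with their
// values already redacted, the safe default for anything bound for an evidence pack.
func Search(idx []Attr, pattern string) ([]Attr, error) {
	re, err := regexp.Compile(pattern)
	if err != nil { return nil, err }
	var hits []Attr
	for _, a := range idx {
		if re.MatchString(a.Value) { a.Value = Redact(a.Value); hits = append(hits, a) }
	}
	return hits, nil
}

// SampleVersions are three constructed snapshots (not real data), listed out of order on purpose:
// a bucket exists first, an access key is added, then the key is rotated.
func SampleVersions() []Version {
	bucket := `{"type":"aws_s3_bucket","name":"logs","instances":[{"attributes":{"bucket":"example-logs"}}]}`
	key := `{"type":"aws_iam_access_key","name":"ci","instances":[{"attributes":{"user":"ci","id":"%s"}}]}`
	return []Version{
		{"2025-03-01T00:00:00Z", `{"serial":3,"resources":[` + bucket + "," + fmt.Sprintf(key, "AKIAEXAMPLE0000002") + `]}`},
		{"2025-01-05T00:00:00Z", `{"serial":1,"resources":[` + bucket + `]}`},
		{"2025-02-10T00:00:00Z", `{"serial":2,"resources":[` + bucket + "," + fmt.Sprintf(key, "AKIAEXAMPLE0000001") + `]}`},
	}
}

func main() {
	idx, _ := BuildIndex(SampleVersions())
	hits, _ := Search(idx, `^(AKIA|ASIA)`) // regexp form of the post's attr.value~=^AKIA OR attr.value~=^ASIA
	for _, h := range hits { fmt.Printf("%-26s %s first=%s last=%s serial=%d\n", h.Address, h.Value, h.FirstSeen, h.LastSeen, h.Serial) }
}
```

Run it with `go run`; the two hits come out oldest first, showing the key that entered state at serial 2 and the replacement that appeared at serial 3, while the bucket's window spans all three versions. Keying the index on address=value rather than on address alone is what makes a rotation visible as one value's LastSeen ending and another's FirstSeen beginning, which is the evidence an audit or incident timeline needs.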