# IaC describe ## Usage **Note:** This feature is available in Snyk CLI version v1.876.0 or greater. `snyk iac describe []` ## Description The `snyk iac describe` command detects unmanaged infrastructure resources. It compares resources in your Terraform state file against actual resources in your cloud provider and outputs a report. * Resources in your Terraform state files are **managed resources**. * Resources that exist but are not in your Terraform state file are **unmanaged resources**. For detailed information and examples, see [IaC describe command examples](https://docs.snyk.io/scan-with-snyk/snyk-iac/detect-drift-and-manually-created-resources/iac-describe-command-examples) For a list of related commands see the snyk [iac help](/developer-tools/snyk-cli/commands/iac.md); `iac --help` ## Exit codes Possible exit codes and their meaning: **0**: success, no unmanaged resources found\ **1**: unmanaged resources found\ **2**: failure ## Configure the Snyk CLI You can use environment variables and set variables for connecting with the Snyk API; see [Configure the Snyk CLI](https://docs.snyk.io/snyk-cli/configure-the-snyk-cli) ## Configure the Terraform provider You can set environment variables to configure the Terraform provider used by the `describe` command; see [Configure cloud providers](https://docs.snyk.io/scan-using-snyk/scan-infrastructure/iac+-code-to-cloud-capabilities/detect-drift-and-manually-created-resources/configure-cloud-providers) ## Debug Use the `-d` option to output the debug logs. ## Optional arguments ### `--org=` Specify the `` to run Snyk commands tied to a specific Snyk Organization. Overrides the default `` that is the current preferred Organization in your [Account settings](https://app.snyk.io/account) Note that you can also use `--org=`. The `ORG_ID` works in both the CLI and the API. The Organization slug name works in the CLI, but not in the API. For more information, see the article [How to select the Organization to use in the CLI](https://docs.snyk.io/snyk-cli/scan-and-maintain-projects-using-the-cli/how-to-select-the-organization-to-use-in-the-cli) ### `--from=[,...]` Specify multiple Terraform state files to be read. Glob patterns are supported. For more information, including a list of supported IaC sources and how to use them, see [IAC Sources usage](https://docs.snyk.io/scan-with-snyk/snyk-iac/detect-drift-and-manually-created-resources/iac-sources-usage) ### `--to=` Specify the cloud provider to scan (default: AWS with Terraform). Supported providers: * `github+tf` (GitHub with Terraform) * `aws+tf` (Amazon Web Services with Terraform) * `gcp+tf` (Google Cloud Platform with Terraform) * `azure+tf` (Azure with Terraform) ### `--tf-provider-version` Specify a Terraform provider version to use. If none is specified, default versions are used as follows: * aws\@3.19.0 * github\@4.4.0 * google\@3.78.0 * azurerm\@2.71.0 ### `--tf-lockfile` Read the Terraform lock file (`.terraform.lock.hcl`) from a custom path (default: current directory). If parsing the lockfile fails, errors are logged and scan continues. **Note**: When you are using both the `--tf-lockfile` and `--tf-provider-version` options together, `--tf-provider-version` takes precedence. ### `--fetch-tfstate-headers` Use a specific HTTP header or headers for the HTTP backend when fetching Terraform state. ### `--tfc-token` Specify an API token to authenticate to the Terraform Cloud or Enterprise API. ### `--tfc-endpoint` Read the current state for a given workspace from Terraform Enterprise by passing the `tfc-endpoint` value that is specific to your org's Terraform Enterprise installation. ### `--config-dir` Change the directory path used for `iac describe` configuration (default `$HOME`). This can be useful, for example, if you want to invoke this command in an AWS Lambda function where you can only use the `/tmp` folder. ## Options for including and excluding resources ### `--service=[,...]` Specify the services to inspect for unmanaged resources. This option cannot be used with a `.snyk` unmanaged resource ignore rule; the content in `.snyk` will be ignored. Supported services: `aws_s3`, `aws_ec2`, `aws_lambda`, `aws_rds`, `aws_route53`, `aws_iam` , `aws_vpc`, `aws_api_gateway`, `aws_apigatewayv2`, `aws_sqs`, `aws_sns`, `aws_ecr`, `aws_cloudfront`, `aws_kms`, `aws_dynamodb`, `azure_base`, `azure_compute`, `azure_storage`, `azure_network`, `azure_container`, `azure_database`, `azure_loadbalancer`, `azure_private_dns`, `google_cloud_platform`, `google_cloud_storage`, `google_compute_engine`, `google_cloud_dns`, `google_cloud_bigtable`, `google_cloud_bigquery`, `google_cloud_functions`, `google_cloud_sql`, `google_cloud_run` ### `--filter` Use filter rules. Filter rules allow you to build a JMESPath expression to include or exclude a set of resources from the report. For more information, see [Filter results](https://docs.snyk.io/scan-using-snyk/scan-infrastructure/iac+-code-to-cloud-capabilities/detect-drift-and-manually-created-resources/filter-rules) ### `--strict` Enable strict mode. The `iac describe` command ignores service-linked resources by default (like service-linked AWS IAM roles, their policies, and policy attachments). To include those resources in the report you can enable **strict mode**. Note that this can create noise when used with an AWS account. ## Options for policies ### `--ignore-policy` Ignore all set policies, the current policy in the `.snyk` file, org level ignores, and the project policy in the Snyk Web UI. ### `--policy-path=` Manually pass a path to a `.snyk` policy file. ## Options for output ### `--quiet` Output only the scan result to stdout. ### `--json` Output the report as a JSON data structure to stdout. ### `--html` Output the report as html to stdout. ### `--html-file-output=` Output the report as html into a file. ## Examples for snyk iac describe command For more examples, see [IaC describe command examples](https://docs.snyk.io/scan-with-snyk/snyk-iac/detect-drift-and-manually-created-resources/iac-describe-command-examples) ### Detect unmanaged resources on AWS with a single local Terraform state ``` $ snyk iac describe --from="tfstate://terraform.tfstate" ``` ### Specify AWS credentials ``` $ AWS_ACCESS_KEY_ID=XXX AWS_SECRET_ACCESS_KEY=XXX snyk iac describe ``` ### Use an AWS named profile ``` $ AWS_PROFILE=profile_name snyk iac describe ``` ### Use a single Terraform state stored on an S3 backend ``` $ snyk iac describe --from="tfstate+s3://my-bucket/path/to/state.tfstate" ``` ### Aggregate multiple Terraform states ``` $ snyk iac describe --from="tfstate://terraform_S3.tfstate,tfstate://terraform_VPC.tfstate" ``` ### Aggregate many Terraform states using glob pattern ``` $ snyk iac describe --from="tfstate://path/to/**/*.tfstate" ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.snyk.io/developer-tools/snyk-cli/commands/iac-describe.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.