Blast Radius Analysis

Understand the impact of changing or removing a resource. Oxid traverses the dependency graph to show you exactly what would be affected, how deep the impact goes, and how severe it is.

Usage

oxid blast-radius <address> [flags]
oxid blast-radius --plan [flags]
oxid blast-radius <resource_type> [flags]

The blast-radius command analyzes the dependency graph to answer two critical questions: "What breaks if I change this resource?" and "Why does this resource exist?"

Forward Mode (Default)

Forward mode shows all resources that depend on the target - everything that would be affected if the target resource changes or is destroyed.

$ oxid blast-radius aws_vpc.main

Blast radius for aws_vpc.main

Severity: HIGH (32 resources, 3 levels deep)

Types affected:
  4 aws_subnet
  3 aws_route_table
  4 aws_route_table_association
  6 aws_security_group
  8 aws_instance
  3 aws_nat_gateway
  2 aws_lb
  1 aws_db_subnet_group
  1 aws_elasticache_subnet_group

Depth 1 - direct dependents (14 resources):
  ~ aws_internet_gateway.main
  ~ aws_subnet.public[0]
  ~ aws_subnet.public[1]
  ~ aws_subnet.private[0]
  ~ aws_subnet.private[1]
  ~ aws_security_group.web
  ~ aws_security_group.api
  ~ aws_security_group.db
  ~ aws_security_group.cache
  ~ aws_security_group.lb
  ~ aws_security_group.bastion
  ~ aws_route_table.public
  ~ aws_route_table.private[0]
  ~ aws_route_table.private[1]

Depth 2 - transitive dependents (12 resources):
  ~ aws_route_table_association.public[0]
  ~ aws_route_table_association.public[1]
  ~ aws_route_table_association.private[0]
  ~ aws_route_table_association.private[1]
  ~ aws_nat_gateway.az1
  ~ aws_nat_gateway.az2
  ~ aws_nat_gateway.az3
  ~ aws_instance.bastion
  ~ aws_lb.api
  ~ aws_lb.web
  ~ aws_db_subnet_group.main
  ~ aws_elasticache_subnet_group.main

Depth 3 - deep dependents (6 resources):
  ~ aws_instance.api[0]
  ~ aws_instance.api[1]
  ~ aws_instance.worker[0]
  ~ aws_instance.worker[1]
  ~ aws_instance.worker[2]
  ~ aws_instance.web[0]

Reverse Mode (--why)

Reverse mode answers the opposite question: "Why does this resource exist? What depends on it, and what does it depend on?"

$ oxid blast-radius aws_instance.api[0] --why

Why does aws_instance.api[0] exist?

Depends on (upstream):
  aws_subnet.private[0]
    aws_vpc.main
  aws_security_group.api
    aws_vpc.main
  aws_lb.api
    aws_subnet.public[0]
    aws_subnet.public[1]
  aws_iam_instance_profile.api
    aws_iam_role.api

Depended on by (downstream):
  (none - this is a leaf resource)

Tip: Use --why to understand the full dependency chain of a resource before removing it from your configuration.

Auto-detect from Plan (--plan)

Analyze the blast radius of all resources that would change in the current plan:

$ oxid blast-radius --plan

Analyzing blast radius for 3 planned changes...

aws_security_group.api (update):
  Severity: MEDIUM (8 resources, 2 levels deep)
  Depth 1: 4 aws_instance, 1 aws_lb_target_group
  Depth 2: 2 aws_lb_listener, 1 aws_route53_record

aws_iam_role.api (update):
  Severity: LOW (2 resources, 1 level deep)
  Depth 1: 1 aws_iam_instance_profile, 1 aws_iam_role_policy

aws_s3_bucket.logs (create):
  Severity: NONE (0 dependent resources)

Filter to Deployed Resources (--state)

By default, blast-radius analyzes the full configuration graph. Use --state to filter to only resources that are currently deployed:

oxid blast-radius aws_vpc.main --state

This is useful when your configuration includes resources that have not been applied yet.

Resource Type Matching

Pass a resource type instead of a specific address to analyze all resources of that type:

$ oxid blast-radius aws_subnet

Blast radius for 4 resources of type aws_subnet:

aws_subnet.public[0]:
  Severity: MEDIUM (8 resources, 2 levels deep)

aws_subnet.public[1]:
  Severity: MEDIUM (8 resources, 2 levels deep)

aws_subnet.private[0]:
  Severity: HIGH (12 resources, 2 levels deep)

aws_subnet.private[1]:
  Severity: HIGH (12 resources, 2 levels deep)

Severity Ratings

Oxid assigns a severity based on the number of affected resources and depth of impact:

  • NONE - No dependent resources. Safe to modify or remove.
  • LOW - 1-5 dependent resources, 1 level deep.
  • MEDIUM - 6-15 dependent resources, or 2 levels deep.
  • HIGH - 16+ dependent resources, or 3+ levels deep. Review carefully before changes.
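
The following is an added sketch, not Oxid's own code, of how a forward traversal and the thresholds above combine into a rating. It assumes depth means the shortest number of dependency hops from the target and that each "or" in the list takes the higher rating; the graph is constructed sample data.

```python
from collections import deque

# Constructed sample graph: resource -> resources it depends on (upstream).
# Addresses echo the page's sample output; the edges themselves are illustrative.
DEPENDS_ON = {
    "aws_subnet.private[0]": ["aws_vpc.main"],
    "aws_security_group.api": ["aws_vpc.main"],
    "aws_iam_instance_profile.api": ["aws_iam_role.api"],
    "aws_instance.api[0]": ["aws_subnet.private[0]", "aws_security_group.api",
                            "aws_iam_instance_profile.api"],
    "aws_lb_target_group.api": ["aws_instance.api[0]"],
    "aws_lb_listener.api": ["aws_lb_target_group.api"],
}

def blast_radius(target, depends_on, max_depth=None):
    """Forward mode: return {depth: [dependents]} reachable from target."""
    dependents = {}  # invert edges: upstream resource -> what depends on it
    for resource, upstream in depends_on.items():
        for dep in upstream:
            dependents.setdefault(dep, []).append(resource)
    levels, seen, queue = {}, {target}, deque([(target, 0)])
    while queue:
        node, depth = queue.popleft()
        if max_depth is not None and depth >= max_depth:
            continue  # assumed analogue of a depth limit: stop expanding here
        for child in dependents.get(node, []):
            if child not in seen:  # a shared dependent is counted once
                seen.add(child)
                levels.setdefault(depth + 1, []).append(child)
                queue.append((child, depth + 1))
    return {d: sorted(r) for d, r in levels.items()}

def severity(levels):
    """Rate using the thresholds listed above (assumed reading of each 'or')."""
    count = sum(len(r) for r in levels.values())
    depth = max(levels, default=0)
    if count == 0:
        return "NONE"
    if count >= 16 or depth >= 3:
        return "HIGH"
    if count >= 6 or depth >= 2:
        return "MEDIUM"
    return "LOW"

if __name__ == "__main__":
    for addr in ("aws_vpc.main", "aws_iam_role.api", "aws_lb_listener.api"):
        levels = blast_radius(addr, DEPENDS_ON)
        print(addr, severity(levels), levels)
```

In this example the VPC rates HIGH on depth alone (5 dependents, 4 levels deep), while the same traversal capped at one level rates LOW, so the rating depends on how far the graph is walked.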

Flags

Flag         Description                                                              Default
--why        Reverse mode: show what the resource depends on and what depends on it.  false
--plan       Auto-detect target resources from the current plan.                      false
--state      Filter analysis to only currently deployed resources.                    false
--depth <n>  Maximum depth to traverse in the dependency graph.                       unlimited
--json       Output in JSON format for scripting.                                     false

Use Cases

Pre-change impact analysis

Before modifying a VPC, subnet, or security group, run blast-radius to understand the full impact:

oxid blast-radius aws_vpc.main

CI/CD safety gate

Block applies that affect too many resources:

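# In CI pipeline
# Fail closed: an oxid or jq error leaves SEVERITY empty or "null", which must not pass the gate.
SEVERITY=$(oxid blast-radius --plan --json | jq -r '.max_severity')
if [ -z "$SEVERITY" ] || [ "$SEVERITY" = "null" ]; then
  echo "Could not determine blast radius severity." >&2
  exit 1
fi
if [ "$SEVERITY" = "HIGH" ]; then
  echo "High blast radius detected. Requiring manual approval."
  exit 1
fi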

Understanding unfamiliar infrastructure

When working with infrastructure you did not build, use --why to trace the dependency chain:

oxid blast-radius aws_lambda_function.processor --why