Understanding Blast Radius
Blast Radius is Overmind's core feature for understanding the potential impact of infrastructure changes. It automatically discovers dependencies between resources and shows you what might be affected before you deploy.
What is Blast Radius?
When you make a change to your infrastructure, the effects can ripple through connected resources. Blast radius analysis:
- Maps dependencies between resources in real-time
- Identifies affected resources across services and accounts
- Visualizes impact through interactive graphs
- Supports 100+ AWS resource types and 300+ relationship types
- Works with any resource — Terraform-managed, console-created, or otherwise
Example
If you modify a security group, blast radius might reveal:
```
Security Group (changed)
└── EC2 Instances (3)
    └── Target Group
        └── Load Balancer
            └── Route53 Record
                └── CloudFront Distribution
```
This shows you that a "simple" security group change could affect 6+ resources downstream.
Scan Types
Blast radius offers three scan types, each balancing speed against thoroughness:
Quick (10m)
Best for: Rapid feedback, initial assessments, routine changes
- Shallow dependency scan (fewer levels)
- Fastest results
- May miss some indirect dependencies
- Good for well-understood, low-risk changes
When to use:
- Daily deployments with familiar infrastructure
- Minor configuration changes
- Time-sensitive situations
Detailed (15m)
Best for: Most production changes (recommended default)
- Balanced depth and speed
- Catches most relevant dependencies
- Good trade-off for typical deployments
When to use:
- Standard production deployments
- Changes to shared resources
- When you need confidence without exhaustive analysis
Full (30m)
Best for: Critical changes, unfamiliar infrastructure, compliance requirements
- Deepest dependency discovery
- Finds all possible connections
- May surface less relevant dependencies
When to use:
- Major infrastructure changes
- Changes to core networking or security
- First-time analysis of unfamiliar systems
- Compliance or audit requirements
Configuring Blast Radius
Via Account Settings (Recommended)
Configure your team's default scan type in Overmind:
- Open Account Settings
- Navigate to Configuration > Blast Radius
- Select your preferred sensitivity level (Quick, Detailed, or Full)
These settings apply to all overmind terraform plan runs for your account.
Via CLI (submit-plan only)
For per-command control, use overmind changes submit-plan with explicit flags:
```
# Quick analysis
overmind changes submit-plan tfplan.json \
  --blast-radius-link-depth 2 \
  --blast-radius-max-items 200

# Thorough analysis
overmind changes submit-plan tfplan.json \
  --blast-radius-link-depth 5 \
  --blast-radius-max-items 1000
```
See CLI Configuration for all available options.
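How a link depth and an item cap bound what a scan can see, as a simplified model added here (not Overmind's code or algorithm): a breadth-first walk over a constructed graph that mirrors the security group example above. The graph, the resource names and the function names are assumptions made for the illustration.

```python
from collections import deque

# Constructed dependency graph mirroring the security group example on this
# page; each key links to the resources that depend on it.
LINKS = {
    "security-group": ["ec2-a", "ec2-b", "ec2-c"],
    "ec2-a": ["target-group"],
    "ec2-b": ["target-group"],
    "ec2-c": ["target-group"],
    "target-group": ["load-balancer"],
    "load-balancer": ["route53-record"],
    "route53-record": ["cloudfront-distribution"],
}


def blast_radius(changed, link_depth, max_items):
    """Breadth-first walk from the changed resource, bounded by depth and size.

    Returns (items, edges, truncated). truncated is True when a limit stopped
    the walk while an unexplored link remained.
    """
    items = {changed: 0}  # resource -> hops from the change
    edges = set()
    truncated = False
    queue = deque([changed])
    while queue:
        node = queue.popleft()
        for nxt in LINKS.get(node, []):
            if nxt in items:
                edges.add((node, nxt))  # new edge to a known item
                continue
            if items[node] >= link_depth or len(items) >= max_items:
                truncated = True  # a link exists but a limit hides it
                continue
            items[nxt] = items[node] + 1
            edges.add((node, nxt))
            queue.append(nxt)
    return items, edges, truncated


def missed(changed, link_depth, max_items):
    """Resources a bounded scan leaves out compared with an unbounded one."""
    full, _, _ = blast_radius(changed, 10**6, 10**6)
    seen, _, _ = blast_radius(changed, link_depth, max_items)
    return sorted(set(full) - set(seen))
```

In this model a depth of 2 stops at the target group, so the load balancer, DNS record and CDN distribution never enter the result; a `truncated` result is the signal to rerun with wider limits before approving the change.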
Choosing the Right Scan Type
| Scenario | Recommended Scan | Why |
|---|---|---|
| Daily deployments | Quick | Fast feedback for routine changes |
| Production release | Detailed | Balance of speed and coverage |
| Security group changes | Detailed or Full | Security changes often have wide impact |
| Database migrations | Full | Critical changes need complete visibility |
| First analysis of legacy system | Full | Discover unknown dependencies |
| Hotfix during incident | Quick | Speed is critical |
| Compliance audit | Full | Need comprehensive documentation |
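One way to apply this table in a pipeline, as an added example that is not part of Overmind's tooling: inspect the plan and pick the thorough flags whenever a security-relevant resource actually changes. It assumes `tfplan.json` is in the `terraform show -json` format; the list of sensitive types and the function names are assumptions, and the flag values are the two sets shown in the CLI section.

```python
import json

# Terraform resource types treated as high-impact in this example. The list
# is an assumption, not an Overmind default; extend it for your estate.
SENSITIVE_TYPES = {
    "aws_security_group", "aws_security_group_rule", "aws_network_acl",
    "aws_route_table", "aws_iam_policy", "aws_iam_role", "aws_db_instance",
}

# Flag values copied from the two submit-plan invocations on this page.
QUICK = ["--blast-radius-link-depth", "2", "--blast-radius-max-items", "200"]
THOROUGH = ["--blast-radius-link-depth", "5", "--blast-radius-max-items", "1000"]


def sensitive_changes(plan):
    """Addresses of sensitive resources the plan actually modifies."""
    hits = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if set(actions) <= {"no-op", "read"}:
            continue  # unchanged resource or data-source read
        if rc.get("type") in SENSITIVE_TYPES:
            hits.append(rc["address"])
    return hits


def submit_plan_command(plan_path, plan):
    """Argument list for submit-plan, never shallow for sensitive changes."""
    flags = THOROUGH if sensitive_changes(plan) else QUICK
    return ["overmind", "changes", "submit-plan", plan_path, *flags]


# Constructed sample in the shape of `terraform show -json` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_instance.app", "type": "aws_instance",
   "change": {"actions": ["update"]}},
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "change": {"actions": ["update"]}},
  {"address": "aws_iam_role.ci", "type": "aws_iam_role",
   "change": {"actions": ["no-op"]}}
]}
""")
```

The returned list can be passed directly to `subprocess.run`, which avoids building the command through a shell string.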
Reading Blast Radius Results
Metrics
After analysis, you'll see:
- Items: Total resources in the blast radius
- Edges: Connections between resources
Example: Blast Radius: Items: 128 Edges: 350
The Graph
The interactive graph shows:
- Changed resources (highlighted)
- Directly affected resources (first-level connections)
- Indirectly affected resources (downstream connections)
- Relationship types (depends on, targets, etc.)
Tips for Interpretation
- High item count isn't always bad — Core infrastructure naturally has many connections
- Focus on critical paths — Look for connections to databases, load balancers, and external services
- Check cross-account connections — Changes may affect resources in other AWS accounts
- Review unexpected connections — These often reveal undocumented dependencies
Incomplete Blast Radius
Sometimes blast radius analysis can't complete fully. Common causes:
- Permission issues — Source doesn't have access to some resources
- Timeout — Analysis exceeded time limits
- Missing sources — Not all accounts are configured
Solutions:
- Check that your sources have proper read permissions
- Verify all relevant accounts are configured
- Consider using a longer timeout for complex infrastructure
- Review source logs in the Overmind UI
Best Practices
- Start with Detailed — Use as your default, adjust based on experience
- Use Full for unknowns — When exploring unfamiliar infrastructure
- Quick for iteration — When making incremental changes you understand
- Document patterns — Note which resources typically have large blast radii
- Set team defaults — Configure account-level settings for consistency