
blockaytech/abdmaker


# ABDMaker

FedRAMP Authorization Boundary Diagram Generator for Lucidchart.

## Overview

ABDMaker automates the creation of FedRAMP-compliant Authorization Boundary Diagrams (ABD) by collecting infrastructure data from cloud providers and generating diagrams that meet FedRAMP PMO requirements per the Agency Authorization Boundary Diagram Job Aid.

## Features

  • 13 FedRAMP ABD Views: Generates all required views per FedRAMP Authorization Boundary Guidance V3.0
  • V3.0 Compliance: Full compliance with FedRAMP Authorization Boundary Guidance Draft V3.0
  • Multi-Cloud Support: AWS, Azure, and GCP (including GovCloud regions)
  • Direct Lucidchart Upload: Upload diagrams directly to Lucidchart via OAuth 2.0
  • Lucidchart Export: Generates .lucid format files for import into Lucidchart
  • OAuth 2.0 Integration: Secure browser-based authentication with automatic token refresh
  • Automated Mapping: Cloud resources automatically mapped to FedRAMP component names
  • Subnet Classification: Automatic categorization (public, application, data, security, management)
  • Data Flow Visualization: Encryption status indicators (FIPS, non-FIPS, unencrypted)
  • DNS/DNSSEC Support: Authoritative and recursive DNS with DNSSEC indicators
  • SSP Tool Validation: Validates all SSP-required tools are depicted in diagrams
  • Configurable: YAML configuration for custom mappings and styling
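The "Subnet Classification" feature above buckets discovered subnets into the five tiers the README names. The following is an added illustration of how such a classifier can be written and checked; it is not abdmaker's own code. The precedence (explicit `Tier` tag, then internet-gateway route, then the kind of resources deployed), the service names, and the `exposed_data_subnets` check are assumptions made for this example, and the subnet IDs, CIDRs and route targets are constructed.

```python
"""Constructed illustration of subnet classification into the five tiers the
README lists (public / application / data / security / management). The rules
and service names here are assumptions for the example, not abdmaker's logic."""
from dataclasses import dataclass, field

CATEGORIES = ("public", "application", "data", "security", "management")

# Assumed resource-kind hints per tier (lower-cased, illustrative only)
DATA_SERVICES = {"rds", "dynamodb", "elasticache", "s3-gateway-endpoint"}
SECURITY_SERVICES = {"siem", "vuln-scanner", "ids", "waf"}
MANAGEMENT_SERVICES = {"bastion", "vpn", "ssm-endpoint"}


@dataclass
class Subnet:
    subnet_id: str
    cidr: str
    routes: list = field(default_factory=list)    # route targets, e.g. "igw-0abc", "nat-0def"
    tags: dict = field(default_factory=dict)
    services: list = field(default_factory=list)  # resource kinds deployed in the subnet


def has_internet_gateway_route(s: Subnet) -> bool:
    """A route whose target is an internet gateway makes the subnet internet-exposed."""
    return any(target.startswith("igw-") for target in s.routes)


def classify_subnet(s: Subnet) -> str:
    """Order matters: an explicit Tier tag wins, then internet exposure, then the
    kind of resources deployed; anything else is treated as application tier."""
    tier = s.tags.get("Tier", "").strip().lower()
    if tier in CATEGORIES:
        return tier
    if has_internet_gateway_route(s):
        return "public"
    kinds = {k.lower() for k in s.services}
    if kinds & DATA_SERVICES:
        return "data"
    if kinds & SECURITY_SERVICES:
        return "security"
    if kinds & MANAGEMENT_SERVICES:
        return "management"
    return "application"


def classify_all(subnets) -> dict:
    """Group subnet IDs by tier, preserving inventory order within each tier."""
    grouped = {c: [] for c in CATEGORIES}
    for s in subnets:
        grouped[classify_subnet(s)].append(s.subnet_id)
    return grouped


def exposed_data_subnets(subnets) -> list:
    """Subnets that hold data stores but also route to an internet gateway.
    They classify as 'public', which is exactly why a boundary reviewer wants
    them listed explicitly rather than silently drawn in the public tier."""
    return [
        s.subnet_id for s in subnets
        if has_internet_gateway_route(s) and {k.lower() for k in s.services} & DATA_SERVICES
    ]


# Constructed sample inventory (IDs, CIDRs and route targets are made up)
SAMPLE_SUBNETS = [
    Subnet("subnet-web-a", "10.0.0.0/24", routes=["igw-0abc"], services=["alb"]),
    Subnet("subnet-app-a", "10.0.10.0/24", routes=["nat-0def"], services=["ec2"]),
    Subnet("subnet-db-a", "10.0.20.0/24", routes=["local"], services=["rds"]),
    Subnet("subnet-sec-a", "10.0.30.0/24", routes=["nat-0def"], services=["siem", "ids"]),
    Subnet("subnet-mgmt-a", "10.0.40.0/24", routes=["nat-0def"], tags={"Tier": "management"}),
    Subnet("subnet-db-bad", "10.0.50.0/24", routes=["igw-0abc"], services=["rds"]),
]

if __name__ == "__main__":
    for tier, ids in classify_all(SAMPLE_SUBNETS).items():
        print(f"{tier:12s} {ids}")
    print("data stores with an IGW route:", exposed_data_subnets(SAMPLE_SUBNETS))
```

The tag override comes first so an operator can correct a misclassification without editing code, and the `exposed_data_subnets` pass exists because a data store in an internet-routed subnet is the kind of finding a FedRAMP reviewer will ask about once the diagram is in front of them.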

## Installation

```bash
pip install abdmaker
```

Or install from source:

```bash
git clone https://github.com/your-org/abdmaker.git
cd abdmaker
pip install -e .
```

## Quick Start

### Option 1: Direct Upload to Lucidchart (Recommended)

```bash
# Create configuration file
abdmaker init-config abdmaker.yaml

# Edit configuration with your settings
# - Add Lucidchart OAuth credentials (client_id, client_secret)
# - Configure cloud provider credentials
# - Set organization details

# Generate and upload diagrams directly to Lucidchart
abdmaker generate -c abdmaker.yaml --upload
```
The --upload flag will:

  1. Open your browser for OAuth 2.0 authentication
  2. Generate the FedRAMP ABD diagrams
  3. Upload directly to your Lucidchart account
  4. Provide a direct edit URL to your new document
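Two pieces of that browser-based flow carry most of the security weight: the localhost callback that receives the authorization code, and the cached token that is reused across runs. The following is an added example of how those pieces can be handled; it is not abdmaker's own code. It assumes the README's redirect URI `http://localhost:8080/callback` and token cache path `~/.abdmaker/lucidchart_token.json`; the function names and the 60-second refresh margin are choices made for this example.

```python
"""Added illustration of the security-relevant parts of the --upload flow:
validating the OAuth 2.0 callback against a per-run `state`, and caching the
token with an absolute expiry so a refresh happens before an upload is tried.
Not abdmaker's own code; names and the refresh margin are assumed."""
import json
import os
import secrets
import time
from dataclasses import dataclass, asdict
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse, parse_qs

REDIRECT_URI = "http://localhost:8080/callback"  # redirect URI from the README's OAuth app setup
TOKEN_CACHE = Path.home() / ".abdmaker" / "lucidchart_token.json"  # cache path named in the README


def new_state() -> str:
    """Unguessable per-run value sent in the authorization request and expected back."""
    return secrets.token_urlsafe(32)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the browser redirect.

    The callback is rejected unless the echoed `state` matches the one this run
    generated; that binding is what stops a code from someone else's session
    being handed to the tool through the localhost listener (login CSRF)."""
    parsed = urlparse(callback_url)
    if parsed.path != urlparse(REDIRECT_URI).path:
        raise ValueError(f"unexpected callback path {parsed.path!r}")
    params = parse_qs(parsed.query)
    if "error" in params:
        raise ValueError(f"authorization server returned error: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not bound to this authorization request")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


@dataclass
class CachedToken:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute epoch seconds, so expiry tracking survives a restart

    @classmethod
    def from_response(cls, resp: dict, now: Optional[float] = None) -> "CachedToken":
        """Token endpoints return a relative `expires_in`; store it as an absolute time."""
        now = time.time() if now is None else now
        return cls(resp["access_token"], resp["refresh_token"], now + float(resp["expires_in"]))

    def needs_refresh(self, now: Optional[float] = None, skew: float = 60.0) -> bool:
        """True when expired or within `skew` seconds of expiring (assumed margin)."""
        now = time.time() if now is None else now
        return now >= self.expires_at - skew


def save_token(token: CachedToken, path: Path = TOKEN_CACHE) -> None:
    """Persist the token owner-read/write only (0600): it is a bearer credential."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(asdict(token), fh)


def load_token(path: Path = TOKEN_CACHE) -> Optional[CachedToken]:
    """Reload a previously saved token, or None when no cache exists yet."""
    if not path.exists():
        return None
    with path.open() as fh:
        return CachedToken(**json.load(fh))
```

Storing `expires_at` as an absolute timestamp is what makes "expiration tracking" work across separate invocations of the CLI; checking `needs_refresh` before the upload means the 401 retry the README describes becomes the fallback rather than the normal path.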

### Option 2: Generate .lucid File for Manual Import

```bash
# Generate diagrams to a file
abdmaker generate -c abdmaker.yaml -o output.lucid
```

### Importing to Lucidchart Manually

After generating your .lucid file:

  1. Log in to Lucidchart (or GovCloud for FedRAMP)
  2. Click Import, then From Computer
  3. Select your generated .lucid file
  4. Your FedRAMP ABD diagrams will open with all 13 views

## Generated Views

ABDMaker generates all 13 FedRAMP-required ABD views per V3.0 guidance:

### Core ABD Views (9)
1. **ABD Overview** - High-level authorization boundary with all components
2. **Component Shell** - Boundary structure template
3. **Network Diagram** - Network topology, subnets, and DNS (with DNSSEC)
4. **Customer Data Flow** - Data flow paths with encryption indicators
5. **CSP Remote Access** - Administrator access paths with MFA
6. **External Services** - External integrations with FedRAMP authorization status
7. **Security Log Overview** - Logging architecture
8. **Service Restoration** - Failover, recovery, and alternate site
9. **Customer Implementation** - Customer-specific components

### V3.0 Separate Data Flow Diagrams (4)
10. **Customer Authentication Flow** - Customer User/Admin authentication with MFA type
11. **CSP Authentication Flow** - CSP Admin/Support authentication with MFA type
12. **Interconnected Systems Flow** - External services and interconnections
13. **Backup Data Flow** - Backup and alternate site data flow with RTO/RPO

## Configuration

Create `abdmaker.yaml`:

```yaml
# Organization details
organization:
  system_name: "My System"
  system_owner: "Organization Name"
  impact_level: "Moderate"

# Lucidchart OAuth 2.0 configuration (for --upload feature)
lucidchart:
  client_id: "your-oauth-client-id"
  client_secret: "your-oauth-client-secret"
  api_base_url: "https://api.lucid.co"  # Use api.lucid.co for commercial
  # Optional settings:
  # default_folder_id: "folder-uuid"  # Target folder for uploads

# Cloud provider configuration
cloud_providers:
  aws:
    enabled: true
    regions:
      - us-gov-west-1
      # - us-east-1
```

### V3.0 Configuration Options

ABDMaker supports all FedRAMP V3.0 requirements through configuration:

```yaml
# DNS Configuration (V3.0 Network Diagram Requirements)
dns:
  authoritative_dns: "External Authoritative DNS"
  recursive_dns: "Internal Recursive DNS"
  dnssec_enabled: true

# Alternate Processing Site (V3.0 DR/Backup Requirements)
alternate_site:
  enabled: true
  site_type: "warm"  # hot, warm, cold, or none
  rto_hours: 24      # Recovery Time Objective
  rpo_hours: 4       # Recovery Point Objective

# MFA Configuration (V3.0 Authentication Flow Requirements)
mfa:
  customer_mfa_type: "TOTP"       # TOTP, Push, SMS, Hardware Token
  csp_admin_mfa_type: "Hardware"  # Hardware Token recommended for admin
  phishing_resistant: true

# SSP Tools Validation (V3.0 Requirement)
ssp_tools:
  validate_on_generate: true
  required_tools:
    - "SIEM / Correlation"
    - "Vulnerability Scan Engine"
    - "Logging Server"
    - "Platform Health Monitoring"

# Customer Agents (V3.0 - CSP components on customer devices)
customer_agents:
  agents: ["CSP Monitoring Agent", "CSP Security Agent"]
  affects_cia: false  # If true, agents are inside authorization boundary

# V3.0 Additional DFD Views
diagram_options:
  views:
    customer_authentication_flow: true
    csp_authentication_flow: true
    interconnected_systems_flow: true
    backup_data_flow: true
```
### Getting Lucidchart OAuth Credentials

  1. Log in to Lucidchart Developer Portal
  2. Create a new OAuth 2.0 application
  3. Set redirect URI to: http://localhost:8080/callback
  4. Copy the client_id and client_secret to your configuration

## CLI Commands

```bash
abdmaker generate [OPTIONS]     # Generate ABD diagrams
  -c, --config PATH            # Configuration file path
  -o, --output PATH            # Output .lucid file path
  -u, --upload                 # Upload directly to Lucidchart
  --folder-id TEXT             # Target Lucidchart folder ID
  -t, --title TEXT             # Document title

abdmaker inventory     # Generate component inventory
abdmaker validate      # Validate configuration file
abdmaker init-config   # Create sample configuration
abdmaker list-mappings # Show resource mappings
abdmaker tui           # Launch interactive interface
```

## Examples

```bash
# Generate and upload to Lucidchart
abdmaker generate -c abdmaker.yaml --upload

# Generate to file
abdmaker generate -c abdmaker.yaml -o my-abd.lucid

# Upload to specific folder
abdmaker generate -c abdmaker.yaml --upload --folder-id "abc-123"

# Custom title
abdmaker generate -c abdmaker.yaml --upload --title "Production ABD"
```

## Requirements

  • Python 3.11+
  • Lucidchart account (Commercial or GovCloud)
  • Lucidchart OAuth 2.0 credentials (for direct upload feature)
  • Cloud provider credentials (AWS/Azure/GCP)

## Recent Changes

### Version 3.0 (January 2026)

#### FedRAMP Authorization Boundary Guidance V3.0 Compliance

  • 4 New DFD Views: Separate authentication and data flow diagrams per V3.0
    • Customer Authentication Flow (with MFA type)
    • CSP Authentication Flow (with MFA type)
    • Interconnected Systems Flow
    • Backup Data Flow (with RTO/RPO)
  • DNS/DNSSEC Support: Network diagrams now include authoritative and recursive DNS with DNSSEC indicators
  • Encryption at Rest Indicators: Visual badges showing encryption status (🔒 FIPS, 🔒 ENC, ⚠️ UNENC)
  • Boundary Location Badges: Components labeled as IN (inside), EXT (external), or EDGE (boundary edge)
  • SSP Tool Validation: Validates all SSP-required tools are depicted in diagrams with warnings for missing tools
  • Customer Agent Support: CSP-provided components on customer devices with boundary classification
  • Non-FedRAMP Service Indicators: Visual distinction for services not FedRAMP authorized
  • Alternate Site Configuration: Support for hot/warm/cold/none DR site types
  • Unencrypted Flow Warnings: Explicit warnings for any unencrypted data flows
  • Updated Legend: V3.0 indicators included in diagram legends

### Version 2.0 (January 2026)

#### Direct Upload Feature

  • ✅ Implemented OAuth 2.0 authorization code flow for Lucidchart
  • ✅ Browser-based authentication with localhost callback server
  • ✅ Automatic token refresh with expiration tracking
  • ✅ Direct upload via Lucidchart Standard Import API
  • ✅ Support for both commercial (api.lucid.co) and GovCloud instances

#### Bug Fixes

  • ✅ Fixed text field format in Standard Import JSON (direct string vs nested object)
  • ✅ Fixed duplicate page generation when using --upload flag
  • ✅ Fixed shape style serialization (fill/stroke objects)
  • ✅ Added automatic retry logic for 401 unauthorized responses

#### Technical Improvements

  • Token caching in `~/.abdmaker/lucidchart_token.json`
  • Proper fill format: `{type: "color", color: "#hex"}`
  • Proper stroke format: `{color: "#hex", width: N, style: "solid"}`
  • Separated `upload_to_lucidchart()` from `upload_document()` for better reusability

## License

MIT License
