# tfmcp: Terraform Model Context Protocol Tool
[](https://archestra.ai/mcp-catalog/nwiizo__tfmcp)
*⚠️ This project includes production-ready security features but is still under active development. While the security system provides robust protection, please review all operations carefully in production environments. ⚠️*
tfmcp is a command-line tool that helps you interact with Terraform via the Model Context Protocol (MCP). It allows LLMs to manage and operate your Terraform environments, including:
## 🎮 Demo
See tfmcp in action with Claude Desktop:
- Reading Terraform configuration files
- Analyzing Terraform plan outputs
- Applying Terraform configurations
- Managing Terraform state
- Creating and modifying Terraform configurations
## 🎉 Latest Release
The latest version of tfmcp (v0.1.9) is now available on Crates.io! You can easily install it using Cargo:
```bash
cargo install tfmcp
```
### 🆕 What's New in v0.1.9
- **📊 Plan Analysis**: Structured plan analysis with risk scoring and recommendations
- **🔍 State Analysis**: Deep state inspection with drift detection
- **📁 Workspace Management**: Full terraform workspace support (list, show, new, select, delete)
- **📥 Import Helper**: Guided resource import with config generation
- **✨ Code Formatting**: terraform fmt integration
- **🔗 Dependency Graph**: terraform graph visualization with DOT output
- **📤 Output Management**: terraform output access
- **🏷️ Taint/Untaint**: Resource taint management (with deprecation notices for 1.5+)
- **🔄 State Refresh**: Explicit state refresh operations
- **📦 Provider Info**: Detailed provider information with lock file parsing
- **🦀 Rust Edition 2024**: Migrated to Rust Edition 2024 (requires Rust 1.85.0+)
## Features
- 🚀 **Terraform Integration**
Deeply integrates with the Terraform CLI to analyze and execute operations.
- 📄 **MCP Server Capabilities**
Runs as a Model Context Protocol server, allowing AI assistants to access and manage Terraform.
- 🔬 **Module Health Analysis**
Whitebox approach to Infrastructure as Code with cohesion/coupling analysis, health scoring, and refactoring suggestions based on software engineering principles.
- 📊 **Resource Dependency Graph**
Visualize resource relationships including explicit depends_on and implicit reference dependencies.
- 📦 **Module Registry Integration**
Search and explore Terraform modules from the registry, get module details and versions.
- 🔐 **Enterprise Security**
Production-ready security controls with configurable policies, audit logging, and access restrictions.
- 📊 **Advanced Analysis**
Detailed Terraform configuration analysis with best practice recommendations and security checks.
- 📋 **Guideline Compliance** (v0.1.8)
Future Architect Terraform guidelines integration with compliance scoring, secret detection, and variable quality checks.
- ⚡️ **Blazing Fast**
High-speed processing powered by the Rust ecosystem with optimized parsing and caching.
- 🛠️ **Automatic Setup**
Automatically creates sample Terraform projects when needed, ensuring smooth operation even for new users.
- 🐳 **Docker Support**
Run tfmcp in a containerized environment with all dependencies pre-installed.
## Installation
### From Source
```bash
# Clone the repository
git clone https://github.com/nwiizo/tfmcp
cd tfmcp
# Build and install
cargo install --path .
```
### From Crates.io
```bash
cargo install tfmcp
```
### Using Docker
```bash
# Clone the repository
git clone https://github.com/nwiizo/tfmcp
cd tfmcp
# Build the Docker image
docker build -t tfmcp .
# Run the container
docker run -it tfmcp
```
## Requirements
- Rust (edition 2021)
- Terraform CLI installed and available in PATH
- Claude Desktop (for AI assistant integration)
- Docker (optional, for containerized deployment)
## Usage
```bash
$ tfmcp --help
✨ A CLI tool to manage Terraform configurations and operate Terraform through the Model Context Protocol (MCP).
Usage: tfmcp [OPTIONS] [COMMAND]
Commands:
mcp Launch tfmcp as an MCP server
analyze Analyze Terraform configurations
help Print this message or the help of the given subcommand(s)
Options:
-c, --config <PATH> Path to the configuration file
-d, --dir <PATH> Terraform project directory
-V, --version Print version
-h, --help Print help
```
### Using Docker
When using Docker, you can run tfmcp commands like this:
```bash
# Run as MCP server (default)
docker run -it tfmcp
# Run with specific command and options
docker run -it tfmcp analyze --dir /app/example
# Mount your Terraform project directory
docker run -it -v /path/to/your/terraform:/app/terraform tfmcp --dir /app/terraform
# Set environment variables
docker run -it -e TFMCP_LOG_LEVEL=debug tfmcp
```
### Integrating with Claude Desktop
To use tfmcp with Claude Desktop:
1. If you haven't already, install tfmcp:
```bash
cargo install tfmcp
```
Alternatively, you can use Docker:
```bash
docker build -t tfmcp .
```
2. Find the path to your installed tfmcp executable:
```bash
which tfmcp
```
3. Add the following configuration to `~/Library/Application\ Support/Claude/claude_desktop_config.json`:
```json
{
"mcpServers": {
"tfmcp": {
"command": "/path/to/your/tfmcp", // Replace with the actual path from step 2
"args": ["mcp"],
"env": {
"HOME": "/Users/yourusername", // Replace with your username
"PATH": "/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin",
"TERRAFORM_DIR": "/path/to/your/terraform/project" // Optional: specify your Terraform project
}
}
}
}
```
If you're using Docker with Claude Desktop, you can set up the configuration like this:
```json
{
"mcpServers": {
"tfmcp": {
"command": "docker",
"args": ["run", "--rm", "-v", "/path/to/your/terraform:/app/terraform", "tfmcp", "mcp"],
"env": {
"TERRAFORM_DIR": "/app/terraform"
}
}
}
}
```
4. Restart Claude Desktop and enable the tfmcp tool.
5. tfmcp will automatically create a sample Terraform project in `~/terraform` if one doesn't exist, ensuring Claude can start working with Terraform right away. The sample project is based on the examples included in the `example/demo` directory of this repository.
## MCP Tools
tfmcp provides 31 MCP tools for AI assistants:
### Core Terraform Operations
| `init_terraform` | Initialize Terraform working directory |
| `get_terraform_plan` | Generate and show execution plan |
| `analyze_plan` | **NEW** Analyze plan with risk scoring and recommendations |
| `apply_terraform` | Apply Terraform configuration |
| `destroy_terraform` | Destroy Terraform-managed infrastructure |
| `validate_terraform` | Validate configuration syntax |
| `validate_terraform_detailed` | Detailed validation with guidelines |
| `get_terraform_state` | Show current state |
| `analyze_state` | **NEW** Analyze state with drift detection |
| `list_terraform_resources` | List all managed resources |
| `set_terraform_directory` | Change active project directory |
### Workspace & State (v0.1.9)
| `terraform_workspace` | **NEW** Manage workspaces (list, show, new, select, delete) |
| `terraform_import` | **NEW** Import existing resources |
| `terraform_taint` | **NEW** Taint/untaint resources |
| `terraform_refresh` | **NEW** Refresh state |
### Code & Output (v0.1.9)
| `terraform_fmt` | **NEW** Format code |
| `terraform_graph` | **NEW** Generate dependency graph |
| `terraform_output` | **NEW** Get output values |
| `terraform_providers` | **NEW** Get provider info with lock file |
### Analysis & Security
| `analyze_terraform` | Analyze configuration |
| `analyze_module_health` | Module health with cohesion/coupling metrics |
| `get_resource_dependency_graph` | Resource dependencies visualization |
| `suggest_module_refactoring` | Refactoring suggestions |
| `get_security_status` | Security scan with secret detection |
### Registry
| `search_terraform_providers` | Search providers |
| `get_provider_info` | Provider details |
| `get_provider_docs` | Provider documentation |
| `search_terraform_modules` | Search modules |
| `get_module_details` | Module details |
| `get_latest_module_version` | Latest module version |
| `get_latest_provider_version` | Latest provider version |
## Logs and Troubleshooting
The tfmcp server logs are available at:
```
~/Library/Logs/Claude/mcp-server-tfmcp.log
```
Common issues and solutions:
- **Claude can't connect to the server**: Make sure the path to the tfmcp executable is correct in your configuration
- **Terraform project issues**: tfmcp automatically creates a sample Terraform project if none is found
- **Method not found errors**: MCP protocol support includes resources/list and prompts/list methods
- **Docker issues**: If using Docker, ensure your container has proper volume mounts and permissions
## Environment Variables
### Core Configuration
- `TERRAFORM_DIR`: Set this to specify a custom Terraform project directory. If not set, tfmcp will use the directory provided by command line arguments, configuration files, or fall back to `~/terraform`. You can also change the project directory at runtime using the `set_terraform_directory` tool.
- `TFMCP_LOG_LEVEL`: Set to `debug`, `info`, `warn`, or `error` to control logging verbosity.
- `TFMCP_DEMO_MODE`: Set to `true` to enable demo mode with additional safety features.
### Security Configuration
- `TFMCP_ALLOW_DANGEROUS_OPS`: Set to `true` to enable apply/destroy operations (default: `false`)
- `TFMCP_ALLOW_AUTO_APPROVE`: Set to `true` to enable auto-approve for dangerous operations (default: `false`)
- `TFMCP_MAX_RESOURCES`: Set maximum number of resources that can be managed (default: 50)
- `TFMCP_AUDIT_ENABLED`: Set to `false` to disable audit logging (default: `true`)
- `TFMCP_AUDIT_LOG_FILE`: Custom path for audit log file (default: `~/.tfmcp/audit.log`)
- `TFMCP_AUDIT_LOG_SENSITIVE`: Set to `true` to include sensitive information in audit logs (default: `false`)
## Security Considerations
tfmcp includes comprehensive security features designed for production use:
### 🔒 Built-in Security Features
- **Access Controls**: Automatic blocking of production/sensitive file patterns
- **Operation Restrictions**: Dangerous operations (apply/destroy) disabled by default
- **Resource Limits**: Configurable maximum resource count protection
- **Audit Logging**: Complete operation tracking with timestamps and user identification
- **Directory Validation**: Security policy enforcement for project directories
### 🛡️ Security Best Practices
- **Default Safety**: Apply/destroy operations are disabled by default - explicitly enable only when needed
- **Review Plans**: Always review Terraform plans before applying, especially AI-generated ones
- **IAM Boundaries**: Use appropriate IAM permissions and role boundaries in cloud environments
- **Audit Monitoring**: Regularly review audit logs at `~/.tfmcp/audit.log`
- **File Patterns**: Built-in protection against accessing `prod*`, `production*`, and `secret*` patterns
- **Docker Security**: When using containers, carefully consider volume mounts and exposed data
### ⚙️ Production Configuration
```bash
# Recommended production settings
export TFMCP_ALLOW_DANGEROUS_OPS=false # Keep disabled for safety
export TFMCP_ALLOW_AUTO_APPROVE=false # Require manual approval
export TFMCP_MAX_RESOURCES=10 # Limit resource scope
export TFMCP_AUDIT_ENABLED=true # Enable audit logging
export TFMCP_AUDIT_LOG_SENSITIVE=false # Don't log sensitive data
```
## Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
1. Fork the repository
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Run quality checks before committing:
```bash
cargo fmt --all
cargo clippy --all-targets --all-features
cargo test --all-features
```
4. Commit your changes (`git commit -m 'Add some amazing feature'`)
5. Push to the branch (`git push origin feature/amazing-feature`)
6. Open a Pull Request
### Release Process
Releases are done manually (automated CI release is disabled):
1. Update version in `Cargo.toml`
2. Create GitHub release: `gh release create v0.1.x --title "v0.1.x - Title" --notes "Release notes"`
3. Publish to crates.io: `cargo publish`
## Roadmap
Here are some planned improvements and future features for tfmcp:
### Completed
- [x] **Basic Terraform Integration**
Core integration with Terraform CLI for analyzing and executing operations.
- [x] **MCP Server Implementation**
Initial implementation of the Model Context Protocol server for AI assistants.
- [x] **Automatic Project Creation**
Added functionality to automatically create sample Terraform projects when needed.
- [x] **Claude Desktop Integration**
Support for seamless integration with Claude Desktop.
- [x] **Core MCP Methods**
Implementation of essential MCP methods including resources/list and prompts/list.
- [x] **Error Handling Improvements**
Better error handling and recovery mechanisms for robust operation.
- [x] **Dynamic Project Directory Switching**
Added ability to change the active Terraform project directory without restarting the service.
- [x] **Crates.io Publication**
Published the package to Crates.io for easy installation via Cargo.
- [x] **Docker Support**
Added containerization support for easier deployment and cross-platform compatibility.
- [x] **Security Enhancements**
Comprehensive security system with configurable policies, audit logging, access controls, and production-ready safety features.
- [x] **Module Health Analysis (v0.1.6)**
Whitebox approach to IaC with cohesion/coupling metrics, health scoring, and refactoring suggestions.
- [x] **Resource Dependency Graph (v0.1.6)**
Visualization of resource relationships including explicit and implicit dependencies.
- [x] **Module Registry Integration (v0.1.6)**
Search and explore Terraform modules from the registry.
- [x] **Comprehensive Testing Framework**
85+ tests including integration tests with real Terraform configurations.
- [x] **RMCP SDK Migration (v0.1.8)**
Migrated to official RMCP SDK with proper tool annotations for better MCP compliance.
- [x] **Future Architect Guidelines (v0.1.8)**
Terraform coding standards compliance checks with secret detection and variable quality validation.
### In Progress
- [ ] **Multi-Environment Support**
Add support for managing multiple Terraform environments, workspaces, and modules.
### Planned
- [ ] **Expanded MCP Protocol Support**
Implement additional MCP methods and capabilities for richer integration with AI assistants.
- [ ] **Performance Optimization**
Optimize resource usage and response times for large Terraform projects.
- [ ] **Cost Estimation**
Integrate with cloud provider pricing APIs to provide cost estimates for Terraform plans.
- [ ] **Interactive TUI**
Develop a terminal-based user interface for easier local usage and debugging.
- [ ] **Integration with Other AI Platforms**
Extend beyond Claude to support other AI assistants and platforms.
- [ ] **Plugin System**
Develop a plugin architecture to allow extensions of core functionality.
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.