
tfmcp

von nwiizo · nwiizo/tfmcp

Let Claude read your Terraform configs, dry-run plans, and (opt-in) apply changes — without handing over your cloud keys.

tfmcp wraps the local Terraform CLI as an MCP server. It reads HCL, runs plan/validate/format, explores state, and — only when you explicitly enable TFMCP_ALLOW_DANGEROUS_OPS — can apply or destroy. Credentials stay in your existing AWS/GCP/Azure env; tfmcp never sees them directly.


Install

Choose your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. Project configuration overrides the global one.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Same structure as Claude Desktop. Restart Windsurf to apply.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "tfmcp",
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ]
    }
  ]
}

Continue uses an array of server objects instead of a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "tfmcp": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/nwiizo/tfmcp"
        ]
      }
    }
  }
}

Add it under context_servers. Zed reloads on save.

claude mcp add tfmcp -- TODO 'See README: https://github.com/nwiizo/tfmcp'

One-liner. Verify with claude mcp list. Remove with claude mcp remove.

Use cases

Practical usage: tfmcp

Review a Terraform plan before merging the PR

👤 Platform engineers, SREs reviewing IaC pull requests ⏱ ~10 min intermediate

When to use: A PR changes 40+ resources and you want a sanity check on blast radius before approving.

Prerequisites
  • Terraform CLI installed and cloud credentials configured (aws configure or equivalent; tfmcp uses whatever your shell has)
  • tfmcp installed via cargo — cargo install tfmcp
Steps
  1. Point tfmcp at the Terraform directory
    Set TERRAFORM_DIR to ~/work/infra/prod and run terraform plan. Summarize what's changing.
    → Clean plan summary with add/change/destroy counts
  2. Ask for a risk-scored breakdown
    For every resource being destroyed or replaced, rate the risk (low/med/high) and explain why. Flag anything stateful.
    → Risk table highlighting DB, queue, or data resources
  3. Get a PR-ready review comment
    Draft a PR review comment: approve, request changes, or block — with reasoning.
    → Actionable review text ready to paste

Result: A risk-aware plan review in 3 minutes instead of 30, with no keystrokes spent on apply.

Pitfalls
  • Plan succeeds locally but will fail in CI due to different provider versions — Make sure tfmcp's terraform version matches what your CI uses — pin via .terraform-version or tfenv
  • State is remote and tfmcp gets stuck on auth — Run terraform init once manually to cache backend creds before invoking tfmcp
Combine with: github · filesystem

Detect and explain Terraform drift in production

👤 SREs auditing 'what changed outside of Terraform' ⏱ ~20 min intermediate

When to use: Monthly drift check, or when a cloud console change is suspected.

Steps
  1. Run a plan against prod and look for changes
    Run terraform plan against prod and tell me if there's drift — resources where the real state diverges from .tf.
    → List of drifted resources with diffs
  2. Classify each drift
    For each drift, say whether it's safe to refresh (reconcile Terraform to reality) or requires re-apply (reconcile reality to Terraform).
    → Two lists: refresh-candidates and re-apply-candidates

Result: A drift report with a specific remediation plan per resource.

Pitfalls
  • Drift is normal for some auto-scaled or provider-managed fields — Add a drift-ignore list (via ignore_changes lifecycle block) for known-noisy fields like last_modified timestamps

Understand an unfamiliar Terraform module

👤 New team members dropped into a 500-file terraform repo ⏱ ~15 min beginner

When to use: You inherited an infra repo and need a map of what's there before touching anything.

Steps
  1. Scan the directory
    List every module in ~/work/infra. For each, tell me what resources it manages and what inputs it expects.
    → Module inventory with purpose and inputs per module
  2. Generate a dependency graph
    Run terraform graph and describe the module dependency tree — which modules depend on which.
    → Clear ASCII tree or numbered list

Result: A mental map of the repo without having to read every .tf file by hand.

Pitfalls
  • Some modules are unused dead code — Ask tfmcp to flag modules referenced nowhere in the root or any other module
Combine with: filesystem

Combinations

With other MCPs for 10x impact

tfmcp + github

Review a Terraform PR end-to-end: pull diff from GitHub, plan locally via tfmcp, post review comment

Fetch PR #42 from acme/infra, checkout the branch, run tfmcp terraform plan, and draft a review comment.

tfmcp + filesystem

Bulk-refactor HCL files and verify the plan doesn't change output

Rename variable aws_region to region across all .tf files in ~/infra, then confirm plan shows no resource changes.

Tools

What this MCP provides

Tool | Inputs | When to call | Cost
terraform_plan | dir?: str, var_file?: str | Safe — always run before apply | 1 terraform plan run
terraform_apply | dir?: str, auto_approve?: bool | Only with TFMCP_ALLOW_DANGEROUS_OPS=true and explicit user intent | real cloud changes
terraform_validate | dir?: str | Before commit — cheap syntax/type check | free
terraform_state_list | dir?: str | Inventory what Terraform knows about | free (reads state)
terraform_show | dir?: str, resource?: str | Inspect the stored state for a specific resource | free
terraform_graph | dir?: str | Understand module/resource dependencies | free

Costs & limits

What running it costs

API quota
No tfmcp-level quota; bounded by your cloud provider API rate limits
Tokens per call
Plan output for large repos can hit 20k+ tokens — use targeting
Cost in €
Free and MIT; the real cost is whatever apply touches in your cloud
Tip
Keep apply off by default. Use terraform plan -target=module.x to scope noisy plans and save context tokens.

Security

Permissions, secrets, reach

Minimum scopes: Local terraform binary + cloud-provider read credentials for plan/validate
Credential storage: Whatever terraform already uses — AWS env vars, ~/.aws/credentials, workload identity, etc.
Data egress: Calls your cloud provider APIs directly from your machine; tfmcp does not call back home
Never grant:
  • TFMCP_ALLOW_DANGEROUS_OPS=true in shared sessions
  • Admin cloud credentials when read-only would suffice

Troubleshooting

Common errors and fixes

terraform binary not found

Install Terraform and ensure it's on PATH. tfmcp shells out to terraform; it does not bundle it.

Check: terraform version

Error: No valid credential sources

Your shell's cloud creds aren't exported. Run aws sts get-caller-identity (or equivalent) first.

Check: aws sts get-caller-identity

Plan says 'apply denied: TFMCP_ALLOW_DANGEROUS_OPS not set'

By design. If you truly want to apply, export TFMCP_ALLOW_DANGEROUS_OPS=true for that session only.

Check: echo $TFMCP_ALLOW_DANGEROUS_OPS

Backend initialization required

Run terraform init once manually in the target dir before calling tfmcp tools.

Check: terraform init

Alternatives

tfmcp vs. others

Alternative | When to use instead | Trade-off
terraform-mcp-server (hashicorp official) | You want a vendor-backed MCP with registry support | Less CLI parity; fewer state/drift tools
Raw shell MCP + terraform | You want total flexibility | No guardrails — easy to run terraform destroy by accident

More

Resources

📖 Read the official README on GitHub

🐙 View open issues
