Community · nwiizo · Instant

tfmcp

par nwiizo · nwiizo/tfmcp

Let Claude read your Terraform configs, dry-run plans, and (opt-in) apply changes — without handing over your cloud keys.

tfmcp wraps the local Terraform CLI as an MCP server. It reads HCL, runs plan/validate/format, explores state, and can apply or destroy only when you explicitly set TFMCP_ALLOW_DANGEROUS_OPS. Credentials stay wherever your existing AWS/GCP/Azure setup keeps them: tfmcp takes no credential parameters, and the terraform child process it spawns inherits them from your shell environment, so they are never passed through the model.


Install

Choose your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. The project config takes precedence over the global one.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Same format as Claude Desktop. Restart Windsurf to apply.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "tfmcp",
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "tfmcp": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/nwiizo/tfmcp"
        ]
      }
    }
  }
}

Add it under context_servers. Zed hot-reloads on save.

claude mcp add tfmcp -- TODO 'See README: https://github.com/nwiizo/tfmcp'

One line. Verify with claude mcp list. Remove with claude mcp remove.

Use cases

Concrete uses: tfmcp

Review a Terraform plan before merging the PR

Audience: Platform engineers, SREs reviewing IaC pull requests · Time: ~10 min · Level: intermediate

When to use it: A PR changes 40+ resources and you want a sanity check on blast radius before approving.

Prerequisites
  • Terraform CLI installed and cloud credentials configured (aws configure or equivalent; tfmcp uses whatever your shell has)
  • tfmcp installed via cargo: cargo install tfmcp
Steps
  1. Point tfmcp at the Terraform directory
    Prompt: "Set TERRAFORM_DIR to ~/work/infra/prod and run terraform plan. Summarize what's changing."
    → Clean plan summary with add/change/destroy counts
  2. Ask for a risk-scored breakdown
    Prompt: "For every resource being destroyed or replaced, rate the risk (low/med/high) and explain why. Flag anything stateful."
    → Risk table highlighting DB, queue, or data resources
  3. Get a PR-ready review comment
    Prompt: "Draft a PR review comment: approve, request changes, or block — with reasoning."
    → Actionable review text ready to paste

Result: A risk-aware plan review in 3 minutes instead of 30, with no keystrokes spent on apply.

Pitfalls
  • Plan succeeds locally but fails in CI because Terraform or provider versions differ: make sure the terraform binary tfmcp runs matches what CI uses (pin it via .terraform-version/tfenv or required_version) and commit .terraform.lock.hcl so provider versions are pinned as well
  • State is remote and tfmcp gets stuck on backend auth: run terraform init once manually in that directory so the backend is configured and providers are downloaded before invoking tfmcp
Combine with: github · filesystem

Detect and explain Terraform drift in production

Audience: SREs auditing "what changed outside of Terraform" · Time: ~20 min · Level: intermediate

When to use it: A monthly drift check, or when a change made in the cloud console is suspected.

Steps
  1. Run a plan against prod and look for changes
    Prompt: "Run terraform plan against prod and tell me if there's drift — resources where the real state diverges from .tf."
    → List of drifted resources with diffs
  2. Classify each drift
    Prompt: "For each drift, say whether it's safe to refresh (reconcile Terraform to reality) or requires re-apply (reconcile reality to Terraform)."
    → Two lists: refresh-candidates and re-apply-candidates

Result: A drift report with a specific remediation plan per resource.

Pitfalls
  • Drift is normal for some auto-scaled or provider-managed fields: add ignore_changes in the resource's lifecycle block for known-noisy attributes such as last_modified timestamps
  • A plain plan mixes drift with pending config changes: terraform plan -refresh-only shows only what changed outside Terraform, and terraform apply -refresh-only records it in state without touching infrastructure
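The review steps (add/change/destroy counts, risk per destroyed or replaced resource, PR verdict) and the drift classification above can all be derived deterministically from the plan Terraform emits as JSON. The script below is an added example, not tfmcp's code or part of the original page: it reads `terraform show -json tfplan` output, reproduces the plan summary line, rates every destroy or replace, derives a verdict, and splits resource_drift entries into refresh candidates (no planned change at that address) and re-apply candidates (the drift also produces a planned change). The STATEFUL_TYPES list and name hints are this example's own heuristic, and SAMPLE_PLAN is constructed in the JSON plan shape, not real output.

```python
"""Review a Terraform JSON plan: summary, risk table, verdict, drift classes.

Usage:  terraform plan -out=tfplan && terraform show -json tfplan | python plan_review.py
With no piped input the script runs on SAMPLE_PLAN, a constructed example.
"""
import json
import sys

# Heuristic (an assumption of this example, not tfmcp's): resource types that
# hold data. Destroying or replacing one is rated high; extend per provider.
STATEFUL_TYPES = {
    "aws_db_instance", "aws_rds_cluster", "aws_dynamodb_table", "aws_s3_bucket",
    "aws_sqs_queue", "aws_efs_file_system", "aws_ebs_volume", "aws_elasticache_cluster",
    "google_sql_database_instance", "google_storage_bucket",
    "azurerm_storage_account", "azurerm_mssql_database",
}
# Conservative name hints so unknown types that look stateful are flagged too.
STATEFUL_HINTS = ("db", "sql", "bucket", "queue", "volume", "disk", "storage", "cache")


def verb(actions):
    """Collapse a plan 'actions' list into one verb. Terraform encodes a
    replacement as ["delete", "create"] or ["create", "delete"]."""
    acts = set(actions)
    if {"create", "delete"} <= acts:
        return "replace"
    return next((a for a in ("delete", "create", "update", "read", "no-op") if a in acts), "other")


def is_stateful(rtype):
    return rtype in STATEFUL_TYPES or any(h in rtype for h in STATEFUL_HINTS)


def summarize(plan):
    """Counts matching terraform's 'Plan: X to add, Y to change, Z to destroy'.
    A replacement counts once as an add and once as a destroy, as terraform does."""
    counts = {"add": 0, "change": 0, "destroy": 0}
    for rc in plan.get("resource_changes", []):
        v = verb(rc["change"]["actions"])
        if v in ("create", "replace"):
            counts["add"] += 1
        if v == "update":
            counts["change"] += 1
        if v in ("delete", "replace"):
            counts["destroy"] += 1
    return counts


def risk_table(plan):
    """One row (address, verb, risk, reason) per destroyed or replaced resource."""
    rows = []
    for rc in plan.get("resource_changes", []):
        v = verb(rc["change"]["actions"])
        if v not in ("delete", "replace"):
            continue
        stateful = is_stateful(rc["type"])
        reason = "stateful: data loss possible" if stateful else "not stateful: downtime only"
        # replace_paths lists the attributes that force the replacement.
        forced = [".".join(map(str, p)) for p in rc["change"].get("replace_paths") or []]
        if forced:
            reason += "; forced by " + ", ".join(forced)
        rows.append((rc["address"], v, "high" if stateful else "medium", reason))
    return rows


def verdict(rows):
    """PR decision from the risk table: any high blocks, any medium requests changes."""
    risks = {r[2] for r in rows}
    return "block" if "high" in risks else "request changes" if risks else "approve"


def classify_drift(plan):
    """Split resource_drift into refresh candidates (config still matches, so
    'terraform apply -refresh-only' just records reality in state) and
    re-apply candidates (the same address also carries a planned change)."""
    planned = {rc["address"]: verb(rc["change"]["actions"]) for rc in plan.get("resource_changes", [])}
    refresh, reapply = [], []
    for d in plan.get("resource_drift", []):
        before, after = d["change"].get("before") or {}, d["change"].get("after") or {}
        changed = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
        bucket = reapply if planned.get(d["address"], "no-op") not in ("no-op", "read") else refresh
        bucket.append((d["address"], changed))
    return refresh, reapply


SAMPLE_PLAN = {  # constructed in `terraform show -json` shape; not real output
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["delete", "create"], "replace_paths": [["engine_version"]]}},
        {"address": "aws_security_group.web", "type": "aws_security_group", "change": {"actions": ["update"]}},
        {"address": "aws_instance.bastion", "type": "aws_instance", "change": {"actions": ["delete"]}},
        {"address": "aws_iam_role.ci", "type": "aws_iam_role", "change": {"actions": ["create"]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {"actions": ["no-op"]}},
    ],
    "resource_drift": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {
            "actions": ["update"], "before": {"tags": {"env": "prod"}, "versioning": True},
            "after": {"tags": {"env": "prod", "owner": "ops"}, "versioning": True}}},
        {"address": "aws_security_group.web", "type": "aws_security_group", "change": {
            "actions": ["update"], "before": {"ingress_cidr": "10.0.0.0/8"}, "after": {"ingress_cidr": "0.0.0.0/0"}}},
    ],
}


def review(plan):
    rows = risk_table(plan)
    refresh, reapply = classify_drift(plan)
    return {"summary": summarize(plan), "risks": rows, "verdict": verdict(rows),
            "refresh": refresh, "reapply": reapply}


if __name__ == "__main__":
    plan = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(review(plan), indent=2))
```

On the sample, the summary is 2 to add, 1 to change, 2 to destroy (the replaced database counts on both sides, as terraform does), the database replacement is rated high and blocks the PR, the bucket tag drift is a refresh candidate because nothing is planned for it, and the security-group drift is a re-apply candidate because the plan already wants to change it. Nothing here needs cloud credentials; the script only consumes the plan file tfmcp's terraform_plan produced.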

Understand an unfamiliar Terraform module

Audience: New team members dropped into a 500-file terraform repo · Time: ~15 min · Level: beginner

When to use it: You inherited an infra repo and need a map of what's there before touching anything.

Steps
  1. Scan the directory
    Prompt: "List every module in ~/work/infra. For each, tell me what resources it manages and what inputs it expects."
    → Module inventory with purpose and inputs per module
  2. Generate a dependency graph
    Prompt: "Run terraform graph and describe the module dependency tree — which modules depend on which."
    → Clear ASCII tree or numbered list

Result: A mental map of the repo without having to read every .tf file by hand.

Pitfalls
  • Some modules are unused dead code: ask tfmcp to flag modules referenced nowhere in the root module or in any other module
Combine with: filesystem

Combinations

Pair it with other MCPs for a 10x effect

tfmcp + github

Review a Terraform PR end-to-end: pull diff from GitHub, plan locally via tfmcp, post review comment

Prompt: "Fetch PR #42 from acme/infra, check out the branch, run tfmcp terraform plan, and draft a review comment."
tfmcp + filesystem

Bulk-refactor HCL files and verify the plan doesn't change output

Prompt: "Rename variable aws_region to region across all .tf files in ~/infra, then confirm plan shows no resource changes."

Tools

What this MCP exposes (tool, inputs, when to call, cost):
  • terraform_plan (dir?: str, var_file?: str): safe; always run before apply. Cost: one terraform plan run.
  • terraform_apply (dir?: str, auto_approve?: bool): only with TFMCP_ALLOW_DANGEROUS_OPS=true and explicit user intent. Cost: real cloud changes.
  • terraform_validate (dir?: str): before commit; cheap syntax and type check. Cost: free.
  • terraform_state_list (dir?: str): inventory what Terraform knows about. Cost: free (reads state).
  • terraform_show (dir?: str, resource?: str): inspect the stored state for a specific resource. Cost: free.
  • terraform_graph (dir?: str): understand module and resource dependencies. Cost: free.

"Free" here means no cloud mutation, not no exposure: the output of terraform_plan, terraform_state_list and terraform_show is returned to the model as tool output, and Terraform state can hold secrets (database passwords, generated keys) in plaintext.
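The gate in the list above (terraform_apply only with TFMCP_ALLOW_DANGEROUS_OPS=true, read-only tools always available) is worth writing out so its edge cases are visible. The Python below is an added example, not tfmcp's source: it decides whether a requested terraform invocation may run, allowing read-only subcommands, requiring the flag to be exactly "true" for mutating ones, refusing an apply or destroy that would stop at an interactive confirmation (a non-TTY MCP server would hang there), and refusing a -chdir that escapes the configured root. The dangerous-subcommand list beyond apply and destroy, the root-containment check and the no-prompt rule are this example's own additions, not documented tfmcp behaviour.

```python
"""Guardrail wrapper for the terraform CLI, modelled on the
TFMCP_ALLOW_DANGEROUS_OPS gate. Added example; not tfmcp's own code."""
import os
import shlex
import shutil
import subprocess
from dataclasses import dataclass, field

FLAG = "TFMCP_ALLOW_DANGEROUS_OPS"
# Read-only subcommands: always allowed.
SAFE = {"plan", "validate", "fmt", "show", "graph", "output", "providers",
        "version", "state list", "state show"}
# Subcommands that change infrastructure or state. The page gates apply and
# destroy; the other entries are this example's extension of the same idea.
DANGEROUS = {"apply", "destroy", "import", "taint", "untaint", "state rm",
             "state mv", "state push", "state replace-provider", "workspace delete"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: list = field(default_factory=list)  # command to run; empty when denied


def subcommand(args):
    """Return the subcommand, treating 'state X' and 'workspace X' as two words.
    Options such as -chdir=DIR or -target=... are skipped."""
    words = [a for a in args if not a.startswith("-")]
    if words and words[0] in ("state", "workspace") and len(words) > 1:
        return f"{words[0]} {words[1]}"
    return words[0] if words else ""


def decide(args, env, root):
    """Decide whether `terraform <args>` may run with its working dir inside root.

    Order of checks: directory containment (a model-supplied dir must not
    escape root, symlinks included), then the read-only allow-list, then the
    FLAG gate for dangerous subcommands, then a no-prompt requirement so an
    apply cannot block on an interactive confirmation in a non-TTY server.
    """
    workdir = next((a[len("-chdir="):] for a in args if a.startswith("-chdir=")), root)
    real_root, real_dir = os.path.realpath(root), os.path.realpath(workdir)
    if os.path.commonpath([real_root, real_dir]) != real_root:
        return Decision(False, f"{workdir} is outside {root}")
    sub = subcommand(args)
    rest = [a for a in args if not a.startswith("-chdir=")]
    argv = ["terraform", f"-chdir={real_dir}", *rest]  # -chdir must precede the subcommand
    if sub in SAFE:
        return Decision(True, f"{sub} is read-only", argv)
    if sub not in DANGEROUS:
        return Decision(False, f"unknown subcommand {sub!r}")
    if env.get(FLAG) != "true":
        return Decision(False, f"{sub} denied: {FLAG} not set to true")
    positional = [a for a in rest if not a.startswith("-")]
    has_plan_file = sub == "apply" and len(positional) > 1  # terraform apply tfplan
    if sub in ("apply", "destroy") and not has_plan_file and "-auto-approve" not in rest:
        return Decision(False, f"{sub} needs a saved plan file or -auto-approve")
    return Decision(True, f"{sub} allowed because {FLAG}=true", argv)


def run(decision):
    """Execute an allowed decision; returns the exit code, or None when denied
    or when no terraform binary is on PATH."""
    if not decision.allowed or shutil.which("terraform") is None:
        return None
    return subprocess.run(decision.argv, check=False).returncode


if __name__ == "__main__":
    root = os.environ.get("TERRAFORM_DIR", ".")
    for req in (["plan", "-target=module.x"], ["apply", "tfplan"], ["destroy"],
                ["-chdir=/", "state", "rm", "aws_instance.x"]):
        d = decide(req, os.environ, root)
        print("ALLOW" if d.allowed else "DENY ", shlex.join(req), "::", d.reason)
```

Applying a saved plan file (terraform plan -out=tfplan, then terraform apply tfplan) is the path that satisfies both the "always plan before apply" rule and the no-prompt rule without -auto-approve, so it is the shape a server like this should prefer. Run the script with and without TFMCP_ALLOW_DANGEROUS_OPS=true to see the decisions flip; only an allowed Decision passed to run() executes terraform.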

Cost and limits

Running cost

API quota
No tfmcp-level quota; bounded by your cloud provider's API rate limits
Tokens per call
Plan output for large repos can hit 20k+ tokens; use targeting
Monetary
Free and MIT-licensed; the real cost is whatever apply touches in your cloud
Tip
Keep apply off by default. Use terraform plan -target=module.x to scope noisy plans and save context tokens, but treat a targeted plan as a scoping aid rather than the review of record: Terraform itself warns that -target is meant for exceptional situations, and a targeted plan hides changes elsewhere in the configuration.

Security

Permissions, secrets, scope

Minimum scopes: Local terraform binary plus cloud-provider read credentials for plan/validate. A remote backend needs slightly more than read: terraform plan takes the state lock by default (unless you pass -lock=false), so an S3 backend with DynamoDB locking, for example, needs write access to the lock table in addition to read access to the state object.
Credential storage: Whatever terraform already uses: AWS env vars, ~/.aws/credentials, workload identity, etc.
Data egress: Calls your cloud provider APIs directly from your machine; tfmcp does not call home. Plan and state contents do flow into the model context as tool output, and Terraform state can contain secrets in plaintext.
Never grant:
  • TFMCP_ALLOW_DANGEROUS_OPS=true in shared sessions
  • Admin cloud credentials when read-only would suffice

Troubleshooting

Common errors and fixes

terraform binary not found

Install Terraform and ensure it's on PATH. tfmcp shells out to terraform; it does not bundle it.

Check: terraform version
Error: No valid credential sources

Your shell's cloud creds aren't exported. Run aws sts get-caller-identity (or equivalent) first. Keep in mind that a desktop MCP client launched from the Dock or Start menu does not inherit variables exported in your terminal's shell profile; use a credentials file, or the per-server env block where the client config supports one.

Check: aws sts get-caller-identity
Apply fails with 'apply denied: TFMCP_ALLOW_DANGEROUS_OPS not set'

By design. If you truly want to apply, export TFMCP_ALLOW_DANGEROUS_OPS=true for that session only, in the environment the MCP server process is launched from (an unrelated terminal will not do).

Check: echo $TFMCP_ALLOW_DANGEROUS_OPS
Backend initialization required

Run terraform init once manually in the target dir before calling tfmcp tools.

Check: terraform init

Alternatives

tfmcp vs others (alternative, when to use it, trade-off):
  • terraform-mcp-server (HashiCorp official): you want a vendor-backed MCP with registry support. Trade-off: less CLI parity; fewer state/drift tools.
  • Raw shell MCP + terraform: you want total flexibility. Trade-off: no guardrails; easy to run terraform destroy by accident.

More

Resources

📖 Read the official README on GitHub

🐙 View open issues