/ ディレクトリ / プレイグラウンド / tfmcp
← 全サーバー ↗ GitHub
● コミュニティ nwiizo ⚡ 即起動

tfmcp

作者 nwiizo · nwiizo/tfmcp

Let Claude read your Terraform configs, dry-run plans, and (opt-in) apply changes — without handing over your cloud keys.

tfmcp wraps the local Terraform CLI as an MCP server. It reads HCL, runs plan/validate/format, explores state, and — only when you explicitly enable TFMCP_ALLOW_DANGEROUS_OPS — can apply or destroy. Credentials stay in your existing AWS/GCP/Azure env; tfmcp never sees them directly.

▶ デモを見る 📦 インストール 💡 ユースケース

なぜ使うのか

主な機能

ライブデモ

実際の動作

tfmcp.replay ▶ 準備完了
0/0

インストール

クライアントを選択

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Claude Desktop → Settings → Developer → Edit Config を開く。保存後、アプリを再起動。

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Cursor は Claude Desktop と同じ mcpServers スキーマを使用。プロジェクト設定はグローバルより優先。

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Cline サイドバーの MCP Servers アイコンをクリックし、"Edit Configuration" を選択。

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Claude Desktop と同じ形式。Windsurf を再起動して反映。

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "tfmcp",
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ]
    }
  ]
}

Continue はマップではなくサーバーオブジェクトの配列を使用。

~/.config/zed/settings.json
{
  "context_servers": {
    "tfmcp": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/nwiizo/tfmcp"
        ]
      }
    }
  }
}

context_servers に追加。保存時に Zed がホットリロード。

claude mcp add tfmcp -- TODO 'See README: https://github.com/nwiizo/tfmcp'

ワンライナー。claude mcp list で確認、claude mcp remove で削除。

ユースケース

実用的な使い方: tfmcp

Review a Terraform plan before merging the PR

👤 Platform engineers, SREs reviewing IaC pull requests ⏱ ~10 min intermediate

使うタイミング: A PR changes 40+ resources and you want a sanity check on blast radius before approving.

前提条件
  • Terraform CLI installed and cloud credentials configuredaws configure or equivalent; tfmcp uses whatever your shell has
  • tfmcp installed via cargo — cargo install tfmcp
フロー
  1. Point tfmcp at the Terraform directory
    Set TERRAFORM_DIR to ~/work/infra/prod and run terraform plan. Summarize what's changing.✓ コピーしました
    → Clean plan summary with add/change/destroy counts
  2. Ask for a risk-scored breakdown
    For every resource being destroyed or replaced, rate the risk (low/med/high) and explain why. Flag anything stateful.✓ コピーしました
    → Risk table highlighting DB, queue, or data resources
  3. Get a PR-ready review comment
    Draft a PR review comment: approve, request changes, or block — with reasoning.✓ コピーしました
    → Actionable review text ready to paste

結果: A risk-aware plan review in 3 minutes instead of 30, with no keystrokes spent on apply.

注意点
  • Plan succeeds locally but will fail in CI due to different provider versions — Make sure tfmcp's terraform version matches what your CI uses — pin via .terraform-version or tfenv
  • State is remote and tfmcp gets stuck on auth — Run terraform init once manually to cache backend creds before invoking tfmcp
組み合わせ: github · filesystem

Detect and explain Terraform drift in production

👤 SREs auditing 'what changed outside of Terraform' ⏱ ~20 min intermediate

使うタイミング: Monthly drift check, or when a cloud console change is suspected.

フロー
  1. Run a plan against prod and look for changes
    Run terraform plan against prod and tell me if there's drift — resources where the real state diverges from .tf.✓ コピーしました
    → List of drifted resources with diffs
  2. Classify each drift
    For each drift, say whether it's safe to refresh (reconcile Terraform to reality) or requires re-apply (reconcile reality to Terraform).✓ コピーしました
    → Two lists: refresh-candidates and re-apply-candidates

結果: A drift report with specific remediation plan per resource.

注意点
  • Drift is normal for some auto-scaled or provider-managed fields — Add a drift-ignore list (via ignore_changes lifecycle block) for known-noisy fields like last_modified timestamps

Understand an unfamiliar Terraform module

👤 New team members dropped into a 500-file terraform repo ⏱ ~15 min beginner

使うタイミング: You inherited an infra repo and need a map of what's there before touching anything.

フロー
  1. Scan the directory
    List every module in ~/work/infra. For each, tell me what resources it manages and what inputs it expects.✓ コピーしました
    → Module inventory with purpose and inputs per module
  2. Generate a dependency graph
    Run terraform graph and describe the module dependency tree — which modules depend on which.✓ コピーしました
    → Clear ASCII tree or numbered list

結果: A mental map of the repo without having to read every .tf file by hand.

注意点
  • Some modules are unused dead code — Ask tfmcp to flag modules referenced nowhere in the root or any other module
組み合わせ: filesystem

組み合わせ

他のMCPと組み合わせて10倍の力を

tfmcp + github

Review a Terraform PR end-to-end: pull diff from GitHub, plan locally via tfmcp, post review comment

Fetch PR #42 from acme/infra, checkout the branch, run tfmcp terraform plan, and draft a review comment.✓ コピーしました
tfmcp + filesystem

Bulk-refactor HCL files and verify the plan doesn't change output

Rename variable aws_region to region across all .tf files in ~/infra, then confirm plan shows no resource changes.✓ コピーしました

ツール

このMCPが提供する機能

ツール入力呼び出すタイミングコスト
terraform_plan dir?: str, var_file?: str Safe — always run before apply 1 terraform plan run
terraform_apply dir?: str, auto_approve?: bool Only with TFMCP_ALLOW_DANGEROUS_OPS=true and explicit user intent real cloud changes
terraform_validate dir?: str Before commit — cheap syntax/type check free
terraform_state_list dir?: str Inventory what Terraform knows about free (reads state)
terraform_show dir?: str, resource?: str Inspect the stored state for a specific resource free
terraform_graph dir?: str Understand module/resource dependencies free

コストと制限

運用コスト

APIクォータ
No tfmcp-level quota; bounded by your cloud provider API rate limits
呼び出しあたりのトークン
Plan output for large repos can hit 20k+ tokens — use targeting
金額
Free and MIT; real cost is whatever apply touches in your cloud
ヒント
Keep apply off by default. Use terraform plan -target=module.x to scope noisy plans and save context tokens.

セキュリティ

権限、シークレット、影響範囲

最小スコープ: Local terraform binary + cloud-provider read credentials for plan/validate
認証情報の保管: Whatever terraform already uses — AWS env vars, ~/.aws/credentials, workload identity, etc.
データ送信先: Calls your cloud provider APIs directly from your machine; tfmcp does not call back home
絶対に付与しない: TFMCP_ALLOW_DANGEROUS_OPS=true in shared sessions Admin cloud credentials when read-only would suffice

トラブルシューティング

よくあるエラーと対処法

terraform binary not found

Install Terraform and ensure it's on PATH. tfmcp shells out to terraform; it does not bundle it.

確認: terraform version
Error: No valid credential sources

Your shell's cloud creds aren't exported. Run aws sts get-caller-identity (or equivalent) first.

確認: aws sts get-caller-identity
Plan says 'apply denied: TFMCP_ALLOW_DANGEROUS_OPS not set'

By design. If you truly want to apply, export TFMCP_ALLOW_DANGEROUS_OPS=true for that session only.

確認: echo $TFMCP_ALLOW_DANGEROUS_OPS
Backend initialization required

Run terraform init once manually in the target dir before calling tfmcp tools.

確認: terraform init

代替案

tfmcp 他との比較

代替案代わりに使う場面トレードオフ
terraform-mcp-server (hashicorp official)You want a vendor-backed MCP with registry supportLess CLI parity; fewer state/drift tools
Raw shell MCP + terraformYou want total flexibilityNo guardrails — easy to run terraform destroy by accident

その他

リソース

📖 GitHub の公式 README を読む

🐙 オープンな issue を見る

🔍 400以上のMCPサーバーとSkillsを見る