tfmcp

By: nwiizo · nwiizo/tfmcp

Let Claude read your Terraform configs, dry-run plans, and (opt-in) apply changes — without handing over your cloud keys.

tfmcp wraps the local Terraform CLI as an MCP server. It reads HCL, runs plan/validate/format, explores state, and — only when you explicitly enable TFMCP_ALLOW_DANGEROUS_OPS — can apply or destroy. Credentials stay in your existing AWS/GCP/Azure env; tfmcp never sees them directly.

Installation

Choose your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart the app after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. Project settings take precedence over global ones.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then select "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Same format as Claude Desktop. Takes effect after restarting Windsurf.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "tfmcp",
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "tfmcp": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/nwiizo/tfmcp"
        ]
      }
    }
  }
}

Add it under context_servers. Zed hot-reloads on save.

claude mcp add tfmcp -- TODO 'See README: https://github.com/nwiizo/tfmcp'

One-line command. Verify with claude mcp list, remove with claude mcp remove.

Use cases

How to use it in practice: tfmcp

Review a Terraform plan before merging the PR

👤 Platform engineers, SREs reviewing IaC pull requests ⏱ ~10 min intermediate

When to use: A PR changes 40+ resources and you want a sanity check on blast radius before approving.

Prerequisites
  • Terraform CLI installed and cloud credentials configured: aws configure or equivalent; tfmcp uses whatever your shell has
  • tfmcp installed via cargo — cargo install tfmcp
Steps
  1. Point tfmcp at the Terraform directory
    Set TERRAFORM_DIR to ~/work/infra/prod and run terraform plan. Summarize what's changing.
    → Clean plan summary with add/change/destroy counts
  2. Ask for a risk-scored breakdown
    For every resource being destroyed or replaced, rate the risk (low/med/high) and explain why. Flag anything stateful.
    → Risk table highlighting DB, queue, or data resources
  3. Get a PR-ready review comment
    Draft a PR review comment: approve, request changes, or block — with reasoning.
    → Actionable review text ready to paste

Result: A risk-aware plan review in 3 minutes instead of 30, with no keystrokes spent on apply.

Pitfalls
  • Plan succeeds locally but will fail in CI due to different provider versions — Make sure tfmcp's terraform version matches what your CI uses — pin via .terraform-version or tfenv
  • State is remote and tfmcp gets stuck on auth — Run terraform init once manually to cache backend creds before invoking tfmcp
Use with: github · filesystem
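
A deterministic cross-check for the risk-scored breakdown in step 2, as an added example that is not part of tfmcp or the original page: it reads the JSON that `terraform show -json <planfile>` produces and flags every destroyed or replaced resource. The STATEFUL_TYPES set, the risk labels and the sample plan are assumptions made for this illustration.

```python
import json, sys

# Assumption: resource types treated as stateful (destroy means data loss).
# Extend for your own providers; this set is not part of tfmcp.
STATEFUL_TYPES = {
    "aws_db_instance", "aws_rds_cluster", "aws_s3_bucket",
    "aws_dynamodb_table", "aws_sqs_queue", "aws_ebs_volume",
}

def classify(actions):
    """Map Terraform's change.actions list to a single verb (None = no change)."""
    acts = set(actions)
    if acts == {"delete", "create"}:
        return "replace"  # covers both delete-first and create-first ordering
    if acts == {"delete"}:
        return "destroy"
    if acts <= {"no-op", "read"}:
        return None
    return "update" if "update" in acts else "create"

def review_plan(plan):
    """Return (counts, findings); findings list destroy/replace with a risk."""
    counts = {"create": 0, "update": 0, "replace": 0, "destroy": 0}
    findings = []
    for rc in plan.get("resource_changes", []):
        verb = classify(rc.get("change", {}).get("actions", []))
        if verb is None:
            continue
        counts[verb] += 1
        if verb in ("destroy", "replace"):
            risk = "high" if rc.get("type") in STATEFUL_TYPES else "medium"
            findings.append((risk, verb, rc["address"]))
    findings.sort(key=lambda f: (f[0] != "high", f[2]))  # high risk first
    return counts, findings

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_db_instance.main", "type": "aws_db_instance", "change": {"actions": ["delete", "create"]}},
    {"address": "aws_instance.web", "type": "aws_instance", "change": {"actions": ["update"]}},
    {"address": "aws_security_group.old", "type": "aws_security_group", "change": {"actions": ["delete"]}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {"actions": ["no-op"]}},
    {"address": "aws_sqs_queue.jobs", "type": "aws_sqs_queue", "change": {"actions": ["create"]}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    counts, findings = review_plan(plan)
    print(counts)
    for risk, verb, addr in findings:
        print(f"{risk:6} {verb:8} {addr}")
```

Comparing this output with the model's summary catches a destroy or replace that the summary omitted or mislabelled.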

Detect and explain Terraform drift in production

👤 SREs auditing 'what changed outside of Terraform' ⏱ ~20 min intermediate

When to use: Monthly drift check, or when a cloud console change is suspected.

Steps
  1. Run a plan against prod and look for changes
    Run terraform plan against prod and tell me if there's drift — resources where the real state diverges from .tf.
    → List of drifted resources with diffs
  2. Classify each drift
    For each drift, say whether it's safe to refresh (reconcile Terraform to reality) or requires re-apply (reconcile reality to Terraform).
    → Two lists: refresh-candidates and re-apply-candidates

Result: A drift report with specific remediation plan per resource.

Pitfalls
  • Drift is normal for some auto-scaled or provider-managed fields — Add a drift-ignore list (via ignore_changes lifecycle block) for known-noisy fields like last_modified timestamps

Understand an unfamiliar Terraform module

👤 New team members dropped into a 500-file terraform repo ⏱ ~15 min beginner

When to use: You inherited an infra repo and need a map of what's there before touching anything.

Steps
  1. Scan the directory
    List every module in ~/work/infra. For each, tell me what resources it manages and what inputs it expects.
    → Module inventory with purpose and inputs per module
  2. Generate a dependency graph
    Run terraform graph and describe the module dependency tree — which modules depend on which.
    → Clear ASCII tree or numbered list

Result: A mental map of the repo without having to read every .tf file by hand.

Pitfalls
  • Some modules are unused dead code — Ask tfmcp to flag modules referenced nowhere in the root or any other module
Use with: filesystem

Combinations

Combine with other MCPs for 10x efficiency

tfmcp + github

Review a Terraform PR end-to-end: pull diff from GitHub, plan locally via tfmcp, post review comment

Fetch PR #42 from acme/infra, checkout the branch, run tfmcp terraform plan, and draft a review comment.

tfmcp + filesystem

Bulk-refactor HCL files and verify the plan doesn't change output

Rename variable aws_region to region across all .tf files in ~/infra, then confirm plan shows no resource changes.

Tools

What this MCP exposes

Tool | Input | When to call | Cost
terraform_plan | dir?: str, var_file?: str | Safe — always run before apply | 1 terraform plan run
terraform_apply | dir?: str, auto_approve?: bool | Only with TFMCP_ALLOW_DANGEROUS_OPS=true and explicit user intent | real cloud changes
terraform_validate | dir?: str | Before commit — cheap syntax/type check | free
terraform_state_list | dir?: str | Inventory what Terraform knows about | free (reads state)
terraform_show | dir?: str, resource?: str | Inspect the stored state for a specific resource | free
terraform_graph | dir?: str | Understand module/resource dependencies | free

Cost and limits

Operating costs

API quota: No tfmcp-level quota; bounded by your cloud provider API rate limits
Tokens per call: Plan output for large repos can hit 20k+ tokens — use targeting
Price: Free and MIT; real cost is whatever apply touches in your cloud
Keep apply off by default. Use terraform plan -target=module.x to scope noisy plans and save context tokens.

Security

Permissions, secrets, blast radius

Minimum scope: Local terraform binary + cloud-provider read credentials for plan/validate
Credential storage: Whatever terraform already uses — AWS env vars, ~/.aws/credentials, workload identity, etc.
Data egress: Calls your cloud provider APIs directly from your machine; tfmcp does not call back home
Never grant:
  • TFMCP_ALLOW_DANGEROUS_OPS=true in shared sessions
  • Admin cloud credentials when read-only would suffice

Troubleshooting

Common errors and fixes

terraform binary not found

Install Terraform and ensure it's on PATH. tfmcp shells out to terraform; it does not bundle it.

Check: terraform version

Error: No valid credential sources

Your shell's cloud creds aren't exported. Run aws sts get-caller-identity (or equivalent) first.

Check: aws sts get-caller-identity

Plan says 'apply denied: TFMCP_ALLOW_DANGEROUS_OPS not set'

By design. If you truly want to apply, export TFMCP_ALLOW_DANGEROUS_OPS=true for that session only.

Check: echo $TFMCP_ALLOW_DANGEROUS_OPS

Backend initialization required

Run terraform init once manually in the target dir before calling tfmcp tools.

Check: terraform init

Alternatives

tfmcp compared with others

Alternative | When to use | Trade-offs
terraform-mcp-server (hashicorp official) | You want a vendor-backed MCP with registry support | Less CLI parity; fewer state/drift tools
Raw shell MCP + terraform | You want total flexibility | No guardrails — easy to run terraform destroy by accident
