
tfmcp

by nwiizo · nwiizo/tfmcp

Let Claude read your Terraform configs, dry-run plans, and (opt-in) apply changes — without handing over your cloud keys.

tfmcp wraps the local Terraform CLI as an MCP server. It reads HCL, runs plan/validate/format, explores state, and — only when you explicitly enable TFMCP_ALLOW_DANGEROUS_OPS — can apply or destroy. Credentials stay in your existing AWS/GCP/Azure env; tfmcp never sees them directly.


Install

Choose your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. Project config takes precedence over the global one.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "tfmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ],
      "_inferred": true
    }
  }
}

Same format as Claude Desktop. Restart Windsurf to apply.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "tfmcp",
      "command": "TODO",
      "args": [
        "See README: https://github.com/nwiizo/tfmcp"
      ]
    }
  ]
}

Continue uses an array of server objects instead of a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "tfmcp": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/nwiizo/tfmcp"
        ]
      }
    }
  }
}

Add it under context_servers. Zed reloads automatically on save.

claude mcp add tfmcp -- TODO 'See README: https://github.com/nwiizo/tfmcp'

A single line. Verify with claude mcp list. Remove with claude mcp remove.

Use cases

Real-world uses: tfmcp

Review a Terraform plan before merging the PR

👤 Platform engineers, SREs reviewing IaC pull requests ⏱ ~10 min intermediate

When to use: A PR changes 40+ resources and you want a sanity check on blast radius before approving.

Prerequisites
  • Terraform CLI installed and cloud credentials configured (aws configure or equivalent; tfmcp uses whatever your shell has)
  • tfmcp installed via cargo — cargo install tfmcp
Flow
  1. Point tfmcp at the Terraform directory
    Set TERRAFORM_DIR to ~/work/infra/prod and run terraform plan. Summarize what's changing.
    → Clean plan summary with add/change/destroy counts
  2. Ask for a risk-scored breakdown
    For every resource being destroyed or replaced, rate the risk (low/med/high) and explain why. Flag anything stateful.
    → Risk table highlighting DB, queue, or data resources
  3. Get a PR-ready review comment
    Draft a PR review comment: approve, request changes, or block — with reasoning.
    → Actionable review text ready to paste

Result: A risk-aware plan review in 3 minutes instead of 30, with no keystrokes spent on apply.

Pitfalls
  • Plan succeeds locally but will fail in CI due to different provider versions — Make sure tfmcp's terraform version matches what your CI uses — pin via .terraform-version or tfenv
  • State is remote and tfmcp gets stuck on auth — Run terraform init once manually to cache backend creds before invoking tfmcp
Combine with: github · filesystem
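
The destroy/replace triage from step 2 can also be computed deterministically from the machine-readable plan, as a cross-check on the model's summary. This is an added example, not tfmcp's own code: it assumes the plan was exported with terraform show -json, and the STATEFUL_PREFIXES list, the risk labels and the sample plan are constructed for illustration.

```python
import json

# Assumed, illustrative prefixes of resource types that hold data.
STATEFUL_PREFIXES = (
    "aws_db_", "aws_rds_", "aws_s3_bucket", "aws_dynamodb_table",
    "aws_ebs_volume", "aws_sqs_queue", "google_sql_", "google_storage_bucket",
    "azurerm_storage_account", "azurerm_mssql_",
)

def classify(actions):
    """Collapse Terraform's change.actions list into one verb."""
    acts = set(actions)
    if acts == {"create", "delete"}:
        return "replace"  # either order: ["delete","create"] or ["create","delete"]
    if acts == {"delete"}:
        return "destroy"
    return actions[0] if actions else "no-op"

def triage(plan):
    """Return (counts, findings) for a parsed `terraform show -json` plan."""
    counts = {"add": 0, "change": 0, "destroy": 0}
    findings = []
    for rc in plan.get("resource_changes", []):
        verb = classify(rc["change"]["actions"])
        if verb in ("create", "replace"):
            counts["add"] += 1
        if verb == "update":
            counts["change"] += 1
        if verb in ("destroy", "replace"):
            counts["destroy"] += 1
            stateful = rc["type"].startswith(STATEFUL_PREFIXES)
            # Risk labels are this example's own heuristic.
            findings.append({"address": rc["address"], "action": verb,
                             "risk": "high" if stateful else "medium"})
    findings.sort(key=lambda f: (f["risk"] != "high", f["address"]))
    return counts, findings

# Constructed sample, trimmed to the fields read above.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
 {"address": "aws_instance.web", "type": "aws_instance", "change": {"actions": ["update"]}},
 {"address": "aws_db_instance.main", "type": "aws_db_instance", "change": {"actions": ["delete", "create"]}},
 {"address": "aws_security_group.old", "type": "aws_security_group", "change": {"actions": ["delete"]}},
 {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {"actions": ["create"]}}
]}""")

if __name__ == "__main__":
    for f in triage(SAMPLE_PLAN)[1]:
        print(f"{f['risk']:6} {f['action']:8} {f['address']}")
```

A replace counts once under add and once under destroy, matching the totals in Terraform's own plan summary line.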

Detect and explain Terraform drift in production

👤 SREs auditing 'what changed outside of Terraform' ⏱ ~20 min intermediate

When to use: Monthly drift check, or when a cloud console change is suspected.

Flow
  1. Run a plan against prod and look for changes
    Run terraform plan against prod and tell me if there's drift — resources where the real state diverges from .tf.
    → List of drifted resources with diffs
  2. Classify each drift
    For each drift, say whether it's safe to refresh (reconcile Terraform to reality) or requires re-apply (reconcile reality to Terraform).
    → Two lists: refresh-candidates and re-apply-candidates

Result: A drift report with a specific remediation plan per resource.

Pitfalls
  • Drift is normal for some auto-scaled or provider-managed fields — Add a drift-ignore list (via ignore_changes lifecycle block) for known-noisy fields like last_modified timestamps

Understand an unfamiliar Terraform module

👤 New team members dropped into a 500-file terraform repo ⏱ ~15 min beginner

When to use: You inherited an infra repo and need a map of what's there before touching anything.

Flow
  1. Scan the directory
    List every module in ~/work/infra. For each, tell me what resources it manages and what inputs it expects.
    → Module inventory with purpose and inputs per module
  2. Generate a dependency graph
    Run terraform graph and describe the module dependency tree — which modules depend on which.
    → Clear ASCII tree or numbered list

Result: A mental map of the repo without having to read every .tf file by hand.

Pitfalls
  • Some modules are unused dead code — Ask tfmcp to flag modules referenced nowhere in the root or any other module
Combine with: filesystem

Combinations

Combine with other MCPs for 10× leverage

tfmcp + github

Review a Terraform PR end-to-end: pull diff from GitHub, plan locally via tfmcp, post review comment

Fetch PR #42 from acme/infra, check out the branch, run tfmcp terraform plan, and draft a review comment.

tfmcp + filesystem

Bulk-refactor HCL files and verify the plan doesn't change output

Rename variable aws_region to region across all .tf files in ~/infra, then confirm plan shows no resource changes.

Tools

What this MCP exposes

| Tool | Inputs | When to call | Cost |
| --- | --- | --- | --- |
| terraform_plan | dir?: str, var_file?: str | Safe — always run before apply | 1 terraform plan run |
| terraform_apply | dir?: str, auto_approve?: bool | Only with TFMCP_ALLOW_DANGEROUS_OPS=true and explicit user intent | real cloud changes |
| terraform_validate | dir?: str | Before commit — cheap syntax/type check | free |
| terraform_state_list | dir?: str | Inventory what Terraform knows about | free (reads state) |
| terraform_show | dir?: str, resource?: str | Inspect the stored state for a specific resource | free |
| terraform_graph | dir?: str | Understand module/resource dependencies | free |

Cost and limits

What it costs to run

API quota: No tfmcp-level quota; bounded by your cloud provider API rate limits
Tokens per call: Plan output for large repos can hit 20k+ tokens — use targeting
Monetary: Free and MIT; real cost is whatever apply touches in your cloud
Tip: Keep apply off by default. Use terraform plan -target=module.x to scope noisy plans and save context tokens.

Security

Permissions, secrets, scope

Minimum scopes: Local terraform binary + cloud-provider read credentials for plan/validate
Credential storage: Whatever terraform already uses — AWS env vars, ~/.aws/credentials, workload identity, etc.
Data egress: Calls your cloud provider APIs directly from your machine; tfmcp does not call back home
Never grant:
  • TFMCP_ALLOW_DANGEROUS_OPS=true in shared sessions
  • Admin cloud credentials when read-only would suffice
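
One way to check the rule about TFMCP_ALLOW_DANGEROUS_OPS on a workstation is to confirm the flag has not been persisted in an MCP client config, where it would apply to every session instead of one. This is an added example, not part of tfmcp: it assumes the client passes per-server environment variables through an env object in the server entry, the TRUTHY set is a guess at which values enable the flag, and the sample configs are constructed.

```python
import json

FLAG = "TFMCP_ALLOW_DANGEROUS_OPS"
TRUTHY = {"1", "true", "yes", "on"}  # assumption: values treated as "enabled"

def find_persisted_flag(node, path="$"):
    """Walk a parsed client config and yield the JSON path of every `env`
    object that enables FLAG. Schema-agnostic, so it covers the map form
    (mcpServers, context_servers) and the array form used by Continue."""
    if isinstance(node, dict):
        env = node.get("env")
        if isinstance(env, dict) and str(env.get(FLAG, "")).strip().lower() in TRUTHY:
            yield f"{path}.env.{FLAG}"
        for key, value in node.items():
            yield from find_persisted_flag(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_persisted_flag(value, f"{path}[{i}]")

def audit(config_text):
    """Return the sorted offending paths. A file that is not strict JSON
    (for example one with comments) is reported, never silently passed."""
    try:
        return sorted(find_persisted_flag(json.loads(config_text)))
    except json.JSONDecodeError as exc:
        return [f"unparseable config: {exc.msg}"]

# Constructed samples in the three schema shapes shown on this page.
SAMPLE_MAP = ('{"mcpServers": {"tfmcp": {"command": "TODO", '
              '"env": {"TFMCP_ALLOW_DANGEROUS_OPS": "true"}}}}')
SAMPLE_ARRAY = ('{"mcpServers": [{"name": "tfmcp", "command": "TODO", '
                '"env": {"TFMCP_ALLOW_DANGEROUS_OPS": "false"}}]}')
SAMPLE_ZED = ('{"context_servers": {"tfmcp": {"command": {"path": "TODO", '
              '"env": {"TFMCP_ALLOW_DANGEROUS_OPS": "1"}}}}}')

if __name__ == "__main__":
    for name, text in [("map", SAMPLE_MAP), ("array", SAMPLE_ARRAY), ("zed", SAMPLE_ZED)]:
        print(name, audit(text) or "ok")
```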

Troubleshooting

Common errors and fixes

terraform binary not found

Install Terraform and ensure it's on PATH. tfmcp shells out to terraform; it does not bundle it.

Check: terraform version

Error: No valid credential sources

Your shell's cloud creds aren't exported. Run aws sts get-caller-identity (or equivalent) first.

Check: aws sts get-caller-identity

Plan says 'apply denied: TFMCP_ALLOW_DANGEROUS_OPS not set'

By design. If you truly want to apply, export TFMCP_ALLOW_DANGEROUS_OPS=true for that session only.

Check: echo $TFMCP_ALLOW_DANGEROUS_OPS

Backend initialization required

Run terraform init once manually in the target dir before calling tfmcp tools.

Check: terraform init

Alternatives

tfmcp vs. others

| Alternative | When to use | Trade-off |
| --- | --- | --- |
| terraform-mcp-server (hashicorp official) | You want a vendor-backed MCP with registry support | Less CLI parity; fewer state/drift tools |
| Raw shell MCP + terraform | You want total flexibility | No guardrails — easy to run terraform destroy by accident |
