
MCP server for auditing Terraform state files for security misconfigurations

Project description

mcp-tfstate-reader


A local Model Context Protocol (MCP) server that parses Terraform .tfstate files and lets AI agents audit enterprise infrastructure for security misconfigurations — without requiring direct cloud credentials.


Features

  • list_resources: parse a .tfstate file and list every managed resource with its address and type
  • audit_security: scan for the common misconfigurations listed below
  • get_resource_detail: dump the full attributes of a specific resource, looked up by address

Security checks in audit_security

  • S3 — buckets without server-side encryption
  • Security Groups — ingress rules whose source is 0.0.0.0/0 and whose port range covers a sensitive port: 22 (SSH), 3389 (RDP), 5432 (PostgreSQL)
  • IAM — policies whose Action includes the wildcard * (every API call on whatever Resource the statement names; combined with Resource * this is full admin access)
  • RDS — instances without storage_encrypted = true
  • EC2 — instances with associate_public_ip_address = true
  • CloudWatch — log groups without a retention policy (log events are then kept indefinitely)

Requirements

  • Python 3.10+
  • mcp SDK

Installation

git clone https://github.com/berkay-yildirim/mcp-tfstate-reader.git
cd mcp-tfstate-reader
make setup

Or install the published package directly (the release is uploaded through PyPI Trusted Publishing; file hashes and attestation bundles are listed under File details below):

pip install mcp-tfstate-reader

Usage

Run the server

make start
# or
python -m mcp_tfstate_reader.server

The server communicates over stdio (standard input/output), the default MCP transport for local tools: the client (for example Claude Desktop) starts it as a child process and talks to it over pipes, so the server never listens on a network port.

Use with a tfstate file

Point any of the three tools at a local .tfstate file path. Keep in mind that Terraform state stores resource attributes in plaintext, including values Terraform marks as sensitive (database master passwords, access-key secrets, private keys), so everything in the file becomes readable by the model and by any client or logging layer between it and the server; get_resource_detail in particular returns attributes verbatim. Run the server only against state you are prepared to expose to that agent, or pre-filter the file first.

{
  "tfstate_path": "/path/to/terraform.tfstate"
}
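One way to pre-filter a state file before handing it to the model. This is an added example, not part of mcp-tfstate-reader: it uses the v4 state layout (a per-instance "sensitive_attributes" list of paths and a "sensitive" flag on outputs) and adds a name-based fallback of its own (the SECRET_NAME pattern is an assumption, not something Terraform provides). The sample state is constructed and its credentials are placeholders.

```python
"""Redact secrets from a Terraform v4 state before a model sees it.

Added example, not mcp-tfstate-reader code. Terraform records which attributes
are sensitive in each instance's "sensitive_attributes" (a list of paths whose
steps look like {"type": "get_attr", "value": "password"}) and flags sensitive
outputs with "sensitive": true. The SECRET_NAME fallback is this example's own
heuristic for providers that do not mark a secret.
"""
import copy
import json
import re

REDACTED = "[REDACTED]"
# Assumed attribute-name fragments that usually hold secrets (heuristic, not from Terraform).
SECRET_NAME = re.compile(r"password|secret|private_key|token|credential", re.I)


def marked_sensitive(instance):
    """Top-level attribute names Terraform marked sensitive for this instance.

    Only the first get_attr step of each path is used, so a sensitive value
    nested inside a block redacts its whole top-level attribute (conservative).
    """
    names = set()
    for path in instance.get("sensitive_attributes") or []:
        for step in path:
            if step.get("type") == "get_attr":
                names.add(step["value"])
                break
    return names


def redact_state(state):
    """Return (redacted deep copy, list of 'address.attribute' entries redacted)."""
    out = copy.deepcopy(state)  # never mutate the caller's state
    log = []
    for res in out.get("resources", []):
        address = f"{res.get('type')}.{res.get('name')}"
        if res.get("module"):
            address = f"{res['module']}.{address}"
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            marked = marked_sensitive(inst)
            for key, value in attrs.items():  # assigning existing keys is safe mid-iteration
                by_name = isinstance(value, str) and value and SECRET_NAME.search(key)
                if key in marked or by_name:
                    attrs[key] = REDACTED
                    log.append(f"{address}.{key}")
    for name, output in (out.get("outputs") or {}).items():
        if output.get("sensitive") is True:
            output["value"] = REDACTED
            log.append(f"output.{name}")
    return out, log


# Constructed sample state; the credentials below are placeholders, not real secrets.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "1.6.0",
    "outputs": {
        "db_endpoint": {"value": "prod.example.internal:5432", "type": "string"},
        "db_password": {"value": "hunter2", "type": "string", "sensitive": True},
    },
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "prod",
         "instances": [{
             "attributes": {"id": "prod", "engine": "postgres", "username": "app",
                            "password": "hunter2", "storage_encrypted": True},
             "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "deploy",
         "instances": [{
             "attributes": {"id": "AKIAEXAMPLEKEY000000", "user": "deploy",
                            "secret": "exampleSecretKeyValueDoNotUse", "status": "Active"},
             "sensitive_attributes": []}]},  # provider did not mark "secret": name fallback catches it
    ],
}

if __name__ == "__main__":
    clean, log = redact_state(SAMPLE_STATE)
    print(json.dumps(clean, indent=2))
    print("redacted:", log)
```

Run it over a real state with `json.load(open(path))` in place of SAMPLE_STATE and write the redacted copy to a separate path for the MCP server to read; the returned log tells you which attributes were stripped, so you can confirm the audit checks above still have what they need (none of the six checks depend on a secret value).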

Claude Desktop integration

Add the following to your Claude Desktop MCP configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

Option A — installed via pip

{
  "mcpServers": {
    "tfstate-reader": {
      "command": "mcp-tfstate-reader"
    }
  }
}

Option B — from source (virtualenv)

{
  "mcpServers": {
    "tfstate-reader": {
      "command": "/absolute/path/to/mcp-tfstate-reader/.venv/bin/python",
      "args": ["-m", "mcp_tfstate_reader.server"]
    }
  }
}

Option C — with uvx (no install required)

{
  "mcpServers": {
    "tfstate-reader": {
      "command": "uvx",
      "args": ["mcp-tfstate-reader"]
    }
  }
}

Development

# Install with dev dependencies
make setup

# Run tests
make test

# Build distribution
make build

# Clean everything
make clean

Example interaction

Once connected to Claude Desktop, you can ask:

"Audit /home/user/infra/prod/terraform.tfstate for security issues."

Claude will call audit_security and return a structured list of findings like:

Found 4 finding(s):

[HIGH] aws_s3_bucket.assets: S3 bucket has no server-side encryption configuration.
[HIGH] aws_security_group.bastion: Security group allows 0.0.0.0/0 ingress on port 22.
[CRITICAL] aws_iam_policy.admin: IAM policy contains a wildcard (*) action — grants unrestricted permissions.
[HIGH] aws_db_instance.prod: RDS instance storage is not encrypted.
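The six checks from the "Security checks in audit_security" list, implemented over a v4 state and rendered in the shape of the sample output above. This is an added example, not the mcp-tfstate-reader implementation: the MEDIUM and LOW severities for the EC2 and CloudWatch checks are this example's choice (the README only shows HIGH and CRITICAL), and two marked extensions go past the README's wording, treating "::/0" like "0.0.0.0/0" and accepting S3 encryption from a separate aws_s3_bucket_server_side_encryption_configuration resource (the AWS provider v4+ layout) as well as the inline block. The sample state is constructed.

```python
"""Six audit_security checks over a Terraform v4 state (added example, not the
mcp-tfstate-reader code). MEDIUM/LOW for the EC2 and CloudWatch checks are this
example's choice. Two marked extensions go past the README: "::/0" counts as an
open source, and S3 encryption is also accepted from a separate
aws_s3_bucket_server_side_encryption_configuration resource (provider v4+)."""
import json
from collections import namedtuple

Finding = namedtuple("Finding", "severity address message")
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 5432: "PostgreSQL"}
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # extension: IPv6 any-source too

def iter_instances(state):
    """Yield (address, resource_type, attributes) for each managed instance."""
    for res in state.get("resources", []):
        if res.get("mode") != "managed":
            continue  # data sources are read-only lookups, not our infrastructure
        base = f"{res['module']}." if res.get("module") else ""
        base += f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            key = inst.get("index_key")  # present for count / for_each instances
            addr = base + (f"[{json.dumps(key)}]" if key is not None else "")
            yield addr, res["type"], inst.get("attributes") or {}

def allows_wildcard_action(policy_json):
    """True if an Allow statement in the policy document lists Action "*"."""
    try:
        doc = json.loads(policy_json or "")
    except ValueError:
        return False
    stmts = doc.get("Statement", []) if isinstance(doc, dict) else []
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") == "Allow" and "*" in actions:
            return True
    return False

def open_sensitive_ports(rule):
    """(source_cidr, port) pairs where an ingress rule exposes a sensitive port to anyone."""
    sources = (set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])) & OPEN_CIDRS
    if not sources:
        return []
    if str(rule.get("protocol")) == "-1":  # protocol -1 means all traffic on every port
        ports = sorted(SENSITIVE_PORTS)
    else:
        lo, hi = int(rule.get("from_port") or 0), int(rule.get("to_port") or 0)
        ports = [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]
    return [(c, p) for c in sorted(sources) for p in ports]

def audit_security(state):
    findings = []
    sse_buckets = {a.get("bucket") for _, t, a in iter_instances(state)
                   if t == "aws_s3_bucket_server_side_encryption_configuration"}
    for addr, rtype, a in iter_instances(state):
        if rtype == "aws_s3_bucket":  # inline block (provider v3) or separate resource (v4+)
            if not a.get("server_side_encryption_configuration") and a.get("bucket") not in sse_buckets:
                findings.append(Finding("HIGH", addr, "S3 bucket has no server-side encryption configuration."))
        elif rtype == "aws_security_group":
            for rule in a.get("ingress") or []:
                for cidr, port in open_sensitive_ports(rule):
                    findings.append(Finding("HIGH", addr,
                        f"Security group allows {cidr} ingress on port {port} ({SENSITIVE_PORTS[port]})."))
        elif rtype == "aws_iam_policy" and allows_wildcard_action(a.get("policy")):
            findings.append(Finding("CRITICAL", addr, "IAM policy contains a wildcard (*) action: grants unrestricted permissions."))
        elif rtype == "aws_db_instance" and a.get("storage_encrypted") is not True:
            findings.append(Finding("HIGH", addr, "RDS instance storage is not encrypted."))
        elif rtype == "aws_instance" and a.get("associate_public_ip_address") is True:
            findings.append(Finding("MEDIUM", addr, "EC2 instance is launched with a public IP address."))
        elif rtype == "aws_cloudwatch_log_group" and not a.get("retention_in_days"):  # absent or 0 = never expire
            findings.append(Finding("LOW", addr, "CloudWatch log group has no retention policy."))
    return findings

def render(findings):
    """Text in the shape of the README's sample output."""
    return "\n".join([f"Found {len(findings)} finding(s):", ""] + [f"[{f.severity}] {f.address}: {f.message}" for f in findings])

ADMIN = json.dumps({"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})

def res(t, n, attrs, **inst):  # builds one single-instance resource entry for the sample
    return {"mode": "managed", "type": t, "name": n, "instances": [dict(attributes=attrs, **inst)]}

# Constructed sample state: four misconfigured resources, three clean ones (abbreviated attributes).
SAMPLE_STATE = {"version": 4, "resources": [
    res("aws_s3_bucket", "assets", {"bucket": "assets-prod", "server_side_encryption_configuration": []}),
    res("aws_s3_bucket", "logs", {"bucket": "logs-prod", "server_side_encryption_configuration": []}),
    res("aws_s3_bucket_server_side_encryption_configuration", "logs", {"bucket": "logs-prod"}),
    res("aws_security_group", "bastion", {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}),
    res("aws_iam_policy", "admin", {"name": "admin", "policy": ADMIN}),
    res("aws_db_instance", "prod", {"identifier": "prod", "storage_encrypted": False}),
    res("aws_instance", "web", {"associate_public_ip_address": False}, index_key=0),
    res("aws_cloudwatch_log_group", "app", {"name": "/app/prod", "retention_in_days": 30}),
]}

if __name__ == "__main__":
    print(render(audit_security(SAMPLE_STATE)))
```

The port check compares each sensitive port against the rule's from_port/to_port range rather than looking for an exact match, so a 0-65535 "tcp" rule or a protocol "-1" rule is reported for all three ports; the S3 check looks at the bucket's own attributes first and only then at a companion encryption resource keyed on the same bucket name, which is how states written with AWS provider v4 or later express encryption.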

License

MIT © Berkay Yildirim

Download files


Source Distribution

mcp_tfstate_reader-0.1.1.tar.gz (9.2 kB, Source)

Built Distribution


mcp_tfstate_reader-0.1.1-py3-none-any.whl (6.3 kB, Python 3)

File details

Details for the file mcp_tfstate_reader-0.1.1.tar.gz.

File metadata

  • Download URL: mcp_tfstate_reader-0.1.1.tar.gz
  • Upload date:
  • Size: 9.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for mcp_tfstate_reader-0.1.1.tar.gz
Algorithm Hash digest
SHA256 28155a60c824c15c798f259c52c88aa603b4938175c5fe2c43b4e95dd2320028
MD5 1b7abca7dd306a6188a6949973b65068
BLAKE2b-256 d3c6598cd53fc4a4279dddaacca67da9e5054dcaa3610294b1c7b5fcacf79445


Provenance

The following attestation bundles were made for mcp_tfstate_reader-0.1.1.tar.gz:

Publisher: release.yml on berkayyildirim/mcp-tfstate-reader

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file mcp_tfstate_reader-0.1.1-py3-none-any.whl.

File hashes

Hashes for mcp_tfstate_reader-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 33f2e4af7c67b12ba5067364059d7974f518c0ac99f3e4ef1c445c1d3df6c66c
MD5 e377bae292218451f6598bb4c15cfa75
BLAKE2b-256 730e99976f3bf525a66f2e29fb2f65d3bae710e930d9314e47d2daa1c887fd56


Provenance

The following attestation bundles were made for mcp_tfstate_reader-0.1.1-py3-none-any.whl:

Publisher: release.yml on berkayyildirim/mcp-tfstate-reader

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
