MCP-backed Terraform assistant with ephemeral-values compliance.
Project description
Terraform Guardrail MCP
Terraform Guardrail MCP is a Python-based MCP server + CLI + minimal web UI that helps AI assistants and platform teams generate valid Terraform code and enforce ephemeral-values compliance. It targets multi-cloud teams and focuses on reducing configuration drift, secret leakage, and invalid provider usage. Live app: https://terraform-guardrail.streamlit.app/
What it does
- MCP server that exposes provider metadata and compliance checks
- CLI for scanning Terraform configs and state for sensitive leaks
- Minimal web UI for quick scans and reports
- Rules engine focused on ephemeral values, write-only arguments, and secret hygiene
Architecture
flowchart LR
subgraph Interfaces
CLI[CLI]
MCP[MCP Server]
WEB[Web UI]
end
subgraph Core
SCAN[Compliance Engine]
GEN[Snippet Generator]
end
REG[Terraform Registry]
TF[Terraform CLI]
CLI --> SCAN
WEB --> SCAN
MCP --> SCAN
MCP --> GEN
SCAN --> TF
GEN --> REG
MCP --> REG
flowchart TB
INPUTS[Inputs: .tf, .tfvars, .tfstate] --> PARSE[Parse & Normalize]
PARSE --> RULES[Apply Rules TG001-TG005]
RULES --> REPORT[Findings + Summary Report]
REPORT --> OUTPUT[CLI JSON / UI Render / MCP Response]
MVP scope (v0.1)
- Scan .tf and .tfvars for sensitive values and missing ephemeral = true
- Scan .tfstate for leaked sensitive values
- Provider metadata retrieval for AWS, Azure, GCP, Kubernetes, Helm, OCI, Vault, Alicloud, and vSphere via Terraform Registry
- MCP server with scan_terraform and get_provider_metadata tools
- Minimal web UI for uploading a file and viewing the report
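The two MVP scans above, illustrated with a simplified checker that is added here and is not the project's own engine: it flags variables marked sensitive but not ephemeral in a .tf file, and outputs in a .tfstate whose value is stored in clear even though the output is flagged sensitive. The HCL and state samples are constructed, and the regex-based block parser is an assumption (the project parses and normalises HCL properly).

```python
import json
import re

# Constructed sample .tf: db_password is sensitive but not ephemeral (finding),
# api_token is sensitive and ephemeral (compliant), region is a plain variable.
SAMPLE_TF = """
variable "db_password" {
  type      = string
  sensitive = true
}
variable "api_token" {
  type      = string
  sensitive = true
  ephemeral = true
}
variable "region" {
  type    = string
  default = "us-east-1"
}
"""

# Constructed sample .tfstate: Terraform keeps the plaintext value of a
# sensitive output in the state file, which is exactly the leak to detect.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "outputs": {
        "db_password": {"value": "hunter2", "type": "string", "sensitive": True},
        "bucket_name": {"value": "demo", "type": "string", "sensitive": False},
    },
})

# Naive matcher for top-level variable blocks without nested blocks (assumption).
VAR_BLOCK = re.compile(r'variable\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)


def check_variables(tf_text):
    """Return names of variables marked sensitive = true but lacking ephemeral = true."""
    findings = []
    for name, body in VAR_BLOCK.findall(tf_text):
        sensitive = re.search(r'^\s*sensitive\s*=\s*true', body, re.M)
        ephemeral = re.search(r'^\s*ephemeral\s*=\s*true', body, re.M)
        if sensitive and not ephemeral:
            findings.append(name)
    return findings


def check_state(state_json):
    """Return names of outputs flagged sensitive whose value is present in state."""
    state = json.loads(state_json)
    return [name for name, out in state.get("outputs", {}).items()
            if out.get("sensitive") and out.get("value") not in (None, "")]
```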
Quickstart
python -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"
# CLI scan
terraform-guardrail scan examples
# snippet generation
terraform-guardrail generate aws aws_s3_bucket --name demo
# MCP server (stdio)
terraform-guardrail mcp
# Web UI
terraform-guardrail web
Install from PyPI
pip install terraform-guardrail
PyPI: https://pypi.org/project/terraform-guardrail/ (latest: 0.2.3)
CLI examples
# scan a directory
terraform-guardrail scan ./examples --format json
# scan state files too
terraform-guardrail scan ./examples --state ./examples/sample.tfstate
# enable schema-aware validation (requires terraform CLI + initialized workspace)
terraform-guardrail scan ./examples --schema
Web UI
Visit http://127.0.0.1:8000 and upload a Terraform file to view a compliance report.
Streamlit App
streamlit run streamlit_app.py
Live app: https://terraform-guardrail.streamlit.app/
Streamlit Cloud deployment
- Push this repo to GitHub.
- Create a new Streamlit Cloud app.
- Set the main file path to streamlit_app.py.
- Deploy (Streamlit will install from requirements.txt).
Release Links
- PyPI: https://pypi.org/project/terraform-guardrail/
- GitHub Releases: https://github.com/Huzefaaa2/terraform-guardrail/releases
Deployment Guide
See docs/streamlit_cloud.md for a detailed Streamlit Cloud walkthrough.
Diagrams
Mermaid diagrams render on GitHub and the Wiki. If you're viewing this on PyPI, use these links:
- GitHub README: https://github.com/Huzefaaa2/terraform-guardrail#architecture
- Wiki Diagrams: https://github.com/Huzefaaa2/terraform-guardrail/wiki/Diagrams
Release Checklist
- Update version in pyproject.toml.
- Update RELEASE_NOTES.md and CHANGELOG.md.
- Commit changes and push to main.
- Create and push a tag: git tag -a vX.Y.Z -m "vX.Y.Z" then git push origin vX.Y.Z.
- Confirm GitHub Actions release workflow completed successfully.
Changelog Automation
This repo uses git-cliff to generate CHANGELOG.md.
git cliff -o CHANGELOG.md
Or run:
make changelog
Release Helpers
make release-dry VERSION=0.2.1
make version-bump VERSION=0.2.1
MCP tools (current)
- scan_terraform: Run compliance checks over a path and optional state file.
- get_provider_metadata: Fetch provider metadata from Terraform Registry (AWS + Azure).
- generate_snippet: Generate Terraform snippets for common AWS/Azure resources.
Roadmap
- Schema-aware code generation using provider schemas
- fix command to apply safe rewrites for ephemeral values
- Multi-environment policies and OPA-compatible output
- Stack-aware orchestration and drift detection
License
MIT
File details
Details for the file terraform_guardrail-0.2.4.tar.gz.
File metadata
- Download URL: terraform_guardrail-0.2.4.tar.gz
- Upload date:
- Size: 15.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 94f8c6621680aabab544d1906678957869939356f35b1e6713803e7c35d56a0e |
| MD5 | 3758e70006137a438749e7b33eebce74 |
| BLAKE2b-256 | bf081f30d1b8122767735e15b84c1b1ccbebfeb977a590a9dcebb4e329f9d6ef |
File details
Details for the file terraform_guardrail-0.2.4-py3-none-any.whl.
File metadata
- Download URL: terraform_guardrail-0.2.4-py3-none-any.whl
- Upload date:
- Size: 16.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 65b441e49bc26790f89b5d53b1741350c1f9edd5d814f5ea7fba9b39a165d2a1 |
| MD5 | 295acc4203ebecf7adbfb6743854d2aa |
| BLAKE2b-256 | 4632379eafd803af5931fd681a1a28db9d58f75fcddc684aaac3e8b9d7587f6e |