
terraform-partner

Terraform MCP Server with partner managed resources for AI-assisted remediation

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio vravind1-terraform-partner-mcp-server node server.js \
  --env AWS_REGION="us-east-1" \
  --env MCP_LOG_LEVEL="info" \
  --env MCP_ALLOWED_ORIGINS="http://localhost:3000" \
  --env SECURITY_HUB_ENABLED="true" \
  --env TF_REGISTRY_API_TOKEN="your-terraform-registry-api-token"

How to use

This Terraform MCP server with partner-managed resources provides an AI-assisted workflow for managing Terraform workspaces and automating security remediation. It integrates with the Terraform Registry APIs to fetch providers, modules, and policies, and adds a partner-managed layer that can discover AWS Security Hub findings, map them to Terraform resources, and generate remediation configurations using the HCP Terraform workspace. The server is designed for CLI-driven workflows: upload Terraform configurations via the MCP API, generate fixes with AI assistance, and apply changes back through Terraform workspaces. Use the built-in capabilities to synchronize security findings with your Terraform state, automatically link ARNs to Terraform addresses, and push remediation changes to your Terraform org. The tooling supports discovering workspaces, indexing Terraform state to extract resource IDs, and mapping AWS findings to corresponding Terraform resources for streamlined remediation across your cloud infrastructure.
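The ARN-to-address linking described above can be pictured with the following added example, which is not code from this server. It assumes the Terraform state v4 JSON layout, that each resource exposes an `arn` attribute, and that each Security Hub finding carries the ARN in `Resources[].Id`; the function names and all sample data are constructed for illustration.

```javascript
// Build a Terraform address such as module.logs.aws_s3_bucket.audit["eu"].
function addressOf(res, inst) {
  const key = inst.index_key;
  const idx = key === undefined ? "" : typeof key === "number" ? `[${key}]` : `["${key}"]`;
  return `${res.module ? res.module + "." : ""}${res.type}.${res.name}${idx}`;
}

// Index managed resources in a state v4 document by their "arn" attribute.
function indexStateByArn(state) {
  const index = new Map();
  for (const res of state.resources || []) {
    if (res.mode !== "managed") continue; // data sources are read-only lookups
    for (const inst of res.instances || []) {
      const arn = inst.attributes && inst.attributes.arn;
      if (typeof arn === "string") index.set(arn, addressOf(res, inst));
    }
  }
  return index;
}

// Split finding resources into those owned by this state and those that are not.
function mapFindings(findings, index) {
  const mapped = [], unmapped = [];
  for (const f of findings) {
    for (const r of f.Resources || []) {
      const address = index.get(r.Id) || null;
      (address ? mapped : unmapped).push({ finding: f.Id, arn: r.Id, address });
    }
  }
  return { mapped, unmapped };
}

// Constructed sample state: one plain resource, one for_each instance, one data source.
const SG_ARN = "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0aaa";
const sampleState = { version: 4, resources: [
  { mode: "managed", type: "aws_security_group", name: "web",
    instances: [{ attributes: { arn: SG_ARN } }] },
  { module: "module.logs", mode: "managed", type: "aws_s3_bucket", name: "audit",
    instances: [{ index_key: "eu", attributes: { arn: "arn:aws:s3:::example-audit-eu" } }] },
  { mode: "data", type: "aws_s3_bucket", name: "shared",
    instances: [{ attributes: { arn: "arn:aws:s3:::example-shared" } }] },
]};
// Constructed sample findings (only the fields used here).
const sampleFindings = [
  { Id: "finding-1", Resources: [{ Type: "AwsEc2SecurityGroup", Id: SG_ARN }] },
  { Id: "finding-2", Resources: [{ Type: "AwsS3Bucket", Id: "arn:aws:s3:::example-audit-eu" }] },
  { Id: "finding-3", Resources: [{ Type: "AwsS3Bucket", Id: "arn:aws:s3:::example-shared" }] },
];
console.log(JSON.stringify(mapFindings(sampleFindings, indexStateByArn(sampleState)), null, 2));
```

Findings that land in `unmapped` point at resources this state does not manage (or a stale state), so they should be reviewed by hand instead of being fed into generated remediation.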

How to install

Prerequisites:

  • Node.js (v14+ recommended) or a compatible runtime
  • Git
  • Access token or credentials for Terraform Registry APIs and AWS Security Hub if using live data

  1. Clone the repository:
       git clone https://github.com/your-org/terraform-partner-mcp-server.git
       cd terraform-partner-mcp-server

  2. Install dependencies: npm install

  3. Configure environment variables (example):

    • MCP_LOG_LEVEL=info
    • MCP_ALLOWED_ORIGINS=http://localhost:3000
    • TF_REGISTRY_API_TOKEN=your-terraform-registry-api-token
    • AWS_REGION=us-east-1
    • SECURITY_HUB_ENABLED=true
  4. Run the server (example for Node.js):
       npm run build || true
       node server.js

  5. Verify the MCP server is up by hitting the configured endpoint (default http://localhost:3000).

Notes:

  • If you prefer Docker, you can containerize this server by creating a Dockerfile that runs the same node server.js command and pass the same environment variables at runtime.
  • Ensure you have proper IAM permissions and network access for AWS Security Hub and Terraform Registry APIs.

Troubleshooting:

  • If the server fails to start, check MCP_LOG_LEVEL and MCP_ALLOWED_ORIGINS for misconfigurations.
  • Verify TF_REGISTRY_API_TOKEN is valid and has access to required providers/modules.
  • Ensure your environment has network access to Terraform Registry APIs and AWS endpoints.

Additional notes

Tips and known considerations:

  • Security: The MCP server is described as intended for local usage; avoid exposing it publicly without proper authentication and origin restrictions.
  • Environment variables: You can tune behavior by using MCP_ALLOWED_ORIGINS, MCP_LOG_LEVEL, and API tokens for 3rd-party services.
  • Partner-Managed Resources: This fork adds automated mapping of AWS Security Hub findings to Terraform resources. Ensure your Terraform state is up-to-date to maximize accurate ARNs-to-resource linking.
  • CLI-driven workflow: This setup emphasizes programmatic uploads and remediations via the API. If you want VCS-driven workflows, keep an eye on experimental support for GitHub PR-based automation.
  • Terraform Registry integration: The server will fetch providers, modules, and policies via the Terraform Registry APIs; ensure your tokens and network access align with Terraform’s API requirements.
  • Debugging: Increase logging with MCP_LOG_LEVEL for verbose output during integration tests.
  • Compatibility: If upgrading the server, review breaking changes in the MCP protocol or Terraform registry API endpoints.
  • Rate limits: Be mindful of API rate limits for Terraform Registry and Security Hub when performing automated syncs.
  • Data security: Never write secrets to logs in plain text; use environment-scoped secrets and secure secret management where possible.
