-
Notifications
You must be signed in to change notification settings - Fork 6
Home
Terraform Guardrail MCP (TerraGuard) (Model Context Protocol) is an enterprise-grade IaC governance and guardrail platform that enforces architectural intent, compliance, and platform standards directly inside CI/CD. It runs outside Terraform, exposes provider context, and enforces guardrails that prevent bad state before apply.
pip install terraform-guardrailbrew install Huzefaaa2/tap/terraform-guardrailchoco install terraform-guardrailTerraform-Guardrail is licensed under Business Source License (BSL) 1.1 with a change date to Apache 2.0. Commercial usage requires explicit permission.
- Licensing details: Licensing
Making Infrastructure Governance Executable
Despite using Terraform and security scanners, enterprises still face:
- Inconsistent enforcement across teams
- Policies applied too late in delivery
- Manual reviews that don’t scale
- Different interpretations of “standards”
- Audit findings caused by drift, not intent
👉 The issue is not lack of tools —
👉 The issue is lack of a governance distribution mechanism.
Terraform-Guardrail MCP is an enterprise-grade IaC governance and guardrail platform for Terraform that enforces architectural intent, compliance, and platform standards directly in CI/CD.
It:
- Establishes a non-negotiable safety floor
- Distributes guardrails consistently via CI/CD
- Enables progressive enforcement (Advisory → Warn → Strict)
- Makes governance versioned, auditable, and repeatable
Governance becomes code, not documents.
| Layer | Role |
|---|---|
| Terraform-Guardrail MCP | Governance & enforcement orchestration |
| Checkov / tfsec / Terrascan | Deep static security & compliance scanning |
| OPA / Sentinel | Advanced & runtime policy enforcement |
| CI/CD (GitLab/GitHub) | Execution & control point |
Terraform-Guardrail does not replace existing tools — it connects and operationalizes them.
Every Terraform change passes through the same guardrails, before it ever reaches the cloud.
Implemented at:
- Merge request / pull request stage
- GitLab group-level CI enforcement
- No per-repo negotiation
| Phase | Mode | Business Outcome |
|---|---|---|
| Phase 1 | Advisory | Visibility, zero disruption |
| Phase 2 | Warn | Accountability without blocking |
| Phase 3 | Strict | Mandatory compliance for prod |
✔ No “big-bang” rollout
✔ Teams keep autonomy above the safety floor
Without it:
- Governance relies on people & process
- Controls drift over time
- Audit remediation is expensive
With it:
- Governance is automatic and consistent
- Security shifts left into CI
- Audit evidence is generated by default
- Platform teams scale without becoming bottlenecks
Terraform-Guardrail MCP turns infrastructure governance
from guidelines into guarantees.
It enables speed and safety — without trading one for the other.
Non-negotiable safety floor, composable freedom above it. Guardrails live outside Terraform.
flowchart LR
USER[Platform + Product Teams] --> CHANNELS[CLI / Streamlit / REST API / MCP]
CHANNELS --> GUARDRAIL["Terraform Guardrail MCP (TerraGuard)"]
GUARDRAIL --> REPORTS[Readable Guidance + Evidence]
GUARDRAIL --> TERRAFORM[Safer Terraform Applies]
- Roadmap
- Deliverables Reference
- Enterprise Implementation Plan
- Architecture
- Diagrams
- Comparison with Other Tools
- CLI Usage
- GitHub Action
- GitLab CI Templates
- Packaging
- Licensing
- MCP Server
- Compliance Rules
- Streamlit Deployment
- Docker Compose Stack
- Live Streamlit App
- PyPI Package
- Release Process
- Version: 1.0.4
- Container image: https://github.com/Huzefaaa2/terraform-guardrail/pkgs/container/terraform-guardrail
- Registry image: https://github.com/Huzefaaa2/terraform-guardrail/pkgs/container/terraform-guardrail-registry
- Supported providers: AWS, Azure, GCP, Kubernetes, Helm, OCI, Vault, Alicloud, vSphere
- Local stack: Docker Compose (API + UI + policy registry, optional analytics)
- Policy registry: OPA bundles published under
/bundles/*.tar.gz - Policy evaluation available via CLI when OPA is installed
| Area | CLI | Web UI / Streamlit |
|---|---|---|
Config scan (.tf, .tfvars, .hcl) |
Yes | Yes |
State leak scan (.tfstate) |
Yes | Yes |
| Schema-aware validation | Yes | Yes |
| CSV export | No | Yes |
| Provider metadata | Yes | Yes |
| Snippet generation | Yes | No |
| Multi-file scan | Yes (directory) | Yes (upload up to 10) |