awslabs.terraform-mcp-server 1.0.14__py3-none-any.whl

awslabs/__init__.py

@@ -0,0 +1,17 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file is part of the awslabs namespace.
+# It is intentionally minimal to support PEP 420 namespace packages.
+__path__ = __import__('pkgutil').extend_path(__path__, __name__)

awslabs/terraform_mcp_server/__init__.py

@@ -0,0 +1,17 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""awslabs.terraform-mcp-server"""
+
+__version__ = '1.0.14'

awslabs/terraform_mcp_server/impl/resources/__init__.py

@@ -0,0 +1,25 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Resource implementations for the Terraform expert."""
+
+from .terraform_aws_provider_resources_listing import terraform_aws_provider_assets_listing_impl
+from .terraform_awscc_provider_resources_listing import (
+    terraform_awscc_provider_resources_listing_impl,
+)
+
+__all__ = [
+    'terraform_aws_provider_assets_listing_impl',
+    'terraform_awscc_provider_resources_listing_impl',
+]

awslabs/terraform_mcp_server/impl/resources/terraform_aws_provider_resources_listing.py

@@ -0,0 +1,66 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Implementation for terraform_aws_provider_resources_listing resource."""
+
+import sys
+from loguru import logger
+from pathlib import Path
+
+
+# Configure logger for enhanced diagnostics with stacktraces
+logger.configure(
+    handlers=[
+        {
+            'sink': sys.stderr,
+            'backtrace': True,
+            'diagnose': True,
+            'format': '<green>{time:YYYY-MM-DD HH:mm:ss.SSS}</green> | <level>{level: <8}</level> | <cyan>{name}</cyan>:<cyan>{function}</cyan>:<cyan>{line}</cyan> - <level>{message}</level>',
+        }
+    ]
+)
+
+# Path to the static markdown file
+STATIC_RESOURCES_PATH = (
+    Path(__file__).parent.parent.parent / 'static' / 'AWS_PROVIDER_RESOURCES.md'
+)
+
+
+async def terraform_aws_provider_assets_listing_impl() -> str:
+    """Generate a comprehensive listing of AWS provider resources and data sources.
+
+    This implementation reads from a pre-generated static markdown file instead of
+    scraping the web in real-time. The static file should be generated using the
+    generate_aws_provider_resources.py script.
+
+    Returns:
+        A markdown formatted string with categorized resources and data sources
+    """
+    logger.info('Loading AWS provider resources listing from static file')
+
+    try:
+        # Check if the static file exists
+        if STATIC_RESOURCES_PATH.exists():
+            # Read the static file content
+            with open(STATIC_RESOURCES_PATH, 'r', encoding='utf-8') as f:
+                content = f.read()
+            logger.info('Successfully loaded AWS Provider asset list')
+            return content
+        else:
+            # Send error if static file does not exist
+            logger.debug(f"Static assets list file not found at '{STATIC_RESOURCES_PATH}'")
+            raise Exception('Static assets list file not found')
+    except Exception as e:
+        logger.error(f'Error generating AWS provider assets listing: {e}')
+        return f'# AWS Provider Assets Listing\n\nError generating listing: {str(e)}'

awslabs/terraform_mcp_server/impl/resources/terraform_awscc_provider_resources_listing.py

@@ -0,0 +1,69 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Implementation for terraform_awscc_provider_resources_listing resource."""
+
+import sys
+from loguru import logger
+from pathlib import Path
+
+
+# Configure logger for enhanced diagnostics with stacktraces
+logger.configure(
+    handlers=[
+        {
+            'sink': sys.stderr,
+            'backtrace': True,
+            'diagnose': True,
+            'format': '<green>{time:YYYY-MM-DD HH:mm:ss.SSS}</green> | <level>{level: <8}</level> | <cyan>{name}</cyan>:<cyan>{function}</cyan>:<cyan>{line}</cyan> - <level>{message}</level>',
+        }
+    ]
+)
+
+# Path to the static markdown file
+STATIC_RESOURCES_PATH = (
+    Path(__file__).parent.parent.parent / 'static' / 'AWSCC_PROVIDER_RESOURCES.md'
+)
+
+
+async def terraform_awscc_provider_resources_listing_impl() -> str:
+    """Generate a comprehensive listing of AWSCC provider resources and data sources.
+
+    This implementation reads from a pre-generated static markdown file instead of
+    scraping the web in real-time. The static file should be generated using the
+    generate_awscc_provider_resources.py script.
+
+    Returns:
+        A markdown formatted string with categorized resources and data sources
+    """
+    logger.info('Loading AWSCC provider resources listing from static file')
+
+    try:
+        # Check if the static file exists
+        if STATIC_RESOURCES_PATH.exists():
+            # Read the static file content
+            with open(STATIC_RESOURCES_PATH, 'r', encoding='utf-8') as f:
+                content = f.read()
+
+            logger.info(
+                f'Successfully loaded AWSCC provider resources from {STATIC_RESOURCES_PATH}'
+            )
+            return content
+        else:
+            # Send error if static file does not exist
+            logger.debug(f"Static assets list file not found at '{STATIC_RESOURCES_PATH}'")
+            raise Exception('Static assets list file not found')
+    except Exception as e:
+        logger.error(f'Error generating AWSCC provider resources listing: {e}')
+        return f'# AWSCC Provider Resources Listing\n\nError generating listing: {str(e)}'

awslabs/terraform_mcp_server/impl/tools/__init__.py

@@ -0,0 +1,33 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Tool implementations for the terraform MCP server."""
+
+from .search_user_provided_module import search_user_provided_module_impl
+from .execute_terraform_command import execute_terraform_command_impl
+from .execute_terragrunt_command import execute_terragrunt_command_impl
+from .search_aws_provider_docs import search_aws_provider_docs_impl
+from .search_awscc_provider_docs import search_awscc_provider_docs_impl
+from .search_specific_aws_ia_modules import search_specific_aws_ia_modules_impl
+from .run_checkov_scan import run_checkov_scan_impl
+
+__all__ = [
+    'search_user_provided_module_impl',
+    'execute_terraform_command_impl',
+    'execute_terragrunt_command_impl',
+    'search_aws_provider_docs_impl',
+    'search_awscc_provider_docs_impl',
+    'search_specific_aws_ia_modules_impl',
+    'run_checkov_scan_impl',
+]

awslabs/terraform_mcp_server/impl/tools/execute_terraform_command.py

@@ -0,0 +1,223 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Implementation of Terraform command execution tool."""
+
+import json
+import os
+import re
+import subprocess
+from awslabs.terraform_mcp_server.impl.tools.utils import get_dangerous_patterns
+from awslabs.terraform_mcp_server.models import TerraformExecutionRequest, TerraformExecutionResult
+from loguru import logger
+
+
+async def execute_terraform_command_impl(
+    request: TerraformExecutionRequest,
+) -> TerraformExecutionResult:
+    """Execute Terraform workflow commands against an AWS account.
+
+    This tool runs Terraform commands (init, plan, validate, apply, destroy) in the
+    specified working directory, with optional variables and region settings.
+
+    Parameters:
+        request: Details about the Terraform command to execute
+
+    Returns:
+        A TerraformExecutionResult object containing command output and status
+    """
+    logger.info(f"Executing 'terraform {request.command}' in {request.working_directory}")
+
+    # Helper function to clean output text
+    def clean_output_text(text: str) -> str:
+        """Clean output text by removing or replacing problematic Unicode characters.
+
+        Args:
+            text: The text to clean
+
+        Returns:
+            Cleaned text with ASCII-friendly replacements
+        """
+        if not text:
+            return text
+
+        # First remove ANSI escape sequences (color codes, cursor movement)
+        ansi_escape = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])')
+        text = ansi_escape.sub('', text)
+
+        # Remove C0 and C1 control characters (except common whitespace)
+        control_chars = re.compile(r'[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F-\x9F]')
+        text = control_chars.sub('', text)
+
+        # Replace HTML entities
+        html_entities = {
+            '->': '->',  # Replace HTML arrow
+            '&lt;': '<',  # Less than
+            '&gt;': '>',  # Greater than
+            '&amp;': '&',  # Ampersand
+        }
+        for entity, replacement in html_entities.items():
+            text = text.replace(entity, replacement)
+
+        # Replace box-drawing and other special Unicode characters with ASCII equivalents
+        unicode_chars = {
+            '\u2500': '-',  # Horizontal line
+            '\u2502': '|',  # Vertical line
+            '\u2514': '+',  # Up and right
+            '\u2518': '+',  # Up and left
+            '\u2551': '|',  # Double vertical
+            '\u2550': '-',  # Double horizontal
+            '\u2554': '+',  # Double down and right
+            '\u2557': '+',  # Double down and left
+            '\u255a': '+',  # Double up and right
+            '\u255d': '+',  # Double up and left
+            '\u256c': '+',  # Double cross
+            '\u2588': '#',  # Full block
+            '\u25cf': '*',  # Black circle
+            '\u2574': '-',  # Left box drawing
+            '\u2576': '-',  # Right box drawing
+            '\u2577': '|',  # Down box drawing
+            '\u2575': '|',  # Up box drawing
+        }
+        for char, replacement in unicode_chars.items():
+            text = text.replace(char, replacement)
+
+        return text
+
+    # Set environment variables for AWS region if provided
+    env = os.environ.copy()
+    if request.aws_region:
+        env['AWS_REGION'] = request.aws_region
+
+    # Security check for command injection
+    allowed_commands = ['init', 'plan', 'validate', 'apply', 'destroy']
+    if request.command not in allowed_commands:
+        logger.error(f'Invalid Terraform command: {request.command}')
+        return TerraformExecutionResult(
+            command=f'terraform {request.command}',
+            status='error',
+            error_message=f'Invalid Terraform command: {request.command}. Allowed commands are: {", ".join(allowed_commands)}',
+            working_directory=request.working_directory,
+            outputs=None,
+        )
+
+    # Check for potentially dangerous characters or command injection attempts
+    dangerous_patterns = get_dangerous_patterns()
+    logger.debug(f'Checking for {len(dangerous_patterns)} dangerous patterns')
+
+    for pattern in dangerous_patterns:
+        if request.variables:
+            # Check if the pattern is in any of the variable values
+            for var_name, var_value in request.variables.items():
+                if pattern in str(var_value) or pattern in str(var_name):
+                    logger.error(
+                        f'Potentially dangerous pattern detected in variable {var_name}: {pattern}'
+                    )
+                    return TerraformExecutionResult(
+                        command=f'terraform {request.command}',
+                        status='error',
+                        error_message=f"Security violation: Potentially dangerous pattern '{pattern}' detected in variable '{var_name}'",
+                        working_directory=request.working_directory,
+                        outputs=None,
+                    )
+
+    # Build the command
+    cmd = ['terraform', request.command]
+
+    # Add auto-approve flag for apply and destroy commands to make them non-interactive
+    if request.command in ['apply', 'destroy']:
+        logger.info(f'Adding -auto-approve flag to {request.command} command')
+        cmd.append('-auto-approve')
+
+    # Add variables only for commands that accept them (plan, apply, destroy)
+    if request.command in ['plan', 'apply', 'destroy'] and request.variables:
+        logger.info(f'Adding {len(request.variables)} variables to {request.command} command')
+        for key, value in request.variables.items():
+            cmd.append(f'-var={key}={value}')
+
+    # Execute command
+    try:
+        # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
+        # Safe: Command is validated against allowlist, variables are checked for dangerous patterns,
+        # working_directory is user-controlled but subprocess uses cwd parameter (not shell injection)
+        process = subprocess.run(  # noqa: B603 - Safe: allowlisted commands, validated variables, no shell injection
+            cmd, cwd=request.working_directory, capture_output=True, text=True, env=env
+        )
+
+        # Prepare the result
+        stdout = process.stdout
+        stderr = process.stderr if process.stderr else ''
+
+        # Clean output text if requested
+        if request.strip_ansi:
+            logger.debug('Cleaning command output text (ANSI codes and control characters)')
+            stdout = clean_output_text(stdout)
+            stderr = clean_output_text(stderr)
+
+        result = {
+            'command': f'terraform {request.command}',
+            'status': 'success' if process.returncode == 0 else 'error',
+            'return_code': process.returncode,
+            'stdout': stdout,
+            'stderr': stderr,
+            'working_directory': request.working_directory,
+            'outputs': None,
+        }
+
+        # Get outputs if this was a successful apply command
+        if request.command == 'apply' and process.returncode == 0:
+            try:
+                logger.info('Getting Terraform outputs')
+                output_process = subprocess.run(  # noqa: B603 - Safe: hardcoded terraform output command with no user input
+                    ['terraform', 'output', '-json'],
+                    cwd=request.working_directory,
+                    capture_output=True,
+                    text=True,
+                    env=env,
+                )
+
+                if output_process.returncode == 0 and output_process.stdout:
+                    # Get output and clean it if needed
+                    output_stdout = output_process.stdout
+                    if request.strip_ansi:
+                        output_stdout = clean_output_text(output_stdout)
+
+                    # Parse the JSON output
+                    raw_outputs = json.loads(output_stdout)
+
+                    # Process outputs to extract values from complex structure
+                    processed_outputs = {}
+                    for key, value in raw_outputs.items():
+                        # Terraform outputs in JSON format have a nested structure
+                        # with 'value', 'type', and sometimes 'sensitive'
+                        if isinstance(value, dict) and 'value' in value:
+                            processed_outputs[key] = value['value']
+                        else:
+                            processed_outputs[key] = value
+
+                    result['outputs'] = processed_outputs
+                    logger.info(f'Extracted {len(processed_outputs)} Terraform outputs')
+            except Exception as e:
+                logger.warning(f'Failed to get Terraform outputs: {e}')
+
+        # Return the output
+        return TerraformExecutionResult(**result)
+    except Exception as e:
+        return TerraformExecutionResult(
+            command=f'terraform {request.command}',
+            status='error',
+            error_message=str(e),
+            working_directory=request.working_directory,
+            outputs=None,
+        )