claude-iac-mcp-server
Enables AI agents to query an approved Terraform module registry and generate compliant Azure infrastructure code. It provides tools for module discovery, scaffolding, and validation against organizational standards.
README
AI-Assisted IaC Self-Service Platform (Azure + Terraform)
An AI-assisted self-service platform for infrastructure. Developers use Claude Code or GitHub Copilot to query an approved Terraform module registry and generate compliant Azure infrastructure — without hand-rolling Terraform or pulling random modules off the internet.
The approved registry is hybrid:
- Azure Verified Modules (AVM) — Microsoft's curated, compliance-grade modules from the public Terraform Registry (the baseline).
- Your own modules — hosted in a GitHub repo and referenced via a
git::source. No registry product required. Seeregistry/modules/TEMPLATE-custom-git-module.yaml.
It has two halves:
- An IaC MCP server (
server/iac_mcp_server.py) — exposes the approved module registry + standards as MCP tools. - Agent skill / context (
skills/iac-self-service/SKILL.md) — encodes how the agent must use those tools to stay compliant.
developer ──▶ Claude Code / Copilot ──MCP──▶ iac_mcp_server ──▶ registry/ + standards/
│ (AVM + your git modules)
└── guided by skills/iac-self-service/SKILL.md
Note on names:
acmeis a placeholder org name and theapp.terraform.io/acme/*entry is an optional private-registry example. Replaceacmewith your own short name to brand it. The real, working modules are the AVM ones.
Layout
| Path | Purpose |
|---|---|
server/iac_mcp_server.py |
FastMCP server (7 tools) |
registry/catalog.yaml |
The allowlist of approved modules |
registry/modules/*.yaml |
Per-module spec: source, version, rg_ref, inputs, outputs, example |
registry/modules/TEMPLATE-custom-git-module.yaml |
How to register your own git module |
standards/standards.yaml |
Naming, regions, required tags, source allowlist, security baseline |
skills/iac-self-service/SKILL.md |
The agent skill encoding the standards |
environments/prod/payments/ |
Example output: a compliant, AVM-based main.tf |
.mcp.json |
Claude Code MCP wiring (local stdio) |
Dockerfile |
Container image for a hosted (HTTP) instance |
deploy/ |
One-command Azure deploy + teardown scripts and docs |
tests/smoke_test.py |
Fast smoke test of the tools (19 checks) |
MCP tools
| Tool | What it does |
|---|---|
list_modules(category?) |
List approved modules (optionally by category) |
search_modules(query) |
Free-text search the registry |
get_module(name) |
Full spec: source, version, rg_ref, inputs, outputs, example |
list_standards() |
The org standards the agent must honor |
generate_module_usage(module, workload, environment, …) |
Scaffold a compliant block (naming, RG wiring, tags) + todo_inputs |
validate_config(hcl) |
Heuristic policy check before terraform plan |
refresh_registry() |
Hot-reload registry/standards after edits |
Setup
pip install -r requirements.txt
python tests/smoke_test.py # expect: ALL PASSED (19 checks)
Use with Claude Code
.mcp.json is already provided. From the repo root:
claude # auto-discovers .mcp.json and starts the server
Load the skill once:
New-Item -ItemType Directory -Force .claude\skills\iac-self-service | Out-Null
Copy-Item skills\iac-self-service\SKILL.md .claude\skills\iac-self-service\
Then ask: "Provision a storage account and a Postgres database for the payments app
in prod." The agent runs list_standards → search_modules → get_module →
generate_module_usage → validate_config and writes a compliant main.tf.
Use with GitHub Copilot
Copilot (VS Code) reads MCP servers from .vscode/mcp.json:
{
"servers": {
"acme-iac-platform": {
"type": "stdio",
"command": "python",
"args": ["${workspaceFolder}/server/iac_mcp_server.py"]
}
}
}
For a hosted instance, point Copilot at the URL instead:
{ "servers": { "acme-iac-platform": { "type": "http", "url": "https://<fqdn>/mcp" } } }.
Mirror the rules from SKILL.md into .github/copilot-instructions.md so Copilot Chat
applies them.
Two run modes: local (stdio) vs hosted (HTTP)
| Local | Hosted (org) | |
|---|---|---|
| Transport | stdio (default) | HTTP / streamable-http |
| Who starts it | Claude Code / Copilot auto-spawn it per session | Always-on Azure Container App |
| Setup | none — .mcp.json already wires it |
deploy/deploy-azure.ps1 (one command) |
| Connect | .mcp.json (project) or claude mcp add |
claude mcp add --transport http … https://<fqdn>/mcp |
Switch a process to HTTP mode with MCP_TRANSPORT=http (the Dockerfile sets this).
Deploy a shared instance to Azure
So a whole team points at one URL instead of running it locally:
az login
.\deploy\deploy-azure.ps1 # builds the image in Azure + deploys to Container Apps
It prints the MCP URL and the connect command. Tear down with
.\deploy\destroy-azure.ps1. Full guide (connection, one-time test, auth before
real use, cost): deploy/README.md.
Deploying the example
The generated example lives in environments/prod/payments/. To deploy it against
your Azure state account without editing committed files:
cd environments/prod/payments
Copy-Item backend.local.hcl.example backend.local.hcl # edit values for your state account
# azurerm v4 needs a subscription id; the azurerm backend needs auth to your state account
$env:ARM_SUBSCRIPTION_ID = (az account show --query id -o tsv)
# state auth: either set use_azuread_auth in backend.local.hcl (needs Blob Data Contributor),
# or supply the key: $env:ARM_ACCESS_KEY = (az storage account keys list -g <rg> -n <sa> --query "[0].value" -o tsv)
terraform init "-backend-config=backend.local.hcl" # NOTE: quotes are required in PowerShell
terraform plan
terraform apply
The example uses real AVM modules, so terraform init actually downloads them (needs
Terraform >= 1.11 for the write-only Postgres password). The state backend account
(e.g. myterrasa) must already exist — backend.local.hcl is gitignored, so your real
account names never get published.
Add one of YOUR own modules
- Copy
registry/modules/TEMPLATE-custom-git-module.yamltoregistry/modules/<name>.yaml. - Set
sourceto agit::https://github.com/<you>/...//modules/<name>?ref=v1.0.0,rg_refto match how your module takes its resource group, andstatus: approved. - Add
<name>toregistry/catalog.yaml. refresh_registry()(or restart). The AI now self-serves your module too.
Production hardening (next steps)
- Add authentication to the hosted instance (the
deploy/HTTP server ships open by default). Put it behind Entra ID / an API gateway before any real org use — see the Security section of deploy/README.md. - Replace the heuristic
validate_configwith OPA/Conftest policies, run both here and in CI (the heuristic is a fast pre-flight, not the enforcement gate). - Pin AVM versions centrally and add a renovate/dependabot job to bump them.
- Emit telemetry on which modules are generated to measure adoption.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.