terraform-mcp-server

hashicorp/terraform-mcp-server

4.5

terraform-mcp-server is hosted online, so all tools can be tested directly either in the Inspector tab or in the Online Client.


The Terraform MCP Server is a Model Context Protocol server that integrates with Terraform Registry APIs for advanced automation in Infrastructure as Code development.


MCPHub score: 4.53

Has a README

Github repo has a README.md.

Has a License

Github repo has license info.

Server can be inspected


Server schema can be extracted

Can get at least one tool info from the README or server.

Online hosted on MCPHub

Can be automatically deployed by MCPHub.

Has social accounts

Does not have any social accounts.

Claimed by the author or certified by MCPHub


AI Evaluation Report
Total Score: 8/10

The agent demonstrates a strong ability to provide comprehensive and accurate information related to Terraform modules, provider documentation, and policy details. It effectively retrieves and presents detailed documentation, including examples, argument references, and usage instructions. The agent's responses are well-structured, informative, and align with official Terraform documentation, ensuring reliability and usefulness. However, there is a slight limitation in verifying the existence of specific variables within modules without direct references to the module's documentation, which slightly affects the reliability of some responses. Overall, the agent performs well in assisting with Terraform-related tasks.

  • Test case 1
    Score: 9/10
    I need to configure GitHub Actions as an OpenID Connect (OIDC) identity provider in AWS using Terraform. Can you find a popular module for this and show me its documentation, especially the required inputs and outputs?

    I found a popular Terraform module for configuring GitHub Actions as an OpenID Connect (OIDC) identity provider in AWS. Here are the details:

    Module Information

    • Module ID: unfunco/oidc-github/aws/2.0.2
    • Description: Terraform module to configure GitHub Actions as an OpenID Connect (OIDC) identity provider in AWS.
    • Source: GitHub Repository
    • Downloads: 1,356,789
    • Published: September 6, 2025

    Required Inputs

    | Name | Type | Description | Default | Required |
    |------|------|-------------|---------|----------|
    | create | bool | Enable/disable the creation of all resources. | true | false |
    | create_oidc_provider | bool | Enable/disable the creation of the GitHub OIDC provider. | true | false |
    | iam_role_name | string | The name of the IAM role to be created and made assumable by GitHub Actions. | "GitHubActions" | false |
    | github_repositories | list(string) | GitHub organization/repository names authorized to assume the role. | [] | false |
    | additional_audiences | list(string) | Additional OIDC audiences allowed to assume the role. | null | false |
    | additional_thumbprints | list(string) | Additional thumbprints for the OIDC provider. | [] | false |

    Optional Inputs

    | Name | Type | Description | Default | Required |
    |------|------|-------------|---------|----------|
    | attach_lambda_full_access_policy | bool | Enable/disable the attachment of the AWSLambda_FullAccess policy. | false | false |
    | attach_s3_full_access_policy | bool | Enable/disable the attachment of the AmazonS3FullAccess policy. | false | false |
    | iam_role_inline_policies | map(string) | Inline policies map with policy name as key and json as value. | {} | false |
    | iam_role_max_session_duration | number | The maximum session duration in seconds. | 3600 | false |
    | tags | map(string) | Tags to be applied to all applicable resources. | {} | false |

    Outputs

    | Name | Description |
    |------|-------------|
    | oidc_provider_arn | The ARN of the OIDC provider. |
    | oidc_provider_url | The URL of the OIDC provider. |
    | assume_role_policy | The assume role policy document that can be attached to your IAM roles. |
    | iam_role_arn | The ARN of the IAM role. |
    | iam_role_name | The name of the IAM role. |

    Provider Dependencies

    • AWS: hashicorp/aws version >= 6.0
    • TLS: hashicorp/tls version >= 4.0

    Examples

    1. Basic Example: This example creates an OIDC provider with a single role called GitHubActions, and permissions for managing Lambda resources.
    2. Multiple Roles Example: This example demonstrates creating the OIDC provider along with multiple custom roles, and attaching the assume role policy document to each role.

    You can find more detailed documentation and examples in the GitHub repository.

  • Test case 2
    Score: 9/10
    How do I create an S3 bucket using the official HashiCorp AWS Terraform provider? I need the documentation for the `aws_s3_bucket` resource, including all its arguments.

    To create an S3 bucket using the official HashiCorp AWS Terraform provider, you can use the aws_s3_bucket resource. Below is the full documentation including its arguments.

    Resource: aws_s3_bucket

    This resource provides functionality for managing general-purpose S3 buckets in AWS.

    Example Usage
    resource "aws_s3_bucket" "example" {
      bucket = "my-tf-test-bucket"
    
      tags = {
        Name        = "My bucket"
        Environment = "Dev"
      }
    }
    
    Argument Reference

    The following arguments are supported:

    • region (Optional)

      • Region where this resource will be managed. Defaults to the region set in the provider configuration.
    • bucket (Optional, Forces new resource)

      • Name of the bucket. If omitted, Terraform will assign a random, unique name. Must be lowercase and less than or equal to 63 characters in length.
    • bucket_prefix (Optional, Forces new resource)

      • Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket.
    • force_destroy (Optional, Default: false)

      • Boolean that indicates all objects (including any locked objects) should be deleted from the bucket when the bucket is destroyed.
    • object_lock_enabled (Optional, Forces new resource)

      • Indicates whether this bucket has an Object Lock configuration enabled. Valid values are true or false.
    • tags (Optional)

      • Map of tags to assign to the bucket.

    Deprecated Arguments

    The following arguments are deprecated and will be removed in a future version:

    • acceleration_status
    • acl
    • grant
    • cors_rule
    • lifecycle_rule
    • logging
    • object_lock_configuration
    • policy
    • replication_configuration
    • request_payer
    • server_side_encryption_configuration
    • versioning
    • website

    Additional Features

    • CORS Rule: Manage Cross-Origin Resource Sharing rules using the cors_rule configuration block.
    • Logging: Configure logging for the bucket using the logging block.
    • Lifecycle Rules: Manage object lifecycle with the lifecycle_rule configuration block.
    • Object Lock: Enable Object Lock configuration using the object_lock_configuration block.
    • Versioning: Control versioning with the versioning block.

    Attribute Reference

    This resource exports the following attributes:

    • id - Name of the bucket.
    • arn - ARN of the bucket.
    • bucket_domain_name - Bucket domain name.
    • bucket_region - AWS region this bucket resides in.
    • bucket_regional_domain_name - The bucket region-specific domain name.
    • tags_all - Map of tags assigned to the resource.

    Timeouts

    Configuration options include:

    • create - Default 20m
    • read - Default 20m
    • update - Default 20m
    • delete - Default 60m

    Import

    You can import an existing S3 bucket using the bucket name.

    import {
      to = aws_s3_bucket.bucket
      id = "bucket-name"
    }
    

    For more detailed information, refer to the official AWS S3 Bucket Documentation.

  • Test case 3
    Score: 9/10
    I need to read data from a pre-existing AWS Elastic IP address in my Terraform code. Can you find the documentation for the `aws_eip` data source from the `hashicorp/aws` provider?

    Here is the documentation for the aws_eip data source from the HashiCorp AWS provider, which provides details about a specific Elastic IP address.

    Data Source: aws_eip

    The aws_eip data source allows you to retrieve information about a specific Elastic IP. Below are the key details and example usages.

    Example Usage
    1. Search By Allocation ID (VPC only):

      data "aws_eip" "by_allocation_id" {
        id = "eipalloc-12345678"
      }
      
    2. Search By Filters (EC2-Classic or VPC):

      data "aws_eip" "by_filter" {
        filter {
          name   = "tag:Name"
          values = ["exampleNameTagValue"]
        }
      }
      
    3. Search By Public IP (EC2-Classic or VPC):

      data "aws_eip" "by_public_ip" {
        public_ip = "1.2.3.4"
      }
      
    4. Search By Tags (EC2-Classic or VPC):

      data "aws_eip" "by_tags" {
        tags = {
          Name = "exampleNameTagValue"
        }
      }
      
    Argument Reference
    • region (Optional): Specify the AWS region. Defaults to the region set in the provider configuration.
    • filter (Optional): Name/value pairs to use as filters for querying Elastic IPs.
    • id (Optional): Allocation ID for a specific VPC EIP.
    • public_ip (Optional): The public IP of the specific EIP to retrieve.
    • tags (Optional): Map of tags to match against Elastic IPs.

    Attribute Reference

    This data source exports the following attributes:

    • association_id: ID representing the association with an instance.
    • carrier_ip: Carrier IP address.
    • customer_owned_ip: Customer Owned IP.
    • domain: Indicates if the address is for EC2-Classic or VPC.
    • public_ip: The public IP address of the Elastic IP.
    • tags: Key-value map of tags associated with the Elastic IP.

    Timeouts
    • read: Default is 20m.

    Notes

    • The public_dns and private_dns attributes are computed according to the VPC DNS Guide and are not available through the EC2 API.

    For more detailed information, you can refer to the Terraform AWS provider documentation.

  • Test case 4
    Score: 8/10
    I need to enforce security standards in my AWS environment. Can you find the official HashiCorp policy set for the 'CIS AWS Foundations Benchmark' and explain how to use it?

    The official HashiCorp policy set for the 'CIS AWS Foundations Benchmark' is called the CIS-Policy-Set-for-AWS-Terraform. It consists of pre-written Sentinel policies designed to enforce compliance with the CIS AWS Foundations Benchmark.

    Usage Instructions:

    1. Create a Policy File: Define a HashiCorp Configuration Language (HCL) file named policies.hcl containing the necessary policy blocks.
    2. Example Policy Block:
      module "report" {
        source = "https://registry.terraform.io/v2policies/hashicorp/CIS-Policy-Set-for-AWS-Terraform/1.0.1/policy-module/report.sentinel?checksum=sha256:1f414f31c2d6f7e4c3f61b2bc7c25079ea9d5dd985d865c01ce9470152fa696d"
      }

      module "tfresources" {
        source = "https://registry.terraform.io/v2policies/hashicorp/CIS-Policy-Set-for-AWS-Terraform/1.0.1/policy-module/tfresources.sentinel?checksum=sha256:5b91f0689dd6d68d17bed2612cd72127a6dcfcedee0e2bb69a617ded71ad0168"
      }

      policy "ec2-vpc-flow-logging-enabled" {
        source            = "https://registry.terraform.io/v2policies/hashicorp/CIS-Policy-Set-for-AWS-Terraform/1.0.1/policy/ec2-vpc-flow-logging-enabled.sentinel?checksum=sha256:42f2c8ae190e793a0b9fef9ed027faab91e31ac3288cfdb103ec34dffcb22c24"
        enforcement_level = "advisory"
      }

    3. Available Policies: Some available policies include ec2-vpc-flow-logging-enabled, cloudtrail-log-file-validation-enabled, s3-block-public-access-bucket-level, iam-password-length, and ec2-security-group-ipv4-ingress-traffic-restriction.
    4. Refer to Documentation: For more guidance, consult the Sentinel Documentation (https://developer.hashicorp.com/sentinel/) and Policy Library Documentation (https://github.com/hashicorp/policy-library-CIS-Policy-Set-for-AWS-Terraform/blob/main/docs/policies).
    
  • Test case 5
    Score: 7/10
    I'm using the `unfunco/oidc-github/aws` Terraform module. How can I use it to attach a full access policy for Amazon RDS to the IAM role it creates?

    To attach a full access policy for Amazon RDS to the IAM role created by the unfunco/oidc-github/aws Terraform module, you can leverage the attach_rds_full_access_policy input variable provided by the module.

    Steps to Use the Module with Amazon RDS Full Access Policy

    1. Include the Module in Your Terraform Configuration: Begin by including the unfunco/oidc-github/aws module in your Terraform configuration file (usually main.tf).

    2. Set the Required Variables: You will need to set the attach_rds_full_access_policy variable to true to allow the module to attach the Amazon RDS full access policy to the IAM role.

    Here’s an example configuration:

    module "oidc_github" {
      source  = "unfunco/oidc-github/aws"
      version = "2.0.2"  # use the latest version as needed
    
      attach_rds_full_access_policy = true
      create_iam_role               = true
      iam_role_name                 = "GitHubActions"
      github_repositories           = ["your-org/your-repo"]  # Replace with your actual GitHub org/repo
      # Add other variables as needed...
    }
    

    Explanation of Key Variables:

    • attach_rds_full_access_policy: Set this to true to allow the module to attach the Amazon RDS full access policy to the IAM role it creates.

    • create_iam_role: This variable controls whether the IAM role should be created. It should be set to true to ensure the role is created.

    • iam_role_name: This is the name you want to assign to the IAM role.

    • github_repositories: Specify the GitHub repositories that are authorized to assume the role.

    Additional Information:

    • The module also offers other access policy options like Lambda, S3, and EC2 full access, which can be enabled similarly by setting their respective variables to true.
    • Make sure to review the module documentation for any additional configurations or options that may be relevant to your setup.

    Outputs:

    After applying the Terraform configuration, you can retrieve outputs like the ARN of the IAM role and OIDC provider, which can be useful for further integrations or management.

    Example Output Block:

    output "iam_role_arn" {
      value = module.oidc_github.iam_role_arn
    }
    
    output "oidc_provider_arn" {
      value = module.oidc_github.oidc_provider_arn
    }
    

    Following these steps will enable you to successfully attach the Amazon RDS full access policy to the IAM role created by the unfunco/oidc-github/aws Terraform module.