[go: up one dir, main page]
HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Terraform
Terraform Home

Security model for Terraform MCP server

This document explains the security model for the Terraform Model Context Protocol (MCP) server when operating the server locally. Understanding this model helps you safely integrate local AI agents with Terraform tooling. This ensures the following outcomes, even in local environments:

  • Tool execution is safe and controlled
  • Sensitive operations are protected from accidental misuse or injection
  • LLM behavior is constrained and auditable prior to application.

Refer to the Terraform MCP server overview for additional information.

Threat model

You should be aware of the following potential threats to the Terraform MCP server.

Hallucinations

AI hallucinations, or the generation of false information, stem from insufficient training data, flawed model assumptions, and biased datasets. They pose serious risks in critical applications where accuracy is vital for correct diagnoses and sound decisions. We recommend always validating the data prior to applying any changes to your infrastructure.

Prompt injection

Improperly validating or sanitizing inputs can allow attackers to inject malicious instructions for the MCP server to execute. This can lead to code execution, server side request forgery (SSRF), and other kinds of security breaches. To mitigate this risk, we've implemented input validation for all user-sourced data entering the MCP server.

Tool poisoning

Tool poisoning is when the MCP server inadvertently executes hidden instructions within comprehensive tool descriptions, which lets attackers instigate unwanted or damaging outcomes. To mitigate tool poisoning, the MCP server uses static tool descriptions that don't allow poisoning.

Rug pull attack

Deploying a remotely accessible MCP server changes its available tools and descriptions after deployment. This enables malicious behavior that isn't present when the tool was initially approved.

Tool shadowing

When multiple MCP servers are connected, a compromised server can override tools from trusted servers, leading to potential security breaches. You should take precautions when operating several MCP servers.

Threat model exclusions

The following are not part of the threat model for the Terraform MCP Server:

  • Foundational model: Concerns related to the underlying AI models, training data, and inherent vulnerabilities.
  • Infrastructure deployment: Concerns related to the security of infrastructure, network and software environments configuration and deployment through the output of the model should always be reviewed prior to any change application.

Recommendations for secure use

  • Always validate before doing any write changes.
  • Follow the instructions for securely deploying the MCP server. Refer to Secure configuration.
Edit this page on GitHub