URL: https://apify.com/dori1/terraform-guard

Terraform Guard - AI Terraform Plan Safety Gate · Apify


Pricing

from $0.25 / terraform plan safety check

Pre-apply Terraform and OpenTofu safety gate for AI agents and CI pipelines. Checks the exact plan JSON before apply and blocks risky database deletes, stateful replacements, public ingress, force-destroy buckets, and other production-impacting changes.

Developer: Doron Aloni

Maintained by Community

Last modified: a month ago

terraform-guard

AI-agent-native Terraform plan safety gate.

terraform-guard checks the JSON output of a Terraform/OpenTofu plan before apply and returns a deterministic verdict:

  • allow: no dangerous change detected
  • warn: risky change needs human review
  • block: likely data loss, exposure, outage, or privilege blast radius

It is designed for the new failure mode: coding agents can now edit infrastructure and may try to run terraform apply. This tool gives agents, CI systems, and humans a machine-readable pre-apply stop sign.

Quick Start

pip install -e ".[dev]"
terraform plan -out=tf.plan
terraform show -json tf.plan > plan.json
terraform-guard check plan.json --pro --format text

Write PR/CI artifacts:

terraform-guard check plan.json --pro \
  --markdown-file terraform-guard.md \
  --sarif-file terraform-guard.sarif \
  --json-file terraform-guard.json

CI-friendly exit codes:

  • 0: allow
  • 1: parse/input error
  • 2: warn when --fail-on warn
  • 3: block

MCP

Run the local MCP server:

$ terraform-guard-mcp

MCP tools:

  • terraform_guard_check_plan(plan_json, ruleset)
  • terraform_guard_list_rules(ruleset)

Local Pro mode is gated by TFGUARD_LICENSE_KEY. The current offline demo accepts keys beginning with TFG-PRO-; production licensing must replace this with signed offline licenses or marketplace verification.

GitHub Action

This repository includes a root action.yml for GitHub Action distribution:

- run: terraform plan -input=false -out=tf.plan
- run: terraform show -json tf.plan > tfplan.json
- uses: your-org/terraform-guard@v0
  with:
    plan-path: tfplan.json
    pro: "true"
    fail-on: block
    upload-sarif: "true"

Examples:

  • docs/examples/github-action-plan-gate.yml
  • docs/examples/github-action-apply-gate.yml
  • docs/examples/gitlab-ci.yml
  • docs/examples/atlantis.yaml

The action writes JSON, Markdown, and SARIF reports under terraform-guard-output/.

Apify

This repo includes an Apify Actor scaffold:

.actor/actor.json
.actor/input_schema.json
.actor/output_schema.json
.actor/openapi.json
.actor/pay_per_event.json
Dockerfile

The Actor supports two modes:

  • normal Actor run: paste planJson, get a dataset/KV result
  • Standby mode: exposes a Streamable HTTP MCP endpoint at /mcp

Pay-per-event hooks are wired for:

  • terraform-plan-check
  • terraform-pro-ruleset

Configure the same events in Apify Console when publishing.

Rules

Free rules:

ID | Severity | Check
TFG001 | block | Database delete
TFG002 | block | Stateful resource replacement
TFG003 | warn | Newly introduced public ingress
TFG004 | block | Network delete or replacement
Pro rules:

ID | Severity | Check
TFG005 | block | Deletion protection disabled
TFG006 | block | Database replacement by broad type match
TFG007 | warn | Backup retention reduced
TFG008 | warn | Wildcard or broad administrative IAM
TFG009 | block | Load balancer removed or replaced
TFG010 | block | Force-destroy storage bucket
TFG011 | warn | Object storage made public
TFG012 | block | Encryption at rest disabled
TFG013 | block | Cryptographic key deleted or replaced
TFG014 | warn | Database made publicly reachable
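
How a pre-apply gate of this kind can turn plan JSON into a verdict and a CI exit code, as an added sketch (not terraform-guard's own code): it reads the resource_changes array of the plan JSON and applies simplified versions of TFG001, TFG002 and TFG003. The AWS resource-type lists, the aws_security_group ingress fields, the check_plan and exit_code names, and warn exiting 0 without --fail-on warn are assumptions made for illustration.

```python
import json

# Assumed resource-type lists and field names (aws_* only), chosen for illustration.
DATABASE_TYPES = {"aws_db_instance", "aws_rds_cluster"}
STATEFUL_TYPES = DATABASE_TYPES | {"aws_ebs_volume", "aws_efs_file_system"}
RANK = {"allow": 0, "warn": 1, "block": 2}

def has_public_ingress(state):
    """True if an aws_security_group state has an ingress rule open to the world."""
    rules = (state or {}).get("ingress") or []
    return any(c in ("0.0.0.0/0", "::/0") for r in rules
               for c in (r.get("cidr_blocks") or []) + (r.get("ipv6_cidr_blocks") or []))

def check_plan(plan_text):
    """Return (verdict, findings) for the text produced by `terraform show -json`."""
    findings = []
    for rc in json.loads(plan_text).get("resource_changes", []):
        change, rtype, addr = rc.get("change", {}), rc.get("type"), rc.get("address")
        actions = change.get("actions", [])
        if actions == ["delete"] and rtype in DATABASE_TYPES:
            findings.append(("TFG001", "block", addr))
        elif {"delete", "create"} <= set(actions) and rtype in STATEFUL_TYPES:
            findings.append(("TFG002", "block", addr))
        # "Newly introduced": open in the planned state but not in the prior one.
        if (rtype == "aws_security_group" and has_public_ingress(change.get("after"))
                and not has_public_ingress(change.get("before"))):
            findings.append(("TFG003", "warn", addr))
    verdict = max((f[1] for f in findings), key=RANK.get, default="allow")
    return verdict, findings

def exit_code(verdict, fail_on="block"):
    """Exit codes from the list above; warn assumed to exit 0 unless fail_on == 'warn'."""
    if verdict == "warn":
        return 2 if fail_on == "warn" else 0
    return {"allow": 0, "block": 3}[verdict]

# Constructed sample plan, trimmed to the fields the checks read.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_db_instance.orders", "type": "aws_db_instance",
     "change": {"actions": ["delete"], "before": {}, "after": None}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["update"],
                "before": {"ingress": [{"cidr_blocks": ["10.0.0.0/8"]}]},
                "after": {"ingress": [{"cidr_blocks": ["0.0.0.0/0"]}]}}},
]})

if __name__ == "__main__":
    verdict, findings = check_plan(SAMPLE_PLAN)
    print(verdict, findings, "exit", exit_code(verdict))
```

The highest-severity finding decides the verdict, so one block-level change in a plan outweighs any number of warnings.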

Recommended Product Lane

Do not position this as another static Terraform scanner. Checkov and Trivy already own broad IaC scanning.

The wedge is narrower and sharper:

pre-apply approval gate for AI-generated infrastructure changes.

Best distribution targets:

  • local CLI and MCP for Cursor, Claude, Codex, VS Code, and other agents
  • GitHub/GitLab CI gates with PR comments
  • Atlantis, Spacelift, env0, and Terraform Cloud run-task integrations
  • Apify as an agent marketplace and pay-per-event experiment

The moat should be low-false-positive plan risk scoring, repo/workspace baselines, approval evidence, and integrations in the actual apply path.

More detail:

  • docs/CI_APPLY_PATH_INTEGRATIONS.md
  • docs/MONETIZATION_AND_REGISTRATION.md
  • docs/PRODUCT_STRATEGY.md

Development

pip install -e ".[dev]"
pytest
ruff check .

Privacy

The core scanner runs locally and does not call cloud APIs. Terraform plans can contain sensitive infrastructure metadata, so local CLI/MCP and self-hosted CI should be the primary enterprise deployment path. Hosted Apify runs are best for demo, marketplace discovery, and teams comfortable uploading plan JSON.
