Terraform Guardrail MCP (TerraGuard)

Enterprise guardrails workspace

Scan Terraform folders, curate enterprise policies, and review rule ownership in one flow.

How to guides Learn the workflow
All guides
{% for guide in how_to_guides %} {{ guide.title }} {{ guide.description }} {% endfor %}
Next rule {{ next_rule_id }}
{% if error %}
{{ error }}
{% endif %}

Scanner

Upload Terraform workspace

.tf .tfvars .hcl

Baselines

Org-wide baseline lifecycle

{{ baselines | length }}
{% if baselines %}
{% for baseline in baselines %}
{{ baseline.name }} version={{ baseline.version }} · policies={{ baseline.policy_ids | length }} · approved={{ baseline.approved }}
{% if not baseline.approved %}
{% endif %}
{% endfor %}
{% endif %}

Authoring

Create enterprise policy

{{ next_rule_id }}
Example

Create a policy named Production S3 encryption with owner platform-security, standard SOC2, control CC6.6, and remediation Enable default SSE with KMS. The rule ID is assigned automatically as {{ next_rule_id }}.

Enforcement

Bind policies to orgs, groups, or repos

{{ bindings | length }}
{% if bindings %}
{% for binding in bindings %} {{ binding.target_type }}:{{ binding.target }} policies={{ binding.policy_ids | length }} · baselines={{ binding.baseline_ids | length }} {% if binding.parent %} · parent={{ binding.parent }}{% endif %} {% endfor %}
{% endif %}

Resolve

Preview effective policies

Exceptions

Policy waivers

{{ waivers | length }}
{% if waivers %}
{% for waiver in waivers %}
{{ waiver.rule_id }} · {{ waiver.owner }} {{ waiver.status }} · expires {{ waiver.expires_at }}

{{ waiver.reason }}

{% if waiver.path %}path={{ waiver.path }}{% endif %}
{% if waiver.status == "requested" %}
{% endif %} {% if waiver.status != "revoked" %}
{% endif %}
{% endfor %}
{% else %}

No policy waivers have been requested.

{% endif %}
{% if resolved %}

Resolved enforcement

{{ resolved.target_type }}:{{ resolved.target }}

{{ resolved.policy_ids | length }} policies
Bindings{{ resolved.binding_targets | join(", ") or "none" }}
Baselines{{ resolved.baseline_ids | join(", ") or "none" }}
Policies{{ resolved.policy_ids | length }}
Target{{ resolved.target }}
{% if resolved.policies %}
{% for policy in resolved.policies %} {{ policy.rule_id or "none" }} · {{ policy.name }} {{ policy.status }} · {{ policy.severity }} {% endfor %}
{% else %}

No policies resolved for this target.

{% endif %}
{% endif %} {% if selected_default_rule %}

Default rule detail

{{ selected_default_rule.name }}

Built-in
Rule ID{{ selected_default_rule.rule_id }}
SourceDefault catalog
StatusActive
Risk{{ selected_default_rule.risk }}

{{ selected_default_rule.name }} is enforced by the built-in scanner rule catalog. Recommended remediation: {{ selected_default_rule.remediation }}

{% elif selected_policy %}

Policy detail

{{ selected_policy.name }}

{{ selected_policy.status }}
Rule ID{{ selected_policy.rule_id or "unmapped" }}
Scope{{ selected_policy.scope }}
Severity{{ selected_policy.severity }}
Owner{{ selected_policy.metadata.owner or "unassigned" }}
Standard{{ selected_policy.metadata.standard or "none" }}
Control{{ selected_policy.metadata.control_id or "none" }}
{% if selected_policy.status != "approved" %}
{% endif %}

Preview

Validate this policy before approval

{{ selected_policy.rule_id or "none" }}
{% endif %} {% if preview %}

Policy preview

{{ preview.policy_name }}

{{ preview.rule_id or "unmapped" }}
{{ preview.summary.findings }}Total
{{ preview.summary.high }}High
{{ preview.summary.medium }}Medium
{{ preview.summary.low }}Low
{% if preview.findings %}
    {% for finding in preview.findings %}
  • {{ finding.severity }} {{ finding.rule_id }} {{ finding.message }} {{ finding.path }} {% if finding.waiver_id or (finding.detail and finding.detail.waiver) %} Waived by {{ finding.waiver_id or finding.detail.waiver.id }} until {{ finding.waiver_expires_at or finding.detail.waiver.expires_at }} {% endif %} {% if finding.suggested_fix %} {{ finding.suggested_fix }} {% endif %}
    • {% endfor %}
{% else %}

No findings matched this policy rule ID in the uploaded files.

{% endif %}
{% endif %} {% if report %}

Intelligent evaluation

{{ report.scanned_path }}

{% if evaluation %} {{ evaluation.decision }} {% endif %}
{% if report.metadata and report.metadata.intelligence %} {% set intelligence = report.metadata.intelligence %}
Risk profile {% if intelligence.profile %} {{ intelligence.profile.name }} {% else %} No profile matched {% endif %}
Context {{ intelligence.context.environment or "any" }} · {{ intelligence.context.risk_tier or "any" }}
Adjustments {{ intelligence.adjustments | length }}
Suggested fixes {{ intelligence.recommendations | length }}
{% if intelligence.adjustments %}
{% for adjustment in intelligence.adjustments %} {{ adjustment.rule_id }} raised from {{ adjustment["from"] }} to {{ adjustment.to }} {% if adjustment.path %}at {{ adjustment.path }}{% endif %} {% endfor %}
{% endif %} {% endif %}
{{ report.summary.findings }}Total
{{ report.summary.high }}High
{{ report.summary.medium }}Medium
{{ report.summary.low }}Low
    {% for finding in report.findings %}
  • {{ finding.severity }} {{ finding.rule_id }} {{ finding.message }} {{ finding.path }} {% if finding.waiver_id or (finding.detail and finding.detail.waiver) %} Waived by {{ finding.waiver_id or finding.detail.waiver.id }} until {{ finding.waiver_expires_at or finding.detail.waiver.expires_at }} {% endif %} {% if finding.suggested_fix %} {{ finding.suggested_fix }} {% endif %}
    • {% endfor %}
{% endif %}