Terraform Guardrail MCP (TerraGuard)

Enterprise guardrails workspace

Scan Terraform folders, curate enterprise policies, and review rule ownership in one flow.

Next rule {{ next_rule_id }}
{% if error %}
{{ error }}
{% endif %}

Scanner

Upload Terraform workspace

.tf .tfvars .hcl

Baselines

Org-wide baseline lifecycle

{{ baselines | length }}
{% if baselines %}
{% for baseline in baselines %}
{{ baseline.name }} version={{ baseline.version }} · policies={{ baseline.policy_ids | length }} · approved={{ baseline.approved }}
{% if not baseline.approved %}
{% endif %}
{% endfor %}
{% endif %}

Authoring

Create enterprise policy

{{ next_rule_id }}
Example

Create a policy named Production S3 encryption with owner platform-security, standard SOC2, control CC6.6, and remediation Enable default SSE with KMS. The rule ID is assigned automatically as {{ next_rule_id }}.

Enforcement

Bind policies to orgs, groups, or repos

{{ bindings | length }}
{% if bindings %}
{% for binding in bindings %} {{ binding.target_type }}:{{ binding.target }} policies={{ binding.policy_ids | length }} · baselines={{ binding.baseline_ids | length }} {% if binding.parent %} · parent={{ binding.parent }}{% endif %} {% endfor %}
{% endif %}

Resolve

Preview effective policies

{% if resolved %}

Resolved enforcement

{{ resolved.target_type }}:{{ resolved.target }}

{{ resolved.policy_ids | length }} policies
Bindings: {{ resolved.binding_targets | join(", ") or "none" }}
Baselines: {{ resolved.baseline_ids | join(", ") or "none" }}
Policies: {{ resolved.policy_ids | length }}
Target: {{ resolved.target }}
{% if resolved.policies %}
{% for policy in resolved.policies %} {{ policy.rule_id or "none" }} · {{ policy.name }} {{ policy.status }} · {{ policy.severity }} {% endfor %}
{% else %}

No policies resolved for this target.

{% endif %}
{% endif %} {% if selected_default_rule %}

Default rule detail

{{ selected_default_rule.name }}

Built-in
Rule ID: {{ selected_default_rule.rule_id }}
Source: Default catalog
Status: Active
Risk: {{ selected_default_rule.risk }}

{{ selected_default_rule.name }} is enforced by the built-in scanner rule catalog. Recommended remediation: {{ selected_default_rule.remediation }}

{% elif selected_policy %}

Policy detail

{{ selected_policy.name }}

{{ selected_policy.status }}
Rule ID: {{ selected_policy.rule_id or "unmapped" }}
Scope: {{ selected_policy.scope }}
Severity: {{ selected_policy.severity }}
Owner: {{ selected_policy.metadata.owner or "unassigned" }}
Standard: {{ selected_policy.metadata.standard or "none" }}
Control: {{ selected_policy.metadata.control_id or "none" }}
{% if selected_policy.status != "approved" %}
{% endif %}

Preview

Validate this policy before approval

{{ selected_policy.rule_id or "none" }}
{% endif %} {% if preview %}

Policy preview

{{ preview.policy_name }}

{{ preview.rule_id or "unmapped" }}
{{ preview.summary.findings }} Total
{{ preview.summary.high }} High
{{ preview.summary.medium }} Medium
{{ preview.summary.low }} Low
{% if preview.findings %}
{% for finding in preview.findings %}
  • {{ finding.severity }} {{ finding.rule_id }} {{ finding.message }} {{ finding.path }}
{% endfor %}
{% else %}

No findings matched this policy rule ID in the uploaded files.

{% endif %}
{% endif %} {% if report %}

Scan report

{{ report.scanned_path }}

{{ report.summary.findings }} Total
{{ report.summary.high }} High
{{ report.summary.medium }} Medium
{{ report.summary.low }} Low
{% for finding in report.findings %}
  • {{ finding.severity }} {{ finding.rule_id }} {{ finding.message }} {{ finding.path }}
{% endfor %}
{% endif %}