Agent Workflow
This is the canonical loop an MCP agent follows to inventory live cloud resources,
generate Terraform HCL with import blocks, and verify the result with a read-only
terraform plan. All six Terraback MCP tools are read-only or code-generation-only:
none of them import into state, apply, or mutate cloud infrastructure. See the
Tool Reference for full parameter tables.
Prerequisites
Check these before starting:
- Terraback is installed and on
PATH. The MCP server is launched asterraback mcp. If the tools are missing from the client, install withpip install terrabackand re-add the server. - Read-only cloud credentials are configured in the environment the MCP server
runs in. Tools use the ambient credential chain and never take credentials as
arguments: AWS
ReadOnlyAccess+SecurityAudit, AzureReaderon the subscription, GCProles/vieweron the project. See Security and Credentials. - Terraform 1.5 or newer is on
PATHif the loop will callverify_plan— it runsterraform initandterraform plan, and import blocks require Terraform 1.5+.
Scope semantics
Every provider-facing tool takes provider + scope:
aws: scope is a region, e.g."us-east-1". Optionalprofileselects a named AWS CLI profile.azure: scope is a subscription ID.gcp: scope is a project ID.
Confirm provider and scope with the user before starting the loop.
The canonical loop
1. Plan coverage
Call list_supported_resources (optionally with provider) and confirm the resource
types the user cares about are supported. Use the returned type names in every later
types argument.
2. Inventory
Call scan_infrastructure with provider and scope. Pass types to narrow the scan
— it is much faster than scanning everything. The result contains summary.total and
summary.counts_by_type. The full resource list is inlined only up to 200 entries; for
larger inventories the result instead points at inventory_file — read that JSON file
from disk to see individual resources.
3. Target unmanaged resources (optional)
If the user already has Terraform state, call detect_unmanaged with provider,
scope, and state_files. v1 reads LOCAL state file paths only — for remote backends
(S3, azurerm, GCS, Terraform Cloud) run terraform state pull > state.json first and
pass that path. Work only on the unmanaged resources it reports; never touch
already-managed ones.
4. Codify
Call codify_batch with provider, scope, types, and an explicit output_dir.
Start with a small type subset rather than everything at once. To skip already-managed
resources, pass state_files plus exclude_managed: true.
The Community tier caps a single call at 25 total resources. If the tool returns
{"error": "resource_cap_exceeded", ...}, nothing was written: narrow the request
using types or tag_filters (the error's counts_by_type shows what to cut), or
tell the user the Professional tier removes the cap. Use codify_resource for a
single known resource ID — it is not capped.
5. Verify
Call verify_plan with terraform_dir set to the output directory. It returns
drift ("none", "drift_detected", or "plan_failed") and a summary of
imports, adds, changes, destroys.
6. Fix drift until clean
Pending imports are expected and are not drift. Adds, changes, and destroys are problems:
- Read
change_resources/add_resources/destroy_resourcesfrom the result, open the corresponding.tffiles inoutput_dir, and fix the specific attributes causing the diff. - If
driftis"plan_failed", read the returned error output, fix the invalid HCL or provider config, and re-run. - Re-run
verify_planafter each fix. Repeat untildriftis"none".
7. Hand off
Summarize for the user: files written (list the .tf files in output_dir), resource
counts by type, and any remaining warnings from the tool results. State clearly that
nothing has been imported or applied yet, and give the next command
(terraform apply performs the imports).
Safety rules
- Never edit the IDs inside generated
importblocks — they are the contract between the code and the live resource. - Prefer regenerating a resource (
codify_resource/codify_batch) over hand-editing whole files; hand-edit only targeted attributes when resolving drift. - Never run
terraform applyunless the user explicitly asks for it. Every Terraback MCP tool is read-only or code-generation-only by design — applying is a deliberate, separate step the user takes. - Do not invent tool parameters. The parameter tables in the Tool Reference are the authoritative contract for what each tool accepts.
Related pages
- Tool Reference: full parameter tables and example calls for every tool used in this loop.
- Security and Credentials: read-only roles to configure before running the loop.
- Licensing and Limits: what changes about step 4 on the Community tier.
- Troubleshooting: fixes for the most common issues
encountered mid-loop (missing
ARM_SUBSCRIPTION_ID, old Terraform, large inventories, remote state backends).