This is page 514 of 522. Use http://codebase.md/awslabs/mcp?lines=true&page={x} to view the full context.
# Directory Structure
```
├── .devcontainer
│ └── devcontainer.json
├── .github
│ ├── actions
│ │ ├── build-and-push-container-image
│ │ │ └── action.yml
│ │ └── clear-space-ubuntu-latest-agressively
│ │ └── action.yml
│ ├── codecov.yml
│ ├── CODEOWNERS
│ ├── dependabot.yml
│ ├── ISSUE_TEMPLATE
│ │ ├── bug_report.yml
│ │ ├── documentation.yml
│ │ ├── feature_request.yml
│ │ ├── rfc.yml
│ │ └── support_awslabs_mcp_servers.yml
│ ├── pull_request_template.md
│ ├── SECURITY
│ ├── SUPPORT
│ └── workflows
│ ├── aws-api-mcp-upgrade-version.yml
│ ├── bandit-requirements.txt
│ ├── bandit.yml
│ ├── cfn_nag.yml
│ ├── check-gh-pages-builds.yml
│ ├── check-license-header-hash.txt
│ ├── check-license-header.json
│ ├── check-license-header.yml
│ ├── checkov.yml
│ ├── codeql.yml
│ ├── dependency-review-action.yml
│ ├── detect-secrets-requirements.txt
│ ├── gh-pages.yml
│ ├── merge-prevention.yml
│ ├── powershell.yml
│ ├── pre-commit-requirements.txt
│ ├── pre-commit.yml
│ ├── pull-request-lint.yml
│ ├── python.yml
│ ├── RELEASE_INSTRUCTIONS.md
│ ├── release-initiate-branch.yml
│ ├── release-merge-tag.yml
│ ├── release.py
│ ├── release.yml
│ ├── scanners.yml
│ ├── scorecard-analysis.yml
│ ├── semgrep-requirements.txt
│ ├── semgrep.yml
│ ├── stale.yml
│ ├── trivy.yml
│ └── typescript.yml
├── .gitignore
├── .pre-commit-config.yaml
├── .python-version
├── .ruff.toml
├── .secrets.baseline
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── DESIGN_GUIDELINES.md
├── DEVELOPER_GUIDE.md
├── docs
│ └── images
│ └── root-readme
│ ├── cline-api-provider-filled.png
│ ├── cline-chat-interface.png
│ ├── cline-custom-instructions.png
│ ├── cline-select-aws-profile.png
│ ├── cline-select-bedrock.png
│ ├── configure-mcp-servers.png
│ ├── install-cline-extension.png
│ ├── mcp-servers-installed.png
│ └── select-mcp-servers.png
├── docusaurus
│ ├── .gitignore
│ ├── docs
│ │ ├── installation.md
│ │ ├── intro.md
│ │ ├── samples
│ │ │ ├── index.md
│ │ │ ├── mcp-integration-with-kb.md
│ │ │ ├── mcp-integration-with-nova-canvas.md
│ │ │ └── stepfunctions-tool-mcp-server.md
│ │ ├── servers
│ │ │ ├── amazon-bedrock-agentcore-mcp-server.md
│ │ │ ├── amazon-keyspaces-mcp-server.md
│ │ │ ├── amazon-mq-mcp-server.md
│ │ │ ├── amazon-neptune-mcp-server.md
│ │ │ ├── amazon-qbusiness-anonymous-mcp-server.md
│ │ │ ├── amazon-qindex-mcp-server.md
│ │ │ ├── amazon-sns-sqs-mcp-server.md
│ │ │ ├── aurora-dsql-mcp-server.md
│ │ │ ├── aws-api-mcp-server.md
│ │ │ ├── aws-appsync-mcp-server.md
│ │ │ ├── aws-bedrock-custom-model-import-mcp-server.md
│ │ │ ├── aws-bedrock-data-automation-mcp-server.md
│ │ │ ├── aws-dataprocessing-mcp-server.md
│ │ │ ├── aws-diagram-mcp-server.md
│ │ │ ├── aws-documentation-mcp-server.md
│ │ │ ├── aws-healthomics-mcp-server.md
│ │ │ ├── aws-iot-sitewise-mcp-server.md
│ │ │ ├── aws-knowledge-mcp-server.md
│ │ │ ├── aws-location-mcp-server.md
│ │ │ ├── aws-msk-mcp-server.md
│ │ │ ├── aws-pricing-mcp-server.md
│ │ │ ├── aws-serverless-mcp-server.md
│ │ │ ├── aws-support-mcp-server.md
│ │ │ ├── bedrock-kb-retrieval-mcp-server.md
│ │ │ ├── billing-cost-management-mcp-server.md
│ │ │ ├── ccapi-mcp-server.md
│ │ │ ├── cdk-mcp-server.md
│ │ │ ├── cfn-mcp-server.md
│ │ │ ├── cloudtrail-mcp-server.md
│ │ │ ├── cloudwatch-appsignals-mcp-server.md
│ │ │ ├── cloudwatch-mcp-server.md
│ │ │ ├── code-doc-gen-mcp-server.md
│ │ │ ├── core-mcp-server.md
│ │ │ ├── cost-explorer-mcp-server.md
│ │ │ ├── documentdb-mcp-server.md
│ │ │ ├── dynamodb-mcp-server.md
│ │ │ ├── ecs-mcp-server.md
│ │ │ ├── eks-mcp-server.md
│ │ │ ├── elasticache-mcp-server.md
│ │ │ ├── finch-mcp-server.md
│ │ │ ├── frontend-mcp-server.md
│ │ │ ├── git-repo-research-mcp-server.md
│ │ │ ├── healthlake-mcp-server.md
│ │ │ ├── iam-mcp-server.md
│ │ │ ├── kendra-index-mcp-server.md
│ │ │ ├── lambda-tool-mcp-server.md
│ │ │ ├── memcached-mcp-server.md
│ │ │ ├── mysql-mcp-server.md
│ │ │ ├── nova-canvas-mcp-server.md
│ │ │ ├── openapi-mcp-server.md
│ │ │ ├── postgres-mcp-server.md
│ │ │ ├── prometheus-mcp-server.md
│ │ │ ├── redshift-mcp-server.md
│ │ │ ├── s3-tables-mcp-server.md
│ │ │ ├── stepfunctions-tool-mcp-server.md
│ │ │ ├── syntheticdata-mcp-server.md
│ │ │ ├── terraform-mcp-server.md
│ │ │ ├── timestream-for-influxdb-mcp-server.md
│ │ │ ├── valkey-mcp-server.md
│ │ │ └── well-architected-security-mcp-server.mdx
│ │ └── vibe_coding.md
│ ├── docusaurus.config.ts
│ ├── package-lock.json
│ ├── package.json
│ ├── README.md
│ ├── sidebars.ts
│ ├── src
│ │ ├── components
│ │ │ ├── HomepageFeatures
│ │ │ │ └── styles.module.css
│ │ │ └── ServerCards
│ │ │ ├── index.tsx
│ │ │ └── styles.module.css
│ │ ├── css
│ │ │ ├── custom.css
│ │ │ └── doc-override.css
│ │ └── pages
│ │ ├── index.module.css
│ │ └── servers.tsx
│ ├── static
│ │ ├── .nojekyll
│ │ ├── assets
│ │ │ ├── icons
│ │ │ │ ├── activity.svg
│ │ │ │ ├── book-open.svg
│ │ │ │ ├── cpu.svg
│ │ │ │ ├── database.svg
│ │ │ │ ├── dollar-sign.svg
│ │ │ │ ├── help-circle.svg
│ │ │ │ ├── key.svg
│ │ │ │ ├── server.svg
│ │ │ │ ├── share-2.svg
│ │ │ │ ├── tool.svg
│ │ │ │ └── zap.svg
│ │ │ └── server-cards.json
│ │ └── img
│ │ ├── aws-logo.svg
│ │ └── logo.png
│ └── tsconfig.json
├── LICENSE
├── NOTICE
├── README.md
├── samples
│ ├── mcp-integration-with-kb
│ │ ├── .env.example
│ │ ├── .python-version
│ │ ├── assets
│ │ │ └── simplified-mcp-flow-diagram.png
│ │ ├── clients
│ │ │ └── client_server.py
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── user_interfaces
│ │ │ └── chat_bedrock_st.py
│ │ └── uv.lock
│ ├── mcp-integration-with-nova-canvas
│ │ ├── .env.example
│ │ ├── .python-version
│ │ ├── clients
│ │ │ └── client_server.py
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── user_interfaces
│ │ │ └── image_generator_st.py
│ │ └── uv.lock
│ ├── README.md
│ └── stepfunctions-tool-mcp-server
│ ├── README.md
│ └── sample_state_machines
│ ├── customer-create
│ │ └── app.py
│ ├── customer-id-from-email
│ │ └── app.py
│ ├── customer-info-from-id
│ │ └── app.py
│ └── template.yml
├── scripts
│ ├── README.md
│ └── verify_package_name.py
├── src
│ ├── amazon-bedrock-agentcore-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── amazon_bedrock_agentcore_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── config.py
│ │ │ ├── server.py
│ │ │ └── utils
│ │ │ ├── __init__.py
│ │ │ ├── cache.py
│ │ │ ├── doc_fetcher.py
│ │ │ ├── indexer.py
│ │ │ ├── text_processor.py
│ │ │ └── url_validator.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── SECURITY.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── test_cache.py
│ │ │ ├── test_config.py
│ │ │ ├── test_doc_fetcher.py
│ │ │ ├── test_indexer.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ ├── test_server.py
│ │ │ ├── test_text_processor.py
│ │ │ └── test_url_validator.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── amazon-kendra-index-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── amazon_kendra_index_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── server.py
│ │ │ └── util.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── amazon-keyspaces-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── amazon_keyspaces_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── client.py
│ │ │ ├── config.py
│ │ │ ├── consts.py
│ │ │ ├── llm_context.py
│ │ │ ├── models.py
│ │ │ ├── server.py
│ │ │ └── services.py
│ │ ├── CHANGELOG.md
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── run_tests.sh
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── test_client.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ ├── test_query_analysis_service.py
│ │ │ ├── test_server.py
│ │ │ └── test_services.py
│ │ └── uv.lock
│ ├── amazon-mq-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── amazon_mq_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── aws_service_mcp_generator.py
│ │ │ ├── consts.py
│ │ │ ├── rabbitmq
│ │ │ │ ├── __init__.py
│ │ │ │ ├── admin.py
│ │ │ │ ├── connection.py
│ │ │ │ ├── doc
│ │ │ │ │ ├── rabbitmq_broker_sizing_guide.md
│ │ │ │ │ ├── rabbitmq_performance_optimization_best_practice.md
│ │ │ │ │ ├── rabbitmq_production_deployment_guidelines.md
│ │ │ │ │ ├── rabbitmq_quorum_queue_migration_guide.md
│ │ │ │ │ └── rabbitmq_setup_best_practice.md
│ │ │ │ ├── handlers.py
│ │ │ │ └── module.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── example
│ │ │ └── sample_mcp_q_cli.json
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── .gitignore
│ │ │ ├── rabbitmq
│ │ │ │ ├── __init__.py
│ │ │ │ ├── conftest.py
│ │ │ │ ├── test_admin.py
│ │ │ │ ├── test_connection.py
│ │ │ │ ├── test_handlers.py
│ │ │ │ └── test_module.py
│ │ │ ├── test_aws_service_mcp_generator.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── amazon-neptune-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── amazon_neptune_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── exceptions.py
│ │ │ ├── graph_store
│ │ │ │ ├── __init__.py
│ │ │ │ ├── analytics.py
│ │ │ │ ├── base.py
│ │ │ │ └── database.py
│ │ │ ├── models.py
│ │ │ ├── neptune.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── test_analytics.py
│ │ │ ├── test_database.py
│ │ │ ├── test_exceptions.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ ├── test_models.py
│ │ │ ├── test_neptune.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── amazon-qbusiness-anonymous-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── amazon_qbusiness_anonymous_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── clients.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── amazon-qindex-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── amazon_qindex_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── clients.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── test_clients.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ └── test_server.py
│ │ └── uv.lock
│ ├── amazon-sns-sqs-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── amazon_sns_sqs_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── common.py
│ │ │ ├── consts.py
│ │ │ ├── generator.py
│ │ │ ├── server.py
│ │ │ ├── sns.py
│ │ │ └── sqs.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── print_tools.py
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── run_tests.sh
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── .gitignore
│ │ │ ├── README.md
│ │ │ ├── test_common.py
│ │ │ ├── test_generator.py
│ │ │ ├── test_server.py
│ │ │ ├── test_sns.py
│ │ │ └── test_sqs.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── aurora-dsql-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aurora_dsql_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── consts.py
│ │ │ ├── mutable_sql_detector.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── test_connection_reuse.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ ├── test_profile_option.py
│ │ │ ├── test_readonly_enforcement.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── aws-api-mcp-server
│ │ ├── .gitattributes
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aws_api_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── core
│ │ │ │ ├── __init__.py
│ │ │ │ ├── agent_scripts
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── manager.py
│ │ │ │ │ ├── models.py
│ │ │ │ │ └── registry
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── application-failure-troubleshooting.script.md
│ │ │ │ │ ├── cloudtral-mutli-region-setup.script.md
│ │ │ │ │ ├── create_amazon_aurora_db_cluster_with_instances.script.md
│ │ │ │ │ ├── lambda-timeout-debugging.script.md
│ │ │ │ │ ├── scripts_format.md
│ │ │ │ │ └── troubleshoot-permissions-with-cloudtrail-events.script.md
│ │ │ │ ├── aws
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── driver.py
│ │ │ │ │ ├── pagination.py
│ │ │ │ │ ├── regions.py
│ │ │ │ │ ├── service.py
│ │ │ │ │ └── services.py
│ │ │ │ ├── common
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── command_metadata.py
│ │ │ │ │ ├── command.py
│ │ │ │ │ ├── config.py
│ │ │ │ │ ├── errors.py
│ │ │ │ │ ├── file_operations.py
│ │ │ │ │ ├── file_system_controls.py
│ │ │ │ │ ├── helpers.py
│ │ │ │ │ ├── models.py
│ │ │ │ │ └── py.typed
│ │ │ │ ├── data
│ │ │ │ │ └── api_metadata.json
│ │ │ │ ├── metadata
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── read_only_operations_list.py
│ │ │ │ ├── parser
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── custom_validators
│ │ │ │ │ │ ├── __init__.py
│ │ │ │ │ │ ├── botocore_param_validator.py
│ │ │ │ │ │ ├── ec2_validator.py
│ │ │ │ │ │ └── ssm_validator.py
│ │ │ │ │ ├── interpretation.py
│ │ │ │ │ ├── lexer.py
│ │ │ │ │ └── parser.py
│ │ │ │ ├── py.typed
│ │ │ │ └── security
│ │ │ │ ├── __init__.py
│ │ │ │ ├── aws_api_customization.json
│ │ │ │ └── policy.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── CONTRIBUTING.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── agent_scripts
│ │ │ │ ├── __init__.py
│ │ │ │ ├── test_manager.py
│ │ │ │ └── test_registry
│ │ │ │ ├── another_valid_script.script.md
│ │ │ │ ├── test_script.script.md
│ │ │ │ └── valid_script.script.md
│ │ │ ├── aws
│ │ │ │ ├── __init__.py
│ │ │ │ ├── test_driver.py
│ │ │ │ ├── test_pagination.py
│ │ │ │ ├── test_service.py
│ │ │ │ └── test_services.py
│ │ │ ├── common
│ │ │ │ ├── test_command.py
│ │ │ │ ├── test_config.py
│ │ │ │ ├── test_file_operations.py
│ │ │ │ ├── test_file_system_controls.py
│ │ │ │ ├── test_file_validation.py
│ │ │ │ └── test_helpers.py
│ │ │ ├── fixtures.py
│ │ │ ├── history_handler.py
│ │ │ ├── metadata
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_read_only_operations_list.py
│ │ │ ├── parser
│ │ │ │ ├── __init__.py
│ │ │ │ ├── test_file_path_detection.py
│ │ │ │ ├── test_lexer.py
│ │ │ │ ├── test_parser_customizations.py
│ │ │ │ └── test_parser.py
│ │ │ ├── test_security_policy.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── aws-appsync-mcp-server
│ │ ├── .dockerignore
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aws_appsync_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── decorators.py
│ │ │ ├── helpers.py
│ │ │ ├── operations
│ │ │ │ ├── __init__.py
│ │ │ │ ├── create_api_cache.py
│ │ │ │ ├── create_api_key.py
│ │ │ │ ├── create_api.py
│ │ │ │ ├── create_channel_namespace.py
│ │ │ │ ├── create_datasource.py
│ │ │ │ ├── create_domain_name.py
│ │ │ │ ├── create_function.py
│ │ │ │ ├── create_graphql_api.py
│ │ │ │ ├── create_resolver.py
│ │ │ │ └── create_schema.py
│ │ │ ├── server.py
│ │ │ ├── tools
│ │ │ │ ├── __init__.py
│ │ │ │ ├── create_api_cache.py
│ │ │ │ ├── create_api_key.py
│ │ │ │ ├── create_api.py
│ │ │ │ ├── create_channel_namespace.py
│ │ │ │ ├── create_datasource.py
│ │ │ │ ├── create_domain_name.py
│ │ │ │ ├── create_function.py
│ │ │ │ ├── create_graphql_api.py
│ │ │ │ ├── create_resolver.py
│ │ │ │ └── create_schema.py
│ │ │ └── validators.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── test_all_create_tools_write_protection.py
│ │ │ ├── test_create_api_cache.py
│ │ │ ├── test_create_api_key.py
│ │ │ ├── test_create_api.py
│ │ │ ├── test_create_channel_namespace.py
│ │ │ ├── test_create_datasource_tool.py
│ │ │ ├── test_create_datasource.py
│ │ │ ├── test_create_domain_name.py
│ │ │ ├── test_create_function.py
│ │ │ ├── test_create_graphql_api.py
│ │ │ ├── test_create_resolver.py
│ │ │ ├── test_create_schema_tool.py
│ │ │ ├── test_create_schema.py
│ │ │ ├── test_helpers.py
│ │ │ ├── test_server.py
│ │ │ ├── test_validators.py
│ │ │ └── test_write_operation.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── aws-bedrock-custom-model-import-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aws_bedrock_custom_model_import_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── client.py
│ │ │ ├── llm_context.py
│ │ │ ├── models.py
│ │ │ ├── prompts.py
│ │ │ ├── server.py
│ │ │ ├── services
│ │ │ │ ├── __init__.py
│ │ │ │ ├── imported_model_service.py
│ │ │ │ └── model_import_service.py
│ │ │ ├── tools
│ │ │ │ ├── create_model_import_job.py
│ │ │ │ ├── delete_imported_model.py
│ │ │ │ ├── get_imported_model.py
│ │ │ │ ├── get_model_import_job.py
│ │ │ │ ├── list_imported_models.py
│ │ │ │ └── list_model_import_jobs.py
│ │ │ └── utils
│ │ │ ├── __init__.py
│ │ │ ├── aws.py
│ │ │ ├── config.py
│ │ │ ├── consts.py
│ │ │ └── matching.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── services
│ │ │ │ ├── test_imported_model_service.py
│ │ │ │ └── test_model_import_service.py
│ │ │ ├── test_client.py
│ │ │ ├── test_init.py
│ │ │ ├── test_llm_context.py
│ │ │ ├── test_prompts.py
│ │ │ ├── test_server.py
│ │ │ ├── tools
│ │ │ │ ├── test_create_model_import_job.py
│ │ │ │ ├── test_delete_imported_model.py
│ │ │ │ ├── test_get_imported_model.py
│ │ │ │ ├── test_get_model_import_job.py
│ │ │ │ ├── test_list_imported_models.py
│ │ │ │ └── test_list_model_import_jobs.py
│ │ │ └── utils
│ │ │ ├── test_aws.py
│ │ │ ├── test_config.py
│ │ │ └── test_matching.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── aws-bedrock-data-automation-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aws_bedrock_data_automation_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── helpers.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── test_helpers.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── aws-dataprocessing-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aws_dataprocessing_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── core
│ │ │ │ ├── __init__.py
│ │ │ │ └── glue_data_catalog
│ │ │ │ ├── __init__.py
│ │ │ │ ├── data_catalog_database_manager.py
│ │ │ │ ├── data_catalog_handler.py
│ │ │ │ └── data_catalog_table_manager.py
│ │ │ ├── handlers
│ │ │ │ ├── __init__.py
│ │ │ │ ├── athena
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── athena_data_catalog_handler.py
│ │ │ │ │ ├── athena_query_handler.py
│ │ │ │ │ └── athena_workgroup_handler.py
│ │ │ │ ├── commons
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── common_resource_handler.py
│ │ │ │ ├── emr
│ │ │ │ │ ├── emr_ec2_cluster_handler.py
│ │ │ │ │ ├── emr_ec2_instance_handler.py
│ │ │ │ │ └── emr_ec2_steps_handler.py
│ │ │ │ └── glue
│ │ │ │ ├── __init__.py
│ │ │ │ ├── crawler_handler.py
│ │ │ │ ├── data_catalog_handler.py
│ │ │ │ ├── glue_commons_handler.py
│ │ │ │ ├── glue_etl_handler.py
│ │ │ │ ├── interactive_sessions_handler.py
│ │ │ │ └── worklows_handler.py
│ │ │ ├── models
│ │ │ │ ├── __init__.py
│ │ │ │ ├── athena_models.py
│ │ │ │ ├── common_resource_models.py
│ │ │ │ ├── data_catalog_models.py
│ │ │ │ ├── emr_models.py
│ │ │ │ └── glue_models.py
│ │ │ ├── server.py
│ │ │ └── utils
│ │ │ ├── __init__.py
│ │ │ ├── aws_helper.py
│ │ │ ├── consts.py
│ │ │ ├── logging_helper.py
│ │ │ └── mutable_sql_detector.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── core
│ │ │ │ ├── __init__.py
│ │ │ │ └── glue_data_catalog
│ │ │ │ ├── __init__.py
│ │ │ │ ├── test_data_catalog_database_manager.py
│ │ │ │ ├── test_data_catalog_handler.py
│ │ │ │ └── test_data_catalog_table_manager.py
│ │ │ ├── handlers
│ │ │ │ ├── __init__.py
│ │ │ │ ├── athena
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── test_athena_data_catalog_handler.py
│ │ │ │ │ ├── test_athena_query_handler.py
│ │ │ │ │ ├── test_athena_workgroup_handler.py
│ │ │ │ │ └── test_custom_tags_athena.py
│ │ │ │ ├── commons
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── test_common_resource_handler.py
│ │ │ │ ├── emr
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── test_custom_tags_emr.py
│ │ │ │ │ ├── test_emr_ec2_cluster_handler.py
│ │ │ │ │ ├── test_emr_ec2_instance_handler.py
│ │ │ │ │ └── test_emr_ec2_steps_handler.py
│ │ │ │ └── glue
│ │ │ │ ├── __init__.py
│ │ │ │ ├── test_crawler_handler.py
│ │ │ │ ├── test_custom_tags_glue.py
│ │ │ │ ├── test_data_catalog_handler.py
│ │ │ │ ├── test_glue_commons_handler.py
│ │ │ │ ├── test_glue_etl_handler.py
│ │ │ │ ├── test_glue_interactive_sessions_handler.py
│ │ │ │ └── test_glue_workflows_handler.py
│ │ │ ├── models
│ │ │ │ ├── __init__.py
│ │ │ │ ├── test_athena_models.py
│ │ │ │ ├── test_common_resource_models.py
│ │ │ │ ├── test_data_catalog_models.py
│ │ │ │ ├── test_emr_models.py
│ │ │ │ ├── test_glue_models.py
│ │ │ │ ├── test_interactive_sessions_models.py
│ │ │ │ └── test_workflows_models.py
│ │ │ ├── test_init.py
│ │ │ ├── test_server.py
│ │ │ └── utils
│ │ │ ├── __init__.py
│ │ │ ├── test_aws_helper.py
│ │ │ ├── test_custom_tags.py
│ │ │ └── test_logging_helper.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── aws-diagram-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aws_diagram_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── diagrams_tools.py
│ │ │ ├── models.py
│ │ │ ├── scanner.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── .gitignore
│ │ │ ├── conftest.py
│ │ │ ├── README.md
│ │ │ ├── resources
│ │ │ │ ├── __init__.py
│ │ │ │ └── example_diagrams
│ │ │ │ ├── __init__.py
│ │ │ │ ├── aws_example.py
│ │ │ │ ├── flow_example.py
│ │ │ │ └── sequence_example.py
│ │ │ ├── test_diagrams.py
│ │ │ ├── test_models.py
│ │ │ ├── test_sarif_fix.py
│ │ │ ├── test_scanner.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── aws-documentation-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aws_documentation_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── models.py
│ │ │ ├── server_aws_cn.py
│ │ │ ├── server_aws.py
│ │ │ ├── server_utils.py
│ │ │ ├── server.py
│ │ │ └── util.py
│ │ ├── basic-usage.gif
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── constants.py
│ │ │ ├── resources
│ │ │ │ └── lambda_sns_raw.html
│ │ │ ├── test_aws_cn_get_available_services_live.py
│ │ │ ├── test_aws_cn_read_documentation_live.py
│ │ │ ├── test_aws_read_documentation_live.py
│ │ │ ├── test_aws_recommend_live.py
│ │ │ ├── test_aws_search_live.py
│ │ │ ├── test_metadata_handling.py
│ │ │ ├── test_models.py
│ │ │ ├── test_server_aws_cn.py
│ │ │ ├── test_server_aws.py
│ │ │ ├── test_server_utils.py
│ │ │ ├── test_server.py
│ │ │ └── test_util.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── aws-healthomics-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aws_healthomics_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── consts.py
│ │ │ ├── models.py
│ │ │ ├── server.py
│ │ │ ├── tools
│ │ │ │ ├── __init__.py
│ │ │ │ ├── helper_tools.py
│ │ │ │ ├── run_analysis.py
│ │ │ │ ├── troubleshooting.py
│ │ │ │ ├── workflow_analysis.py
│ │ │ │ ├── workflow_execution.py
│ │ │ │ ├── workflow_linting.py
│ │ │ │ └── workflow_management.py
│ │ │ └── utils
│ │ │ ├── __init__.py
│ │ │ ├── aws_utils.py
│ │ │ ├── s3_utils.py
│ │ │ └── validation_utils.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── docs
│ │ │ └── workflow_linting.md
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── conftest.py
│ │ │ ├── test_aws_utils.py
│ │ │ ├── test_consts.py
│ │ │ ├── test_helper_tools.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ ├── test_models.py
│ │ │ ├── test_run_analysis.py
│ │ │ ├── test_s3_utils.py
│ │ │ ├── test_server.py
│ │ │ ├── test_troubleshooting.py
│ │ │ ├── test_workflow_analysis.py
│ │ │ ├── test_workflow_execution.py
│ │ │ ├── test_workflow_linting.py
│ │ │ ├── test_workflow_management.py
│ │ │ └── test_workflow_tools.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── aws-iot-sitewise-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aws_iot_sitewise_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── client.py
│ │ │ ├── models.py
│ │ │ ├── prompts
│ │ │ │ ├── __init__.py
│ │ │ │ ├── asset_hierarchy.py
│ │ │ │ ├── bulk_import_workflow.py
│ │ │ │ ├── data_exploration.py
│ │ │ │ └── data_ingestion.py
│ │ │ ├── server.py
│ │ │ ├── tool_metadata.py
│ │ │ ├── tools
│ │ │ │ ├── __init__.py
│ │ │ │ ├── sitewise_access.py
│ │ │ │ ├── sitewise_asset_models.py
│ │ │ │ ├── sitewise_assets.py
│ │ │ │ ├── sitewise_data.py
│ │ │ │ ├── sitewise_gateways.py
│ │ │ │ └── sitewise_metadata_transfer.py
│ │ │ └── validation.py
│ │ ├── CHANGELOG.md
│ │ ├── DEVELOPMENT.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── examples
│ │ │ └── wind_farm_example.py
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── run_server.py
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── test_client.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ ├── test_models.py
│ │ │ ├── test_server.py
│ │ │ ├── test_sitewise_access.py
│ │ │ ├── test_sitewise_asset_models.py
│ │ │ ├── test_sitewise_assets.py
│ │ │ ├── test_sitewise_data.py
│ │ │ ├── test_sitewise_gateways.py
│ │ │ ├── test_sitewise_metadata_transfer.py
│ │ │ └── test_validation.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── aws-knowledge-mcp-server
│ │ └── README.md
│ ├── aws-location-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aws_location_server
│ │ │ ├── __init__.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── test_server_integration.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── aws-msk-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aws_msk_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── server.py
│ │ │ └── tools
│ │ │ ├── __init__.py
│ │ │ ├── common_functions
│ │ │ │ ├── __init__.py
│ │ │ │ ├── client_manager.py
│ │ │ │ └── common_functions.py
│ │ │ ├── logs_and_telemetry
│ │ │ │ ├── __init__.py
│ │ │ │ ├── cluster_metrics_tools.py
│ │ │ │ ├── list_customer_iam_access.py
│ │ │ │ └── metric_config.py
│ │ │ ├── mutate_cluster
│ │ │ │ ├── __init__.py
│ │ │ │ ├── batch_associate_scram_secret.py
│ │ │ │ ├── batch_disassociate_scram_secret.py
│ │ │ │ ├── create_cluster_v2.py
│ │ │ │ ├── put_cluster_policy.py
│ │ │ │ ├── reboot_broker.py
│ │ │ │ ├── update_broker_count.py
│ │ │ │ ├── update_broker_storage.py
│ │ │ │ ├── update_broker_type.py
│ │ │ │ ├── update_cluster_configuration.py
│ │ │ │ ├── update_monitoring.py
│ │ │ │ └── update_security.py
│ │ │ ├── mutate_config
│ │ │ │ ├── __init__.py
│ │ │ │ ├── create_configuration.py
│ │ │ │ ├── tag_resource.py
│ │ │ │ ├── untag_resource.py
│ │ │ │ └── update_configuration.py
│ │ │ ├── mutate_vpc
│ │ │ │ ├── __init__.py
│ │ │ │ ├── create_vpc_connection.py
│ │ │ │ ├── delete_vpc_connection.py
│ │ │ │ └── reject_client_vpc_connection.py
│ │ │ ├── read_cluster
│ │ │ │ ├── __init__.py
│ │ │ │ ├── describe_cluster_operation.py
│ │ │ │ ├── describe_cluster.py
│ │ │ │ ├── get_bootstrap_brokers.py
│ │ │ │ ├── get_cluster_policy.py
│ │ │ │ ├── get_compatible_kafka_versions.py
│ │ │ │ ├── list_client_vpc_connections.py
│ │ │ │ ├── list_cluster_operations.py
│ │ │ │ ├── list_nodes.py
│ │ │ │ └── list_scram_secrets.py
│ │ │ ├── read_config
│ │ │ │ ├── __init__.py
│ │ │ │ ├── describe_configuration_revision.py
│ │ │ │ ├── describe_configuration.py
│ │ │ │ ├── list_configuration_revisions.py
│ │ │ │ └── list_tags_for_resource.py
│ │ │ ├── read_global
│ │ │ │ ├── __init__.py
│ │ │ │ ├── list_clusters.py
│ │ │ │ ├── list_configurations.py
│ │ │ │ ├── list_kafka_versions.py
│ │ │ │ └── list_vpc_connections.py
│ │ │ ├── read_vpc
│ │ │ │ ├── __init__.py
│ │ │ │ └── describe_vpc_connection.py
│ │ │ └── static_tools
│ │ │ ├── __init__.py
│ │ │ └── cluster_best_practices.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── test_client_manager.py
│ │ │ ├── test_cluster_metrics_tools.py
│ │ │ ├── test_common_functions.py
│ │ │ ├── test_create_cluster_v2.py
│ │ │ ├── test_create_configuration.py
│ │ │ ├── test_create_vpc_connection.py
│ │ │ ├── test_delete_vpc_connection.py
│ │ │ ├── test_describe_cluster_operation.py
│ │ │ ├── test_describe_cluster.py
│ │ │ ├── test_describe_configuration_revision.py
│ │ │ ├── test_describe_configuration.py
│ │ │ ├── test_describe_vpc_connection.py
│ │ │ ├── test_get_bootstrap_brokers.py
│ │ │ ├── test_get_cluster_policy.py
│ │ │ ├── test_get_compatible_kafka_versions.py
│ │ │ ├── test_init.py
│ │ │ ├── test_list_client_vpc_connections.py
│ │ │ ├── test_list_cluster_operations.py
│ │ │ ├── test_list_clusters.py
│ │ │ ├── test_list_configuration_revisions.py
│ │ │ ├── test_list_configurations.py
│ │ │ ├── test_list_customer_iam_access.py
│ │ │ ├── test_list_kafka_versions.py
│ │ │ ├── test_list_nodes.py
│ │ │ ├── test_list_scram_secrets.py
│ │ │ ├── test_list_tags_for_resource.py
│ │ │ ├── test_list_vpc_connections.py
│ │ │ ├── test_logs_and_telemetry.py
│ │ │ ├── test_main.py
│ │ │ ├── test_mutate_cluster_init.py
│ │ │ ├── test_mutate_cluster_success_cases.py
│ │ │ ├── test_mutate_cluster.py
│ │ │ ├── test_mutate_config_init.py
│ │ │ ├── test_mutate_vpc_init.py
│ │ │ ├── test_read_cluster_init_updated.py
│ │ │ ├── test_read_cluster_init.py
│ │ │ ├── test_read_config_init.py
│ │ │ ├── test_read_global_init.py
│ │ │ ├── test_read_vpc_init.py
│ │ │ ├── test_reject_client_vpc_connection.py
│ │ │ ├── test_server.py
│ │ │ ├── test_static_tools_init.py
│ │ │ ├── test_tag_resource.py
│ │ │ ├── test_tool_descriptions.py
│ │ │ ├── test_untag_resource.py
│ │ │ └── test_update_configuration.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── aws-pricing-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aws_pricing_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── cdk_analyzer.py
│ │ │ ├── consts.py
│ │ │ ├── helpers.py
│ │ │ ├── models.py
│ │ │ ├── pricing_client.py
│ │ │ ├── pricing_transformer.py
│ │ │ ├── report_generator.py
│ │ │ ├── server.py
│ │ │ ├── static
│ │ │ │ ├── __init__.py
│ │ │ │ ├── COST_REPORT_TEMPLATE.md
│ │ │ │ └── patterns
│ │ │ │ ├── __init__.py
│ │ │ │ └── BEDROCK.md
│ │ │ └── terraform_analyzer.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── test_cdk_analyzer.py
│ │ │ ├── test_helpers.py
│ │ │ ├── test_pricing_client.py
│ │ │ ├── test_pricing_transformer.py
│ │ │ ├── test_report_generator.py
│ │ │ ├── test_server.py
│ │ │ └── test_terraform_analyzer.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── aws-serverless-mcp-server
│ │ ├── .pre-commit.config.yaml
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aws_serverless_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── models.py
│ │ │ ├── resources
│ │ │ │ ├── __init__.py
│ │ │ │ ├── deployment_details.py
│ │ │ │ ├── deployment_list.py
│ │ │ │ ├── template_details.py
│ │ │ │ └── template_list.py
│ │ │ ├── server.py
│ │ │ ├── template
│ │ │ │ ├── __init__.py
│ │ │ │ ├── registry.py
│ │ │ │ ├── renderer.py
│ │ │ │ └── templates
│ │ │ │ ├── backend.j2
│ │ │ │ ├── frontend.j2
│ │ │ │ ├── fullstack.j2
│ │ │ │ └── README.md
│ │ │ ├── tools
│ │ │ │ ├── common
│ │ │ │ │ └── base_tool.py
│ │ │ │ ├── guidance
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── deploy_serverless_app_help.py
│ │ │ │ │ ├── get_iac_guidance.py
│ │ │ │ │ ├── get_lambda_event_schemas.py
│ │ │ │ │ ├── get_lambda_guidance.py
│ │ │ │ │ └── get_serverless_templates.py
│ │ │ │ ├── poller
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── esm_diagnosis.py
│ │ │ │ │ ├── esm_guidance.py
│ │ │ │ │ └── esm_recommend.py
│ │ │ │ ├── sam
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── sam_build.py
│ │ │ │ │ ├── sam_deploy.py
│ │ │ │ │ ├── sam_init.py
│ │ │ │ │ ├── sam_local_invoke.py
│ │ │ │ │ └── sam_logs.py
│ │ │ │ ├── schemas
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── describe_schema.py
│ │ │ │ │ ├── list_registries.py
│ │ │ │ │ └── search_schema.py
│ │ │ │ └── webapps
│ │ │ │ ├── __init__.py
│ │ │ │ ├── configure_domain.py
│ │ │ │ ├── deploy_webapp.py
│ │ │ │ ├── get_metrics.py
│ │ │ │ ├── update_webapp_frontend.py
│ │ │ │ ├── utils
│ │ │ │ │ ├── deploy_service.py
│ │ │ │ │ ├── frontend_uploader.py
│ │ │ │ │ └── startup_script_generator.py
│ │ │ │ └── webapp_deployment_help.py
│ │ │ └── utils
│ │ │ ├── __init__.py
│ │ │ ├── aws_client_helper.py
│ │ │ ├── cloudformation.py
│ │ │ ├── const.py
│ │ │ ├── deployment_manager.py
│ │ │ ├── github.py
│ │ │ └── process.py
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── README.md
│ │ │ ├── test_cloudformation.py
│ │ │ ├── test_configure_domain.py
│ │ │ ├── test_deploy_serverless_app_help.py
│ │ │ ├── test_deploy_service.py
│ │ │ ├── test_deploy_webapp.py
│ │ │ ├── test_deployment_details.py
│ │ │ ├── test_deployment_help.py
│ │ │ ├── test_deployment_list.py
│ │ │ ├── test_deployment_manager.py
│ │ │ ├── test_esm_diagnosis.py
│ │ │ ├── test_esm_guidance.py
│ │ │ ├── test_esm_recommend.py
│ │ │ ├── test_frontend_uploader.py
│ │ │ ├── test_get_iac_guidance.py
│ │ │ ├── test_get_lambda_event_schemas.py
│ │ │ ├── test_get_lambda_guidance.py
│ │ │ ├── test_get_metrics.py
│ │ │ ├── test_get_serverless_templates.py
│ │ │ ├── test_github.py
│ │ │ ├── test_models.py
│ │ │ ├── test_process.py
│ │ │ ├── test_sam_build.py
│ │ │ ├── test_sam_deploy.py
│ │ │ ├── test_sam_init.py
│ │ │ ├── test_sam_local_invoke.py
│ │ │ ├── test_sam_logs.py
│ │ │ ├── test_schemas.py
│ │ │ ├── test_server.py
│ │ │ ├── test_startup_script_generator.py
│ │ │ ├── test_template_details.py
│ │ │ ├── test_template_list.py
│ │ │ ├── test_template_registry.py
│ │ │ ├── test_template_renderer.py
│ │ │ └── test_update_webapp_frontend.py
│ │ └── uv.lock
│ ├── aws-support-mcp-server
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── aws_support_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── client.py
│ │ │ ├── consts.py
│ │ │ ├── debug_helper.py
│ │ │ ├── errors.py
│ │ │ ├── formatters.py
│ │ │ ├── models.py
│ │ │ └── server.py
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftests.py
│ │ │ ├── test_aws_support_mcp_server.py
│ │ │ └── test_models.py
│ │ └── uv.lock
│ ├── bedrock-kb-retrieval-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── bedrock_kb_retrieval_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── knowledgebases
│ │ │ │ ├── __init__.py
│ │ │ │ ├── clients.py
│ │ │ │ ├── discovery.py
│ │ │ │ └── retrieval.py
│ │ │ ├── models.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── run_tests.sh
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── .gitignore
│ │ │ ├── conftest.py
│ │ │ ├── README.md
│ │ │ ├── test_clients.py
│ │ │ ├── test_discovery.py
│ │ │ ├── test_env_config.py
│ │ │ ├── test_models.py
│ │ │ ├── test_retrieval.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── billing-cost-management-mcp-server
│ │ ├── __init__.py
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── billing_cost_management_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── models.py
│ │ │ ├── prompts
│ │ │ │ ├── __init__.py
│ │ │ │ ├── decorator.py
│ │ │ │ ├── graviton_migration.py
│ │ │ │ ├── README.md
│ │ │ │ ├── savings_plans.py
│ │ │ │ └── types.py
│ │ │ ├── server.py
│ │ │ ├── templates
│ │ │ │ └── recommendation_templates
│ │ │ │ ├── ebs_volume.template
│ │ │ │ ├── ec2_asg.template
│ │ │ │ ├── ec2_instance.template
│ │ │ │ ├── ecs_service.template
│ │ │ │ ├── idle.template
│ │ │ │ ├── lambda_function.template
│ │ │ │ ├── rds_database.template
│ │ │ │ ├── reserved_instances.template
│ │ │ │ └── savings_plans.template
│ │ │ ├── tools
│ │ │ │ ├── __init__.py
│ │ │ │ ├── aws_pricing_operations.py
│ │ │ │ ├── aws_pricing_tools.py
│ │ │ │ ├── bcm_pricing_calculator_tools.py
│ │ │ │ ├── budget_tools.py
│ │ │ │ ├── compute_optimizer_tools.py
│ │ │ │ ├── cost_anomaly_tools.py
│ │ │ │ ├── cost_comparison_tools.py
│ │ │ │ ├── cost_explorer_operations.py
│ │ │ │ ├── cost_explorer_tools.py
│ │ │ │ ├── cost_optimization_hub_helpers.py
│ │ │ │ ├── cost_optimization_hub_tools.py
│ │ │ │ ├── free_tier_usage_tools.py
│ │ │ │ ├── recommendation_details_tools.py
│ │ │ │ ├── ri_performance_tools.py
│ │ │ │ ├── sp_performance_tools.py
│ │ │ │ ├── storage_lens_tools.py
│ │ │ │ └── unified_sql_tools.py
│ │ │ └── utilities
│ │ │ ├── __init__.py
│ │ │ ├── aws_service_base.py
│ │ │ ├── constants.py
│ │ │ ├── logging_utils.py
│ │ │ └── sql_utils.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── requirements.txt
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── prompts
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_prompts.py
│ │ │ ├── README.md
│ │ │ ├── test_models.py
│ │ │ ├── test_server.py
│ │ │ ├── tools
│ │ │ │ ├── __init__.py
│ │ │ │ ├── fixtures.py
│ │ │ │ ├── test_aws_bcm_pricing_calculator_tools.py
│ │ │ │ ├── test_aws_pricing_tools.py
│ │ │ │ ├── test_budget_tools.py
│ │ │ │ ├── test_compute_optimizer_tools.py
│ │ │ │ ├── test_cost_anomaly_tools_enhanced.py
│ │ │ │ ├── test_cost_anomaly_tools.py
│ │ │ │ ├── test_cost_comparison_tools.py
│ │ │ │ ├── test_cost_explorer_operations.py
│ │ │ │ ├── test_cost_explorer_tools.py
│ │ │ │ ├── test_cost_optimization_hub_helpers.py
│ │ │ │ ├── test_cost_optimization_hub_tools.py
│ │ │ │ ├── test_free_tier_usage_tools_new.py
│ │ │ │ ├── test_recommendation_details_tools.py
│ │ │ │ ├── test_ri_performance_tools.py
│ │ │ │ ├── test_sp_performance_tools.py
│ │ │ │ ├── test_storage_lens_tools.py
│ │ │ │ └── test_unified_sql_tools.py
│ │ │ └── utilities
│ │ │ ├── test_aws_service_base.py
│ │ │ └── test_sql_utils.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── ccapi-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── ccapi_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── aws_client.py
│ │ │ ├── cloud_control_utils.py
│ │ │ ├── context.py
│ │ │ ├── errors.py
│ │ │ ├── iac_generator.py
│ │ │ ├── impl
│ │ │ │ ├── __init__.py
│ │ │ │ ├── tools
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── explanation.py
│ │ │ │ │ ├── infrastructure_generation.py
│ │ │ │ │ ├── resource_operations.py
│ │ │ │ │ ├── security_scanning.py
│ │ │ │ │ └── session_management.py
│ │ │ │ └── utils
│ │ │ │ ├── __init__.py
│ │ │ │ └── validation.py
│ │ │ ├── infrastructure_generator.py
│ │ │ ├── models
│ │ │ │ ├── __init__.py
│ │ │ │ └── models.py
│ │ │ ├── schema_manager.py
│ │ │ ├── server.py
│ │ │ └── static
│ │ │ └── __init__.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── run_tests.sh
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── test_aws_client.py
│ │ │ ├── test_checkov_install.py
│ │ │ ├── test_cloud_control_utils.py
│ │ │ ├── test_context.py
│ │ │ ├── test_errors.py
│ │ │ ├── test_explanation.py
│ │ │ ├── test_iac_generator.py
│ │ │ ├── test_infrastructure_generation.py
│ │ │ ├── test_infrastructure_generator.py
│ │ │ ├── test_models.py
│ │ │ ├── test_resource_operations.py
│ │ │ ├── test_schema_manager.py
│ │ │ ├── test_security_scanning.py
│ │ │ ├── test_server.py
│ │ │ ├── test_session_management.py
│ │ │ └── test_validation.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── cdk-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── cdk_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── core
│ │ │ │ ├── __init__.py
│ │ │ │ ├── resources.py
│ │ │ │ ├── search_utils.py
│ │ │ │ ├── server.py
│ │ │ │ └── tools.py
│ │ │ ├── data
│ │ │ │ ├── __init__.py
│ │ │ │ ├── cdk_nag_parser.py
│ │ │ │ ├── construct_descriptions.py
│ │ │ │ ├── genai_cdk_loader.py
│ │ │ │ ├── lambda_layer_parser.py
│ │ │ │ ├── lambda_powertools_loader.py
│ │ │ │ ├── schema_generator.py
│ │ │ │ └── solutions_constructs_parser.py
│ │ │ ├── server.py
│ │ │ └── static
│ │ │ ├── __init__.py
│ │ │ ├── CDK_GENERAL_GUIDANCE.md
│ │ │ ├── CDK_NAG_GUIDANCE.md
│ │ │ └── lambda_powertools
│ │ │ ├── bedrock.md
│ │ │ ├── cdk.md
│ │ │ ├── dependencies.md
│ │ │ ├── index.md
│ │ │ ├── insights.md
│ │ │ ├── logging.md
│ │ │ ├── metrics.md
│ │ │ └── tracing.md
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── core
│ │ │ │ ├── test_resources_enhanced.py
│ │ │ │ ├── test_resources.py
│ │ │ │ ├── test_search_utils.py
│ │ │ │ ├── test_server.py
│ │ │ │ └── test_tools.py
│ │ │ └── data
│ │ │ ├── test_cdk_nag_parser.py
│ │ │ ├── test_genai_cdk_loader.py
│ │ │ ├── test_lambda_powertools_loader.py
│ │ │ ├── test_schema_generator.py
│ │ │ └── test_solutions_constructs_parser.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── cfn-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── cfn_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── aws_client.py
│ │ │ ├── cloud_control_utils.py
│ │ │ ├── context.py
│ │ │ ├── errors.py
│ │ │ ├── iac_generator.py
│ │ │ ├── schema_manager.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── run_tests.sh
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── test_aws_client.py
│ │ │ ├── test_cloud_control_utils.py
│ │ │ ├── test_errors.py
│ │ │ ├── test_iac_generator.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ ├── test_schema_manager.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── cloudtrail-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── cloudtrail_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── common.py
│ │ │ ├── models.py
│ │ │ ├── server.py
│ │ │ └── tools.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ ├── test_models.py
│ │ │ ├── test_server.py
│ │ │ └── test_tools.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── cloudwatch-appsignals-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── cloudwatch_appsignals_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── audit_presentation_utils.py
│ │ │ ├── audit_utils.py
│ │ │ ├── aws_clients.py
│ │ │ ├── canary_utils.py
│ │ │ ├── server.py
│ │ │ ├── service_audit_utils.py
│ │ │ ├── service_tools.py
│ │ │ ├── sli_report_client.py
│ │ │ ├── slo_tools.py
│ │ │ ├── trace_tools.py
│ │ │ └── utils.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── conftest.py
│ │ │ ├── test_audit_presentation_utils.py
│ │ │ ├── test_audit_utils.py
│ │ │ ├── test_aws_profile.py
│ │ │ ├── test_canary_utils.py
│ │ │ ├── test_initialization.py
│ │ │ ├── test_server_audit_functions.py
│ │ │ ├── test_server_audit_tools.py
│ │ │ ├── test_server.py
│ │ │ ├── test_service_audit_utils.py
│ │ │ ├── test_service_tools_operations.py
│ │ │ ├── test_sli_report_client.py
│ │ │ ├── test_slo_tools.py
│ │ │ └── test_utils.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── cloudwatch-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── cloudwatch_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── cloudwatch_alarms
│ │ │ │ ├── models.py
│ │ │ │ └── tools.py
│ │ │ ├── cloudwatch_logs
│ │ │ │ ├── models.py
│ │ │ │ └── tools.py
│ │ │ ├── cloudwatch_metrics
│ │ │ │ ├── data
│ │ │ │ │ └── metric_metadata.json
│ │ │ │ ├── models.py
│ │ │ │ └── tools.py
│ │ │ ├── common.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── cloudwatch_alarms
│ │ │ │ ├── test_active_alarms.py
│ │ │ │ ├── test_alarm_history_integration.py
│ │ │ │ ├── test_alarm_history.py
│ │ │ │ └── test_alarms_error_handling.py
│ │ │ ├── cloudwatch_logs
│ │ │ │ ├── test_logs_error_handling.py
│ │ │ │ ├── test_logs_models.py
│ │ │ │ └── test_logs_server.py
│ │ │ ├── cloudwatch_metrics
│ │ │ │ ├── test_metrics_error_handling.py
│ │ │ │ ├── test_metrics_models.py
│ │ │ │ ├── test_metrics_server.py
│ │ │ │ └── test_validation_error.py
│ │ │ ├── test_common_and_server.py
│ │ │ ├── test_init.py
│ │ │ └── test_main.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── code-doc-gen-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── code_doc_gen_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── server.py
│ │ │ └── utils
│ │ │ ├── doc_generator.py
│ │ │ ├── models.py
│ │ │ ├── repomix_manager.py
│ │ │ └── templates.py
│ │ ├── CHANGELOG.md
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── test_doc_generator_edge_cases.py
│ │ │ ├── test_doc_generator.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ ├── test_repomix_manager_scenarios.py
│ │ │ ├── test_repomix_manager.py
│ │ │ ├── test_repomix_statistics.py
│ │ │ ├── test_server_extended.py
│ │ │ ├── test_server.py
│ │ │ └── test_templates.py
│ │ └── uv.lock
│ ├── core-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── core_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── server.py
│ │ │ └── static
│ │ │ ├── __init__.py
│ │ │ └── PROMPT_UNDERSTANDING.md
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── README.md
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ ├── test_response_types.py
│ │ │ ├── test_server.py
│ │ │ └── test_static.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── cost-explorer-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── cost_explorer_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── comparison_handler.py
│ │ │ ├── constants.py
│ │ │ ├── cost_usage_handler.py
│ │ │ ├── forecasting_handler.py
│ │ │ ├── helpers.py
│ │ │ ├── metadata_handler.py
│ │ │ ├── models.py
│ │ │ ├── server.py
│ │ │ └── utility_handler.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── test_comparison_handler.py
│ │ │ ├── test_cost_usage_handler.py
│ │ │ ├── test_forecasting_handler.py
│ │ │ ├── test_helpers.py
│ │ │ ├── test_metadata_handler.py
│ │ │ ├── test_models.py
│ │ │ ├── test_server.py
│ │ │ └── test_utility_handler.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── documentdb-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ └── documentdb_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── analytic_tools.py
│ │ │ ├── config.py
│ │ │ ├── connection_tools.py
│ │ │ ├── db_management_tools.py
│ │ │ ├── query_tools.py
│ │ │ ├── server.py
│ │ │ └── write_tools.py
│ │ ├── CHANGELOG.md
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── conftest.py
│ │ │ ├── test_analytic_tools.py
│ │ │ ├── test_connection_tools.py
│ │ │ ├── test_db_management_tools.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ ├── test_query_tools.py
│ │ │ └── test_write_tools.py
│ │ └── uv.lock
│ ├── dynamodb-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── dynamodb_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── common.py
│ │ │ ├── database_analysis_queries.py
│ │ │ ├── database_analyzers.py
│ │ │ ├── prompts
│ │ │ │ └── dynamodb_architect.md
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── evals
│ │ │ │ ├── dynamic_evaluators.py
│ │ │ │ ├── evaluation_registry.py
│ │ │ │ ├── logging_config.py
│ │ │ │ ├── multiturn_evaluator.py
│ │ │ │ ├── README.md
│ │ │ │ ├── scenarios.py
│ │ │ │ └── test_dspy_evals.py
│ │ │ ├── test_dynamodb_server.py
│ │ │ └── test_source_db_integration.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── ecs-mcp-server
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── ecs_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── api
│ │ │ │ ├── __init__.py
│ │ │ │ ├── containerize.py
│ │ │ │ ├── delete.py
│ │ │ │ ├── ecs_troubleshooting.py
│ │ │ │ ├── infrastructure.py
│ │ │ │ ├── resource_management.py
│ │ │ │ ├── status.py
│ │ │ │ └── troubleshooting_tools
│ │ │ │ ├── __init__.py
│ │ │ │ ├── detect_image_pull_failures.py
│ │ │ │ ├── fetch_cloudformation_status.py
│ │ │ │ ├── fetch_network_configuration.py
│ │ │ │ ├── fetch_service_events.py
│ │ │ │ ├── fetch_task_failures.py
│ │ │ │ ├── fetch_task_logs.py
│ │ │ │ ├── get_ecs_troubleshooting_guidance.py
│ │ │ │ └── utils.py
│ │ │ ├── main.py
│ │ │ ├── modules
│ │ │ │ ├── __init__.py
│ │ │ │ ├── aws_knowledge_proxy.py
│ │ │ │ ├── containerize.py
│ │ │ │ ├── delete.py
│ │ │ │ ├── deployment_status.py
│ │ │ │ ├── infrastructure.py
│ │ │ │ ├── resource_management.py
│ │ │ │ └── troubleshooting.py
│ │ │ ├── templates
│ │ │ │ ├── ecr_infrastructure.json
│ │ │ │ └── ecs_infrastructure.json
│ │ │ └── utils
│ │ │ ├── arn_parser.py
│ │ │ ├── aws.py
│ │ │ ├── config.py
│ │ │ ├── docker.py
│ │ │ ├── security.py
│ │ │ ├── templates.py
│ │ │ └── time_utils.py
│ │ ├── DEVELOPMENT.md
│ │ ├── pyproject.toml
│ │ ├── pyrightconfig.json
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── integ
│ │ │ │ └── mcp-inspector
│ │ │ │ ├── .gitignore
│ │ │ │ ├── README.md
│ │ │ │ ├── run-tests.sh
│ │ │ │ └── scenarios
│ │ │ │ ├── 01_comprehensive_troubleshooting
│ │ │ │ │ ├── 01_create.sh
│ │ │ │ │ ├── 02_validate.sh
│ │ │ │ │ ├── 03_cleanup.sh
│ │ │ │ │ ├── description.txt
│ │ │ │ │ └── utils
│ │ │ │ │ ├── mcp_helpers.sh
│ │ │ │ │ └── validation_helpers.sh
│ │ │ │ └── 02_test_knowledge_proxy_tools
│ │ │ │ ├── 01_create.sh
│ │ │ │ ├── 02_validate.sh
│ │ │ │ ├── 03_cleanup.sh
│ │ │ │ ├── description.txt
│ │ │ │ └── utils
│ │ │ │ ├── knowledge_validation_helpers.sh
│ │ │ │ └── mcp_knowledge_helpers.sh
│ │ │ ├── llm_testing
│ │ │ │ ├── invalid_cfn_template.yaml
│ │ │ │ ├── README.md
│ │ │ │ ├── run_tests.sh
│ │ │ │ ├── scenarios
│ │ │ │ │ ├── 01_cloudformation_failure
│ │ │ │ │ │ ├── 01_create.sh
│ │ │ │ │ │ ├── 02_validate.sh
│ │ │ │ │ │ ├── 03_prompts.txt
│ │ │ │ │ │ ├── 04_evaluation.md
│ │ │ │ │ │ ├── 05_cleanup.sh
│ │ │ │ │ │ └── description.txt
│ │ │ │ │ ├── 02_service_failure
│ │ │ │ │ │ ├── 01_create.sh
│ │ │ │ │ │ ├── 02_validate.sh
│ │ │ │ │ │ ├── 03_prompts.txt
│ │ │ │ │ │ ├── 04_evaluation.md
│ │ │ │ │ │ ├── 05_cleanup.sh
│ │ │ │ │ │ └── description.txt
│ │ │ │ │ ├── 03_task_exit_failure
│ │ │ │ │ │ ├── 01_create.sh
│ │ │ │ │ │ ├── 02_validate.sh
│ │ │ │ │ │ ├── 03_prompts.txt
│ │ │ │ │ │ ├── 04_evaluation.md
│ │ │ │ │ │ ├── 05_cleanup.sh
│ │ │ │ │ │ └── description.txt
│ │ │ │ │ ├── 04_network_configuration_failure
│ │ │ │ │ │ ├── 01_create.sh
│ │ │ │ │ │ ├── 02_validate.sh
│ │ │ │ │ │ ├── 03_prompts.txt
│ │ │ │ │ │ ├── 05_cleanup.sh
│ │ │ │ │ │ └── description.txt
│ │ │ │ │ ├── 05_resource_constraint_failure
│ │ │ │ │ │ ├── 01_create.sh
│ │ │ │ │ │ ├── 02_validate.sh
│ │ │ │ │ │ ├── 03_prompts.txt
│ │ │ │ │ │ ├── 05_cleanup.sh
│ │ │ │ │ │ └── description.txt
│ │ │ │ │ └── 06_load_balancer_failure
│ │ │ │ │ ├── 01_create.sh
│ │ │ │ │ ├── 02_validate.sh
│ │ │ │ │ ├── 03_prompts.txt
│ │ │ │ │ ├── 05_cleanup.sh
│ │ │ │ │ └── description.txt
│ │ │ │ ├── SCRIPT_IMPROVEMENTS.md
│ │ │ │ └── utils
│ │ │ │ ├── aws_helpers.sh
│ │ │ │ └── evaluation_template.md
│ │ │ └── unit
│ │ │ ├── __init__.py
│ │ │ ├── api
│ │ │ │ ├── conftest.py
│ │ │ │ ├── test_delete_api.py
│ │ │ │ ├── test_ecs_troubleshooting.py
│ │ │ │ ├── test_resource_management_api.py
│ │ │ │ └── troubleshooting_tools
│ │ │ │ └── test_fetch_network_configuration.py
│ │ │ ├── conftest.py
│ │ │ ├── modules
│ │ │ │ ├── test_aws_knowledge_proxy.py
│ │ │ │ └── test_resource_management_module.py
│ │ │ ├── test_aws_role_utils.py
│ │ │ ├── test_aws_utils.py
│ │ │ ├── test_containerize.py
│ │ │ ├── test_delete.py
│ │ │ ├── test_docker_utils.py
│ │ │ ├── test_docker_with_role.py
│ │ │ ├── test_image_pull_failure_extended.py
│ │ │ ├── test_image_pull_failure.py
│ │ │ ├── test_infrastructure_role.py
│ │ │ ├── test_infrastructure.py
│ │ │ ├── test_integration.py
│ │ │ ├── test_main.py
│ │ │ ├── test_resource_management_api_operation.py
│ │ │ ├── test_resource_management_tool.py
│ │ │ ├── test_resource_management.py
│ │ │ ├── test_security_integration.py
│ │ │ ├── test_status_pytest.py
│ │ │ ├── test_status.py
│ │ │ ├── troubleshooting_tools
│ │ │ │ ├── __init__.py
│ │ │ │ ├── conftest.py
│ │ │ │ ├── test_detect_image_pull_failures.py
│ │ │ │ ├── test_fetch_cloudformation_status.py
│ │ │ │ ├── test_fetch_service_events.py
│ │ │ │ ├── test_fetch_task_failures.py
│ │ │ │ ├── test_fetch_task_logs.py
│ │ │ │ ├── test_get_ecs_troubleshooting_guidance.py
│ │ │ │ ├── test_is_ecr_image_security.py
│ │ │ │ └── test_utils.py
│ │ │ └── utils
│ │ │ ├── __init__.py
│ │ │ ├── async_test_utils.py
│ │ │ ├── test_arn_parser.py
│ │ │ ├── test_config.py
│ │ │ ├── test_docker.py
│ │ │ ├── test_response_sanitization.py
│ │ │ ├── test_security_extended.py
│ │ │ ├── test_security.py
│ │ │ ├── test_templates.py
│ │ │ └── test_time_utils.py
│ │ └── uv.lock
│ ├── eks-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── eks_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── aws_helper.py
│ │ │ ├── cloudwatch_handler.py
│ │ │ ├── cloudwatch_metrics_guidance_handler.py
│ │ │ ├── consts.py
│ │ │ ├── data
│ │ │ │ └── eks_cloudwatch_metrics_guidance.json
│ │ │ ├── eks_kb_handler.py
│ │ │ ├── eks_stack_handler.py
│ │ │ ├── iam_handler.py
│ │ │ ├── insights_handler.py
│ │ │ ├── k8s_apis.py
│ │ │ ├── k8s_client_cache.py
│ │ │ ├── k8s_handler.py
│ │ │ ├── logging_helper.py
│ │ │ ├── models.py
│ │ │ ├── scripts
│ │ │ │ └── update_eks_cloudwatch_metrics_guidance.py
│ │ │ ├── server.py
│ │ │ ├── templates
│ │ │ │ ├── eks-templates
│ │ │ │ │ └── eks-with-vpc.yaml
│ │ │ │ └── k8s-templates
│ │ │ │ ├── deployment.yaml
│ │ │ │ └── service.yaml
│ │ │ └── vpc_config_handler.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── test_aws_helper.py
│ │ │ ├── test_cloudwatch_handler.py
│ │ │ ├── test_cloudwatch_metrics_guidance_handler.py
│ │ │ ├── test_eks_kb_handler.py
│ │ │ ├── test_eks_stack_handler.py
│ │ │ ├── test_iam_handler.py
│ │ │ ├── test_init.py
│ │ │ ├── test_insights_handler.py
│ │ │ ├── test_k8s_apis.py
│ │ │ ├── test_k8s_client_cache.py
│ │ │ ├── test_k8s_handler.py
│ │ │ ├── test_logging_helper.py
│ │ │ ├── test_main.py
│ │ │ ├── test_models.py
│ │ │ ├── test_server.py
│ │ │ └── test_vpc_config_handler.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── elasticache-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── elasticache_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── common
│ │ │ │ ├── __init__.py
│ │ │ │ ├── connection.py
│ │ │ │ ├── decorators.py
│ │ │ │ └── server.py
│ │ │ ├── context.py
│ │ │ ├── main.py
│ │ │ └── tools
│ │ │ ├── __init__.py
│ │ │ ├── cc
│ │ │ │ ├── __init__.py
│ │ │ │ ├── connect.py
│ │ │ │ ├── create.py
│ │ │ │ ├── delete.py
│ │ │ │ ├── describe.py
│ │ │ │ ├── modify.py
│ │ │ │ ├── parsers.py
│ │ │ │ └── processors.py
│ │ │ ├── ce
│ │ │ │ ├── __init__.py
│ │ │ │ └── get_cost_and_usage.py
│ │ │ ├── cw
│ │ │ │ ├── __init__.py
│ │ │ │ └── get_metric_statistics.py
│ │ │ ├── cwlogs
│ │ │ │ ├── __init__.py
│ │ │ │ ├── create_log_group.py
│ │ │ │ ├── describe_log_groups.py
│ │ │ │ ├── describe_log_streams.py
│ │ │ │ ├── filter_log_events.py
│ │ │ │ └── get_log_events.py
│ │ │ ├── firehose
│ │ │ │ ├── __init__.py
│ │ │ │ └── list_delivery_streams.py
│ │ │ ├── misc
│ │ │ │ ├── __init__.py
│ │ │ │ ├── batch_apply_update_action.py
│ │ │ │ ├── batch_stop_update_action.py
│ │ │ │ ├── describe_cache_engine_versions.py
│ │ │ │ ├── describe_engine_default_parameters.py
│ │ │ │ ├── describe_events.py
│ │ │ │ └── describe_service_updates.py
│ │ │ ├── rg
│ │ │ │ ├── __init__.py
│ │ │ │ ├── complete_migration.py
│ │ │ │ ├── connect.py
│ │ │ │ ├── create.py
│ │ │ │ ├── delete.py
│ │ │ │ ├── describe.py
│ │ │ │ ├── modify.py
│ │ │ │ ├── parsers.py
│ │ │ │ ├── processors.py
│ │ │ │ ├── start_migration.py
│ │ │ │ └── test_migration.py
│ │ │ └── serverless
│ │ │ ├── __init__.py
│ │ │ ├── connect.py
│ │ │ ├── create.py
│ │ │ ├── delete.py
│ │ │ ├── describe.py
│ │ │ ├── models.py
│ │ │ └── modify.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── test_connection.py
│ │ │ ├── test_decorators.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ └── tools
│ │ │ ├── cc
│ │ │ │ ├── __init__.py
│ │ │ │ ├── test_connect_additional.py
│ │ │ │ ├── test_connect_coverage_additional.py
│ │ │ │ ├── test_connect_coverage.py
│ │ │ │ ├── test_connect.py
│ │ │ │ ├── test_create_additional.py
│ │ │ │ ├── test_create.py
│ │ │ │ ├── test_delete.py
│ │ │ │ ├── test_describe.py
│ │ │ │ ├── test_modify.py
│ │ │ │ ├── test_parsers.py
│ │ │ │ └── test_processors.py
│ │ │ ├── ce
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_get_cost_and_usage.py
│ │ │ ├── cw
│ │ │ │ └── test_get_metric_statistics.py
│ │ │ ├── cwlogs
│ │ │ │ ├── __init__.py
│ │ │ │ ├── test_create_log_group.py
│ │ │ │ ├── test_describe_log_groups.py
│ │ │ │ ├── test_describe_log_streams.py
│ │ │ │ ├── test_filter_log_events.py
│ │ │ │ └── test_get_log_events.py
│ │ │ ├── firehose
│ │ │ │ └── test_list_delivery_streams.py
│ │ │ ├── misc
│ │ │ │ ├── __init__.py
│ │ │ │ ├── test_batch_apply_update_action.py
│ │ │ │ ├── test_batch_stop_update_action.py
│ │ │ │ ├── test_describe_cache_engine_versions.py
│ │ │ │ ├── test_describe_engine_default_parameters.py
│ │ │ │ ├── test_describe_events.py
│ │ │ │ └── test_describe_service_updates.py
│ │ │ ├── rg
│ │ │ │ ├── __init__.py
│ │ │ │ ├── test_complete_migration.py
│ │ │ │ ├── test_connect_additional.py
│ │ │ │ ├── test_connect_coverage_additional.py
│ │ │ │ ├── test_connect_optional_fields.py
│ │ │ │ ├── test_connect_partial_coverage.py
│ │ │ │ ├── test_connect.py
│ │ │ │ ├── test_create.py
│ │ │ │ ├── test_delete.py
│ │ │ │ ├── test_describe.py
│ │ │ │ ├── test_modify.py
│ │ │ │ ├── test_parsers.py
│ │ │ │ ├── test_processors.py
│ │ │ │ ├── test_start_migration.py
│ │ │ │ └── test_test_migration.py
│ │ │ └── serverless
│ │ │ ├── test_connect_additional.py
│ │ │ ├── test_connect_coverage_additional.py
│ │ │ ├── test_connect_optional_fields.py
│ │ │ ├── test_connect.py
│ │ │ ├── test_create.py
│ │ │ ├── test_delete.py
│ │ │ ├── test_describe.py
│ │ │ └── test_modify.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── finch-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── finch_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── consts.py
│ │ │ ├── models.py
│ │ │ ├── server.py
│ │ │ └── utils
│ │ │ ├── __init__.py
│ │ │ ├── build.py
│ │ │ ├── common.py
│ │ │ ├── ecr.py
│ │ │ ├── push.py
│ │ │ └── vm.py
│ │ ├── CHANGELOG.md
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── test_cli_flags.py
│ │ │ ├── test_logging_configuration.py
│ │ │ ├── test_server.py
│ │ │ ├── test_utils_build.py
│ │ │ ├── test_utils_common.py
│ │ │ ├── test_utils_ecr.py
│ │ │ ├── test_utils_push.py
│ │ │ └── test_utils_vm.py
│ │ └── uv.lock
│ ├── frontend-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── frontend_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── server.py
│ │ │ ├── static
│ │ │ │ └── react
│ │ │ │ ├── essential-knowledge.md
│ │ │ │ └── troubleshooting.md
│ │ │ └── utils
│ │ │ ├── __init__.py
│ │ │ └── file_utils.py
│ │ ├── CHANGELOG.md
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── test_file_utils.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ └── test_server.py
│ │ └── uv.lock
│ ├── git-repo-research-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── git_repo_research_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── defaults.py
│ │ │ ├── embeddings.py
│ │ │ ├── github_search.py
│ │ │ ├── indexer.py
│ │ │ ├── models.py
│ │ │ ├── repository.py
│ │ │ ├── search.py
│ │ │ ├── server.py
│ │ │ └── utils.py
│ │ ├── CHANGELOG.md
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── run_tests.sh
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── test_errors_repository.py
│ │ │ ├── test_github_search_edge_cases.py
│ │ │ ├── test_graphql_github_search.py
│ │ │ ├── test_local_repository.py
│ │ │ ├── test_repository_utils.py
│ │ │ ├── test_rest_github_search.py
│ │ │ ├── test_search.py
│ │ │ ├── test_server.py
│ │ │ └── test_url_repository.py
│ │ └── uv.lock
│ ├── healthlake-mcp-server
│ │ ├── .dockerignore
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── healthlake_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── fhir_operations.py
│ │ │ ├── main.py
│ │ │ ├── models.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── CONTRIBUTING.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── examples
│ │ │ ├── mcp_config.json
│ │ │ └── README.md
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── conftest.py
│ │ │ ├── test_fhir_client_comprehensive.py
│ │ │ ├── test_fhir_error_scenarios.py
│ │ │ ├── test_fhir_operations.py
│ │ │ ├── test_integration_mock_based.py
│ │ │ ├── test_main_edge_cases.py
│ │ │ ├── test_main.py
│ │ │ ├── test_mcp_integration_coverage.py
│ │ │ ├── test_models_edge_cases.py
│ │ │ ├── test_models.py
│ │ │ ├── test_readonly_mode.py
│ │ │ ├── test_server_core.py
│ │ │ ├── test_server_error_handling.py
│ │ │ ├── test_server_mcp_handlers.py
│ │ │ ├── test_server_toolhandler.py
│ │ │ └── test_server_validation.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── iam-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── iam_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── aws_client.py
│ │ │ ├── context.py
│ │ │ ├── errors.py
│ │ │ ├── models.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── DESIGN_COMPLIANCE.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── examples
│ │ │ ├── get_policy_document_example.py
│ │ │ └── inline_policy_demo.py
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── run_tests.sh
│ │ ├── tests
│ │ │ ├── test_context.py
│ │ │ ├── test_errors.py
│ │ │ ├── test_inline_policies.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── lambda-tool-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── lambda_tool_mcp_server
│ │ │ ├── __init__.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── examples
│ │ │ ├── README.md
│ │ │ └── sample_functions
│ │ │ ├── customer-create
│ │ │ │ └── app.py
│ │ │ ├── customer-id-from-email
│ │ │ │ └── app.py
│ │ │ ├── customer-info-from-id
│ │ │ │ └── app.py
│ │ │ └── template.yml
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── .gitignore
│ │ │ ├── conftest.py
│ │ │ ├── README.md
│ │ │ ├── test_format_lambda_response.py
│ │ │ ├── test_integration_coverage.py
│ │ │ ├── test_integration.py
│ │ │ ├── test_register_lambda_functions.py
│ │ │ ├── test_schema_integration.py
│ │ │ ├── test_server_coverage_additional.py
│ │ │ ├── test_server_coverage.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── mcp-lambda-handler
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ └── mcp_lambda_handler
│ │ │ ├── __init__.py
│ │ │ ├── mcp_lambda_handler.py
│ │ │ ├── session.py
│ │ │ └── types.py
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ └── test_lambda_handler.py
│ │ └── uv.lock
│ ├── memcached-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── memcached_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── common
│ │ │ │ ├── config.py
│ │ │ │ ├── connection.py
│ │ │ │ └── server.py
│ │ │ ├── context.py
│ │ │ ├── main.py
│ │ │ └── tools
│ │ │ └── cache.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── ELASTICACHECONNECT.md
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── test_cache_readonly.py
│ │ │ ├── test_cache.py
│ │ │ ├── test_connection.py
│ │ │ ├── test_init.py
│ │ │ └── test_main.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── mysql-mcp-server
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── mysql_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── mutable_sql_detector.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── conftest.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── nova-canvas-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── nova_canvas_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── consts.py
│ │ │ ├── models.py
│ │ │ ├── novacanvas.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── .gitignore
│ │ │ ├── conftest.py
│ │ │ ├── README.md
│ │ │ ├── test_models.py
│ │ │ ├── test_novacanvas.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── openapi-mcp-server
│ │ ├── .coveragerc
│ │ ├── .dockerignore
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── AUTHENTICATION.md
│ │ ├── AWS_BEST_PRACTICES.md
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── openapi_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── api
│ │ │ │ ├── __init__.py
│ │ │ │ └── config.py
│ │ │ ├── auth
│ │ │ │ ├── __init__.py
│ │ │ │ ├── api_key_auth.py
│ │ │ │ ├── auth_cache.py
│ │ │ │ ├── auth_errors.py
│ │ │ │ ├── auth_factory.py
│ │ │ │ ├── auth_protocol.py
│ │ │ │ ├── auth_provider.py
│ │ │ │ ├── base_auth.py
│ │ │ │ ├── basic_auth.py
│ │ │ │ ├── bearer_auth.py
│ │ │ │ ├── cognito_auth.py
│ │ │ │ └── register.py
│ │ │ ├── patch
│ │ │ │ └── __init__.py
│ │ │ ├── prompts
│ │ │ │ ├── __init__.py
│ │ │ │ ├── generators
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── operation_prompts.py
│ │ │ │ │ └── workflow_prompts.py
│ │ │ │ ├── models.py
│ │ │ │ └── prompt_manager.py
│ │ │ ├── server.py
│ │ │ └── utils
│ │ │ ├── __init__.py
│ │ │ ├── cache_provider.py
│ │ │ ├── config.py
│ │ │ ├── error_handler.py
│ │ │ ├── http_client.py
│ │ │ ├── metrics_provider.py
│ │ │ ├── openapi_validator.py
│ │ │ └── openapi.py
│ │ ├── CHANGELOG.md
│ │ ├── DEPLOYMENT.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── OBSERVABILITY.md
│ │ ├── pyproject.toml
│ │ ├── pyrightconfig.json
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── api
│ │ │ │ └── test_config.py
│ │ │ ├── auth
│ │ │ │ ├── test_api_key_auth.py
│ │ │ │ ├── test_auth_cache.py
│ │ │ │ ├── test_auth_errors.py
│ │ │ │ ├── test_auth_factory_caching.py
│ │ │ │ ├── test_auth_factory_coverage.py
│ │ │ │ ├── test_auth_factory.py
│ │ │ │ ├── test_auth_protocol_additional.py
│ │ │ │ ├── test_auth_protocol_boost.py
│ │ │ │ ├── test_auth_protocol_coverage.py
│ │ │ │ ├── test_auth_protocol_extended.py
│ │ │ │ ├── test_auth_protocol_improved.py
│ │ │ │ ├── test_auth_protocol.py
│ │ │ │ ├── test_auth_provider_additional.py
│ │ │ │ ├── test_base_auth_coverage.py
│ │ │ │ ├── test_base_auth.py
│ │ │ │ ├── test_basic_auth.py
│ │ │ │ ├── test_bearer_auth.py
│ │ │ │ ├── test_cognito_auth_additional_coverage.py
│ │ │ │ ├── test_cognito_auth_boost_coverage.py
│ │ │ │ ├── test_cognito_auth_client_credentials.py
│ │ │ │ ├── test_cognito_auth_coverage_boost.py
│ │ │ │ ├── test_cognito_auth_exceptions.py
│ │ │ │ ├── test_cognito_auth.py
│ │ │ │ ├── test_register_coverage.py
│ │ │ │ └── test_register.py
│ │ │ ├── prompts
│ │ │ │ ├── standalone
│ │ │ │ │ ├── test_operation_prompt.py
│ │ │ │ │ ├── test_prompt_arguments.py
│ │ │ │ │ └── test_secure_operation_prompt.py
│ │ │ │ ├── test_mcp_prompt_manager_integration.py
│ │ │ │ ├── test_mcp_prompt_manager.py
│ │ │ │ ├── test_models_dict_method.py
│ │ │ │ ├── test_operation_prompts_extended.py
│ │ │ │ ├── test_prompt_manager_additional.py
│ │ │ │ ├── test_prompt_manager_comprehensive.py
│ │ │ │ ├── test_prompt_manager_coverage.py
│ │ │ │ └── test_prompt_registration.py
│ │ │ ├── README.md
│ │ │ ├── test_api_name.py
│ │ │ ├── test_cache_coverage_89.py
│ │ │ ├── test_client.py
│ │ │ ├── test_coverage_boost.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main_extended.py
│ │ │ ├── test_main.py
│ │ │ ├── test_openapi_coverage_89.py
│ │ │ ├── test_server_auth_errors.py
│ │ │ ├── test_server_coverage_boost_2.py
│ │ │ ├── test_server_coverage_boost.py
│ │ │ ├── test_server_exception_handling.py
│ │ │ ├── test_server_extended.py
│ │ │ ├── test_server_httpx_version.py
│ │ │ ├── test_server_part1.py
│ │ │ ├── test_server_route_logging.py
│ │ │ ├── test_server_signal_handlers.py
│ │ │ ├── test_server.py
│ │ │ └── utils
│ │ │ ├── test_cache_provider.py
│ │ │ ├── test_error_handler_boost.py
│ │ │ ├── test_error_handler_extended.py
│ │ │ ├── test_error_handler_fix.py
│ │ │ ├── test_error_handler.py
│ │ │ ├── test_http_client_comprehensive.py
│ │ │ ├── test_http_client_extended.py
│ │ │ ├── test_http_client_extended2.py
│ │ │ ├── test_http_client_import_error.py
│ │ │ ├── test_http_client.py
│ │ │ ├── test_metrics_provider_decorators.py
│ │ │ ├── test_metrics_provider_extended2.py
│ │ │ ├── test_metrics_provider_prometheus.py
│ │ │ ├── test_metrics_provider.py
│ │ │ ├── test_openapi_validator.py
│ │ │ └── test_openapi.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── postgres-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── postgres_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── connection
│ │ │ │ ├── __init__.py
│ │ │ │ ├── abstract_db_connection.py
│ │ │ │ ├── db_connection_singleton.py
│ │ │ │ ├── psycopg_pool_connection.py
│ │ │ │ └── rds_api_connection.py
│ │ │ ├── mutable_sql_detector.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── conftest.py
│ │ │ ├── test_psycopg_connector.py
│ │ │ ├── test_server.py
│ │ │ └── test_singleton.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── prometheus-mcp-server
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── prometheus_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── consts.py
│ │ │ ├── models.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── conftest.py
│ │ │ ├── test_aws_credentials.py
│ │ │ ├── test_config_manager.py
│ │ │ ├── test_consts.py
│ │ │ ├── test_coverage_gaps.py
│ │ │ ├── test_coverage_improvement.py
│ │ │ ├── test_final_coverage.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ ├── test_models.py
│ │ │ ├── test_prometheus_client.py
│ │ │ ├── test_prometheus_connection.py
│ │ │ ├── test_security_validator.py
│ │ │ ├── test_server_coverage.py
│ │ │ ├── test_tools.py
│ │ │ └── test_workspace_config.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── redshift-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── redshift_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── consts.py
│ │ │ ├── models.py
│ │ │ ├── redshift.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ ├── test_redshift.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── s3-tables-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── s3_tables_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── constants.py
│ │ │ ├── database.py
│ │ │ ├── engines
│ │ │ │ ├── __init__.py
│ │ │ │ └── pyiceberg.py
│ │ │ ├── file_processor
│ │ │ │ ├── __init__.py
│ │ │ │ ├── csv.py
│ │ │ │ ├── parquet.py
│ │ │ │ └── utils.py
│ │ │ ├── models.py
│ │ │ ├── namespaces.py
│ │ │ ├── resources.py
│ │ │ ├── s3_operations.py
│ │ │ ├── server.py
│ │ │ ├── table_buckets.py
│ │ │ ├── tables.py
│ │ │ └── utils.py
│ │ ├── CHANGELOG.md
│ │ ├── CONTEXT.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── test_csv.py
│ │ │ ├── test_database.py
│ │ │ ├── test_file_processor_utils.py
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ ├── test_namespaces.py
│ │ │ ├── test_parquet.py
│ │ │ ├── test_pyiceberg.py
│ │ │ ├── test_resources.py
│ │ │ ├── test_s3_operations.py
│ │ │ ├── test_server.py
│ │ │ ├── test_table_buckets.py
│ │ │ ├── test_tables.py
│ │ │ └── test_utils.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── stepfunctions-tool-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── stepfunctions_tool_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── aws_helper.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── .gitignore
│ │ │ ├── README.md
│ │ │ ├── test_aws_helper.py
│ │ │ ├── test_create_state_machine_tool.py
│ │ │ ├── test_filter_state_machines_by_tag.py
│ │ │ ├── test_format_state_machine_response.py
│ │ │ ├── test_get_schema_arn_from_state_machine_arn.py
│ │ │ ├── test_get_schema_from_registry.py
│ │ │ ├── test_invoke_express_state_machine_impl.py
│ │ │ ├── test_invoke_standard_state_machine_impl.py
│ │ │ ├── test_main.py
│ │ │ ├── test_register_state_machines.py
│ │ │ ├── test_sanitize_tool_name.py
│ │ │ ├── test_server.py
│ │ │ └── test_validate_state_machine_name.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── syntheticdata-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── syntheticdata_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── pandas_interpreter.py
│ │ │ ├── server.py
│ │ │ └── storage
│ │ │ ├── __init__.py
│ │ │ ├── base.py
│ │ │ ├── loader.py
│ │ │ └── s3.py
│ │ ├── CHANGELOG.md
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── conftest.py
│ │ │ ├── test_constants.py
│ │ │ ├── test_pandas_interpreter.py
│ │ │ ├── test_server.py
│ │ │ └── test_storage
│ │ │ ├── __init__.py
│ │ │ ├── test_loader.py
│ │ │ └── test_s3.py
│ │ └── uv.lock
│ ├── terraform-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── terraform_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── impl
│ │ │ │ ├── resources
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── terraform_aws_provider_resources_listing.py
│ │ │ │ │ └── terraform_awscc_provider_resources_listing.py
│ │ │ │ └── tools
│ │ │ │ ├── __init__.py
│ │ │ │ ├── execute_terraform_command.py
│ │ │ │ ├── execute_terragrunt_command.py
│ │ │ │ ├── run_checkov_scan.py
│ │ │ │ ├── search_aws_provider_docs.py
│ │ │ │ ├── search_awscc_provider_docs.py
│ │ │ │ ├── search_specific_aws_ia_modules.py
│ │ │ │ ├── search_user_provided_module.py
│ │ │ │ └── utils.py
│ │ │ ├── models
│ │ │ │ ├── __init__.py
│ │ │ │ └── models.py
│ │ │ ├── scripts
│ │ │ │ ├── generate_aws_provider_resources.py
│ │ │ │ ├── generate_awscc_provider_resources.py
│ │ │ │ └── scrape_aws_terraform_best_practices.py
│ │ │ ├── server.py
│ │ │ └── static
│ │ │ ├── __init__.py
│ │ │ ├── AWS_PROVIDER_RESOURCES.md
│ │ │ ├── AWS_TERRAFORM_BEST_PRACTICES.md
│ │ │ ├── AWSCC_PROVIDER_RESOURCES.md
│ │ │ ├── MCP_INSTRUCTIONS.md
│ │ │ └── TERRAFORM_WORKFLOW_GUIDE.md
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── __init__.py
│ │ │ ├── .gitignore
│ │ │ ├── conftest.py
│ │ │ ├── README.md
│ │ │ ├── test_command_impl.py
│ │ │ ├── test_execute_terraform_command.py
│ │ │ ├── test_execute_terragrunt_command.py
│ │ │ ├── test_models.py
│ │ │ ├── test_parameter_annotations.py
│ │ │ ├── test_resources.py
│ │ │ ├── test_run_checkov_scan.py
│ │ │ ├── test_search_user_provided_module.py
│ │ │ ├── test_server.py
│ │ │ ├── test_tool_implementations.py
│ │ │ ├── test_utils_additional.py
│ │ │ └── test_utils.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── timestream-for-influxdb-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── timestream_for_influxdb_mcp_server
│ │ │ ├── __init__.py
│ │ │ └── server.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── test_init.py
│ │ │ ├── test_main.py
│ │ │ └── test_server.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ ├── valkey-mcp-server
│ │ ├── .gitignore
│ │ ├── .python-version
│ │ ├── awslabs
│ │ │ ├── __init__.py
│ │ │ └── valkey_mcp_server
│ │ │ ├── __init__.py
│ │ │ ├── common
│ │ │ │ ├── __init__.py
│ │ │ │ ├── config.py
│ │ │ │ ├── connection.py
│ │ │ │ └── server.py
│ │ │ ├── context.py
│ │ │ ├── main.py
│ │ │ ├── tools
│ │ │ │ ├── __init__.py
│ │ │ │ ├── bitmap.py
│ │ │ │ ├── hash.py
│ │ │ │ ├── hyperloglog.py
│ │ │ │ ├── json.py
│ │ │ │ ├── list.py
│ │ │ │ ├── misc.py
│ │ │ │ ├── server_management.py
│ │ │ │ ├── set.py
│ │ │ │ ├── sorted_set.py
│ │ │ │ ├── stream.py
│ │ │ │ └── string.py
│ │ │ └── version.py
│ │ ├── CHANGELOG.md
│ │ ├── docker-healthcheck.sh
│ │ ├── Dockerfile
│ │ ├── ELASTICACHECONNECT.md
│ │ ├── LICENSE
│ │ ├── NOTICE
│ │ ├── pyproject.toml
│ │ ├── README.md
│ │ ├── tests
│ │ │ ├── test_bitmap.py
│ │ │ ├── test_config.py
│ │ │ ├── test_connection.py
│ │ │ ├── test_hash.py
│ │ │ ├── test_hyperloglog.py
│ │ │ ├── test_init.py
│ │ │ ├── test_json_additional.py
│ │ │ ├── test_json_readonly.py
│ │ │ ├── test_json.py
│ │ │ ├── test_list_additional.py
│ │ │ ├── test_list_readonly.py
│ │ │ ├── test_list.py
│ │ │ ├── test_main.py
│ │ │ ├── test_misc.py
│ │ │ ├── test_server_management.py
│ │ │ ├── test_set_readonly.py
│ │ │ ├── test_set.py
│ │ │ ├── test_sorted_set_additional.py
│ │ │ ├── test_sorted_set_readonly.py
│ │ │ ├── test_sorted_set.py
│ │ │ ├── test_stream_additional.py
│ │ │ ├── test_stream_readonly.py
│ │ │ ├── test_stream.py
│ │ │ └── test_string.py
│ │ ├── uv-requirements.txt
│ │ └── uv.lock
│ └── well-architected-security-mcp-server
│ ├── .python-version
│ ├── awslabs
│ │ └── well_architected_security_mcp_server
│ │ ├── __init__.py
│ │ ├── consts.py
│ │ ├── server.py
│ │ └── util
│ │ ├── __init__.py
│ │ ├── network_security.py
│ │ ├── prompt_utils.py
│ │ ├── resource_utils.py
│ │ ├── security_services.py
│ │ └── storage_security.py
│ ├── PROMPT_TEMPLATE.md
│ ├── pyproject.toml
│ ├── README.md
│ ├── tests
│ │ ├── __init__.py
│ │ ├── conftest.py
│ │ ├── README.md
│ │ ├── test_access_analyzer_fix.py
│ │ ├── test_network_security_additional.py
│ │ ├── test_network_security.py
│ │ ├── test_prompt_utils_coverage.py
│ │ ├── test_prompt_utils.py
│ │ ├── test_resource_utils_fix.py
│ │ ├── test_resource_utils.py
│ │ ├── test_security_services_additional.py
│ │ ├── test_security_services_coverage.py
│ │ ├── test_security_services.py
│ │ ├── test_server_additional.py
│ │ ├── test_server_coverage.py
│ │ ├── test_server_prompts.py
│ │ ├── test_server_security_findings.py
│ │ ├── test_server.py
│ │ ├── test_storage_security_additional.py
│ │ ├── test_storage_security_comprehensive.py
│ │ ├── test_storage_security_edge_cases.py
│ │ ├── test_storage_security_recommendations.py
│ │ ├── test_storage_security.py
│ │ └── test_user_agent_config.py
│ └── uv.lock
└── VIBE_CODING_TIPS_TRICKS.md
```
# Files
--------------------------------------------------------------------------------
/src/terraform-mcp-server/awslabs/terraform_mcp_server/static/AWS_TERRAFORM_BEST_PRACTICES.md:
--------------------------------------------------------------------------------
```markdown
1 | # AWS Terraform Provider Best Practices
2 |
3 | _This document was automatically extracted from the AWS Prescriptive Guidance PDF._
4 |
5 | _Source: [https://docs.aws.amazon.com/pdfs/prescriptive-guidance/latest/terraform-aws-provider-best-practices/terraform-aws-provider-best-practices.pdf](https://docs.aws.amazon.com/pdfs/prescriptive-guidance/latest/terraform-aws-provider-best-practices/terraform-aws-provider-best-practices.pdf)_
6 |
7 | ## Best practices for using the Terraform AWS Provider
8 |
9 | ## AWS Prescriptive Guidance
10 |
11 | Copyright © 2025 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
12 |
13 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
14 |
15 | AWS Prescriptive Guidance: Best practices for using the Terraform
16 |
17 | ## AWS Provider
18 |
19 | Copyright © 2025 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
20 |
21 | Amazon's trademarks and trade dress may not be used in connection with any product or service
22 |
23 | that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any
24 |
25 | manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are
26 |
27 | the property of their respective owners, who may or may not be affiliated with, connected to, or
28 |
29 | sponsored by Amazon.
30 |
31 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
32 |
33 | ## Table of Contents
34 |
35 | Introduction.....................................................................................................................................1
36 |
37 | Objectives.......................................................................................................................................................1
38 |
39 | Target audience.............................................................................................................................................2
40 |
41 | Overview..........................................................................................................................................3
42 |
43 | Security best practices....................................................................................................................5
44 |
45 | Follow the principle of least privilege.....................................................................................................5
46 |
47 | Use IAM roles................................................................................................................................................6
48 |
49 | Grant least privilege access by using IAM policies...........................................................................6
50 |
51 | Assume IAM roles for local authentication........................................................................................6
52 |
53 | Use IAM roles for Amazon EC2 authentication.................................................................................8
54 |
55 | Use dynamic credentials for HCP Terraform workspaces...............................................................9
56 |
57 | Use IAM roles in AWS CodeBuild.........................................................................................................9
58 |
59 | Run GitHub Actions remotely on HCP Terraform.............................................................................9
60 |
61 | Use GitHub Actions with OIDC and configure the AWS Credentials action.................................9
62 |
63 | Use GitLab with OIDC and the AWS CLI............................................................................................9
64 |
65 | Use unique IAM users with legacy automation tools.........................................................................10
66 |
67 | Use the Jenkins AWS Credentials plugin.........................................................................................10
68 |
69 | Continuously monitor, validate, and optimize least privilege...........................................................10
70 |
71 | Continuously monitor access key usage..........................................................................................10
72 |
73 | Continually validate IAM policies .........................................................................................................6
74 |
75 | Secure remote state storage...................................................................................................................11
76 |
77 | Enable encryption and access controls............................................................................................12
78 |
79 | Limit direct access to collaborative workflows...............................................................................12
80 |
81 | Use AWS Secrets Manager.......................................................................................................................12
82 |
83 | Continuously scan infrastructure and source code.............................................................................12
84 |
85 | Use AWS services for dynamic scanning..........................................................................................13
86 |
87 | Perform static analysis........................................................................................................................13
88 |
89 | Ensure prompt remediation................................................................................................................13
90 |
91 | Enforce policy checks................................................................................................................................13
92 |
93 | Backend best practices..................................................................................................................15
94 |
95 | Use Amazon S3 for remote storage.......................................................................................................16
96 |
97 | Enable remote state locking..............................................................................................................16
98 |
99 | Enable versioning and automatic backups......................................................................................16
100 |
101 | Restore previous versions if needed.................................................................................................17
102 |
103 | iii
104 |
105 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
106 |
107 | Use HCP Terraform...............................................................................................................................17
108 |
109 | Facilitate team collaboration...................................................................................................................17
110 |
111 | Improve accountability by using AWS CloudTrail..........................................................................17
112 |
113 | Separate the backends for each environment.....................................................................................18
114 |
115 | Reduce the scope of impact...............................................................................................................18
116 |
117 | Restrict production access..................................................................................................................18
118 |
119 | Simplify access controls......................................................................................................................18
120 |
121 | Avoid shared workspaces....................................................................................................................19
122 |
123 | Actively monitor remote state activity..................................................................................................19
124 |
125 | Get alerts on suspicious unlocks.......................................................................................................19
126 |
127 | Monitor access attempts.....................................................................................................................19
128 |
129 | Best practices for code base structure and organization............................................................20
130 |
131 | Implement a standard repository structure.........................................................................................21
132 |
133 | Root module structure.........................................................................................................................24
134 |
135 | Reusable module structure.................................................................................................................24
136 |
137 | Structure for modularity..........................................................................................................................25
138 |
139 | Don't wrap single resources...............................................................................................................26
140 |
141 | Encapsulate logical relationships......................................................................................................26
142 |
143 | Keep inheritance flat............................................................................................................................26
144 |
145 | Reference resources in outputs..........................................................................................................26
146 |
147 | Don't configure providers....................................................................................................................26
148 |
149 | Declare required providers..................................................................................................................27
150 |
151 | Follow naming conventions.....................................................................................................................28
152 |
153 | Follow guidelines for resource naming............................................................................................28
154 |
155 | Follow guidelines for variable naming.............................................................................................28
156 |
157 | Use attachment resources........................................................................................................................29
158 |
159 | Use default tags .........................................................................................................................................30
160 |
161 | Meet Terraform registry requirements..................................................................................................30
162 |
163 | Use recommended module sources.......................................................................................................31
164 |
165 | Registry...................................................................................................................................................31
166 |
167 | VCS providers.........................................................................................................................................32
168 |
169 | Follow coding standards...........................................................................................................................33
170 |
171 | Follow style guidelines........................................................................................................................34
172 |
173 | Configure pre-commit hooks.............................................................................................................34
174 |
175 | Best practices for AWS Provider version management...............................................................35
176 |
177 | Add automated version checks...............................................................................................................35
178 |
179 | iv
180 |
181 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
182 |
183 | Monitor new releases................................................................................................................................35
184 |
185 | Contribute to providers............................................................................................................................36
186 |
187 | Best practices for community modules........................................................................................37
188 |
189 | Discover community modules.................................................................................................................37
190 |
191 | Use variables for customization ........................................................................................................37
192 |
193 | Understand dependencies ........................................................................................................................37
194 |
195 | Use trusted sources...................................................................................................................................38
196 |
197 | Subscribe to notifications ...................................................................................................................38
198 |
199 | Contribute to community modules........................................................................................................38
200 |
201 | FAQ.................................................................................................................................................40
202 |
203 | Next steps......................................................................................................................................41
204 |
205 | Resources........................................................................................................................................42
206 |
207 | References....................................................................................................................................................42
208 |
209 | Tools..............................................................................................................................................................42
210 |
211 | Document history..........................................................................................................................43
212 |
213 | Glossary..........................................................................................................................................44
214 |
215 | #.....................................................................................................................................................................44
216 |
217 | A.....................................................................................................................................................................45
218 |
219 | B.....................................................................................................................................................................48
220 |
221 | C.....................................................................................................................................................................50
222 |
223 | D.....................................................................................................................................................................53
224 |
225 | E.....................................................................................................................................................................57
226 |
227 | F.....................................................................................................................................................................59
228 |
229 | G.....................................................................................................................................................................61
230 |
231 | H.....................................................................................................................................................................62
232 |
233 | I......................................................................................................................................................................63
234 |
235 | L.....................................................................................................................................................................65
236 |
237 | M....................................................................................................................................................................67
238 |
239 | O....................................................................................................................................................................71
240 |
241 | P.....................................................................................................................................................................73
242 |
243 | Q....................................................................................................................................................................76
244 |
245 | R.....................................................................................................................................................................76
246 |
247 | S.....................................................................................................................................................................79
248 |
249 | T.....................................................................................................................................................................83
250 |
251 | U.....................................................................................................................................................................84
252 |
253 | V.....................................................................................................................................................................85
254 |
255 | v
256 |
257 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
258 |
259 | W....................................................................................................................................................................85
260 |
261 | Z.....................................................................................................................................................................86
262 |
263 | vi
264 |
265 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
266 |
267 | ## Best practices for using the Terraform AWS Provider
268 |
269 | Michael Begin, Senior DevOps Consultant, Amazon Web Services (AWS)
270 |
271 | May 2024 (document history)
272 |
273 | Managing infrastructure as code (IaC) with Terraform on AWS offers important benefits such as
274 |
275 | improved consistency, security, and agility. However, as your Terraform configuration grows in size
276 |
277 | and complexity, it becomes critical to follow best practices to avoid pitfalls.
278 |
279 | This guide provides recommended best practices for using the Terraform AWS Provider from
280 |
281 | HashiCorp. It walks you through proper versioning, security controls, remote backends, codebase
282 |
283 | structure, and community providers to optimize Terraform on AWS. Each section dives into more
284 |
285 | details on the specifics of applying these best practices:
286 |
287 | *Security
288 |
289 | *Backends
290 |
291 | *Code base structure and organization
292 |
293 | *AWS Provider version management
294 |
295 | *Community modules
296 |
297 | ## Objectives
298 |
299 | This guide helps you gain operational knowledge on the Terraform AWS Provider and addresses
300 |
301 | the following business goals that you can achieve by following IaC best practices around security,
302 |
303 | reliability, compliance, and developer productivity.
304 |
305 | *Improve infrastructure code quality and consistency across Terraform projects.
306 |
307 | *Accelerate developer onboarding and ability to contribute to infrastructure code.
308 |
309 | *Increase business agility through faster infrastructure changes.
310 |
311 | *Reduce errors and downtime related to infrastructure changes.
312 |
313 | *Optimize infrastructure costs by following IaC best practices.
314 |
315 | *Strengthen your overall security posture through best practice implementation.
316 |
317 | Objectives 1
318 |
319 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
320 |
321 | ## Target audience
322 |
323 | The target audience for this guide includes technical leads and managers who oversee teams
324 |
325 | that use Terraform for IaC on AWS. Other potential readers include infrastructure engineers,
326 |
327 | DevOps engineers, solutions architects, and developers who actively use Terraform to manage AWS
328 |
329 | infrastructure.
330 |
331 | Following these best practices will save time and help unlock the benefits of IaC for these roles.
332 |
333 | Target audience 2
334 |
335 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
336 |
337 | ## Overview
338 |
339 | Terraform providers are plugins that allow Terraform to interact with different APIs. The Terraform
340 |
341 | AWS Provider is the official plugin for managing AWS infrastructure as code (IaC) with Terraform. It
342 |
343 | translates Terraform syntax into AWS API calls to create, read, update, and delete AWS resources.
344 |
345 | The AWS Provider handles authentication, translating Terraform syntax to AWS API calls, and
346 |
347 | provisioning resources in AWS. You use a Terraform provider code block to configure the provider
348 |
349 | plugin that Terraform uses to interact with the AWS API. You can configure multiple AWS Provider
350 |
351 | blocks to manage resources across different AWS accounts and Regions.
352 |
353 | Here's an example Terraform configuration that uses multiple AWS Provider blocks with aliases
354 |
355 | to manage an Amazon Relational Database Service (Amazon RDS) database that has a replica in a
356 |
357 | different Region and account. The primary and secondary providers assume different AWS Identity
358 |
359 | and Access Management (IAM) roles:
360 |
361 | # Configure the primary AWS Provider
362 |
363 | provider "aws" {
364 |
365 | region = "us-west-1"
366 |
367 | alias = "primary"
368 |
369 | }
370 |
371 | # Configure a secondary AWS Provider for the replica Region and account
372 |
373 | provider "aws" {
374 |
375 | region = "us-east-1"
376 |
377 | alias = "replica"
378 |
379 | assume_role {
380 |
381 | role_arn = "arn:aws:iam::<replica-account-id>:role/<role-name>"
382 |
383 | session_name = "terraform-session"
384 |
385 | }
386 |
387 | }
388 |
389 | # Primary Amazon RDS database
390 |
391 | resource "aws_db_instance" "primary" {
392 |
393 | provider = aws.primary
394 |
395 | # ... RDS instance configuration
396 |
397 | }
398 |
399 | # Read replica in a different Region and account
400 |
401 | resource "aws_db_instance" "read_replica" {
402 |
403 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
404 |
405 | provider = aws.replica
406 |
407 | # ... RDS read replica configuration
408 |
409 | replicate_source_db = aws_db_instance.primary.id
410 |
411 | }
412 |
413 | In this example:
414 |
415 | *The first provider block configures the primary AWS Provider in the us-west-1 Region with
416 |
417 | the alias primary .
418 |
419 | *The second provider block configures a secondary AWS Provider in the us-east-1 Region
420 |
421 | with the alias replica. This provider is used to create a read replica of the primary database in
422 |
423 | a different Region and account. The assume_role block is used to assume an IAM role in the
424 |
425 | replica account. The role_arn specifies the Amazon Resource Name (ARN) of the IAM role to
426 |
427 | assume, and session_name is a unique identifier for the Terraform session.
428 |
429 | *The aws_db_instance.primary resource creates the primary Amazon RDS database by using
430 |
431 | the primary provider in the us-west-1 Region.
432 |
433 | *The aws_db_instance.read_replica resource creates a read replica of the primary database
434 |
435 | in the us-east-1 Region by using the replica provider. The replicate_source_db
436 |
437 | attribute references the ID of the primary database.
438 |
439 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
440 |
441 | ## Security best practices
442 |
443 | Properly managing authentication, access controls, and security is critical for secure usage of the
444 |
445 | Terraform AWS Provider. This section outlines best practices around:
446 |
447 | *IAM roles and permissions for least-privilege access
448 |
449 | *Securing credentials to help prevent unauthorized access to AWS accounts and resources
450 |
451 | *Remote state encryption to help protect sensitive data
452 |
453 | *Infrastructure and source code scanning to identify misconfigurations
454 |
455 | *Access controls for remote state storage
456 |
457 | *Sentinel policy enforcement to implement governance guardrails
458 |
459 | Following these best practices helps strengthen your security posture when you use Terraform to
460 |
461 | manage AWS infrastructure.
462 |
463 | ## Follow the principle of least privilege
464 |
465 | Least privilege is a fundamental security principle that refers to granting only the minimum
466 |
467 | permissions required for a user, process, or system to perform its intended functions. It's a core
468 |
469 | concept in access control and a preventative measure against unauthorized access and potential
470 |
471 | data breaches.
472 |
473 | The principle of least privilege is emphasized multiple times in this section because it directly
474 |
475 | relates to how Terraform authenticates and runs actions against cloud providers such as AWS.
476 |
477 | When you use Terraform to provision and manage AWS resources, it acts on behalf of an entity
478 |
479 | (user or role) that requires appropriate permissions to make API calls. Not following least privilege
480 |
481 | opens up major security risks:
482 |
483 | *If Terraform has excessive permissions beyond what's needed, an unintended misconfiguration
484 |
485 | could make undesired changes or deletions.
486 |
487 | *Overly permissive access grants increase the scope of impact if Terraform state files or
488 |
489 | credentials are compromised.
490 |
491 | *Not following least privilege goes against security best practices and regulatory compliance
492 |
493 | requirements for granting minimal required access.
494 |
495 | Follow the principle of least privilege 5
496 |
497 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
498 |
499 | ## Use IAM roles
500 |
501 | Use IAM roles instead of IAM users wherever possible to enhance security with the Terraform
502 |
503 | AWS Provider. IAM roles provide temporary security credentials that automatically rotate, which
504 |
505 | eliminates the need to manage long-term access keys. Roles also offer precise access controls
506 |
507 | through IAM policies.
508 |
509 | ## Grant least privilege access by using IAM policies
510 |
511 | Carefully construct IAM policies to ensure that roles and users have only the minimum set of
512 |
513 | permissions that are required for their workload. Start with an empty policy and iteratively add
514 |
515 | allowed services and actions. To accomplish this:
516 |
517 | *Enable IAM Access Analyzer to evaluate policies and highlight unused permissions that can be
518 |
519 | removed.
520 |
521 | *Manually review policies to remove any capabilities that aren't essential for the role's intended
522 |
523 | responsibility.
524 |
525 | *Use IAM policy variables and tags to simplify permission management.
526 |
527 | Well-constructed policies grant just enough access to accomplish the workload's responsibilities
528 |
529 | and nothing more. Define actions at the operation level, and allow calls only to required APIs on
530 |
531 | specific resources.
532 |
533 | Following this best practice reduces the scope of impact and follows the fundamental security
534 |
535 | principles of separation of duties and least privilege access. Start strict and open access gradually
536 |
537 | as needed, instead of starting open and trying to restrict access later.
538 |
539 | ## Assume IAM roles for local authentication
540 |
541 | When you run Terraform locally, avoid configuring static access keys. Instead, use IAM roles to grant
542 |
543 | privileged access temporarily without exposing long-term credentials.
544 |
545 | First, create an IAM role with the necessary minimum permissions and add a trust relationship
546 |
547 | that allows the IAM role to be assumed by your user account or federated identity. This authorizes
548 |
549 | temporary usage of the role.
550 |
551 | Trust relationship policy example:
552 |
553 | Use IAM roles 6
554 |
555 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
556 |
557 | {
558 |
559 | "Version": "2012-10-17",
560 |
561 | "Statement": [
562 |
563 | {
564 |
565 | "Effect": "Allow",
566 |
567 | "Principal": {
568 |
569 | "AWS": "arn:aws:iam::111122223333:role/terraform-execution"
570 |
571 | },
572 |
573 | "Action": "sts:AssumeRole"
574 |
575 | }
576 |
577 | ]
578 |
579 | }
580 |
581 | Then, run the AWS CLI command aws sts assume-role to retrieve short-lived credentials for the
582 |
583 | role. These credentials are typically valid for one hour.
584 |
585 | AWS CLI command example:
586 |
587 | aws sts assume-role --role-arn arn:aws:iam::111122223333:role/terraform-execution --
588 |
589 | role-session-name terraform-session-example
590 |
591 | The output of the command contains an access key, secret key, and session token that you can use
592 |
593 | to authenticate to AWS:
594 |
595 | {
596 |
597 | "AssumedRoleUser": {
598 |
599 | "AssumedRoleId": "AROA3XFRBF535PLBIFPI4:terraform-session-example",
600 |
601 | "Arn": "arn:aws:sts::111122223333:assumed-role/terraform-execution/terraform-
602 |
603 | session-example"
604 |
605 | },
606 |
607 | "Credentials": {
608 |
609 | "SecretAccessKey": " wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
610 |
611 | "SessionToken": " AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT
612 |
613 | +FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/
614 |
615 | IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/
616 |
617 | AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
618 |
619 | "Expiration": "2024-03-15T00:05:07Z",
620 |
621 | "AccessKeyId": ...
622 |
623 | }
624 |
625 | }
626 |
627 | The AWS Provider can also automatically handle assuming the role.
628 |
629 | Assume IAM roles for local authentication 7
630 |
631 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
632 |
633 | Provider configuration example for assuming an IAM role:
634 |
635 | provider "aws" {
636 |
637 | assume_role {
638 |
639 | role_arn = "arn:aws:iam::111122223333:role/terraform-execution"
640 |
641 | session_name = "terraform-session-example"
642 |
643 | }
644 |
645 | }
646 |
647 | This grants elevated privilege strictly for the Terraform session's duration. The temporary keys
648 |
649 | cannot be leaked because they expire automatically after the maximum duration of the session.
650 |
651 | The key benefits of this best practice include improved security compared with long-lived access
652 |
653 | keys, fine-grained access controls on the role for least privileges, and the ability to easily revoke
654 |
655 | access by modifying the role's permissions. By using IAM roles, you also avoid having to directly
656 |
657 | store secrets locally in scripts or on disk, which helps you share Terraform configuration securely
658 |
659 | across a team.
660 |
661 | Use IAM roles for Amazon EC2 authentication
662 |
663 | When you run Terraform from Amazon Elastic Compute Cloud (Amazon EC2) instances, avoid
664 |
665 | storing long-term credentials locally. Instead, use IAM roles and instance profiles to grant least-
666 |
667 | privilege permissions automatically.
668 |
669 | First, create an IAM role with the minimum permissions and assign the role to the instance profile.
670 |
671 | The instance profile allows EC2 instances to inherit the permissions defined in the role. Then,
672 |
673 | launch instances by specifying that instance profile. The instance will authenticate through the
674 |
675 | attached role.
676 |
677 | Before you run any Terraform operations, verify that the role is present in the instance metadata to
678 |
679 | confirm that the credentials were successfully inherited.
680 |
681 | TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-
682 |
683 | metadata-token-ttl-seconds: 21600")
684 |
685 | curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/
686 |
687 | iam/security-credentials/
688 |
689 | This approach avoids hardcoding permanent AWS keys into scripts or Terraform configuration
690 |
691 | within the instance. The temporary credentials are made available to Terraform transparently
692 |
693 | through the instance role and profile.
694 |
695 | Use IAM roles for Amazon EC2 authentication 8
696 |
697 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
698 |
699 | The key benefits of this best practice include improved security over long-term credentials,
700 |
701 | reduced credential management overhead, and consistency between development, test, and
702 |
703 | production environments. IAM role authentication simplifies Terraform runs from EC2 instances
704 |
705 | while enforcing least-privilege access.
706 |
707 | ## Use dynamic credentials for HCP Terraform workspaces
708 |
709 | HCP Terraform is a managed service provided by HashiCorp that helps teams use Terraform to
710 |
711 | provision and manage infrastructure across multiple projects and environments. When you run
712 |
713 | Terraform in HCP Terraform, use dynamic credentials to simplify and secure AWS authentication.
714 |
715 | Terraform automatically exchanges temporary credentials on each run without needing IAM role
716 |
717 | assumption.
718 |
719 | Benefits include easier secret rotation, centralized credential management across workspaces,
720 |
721 | least-privilege permissions, and eliminating hardcoded keys. Relying on hashed ephemeral keys
722 |
723 | enhances security compared with long-lived access keys.
724 |
725 | ## Use IAM roles in AWS CodeBuild
726 |
727 | In AWS CodeBuild, run your builds by using an IAM role that's assigned to the CodeBuild project.
728 |
729 | This allows each build to automatically inherit temporary credentials from the role instead of using
730 |
731 | long-term keys.
732 |
733 | ## Run GitHub Actions remotely on HCP Terraform
734 |
735 | Configure GitHub Actions workflows to run Terraform remotely on HCP Terraform workspaces. Rely
736 |
737 | on dynamic credentials and remote state locking instead of GitHub secrets management.
738 |
739 | Use GitHub Actions with OIDC and configure the AWS Credentials
740 |
741 | action
742 |
743 | Use the OpenID Connect (OIDC) standard to federate GitHub Actions identity through IAM. Use the
744 |
745 | Configure AWS Credentials action to exchange the GitHub token for temporary AWS credentials
746 |
747 | without needing long-term access keys.
748 |
749 | ## Use GitLab with OIDC and the AWS CLI
750 |
751 | Use the OIDC standard to federate GitLab identities through IAM for temporary access. By
752 |
753 | relying on OIDC, you avoid having to directly manage long-term AWS access keys within GitLab.
754 |
755 | Use dynamic credentials for HCP Terraform workspaces 9
756 |
757 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
758 |
759 | Credentials are exchanged just-in-time, which improves security. Users also gain least privilege
760 |
761 | access according to the permissions in the IAM role.
762 |
763 | ## Use unique IAM users with legacy automation tools
764 |
765 | If you have automation tools and scripts that lack native support for using IAM roles, you can
766 |
767 | create individual IAM users to grant programmatic access. The principle of least privilege still
768 |
769 | applies. Minimize policy permissions and rely on separate roles for each pipeline or script. As you
770 |
771 | migrate to more modern tools or scripts, begin supporting roles natively and gradually transition
772 |
773 | to them.
774 |
775 | ## Warning
776 |
777 | IAM users have long-term credentials, which present a security risk. To help mitigate this
778 |
779 | risk, we recommend that you provide these users with only the permissions they require to
780 |
781 | perform the task and that you remove these users when they are no longer needed.
782 |
783 | ## Use the Jenkins AWS Credentials plugin
784 |
785 | Use the AWS Credentials plugin in Jenkins to centrally configure and inject AWS credentials into
786 |
787 | builds dynamically. This avoids checking secrets into source control.
788 |
789 | Continuously monitor, validate, and optimize least privilege
790 |
791 | Over time, additional permissions might get granted that can exceed the minimum policies
792 |
793 | required. Continuously analyze access to identify and remove any unnecessary entitlements.
794 |
795 | ## Continuously monitor access key usage
796 |
797 | If you cannot avoid using access keys, use IAM credential reports to find unused access keys that
798 |
799 | are older than 90 days, and revoke inactive keys across both user accounts and machine roles. Alert
800 |
801 | administrators to manually confirm the removal of keys for active employees and systems.
802 |
803 | Monitoring key usage helps you optimize permissions because you can identify and remove unused
804 |
805 | entitlements. When you follow this best practice with access key rotation, it limits credential
806 |
807 | lifespan and enforces least privilege access.
808 |
809 | Use unique IAM users with legacy automation tools 10
810 |
811 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
812 |
813 | AWS provides several services and features that you can use to set up alerts and notifications for
814 |
815 | administrators. Here are some options:
816 |
817 | *AWS Config: You can use AWS Config rules to evaluate the configuration settings of your AWS
818 |
819 | resources, including IAM access keys. You can create custom rules to check for specific conditions,
820 |
821 | such as unused access keys that are older than a specific number of days. When a rule is violated,
822 |
823 | AWS Config can start an evaluation for remediation or send notifications to an Amazon Simple
824 |
825 | Notification Service (Amazon SNS) topic.
826 |
827 | *AWS Security Hub: Security Hub provides a comprehensive view of your AWS account's security
828 |
829 | posture and can help detect and notify you about potential security issues, including unused or
830 |
831 | inactive IAM access keys. Security Hub can integrate with Amazon EventBridge and Amazon SNS
832 |
833 | or Amazon Q Developer in chat applications to send notifications to administrators.
834 |
835 | *AWS Lambda: Lambda functions can be called by various events, including Amazon CloudWatch
836 |
837 | Events or AWS Config rules. You can write custom Lambda functions to evaluate IAM access key
838 |
839 | usage, perform additional checks, and send notifications by using services such as Amazon SNS
840 |
841 | or Amazon Q Developer in chat applications.
842 |
843 | ## Continually validate IAM policies
844 |
845 | Use IAM Access Analyzer to evaluate policies that are attached to roles and identify any unused
846 |
847 | services or excess actions that were granted. Implement periodic access reviews to manually verify
848 |
849 | that policies match current requirements.
850 |
851 | Compare the existing policy with the policy generated by IAM Access Analyzer and remove any
852 |
853 | unnecessary permissions. You should also provide reports to users and automatically revoke
854 |
855 | unused permissions after a grace period. This helps ensure that minimal policies remain in effect.
856 |
857 | Proactively and frequently revoking obsolete access minimizes the credentials that might be at risk
858 |
859 | during a breach. Automation provides sustainable, long-term credential hygiene and permissions
860 |
861 | optimization. Following this best practice limits the scope of impact by proactively enforcing least
862 |
863 | privilege across AWS identities and resources.
864 |
865 | ## Secure remote state storage
866 |
867 | Remote state storage refers to storing the Terraform state file remotely instead of locally on the
868 |
869 | machine where Terraform is running. The state file is crucial because it keeps track of the resources
870 |
871 | that are provisioned by Terraform and their metadata.
872 |
873 | Continually validate IAM policies 11
874 |
875 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
876 |
877 | Failure to secure remote state can lead to serious issues such as loss of state data, inability to
878 |
879 | manage infrastructure, inadvertent resource deletion, and exposure of sensitive information that
880 |
881 | might be present in the state file. For this reason, securing remote state storage is crucial for
882 |
883 | production-grade Terraform usage.
884 |
885 | ## Enable encryption and access controls
886 |
887 | Use Amazon Simple Storage Service (Amazon S3) server-side encryption (SSE) to encrypt remote
888 |
889 | state at rest.
890 |
891 | Limit direct access to collaborative workflows
892 |
893 | *Structure collaboration workflows in HCP Terraform or in a CI/CD pipeline within your Git
894 |
895 | repository to limit direct state access.
896 |
897 | *Rely on pull requests, run approvals, policy checks, and notifications to coordinate changes.
898 |
899 | Following these guidelines helps secure sensitive resource attributes and avoids conflicts with team
900 |
901 | members' changes. Encryption and strict access protections help reduce the attack surface, and
902 |
903 | collaboration workflows enable productivity.
904 |
905 | ## Use AWS Secrets Manager
906 |
907 | There are many resources and data sources in Terraform that store secret values in plaintext in the
908 |
909 | state file. Avoid storing secrets in state―use AWS Secrets Manager instead.
910 |
911 | Instead of attempting to manually encrypt sensitive values, rely on Terraform's built-in support for
912 |
913 | sensitive state management. When exporting sensitive values to output, make sure that the values
914 |
915 | are marked as sensitive.
916 |
917 | ## Continuously scan infrastructure and source code
918 |
919 | Proactively scan both infrastructure and source code continuously for risks such as exposed
920 |
921 | credentials or misconfigurations to harden your security posture. Address findings promptly by
922 |
923 | reconfiguring or patching resources.
924 |
925 | Enable encryption and access controls 12
926 |
927 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
928 |
929 | ## Use AWS services for dynamic scanning
930 |
931 | Use AWS native tools such as Amazon Inspector, AWS Security Hub, Amazon Detective, and
932 |
933 | Amazon GuardDuty to monitor provisioned infrastructure across accounts and Regions. Schedule
934 |
935 | recurring scans in Security Hub to track deployment and configuration drift. Scan EC2 instances,
936 |
937 | Lambda functions, containers, S3 buckets, and other resources.
938 |
939 | ## Perform static analysis
940 |
941 | Embed static analyzers such as Checkov directly into CI/CD pipelines to scan Terraform
942 |
943 | configuration code (HCL) and identify risks preemptively before deployment. This moves security
944 |
945 | checks to an earlier point in the development process (referred to as shifting left) and prevents
946 |
947 | misconfigured infrastructure.
948 |
949 | ## Ensure prompt remediation
950 |
951 | For all scan findings, ensure prompt remediation by either updating Terraform configuration,
952 |
953 | applying patches, or reconfiguring resources manually as appropriate. Lower risk levels by
954 |
955 | addressing the root causes.
956 |
957 | Using both infrastructure scanning and code scanning provides layered insight across Terraform
958 |
959 | configurations, the provisioned resources, and application code. This maximizes the coverage of risk
960 |
961 | and compliance through preventative, detective, and reactive controls while embedding security
962 |
963 | earlier into the software development lifecycle (SDLC).
964 |
965 | ## Enforce policy checks
966 |
967 | Use code frameworks such as HashiCorp Sentinel policies to provide governance guardrails and
968 |
969 | standardized templates for infrastructure provisioning with Terraform.
970 |
971 | Sentinel policies can define requirements or restrictions on Terraform configuration to align with
972 |
973 | organizational standards and best practices. For example, you can use Sentinel policies to:
974 |
975 | *Require tags on all resources.
976 |
977 | *Restrict instance types to an approved list.
978 |
979 | *Enforce mandatory variables.
980 |
981 | *Prevent the destruction of production resources.
982 |
983 | Use AWS services for dynamic scanning 13
984 |
985 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
986 |
987 | Embedding policy checks into Terraform configuration lifecycles enables proactive enforcement of
988 |
989 | standards and architecture guidelines. Sentinel provides shared policy logic that helps accelerate
990 |
991 | development while preventing unapproved practices.
992 |
993 | Enforce policy checks 14
994 |
995 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
996 |
997 | ## Backend best practices
998 |
999 | Using a proper remote backend to store your state file is critical for enabling collaboration,
1000 |
1001 | ensuring state file integrity through locking, providing reliable backup and recovery, integrating
1002 |
1003 | with CI/CD workflows, and taking advantage of advanced security, governance, and management
1004 |
1005 | features offered by managed services such as HCP Terraform.
1006 |
1007 | Terraform supports various backend types such as Kubernetes, HashiCorp Consul, and HTTP.
1008 |
1009 | However, this guide focuses on Amazon S3, which is an optimal backend solution for most AWS
1010 |
1011 | users.
1012 |
1013 | As a fully managed object storage service that offers high durability and availability, Amazon S3
1014 |
1015 | provides a secure, scalable and low-cost backend for managing Terraform state on AWS. The global
1016 |
1017 | footprint and resilience of Amazon S3 exceeds what most teams can achieve by self-managing
1018 |
1019 | state storage. Additionally, being natively integrated with AWS access controls, encryption options,
1020 |
1021 | versioning capabilities, and other services makes Amazon S3 a convenient backend choice.
1022 |
1023 | This guide doesn't provide backend guidance for other solutions such as Kubernetes or Consul
1024 |
1025 | because the primary target audience is AWS customers. For teams that are fully in the AWS
1026 |
1027 | Cloud, Amazon S3 is typically the ideal choice over Kubernetes or HashiCorp Consul clusters. The
1028 |
1029 | simplicity, resilience, and tight AWS integration of Amazon S3 state storage provides an optimal
1030 |
1031 | foundation for most users who follow AWS best practices. Teams can take advantage of the
1032 |
1033 | durability, backup protections, and availability of AWS services to keep remote Terraform state
1034 |
1035 | highly resilient.
1036 |
1037 | Following the backend recommendations in this section will lead to more collaborative Terraform
1038 |
1039 | code bases while limiting the impact of errors or unauthorized modifications. By implementing a
1040 |
1041 | well-architected remote backend, teams can optimize Terraform workflows.
1042 |
1043 | Best practices:
1044 |
1045 | *Use Amazon S3 for remote storage
1046 |
1047 | *Facilitate team collaboration
1048 |
1049 | *Separate the backends for each environment
1050 |
1051 | *Actively monitor remote state activity
1052 |
1053 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1054 |
1055 | Use Amazon S3 for remote storage
1056 |
1057 | Storing Terraform state remotely in Amazon S3 and implementing state locking and consistency
1058 |
1059 | checking by using Amazon DynamoDB provide major benefits over local file storage. Remote state
1060 |
1061 | enables team collaboration, change tracking, backup protections, and remote locking for increased
1062 |
1063 | safety.
1064 |
1065 | Using Amazon S3 with the S3 Standard storage class (default) instead of ephemeral local storage
1066 |
1067 | or self-managed solutions provides 99.999999999% durability and 99.99% availability protections
1068 |
1069 | to prevent accidental state data loss. AWS managed services such as Amazon S3 and DynamoDB
1070 |
1071 | provide service-level agreements (SLAs) that exceed what most organizations can achieve when
1072 |
1073 | they self-manage storage. Rely on these protections to keep remote backends accessible.
1074 |
1075 | ## Enable remote state locking
1076 |
1077 | DynamoDB locking restricts state access to prevent concurrent write operations. This prevents
1078 |
1079 | simultaneous modifications from multiple users and reduces errors.
1080 |
1081 | Example backend configuration with state locking:
1082 |
1083 | terraform {
1084 |
1085 | backend "s3" {
1086 |
1087 | bucket = "myorg-terraform-states"
1088 |
1089 | key = "myapp/production/tfstate"
1090 |
1091 | region = "us-east-1"
1092 |
1093 | dynamodb_table = "TerraformStateLocking"
1094 |
1095 | }
1096 |
1097 | }
1098 |
1099 | ## Enable versioning and automatic backups
1100 |
1101 | For additional safeguarding, enable automatic versioning and backups by using AWS Backup on
1102 |
1103 | Amazon S3 backends. Versioning preserves all previous versions of the state whenever changes are
1104 |
1105 | made. It also lets you restore previous working state snapshots if needed to roll back unwanted
1106 |
1107 | changes or recover from accidents.
1108 |
1109 | Use Amazon S3 for remote storage 16
1110 |
1111 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1112 |
1113 | ## Restore previous versions if needed
1114 |
1115 | Versioned Amazon S3 state buckets make it easy to revert changes by restoring a previous known
1116 |
1117 | good state snapshot. This helps protect against accidental changes and provides additional backup
1118 |
1119 | capabilities.
1120 |
1121 | ## Use HCP Terraform
1122 |
1123 | HCP Terraform provides a fully managed backend alternative to configuring your own state
1124 |
1125 | storage. HCP Terraform automatically handles the secure storage of state and encryption while
1126 |
1127 | unlocking additional features.
1128 |
1129 | When you use HCP Terraform, state is stored remotely by default, which enables state sharing
1130 |
1131 | and locking across your organization. Detailed policy controls help you restrict state access and
1132 |
1133 | changes.
1134 |
1135 | Additional capabilities include version control integrations, policy guardrails, workflow automation,
1136 |
1137 | variables management, and single sign-on integrations with SAML. You can also use Sentinel policy
1138 |
1139 | as code to implement governance controls.
1140 |
1141 | Although HCP Terraform requires using a software as a service (SaaS) platform, for many teams
1142 |
1143 | the benefits around security, access controls, automated policy checks, and collaboration features
1144 |
1145 | make it an optimal choice over self-managing state storage with Amazon S3 or DynamoDB.
1146 |
1147 | Easy integration with services such as GitHub and GitLab with minor configuration also appeals to
1148 |
1149 | users who fully embrace cloud and SaaS tools for better team workflows.
1150 |
1151 | ## Facilitate team collaboration
1152 |
1153 | Use remote backends to share state data across all the members of your Terraform team. This
1154 |
1155 | facilitates collaboration because it gives the entire team visibility into infrastructure changes.
1156 |
1157 | Shared backend protocols combined with state history transparency simplify internal change
1158 |
1159 | management. All infrastructure changes go through the established pipeline, which increases
1160 |
1161 | business agility across the enterprise.
1162 |
1163 | ## Improve accountability by using AWS CloudTrail
1164 |
1165 | Integrate AWS CloudTrail with the Amazon S3 bucket to capture API calls made to the state bucket.
1166 |
1167 | Filter CloudTrail events to track PutObject , DeleteObject, and other relevant calls.
1168 |
1169 | Restore previous versions if needed 17
1170 |
1171 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1172 |
1173 | CloudTrail logs show the AWS identity of the principal that made each API call for state change.
1174 |
1175 | The user's identity can be matched to a machine account or to members of the team who interact
1176 |
1177 | with the backend storage.
1178 |
1179 | Combine CloudTrail logs with Amazon S3 state versioning to tie infrastructure changes to the
1180 |
1181 | principal who applied them. By analyzing multiple revisions, you can attribute any updates to the
1182 |
1183 | machine account or responsible team member.
1184 |
1185 | If an unintended or disruptive change occurs, state versioning provides rollback capabilities.
1186 |
1187 | CloudTrail traces the change to the user so you can discuss preventative improvements.
1188 |
1189 | We also recommend that you enforce IAM permissions to limit state bucket access. Overall, S3
1190 |
1191 | Versioning and CloudTrail monitoring supports auditing across infrastructure changes. Teams gain
1192 |
1193 | improved accountability, transparency, and audit capabilities into the Terraform state history.
1194 |
1195 | ## Separate the backends for each environment
1196 |
1197 | Use distinct Terraform backends for each application environment. Separate backends isolate state
1198 |
1199 | between development, test, and production.
1200 |
1201 | ## Reduce the scope of impact
1202 |
1203 | Isolating state helps ensure that changes in lower environments don't impact production
1204 |
1205 | infrastructure. Accidents or experiments in development and test environments have limited
1206 |
1207 | impact.
1208 |
1209 | ## Restrict production access
1210 |
1211 | Lock down permissions for the production state backend to read-only access for most users. Limit
1212 |
1213 | who can modify the production infrastructure to the CI/CD pipeline and break glass roles.
1214 |
1215 | ## Simplify access controls
1216 |
1217 | Managing permissions at the backend level simplifies access control between environments.
1218 |
1219 | Using distinct S3 buckets for each application and environment means that broad read or write
1220 |
1221 | permissions can be granted on entire backend buckets.
1222 |
1223 | Separate the backends for each environment 18
1224 |
1225 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1226 |
1227 | ## Avoid shared workspaces
1228 |
1229 | Although you can use Terraform workspaces to separate state between environments, distinct
1230 |
1231 | backends provide stronger isolation. If you have shared workspaces, accidents can still impact
1232 |
1233 | multiple environments.
1234 |
1235 | Keeping environment backends fully isolated minimizes the impact of any single failure or
1236 |
1237 | breach. Separate backends also align access controls to the environment's sensitivity level. For
1238 |
1239 | example, you can provide write protection for the production environment and broader access for
1240 |
1241 | development and test environments.
1242 |
1243 | ## Actively monitor remote state activity
1244 |
1245 | Continuously monitoring remote state activity is critical for detecting potential issues early. Look
1246 |
1247 | for anomalous unlocks, changes, or access attempts.
1248 |
1249 | ## Get alerts on suspicious unlocks
1250 |
1251 | Most state changes should run through CI/CD pipelines. Generate alerts if state unlocks occur
1252 |
1253 | directly through developer workstations, which could signal unauthorized or untested changes.
1254 |
1255 | ## Monitor access attempts
1256 |
1257 | Authentication failures on state buckets might indicate reconnaissance activity. Notice if multiple
1258 |
1259 | accounts are trying to access state, or unusual IP addresses appear, which signals compromised
1260 |
1261 | credentials.
1262 |
1263 | Avoid shared workspaces 19
1264 |
1265 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1266 |
1267 | ## Best practices for code base structure and organization
1268 |
1269 | Proper code base structure and organization is critical as Terraform usage grows across large teams
1270 |
1271 | and enterprises. A well-architected code base enables collaboration at scale while enhancing
1272 |
1273 | maintainability.
1274 |
1275 | This section provides recommendations on Terraform modularity, naming conventions,
1276 |
1277 | documentation, and coding standards that support quality and consistency.
1278 |
1279 | Guidance includes breaking configuration into reusable modules by environment and components,
1280 |
1281 | establishing naming conventions by using prefixes and suffixes, documenting modules and clearly
1282 |
1283 | explaining inputs and outputs, and applying consistent formatting rules by using automated style
1284 |
1285 | checks.
1286 |
1287 | Additional best practices cover logically organizing modules and resources in a structured
1288 |
1289 | hierarchy, cataloging public and private modules in documentation, and abstracting unnecessary
1290 |
1291 | implementation details in modules to simplify usage.
1292 |
1293 | By implementing code base structure guidelines around modularity, documentation, standards, and
1294 |
1295 | logical organization, you can support broad collaboration across teams while keeping Terraform
1296 |
1297 | maintainable as usage spreads across an organization. By enforcing conventions and standards, you
1298 |
1299 | can avoid the complexity of a fragmented code base.
1300 |
1301 | Best practices:
1302 |
1303 | *Implement a standard repository structure
1304 |
1305 | *Structure for modularity
1306 |
1307 | *Follow naming conventions
1308 |
1309 | *Use attachment resources
1310 |
1311 | *Use default tags
1312 |
1313 | *Meet Terraform registry requirements
1314 |
1315 | *Use recommended module sources
1316 |
1317 | *Follow coding standards
1318 |
1319 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1320 |
1321 | ## Implement a standard repository structure
1322 |
1323 | We recommend that you implement the following repository layout. Standardizing on these
1324 |
1325 | consistency practices across modules improves discoverability, transparency, organization, and
1326 |
1327 | reliability while enabling reuse across many Terraform configurations.
1328 |
1329 | *Root module or directory: This should be the primary entry point for both Terraform root and
1330 |
1331 | re-usable modules and is expected to be unique. If you have a more complex architecture, you
1332 |
1333 | can use nested modules to create lightweight abstractions. This helps you describe infrastructure
1334 |
1335 | in terms of its architecture instead of directly, in terms of physical objects.
1336 |
1337 | *README : The root module and any nested modules should have README files. This file must
1338 |
1339 | be named README.md . It should contain a description of the module and what it should be
1340 |
1341 | used for. If you want to include an example of using this module with other resources, put it in
1342 |
1343 | an examples directory. Consider including a diagram that depicts the infrastructure resources
1344 |
1345 | the module might create and their relationships. Use terraform-docs to automatically generate
1346 |
1347 | inputs or outputs of the module.
1348 |
1349 | *main.tf: This is the primary entry point. For a simple module, all resources might be created in
1350 |
1351 | this file. For a complex module, resource creation might be spread across multiple files, but any
1352 |
1353 | nested module calls should be in the main.tf file.
1354 |
1355 | *variables.tf and outputs.tf: These files contain the declarations for variables and outputs. All
1356 |
1357 | variables and outputs should have one-sentence or two-sentence descriptions that explain
1358 |
1359 | their purpose. These descriptions are used for documentation. For more information, see the
1360 |
1361 | HashiCorp documentation for variable configuration and output configuration.
1362 |
1363 | *All variables must have a defined type.
1364 |
1365 | *The variable declaration can also include a default argument. If the declaration includes a
1366 |
1367 | default argument, the variable is considered to be optional, and the default value is used if you
1368 |
1369 | don't set a value when you call the module or run Terraform. The default argument requires
1370 |
1371 | a literal value and cannot reference other objects in the configuration. To make a variable
1372 |
1373 | required, omit a default in the variable declaration and consider whether setting nullable =
1374 |
1375 | false makes sense.
1376 |
1377 | *For variables that have environment-independent values (such as disk_size ), provide default
1378 |
1379 | values.
1380 |
1381 | *For variables that have environment-specific values (such as project_id ), don't provide
1382 |
1383 | default values. In this case, the calling module must provide meaningful values.
1384 |
1385 | Implement a standard repository structure 21
1386 |
1387 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1388 |
1389 | *Use empty defaults for variables such as empty strings or lists only when leaving the variable
1390 |
1391 | empty is a valid preference that the underlying APIs don't reject.
1392 |
1393 | *Be judicious in your use of variables. Parameterize values only if they must vary for each
1394 |
1395 | instance or environment. When you decide whether to expose a variable, ensure that you have
1396 |
1397 | a concrete use case for changing that variable. If there's only a small chance that a variable
1398 |
1399 | might be needed, don't expose it.
1400 |
1401 | *Adding a variable with a default value is backward compatible.
1402 |
1403 | *Removing a variable is backward incompatible.
1404 |
1405 | *In cases where a literal is reused in multiple places, you should use a local value without
1406 |
1407 | exposing it as a variable.
1408 |
1409 | *Don't pass outputs directly through input variables, because doing so prevents them from
1410 |
1411 | being properly added to the dependency graph. To ensure that implicit dependencies are
1412 |
1413 | created, make sure that outputs reference attributes from resources. Instead of referencing an
1414 |
1415 | input variable for an instance directly, pass the attribute.
1416 |
1417 | *locals.tf: This file contains local values that assign a name to an expression, so a name can be
1418 |
1419 | used multiple times within a module instead of repeating the expression. Local values are like
1420 |
1421 | a function's temporary local variables. The expressions in local values aren't limited to literal
1422 |
1423 | constants; they can also reference other values in the module, including variables, resource
1424 |
1425 | attributes, or other local values, in order to combine them.
1426 |
1427 | *providers.tf: This file contains the terraform block and provider blocks. provider blocks must
1428 |
1429 | be declared only in root modules by consumers of modules.
1430 |
1431 | If you're using HCP Terraform, also add an empty cloud block . The cloud block should be
1432 |
1433 | configured entirely through environment variables and environment variable credentials as part
1434 |
1435 | of a CI/CD pipeline.
1436 |
1437 | *versions.tf: This file contains the required_providers block. All Terraform modules must declare
1438 |
1439 | which providers it requires so that Terraform can install and use these providers.
1440 |
1441 | *data.tf: For simple configuration, put data sources next to the resources that reference them.
1442 |
1443 | For example, if you are fetching an image to be used in launching an instance, place it alongside
1444 |
1445 | the instance instead of collecting data resources in their own file. If the number of data sources
1446 |
1447 | becomes too large, consider moving them to a dedicated data.tf file.
1448 |
1449 | *.tfvars files: For root modules, you can provide non-sensitive variables by using a .tfvars file.
1450 |
1451 | For consistency, name the variable files terraform.tfvars . Place common values at the root
1452 |
1453 | of the repository, and environment-specific values within the envs/ folder.
1454 |
1455 | Implement a standard repository structure 22
1456 |
1457 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1458 |
1459 | *Nested modules: Nested modules should exist under the modules/ subdirectory. Any nested
1460 |
1461 | module that has a README.md is considered usable by an external user. If a README.md doesn't
1462 |
1463 | exist, the module is considered for internal use only. Nested modules should be used to split
1464 |
1465 | complex behavior into multiple small modules that users can carefully pick and choose.
1466 |
1467 | If the root module includes calls to nested modules, these calls should use relative paths such
1468 |
1469 | as ./modules/sample-module so that Terraform will consider them to be part of the same
1470 |
1471 | repository or package instead of downloading them again separately.
1472 |
1473 | If a repository or package contains multiple nested modules, they should ideally be composable
1474 |
1475 | by the caller instead of directly calling each other and creating a deeply nested tree of modules.
1476 |
1477 | *Examples: Examples of using a reusable module should exist under the examples/ subdirectory
1478 |
1479 | at the root of the repository. For each example, you can add a README to explain the goal and
1480 |
1481 | usage of the example. Examples for submodules should also be placed in the root examples/
1482 |
1483 | directory.
1484 |
1485 | Because examples are often copied into other repositories for customization, module blocks
1486 |
1487 | should have their source set to the address an external caller would use, not to a relative path.
1488 |
1489 | *Service named files: Users often want to separate Terraform resources by service in multiple
1490 |
1491 | files. This practice should be discouraged as much as possible, and resources should be defined
1492 |
1493 | in main.tf instead. However, if a collection of resources (for example, IAM roles and policies)
1494 |
1495 | exceeds 150 lines, it's reasonable to break it into its own files, such as iam.tf. Otherwise, all
1496 |
1497 | resource code should be defined in the main.tf .
1498 |
1499 | *Custom scripts : Use scripts only when necessary. Terraform doesn't account for, or manage,
1500 |
1501 | the state of resources that are created through scripts. Use custom scripts only when Terraform
1502 |
1503 | resources don't support the desired behavior. Place custom scripts called by Terraform in a
1504 |
1505 | scripts/ directory.
1506 |
1507 | *Helper scripts : Organize helper scripts that aren't called by Terraform in a helpers/ directory.
1508 |
1509 | Document helper scripts in the README.md file with explanations and example invocations. If
1510 |
1511 | helper scripts accept arguments, provide argument checking and --help output.
1512 |
1513 | *Static files: Static files that Terraform references but doesn't run (such as startup scripts loaded
1514 |
1515 | onto EC2 instances) must be organized into a files/ directory. Place lengthy documents in
1516 |
1517 | external files, separate from their HCL. Reference them with the file() function.
1518 |
1519 | *Templates: For files that the Terraform templatefile function reads in, use the file extension
1520 |
1521 | .tftpl. Templates must be placed in a templates/ directory.
1522 |
1523 | Implement a standard repository structure 23
1524 |
1525 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1526 |
1527 | ## Root module structure
1528 |
1529 | Terraform always runs in the context of a single root module. A complete Terraform configuration
1530 |
1531 | consists of a root module and the tree of child modules (which includes the modules that are called
1532 |
1533 | by the root module, any modules called by those modules, and so on).
1534 |
1535 | Terraform root module layout basic example:
1536 |
1537 | .
1538 |
1539 | ### data.tf
1540 |
1541 | ### envs
1542 |
1543 | # ### dev
1544 |
1545 | # # ### terraform.tfvars
1546 |
1547 | # ### prod
1548 |
1549 | # # ### terraform.tfvars
1550 |
1551 | # ### test
1552 |
1553 | # ### terraform.tfvars
1554 |
1555 | ### locals.tf
1556 |
1557 | ### main.tf
1558 |
1559 | ### outputs.tf
1560 |
1561 | ### providers.tf
1562 |
1563 | ### README.md
1564 |
1565 | ### terraform.tfvars
1566 |
1567 | ### variables.tf
1568 |
1569 | ### versions.tf
1570 |
1571 | ## Reusable module structure
1572 |
1573 | Reusable modules follow the same concepts as root modules. To define a module, create a new
1574 |
1575 | directory for it and place the .tf files inside, just as you would define a root module. Terraform
1576 |
1577 | can load modules either from local relative paths or from remote repositories. If you expect a
1578 |
1579 | module to be reused by many configurations, place it in its own version control repository. It's
1580 |
1581 | important to keep the module tree relatively flat to make it easier to reuse the modules in different
1582 |
1583 | combinations.
1584 |
1585 | Terraform reusable module layout basic example:
1586 |
1587 | .
1588 |
1589 | ### data.tf
1590 |
1591 | ### examples
1592 |
1593 | Root module structure 24
1594 |
1595 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1596 |
1597 | # ### multi-az-new-vpc
1598 |
1599 | # # ### data.tf
1600 |
1601 | # # ### locals.tf
1602 |
1603 | # # ### main.tf
1604 |
1605 | # # ### outputs.tf
1606 |
1607 | # # ### providers.tf
1608 |
1609 | # # ### README.md
1610 |
1611 | # # ### terraform.tfvars
1612 |
1613 | # # ### variables.tf
1614 |
1615 | # # ### versions.tf
1616 |
1617 | # # ### vpc.tf
1618 |
1619 | # ### single-az-existing-vpc
1620 |
1621 | # # ### data.tf
1622 |
1623 | # # ### locals.tf
1624 |
1625 | # # ### main.tf
1626 |
1627 | # # ### outputs.tf
1628 |
1629 | # # ### providers.tf
1630 |
1631 | # # ### README.md
1632 |
1633 | # # ### terraform.tfvars
1634 |
1635 | # # ### variables.tf
1636 |
1637 | # # ### versions.tf
1638 |
1639 | ### iam.tf
1640 |
1641 | ### locals.tf
1642 |
1643 | ### main.tf
1644 |
1645 | ### outputs.tf
1646 |
1647 | ### README.md
1648 |
1649 | ### variables.tf
1650 |
1651 | ### versions.tf
1652 |
1653 | ## Structure for modularity
1654 |
1655 | In principle, you can combine any resources and other constructs into a module, but overusing
1656 |
1657 | nested and reusable modules can make your overall Terraform configuration harder to understand
1658 |
1659 | and maintain, so use these modules in moderation.
1660 |
1661 | When it makes sense, break your configuration into reusable modules that raise the level of
1662 |
1663 | abstraction by describing a new concept in your architecture that is constructed from resource
1664 |
1665 | types.
1666 |
1667 | When you modularize your infrastructure into reusable definitions, aim for logical sets of resources
1668 |
1669 | instead of individual components or overly complex collections.
1670 |
1671 | Structure for modularity 25
1672 |
1673 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1674 |
1675 | Don't wrap single resources
1676 |
1677 | You shouldn't create modules that are thin wrappers around other single resource types. If you
1678 |
1679 | have trouble finding a name for your module that's different from the name of the main resource
1680 |
1681 | type inside it, your module probably isn't creating a new abstraction―it's adding unnecessary
1682 |
1683 | complexity. Instead, use the resource type directly in the calling module.
1684 |
1685 | ## Encapsulate logical relationships
1686 |
1687 | Group sets of related resources such as networking foundations, data tiers, security controls, and
1688 |
1689 | applications. A reusable module should encapsulate infrastructure pieces that work together to
1690 |
1691 | enable a capability.
1692 |
1693 | Keep inheritance flat
1694 |
1695 | When you nest modules in subdirectories, avoid going more than one or two levels deep. Deeply
1696 |
1697 | nested inheritance structures complicate configurations and troubleshooting. Modules should build
1698 |
1699 | on other modules―not build tunnels through them.
1700 |
1701 | By focusing modules on logical resource groupings that represent architecture patterns, teams can
1702 |
1703 | quickly configure reliable infrastructure foundations. Balance abstraction without over-engineering
1704 |
1705 | or over-simplification.
1706 |
1707 | ## Reference resources in outputs
1708 |
1709 | For every resource that's defined in a reusable module, include at least one output that references
1710 |
1711 | the resource. Variables and outputs let you infer dependencies between modules and resources.
1712 |
1713 | Without any outputs, users cannot properly order your module in relation to their Terraform
1714 |
1715 | configurations.
1716 |
1717 | Well-structured modules that provide environment consistency, purpose-driven groupings, and
1718 |
1719 | exported resource references enable organization-wide Terraform collaboration at scale. Teams can
1720 |
1721 | assemble infrastructure from reusable building blocks.
1722 |
1723 | Don't configure providers
1724 |
1725 | Although shared modules inherit providers from calling modules, modules should not configure
1726 |
1727 | provider settings themselves. Avoid specifying provider configuration blocks in modules. This
1728 |
1729 | configuration should only be declared once globally.
1730 |
1731 | Don't wrap single resources 26
1732 |
1733 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1734 |
1735 | ## Declare required providers
1736 |
1737 | Although provider configurations are shared between modules, shared modules must also declare
1738 |
1739 | their own provider requirements. This practice enables Terraform to ensure that there is a single
1740 |
1741 | version of the provider that's compatible with all modules in the configuration, and to specify the
1742 |
1743 | source address that serves as the global (module-agnostic) identifier for the provider. However,
1744 |
1745 | module-specific provider requirements don't specify any of the configuration settings that
1746 |
1747 | determine what remote endpoints the provider will access, such as an AWS Region.
1748 |
1749 | By declaring version requirements and avoiding hardcoded provider configuration, modules provide
1750 |
1751 | portability and reusability across Terraform configurations using shared providers.
1752 |
1753 | For shared modules, define the minimum required provider versions in a required_providers block
1754 |
1755 | in versions.tf .
1756 |
1757 | To declare that a module requires a particular version of the AWS provider, use a
1758 |
1759 | required_providers block inside a terraform block:
1760 |
1761 | terraform {
1762 |
1763 | required_version = ">= 1.0.0"
1764 |
1765 | required_providers {
1766 |
1767 | aws = {
1768 |
1769 | source = "hashicorp/aws"
1770 |
1771 | version = ">= 4.0.0"
1772 |
1773 | }
1774 |
1775 | }
1776 |
1777 | }
1778 |
1779 | If a shared module supports only a specific version of the AWS provider, use the pessimistic
1780 |
1781 | constraint operator (~> ), which allows only the rightmost version component to increment:
1782 |
1783 | terraform {
1784 |
1785 | required_version = ">= 1.0.0"
1786 |
1787 | required_providers {
1788 |
1789 | aws = {
1790 |
1791 | source = "hashicorp/aws"
1792 |
1793 | version = "~> 4.0"
1794 |
1795 | }
1796 |
1797 | Declare required providers 27
1798 |
1799 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1800 |
1801 | }
1802 |
1803 | }
1804 |
1805 | In this example, ~> 4.0 allows the installation of 4.57.1 and 4.67.0 but not 5.0.0. For more
1806 |
1807 | information, see Version Constraint Syntax in the HashiCorp documentation.
1808 |
1809 | ## Follow naming conventions
1810 |
1811 | Clear, descriptive names simplify your understanding of relationships between resources in the
1812 |
1813 | module and the purpose of configuration values. Consistency with style guidelines enhances
1814 |
1815 | readability for both module users and maintainers.
1816 |
1817 | ## Follow guidelines for resource naming
1818 |
1819 | *Use snake_case (where lowercase terms are separated by underscores) for all resource names to
1820 |
1821 | match Terraform style standards. This practice ensures consistency with the naming convention
1822 |
1823 | for resource types, data source types, and other predefined values. This convention doesn't apply
1824 |
1825 | to name arguments.
1826 |
1827 | *To simplify references to a resource that is the only one of its type (for example, a single load
1828 |
1829 | balancer for an entire module), name the resource main or this for clarity.
1830 |
1831 | *Use meaningful names that describe the purpose and context of the resource, and that help
1832 |
1833 | differentiate between similar resources (for example, primary for the main database and
1834 |
1835 | read_replica for a read replica of the database).
1836 |
1837 | *Use singular, not plural names.
1838 |
1839 | *Don't repeat the resource type in the resource name.
1840 |
1841 | ## Follow guidelines for variable naming
1842 |
1843 | *Add units to the names of inputs, local variables, and outputs that represent numeric values such
1844 |
1845 | as disk size or RAM size (for example, ram_size_gb for RAM size in gigabytes). This practice
1846 |
1847 | makes the expected input unit clear for configuration maintainers.
1848 |
1849 | *Use binary units such as MiB and GiB for storage sizes, and decimal units such as MB or GB for
1850 |
1851 | other metrics.
1852 |
1853 | *Give Boolean variables positive names such as enable_external_access .
1854 |
1855 | Follow naming conventions 28
1856 |
1857 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1858 |
1859 | ## Use attachment resources
1860 |
1861 | Some resources have pseudo-resources embedded as attributes in them. Where possible, you
1862 |
1863 | should avoid using these embedded resource attributes and use the unique resource to attach that
1864 |
1865 | pseudo-resource instead. These resource relationships can cause cause-and-effect issues that are
1866 |
1867 | unique for each resource.
1868 |
1869 | Using an embedded attribute (avoid this pattern):
1870 |
1871 | resource "aws_security_group" "allow_tls" {
1872 |
1873 | ...
1874 |
1875 | ingress {
1876 |
1877 | description = "TLS from VPC"
1878 |
1879 | from_port = 443
1880 |
1881 | to_port = 443
1882 |
1883 | protocol = "tcp"
1884 |
1885 | cidr_blocks = [aws_vpc.main.cidr_block]
1886 |
1887 | ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block]
1888 |
1889 | }
1890 |
1891 | egress {
1892 |
1893 | from_port = 0
1894 |
1895 | to_port = 0
1896 |
1897 | protocol = "-1"
1898 |
1899 | cidr_blocks = ["0.0.0.0/0"]
1900 |
1901 | ipv6_cidr_blocks = ["::/0"]
1902 |
1903 | }
1904 |
1905 | }
1906 |
1907 | Using attachment resources (preferred):
1908 |
1909 | resource "aws_security_group" "allow_tls" {
1910 |
1911 | ...
1912 |
1913 | }
1914 |
1915 | resource "aws_security_group_rule" "example" {
1916 |
1917 | type = "ingress"
1918 |
1919 | description = "TLS from VPC"
1920 |
1921 | from_port = 443
1922 |
1923 | to_port = 443
1924 |
1925 | protocol = "tcp"
1926 |
1927 | cidr_blocks = [aws_vpc.main.cidr_block]
1928 |
1929 | Use attachment resources 29
1930 |
1931 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1932 |
1933 | ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block]
1934 |
1935 | security_group_id = aws_security_group.allow_tls.id
1936 |
1937 | }
1938 |
1939 | ## Use default tags
1940 |
1941 | Assign tags to all resources that can accept tags. The Terraform AWS Provider has an
1942 |
1943 | aws_default_tags data source that you should use inside the root module.
1944 |
1945 | Consider adding necessary tags to all resources that are created by a Terraform module. Here's a
1946 |
1947 | list of possible tags to attach:
1948 |
1949 | *Name : Human-readable resource name
1950 |
1951 | *AppId : The ID for the application that uses the resource
1952 |
1953 | *AppRole: The resource's technical function; for example, "webserver" or "database"
1954 |
1955 | *AppPurpose : The resource's business purpose; for example, "frontend ui" or "payment processor"
1956 |
1957 | *Environment: The software environment, such as dev, test, or prod
1958 |
1959 | *Project: The projects that use the resource
1960 |
1961 | *CostCenter : Who to bill for resource usage
1962 |
1963 | ## Meet Terraform registry requirements
1964 |
1965 | A module repository must meet all of the following requirements so it can be published to a
1966 |
1967 | Terraform registry.
1968 |
1969 | You should always follow these requirements even if you aren't planning to publish the module
1970 |
1971 | to a registry in the short term. By doing so, you can publish the module to a registry later without
1972 |
1973 | having to change the configuration and structure of the repository.
1974 |
1975 | *Repository name: For a module repository, use the three-part name terraform-aws-<NAME> ,
1976 |
1977 | where <NAME> reflects the type of infrastructure the module manages. The <NAME> segment can
1978 |
1979 | contain additional hyphens (for example, terraform-aws-iam-terraform-roles ).
1980 |
1981 | *Standard module structure: The module must adhere to the standard repository structure. This
1982 |
1983 | allows the registry to inspect your module and generate documentation, track resource usage,
1984 |
1985 | and more.
1986 |
1987 | Use default tags 30
1988 |
1989 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
1990 |
1991 | *After you create the Git repository, copy the module files to the root of the repository. We
1992 |
1993 | recommend that you place each module that is intended to be reusable in the root of its own
1994 |
1995 | repository, but you can also reference modules from subdirectories.
1996 |
1997 | *If you're using HCP Terraform, publish the modules that are intended to be shared to your
1998 |
1999 | organization registry. The registry handles downloads and controls access with HCP Terraform
2000 |
2001 | API tokens, so consumers do not need access to the module's source repository even when
2002 |
2003 | they run Terraform from the command line.
2004 |
2005 | *Location and permissions: The repository must be in one of your configured version control
2006 |
2007 | system (VCS) providers, and the HCP Terraform VCS user account must have administrator access
2008 |
2009 | to the repository. The registry needs administrator access to create the webhooks to import new
2010 |
2011 | module versions.
2012 |
2013 | *x.y.z tags for releases: At least one release tag must be present for you to publish a module. The
2014 |
2015 | registry uses release tags to identify module versions. Release tag names must use semantic
2016 |
2017 | versioning, which you can optionally prefix with a v (for example, v1.1.0 and 1.1.0 ). The
2018 |
2019 | registry ignores tags that do not look like version numbers. For more information about
2020 |
2021 | publishing modules, see the Terraform documentation.
2022 |
2023 | For more information, see Preparing a Module Repository in the Terraform documentation.
2024 |
2025 | ## Use recommended module sources
2026 |
2027 | Terraform uses the source argument in a module block to find and download the source code for
2028 |
2029 | a child module.
2030 |
2031 | We recommend that you use local paths for closely related modules that have the primary purpose
2032 |
2033 | of factoring out repeated code elements, and using a native Terraform module registry or a VCS
2034 |
2035 | provider for modules that are intended to be shared by multiple configurations.
2036 |
2037 | The following examples illustrate the most common and recommended source types for sharing
2038 |
2039 | modules. Registry modules support versioning. You should always provide a specific version, as
2040 |
2041 | shown in the following examples.
2042 |
2043 | ## Registry
2044 |
2045 | Terraform registry:
2046 |
2047 | module "lambda" {
2048 |
2049 | Use recommended module sources 31
2050 |
2051 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
2052 |
2053 | source = "github.com/terraform-aws-modules/terraform-aws-lambda.git?
2054 |
2055 | ref=e78cdf1f82944897ca6e30d6489f43cf24539374" #--> v4.18.0
2056 |
2057 | ...
2058 |
2059 | }
2060 |
2061 | By pinning commit hashes, you can avoid drift from public registries that are vulnerable to supply
2062 |
2063 | chain attacks.
2064 |
2065 | HCP Terraform:
2066 |
2067 | module "eks_karpenter" {
2068 |
2069 | source = "app.terraform.io/my-org/eks/aws"
2070 |
2071 | version = "1.1.0"
2072 |
2073 | ...
2074 |
2075 | enable_karpenter = true
2076 |
2077 | }
2078 |
2079 | Terraform Enterprise:
2080 |
2081 | module "eks_karpenter" {
2082 |
2083 | source = "terraform.mydomain.com/my-org/eks/aws"
2084 |
2085 | version = "1.1.0"
2086 |
2087 | ...
2088 |
2089 | enable_karpenter = true
2090 |
2091 | }
2092 |
2093 | ## VCS providers
2094 |
2095 | VCS providers support the ref argument for selecting a specific revision, as shown in the following
2096 |
2097 | examples.
2098 |
2099 | GitHub (HTTPS):
2100 |
2101 | module "eks_karpenter" {
2102 |
2103 | VCS providers 32
2104 |
2105 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
2106 |
2107 | source = "github.com/my-org/terraform-aws-eks.git?ref=v1.1.0"
2108 |
2109 | ...
2110 |
2111 | enable_karpenter = true
2112 |
2113 | }
2114 |
2115 | Generic Git repository (HTTPS):
2116 |
2117 | module "eks_karpenter" {
2118 |
2119 | source = "git::https://example.com/terraform-aws-eks.git?ref=v1.1.0"
2120 |
2121 | ...
2122 |
2123 | enable_karpenter = true
2124 |
2125 | }
2126 |
2127 | Generic Git repository (SSH):
2128 |
2129 | ## Warning
2130 |
2131 | You need to configure credentials to access private repositories.
2132 |
2133 | module "eks_karpenter" {
2134 |
2135 | source = "git::ssh://[email protected]/terraform-aws-eks.git?ref=v1.1.0"
2136 |
2137 | ...
2138 |
2139 | enable_karpenter = true
2140 |
2141 | }
2142 |
2143 | ## Follow coding standards
2144 |
2145 | Apply consistent Terraform formatting rules and styles across all configuration files. Enforce
2146 |
2147 | standards by using automated style checks in CI/CD pipelines. When you embed coding best
2148 |
2149 | practices into team workflows, configurations remain readable, maintainable, and collaborative as
2150 |
2151 | usage spreads widely across an organization.
2152 |
2153 | Follow coding standards 33
2154 |
2155 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
2156 |
2157 | ## Follow style guidelines
2158 |
2159 | *Format all Terraform files (.tf files) with the terraform fmt command to match HashiCorp style
2160 |
2161 | standards.
2162 |
2163 | *Use the terraform validate command to verify the syntax and structure of your configuration.
2164 |
2165 | *Statically analyze code quality by using TFLint . This linter checks for Terraform best practices
2166 |
2167 | beyond just formatting and fails builds when it encounters errors.
2168 |
2169 | Configure pre-commit hooks
2170 |
2171 | Configure client-side pre-commit hooks that run terraform fmt , tflint , checkov , and other
2172 |
2173 | code scans and style checks before you allow commits. This practice helps you validate standards
2174 |
2175 | conformance earlier in developer workflows.
2176 |
2177 | Use pre-commit frameworks such as pre-commit to add Terraform linting, formatting, and code
2178 |
2179 | scanning as hooks on your local machine. Hooks run on each Git commit and fail the commit if
2180 |
2181 | checks don't pass.
2182 |
2183 | Moving style and quality checks to local pre-commit hooks provides rapid feedback to developers
2184 |
2185 | before changes are introduced. Standards become part of the coding workflow.
2186 |
2187 | Follow style guidelines 34
2188 |
2189 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
2190 |
2191 | ## Best practices for AWS Provider version management
2192 |
2193 | Carefully managing versions of the AWS Provider and associated Terraform modules is critical for
2194 |
2195 | stability. This section outlines best practices around version constraints and upgrades.
2196 |
2197 | Best practices:
2198 |
2199 | *Add automated version checks
2200 |
2201 | *Monitor new releases
2202 |
2203 | *Contribute to providers
2204 |
2205 | ## Add automated version checks
2206 |
2207 | Add version checks for Terraform providers in your CI/CD pipelines to validate version pinning, and
2208 |
2209 | fail builds if the version is undefined.
2210 |
2211 | *Add TFLint checks in CI/CD pipelines to scan for provider versions that don't have pinned major/
2212 |
2213 | minor version constraints defined. Use the TFLint ruleset plugin for Terraform AWS Provider,
2214 |
2215 | which provides rules for detecting possible errors and checks for best practices about AWS
2216 |
2217 | resources.
2218 |
2219 | *Fail CI runs that detect unpinned provider versions to prevent implicit upgrades from reaching
2220 |
2221 | production.
2222 |
2223 | ## Monitor new releases
2224 |
2225 | *Monitor provider release notes and changelog feeds. Get notifications on new major/minor
2226 |
2227 | releases.
2228 |
2229 | *Assess release notes for potentially breaking changes and evaluate their impact on your existing
2230 |
2231 | infrastructure.
2232 |
2233 | *Upgrade minor versions in non-production environments first to validate them before updating
2234 |
2235 | the production environment.
2236 |
2237 | By automating version checks in pipelines and monitoring new releases, you can catch unsupported
2238 |
2239 | upgrades early and give your teams time to evaluate the impact of new major/minor releases
2240 |
2241 | before you update production environments.
2242 |
2243 | Add automated version checks 35
2244 |
2245 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
2246 |
2247 | ## Contribute to providers
2248 |
2249 | Actively contribute to HashiCorp AWS Provider by reporting defects or requesting features in
2250 |
2251 | GitHub issues:
2252 |
2253 | *Open well-documented issues on the AWS Provider repository to detail any bugs you
2254 |
2255 | encountered or functionality that is missing. Provide reproducible steps.
2256 |
2257 | *Request and vote on enhancements to expand the capabilities of the AWS Provider for managing
2258 |
2259 | new services.
2260 |
2261 | *Reference issued pull requests when you contribute proposed fixes for provider defects or
2262 |
2263 | enhancements. Link to related issues.
2264 |
2265 | *Follow the contribution guidelines in the repository for coding conventions, testing standards,
2266 |
2267 | and documentation.
2268 |
2269 | By giving back to the providers you use, you can provide direct input into their roadmap and help
2270 |
2271 | improve their quality and capabilities for all users.
2272 |
2273 | Contribute to providers 36
2274 |
2275 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
2276 |
2277 | ## Best practices for community modules
2278 |
2279 | Using modules effectively is key to managing complex Terraform configurations and promoting
2280 |
2281 | reuse. This section provides best practices around community modules, dependencies, sources,
2282 |
2283 | abstraction, and contributions.
2284 |
2285 | Best practices:
2286 |
2287 | *Discover community modules
2288 |
2289 | *Understand dependencies
2290 |
2291 | *Use trusted sources
2292 |
2293 | *Contribute to community modules
2294 |
2295 | ## Discover community modules
2296 |
2297 | Search the Terraform Registry, GitHub , and other sources for existing AWS modules that might
2298 |
2299 | solve your use case before you build a new module. Look for popular options that have recent
2300 |
2301 | updates and are actively maintained.
2302 |
2303 | ## Use variables for customization
2304 |
2305 | When you use community modules, pass inputs through variables instead of forking or directly
2306 |
2307 | modifying the source code. Override defaults where required instead of changing the internals of
2308 |
2309 | the module.
2310 |
2311 | Forking should be limited to contributing fixes or features to the original module to benefit the
2312 |
2313 | broader community.
2314 |
2315 | ## Understand dependencies
2316 |
2317 | Before you use the module, review its source code and documentation to identify dependencies:
2318 |
2319 | *Required providers: Note the versions of AWS, Kubernetes, or other providers the module
2320 |
2321 | requires.
2322 |
2323 | *Nested modules: Check for other modules used internally that introduce cascading
2324 |
2325 | dependencies.
2326 |
2327 | Discover community modules 37
2328 |
2329 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
2330 |
2331 | *External data sources: Note the APIs, custom plugins, or infrastructure dependencies that the
2332 |
2333 | module relies on.
2334 |
2335 | By mapping out the full tree of direct and indirect dependencies, you can avoid surprises when you
2336 |
2337 | use the module.
2338 |
2339 | ## Use trusted sources
2340 |
2341 | Sourcing Terraform modules from unverified or unknown publishers introduces significant risk. Use
2342 |
2343 | modules only from trusted sources.
2344 |
2345 | *Favor certified modules from the Terraform Registry that are published by verified creators such
2346 |
2347 | as AWS or HashiCorp partners.
2348 |
2349 | *For custom modules, review publisher history, support levels, and usage reputation, even if the
2350 |
2351 | module is from your own organization.
2352 |
2353 | By not allowing modules from unknown or unvetted sources, you can reduce the risk of injecting
2354 |
2355 | vulnerabilities or maintenance issues into your code.
2356 |
2357 | Subscribe to notifications
2358 |
2359 | Subscribe to notifications for new module releases from trusted publishers:
2360 |
2361 | *Watch GitHub module repositories to get alerts on new versions of the module.
2362 |
2363 | *Monitor publisher blogs and changelogs for updates.
2364 |
2365 | *Get proactive notifications for new versions from verified, highly rated sources instead of
2366 |
2367 | implicitly pulling in updates.
2368 |
2369 | Consuming modules only from trusted sources and monitoring changes provide stability and
2370 |
2371 | security. Vetted modules enhance productivity while minimizing supply chain risk.
2372 |
2373 | ## Contribute to community modules
2374 |
2375 | Submit fixes and enhancements for community modules that are hosted in GitHub:
2376 |
2377 | *Open pull requests on modules to address defects or limitations that you encounter in your
2378 |
2379 | usage.
2380 |
2381 | Use trusted sources 38
2382 |
2383 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
2384 |
2385 | *Request new best practice configurations to be added to existing OSS modules by creating
2386 |
2387 | issues.
2388 |
2389 | Contributing to community modules enhances reusable, codified patterns for all Terraform
2390 |
2391 | practitioners.
2392 |
2393 | Contribute to community modules 39
2394 |
2395 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
2396 |
2397 | ## FAQ
2398 |
2399 | Q. Why focus on the AWS Provider?
2400 |
2401 | A. The AWS Provider is one of the most widely used and complex providers for provisioning
2402 |
2403 | infrastructure in Terraform. Following these best practices help users optimize their usage of the
2404 |
2405 | provider for the AWS environment.
2406 |
2407 | Q. I'm new to Terraform. Can I use this guide?
2408 |
2409 | A. The guide is for people who are new to Terraform as well as more advanced practitioners who
2410 |
2411 | want to level up their skills. The practices improve workflows for users at any stage of learning.
2412 |
2413 | Q. What are some key best practices covered?
2414 |
2415 | A. Key best practices include using IAM roles over access keys, pinning versions, incorporating
2416 |
2417 | automated testing , remote state locking, credential rotation, contributing back to providers, and
2418 |
2419 | logically organizing code bases.
2420 |
2421 | Q. Where can I learn more about Terraform?
2422 |
2423 | A. The Resources section includes links to the official HashiCorp Terraform documentation and
2424 |
2425 | community forums. Use the links to learn more about advanced Terraform workflows.
2426 |
2427 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
2428 |
2429 | ## Next steps
2430 |
2431 | Here are some potential next steps after reading this guide:
2432 |
2433 | *If you have an existing Terraform code base, review your configuration and identify areas that
2434 |
2435 | could be improved based on the recommendations that are provided in this guide. For example,
2436 |
2437 | review best practices for implementing remote backends, separating code into modules, using
2438 |
2439 | version pinning, and so on, and validate these in your configuration.
2440 |
2441 | *If you don't have an existing Terraform code base, use these best practices when you structure
2442 |
2443 | your new configuration. Follow the advice around state management, authentication, code
2444 |
2445 | structure, and so on from the beginning.
2446 |
2447 | *Try using some of the HashiCorp community modules referenced in this guide to see if they
2448 |
2449 | simplify your architecture patterns. The modules allow higher levels of abstraction, so you don't
2450 |
2451 | have to rewrite common resources.
2452 |
2453 | *Enable linting, security scans, policy checks, and automated testing tools to reinforce some of
2454 |
2455 | the best practices around security, compliance, and code quality. Tools such as TFLint, tfsec, and
2456 |
2457 | Checkov can help.
2458 |
2459 | *Review the latest AWS Provider documentation to see if there are any new resources or
2460 |
2461 | functionality that could help optimize your Terraform usage. Stay up to date on new versions of
2462 |
2463 | the AWS Provider.
2464 |
2465 | *For additional guidance, see the Terraform documentation, best practices guide, and style guide
2466 |
2467 | on the HashiCorp website.
2468 |
2469 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
2470 |
2471 | ## Resources
2472 |
2473 | ## References
2474 |
2475 | The following links provide additional reading material for the Terraform AWS Provider and using
2476 |
2477 | Terraform for IaC on AWS.
2478 |
2479 | *Terraform AWS Provider (HashiCorp documentation)
2480 |
2481 | *Terraform modules for AWS services (Terraform Registry)
2482 |
2483 | *The AWS and HashiCorp Partnership (HashiCorp blog post)
2484 |
2485 | *Dynamic Credentials with the AWS Provider (HCP Terraform documentation)
2486 |
2487 | *DynamoDB State Locking (Terraform documentation)
2488 |
2489 | *Enforce Policy with Sentinel (Terraform documentation)
2490 |
2491 | ## Tools
2492 |
2493 | The following tools help improve code quality and automation of Terraform configurations on
2494 |
2495 | AWS, as recommended in this best practices guide.
2496 |
2497 | Code quality:
2498 |
2499 | *Checkov: Scans Terraform code to identify misconfigurations before deployment.
2500 |
2501 | *TFLint : Identifies possible errors, deprecated syntax, and unused declarations. This linter can also
2502 |
2503 | enforce AWS best practices and naming conventions.
2504 |
2505 | *terraform-docs : Generates documentation from Terraform modules in various output formats.
2506 |
2507 | Automation tools:
2508 |
2509 | *HCP Terraform: Helps teams version, collaborate, and build Terraform workflows with policy
2510 |
2511 | checks and approval gates.
2512 |
2513 | *Atlantis : An open source Terraform pull request automation tool for validating code changes.
2514 |
2515 | *CDK for Terraform: A framework that lets you use familiar languages such as TypeScript, Python,
2516 |
2517 | Java, C#, and Go instead of HashiCorp Configuration Language (HCL) to define, provision, and
2518 |
2519 | test your Terraform infrastructure as code.
2520 |
2521 | References 42
2522 |
2523 | ## AWS Prescriptive Guidance Best practices for using the Terraform AWS Provider
2524 |
```