All Products
Search
Document Center

OpenAPI Explorer:How to use Terraform Tools in OpenAPI MCP Server

Last Updated:Sep 25, 2025

Terraform is an infrastructure as code (IaC) tool. It uses the declarative HashiCorp Configuration Language to define cloud resources. You can execute Terraform commands to automatically create and manage your infrastructure. OpenAPI MCP Server integrates the automated creation capabilities of Terraform. You can use Terraform tools to configure Terraform code in the MCP system. This process combines the autonomy of AI with the deterministic orchestration of Terraform.

lQLPJwKcU7tGQHnNBTrNDOSw-Nwm2-VZSyoIqf0EaSNnAA_3300_1338

Create Terraform Tools

  1. Go to the Alibaba Cloud OpenAPI MCP service and create an MCP service. Then, click Add Terraform Tools.

  2. On the Add Terraform Tool page, enter the information for the tool.

    Configuration item

    Description

    Terraform Tool Name

    The name of the Terraform Tool.

    Terraform Tool Description

    A description of the Terraform Tool's function or any special notes.

    Terraform Tool

    The Terraform code. Use the Terraform AI assistant on the page to generate the code, or write your own code as needed.

    Asynchronous execution

    • No: The agent waits until the task is complete and then returns the execution results of the Terraform Tool.

    • Yes: If you select this option, OpenAPI MCP Server automatically adds the system tool (QueryTerraformTaskStatus) to query the status of the asynchronous task. After the agent calls the Terraform Tool, it immediately returns a TaskId. Use this TaskId to call the system tool and query the task status.

    Note

    If the Terraform code is complex or has a long running time, select Yes to prevent model invocation timeouts.

    Deletion policy

    • Do not delete: The created resources are not released, regardless of whether the task succeeds or fails.

    • Always delete: The system immediately releases all created resources, regardless of whether the task succeeds or fails.

    • Delete on failure: The system releases the created resources only if the task fails.

    Note

    With the exception of the Always delete option, the other options do not support resource deletion through Terraform Tools after creation. Executing the Terraform Tool again recreates the resources.

    This topic provides an example of Terraform code to deploy Dify for testing. For more Terraform examples, see Tutorials.

    Deploy Dify

    provider "alicloud" { region = var.region } variable "region" { description = "The Alibaba Cloud region" type = string default = "cn-hongkong" } variable "instance_type" { description = "The ECS instance type" type = string default = "ecs.c9i.xlarge" validation { condition = can(regex("^ecs\\.", var.instance_type)) error_message = "The instance type must start with 'ecs.'" } } variable "system_disk_category" { description = "The system disk type" type = string default = "cloud_essd" validation { condition = contains(["cloud_efficiency", "cloud_ssd", "cloud_essd"], var.system_disk_category) error_message = "The system disk type must be one of cloud_efficiency, cloud_ssd, or cloud_essd." } } variable "system_disk_size" { description = "The system disk size in GB" type = number default = 40 validation { condition = var.system_disk_size >= 20 && var.system_disk_size <= 500 error_message = "The system disk size must be between 20 GB and 500 GB." } } variable "instance_password" { description = "The password for the ECS instance. It must be at least 8 characters long and contain an uppercase letter, a lowercase letter, and a number." type = string sensitive = true validation { condition = ( length(var.instance_password) >= 8 && length(var.instance_password) <= 30 && can(regex("[a-z]", var.instance_password)) && can(regex("[A-Z]", var.instance_password)) && can(regex("[0-9]", var.instance_password)) ) error_message = "The password must be at least 8 characters long and contain an uppercase letter, a lowercase letter, and a number." } } variable "vpc_cidr" { description = "The CIDR block for the VPC" type = string default = "192.168.0.0/16" } variable "vswitch_cidr" { description = "The CIDR block for the vSwitch" type = string default = "192.168.1.0/24" } variable "project_name" { description = "The project name, used for naming resources" type = string default = "dify-deployment" } variable "internet_max_bandwidth_out" { description = "The maximum public bandwidth in Mbps" type = number default = 5 validation { condition = var.internet_max_bandwidth_out >= 1 && var.internet_max_bandwidth_out <= 200 error_message = "The public bandwidth must be between 1 Mbps and 200 Mbps." } } data "alicloud_zones" "default" { available_disk_category = var.system_disk_category available_resource_creation = "VSwitch" available_instance_type = var.instance_type } # Get the latest CentOS 7 image data "alicloud_images" "centos" { owners = "system" name_regex = "^centos_7" most_recent = true instance_type = var.instance_type } # Create a VPC resource "alicloud_vpc" "main" { vpc_name = "${var.project_name}-vpc" cidr_block = var.vpc_cidr } # Create a vSwitch resource "alicloud_vswitch" "main" { vpc_id = alicloud_vpc.main.id cidr_block = var.vswitch_cidr zone_id = data.alicloud_zones.default.zones.0.id vswitch_name = "${var.project_name}-vswitch" } # Create a security group resource "alicloud_security_group" "main" { security_group_name = "${var.project_name}-sg" description = "Security group for Dify deployment" vpc_id = alicloud_vpc.main.id } # Security group rule - HTTP resource "alicloud_security_group_rule" "http" { type = "ingress" ip_protocol = "tcp" nic_type = "intranet" policy = "accept" port_range = "80/80" priority = 1 security_group_id = alicloud_security_group.main.id cidr_ip = "0.0.0.0/0" description = "Allow HTTP traffic" } # Security group rule - SSH resource "alicloud_security_group_rule" "ssh" { type = "ingress" ip_protocol = "tcp" nic_type = "intranet" policy = "accept" port_range = "22/22" priority = 1 security_group_id = alicloud_security_group.main.id cidr_ip = "0.0.0.0/0" description = "Allow SSH traffic" } # Security group rule - HTTPS resource "alicloud_security_group_rule" "https" { type = "ingress" ip_protocol = "tcp" nic_type = "intranet" policy = "accept" port_range = "443/443" priority = 1 security_group_id = alicloud_security_group.main.id cidr_ip = "0.0.0.0/0" description = "Allow HTTPS traffic" } # Create an ECS instance resource "alicloud_instance" "dify" { instance_name = "${var.project_name}-instance" image_id = data.alicloud_images.centos.images[0].id instance_type = var.instance_type system_disk_category = var.system_disk_category system_disk_size = var.system_disk_size password = var.instance_password vswitch_id = alicloud_vswitch.main.id security_groups = [alicloud_security_group.main.id] internet_max_bandwidth_out = var.internet_max_bandwidth_out } locals { # Install and configure Dify deploy_dify = base64encode(<<-EOF #!/bin/bash # Dify auto-installation script set -e # Log function log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" >> /var/log/dify-install.log echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" } # Error handling error_exit() { log "ERROR: $1" exit 1 } log "Updating system packages..." yum update -y || error_exit "Failed to update system." yum install -y git log "Installing Docker..." sudo wget -O /etc/yum.repos.d/docker-ce.repo http://mirrors.cloud.aliyuncs.com/docker-ce/linux/centos/docker-ce.repo sudo sed -i 's|https://mirrors.aliyun.com|http://mirrors.cloud.aliyuncs.com|g' /etc/yum.repos.d/docker-ce.repo sudo yum -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin log "Starting Docker service..." systemctl start docker || error_exit "Failed to start Docker." systemctl enable docker || error_exit "Failed to enable Docker to start on boot." log "Creating application directory..." mkdir -p /opt/dify cd /opt/dify git clone https://github.com/langgenius/dify.git . || error_exit "Failed to clone dify." log "Copying environment configuration file..." cd docker cp .env.example .env || error_exit "Failed to copy environment configuration file." log "Starting Dify service..." docker compose up -d || error_exit "Failed to start Dify service." log "Dify installation complete!" log "Access URL: http://$(curl -s ipinfo.io/ip):80" log "The default administrator account must be created on the first visit." EOF ) } resource "alicloud_ecs_command" "deploy_dify" { name = "deploy_dify" type = "RunShellScript" command_content = local.deploy_dify timeout = 600 working_dir = "/root" } resource "alicloud_ecs_invocation" "invocation" { instance_id = [alicloud_instance.dify.id] command_id = alicloud_ecs_command.deploy_dify.id timeouts { create = "10m" } } # Get instance information data "alicloud_instances" "dify" { ids = [alicloud_instance.dify.id] depends_on = [alicloud_instance.dify] }

    image

Test Terraform Tools on the client

This topic describes how to test Terraform Tools in Tongyi Lingma.

  1. Configure OpenAPI MCP Server as described in Configure MCP in Tongyi Lingma. After the configuration is applied, information about the tools in MCP is displayed.

    image

  2. Enter a natural language command to run MCP. For example, "Help me deploy Dify in China (Hong Kong)".

    image

  3. Because asynchronous execution is used, the agent returns a TaskId. Use this TaskId to poll the system tool (QueryTerraformTaskStatus) for the task status.

    image

  4. To verify that Dify is deployed, enter http://<Public IP> in a browser. A page similar to the following screenshot indicates a successful deployment and that the Terraform Tool ran correctly.

    image