Using Terraform tools in OpenAPI MCP Server

Terraform is an infrastructure as code tool. It uses a declarative configuration language, the HashiCorp Configuration Language, to define cloud resources and automates infrastructure creation and management by running Terraform commands. By integrating Terraform's automation capabilities, OpenAPI MCP Server lets you configure Terraform code as tools in the MCP system. This approach combines AI agent autonomy with Terraform's deterministic orchestration.

Create a Terraform tool

  1. Go to the Alibaba Cloud OpenAPI MCP service page to create an MCP service, and then click Add Terraform Tools.

  2. On the Add Terraform Tool page, enter the information for your tool.

    Parameter: Description

    Terraform tool name: The name of the tool.

    Terraform tool description: Describes the tool's function and any special notes.

    Terraform tool: The field for your Terraform code. You can use the provided Terraform AI assistant to generate the code or write it manually based on your requirements.

    Asynchronous execution:

    • No: The AI agent waits for the task to complete and then returns the execution results.

    • Yes: OpenAPI MCP Server automatically adds the QueryTerraformTaskStatus system tool. After the AI agent calls the Terraform tool, the server immediately returns a TaskId. Use this TaskId to call the system tool and query the task's execution status.

    Note: If your Terraform code is complex or takes a long time to run, select Yes to avoid large language model (LLM) invocation timeouts.

    Deletion policy:

    • Never Delete: Created resources are not released, regardless of whether the task succeeds or fails.

    • Always Delete: All created resources are immediately released, regardless of whether the task succeeds or fails.

    • Delete on Failure: Created resources are released only if the task fails.

    Note: With the other options, you cannot use the Terraform tool to delete resources after they are created. Running the Terraform tool again recreates the resources.

    This document provides sample Terraform code to deploy Dify. For more Terraform examples, see the tutorial.

    Deploy Dify

    provider "alicloud" {
      region = var.region
    }
    variable "region" {
      description = "The Alibaba Cloud region"
      type        = string
      default     = "cn-hongkong"
    }
    variable "instance_type" {
      description = "The ECS instance type"
      type        = string
      default     = "ecs.c9i.xlarge"
      validation {
        condition     = can(regex("^ecs\\.", var.instance_type))
        error_message = "The instance type must start with 'ecs.'"
      }
    }
    variable "system_disk_category" {
      description = "The system disk type"
      type        = string
      default     = "cloud_essd"
      validation {
        condition     = contains(["cloud_efficiency", "cloud_ssd", "cloud_essd"], var.system_disk_category)
        error_message = "The system disk type must be one of cloud_efficiency, cloud_ssd, or cloud_essd."
      }
    }
    variable "system_disk_size" {
      description = "The system disk size in GB"
      type        = number
      default     = 40
      validation {
        condition     = var.system_disk_size >= 20 && var.system_disk_size <= 500
        error_message = "The system disk size must be between 20 GB and 500 GB."
      }
    }
    variable "instance_password" {
      description = "The password for the ECS instance. It must be 8 to 30 characters long and contain an uppercase letter, a lowercase letter, and a number."
      type        = string
      sensitive   = true
      validation {
        condition = (
          length(var.instance_password) >= 8 &&
          length(var.instance_password) <= 30 &&
          can(regex("[a-z]", var.instance_password)) &&
          can(regex("[A-Z]", var.instance_password)) &&
          can(regex("[0-9]", var.instance_password))
        )
        error_message = "The password must be 8 to 30 characters long and contain an uppercase letter, a lowercase letter, and a number."
      }
    }
    variable "vpc_cidr" {
      description = "The CIDR block for the VPC"
      type        = string
      default     = "192.168.0.0/16"
    }
    variable "vswitch_cidr" {
      description = "The CIDR block for the vSwitch"
      type        = string
      default     = "192.168.1.0/24"
    }
    variable "project_name" {
      description = "The project name, used for naming resources"
      type        = string
      default     = "dify-deployment"
    }
    variable "internet_max_bandwidth_out" {
      description = "The maximum public bandwidth in Mbps"
      type        = number
      default     = 5
      validation {
        condition     = var.internet_max_bandwidth_out >= 1 && var.internet_max_bandwidth_out <= 200
        error_message = "The public bandwidth must be between 1 Mbps and 200 Mbps."
      }
    }
    data "alicloud_zones" "default" {
      available_disk_category     = var.system_disk_category
      available_resource_creation = "VSwitch"
      available_instance_type     = var.instance_type
    }
    # Get the latest CentOS 7 image
    data "alicloud_images" "centos" {
      owners        = "system"
      name_regex    = "^centos_7"
      most_recent   = true
      instance_type = var.instance_type
    }
    # Create a VPC
    resource "alicloud_vpc" "main" {
      vpc_name   = "${var.project_name}-vpc"
      cidr_block = var.vpc_cidr
    }
    # Create a vSwitch
    resource "alicloud_vswitch" "main" {
      vpc_id       = alicloud_vpc.main.id
      cidr_block   = var.vswitch_cidr
      zone_id      = data.alicloud_zones.default.zones.0.id
      vswitch_name = "${var.project_name}-vswitch"
    }
    # Create a security group
    resource "alicloud_security_group" "main" {
      security_group_name = "${var.project_name}-sg"
      description         = "Security group for Dify deployment"
      vpc_id              = alicloud_vpc.main.id
    }
    # Security group rule - HTTP
    resource "alicloud_security_group_rule" "http" {
      type              = "ingress"
      ip_protocol       = "tcp"
      nic_type          = "intranet"
      policy            = "accept"
      port_range        = "80/80"
      priority          = 1
      security_group_id = alicloud_security_group.main.id
      cidr_ip           = "0.0.0.0/0"
      description       = "Allow HTTP traffic"
    }
    # Security group rule - SSH
    resource "alicloud_security_group_rule" "ssh" {
      type              = "ingress"
      ip_protocol       = "tcp"
      nic_type          = "intranet"
      policy            = "accept"
      port_range        = "22/22"
      priority          = 1
      security_group_id = alicloud_security_group.main.id
      cidr_ip           = "0.0.0.0/0"
      description       = "Allow SSH traffic"
    }
    # Security group rule - HTTPS
    resource "alicloud_security_group_rule" "https" {
      type              = "ingress"
      ip_protocol       = "tcp"
      nic_type          = "intranet"
      policy            = "accept"
      port_range        = "443/443"
      priority          = 1
      security_group_id = alicloud_security_group.main.id
      cidr_ip           = "0.0.0.0/0"
      description       = "Allow HTTPS traffic"
    }
    # Create an ECS instance
    resource "alicloud_instance" "dify" {
      instance_name              = "${var.project_name}-instance"
      image_id                   = data.alicloud_images.centos.images[0].id
      instance_type              = var.instance_type
      system_disk_category       = var.system_disk_category
      system_disk_size           = var.system_disk_size
      password                   = var.instance_password
      vswitch_id                 = alicloud_vswitch.main.id
      security_groups            = [alicloud_security_group.main.id]
      internet_max_bandwidth_out = var.internet_max_bandwidth_out
    }
    locals {
      # Install and configure Dify
      deploy_dify = base64encode(<<-EOF
    #!/bin/bash
    # Dify auto-installation script
    set -e
    # Logging function
    log() {
        echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" >> /var/log/dify-install.log
        echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
    }
    # Error handling
    error_exit() {
        log "ERROR: $1"
        exit 1
    }
    log "Updating system packages..."
    yum update -y || error_exit "Failed to update the system"
    yum install -y git
    log "Installing Docker..."
    sudo wget -O /etc/yum.repos.d/docker-ce.repo http://mirrors.cloud.aliyuncs.com/docker-ce/linux/centos/docker-ce.repo
    sudo sed -i 's|https://mirrors.aliyun.com|http://mirrors.cloud.aliyuncs.com|g' /etc/yum.repos.d/docker-ce.repo
    sudo yum -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
    log "Starting Docker service..."
    systemctl start docker || error_exit "Failed to start Docker"
    systemctl enable docker || error_exit "Failed to enable Docker at boot"
    log "Creating application directory..."
    mkdir -p /opt/dify
    cd /opt/dify
    git clone https://github.com/langgenius/dify.git . || error_exit "Failed to clone dify"
    log "Copying environment configuration file..."
    cd docker
    cp .env.example .env || error_exit "Failed to copy environment configuration file"
    log "Starting Dify service..."
    docker compose up -d || error_exit "Failed to start Dify service"
    log "Dify installation complete!"
    log "Access URL: http://$(curl -s ipinfo.io/ip):80"
    log "The administrator account must be created on the first visit."
    EOF
      )
    }
    resource "alicloud_ecs_command" "deploy_dify" {
      name            = "deploy_dify"
      type            = "RunShellScript"
      command_content = local.deploy_dify
      timeout         = 600
      working_dir     = "/root"
    }
    resource "alicloud_ecs_invocation" "invocation" {
      instance_id = [alicloud_instance.dify.id]
      command_id  = alicloud_ecs_command.deploy_dify.id
      timeouts {
        create = "10m"
      }
    }
    # Get instance information
    data "alicloud_instances" "dify" {
      ids        = [alicloud_instance.dify.id]
      depends_on = [alicloud_instance.dify]
    }
    

    In the Add Terraform Tool panel, set Terraform Tool Name to deploydify and Terraform Tool Description to Deploy Dify in a CentOS ECS instance. Paste the preceding Terraform code into the code editor. For Asynchronous Execution, select Yes. For Deletion Policy, select Delete on Failure.
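The sample's SSH rule accepts connections from 0.0.0.0/0 on an instance that uses password login. The following is an added example, not part of the original sample, of a drop-in replacement for the `alicloud_security_group_rule.ssh` resource that limits SSH to a caller-supplied range; `admin_cidr` is a hypothetical variable name introduced here.

```hcl
# Added example: replaces the "ssh" rule from the sample above.
# As written on the page, the rule uses cidr_ip = "0.0.0.0/0",
# which exposes port 22 to every IPv4 address.

# Hypothetical variable (not in the original sample). It has no default,
# so the range must be chosen explicitly each time the tool runs.
variable "admin_cidr" {
  description = "The CIDR block that is allowed to reach SSH on the instance"
  type        = string
  validation {
    # The value must parse as a CIDR block and must not be a /0 range.
    # Both operands are wrapped in can(), so a malformed value fails
    # validation cleanly instead of raising an evaluation error.
    condition = (
      can(cidrhost(var.admin_cidr, 0)) &&
      !can(regex("/0$", var.admin_cidr))
    )
    error_message = "The admin_cidr value must be a valid CIDR block narrower than /0."
  }
}

# Security group rule - SSH, restricted to the admin range
resource "alicloud_security_group_rule" "ssh" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "22/22"
  priority          = 1
  security_group_id = alicloud_security_group.main.id
  cidr_ip           = var.admin_cidr
  description       = "Allow SSH traffic from the admin range only"
}
```

The Dify installation in the sample runs through `alicloud_ecs_command` and `alicloud_ecs_invocation`, so narrowing this rule does not affect the deployment itself.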

Test the Terraform tool in a client

This section describes how to test the Terraform tool in Tongyi Lingma.

  1. Follow the instructions in Configure MCP in Tongyi Lingma to set up OpenAPI MCP Server. After configuration, the tools included in the MCP are displayed.

    The terraform-dify service is enabled. The tool list includes three tools: Ecs-20140526-DescribeInstances (queries ECS instances), terraform/deploydify (deploys Dify in a CentOS ECS instance), and system-QueryTerraformTaskStatus (queries Terraform task status).

  2. Enter a natural language command to run the MCP. For example, "Help me deploy Dify in China (Hong Kong)."

    Click the AI agent tab in the lower-left corner of the input box to switch to agent mode, then enter the natural language command and send it.

  3. Because you chose asynchronous execution, the AI agent returns a TaskId. You can use this TaskId to repeatedly call the system tool (QueryTerraformTaskStatus) to check the task's execution status.

    The AI agent first runs the terraform-dify/terraform/deploydify tool to start the deployment task. After receiving the TaskId, it repeatedly calls QueryTerraformTaskStatus to poll the status, which is Applying during the process. After the deployment succeeds, it returns the deployment information: the region is China (Hong Kong) (cn-hongkong), the availability zone is cn-hongkong-b, the instance name is dify-deployment-instance, the instance type is ecs.c9i.xlarge (4 vCPUs and 8 GB of memory), and a public IP address has been assigned.

  4. You can verify that Dify is deployed successfully by entering http://<Public IP address> in your browser. If the deployment is successful, the following page appears, which indicates that the Terraform tool was executed successfully.

    The page displays the Set up your Admin account interface for the Dify Community Edition. It includes fields for Email, Username, and Password. The password must contain letters and numbers and be at least 8 characters long. After you enter the information, click Set to complete the setup.