
Terraform MCP Server

Official HashiCorp MCP server for Terraform Registry and HCP Terraform: providers, modules, policies, workspaces, runs, and Stacks.

Developer Tools · by HashiCorp · API Key · active
Overview

The Terraform MCP Server is HashiCorp's official Model Context Protocol integration for the Terraform ecosystem. It connects AI assistants to live data from the public Terraform Registry (providers, modules, Sentinel policies) and to HCP Terraform / Terraform Enterprise (organizations, projects, workspaces, runs, variables, variable sets, policy sets, and Stacks). This gives agents access to current, version-accurate documentation and the ability to operate against real Terraform infrastructure instead of relying on stale training data.

The server is distributed as a Go binary and a Docker image (hashicorp/terraform-mcp-server) and ships with around 50 tools grouped into toolsets: registry (public registry, default), registry-private (private registry in HCP/TFE), and terraform (workspace and run management). It supports both stdio and StreamableHTTP transports, configurable session modes (stateful/stateless), CORS allow-lists, OpenTelemetry metrics, and a --toolsets / --tools filter to scope what the model can call.

The project is in beta and HashiCorp explicitly recommends local use only, mounting CA certs for corporate proxies, and setting MCP_ALLOWED_ORIGINS when exposing the HTTP transport. Write-style operations against HCP/TFE require a valid TFE_TOKEN and, for some sensitive operations, the ENABLE_TF_OPERATIONS flag.

Tools

| Tool | Description |
|---|---|
| search_providers | Search the public Terraform Registry for providers. |
| get_provider_details | Get details and documentation for a specific provider. |
| get_latest_provider_version | Return the latest published version of a provider. |
| get_provider_capabilities | List resources and data sources a provider exposes. |
| search_modules | Search the public registry for Terraform modules. |
| get_module_details | Get inputs, outputs, and usage for a module. |
| get_latest_module_version | Return the latest published version of a module. |
| search_policies | Search Sentinel policy libraries in the registry. |
| get_policy_details | Get details for a specific policy. |
| search_private_modules | Search private registry modules in HCP/TFE. |
| get_private_module_details | Get details for a private registry module. |
| search_private_providers | Search private registry providers. |
| get_private_provider_details | Get details for a private registry provider. |
| list_terraform_orgs | List HCP Terraform / TFE organizations. |
| list_terraform_projects | List projects in an organization. |
| list_workspaces | List workspaces in an organization or project. |
| get_workspace_details | Get a workspace's configuration and state. |
| create_workspace | Create a new workspace. |
| create_no_code_workspace | Create a no-code provisioning workspace. |
| update_workspace | Update workspace attributes. |
| delete_workspace_safely | Delete a workspace if safe to do so. |
| list_runs | List runs for a workspace. |
| get_run_details | Get details for a specific run. |
| get_plan_details | Get plan details for a run. |
| get_plan_logs | Fetch plan logs. |
| get_plan_json_output | Fetch JSON plan output. |
| get_apply_details | Get apply phase details. |
| get_apply_logs | Fetch apply logs. |
| get_sentinel_mock | Retrieve Sentinel mock data for a run. |
| create_run | Queue a new run on a workspace. |
| action_run | Apply, discard, or cancel a run. |
| list_workspace_variables | List variables on a workspace. |
| create_workspace_variable | Create a workspace variable. |
| update_workspace_variable | Update a workspace variable. |
| list_variable_sets | List variable sets in an organization. |
| create_variable_set | Create a variable set. |
| create_variable_in_variable_set | Add a variable to a variable set. |
| delete_variable_in_variable_set | Delete a variable from a variable set. |
| attach_variable_set_to_workspaces | Attach a variable set to workspaces. |
| detach_variable_set_from_workspaces | Detach a variable set from workspaces. |
| create_workspace_tags | Add tags to a workspace. |
| read_workspace_tags | Read tags on a workspace. |
| attach_policy_set_to_workspaces | Attach a policy set to workspaces. |
| get_token_permissions | Show the permissions of the configured TFE token. |
| list_stacks | List Terraform Stacks in an organization or project. |
| get_stack_details | Get details for a Stack. |
| list_workspace_policy_sets | List policy sets attached to a workspace. |

Setup Guide

Prerequisites

  • Docker (recommended) or Go to build from source
  • An MCP-capable client (Claude Desktop, Cursor, VS Code, Amazon Q Developer, Gemini)
  • For HCP Terraform / Terraform Enterprise tools: a TFE_TOKEN API token

Run with Docker

docker pull hashicorp/terraform-mcp-server:latest

Claude Desktop / Cursor config (stdio)

Add to claude_desktop_config.json or ~/.cursor/mcp.json:

{
  "mcpServers": {
    "terraform": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "TFE_TOKEN",
        "-e", "TFE_ADDRESS",
        "hashicorp/terraform-mcp-server:latest"
      ],
      "env": {
        "TFE_TOKEN": "your-hcp-or-tfe-token",
        "TFE_ADDRESS": "https://app.terraform.io"
      }
    }
  }
}

Public-registry-only setup (no token needed):

{
  "mcpServers": {
    "terraform": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "hashicorp/terraform-mcp-server:latest"]
    }
  }
}

StreamableHTTP transport

docker run -p 8080:8080 \
  -e TRANSPORT_MODE=streamable-http \
  -e TRANSPORT_PORT=8080 \
  -e MCP_ALLOWED_ORIGINS="http://localhost" \
  hashicorp/terraform-mcp-server:latest

Endpoint: http://localhost:8080/mcp, health at /health.

Key environment variables

  • TFE_TOKEN: HCP Terraform / TFE API token
  • TFE_ADDRESS: TFE/HCP endpoint (default https://app.terraform.io)
  • TFE_SKIP_TLS_VERIFY: skip TLS verification (use only when required)
  • TRANSPORT_MODE: stdio (default) or streamable-http
  • TRANSPORT_PORT: HTTP port (default 8080)
  • MCP_ALLOWED_ORIGINS: CORS allow-list, required for HTTP transport
  • ENABLE_TF_OPERATIONS: enable tools requiring explicit approval
  • OTEL_METRICS_ENABLED: emit OpenTelemetry metrics

Filter tools / toolsets

docker run -i --rm hashicorp/terraform-mcp-server:latest \
  --toolsets=registry,terraform
# or
docker run -i --rm hashicorp/terraform-mcp-server:latest \
  --tools=search_providers,get_provider_details,list_workspaces
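
The settings above that carry security weight (a literal TFE_TOKEN in the client config, TFE_SKIP_TLS_VERIFY, MCP_ALLOWED_ORIGINS, ENABLE_TF_OPERATIONS, and the --toolsets / --tools scope) can be checked mechanically before a config is rolled out. The Python audit below is an added example, not HashiCorp's code; the finding names, the truthy spellings, the write-tool prefix heuristic and the image-pinning check are assumptions of this example, and the sample config is constructed.

```python
import json

# Prefixes of the state-changing tools in the page's tool table.
WRITE_PREFIXES = ("create_", "update_", "delete_", "attach_", "detach_", "action_")
TRUTHY = {"1", "true", "yes", "on"}  # assumption: accepted boolean spellings
IMAGE = "hashicorp/terraform-mcp-server"

def audit_server(entry):
    """Return review findings for one mcpServers entry that runs the Docker image."""
    args, env, flags = entry.get("args", []), dict(entry.get("env", {})), {}
    for i, arg in enumerate(args):
        if arg == "-e" and i + 1 < len(args) and "=" in args[i + 1]:
            key, _, val = args[i + 1].partition("=")
            env[key] = val  # literal passed on the docker command line
        elif arg.startswith("--") and "=" in arg:
            key, _, val = arg.partition("=")
            flags[key] = [v for v in val.split(",") if v]
    on = lambda name: str(env.get(name, "")).lower() in TRUTHY
    findings = []
    image = next((a for a in args if a.startswith(IMAGE)), "")
    if image and "@sha256:" not in image and image.rpartition(":")[2] in ("latest", image):
        findings.append("image-not-pinned")
    if env.get("TFE_TOKEN"):  # a bare "-e TFE_TOKEN" inherits from the caller instead
        findings.append("token-literal-in-config")
    if on("TFE_SKIP_TLS_VERIFY"):
        findings.append("tls-verification-disabled")
    if env.get("TRANSPORT_MODE") == "streamable-http" and not env.get("MCP_ALLOWED_ORIGINS"):
        findings.append("http-without-allowed-origins")
    tools = flags.get("--tools", [])
    writers = [t for t in tools if t.startswith(WRITE_PREFIXES)]
    if writers:
        findings.append("write-tools-allowed:" + ",".join(writers))
    if "terraform" in flags.get("--toolsets", []) and not tools:
        findings.append("terraform-toolset-without-tool-allowlist")
    if on("ENABLE_TF_OPERATIONS"):
        findings.append("tf-operations-enabled")
    return findings

def audit_config(text):
    """Audit every server in a claude_desktop_config.json / mcp.json document."""
    return {n: audit_server(e) for n, e in json.loads(text).get("mcpServers", {}).items()}

# Constructed sample: the page's stdio config plus two risky additions.
SAMPLE = """{"mcpServers": {"terraform": {"command": "docker",
  "args": ["run", "-i", "--rm", "-e", "TFE_TOKEN", "-e", "TFE_SKIP_TLS_VERIFY=true",
           "hashicorp/terraform-mcp-server:latest", "--toolsets=registry,terraform"],
  "env": {"TFE_TOKEN": "constructed-placeholder-token"}}}}"""

if __name__ == "__main__":
    for name, found in audit_config(SAMPLE).items():
        print(name, found or "no findings")
```
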

Use Cases

  • Pull current, version-pinned provider docs and examples (e.g. aws_lb_listener_rule in hashicorp/aws 5.x) directly into a coding agent so generated HCL matches the actual schema.
  • Discover and evaluate community modules: search the registry, fetch inputs/outputs, and have the agent wire them into a root module.
  • Operate HCP Terraform / TFE workspaces from an agent: create workspaces, set variables and variable sets, queue runs, and apply or discard plans based on plan JSON.
  • Triage failing runs by fetching plan and apply logs, summarizing errors, and proposing fixes against the relevant provider docs.
  • Govern infrastructure with Sentinel: search policies, attach policy sets to workspaces, and inspect mock data for policy testing.
  • Explore Terraform Stacks: list Stacks and inspect their configuration as part of multi-environment rollouts.

Example Prompts

  • "Search the Terraform Registry for the latest hashicorp/aws provider and show the schema for aws_s3_bucket_lifecycle_configuration."
  • "Find a well-maintained module for an AWS VPC with private subnets and tell me its required inputs."
  • "In HCP Terraform org acme, list workspaces tagged prod, then show the last failed run for each and summarize the error."
  • "Create a workspace payments-staging in project payments, set TF_VAR_region=us-east-1, attach the core-secrets variable set, and queue a plan."
  • "List Stacks in org acme and show the configuration for platform-stack."
  • "Search Sentinel policies for aws-no-public-s3 and attach the matching policy set to all workspaces in the prod project."

Pros

  • Official HashiCorp project covering both the public registry and HCP Terraform / Terraform Enterprise, including private registry and Stacks.
  • Broad tool surface (around 50 tools) with toolset and per-tool filtering for least-privilege agent setups.
  • Multiple transports (stdio and StreamableHTTP), Docker image, OpenTelemetry metrics, and CORS controls suitable for real deployments.
  • Read-only registry tools work without any token, which makes provider/module lookups trivial to enable.

Limitations

  • Marked as beta; HashiCorp explicitly says not to use it in production and intends it for local use.
  • HCP/TFE write operations require careful handling: TFE_TOKEN scope, ENABLE_TF_OPERATIONS, and prompt-injection risk when the connected LLM is untrusted or handles untrusted input.
  • It does not run terraform plan/apply against local code; execution happens through HCP/TFE runs, so pure local CLI workflows still need a separate tool.

Alternatives