Terraform MCP Server
OfficialHashiCorp's official server for Terraform Registry providers, modules, and IaC workflows.
Add to your client
Copy the config for your MCP client and paste it into its config file.
docker run -i --rm hashicorp/terraform-mcp-serverPaste into ~/Library/Application Support/Claude/claude_desktop_config.json
{
"mcpServers": {
"terraform-mcp-server": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"hashicorp/terraform-mcp-server"
]
}
}
}Requires Docker to be installed and running.
Step-by-step guides: Add to Claude Desktop · Add to Cursor · Add to Windsurf
Before you start
- An MCP-compatible client (Claude, Cursor, VS Code Copilot, etc.)
- Docker running, OR Go installed to build/install from source (`go install github.com/hashicorp/terraform-mcp-server/cmd/terraform-mcp-server@latest`)
- Public Registry tools need no credentials
- For private modules/providers and workspace tools: an HCP Terraform / Terraform Enterprise API token set as TFE_TOKEN (and TFE_ADDRESS for self-hosted TFE), created under your HCP Terraform user or team API tokens settings
About Terraform MCP Server
The Terraform MCP Server is HashiCorp's official Model Context Protocol server for the Terraform ecosystem. It gives AI assistants structured access to the Terraform Registry (providers, modules, and policies) and, when a token is supplied, to HCP Terraform and Terraform Enterprise workspaces, runs, plans, and variables. This lets an agent look up the right provider/module, read documentation, and reason about Infrastructure-as-Code without hallucinating resource arguments.
It ships as a Go binary and a published Docker image (hashicorp/terraform-mcp-server). The server supports two transports: stdio (the default, for local MCP clients) and StreamableHTTP (for centralized/remote deployments, enabled with TRANSPORT_MODE=streamable-http).
Tools are grouped into toolsets — registry, registry-private, and terraform — so you can expose only the public Registry lookups or also enable private modules/providers and full workspace management. Registry tools need no authentication; the terraform and registry-private toolsets require a TFE_TOKEN.
Tools & capabilities (12)
search_providersSearch the Terraform Registry for providers
get_provider_detailsGet documentation and details for a provider
get_latest_provider_versionResolve the latest published version of a provider
search_modulesSearch the Registry for reusable modules
get_module_detailsGet inputs, outputs, and docs for a module
search_policiesSearch Sentinel/policy libraries in the Registry
list_workspacesList HCP Terraform / TFE workspaces (requires token)
get_workspace_detailsInspect a specific workspace's configuration
create_run / get_run_details / list_runsTrigger and inspect Terraform runs in a workspace
get_plan_details / get_plan_logs / get_plan_json_outputRead plan output and logs for a run
list_workspace_variables / create_workspace_variableManage workspace variables and variable sets
list_stacks / get_stack_detailsInspect Terraform Stacks
When to use it
- Use it when you want an agent to pick the correct provider/module and write valid HCL instead of guessing argument names
- Use it when reviewing or generating Terraform and you need authoritative Registry docs inline
- Use it when you need to list workspaces and inspect run/plan status in HCP Terraform or Terraform Enterprise
- Use it when an agent should trigger a run and read back the plan logs/JSON to explain proposed changes
- Use it when you want to expose private Registry modules/providers to your AI workflow behind a token
Quick setup
- 1Choose a run method: Docker (`docker run -i --rm hashicorp/terraform-mcp-server`) or the Go binary
- 2Add the server to your MCP client config (command + args, or URL for StreamableHTTP)
- 3For Registry-only use, no auth is needed; for workspace/private tools, set TFE_TOKEN (and TFE_ADDRESS for TFE)
- 4Optionally restrict exposed tools by selecting a toolset (registry, registry-private, terraform)
- 5Restart the MCP client and confirm tools like search_providers appear
- 6Run a test prompt (e.g. 'find the latest aws provider version') to verify connectivity
Security notes
In default mode it only reads the public Terraform Registry, so risk is low; adding a TFE_TOKEN grants access to your Terraform Cloud/Enterprise org and should be scoped accordingly. Pin a specific image tag rather than latest for reproducible behavior.
Terraform MCP Server FAQ
Do I need a Terraform Cloud token to use it?
No for public Registry lookups (search/get providers, modules, policies). Yes for the `terraform` and `registry-private` toolsets, which talk to HCP Terraform / Terraform Enterprise and require TFE_TOKEN.
Is it free?
The server is open source under MPL-2.0 and free to run. Registry access is free; workspace operations are governed by your HCP Terraform / Terraform Enterprise plan.
Can I run it remotely instead of stdio?
Yes. Set TRANSPORT_MODE=streamable-http to serve over HTTP (with optional TLS via MCP_TLS_CERT_FILE/MCP_TLS_KEY_FILE) for centralized deployments.
How do I limit which tools the agent can call?
Pick a toolset. `registry` exposes only public lookups; `registry-private` adds private modules/providers; `terraform` enables full workspace, run, and variable management.
Does it work with self-hosted Terraform Enterprise?
Yes. Set TFE_ADDRESS to your TFE hostname (and TFE_SKIP_TLS_VERIFY if using self-signed certs) along with TFE_TOKEN.
Alternatives to Terraform MCP Server
Compare all alternatives →
GitHub's official server for repos, issues, PRs, and Actions — local Docker or hosted remote.
Official AWS Labs server that lets agents call any AWS API via the AWS CLI surface.
Grafana's official server for dashboards, Prometheus/Loki queries, alerts, and incidents.
Compare Terraform MCP Server with: