tfmcp
Terraform MCP server letting AI assistants read, plan, apply, analyze, and manage Terraform infrastructure.
Add to your client
Copy the config for your MCP client and paste it into its config file.
cargo install tfmcpPaste into ~/Library/Application Support/Claude/claude_desktop_config.json
{
"mcpServers": {
"tfmcp": {
"command": "/path/to/your/tfmcp",
"args": [
"mcp"
],
"env": {
"HOME": "/Users/yourusername",
"PATH": "/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin",
"TERRAFORM_DIR": "/path/to/your/terraform/project"
}
}
}
}Step-by-step guides: Add to Claude Desktop · Add to Cursor · Add to Windsurf
Before you start
- Rust (edition 2021; v0.1.9 requires Rust 1.85.0+ / Edition 2024)
- Terraform CLI installed and available in PATH
- Claude Desktop (for AI assistant integration)
- Docker (optional, for containerized deployment)
About tfmcp
tfmcp is a Rust CLI and MCP server that gives AI assistants safe, structured access to Terraform. Launched via tfmcp mcp, it integrates with Claude Desktop over stdio and exposes 31 tools for reading configs, generating and analyzing plans, applying/destroying infrastructure, managing state and workspaces, formatting and graphing code, analyzing module health, and searching the Terraform registry. It ships with enterprise security controls (dangerous ops disabled by default, resource limits, sensitive-path blocking, audit logging) and can automatically scaffold a sample Terraform project so new users can start immediately.
Tools & capabilities (31)
init_terraformInitialize Terraform working directory.
get_terraform_planGenerate and show execution plan.
analyze_planAnalyze plan with risk scoring and recommendations.
apply_terraformApply Terraform configuration.
destroy_terraformDestroy Terraform-managed infrastructure.
validate_terraformValidate configuration syntax.
validate_terraform_detailedDetailed validation with guidelines.
get_terraform_stateShow current state.
analyze_stateAnalyze state with drift detection.
list_terraform_resourcesList all managed resources.
set_terraform_directoryChange active project directory.
terraform_workspaceManage workspaces (list, show, new, select, delete).
terraform_importImport existing resources.
terraform_taintTaint/untaint resources.
terraform_refreshRefresh state.
terraform_fmtFormat code.
terraform_graphGenerate dependency graph.
terraform_outputGet output values.
terraform_providersGet provider info with lock file.
analyze_terraformAnalyze configuration.
analyze_module_healthModule health with cohesion/coupling metrics.
get_resource_dependency_graphResource dependencies visualization.
suggest_module_refactoringRefactoring suggestions.
get_security_statusSecurity scan with secret detection.
search_terraform_providersSearch providers.
get_provider_infoProvider details.
get_provider_docsProvider documentation.
search_terraform_modulesSearch modules.
get_module_detailsModule details.
get_latest_module_versionLatest module version.
get_latest_provider_versionLatest provider version.
What this server can do
tfmcp provides tools for these capabilities — tap one to see every MCP server that does the same:
When to use it
- Let an AI assistant read and explain existing Terraform configurations.
- Generate a Terraform plan and get AI-driven risk scoring and recommendations before applying.
- Apply or destroy infrastructure through Claude Desktop with safety guardrails and audit logging.
- Inspect and manage Terraform state and workspaces, including drift detection.
- Analyze module health (cohesion/coupling) and get refactoring suggestions.
- Search the Terraform registry for providers and modules and fetch their docs and latest versions.
Security notes
Dangerous operations (apply/destroy) are disabled by default and must be explicitly enabled via TFMCP_ALLOW_DANGEROUS_OPS=true. Auto-approve is off by default (TFMCP_ALLOW_AUTO_APPROVE). Resource count is capped (TFMCP_MAX_RESOURCES, default 50). Built-in access controls block prod*, production*, and secret* file patterns. Audit logging is enabled by default and written to ~/.tfmcp/audit.log. Always review AI-generated Terraform plans before applying, and apply appropriate IAM boundaries in cloud environments.
tfmcp FAQ
Is tfmcp an official Terraform/HashiCorp product?
No. It is an independent open-source project by nwiizo, licensed under MIT. The README notes it is experimental and under active development.
How do I connect tfmcp to Claude Desktop?
Install it (`cargo install tfmcp`), find the binary path with `which tfmcp`, then add an mcpServers entry to ~/Library/Application Support/Claude/claude_desktop_config.json with command set to the tfmcp path and args set to ["mcp"]. Restart Claude Desktop and enable the tool.
Are apply and destroy operations safe?
By default they are disabled. You must set TFMCP_ALLOW_DANGEROUS_OPS=true to enable them, and TFMCP_ALLOW_AUTO_APPROVE remains false unless explicitly enabled. tfmcp also caps resource counts and blocks sensitive file patterns.
Can I run tfmcp with Docker?
Yes. Build the image with `docker build -t tfmcp .`, then point Claude Desktop's command at "docker" with args ["run", "--rm", "-v", "/path/to/your/terraform:/app/terraform", "tfmcp", "mcp"].
Alternatives to tfmcp
Compare all alternatives →
GitHub's official server for repos, issues, PRs, and Actions — local Docker or hosted remote.
Official AWS Labs server that lets agents call any AWS API via the AWS CLI surface.
Bulk Kubernetes port forwarding with an MCP server that lets AI assistants forward services, inspect pods, and monitor traffic.
Compare tfmcp with: