home / mcp / terraform mcp server
Provides programmable access to Terraform Registry data, workspace management, and policy interactions via MCP for IaC automation.
Configuration
View docs{
"mcpServers": {
"hashicorp-terraform-mcp-server": {
"command": "terraform-mcp-server",
"args": [
"stdio",
"--log-file",
"/path/to/log"
],
"env": {
"TFE_TOKEN": "YOUR_TFE_TOKEN",
"TFE_ADDRESS": "https://app.terraform.io",
"MCP_ENDPOINT": "/mcp",
"MCP_CORS_MODE": "strict",
"TRANSPORT_HOST": "127.0.0.1",
"TRANSPORT_MODE": "streamable-http",
"TRANSPORT_PORT": "8080",
"MCP_SESSION_MODE": "stateful",
"MCP_TLS_KEY_FILE": "<MCP_TLS_KEY_FILE>",
"MCP_TLS_CERT_FILE": "<MCP_TLS_CERT_FILE>",
"MCP_ALLOWED_ORIGINS": "<MCP_ALLOWED_ORIGINS>",
"TFE_SKIP_TLS_VERIFY": "false",
"ENABLE_TF_OPERATIONS": "false",
"MCP_RATE_LIMIT_GLOBAL": "10:20",
"MCP_RATE_LIMIT_SESSION": "5:10"
}
}
}
}The Terraform MCP Server provides a StreamableHTTP and Stdio capable interface that connects Terraform Registry APIs with your MCP-enabled AI workflows. It enables automated IaC interactions, workspace management, and secure access to Terraform Cloud/Enterprise resources in a local or controlled environment.
You use the Terraform MCP Server by configuring an MCP client to connect to the server in one of two ways: the local Stdio transport for direct, on-machine interactions, or the StreamableHTTP transport for remote access. In both modes, you can manage Terraform workspaces, access Terraform Registry data, and perform workspace operations through your MCP-enabled assistant. Start with the transport you need, then provide your MCP client with the server address (for HTTP) or the local IO channel (for Stdio). Ensure your client is trusted, and review the outputs before applying changes to your Terraform configurations.
Prerequisites: you need Docker installed and running if you plan to use the containerized server. If you prefer building from source, you also need a Go toolchain.
Install from source or run in Docker as described below.
Run in Stdio mode (local): use the binary directly in your environment or a container that exposes stdio. The most common approach is to run the server as a process that reads from standard input and writes to standard output.
Run in StreamableHTTP mode (remote): expose an HTTP endpoint to accept requests from MCP clients or AI assistants. You can run the server in a Docker container and expose port 8080 for HTTP transport.
The following commands cover typical deployment paths.
If running in Docker, set TRANSPORT_HOST=0.0.0.0 to allow external connections to the HTTP transport. Always validate the health endpoint after starting the server, for example curl http://localhost:8080/health.
Security notes: restrict access with MCP_ALLOWED_ORIGINS when using StreamableHTTP in non-local environments and review outputs carefully to ensure alignment with security and compliance requirements.
To help your AI agents interact with the Terraform MCP Server, you can share an MCP configuration snippet with your IDE or agent platform. The example below demonstrates a local stdio configuration.
The server accepts a range of environment variables to control access, transport, and rate limits. Important variables include TRANSPORT_MODE, TRANSPORT_HOST, TRANSPORT_PORT, MCP_ENDPOINT, MCP_SESSION_MODE, MCP_ALLOWED_ORIGINS, MCP_CORS_MODE, MCP_TLS_CERT_FILE, MCP_TLS_KEY_FILE, MCP_RATE_LIMIT_GLOBAL, MCP_RATE_LIMIT_SESSION, and ENABLE_TF_OPERATIONS. These should be set according to your deployment scenario and security requirements, especially when enabling the StreamableHTTP transport in non-local environments.
Provides a health check endpoint to verify the MCP server is responsive and running.
HTTP-based transport with SSE support for remote MCP clients, enabling real-time interactions.
Local transport using standard input/output for direct MCP client communication.
Manage Terraform workspaces, including creation, updates, deletions, and related variables and tags.