š Terraform Model Context Protocol (MCP) Tool - An experimental CLI tool that enables AI assistants to manage and operate Terraform environments. Supports reading Terraform configurations, analyzing plans, applying configurations, and managing state with Claude Desktop integration. ā”ļø
Configuration
View docs{
"mcpServers": {
"nwiizo-tfmcp": {
"command": "tfmcp",
"args": [
"mcp"
],
"env": {
"HOME": "Replace with your home directory",
"PATH": "/usr/local/bin:/usr/bin:/bin",
"TERRAFORM_DIR": "/path/to/terraform/project",
"TFMCP_DEMO_MODE": "true",
"TFMCP_LOG_LEVEL": "info",
"TFMCP_AUDIT_ENABLED": "true",
"TFMCP_MAX_RESOURCES": "50",
"TFMCP_ALLOW_AUTO_APPROVE": "false",
"TFMCP_ALLOW_DANGEROUS_OPS": "false",
"TFMCP_AUDIT_LOG_SENSITIVE": "false"
}
}
}
}tfmcp is a Model Context Protocol server that lets you manage Terraform configurations and operations using AI assistants. It integrates tightly with the Terraform CLI to analyze plans, apply changes, inspect state, and navigate workspaces, all through the MCP interface. This enables you to automate safe Terraform workflows with clear guidance, auditing, and governance in place.
Start tfmcp as an MCP server to enable AI assistants to interact with your Terraform environment. Run the server locally, or use Docker for containerized deployment. You can then connect your MCP client (such as Claude Desktop) to issue Terraform-related actions through natural language prompts or structured tool calls. Use the available tools to analyze configurations, plan, apply when permitted, manage state, and inspect provider data and dependencies.
Prerequisites you need before installing tfmcp: Rust toolchain, Terraform CLI, and optionally Docker for containerized deployment. You also need an MCP client capable of communicating with an MCP server.
# From Crates.io (recommended for quick start)
cargo install tfmcp
# From source (builds from the repository)
# Clone the repository
git clone https://github.com/nwiizo/tfmcp
cd tfmcp
# Build and install
cargo install --path .You can run tfmcp inside a container to avoid local Rust/tooling setup. Build the image and run it directly.
# Build the Docker image
docker build -t tfmcp .
# Run the container (default MCP server mode)
docker run -it tfmcp
# Run with a specific command and options (example for analysis)
docker run -it tfmcp analyze --dir /app/terraform
# Mount your Terraform project directory
docker run -it -v /path/to/your/terraform:/app/terraform tfmcp --dir /app/terraform
# Set environment variables (example)
docker run -it -e TFMCP_LOG_LEVEL=debug tfmcpIf you use Claude Desktop, install tfmcp and point Claude to run the MCP server. You can also containerize tfmcp with Docker for Claude integration.
# Install tfmcp
cargo install tfmcp
# Locate the executable path
which tfmcp
```
Configure Claude with the following JSON snippet, replacing paths as needed:
```json
{
"mcpServers": {
"tfmcp": {
"command": "/path/to/your/tfmcp",
"args": ["mcp"],
"env": {
"HOME": "/Users/yourusername",
"PATH": "/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin",
"TERRAFORM_DIR": "/path/to/your/terraform/project"
}
}
}
}
```
If you prefer Docker, configure Claude to invoke the container with a mounted Terraform directory and run the MCP server inside the container.tfmcp includes a safety-first security system with configurable policies, audit logging, and access controls. Review and tailor safety settings before enabling dangerous operations like apply or destroy. You can enable demo mode for safety during exploration, and configure audit logging to track all actions.
Key environment variables you can set to customize tfmcp behavior in production include: TERRAFORM_DIR to specify the Terraform project directory, TFMCP_LOG_LEVEL to control logging verbosity, and TFMCP_DEMO_MODE to enable a mode with extra safety checks. For security, you can disable dangerous operations by default and require manual approval for apply/destroy.
export TERRAFORM_DIR=/path/to/your/terraform/project
export TFMCP_LOG_LEVEL=info
export TFMCP_DEMO_MODE=false
export TFMCP_ALLOW_DANGEROUS_OPS=false
export TFMCP_ALLOW_AUTO_APPROVE=false
export TFMCP_MAX_RESOURCES=50
export TFMCP_AUDIT_ENABLED=true
export TFMCP_AUDIT_LOG_SENSITIVE=false
```
Auditing is written to the default audit path unless you override it, and you should review the audit logs regularly.If the MCP client cannot connect, verify that you started the tfmcp server correctly and that the configured command and path are correct. For Docker users, ensure volume mounts and permissions are set so the MCP server can access your Terraform directory. If you encounter missing methods, verify you are using the correct MCP endpoint and that your client is configured to call the available tools.
tfmcp exposes a comprehensive set of tools for Terraform operations, analysis, and module/provider browsing. These tools cover core Terraform actions, workspace and state management, code formatting, graph generation, provider/module information, and security-focused checks. Use them through your MCP client to keep Terraform workflows auditable and well-governed.
{
"mcpServers": {
"tfmcp": {
"command": "tfmcp",
"args": ["mcp"]
}
}
}Initialize Terraform working directory from the MCP server, preparing backend, provider plugins, and initial state scaffolding.
Generate an execution plan and present the proposed changes before applying.
Analyze the plan with risk scoring and actionable recommendations.
Apply Terraform configuration to realize the planned changes (requires appropriate permissions).
Destroy Terraform-managed resources (restricted by safety settings).
Validate Terraform configuration syntax for correctness.
Provide a detailed validation with guidelines and best practices.
Show the current Terraform state for inspection.
Analyze the state with drift detection and health metrics.
List all resources managed by the current Terraform project.
Change the active Terraform project directory at runtime.
Manage Terraform workspaces with list, show, new, select, and delete operations.
Import existing resources into the Terraform state and configuration.
Taint or untaint resources to control recreation behavior.
Refresh the Terraform state to sync with real-world infrastructure.
Format Terraform code to standard style.
Generate a dependency graph for the Terraform configuration.
Retrieve Terraform output values for downstream usage.
Get provider information, including lock file parsing details.
Search available Terraform providers in registries.
Fetch details about a specific Terraform provider.
Retrieve provider documentation for quick reference.
Search for Terraform modules in registries.
Get details about a specific Terraform module.
Retrieve the latest version of a module.
Retrieve the latest version of a provider.
Run security scans with secret detection and policy checks.
Analyze the Terraform configuration for best practices.
Assess module health with cohesion/coupling metrics and refactoring suggestions.
Visualize resource dependencies with explicit and implicit links.
Provide refactoring suggestions to improve module quality.