<img src="public/images/Terraform-LogoMark_onDark.svg" width="30" align="left" style="margin-right: 12px;"/> Terraform MCP Server
The Terraform MCP Server is a Model Context Protocol (MCP) server that provides seamless integration with Terraform Registry APIs, enabling advanced automation and interaction capabilities for Infrastructure as Code (IaC) development.
Features
- Dual Transport Support: Both Stdio and StreamableHTTP transports with configurable endpoints
- Terraform Registry Integration: Direct integration with public Terraform Registry APIs for providers, modules, and policies
- HCP Terraform & Terraform Enterprise Support: Full workspace management, organization/project listing, and private registry access
- Workspace Operations: Create, update, delete workspaces with support for variables, tags, and run management
- OTel metrics for monitoring tool usage: Integration with open telemetry meters to track tool-call volume, latency and failures in Streamable HTTP mode. Also exposes default http server metrics when this feature is enabled
Security Note: At this stage, the MCP server is intended for local use only. If using the StreamableHTTP transport, always configure the MCP_ALLOWED_ORIGINS environment variable to restrict access to trusted origins only. This helps prevent DNS rebinding attacks and other cross-origin vulnerabilities.
Security Note: Depending on the query, the MCP server may expose certain Terraform data to the MCP client and LLM. Do not use the MCP server with untrusted MCP clients or LLMs.
Legal Note: Your use of a third party MCP Client/LLM is subject solely to the terms of use for such MCP/LLM, and IBM is not responsible for the performance of such third party tools. IBM expressly disclaims any and all warranties and liability for third party MCP Clients/LLMs, and may not be able to provide support to resolve issues which are caused by the third party tools.
Caution: The outputs and recommendations provided by the MCP server are generated dynamically and may vary based on the query, model, and the connected MCP client. Users should thoroughly review all outputs/recommendations to ensure they align with their organizationβs security best practices, cost-efficiency goals, and compliance requirements before implementation.
Prerequisites
- Ensure Docker is installed and running to use the server in a containerized environment.
- Install an AI assistant that supports the Model Context Protocol (MCP).
Command Line Options
Environment Variables:
| Variable | Description | Default |
|---|---|---|
TFE_ADDRESS | HCP Terraform or TFE address | "https://app.terraform.io" |
TFE_TOKEN | Terraform Enterprise API token | "" (empty) |
TFE_SKIP_TLS_VERIFY | Skip HCP Terraform or Terraform Enterprise TLS verification | false |
LOG_LEVEL | Logging level: trace, debug, info, warn, error, fatal, panic (overrides --log-level flag) | info |
LOG_FORMAT | Logging format: text or json (overrides --log-format flag) | text |
TRANSPORT_MODE | Set to streamable-http to enable HTTP transport (legacy http value still supported) | stdio |
TRANSPORT_HOST | Host to bind the HTTP server | 127.0.0.1 |
TRANSPORT_PORT | HTTP server port | 8080 |
MCP_ENDPOINT | HTTP server endpoint path | /mcp |
MCP_KEEP_ALIVE | Keep-alive interval for SSE connections (e.g., 30s, 1m). 0 to disable | 0 |
MCP_SESSION_MODE | Session mode: stateful or stateless | stateful |
MCP_ALLOWED_ORIGINS | Comma-separated list of allowed origins for CORS | "" (empty) |
MCP_CORS_MODE | CORS mode: strict, development, or disabled | strict |
MCP_TLS_CERT_FILE | Path to TLS cert file, required for non-localhost deployment (e.g. /path/to/cert.pem) | "" (empty) |
MCP_TLS_KEY_FILE | Path to TLS key file, required for non-localhost deployment (e.g. /path/to/key.pem) | "" (empty) |
MCP_RATE_LIMIT_GLOBAL | Global rate limit (format: rps:burst) | 10:20 |
MCP_RATE_LIMIT_SESSION | Per-session rate limit (format: rps:burst) | 5:10 |
ENABLE_TF_OPERATIONS | Enable tools that require explicit approval | false |
OTEL_METRICS_ENABLED | Enable tools and server metrics using otel | false |
OTEL_METRICS_SERVICE_VERSION | Version of the terraform-mcp-server sending metrics, which is used to set metric attributes. It also helps track metrics across different deployments | latest |
OTEL_METRICS_SERVICE_NAME | Identifies the source of the metrics (e.g., "terraform-mcp-server") | terraform-mcp-server |
OTEL_METRICS_EXPORT_INTERVAL | Controls the frequency of metric flushes | 2 |
OTEL_METRICS_ENDPOINT | URL of your OTel Collector or backend | localhost:4318 |
# Stdio mode
terraform-mcp-server stdio [--log-file /path/to/log] [--log-level info] [--log-format text] [--toolsets <toolsets>] [--tools <tools>]
# StreamableHTTP mode
terraform-mcp-server streamable-http [--transport-port 8080] [--transport-host 127.0.0.1] [--mcp-endpoint /mcp] [--log-file /path/to/log] [--log-level info] [--log-format text] [--toolsets <toolsets>] [--tools <tools>]Instructions
Default instructions for the MCP server is located in cmd/terraform-mcp-server/instructions.md, if those do not seem appropriate for your organization's Terraform practices or if the MCP server is producing inaccurate responses, please replace them with your own instructions and rebuild the container or binary. An example of such instruction is located in instructions/example-mcp-instructions.md
AGENTS.md essentially behaves as READMEs for coding agents: a dedicated, predictable place to provide the context and instructions to help AI coding agents work on your project. One AGENTS.md file works with different coding agents. An example of such instruction is located in instructions/example-AGENTS.md, in order to use it commit a file name AGENTS.md to the directory where your Terraform configurations reside.
Installation
Usage with Visual Studio Code
Add the following JSON block to your User Settings (JSON) file in VS Code. You can do this by pressing Ctrl + Shift + P and typing Preferences: Open User Settings (JSON).
More about using MCP server tools in VS Code's agent mode documentation.
<table> <tr><th>Version 0.3.0+ or greater</th><th>Version 0.2.3 or lower</th></tr> <tr valign=top> <td>{
"mcp": {
"servers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e", "TFE_TOKEN=${input:tfe_token}",
"-e", "TFE_ADDRESS=${input:tfe_address}",
"hashicorp/terraform-mcp-server:0.5.2"
]
}
},
"inputs": [
{
"type": "promptString",
"id": "tfe_token",
"description": "Terraform API Token",
"password": true
},
{
"type": "promptString",
"id": "tfe_address",
"description": "Terraform Address",
"password": false
}
]
}
}{
"mcp": {
"servers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"hashicorp/terraform-mcp-server:0.2.3"
]
}
}
}
}Optionally, you can add a similar example (i.e. without the mcp key) to a file called .vscode/mcp.json in your workspace. This will allow you to share the configuration with others.
{
"servers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e", "TFE_TOKEN=${input:tfe_token}",
"-e", "TFE_ADDRESS=${input:tfe_address}",
"hashicorp/terraform-mcp-server:0.5.2"
]
}
},
"inputs": [
{
"type": "promptString",
"id": "tfe_token",
"description": "Terraform API Token",
"password": true
},
{
"type": "promptString",
"id": "tfe_address",
"description": "Terraform Address",
"password": false
}
]
}{
"servers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"hashicorp/terraform-mcp-server:0.2.3"
]
}
}
}<img alt="Install in VS Code (docker)" src="https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Install%20Terraform%20MCP&color=0098FF"> <img alt="Install in VS Code Insiders (docker)" src="https://img.shields.io/badge/VS_Code_Insiders-VS_Code_Insiders?style=flat-square&label=Install%20Terraform%20MCP&color=24bfa5">
Usage with Cursor
Add this to your Cursor config (~/.cursor/mcp.json) or via Settings β Cursor Settings β MCP:
{
"mcpServers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e", "TFE_ADDRESS=<<PASTE_TFE_ADDRESS_HERE>>",
"-e", "TFE_TOKEN=<<PASTE_TFE_TOKEN_HERE>>",
"hashicorp/terraform-mcp-server:0.5.2"
]
}
}
}{
"servers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"hashicorp/terraform-mcp-server:0.2.3"
]
}
}
}Usage with Claude Desktop / Amazon Q Developer / Kiro CLI
More about using MCP server tools in Claude Desktop user documentation. Read more about using MCP server in Amazon Q Developer and Kiro CLI.
<table> <tr><th>Version 0.3.0+ or greater</th><th>Version 0.2.3 or lower</th></tr> <tr valign=top> <td>{
"mcpServers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e", "TFE_ADDRESS=<<PASTE_TFE_ADDRESS_HERE>>",
"-e", "TFE_TOKEN=<<PASTE_TFE_TOKEN_HERE>>",
"hashicorp/terraform-mcp-server:0.5.2"
]
}
}
}{
"mcpServers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"hashicorp/terraform-mcp-server:0.2.3"
]
}
}
}Usage with Claude Code
More about using and adding MCP server tools in Claude Code user documentation
- Local (
stdio) Transport
claude mcp add terraform -s user -t stdio -- docker run -i --rm hashicorp/terraform-mcp-server- Remote (
streamable-http) Transport
# Run server (example)
docker run -p 8080:8080 --rm
β¦