terraform

This Terraform MCP Server provides an interface to interact with Terraform Registry APIs and manage Terraform workspaces, providers, modules, and policies through the MCP protocol. It supports both stdio and StreamableHTTP transports, enabling local or network-accessible operation. After starting the server (e.g., via Docker), you can query Terraform workspaces, list organizations/projects, and perform workspace operations such as create, update, and delete, including handling variables and run management. The server is designed to work with HCP Terraform or Terraform Enterprise deployments and supports private registry access. When using the StreamableHTTP transport, ensure you configure MCP_ALLOWED_ORIGINS to restrict access to trusted origins for security. The server may expose Terraform data to MCP clients and LLMs depending on the query scope, so review outputs carefully before applying changes.

Prerequisites:

• Docker installed and running
• Access token for Terraform Enterprise (if using TFE) and Terraform address information

Installation steps:

1. Ensure Docker is up and running on your host.
2. Pull and run the Terraform MCP Server using the provided Docker image:

# Run in stdio mode (default)
docker run -it --rm \
  -e TFE_TOKEN="<your-terraform-token>" \
  -e TFE_ADDRESS="<https://app.terraform.io>" \
  hashicorp/terraform-mcp-server:0.4.0

3. If you need StreamableHTTP transport, configure and run with the appropriate environment variables or CLI flags as described in the README, ensuring MCP_ENDPOINT and related TLS/CORS settings are secured.
4. Optional: Integrate with VS Code or your MCP client, using the provided examples in the README to format the server configuration for your environment.

Security notes:

• The server is intended for local use; if using StreamableHTTP transport, set MCP_ALLOWED_ORIGINS to trusted origins to mitigate DNS rebinding and cross-origin risks.
• Some Terraform data may be exposed to MCP clients; avoid using the server with untrusted MCP clients or LLMs.
• Review outputs and recommendations carefully to ensure they align with your security, cost, and compliance requirements before implementation.

Environment and configuration tips:

• Use TFE_ADDRESS and TFE_TOKEN to connect to your Terraform Enterprise or Cloud instance.
• Adjust MCP_RATE_LIMIT_GLOBAL and MCP_RATE_LIMIT_SESSION to enforce appropriate usage limits.
• For non-local deployments, provide valid TLS certificate and key in MCP_TLS_CERT_FILE and MCP_TLS_KEY_FILE.
• If enabling TF operations via ENABLE_TF_OPERATIONS, ensure explicit approvals are in place for tools that require elevated access.