
Terraform MCP Server – Registry and Workspaces

HashiCorp's official Terraform MCP server gives AI agents structured access to current Terraform Registry information and supported HCP Terraform or Terraform Enterprise workflows. Use it to research providers and modules, generate more accurate Terraform configuration, and manage authorized workspace operations.

#infrastructure-as-code #terraform-registry #workspace-management

Overview

HashiCorp's official Terraform MCP server connects compatible AI agents to the
Terraform Registry and, when configured, HCP Terraform or Terraform Enterprise.
It provides current provider, module, and policy information so generated
Terraform configuration can be based on live registry data rather than only on
potentially outdated model training data.

What the MCP server enables

The server organizes capabilities into toolsets. Depending on enabled toolsets
and authentication, an AI agent can:

  • Search Terraform providers and retrieve provider details and documentation.
  • Search public modules and inspect module metadata and usage information.
  • Search and retrieve Terraform policy information from the registry.
  • List HCP Terraform or Terraform Enterprise organizations and projects.
  • Access private registry providers and modules where permissions allow.
  • Create, inspect, update, and delete workspaces.
  • Work with workspace variables, tags, runs, and related supported operations.
  • Limit exposed functionality through --toolsets or --tools.

When to use it

Use Terraform MCP when an agent needs current Infrastructure as Code context or
must perform an approved Terraform platform operation. Typical workflows include
finding the latest resource arguments for a provider, selecting a reusable
module, resolving provider documentation, drafting configuration, inspecting
workspace settings, creating a development workspace, updating variables, and
reviewing or managing Terraform runs.

Connection and authentication

The default local transport is stdio. HashiCorp publishes the official Docker
image hashicorp/terraform-mcp-server, which can run without credentials for
public registry tools.

HCP Terraform and Terraform Enterprise features require TFE_TOKEN.
TFE_ADDRESS can specify the target HCP Terraform or Terraform Enterprise
address. The server also supports self-hosted Streamable HTTP mode. The
documented default endpoint is /mcp, commonly exposed locally at
http://localhost:8080/mcp.

Key considerations

HashiCorp currently describes the server as intended primarily for local use.
If Streamable HTTP is enabled, restrict MCP_ALLOWED_ORIGINS, use TLS where
appropriate, and do not expose the server openly. Some tools can reveal
Terraform workspace, variable, run, or registry information to the connected
client and model. Use least-privilege tokens, filter toolsets, require explicit
approval for workspace-changing operations, and avoid untrusted MCP clients or
language models.

Supported Transports

stdio

Command: docker

Args:

  • run
  • -i
  • --rm
  • -e
  • TFE_TOKEN
  • -e
  • TFE_ADDRESS
  • hashicorp/terraform-mcp-server

streamable_http

URL: http://localhost:8080/mcp
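
The checks from "Key considerations" can be applied mechanically to a launch definition before it is handed to an MCP client. The following is an added example, not HashiCorp's code: the function name, finding codes and `env` input shape are hypothetical, and the token, toolset value and hostnames in the samples are constructed placeholders.

```python
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_terraform_mcp(args, url=None, env=None):
    """Return sorted finding codes for one Terraform MCP server definition.

    args: docker argument list as written in the MCP client config
    url:  Streamable HTTP endpoint, if that transport is used
    env:  environment of the server process (hypothetical input shape)
    """
    env = env or {}
    findings = set()
    # "-e NAME" inherits the value from the caller's environment, while
    # "-e NAME=value" stores the secret in the config file and process list.
    passed = [args[i + 1] for i, a in enumerate(args[:-1]) if a in ("-e", "--env")]
    if any(p.startswith("TFE_TOKEN=") for p in passed):
        findings.add("token-inline")
    # Once a token is supplied, workspace-changing tools are reachable
    # unless the launch line narrows them with --toolsets or --tools.
    has_token = any(p.split("=", 1)[0] == "TFE_TOKEN" for p in passed) or "TFE_TOKEN" in env
    filtered = any(a.split("=", 1)[0] in ("--toolsets", "--tools") for a in args)
    if has_token and not filtered:
        findings.add("tools-unfiltered")
    if url is not None:
        parsed = urlparse(url)
        if parsed.hostname not in LOOPBACK:
            findings.add("non-local-endpoint")  # page: intended for local use
            if parsed.scheme != "https":
                findings.add("http-no-tls")
        if not env.get("MCP_ALLOWED_ORIGINS"):
            findings.add("origins-not-set")
    return sorted(findings)

# The stdio definition listed on this page.
PAGE_STDIO = ["run", "-i", "--rm", "-e", "TFE_TOKEN", "-e", "TFE_ADDRESS",
              "hashicorp/terraform-mcp-server"]
# Constructed variants; flag placement after the image name is an assumption.
INLINE_TOKEN = ["run", "-i", "--rm", "-e", "TFE_TOKEN=EXAMPLE-NOT-A-REAL-TOKEN",
                "hashicorp/terraform-mcp-server"]
FILTERED = PAGE_STDIO + ["--toolsets", "EXAMPLE_TOOLSET"]

if __name__ == "__main__":
    for name, sample in [("page", PAGE_STDIO), ("inline", INLINE_TOKEN), ("filtered", FILTERED)]:
        print(name, audit_terraform_mcp(sample))
    print("http", audit_terraform_mcp([], url="http://localhost:8080/mcp"))
```

A finding is a prompt for review rather than proof of misconfiguration: an unfiltered definition may be acceptable when the token itself is scoped to read-only access.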

Frequently Asked Questions

When should an AI agent use the Terraform MCP server?

Use it when a workflow needs current Terraform Registry information or approved HCP Terraform or Terraform Enterprise operations, such as finding provider documentation, selecting modules, inspecting policies, managing workspaces, updating variables, or reviewing runs.

What does the Terraform MCP server add to an AI agent's capabilities?

It gives the agent structured access to current provider, module, and policy data from the Terraform Registry and, when authenticated, supported HCP Terraform or Terraform Enterprise resources and actions.

What can an AI agent access or manage through Terraform MCP?

Depending on enabled toolsets and permissions, the agent can search public and private registry content, retrieve provider and module documentation, list organizations and projects, and manage supported workspace, variable, tag, run, and related Terraform platform operations.

How is authentication configured for the Terraform MCP server?

Public Terraform Registry tools do not require authentication. HCP Terraform and Terraform Enterprise features require a token in TFE_TOKEN, while TFE_ADDRESS identifies the target service when needed. Store credentials in a protected environment or secret manager and grant minimum permissions.

Which transport should be used for the Terraform MCP server?

Use stdio with HashiCorp's official Docker image for local client integrations. Use Streamable HTTP only for a self-hosted deployment that requires network access, and secure it with allowed-origin restrictions, TLS, authentication controls, and limited toolsets.