Terraform MCP Server
Vendor-official Terraform MCP server from HashiCorp. Integrates with the public Terraform Registry (providers, modules, policies) and HCP Terraform / Terraform Enterprise (workspace management, organisation listing, run management, private registry access).
“HashiCorp's Terraform MCP server is the vendor-official surface for Terraform-on-MCP and the natural pair to the AWS IaC server we covered in Batch 1. Coverage spans the public Terraform Registry (provider, module, and policy lookups), HCP Terraform, and Terraform Enterprise (workspace management, organization listing, run management, private registry access). The architectural decision worth noting: the server ships with `ENABLE_TF_OPERATIONS` set to `false` by default, gating the destructive operations behind explicit opt-in. The Stdio transport is the default; StreamableHTTP is available for production deployments and pairs with OpenTelemetry metrics for observability of tool calls, latency, and failures. For teams running HCP Terraform or TFE, this is the server to install. The trade-off is the Docker-first install path: the README's recommended pattern is `docker run hashicorp/terraform-mcp-server:0.5.1`, which adds container overhead while matching HashiCorp's distribution practices.”
INSTALL THIS SERVER
{
"mcpServers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"TFE_TOKEN",
"-e",
"TFE_ADDRESS",
"hashicorp/terraform-mcp-server:0.5.2"
],
"env": {
"TFE_TOKEN": "your-tfe-token",
"TFE_ADDRESS": "https://app.terraform.io"
}
}
}
}
{
"mcpServers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"TFE_TOKEN",
"-e",
"TFE_ADDRESS",
"hashicorp/terraform-mcp-server:0.5.2"
],
"env": {
"TFE_TOKEN": "your-tfe-token",
"TFE_ADDRESS": "https://app.terraform.io"
}
}
}
}
{
"mcpServers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"TFE_TOKEN",
"-e",
"TFE_ADDRESS",
"hashicorp/terraform-mcp-server:0.5.2"
],
"env": {
"TFE_TOKEN": "your-tfe-token",
"TFE_ADDRESS": "https://app.terraform.io"
}
}
}
}
{
"mcpServers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"TFE_TOKEN",
"-e",
"TFE_ADDRESS",
"hashicorp/terraform-mcp-server:0.5.2"
],
"env": {
"TFE_TOKEN": "your-tfe-token",
"TFE_ADDRESS": "https://app.terraform.io"
}
}
}
}
{
"mcpServers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"TFE_TOKEN",
"-e",
"TFE_ADDRESS",
"hashicorp/terraform-mcp-server:0.5.2"
],
"env": {
"TFE_TOKEN": "your-tfe-token",
"TFE_ADDRESS": "https://app.terraform.io"
}
}
}
}
7 TOOLS AVAILABLE
OUR ASSESSMENT
- Vendor-official from HashiCorp; the same team that ships Terraform maintains the MCP server.
- `ENABLE_TF_OPERATIONS=false` default gates destructive workspace operations behind explicit operator opt-in.
- StreamableHTTP transport with OTel metrics integration provides production-grade observability of agent activity.
- Triple coverage: public Terraform Registry, HCP Terraform, and Terraform Enterprise (private registry, workspace operations).
- Docker-first install path adds container overhead compared to single-binary MCP servers; Docker installation is a hard prerequisite per the README.
- Sets the StreamableHTTP transport for local use only by default; production HTTP exposure requires careful `MCP_ALLOWED_ORIGINS` configuration to prevent DNS rebinding attacks.
- Coverage is Terraform-specific; teams using OpenTofu or Pulumi will want a different tool.
The README carries explicit security guidance worth reading. StreamableHTTP transport requires `MCP_ALLOWED_ORIGINS` configured for trusted origins to prevent DNS rebinding attacks. Authentication uses `TFE_TOKEN` for HCP Terraform / TFE access; tokens carry the permissions of the issuing user, so least-privilege scoping at the HashiCorp identity layer applies. `ENABLE_TF_OPERATIONS=false` keeps the server in read-only mode by default, blocking destructive workspace operations until explicitly enabled. For multi-user deployments, the `MCP_SESSION_MODE=stateful` option provides per-session isolation. Rate limiting via `MCP_RATE_LIMIT_GLOBAL` and `MCP_RATE_LIMIT_SESSION` is configured by default at production-reasonable values.
Teams running HCP Terraform or Terraform Enterprise who want an agent that can search registry resources, manage workspaces, and inspect run state.
TECHNICAL DETAILS
ADOPTION METRICS
// Reading this1.3k stars in thirteen months reflect HashiCorp's vendor-stewardship of the server. Star traction tracks alongside HCP Terraform and TFE adoption among AI-first platform teams.
// Reading thisTop-3 dev-tools MCP. Pairs with the AWS IaC MCP in Batch 1 for teams running cross-platform IaC; the HashiCorp vendor-official status places it ahead of community Terraform MCPs.
SOURCES & VERIFICATION
We don't take any single directory's word for it. Before scoring, we cross-reference 5 public MCP sources, install the server ourselves against the clients we cover, and record when we last re-verified.
The same server, 5 different lenses. We reconcile these signals into our editorial score, which is why our number sometimes diverges from a directory-aggregate star count.
| Source | Their rating | Their star count | Their downloads | Last synced |
|---|---|---|---|---|
| AutomationSwitch This page | 4.5editorial | 1,346 | — | APR 28, 2026 |
| PulseMCP | — unrated | unavailable | unavailable | APR 28, 2026 |
| Official MCP Registry | — unrated | unavailable | unavailable | APR 28, 2026 |
| Awesome MCP Servers | — unrated | unavailable | unavailable | APR 28, 2026 |
| Smithery | — unrated | unavailable | unavailable | APR 28, 2026 |
| MCP.so | — unrated | unavailable | unavailable | APR 28, 2026 |
// Counts are directory-reported; we don't adjust them. Discrepancies usually come from different snapshot times or star-caching.
OTHER DEV TOOLS MCP SERVERS
GitHub
Codebase awareness layer for accessing repositories, pull requests, issues, code search, and GitHub Actions. Fine-grained PAT scopes keep access minimal.
OpenSpec
The leading spec-driven development workflow for AI agents. Implements the /opsx:propose → /opsx:apply → /opsx:archive cycle that scaffolds proposals, specs, design docs, and task checklists, then applies them and archives once shipped.
Chrome DevTools for Agents
Vendor-official Chrome DevTools MCP server from the Chrome DevTools team at Google. Lets agents control and inspect a live Chrome browser for automation, debugging, and performance analysis.
Browserbase MCP Server
Vendor-built Browserbase MCP server combining cloud browser automation (Browserbase) with natural-language-to-action mapping (Stagehand). 6 tools: start, end, navigate, act, observe, extract. Available as a hosted endpoint at https://mcp.browserbase.com/mcp (LLM costs covered for Gemini) or self-hostable via @browserbasehq/mcp.
AWS Infrastructure as Code MCP Server
AWS Labs server for Infrastructure as Code lifecycle. Validates CloudFormation templates with cfn-lint, checks compliance via cfn-guard against AWS Guard Rules and Control Tower controls, troubleshoots failed deployments with pattern-matched analysis, searches CloudFormation and CDK documentation.
Context7
Documentation quality layer that fetches current, version-specific library documentation. Resolves library IDs and returns focused doc sections so your agent works with accurate API references.
DISCUSS YOUR
MCP REQUIREMENTS.
Evaluating a server, scoping an internal deployment, or working out whether MCP is the right fit at all. Start the conversation and we will point you at the right piece of the ecosystem.