Terraform MCP Server
Vendor-official Terraform MCP server from HashiCorp. Integrates with the public Terraform Registry (providers, modules, policies) and HCP Terraform / Terraform Enterprise (workspace management, organisation listing, run management, private registry access).
“HashiCorp's Terraform MCP server is the vendor-official surface for Terraform-on-MCP and the natural pair to the AWS IaC server we covered in Batch 1. Coverage spans the public Terraform Registry (provider, module, and policy lookups), HCP Terraform, and Terraform Enterprise (workspace management, organization listing, run management, private registry access). The architectural decision worth noting: the server ships with `ENABLE_TF_OPERATIONS` set to `false` by default, gating the destructive operations behind explicit opt-in. The Stdio transport is the default; StreamableHTTP is available for production deployments and pairs with OpenTelemetry metrics for observability of tool calls, latency, and failures. For teams running HCP Terraform or TFE, this is the server to install. The trade-off is the Docker-first install path: the README's recommended pattern is `docker run hashicorp/terraform-mcp-server:0.5.1`, which adds container overhead while matching HashiCorp's distribution practices.”
INSTALL THIS SERVER
{
"mcpServers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"TFE_TOKEN",
"-e",
"TFE_ADDRESS",
"hashicorp/terraform-mcp-server:0.5.2"
],
"env": {
"TFE_TOKEN": "your-tfe-token",
"TFE_ADDRESS": "https://app.terraform.io"
}
}
}
}
{
"mcpServers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"TFE_TOKEN",
"-e",
"TFE_ADDRESS",
"hashicorp/terraform-mcp-server:0.5.2"
],
"env": {
"TFE_TOKEN": "your-tfe-token",
"TFE_ADDRESS": "https://app.terraform.io"
}
}
}
}
{
"mcpServers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"TFE_TOKEN",
"-e",
"TFE_ADDRESS",
"hashicorp/terraform-mcp-server:0.5.2"
],
"env": {
"TFE_TOKEN": "your-tfe-token",
"TFE_ADDRESS": "https://app.terraform.io"
}
}
}
}
{
"mcpServers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"TFE_TOKEN",
"-e",
"TFE_ADDRESS",
"hashicorp/terraform-mcp-server:0.5.2"
],
"env": {
"TFE_TOKEN": "your-tfe-token",
"TFE_ADDRESS": "https://app.terraform.io"
}
}
}
}
{
"mcpServers": {
"terraform": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"-e",
"TFE_TOKEN",
"-e",
"TFE_ADDRESS",
"hashicorp/terraform-mcp-server:0.5.2"
],
"env": {
"TFE_TOKEN": "your-tfe-token",
"TFE_ADDRESS": "https://app.terraform.io"
}
}
}
}
7 TOOLS AVAILABLE
OUR ASSESSMENT
- Vendor-official from HashiCorp; the same team that ships Terraform maintains the MCP server.
- `ENABLE_TF_OPERATIONS=false` default gates destructive workspace operations behind explicit operator opt-in.
- StreamableHTTP transport with OTel metrics integration provides production-grade observability of agent activity.
- Triple coverage: public Terraform Registry, HCP Terraform, and Terraform Enterprise (private registry, workspace operations).
- Docker-first install path adds container overhead compared to single-binary MCP servers; Docker installation is a hard prerequisite per the README.
- Sets the StreamableHTTP transport for local use only by default; production HTTP exposure requires careful `MCP_ALLOWED_ORIGINS` configuration to prevent DNS rebinding attacks.
- Coverage is Terraform-specific; teams using OpenTofu or Pulumi will want a different tool.
The README carries explicit security guidance worth reading. StreamableHTTP transport requires `MCP_ALLOWED_ORIGINS` configured for trusted origins to prevent DNS rebinding attacks. Authentication uses `TFE_TOKEN` for HCP Terraform / TFE access; tokens carry the permissions of the issuing user, so least-privilege scoping at the HashiCorp identity layer applies. `ENABLE_TF_OPERATIONS=false` keeps the server in read-only mode by default, blocking destructive workspace operations until explicitly enabled. For multi-user deployments, the `MCP_SESSION_MODE=stateful` option provides per-session isolation. Rate limiting via `MCP_RATE_LIMIT_GLOBAL` and `MCP_RATE_LIMIT_SESSION` is configured by default at production-reasonable values.
Teams running HCP Terraform or Terraform Enterprise who want an agent that can search registry resources, manage workspaces, and inspect run state.
TECHNICAL DETAILS
ADOPTION METRICS
// Reading this1.3k stars in thirteen months reflect HashiCorp's vendor-stewardship of the server. Star traction tracks alongside HCP Terraform and TFE adoption among AI-first platform teams.
// Reading thisTop-3 dev-tools MCP. Pairs with the AWS IaC MCP in Batch 1 for teams running cross-platform IaC; the HashiCorp vendor-official status places it ahead of community Terraform MCPs.
SOURCES & VERIFICATION
We don't take any single directory's word for it. Before scoring, we cross-reference 5 public MCP sources, install the server ourselves against the clients we cover, and record when we last re-verified.
The same server, 5 different lenses. We reconcile these signals into our editorial score, which is why our number sometimes diverges from a directory-aggregate star count.
| Source | Their rating | Their star count | Their downloads | Last synced |
|---|---|---|---|---|
| AutomationSwitch This page | 4.5editorial | 1,346 | — | APR 28, 2026 |
| PulseMCP | — unrated | unavailable | unavailable | APR 28, 2026 |
| Official MCP Registry | — unrated | unavailable | unavailable | APR 28, 2026 |
| Awesome MCP Servers | — unrated | unavailable | unavailable | APR 28, 2026 |
| Smithery | — unrated | unavailable | unavailable | APR 28, 2026 |
| MCP.so | — unrated | unavailable | unavailable | APR 28, 2026 |
// Counts are directory-reported; we don't adjust them. Discrepancies usually come from different snapshot times or star-caching.
OTHER DEV TOOLS MCP SERVERS
GitHub
Official GitHub MCP server. 29,469 stars, MIT, 33 commits on main in the last 30 days. Repo, issue, PR, action, and code search tools backed by the GitHub REST + GraphQL APIs.
Playwright
Official Microsoft Playwright MCP server. Browser automation tools (navigate, click, fill, screenshot, evaluate JS, network capture) backed by Playwright. 31,942 stars, 35 commits/30d, Apache-2.0.
MCP Registry
The community-driven registry service for MCP servers, maintained by the Model Context Protocol project. Discover, list, and validate MCP servers from inside agents. 6,781 GitHub stars and 65 commits on main in the last 30 days.
MCP Inspector
The official MCP debugging and testing tool maintained by the Model Context Protocol project. Visual inspector for MCP servers: invoke tools, inspect transports, validate protocol behaviour during development. 9,647 GitHub stars and 32 commits on main in the last 30 days.
XcodeBuild MCP
MCP server and CLI for agent use of Xcode build tools. Build, test, run, and inspect iOS, macOS, watchOS, and visionOS projects from inside agents. 5,429 GitHub stars and 95 commits on main in the last 30 days. Maintained by Sentry.
GitLab MCP
GitLab MCP with 60+ tools covering merge requests, repositories, issues, branches, commits, files, discussions, draft notes, approvals, pipelines, and OAuth multi-user support. 54 commits on main in the last 30 days.
DISCUSS YOUR
MCP REQUIREMENTS.
Evaluating a server, scoping an internal deployment, or working out whether MCP is the right fit at all. Start the conversation and we will point you at the right piece of the ecosystem.