Terraform
This topic provides an overview of how to deploy the Terraform Model Context Protocol (MCP) server. The Terraform MCP server enables AI models to generate Terraform configuration using up-to-date information from the Terraform Registry. You can also connect the server to HCP Terraform or your Terraform Enterprise deployment. This lets you generate Terraform configuration using artifacts from your organizations.
Hands-on: Try the Integrate your private module registry with the Terraform MCP server tutorial.
Workflows
You can install the Terraform MCP server either on your local machine or in a remote environment. Local deployments are best for helping you get started or for one-off projects. Refer to Local deployments for instructions.
Remote deployments are best for centrally managing the server, which helps you implement good governance policies across your organizations and reduce operational overhead. Refer to Remote deployments for instructions.
Secure configuration
Implement the following recommendations to securely deploy the MCP server:
- Hosting: We recommend running the MCP server locally at 127.0.0.1 through the STDIO or HTTP Streamable transport protocol to limit publicly exposing your Terraform environment. The default transport is set to STDIO. If you host the service remotely, we recommend implementing additional security controls at the application and network layers. For example, you can add an API gateway with authentication, TLS encryption, and IP whitelisting between the client and server.
- CORS: By default, Terraform MCP server runs in strict CORS (cross-origin request) mode and the allowed origins are empty. As a result, all cross-origin requests are blocked unless the server is explicitly configured to allow them. Exercise caution when changing the allowed origins list.
- Terraform authentication: The TFE_SKIP_TLS_VERIFY option is set to false by default so that the MCP server verifies that the HCP Terraform or Terraform Enterprise TLS certificate is valid. If you temporarily set this option to true for testing or other use cases, we strongly recommend resetting to false to ensure that encryption is enabled. We also recommend limiting the permissions of the TFE_TOKEN used to authenticate as described in the Terraform documentation. Refer to API tokens for more information.
- Rate limiting: We recommend setting up global and per-session rate limits to prevent the server or dependent resources from becoming overloaded through excessive requests.
- TLS: When making your MCP server accessible remotely, we recommend adding TLS certificates to the host infrastructure to protect in-transit communication.
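The following pre-flight check applies the recommendations above to a set of server settings before start-up. It is an added example, not HashiCorp's code. Only TFE_SKIP_TLS_VERIFY and TFE_TOKEN are named on this page; the other setting names (TRANSPORT_MODE, TRANSPORT_HOST, MCP_CORS_MODE, MCP_ALLOWED_ORIGINS, MCP_RATE_LIMIT_GLOBAL, MCP_RATE_LIMIT_SESSION, MCP_TLS_CERT_FILE, MCP_TLS_KEY_FILE) are assumptions to verify against the documentation for your server version.

```python
import ipaddress

def _is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def audit_mcp_env(env):
    """Check a dict of server settings; return a list of (check, message) findings."""
    findings = []
    # Page default: STDIO transport. Anything else is treated as an HTTP listener.
    http = env.get("TRANSPORT_MODE", "stdio").lower() != "stdio"
    remote = http and not _is_loopback(env.get("TRANSPORT_HOST", "127.0.0.1"))
    if remote:
        findings.append(("hosting", "listener is not on loopback; front it with an "
                         "authenticating gateway and IP allow-listing"))
        # Assumed setting names for a certificate configured on the server itself.
        if not (env.get("MCP_TLS_CERT_FILE") and env.get("MCP_TLS_KEY_FILE")):
            findings.append(("tls", "no certificate/key set; terminate TLS on the host"))
        for key in ("MCP_RATE_LIMIT_GLOBAL", "MCP_RATE_LIMIT_SESSION"):
            if not env.get(key):
                findings.append(("rate-limit", key + " is not set explicitly"))
    # Page default: strict mode with an empty allow-list blocks cross-origin requests.
    if env.get("MCP_CORS_MODE", "strict").lower() != "strict":
        findings.append(("cors", "CORS mode is not strict"))
    raw = env.get("MCP_ALLOWED_ORIGINS", "")
    if "*" in [o.strip() for o in raw.split(",")]:
        findings.append(("cors", "wildcard entry in the allowed origins list"))
    # Without verification, an intercepted connection can capture TFE_TOKEN.
    if env.get("TFE_SKIP_TLS_VERIFY", "false").strip().lower() == "true":
        msg = "certificate verification for HCP Terraform / Terraform Enterprise is off"
        if env.get("TFE_TOKEN"):
            msg += " while TFE_TOKEN is set"
        findings.append(("tfe-tls", msg))
    return findings

if __name__ == "__main__":
    # Constructed sample settings, not taken from a real deployment.
    sample = {"TRANSPORT_MODE": "streamable-http", "TRANSPORT_HOST": "0.0.0.0",
              "MCP_ALLOWED_ORIGINS": "*", "TFE_SKIP_TLS_VERIFY": "true",
              "TFE_TOKEN": "PLACEHOLDER"}
    for check, message in audit_mcp_env(sample):
        print(check + ": " + message)
```

An empty findings list means the settings match the defaults and recommendations listed above; the check cannot see the permissions attached to TFE_TOKEN, so review those separately.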
Authentication
Terraform MCP server v0.3.0 or newer is required to authenticate with the Terraform registry. You must also obtain an authentication token from HCP Terraform or your Terraform Enterprise deployment so that the MCP server can access your private registry. Refer to API tokens for instructions.
We recommend authenticating the server with HCP Terraform or Terraform Enterprise so that you can interact with your organization and private registry. Refer to Connect to HCP Terraform or Terraform Enterprise for more information.