Delv
Official (Vendor)Active· 9d4.3by HashiCorp

Terraform

HashiCorp's official Terraform MCP. Connects agents to the Terraform Registry for module discovery and infrastructure-as-code automation.

View repo Homepage
A
Safety & Trust

Delv Safety Grade: A

Score 82/100 · assessed 2026-04-28

Maintainer85
Permissions92
Supply chain65
Transparency88
Incidents100

HashiCorp's official Terraform MCP server provides read-only access to the Terraform Registry for module discovery and schema lookups. The server runs in Docker and queries public registry APIs without requiring credentials or filesystem access. HashiCorp is a well-established infrastructure vendor (acquired by IBM in 2024), giving strong maintainer confidence. The permissions model is excellent: purely network outbound to registry.terraform.io with no write capabilities, no shell access, and no local file manipulation. The main supply-chain concern is Docker-only distribution rather than a versioned package registry, which limits reproducibility and makes pinning specific versions less transparent. The repository is open source with clear documentation and active maintenance. No security incidents are known. This is a low-risk integration suitable for infrastructure teams who want LLM assistance with Terraform workflows.

Lethal Trifecta (prompt-injection exposure)

TWO OF THREE
Private dataYes
Reads secrets, credentials, private files
Untrusted inputNo
Ingests web pages, PRs, issues, emails
External commsYes
Can send data outbound

State files contain secrets. Outbound to provider APIs. Untrusted-input only via remote modules.

Green flags

  • Official HashiCorp product, major vendor backing
  • Read-only registry queries, no write or execute permissions
  • Open source with clear docs and active GitHub presence
  • Sandboxed Docker container limits blast radius
  • No credentials or secrets required for basic operation

Red flags

  • Docker-only distribution, no npm/pypi package with semver pinning
  • No explicit version tags visible in install command
  • Network access to external registry without rate-limit visibility

Permissions requested

Outbound network
Assessed by Delv Editorial using public metadata. Grades are advisory and update as the ecosystem changes. They do not replace your own review of permissions and code before granting an agent access to sensitive systems.

Install

docker run -i --rm hashicorp/terraform-mcp-server

Review

HashiCorp's official Terraform MCP bridges Claude to the Terraform Registry, letting you query module docs, pull provider schemas, and validate configs without leaving your editor. It's a Docker-based server that runs locally and surfaces the same data you'd otherwise tab over to the registry website to find. I've used it most when scaffolding new infrastructure. You can ask Claude to look up the latest AWS provider arguments, pull example snippets from popular modules, or check what outputs a community module exposes before you wire it into your stack. The workflow is: describe what you're building, let Claude query the registry through the MCP, then paste the generated HCL into your .tf files. It's faster than hunting through registry docs manually, and you get context-aware suggestions based on what you've already written. The Docker requirement is both a strength and a friction point. You're not installing npm packages or Python deps, which keeps your system clean, but you do need Docker running. The server itself is stateless and quick to spin up. No API keys, no auth, just the public registry data piped through. Quirks: it won't execute Terraform commands or manage state. This is purely a documentation and discovery tool. If you want to run `terraform apply` from Claude, you'll need a different MCP or a shell tool. Also, it's read-only against the registry, so you can't publish modules or manage your own registry entries through it. Skip this if you're not already writing Terraform daily. It's for people who live in .tf files and want to reduce the number of browser tabs open while they work. If you're just learning Terraform or only touch it occasionally, the overhead of running a Docker server isn't worth it. But if you're a platform engineer or SRE who writes infrastructure code every day, this is a genuine time-saver. The official backing from HashiCorp means it'll stay current with registry changes, which matters more than you'd think.
Verdict

Install this if you write Terraform professionally and want to stop context-switching to the registry website. Skip it if you're a casual user or don't already have Docker in your workflow. It's a narrow tool that does one thing well.

Good at

  • Official HashiCorp support means it stays current with registry API changes.
  • No API keys or authentication needed, just public registry data.
  • Docker packaging keeps your system clean and makes it portable across machines.
  • Genuinely faster than tabbing to the registry website mid-workflow.
  • Works with multiple Claude hosts, not just the desktop app.

Watch out

  • Requires Docker running locally, which adds overhead if you're not already using it.
  • Read-only registry access means you can't publish or manage your own modules.
  • Won't execute Terraform commands or interact with state files.
  • No support for private registries or local module paths.
  • Manual config needed for hosts beyond Claude Desktop.

Use cases

  • Looking up provider documentation in-flow
  • Generating boilerplate from registry modules
  • Validating Terraform configs before apply
  • Cross-referencing module versions

Getting started

1. Pull and run the Docker image with `docker run -i --rm hashicorp/terraform-mcp-server`. It starts immediately and listens on stdio. 2. Add it to your Claude Desktop config under `mcpServers` with `"command": "docker"` and `"args": ["run", "-i", "--rm", "hashicorp/terraform-mcp-server"]`. 3. Restart Claude Desktop, then ask it to look up a Terraform provider or module. Try "What arguments does the AWS S3 bucket resource take?" to verify. 4. Watch out: the server only queries public registry data. Private registries and local modules aren't accessible. 5. If Docker isn't running, Claude will silently fail to connect. Check `docker ps` if queries aren't working.

Works with

Claude DesktopClaude CodeCursorVS Code

Similar MCPs