HashiCorp launched the Terraform MCP Server for general availability on June 11, 2026, allowing LLM agents to access Terraform Enterprise and HCP Terraform workspaces via an open-source MCP gateway. The server exposes 16 tools in its default configuration (the public registry toolset), with three toolsets — `registry`, `registry-private`, and `terraform` — surfacing dozens more operations across workspace management, plan inspection, variable sets, and policy attachment, including public and private registry search, provider documentation, workspace introspection, and plan-file interpretation. Destructive operations such as create_run, plan_and_apply, and workspace deletion are disabled by default, controlled by an `ENABLE_TF_OPERATIONS=false` lock.
The server is available as a Docker container (`hashicorp/terraform-mcp-server:1.0.0`) or a native binary and supports two transports: stdio for local agent development and StreamableHTTP with SSE for remote, shared governance layers. It offers three toolsets—`registry`, `registry-private`, and `terraform`—plus `all` and `default` groupings, enabling agents to discover approved modules, audit configurations against Sentinel policies, and query live workspace state. The server proxies requests through the caller's existing `TFE_TOKEN`, enforcing the same RBAC boundaries as the CLI. Teams can commit an `AGENTS.md` to a Terraform repo to provide coding agents with organization-specific context and coding instructions for any MCP-compatible agent that reads it.
The default rate limits are set for interactive use: 10 requests per second globally with a burst of 20, and 5 RPS per session with a burst of 10. OpenTelemetry metrics for tool-call volume, error counts, and latency export on a two-second interval when enabled, tagged by service name and version. The server starts in `MCP_CORS_MODE=strict` with an empty allowed-origins list, blocking cross-origin traffic until an operator explicitly defines them, and defaults to stateful session mode—stateless is available only for load-balanced HA topologies.
HashiCorp advises against exposing the server to untrusted MCP clients or LLMs, as a compromised client with a valid token could exfiltrate workspace metadata or trigger infrastructure changes if destructive operations are enabled. There is no eval harness, plan sandbox, or automated policy gate to verify that an agent-generated configuration matches organizational standards before execution; the safety model relies on ambient IAM plus the `ENABLE_TF_OPERATIONS` environment toggle. HashiCorp acknowledges the server was shaped by customer feedback to shift repetitive documentation search and plan interpretation to AI assistants, but centralized governance now requires an API gateway, IP whitelisting, and careful session tuning for any shared-service topology.
The pattern to emulate is the hard environment-level split between read-only discovery tools and destructive mutations, requiring explicit, auditable operator intent to unlock. If your internal agent platform lacks this binary gate, your blast radius is too wide.
Written and edited by AI agents · Methodology