Terraform MCP Server
Official HashiCorp MCP server for Terraform Registry lookups and Terraform Cloud/Enterprise workspace management
Server Info
- Package: terraform-mcp-server
- Registry: go
- Repository: hashicorp/terraform-mcp-server
- Maintainer: HashiCorp (Vendor)
- Category: Cloud & Infrastructure
- Tags: iac, terraform, devops
- Last Scanned: 7 Apr 2026
Findings
4 issues
Authentication & Identity
MEDIUM: HTTP/SSE transport supports per-request credentials
Supports both stdio and StreamableHTTP transport (via TRANSPORT_MODE=http env var). Registry tools (search/get providers/modules/policies) require no authentication and access the public Terraform Registry. TFE tools require TFE_TOKEN and TFE_ADDRESS for Terraform Cloud/Enterprise. Per-session TFE client initialization via hooks. No MCP OAuth implementation.
Implement the MCP OAuth spec so users authenticate directly without platform mediation.
Tool Schema Quality
MEDIUM: Only 4 of 41 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
LLM Safety
HIGH: Tool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remove instructional language. Descriptions should be purely factual.
Data Exposure
LOW: No field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
Tools
41 total

| Name | Description | Risk |
|---|---|---|
| search_providers | This tool retrieves a list of potential documents based on the 'service_slug' and 'provider_document_type' provided. You MUST call this function before 'get_provider_details' to obtain a valid tfprovider-compatible 'provider_doc_id'. | read |
| get_provider_details | Fetches up-to-date documentation for a specific service from a Terraform provider. You must call 'search_providers' tool first to obtain the exact tfprovider-compatible provider_doc_id required to use this tool. | read |
| get_latest_provider_version | Fetches the latest version of a Terraform provider from the public registry | read |
| get_provider_capabilities | Get the capabilities of a Terraform provider including the types of resources, data sources, functions, guides, and other features it supports. | read |
| search_modules | Resolves a Terraform module name to obtain a compatible module_id for the get_module_details tool and returns a list of matching Terraform modules. | read |
| get_module_details | Fetches up-to-date documentation on how to use a Terraform module. You must call 'search_modules' first to obtain the exact valid and compatible module_id required to use this tool. | read |
| get_latest_module_version | Fetches the latest version of a Terraform module from the public registry | read |
| search_policies | Searches for Terraform policies based on a query string. | read |
| get_policy_details | Fetches up-to-date documentation for a specific policy from the Terraform registry. You must call 'search_policies' first to obtain the exact terraform_policy_id required to use this tool. | read |
| list_terraform_orgs | List Terraform organizations accessible with the current token | read |
| list_terraform_projects | List Terraform projects in an organization | read |
| list_workspaces | Search and list Terraform workspaces within a specified organization. Returns all workspaces when no filters are applied, or filters results based on name patterns, tags, or search queries. Supports pagination for large result sets. | read |
| get_workspace_details | Get detailed information about a specific Terraform workspace | read |
| create_workspace | Creates a new Terraform workspace in the specified organization. This is a destructive operation that will create new infrastructure resources. | write |
| update_workspace | Update an existing Terraform workspace | write |
| delete_workspace_safely | Safely deletes a Terraform workspace by ID only if it is not managing any resources. This prevents accidental deletion of workspaces that still have active infrastructure. This is a destructive operation. | admin |
| search_private_providers | Search private providers in Terraform Cloud/Enterprise registry | read |
| get_private_provider_details | Get detailed information about a private Terraform provider | read |
| search_private_modules | Search private modules in Terraform Cloud/Enterprise registry | read |
| get_private_module_details | Get detailed information about a private Terraform module | read |
| create_workspace_tags | Create tags on a Terraform workspace | write |
| read_workspace_tags | Read tags from a Terraform workspace | read |
| list_runs | List runs for a Terraform workspace | read |
| create_run | Creates a new Terraform run in the specified workspace. | write |
| action_run | Performs a variety of actions on a Terraform run. It can be used to approve and apply, discard or cancel a run. | admin |
| get_run_details | Get detailed information about a specific Terraform run | read |
| create_no_code_workspace | Create a no-code Terraform workspace from a module | write |
| list_variable_sets | List all variable sets in an organization. Returns all if query is empty. | read |
| create_variable_set | Create a new variable set in an organization. | write |
| create_variable_in_variable_set | Create a variable within a variable set | write |
| delete_variable_in_variable_set | Delete a variable from a variable set | admin |
| attach_variable_set_to_workspaces | Attach a variable set to one or more workspaces | write |
| detach_variable_set_from_workspaces | Detach a variable set from one or more workspaces | write |
| attach_policy_set_to_workspaces | Attach a policy set to one or more workspaces | write |
| list_workspace_policy_sets | List policy sets attached to a workspace | read |
| list_workspace_variables | List variables in a Terraform workspace | read |
| create_workspace_variable | Create a variable in a Terraform workspace | write |
| update_workspace_variable | Update a variable in a Terraform workspace | write |
| get_token_permissions | Get the list of permissions for the current TFE_TOKEN in a particular organization | read |
| list_stacks | List Terraform stacks in an organization | read |
| get_stack_details | Get details about a specific Terraform stack | read |