A Model Context Protocol (MCP) server that integrates AI assistants with the Terraform Cloud API, allowing you to manage your infrastructure through natural conversation. Built with Pydantic models and structured around domain-specific modules, this server is compatible with any MCP-supporting platform including Claude, Claude Code CLI, Claude Desktop, Cursor, Copilot Studio, and others.
- Account Management: Get account details for authenticated users or service accounts.
- Workspace Management: Create, read, update, lock/unlock workspaces, and optionally delete workspaces (with safety controls).
- Project Management: Create, list, update projects, and optionally delete projects; manage project tag bindings and move workspaces between projects.
- Run Management: Create runs, list runs, get run details, apply/discard/cancel runs.
- Plan Management: Retrieve plan details and JSON execution output with advanced HTTP redirect handling.
- Apply Management: Get apply details and recover from failed state uploads.
- Organization Management: List, create, update organizations, view organization entitlements, and optionally delete organizations (with safety controls).
- Cost Estimation: Retrieve detailed cost estimates for infrastructure changes including proposed monthly costs, prior costs, resource counts, and usage projections.
- Assessment Results: Retrieve health assessment details, JSON output, schema files, and logs from Terraform Cloud health assessments.
- State Version Management: List, retrieve, create, and download state versions; get current state for workspaces.
- State Version Outputs: List and retrieve specific outputs from state versions including values and sensitivity information.
- Variables Management: Complete workspace variable and variable set management including creation, updates, assignments, and optionally deletion (with safety controls).
- Audit-Safe Response Filtering: Conservative token optimization (5-15% reduction) with 100% audit compliance - preserves all user accountability, security configuration, and change tracking data for comprehensive compliance scenarios.
- Destructive Operation Controls: Delete operations are disabled by default and require explicit enablement via environment variable
- Destructive Hints: MCP clients receive proper destructive operation warnings for potentially dangerous tools
- Environment-Based Safety: Production and development environments can have different safety configurations
- Python 3.12+
- MCP (includes FastMCP and development tools)
uvpackage manager (recommended) orpip- Terraform Cloud API token
# Clone the repository
git clone https://github.com/severity1/terraform-cloud-mcp.git
cd terraform-cloud-mcp
# Create virtual environment and activate it
uv venv
source .venv/bin/activate
# Install package
uv pip install .# Add to Claude Code with your Terraform Cloud token
claude mcp add -e TFC_TOKEN=YOUR_TF_TOKEN -e ENABLE_DELETE_TOOLS=false -s user terraform-cloud-mcp -- "terraform-cloud-mcp"
# To enable delete operations (use with caution):
# claude mcp add -e TFC_TOKEN=YOUR_TF_TOKEN -e ENABLE_DELETE_TOOLS=true -s user terraform-cloud-mcp -- "terraform-cloud-mcp"Create a claude_desktop_config.json configuration file:
- mac: ~/Library/Application Support/Claude/claude_desktop_config.json
- win: %APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"terraform-cloud-mcp": {
"command": "/path/to/uv", # Get this by running: `which uv`
"args": [
"--directory",
"/path/to/your/terraform-cloud-mcp", # Full path to this project
"run",
"terraform-cloud-mcp"
],
"env": {
"TFC_TOKEN": "my token...", # replace with actual token
"ENABLE_DELETE_TOOLS": "false" # set to "true" to enable destructive operations
}
}
}
}Replace your_terraform_cloud_token with your actual Terraform Cloud API token.
For other platforms (like Cursor, Copilot Studio, or Glama), follow their platform-specific instructions for adding an MCP server. Most platforms require:
- The server path or command to start the server.
- Environment variables for the Terraform Cloud API token (
TFC_TOKEN). - Optional environment variable to enable delete operations (
ENABLE_DELETE_TOOLS=truefor destructive operations). - Configuration to auto-start the server when needed.
get_account_details(): Gets account information for the authenticated user or service account.
list_workspaces(organization, page_number, page_size, search): List and filter workspaces.get_workspace_details(workspace_id, organization, workspace_name): Get detailed information about a specific workspace.
create_workspace(organization, name, params): Create a new workspace with optional parameters.update_workspace(organization, workspace_name, params): Update an existing workspace's configuration.
delete_workspace(organization, workspace_name): Delete a workspace and all its content.safe_delete_workspace(organization, workspace_name): Delete only if the workspace isn't managing any resources.
Note: Delete operations are disabled by default for safety. Set ENABLE_DELETE_TOOLS=true to enable these destructive operations.
lock_workspace(workspace_id, reason): Lock a workspace to prevent runs.unlock_workspace(workspace_id): Unlock a workspace to allow runs.force_unlock_workspace(workspace_id): Force unlock a workspace locked by another user.
create_run(workspace_id, params): Create and queue a Terraform run in a workspace using its ID.list_runs_in_workspace(workspace_id, ...): List and filter runs in a specific workspace using its ID.list_runs_in_organization(organization, ...): List and filter runs across an entire organization.get_run_details(run_id): Get detailed information about a specific run.apply_run(run_id, comment): Apply a run waiting for confirmation.discard_run(run_id, comment): Discard a run waiting for confirmation.cancel_run(run_id, comment): Cancel a run currently planning or applying.force_cancel_run(run_id, comment): Forcefully cancel a run immediately.force_execute_run(run_id): Forcefully execute a pending run by canceling prior runs.
get_plan_details(plan_id): Get detailed information about a specific plan.get_plan_json_output(plan_id): Retrieve the JSON execution plan for a specific plan with proper redirect handling.get_run_plan_json_output(run_id): Retrieve the JSON execution plan from a run with proper redirect handling.get_plan_logs(plan_id): Retrieve logs from a plan operation.
get_apply_details(apply_id): Get detailed information about a specific apply.get_errored_state(apply_id): Retrieve the errored state from a failed apply for recovery.get_apply_logs(apply_id): Retrieve logs from an apply operation.
create_project(organization, name, params): Create a new project with optional parameters.update_project(project_id, params): Update an existing project's configuration.list_projects(organization, ...): List and filter projects in an organization.get_project_details(project_id): Get detailed information about a specific project.delete_project(project_id): Delete a project (fails if it contains workspaces). Requires ENABLE_DELETE_TOOLS=truelist_project_tag_bindings(project_id): List tags bound to a project.add_update_project_tag_bindings(project_id, tag_bindings): Add or update tag bindings on a project.move_workspaces_to_project(project_id, workspace_ids): Move workspaces into a project.
get_organization_details(organization): Get detailed information about a specific organization.get_organization_entitlements(organization): Show entitlement set for organization features.list_organizations(page_number, page_size, query, query_email, query_name): List and filter organizations.create_organization(name, email, params): Create a new organization with optional parameters.update_organization(organization, params): Update an existing organization's settings.delete_organization(organization): Delete an organization and all its content. Requires ENABLE_DELETE_TOOLS=true
get_cost_estimate_details(cost_estimate_id): Get detailed information about a specific cost estimate, including resource counts (matched and unmatched), prior monthly cost, proposed monthly cost, and delta monthly cost estimations. Use run relationships to find cost estimate IDs for specific runs.
get_assessment_result_details(assessment_result_id): Get detailed information about a specific health assessment result.get_assessment_json_output(assessment_result_id): Retrieve the JSON execution plan from an assessment result.get_assessment_json_schema(assessment_result_id): Retrieve the JSON schema file from an assessment result.get_assessment_log_output(assessment_result_id): Retrieve logs from an assessment result operation.
list_state_versions(organization, workspace_name, page_number, page_size, filter_status): List and filter state versions in a workspace.get_current_state_version(workspace_id): Get the current state version for a workspace.get_state_version(state_version_id): Get details for a specific state version.create_state_version(workspace_id, serial, md5, params): Create a new state version in a workspace.download_state_file(state_version_id, json_format): Download the raw or JSON formatted state file.
list_state_version_outputs(state_version_id, page_number, page_size): List outputs for a specific state version.get_state_version_output(state_version_output_id): Get details for a specific state version output.
list_workspace_variables(workspace_id): List all variables (Terraform and environment) for a workspace.create_workspace_variable(workspace_id, key, category, params): Create a new variable in a workspace.update_workspace_variable(workspace_id, variable_id, params): Update an existing workspace variable.delete_workspace_variable(workspace_id, variable_id): Delete a workspace variable. Requires ENABLE_DELETE_TOOLS=true
list_variable_sets(organization, page_number, page_size): List variable sets in an organization.get_variable_set(varset_id): Get details for a specific variable set.create_variable_set(organization, name, params): Create a new variable set.update_variable_set(varset_id, params): Update an existing variable set.delete_variable_set(varset_id): Delete a variable set and all its variables. Requires ENABLE_DELETE_TOOLS=trueassign_variable_set_to_workspaces(varset_id, workspace_ids): Assign a variable set to workspaces.unassign_variable_set_from_workspaces(varset_id, workspace_ids): Remove a variable set from workspaces.assign_variable_set_to_projects(varset_id, project_ids): Assign a variable set to projects.unassign_variable_set_from_projects(varset_id, project_ids): Remove a variable set from projects.
list_variables_in_variable_set(varset_id): List all variables in a variable set.create_variable_in_variable_set(varset_id, key, category, params): Create a variable in a variable set.update_variable_in_variable_set(varset_id, var_id, params): Update a variable in a variable set.delete_variable_from_variable_set(varset_id, var_id): Delete a variable from a variable set. Requires ENABLE_DELETE_TOOLS=true
Note: Variable management includes both Terraform input variables and environment variables. Sensitive variables have their values hidden for security. Delete operations are disabled by default and require ENABLE_DELETE_TOOLS=true.
For detailed development guidance including code standards, Pydantic patterns, and contribution workflows, see our Development Documentation.
# Clone the repository
git clone https://github.com/severity1/terraform-cloud-mcp.git
cd terraform-cloud-mcp
# Create virtual environment and activate it
uv venv
source .venv/bin/activate # On Windows: .venv\Scripts\activate
# Install in development mode with development dependencies
uv pip install -e .
uv pip install black mypy pydantic ruff# Run the server in development mode
mcp dev terraform_cloud_mcp/server.py
# Run tests and quality checks
uv run -m mypy .
uv run -m ruff check .
uv run -m black .For detailed information on code organization, architecture, development workflows, and code quality guidelines, refer to docs/DEVELOPMENT.md.
The codebase includes comprehensive documentation:
- Code Comments: Focused on explaining the "why" behind implementation decisions
- Docstrings: All public functions and classes include detailed docstrings
- Implementation References: Development documentation now references actual code examples rather than using code snippets
- Example Files: The
docs/directory contains detailed examples for each domain:docs/FILTERING_SYSTEM.md: Comprehensive guide to the audit-safe response filtering system (5-15% token reduction, 100% audit compliance)docs/DEVELOPMENT.md: Development standards and coding guidelines with references to actual codedocs/API_REFERENCES.md: Terraform Cloud API documentation links with implementation statusdocs/CONTRIBUTING.md: Guidelines for contributing to the projectdocs/models/: Reference documentation for all model typesdocs/tools/: Detailed reference documentation for each tooldocs/conversations/: Sample conversation flows with the API
- Check server logs (debug logging is enabled by default)
- Use the MCP Inspector (http://localhost:5173) for debugging
- Debug logging is already enabled in
server.py:import logging logging.basicConfig(level=logging.DEBUG)
Contributions are welcome! Please open an issue or pull request if you'd like to contribute to this project.
See our Contributing Guide for detailed instructions on how to get started, code quality standards, and the pull request process.
This project is not affiliated with, associated with, or endorsed by HashiCorp or Terraform.
"Terraform" and "Terraform Cloud" are trademarks of HashiCorp.
This project merely interacts with the Terraform Cloud public API under fair use.