How to add tfmcp to Claude Desktop
Terraform MCP server letting AI assistants read, plan, apply, analyze, and manage Terraform infrastructure. Paste the config into ~/Library/Application Support/Claude/claude_desktop_config.json and restart Claude Desktop.
Last updated June 14, 2026 ยท 369โ ยท stdio ยท no auth
Claude Desktop config for tfmcp
cargo install tfmcp{
"mcpServers": {
"tfmcp": {
"command": "/path/to/your/tfmcp",
"args": [
"mcp"
],
"env": {
"HOME": "/Users/yourusername",
"PATH": "/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin",
"TERRAFORM_DIR": "/path/to/your/terraform/project"
}
}
}
}Setup steps
- 1Open Claude Desktop โ Settings โ Developer โ Edit Config (this opens ~/Library/Application Support/Claude/claude_desktop_config.json).
- 2Paste the tfmcp config below under the top-level "mcpServers" key.
- 3Fill in any placeholder secrets (API keys, paths) in the snippet.
- 4Save the file, then fully quit and reopen Claude Desktop.
- 5Open a chat and confirm tfmcp's tools appear under the ๐ tools menu.
Before you start
- Rust (edition 2021; v0.1.9 requires Rust 1.85.0+ / Edition 2024)
- Terraform CLI installed and available in PATH
- Claude Desktop (for AI assistant integration)
- Docker (optional, for containerized deployment)
What tfmcp can do in Claude Desktop
init_terraformInitialize Terraform working directory.
get_terraform_planGenerate and show execution plan.
analyze_planAnalyze plan with risk scoring and recommendations.
apply_terraformApply Terraform configuration.
destroy_terraformDestroy Terraform-managed infrastructure.
validate_terraformValidate configuration syntax.
validate_terraform_detailedDetailed validation with guidelines.
get_terraform_stateShow current state.
Security
Dangerous operations (apply/destroy) are disabled by default and must be explicitly enabled via TFMCP_ALLOW_DANGEROUS_OPS=true. Auto-approve is off by default (TFMCP_ALLOW_AUTO_APPROVE). Resource count is capped (TFMCP_MAX_RESOURCES, default 50). Built-in access controls block prod*, production*, and secret* file patterns. Audit logging is enabled by default and written to ~/.tfmcp/audit.log. Always review AI-generated Terraform plans before applying, and apply appropriate IAM boundaries in cloud environments.
tfmcp + Claude Desktop FAQ
Where is the Claude Desktop config file?
Claude Desktop reads MCP servers from ~/Library/Application Support/Claude/claude_desktop_config.json. Paste the tfmcp config there under the "mcpServers" key and restart the client.
Is tfmcp safe to use with Claude Desktop?
Dangerous operations (apply/destroy) are disabled by default and must be explicitly enabled via TFMCP_ALLOW_DANGEROUS_OPS=true. Auto-approve is off by default (TFMCP_ALLOW_AUTO_APPROVE). Resource count is capped (TFMCP_MAX_RESOURCES, default 50). Built-in access controls block prod*, production*, and secret* file patterns. Audit logging is enabled by default and written to ~/.tfmcp/audit.log. Always review AI-generated Terraform plans before applying, and apply appropriate IAM boundaries in cloud environments.
Is tfmcp an official Terraform/HashiCorp product?
No. It is an independent open-source project by nwiizo, licensed under MIT. The README notes it is experimental and under active development.
How do I connect tfmcp to Claude Desktop?
Install it (`cargo install tfmcp`), find the binary path with `which tfmcp`, then add an mcpServers entry to ~/Library/Application Support/Claude/claude_desktop_config.json with command set to the tfmcp path and args set to ["mcp"]. Restart Claude Desktop and enable the tool.
Are apply and destroy operations safe?
By default they are disabled. You must set TFMCP_ALLOW_DANGEROUS_OPS=true to enable them, and TFMCP_ALLOW_AUTO_APPROVE remains false unless explicitly enabled. tfmcp also caps resource counts and blocks sensitive file patterns.