
Last Updated on November 24, 2025 by Arnav Sharma

If you thought Stacks, Actions, and Search were impressive, you haven’t seen anything yet.

HashiCorp just dropped what might be the most significant infrastructure announcement of the year, and honestly, the room went absolutely wild. I’m talking about Terraform MCP Servers, now generally available. Not beta. Not coming soon. Available today.

Here’s what that means: any LLM you’re using (GitHub Copilot, Claude, even your local Ollama setup) can now safely read, plan, and apply your Terraform configurations using plain English. Your infrastructure just became conversational.

This shipped today in HCP Terraform Plus/Enterprise and Terraform Enterprise 2025.11+. No waiting. No early access programs.

So What Exactly Is an MCP Server?

Let’s break this down. MCP stands for Model Control Plane.

Think of it like this: you know how you’d never hand your AWS credentials directly to some random script? Same logic applies here. An MCP server acts as an ultra-secure middleman between your LLM and your actual cloud infrastructure. It’s got audit logging, policy enforcement, and all the security guardrails you’d expect from enterprise tooling.

Here’s what the LLM gets access to:

  • Read access to your complete Terraform state, modules, and configurations
  • Plan generation capabilities (basically a read-only preview of what would change)
  • Apply execution (but only after you approve it and policies give the green light)

The critical part? Your LLM never touches your cloud credentials. Not once. Every operation flows through the same VCS-driven, Sentinel or OPA-guarded pipeline you’re already running.

The Demo That Made Everyone’s Jaw Drop

Mitchell Hashimoto walked on stage and typed this into GitHub Copilot Chat:

“Add a new EKS cluster in us-west-2 for the payments team, using the same pattern as the existing fraud-detection cluster but with 50% more nodes and IRSA for their S3 bucket”

Eight seconds later, Copilot responded with:

+ New deployment added to payments-stack.tfdeployment.hcl
+ Component instance "eks_payments" using module/./eks
+ Node count set to 1.5× fraud-detection baseline
+ IRSA policy generated and attached

Then it opened a pull request. The PR included a complete terraform plan in the comments. It passed Sentinel checks, got two approvals, merged, and auto-applied to production.

The audience absolutely lost it.

How Does This Actually Work?

The implementation is surprisingly straightforward:

Step 1: Deploy an MCP server (literally one click in HCP Terraform under Settings → MCP Servers)

Step 2: Connect it to your version control system (GitHub, GitLab, Bitbucket… whatever you’re using)

Step 3: Expose it through a secure endpoint with mutual TLS and short-lived tokens

Step 4: Your LLM (Copilot, Cursor, Claude, Windsurf, you name it) registers three simple tools:

  • terraform_list_stacks()
  • terraform_generate_plan(diff: string)
  • terraform_create_pr(plan_id: string)

That’s literally it.
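
A client-side gate for the three tools listed above, as an added example that is not part of the original post or HashiCorp's code: it allowlists the tool names, checks argument names and types, lets terraform_create_pr reference only a plan id issued in the same session, and records an audit entry for every call. The call shape, the size cap and the names validate_tool_call and gate are assumptions made for illustration.

```python
import time

# Tool and parameter names are the three listed in the post. The call shape
# ({"name": ..., "arguments": {...}}) and the size cap are assumptions.
ALLOWED_TOOLS = {
    "terraform_list_stacks": {},
    "terraform_generate_plan": {"diff": str},
    "terraform_create_pr": {"plan_id": str},
}
MAX_ARG_CHARS = 64 * 1024  # assumed cap on any single string argument


class ToolCallRejected(Exception):
    """Raised when a model-issued tool call fails validation."""


def validate_tool_call(call, issued_plan_ids):
    """Return (name, args) for an allowed call, else raise ToolCallRejected."""
    if not isinstance(call, dict):
        raise ToolCallRejected("call is not an object")
    name, args = call.get("name"), call.get("arguments") or {}
    schema = ALLOWED_TOOLS.get(name) if isinstance(name, str) else None
    if schema is None:
        raise ToolCallRejected(f"tool not in allowlist: {name!r}")
    if not isinstance(args, dict) or set(args) != set(schema):
        raise ToolCallRejected(f"{name}: unexpected or missing arguments")
    for key, typ in schema.items():
        value = args[key]
        if not isinstance(value, typ) or not value:
            raise ToolCallRejected(f"{name}: {key} must be a non-empty string")
        if len(value) > MAX_ARG_CHARS:
            raise ToolCallRejected(f"{name}: {key} exceeds size cap")
    # A PR may only reference a plan generated earlier in this session, so
    # the model cannot open a PR for a guessed or stale plan id.
    if name == "terraform_create_pr" and args["plan_id"] not in issued_plan_ids:
        raise ToolCallRejected("plan_id was not issued in this session")
    return name, args


def gate(call, issued_plan_ids, audit_log):
    """Validate one call; append an audit record whether or not it passes."""
    tool = call.get("name") if isinstance(call, dict) else None
    record = {"ts": time.time(), "tool": tool, "allowed": False}
    try:
        allowed = validate_tool_call(call, issued_plan_ids)
        record["allowed"] = True
        return allowed
    except ToolCallRejected as exc:
        record["reason"] = str(exc)
        return None
    finally:
        audit_log.append(record)
```

A caller would add each plan id returned by terraform_generate_plan to issued_plan_ids before forwarding any terraform_create_pr call.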

What Can You Actually Do With This?

I’ve been testing it since the announcement, and some of these use cases are borderline magical:

“Show me every RDS instance running PostgreSQL 12”
Uses Terraform Search behind the scenes and returns a formatted table.

“Why is prod-us-east-1 costing $12k more this month?”
Correlates cost spikes with recent applies and tells you exactly what changed.

“Canary a new version of the API gateway in eu-west-1 only”
Updates the correct deployment group and creates the canary weight configuration.
