manintheit.org

Provide Terraform providers in an Air-gapped Environment

By default, Terraform fetches provider plugins from its official registry over the internet. However, this may not always be feasible in environments with strict compliance requirements, where direct internet access is restricted. Additionally, not all organizations may have Terraform Enterprise for managing such scenarios.

In these cases, it is possible to create your own local Terraform provider registry. This allows you to fetch providers from an internal web server, ensuring that Terraform can operate in air-gapped or isolated environments where external internet access is unavailable.

By setting up a local registry, you can maintain full control over the provider versions, ensure compliance with internal policies, and keep your infrastructure management fully secure.

Create TLS Certificate for Web Server

The web server must be configured with TLS, since Terraform only accepts HTTPS URLs for a network mirror. The first step is to create a self-signed TLS certificate.

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout key.pem -out cert.pem -subj "/CN=127.0.0.1" \
  -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"

The private key is written to key.pem (-keyout) and the certificate to cert.pem (-out); the trust store and web server steps below rely on these names.

Add the server certificate to the machine trust store so that Terraform trusts the mirror:

sudo apt-get install -y ca-certificates
sudo cp cert.pem /usr/local/share/ca-certificates/local-cert.crt
sudo update-ca-certificates

Note: the file name must end with .crt, otherwise update-ca-certificates ignores it.

Python HTTPS Server

Create a simple HTTPS web server using the Python http.server module. Run it from the terraform_repo folder created below, so that the registry.terraform.io path is served from the document root.

from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl

# Server-side TLS context using the self-signed certificate created above.
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='./cert.pem', keyfile='./key.pem')
# Hostname checking only applies to client contexts; it is already off for a server.
context.check_hostname = False

# Bind address and port must match the url in ~/.terraformrc; the certificate's
# SAN covers both localhost and 127.0.0.1. Files are served from the current directory.
with HTTPServer(("localhost", 4443), SimpleHTTPRequestHandler) as httpd:
    httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()

Create Folder

Create a folder in which to place the Terraform providers. In this example, the hashicorp/vault provider (version 4.6.0) is used.

mkdir -p terraform_repo/registry.terraform.io/hashicorp/vault

Every provider folder must contain an index.json file listing the available versions, plus one <version>.json file per version.

index.json

{
  "versions": {
    "4.6.0": {}
  }
}

4.6.0.json

{
  "archives": {
    "linux_amd64": {
      "url": "terraform-provider-vault_4.6.0_linux_amd64.zip"
    }
  }
}

The pre-compiled provider archive can be downloaded from https://releases.hashicorp.com/ and placed next to the JSON files:

terraform_repo/registry.terraform.io/hashicorp/vault
.
├── 4.6.0.json
├── LICENSE.txt
├── index.json
└── terraform-provider-vault_4.6.0_linux_amd64.zip
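As an added example (not code from the original post), a small Python script that generates index.json and the <version>.json files from the archives already placed in a provider folder, so the metadata always matches what the server actually holds. It assumes the HashiCorp archive naming convention and the relative-URL layout shown above; demo_layout builds a constructed sample folder with an empty placeholder archive.

```python
import json
import re
import tempfile
from pathlib import Path

# Archive names follow the HashiCorp release convention used above:
# terraform-provider-<name>_<version>_<os>_<arch>.zip
ARCHIVE_RE = re.compile(
    r"^terraform-provider-(?P<name>[a-z0-9-]+)_(?P<version>\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?)"
    r"_(?P<os>[a-z0-9]+)_(?P<arch>[a-z0-9]+)\.zip$"
)

def scan_archives(provider_dir):
    """Return {version: {"<os>_<arch>": archive_name}} for the archives present."""
    versions = {}
    for entry in sorted(Path(provider_dir).iterdir()):
        m = ARCHIVE_RE.match(entry.name)
        if not m:
            continue  # LICENSE.txt and the json files are skipped
        versions.setdefault(m["version"], {})[f"{m['os']}_{m['arch']}"] = entry.name
    return versions

def build_index(versions):
    """index.json body: every available version maps to an empty object."""
    return {"versions": {v: {} for v in versions}}

def build_version_doc(platforms):
    """<version>.json body: a URL (relative to this folder) per platform.
    The mirror protocol also accepts an optional "hashes" list per archive,
    which is omitted here, as in the post."""
    return {"archives": {p: {"url": name} for p, name in platforms.items()}}

def write_mirror_metadata(provider_dir):
    """Write index.json and one <version>.json per version; return the scan."""
    provider_dir = Path(provider_dir)
    versions = scan_archives(provider_dir)
    (provider_dir / "index.json").write_text(json.dumps(build_index(versions), indent=2))
    for version, platforms in versions.items():
        doc = build_version_doc(platforms)
        (provider_dir / f"{version}.json").write_text(json.dumps(doc, indent=2))
    return versions

def demo_layout():
    """Constructed sample: a temp folder holding an empty vault 4.6.0 archive."""
    d = Path(tempfile.mkdtemp()) / "registry.terraform.io" / "hashicorp" / "vault"
    d.mkdir(parents=True)
    (d / "terraform-provider-vault_4.6.0_linux_amd64.zip").write_bytes(b"")
    (d / "LICENSE.txt").write_text("placeholder\n")
    return d
```

Run write_mirror_metadata on the real provider folder after downloading the archives; re-run it whenever a new version or platform archive is added.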

Configure Terraform to fetch providers from the local secure web server.

Create and configure the ~/.terraformrc file:

provider_installation {
  network_mirror {
    url = "https://127.0.0.1:4443/registry.terraform.io"
  }
}

With this in place, Terraform fetches the provider from the local mirror instead of the public registry, as the web server access log shows:

127.0.0.1 - - [23/Feb/2025 15:49:35] "GET /registry.terraform.io/hashicorp/vault/index.json HTTP/1.1" 200 -
127.0.0.1 - - [23/Feb/2025 15:49:35] "GET /registry.terraform.io/hashicorp/vault/4.6.0.json HTTP/1.1" 200 -
127.0.0.1 - - [23/Feb/2025 15:49:35] "GET /registry.terraform.io/hashicorp/vault/terraform-provider-vault_4.6.0_linux_amd64.zip HTTP/1.1" 200 -
