Terraform
Publish Public Providers to an Airgapped Private Registry
This topic describes how to publish an official HashiCorp provider hosted in the public registry to a private registry in an airgapped environment.
Introduction
Your Terraform Enterprise installation must be able to access the public Terraform Registry to build workspaces that rely on official public HashiCorp providers. However, this is a problem if your Terraform Enterprise installation is in an airgapped environment without internet access.
To solve this, you can download the public provider and re-upload it to your private registry. There are a few differences in the workflow for re-uploading a public HashiCorp provider. In this example, you will download the AWS provider and re-upload it to your private registry. You can use the same workflow for any official HashiCorp provider.
To re-upload a public HashiCorp provider to your private registry, complete the following steps.
Download required files
Download the provider binary files for the provider, the SHASUMS
file, and the SHA256SUMS.72D7468F.sig
file. These files are available at https://releases.hashicorp.com. For this example, you can refer to the AWS provider files for more details. You will only re-upload the binaries for the linux_amd64
architecture, but you can use this same process to re-upload multiple builds of the same provider.
First, download the SHASUMS
file. This file contains a SHA256 checksum for each build of this specific provider version.
$ curl \
https://releases.hashicorp.com/terraform-provider-aws/5.14.0/terraform-provider-aws_5.14.0_SHA256SUMS \
--output terraform-provider-aws_5.14.0_SHA256SUMS
Next, download the SHA256SUMS.72D7468F.sig
file. This file is a GPG binary signature of the SHA256SUMS
file.
$ curl \
https://releases.hashicorp.com/terraform-provider-aws/5.14.0/terraform-provider-aws_5.14.0_SHA256SUMS.72D7468F.sig \
--output terraform-provider-aws_5.14.0_SHA256SUMS.72D7468F.sig
Finally, download the linux_amd64
build of the provider binary.
$ curl \
https://releases.hashicorp.com/terraform-provider-aws/5.14.0/terraform-provider-aws_5.14.0_linux_amd64.zip \
--output terraform-provider-aws_5.14.0_linux_amd64.zip
Create the provider
Re-upload the provider by following the guide in Publishing a provider. There are two differences that you need to make in this workflow:
- Do not sign the binary with your GPG key; HashiCorp's public PGP key has already signed it.
- Do not upload your public GPG key. Instead, use HashiCorp's public key. Terraform Enterprise version v202309-1 and newer includes the public key by default. The key ID is
34365D9472D7468F
. You can verify the ID by importing the public key locally.