Publishing Public Providers in Airgapped Terraform Enterprise
Your Terraform Enterprise installation must be able to access the public Terraform Registry to build workspaces that rely on official public HashiCorp providers. However, this is a problem if your Terraform Enterprise installation is in an airgapped environment without internet access.
To solve this, you can download the public provider and re-upload it to your private registry. There are a few differences in the workflow for re-uploading a public HashiCorp provider. In this example, you will download the AWS provider and re-upload it to your private registry. You can use the same workflow for any official HashiCorp provider.
To re-upload a public HashiCorp provider to your private registry, follow these steps.
Download the binary files for the provider, the SHASUMS file, and the SHA256SUMS.72D7468F.sig file. These files are available at https://releases.hashicorp.com. For this example, you can refer to the AWS provider files for more details. You will only re-upload the binaries for the linux_amd64 architecture, but you can use this same process to re-upload multiple builds of the same provider.
First, download the SHASUMS file. This file contains a SHA256 checksum for each build of this specific provider version.
$ curl \
Next, download the SHA256SUMS.72D7468F.sig file. This file is a GPG binary signature of the
$ curl \
Finally, download the linux_amd64 build of the provider binary.
$ curl \
Re-upload the provider by following the guide in Publishing a provider, with two changes to that workflow:
- Do not sign the binary with your GPG key; HashiCorp's public PGP key has already signed it.
- Do not upload your public GPG key. Instead, use HashiCorp's public key, which Terraform Enterprise version v202309-1 and newer includes by default. The key ID is 34365D9472D7468F, and you can verify the ID by importing the public key locally.
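Before carrying the files into the airgapped environment, you can confirm that the archive matches its SHASUMS entry and that the signature over the SHASUMS file was made under the key ID given above. The shell functions below are an added example, not part of the original guide or of any HashiCorp tool; the function names are hypothetical, and `verify_sums_signature` assumes HashiCorp's public key has already been imported into the local GnuPG keyring.

```shell
# Added example; function names are illustrative, not part of any HashiCorp tool.
# Assumes GNU coreutils (sha256sum), awk, and gpg are installed.
HASHICORP_KEY_ID="34365D9472D7468F"   # key ID quoted on this page

# Succeed only if the archive's SHA-256 equals its entry in the checksum file.
# usage: verify_provider_checksum <checksum file> <provider zip>
verify_provider_checksum() {
  local sums="$1" zip="$2" name expected actual
  name="$(basename "$zip")"
  # Entries look like "<hex digest>  <file name>"; a leading "*" marks binary mode.
  expected="$(awk -v f="$name" \
    '{ n = $2; sub(/^\*/, "", n); if (n == f) print $1 }' "$sums")"
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name" >&2
    return 2
  fi
  actual="$(sha256sum "$zip" | awk '{ print $1 }')"
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name" >&2
    return 1
  fi
}

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line names
# a primary key whose fingerprint (last field) ends in the expected key ID.
# A bare GOODSIG is not enough: it may report a subkey or an unpinned key.
# usage: status_signed_by <key id>
status_signed_by() {
  awk -v id="$1" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
      fpr = toupper($NF); want = toupper(id)
      if (length(fpr) >= length(want) &&
          substr(fpr, length(fpr) - length(want) + 1) == want) ok = 1
    }
    END { exit !ok }'
}

# Verify the detached signature over the checksum file and pin the signer.
# usage: verify_sums_signature <checksum file> <.sig file>
verify_sums_signature() {
  local status
  status="$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)" || return 1
  printf '%s\n' "$status" | status_signed_by "$HASHICORP_KEY_ID"
}
```

Run the signature check first and the checksum check second, so the digest you compare against comes from a checksum file that has already been authenticated.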