veepee-oss/terustry

Latest commit

387f352 · Aug 13, 2024

History

13 Commits
Nov 4, 2021
Jul 25, 2024
Nov 4, 2021
Mar 1, 2024
Nov 4, 2021
Aug 13, 2024
Aug 13, 2024
Aug 13, 2024
Nov 4, 2021
Jul 25, 2024
Mar 1, 2024
Nov 4, 2021

Repository files navigation

Terustry

A simple, configurable proxy that implements the Terraform provider registry protocol, so you can build your own private Terraform provider registry.

How it works

Terustry uses a YAML file to describe how to discover versions and download URLs.

providers:
  - name: hashicorp/hashicups # namespace/name of your provider
    protocols: [5.0]
    version: # vcs to fetch provider versions (gitlab and github are supported)
      type: github 
      uri: https://api.github.com/repos/hashicorp/terraform-provider-hashicups/releases # url of the release api of your vcs
      token: "{{terustry_github_token}}"
    binaries: [{os: linux, arch: arm64}]
    signature: # information about key used to sign your provider
      key_id: 97751AE79C450B19
      key_armor: "-----BEGIN PGP PUBLIC KEY BLOCK-----"
    artifact: # describe how to build download urls
      filename: terraform-provider-hashicups_{{version}}_{{os}}_{{arch}}.zip
      download_url: https://.../v{{version}}/terraform-provider-hashicups_{{version}}_{{os}}_{{arch}}.zip
      shasums_url: https://.../v{{version}}/terraform-provider-hashicups_{{version}}_SHA256SUMS
      shasums_signature_url: https://.../v{{version}}/terraform-provider-hashicups_{{version}}_SHA256SUMS.sig

Terustry will parse the result of the release api you provide (version.uri), assuming each release published is a provider version.

Then it will use the artifact section to build the download urls of your provider.
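The template expansion described above, as an added example that is not Terustry's own code: it expands the `{{version}}`, `{{os}}` and `{{arch}}` placeholders, rejects values that could reshape the download path, and looks up the artifact's digest in a SHA256SUMS file. The function names, the base URL and the SHA256SUMS content are assumptions made for illustration.

```rust
// Added example, not Terustry's own code; all function names are hypothetical.

/// True when `v` is safe to place in a URL path segment or file name.
fn safe_segment(v: &str) -> bool {
    !v.is_empty()
        && !v.contains("..")
        && v.chars().all(|c| c.is_ascii_alphanumeric() || "._-+".contains(c))
}

/// Expand `{{name}}` placeholders, refusing unsafe values and leftovers.
fn render(template: &str, vars: &[(&str, &str)]) -> Result<String, String> {
    let mut out = template.to_string();
    for (name, value) in vars {
        if !safe_segment(value) {
            return Err(format!("unsafe value for {name}: {value:?}"));
        }
        out = out.replace(&format!("{{{{{name}}}}}"), value);
    }
    if out.contains("{{") || out.contains("}}") {
        return Err(format!("unexpanded placeholder in {out:?}"));
    }
    Ok(out)
}

/// Find the SHA-256 hex digest listed for `filename` in SHA256SUMS text.
fn shasum_for<'a>(sums: &'a str, filename: &str) -> Option<&'a str> {
    sums.lines().find_map(|line| {
        let (hash, name) = line.split_once("  ")?;
        let ok = hash.len() == 64 && hash.chars().all(|c| c.is_ascii_hexdigit());
        (ok && name.trim() == filename).then_some(hash)
    })
}

fn main() {
    // Filename template from the configuration above; the base URL and the
    // SHA256SUMS content are constructed for this example.
    let vars = [("version", "0.3.1"), ("os", "linux"), ("arch", "arm64")];
    let file = render("terraform-provider-hashicups_{{version}}_{{os}}_{{arch}}.zip", &vars).unwrap();
    let url = format!("https://registry.example.invalid/v0.3.1/{file}");
    let sums = format!("{}  {file}\n", "ab".repeat(32));
    println!("{url}\nshasum = {:?}", shasum_for(&sums, &file));
    // A version string taken from a release API must not reshape the path.
    println!("{:?}", render("v{{version}}/x.zip", &[("version", "0.3.1/../../other")]));
}
```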

Run

With docker

docker run -p 8080:8080 -e TERUSTRY_GITHUB_TOKEN='XXX' -v $(pwd)/terustry-sample-github.yml:/etc/terustry.yml --rm -it vptech/terustry

With docker build

docker build -t terustry .
docker run -p 8080:8080 -e TERUSTRY_GITHUB_TOKEN='XXX' -v $(pwd)/terustry-sample-github.yml:/etc/terustry.yml --rm -it terustry

With cargo

TERUSTRY_GITHUB_TOKEN=XXXX cargo run -- --config terustry-sample-github.yml

If you want to embed the configuration in the Docker image, just create a terustry.yml file with your configuration.

Test

With curl

$ curl http://localhost:8080/terraform/providers/v1/hashicorp/hashicups/versions
{
  id: "hashicorp/hashicups",
  versions: [{
    version: "0.3.1",
    protocols: [
      "5.0"
    ],
    platforms: [{
      os: "freebsd",
      arch: "386"
    }
  ]}]
}

With terraform

terraform {
  required_providers {
    hashicups = {
      source = "localhost:8081/hashicorp/hashicups"
      version = "0.3.1"
    }
  }
}

provider "hashicups" {
  # Configuration options
}

$ terraform init

Local ssl

A Terraform provider registry needs a valid SSL certificate to work.

If you want to test the whole thing (terraform init) locally, you need an "SSL proxy".

Install mkcert and local-ssl-proxy

mkcert -install
mkcert localhost
local-ssl-proxy --source 8081 --target 8080 --key localhost-key.pem --cert localhost.pem

Caching

By default, Terustry caches responses from GitHub/GitLab for 10 minutes. This may result in unwanted behaviour where a recently released version of a given provider is not available.

The new version will become available once the cache is refreshed.

However, if you need a faster refresh timing, for example in a CI/CD pipeline, you may request a specific cache entry to be invalidated using the following route: GET /terraform/providers/v1/{namespace}/{provider_name}/invalidate

This should result in an empty 200 OK response.

For example:

curl http://localhost:8080/terraform/providers/v1/hashicorp/hashicups/invalidate