CDKTF ignoring private registries?

Hi!

We would like to use CDKTF to manage some of the more complex environments. The challenge is that the server running Terraform and CDKTF can’t access the internet. For Terraform we simply configured a private registry and everything works fine, but when we tried CDKTF it failed. The logs indicate that it ignores the Terraform configuration.
The config file looks like this:

provider_installation {
    direct {
        exclude = ["registry.terraform.io/*/*"]
    }
    network_mirror {
        url = "https://my.private.registry/artifactory/api/terraform/terraform/providers/"
    }
}

The log output is the following:

17:32:23  it-rbac-stage2-devfuture  2025-05-23T15:32:23.388Z [DEBUG] using github.com/hashicorp/go-tfe v1.26.0
17:32:23                            2025-05-23T15:32:23.388Z [DEBUG] using github.com/hashicorp/hcl/v2 v2.16.2
….
17:32:23                            2025-05-23T15:32:23.388Z [TRACE] Stdin is not a terminal
17:32:23                            2025-05-23T15:32:23.388Z [DEBUG] Attempting to open CLI config file: /opt/jenkins/terraform.tfrc
17:32:23                            2025-05-23T15:32:23.388Z [INFO]  Loading CLI configuration from /opt/jenkins/terraform.tfrc
17:32:23                            2025-05-23T15:32:23.388Z [DEBUG] Not reading CLI config directory because config location is overridden by environment variable
17:32:23                            2025-05-23T15:32:23.388Z [DEBUG] Using modified User-Agent: HashiCorp Terraform/1.5.7 (+https://www.terraform.io) cdktf/0.20.8 (+https://github.com/hashicorp/terraform-cdk)
17:32:23                            2025-05-23T15:32:23.388Z [DEBUG] Explicit provider installation configuration is set
17:32:23                            2025-05-23T15:32:23.388Z [TRACE] Selected provider installation method cliconfig.ProviderInstallationDirect with includes [] and excludes [registry.terraform.io/*/*]
17:32:23                            2025-05-23T15:32:23.388Z [DEBUG] Using modified User-Agent: Terraform/1.5.7 cdktf/0.20.8 (+https://github.com/hashicorp/terraform-cdk)
17:32:23                            2025-05-23T15:32:23.388Z [TRACE] Selected provider installation method cliconfig.ProviderInstallationNetworkMirror("https://my.private.registry/artifactory/api/terraform/terraform/providers/") with includes [] and excludes []
17:32:23                            2025-05-23T15:32:23.388Z [INFO]  CLI command args: []string{"providers", "lock", "-platform=linux_amd64"}
17:32:23                            2025-05-23T15:32:23.388Z [DEBUG] Using modified User-Agent: Terraform/1.5.7 cdktf/0.20.8 (+https://github.com/hashicorp/terraform-cdk)
17:32:23                            2025-05-23T15:32:23.388Z [DEBUG] Using modified User-Agent: HashiCorp Terraform/1.5.7 (+https://www.terraform.io) cdktf/0.20.8 (+https://github.com/hashicorp/terraform-cdk)
17:32:23  [2025-05-23T15:32:23.467] [ERROR] default - 2025-05-23T15:32:23.467Z [DEBUG] Service discovery for registry.terraform.io at https://registry.terraform.io/.well-known/terraform.json
17:32:23  2025-05-23T15:32:23.467Z [TRACE] HTTP client GET request to https://registry.terraform.io/.well-known/terraform.json
17:32:23  
17:32:23  it-rbac-stage2-devfuture  2025-05-23T15:32:23.467Z [DEBUG] Service discovery for registry.terraform.io at https://registry.terraform.io/.well-known/terraform.json
17:32:23                            2025-05-23T15:32:23.467Z [TRACE] HTTP client GET request to https://registry.terraform.io/.well-known/terraform.json

Are there any extra settings I’m missing? Any hint would be much appreciated.

Thanks and best regards,
Andreas

I found the issue. It wasn’t CDKTF after all. At least not directly. The problem was/is that it calls terraform providers lock after terraform init. While terraform init does honor the private registry, terraform providers lock does not.
I’ll need to read up on how we can handle this issue.

You may consider this topic solved for now.

Best regards,
Andreas
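
An added example, not part of the original posts or of CDKTF/Terraform: a Python check over Terraform TRACE output like the log quoted above, reporting which subcommand made an HTTP request to a host other than the configured network mirror. The function name `audit` and the sample lines are constructed here, following the log format shown in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines shortened from the log format quoted in the thread.
SAMPLE_LOG = '''
[TRACE] Selected provider installation method cliconfig.ProviderInstallationDirect with includes [] and excludes [registry.terraform.io/*/*]
[TRACE] Selected provider installation method cliconfig.ProviderInstallationNetworkMirror("https://my.private.registry/artifactory/api/terraform/terraform/providers/") with includes [] and excludes []
[INFO]  CLI command args: []string{"providers", "lock", "-platform=linux_amd64"}
[ERROR] default - [TRACE] HTTP client GET request to https://registry.terraform.io/.well-known/terraform.json
[TRACE] HTTP client GET request to https://registry.terraform.io/.well-known/terraform.json
'''

MIRROR_RE = re.compile(r'ProviderInstallationNetworkMirror\("([^"]+)"\)')
ARGS_RE = re.compile(r'CLI command args: \[\]string\{(.*)\}')
HTTP_RE = re.compile(r'HTTP client (\w+) request to (\S+)')


def audit(log_text):
    """Return (mirror_hosts, findings). A finding is an HTTP request to a host
    that is not a configured network mirror, tagged with the CLI subcommand
    that was running when the request was logged."""
    mirrors, findings, seen, command = set(), [], set(), None
    for line in log_text.splitlines():
        if m := MIRROR_RE.search(line):
            mirrors.add(urlparse(m.group(1)).hostname)
        elif m := ARGS_RE.search(line):
            # Keep the subcommand words only, e.g. "providers lock".
            args = re.findall(r'"([^"]*)"', m.group(1))
            command = " ".join(a for a in args if not a.startswith("-"))
        elif m := HTTP_RE.search(line):
            method, url = m.groups()
            host = urlparse(url).hostname
            # The wrapper relays some lines twice, so report each request once.
            if host not in mirrors and (command, url) not in seen:
                seen.add((command, url))
                findings.append({"command": command, "method": method,
                                 "host": host, "url": url})
    return mirrors, findings


if __name__ == "__main__":
    mirrors, findings = audit(SAMPLE_LOG)
    print("network mirror hosts:", sorted(mirrors))
    for f in findings:
        print(f"{f['command']!r} contacted {f['host']}: {f['method']} {f['url']}")
```

Run over a captured build log in an offline pipeline, any finding points to a subcommand that bypassed the mirror settings.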