Completely lost on pushing my own terraform provider privately

I am trying to privately publish a terraform provider to the registry so that my team (and only my team) can use the provider. I have the provider written in Go and ready, however, I have a lot of questions about the documentation of publishing a private provider (Terraform Registry - Publishing Providers | Terraform | HashiCorp Developer)

  • I have installed GoReleaser and created the .goreleaser.yml file in my repo (note: I am using an internally hosted Gitlab, not Github). I have made it to step 3: Cache the password for your GPG private key with gpg --armor --detach-sign (see note below). And this is where I’m lost:
    • Should I already have a GPG private key or does this command create one for me?
    • Whenever I run this command on my Mac, the command just hangs with no output
    • Is there any way/outline of how to do this with Gitlab instead of Github?
    • Are there any steps that Im missing or doing out of order?..

Hi @SomniVertix,

The documentation you linked to is for Terraform’s public registry, which hosts modules and providers for general use by the community. It does not support private provider hosting.

The main private registry service that HashiCorp runs is the one built in to Terraform Cloud, and its documentation for provider publishing is here although you would need to create a Terraform Cloud account as a prerequisite:

There are some third-party implementations of Terraform’s provider registry protocol too. I haven’t used any of those so I cannot recommend any one in particular, but you should be able to find some examples using your favorite search engine if you search for “Terraform provider registry”.

Okay - I think I got a bit confused because of the part where it links you to " create a release locally" in the section: Publishing Private Providers - Private Registry | Terraform | HashiCorp Developer

Do I have to create release files before pushing privately too terraform cloud?

Terraform Cloud’s private registry uses a “push-style” model where you upload the files directly to its API, instead of the “pull-style” model used by the public registry where it automatically retrieves information from the GitHub releases API.

You will still need to create the same required files that constitute a provider release:

  • The .zip file for each of the platforms you intend to support.
  • The SHA256SUMS file that documents the expected checksums of those .zip files.
  • The SHA256SUMS.sig file that allows Terraform to verify that the checksums in SHA256SUMS are really the official checksums, signed by a valid key.

However, you don’t need to upload those artifacts to GitHub as part of a “GitHub Release”. Instead, you’ll upload them to the endpoints returned by the “Create a Provider Version” operation in the Terraform Cloud API, as described under “Create a Version and Platform” heading in the documentation I linked to previously. Those files will then be stored in Terraform Cloud’s own blob storage, which is what the example URLs in the documentation refer to.

Gotcha - would you happen to know how to generate these zip and SHA files? I think this is the part that I was hitting my head on

The GoReleaser configuration you were already looking at should be able to make the zip files and the checksums file.

If I’m remembering correctly, I think goreleaser build should be able to produce those artifacts without actually making a release, so you can rehearse it without making a lot of git tag noise in your repository.

The signature file is the trickiest part because it relies on you having already set up gpg with a private key on your system. The instructions you found earlier do seem to assume you’re working with the public registry rather than the private one, which is confusing, and I think for the private registry for manual upload you will need to use the key-registration API to tell Terraform Cloud your public key.

Unfortunately getting set up to publish the first version of the first provider in your organization does have a fair amount of one-time setup that’s difficult to summarize here in the forum, so it might be worth also sending a request to HashiCorp Support who can provide more individual help, since they can (with your permission) look into exactly how you’ve set things up and therefore give more specific directions.

Gotcha, thank you! Something that actually helped a bit more than the default documentation was this article:

I still haven’t gotten it fully working, but this felt like a better walkthrough

1 Like

@SomniVertix Hi, I’m likewise looking for a way to use a private custom provider. I’d love to know if you were able to set it up successfully and if so, which route you ultimately chose.