madenu
May 20, 2026, 11:45am
1
We have a private Terraform registry hosted in Artifactory that mirrors providers from registry.terraform.io, but also has custom providers that will not be published to registry.terraform.io.
I opened a PR to create a “mirror of a mirror”. It does what I need. It works, but the PR was rejected.
So is there a another solution?
For clarity: I want to create a filesystem mirror of myprivateregistry.company.com
Terraform CLI does not currently allow you to do that.
main ← madenu:36006-mirror-providers-from-mirror
opened 05:29AM - 08 May 26 UTC
## Summary
Fixes #36006
Adds a `-net-mirror=<url>` flag to `terraform prov… iders mirror`, allowing the command to fetch provider packages from a network mirror instead of always contacting the origin registry. This brings parity with `terraform providers lock`, which already supports `-net-mirror` (and `-fs-mirror`).
The motivation for this was a need to create a local mirror from a corporate mirror.
## Changes
- `internal/command/arguments/providers_mirror.go`: new `NetMirrorURL` field and `-net-mirror` flag.
- `internal/command/providers_mirror.go`: source selection is now a switch — when `-net-mirror=<url>` is set (and validated as `https:`), use `getproviders.NewHTTPMirrorSource` with the CLI's credentials source; otherwise fall back to the existing `NewRegistrySource` behavior.
- `internal/command/arguments/providers_mirror_test.go`: added a `net-mirror` test case for valid args.
The download path needed no changes: `HTTPMirrorSource.PackageMeta()` returns `PackageHTTPURL` (resolved to absolute) just like the registry source, and hash-based `PackageHashAuthentication` works through the existing `meta.Authentication.AuthenticatePackage()` call.
## Target Release
1.16.x
## Rollback Plan
- [x] If a change needs to be reverted, we will roll out an update to the code within 7 days.
## Changes to Security Controls
No changes to security controls. The new flag enforces `https:`-only URLs (matching the existing `-net-mirror` behavior in `providers lock`), and provider package authentication via the network mirror's hash list is performed by the existing `PackageHashAuthentication` path.
## CHANGELOG entry
- [x] This change is user-facing and I added a changelog entry.
- [ ] This change is not user-facing.
## Test plan
- [x] `go test ./internal/command/arguments/... -run TestParseProvidersMirror`
- [x] `go test ./internal/command/ -run TestProvidersMirror`
- [x] Create local mirror from my corporate mirror using the new arg
🤖 Co-authored with [Claude Code](https://claude.com/claude-code)