Terraform Plan/Apply execute without internet

Hi,

I want to execute a Terraform script in a closed environment, where internet connectivity will not be provided.

Initially, the terraform init command was executed with internet connectivity and all plugins are in place (working for AWS).

Now I am trying to execute the terraform plan/apply commands without internet connectivity, and the command gets stuck until you forcefully kill it.

I am going to create cloud resources in the same account/VPC where the Terraform master/controller machine is.

Why is internet access required during execution of the Terraform plan/apply commands?
How can we configure it to execute without internet connectivity?

Hi @goyalvickey78,

During terraform plan and terraform apply, Terraform itself needs to be able to reach whatever backend you have configured, and the providers you are using need to be able to reach whatever remote endpoints you’ve configured them to use.

If you select a backend that is on your internal network and only use providers configured to interact with internal network resources, then both terraform plan and terraform apply should be able to operate without internet connectivity.

With that said, you made the following statement:

I am going to create cloud resources in the same account/VPC where the Terraform master/controller machine is.

From this I understand that you are running Terraform on an EC2 instance in a network that doesn’t have an internet gateway or NAT gateway. As far as I know, the AWS APIs are not exposed on a local VPC network interface, so from the perspective of a private VPC they are “on the internet” and thus not accessible.

AWS does have a mechanism called VPC endpoints that allows you to arrange to have a subset of AWS service APIs exposed via a private IP address in your VPC, which is exposed in the Terraform AWS provider as aws_vpc_endpoint. Of course, you would need to set up the VPC endpoint while running Terraform outside of your VPC, because an EC2 instance without internet access cannot access the API to create a VPC endpoint itself.

If you can then somehow provide your custom endpoint information to the Terraform configurations that are running in your EC2 instance, you can use custom endpoints configuration to tell the AWS provider to access specific services by custom endpoints, instead of using the default ones for a particular region.

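As an added illustration of the two halves of that advice (this is not code from the thread or from apparentlymart), the HCL below shows first the VPC endpoints a Terraform runner with no internet path needs for an EC2-centric configuration, applied from a machine that can still reach the AWS APIs, and then the provider and backend settings used by the configuration that runs on the isolated instance. Every VPC, subnet, route table, CIDR, bucket and table name is an assumed placeholder; the security group and the S3 endpoint policy are the least-privilege additions a practitioner would want, not something the thread specifies.

```hcl
# --- endpoints.tf: applied from a host that CAN reach the AWS APIs (workstation,
# or an instance behind a NAT gateway). All IDs, CIDRs and names are assumed values.
locals {
  region       = "ap-southeast-1"
  vpc_id       = "vpc-0123456789abcdef0"      # assumed VPC of the isolated runner
  vpc_cidr     = "10.0.0.0/16"                # assumed
  subnet_ids   = ["subnet-0aaaaaaaaaaaaaaaa"] # assumed private subnet(s)
  rtb_ids      = ["rtb-0bbbbbbbbbbbbbbbb"]    # assumed route tables of those subnets
  state_bucket = "example-tfstate-bucket"     # assumed bucket holding Terraform state
}

# Only hosts inside the VPC may reach the interface endpoints (HTTPS only).
resource "aws_security_group" "endpoints" {
  name   = "vpce-https-from-vpc"
  vpc_id = local.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.vpc_cidr]
  }
}

# Interface endpoints for the APIs the provider calls (EC2 resources plus the STS
# identity check). private_dns_enabled makes the default regional hostname,
# e.g. ec2.ap-southeast-1.amazonaws.com, resolve to the endpoint's private IPs.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(["ec2", "sts"])
  vpc_id              = local.vpc_id
  service_name        = "com.amazonaws.${local.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = local.subnet_ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}

# Gateway endpoints for S3 and DynamoDB attach to route tables instead of subnets.
# The endpoint policy limits S3 traffic through this path to the state bucket only.
data "aws_iam_policy_document" "s3_state_only" {
  statement {
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::${local.state_bucket}",
      "arn:aws:s3:::${local.state_bucket}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = local.vpc_id
  service_name      = "com.amazonaws.${local.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = local.rtb_ids
  policy            = data.aws_iam_policy_document.s3_state_only.json
}

resource "aws_vpc_endpoint" "dynamodb" {
  vpc_id            = local.vpc_id
  service_name      = "com.amazonaws.${local.region}.dynamodb"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = local.rtb_ids
}

# --- provider.tf: a separate configuration, run ON the isolated instance.
# State and locking go through the gateway endpoints, which need no hostname
# override because they are reached via the route table, not a custom URL.
terraform {
  backend "s3" {
    bucket         = "example-tfstate-bucket" # assumed
    key            = "isolated/terraform.tfstate"
    region         = "ap-southeast-1"
    dynamodb_table = "example-tf-locks"       # assumed lock table
  }
}

provider "aws" {
  region = "ap-southeast-1"

  # Only services that have an endpoint are usable from here; a call to any
  # other service has no route out of the VPC and is what makes plan/apply hang.
  endpoints {
    ec2 = "https://ec2.ap-southeast-1.amazonaws.com"
    # STS otherwise defaults to the global endpoint; the regional hostname is
    # the one the interface endpoint above answers for.
    sts = "https://sts.ap-southeast-1.amazonaws.com"
  }
}
```

A quick check before relying on this: from the isolated instance, resolving ec2.ap-southeast-1.amazonaws.com should return private addresses in the VPC CIDR; if it returns public IPs, private DNS is not in effect and the provider will still try to leave the VPC.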

Hi @apparentlymart, thanks for the advice. I am facing a similar issue here where my credentials work, but I am stuck at the terraform plan stage.

I have turned off my internet and have various VPC endpoints set up. In the ‘providers’ config, I have added:

    provider "aws" {
      region = "ap-southeast-1" # region inferred from the endpoint hostnames

      # Per-service endpoint overrides for the AWS provider
      endpoints {
        sts      = "https://sts.ap-southeast-1.amazonaws.com"
        s3       = "https://s3.ap-southeast-1.amazonaws.com"
        dynamodb = "https://dynamodb.ap-southeast-1.amazonaws.com"
      }
    }

But the terraform plan command still hangs. Is there a basic set of endpoints that I need to set up and configure in ‘providers’, or is there a way to let Terraform know that it should route all the API calls via endpoints without having to explicitly list all the AWS endpoints?

Thanks!

Terraform supports running commands without internet connectivity via “Air Gapped Environments”.