Terraform Plan/Apply execute without internet


I want to execute the Terraform script on closed environment; where internet connectivity will not be provided.

Initially; terraform init command got executed with the internet connectivity and all plugins are in placed(working for AWS).

Now I am trying to execute the terraform Plan/Apply command without internet connectivity and command got stuck unless until you forcefully kill the command.

I am going to create cloud resources on same account/VPC where terraform master/controller machine is there.

Why internet is required during execution of the Terraform Plan/Apply command?
How we can make the setting to execute with internet connectivity?

Hi @goyalvickey78,

During terraform plan and terraform apply Terraform itself needs to be able to reach whatever backend you have configured, and the providers you are using need to be able to reach whatever remote endpoints you’ve configured them to use.

If you select a backend that is on your internal network and only use providers configured to interact with internal network resources then both terraform plan and terraform apply should be able to operate without internet connectivity.

With that said, you made the following statement:

I am going to create cloud resources on same account/VPC where terraform master/controller machine is there.

From this I understand that you are running Terraform on an EC2 instance in a network that doesn’t have an internet gateway or NAT gateway. As far as I know, the AWS APIs are not exposed on a local VPC network interface, so from the perspective of a private VPC they are “on the internet” and thus not accessible.

AWS does have a mechanism called VPC endpoints that allows you to arrange to have a subset of AWS service APIs exposed via a private IP address in your VPC, which is exposed in the Terraform AWS provider as aws_vpc_endpoint. Of course, you would need to set up the VPC endpoint while running Terraform outside of your VPC, because an EC2 instance without internet access cannot access the API to create a VPC endpoint itself.

If you can then somehow provide your custom endpoint information to the Terraform configurations that are running in your EC2 instance, you can use custom endpoints configuration to tell the AWS provider to access specific services by custom endpoints, instead of using the default ones for a particular region.

1 Like