362 lines
17 KiB
Markdown
362 lines
17 KiB
Markdown
---
|
|
layout: "docs"
|
|
page_title: "CLI Configuration"
|
|
sidebar_current: "docs-commands-cli-config"
|
|
description: |-
|
|
The general behavior of the Terraform CLI can be customized using the CLI
|
|
configuration file.
|
|
---
|
|
|
|
# CLI Configuration File (`.terraformrc` or `terraform.rc`)
|
|
|
|
The CLI configuration file configures per-user settings for CLI behaviors,
|
|
which apply across all Terraform working directories. This is separate from
|
|
[your infrastructure configuration](/docs/configuration/index.html).
|
|
|
|
## Location
|
|
|
|
The configuration is placed in a single file whose location depends on the
|
|
host operating system:
|
|
|
|
* On Windows, the file must be named named `terraform.rc` and placed
|
|
in the relevant user's `%APPDATA%` directory. The physical location
|
|
of this directory depends on your Windows version and system configuration;
|
|
use `$env:APPDATA` in PowerShell to find its location on your system.
|
|
* On all other systems, the file must be named `.terraformrc` (note
|
|
the leading period) and placed directly in the home directory
|
|
of the relevant user.
|
|
|
|
On Windows, beware of Windows Explorer's default behavior of hiding filename
|
|
extensions. Terraform will not recognize a file named `terraform.rc.txt` as a
|
|
CLI configuration file, even though Windows Explorer may _display_ its name
|
|
as just `terraform.rc`. Use `dir` from PowerShell or Command Prompt to
|
|
confirm the filename.
|
|
|
|
The location of the Terraform CLI configuration file can also be specified
|
|
using the `TF_CLI_CONFIG_FILE` [environment variable](/docs/commands/environment-variables.html).
|
|
|
|
## Configuration File Syntax
|
|
|
|
The configuration file uses the same _HCL_ syntax as `.tf` files, but with
|
|
different attributes and blocks. The following example illustrates the
|
|
general syntax; see the following section for information on the meaning
|
|
of each of these settings:
|
|
|
|
```hcl
|
|
plugin_cache_dir = "$HOME/.terraform.d/plugin-cache"
|
|
disable_checkpoint = true
|
|
```
|
|
|
|
## Available Settings
|
|
|
|
The following settings can be set in the CLI configuration file:
|
|
|
|
- `credentials` - configures credentials for use with Terraform Cloud or
|
|
Terraform Enterprise. See [Credentials](#credentials) below for more
|
|
information.
|
|
|
|
- `credentials_helper` - configures an external helper program for the storage
|
|
and retrieval of credentials for Terraform Cloud or Terraform Enterprise.
|
|
See [Credentials Helpers](#credentials-helpers) below for more information.
|
|
|
|
- `disable_checkpoint` — when set to `true`, disables
|
|
[upgrade and security bulletin checks](/docs/commands/index.html#upgrade-and-security-bulletin-checks)
|
|
that require reaching out to HashiCorp-provided network services.
|
|
|
|
- `disable_checkpoint_signature` — when set to `true`, allows the upgrade and
|
|
security bulletin checks described above but disables the use of an anonymous
|
|
id used to de-duplicate warning messages.
|
|
|
|
- `plugin_cache_dir` — enables
|
|
[plugin caching](#provider-plugin-cache)
|
|
and specifies, as a string, the location of the plugin cache directory.
|
|
|
|
- `provider_installation` - customizes the installation methods used by
|
|
`terraform init` when installing provider plugins. See
|
|
[Provider Installation](#provider-installation) below for more information.
|
|
|
|
## Credentials
|
|
|
|
[Terraform Cloud](/docs/cloud/index.html) provides a number of remote network
|
|
services for use with Terraform, and
|
|
[Terraform Enterprise](/docs/enterprise/index.html) allows hosting those
|
|
services inside your own infrastructure. For example, these systems offer both
|
|
[remote operations](/docs/cloud/run/cli.html) and a
|
|
[private module registry](/docs/cloud/registry/index.html).
|
|
|
|
When interacting with Terraform-specific network services, Terraform expects
|
|
to find API tokens in CLI configuration files in `credentials` blocks:
|
|
|
|
```hcl
|
|
credentials "app.terraform.io" {
|
|
token = "xxxxxx.atlasv1.zzzzzzzzzzzzz"
|
|
}
|
|
```
|
|
|
|
If you are running the Terraform CLI interactively on a computer with a web browser, you can use [the `terraform login` command](./login.html)
|
|
to get credentials and automatically save them in the CLI configuration. If
|
|
not, you can manually write `credentials` blocks.
|
|
|
|
You can have multiple `credentials` blocks if you regularly use services from
|
|
multiple hosts. Many users will configure only one, for either
|
|
Terraform Cloud (at `app.terraform.io`) or for their organization's own
|
|
Terraform Enterprise host. Each `credentials` block contains a `token` argument
|
|
giving the API token to use for that host.
|
|
|
|
~> **Important:** If you are using Terraform Cloud or Terraform Enterprise,
|
|
the token provided must be either a
|
|
[user token](/docs/cloud/users-teams-organizations/users.html#api-tokens)
|
|
or a
|
|
[team token](/docs/cloud/users-teams-organizations/api-tokens.html#team-api-tokens);
|
|
organization tokens cannot be used for command-line Terraform actions.
|
|
|
|
-> **Note:** The credentials hostname must match the hostname in your module
|
|
sources and/or backend configuration. If your Terraform Enterprise instance
|
|
is available at multiple hostnames, use only one of them consistently.
|
|
Terraform Cloud responds to API calls at both its current hostname
|
|
`app.terraform.io`, and its historical hostname `atlas.hashicorp.com`.
|
|
|
|
### Credentials Helpers
|
|
|
|
If you would prefer not to store your API tokens directly in the CLI
|
|
configuration as described in the previous section, you can optionally instruct
|
|
Terraform to use a different credentials storage mechanism by configuring a
|
|
special kind of plugin program called a _credentials helper_.
|
|
|
|
```hcl
|
|
credentials_helper "example" {
|
|
args = []
|
|
}
|
|
```
|
|
|
|
`credentials_helper` is a configuration block that can appear at most once
|
|
in the CLI configuration. Its label (`"example"` above) is the name of the
|
|
credentials helper to use. The `args` argument is optional and allows passing
|
|
additional arguments to the helper program, for example if it needs to be
|
|
configured with the address of a remote host to access for credentials.
|
|
|
|
A configured credentials helper will be consulted only to retrieve credentials
|
|
for hosts that are _not_ explicitly configured in a `credentials` block as
|
|
described in the previous section.
|
|
Conversely, this means you can override the credentials returned by the helper
|
|
for a specific hostname by writing a `credentials` block alongside the
|
|
`credentials_helper` block.
|
|
|
|
Terraform does not include any credentials helpers in the main distribution.
|
|
To learn how to write and install your own credentials helpers to integrate
|
|
with existing in-house credentials management systems, see
|
|
[the guide to Credentials Helper internals](/docs/internals/credentials-helpers.html).
|
|
|
|
## Provider Installation
|
|
|
|
The default way to install provider plugins is from a provider registry. The
|
|
origin registry for a provider is encoded in the provider's source address,
|
|
like `registry.terraform.io/hashicorp/aws`. For convenience in the common case,
|
|
Terraform allows omitting the hostname portion for providers on
|
|
`registry.terraform.io`, so you can write shorter public provider addresses like
|
|
`hashicorp/aws`.
|
|
|
|
Downloading a plugin directly from its origin registry is not always
|
|
appropriate, though. For example, the system where you are running Terraform
|
|
may not be able to access an origin registry due to firewall restrictions
|
|
within your organization or your locality.
|
|
|
|
To allow using Terraform providers in these situations, there are some
|
|
alternative options for making provider plugins available to Terraform which
|
|
we'll describe in the following sections.
|
|
|
|
### Explicit Installation Method Configuration
|
|
|
|
A `provider_installation` block in the CLI configuration allows overriding
|
|
Terraform's default installation behaviors, so you can force Terraform to use
|
|
a local mirror for some or all of the providers you intend to use.
|
|
|
|
The general structure of a `provider_installation` block is as follows:
|
|
|
|
```hcl
|
|
provider_installation {
|
|
filesystem_mirror {
|
|
path = "/usr/share/terraform/providers"
|
|
include = ["example.com/*/*"]
|
|
}
|
|
direct {
|
|
exclude = ["example.com/*/*"]
|
|
}
|
|
}
|
|
```
|
|
|
|
Each of the nested blocks inside the `provider_installation` block specifies
|
|
one installation method. Each installation method can take both `include`
|
|
and `exclude` patterns that specify which providers a particular installation
|
|
method can be used for. In the example above, we specify that any provider
|
|
whose origin registry is at `example.com` can be installed only from the
|
|
filesystem mirror at `/usr/share/terraform/providers`, while all other
|
|
providers can be installed only directly from their origin registries.
|
|
|
|
If you set both both `include` and `exclude` for a particular installation
|
|
method, the exclusion patterns take priority. For example, including
|
|
`registry.terraform.io/hashicorp/*` but also excluding
|
|
`registry.terraform.io/hashicorp/dns` will make that installation method apply
|
|
to everything in the `hashicorp` namespace with the exception of
|
|
`hashicorp/dns`.
|
|
|
|
As with provider source addresses in the main configuration, you can omit
|
|
the `registry.terraform.io/` prefix for providers distributed through the
|
|
public Terraform registry, even when using wildcards. For example,
|
|
`registry.terraform.io/hashicorp/*` and `hashicorp/*` are equivalent.
|
|
`*/*` is a shorthand for `registry.terraform.io/*/*`, not for
|
|
`*/*/*`.
|
|
|
|
The following are the two supported installation method types:
|
|
|
|
* `direct`: request information about the provider directly from its origin
|
|
registry and download over the network from the location that registry
|
|
indicates. This method expects no additional arguments.
|
|
|
|
* `filesystem_mirror`: consult a directory on the local disk for copies of
|
|
providers. This method requires the additional argument `path` to indicate
|
|
which directory to look in.
|
|
|
|
Terraform expects the given directory to contain a nested directory structure
|
|
where the path segments together provide metadata about the available
|
|
providers. The following two directory structures are supported:
|
|
|
|
* Packed layout: `HOSTNAME/NAMESPACE/TYPE/terraform-provider-TYPE_VERSION_TARGET.zip`
|
|
is the distribution zip file obtained from the provider's origin registry.
|
|
* Unpacked layout: `HOSTNAME/NAMESPACE/TYPE/VERSION/TARGET` is a directory
|
|
containing the result of extracting the provider's distribution zip file.
|
|
|
|
In both layouts, the `VERSION` is a string like `2.0.0` and the `TARGET`
|
|
specifies a particular target platform using a format like `darwin_amd64`,
|
|
`linux_arm`, `windows_amd64`, etc.
|
|
|
|
If you use the unpacked layout, Terraform will attempt to create a symbolic
|
|
link to the mirror directory when installing the provider, rather than
|
|
creating a deep copy of the directory. The packed layout prevents this
|
|
because Terraform must extract the zip file during installation.
|
|
|
|
You can include multiple `filesystem_mirror` blocks in order to specify
|
|
several different directories to search.
|
|
|
|
* `network_mirror`: consult a particular HTTPS server for copies of providers,
|
|
regardless of which registry host they belong to. This method requires the
|
|
additional argument `url` to indicate the mirror base URL, which should
|
|
use the `https:` scheme and end with a trailing slash.
|
|
|
|
Terraform expects the given URL to be a base URL for an implementation of
|
|
[the provider network mirror protocol](/docs/internals/provider-network-mirror-protocol.html),
|
|
which is designed to be relatively easy to implement using typical static
|
|
website hosting mechanisms.
|
|
|
|
~> **Warning:** Don't configure `network_mirror` URLs that you do not trust.
|
|
Provider mirror servers are subject to TLS certificate checks to verify
|
|
identity, but a network mirror with a TLS certificate can potentially serve
|
|
modified copies of upstream providers with malicious content.
|
|
|
|
Terraform will try all of the specified methods whose include and exclude
|
|
patterns match a given provider, and select the newest version available across
|
|
all of those methods that matches the version constraint given in each
|
|
Terraform configuration. If you have a local mirror of a particular provider
|
|
and intend Terraform to use that local mirror exclusively, you must either
|
|
remove the `direct` installation method altogether or use its `exclude`
|
|
argument to disable its use for specific providers.
|
|
|
|
### Implied Local Mirror Directories
|
|
|
|
If your CLI configuration does not include a `provider_installation` block at
|
|
all, Terraform produces an _implied_ configuration. The implied configuration
|
|
includes a selection of `filesystem_mirror` methods and then the `direct`
|
|
method.
|
|
|
|
The set of directories Terraform can select as filesystem mirrors depends on
|
|
the operating system where you are running Terraform:
|
|
|
|
* **Windows:** `%APPDATA%/HashiCorp/Terraform/plugins`
|
|
* **Mac OS X:** `~/Library/Application Support/io.terraform/plugins` and
|
|
`/Library/Application Support/io.terraform/plugins`
|
|
* **Linux and other Unix-like systems**: Terraform implements the
|
|
[XDG Base Directory](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html)
|
|
specification and appends `terraform/plugins` to all of the specified
|
|
data directories. Without any XDG environment variables set, Terraform
|
|
will use `~/.local/share/terraform/plugins`,
|
|
`/usr/local/share/terraform/plugins`, and `/usr/share/terraform/plugins`.
|
|
|
|
Terraform will create an implied `filesystem_mirror` method block for each of
|
|
the directories indicated above that exists when Terraform starts up.
|
|
|
|
In addition to the zero or more implied `filesystem_mirror` blocks, Terraform
|
|
also creates an implied `direct` block. Terraform will scan all of the
|
|
filesystem mirror directories to see which providers are placed there and
|
|
automatically exclude all of those providers from the implied `direct` block.
|
|
(This automatic `exclude` behavior applies only to _implicit_ `direct` blocks;
|
|
if you use explicit `provider_installation` you will need to write the intended
|
|
exclusions out yourself.)
|
|
|
|
### Provider Plugin Cache
|
|
|
|
By default, `terraform init` downloads plugins into a subdirectory of the
|
|
working directory so that each working directory is self-contained. As a
|
|
consequence, if you have multiple configurations that use the same provider
|
|
then a separate copy of its plugin will be downloaded for each configuration.
|
|
|
|
Given that provider plugins can be quite large (on the order of hundreds of
|
|
megabytes), this default behavior can be inconvenient for those with slow
|
|
or metered Internet connections. Therefore Terraform optionally allows the
|
|
use of a local directory as a shared plugin cache, which then allows each
|
|
distinct plugin binary to be downloaded only once.
|
|
|
|
To enable the plugin cache, use the `plugin_cache_dir` setting in
|
|
the CLI configuration file. For example:
|
|
|
|
```hcl
|
|
plugin_cache_dir = "$HOME/.terraform.d/plugin-cache"
|
|
```
|
|
|
|
This directory must already exist before Terraform will cache plugins;
|
|
Terraform will not create the directory itself.
|
|
|
|
Please note that on Windows it is necessary to use forward slash separators
|
|
(`/`) rather than the conventional backslash (`\`) since the configuration
|
|
file parser considers a backslash to begin an escape sequence.
|
|
|
|
Setting this in the configuration file is the recommended approach for a
|
|
persistent setting. Alternatively, the `TF_PLUGIN_CACHE_DIR` environment
|
|
variable can be used to enable caching or to override an existing cache
|
|
directory within a particular shell session:
|
|
|
|
```bash
|
|
export TF_PLUGIN_CACHE_DIR="$HOME/.terraform.d/plugin-cache"
|
|
```
|
|
|
|
When a plugin cache directory is enabled, the `terraform init` command will
|
|
still use the configured or implied installation methods to obtain metadata
|
|
about which plugins are available, but once a suitable version has been
|
|
selected it will first check to see if the chosen plugin is already available
|
|
in the cache directory. If so, Terraform will use the previously-downloaded
|
|
copy.
|
|
|
|
If the selected plugin is not already in the cache, Terraform will download
|
|
it into the cache first and then copy it from there into the correct location
|
|
under your current working directory. When possible Terraform will use
|
|
symbolic links to avoid storing a separate copy of a cached plugin in multiple
|
|
directories.
|
|
|
|
The plugin cache directory _must not_ also be one of the configured or implied
|
|
filesystem mirror directories, since the cache management logic conflicts with
|
|
the filesystem mirror logic when operating on the same directory.
|
|
|
|
Terraform will never itself delete a plugin from the plugin cache once it has
|
|
been placed there. Over time, as plugins are upgraded, the cache directory may
|
|
grow to contain several unused versions which you must delete manually.
|
|
|
|
## Removed Settings
|
|
|
|
The following settings are supported in Terraform 0.12 and earlier but are
|
|
no longer recommended for use:
|
|
|
|
* `providers` - a configuration block that allows specifying the locations of
|
|
specific plugins for each named provider. This mechanism is deprecated
|
|
because it is unable to specify a version number and source for each provider.
|
|
See [Provider Installation](#provider-installation) above for the replacement
|
|
of this setting in Terraform 0.13 and later.
|