Terraform in Russia

Due to sanctions, the public Terraform registry https://registry.terraform.io now blocks access from sanctioned regions.

When we try to bypass blocks on local devices, it is not very difficult. For example, by enabling a VPN with access in a different region. But there are situations when turning on a VPN is difficult or not advisable.

I ran into this when terraform commands in CI/CD jobs running in ephemeral containers stopped working. Bring up a VPN in the container? Bring up a VPN on the node? That looks like overengineering.

Attempt 1

After googling, I found a service on the Internet that offers the Provider Network Mirror Protocol. A big plus is the ease of use. It was enough to create a .terraformrc file in your home directory:

provider_installation {
    network_mirror {
        url = "https://provider-registry-protocol-name/"
    }
}

and everything works!

But there were two problems with this approach:

  • what's inside? I don't see the source code. Will they introduce something bad into my downloaded packages?

  • what if it dies one day? All my processes will stop.

I accepted the risks and worked with this approach.

But then one fine day everything really died: the domain registration of that service (I won’t specify which one) expired. And everything broke for me.

Attempt 2

I urgently needed to get everything back on track; tomorrow was vacation, but nothing was working.

The first things that came to mind were proxies and reverse proxies. A reverse proxy is easier to set up, so I started with that. I started a basic nginx with a simple proxy_pass in a non-sanctioned region, made it reachable from my network and changed the address in .terraformrc to my own.

For a long time I didn’t understand why nothing was working. Then I was surprised to discover that the API of the Provider Network Mirror Protocol is not at all similar to the API of the registry itself (Provider Registry Protocol). Why they did this is not clear. We need a service that will map one API to the other. I couldn’t find anything like this freely available on the Internet. I decided to write my own as open source.

Attempt 3. Solution

So, I wrote an open source service that implements the Provider Network Mirror Protocol. Anyone can deploy it in their own infrastructure and have no doubts about what is inside.

Source code: https://github.com/jonasasx/terraform-registry-mirror.
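
The mapping between the two protocols described above, as an added example that is not taken from the linked project: it turns Provider Registry Protocol responses into the JSON documents the Provider Network Mirror Protocol expects. The provider name examplecorp/demo, the example.com hosts, the sample responses and the function names are constructed for illustration, and the /v1/providers base path is assumed to come from the upstream registry's service discovery.

```python
# Added example: Provider Registry Protocol JSON -> Provider Network Mirror Protocol JSON.
# All sample documents are constructed; "examplecorp/demo" and example.com are placeholders.
BASE = "/v1/providers"  # assumed result of service discovery on the upstream registry

def upstream_paths(mirror_path, versions_doc=None):
    """Registry paths needed to answer one mirror request (:host/:ns/:type/<leaf>)."""
    _host, namespace, ptype, leaf = mirror_path.strip("/").split("/")
    if leaf == "index.json":
        return [f"{BASE}/{namespace}/{ptype}/versions"]
    if not leaf.endswith(".json"):
        raise ValueError(f"not a mirror protocol path: {mirror_path}")
    version = leaf[:-len(".json")]
    entry = next((v for v in versions_doc["versions"] if v["version"] == version), None)
    if entry is None:
        raise LookupError(f"version {version} not published upstream")
    return [f"{BASE}/{namespace}/{ptype}/{version}/download/{p['os']}/{p['arch']}"
            for p in entry["platforms"]]

def mirror_index(versions_doc):
    """Registry version list -> mirror index.json."""
    return {"versions": {v["version"]: {} for v in versions_doc["versions"]}}

def mirror_version(download_docs):
    """Registry per-platform download documents -> mirror <version>.json."""
    archives = {}
    for d in download_docs:
        shasum = d["shasum"].lower()
        if len(shasum) != 64 or set(shasum) - set("0123456789abcdef"):
            raise ValueError(f"malformed SHA-256 for {d['filename']}")
        if not d["download_url"].startswith("https://"):
            raise ValueError(f"refusing non-HTTPS archive URL for {d['filename']}")
        # "zh:" is Terraform's hash scheme for the SHA-256 of the .zip archive,
        # so the client can check the download against the upstream checksum.
        archives[f"{d['os']}_{d['arch']}"] = {
            "url": d["download_url"], "hashes": [f"zh:{shasum}"]}
    return {"archives": archives}

VERSIONS = {"versions": [  # constructed registry response
    {"version": "1.0.0", "platforms": [{"os": "linux", "arch": "amd64"}]},
    {"version": "1.1.0", "platforms": [{"os": "linux", "arch": "amd64"},
                                       {"os": "darwin", "arch": "arm64"}]}]}
DOWNLOAD = {"os": "linux", "arch": "amd64",  # constructed registry response
            "filename": "terraform-provider-demo_1.1.0_linux_amd64.zip",
            "download_url": "https://releases.example.com/demo_1.1.0_linux_amd64.zip",
            "shasum": "ab" * 32}

if __name__ == "__main__":
    print(upstream_paths("registry.example.com/examplecorp/demo/1.1.0.json", VERSIONS))
    print(mirror_version([DOWNLOAD]))
```

Hashes served by a mirror are only as trustworthy as the mirror itself. A committed .terraform.lock.hcl is what lets terraform init reject an archive that differs from the one recorded earlier.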

Those who don’t want to or don’t have the opportunity to deploy it themselves can use my installation: https://terraform-registry-mirror.ru/. So far it has been launched as a prototype (not designed for heavy load). But if I see interest in it, we’ll prepare it for the load.

To use it, just create a .terraformrc file in your home directory:

provider_installation {
    network_mirror {
        url = "https://terraform-registry-mirror.ru/"
    }
}

This can be easily done in any CI/CD job.

Anyone interested in helping with the project is welcome: open tickets, send pull requests, leave comments.

Thank you for your attention!

P.S. Contact me: https://t.me/jonasasx
