Cloud Assembly users who need to design and run Terraform integrations while disconnected from the internet can set up their runtime environment by following this example.

Note: To obtain a source for image creation, setup involves briefly connecting to the internet. You might need to do those steps outside of your disconnected site if a temporary connection isn't possible.

This process assumes that you have your own Docker registry and can access its repositories without an internet connection.

Create the custom container image

  1. Build a custom container image that includes the Terraform provider plug-in binaries.

    The following Dockerfile shows an example of creating a custom image with the Terraform GCP provider.

    The base image projects.registry.vmware.com/vra/terraform:latest download in the Dockerfile requires internet access to the VMware Harbor registry at projects.registry.vmware.com.

    Firewall settings or proxy settings can cause the image build to fail. You might need to enable access to releases.hashicorp.com to download the Terraform provider plug-in binaries. However, you may use your private registry to supply the plug-in binaries as an option.

    FROM projects.registry.vmware.com/vra/terraform:latest as final
     
    # Create provider plug-in directory
    ARG plugins=/tmp/terraform.d/plugin-cache/linux_amd64
    RUN mkdir -m 777 -p $plugins
      
    # Download and unzip all required provider plug-ins from hashicorp to provider directory
    RUN cd $plugins \
        && wget -q https://releases.hashicorp.com/terraform-provider-google/3.58.0/terraform-provider-google_3.58.0_linux_amd64.zip \
        && unzip *.zip \
        && rm *.zip
      
    # For "terraform init" configure terraform CLI to use provider plug-in directory and not download from internet
    ENV TF_CLI_ARGS_init="-plugin-dir=$plugins -get-plugins=false"
  2. Build, tag, and push the custom container image to your own Docker repository at your disconnected site.
  3. In Cloud Assembly at your disconnected site, under Infrastructure > Connections > Integrations, go to your Terraform runtime integration.
  4. Create or edit the runtime container settings to add your repository for the custom container image. The example built custom container image name is registry.ourcompany.com/project1/image1:latest.
    Terraform container image

Host the Terraform CLI locally

  1. Download the Terraform CLI binaries.
  2. Upload the Terraform CLI binaries to your local web or FTP server.
  3. In Cloud Assembly, go to Infrastructure > Configure > Terraform Versions.
  4. Create or edit the Terraform version so that it includes the URL to the Terraform CLI binaries hosted on your local server.
  5. If your local web or FTP server requires login authentication, select Basic authentication, and enter username and password credentials that can access the server.

    To change the authentication type, you must have the cloud administrator role in Cloud Assembly.

    Terraform CLI URL

Design and deploy Terraform configurations

With the runtime in place, you can add Terraform configuration files to git, design cloud templates for them, and deploy.

To get started, see Preparing for Terraform configurations in Cloud Assembly.

Troubleshooting

When deploying, open the deployment in Cloud Assembly. Under the History tab, look for Terraform events, and click Show Logs to the right. When your local Terraform provider is working, the following messages appear in the log.

Initializing provider plugins

Terraform has been successfully initialized

For a more robust log, you can manually edit the cloud template code to add TF_LOG: DEBUG as shown in the following example.

resources:
  terraform:
    type: Cloud.Terraform.Configuration
    properties:
      providers:
        - name: google
          # List of available cloud zones: gcp/us-west1
          cloudZone: gcp/us-west1
      environment:
        # Configure terraform CLI debug log settings
        TF_LOG: DEBUG
      terraformVersion: 0.12.29
      configurationSource:
        repositoryId: fc569ef7-f013-4489-9673-6909a2791071
        commitId: 3e00279a843a6711f7857929144164ef399c7421
        sourceDirectory: gcp-simple

Creating your own base image

Although VMware occasionally updates the base image at projects.registry.vmware.com/vra/terraform:latest, that image might be out of date and contain vulnerabilities.

To build your own base image, use the following Dockerfile instead.

FROM alpine:latest as final
RUN apk add --no-cache git wget curl openssh