🔐 What is the Private Module Registry?
The Private Module Registry (PMR) allows you to:
Publish internal Terraform modules
Version, document, and share reusable infrastructure code
Enforce use of approved infrastructure patterns
Works like Terraform public registry, but scoped to your org
✅ Only available in Terraform Cloud (Free+) and Terraform Enterprise
🧱 Why Use It?
✅ Benefit | 🌐 Public Module Registry | 🔐 Private Module Registry |
Share modules within team/org | ❌ No | ✅ Yes |
Control versioning | ❌ No | ✅ Yes |
Restrict external module use | ❌ No | ✅ Yes (with Sentinel) |
Automatically register modules | ❌ | ✅ Via VCS integration |
Document module inputs/outputs | ❌ | ✅ UI auto-generates docs |
🧰 Supported VCS Providers for Module Source
GitHub.com
GitHub Enterprise
GitLab.com
GitLab CE/EE
Bitbucket.org
Azure Repos (via API)
📦 Module Naming Convention (Important!)
Terraform detects modules from VCS repos using this naming pattern:
<PROVIDER>-<NAME>
e.g., aws-network, azurerm-storage, google-cloudrun
You must follow this for auto-discovery.
Example Git repo name:
aws-vpc
📂 Example: Create & Use a Private Module
Step 1: ✅ Create a Module Repo
Repo name: aws-vpc
Directory structure:
aws-vpc/
├── main.tf
├── variables.tf
├── outputs.tf
├── README.md
Example: main.tf
resource "aws_vpc" "main" {
cidr_block = var.cidr_block
tags = {
Name = var.name
}
}
Example: variables.tf
variable "cidr_block" {
type = string
}
variable "name" {
type = string
}
Example: outputs.tf
output "vpc_id" {
value = aws_vpc.main.id
}
Step 2: 🔁 Push to GitHub / GitLab / Azure DevOps
Push the repo and create a tag:
git tag v1.0.0
git push origin v1.0.0
Terraform will detect this tag/version automatically.
Step 3: 🔄 Connect Registry to VCS in Terraform Cloud
Go to your Terraform Cloud UI → Modules
Click "Add Module"
Choose your VCS provider and repo (aws-vpc)
Terraform imports all .tf files and docs
Module is now available in your registry
🧪 Step 4: Use the Module in Code
main.tf of another project:
terraform {
required_version = ">= 1.0.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
}
}
}
module "vpc" {
source = "app.terraform.io/my-org/aws-vpc/aws"
version = "1.0.0"
cidr_block = "10.0.0.0/16"
name = "corp-vpc"
}
✅ Auto-completion, module docs, input/output references are shown in the TFC UI
🏷️ Bonus: How to Restrict to Only Private Modules
With Sentinel, you can enforce use of only approved modules.
Example Sentinel Policy:
import "tfplan/v2" as tfplan
main = rule {
all tfplan.module_calls as m {
m.source startswith "app.terraform.io/my-org/"
}
}
✅ Summary
Step | What to Do |
Create Module Repo | Use naming format aws-vpc, include version tag v1.0.0 |
VCS Integration | Link Terraform Cloud to your GitHub/GitLab |
Auto-discovery | Terraform detects module version from Git tags |
Use in Workspaces | Use source = "app.terraform.io/org/module/provider" |
Control Access | Use RBAC for team/module visibility |
Policy Enforcement | Use Sentinel to restrict module sources |
No comments:
Post a Comment