June 20-22 Announcing HashiConf Europe full schedule: keynotes, sessions, labs & more Register Now
  • Overview
    • Enforce Policy as Code
    • Infrastructure as Code
    • Inject Secrets into Terraform
    • Integrate with Existing Workflows
    • Manage Kubernetes
    • Manage Network Infrastructure
    • Manage Virtual Machine Images
    • Multi-Cloud Deployment
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
  • Registry
  • Tutorials
    • About the Docs
    • Intro to Terraform
    • Configuration Language
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
    • Provider Use
    • Plugin Development
    • Registry Publishing
    • Integration Program
    • Terraform Tools
    • CDK for Terraform
    • Glossary
  • Community
GitHubTerraform Cloud
Download

    Terraform Cloud and Enterprise

  • Overview
  • Plans and Features
  • Getting Started
    • API Docs template
    • Overview
    • Account
    • Agent Pools
    • Agent Tokens
    • Applies
    • Audit Trails
    • Comments
    • Configuration Versions
    • Cost Estimates
    • Feature Sets
    • Invoices
    • IP Ranges
    • Notification Configurations
    • OAuth Clients
    • OAuth Tokens
    • Organizations
    • Organization Memberships
    • Organization Tags
    • Organization Tokens
    • Plan Exports
    • Plans
    • Policies
    • Policy Checks
    • Policy Sets
    • Policy Set Parameters
      • Modules
      • Providers
      • Private Provider Versions and Platforms
      • GPG Keys
    • Runs
    • Run Tasks
    • Run Tasks Integration
    • Run Triggers
    • SSH Keys
    • State Versions
    • State Version Outputs
    • Subscriptions
    • Team Access
    • Team Membership
    • Team Tokens
    • Teams
    • User Tokens
    • Users
    • Variables
    • VCS Events
    • Workspaces
    • Workspace-Specific Variables
    • Workspace Resources
    • Variable Sets
      • Overview
      • Module Sharing
      • Organizations
      • Runs
      • Settings
      • Terraform Versions
      • Users
      • Workspaces
    • Changelog
    • Stability Policy
    • Overview
    • Creating Workspaces
    • Naming
    • Terraform Configurations
      • Overview
      • Managing Variables
      • Overview
      • VCS Connections
      • Access
      • Notifications
      • SSH Keys for Modules
      • Run Triggers
      • Run Tasks
    • Terraform State
    • JSON Filtering
    • Remote Operations
    • Viewing and Managing Runs
    • Run States and Stages
    • Run Modes and Options
    • UI/VCS-driven Runs
    • API-driven Runs
    • CLI-driven Runs
    • The Run Environment
    • Installing Software
    • Users
    • Teams
    • Organizations
    • Permissions
    • Two-factor Authentication
    • API Tokens
      • Overview
      • Microsoft Azure AD
      • Okta
      • SAML
      • Linking a User Account
      • Testing
    • Overview
    • GitHub.com
    • GitHub.com (OAuth)
    • GitHub Enterprise
    • GitLab.com
    • GitLab EE and CE
    • Bitbucket Cloud
    • Bitbucket Server and Data Center
    • Azure DevOps Services
    • Azure DevOps Server
    • Troubleshooting
    • Overview
    • Adding Public Providers and Modules
    • Publishing Private Providers
    • Publishing Private Modules
    • Using Providers and Modules
    • Configuration Designer
  • Migrating to Terraform Cloud
    • Overview
    • Using Sentinel with Terraform 0.12
    • Manage Policies
    • Enforce and Override Policies
    • Mocking Terraform Sentinel Data
    • Working With JSON Result Data
      • Overview
      • tfconfig
      • tfconfig/v2
      • tfplan
      • tfplan/v2
      • tfstate
      • tfstate/v2
      • tfrun
    • Example Policies
    • Overview
    • AWS
    • GCP
    • Azure
      • Overview
      • Service Catalog
      • Admin Guide
      • Developer Reference
      • Example Customizations
      • V1 Setup Instructions
    • Splunk Integration
    • Kubernetes Integration
    • Run Tasks Integration
    • Overview
    • IP Ranges
    • Data Security
    • Security Model
    • Overview
    • Part 1: Overview of Our Recommended Workflow
    • Part 2: Evaluating Your Current Provisioning Practices
    • Part 3: How to Evolve Your Provisioning Practices
    • Part 3.1: From Manual Changes to Semi-Automation
    • Part 3.2: From Semi-Automation to Infrastructure as Code
    • Part 3.3: From Infrastructure as Code to Collaborative Infrastructure as Code
    • Part 3.4: Advanced Workflow Improvements

  • Terraform Cloud Agents

  • Terraform Enterprise Admin

  • Other Docs

  • Intro to Terraform
  • Configuration Language
  • Terraform CLI
  • Terraform Cloud
  • Terraform Enterprise
  • Provider Use
  • Plugin Development
  • Registry Publishing
  • Integration Program
  • Terraform Tools
  • CDK for Terraform
  • Glossary
Type '/' to Search

»Publishing Private Modules to the Terraform Cloud Private Registry

Hands-on: Try the Share Modules in the Private Module Registry tutorial on HashiCorp Learn.

In addition to adding modules from the Terraform Registry, you can publish private modules to an organization's Terraform Cloud private registry. The registry handles downloads and controls access with Terraform Cloud API tokens, so consumers don't need access to the module's source repository, even when running Terraform from the command line.

The private registry uses your configured Version Control System (VCS) integrations and defers to your VCS provider for most management tasks. For example, your VCS provider handles new version releases. The only manual tasks are adding a new module and deleting module versions.

»Permissions

Private modules are only available to members of the organization where you add them. In Terraform Enterprise, they are also available to organizations that are configured to share modules with that organization.

Members of the owners team and teams with Manage Private Registry permissions can publish and delete modules from the private registry.

»Preparing a Module Repository

After you configure at least one connection to a VCS provider, you can publish a new module by specifying a properly formatted VCS repository (details below). The registry automatically detects the rest of the information it needs, including the module's name and its available versions.

A module repository must meet all of the following requirements before you can add it to the registry:

  • Location and permissions: The repository must be in one of your configured VCS providers, and Terraform Cloud's VCS user account must have admin access to the repository. The registry needs admin access to create the webhooks to import new module versions. GitLab repositories must be in the main organization or group, and not in any subgroups.

  • Named terraform-<PROVIDER>-<NAME>: Module repositories must use this three-part name format, where <NAME> reflects the type of infrastructure the module manages and <PROVIDER> is the main provider where it creates that infrastructure. The <PROVIDER> segment must be all lowercase. The <NAME> segment can contain additional hyphens. Examples: terraform-google-vault or terraform-aws-ec2-instance.

  • Standard module structure: The module must adhere to the standard module structure. This allows the registry to inspect your module and generate documentation, track resource usage, and more.

  • x.y.z tags for releases: At least one release tag must be present for you to publish a module. The registry uses release tags to identify module versions. Release tag names must be a semantic version, which can optionally be prefixed with a v. For example, v1.0.4 and 0.9.2. The registry ignores tags that do not look like version numbers.

»Publishing a New Module

You can publish modules through the UI as shown below or with the Registry Modules API. The API also supports publishing modules without a VCS repo as the source, which is not possible via the UI.

To publish a new module:

  1. Click Registry in the main navigation bar. The Registry page appears.

  2. Click Publish and select Module.

    Terraform Cloud screenshot: the "registry" button and the "+Add Module" button

    The Add Module page appears with a list of available repositories.

    Terraform Cloud screenshot: the "add module" page, with a repository name entered

  3. Select the repository containing the module you want to publish.

    You can search the list by typing part or all of a repository name into the filter field. Remember that VCS providers use <NAMESPACE>/<REPO NAME> strings to locate repositories. The namespace is an organization name for most providers, but Bitbucket Server (not Bitbucket Cloud) uses project keys, like INFRA.

  4. Click Publish module.

    Terraform Cloud displays a loading page while it imports the module versions and then takes you to the new module's details page. On the details page, you can view available versions, read documentation, and copy a usage example.

    Terraform Cloud screenshot: a module details page

»Releasing New Versions of a Module

To release a new version of a module, push a new release tag to its VCS repository. The registry will automatically import the new version.

Refer to Preparing a Module Repository for details about release tag requirements.

»Deleting Versions and Modules

Note: Deleting a tag from your VCS repository will not automatically remove the version from the private registry.

You can delete individual versions of a module or the entire module. If deleting a module version would leave a module with no versions, Terraform Cloud will remove the entire module. To delete a module or version:

  1. Navigate to the module's details page.

  2. If you want to delete a single version, use the Versions menu to select it.

  3. Click Delete module.

  4. Select an action from the menu:

    • Delete only this module version: Deletes only the version of the module you were viewing when you clicked Delete module.
    • Delete all versions for this provider for this module: Deletes the entire module for a single provider. This is important if you have modules with the same name but with different providers. For example, if you have module repos named terraform-aws-appserver and terraform-azure-appserver, the registry treats them as alternate providers of the same appserver module.
    • Delete all providers and versions for this module: Deletes all modules with this name, even if they are from different providers. For example, both terraform-aws-appserver and terraform-azure-appserver would be deleted.

    Terraform Cloud screenshot: the deletion dialog

  5. Type the module name and click Delete.

»Restoring a Deleted Module or Version

Deletion is permanent, but there are ways to restore deleted modules and module versions.

  • To restore a deleted module, re-add it as a new module.
  • To restore a deleted version, either delete the corresponding tag from your VCS and push a new tag with the same name, or delete the entire module from the registry and re-add it.

»Sharing Modules Across Organizations

Terraform Cloud does not typically allow one organization's workspaces to use private modules from a different organization. This is because Terraform Cloud gives Terraform temporary credentials to access modules that are only valid for that workspace's organization. Although it is possible to mix modules from multiple organizations when you run Terraform on the command line, we strongly recommend against it.

Instead, you can share modules across organizations by sharing the underlying VCS repository. Grant each organization access to the module's repository, and then add the module to each organization's registry. When you push tags to publish new module versions, both organizations will update accordingly.

In Terraform Enterprise version 202012-1 and later, the site admin can configure module sharing to allow organizations to use private modules from other organizations.

github logoEdit this page
  • Overview
  • Docs
  • Extend
  • Privacy
  • Security
  • Press Kit
  • Consent Manager