Terraform in internet restricted networks on AWS

Adithya
2 min read · Oct 30, 2021


In the usual setup, Terraform downloads provider binaries from the internet. In a restricted network with no route to those downloads, Terraform cannot even initialise. I was faced with a similar situation at work, but on GCP, and GCP handles private API endpoint connectivity differently from AWS, so I decided to try the same thing on AWS. The goal: create an S3 bucket with Terraform from a VM that has no internet access.
The Terraform file we start with:

  terraform {
    required_providers {
      aws = {
        source = "hashicorp/aws"
      }
    }
  }

  provider "aws" {
    region = "us-east-1"
  }

  resource "aws_s3_bucket" "def_s3_bucket" {
    # S3 bucket names allow only lowercase letters, digits, dots and hyphens
    bucket = "def-s3-bucket-f4w90u"
    acl    = "private"

    tags = {
      Name        = "My bucket"
      Environment = "Dev"
    }
  }

terraform init fails because it cannot reach the Terraform registry on the internet to download the provider.

Download the AWS provider from here on a machine that has internet access and copy it to the VM. Then place the file as shown below. Terraform searches a few local directories for provider plugins before contacting the registry, and this is one of those paths.
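The following script is an added example, not part of the original post: it stages a provider binary you have already downloaded and unzipped into the layout Terraform (0.13 and later) expects in its implied local mirror under ~/.terraform.d/plugins, checks the download against the SHA-256 you copied from the release's SHA256SUMS file, and writes a CLI config that forbids falling back to the registry so a broken mirror fails loudly rather than hanging on a blocked network call. The provider version 3.63.0, the binary name terraform-provider-aws_v3.63.0_x5, and the linux_amd64 platform are assumptions; substitute whatever you downloaded.

```shell
#!/bin/sh
# Added example (not from the original post). Stages a pre-downloaded AWS
# provider into Terraform's implied local mirror so `terraform init` resolves
# hashicorp/aws without network access.
# Assumptions: Terraform >= 0.13 mirror layout; version/platform/binary name
# below are placeholders for whatever you actually downloaded.
set -eu

# Mirror path Terraform searches for a provider:
#   <base>/<registry host>/<namespace>/<type>/<version>/<os>_<arch>/
provider_mirror_dir() {
    # $1 = base plugin dir (e.g. $HOME/.terraform.d/plugins)
    # $2 = provider version, $3 = platform (e.g. linux_amd64)
    printf '%s/registry.terraform.io/hashicorp/aws/%s/%s\n' "$1" "$2" "$3"
}

# Copy the (already unzipped) provider binary into the mirror layout and make
# it executable; prints the staged path.
stage_provider() {
    # $1 = base plugin dir, $2 = version, $3 = platform, $4 = provider binary
    dest=$(provider_mirror_dir "$1" "$2" "$3")
    mkdir -p "$dest"
    cp "$4" "$dest/"
    chmod 0755 "$dest/$(basename "$4")"
    printf '%s/%s\n' "$dest" "$(basename "$4")"
}

# Compare a file's SHA-256 with the digest copied from the release's
# SHA256SUMS (check the zip before unzipping, since that is what is signed).
# Returns non-zero on mismatch so a tampered or corrupted copy is never used.
verify_sha256() {
    # $1 = file, $2 = expected hex digest
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Write a Terraform CLI config (~/.terraformrc) that serves hashicorp/*
# only from the mirror and never from the registry.
write_terraformrc() {
    # $1 = config file to write, $2 = absolute mirror base dir
    cat > "$1" <<EOF
provider_installation {
  filesystem_mirror {
    path    = "$2"
    include = ["hashicorp/*"]
  }
  direct {
    exclude = ["hashicorp/*"]
  }
}
EOF
}

# Typical use on the VM (paths and version are assumptions):
#   verify_sha256 terraform-provider-aws_3.63.0_linux_amd64.zip <digest from SHA256SUMS>
#   unzip terraform-provider-aws_3.63.0_linux_amd64.zip
#   stage_provider "$HOME/.terraform.d/plugins" 3.63.0 linux_amd64 terraform-provider-aws_v3.63.0_x5
#   write_terraformrc "$HOME/.terraformrc" "$HOME/.terraform.d/plugins"
#   terraform init
```

The explicit provider_installation block is optional, since the implied mirror is consulted anyway, but on an air-gapped host it turns a missing or mis-versioned binary into an immediate "provider not available" error instead of a long registry timeout.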

init now works, but plan/apply will still fail because the AWS APIs the provider needs, STS and the service whose resources we are creating (S3 in this case), are not reachable from the VM. STS is required because we are using an IAM instance profile and the provider makes a get-caller-identity call at startup. To overcome this, create VPC endpoints for STS and S3 and update the provider config with the custom endpoint.
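As an added example (not from the original post), here are the two endpoints created with the AWS CLI, followed by the same get-caller-identity call the provider makes, so you can confirm STS is reachable before running terraform plan. S3 gets a gateway endpoint, which works through the route table and needs no custom URL in the provider; STS gets an interface endpoint with private DNS enabled, so the regional STS hostname used in the provider's endpoints block resolves to the endpoint's ENI inside the VPC. VPC_ID, RTB_ID, SUBNET_ID and SG_ID are placeholders for your own resources, and the AWS variable lets you dry-run the calls with AWS=echo.

```shell
#!/bin/sh
# Added example (not from the original post). Creates the VPC endpoints the
# post describes and checks STS from inside the VPC with the AWS CLI.
# Assumptions: AWS CLI v2 on the VM, an instance profile allowed to call
# ec2:CreateVpcEndpoint, and placeholder ids supplied via the environment.
set -eu

AWS=${AWS:-aws}            # set AWS=echo to print the commands instead
REGION=${REGION:-us-east-1}

# Endpoint service name for an AWS service in this region.
service_name() {           # $1 = short service name (s3, sts, ...)
    printf 'com.amazonaws.%s.%s\n' "$REGION" "$1"
}

# Gateway endpoint: S3 traffic is routed privately via the route table, so
# the provider keeps talking to the normal regional S3 hostname.
create_s3_gateway_endpoint() {       # $1 = vpc id, $2 = route table id
    "$AWS" ec2 create-vpc-endpoint \
        --vpc-endpoint-type Gateway \
        --vpc-id "$1" \
        --service-name "$(service_name s3)" \
        --route-table-ids "$2"
}

# Interface endpoint: with private DNS on, sts.<region>.amazonaws.com resolves
# to the endpoint ENI, matching the URL in the provider's endpoints block.
# The security group should allow only TCP/443 from the VPC CIDR.
create_sts_interface_endpoint() {    # $1 = vpc id, $2 = subnet id, $3 = sg id
    "$AWS" ec2 create-vpc-endpoint \
        --vpc-endpoint-type Interface \
        --vpc-id "$1" \
        --service-name "$(service_name sts)" \
        --subnet-ids "$2" \
        --security-group-ids "$3" \
        --private-dns-enabled
}

# The call the provider makes on every plan/apply; if this hangs or fails
# from the VM, Terraform will fail the same way.
check_sts_reachable() {
    "$AWS" sts get-caller-identity \
        --endpoint-url "https://sts.${REGION}.amazonaws.com" \
        --query Arn --output text
}

# Run end to end only when invoked as `./endpoints.sh run` with the ids set.
if [ "${1:-}" = "run" ]; then
    create_s3_gateway_endpoint "${VPC_ID:?}" "${RTB_ID:?}"
    create_sts_interface_endpoint "${VPC_ID:?}" "${SUBNET_ID:?}" "${SG_ID:?}"
    check_sts_reachable
fi
```

Interface endpoints are created in a pending state and take a minute or two to become available, so expect the first get-caller-identity call right after creation to fail even when everything is configured correctly.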

  terraform {
    required_providers {
      aws = {
        source = "hashicorp/aws"
      }
    }
  }

  provider "aws" {
    region = "us-east-1"

    # Skip the EC2 and account-id lookups that need APIs we cannot reach
    skip_get_ec2_platforms     = true
    skip_requesting_account_id = true

    # Regional STS hostname, served by the STS interface endpoint
    endpoints {
      sts = "https://sts.us-east-1.amazonaws.com"
    }
  }

  resource "aws_s3_bucket" "def_s3_bucket" {
    # S3 bucket names allow only lowercase letters, digits, dots and hyphens
    bucket = "def-s3-bucket-f4w90u"
    acl    = "private"

    tags = {
      Name        = "My bucket"
      Environment = "Dev"
    }
  }

The AWS provider also contacts HashiCorp's Checkpoint service (version and security bulletin checks), which will fail in a restricted network. Disable it by exporting the environment variable: export CHECKPOINT_DISABLE=1. More on the Checkpoint service.

Plan and apply should work now.
