
Terraform Provider Mirror for Air-Gapped CI Prompt

Set up a Terraform provider mirror (filesystem or network mirror) and `.terraformrc` so `terraform init` works in air-gapped or rate-limited CI without reaching the public registry.

Target user: Engineers running Terraform in restricted networks or hardened CI
Difficulty: Beginner
Tools: Claude, ChatGPT

The prompt

You are a build engineer who has made `terraform init` reliable in air-gapped and rate-limited environments by mirroring providers instead of hitting registry.terraform.io.

I will provide:
- Where Terraform runs (CI runner, locked-down network, proxy rules)
- The providers and versions we use (or our `.terraform.lock.hcl`)
- Whether we can host an internal HTTP server / artifact store or only have a shared filesystem

Your job:

1. **Why mirror** — explain the failure modes you're solving: registry rate limits (`429`), no outbound internet, and non-reproducible builds when a provider version disappears.

2. **Choose the mirror type** — filesystem mirror (a directory of provider zips, good for shared volumes) vs network mirror (an HTTP server speaking the provider mirror protocol, good for many runners). Recommend one for the described setup.

3. **Populate it** — show `terraform providers mirror ./mirror` to download every provider in the config (all platforms you need with `-platform=linux_amd64` etc.), and the resulting directory layout.

4. **Wire the CLI config** — write the `.terraformrc` / `TF_CLI_CONFIG_FILE` with a `provider_installation` block using `filesystem_mirror` (or `network_mirror`) plus a `direct { exclude = ["*/*"] }` so init never falls back to the public registry.

5. **Lock file discipline** — explain `.terraform.lock.hcl`: commit it, include hashes for every platform CI runs on (`terraform providers lock -platform=...`), and why a missing platform hash breaks init even with a mirror.

6. **CI wiring** — the env vars and steps so a fresh runner inits offline; cache the mirror; verify with a no-network test.

7. **Updating** — the workflow to add or bump a provider: update config, re-run mirror, re-lock all platforms, commit.

Output as: (a) mirror-type recommendation, (b) the mirror populate commands, (c) the `.terraformrc` block, (d) the lock-file/platform commands, (e) the CI step that proves init works with networking disabled.

Bias toward: pinning and committing the lock file, excluding the public registry entirely in restricted CI, and locking hashes for every platform you run on.
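
A pre-flight for steps 3 to 5 of the prompt, as an added example that is not part of the original prompt or of any project's code: it writes the mirror-only CLI config and lists every provider package the committed lock file requires but the mirror lacks. The function names, paths and sample lock file are assumptions, and it assumes the packed layout that `terraform providers mirror` writes (`HOSTNAME/NAMESPACE/TYPE/terraform-provider-TYPE_VERSION_OS_ARCH.zip`).

```shell
#!/bin/sh
# Added example: pre-flight for an offline filesystem mirror. Function names,
# paths and the sample lock file are assumptions/constructed, not from the page.

# Write a CLI config that installs from the mirror only (step 4 of the prompt).
write_cli_config() {  # $1 = mirror dir, $2 = config file to write
  cat > "$2" <<EOF
provider_installation {
  filesystem_mirror {
    path = "$1"
  }
  direct {
    exclude = ["*/*"]
  }
}
EOF
}

# Print "source-address version" for each provider block in a lock file.
locked_providers() {  # $1 = .terraform.lock.hcl
  awk -F'"' '/^provider "/ { addr = $2 }
             /^[ \t]*version[ \t]*=/ { print addr, $2 }' "$1"
}

# Print every packed-layout zip the mirror lacks for the wanted platforms.
missing_packages() {  # $1 = lock file, $2 = mirror dir, $3... = platforms
  lock=$1; mirror=$2; shift 2
  locked_providers "$lock" | while read -r addr ver; do
    for plat in "$@"; do
      zip="$mirror/$addr/terraform-provider-${addr##*/}_${ver}_${plat}.zip"
      [ -f "$zip" ] || echo "$zip"
    done
  done
}

# Demo on constructed data: one provider locked, mirrored for linux_amd64 only.
demo=$(mktemp -d)
cat > "$demo/.terraform.lock.hcl" <<'EOF'
provider "registry.terraform.io/hashicorp/null" {
  version = "3.2.2"
  hashes  = ["h1:CONSTRUCTED-PLACEHOLDER="]
}
EOF
pdir="$demo/mirror/registry.terraform.io/hashicorp/null"
mkdir -p "$pdir"
: > "$pdir/terraform-provider-null_3.2.2_linux_amd64.zip"
write_cli_config "$demo/mirror" "$demo/terraformrc"
missing_packages "$demo/.terraform.lock.hcl" "$demo/mirror" linux_amd64 linux_arm64
```

In CI, point `TF_CLI_CONFIG_FILE` at the written file and fail the job if `missing_packages` prints anything, before `terraform init` runs.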