How to Authenticate to a Terraform Module Registry in CI
terraform init downloads modules, so a private registry or private Git source needs credentials supplied through a CLI credentials block or Git config.
For a private registry, provide a credentials block (or TF_TOKEN_<host>). For Git-sourced modules, inject a token so git can clone during init. Both take effect at terraform init.
Registry token
.github/workflows/ci.yml
env:
TF_TOKEN_registry_example_com: ${{ secrets.REGISTRY_TOKEN }}
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
- run: terraform init -input=falsePrivate Git module source
.github/workflows/ci.yml
steps:
- run: git config --global url."https://${{ secrets.GH_PAT }}@github.com/".insteadOf "https://github.com/"
- run: terraform init -input=falseGotchas
- The
TF_TOKEN_<host>var uses underscores for dots in the hostname (registry.example.com to registry_example_com). - Prefer a short-lived token or app installation token over a long-lived PAT for Git module access.
Related guides
How to Trigger Terraform Cloud and HCP Runs From CIDrive remote plan and apply on HCP Terraform (Terraform Cloud) from GitHub Actions with a cloud block and a T…
How to Pin and Cache Terraform Providers in CIPin provider versions with required_providers and a committed .terraform.lock.hcl, then cache the plugin dire…