Terraform/OpenTofu and Terraform Backend Repositories

JFrog Artifactory Documentation

The Terraform Registry in JFrog Artifactory acts as a private, secure, and centralized repository for managing Terraform providers and modules within your organization. It allows teams to store, version, and share their custom or third-party Terraform components, ensuring consistent and reliable infrastructure-as-code (IaC) workflows.

JFrog provides a fully-fledged Terraform repository solution, giving you full control over your deployment and the resolution process of Terraform Modules, Providers, and Backend packages.

Terraform is an infrastructure as code (IaC) tool that allows developers to build, change, and version infrastructure safely and efficiently. Terraform configurations are written in the HCL language and stored in plain text files with the .tf file extension. For more information, see the Terraform Language.

Artifactory supports two types of Terraform registries:

  • Terraform Registry: The Terraform/OpenTofu registry in Artifactory allows you to create dedicated repositories for each of the following unique Terraform components:

    • Providers: A set of plugins that interact with cloud providers, SaaS providers, and other APIs.

      Artifactory supports two modes of operation for Terraform providers:

      • Provider Registry Protocol: Available from version 7.125 (Cloud and Self-managed). In this mode, the registry is the official, authoritative source for providers hosted under your hostname. Terraform is designed to automatically discover and trust these registries using a standardized protocol. This means users can consume providers without any extra configuration in their CLI, beyond a one-time terraform login for private registries. To enable this, the registry must handle GPG-based signing to secure and verify the providers it serves.

      • Network Mirror: Creates a local cache for Terraform providers. This requires you to manually add a network_mirror configuration to your Terraform CLI settings. With this setup, Terraform checks the downloaded files for corruption using checksums but relies on the original source for GPG signature trust.

    • Modules: Serve as containers for multiple resources that are used together. Modules contain a collection of .tf files kept together in a directory.

      The Modules and Providers have different settings for local repositories, but are the same when it comes to configuring remote and virtual repositories.

      Terraform Modules are Terraform configurations that can be called and configured by other configurations. They serve as containers for multiple resources that are used together. They contain a collection of .tf files kept together in a directory. To create a module, pack all your .tf files into a Zip archive and deploy to the Terraform local repository. For more information, see Creating Terraform Modules.

  • Terraform Backend: A dedicated Remote State Storage Provider. It works together with and in parallel to the Terraform registry.

    From JFrog Artifactory 7.38.4, the Terraform Backend repository serves as a dedicated Remote State Storage Provider. It works together with and in parallel to the Terraform registry, which also serves as the dedicated Terraform registry for hosting your modules and providers in the JFrog Platform. For more information, see Terraform Backends.

    Each Terraform Module can have an associated Backend that defines how operations are executed and a state file that tracks the resources created by your configuration and maps them to real-world resources. Certain backends support multiple named workspaces, allowing multiple states to be associated with a single configuration. The configuration still has only one backend, but multiple distinct instances of that configuration can be deployed without configuring a new backend or changing authentication credentials.

    Warning

    JFrog Artifactory provides encryption for Terraform state files stored in its backend repositories. The state files are encrypted using the Master Key. This encryption ensures that sensitive data within the Terraform state files is protected from unauthorized access. It is crucial to safeguard the master.key. If the master.key is lost, the state files that rely on it for encryption are not recoverable. Therefore, take proper measures to securely back up the master.key to prevent the loss of data secured by encryption.

    Did you know?

    Each Terraform configuration can specify a backend, which defines where and how operations are performed including where the snapshots are stored and more. Terraform uses persistent State data to keep track of the resources it manages and includes information on how real-world infrastructure objects correspond to the resources in a configuration. All users working on the collection of infrastructure resources need access to the same state data. For more information, see Terraform States.

    State Locking

    Terraform automatically locks all your operations that can change the State to prevent others from acquiring the lock and potentially damaging your state.

    JFrog Terraform Backend Repository Meets the HashiCorp Standards

    In the first half of 2022, HashiCorp announced the deprecation of a number of legacy providers, including the legacy artifactory provider. That provider, created and maintained by HashiCorp, served as a basic backend that only stored States in a generic JFrog repository.

    To avoid confusion, please note that the official JFrog Artifactory Terraform Backend repository, described in this article, is unaffected by the HashiCorp artifactory backend provider deprecation action.

    As part of JFrog's alignment with common HashiCorp practices, the JFrog Terraform Backend repository supports the official HashiCorp enterprise-grade Terraform backend provider, and supports features such as locking, encoding of the data, smart comparisons, and additional common practices.

    Note

    Replication of Terraform Backend Repositories is fully supported from Artifactory version 7.77.x and later. To perform replication of Terraform Backend Repositories between two different Artifactory platforms, you must disable the encryptStates flag (i.e. set it to false) in the Local Repository Configuration JSON (the default value for this flag is true). For more information, see Repository Configuration JSON.
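
A check for the flag described in the note above, as an added example (not JFrog's own code): it scans exported repository configuration JSON for local Terraform Backend repositories where encryptStates has been turned off, treating a missing flag as the documented default of true. The key, rclass and packageType field names and the terraformbackend value are assumptions, and the sample configurations are constructed.

```python
import json

# Constructed sample of repository configuration JSON documents.
# Field names other than encryptStates are assumptions for this example.
SAMPLE_CONFIGS = json.loads("""
[
  {"key": "tf-state-prod",    "rclass": "local", "packageType": "terraformbackend", "encryptStates": false},
  {"key": "tf-state-dev",     "rclass": "local", "packageType": "terraformbackend"},
  {"key": "tf-state-staging", "rclass": "local", "packageType": "terraformbackend", "encryptStates": "false"},
  {"key": "tf-modules",       "rclass": "local", "packageType": "terraform"},
  {"key": "tf-state-dr",      "rclass": "local", "packageType": "TerraformBackend", "encryptStates": true}
]
""")

BACKEND_TYPE = "terraformbackend"  # assumed packageType value for backend repos


def encrypt_states_enabled(repo):
    """Effective encryptStates value; an absent flag means the default (true)."""
    value = repo.get("encryptStates", True)
    if isinstance(value, str):  # tolerate hand-edited "false" / "true" strings
        return value.strip().lower() != "false"
    return bool(value)


def unencrypted_backends(configs):
    """Return keys of local Terraform Backend repos with state encryption off."""
    findings = []
    for repo in configs:
        if repo.get("rclass") != "local":
            continue  # the flag lives in the local repository configuration
        if str(repo.get("packageType", "")).lower() != BACKEND_TYPE:
            continue  # module/provider registries hold no state files
        if not encrypt_states_enabled(repo):
            findings.append(repo.get("key", "<missing key>"))
    return sorted(findings)


if __name__ == "__main__":
    for key in unencrypted_backends(SAMPLE_CONFIGS):
        print(f"{key}: encryptStates is false, state encryption is disabled")
```

Repositories the check reports should be limited to the ones that actually take part in cross-platform replication.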

Note

After the initial configuration, all Terraform documentation instructions also apply to OpenTofu.

Benefits

  • The Terraform Registry in the JFrog Platform offers the following benefits:

    • Secure and private local Terraform Modules registry

    • Secure and private local Terraform Providers registry

    • Proxy remote Terraform Module and Provider resources with caching to keep you independent of the network and the remote resource.

    • Virtual Terraform repositories that support a single URL through which to manage the resolution and deployment of all your Terraform Modules and Providers.

  • The Terraform Backend Repository in the JFrog Platform offers the following benefits:

    • A Remote State Storage Provider

    • Support for multiple Workspaces

    • Built-in Secure State Encryption storage

    • Comprehensive State snapshot history

    • State content viewer with advanced search abilities

Available From:

  • Terraform: From JFrog Artifactory version 7.38.4

  • Terraform Backend: From JFrog Artifactory version 7.38.4

  • OpenTofu to manage Terraform Resources: From JFrog Artifactory version 7.81.0
