github.com/hs0210/hashicorp-terraform@v0.11.12-beta1/website/docs/modules/sources.html.markdown (about)

     1  ---
     2  layout: "docs"
     3  page_title: "Module Sources"
     4  sidebar_current: "docs-modules-sources"
     5  description: The source argument within a module block specifies the location of the source code of a child module.
     6  ---
     7  
     8  # Module Sources
     9  
    10  As introduced in [the _Usage_ section](/docs/modules/usage.html), the `source`
    11  argument in a `module` block tells Terraform where to find the source code
    12  for the desired child module.
    13  
    14  Terraform uses this during the module installation step of `terraform init`
    15  to download the source code to a directory on local disk so that it can be
    16  used by other Terraform commands.
    17  
    18  The module installer supports installation from a number of different source
    19  types, as listed below.
    20  
    21    * [Local paths](#local-paths)
    22  
    23    * [Terraform Registry](#terraform-registry)
    24  
    25    * [GitHub](#github)
    26  
    27    * [Bitbucket](#bitbucket)
    28  
    29    * Generic [Git](#generic-git-repository), [Mercurial](#generic-mercurial-repository) repositories
    30  
    31    * [HTTP URLs](#http-urls)
    32  
    33    * [S3 buckets](#s3-bucket)
    34  
    35  Each of these is described in the following sections. Module source addresses
    36  use a _URL-like_ syntax, but with extensions to support unambiguous selection
    37  of sources and additional features.
    38  
    39  We recommend using local file paths for closely-related modules used primarily
    40  for the purpose of factoring out repeated code elements, and using a native
    41  Terraform module registry for modules intended to be shared by multiple calling
    42  configurations. We support other sources so that you can potentially distribute
    43  Terraform modules internally with existing infrastructure.
    44  
    45  Many of the source types will make use of "ambient" credentials available
    46  when Terraform is run, such as from environment variables or credentials files
    47  in your home directory. This is covered in more detail in each of the following
    48  sections.
    49  
    50  We recommend placing each module that is intended to be re-usable in the root
    51  of its own repository or archive file, but it is also possible to
    52  [reference modules from subdirectories](#modules-in-package-sub-directories).
    53  
    54  ## Local Paths
    55  
    56  Local path references allow for factoring out portions of a configuration
    57  within a single source repository.
    58  
    59  ```hcl
    60  module "consul" {
    61    source = "./consul"
    62  }
    63  ```
    64  
    65  A local path must begin with either `./` or `../` to indicate that a local
    66  path is intended, to distinguish from
    67  [a module registry address](#terraform-registry).
    68  
    69  Local paths are special in that they are not "installed" in the same sense
    70  that other sources are: the files are already present on local disk (possibly
    71  as a result of installing a parent module) and so can just be used directly.
    72  Their source code is automatically updated if the parent module is upgraded.
    73  
    74  ## Terraform Registry
    75  
    76  A module registry is the native way of distributing Terraform modules for use
    77  across multiple configurations, using a Terraform-specific protocol that
    78  has full support for module versioning.
    79  
    80  [Terraform Registry](https://registry.terraform.io/) is an index of modules
    81  shared publicly using this protocol. This public registry is the easiest way
    82  to get started with Terraform and find modules created by others in the
    83  community.
    84  
    85  You can also use a
    86  [private registry](/docs/registry/private.html), either
    87  via the built-in feature from Terraform Enterprise, or by running a custom
    88  service that implements
    89  [the module registry protocol](/docs/registry/api.html).
    90  
    91  Modules on the public Terraform Registry can be referenced using a registry
    92  source address of the form `<NAMESPACE>/<NAME>/<PROVIDER>`, with each
    93  module's information page on the registry site including the exact address
    94  to use.
    95  
    96  ```hcl
    97  module "consul" {
    98    source = "hashicorp/consul/aws"
    99    version = "0.1.0"
   100  }
   101  ```
   102  
   103  The above example will use the
   104  [Consul module for AWS](https://registry.terraform.io/modules/hashicorp/consul/aws)
   105  from the public registry.
   106  
   107  For modules hosted in other registries, prefix the source address with an
   108  additional `<HOSTNAME>/` portion, giving the hostname of the private registry:
   109  
   110  ```hcl
   111  module "consul" {
   112    source = "app.terraform.io/example-corp/k8s-cluster/azurerm"
   113    version = "1.1.0"
   114  }
   115  ```
   116  
   117  If you are using the managed version of Terraform Enterprise, its private
   118  registry hostname is `app.terraform.io`. If you are using Terraform Enterprise
   119  on-premises, its private registry hostname is the same hostname you use to
   120  access your Terraform Enterprise instance.
   121  
   122  Registry modules support versioning. You can provide a specific version as shown
   123  in the above examples, or use flexible
   124  [version constraints](/docs/modules/usage.html#module-versions).
   125  
   126  You can learn more about the registry at the
   127  [Terraform Registry documentation](/docs/registry/modules/use.html#using-modules).
   128  
   129  To access modules from a private registry, you may need to configure an access
   130  token [in the CLI config](/docs/commands/cli-config.html#credentials). Use the
   131  same hostname as used in the module source string. For a private registry
   132  within Terraform Enterprise, use the same authentication token as you would
   133  use with the Enterprise API or command-line clients.
   134  
   135  ## GitHub
   136  
   137  Terraform will recognize unprefixed `github.com` URLs and interpret them
   138  automatically as Git repository sources.
   139  
   140  ```hcl
   141  module "consul" {
   142    source = "github.com/hashicorp/example"
   143  }
   144  ```
   145  
   146  The above address scheme will clone over HTTPS. To clone over SSH, use the
   147  following form:
   148  
   149  ```hcl
   150  module "consul" {
   151    source = "git@github.com:hashicorp/example.git"
   152  }
   153  ```
   154  
   155  These GitHub schemes are treated as convenient aliases for
   156  [the general Git repository address scheme](#generic-git-repository), and so
   157  they obtain credentials in the same way and support the `ref` argument for
   158  selecting a specific revision. You will need to configure credentials in
   159  particular to access private repositories.
   160  
   161  ## Bitbucket
   162  
   163  Terraform will recognize unprefixed `bitbucket.org` URLs and interpret them
   164  automatically as BitBucket repositories:
   165  
   166  ```hcl
   167  module "consul" {
   168    source = "bitbucket.org/hashicorp/terraform-consul-aws"
   169  }
   170  ```
   171  
   172  This shorthand works only for public repositories, because Terraform must
   173  access the BitBucket API to learn if the given repository uses Git or Mercurial.
   174  
   175  Terraform treats the result either as [a Git source](#generic-git-repository)
   176  or [a Mercurial source](#generic-mercurial-repository) depending on the
   177  repository type. See the sections on each version control type for information
   178  on how to configure credentials for private repositories and how to specify
   179  a specific revision to install.
   180  
   181  ## Generic Git Repository
   182  
   183  Arbitrary Git repositories can be used by prefixing the address with the
   184  special `git::` prefix. After this prefix, any valid
   185  [Git URL](https://git-scm.com/docs/git-clone#_git_urls_a_id_urls_a)
   186  can be specified to select one of the protocols supported by Git.
   187  
   188  For example, to use HTTPS or SSH:
   189  
   190  ```hcl
   191  module "vpc" {
   192    source = "git::https://example.com/vpc.git"
   193  }
   194  
   195  module "storage" {
   196    source = "git::ssh://username@example.com/storage.git"
   197  }
   198  ```
   199  
   200  Terraform installs modules from Git repositories by running `git clone`, and
   201  so it will respect any local Git configuration set on your system, including
   202  credentials. To access a non-public Git repository, configure Git with
   203  suitable credentials for that repository.
   204  
   205  If you use the SSH protocol then any configured SSH keys will be used
   206  automatically. This is the most common way to access non-public Git
   207  repositories from automated systems beacuse it is easy to configure
   208  and allows access to private repositories without interactive prompts.
   209  
   210  If using the HTTP/HTTPS protocol, or any other protocol that uses
   211  username/password credentials, configure
   212  [Git Credentials Storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage)
   213  to select a suitable source of credentials for your environment.
   214  
   215  If your Terraform configuration will be used within [Terraform Enterprise](https://www.hashicorp.com/products/terraform),
   216  only SSH key authentication is supported, and
   217  [keys can be configured on a per-workspace basis](/docs/enterprise/workspaces/ssh-keys.html).
   218  
   219  ### Selecting a Revision
   220  
   221  By default, Terraform will clone and use the default branch (referenced by
   222  `HEAD`) in the selected repository. You can override this using the
   223  `ref` argument:
   224  
   225  ```hcl
   226  module "vpc" {
   227    source = "git::https://example.com/vpc.git?ref=v1.2.0"
   228  }
   229  ```
   230  
   231  The value of the `ref` argument can be any reference that would be accepted
   232  by the `git checkout` command, including branch and tag names.
   233  
   234  ## Generic Mercurial Repository
   235  
   236  You can use arbitrary Mercurial repositories by prefixing the address with the
   237  special `hg::` prefix. After this prefix, any valid
   238  [Mercurial URL](https://www.mercurial-scm.org/repo/hg/help/urls)
   239  can be specified to select one of the protocols supported by Mercurial.
   240  
   241  ```hcl
   242  module "vpc" {
   243    source = "hg::http://example.com/vpc.hg"
   244  }
   245  ```
   246  
   247  Terraform installs modules from Mercurial repositories by running `hg clone`, and
   248  so it will respect any local Mercurial configuration set on your system,
   249  including credentials. To access a non-public repository, configure Mercurial
   250  with suitable credentials for that repository.
   251  
   252  If you use the SSH protocol then any configured SSH keys will be used
   253  automatically. This is the most common way to access non-public Mercurial
   254  repositories from automated systems beacuse it is easy to configure
   255  and allows access to private repositories without interactive prompts.
   256  
   257  If your Terraform configuration will be used within [Terraform Enterprise](https://www.hashicorp.com/products/terraform),
   258  only SSH key authentication is supported, and
   259  [keys can be configured on a per-workspace basis](/docs/enterprise/workspaces/ssh-keys.html).
   260  
   261  ### Selecting a Revision
   262  
   263  You can select a non-default branch or tag using the optional `ref` argument:
   264  
   265  ```hcl
   266  module "vpc" {
   267    source = "hg::http://example.com/vpc.hg?ref=v1.2.0"
   268  }
   269  ```
   270  
   271  ## HTTP URLs
   272  
   273  When you use an HTTP or HTTPS URL, Terraform will make a `GET` request to
   274  the given URL, which can return _another_ source address. This indirection
   275  allows using HTTP URLs as a sort of "vanity redirect" over a more complicated
   276  module source address.
   277  
   278  Terraform will append an additional query string argument `terraform-get=1` to
   279  the given URL before sending the `GET` request, allowing the server to
   280  optionally return a different result when Terraform is requesting it.
   281  
   282  If the response is successful (`200`-range status code), Terraform looks in
   283  the following locations in order for the next address to access:
   284  
   285  * The value of a response header field named `X-Terraform-Get`.
   286  
   287  * If the response is an HTML page, a `meta` element with the name `terraform-get`:
   288  
   289    ```html
   290    <meta name="terraform-get"
   291          content="github.com/hashicorp/example" />
   292    ```
   293  
   294  In either case, the result is interpreted as another module source address
   295  using one of the forms documented elsewhere on this page.
   296  
   297  If an HTTP/HTTPS URL requires authentication credentials, use a `.netrc`
   298  file in your home directory to configure these. For information on this format,
   299  see [the documentation for using it in `curl`](https://ec.haxx.se/usingcurl-netrc.html).
   300  
   301  ### Fetching archives over HTTP
   302  
   303  As a special case, if Terraform detects that the URL has a common file
   304  extension associated with an archive file format then it will bypass the
   305  special `terraform-get=1` redirection described above and instead just use
   306  the contents of the referenced archive as the module source code:
   307  
   308  ```hcl
   309  module "vpc" {
   310    source = "https://example.com/vpc-module.zip"
   311  }
   312  ```
   313  
   314  The extensions that Terraform recognizes for this special behavior are:
   315  
   316  * `zip`
   317  * `tar.bz2` and `tbz2`
   318  * `tar.gz` and `tgz`
   319  * `tar.xz` and `txz`
   320  
   321  If your URL _doesn't_ have one of these extensions but refers to an archive
   322  anyway, use the `archive` argument to force this interpretation:
   323  
   324  ```hcl
   325  module "vpc" {
   326    source = "https://example.com/vpc-module?archive=zip"
   327  }
   328  ```
   329  
   330  ## S3 Bucket
   331  
   332  You can use archives stored in S3 as module sources using the special `s3::`
   333  prefix, followed by
   334  [an S3 bucket object URL](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html#access-bucket-intro).
   335  
   336  ```hcl
   337  module "consul" {
   338    source = "s3::https://s3-eu-west-1.amazonaws.com/examplecorp-terraform-modules/vpc.zip"
   339  }
   340  ```
   341  
   342  The `s3::` prefix causes Terraform to use AWS-style authentication when
   343  accessing the given URL. As a result, this scheme may also work for other
   344  services that mimic the S3 API, as long as they handle authentication in the
   345  same way as AWS.
   346  
   347  The resulting object must be an archive with one of the same file
   348  extensions as for [archives over standard HTTP](#fetching-archives-over-http).
   349  Terraform will extract the archive to obtain the module source tree.
   350  
   351  The module installer looks for AWS credentials in the following locations,
   352  preferring those earlier in the list when multiple are available:
   353  
   354  * The `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables.
   355  * The default profile in the `.aws/credentials` file in your home directory.
   356  * If running on an EC2 instance, temporary credentials associated with the
   357    instance's IAM Instance Profile.
   358  
   359  ## Modules in Package Sub-directories
   360  
   361  When the source of a module is a version control repository or archive file
   362  (generically, a "package"), the module itself may be in a sub-directory relative
   363  to the root of the package.
   364  
   365  A special double-slash syntax is interpreted by Terraform to indicate that
   366  the remaining path after that point is a sub-directory within the package.
   367  For example:
   368  
   369  * `hashicorp/consul/aws//modules/consul-cluster`
   370  * `git::https://example.com/network.git//modules/vpc`
   371  * `https://example.com/network-module.zip//modules/vpc`
   372  * `s3::https://s3-eu-west-1.amazonaws.com/examplecorp-terraform-modules/network.zip//modules/vpc`
   373  
   374  If the source address has arguments, such as the `ref` argument supported for
   375  the version control sources, the sub-directory portion must be _before_ those
   376  arguments:
   377  
   378  * `git::https://example.com/network.git//modules/vpc?ref=v1.2.0`
   379  
   380  Terraform will still extract the entire package to local disk, but will read
   381  the module from the subdirectory. As a result, it is safe for a module in
   382  a sub-directory of a package to use [a local path](#local-paths) to another
   383  module as long as it is in the _same_ package.