Provider Registry
Provider Registry is currently pending release and will be available soon!
The Harness IaCM Provider Registry allows you to securely publish and distribute custom providers. Providers are signed with GPG keys, compiled as binary files for multiple platforms, and made available for use in OpenTofu or Terraform configurations.
A custom provider is an OpenTofu or Terraform provider built and maintained by your organization, usually for internal APIs or services not available in the public registry.
A GPG key is a cryptographic key used to verify the authenticity and integrity of files. In this case, it ensures provider binaries have not been tampered with.
Binary files are executable program files produced after compiling source code (for example, Go or Java). OpenTofu or Terraform uses these binaries to interact with your infrastructure.
Supported platforms include Darwin/macOS (arm64, amd64), Linux (amd64), and Windows (amd64).
- Found under IaCM > Registry (alongside Module Registry and GPG Keys).
- Providers are published as compiled binaries for supported operating systems like macOS, Linux, or Windows.
- GPG keys are required to sign provider binaries for verification.
A DevOps team creates a custom provider to integrate OpenTofu with their internal APIs.
By publishing it in the Provider Registry, developers across macOS, Linux, and Windows can seamlessly consume the provider during tofu init without manually managing binaries.
Prerequisites
Before you begin, make sure you have:
- Access and permissions to IaCM and the Registry area in your Harness project.
- A local build environment to compile your provider into platform-specific binaries (for example, Go or Java toolchains).
- GPG tooling installed on your machine.
Provider Preparation
Provider Registry assumes that your binaries are already signed with a GPG key. If you need to generate one, you can use the industry-standard GPG commands shown below.
GPG Key Setup
GPG keys are required to sign provider binaries before publishing. To add a key to IaCM, you need its:
- Name
- Key ID
- ASCII armored public key
Follow the three steps below to generate a GPG key:
1. Generate a GPG key:
    gpg --full-generate-key
2. List GPG keys:
    gpg --list-keys --keyid-format LONG
3. Export GPG key (in ASCII armor format):
    gpg --armor --export <KEY_ID>
If you need more information on how to generate GPG Keys, go to Generating a new GPG key for full instructions.
Add your GPG key to IaCM
- Go to IaCM > Registry > GPG Keys
- Click New GPG Key
- Enter the Name, Key ID, and ASCII armored public key generated in the previous steps.
- Click Save
File Requirements
Each provider version requires the following artifacts:
- Compiled binaries for each supported OS/architecture.
- A SHA256SUMS checksum file.
- A SHA256SUMS.sig signature file.
1. Create the checksum file:
    shasum -a 256 * > SHA256SUMS
2. Sign the checksum file:
    gpg --default-key <KEY_ID> --output SHA256SUMS.sig --detach-sign SHA256SUMS
Provider Registration
- From the IaCM module, go to Registry, then select the Provider Registry tab.
- Click New Provider and enter a provider name.
- Add a version (must follow semantic versioning, e.g., 1.0.0).
- Select one of your stored GPG keys.
- Choose a provider protocol version, e.g. v4, v5, v6.
The provider protocol defines the interface and communication standard between OpenTofu or Terraform and external providers. Each protocol version (e.g., v4, v5, v6) specifies how providers should implement functions, handle requests, and structure their schemas. Newer protocol versions add features, improve security, and may deprecate older behaviors. Select the protocol version that matches your provider implementation and the Terraform/OpenTofu version you intend to support.
Selecting multiple provider protocol versions allows your provider to be compatible with a wider range of Terraform or OpenTofu versions, and to support users who may not yet have upgraded to the latest protocol.
- Upload the required files:
  - Compiled binaries for all supported OS/architectures.
  - SHA256SUMS checksum file.
  - SHA256SUMS.sig signature file.
- Verify that all registry files are uploaded.
If you do not publish the version immediately, it remains in a draft state. Drafts allow you to upload additional binaries, checksums, or signature files later before finalizing the version. Draft versions are not available for consumption in OpenTofu/Terraform until they are published.
- Click Publish once all files are uploaded. The system will validate the upload and publish the provider version.
Validation fails if:
- Any required file is missing.
- Filename versions don’t match the version you entered.
- The .sig or checksum file does not match.
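The file requirements and the validation conditions above can be checked locally before uploading. The shell functions below are an added example, not Harness tooling or code from the original page; the function names, exit codes, the flat directory layout, and the rule that each binary filename contains the version string are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-upload checks for one provider version directory.
# Assumption: binaries, SHA256SUMS and SHA256SUMS.sig sit in one flat
# directory and each binary filename contains the version string.

sha256() {  # use whichever SHA-256 tool is installed
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
  else shasum -a 256 "$@"; fi
}

# write_checksums DIR: (re)build SHA256SUMS without hashing SHA256SUMS or
# SHA256SUMS.sig, which a bare `*` glob would include on a second run.
write_checksums() (
  cd "$1" || exit 1
  : > SHA256SUMS.tmp
  for f in *; do
    case "$f" in SHA256SUMS|SHA256SUMS.sig|SHA256SUMS.tmp) continue ;; esac
    if [ -f "$f" ]; then sha256 "$f" >> SHA256SUMS.tmp; fi
  done
  mv SHA256SUMS.tmp SHA256SUMS
)

# check_files DIR VERSION: exit codes 2 = required file missing,
# 3 = filename version mismatch, 4 = binary not listed, 5 = hash mismatch.
check_files() (
  cd "$1" || exit 1
  for req in SHA256SUMS SHA256SUMS.sig; do
    [ -f "$req" ] || { echo "missing $req" >&2; exit 2; }
  done
  for f in *; do
    case "$f" in SHA256SUMS|SHA256SUMS.sig) continue ;; esac
    case "$f" in *"$2"*) ;; *) echo "version mismatch: $f" >&2; exit 3 ;; esac
    awk -v f="$f" '$2 == f { ok = 1 } END { exit !ok }' SHA256SUMS ||
      { echo "not listed in SHA256SUMS: $f" >&2; exit 4; }
  done
  sha256 -c SHA256SUMS >/dev/null 2>&1 || { echo "checksum mismatch" >&2; exit 5; }
)

# verify_signature DIR: the signature covers only SHA256SUMS, so the binaries
# are authenticated through the hashes checked above. Needs the signer's
# public key in the local keyring.
verify_signature() (
  cd "$1" && gpg --verify SHA256SUMS.sig SHA256SUMS
)
```

Run write_checksums before signing, then check_files and verify_signature on the directory you are about to upload.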
# Example placeholder for future CLI/YAML-based setup
provider:
  name: myprovider
  version: 1.0.0
  gpg_key: <KEY_ID>
  protocols: ["5"]
  files:
    - darwin_arm64/myprovider_v1.0.0
    - darwin_amd64/myprovider_v1.0.0
    - linux_amd64/myprovider_v1.0.0
    - windows_amd64/myprovider_v1.0.0
    - SHA256SUMS
    - SHA256SUMS.sig
Use Published Providers
Once published, providers can be consumed directly in OpenTofu/Terraform configuration. For example:
terraform {
  required_providers {
    <provider-name> = {
      source  = "<provider-name>.app.harness.io/account/<harness-account-id>/<provider-name>"
      version = "1.0.0"
    }
  }
}

provider "<provider-name>" {
  # Configuration options
}
When you run the init command, OpenTofu/Terraform will automatically pull the correct binary for your operating system. init is the OpenTofu/Terraform command used to initialize a configuration. It downloads and configures providers, modules, and other dependencies.
Troubleshooting
- Version mismatches: Versions in your binary filenames must match the registry version exactly (e.g., 1.0.0 vs 1.0.1).
- Missing files: Publishing requires all binaries, checksum, and signature files.
Next Steps
Explore other reusable features in IaCM:
- Module Registry: publish and share Terraform/OpenTofu modules.
- Workspace Templates: standardize workspace configurations across teams.