v0.21+: Override mirror URL for terraform downloads

[nitrocode]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

---

• I'd be willing to implement this feature (contributing guide)

Describe the user story

From comment #1776 (comment)

I think [mirrorURL] could be a configurable URL because some companies host TF exe in their private repos for setups with no public access and/or to control which TF versions are currently cleared to be used.

Describe the solution you'd like

Override the mirror URL to download terraform from airgapped environments using a flag such as --tf-download-mirror-url

The tf download url is in the user config

atlantis/server/user_config.go

Line 10 in d4c7cce

type UserConfig struct {

atlantis/server/user_config.go

Line 97 in d4c7cce

TFDownloadURL string `mapstructure:"tf-download-url"`

atlantis/cmd/server.go

Line 146 in d4c7cce

DefaultTFDownloadURL = "https://releases.hashicorp.com"

And it just needs to be passed here

atlantis/server/events/project_command_context_builder.go

Line 19 in d4c7cce

var mirrorURL = "https://releases.hashicorp.com/terraform"

Here is how the tf downloading works

atlantis/server/core/terraform/terraform_client.go

Lines 140 to 150 in d4c7cce

	if defaultVersionStr != "" {
	defaultVersion, err := version.NewVersion(defaultVersionStr)
	if err != nil {
	return nil, err
	}
	finalDefaultVersion = defaultVersion
	ensureVersionFunc := func() {
	// Since ensureVersion might end up downloading terraform,
	// we call it asynchronously so as to not delay server startup.
	versionsLock.Lock()
	_, err := ensureVersion(log, tfDownloader, versions, defaultVersion, binDir, tfDownloadURL)

atlantis/server/core/terraform/terraform_client.go

Line 421 in d4c7cce

func ensureVersion(log logging.SimpleLogging, dl Downloader, versions map[string]string, v *version.Version, binDir string, downloadURL string) (string, error) {

Describe the drawbacks of your solution

None

Describe alternatives you've considered

None

[nitrocode]

cc: @fblgit I did some research on how the current tf download url can be plumbed through if you have time to take a look, we'd really appreciate this.

[adam-verigin]

This is blocking us from updating since we run Atlantis in an environment where no internet-bound communication is allowed.

Using the latest release, when I run a plan, Atlantis dies, after logging:

<timestamp> [Error] : Getting url: Get "https://releases.hashicorp.com/terraform/": net/http: TLS handshake timeout

It doesn't log a line number/etc, so it took a while to track down where the error is coming from.

It also strikes me that this shouldn't kill Atlantis. Pulling this listing may intermitently fail (as all internet bound traffic does). It would make more sense to catch this and report it back to whatever VCS Atlantis is interacting with.

Finally, I'd like to request that, along with allowing someone to override the mirror URL, I would like to be able to disable the dynamic version fetching altogether.

[nitrocode]

Agreed. Please feel free to propose a pr. This would be a good fix.

cc @fblgit

[adam-verigin]

Was looking into this a little more.

I noticed --tf-download-url in the Arlantis docs. That shows up as TFDownloadURL in user_config.go, so if that property gets exposed in terraform_client.go, then it's a matter of passing that client to project_command_context_builder.go.

As for the error handling... that looks like a harder fix because terraform-switcher has embedded os.Exit(1) calls in its error handling. So, it might be easiest to replicate the version listing logic locally rather than depending on that library.

[nitrocode]

If you implemented your mirror the same way as hashicorp, then the tf switcher function wouldn't error out, no?

Or do you have a use case that could be better proposed in the upstream library? I think we'd prefer not replicating logic here if the upstream library could do it.

Thanks for diving into this!