opentofu/website/docs/internals/remote-service-discovery.html.md
Martin Atkins 63639defe9 website: Separate docs for the module registry protocol
We previously had the module registry protocol documented only as an
undefined subset of the full API of the official registry implementation.
However, the vast majority of endpoints documented in the official API
docs are not needed for a headless third-party module registry that only
intends to make modules available to Terraform CLI.

To make this clearer to potential third-party implementors, and also for
consistency with how the provider registry protocol is now documented,
here we create a new page to describe the subset required for all
registries, and then explain in the docs for the offical API that
potential third-party implementors should refer to the new page instead.

The longer page describing the full API of the official implementations
remains for those who wish to write clients for that API, because it is
part of the API surface area for Terraform Cloud and Terraform Enterprise.

I also took this opportunity to address the fact that module addresses
don't really contain "provider names" at all, but rather than the fourth
field in the address is _conventionally_ an official provider name but
can really be any string that serves to differentiate multiple
implementations of the same abstraction. The new docs therefore refer to
this field as "system" rather than "provider".
2020-06-11 09:32:39 -07:00

5.0 KiB

layout page_title sidebar_current description
docs Internals: Remote Service Discovery docs-internals-remote-service-discovery Remote service discovery is a protocol used to locate Terraform-native services provided at a user-friendly hostname.

Remote Service Discovery

Terraform implements much of its functionality in terms of remote services. While in many cases these are generic third-party services that are useful to many applications, some of these services are tailored specifically to Terraform's needs. We call these Terraform-native services, and Terraform interacts with them via the remote service discovery protocol described below.

User-facing Hostname

Terraform-native services are provided, from a user's perspective, at a user-facing "friendly hostname" which serves as the key for configuration and for any authentication credentials required.

The discovery protocol's purpose is to map from a user-provided hostname to the base URL of a particular service. Each host can provide different combinations of services -- or no services at all! -- and so the discovery protocol has a secondary purpose of allowing Terraform to identify which services are valid for a given hostname.

For example, module source strings can include a module registry hostname as their first segment, like example.com/namespace/name/provider, and Terraform uses service discovery to determine whether example.com has a module registry, and if so where its API is available.

A user-facing hostname is a fully-specified internationalized domain name expressed in its Unicode form (the corresponding "punycode" form is not allowed) which must be resolvable in DNS to an address that has an HTTPS server running on port 443.

User-facing hostnames are normalized for internal comparison using the standard Unicode Nameprep algorithm, which includes converting all letters to lowercase, normalizing combining diacritics to precomposed form where possible, and various other normalization steps.

Discovery Process

Given a hostname, discovery begins by forming an initial discovery URL using that hostname with the https: scheme and the fixed path /.well-known/terraform.json.

For example, given the hostname example.com the initial discovery URL would be https://example.com/.well-known/terraform.json.

Terraform then sends a GET request to this discovery URL and expects a JSON response. If the response does not have status 200, does not have a media type of application/json or, if the body cannot be parsed as a JSON object, then discovery fails and Terraform considers the host to not support any Terraform-native services.

If the response is an HTTP redirect then Terraform repeats this step with the new location as its discovery URL. Terraform is guaranteed to follow at least one redirect, but nested redirects are not guaranteed nor recommended.

If the response is a valid JSON object then its keys are Terraform native service identifiers, consisting of a service type name and a version string separated by a period. For example, the service identifier for version 1 of the module registry protocol is modules.v1.

The value of each object element is the base URL for the service in question. This URL may be either absolute or relative, and if relative it is resolved against the final discovery URL (after following redirects).

The following is an example discovery document declaring support for version 1 of the module registry protocol:

{
  "modules.v1": "https://modules.example.com/v1/"
}

Supported Services

At present, the following service identifiers are in use:

Authentication

If credentials for the given hostname are available in the CLI config then they will be included in the request for the discovery document.

The credentials may also be provided to endpoints declared in the discovery document, depending on the requirements of the service in question.

Non-standard Ports in User-facing Hostnames

It is strongly recommended to provide the discovery document for a hostname on the standard HTTPS port 443. However, in development environments this is not always possible or convenient, so Terraform allows a hostname to end with a port specification consisting of a colon followed by one or more decimal digits.

When a custom port number is present, the service on that port is expected to implement HTTPS and respond to the same fixed discovery path.

For day-to-day use it is strongly recommended not to rely on this mechanism and to instead provide the discovery document on the standard port, since this allows use of the most user-friendly hostname form.