terraform-provider-docker/docs/index.md

---
# generated by https://github.com/hashicorp/terraform-plugin-docs
layout: ""
page_title: "Provider: Docker"
description: |-
  The Docker provider is used to interact with Docker resources, like containers, images, service etc.
---

# Docker Provider

The Docker provider is used to interact with Docker containers and images.
It uses the Docker API to manage the lifecycle of Docker containers. Because
the Docker provider uses the Docker API, it is immediately compatible not
only with single server Docker but Swarm and any additional Docker-compatible
API hosts.

Use the navigation to the left to read about the available resources.

## Example Usage

Terraform 0.13 and later:

```terraform
terraform {
  required_providers {
    docker = {
      source  = "kreuzwerker/docker"
      version = "3.1.2"
    }
  }
}

provider "docker" {
  host = "unix:///var/run/docker.sock"
}

# Pulls the image
resource "docker_image" "ubuntu" {
  name = "ubuntu:latest"
}

# Create a container
resource "docker_container" "foo" {
  image = docker_image.ubuntu.image_id
  name  = "foo"
}
```

Terraform 0.12 and earlier:

```terraform
provider "docker" {
  version = "~> 3.1.2"
  host    = "unix:///var/run/docker.sock"
}

# Pulls the image
resource "docker_image" "ubuntu" {
  name = "ubuntu:latest"
}

# Create a container
resource "docker_container" "foo" {
  image = docker_image.ubuntu.image_id
  name  = "foo"
}
```

## Remote Hosts
You can also use the `ssh` protocol to connect to the docker host on a remote machine.
The configuration would look as follows:

```terraform
provider "docker" {
  host     = "ssh://user@remote-host:22"
  ssh_opts = ["-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null"]
}
```

When using a remote host, the daemon configuration on the remote host can apply default configuration to your resources when running `terraform apply`, for example by appling log options to containers. When running `terraform plan` the next time, it will show up as a diff. In such cases it is recommended to use the `ignore_changes` lifecycle meta-argument to ignore the changing attribute (See [this issue](https://github.com/kreuzwerker/terraform-provider-docker/issues/473) for more information).

## Registry credentials

Registry credentials can be provided on a per-registry basis with the `registry_auth`
field, passing either a config file or the username/password directly.
If you want to use an insecure http registry, please explicitly specify the `address` with the `http` protocol.

-> **Note**
The config file is loaded from the machine `terraform` runs on. This also applies when the specified docker host is on another machine.

```terraform
provider "docker" {
  host = "tcp://localhost:2376"

  registry_auth {
    address     = "registry-1.docker.io"
    config_file = pathexpand("~/.docker/config.json")
  }

  registry_auth {
    address             = "registry.my.company.com"
    config_file_content = var.plain_content_of_config_file
  }

  registry_auth {
    address  = "quay.io:8181"
    username = "someuser"
    password = "somepass"
  }
}

data "docker_registry_image" "quay" {
  name = "myorg/privateimage"
}

data "docker_registry_image" "quay" {
  name = "quay.io:8181/myorg/privateimage"
}
```

-> **Note**
When passing in a config file either the corresponding `auth` string of the repository is read or the os specific
[credential helpers](https://github.com/docker/docker-credential-helpers#available-programs) are
used to retrieve the authentication credentials.

-> **Note**
`config_file` has predence over all other options. You can theoretically specify values for every attribute but the credentials obtained through the `config_file` will override the manually set `username`/`password`

You can still use the environment variables `DOCKER_REGISTRY_USER` and `DOCKER_REGISTRY_PASS`.

An example content of the file `~/.docker/config.json` on macOS may look like follows:

```json
{
    "auths": {
        "repo.mycompany:8181": {
            "auth": "dXNlcjpwYXNz="
        },
        "otherrepo.other-company:8181": {}
    },
    "credsStore": "osxkeychain"
}
```

## Certificate information

Specify certificate information either with a directory or
directly with the content of the files for connecting to the Docker host via TLS.

```terraform
provider "docker" {
  host = "tcp://your-host-ip:2376/"

  # -> specify either
  cert_path = pathexpand("~/.docker")

  # -> or the following
  ca_material   = file(pathexpand("~/.docker/ca.pem")) # this can be omitted
  cert_material = file(pathexpand("~/.docker/cert.pem"))
  key_material  = file(pathexpand("~/.docker/key.pem"))
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Optional

- `ca_material` (String) PEM-encoded content of Docker host CA certificate
- `cert_material` (String) PEM-encoded content of Docker client certificate
- `cert_path` (String) Path to directory with Docker TLS config
- `host` (String) The Docker daemon address
- `key_material` (String) PEM-encoded content of Docker client private key
- `registry_auth` (Block Set) (see [below for nested schema](#nestedblock--registry_auth))
- `ssh_opts` (List of String) Additional SSH option flags to be appended when using `ssh://` protocol

<a id="nestedblock--registry_auth"></a>
### Nested Schema for `registry_auth`

Required:

- `address` (String) Address of the registry

Optional:

- `auth_disabled` (Boolean) Setting this to `true` will tell the provider that this registry does not need authentication. Due to the docker internals, the provider will use dummy credentials (see https://github.com/kreuzwerker/terraform-provider-docker/issues/470 for more information). Defaults to `false`.
- `config_file` (String) Path to docker json file for registry auth. Defaults to `~/.docker/config.json`. If `DOCKER_CONFIG` is set, the value of `DOCKER_CONFIG` is used as the path. `config_file` has predencen over all other options.
- `config_file_content` (String) Plain content of the docker json file for registry auth. `config_file_content` has precedence over username/password.
- `password` (String, Sensitive) Password for the registry. Defaults to `DOCKER_REGISTRY_PASS` env variable if set.
- `username` (String) Username for the registry. Defaults to `DOCKER_REGISTRY_USER` env variable if set.