| page_title | description |
|---|---|
| Provider: Docker | The Docker provider is used to interact with Docker resources, like containers, images, services, etc. |
Docker Provider
The Docker provider is used to interact with Docker containers and images. It uses the Docker API to manage the lifecycle of Docker containers. Because the Docker provider uses the Docker API, it is immediately compatible not only with single server Docker but Swarm and any additional Docker-compatible API hosts.
Use the navigation to the left to read about the available resources.
Example Usage
Terraform 0.13 and later:
terraform {
  required_providers {
    docker = {
      source  = "kreuzwerker/docker"
      version = "3.5.0"
    }
  }
}

provider "docker" {
  host = "unix:///var/run/docker.sock"
}

# Pulls the image
resource "docker_image" "ubuntu" {
  name = "ubuntu:latest"
}

# Create a container
resource "docker_container" "foo" {
  image = docker_image.ubuntu.image_id
  name  = "foo"
}
Remote Hosts
You can also use the SSH protocol to connect to the Docker host on a remote machine.
The configuration would look as follows:
provider "docker" {
  host = "ssh://user@remote-host:22"
  # These options turn off SSH host key verification: any host key is accepted and none is recorded
  ssh_opts = ["-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null"]
}
When using a remote host, the daemon configuration on the remote host can apply default configuration to your resources when running terraform apply, for example by applying log options to containers. The next time you run terraform plan, these defaults will show up as a diff. In such cases it is recommended to use the ignore_changes lifecycle meta-argument to ignore the changing attribute (See this issue for more information).
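A remote-host configuration that keeps SSH host key verification enabled and ignores daemon-applied log settings, as an added example that is not part of the provider's own documentation. The deploy user, the known_hosts file next to the module, and the choice of log_driver and log_opts as the drifting attributes are assumptions.

```hcl
terraform {
  required_providers {
    docker = {
      source  = "kreuzwerker/docker"
      version = "3.5.0"
    }
  }
}

provider "docker" {
  # Placeholder user and host
  host = "ssh://deploy@remote-host:22"

  # Refuse to connect unless the host key matches an entry in a pinned
  # known_hosts file kept alongside the module (assumed path).
  ssh_opts = [
    "-o", "StrictHostKeyChecking=yes",
    "-o", "UserKnownHostsFile=${abspath("${path.module}/known_hosts")}",
  ]
}

resource "docker_image" "ubuntu" {
  name = "ubuntu:latest"
}

resource "docker_container" "foo" {
  image = docker_image.ubuntu.image_id
  name  = "foo"

  # The remote daemon may apply its own default logging configuration.
  # Ignoring these attributes keeps the next plan free of that diff
  # (assumed to be the attributes that change on this host).
  lifecycle {
    ignore_changes = [log_driver, log_opts]
  }
}
```

Populate the known_hosts file out of band from a host key you have verified, so the first connection is checked as well.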
Disabling Docker Daemon Checking
The docker_registry_image data source and resource do not require a connection to the Docker daemon. If you want to use those in an environment without a Docker daemon, you can disable the connection check by setting the disable_docker_daemon_check argument to true. Be careful, this will break the provider for any resources that require a connection to the Docker daemon.
Registry credentials
Registry credentials can be provided on a per-registry basis with the registry_auth
field, passing either a config file or the username/password directly.
If you want to use an insecure http registry, please explicitly specify the address with the http protocol.
-> Note
The config file is loaded from the machine terraform runs on. This also applies when the specified docker host is on another machine.
provider "docker" {
  host = "tcp://localhost:2376"

  registry_auth {
    address     = "registry-1.docker.io"
    config_file = pathexpand("~/.docker/config.json")
  }

  registry_auth {
    address             = "registry.my.company.com"
    config_file_content = var.plain_content_of_config_file
  }

  registry_auth {
    address  = "quay.io:8181"
    username = "someuser"
    password = "somepass"
  }
}

# Data source labels must be unique within a module, so the two lookups use different labels

# Image name without a registry address
data "docker_registry_image" "private" {
  name = "myorg/privateimage"
}

# Image name with an explicit registry address and port
data "docker_registry_image" "quay" {
  name = "quay.io:8181/myorg/privateimage"
}
-> Note
When passing in a config file, either the corresponding auth string of the repository is read or the OS-specific credential helpers are used to retrieve the authentication credentials.
-> Note
config_file has precedence over all other options. You can theoretically specify values for every attribute, but the credentials obtained through the config_file will override the manually set username/password.
You can still use the environment variables DOCKER_REGISTRY_USER and DOCKER_REGISTRY_PASS.
An example of the content of the file ~/.docker/config.json on macOS may look as follows:
{
  "auths": {
    "repo.mycompany:8181": {
      "auth": "dXNlcjpwYXNz"
    },
    "otherrepo.other-company:8181": {}
  },
  "credsStore": "osxkeychain"
}
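A daemon-less registry lookup that takes its credentials from input variables instead of literals in the configuration, covering both the registry_auth block and the disable_docker_daemon_check argument described above. This is an added example, not part of the provider's own documentation; the variable names, the image tag and the output name are assumptions.

```hcl
terraform {
  required_providers {
    docker = {
      source  = "kreuzwerker/docker"
      version = "3.5.0"
    }
  }
}

# Hypothetical variable names. Supply the values through the environment
# (TF_VAR_registry_username / TF_VAR_registry_password) or a secrets store
# rather than a committed .tfvars file.
variable "registry_username" {
  type = string
}

variable "registry_password" {
  type      = string
  sensitive = true # redacted in plan and apply output
}

provider "docker" {
  # No Docker daemon here: only docker_registry_image is used below.
  disable_docker_daemon_check = true

  registry_auth {
    address  = "registry.my.company.com"
    username = var.registry_username
    password = var.registry_password
    # As noted above, credentials obtained through config_file override
    # a manually set username/password.
  }
}

# Resolve the tag to its digest by querying the registry directly
data "docker_registry_image" "app" {
  name = "registry.my.company.com/myorg/privateimage:1.0"
}

output "app_image_digest" {
  value = data.docker_registry_image.app.sha256_digest
}
```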
Certificate information
Specify certificate information either with a directory or directly with the content of the files for connecting to the Docker host via TLS.
provider "docker" {
  host = "tcp://your-host-ip:2376/"

  # -> specify either
  cert_path = pathexpand("~/.docker")

  # -> or the following
  ca_material   = file(pathexpand("~/.docker/ca.pem")) # this can be omitted
  cert_material = file(pathexpand("~/.docker/cert.pem"))
  key_material  = file(pathexpand("~/.docker/key.pem"))
}
Schema
Optional
ca_material (String) PEM-encoded content of Docker host CA certificate
cert_material (String) PEM-encoded content of Docker client certificate
cert_path (String) Path to directory with Docker TLS config
context (String) The name of the Docker context to use. Can also be set via DOCKER_CONTEXT environment variable. Overrides the host if set.
disable_docker_daemon_check (Boolean) If set to true, the provider will not check if the Docker daemon is running. This is useful for resources/data sources that do not require a running Docker daemon, such as the data source docker_registry_image.
host (String) The Docker daemon address
key_material (String) PEM-encoded content of Docker client private key
registry_auth (Block Set) (see below for nested schema)
ssh_opts (List of String) Additional SSH option flags to be appended when using ssh:// protocol
Nested Schema for registry_auth
Required:
address (String) Address of the registry
Optional:
auth_disabled (Boolean) Setting this to true will tell the provider that this registry does not need authentication. Due to the docker internals, the provider will use dummy credentials (see https://github.com/kreuzwerker/terraform-provider-docker/issues/470 for more information). Defaults to false.
config_file (String) Path to docker json file for registry auth. Defaults to ~/.docker/config.json. If DOCKER_CONFIG is set, the value of DOCKER_CONFIG is used as the path. config_file has precedence over all other options.
config_file_content (String) Plain content of the docker json file for registry auth. config_file_content has precedence over username/password.
password (String, Sensitive) Password for the registry. Defaults to DOCKER_REGISTRY_PASS env variable if set.
username (String) Username for the registry. Defaults to DOCKER_REGISTRY_USER env variable if set.