Self-Signed Certificates
Terrateam supports the use of self-signed certificates for secure communication with services in your infrastructure. This is essential when working with internal services, private registries, or enterprise environments that use custom Certificate Authorities (CAs).
How It Works
Terrateam automatically installs any custom CA certificates provided through environment variables that follow the CUSTOM_CA_BUNDLE_* naming pattern. These certificates are added to the system’s trusted CA store before any Terraform operations are executed, ensuring that all tools (Terraform, cloud CLIs, git, etc.) can properly validate SSL/TLS connections.
Configuration Methods
There are two primary ways to configure custom CA certificates in Terrateam:
Method 1: Using VCS Variables (Recommended)
This method stores your certificates as variables in your VCS provider, making them available to all Terrateam operations automatically.
- Navigate to your repository’s settings:
  - GitHub: Settings → Secrets and variables → Actions → Variables
  - GitLab: Settings → CI/CD → Variables
- Create a new variable:
  - Name: Must start with CUSTOM_CA_BUNDLE_ (e.g., CUSTOM_CA_BUNDLE_CORP, CUSTOM_CA_BUNDLE_INTERNAL)
  - Value: The complete certificate content including headers
  - Type: Variable (not secret, as certificates are not sensitive)
- Add your certificate content:

    -----BEGIN CERTIFICATE-----
    MIIDXTCCAkWgAwIBAgIJAKLdQVPy90WjMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
    [... certificate content ...]
    nI7bfRn4YjSSiXzPuQVh66IYHIvw+xP6
    -----END CERTIFICATE-----

- The certificate is automatically installed:
  - Terrateam detects all CUSTOM_CA_BUNDLE_* environment variables
  - Certificates are written to /usr/local/share/ca-certificates/
  - System CA store is updated via update-ca-certificates
Method 2: Using Terrateam Configuration
You can also define custom CA certificates directly in your Terrateam configuration file using hooks and environment variables.
hooks:
  all:
    pre:
      - type: env
        name: CUSTOM_CA_BUNDLE_INTERNAL
        cmd:
          - sh
          - '-c'
          # Literal block scalar (|) preserves the PEM line breaks that the heredoc prints
          - |
            cat <<EOF
            -----BEGIN CERTIFICATE-----
            MIIDXTCCAkWgAwIBAgIJAKLdQVPy90WjMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
            [... certificate content ...]
            nI7bfRn4YjSSiXzPuQVh66IYHIvw+xP6
            -----END CERTIFICATE-----
            EOF
Multiple Certificates
You can add multiple custom CA certificates by using different variable names:
CUSTOM_CA_BUNDLE_CORP="-----BEGIN CERTIFICATE-----..."
CUSTOM_CA_BUNDLE_INTERNAL="-----BEGIN CERTIFICATE-----..."
CUSTOM_CA_BUNDLE_PARTNER="-----BEGIN CERTIFICATE-----..."
Each certificate will be installed separately and all will be trusted by the system.
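
Every CUSTOM_CA_BUNDLE_* value ends up in the trusted CA store and is kept as a non-secret variable, so it is worth checking a value before saving it. The following Python pre-flight check is an added example, not part of Terrateam or its documentation: it confirms that a value contains only complete certificate blocks (no private keys, no placeholder or truncated paste) and returns a SHA-256 fingerprint to compare against the one published by the CA's owner. The function names are hypothetical, and the DER check is structural only; it does not verify signatures, expiry or CA constraints.

```python
import base64, binascii, hashlib, re

PREFIX = "CUSTOM_CA_BUNDLE_"  # naming pattern from the page
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_is_complete(der):
    """True if der is exactly one DER SEQUENCE whose length field matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_bundle(name, value):
    """Return one finding per PEM block found in a CUSTOM_CA_BUNDLE_* value."""
    if not name.startswith(PREFIX):
        raise ValueError(f"{name}: name must start with {PREFIX}")
    findings = []
    for label, body in PEM_BLOCK.findall(value):
        finding = {"label": label, "ok": False, "sha256": None, "problem": None}
        if label != "CERTIFICATE":
            # The variable is not stored as a secret, so key material must never be in it.
            finding["problem"] = "not a certificate (private key or other object)"
        else:
            try:  # tolerate flattened values: strip all whitespace before decoding
                der = base64.b64decode("".join(body.split()), validate=True)
            except binascii.Error:
                finding["problem"] = "invalid base64 (placeholder or damaged paste)"
            else:
                if der_is_complete(der):
                    finding.update(ok=True, sha256=hashlib.sha256(der).hexdigest())
                else:
                    finding["problem"] = "DER length mismatch (truncated paste)"
        findings.append(finding)
    if not findings:
        raise ValueError(f"{name}: no PEM block found")
    return findings

def check_environment(env):
    """Check every CUSTOM_CA_BUNDLE_* entry of a mapping such as os.environ."""
    return {k: check_bundle(k, v) for k, v in env.items() if k.startswith(PREFIX)}

if __name__ == "__main__":
    # Constructed sample (dummy DER, not a real certificate); pass os.environ in real use.
    dummy = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
    env = {"CUSTOM_CA_BUNDLE_DEMO": f"-----BEGIN CERTIFICATE-----{dummy}-----END CERTIFICATE-----"}
    for var, results in check_environment(env).items():
        for r in results:
            print(var, r["label"], r["sha256"] or "REJECT: " + r["problem"])
```

The fingerprint is the SHA-256 of the DER encoding, the same value `openssl x509 -noout -fingerprint -sha256` reports, without the colon separators.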