Self-Signed Certificates

Terrateam supports the use of self-signed certificates for secure communication with services in your infrastructure. This is essential when working with internal services, private registries, or enterprise environments that use custom Certificate Authorities (CAs).

How It Works

Terrateam automatically installs any custom CA certificates provided through environment variables that follow the CUSTOM_CA_BUNDLE_* naming pattern. These certificates are added to the system’s trusted CA store before any Terraform operations are executed, ensuring that all tools (Terraform, cloud CLIs, git, etc.) can properly validate SSL/TLS connections.

Configuration Methods

There are two primary ways to configure custom CA certificates in Terrateam:

Method 1: Using VCS Provider Variables

This method stores your certificates as variables in your VCS provider, making them available to all Terrateam operations automatically.

  1. Navigate to your repository’s settings:

    • GitHub: Settings → Secrets and variables → Actions → Variables
    • GitLab: Settings → CI/CD → Variables
  2. Create a new variable:

    • Name: Must start with CUSTOM_CA_BUNDLE_ (e.g., CUSTOM_CA_BUNDLE_CORP, CUSTOM_CA_BUNDLE_INTERNAL)
    • Value: The complete certificate content including headers
    • Type: Variable (not secret, as certificates are not sensitive)
  3. Add your certificate content:

    -----BEGIN CERTIFICATE-----
    MIIDXTCCAkWgAwIBAgIJAKLdQVPy90WjMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
    [... certificate content ...]
    nI7bfRn4YjSSiXzPuQVh66IYHIvw+xP6
    -----END CERTIFICATE-----
  4. The certificate is automatically installed:

    • Terrateam detects all CUSTOM_CA_BUNDLE_* environment variables
    • Certificates are written to /usr/local/share/ca-certificates/
    • System CA store is updated via update-ca-certificates

Method 2: Using Terrateam Configuration

You can also define custom CA certificates directly in your Terrateam configuration file using hooks and environment variables.

hooks:
  all:
    pre:
      - type: env
        name: CUSTOM_CA_BUNDLE_INTERNAL
        # The block scalar (|) keeps the line breaks that the heredoc and the PEM format require
        cmd:
          - 'sh'
          - '-c'
          - |
            cat <<EOF
            -----BEGIN CERTIFICATE-----
            MIIDXTCCAkWgAwIBAgIJAKLdQVPy90WjMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
            [... certificate content ...]
            nI7bfRn4YjSSiXzPuQVh66IYHIvw+xP6
            -----END CERTIFICATE-----
            EOF

Multiple Certificates

You can add multiple custom CA certificates by using different variable names:

CUSTOM_CA_BUNDLE_CORP="-----BEGIN CERTIFICATE-----..."
CUSTOM_CA_BUNDLE_INTERNAL="-----BEGIN CERTIFICATE-----..."
CUSTOM_CA_BUNDLE_PARTNER="-----BEGIN CERTIFICATE-----..."

Each certificate will be installed separately and all will be trusted by the system.
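
Because every CUSTOM_CA_BUNDLE_* value becomes a trust anchor, a pre-flight check of those variables is worth running before a plan; the following is an added example, not Terrateam's own code. It flags values whose PEM headers or line breaks were lost and values that carry a private key, and returns a SHA-256 fingerprint to compare with the one your CA publishes. The function name, finding strings and sample values are assumptions, and it checks PEM and DER framing only, not X.509 validity.

```python
import base64
import binascii
import hashlib
import re

PREFIX = "CUSTOM_CA_BUNDLE_"  # naming pattern from the page
# A PEM block whose BEGIN and END markers each sit on their own line.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*\r?\n(.*?)\r?\n-----END \1-----[ \t]*$",
    re.S | re.M)


def lint_ca_bundles(env):
    """Map each CUSTOM_CA_BUNDLE_* name to (findings, SHA-256 fingerprints)."""
    report = {}
    for name in sorted(env):
        if not name.startswith(PREFIX):
            continue  # not treated as a CA bundle, e.g. a misspelt prefix
        findings, fingerprints = [], []
        blocks = PEM_BLOCK.findall(env[name])
        if not blocks:
            findings.append("no PEM block: headers missing or line breaks lost")
        for label, body in blocks:
            if "PRIVATE KEY" in label:
                findings.append("private key in a non-secret variable")
            elif label != "CERTIFICATE":
                findings.append("unexpected PEM block: " + label)
            else:
                try:
                    der = base64.b64decode("".join(body.split()), validate=True)
                except binascii.Error:
                    findings.append("certificate body is not valid base64")
                    continue
                if der[:1] != b"\x30":  # a DER certificate starts with SEQUENCE
                    findings.append("decoded body is not a DER SEQUENCE")
                    continue
                fingerprints.append(hashlib.sha256(der).hexdigest())
        report[name] = (findings, fingerprints)
    return report


# Constructed sample: a 5-byte DER SEQUENCE stands in for a real certificate.
_PEM = ("-----BEGIN CERTIFICATE-----\n"
        + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
        + "\n-----END CERTIFICATE-----\n")
_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
SAMPLE_ENV = {
    "CUSTOM_CA_BUNDLE_CORP": _PEM,
    "CUSTOM_CA_BUNDLE_FLAT": _PEM.replace("\n", " "),  # newlines collapsed
    "CUSTOM_CA_BUNDLE_KEY": _PEM + _KEY,               # key pasted by mistake
    "CUSTOM_CA_BUNDEL_TYPO": _PEM,                     # misspelt prefix, ignored
}
```

Pass `os.environ` in place of `SAMPLE_ENV` to check the variables of a real run.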