Introduction

Terraform modules are the building blocks of Infrastructure as Code (IaC) — reusable, versioned chunks of configuration that let teams standardize their cloud infrastructure. As organizations scale their IaC practices, managing hundreds of modules across dozens of repositories becomes a challenge. Where do you store modules? How do you version them? How do teams discover which modules exist?

The public Terraform Registry solves this for open-source modules, but enterprises and teams with private infrastructure need self-hosted solutions. In this guide, we compare three approaches to running your own Terraform module registry: Boring Registry, Terrareg, and Git-Based Module Sources.

Comparison at a Glance

FeatureBoring RegistryTerraregGit-Based (Raw)
Stars283343N/A
Web UI✅ Clean dashboard✅ Full-featured❌ None
Module Search✅ Built-in✅ Advanced filters❌ grep only
Version Tracking✅ Semantic versioning✅ Git tags + branches✅ Git tags
Provider Registry✅ Built-in❌ Modules only❌ None
API Compatibility✅ Terraform Registry API✅ Partial API❌ Manual only
Authentication✅ Token-based✅ OIDC + OAuth2✅ Git SSH/HTTPS
DeploymentGo binary / DockerDocker / pipGit server
GitHub Integration✅ Webhook sync✅ Deep Git analysis✅ Native
Storage BackendLocal / S3Local / S3Git repos

Boring Registry

Boring Registry is a minimalist but fully-featured Terraform provider and module registry written in Go. Designed to be simple to deploy and operate, it implements the standard Terraform Registry API — meaning terraform init works out of the box without additional configuration.

Key Features

  • Implements the full Terraform Registry protocol — both module and provider registry endpoints
  • S3-compatible storage backend — store modules and providers in MinIO, AWS S3, or any S3-compatible service
  • GitHub webhook integration — automatically index new module versions when releases are published
  • Simple deployment — single Go binary, no external database required (uses BoltDB internally)
  • Semantic versioning support — enforces proper module versioning conventions

Deployment with Docker

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

version: "3.8"
services:
  boring-registry:
    image: ghcr.io/boring-registry/boring-registry:latest
    ports:
      - "5601:5601"
    environment:
      BORING_REGISTRY_STORAGE_S3_BUCKET: "terraform-modules"
      BORING_REGISTRY_STORAGE_S3_ENDPOINT: "https://minio.example.com"
      BORING_REGISTRY_STORAGE_S3_REGION: "us-east-1"
      AWS_ACCESS_KEY_ID: "${MINIO_ACCESS_KEY}"
      AWS_SECRET_ACCESS_KEY: "${MINIO_SECRET_KEY}"
      BORING_REGISTRY_AUTH_OKTA_ISSUER: "https://your-org.okta.com"
    volumes:
      - ./data:/var/lib/boring-registry

Terrareg

Terrareg takes a more feature-rich approach, offering a comprehensive web UI for browsing, searching, and analyzing Terraform modules. It deeply integrates with Git repositories for metadata extraction and version tracking.

Key Features

  • Rich web interface — browse modules with README rendering, variable documentation, and usage examples
  • Deep Git integration — extracts module metadata, tracks version tags, and analyzes module structure
  • Namespace organization — organize modules by team, project, or domain using namespaces
  • Multiple authentication backends — supports OIDC, OAuth2, SAML, and local database authentication
  • Module security analysis — performs terraform validate and tflint checks on indexed modules
  • API compatibility — partial Terraform Registry API for terraform init support

Deployment with Docker Compose

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

version: "3.8"
services:
  terrareg:
    image: ghcr.io/matthewjohn/terrareg:latest
    ports:
      - "5000:5000"
    environment:
      DATABASE_URL: "mysql+pymysql://terrareg:password@db:3306/terrareg"
      ADMIN_AUTHENTICATION_TOKEN: "${ADMIN_TOKEN}"
      SECRET_KEY: "${SECRET_KEY}"
      GIT_PROVIDER_CONFIG: '[{"name":"GitHub","base_url":"https://github.com"}]'
      AUTO_CREATE_NAMESPACE: "true"
    volumes:
      - ./data:/data
    depends_on:
      - db

  db:
    image: mysql:8.0
    environment:
      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD}"
      MYSQL_DATABASE: terrareg
      MYSQL_USER: terrareg
      MYSQL_PASSWORD: "${MYSQL_PASSWORD}"
    volumes:
      - ./mysql:/var/lib/mysql

Git-Based Module Sources

The simplest approach is to use Git repositories directly as module sources. Terraform natively supports sourcing modules from any Git repository — public or private — with tag-based versioning.

Setup Example

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

# Direct Git reference with version pinning
module "vpc" {
  source = "git::https://github.com/org/terraform-aws-vpc.git?ref=v3.2.0"
  
  name = "production-vpc"
  cidr = "10.0.0.0/16"
}

# SSH-based private repo access
module "database" {
  source = "git::ssh://git@github.com/org/terraform-aws-rds.git?ref=v2.1.0"
  
  engine = "postgres"
  version = "15"
}

# Using GitHub releases (for monorepo setups)
module "networking" {
  source = "github.com/org/terraform-modules.git//networking?ref=v1.0.0"
}

Benefits and Limitations

Git-based modules require zero additional infrastructure — if you already use Git, you have a module registry. However, discoverability suffers dramatically. Without a UI or search capability, teams must rely on documentation, naming conventions, and tribal knowledge to find modules. Version management is manual, and there is no automated dependency tracking or security scanning.

For small teams with fewer than 20 modules, Git-based sources work well. For organizations managing 50+ modules across multiple teams, a proper registry becomes essential.

Choosing the Right Approach

Boring Registry is ideal for teams that want a simple, standards-compliant registry that just works. It implements the full Terraform Registry API, making it a drop-in replacement for Terraform Cloud’s private registry. Choose it when you need provider hosting in addition to modules.

Terrareg suits organizations that want rich module discovery capabilities. Its web UI with search, README rendering, and namespace organization makes it the best choice for large teams with many modules. The built-in security scanning is a bonus for compliance-focused environments.

Git-Based sources remain the pragmatic choice for small teams and individual developers. If you have a handful of modules and your team knows where they live, Git is the simplest and most reliable option. It can also serve as the backend storage for tools like Terrareg, which uses Git as its source of truth.

For related reading, see our Terragrunt vs Atmos vs Terraspace IaC orchestration guide and our Atlantis vs Digger vs Terrateam PR automation comparison.

Why Self-Host Your Module Registry?

Data sovereignty is the primary driver — private modules describe your internal infrastructure topology, and hosting them on a public registry or third-party SaaS can expose sensitive architectural details. A self-hosted registry keeps this information within your network boundary.

Cost is another factor. Terraform Cloud’s private registry starts at $20 per user per month, which adds up quickly for large engineering organizations. Running Boring Registry or Terrareg on a $10/month VM serves unlimited users.

Finally, self-hosting provides control over module review processes. You can integrate your registry with your CI/CD pipeline, enforce automated testing on all module submissions, and maintain a curated catalog of approved infrastructure patterns. For organizations adopting platform engineering, a self-hosted module registry is a foundational component of the internal developer platform.

Deployment Architecture

A production-grade module registry deployment typically layers multiple components:

1
2
3
4
5
6
7
8

# Reverse proxy with TLS termination
# file: caddy/Caddyfile
terraform-modules.example.com {
    reverse_proxy terrareg:5000
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }
}

On the storage side, both Boring Registry and Terrareg support S3-compatible backends. Using MinIO as a self-hosted S3 gateway provides a fully air-gapped setup:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

# MinIO for module storage
services:
  minio:
    image: quay.io/minio/minio:latest
    command: server /data --console-address ":9001"
    environment:
      MINIO_ROOT_USER: admin
      MINIO_ROOT_PASSWORD: "${MINIO_PASSWORD}"
    volumes:
      - ./minio:/data
    ports:
      - "9000:9000"
      - "9001:9001"

Security Considerations for Module Registries

Securing your module registry is critical — it contains the blueprints for your entire cloud infrastructure. Implement API authentication for all registry endpoints: both Boring Registry and Terrareg support token-based authentication that you should enable from day one. For Git-based sources, use SSH keys with deploy keys scoped to specific repositories.

Network segmentation is equally important. Place your registry behind a reverse proxy with TLS termination, and restrict access to your internal network via firewall rules. If teams need remote access, use a VPN or SSH tunnel rather than exposing the registry directly to the internet.

Regularly audit your module registry access logs for unauthorized access attempts. Both Boring Registry and Terrareg log all API requests, making it straightforward to detect anomalous access patterns with standard log aggregation tools.

FAQ

Do I need a module registry for Terraform?

No, Terraform works perfectly with Git-sourced modules. However, a registry provides discoverability, version management, and automated documentation — all of which become essential as your module count grows beyond 20-30.

Can I use these registries with OpenTofu?

Yes. Both Boring Registry and Terrareg implement the standard Terraform Registry API, which OpenTofu also supports. OpenTofu’s init command is fully compatible with any registry that implements the module registry protocol.

How do I migrate from Git-based modules to a registry?

Start by indexing your existing modules in Terrareg (it can scan your Git repositories automatically). Update module source references gradually — Terraform allows migrating one module at a time. Run terraform state pull and terraform init after each change to verify.

What about provider hosting?

Boring Registry includes a full provider registry (hosting custom Terraform providers internally). Terrareg focuses exclusively on modules. If you build custom Terraform providers, Boring Registry is the better choice.

How does versioning work with self-hosted registries?

Both Boring Registry and Terrareg use Git tags for versioning — create a tag like v1.2.0 and the registry picks it up automatically. Semantic versioning is enforced by default. Terrareg additionally supports branch-based versioning for development modules.

Is there a performance impact?

Git-based modules require a full clone for each terraform init, which can be slow for large repositories with long histories. Registries serve pre-packaged module archives, making terraform init significantly faster — especially in CI/CD pipelines where you run init hundreds of times per day.

💰 想测试你的市场判断力?我用 Polymarket 做预测市场交易——这是全球最大的预测市场平台,从大选结果到技术监管时间线,什么都可以押注。和赌博不同,这是真正的信息市场:你懂的信息越多,胜率越高。我靠预测技术相关事件的走向已经赚了不少。用我的邀请链接注册:Polymarket.com