Skip to content
learn.tf

Terraform Provider

Terraform Providers are plugins that let Terraform talk to infrastructure platforms like AWS, Azure, and Google Cloud. Each provider translates your HCL configuration into the API calls that platform expects.

Providers handle the details of authenticating with a platform, mapping your resource definitions to its API, and tracking what exists so Terraform can plan changes accurately.

How Providers Work

Section titled “How Providers Work”

At their core, Terraform Providers operate as standalone programs that communicate with Terraform through its plugin system.

When you write Terraform configuration files, the Provider translates your desired infrastructure state into specific API calls that create, modify, or delete resources on your chosen platform. This happens seamlessly in the background, handling all the complexity of API interactions, authentication, and state management.

Provider Configuration

Section titled “Provider Configuration”

Configuring a Provider is typically straightforward but crucial for proper operation. Each Provider requires specific settings, such as authentication credentials, regions, and API endpoints. For example, when using the AWS Provider, you’ll need to specify the region and provide authentication details. These can be set through various methods, including environment variables, configuration files, or direct Provider blocks in your Terraform code.

Authentication and Security

Section titled “Authentication and Security”

Security is a paramount concern when working with Providers. Rather than hardcoding sensitive credentials directly in your Terraform files, Providers support multiple secure authentication methods. You can use environment variables, shared credential files, or platform-specific authentication mechanisms like IAM roles for AWS. This flexibility allows you to implement secure authentication practices while maintaining ease of use.

Multiple Provider Configurations

Section titled “Multiple Provider Configurations”

Sometimes you need to work with multiple instances of the same Provider, perhaps to manage resources in different regions or with different authentication credentials. Terraform supports this through Provider aliases, allowing you to maintain multiple configurations of the same Provider within a single Terraform project. This feature is particularly useful for multi-region deployments or when working with multiple accounts.

# Default AWS Provider (us-west-2)
provider "aws" {
  region = "us-west-2"
}


# Secondary AWS Provider for us-east-1
provider "aws" {
  alias  = "east"
  region = "us-east-1"
}


# Create EC2 instance in us-west-2 using the default AWS Provider
resource "aws_instance" "web_west" {
  ami           = "ami-0735c191cf914754d"
  instance_type = "t2.micro"
}


# Create EC2 instance in us-east-1
resource "aws_instance" "web_east" {
  provider      = aws.east
  ami           = "ami-0cff7528ff583bf9a"
  instance_type = "t2.micro"
}

Cross Platform Providers

Section titled “Cross Platform Providers”

Creating Providers for different platforms demonstrates one of Terraform’s most powerful capabilities: the ability to manage resources across multiple cloud Providers within a single configuration.

In practice, multi-cloud setups happen for a few common reasons: different teams already use different clouds, an acquisition brings in a second platform, or compliance rules require workloads in specific regions only one provider covers.

When that happens, managing everything through Terraform means one toolchain and one workflow instead of separate consoles and CLIs for each cloud.

Because every provider uses the same HCL syntax and workflow, your team writes infrastructure code the same way regardless of which cloud it targets.

In the below example, we’re simultaneously configuring infrastructure across AWS, Azure, and Google Cloud Platform (GCP).

# AWS Provider
provider "aws" {
  region = "us-west-2"
}


# Azure Provider
provider "azurerm" {
  features {}
}


# Google Cloud Provider
provider "google" {
  project = "my-project-id"
  region  = "us-central1"
}


# Create resources across different platforms
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}


resource "azurerm_virtual_network" "main" {
  name                = "main-network"
  resource_group_name = "my-resource-group"
  location           = "West Europe"
  address_space      = ["10.1.0.0/16"]
}


resource "google_compute_network" "main" {
  name                    = "main-network"
  auto_create_subnetworks = false
}

Version Management

Section titled “Version Management”

Provider versions are critical for maintaining stability in your infrastructure code. When you specify a Provider version, you ensure that your Terraform configurations continue to work as expected, even as Providers evolve and update.

Version constraints help you control when and how Provider updates are adopted, allowing you to balance between staying current and maintaining stability.

Version constraints allow precise control over which Provider versions Terraform can use.

These constraints can be exact ("= 4.0.0"), flexible ("~> 4.0"), or bounded (">= 4.0.0, < 5.0.0").

Each approach serves different needs: exact versions ensure complete consistency, while flexible constraints allow for automatic updates within safe boundaries.

Version management ensures consistency across team environments and deployments. When all team members use the same Provider version, they can expect identical behavior and results. This standardization reduces errors and simplifies troubleshooting.

While staying current with Provider versions is important for security and functionality, updates should be tested thoroughly before implementation in production. A systematic approach to version management helps maintain infrastructure stability while enabling teams to benefit from Provider improvements and security updates.

# Tighter constraint — patch releases only:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 6.0.0"  # Allows 6.0.x only (patch releases)
    }
  }
}


# Recommended — allows minor and patch releases:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 6.0"  # Allows 6.x.y (minor and patch releases within major version 6)
    }
  }
}

Conclusion

Section titled “Conclusion”

Providers translate your HCL configuration into API calls for each platform, handle authentication, and manage version compatibility. By pinning provider versions and configuring authentication securely, you get consistent results across environments and team members.