Configuration¶
Terralist supports multiple types of configuration:
- CLI arguments
  Set the option by passing it with the -- prefix on the CLI command (e.g. --port).
- Environment Variable
  Any option can be set using an environment variable. To do so, replace any dash (-) with an underscore (_), uppercase everything and add the TERRALIST_ prefix (e.g. TERRALIST_PORT).
- Configuration File
  Set all the options you want in a configuration file, then pass the path to the configuration file using the config option (--config argument or TERRALIST_CONFIG environment variable). Supported file formats: JSON, TOML, YAML, HCL, INI, envfile and Java Properties files.
It is also possible to mix those types.
Terralist also supports reading the environment at run-time. For example, if you only know the port value at run-time (e.g. you are running on Heroku), you can set the TERRALIST_PORT environment variable to ${PORT}; this instruction will inform Terralist to read the value, at run-time, from the environment variable called PORT. It is also possible to set a default value, in case the given one is not present, by using a colon (:), example: ${PORT:5758}.
Options¶
config¶
Path to YAML config file where flag values are set.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --config |
| env | TERRALIST_CONFIG |
log-level¶
The log level.
| Name | Value |
|---|---|
| type | select |
| choices | trace, debug, info, warn, error |
| required | no |
| default | info |
| cli | --log-level |
| env | TERRALIST_LOG_LEVEL |
port¶
The port to bind to.
| Name | Value |
|---|---|
| type | int |
| required | no |
| default | 5758 |
| cli | --port |
| env | TERRALIST_PORT |
url¶
The URL that Terralist is accessible from.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | http://localhost:5758 |
| cli | --url |
| env | TERRALIST_URL |
cert-file¶
The path to the certificate file (pem format).
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --cert-file |
| env | TERRALIST_CERT_FILE |
key-file¶
The path to the certificate key file (pem format).
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --key-file |
| env | TERRALIST_KEY_FILE |
metrics-port¶
Serve Prometheus metrics on a separate port. When set, /metrics is not exposed on the main port, preventing public access to metrics data. Set to 0 to serve metrics on the main port (not recommended for production).
| Name | Value |
|---|---|
| type | int |
| required | no |
| default | 9090 |
| cli | --metrics-port |
| env | TERRALIST_METRICS_PORT |
token-signing-secret¶
The secret to use when signing authorization tokens.
| Name | Value |
|---|---|
| type | string |
| required | yes |
| default | n/a |
| cli | --token-signing-secret |
| env | TERRALIST_TOKEN_SIGNING_SECRET |
rbac-policy-path¶
Path to the RBAC server-side policy.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --rbac-policy-path |
| env | TERRALIST_RBAC_POLICY_PATH |
rbac-default-role¶
The name of the RBAC role that should be assigned by default to all users.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | readonly |
| cli | --rbac-default-role |
| env | TERRALIST_RBAC_DEFAULT_ROLE |
master-api-key¶
A pre-shared API key with full administrative access for bootstrapping environments without requiring web UI login. When set, this key can be used via the X-API-Key header or the Authorization: Bearer x-api-key:<key> header to authenticate as an admin with unrestricted access to all resources and actions.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --master-api-key |
| env | TERRALIST_MASTER_API_KEY |
auth-token-expiration¶
The duration for which auth tokens remain valid.
| Name | Value |
|---|---|
| type | select |
| choices | 1d, 1w, 1m, 1y, never |
| required | no |
| default | 1d |
| cli | --auth-token-expiration |
| env | TERRALIST_AUTH_TOKEN_EXPIRATION |
oauth-provider¶
The OAuth 2.0 provider.
| Name | Value |
|---|---|
| type | select |
| choices | github, bitbucket, gitlab, oidc, saml |
| required | yes |
| default | n/a |
| cli | --oauth-provider |
| env | TERRALIST_OAUTH_PROVIDER |
oauth-preferred-email-domain¶
Preferred email domain for authentication. When set, providers that return multiple email addresses (GitHub, BitBucket) will select an email matching this domain instead of the primary email. Falls back to the primary email if no match is found.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --oauth-preferred-email-domain |
| env | TERRALIST_OAUTH_PREFERRED_EMAIL_DOMAIN |
gh-client-id¶
The GitHub OAuth Application client ID.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --gh-client-id |
| env | TERRALIST_GH_CLIENT_ID |
gh-client-secret¶
The GitHub OAuth Application client secret.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --gh-client-secret |
| env | TERRALIST_GH_CLIENT_SECRET |
gh-organization¶
The GitHub organization to use for user validation.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --gh-organization |
| env | TERRALIST_GH_ORGANIZATION |
gh-teams¶
The GitHub team slugs in CSV format to use for user validation. This requires gh-organization to be set.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --gh-teams |
| env | TERRALIST_GH_TEAMS |
gh-domain¶
The GitHub base domain if you are using GitHub Enterprise.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | github.com |
| cli | --gh-domain |
| env | TERRALIST_GH_DOMAIN |
bb-client-id¶
The BitBucket OAuth Application client ID.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --bb-client-id |
| env | TERRALIST_BB_CLIENT_ID |
bb-client-secret¶
The BitBucket OAuth Application client secret.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --bb-client-secret |
| env | TERRALIST_BB_CLIENT_SECRET |
bb-workspace¶
The BitBucket workspace to use for user validation.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --bb-workspace |
| env | TERRALIST_BB_WORKSPACE |
gl-client-id¶
The GitLab OAuth Application client ID.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --gl-client-id |
| env | TERRALIST_GL_CLIENT_ID |
gl-client-secret¶
The GitLab OAuth Application client secret.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --gl-client-secret |
| env | TERRALIST_GL_CLIENT_SECRET |
gl-host¶
The (self hosted) GitLab host to use. E.g. gitlab.mycompany.com:8443
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | gitlab.com |
| cli | --gl-host |
| env | TERRALIST_GL_HOST |
gl-groups¶
The names of the GitLab groups the user must be a member of. The list must be comma-separated with no spaces.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --gl-groups |
| env | TERRALIST_GL_GROUPS |
oi-client-id¶
The OpenID Connect client ID.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --oi-client-id |
| env | TERRALIST_OI_CLIENT_ID |
oi-client-secret¶
The OpenID Connect client secret.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --oi-client-secret |
| env | TERRALIST_OI_CLIENT_SECRET |
oi-host¶
The OpenID Connect issuer URL used for OIDC discovery. Terralist fetches authorization_endpoint, token_endpoint, userinfo_endpoint, and supported_scopes from /.well-known/openid-configuration. If discovery fails, or discovery does not provide one of the required endpoints, Terralist falls back to the corresponding manual OIDC endpoint flag when it is set. If the provider does not advertise scopes, or does not advertise all of Terralist's required scopes, Terralist logs a warning and continues. Prefer this over configuring all endpoints manually.
Recommended OIDC configuration:
```yaml
oauth-provider: "oidc"
oi-client-id: "${OIDC_CLIENT_ID}"
oi-client-secret: "${OIDC_CLIENT_SECRET}"
oi-host: "https://login.example.com/realms/platform"
```
Manual fallback configuration:
```yaml
oauth-provider: "oidc"
oi-client-id: "${OIDC_CLIENT_ID}"
oi-client-secret: "${OIDC_CLIENT_SECRET}"
oi-authorize-url: "https://login.example.com/realms/platform/protocol/openid-connect/auth"
oi-token-url: "https://login.example.com/realms/platform/protocol/openid-connect/token"
oi-userinfo-url: "https://login.example.com/realms/platform/protocol/openid-connect/userinfo"
```
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --oi-host |
| env | TERRALIST_OI_HOST |
oi-authorize-url¶
Fallback manual value for the OpenID Connect authorization endpoint. If discovery via oi-host provides this endpoint, the discovered value is used instead.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --oi-authorize-url |
| env | TERRALIST_OI_AUTHORIZE_URL |
oi-token-url¶
Fallback manual value for the OpenID Connect token endpoint. If discovery via oi-host provides this endpoint, the discovered value is used instead.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --oi-token-url |
| env | TERRALIST_OI_TOKEN_URL |
oi-userinfo-url¶
Fallback manual value for the OpenID Connect userinfo endpoint. If discovery via oi-host provides this endpoint, the discovered value is used instead.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --oi-userinfo-url |
| env | TERRALIST_OI_USERINFO_URL |
saml-display-name¶
The label displayed on the login button when SAML is enabled.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | SSO |
| cli | --saml-display-name |
| env | TERRALIST_SAML_DISPLAY_NAME |
saml-idp-metadata-url¶
URL to fetch Identity Provider metadata XML. Either this, saml-idp-metadata-file, or both saml-idp-entity-id and saml-idp-sso-url are required.
| Name | Value |
|---|---|
| type | string |
| required | conditional |
| default | n/a |
| cli | --saml-idp-metadata-url |
| env | TERRALIST_SAML_IDP_METADATA_URL |
saml-idp-metadata-file¶
Path to a local Identity Provider metadata XML file. Either this, saml-idp-metadata-url, or both saml-idp-entity-id and saml-idp-sso-url are required.
| Name | Value |
|---|---|
| type | string |
| required | conditional |
| default | n/a |
| cli | --saml-idp-metadata-file |
| env | TERRALIST_SAML_IDP_METADATA_FILE |
saml-idp-entity-id¶
Identity Provider entity ID for direct SAML configuration (without metadata URL/file). Must be used with saml-idp-sso-url.
| Name | Value |
|---|---|
| type | string |
| required | conditional |
| default | n/a |
| cli | --saml-idp-entity-id |
| env | TERRALIST_SAML_IDP_ENTITY_ID |
saml-idp-sso-url¶
Identity Provider Single Sign-On URL for direct SAML configuration (without metadata URL/file). Must be used with saml-idp-entity-id.
| Name | Value |
|---|---|
| type | string |
| required | conditional |
| default | n/a |
| cli | --saml-idp-sso-url |
| env | TERRALIST_SAML_IDP_SSO_URL |
saml-idp-sso-certificate¶
Identity Provider signing certificate (PEM). Required if certificate is not present in metadata.
| Name | Value |
|---|---|
| type | string |
| required | conditional |
| default | n/a |
| cli | --saml-idp-sso-certificate |
| env | TERRALIST_SAML_IDP_SSO_CERTIFICATE |
saml-name-attribute, saml-email-attribute, saml-groups-attribute¶
SAML attribute names used to map user identity and RBAC groups.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | displayName / email / n/a |
| cli | --saml-name-attribute, --saml-email-attribute, --saml-groups-attribute |
saml-cert-file, saml-key-file, saml-private-key-secret¶
Service Provider key material for signing requests and metadata.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --saml-cert-file, --saml-key-file, --saml-private-key-secret |
SAML timing and security flags¶
saml-http-client-timeout, saml-assertion-clock-skew, saml-request-id-expiration, saml-request-id-cleanup-interval, saml-metadata-refresh-interval, saml-metadata-refresh-check-interval, saml-max-assertion-age, saml-allow-idp-initiated, and saml-disable-request-id-validation control metadata refresh, replay protection, and assertion validity windows.
Refer to the dedicated guide for end-to-end examples: docs/user-guide/saml-configuration.md.
database-backend¶
The database backend.
| Name | Value |
|---|---|
| type | select |
| choices | sqlite, postgresql, mysql |
| required | no |
| default | sqlite |
| cli | --database-backend |
| env | TERRALIST_DATABASE_BACKEND |
postgres-url¶
The URL that can be used to connect to the PostgreSQL database.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --postgres-url |
| env | TERRALIST_POSTGRES_URL |
postgres-host¶
The host where the PostgreSQL database can be found.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --postgres-host |
| env | TERRALIST_POSTGRES_HOST |
postgres-port¶
The port on which the PostgreSQL database listens.
| Name | Value |
|---|---|
| type | int |
| required | no |
| default | n/a |
| cli | --postgres-port |
| env | TERRALIST_POSTGRES_PORT |
postgres-username¶
The username that can be used to authenticate to the PostgreSQL database.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --postgres-username |
| env | TERRALIST_POSTGRES_USERNAME |
postgres-password¶
The password that can be used to authenticate to the PostgreSQL database.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --postgres-password |
| env | TERRALIST_POSTGRES_PASSWORD |
postgres-database¶
The name of the schema in which application data should be stored.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --postgres-database |
| env | TERRALIST_POSTGRES_DATABASE |
mysql-url¶
The URL that can be used to connect to the MySQL database.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --mysql-url |
| env | TERRALIST_MYSQL_URL |
mysql-host¶
The host where the MySQL database can be found.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --mysql-host |
| env | TERRALIST_MYSQL_HOST |
mysql-port¶
The port on which the MySQL database listens.
| Name | Value |
|---|---|
| type | int |
| required | no |
| default | n/a |
| cli | --mysql-port |
| env | TERRALIST_MYSQL_PORT |
mysql-username¶
The username that can be used to authenticate to the MySQL database.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --mysql-username |
| env | TERRALIST_MYSQL_USERNAME |
mysql-password¶
The password that can be used to authenticate to the MySQL database.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --mysql-password |
| env | TERRALIST_MYSQL_PASSWORD |
mysql-database¶
The name of the schema in which application data should be stored.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --mysql-database |
| env | TERRALIST_MYSQL_DATABASE |
sqlite-path¶
The path to the SQLite database.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --sqlite-path |
| env | TERRALIST_SQLITE_PATH |
session-store¶
The session store backend. The cookie backend stores all session data in the browser cookie (subject to the 4KB cookie size limit). The database backend stores session data in the configured database and only places a session ID in the cookie, removing the size limit.
| Name | Value |
|---|---|
| type | select |
| choices | cookie, database |
| required | no |
| default | cookie |
| cli | --session-store |
| env | TERRALIST_SESSION_STORE |
If your users belong to many groups (e.g. large GitHub organizations with 100+ teams), use the database backend to avoid cookie size limits that cause authentication failures.
cookie-secret¶
The secret used for cookie signing. When using the cookie session store, this also encrypts the session data. When using the database session store, this signs the session ID cookie.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --cookie-secret |
| env | TERRALIST_COOKIE_SECRET |
modules-storage-resolver¶
The modules storage resolver.
| Name | Value |
|---|---|
| type | select |
| choices | proxy, local, s3, azure, gcs |
| required | no |
| default | proxy |
| cli | --modules-storage-resolver |
| env | TERRALIST_MODULES_STORAGE_RESOLVER |
providers-storage-resolver¶
The providers storage resolver.
| Name | Value |
|---|---|
| type | select |
| choices | proxy, local, s3, azure, gcs |
| required | no |
| default | proxy |
| cli | --providers-storage-resolver |
| env | TERRALIST_PROVIDERS_STORAGE_RESOLVER |
modules-anonymous-read¶
Allows anonymous read and download of modules.
| Name | Value |
|---|---|
| type | bool |
| required | no |
| default | false |
| cli | --modules-anonymous-read |
| env | TERRALIST_MODULES_ANONYMOUS_READ |
providers-anonymous-read¶
Allows anonymous read and download of providers.
| Name | Value |
|---|---|
| type | bool |
| required | no |
| default | false |
| cli | --providers-anonymous-read |
| env | TERRALIST_PROVIDERS_ANONYMOUS_READ |
s3-endpoint¶
The endpoint where the S3 SDK should connect. By default, Terralist will connect to the AWS S3 endpoint.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --s3-endpoint |
| env | TERRALIST_S3_ENDPOINT |
s3-bucket-name¶
The S3 bucket name.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --s3-bucket-name |
| env | TERRALIST_S3_BUCKET_NAME |
s3-bucket-region¶
The S3 bucket region.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --s3-bucket-region |
| env | TERRALIST_S3_BUCKET_REGION |
s3-bucket-prefix¶
A prefix to be added to the S3 bucket keys.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --s3-bucket-prefix |
| env | TERRALIST_S3_BUCKET_PREFIX |
s3-presign-expire¶
The number of minutes after which the presigned URLs should expire.
| Name | Value |
|---|---|
| type | int |
| required | no |
| default | 15 |
| cli | --s3-presign-expire |
| env | TERRALIST_S3_PRESIGN_EXPIRE |
s3-access-key-id¶
The AWS access key ID to access the S3 bucket.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --s3-access-key-id |
| env | TERRALIST_S3_ACCESS_KEY_ID |
s3-secret-access-key¶
The AWS secret access key to access the S3 bucket.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --s3-secret-access-key |
| env | TERRALIST_S3_SECRET_ACCESS_KEY |
s3-use-path-style¶
Set this to true to force the request to use path-style addressing (i.e. http://s3.amazonaws.com/BUCKET/KEY).
By default, the S3 client will use virtual hosted bucket addressing when possible (i.e. http://BUCKET.s3.amazonaws.com/KEY).
| Name | Value |
|---|---|
| type | bool |
| required | no |
| default | false |
| cli | --s3-use-path-style |
| env | TERRALIST_S3_USE_PATH_STYLE |
s3-server-side-encryption¶
The server-side encryption algorithm used when storing objects in Amazon S3.
| Name | Value |
|---|---|
| type | select |
| choices | none, AES256, aws:kms, aws:kms:dsse |
| required | no |
| default | AES256 |
| cli | --s3-server-side-encryption |
| env | TERRALIST_S3_SERVER_SIDE_ENCRYPTION |
s3-use-acls¶
Use S3 ACLs for access control. By default, Terralist relies on the S3 bucket configuration (e.g. via AWS S3 Bucket Policy) for enforcing the privacy of the artifacts.
| Name | Value |
|---|---|
| type | bool |
| required | no |
| default | false |
| cli | --s3-use-acls |
| env | TERRALIST_S3_USE_ACLS |
local-store¶
The path to a directory in which Terralist can store files.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | ~/.terralist.d |
| cli | --local-store |
| env | TERRALIST_LOCAL_STORE |
local-registry¶
Directory where locally stored module/provider artifacts are written when using the local resolver.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | ~/.terralist.d/registry |
| cli | --local-registry |
| env | TERRALIST_LOCAL_REGISTRY |
local-token-signing-secret¶
Secret used by local storage to sign JWT download tokens for /v1/files/*.
| Name | Value |
|---|---|
| type | string |
| required | yes when any storage resolver is local |
| default | n/a |
| cli | --local-token-signing-secret |
| env | TERRALIST_LOCAL_TOKEN_SIGNING_SECRET |
local-presign-expire¶
Number of minutes local download tokens remain valid.
| Name | Value |
|---|---|
| type | int |
| required | no |
| default | 15 |
| cli | --local-presign-expire |
| env | TERRALIST_LOCAL_PRESIGN_EXPIRE |
azure-account-name¶
The Azure account name.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --azure-account-name |
| env | TERRALIST_AZURE_ACCOUNT_NAME |
azure-account-key¶
The Azure account key.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --azure-account-key |
| env | TERRALIST_AZURE_ACCOUNT_KEY |
azure-container-name¶
The Azure container name.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --azure-container-name |
| env | TERRALIST_AZURE_CONTAINER_NAME |
azure-sas-expire¶
The number of minutes after which the Azure Shared Access Signature (SAS) should expire.
| Name | Value |
|---|---|
| type | int |
| required | no |
| default | 15 |
| cli | --azure-sas-expire |
| env | TERRALIST_AZURE_SAS_EXPIRE |
gcs-bucket-name¶
The GCS bucket name.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --gcs-bucket-name |
| env | TERRALIST_GCS_BUCKET_NAME |
gcs-bucket-prefix¶
A prefix to be added to the GCS bucket objects.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --gcs-bucket-prefix |
| env | TERRALIST_GCS_BUCKET_PREFIX |
gcs-sign-expire¶
The number of minutes after which the signed URLs should expire.
| Name | Value |
|---|---|
| type | int |
| required | no |
| default | 15 |
| cli | --gcs-sign-expire |
| env | TERRALIST_GCS_SIGN_EXPIRE |
gcs-service-account-cred-file-path¶
The path to the GCP Service Account key file used to access the GCS bucket. Leave empty to use the default credentials.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --gcs-service-account-cred-file-path |
| env | TERRALIST_GCS_SERVICE_ACCOUNT_CRED_FILE_PATH |
custom-company-name¶
A minor branding option for Terralist. The company name set by this option will appear on the login page.
| Name | Value |
|---|---|
| type | string |
| required | no |
| default | n/a |
| cli | --custom-company-name |
| env | TERRALIST_CUSTOM_COMPANY_NAME |
Example YAML configuration file¶
```yaml
# Try to read PORT from the environment variable, and if it's missing,
# fallback to 5758
port: "${PORT:5758}"
log-level: "debug"
oauth-provider: "github"
gh-client-id: "${GITHUB_OAUTH_CLIENT_ID}"
gh-client-secret: "${GITHUB_OAUTH_CLIENT_SECRET}"
# gh-organization is optional, you can set it to restrict access to the registry
# only to members of your GitHub organization
gh-organization: "my-org"
# gh-teams is optional, only users that are part of one of the teams will be able to access the registry
# gh-organization is required for gh-teams to work
# you must use the slug version of the team
gh-teams: "team-a,team-b"
token-signing-secret: "supersecretstring"
database-backend: "sqlite"
sqlite-path: "terralist.db"
# database-backend: "postgresql"
# postgres-url: "${DATABASE_URL:postgres://admin:admin@localhost:5678/public}"
# database-backend: "mysql"
# mysql-url: "admin:admin@tcp(localhost:3306)/terralist"
modules-storage-resolver: "s3" # or "azure"
providers-storage-resolver: "proxy"
s3-bucket-name: "my-bucket"
s3-bucket-region: "us-east-1"
s3-access-key-id: "${AWS_ACCESS_KEY_ID}"
s3-secret-access-key: "${AWS_SECRET_ACCESS_KEY}"
# azure-account-name: "Globally unique name of your storage account"
# azure-container-name: "Name of the container in the storage account"
# azure-account-key: "Access key of the storage account" # If not using DefaultAzureCredentials
# azure-sas-expire: 45 # The number of minutes after which the SAS should expire.
# local-store: "~/.terralist.d"
session-store: "cookie"
cookie-secret: "anothersupersecretstring"
```
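An added example, not part of the Terralist documentation or code base: a small Python audit that reads a flat YAML file like the one above and reports settings this page itself marks as sensitive, including secrets stored in the file instead of behind a ${NAME} reference. The function names, messages and sample file are constructed for this illustration, the parser handles only flat key: value lines, and it assumes the first colon in ${NAME:default} separates the name from the default.

```python
import re

# Options this page documents as holding secret material.
SECRET_KEYS = {
    "token-signing-secret", "local-token-signing-secret", "cookie-secret",
    "master-api-key", "gh-client-secret", "bb-client-secret",
    "gl-client-secret", "oi-client-secret", "saml-private-key-secret",
    "s3-secret-access-key", "azure-account-key",
    "postgres-password", "mysql-password",
}
DSN_KEYS = {"postgres-url", "mysql-url"}

LINE = re.compile(r'^([a-z0-9-]+):\s*(?:"([^"]*)"|\'([^\']*)\'|([^#]*))')
ENV_REF = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)(?::(.*))?\}$")
DSN_CREDS = re.compile(r"^(?:[a-z]+://)?[^:/@\s]+:[^@\s]+@")  # user:password@

# Constructed sample for this example, not a real deployment.
SAMPLE = """\
port: "${PORT:5758}"
oauth-provider: "github"
gh-client-id: "${GITHUB_OAUTH_CLIENT_ID}"
gh-client-secret: "${GITHUB_OAUTH_CLIENT_SECRET}"
gh-teams: "team-a,team-b"
token-signing-secret: "supersecretstring"
database-backend: "postgresql"
postgres-url: "${DATABASE_URL:postgres://admin:admin@localhost:5678/public}"
metrics-port: 0
auth-token-expiration: "never"
modules-storage-resolver: "local"  # no local-token-signing-secret set
providers-anonymous-read: true
cookie-secret: "${COOKIE_SECRET}"
"""

def parse_flat_yaml(text):
    """Parse the flat `key: value` subset used by the example file."""
    cfg = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())  # comment and blank lines do not match
        if m:
            cfg[m.group(1)] = next(g for g in m.groups()[1:] if g is not None).strip()
    return cfg

def literal_part(value):
    """Text stored in the file itself: the value, or the default of ${NAME:default}."""
    m = ENV_REF.match(value)
    return (m.group(2) or "") if m else value

def audit(cfg):
    """Return sorted (option, finding) pairs for a parsed configuration."""
    out = []
    for key, value in cfg.items():
        lit = literal_part(value)
        if key in SECRET_KEYS and lit:
            out.append((key, "secret value is stored in the file; use ${ENV_VAR}"))
        if key in DSN_KEYS and DSN_CREDS.match(lit):
            out.append((key, "database credentials are stored in the file"))
    if cfg.get("metrics-port") == "0":
        out.append(("metrics-port", "/metrics is served on the main port"))
    if cfg.get("auth-token-expiration") == "never":
        out.append(("auth-token-expiration", "auth tokens never expire"))
    for kind in ("modules", "providers"):
        if cfg.get(kind + "-anonymous-read", "").lower() == "true":
            out.append((kind + "-anonymous-read", "anonymous download is allowed"))
        if (cfg.get(kind + "-storage-resolver") == "local"
                and not cfg.get("local-token-signing-secret")):
            out.append(("local-token-signing-secret", "required by the local resolver"))
    if cfg.get("gh-teams") and not cfg.get("gh-organization"):
        out.append(("gh-teams", "requires gh-organization to be set"))
    return sorted(set(out))

if __name__ == "__main__":
    for option, finding in audit(parse_flat_yaml(SAMPLE)):
        print(f"{option}: {finding}")
```

A default inside ${NAME:default} is still text in the file, which is why the postgres-url line in the sample is reported while the gh-client-secret line is not.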