100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
HCL

Providers Explained

Providers are Terraform plugins that translate HCL resource definitions into API calls against a specific platform, such as AWS, Azure, GCP, or Kubernetes.

Terraform Core WorkflowBeginner8 min readJul 9, 2026
Analogies

Providers Explained

A provider is a plugin that Terraform uses to communicate with an external platform's API — AWS, Azure, Google Cloud, Kubernetes, GitHub, Datadog, Cloudflare, and hundreds of others. The provider translates generic Terraform operations (create, read, update, delete) into that platform's specific API calls, and translates the platform's responses back into Terraform's internal resource model. Without a provider, Terraform's core engine has no idea how to talk to any external system — providers are what make Terraform's plugin architecture extensible to virtually any API-driven service.

🏏

Cricket analogy: A provider is like a translator who converts a captain's tactical calls into the specific rules of whichever cricket board is hosting the match (ICC vs a domestic league), letting the same strategy work across different governing systems.

Declaring and Configuring Providers

A provider is declared in two places: first, in a required_providers block (typically inside the top-level terraform block) specifying its source address and version constraint, and second, in a provider block that configures how it should authenticate and which region or scope it should target. Multiple provider blocks for the same provider type can coexist using the alias argument, which is essential for multi-region or multi-account deployments — for example, provisioning resources in both us-east-1 and eu-west-1 from a single configuration.

🏏

Cricket analogy: It's like registering a player in the tournament roster (required_providers with version) and then assigning them a specific squad and role with an alias, letting the same player represent both the domestic team and the national team in different fixtures.

The Provider Registry

HashiCorp maintains the Terraform Registry (registry.terraform.io), which hosts both official providers (maintained by HashiCorp or the platform vendor directly, like hashicorp/aws or hashicorp/google) and community/partner providers. Each provider has its own versioned release cycle independent of the Terraform CLI itself, which is why pinning a version constraint (e.g. ~> 5.0) matters: a major version bump in a provider can introduce breaking changes to resource schemas even if your Terraform CLI version hasn't changed at all.

🏏

Cricket analogy: Like the ICC maintaining an official registry of certified coaches (official providers like hashicorp/aws) alongside independently certified regional coaches (community providers), each updating their certification on their own schedule independent of the tournament calendar.

Think of Terraform's core as a universal remote control and providers as the code libraries for each specific brand of TV. The remote knows generic concepts like 'power on' and 'change channel', but it needs the brand-specific library (provider) to know exactly which infrared signal accomplishes that for a Samsung versus a Sony television.

Provider Authentication

Each provider defines its own authentication mechanism, generally following that platform's native conventions rather than a Terraform-specific scheme. The aws provider, for instance, supports environment variables, shared credentials files, IAM instance profiles, and assumed roles via assume_role blocks. The azurerm provider supports Azure CLI authentication, service principals, and managed identities. Hardcoding credentials inside a provider block is technically possible but strongly discouraged for the same reasons as hardcoding them anywhere else in configuration.

🏏

Cricket analogy: Like each cricket board having its own accreditation process for umpires — some via written exams, others via apprenticeship — the aws provider supports multiple auth paths (env vars, credentials files, IAM roles) rather than one universal method.

Forgetting to pin a provider version constraint can cause terraform init to silently pull in a new major version of a provider on a fresh machine or CI run, potentially introducing breaking schema changes that cause plan or apply to fail unexpectedly in ways that didn't happen locally.

hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Default provider configuration (us-east-1)
provider "aws" {
  region = "us-east-1"
}

# Aliased provider for a second region
provider "aws" {
  alias  = "euwest"
  region = "eu-west-1"
}

resource "aws_instance" "primary" {
  provider      = aws
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.micro"
}

resource "aws_instance" "backup" {
  provider      = aws.euwest
  ami           = "ami-0d71ea3d7c0ce7a11"
  instance_type = "t3.micro"
}
  • Providers are plugins that translate Terraform's generic operations into a specific platform's API calls.
  • Providers are declared in required_providers (source + version) and configured in provider blocks.
  • The alias argument allows multiple configurations of the same provider, e.g. for multi-region deployments.
  • The Terraform Registry hosts official, partner, and community providers with independent versioning.
  • Each provider authenticates using that platform's native mechanisms, not a Terraform-specific scheme.
  • Always pin provider version constraints to avoid unexpected breaking changes from major version bumps.

Practice what you learned

Was this page helpful?

Topics covered

#HCL#TerraformInfrastructureAsCodeStudyNotes#DevOps#ProvidersExplained#Providers#Explained#Declaring#Configuring#StudyNotes#SkillVeris