Pull OpenTofu Modules Directly from OCI Registries in Scalr
Scalr now integrates with Docker-compatible OCI registries: store credentials once, and every plan and apply run can pull OpenTofu modules over oci:// without touching your code.
Pull OpenTofu Modules Directly from OCI Registries in Scalr
OpenTofu's oci:// module source scheme lets you store and version Terraform modules as OCI artifacts alongside your container images. The new OCI registry integration in Scalr closes the credentials gap: store your registry credentials once in Scalr, and every plan and apply run can authenticate with your private registry automatically. There is no need for environment variables, no hardcoded secrets, no per-workspace configuration.
How It Works
When you create a Docker-compatible registry integration and enable Export credentials, Scalr encrypts the credentials at rest and injects them into the Docker auth configuration on each run. When tofu init encounters an oci:// source, it finds the credentials already in place and pulls the module without any additional setup.
module "networking" {
source = "oci://ghcr.io/your-org/terraform-networking?tag=1.4.0"
}That's all the change required in your configuration. The credential injection happens at the platform level, invisible to the workspace consumer.
Supported Registries
The integration works with any registry that speaks the Docker Registry HTTP API V2 with username/password or PAT authentication:
- Docker Hub (
https://registry-1.docker.io) - GitHub Container Registry (
https://ghcr.io) - GitLab Container Registry (
https://registry.gitlab.com) - JFrog Artifactory (
https://<your-subdomain>.jfrog.io) - Any other Docker-compatible private registry
One caveat worth knowing upfront: registries that require provider-specific auth flows, like Amazon ECR, Azure ACR, and Google Artifact Registry, are not yet supported.
Setting It Up
The setup is three steps for any of the supported registries:
- Generate a PAT in your registry with at least read access to the repository holding your modules.
- Create the integration in Scalr under Account → Integrations → Docker registry. Enter the registry URL, username, and PAT, and enable Export credentials.
- Reference your modules using the
oci://source scheme in your OpenTofu configurations.
One integration per registry host is all you need. Scalr injects a single credential set per host per run, so if you're pulling from multiple registries, create one integration for each.
Credentials Stay Out of Your Code
The credentials are encrypted at rest and never returned in API responses. There's nothing to rotate in your workspaces when a token changes — update the integration once and every run picks it up automatically. The same RBAC model that governs other account-scoped integrations in Scalr controls who can create, update, or delete registry credentials.
For setup details per registry, see the OCI Registry documentation.