Provider Configuration

Simfra uses AWS_ENDPOINT_URL, the standard environment variable supported by all AWS SDKs and the Terraform AWS provider since v5.0. This routes every service to Simfra on a single port - no endpoints {} block needed.

Prerequisites

  • Simfra running on localhost:4599 (see Installation)
  • Terraform 1.6+ with AWS Provider v5.0+

Environment Variables

Set these before running any Terraform command:

export AWS_ENDPOINT_URL=http://localhost:4599
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1
export AWS_S3_USE_PATH_STYLE=true

The AWS_S3_USE_PATH_STYLE=true variable is required because Simfra runs on localhost and cannot use virtual-hosted-style S3 bucket addressing (bucket.localhost does not resolve). This makes the SDK use path-style URLs (http://localhost:4599/bucket/key).

These are the default root account credentials. Override them via SIMFRA_ROOT_ACCESS_KEY_ID and SIMFRA_ROOT_SECRET_ACCESS_KEY on the Simfra side, or create IAM users with their own credentials.

Provider Block

provider "aws" {
  region = "us-east-1"
}

That is the complete configuration. No special flags, no endpoints {} block, no skip_* settings. Simfra validates credentials, responds to the metadata API, and returns a real account ID - just like AWS. The AWS_ENDPOINT_URL and AWS_S3_USE_PATH_STYLE environment variables handle everything at the SDK level, so your provider block is identical to what you'd use with real AWS.

Multiple Regions

Use provider aliases to work with multiple regions:

provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "eu"
  region = "eu-west-1"
}

resource "aws_s3_bucket" "us_bucket" {
  bucket = "my-us-bucket"
}

resource "aws_s3_bucket" "eu_bucket" {
  provider = aws.eu
  bucket   = "my-eu-bucket"
}

Each provider alias routes to the same Simfra instance. Simfra multiplexes accounts and regions on a single port - the SigV4 signature carries the target region.

HTTPS for Docker-Backed Services

When Docker is enabled (SIMFRA_DOCKER=true), services like ALB, API Gateway, CloudFront, and RDS expose HTTPS endpoints signed by Simfra's built-in CA. If your Terraform configuration references these HTTPS endpoints (for example, making HTTP requests to an ALB during provisioning), set AWS_CA_BUNDLE so the Terraform provider and any HTTP clients trust the CA:

export AWS_CA_BUNDLE=~/.simfra/ca/root-ca.crt

This is only needed when your Terraform code or provisioners connect to Docker-backed service endpoints over HTTPS. It is not needed for the Simfra API itself, which runs on HTTP.

Terraform Version Requirements

  • Terraform 1.6+ - required for AWS_ENDPOINT_URL support via the AWS provider.
  • AWS Provider v5.0+ - required for AWS_ENDPOINT_URL support. Earlier versions require the endpoints {} block.
  • OpenTofu - also supported. Simfra is provider-agnostic.

Example: Full Setup Script

#!/bin/bash
# Configure shell for Terraform + Simfra
set -e  # stop if terraform init fails, so apply never runs after a failed init

export AWS_ENDPOINT_URL=http://localhost:4599
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1
export AWS_S3_USE_PATH_STYLE=true

# Optional: trust Simfra CA for Docker-backed HTTPS services
# export AWS_CA_BUNDLE=~/.simfra/ca/root-ca.crt

terraform init
terraform apply
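
Because the provider block is identical to the one used with real AWS, the environment variables are the only thing that keeps a terraform apply on Simfra. The guard below is an added example, not part of Simfra or of the setup script above; the function names is_loopback_url and simfra_preflight are hypothetical, and it assumes Simfra listens on a loopback address as in the setup above.

```shell
# Added example (hypothetical helper names; not part of Simfra).
# Succeeds only for http(s) URLs whose host is localhost, 127.0.0.1 or [::1].
is_loopback_url() {
  case "$1" in
    http://*|https://*) ;;
    *) return 1 ;;
  esac
  lb_hostport=${1#*://}            # drop the scheme
  lb_hostport=${lb_hostport%%/*}   # drop any path
  case "$lb_hostport" in
    *@*) return 1 ;;               # userinfo, e.g. http://localhost@example.com
    localhost|localhost:*|127.0.0.1|127.0.0.1:*|"[::1]"|"[::1]":*) return 0 ;;
  esac
  return 1
}

# Returns 0 when it is safe to run Terraform against Simfra, 1 otherwise.
simfra_preflight() {
  if [ -z "${AWS_ENDPOINT_URL:-}" ]; then
    echo "refusing: AWS_ENDPOINT_URL is unset, so the SDK would call real AWS" >&2
    return 1
  fi
  if ! is_loopback_url "$AWS_ENDPOINT_URL"; then
    echo "refusing: AWS_ENDPOINT_URL is not loopback: $AWS_ENDPOINT_URL" >&2
    return 1
  fi
  # AWS SDKs also read service-specific AWS_ENDPOINT_URL_<SERVICE> variables,
  # which override the global one; collect any that point off-loopback.
  pf_bad=$(env | sed -n '/^AWS_ENDPOINT_URL_/p' |
    while IFS='=' read -r pf_name pf_value; do
      is_loopback_url "$pf_value" || echo "$pf_name"
    done)
  if [ -n "$pf_bad" ]; then
    echo "refusing: service endpoint override leaves loopback: $pf_bad" >&2
    return 1
  fi
  if [ "${AWS_S3_USE_PATH_STYLE:-}" != "true" ]; then
    echo "refusing: AWS_S3_USE_PATH_STYLE must be true for S3 on localhost" >&2
    return 1
  fi
  if [ -n "${AWS_CA_BUNDLE:-}" ] && [ ! -r "$AWS_CA_BUNDLE" ]; then
    echo "refusing: AWS_CA_BUNDLE is set but not readable: $AWS_CA_BUNDLE" >&2
    return 1
  fi
  return 0
}

# Usage: simfra_preflight && terraform apply
```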
