Deploy Registry Credentials with Terraform

A registry stores the credentials Bahriya needs to pull images from a private container registry (Docker Hub, GitHub Container Registry, GitLab, etc.). Registries are scoped to your organisation and referenced by handle when creating containers.

Updated 23 Jun 2026 (2 min read)

Required fields

| Field | Type | Description |
|---|---|---|
| handle | string | A unique identifier. Released on delete (reusable). |
| name | string | A display name. |
| server | string | The registry hostname (e.g. ghcr.io, registry-1.docker.io). |
| username | string | Registry username or access token name. |
| password | string | Registry password or access token. Marked sensitive. |

Example

resource "bahriya_registry" "ghcr" {
  handle   = "ghcr"
  name     = "GitHub Container Registry"
  server   = "ghcr.io"
  username = var.ghcr_username
  password = var.ghcr_token
}

Reference it from a container:

resource "bahriya_container" "api" {
  # ... other fields ...
  image    = "ghcr.io/myorg/api:v1.0.0"
  registry = bahriya_registry.ghcr.handle
}

Common registries

| Registry | Server value |
|---|---|
| Docker Hub | registry-1.docker.io |
| GitHub Container Registry | ghcr.io |
| GitLab Container Registry | registry.gitlab.com |
| Google Artifact Registry | <region>-docker.pkg.dev |
| AWS ECR | <account>.dkr.ecr.<region>.amazonaws.com |

Variables for credentials

Keep credentials out of your .tf files:

variable "ghcr_username" {
  type = string
}
 
variable "ghcr_token" {
  type      = string
  sensitive = true
}

Set them via environment variables, a .tfvars file, or your CI/CD pipeline secrets.
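
A pre-commit style check for the pattern above, as an added example that is not part of the Bahriya documentation or provider: it flags bahriya_registry blocks whose password is a string literal or comes from a variable that is not declared sensitive. The function name lint_registry_passwords, the sample configuration and the regex-based parsing (which assumes terraform fmt layout) are assumptions made for illustration.

```python
import re

# Constructed sample (not from the page); other resource fields omitted.
SAMPLE_TF = '''
variable "ghcr_token" {
  type      = string
  sensitive = true
}
variable "hub_token" {
  type = string
}
resource "bahriya_registry" "ghcr" {
  password = var.ghcr_token
}
resource "bahriya_registry" "hub" {
  password = var.hub_token
}
resource "bahriya_registry" "gitlab" {
  password = "EXAMPLE-NOT-A-REAL-TOKEN"
}
'''

# Top-level blocks, assuming `terraform fmt` layout (closing brace in column 0).
BLOCK = re.compile(
    r'^(resource|variable)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{(.*?)^\}', re.S | re.M)

def lint_registry_passwords(tf_text):
    """Return (registry name, finding) pairs for bahriya_registry passwords."""
    sensitive_vars, registries = set(), []
    for kind, first, second, body in BLOCK.findall(tf_text):
        if kind == "variable" and re.search(r'^\s*sensitive\s*=\s*true\s*$', body, re.M):
            sensitive_vars.add(first)
        elif kind == "resource" and first == "bahriya_registry":
            registries.append((second, body))
    findings = []
    for name, body in registries:
        m = re.search(r'^\s*password\s*=\s*(.+?)\s*$', body, re.M)
        value = m.group(1) if m else ""
        ref = re.fullmatch(r'var\.(\w+)', value)
        if value.startswith('"'):      # credential written into the .tf file
            findings.append((name, "literal password"))
        elif ref and ref.group(1) not in sensitive_vars:
            findings.append((name, "variable %s not marked sensitive" % ref.group(1)))
    return findings

if __name__ == "__main__":
    for name, finding in lint_registry_passwords(SAMPLE_TF):
        print("bahriya_registry.%s: %s" % (name, finding))
```

Running it over the concatenated .tf files of a module before commit catches a token pasted into a registry block; it does not inspect .tfvars files or state.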

Notes

  • Registry handles are released on delete and can be reused.
  • The password field is sensitive. Terraform will not display it in plan output, and the API returns a masked sentinel on read. The real value is preserved in your Terraform state file — protect your state.
  • Registries are organisation-scoped, not project-scoped. Any container in the organisation can reference a registry by handle.