Overview
Organizations running self-hosted Terraform Cloud agents may operate in environments with strict outbound firewall policies that restrict internet access. In some regions and cloud environments (for example, Tencent Cloud environments operating within China), firewall policies may require explicit domain allowlisting and do not permit wildcard entries.
This can create challenges because Terraform Cloud agents communicate with several services and endpoints, some of which are normally documented using wildcard domains.
This article outlines the minimum known domains required and clarifies the current limitation regarding obtaining a complete non-wildcard domain list.
Environment
Self-Hosted Terraform Cloud Agents
Environments with strict outbound firewall policies
Infrastructure where wildcard domains are not permitted
Example: Tencent Cloud environments operating behind restricted internet gateways
Problem
When deploying Terraform Cloud agents in environments with strict firewall rules, outbound traffic from the agent may be blocked because the firewall only allows specific domain names and does not permit wildcard domain entries.
Administrators therefore require a complete list of exact domain names that must be allowed for Terraform Cloud agents to function correctly.
However, Terraform Cloud documentation typically references wildcard domains, which may not be compatible with these firewall restrictions.
Cause
Terraform Cloud relies on multiple services and third-party integrations for platform functionality, telemetry, feature flags, and user interface services. Many of these services are delivered through infrastructure that uses dynamic hostnames behind wildcard domains.
Because of this architecture, a comprehensive static list of exact domain names (without wildcards) is not currently available.
Solution / Workaround
Although a complete list of exact domain names cannot currently be provided, the following domains are required or commonly used by Terraform Cloud agents and should be allowlisted where possible.
Core Terraform Cloud API Endpoints
Allow access to the Terraform Cloud application endpoints:
app.terraform.io
app.eu.terraform.io (for EU region environments)
These endpoints are required for:
Agent registration
Run execution
Communication with Terraform Cloud APIs
Terraform Registry
Agents may need access to the Terraform Registry for provider and module downloads.
registry.terraform.io
Note that the registry serves provider and module metadata; the actual provider binaries are fetched from the download URLs the registry returns, which point to other hosts (for example releases.hashicorp.com for HashiCorp-maintained providers). Allowing the registry hostname alone may therefore not be sufficient for runs that install providers.
Supporting Services
Terraform Cloud also uses several third-party services for functionality such as search, feature flagging, and UI tooling.
These typically require wildcard access.
Algolia (Search Service)
*.algolia.net
CommandBar (UI Command Interface)
*.commandbar.com
LaunchDarkly (Feature Flagging Service)
LaunchDarkly endpoints are also commonly required. Refer to LaunchDarkly’s official documentation for their domain requirements.
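Because the supporting services are documented only as wildcard domains, one practical way to obtain exact hostnames for a firewall that rejects wildcards is to route the agent's outbound traffic through a logging egress proxy during a trial run (the agent honours the usual HTTPS_PROXY environment variable; that routing is an assumption of this example), harvest the hostnames from the proxy log, and compare them against the documented list. The script below is an added example, not HashiCorp code or part of this article: it reads constructed squid-style CONNECT log lines (the hostnames under the wildcard domains and the "telemetry.example.net" entry are made up for illustration and are not real Terraform Cloud endpoints), matches them against the documented allowlist with wildcard semantics, and reports which hosts are already covered by an exact entry, which are only covered by a wildcard and so need an exact rule, and which are not covered at all.

```python
import re
from collections import defaultdict

# Domains this article lists; the wildcard entries are what strict firewalls reject.
DOCUMENTED_ALLOWLIST = [
    "app.terraform.io",
    "app.eu.terraform.io",
    "registry.terraform.io",
    "*.algolia.net",
    "*.commandbar.com",
]

# Constructed sample of an egress proxy access log (squid-style CONNECT lines).
# The hosts under the wildcard domains and "telemetry.example.net" are made up
# for illustration; they are not real Terraform Cloud endpoints.
SAMPLE_LOG = """\
1700000000.101 45 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT app.terraform.io:443 - HIER_DIRECT/203.0.113.10 -
1700000000.205 31 10.0.0.5 TCP_TUNNEL/200 2048 CONNECT registry.terraform.io:443 - HIER_DIRECT/203.0.113.11 -
1700000000.310 12 10.0.0.5 TCP_TUNNEL/200 1024 CONNECT abcd1234-dsn.algolia.net:443 - HIER_DIRECT/203.0.113.12 -
1700000000.415 19 10.0.0.5 TCP_TUNNEL/200 1536 CONNECT api.commandbar.com:443 - HIER_DIRECT/203.0.113.13 -
1700000000.520 22 10.0.0.5 TCP_TUNNEL/200 4096 CONNECT app.terraform.io:443 - HIER_DIRECT/203.0.113.10 -
1700000000.625 17 10.0.0.5 TCP_DENIED/403 0 CONNECT telemetry.example.net:443 - HIER_NONE/- -
"""

CONNECT_RE = re.compile(r"\bCONNECT\s+([^\s:]+):(\d+)")


def hosts_from_proxy_log(lines):
    """Return the unique hostnames seen in CONNECT requests, in first-seen order."""
    seen = []
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            host = m.group(1).lower().rstrip(".")
            if host not in seen:
                seen.append(host)
    return seen


def entry_matches(entry, host):
    """Match one allowlist entry against a hostname.

    A wildcard entry "*.example.com" matches any host with at least one label
    before the suffix, but not the bare apex "example.com" itself.
    """
    entry = entry.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not entry.startswith("*."):
        return entry == host
    suffix = entry[1:]  # "*.algolia.net" -> ".algolia.net"
    return len(host) > len(suffix) and host.endswith(suffix)


def classify_host(host, allowlist):
    """Return (kind, entry) where kind is "exact", "wildcard" or "unlisted".

    Exact entries are checked first so a host covered by both is reported as exact.
    """
    exact = [e for e in allowlist if not e.startswith("*.")]
    wild = [e for e in allowlist if e.startswith("*.")]
    for e in exact:
        if entry_matches(e, host):
            return ("exact", e)
    for e in wild:
        if entry_matches(e, host):
            return ("wildcard", e)
    return ("unlisted", None)


def derive_exact_allowlist(lines, allowlist):
    """Split observed hosts into: already covered by an exact entry; covered only
    by a wildcard (these need an exact rule on a firewall that rejects wildcards);
    and not covered by the documented list at all (investigate before allowing)."""
    result = {"exact": [], "from_wildcard": defaultdict(list), "unlisted": []}
    for host in hosts_from_proxy_log(lines):
        kind, entry = classify_host(host, allowlist)
        if kind == "exact":
            result["exact"].append(host)
        elif kind == "wildcard":
            result["from_wildcard"][entry].append(host)
        else:
            result["unlisted"].append(host)
    result["exact"].sort()
    result["from_wildcard"] = {k: sorted(v) for k, v in sorted(result["from_wildcard"].items())}
    result["unlisted"].sort()
    return result


if __name__ == "__main__":
    report = derive_exact_allowlist(SAMPLE_LOG.splitlines(), DOCUMENTED_ALLOWLIST)
    print("Already covered by exact entries:", report["exact"])
    for pattern, hosts in report["from_wildcard"].items():
        print(f"Exact rules needed in place of {pattern}:", hosts)
    print("Not in the documented list:", report["unlisted"])
```

The hosts reported under a wildcard pattern are the ones observed during that particular run. Since the Cause section notes that these services sit behind dynamic hostnames, exact rules derived this way can stop matching when the hostname rotates, so re-run the collection periodically and treat any host in the "unlisted" bucket as something to verify with HashiCorp or the vendor rather than allow blindly.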
Current Limitation
At this time, HashiCorp does not provide a fully enumerated list of Terraform Cloud domains without wildcard usage. Internal verification confirms that the service architecture depends on wildcard-based domains and dynamic endpoints.