docker_coder: preinstall Terraform providers via local mirror

[haobibo]

Motivation

• Terraform provider downloads fail in restricted/networked environments when attempting to pull from remote registries, causing image build or runtime failures.

Description

• Add setup_terraform_providers to docker_coder/work/script-setup-coder.sh to bootstrap a minimal main.tf, run terraform init and terraform providers mirror to mirror required providers into /opt/terraform-providers.
• Generate /etc/terraform.d/terraform.rc (and symlink /root/.terraformrc) to configure Terraform to prefer the local filesystem mirror and set a plugin cache directory at /opt/terraform-plugin-cache.
• Invoke setup_terraform_providers from docker_coder/coder.Dockerfile immediately after setup_terraform to bake providers into the image at build time.

Testing

• Run a shell syntax check with bash -n docker_coder/work/script-setup-coder.sh which completed successfully.

---

Codex Task

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1f83d7b567

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Allow direct fallback for mirrored providers

The provider_installation config excludes coder/coder, hashicorp/http, and kreuzwerker/docker from the direct source, so those providers can only be installed from the baked mirror. Because the mirror is populated once at image build time, any workspace that later requires a newer version than what was mirrored will fail terraform init even when network access is available, which undermines the stated goal to prefer (not require) the local mirror.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Expose Terraform mirror config to non-root users

The config is only linked into /root/.terraformrc, so Terraform runs under any non-root account will not pick up the new mirror/cache settings and will continue downloading providers from remote registries. In environments where this image is used with non-root workspace users, the preinstalled provider mirror is effectively unused.

Useful? React with 👍 / 👎.