Skip to content

A Terraform module for provisioning and installing Terraform Enterprise on AWS EC2 as described in HashiCorp Validated Designs

License

Notifications You must be signed in to change notification settings

hashicorp/terraform-aws-terraform-enterprise-hvd

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Terraform Enterprise HVD on AWS EC2

Terraform module aligned with HashiCorp Validated Designs (HVD) to deploy Terraform Enterprise (TFE) on Amazon Web Services (AWS) using EC2 instances with a container runtime. This module defaults to deploying TFE in the active-active operational mode, but external is also supported. Docker and Podman are the supported container runtimes.

TFE architecture

Prerequisites

General

  • TFE license file (e.g. terraform.hclic)
  • Terraform CLI >= 1.9 installed on clients/workstations that will be used to deploy TFE
  • General understanding of how to use Terraform (Community Edition)
  • General understanding of how to use AWS
  • git CLI and Visual Studio Code editor installed on workstations are strongly recommended
  • AWS account that TFE will be deployed in with permissions to provision these resources via Terraform CLI
  • (Optional) AWS S3 bucket for S3 remote state backend that will be used to manage the Terraform state of this TFE deployment (out-of-band from the TFE application) via Terraform CLI (Community Edition)

Networking

  • AWS VPC ID and the following subnets:
    • Load balancer subnet IDs (can be the same as EC2 subnets if desirable)
    • EC2 (compute) subnet IDs
    • RDS (database) subnet IDs
    • Redis subnet IDs (can be the same as RDS subnets if desirable)
  • (Optional) S3 VPC endpoint configured within VPC
  • (Optional) AWS Route53 hosted zone for TFE DNS record creation
  • Chosen fully qualified domain name (FQDN) for your TFE instance (e.g. tfe.aws.example.com)

đź“ť Note: It is recommended to specify a minimum of two subnets for each subnet input to enable high availability.

Security groups

TLS certificates

  • TLS certificate (e.g. cert.pem) and private key (e.g. privkey.pem) that matches your chosen fully qualified domain name (FQDN) for TFE
    • TLS certificate and private key must be in PEM format
    • Private key must not be password protected
  • TLS certificate authority (CA) bundle (e.g. ca_bundle.pem) corresponding with the CA that issues your TFE TLS certificates
    • CA bundle must be in PEM format
    • You may include additional certificate chains corresponding to external systems that TFE will make outbound connections to (e.g. your self-hosted VCS, if its certificate was issued by a different CA than your TFE certificate).

đź“ť Note: All three of these files will be created as secrets in AWS Secrets Manager per the next section.

Secrets management

The following bootstrap secrets stored in AWS Secrets Manager in order to bootstrap the TFE deployment and installation:

  • TFE license file - raw contents of license file stored as a plaintext secret (e.g. cat terraform.hclic)
  • TFE encryption password - random characters stored as a plaintext secret (used to protect internally-managed Vault unseal key and root token)
  • TFE database password - used to create RDS Aurora (PostgreSQL) database cluster; random characters stored as a plaintext secret; value must be between 8 and 128 characters long and must not contain @, ", or / characters
  • TFE Redis password - used to create Redis (Elasticache Replication Group) cluster; random characters stored as a plaintext secret; value must be between 16 and 128 characters long and must not contain @, ", or / characters
  • TFE TLS certificate - file in PEM format, base64-encoded into a string, and stored as a plaintext secret
  • TFE TLS certificate private key - file in PEM format, base64-encoded into a string, and stored as a plaintext secret
  • TFE TLS CA bundle - file in PEM format , base64-encoded into a string, and stored as a plaintext secret

đź“ť Note: See the TFE Bootstrap Secrets doc for more details on how these secrets should be stored in AWS Secrets Manager.

Compute

Connecting to shell of EC2 instances

One of the following mechanisms for shell access to TFE EC2 instances:

  • EC2 SSH key pair
  • AWS SSM (can be enabled by setting ec2_allow_ssm boolean input variable to true)

Log forwarding (optional)

One of the following logging destinations:

  • AWS CloudWatch log group
  • AWS S3 bucket
  • A custom fluent bit configuration that will forward logs to custom destination

Usage

  1. Create/configure/validate the applicable prerequisites.

  2. Nested within the examples directory are subdirectories containing ready-made Terraform configurations for example scenarios on how to call and deploy this module. To get started, choose the example scenario that most closely matches your requirements. You can customize your deployment later by adding additional module inputs as you see fit (see the Deployment-Customizations doc for more details).

  3. Copy all of the Terraform files from your example scenario of choice into a new destination directory to create your Terraform configuration that will manage your TFE deployment. This is a common directory structure for managing multiple TFE deployments:

    .
    └── environments
        ├── production
        │   ├── backend.tf
        │   ├── main.tf
        │   ├── outputs.tf
        │   ├── terraform.tfvars
        │   └── variables.tf
        └── sandbox
            ├── backend.tf
            ├── main.tf
            ├── outputs.tf
            ├── terraform.tfvars
            └── variables.tf
    

    đź“ť Note: In this example, the user will have two separate TFE deployments; one for their sandbox environment, and one for their production environment. This is recommended, but not required.

  4. (Optional) Uncomment and update the S3 remote state backend configuration provided in the backend.tf file with your own custom values. While this step is highly recommended, it is technically not required to use a remote backend config for your TFE deployment.

  5. Populate your own custom values into the terraform.tfvars.example file that was provided (in particular, values enclosed in the <> characters). Then, remove the .example file extension such that the file is now named terraform.tfvars.

  6. Navigate to the directory of your newly created Terraform configuration for your TFE deployment, and run terraform init, terraform plan, and terraform apply.

  7. After your terraform apply finishes successfully, you can monitor the installation progress by connecting to your TFE EC2 instance shell via SSH or AWS SSM and observing the cloud-init (user_data) logs:

    Connecting to the EC2 instance

    SSH when ec2_os_distro is ubuntu:

    ssh -i /path/to/ec2_ssh_key_pair.pem ubuntu@<ec2-private-ip>

    SSH when ec2_os_distro is rhel or al2023:

    ssh -i /path/to/ec2_ssh_key_pair.pem ec2-user@<ec2-private-ip>

    Viewing the logs

    View the higher-level logs:

    tail -f /var/log/tfe-cloud-init.log

    View the lower-level logs:

    journalctl -xu cloud-final -f

    đź“ť Note: The -f argument is to follow the logs as they append in real-time, and is optional. You may remove the -f for a static view.

    Successful install log message

    The log files should display the following log message after the cloud-init (user_data) script finishes successfully:

    [INFO] tfe_user_data script finished successfully!
  8. After the cloud-init (user_data) script finishes successfully, while still connected to the TFE EC2 instance shell, you can check the health status of TFE:

    cd /etc/tfe
    sudo docker compose exec tfe tfe-health-check-status
  9. Follow the steps to create the TFE initial admin user.

Docs

Below are links to various docs related to the customization and management of your TFE deployment:

Module support

This open source software is maintained by the HashiCorp Technical Field Organization, independently of our enterprise products. While our Support Engineering team provides dedicated support for our enterprise offerings, this open source software is not included.

  • For help using this open source software, please engage your account team.
  • To report bugs/issues with this open source software, please open them directly against this code repository using the GitHub issues feature.

Please note that there is no official Service Level Agreement (SLA) for support of this software as a HashiCorp customer. This software falls under the definition of Community Software/Versions in your Agreement. We appreciate your understanding and collaboration in improving our open source projects.

Requirements

Name Version
terraform >= 1.9
aws ~> 5.73

Providers

Name Version
aws ~> 5.73

Resources

Name Type
aws_autoscaling_group.tfe resource
aws_db_parameter_group.tfe resource
aws_db_subnet_group.tfe resource
aws_elasticache_replication_group.redis_cluster resource
aws_elasticache_subnet_group.tfe resource
aws_iam_instance_profile.tfe_ec2 resource
aws_iam_policy.s3_crr resource
aws_iam_policy_attachment.s3_crr resource
aws_iam_role.s3_crr resource
aws_iam_role.tfe_ec2 resource
aws_iam_role_policy.tfe_ec2 resource
aws_iam_role_policy_attachment.aws_ssm resource
aws_launch_template.tfe resource
aws_lb.alb resource
aws_lb.nlb resource
aws_lb_listener.alb_443 resource
aws_lb_listener.lb_nlb_443 resource
aws_lb_target_group.alb_443 resource
aws_lb_target_group.nlb_443 resource
aws_rds_cluster.tfe resource
aws_rds_cluster_instance.tfe resource
aws_rds_cluster_parameter_group.tfe resource
aws_rds_global_cluster.tfe resource
aws_route53_record.alias_record resource
aws_s3_bucket.tfe resource
aws_s3_bucket_public_access_block.tfe resource
aws_s3_bucket_replication_configuration.tfe resource
aws_s3_bucket_server_side_encryption_configuration.tfe resource
aws_s3_bucket_versioning.tfe resource
aws_security_group.ec2_allow_egress resource
aws_security_group.ec2_allow_ingress resource
aws_security_group.lb_allow_egress resource
aws_security_group.lb_allow_ingress resource
aws_security_group.rds_allow_ingress resource
aws_security_group.redis_allow_ingress resource
aws_security_group_rule.ec2_allow_cidr_ingress_tfe_metrics_http resource
aws_security_group_rule.ec2_allow_cidr_ingress_tfe_metrics_https resource
aws_security_group_rule.ec2_allow_egress_all resource
aws_security_group_rule.ec2_allow_egress_dns_tcp resource
aws_security_group_rule.ec2_allow_egress_dns_udp resource
aws_security_group_rule.ec2_allow_egress_http resource
aws_security_group_rule.ec2_allow_egress_https resource
aws_security_group_rule.ec2_allow_egress_proxy_http resource
aws_security_group_rule.ec2_allow_egress_proxy_https resource
aws_security_group_rule.ec2_allow_egress_rds resource
aws_security_group_rule.ec2_allow_egress_redis resource
aws_security_group_rule.ec2_allow_egress_vault resource
aws_security_group_rule.ec2_allow_ingress_ssh resource
aws_security_group_rule.ec2_allow_ingress_tfe_https_from_lb resource
aws_security_group_rule.ec2_allow_ingress_vault resource
aws_security_group_rule.lb_allow_egress_all resource
aws_security_group_rule.lb_allow_ingress_tfe_https_from_cidr resource
aws_security_group_rule.lb_allow_ingress_tfe_https_from_ec2 resource
aws_security_group_rule.rds_allow_ingress_from_ec2 resource
aws_security_group_rule.redis_allow_ingress_from_ec2 resource
aws_ami.al2023 data source
aws_ami.rhel data source
aws_ami.selected data source
aws_ami.ubuntu data source
aws_availability_zones.available data source
aws_caller_identity.current data source
aws_cloudwatch_log_group.log_fwd data source
aws_ecr_repository.tfe_run_pipeline_image data source
aws_iam_policy_document.s3_crr data source
aws_iam_policy_document.s3_crr_assume_role data source
aws_iam_policy_document.tfe_ec2_allow_cloudwatch data source
aws_iam_policy_document.tfe_ec2_allow_cost_estimation data source
aws_iam_policy_document.tfe_ec2_allow_ebs_kms_cmk data source
aws_iam_policy_document.tfe_ec2_allow_get_redis_password_secret data source
aws_iam_policy_document.tfe_ec2_allow_rds_kms_cmk data source
aws_iam_policy_document.tfe_ec2_allow_redis_kms_cmk data source
aws_iam_policy_document.tfe_ec2_allow_s3 data source
aws_iam_policy_document.tfe_ec2_allow_s3_kms_cmk data source
aws_iam_policy_document.tfe_ec2_allow_s3_log_fwd data source
aws_iam_policy_document.tfe_ec2_assume_role data source
aws_iam_policy_document.tfe_ec2_combined data source
aws_iam_policy_document.tfe_ec2_ecr_image_pull data source
aws_iam_policy_document.tfe_ec2_get_enc_password_secret data source
aws_iam_policy_document.tfe_ec2_get_license_secret data source
aws_iam_policy_document.tfe_ec2_get_rds_password_secret data source
aws_iam_policy_document.tfe_ec2_get_tls_ca_bundle_secret data source
aws_iam_policy_document.tfe_ec2_get_tls_cert_secret data source
aws_iam_policy_document.tfe_ec2_get_tls_privkey_secret data source
aws_partition.current data source
aws_region.current data source
aws_route53_zone.tfe data source
aws_s3_bucket.log_fwd data source
aws_secretsmanager_secret_version.tfe_database_password data source
aws_secretsmanager_secret_version.tfe_redis_password data source

Inputs

Name Description Type Default Required
ec2_subnet_ids List of subnet IDs to use for the EC2 instance. Private subnets is the best practice here. list(string) n/a yes
friendly_name_prefix Friendly name prefix used for uniquely naming all AWS resources for this deployment. Most commonly set to either an environment (e.g. 'sandbox', 'prod'), a team name, or a project name. string n/a yes
lb_subnet_ids List of subnet IDs to use for the load balancer. If lb_is_internal is false, then these should be public subnets. Otherwise, these should be private subnets. list(string) n/a yes
rds_subnet_ids List of subnet IDs to use for RDS database subnet group. Private subnets is the best practice here. list(string) n/a yes
tfe_database_password_secret_arn ARN of AWS Secrets Manager secret for the TFE database password used to create RDS Aurora (PostgreSQL) database cluster. Secret type should be plaintext. Value of secret must be from 8 to 128 alphanumeric characters or symbols (excluding @, ", and /). string n/a yes
tfe_encryption_password_secret_arn ARN of AWS Secrets Manager secret for TFE encryption password. Secret type should be plaintext. string n/a yes
tfe_fqdn Fully qualified domain name (FQDN) of TFE instance. This name should resolve to the DNS name or IP address of the TFE load balancer and will be what clients use to access TFE. string n/a yes
tfe_license_secret_arn ARN of AWS Secrets Manager secret for TFE license file. Secret type should be plaintext. string n/a yes
tfe_tls_ca_bundle_secret_arn ARN of AWS Secrets Manager secret for private/custom TLS Certificate Authority (CA) bundle in PEM format. Secret must be stored as a base64-encoded string. Secret type should be plaintext. string n/a yes
tfe_tls_cert_secret_arn ARN of AWS Secrets Manager secret for TFE TLS certificate in PEM format. Secret must be stored as a base64-encoded string. Secret type should be plaintext. string n/a yes
tfe_tls_privkey_secret_arn ARN of AWS Secrets Manager secret for TFE TLS private key in PEM format. Secret must be stored as a base64-encoded string. Secret type should be plaintext. string n/a yes
vpc_id ID of VPC where TFE will be deployed. string n/a yes
additional_no_proxy Comma-separated list of domains, IP addresses, or CIDR ranges that TFE should bypass the proxy when making outbound requests, provided http_proxy or https_proxy are set. This list is in addition to automatically included addresses like RDS, S3, and Redis, which are dynamically added to no_proxy by the user_data script. Do not set if http_proxy and/or https_proxy are not configured. string null no
asg_health_check_grace_period The amount of time to wait for a new TFE EC2 instance to become healthy. If this threshold is breached, the ASG will terminate the instance and launch a new one. number 900 no
asg_instance_count Desired number of TFE EC2 instances to run in autoscaling group. Must be 1 when tfe_operational_mode is external. number 1 no
asg_max_size Max number of TFE EC2 instances to run in autoscaling group. Only valid when tfe_operational_mode is active-active. Value is hard-coded to 1 when tfe_operational_mode is external. number 3 no
cidr_allow_egress_ec2_dns List of destination CIDR ranges to allow TCP/53 and UDP/53 (DNS) outbound from TFE EC2 instances. Only set if you want to use custom DNS servers instead of the AWS-provided DNS resolver within your VPC. list(string) [] no
cidr_allow_egress_ec2_http List of destination CIDR ranges to allow TCP/80 outbound from TFE EC2 instances. list(string)
[
"0.0.0.0/0"
]
no
cidr_allow_egress_ec2_https List of destination CIDR ranges to allow TCP/443 outbound from TFE EC2 instances. Include the CIDR range of your VCS provider if you are configuring VCS integration with TFE. list(string)
[
"0.0.0.0/0"
]
no
cidr_allow_egress_ec2_proxy List of destination CIDR range(s) where proxy server exists. Required and only valid when http_proxy and/or https_proxy are set. list(string) null no
cidr_allow_ingress_ec2_ssh List of CIDR ranges to allow SSH ingress to TFE EC2 instance (i.e. bastion IP, client/workstation IP, etc.). list(string) [] no
cidr_allow_ingress_tfe_443 List of CIDR ranges to allow ingress traffic on port 443 to TFE server or load balancer. list(string)
[
"0.0.0.0/0"
]
no
cidr_allow_ingress_tfe_metrics_http List of CIDR ranges to allow TCP/9090 (HTTP) inbound to metrics endpoint on TFE EC2 instances. list(string) [] no
cidr_allow_ingress_tfe_metrics_https List of CIDR ranges to allow TCP/9091 (HTTPS) inbound to metrics endpoint on TFE EC2 instances. list(string) [] no
cloudwatch_log_group_name Name of CloudWatch Log Group to configure as log forwarding destination. Only valid when tfe_log_forwarding_enabled is true. string null no
common_tags Map of common tags for all taggable AWS resources. map(string) {} no
container_runtime Container runtime to use for TFE. Supported values are docker or podman. string "docker" no
create_route53_tfe_dns_record Boolean to create Route53 Alias Record for tfe_hostname resolving to Load Balancer DNS name. If true, route53_tfe_hosted_zone_name is also required. bool false no
custom_fluent_bit_config Custom Fluent Bit configuration for log forwarding. Only valid when tfe_log_forwarding_enabled is true and log_fwd_destination_type is custom. string null no
docker_version Version of Docker to install on TFE EC2 instances. Not applicable to Amazon Linux 2023 distribution (when ec2_os_distro is al2023). string "24.0.9" no
ebs_iops Amount of IOPS to configure when EBS volume type is gp3. Must be greater than or equal to 3000 and less than or equal to 16000. number 3000 no
ebs_is_encrypted Boolean to encrypt the EBS root block device of the TFE EC2 instance(s). An AWS managed key will be used when true unless a value is also specified for ebs_kms_key_arn. bool true no
ebs_kms_key_arn ARN of KMS customer managed key (CMK) to encrypt TFE EC2 EBS volumes. string null no
ebs_throughput Throughput (MB/s) to configure when EBS volume type is gp3. Must be greater than or equal to 125 and less than or equal to 1000. number 250 no
ebs_volume_size Size (GB) of the root EBS volume for TFE EC2 instances. Must be greater than or equal to 50 and less than or equal to 16000. number 50 no
ebs_volume_type EBS volume type for TFE EC2 instances. string "gp3" no
ec2_allow_all_egress Boolean to allow all egress traffic from TFE EC2 instances. bool false no
ec2_allow_ssm Boolean to attach the AmazonSSMManagedInstanceCore policy to the TFE instance role, allowing the SSM agent (if present) to function. bool false no
ec2_ami_id Custom AMI ID for TFE EC2 launch template. If specified, value of ec2_os_distro must coincide with this custom AMI OS distro. string null no
ec2_instance_size EC2 instance type for TFE EC2 launch template. string "m7i.xlarge" no
ec2_os_distro Linux OS distribution type for TFE EC2 instance. Choose from al2023, ubuntu, rhel, centos. string "ubuntu" no
ec2_ssh_key_pair Name of existing SSH key pair to attach to TFE EC2 instance. string null no
http_proxy Proxy address (including port number) for TFE to use for outbound HTTP requests (e.g. http://proxy.example.com:3128). string null no
https_proxy Proxy address (including port number) for TFE to use for outbound HTTPS requests (e.g. http://proxy.example.com:3128). string null no
is_secondary_region Boolean indicating whether this TFE deployment is in the primary or secondary (replica) region. bool false no
lb_is_internal Boolean to create an internal (private) load balancer. The lb_subnet_ids must be private subnets when this is true. bool true no
lb_type Indicates which type of AWS load balancer is created: Application Load Balancer (alb) or Network Load Balancer (nlb). string "nlb" no
log_fwd_destination_type Type of log forwarding destination for Fluent Bit. Supported values are s3, cloudwatch, or custom. string "cloudwatch" no
rds_apply_immediately Boolean to apply changes immediately to RDS cluster instance. bool true no
rds_aurora_engine_mode RDS Aurora database engine mode. string "provisioned" no
rds_aurora_engine_version Engine version of RDS Aurora PostgreSQL. number 16.2 no
rds_aurora_instance_class Instance class of Aurora PostgreSQL database. string "db.r6i.xlarge" no
rds_aurora_replica_count Number of replica (reader) cluster instances to create within the RDS Aurora database cluster (within the same region). number 1 no
rds_availability_zones List of AWS availability zones to spread Aurora database cluster instances across. Leave as null and RDS will automatically assign 3 availability zones. list(string) null no
rds_backup_retention_period The number of days to retain backups for. Must be between 0 and 35. Must be greater than 0 if the database cluster is used as a source of a read replica cluster. number 35 no
rds_deletion_protection Boolean to enable deletion protection for RDS global cluster. bool false no
rds_force_destroy Boolean to enable the removal of RDS database cluster members from RDS global cluster on destroy. bool false no
rds_global_cluster_id ID of RDS global cluster. Only required only when is_secondary_region is true, otherwise leave as null. string null no
rds_kms_key_arn ARN of KMS customer managed key (CMK) to encrypt TFE RDS cluster. string null no
rds_parameter_group_family Family of Aurora PostgreSQL DB Parameter Group. string "aurora-postgresql16" no
rds_performance_insights_enabled Boolean to enable performance insights for RDS cluster instance(s). bool true no
rds_performance_insights_retention_period Number of days to retain RDS performance insights data. Must be between 7 and 731. number 7 no
rds_preferred_backup_window Daily time range (UTC) for RDS backup to occur. Must not overlap with rds_preferred_maintenance_window. string "04:00-04:30" no
rds_preferred_maintenance_window Window (UTC) to perform RDS database maintenance. Must not overlap with rds_preferred_backup_window. string "Sun:08:00-Sun:09:00" no
rds_replication_source_identifier ARN of source RDS cluster or cluster instance if this database cluster is to be created as a read replica. Only required when is_secondary_region is true, otherwise leave as null. string null no
rds_skip_final_snapshot Boolean to enable RDS to take a final database snapshot before destroying. bool false no
rds_source_region Source region for RDS cross-region replication. Only required when is_secondary_region is true, otherwise leave as null. string null no
rds_storage_encrypted Boolean to encrypt RDS storage. An AWS managed key will be used when true unless a value is also specified for rds_kms_key_arn. bool true no
redis_apply_immediately Boolean to apply changes immediately to Redis cluster. bool true no
redis_at_rest_encryption_enabled Boolean to enable encryption at rest on Redis cluster. An AWS managed key will be used when true unless a value is also specified for redis_kms_key_arn. bool true no
redis_auto_minor_version_upgrade Boolean to enable automatic minor version upgrades for Redis cluster. bool true no
redis_automatic_failover_enabled Boolean for deploying Redis nodes in multiple availability zones and enabling automatic failover. bool true no
redis_engine_version Redis version number. string "7.1" no
redis_kms_key_arn ARN of KMS customer managed key (CMK) to encrypt Redis cluster with. string null no
redis_multi_az_enabled Boolean to create Redis nodes across multiple availability zones. If true, redis_automatic_failover_enabled must also be true, and more than one subnet must be specified within redis_subnet_ids. bool true no
redis_node_type Type (size) of Redis node from a compute, memory, and network throughput standpoint. string "cache.m5.large" no
redis_parameter_group_name Name of parameter group to associate with Redis cluster. string "default.redis7" no
redis_port Port number the Redis nodes will accept connections on. number 6379 no
redis_subnet_ids List of subnet IDs to use for Redis cluster subnet group. Private subnets is the best practice here. list(string) [] no
redis_transit_encryption_enabled Boolean to enable TLS encryption between TFE and the Redis cluster. bool true no
route53_tfe_hosted_zone_is_private Boolean indicating if route53_tfe_hosted_zone_name is a private hosted zone. bool false no
route53_tfe_hosted_zone_name Route53 Hosted Zone name to create tfe_hostname Alias record in. Required if create_route53_tfe_dns_record is true. string null no
s3_destination_bucket_arn ARN of destination S3 bucket for cross-region replication configuration. Bucket should already exist in secondary region. Required when s3_enable_bucket_replication is true. string "" no
s3_destination_bucket_kms_key_arn ARN of KMS key of destination S3 bucket for cross-region replication configuration if it is encrypted with a customer managed key (CMK). string null no
s3_enable_bucket_replication Boolean to enable cross-region replication for TFE S3 bucket. Do not enable when is_secondary_region is true. An s3_destination_bucket_arn is also required when true. bool false no
s3_kms_key_arn ARN of KMS customer managed key (CMK) to encrypt TFE S3 bucket with. string null no
s3_log_fwd_bucket_name Name of S3 bucket to configure as log forwarding destination. Only valid when tfe_log_forwarding_enabled is true. string null no
tfe_alb_tls_certificate_arn ARN of existing TFE TLS certificate imported in ACM to be used for application load balancer (ALB) HTTPS listeners. Required when lb_type is alb. string null no
tfe_capacity_concurrency Maximum number of concurrent Terraform runs to allow on a TFE node. number 10 no
tfe_capacity_cpu Maximum number of CPU cores that a Terraform run is allowed to consume in TFE. Set to 0 for no limit. number 0 no
tfe_capacity_memory Maximum amount of memory (in MiB) that a Terraform run is allowed to consume in TFE. number 2048 no
tfe_cost_estimation_iam_enabled Boolean to add AWS pricing actions to TFE IAM instance profile for cost estimation feature. string true no
tfe_database_name Name of TFE database to create within RDS global cluster. string "tfe" no
tfe_database_parameters PostgreSQL server parameters for the connection URI. Used to configure the PostgreSQL connection. string "sslmode=require" no
tfe_database_user Username for TFE RDS database cluster. string "tfe" no
tfe_hairpin_addressing Boolean to enable hairpin addressing for layer 4 load balancer with loopback prevention. Must be true when lb_type is nlb and lb_is_internal is true. bool true no
tfe_image_name Name of the TFE container image. Only set this if you are hosting the TFE container image in your own custom repository. string "hashicorp/terraform-enterprise" no
tfe_image_repository_password Password for container registry where TFE container image is hosted. Leave as null if using the default TFE registry as the default password is the TFE license. string null no
tfe_image_repository_url Repository for the TFE image. Only change this if you are hosting the TFE container image in your own custom repository. string "images.releases.hashicorp.com" no
tfe_image_repository_username Username for container registry where TFE container image is hosted. string "terraform" no
tfe_image_tag Tag for the TFE image. This represents the version of TFE to deploy. string "v202407-1" no
tfe_license_reporting_opt_out Boolean to opt out of TFE license reporting. bool false no
tfe_log_forwarding_enabled Boolean to enable TFE log forwarding feature. bool false no
tfe_metrics_enable Boolean to enable TFE metrics endpoints. bool false no
tfe_metrics_http_port HTTP port for TFE metrics scrape. number 9090 no
tfe_metrics_https_port HTTPS port for TFE metrics scrape. number 9091 no
tfe_object_storage_s3_access_key_id Access key ID for S3 bucket. Required when tfe_object_storage_s3_use_instance_profile is false. string null no
tfe_object_storage_s3_secret_access_key Secret access key for S3 bucket. Required when tfe_object_storage_s3_use_instance_profile is false. string null no
tfe_object_storage_s3_use_instance_profile Boolean to use TFE instance profile for S3 bucket access. If false, tfe_object_storage_s3_access_key_id and tfe_object_storage_s3_secret_access_key are required. bool true no
tfe_operational_mode Operational mode for TFE. Valid values are active-active or external. string "active-active" no
tfe_redis_password_secret_arn ARN of AWS Secrets Manager secret for the TFE Redis password used to create Redis (Elasticache Replication Group) cluster. Secret type should be plaintext. Value of secret must be from 16 to 128 alphanumeric characters or symbols (excluding @, ", and /). string null no
tfe_run_pipeline_docker_network Docker network where the containers that execute Terraform runs will be created. The network must already exist, it will not be created automatically. Leave as null to use the default network created by TFE. string null no
tfe_run_pipeline_image Name of the Docker image to use for the run pipeline driver. string null no
tfe_run_pipeline_image_ecr_repo_name Name of the AWS ECR repository containing your custom TFE run pipeline image. string null no
tfe_tls_enforce Boolean to enforce TLS. bool false no
tfe_vault_disable_mlock Boolean to disable mlock for internal Vault. bool false no

Outputs

Name Description
elasticache_replication_group_arn ARN of ElastiCache Replication Group (Redis) cluster.
elasticache_replication_group_id ID of ElastiCache Replication Group (Redis) cluster.
elasticache_replication_group_primary_endpoint_address Primary endpoint address of ElastiCache Replication Group (Redis) cluster.
lb_dns_name DNS name of the Load Balancer.
rds_aurora_cluster_arn ARN of RDS Aurora database cluster.
rds_aurora_cluster_endpoint RDS Aurora database cluster endpoint.
rds_aurora_cluster_members List of instances that are part of this RDS Aurora database cluster.
rds_aurora_global_cluster_id RDS Aurora global database cluster identifier.
s3_bucket_arn ARN of TFE S3 bucket.
s3_bucket_name Name of TFE S3 bucket.
s3_crr_iam_role_arn ARN of S3 cross-region replication IAM role.
tfe_create_initial_admin_user_url URL to create TFE initial admin user.
tfe_database_host PostgreSQL server endpoint in the format that TFE will connect to.
tfe_url URL to access TFE application based on value of tfe_fqdn input.

About

A Terraform module for provisioning and installing Terraform Enterprise on AWS EC2 as described in HashiCorp Validated Designs

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages

No packages published