Terraform
Configure network access
This topic describes how to configure network settings to allow Terraform to send and receive traffic. Refer to Create deployment configuration overview for an overview of the configuration process.
Overview
You must configure the Linux instance that runs Terraform Enterprise to allow incoming network traffic across several ports. You must also configure Terraform Enterprise to access several external services so that Terraform can download and update resources.
Configure the following parameters in your deployment configuration file to configure network access:
- Ports for ingress traffic. The Terraform binary accepts traffic from the following sources:
- users
- clients
- VCS
- metrics
- TFE servers
- Egress destination endpoints. To run Terraform Enterprise in an airgapped environment, you must also whitelist the domains that serve the Terraform Enterprise image from the registry.
- For Docker deployments, you can also disable access to EC2 instance metadata service.
- Specify any optional network settings, such cloud provider API endpoints for cost estimation.
- Specify any specific network settings necessary for your environment, such as allowing traffic through firewalls.
Refer to environment variables configuration reference for information about all environment variables.
Define ingress settings
Specify the following values in your deployment configuration file to configure access into Terraform Enterprise. Refer to Configuration reference for information about all configuration settings.
Enable access from users, clients, and VCS
Specify the following variables in your deployment configuration file to enable ingress from users, clients, and the VCS:
TFE_HTTP_PORT
: Specifies the port for accessing Terraform Enterprise over HTTP. HTTP redirects to HTTPS. The default value is80
.TFE_HTTPS_PORT
: Specifies the port for accessing Terraform Enterprise over HTTPS. The default is443
.
Ports for Podman
Podman does not expose privileged ports. If you are deploying to Podman, specify the variables in the kube.yaml
pod specification file:
- name: "TFE_HTTP_PORT"
value: "8080"
- name: "TFE_HTTPS_PORT"
value: "8443"
You must also specify the port values in the kube.yaml
pod specification file:
"ports":
- "containerPort": 8080
"hostPort": 80
- "containerPort": 8443
"hostPort": 443
- "containerPort": 9090
"hostPort": 9090
Integrate with SaaS version control provider
To integrate with SaaS VCSs, such as GitHub.com, GitLab.com, Bitbucket Cloud, Azure DevOps Services, you must enable ingress from the public internet so that you can use inbound web hooks to reach Terraform Enterprise. Refer Webhooks for additional information.
You should also configure appropriate security controls, such as a web application firewall (WAF). Refer to your cloud provider documentation for instructions about deploying a WAF.
Enable requests for metrics
Specify the following variables in your deployment configuration file to enable Terraform Enterprise to receive requests for system metrics:
TFE_METRICS_HTTP_PORT
: TCP port on which Terraform Enterprise handles HTTP metrics requests. Default is9090
.TFE_METRICS_HTTPS_PORT
: TCP port on which Terraform Enterprise handles HTTPS metrics requests. Default is9091
.
The metrics endpoints are optional. You can enable metrics collection by setting TFE_METRICS_ENABLE
to true
.
Terraform Enterprise servers
If you plan to operate Terraform Enterprise in active-active
mode, forward requests to port 8201
to enable high availability requests from Vault.
Define egress settings
Add the following destination endpoints to your deployment configuration file so that Terraform can connect to external services.
HashiCorp container registry
https://images.releases.hashicorp.com
: The endpoint hosts release container images.https://helm.releases.hashicorp.com
: The endpoint hosts the helm chart for Kubernetes installation.
Domains to whitelist for airgapped environments
To run Terraform Enterprise in an airgapped environment, you must also whitelist the following domains. This because the service that provides the container image is globally routable and may come from any of the regions:
s3-r-w.us-east-1.amazonaws.com
s3-r-w.us-west-2.amazonaws.com
s3-r-w.eu-central-1.amazonaws.com
s3-r-w.eu-west-1.amazonaws.com
Note that the domains are owned by Amazon, not HashiCorp, and may change at any time. Refer to this documentation to verify the domains each time you run the deployment configuration.
HashiCorp service APIs
Terraform Enterprise calls the following hostnames unless you have supplied a custom Terraform bundle. Refer to Custom and Community Providers for additional information:
registry.terraform.io
releases.hashicorp.com
https://yy0ffni7mf-dsn.algolia.net/
: Specifies the API endpoint of the Terraform Registry's Algolia application. Terraform Enterprise uses Algolia to index resources in the registry and power the public search feature.reporting.hashicorp.services
: Specifies the license entitlement reporting API endpoint. Refer to Enable automated license reports for additional information.
Additional outbound network targets
Terraform Enterprise also needs egress access to the following systems:
- Any VCS servers and services you that you plan to use.
- Login or authentication servers if you want to enable ADFS, Okta, or other SAML services.
- Cloud API endpoints that you intend to manage with Terraform
- Third party services that you intend to integrate or manage with the Terraform Enterprise server.
Cost estimation APIs
When Cost Estimation is enabled, Terraform Enterprise uses the following cloud provider's APIs to get up-to-date pricing information:
Specify additional configuration settings
If a firewall is configured on the instance, run one of the following commands to allow traffic to flow out of the
docker0
interface to the instance's primary address. We recommend doing this before you install Docker.- To use UFW, run:
ufw allow in on docker0
- To use firewalld, run:
firewall-cmd --permanent --zone=trusted --change-interface=docker0
- To use UFW, run:
Get a domain name for the instance. Using an IP address to access the product is not supported as many systems use TLS and need to verify that the certificate is correct, which can only be done with a hostname at present.
For GCP only: Configure Docker to use an MTU (maximum transmission unit) of
1460
, as required by Google (GCP Cloud VPN Documentation: MTU Considerations).To configure Docker's MTU, create an
/etc/docker/daemon.json
file with the following content:{ "mtu": 1460 }
Ensure the Docker bridge network address is not in use elsewhere on the network. If it is, please refer to the Docker documentation for information on how to change it.
You may use the
TFE_RUN_PIPELINE_DOCKER_NETWORK
configuration to specify the network where the container used to execute Terraform runs will be created. The network must already exist; it will not be created automatically. Leave blank to use the default network. Defaults to""
.