IMPORTANT: You are viewing a beta version of the official module to install Terraform Enterprise. This new version is incompatible with earlier versions, and it is not currently meant for production use. Please contact your Customer Success Manager for details before using.
This is a Terraform module for provisioning a Terraform Enterprise Cluster on Azure. Terraform Enterprise is our self-hosted distribution of Terraform Cloud. It offers enterprises a private instance of the Terraform Cloud application, with no resource limits and with additional enterprise-grade architectural features like audit logging and SAML single sign-on.
This module will install Terraform Enterprise on Azure according to the HashiCorp Reference Architecture. This module is intended to be used by practitioners seeking a Terraform Enterprise installation which requires minimal configuration in the Azure cloud.
As the goal for this main module is to provide a drop-in solution for installing Terraform Enterprise via the Golden Path it leverages Azure native solutions such as Azure Database for PostgreSQL and Azure Cache for Redis. We have provided guidance and limited examples for other use cases.
This module is intended to run in an Azure account with minimal preparation, however it does have the following prerequisites:
0.13
or greater to be installed on the running machine.var.is_replicated_deployment
is true
, a Terraform Enterprise license file is required, and it must be provided as a Base64 encoded secret in Azure Key Vault. Otherwise, the var.hc_license
can be provided as a string for Flexible Deployment Options.Resource groups
resource_group_name
, but it is not necessary. This existing resource group should also contain an existing DNS zone, Key Vault, and Key Vault Certificate unless stated in an example or otherwise required for a particular scenario.DNS
resource_group_name
or, if it exists in another resource group, resource_group_name_dns
domain_name
tfe_subdomain
tfe_subdomain
.domain_name
load_balancer_ip
Key Vault
az login
az account list
az account set --subscription="SUBSCRIPTION_ID"
terraform init
terraform plan
terraform apply
As stated in the prerequisites, there are a number of variables concerning certificates and secrets. This section provides additional context on the use of each of those variables.
All of the certificate and secret resources will expect to use the same key vault.
IMPORTANT: In order to keep PEM formatted secrets properly formatted,
they must be uploaded to Key Vault via Terraform (as the whole file or
via az keyvault secret set
). Uploading them manually through the Azure
Portal will result in newline formatting issues.
Variable Name | Variable Description | Explanation |
---|---|---|
load_balancer_certificate |
A PFX formatted certificate found in the Azure Key Vault | Required This certificate is used for TLS. We recommend using certificates signed by well known CA authorities. This certificate will be placed on the Application Gateway if that is your load balancing option. (Reference) |
vm_certificate |
A PFX formatted certificate found in the Azure Key Vault | Required This certificate is used for TLS. We recommend using certificates signed by well known CA authorities. This certificate will be placed on the TFE instance via the virtual machine scale set. (Reference) TFE will also use this certificate in its TlsBootstrap* settings via the user_data module. |
ca_certificate |
A PEM formatted certificate of a custom Certificate Authority (CA) public certificate found in the Azure Key Vault | Optional If TLS certificates in the deployment are signed by an unknown CA then this argument is required to enable end-to-end TLS. Reference |
Azure Bastion is used in this module to connect to the TFE instance. Additional information on connecting to a Linux instance using SSH through Azure Bastion is available here.
instance_user_name
and instance_private_key
Terraform outputsconnect
-> bastion
-> use bastion
instance_user_name
for username
SSH Private Key
as the authentication typeinstance_private_key
for ssh private key
connect
The TFE Console is only available in a standalone environment (vm_node_count == 1).
tfe_console_url
Terraform outputtfe_console_password
Terraform outputUnlock
login_url
Terraform output (it may take several minutes for this to be available after initial deployment - you may monitor the progress of cloud init if desired on one of the instances)username
, email
, and password
for the initial userCreate an account
tfe_application_url
Terraform outputThis code is released under the Mozilla Public License 2.0. Please see LICENSE for more details.