IMPORTANT: You are viewing a beta version of the official module to install Terraform Enterprise. This new version is incompatible with earlier versions, and it is not currently meant for production use. Please contact your Customer Success Manager for details before using.
This is a Terraform module for provisioning a Terraform Enterprise Cluster on Azure. Terraform Enterprise is our self-hosted distribution of Terraform Cloud. It offers enterprises a private instance of the Terraform Cloud application, with no resource limits and with additional enterprise-grade architectural features like audit logging and SAML single sign-on.
This module will install Terraform Enterprise on Azure according to the HashiCorp Reference Architecture. This module is intended to be used by practitioners seeking a Terraform Enterprise installation which requires minimal configuration in the Azure cloud.
As the goal for this main module is to provide a drop-in solution for installing Terraform Enterprise via the Golden Path it leverages Azure native solutions such as Azure Database for PostgreSQL and Azure Cache for Redis. We have provided guidance and limited examples for other use cases.
This module is intended to run in an Azure account with minimal preparation, however it does have the following prerequisites:
- This module requires Terraform version
0.13
or greater to be installed on the running machine.
- A Terraform Enterprise license file is required, and it must be provided as a Base64 encoded secret in Azure Key Vault.
-
Resource groups
- An existing resource group can be supplied for
resource_group_name
, but it is not necessary. This existing resource group should also contain an existing DNS zone, Key Vault, and Key Vault Certificate unless stated in an example or otherwise required for a particular scenario.
- An existing resource group can be supplied for
-
DNS
- If you are managing DNS via Azure DNS:
- Existing resource group with DNS zone should be supplied as
resource_group_name
or, if it exists in another resource group,resource_group_name_dns
- Existing DNS zone should exist matching
domain_name
- Desired subdomain should be supplied as
tfe_subdomain
- DNS record will be created as
tfe_subdomain
.domain_name
- Existing resource group with DNS zone should be supplied as
- If you are managing DNS outside of Azure DNS:
- Module will output resulting load balancer or application gateway IP address as
load_balancer_ip
- You must configured external DNS record for the aforementioned IP address
- Module will output resulting load balancer or application gateway IP address as
- If you are managing DNS via Azure DNS:
-
Key Vault
- The Key Vault should have enabled access for deployment for Azure Virtual Machines, as the virtual machines will pull the certificate (and secrets, if applicable) from Key Vault.
- Azure Active Directory
- Azure Application Gateway
- Azure Bastion
- Azure Blob Storage
- Azure Cache for Redis
- Azure Database for PostgreSQL
- Azure DNS
- Azure Key Vault
- Azure Load Balancer
- Azure Virtual Machines
- Azure Virtual Network
- Azure Resource Groups
- Clone repository to local machine
- Change directory into desired example (such as ./examples/active_active)
- Replace license file (./files/license.rli) with your own using the same name or modify tfe_license_filepath variable with appropriate local path
- Authenticate against provider
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/azure_cli
az login
az account list
az account set --subscription="SUBSCRIPTION_ID"
terraform init
terraform plan
terraform apply
As stated in the prerequisites, there are a number of variables concerning certificates and secrets. This section provides additional context on the use of each of those variables.
-
All of the certificate and secret resources will expect to use the same key vault.
-
IMPORTANT: In order to keep PEM formatted secrets properly formatted, they must be uploaded to Key Vault via Terraform (as the whole file or via
az keyvault secret set
). Uploading them manually through the Azure Portal will result in newline formatting issues.
Variable Name | Variable Description | Explanation |
---|---|---|
load_balancer_certificate |
A PFX formatted certificate found in the Azure Key Vault | Required This certificate is used for TLS. We recommend using certificates signed by well known CA authorities. This certificate will be placed on the Application Gateway if that is your load balancing option. (Reference) |
vm_certificate |
A PFX formatted certificate found in the Azure Key Vault | Required This certificate is used for TLS. We recommend using certificates signed by well known CA authorities. This certificate will be placed on the TFE instance via the virtual machine scale set. (Reference) TFE will also use this certificate in its TlsBootstrap* settings via the user_data module. |
ca_certificate |
A PEM formatted certificate of a custom Certificate Authority (CA) public certificate found in the Azure Key Vault | Optional If TLS certificates in the deployment are signed by an unknown CA then this argument is required to enable end-to-end TLS. Reference |
Azure Bastion is used in this module to connect to the TFE instance. Additional information on connecting to a Linux instance using SSH through Azure Bastion is available here.
- Follow the steps in the Deployment section
- Copy the
instance_user_name
andinstance_private_key
Terraform outputs - Open the Azure portal
- Navigate to the virtual machine instance
- Click
connect
->bastion
->use bastion
- Enter the
instance_user_name
forusername
- Select
SSH Private Key
as the authentication type - Enter the
instance_private_key
forssh private key
- Click
connect
The TFE Console is only available in a standalone environment (vm_node_count == 1).
- Follow the steps in the Deployment section
- Navigate to the URL supplied via
tfe_console_url
Terraform output - Copy the
tfe_console_password
Terraform output - Enter the console password
- Click
Unlock
- Follow the steps in the Deployment section
- Navigate to the URL supplied via
login_url
Terraform output (it may take several minutes for this to be available after initial deployment - you may monitor the progress of cloud init if desired on one of the instances) - Enter a
username
,email
, andpassword
for the initial user - Click
Create an account
- After the initial user is created you may access the TFE Application normally using the URL supplied via
tfe_application_url
Terraform output
This code is released under the Mozilla Public License 2.0. Please see LICENSE for more details.