Terraform
Connect to an external Vault server
This topic describes how to configure Terraform Enterprise to connect to an external Vault server.
Introduction
Using an external Vault server may be necessary if your organization is subject to specific data encryption and auditing compliance requirements. The internal Vault server shipped with Terraform Enterprise that is suitable for most cases.
You should only use an external Vault server if you have experience managing Vault in production. You are responsible for all Vault server operations, including sealing, unsealing, and replication.
Do not configure multiple Terraform Enterprise instances to use the same namespace on an external Vault server unless they are part of a Terraform Enterprise deployment in active-active
mode because doing so will result in data loss. Refer to Configure the operational mode for additional information about operational modes.
Complete the following steps to connect to Terraform Enterprise to an external Vault server:
- Configure the Vault server: You must enable settings and create policies that allow Terraform Enterprise to connect to Vault.
- Specify the Vault settings in the Terraform Enterprise configuration: Refer to the deployment overview for additional information about configuring Terraform Enterprise.
Requirements
You must configure the settings for your external Vault connection before the initial Terraform Enterprise installation. You can only change the configuration after installing Terraform Enterprise using the backup and restore API.
Specify Vault settings
Add the following settings to your Terraform Enterprise configuration:
- Set
TFE_VAULT_USE_EXTERNAL
totrue
- Set
TFE_VAULT_ADDRESS
to the address of your Vault server. - Set
TFE_VAULT_ROLE_ID
to the Vault secret ID. - Configure any additional settings specific to your implementation. Refer to the Vault settings reference for details.