Terraform
Credentials
Terraform Enterprise requires the following credentials and permissions.
License File
To deploy Terraform Enterprise, you must obtain a license file from HashiCorp.
TLS Certificate and Private Key
Terraform Enterprise requires a TLS certificate and private key in order to operate. This certificate must match Terraform Enterprise's hostname, either by being issued for the FQDN or being a wildcard certificate.
The certificate can be signed by a public or private CA, but it must be trusted by all of the services that Terraform Enterprise is expected to interface with; this includes your VCS provider, any CI systems or other tools that call Terraform Enterprise's API, and any services that Terraform Enterprise workspaces might send notifications to (for example: Slack). Due to these wide-ranging interactions, we recommend using a certificate signed by a public CA.
The key and X.509 certificate must be PEM (base64) encoded, and should be provided to the installer as text.
Important: If you use a certificate issued by a private Certificate
Authority, you must provide the certificate for that CA in the
Certificate Authority (CA) Bundle
section of the installation. This allows services
running within Terraform Enterprise to access each other properly.
See Installation: Certificate Authority (CA) Bundle
for more on this.
Terraform Enterprise validates the certificate to ensure it uses a Subject Alternative Name (SAN) for Domain Names (DN) entries and not just a Common Name (CN) entry.
IAM Policies - External Services Mode
If you choose the external services operational mode, Terraform Enterprise requires access to an S3-compliant endpoint for object storage. You can grant access to the object storage endpoint by either assigning an AWS instance profile or an equivalent IAM system in non-AWS environments.
S3 Policy
At a minimum, Terraform Enterprise requires the following S3 permissions:
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:ListBucket",
"s3:GetObject",
"s3:DeleteObject",
"s3:GetBucketLocation"
],
"Resource": [
"<BUCKET_ARN>",
"<BUCKET_ARN>/*"
]
}
Note: The s3:ListAllMyBuckets
permission is necessary when testing authentication via the Replicated web console. However, the permission is not required for Terraform Enterprise to function and can be removed once the authentication is successfully tested.
KMS Policy
At a minimum, Terraform Enterprise will require the following permissions if the objects in the bucket are to be encrypted via resources in AWS's KMS:
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:DescribeKey",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Resource": [
"<KMS_KEY_ARN>"
]
}
Instance Profile as Default Credentials
You can use Terraform Enterprise's instance profile to provide default credentials to workspaces. When using IMDSv2, configure the PUT response hop limit with a value of 2 within the instance metadata options. Terraform will attempt to use the instance profile to provision resources when you do not set credentials as environment variables. However, this approach presents a few security risks:
- All workspaces will have the same permissions because they have access to the same instance profile. You cannot selectively allow or deny access to the instance profile for each workspace.
- Workspaces will share the instance profile with the Terraform Enterprise application. All workspaces within the application will have access to any resources that Terraform Enterprise depends on, such as its S3 bucket, KMS keys, etc.
Important: If you choose not to use the instance profile for default credentials, we highly recommend that you restrict build worker metadata access to prevent workspaces from accessing the instance profile.