Terraform
Network Requirements for Terraform Enterprise
The Linux instance that runs Terraform Enterprise must allow several kinds of incoming network access. Terraform Enterprise also needs to access several external services to handle updates and resource downloads.
Ingress
Source — User/Client/VCS
- 443: Terraform Enterprise application access (HTTPS)
Important: Integration with a SaaS VCS provider (GitHub.com, GitLab.com, Bitbucket Cloud, or Azure DevOps Services) requires ingress from the public internet. This lets the inbound web hooks reach Terraform Enterprise. You should also configure appropriate security controls, such as a Web Application Firewall (WAF).
Source — Administrators
- 22: SSH access (administration and debugging)
- 8800: Replicated (TFE setup dashboard, HTTPS)
Source - Metrics
- 9090 TCP port on which Terraform Enterprise handles HTTP metrics requests
- 9091 TCP port on which Terraform Enterprise handles HTTPS metrics requests
The metrics endpoints are optional. You can enable them in the application settings when you install Terraform Enterprise.
Source — TFE Server(s)
- 8201: Vault HA request forwarding (only necessary when operating in Active/Active mode)
Additionally, the following ports are used by various application components internally. This list serves as a point of reference; it is not necessary to expose these ports for accessibility in a firewall:
- 2003: Graphite (Carbon) feeding port (monitoring, metrics)
- 2004: Graphite (Carbon) feeding port (monitoring, metrics)
- 3121: Terraform Enterprise private registry
- 4150-4151, 4160-4161, 4170-4171: Replicated NSQD (messaging platform daemon for internal communication)
- 5432: PostgreSQL
- 6379: Redis (application-level caching and coordination)
- 7586: Terraform Enterprise ingress (pulls in version control system data for application, stores it via Archivist)
- 7588: Terraform Enterprise state parser
- 7675: Terraform Enterprise Archivist (stores data in object storage, encrypts it via Vault)
- 8086: InfluxDB default UDP Service (monitoring, metrics)
- 8125: StatsD (monitoring, metrics)
- 8200: Vault (encryption service)
- 9292: Atlas engine (old name of Terraform Enterprise engine)
- 9870-9880 (inclusive): host and subnet traffic only; not publicly accessible
- 9873: Replicated Retraced engine API (Replicated audit subcomponent)
- 9874-9879: Replicated entry point span
- 23000-23100 (inclusive): host and subnet traffic only; not publicly accessible
- 23005: Terraform Enterprise health check point
- 23020: Nomad (scheduler for Sentinel runs)
- 32774-32776, 49150-49165: Replicated internal Graphite and StatsD ports (mapped to external ports 2003, 2004, and 8125)
Egress
Destination - Online Installations
If Terraform Enterprise is installed in online mode, it accesses the following hostnames to get software updates:
api.replicated.com
get.replicated.com
registry-data.replicated.com
registry.replicated.com
*.quay.io
cdn.quay.io
quay-registry.s3.amazonaws.com
*.cloudfront.net
hub.docker.com
index.docker.io
auth.docker.io
registry-1.docker.io
download.docker.com
production.cloudflare.docker.com
install.terraform.io
Note: We recommend allowing traffic by FQDN and not IP Address or range. IP address allowlists make your service dependent on an external factor, like an external IP address, that you do not control.
The following hostnames are accessed unless a custom Terraform bundle is supplied:
registry.terraform.io
(when using Terraform 0.12 and later)releases.hashicorp.com
https://yy0ffni7mf-dsn.algolia.net/
- this URL is specific to the Terraform Registry’s Algolia application. The Terraform Registry uses Algolia to index the current resources in the registry and power Terraform Cloud public-facing search for public providers and module curation.github.com
- Public providers and modules are hosted in Github.
Additionally, unless you have opted out of license entitlement reporting, Terraform Enterprise will need egress access to:
Note: Airgapped installs do not check for updates over the network.
Destination - Additional Outbound Network Targets
Terraform Enterprise also needs egress access to:
- any VCS servers/services that will be utilized
- login/authentication servers if SAML will be configured (ADFS, Okta, etc)
- the various cloud API endpoints that will be managed with Terraform
- any other third party services that will either be integrated with the Terraform Enterprise server or managed with it.
Destination - Cost Estimation APIs
When Cost Estimation is enabled, it uses the respective cloud provider's APIs to get up-to-date pricing info.
Note: Versions of Terraform Enterprise earlier than v202105-1 used management.azure.com
and ratecard.azure-api.net
rather than prices.azure.com
.
Other Configuration
If a firewall is configured on the instance, run one of the following to allow traffic to flow out of the
docker0
interface to the instance's primary address. We recommend doing this before you install Docker.- To use UFW, run:
ufw allow in on docker0
- To use firewalld, run:
firewall-cmd --permanent --zone=trusted --change-interface=docker0
- To use UFW, run:
Get a domain name for the instance. Using an IP address to access the product is not supported as many systems use TLS and need to verify that the certificate is correct, which can only be done with a hostname at present.
For GCP only: Configure Docker to use an MTU (maximum transmission unit) of 1460, as required by Google (GCP Cloud VPN Documentation: MTU Considerations).
To configure Docker's MTU, create an
/etc/docker/daemon.json
file with the following content:{ "mtu": 1460 }
Note: The above only affects the default network
bridge
akadocker0
. To apply this to the networkstfe_services
andtfe_terraform_isolation
, it is required to delete these two networks and recreate them with the correct MTU for an existing install or to create these two networks prior to installing Terraform Enterprise for a new install.Ensure the Docker bridge network address is not in use elsewhere on the network. If it is, please refer to the Docker documentation for information on how to change it.
Note: Beginning in version v202004-1
, non-default Docker networks named tfe_services
and tfe_terraform_isolation
were added for the Terraform Enterprise component Docker containers as part of a network segmentation update. Custom configuration may be required for MTU settings.