Terraform
Network Requirements for Terraform Enterprise
The Linux instance that runs Terraform Enterprise must allow several kinds of incoming network access. Terraform Enterprise also needs to access several external services to handle updates and resource downloads.
Additionally, all of the port numbers are configurable via the configuration reference environment variables. See Configuration Reference for details.
Ingress
Source — User/Client/VCS
TFE_HTTP_PORT
: Terraform Enterprise application access (HTTP; redirects to HTTPS). Default is80
.TFE_HTTPS_PORT
: Terraform Enterprise application access (HTTPS). Default is443
.
Important: Integration with a SaaS VCS provider (GitHub.com, GitLab.com, Bitbucket Cloud, or Azure DevOps Services) requires ingress from the public internet. This lets the inbound web hooks reach Terraform Enterprise. You should also configure appropriate security controls, such as a Web Application Firewall (WAF).
Source - Metrics
TFE_METRICS_HTTP_PORT
: TCP port on which Terraform Enterprise handles HTTP metrics requests. Default is9090
.TFE_METRICS_HTTPS_PORT
: TCP port on which Terraform Enterprise handles HTTPS metrics requests. Default is9091
.
The metrics endpoints are optional. You can enable metrics collection by setting TFE_METRICS_ENABLE
to true
.
Source — TFE Server(s)
- 8201: Vault HA request forwarding (only necessary when operating in Active/Active mode)
Egress
Destination - HashiCorp container registry
https://images.releases.hashicorp.com
: The endpoint hosts release container images.https://helm.releases.hashicorp.com
: The endpoint hosts the helm chart for Kubernetes installation.
Destination - HashiCorp Service APIs
The following hostnames are accessed unless a custom Terraform bundle is supplied:
registry.terraform.io
(when using Terraform 0.12 and later)releases.hashicorp.com
https://yy0ffni7mf-dsn.algolia.net/
- The API endpoint of the Terraform Registry's Algolia application which is used to index the current resources in the registry and power the public search feature in TFE.
Additionally, unless you have opted out of license entitlement reporting, Terraform Enterprise will need egress access to:
Destination - Additional Outbound Network Targets
Terraform Enterprise also needs egress access to:
- any VCS servers/services that will be utilized
- login/authentication servers if SAML will be configured (ADFS, Okta, etc)
- the various cloud API endpoints that will be managed with Terraform
- any other third party services that will either be integrated with the Terraform Enterprise server or managed with it.
Destination - Cost Estimation APIs
When Cost Estimation is enabled, it uses the respective cloud provider's APIs to get up-to-date pricing info.
Other Configuration
If a firewall is configured on the instance, run one of the following to allow traffic to flow out of the
docker0
interface to the instance's primary address. We recommend doing this before you install Docker.- To use UFW, run:
ufw allow in on docker0
- To use firewalld, run:
firewall-cmd --permanent --zone=trusted --change-interface=docker0
- To use UFW, run:
Get a domain name for the instance. Using an IP address to access the product is not supported as many systems use TLS and need to verify that the certificate is correct, which can only be done with a hostname at present.
For GCP only: Configure Docker to use an MTU (maximum transmission unit) of
1460
, as required by Google (GCP Cloud VPN Documentation: MTU Considerations).To configure Docker's MTU, create an
/etc/docker/daemon.json
file with the following content:{ "mtu": 1460 }
Ensure the Docker bridge network address is not in use elsewhere on the network. If it is, please refer to the Docker documentation for information on how to change it.
You may use the
TFE_RUN_PIPELINE_DOCKER_NETWORK
configuration to specify the network where the container used to execute Terraform runs will be created. The network must already exist; it will not be created automatically. Leave blank to use the default network. Defaults to""
.