HashiCorp Developer AI Private beta now available Sign up today
Terraform
Terraform Home

You are viewing documentation for version v202409-1. View latest version.

Configure network access

This topic describes how to configure network settings to allow Terraform to send and receive traffic. Refer to Create deployment configuration overview for an overview of the configuration process.

Overview

You must configure the Linux instance that runs Terraform Enterprise to allow incoming network traffic across several ports. You must also configure Terraform Enterprise to access several external services so that Terraform can download and update resources.

Configure the following parameters in your deployment configuration file to configure network access:

  1. Ports for ingress traffic. The Terraform binary accepts traffic from the following sources:
    • users
    • clients
    • VCS
    • metrics
    • TFE servers
  2. Egress destination endpoints.
  3. Specify any optional network settings, such cloud provider API endpoints for cost estimation.
  4. Specify any specific network settings necessary for your environment, such as allowing traffic through firewalls.

Refer to environment variables configuration reference for information about all environment variables.

Define ingress settings

Specify the following values in your deployment configuration file to configure access into Terraform Enterprise. Refer to Configuration reference for information about all configuration settings.

Enable access from users, clients, and VCS

Specify the following variables in your deployment configuration file to enable ingress from users, clients, and the VCS:

  • TFE_HTTP_PORT: Specifies the port for accessing Terraform Enterprise over HTTP. HTTP redirects to HTTPS. The default value is 80.
  • TFE_HTTPS_PORT: Specifies the port for accessing Terraform Enterprise over HTTPS. The default is 443.

Ports for Podman

Podman does not expose privileged ports. If you are deploying to Podman, specify the variables in the kube.yaml pod specification file:

- name: "TFE_HTTP_PORT"
  value: "8080"
- name: "TFE_HTTPS_PORT"
  value: "8443"

You must also specify the port values in the kube.yaml pod specification file:

"ports":
- "containerPort": 8080
  "hostPort": 80
- "containerPort": 8443
  "hostPort": 443
- "containerPort": 9090
  "hostPort": 9090

Integrate with SaaS version control provider

To integrate with SaaS VCSs, such as GitHub.com, GitLab.com, Bitbucket Cloud, Azure DevOps Services, you must enable ingress from the public internet so that you can use inbound web hooks to reach Terraform Enterprise. Refer Webhooks for additional information.

You should also configure appropriate security controls, such as a web application firewall (WAF). Refer to your cloud provider documentation for instructions about deploying a WAF.

Enable requests for metrics

Specify the following variables in your deployment configuration file to enable Terraform Enterprise to receive requests for system metrics:

  • TFE_METRICS_HTTP_PORT: TCP port on which Terraform Enterprise handles HTTP metrics requests. Default is 9090.
  • TFE_METRICS_HTTPS_PORT: TCP port on which Terraform Enterprise handles HTTPS metrics requests. Default is 9091.

The metrics endpoints are optional. You can enable metrics collection by setting TFE_METRICS_ENABLE to true.

Terraform Enterprise servers

If you plan to operate Terraform Enterprise in active-active mode, forward requests to port 8201 to enable high availability requests from Vault.

Define egress settings

Add the following destination endpoints to your deployment configuration file so that Terraform can connect to external services.

HashiCorp container registry

HashiCorp service APIs

Terraform Enterprise calls the following hostnames unless you have supplied a custom Terraform bundle. Refer to Custom and Community Providers for additional information:

Additional outbound network targets

Terraform Enterprise also needs egress access to the following systems:

  • Any VCS servers and services you that you plan to use.
  • Login or authentication servers if you want to enable ADFS, Okta, or other SAML services.
  • Cloud API endpoints that you intend to manage with Terraform
  • Third party services that you intend to integrate or manage with the Terraform Enterprise server.

Cost estimation APIs

When Cost Estimation is enabled, Terraform Enterprise uses the following cloud provider's APIs to get up-to-date pricing information:

Specify additional configuration settings

  1. If a firewall is configured on the instance, run one of the following commands to allow traffic to flow out of the docker0 interface to the instance's primary address. We recommend doing this before you install Docker.

    • To use UFW, run: ufw allow in on docker0
    • To use firewalld, run: firewall-cmd --permanent --zone=trusted --change-interface=docker0

  2. Get a domain name for the instance. Using an IP address to access the product is not supported as many systems use TLS and need to verify that the certificate is correct, which can only be done with a hostname at present.

  3. For GCP only: Configure Docker to use an MTU (maximum transmission unit) of 1460, as required by Google (GCP Cloud VPN Documentation: MTU Considerations).

    To configure Docker's MTU, create an /etc/docker/daemon.json file with the following content:

    {
  "mtu": 1460
}

  4. Ensure the Docker bridge network address is not in use elsewhere on the network. If it is, please refer to the Docker documentation for information on how to change it.

  5. You may use the TFE_RUN_PIPELINE_DOCKER_NETWORK configuration to specify the network where the container used to execute Terraform runs will be created. The network must already exist; it will not be created automatically. Leave blank to use the default network. Defaults to "".