Terraform
Terraform Enterprise Flexible Deployment Options configuration reference
Terraform Enterprise receives its configuration via the following environment
variables. Specify these environment variables in your
Compose file (Docker)
, in your Helm chart (Kubernetes)
or in the env
block of your Nomad job.
Application settings
TFE_CAPACITY_CONCURRENCY
Maximum number of Terraform runs that can execute concurrently on each
Terraform Enterprise node. Defaults to 10
.
TFE_CAPACITY_CPU
Maximum number of CPU cores a Terraform run is allowed to use. Set to 0
for
no limit. Defaults to 0
.
Ignored if TFE_RUN_PIPELINE_DRIVER
is set to nomad
.
TFE_CAPACITY_MEMORY
Maximum amount of memory (MiB) a Terraform run is allowed to use. Defaults to
2048
.
Ignored if TFE_RUN_PIPELINE_DRIVER
is set to nomad
.
TFE_ENCRYPTION_PASSWORD
Encryption password used to encrypt and decrypt the internal Vault root token and unseal key.
Required when TFE_VAULT_USE_EXTERNAL
is false
.
TFE_HOSTNAME
Hostname where Terraform Enterprise is accessed (e.g.,
terraform.example.com
).
Required always.
TFE_LICENSE
The raw HashiCorp license (e.g., 02MV4UU4...MSEKE6T2
). Defaults to ""
.
Required when TFE_LICENSE_PATH
is unset.
TFE_LICENSE_PATH
Path to a file containing the raw HashiCorp license. Must be mounted inside the
container (e.g., /opt/terraform-enterprise-license
). Defaults to ""
.
Required when TFE_LICENSE
is unset.
TFE_LICENSE_REPORTING_OPT_OUT
Whether to opt out of reporting licensing information to HashiCorp. Defaults to false
.
TFE_USAGE_REPORTING_OPT_OUT
Whether to opt out of reporting usage information to HashiCorp. Defaults to false
.
TFE_RUN_PIPELINE_DRIVER
Driver for Terraform runs. Must be one of nomad
, docker
or kubernetes
. Defaults to
docker
.
If set to nomad
, the TFE_CAPACITY_CPU
and TFE_CAPACITY_MEMORY
settings are ignored.
Required for all deployment options.
TFE_OPERATIONAL_MODE
Terraform Enterprise operational mode. Must be one of disk
, external
, or
active-active
.
Required for Docker runtime. This setting is not applicable for Kubernetes.
TFE_RUN_PIPELINE_IMAGE
Container image used to execute Terraform runs. Leave blank to use the default
image that comes with Terraform Enterprise. Defaults to ""
.
TFE_DISK_PATH
Path where Terraform Enterprise stores application data. Must be backed by
persistent and performant storage such as a container volume or block storage.
Defaults to /var/lib/terraform-enterprise
.
Required when TFE_OPERATIONAL_MODE
is disk
on Docker runtime.
TFE_BACKUP_RESTORE_TOKEN
The authentication token for the backup/restore API. Leave blank to have it be automatically generated. Defaults to ""
.
TFE_NODE_ID
A unique identifier for this node. Useful to identify nodes in an active/active
installation. Leave blank to have it be automatically generated. Defaults to
""
.
TFE_HTTP_PORT
Port application listens on for HTTP. Default 80
.
TFE_HTTPS_PORT
Port application listens to HTTPS on. Default 443
.
Database settings
TFE_DATABASE_HOST
The PostgreSQL server to connect to in the format HOST[:PORT]
(e.g.,
db.example.com
or db.example.com:5432
). If only HOST
is provided then the
:PORT
defaults to :5432
.
Required when PostgreSQL server is externalized.
TFE_DATABASE_NAME
Name of the PostgreSQL database to store application data in.
Required when PostgreSQL server is externalized.
TFE_DATABASE_PARAMETERS
PostgreSQL server parameters for the connection URI. Used to configure the
PostgreSQL connection (e.g., sslmode=require
).
TFE_DATABASE_PASSWORD
PostgreSQL password.
Required when PostgreSQL server is externalized.
TFE_DATABASE_USER
PostgreSQL user.
Required when PostgreSQL server is externalized.
Redis settings
TFE_REDIS_HOST
The Redis server to connect to in the format HOST[:PORT]
(e.g.,
redis.example.com
or redis.example.com:
). If only HOST
is provided then
the :PORT
defaults to :6379
.
Required when Redis server is externalized.
TFE_REDIS_USE_AUTH
Must be true
or false
. true
indicates Redis server is configured to use TFE_REDIS_PASSWORD
and TFE_REDIS_USER
(optional) for authentication. Defaults to false
.
TFE_REDIS_USE_TLS
Must be true
or false
. true
indicates to use TLS to access Redis. Defaults to false
.
TFE_REDIS_USER
Redis server user. This value is required when TFE_REDIS_USE_AUTH
is set to true
, and Redis server is configured to use username for authentication. There is no need to set this config when running Redis server internally as credential is not required.
TFE_REDIS_PASSWORD
Redis server password. This value is required when TFE_REDIS_USE_AUTH
is set to true
. There is no need to set this config when running Redis server internally as credential is not required.
Network settings
TFE_IACT_SUBNETS
Comma-separated list of subnets in CIDR notation that are allowed to retrieve
the initial admin creation token via the API (e.g.,
10.0.0.0/8,192.168.0.0/24
). Leave blank to disable retrieving the initial
admin creation token via the API from outside the host. Defaults to
""
.
If you do not set this value, you must gain access to the container or pod command line and run curl http://localhost:80/admin/retrieve-iact
to retrieve the initial admin token.
TFE_IACT_TIME_LIMIT
Number of minutes that the initial admin creation token can be retrieved via
the API after the application starts. Defaults to 60
.
TFE_IACT_TRUSTED_PROXIES
Comma-separated list of proxy IP addresses that are allowed to retrieve the initial admin creation token via the API. Leave blank to disable retrieving the initial admin creation token through a proxy. Defaults to ""
.
http_proxy
Configures the proxy address to use for HTTP requests, for examplehttp://proxy.example.com:8080
. Do not set a value blank to disable using a proxy server. Defaults to ""
.
https_proxy
Configures the proxy address to use for HTTPS requests, for example http://proxy.example.com:8080
. Leave blank to disable using a proxy server. Defaults to ""
.
no_proxy
Specifies a list of domains that instances, such as S3, are allowed to connect directly to without going through the proxy, for example localhost,127.0.0.1
. Defaults to ""
.
Observability settings
TFE_LOG_FORWARDING_CONFIG_PATH
The path to a file containing valid Fluent Bit [OUTPUT]
configuration. The
contents of the file you specify are appended to your existing Fluent Bit
configuration if you set TFE_LOG_FORWARDING_ENABLED
to true
.
Refer to the logging documentation
for more information.
This setting is not applicable for Kubernetes.
TFE_LOG_FORWARDING_ENABLED
Whether to enable log forwarding. Defaults to false
.
This setting is not applicable for Kubernetes.
TFE_METRICS_ENABLE
Whether to enable metrics collection. Defaults to false
.
TFE_METRICS_HTTP_PORT
The HTTP port that metrics will be exposed on. Defaults to 9090
.
TFE_METRICS_HTTPS_PORT
The HTTPS port that metrics will be exposed on. Defaults to 9091
.
Object storage settings
TFE_OBJECT_STORAGE_TYPE
Type of object storage to use. Must be one of s3
, azure
, or google
.
Required when object storage is externalized.
Azure blob Storage settings
TFE_OBJECT_STORAGE_AZURE_ACCOUNT_KEY
Azure Blob Storage access key.
Required when TFE_OBJECT_STORAGE_TYPE
is azure
and
TFE_OBJECT_STORAGE_AZURE_USE_MSI
is false
.
TFE_OBJECT_STORAGE_AZURE_ACCOUNT_NAME
Azure Blob Storage account name.
Required when TFE_OBJECT_STORAGE_TYPE
is azure
.
TFE_OBJECT_STORAGE_AZURE_CLIENT_ID
Client ID of a user-assigned Managed Service Identity. Leave blank to use the
system-assigned Managed Service Identity. Defaults to ""
.
TFE_OBJECT_STORAGE_AZURE_CONTAINER
Azure Blob Storage container name.
Required when TFE_OBJECT_STORAGE_TYPE
is azure
.
TFE_OBJECT_STORAGE_AZURE_ENDPOINT
Azure Storage endpoint. Useful if using a private endpoint for Azure Storage.
Leave blank to use the default Azure Storage endpoint. Defaults to ""
.
TFE_OBJECT_STORAGE_AZURE_USE_MSI
Whether to use Managed Service Identity (MSI) for authentication. Defaults to
false
.
Google Cloud Platform storage
TFE_OBJECT_STORAGE_GOOGLE_BUCKET
Google Cloud Storage bucket name.
Required when TFE_OBJECT_STORAGE_TYPE
is google
.
TFE_OBJECT_STORAGE_GOOGLE_CREDENTIALS
Google Cloud Storage JSON credentials. Must be given as an escaped string of
JSON or Base64 encoded JSON. Leave blank to use the attached service account.
Defaults to ""
.
TFE_OBJECT_STORAGE_GOOGLE_PROJECT
Google Cloud Storage project name.
Required when TFE_OBJECT_STORAGE_TYPE
is google
.
S3-compatible Storage
TFE_OBJECT_STORAGE_S3_ACCESS_KEY_ID
S3 access key ID.
Required when TFE_OBJECT_STORAGE_TYPE
is s3
and
TFE_OBJECT_STORAGE_S3_USE_INSTANCE_PROFILE
is false
.
TFE_OBJECT_STORAGE_S3_BUCKET
S3 bucket name.
Required when TFE_OBJECT_STORAGE_TYPE
is s3
.
TFE_OBJECT_STORAGE_S3_ENDPOINT
S3 endpoint. Useful when using a private S3 endpoint. Leave blank to use the
default AWS S3 endpoint. Defaults to ""
.
TFE_OBJECT_STORAGE_S3_REGION
S3 region.
Required when TFE_OBJECT_STORAGE_TYPE
is s3
.
TFE_OBJECT_STORAGE_S3_SECRET_ACCESS_KEY
S3 secret access key.
Required when TFE_OBJECT_STORAGE_TYPE
is s3
and
TFE_OBJECT_STORAGE_S3_USE_INSTANCE_PROFILE
is false
.
TFE_OBJECT_STORAGE_S3_SERVER_SIDE_ENCRYPTION
Server-side encryption algorithm to use. Leave blank to have the AWS SDK use a
default value. Set to AES256
to use AES-256 encryption, the AWS S3 default
since January 5, 2023. Set to aws:kms
to use an AWS KMS key to encrypt data
in which case you must specify
TFE_OBJECT_STORAGE_S3_SERVER_SIDE_ENCRYPTION_KMS_KEY_ID
. Defaults to ""
.
TFE_OBJECT_STORAGE_S3_SERVER_SIDE_ENCRYPTION_KMS_KEY_ID
KMS key ID to use for server-side encryption. Leave blank to use AWS-managed
keys. Defaults to ""
.
TFE_OBJECT_STORAGE_S3_USE_INSTANCE_PROFILE
Whether to use the instance profile for authentication. Defaults to false
.
TLS settings
TFE_TLS_CA_BUNDLE_FILE
Path to a file containing TLS CA certificates to be added to the OS CA
certificates bundle. Leave blank to not add CA certificates to the OS CA
certificates bundle. Defaults to ""
.
TFE_TLS_CERT_FILE
Path to a file containing the TLS certificate Terraform Enterprise will use when serving TLS connections to clients.
Required always.
TFE_TLS_CIPHERS
TLS ciphers to use for TLS. Must be valid OpenSSL format. Leave blank to use
the default ciphers. Defaults to ""
.
TFE_TLS_ENFORCE
Whether or not to enforce TLS, Strict-Transport-Security headers, and secure
cookies. Defaults to false
.
TFE_TLS_KEY_FILE
Path to a file containing the TLS private key Terraform Enterprise will use when serving TLS connections to clients.
TFE_TLS_VERSION
TLS version to use. Must be one of tls_1_2
, tls_1_3
, or blank. Leave blank
to use both TLS v1.2 and TLS v1.3. Defaults to ""
.
Vault settings
TFE_VAULT_ADDRESS
Address of the external Vault server (e.g., https://vault.example.com:8200).
Defaults to ""
.
Required when TFE_VAULT_USE_EXTERNAL
is true
.
TFE_VAULT_CLUSTER_ADDRESS
Cluster URL of the internal Vault server on this node (e.g.,
http://192.168.0.1:8201). Must be reachable across nodes. Defaults to
http://{{ GetPrivateIP }}:8201
.
Required when TFE_OPERATIONAL_MODE
is active-active
.
TFE_VAULT_DISABLE_MLOCK
Disable mlock for internal Vault. Defaults to false
.
TFE_VAULT_NAMESPACE
Vault namespace. External Vault only. Leave blank to use the default namespace.
Defaults to ""
.
TFE_VAULT_PATH
Vault path when AppRole is mounted. External Vault only. Defaults to
auth/approle
.
TFE_VAULT_ROLE_ID
Vault role ID. External Vault only.
Required when TFE_VAULT_USE_EXTERNAL
is true
.
TFE_VAULT_SECRET_ID
Vault secret ID. External Vault only.
Required when TFE_VAULT_USE_EXTERNAL
is true
.
TFE_VAULT_TOKEN_RENEW
How often, in seconds, to renew the Vault token. External Vault only. Defaults
to 3600
.
TFE_VAULT_USE_EXTERNAL
Whether to use external Vault. Defaults to false
.
Docker driver settings
TFE_RUN_PIPELINE_DOCKER_EXTRA_HOSTS
Comma-separated list of extra hosts in the format HOST:IP,HOST:IP
to set in
the /etc/hosts
file within the container used to execute Terraform runs.
Leave blank to not set any extra hosts. Defaults to ""
.
TFE_RUN_PIPELINE_DOCKER_NETWORK
Network where the container used to execute Terraform runs will be created. The
network must already exist, it will not be created automatically. Leave blank
to use the default network. Defaults to ""
.
TFE_DISK_CACHE_PATH
Path where Terraform Enterprise caches Terraform binaries. The volume specified
in TFE_DISK_CACHE_VOLUME_NAME
must be mounted to this path. Defaults to
/var/cache/tfe-task-worker
.
Required when TFE_RUN_PIPELINE_DRIVER
is docker
.
TFE_DISK_CACHE_VOLUME_NAME
Container volume name backing the TFE_DISK_CACHE_PATH
.
Required when TFE_RUN_PIPELINE_DRIVER
is docker
.
Kubernetes driver settings
TFE_RUN_PIPELINE_KUBERNETES_IMAGE_PULL_SECRET_NAME
The name of an ImagePullSecret in the [namespace]-agents namespace to use when pulling the custom source tfc-agent image. If an ImagePullSecret is required to access a private repository you must create the secret within the [namespace]-agents namespace after this helm chart has installed, but before attempting a plan or apply. See Prerequisites for instructions for creating ImagePullSecrets.
TFE_RUN_PIPELINE_KUBERNETES_KUBECONFIG_PATH
The path to a Kubernetes configuration file.
TFE_RUN_PIPELINE_KUBERNETES_NAMESPACE
The Kubernetes namespace to create ephemeral run containers. Defaults to
default
.
TFE_RUN_PIPELINE_KUBERNETES_OPEN_SHIFT_ENABLED
A feature toggle to enable or disable compatibility with an OpenShift runtime
environment. Defaults to false
.
TFE_RUN_PIPELINE_KUBERNETES_DEBUG_ENABLED
Boolean flag that will delay the deletion of jobs from the cluster for their inspection.
TFE_RUN_PIPELINE_KUBERNETES_DEBUG_JOBS_TTL
Time in seconds after which the jobs delayed by the TFE_RUN_PIPELINE_KUBERNETES_DEBUG_ENABLED
flag will get deleted. Defaults to 86400, 1 day.
TFE_RUN_PIPELINE_KUBERNETES_POD_TEMPLATE
This is a base64-encoded custom pod template in JSON format, equivalent to Kubernetes' corev1.PodTemplateSpec
, used in a job. The values here will override corresponding values from Terraform Enterprise configuration. Note that only one container is allowed in the pod template.
TFE_RUN_PIPELINE_KUBERNETES_WORKER_TIMEOUT
Time in seconds after which Terraform Enterprise will fails jobs submitted to Kubernetes. Defaults to 60
.
Nomad driver settings
TFE_RUN_PIPELINE_NOMAD_ADDRESS
Address of the Nomad server where Terraform Enterprise and Terraform Enterprise agents run. Defaults to "http://localhost:4646"
.
TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_CA_CERT
File path to CA certificate for mTLS/TLS communication with Nomad.
Required if Nomad has mTLS/TLS enabled.
TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_CLIENT_CERT
File path to client certificate for mTLS/TLS communication with Nomad.
Required if Nomad has mTLS enabled.
TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_CLIENT_KEY
File path to the client certificate key for mTLS/TLS communication with Nomad.
Required if Nomad has mTLS enabled.
TFE_RUN_PIPELINE_NOMAD_NAMESPACE
The Nomad namespace where Terraform Enterprise agent job starts. Defaults to tfe-agents
.
TFE_RUN_PIPELINE_NOMAD_AGENT_JOB_ID
Specifies the ID of the batch job that runs the Terraform Enterprise agent. Defaults to tfe-agent-job
.
TFE_RUN_PIPELINE_NOMAD_WORKER_TIMEOUT
Max timeout in seconds used by Terraform Enterprise workers to connect with Nomad and start an agent job. Defaults to 60
.
TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_INSECURE
If set disables SSL verification while connecting with Nomad. Defaults to true
when Nomad address schema is http
. Defaults to false
when Nomad address schema is https
Proxy configuration
Terraform Enterprise relies on the native application runtime for setting proxy values. For configuring proxies in Docker, refer to the offical Docker proxy configuration guide. For Kubernetes, refer to the Kubernetes proxy configuration guide. For Nomad deployments, refer to the reference architecture guide
Replicated to Flexible Deployment Options configuration mapping
This section provides guidance on how the Replicated configuration maps to the Flexible Deployment Options configuration.
Refer to settings for more information about the variables.