Terraform Enterprise Console Settings: Hints and Tricks for Useful Features

5 min readDec 4, 2020

In this post, we will discuss Terraform Enterprise (TFE) installation Settings on AWS using external services focusing on the S3 bucket when using profiling and the advanced configuration features targeting Initial Admin Creation Token and how to use it to create the admin user.

To find these sections, you need to open your TFE console on a web browser and go to the Settings tab. Remember, you must have the console password to access the replicated Console.

To access the replicated Console, you need to point to port 8800 of your TFE instance as in the example below.

tfe.<domain>.com:8800

Object Storage — S3

The S3 bucket is where Terraform will hold application data which is stored securely and away from the Terraform Enterprise application server. In addition, the data stored within the S3 bucket is encrypted by Vault.

When using the AWS S3 bucket, there are two different options to set it up within our Terraform Enterprise application:

Using Access id and Secret access key
Using Instance Profile for Access

Case Scenarios

The advantage of Access ID + Secret Access key is that it is easy to set up as it only requires Access ID and Secret key.

The advantage of Instance Profile for Access is that it is easy in that you just need to select the check box

Security considerations

With the first approach, you only need to provide a working Access ID and Secret Access key that have the appropriate rights to read and write to S3 buckets. That sounds fine but the problem with using this approach is — the fact that for some unknown situation your systems can become compromised when someone breaks into your configuration or for some reason gets access to this data.

There is a chance they can retrieve those two items and then you’re in trouble because that unwanted individual will have access at least to your S3 buckets and can perform unwanted actions and other sorts of damage by destroying resources, stealing information, or generating unexpected costs by spinning up unwanted resources.

For the reasons stated above, it is better to take precautions and follow the Instance Profile Access approach because it leaves less information exposed while granting the same functionality.

Below are some examples using the profile and the data that it requires.

I would like to clarify that the two following scenarios depend on your organization’s configuration.

Where you need to set up the Endpoint URL which specifies the region of the S3 bucket.

Example:

https://<s3-bucket-name>.<s3-bucket-region>.amazonaws.com

S3 Configuration Endpoint URL with Region

2. Where you need to set up the Endpoint URL without specifying the region of the S3 bucket.

Example:

https://<s3-bucket-name>.amazonaws.com

S3 Configuration Endpoint URL without Region

You might be wondering what happens when you do not provide the Endpoint URL for the S3 when using the instance profile option.

Error when the Endpoint URL is left empty

As you can see, it throws an authentication error which can be easily solved by following one of the scenarios above.

The rest of the settings are self-explanatory (Bucket, and Region).

The Server-side encryption of S3 objects and the KMS key are highly recommended since it protects data in case it falls into the wrong hands.

Advanced Configuration

In this section, we will explain the purpose of the Initial Admin Creation Token Subnets and the Initial Admin Creation Token Time Limit.

Initial Admin Creation Token Subnets

This field is used when you want specific subnets or IP addresses reach the TFE API through a REST call.

Follow the format below with no spaces only commas.

X.X.X.X/Y,X.X.X.X/Y

If you wish to use replicated, leave this field empty and use the replicated command within the TFE server instance to retrieve the Initial Admin Creation Token (IACT) instead.

Initial Admin Creation Token Time Limit

This field expects a timespan in minutes or the word unlimited (will be explained later) to allow the user to retrieve the Initial Admin Creation Token. This can be performed with a GET REST call to the TFE API (this can be done with postman or cURL using the terminal). The keyword unlimited allows the token to be retrieved anytime within one of the specified subnets.

Retrieving the IACT

In this section, we will show the two ways to retrieve the IACT, which are through replicated or a REST call to TFE API.

Replicated

Log into the TFE server and run the following command.

replicated admin retrieve-iact

This command will return the token which is later used with the API to generate the initial user.

TFE API

When TFE is already started, to retrieve the IACT perform a Get REST call (with postman or curl) to your TFE instance endpoint:

https://tfe.<domain>.com/admin/retrieve-iact

Where this section of the URL, /admin/retrieve-iact , is what will let you retrieve the token.

IACT Token and its Usage

The IACT Token is a single-use token that allows, the user or automation, to create the initial user (admin) of TFE.

This is done by performing a POST REST call like in the following URL:

https://tfe.<domain>.com/admin/initial-admin-user?token=<IACT>

Content-type:

application/json

Provide a body:

{
  "username": "admin",
  "email": "name@domain.com",
  "password": "notagoodpassword"
}

Response (200):

{
  "status": "created",
  "token": "aabbccdd.v1.atlas.someverylongadmintoken"
}

cURL

curl --request POST \
  -k \
  --url 'https://tfe.<domain>.com/admin/initial-admin-user?token=<IACT>' \
  --header 'Content-Type: application/json' \
  --data @payload.json

Where payload is a file with the body of the request.