»Credentials

Terraform Enterprise requires the following credentials and permissions.

»License File

To deploy Terraform Enterprise, you must obtain a license file from HashiCorp.

»TLS Certificate and Private Key

Terraform Enterprise requires a TLS certificate and private key in order to operate. This certificate must match Terraform Enterprise's hostname, either by being issued for the FQDN or being a wildcard certificate.

The certificate can be signed by a public or private CA, but it must be trusted by all of the services that Terraform Enterprise is expected to interface with; this includes your VCS provider, any CI systems or other tools that call Terraform Enterprise's API, and any services that Terraform Enterprise workspaces might send notifications to (for example: Slack). Due to these wide-ranging interactions, we recommend using a certificate signed by a public CA.

The key and X.509 certificate must be PEM (base64) encoded, and should be provided to the installer as text.

»IAM Policies - External Services Mode

If you choose the external services operational mode, Terraform Enterprise requires access to an S3-compliant endpoint for object storage. You can grant access to the object storage endpoint by either assigning an AWS instance profile or an equivalent IAM system in non-AWS environments.

»S3 Policy

At a minimum, Terraform Enterprise requires the following S3 permissions:

{
    "Effect": "Allow",
    "Action": [
        "s3:PutObject",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetBucketLocation"
    ],
    "Resource": [
        "<BUCKET_ARN>",
        "<BUCKET_ARN>/*"
    ]
}

{
    "Effect": "Allow",
    "Action": [
        "s3:PutObject",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetBucketLocation"
    ],
    "Resource": [
        "<BUCKET_ARN>",
        "<BUCKET_ARN>/*"
    ]
}

»KMS Policy

At a minimum, Terraform Enterprise will require the following permissions if the objects in the bucket are to be encrypted via resources in AWS's KMS:

{
    "Effect": "Allow",
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
    ],
    "Resource": [
        "<KMS_KEY_ARN>"
    ]
}

{
    "Effect": "Allow",
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
    ],
    "Resource": [
        "<KMS_KEY_ARN>"
    ]
}

»Instance Profile as Default Credentials

You can use Terraform Enterprise's instance profile to provide default credentials to workspaces. When using IMDSv2, configure the PUT response hop limit with a value of 2 within the instance metadata options. Terraform will attempt to use the instance profile to provision resources when you do not set credentials as environment variables. However, this approach presents a few security risks:

1. All workspaces will have the same permissions because they have access to the same instance profile. You cannot selectively allow or deny access to the instance profile for each workspace.
2. Workspaces will share the instance profile with the Terraform Enterprise application. All workspaces within the application will have access to any resources that Terraform Enterprise depends on, such as its S3 bucket, KMS keys, etc.