• Overview
    • Enforce Policy as Code
    • Infrastructure as Code
    • Inject Secrets into Terraform
    • Integrate with Existing Workflows
    • Manage Kubernetes
    • Manage Virtual Machine Images
    • Multi-Cloud Deployment
    • Network Infrastructure Automation
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
  • Registry
  • Tutorials
    • About the Docs
    • Intro to Terraform
    • Configuration Language
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
    • Provider Use
    • Plugin Development
    • Registry Publishing
    • Integration Program
    • Terraform Tools
    • CDK for Terraform
    • Glossary
  • Community
GitHub
Download
Try Terraform Cloud
    • v202208-2 (latest)
    • v202208-1
    • v202207-2
    • v202207-1
    • v202206-1

    Terraform Enterprise

  • Overview
    • API Docs template
    • Overview
    • Account
      • Overview
      • Module Sharing
      • Organizations
      • Runs
      • Settings
      • Terraform Versions
      • Users
      • Workspaces
    • Agent Pools
    • Agent Tokens
    • Applies
    • Audit Trails
    • Assessment Results
    • Comments
    • Configuration Versions
    • Cost Estimates
    • Feature Sets
    • Invoices
    • Notification Configurations
    • OAuth Clients
    • OAuth Tokens
    • Organizations
    • Organization Memberships
    • Organization Tags
    • Organization Tokens
    • Plan Exports
    • Plans
    • Policies
    • Policy Checks
    • Policy Sets
    • Policy Set Parameters
      • Modules
      • Providers
      • Private Provider Versions and Platforms
      • GPG Keys
    • Runs
      • Run Tasks
      • Stages and Results
      • Custom Integration
    • Run Triggers
    • SSH Keys
    • State Versions
    • State Version Outputs
    • Subscriptions
    • Team Access
    • Team Membership
    • Team Tokens
    • Teams
    • User Tokens
    • Users
    • Variables
    • VCS Events
    • Workspaces
    • Workspace-Specific Variables
    • Workspace Resources
    • Variable Sets
    • Changelog
    • Stability Policy
    • Credentials
    • Hardware
      • Supported OS
      • RedHat Linux
      • CentOS Linux
      • Operational Mode
      • PostgreSQL
      • Minio Setup Guide
      • External Vault
    • Network
    • Docker Engine
  • Operational Modes
    • Overview
    • AWS Reference Architecture
    • Azure Reference Architecture
    • GCP Reference Architecture
    • VMware Reference Architecture
    • Pre-Install Checklist
      • 1. Run Installer
      • 2. Configure in Browser
      • Automated Installation
      • Active/Active
      • Initial User Automation
      • Encryption Password
    • Uninstall
    • Overview
      • Automated Recovery
      • Upgrades
      • Log Forwarding
      • Monitoring
      • Backups and Restores
      • Admin CLI Commands
      • Terraform Cloud Agents on TFE
      • Demo to Mounted Disk Migration
    • Terraform Cloud Agents on TFE
      • Accessing the Admin Interface
      • General Settings
      • Customization
      • Integration Settings
      • Managing Accounts & Resources
      • Module Sharing
      • Admin API
      • Updating Terraform Enterprise License
    • Terraform Enterprise Logs
    • Users
    • Teams
    • Organizations
    • Permissions
    • Two-factor Authentication
    • API Tokens
    • Configuration
    • Team Membership
    • Attributes
    • Login
      • Sample Auth Request
      • ADFS
      • Azure Active Directory
      • Okta
      • OneLogin
    • Troubleshooting
    • Overview
    • Creating Workspaces
    • Naming
    • Terraform Configurations
      • Overview
      • Managing Variables
      • Overview
      • VCS Connections
      • Access
      • Notifications
      • SSH Keys for Modules
      • Run Triggers
      • Run Tasks
    • Terraform State
    • JSON Filtering
    • Remote Operations
    • Viewing and Managing Runs
    • Run States and Stages
    • Run Modes and Options
    • UI/VCS-driven Runs
    • API-driven Runs
    • CLI-driven Runs
    • The Run Environment
    • Installing Software
    • Overview
    • GitHub.com (OAuth)
    • GitHub Enterprise
    • GitLab.com
    • GitLab EE and CE
    • Bitbucket Cloud
    • Bitbucket Server and Data Center
    • Azure DevOps Services
    • Azure DevOps Server
    • Troubleshooting
    • Overview
    • Adding Public Providers and Modules
    • Publishing Private Providers
    • Publishing Private Modules
    • Using Providers and Modules
    • Configuration Designer
  • Migrating to Terraform Enterprise
    • Overview
    • Using Sentinel with Terraform 0.12
    • Manage Policies
    • Enforce and Override Policies
    • Mocking Terraform Sentinel Data
    • Working With JSON Result Data
      • Overview
      • tfconfig
      • tfconfig/v2
      • tfplan
      • tfplan/v2
      • tfstate
      • tfstate/v2
      • tfrun
    • Example Policies
    • Overview
    • AWS
    • GCP
    • Azure
      • Overview
      • Service Catalog
      • Admin Guide
      • Developer Reference
      • Example Customizations
      • V1 Setup Instructions
    • Run Tasks Integration
    • Overview
    • Architecture Summary
    • Reliability & Availability
    • Capacity & Performance
    • Security Model
    • Data Security
    • Overview
      • Overview
      • v202208-2
      • v202208-1
      • v202207-2
      • v202207-1
      • v202206-1
      • v202205-1
      • v202204-2
      • v202204-1
      • v202203-1
      • v202202-1
      • v202201-2
      • v202201-1
      • Overview
      • v202112-2
      • v202112-1
      • v202111-1
      • v202110-1
      • v202109-2
      • v202109-1
      • v202108-1
      • v202107-1
      • v202106-1
      • v202105-1
      • v202104-1
      • v202103-3
      • v202103-2
      • v202103-1
      • v202102-2
      • v202102-1
      • v202101-1
      • Overview
      • Overview
      • Overview
  • Support

  • Terraform Cloud Agents

  • Other Docs

  • Intro to Terraform
  • Configuration Language
  • Terraform CLI
  • Terraform Cloud
  • Terraform Enterprise
  • Provider Use
  • Plugin Development
  • Registry Publishing
  • Integration Program
  • Terraform Tools
  • CDK for Terraform
  • Glossary
Type '/' to Search

»External Vault Requirements for Terraform Enterprise

Terraform Enterprise automatically creates an internally-managed Vault server that stores its data in the PostgreSQL Database. We strongly recommend that organizations use this internally-managed Vault server. However, some organizations have specific requirements around data encryption and auditing. Those organizations can configure Terraform Enterprise to use an external Vault server rather than the internally-managed Vault server.

We only recommend using external Vault when you have experience managing Vault in production. This approach requires that you assume full responsibility for the Vault server, including sealing, unsealing, replication, etc.

Warning: Do not configure multiple Terraform Enterprise instances to use the same external Vault server unless they are part of an Active/Active installation. Doing so will result in data loss.

»External Vault Configuration

Important: You must configure External Vault during initial installation. After installation, you can only change the configuration using the backup and restore API.

Run the following commands to configure your external Vault server for use with Terraform Enterprise.

  1. Enable the AppRole Auth Method.

    vault auth enable approle
    
    vault auth enable approle
    
  2. Enable the Transit Secrets Engine.

    vault secrets enable transit
    
    vault secrets enable transit
    
  3. Create the tfe-policy.hcl file with the following content:

    # To renew leases.
    path "sys/leases/renew" {
      capabilities = ["create", "update"]
    }
    path "sys/renew" {
      capabilities = ["create", "update"]
    }
    
    # To renew tokens.
    path "auth/token/renew" {
      capabilities = ["create", "update"]
    }
    path "auth/token/renew-self" {
      capabilities = ["create", "update"]
    }
    
    # To perform a login.
    path "auth/approle/login" {
      capabilities = ["create", "update"]
    }
    
    # To upsert transit keys used for key generation.
    path "transit/keys/atlas_*" {
     capabilities = ["read", "create", "update"]
    }
    path "transit/keys/archivist_*" {
      capabilities = ["read", "create", "update"]
    }
    
    # To allow for signing using transit keys
    path "transit/sign/atlas_*" {
      capabilities = ["create", "update"]
    }
    
    # Encryption and decryption of data.
    path "transit/encrypt/atlas_*" {
      capabilities = ["create", "update"]
    }
    path "transit/decrypt/atlas_*" {
      capabilities = ["create", "update"]
    }
    path "transit/encrypt/archivist_*" {
      capabilities = ["create", "update"]
    }
    path "transit/decrypt/archivist_*" {
      capabilities = ["create", "update"]
    }
    
    # For performing key derivation.
    path "transit/datakey/plaintext/archivist_*" {
      capabilities = ["create", "update"]
    }
    
    # For backup/restore operations.
    path "transit/keys/atlas_*/config" {
      capabilities = ["read", "create", "update"]
    }
    path "transit/backup/atlas_*" {
      capabilities = ["read"]
    }
    path "transit/restore/atlas_*" {
      capabilities = ["read", "create", "update"]
    }
    path "transit/keys/archivist_*/config" {
      capabilities = ["read", "create", "update"]
    }
    path "transit/backup/archivist_*" {
      capabilities = ["read"]
    }
    path "transit/restore/archivist_*" {
      capabilities = ["read", "create", "update"]
    }
    
    # For health checks to read the mount table.
    path "sys/mounts" {
      capabilities = ["read"]
    }
    
    # To renew leases.
    path "sys/leases/renew" {
      capabilities = ["create", "update"]
    }
    path "sys/renew" {
      capabilities = ["create", "update"]
    }
    
    # To renew tokens.
    path "auth/token/renew" {
      capabilities = ["create", "update"]
    }
    path "auth/token/renew-self" {
      capabilities = ["create", "update"]
    }
    
    # To perform a login.
    path "auth/approle/login" {
      capabilities = ["create", "update"]
    }
    
    # To upsert transit keys used for key generation.
    path "transit/keys/atlas_*" {
     capabilities = ["read", "create", "update"]
    }
    path "transit/keys/archivist_*" {
      capabilities = ["read", "create", "update"]
    }
    
    # To allow for signing using transit keys
    path "transit/sign/atlas_*" {
      capabilities = ["create", "update"]
    }
    
    # Encryption and decryption of data.
    path "transit/encrypt/atlas_*" {
      capabilities = ["create", "update"]
    }
    path "transit/decrypt/atlas_*" {
      capabilities = ["create", "update"]
    }
    path "transit/encrypt/archivist_*" {
      capabilities = ["create", "update"]
    }
    path "transit/decrypt/archivist_*" {
      capabilities = ["create", "update"]
    }
    
    # For performing key derivation.
    path "transit/datakey/plaintext/archivist_*" {
      capabilities = ["create", "update"]
    }
    
    # For backup/restore operations.
    path "transit/keys/atlas_*/config" {
      capabilities = ["read", "create", "update"]
    }
    path "transit/backup/atlas_*" {
      capabilities = ["read"]
    }
    path "transit/restore/atlas_*" {
      capabilities = ["read", "create", "update"]
    }
    path "transit/keys/archivist_*/config" {
      capabilities = ["read", "create", "update"]
    }
    path "transit/backup/archivist_*" {
      capabilities = ["read"]
    }
    path "transit/restore/archivist_*" {
      capabilities = ["read", "create", "update"]
    }
    
    # For health checks to read the mount table.
    path "sys/mounts" {
      capabilities = ["read"]
    }
    
  4. Create the tfe policy using the tfe-policy.hcl policy content.

    vault policy write tfe tfe-policy.hcl
    
    vault policy write tfe tfe-policy.hcl
    
  5. Create an AppRole with a periodic token using the tfe policy.

    vault write auth/approle/role/tfe policies="tfe" token_period=24h
    
    vault write auth/approle/role/tfe policies="tfe" token_period=24h
    
  6. Fetch the RoleID of the AppRole. This maps back to the extern_vault_role_id Terraform Enterprise configuration setting.

    vault read auth/approle/role/tfe/role-id
    
    vault read auth/approle/role/tfe/role-id
    
  7. Fetch the SecretID of the AppRole. This maps back to the extern_vault_secret_id Terraform Enterprise configuration setting.

    vault write -f auth/approle/role/tfe/secret-id
    
    vault write -f auth/approle/role/tfe/secret-id
    
  • Overview
  • Docs
  • Extend
  • Privacy
  • Security
  • Press Kit
  • Consent Manager