Terraform
Terraform Enterprise Consolidated Services Architecture
Terraform Enterprise is adopting a simplified architecture where all server
services are consolidated into a single container called
terraform-enterprise
. This change lays the foundation for future improvements
to how you install and operate Terraform Enterprise and includes an immediate
security benefit of running containers as a non-root user.
This architecture will become the default and only option in v202308-1. For
now, you can test it out by manually enabling the consolidated_services
setting.
What’s changed?
When consolidated_services
is enabled:
- Terraform Enterprise services run inside the
terraform-enterprise
container. - Logs from the
terraform-enterprise
container will be prefaced by the name of the service that generated the log message. (e.g.==> /var/log/terraform-enterprise/vault.log <==
) - Containers run as a non-root user.
This architecture will be the default and only option in v202308-1 and later.
What hasn’t changed?
Terraform runs continue to execute in isolated, short-lived containers.
How can I test this change before it becomes the default and only option in v202308-1?
Install or upgrade to Terraform Enterprise v202305-1 or higher, following your usual install or upgrade workflow.
Enable the
consolidated_services
setting.replicatedctl app-config set consolidated_services --value 1
Restart Terraform Enterprise.
replicatedctl app stop replicatedctl app status replicatedctl app start
You’ll notice that the many containers have been consolidated down to a few.
The most notable is the terraform-enterprise container
where the Terraform
Enterprise services now run. The terraform-enterprise
container has a
consolidated log stream of the Terraform Enterprise services.
Frequently Asked Questions (F.A.Q)
What should I test?
We advise users to evaluate the impact this will have on your monitoring and log forwarding implementation.
All server services are now included in a single container. If you are monitoring container metrics, please note that you will have fewer containers reporting information. Run containers are not impacted by this change, they remain separate and short-lived.
Service logs have been consolidated into a single log stream.
How can I test this in my non-production environments?
We encourage customers to test this in an environment that closely resembles their production TFE installation. You can test this new architecture by:
Executing common application workflows such as:
- Adding teams, users, organizations, projects and workspaces.
- Executing Terraform runs.
- Publishing modules and providers to the registry.
Execute security scans, to ensure the fix is picked up by your scan logic.
Toggle between enabling and disabling consolidated services mode to ensure there are no issues failing back to the default architecture in your specific environment.
Check out the changes to logs and observe your normal monitoring stack to familiarize yourself with the new architecture and provide usability feedback to TFE product management.
Where should I send feedback?
Please share feedback with your HashiCorp account team. They will engage product management directly.
Will this always be an optional architecture?
No. In v202308-1, consolidated services will become the default and only option.
Can I deploy this to production?
Once you have thoroughly tested this in a lower environment, you can deploy this in production environments. Please be aware that if issues occur, you may be asked to disable this setting.