
hashicorp / terraform-aws-terraform-enterprise


A Terraform module for deploying Terraform Enterprise on AWS.

License: Mozilla Public License 2.0

HCL 99.79% Smarty 0.21%
terraform-enterprise aws

terraform-aws-terraform-enterprise's Issues

Metrics support (aws)

What problem would you like to address?

Currently there is no configuration for the load balancers or security groups for the metrics ports to be open.

Who is the audience for this request?

all

What would the ideal solution look like?

Here is the Azure solution.
hashicorp/terraform-azurerm-terraform-enterprise#214

What alternatives have you considered?

n/a

How does this impact you?

This is an important customer feature that we need to not be manually configuring.

Are there any deadlines?

n/a

Is there any additional context?

Module is specific to v0.11.x will not work for v0.12

I have run into multiple issues trying to use this module with TF v0.12.13 and I am still working through them.

Can documentation be updated to reflect the known working version this module should be used with?

Some key breaking areas are handling variable lists.
Example:

resource "aws_security_group_rule" "allow_list" {
  count             = "${length(var.allow_list) > 0 ? 1 : 0}"
  type              = "ingress"
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["${var.allow_list}"]
  security_group_id = "${aws_security_group.intra_vpc_and_egress.id}"
} 

This breaks because var.allow_list is a list. Had to change to

cidr_blocks  = var.allow_list

To get plan to move past that error. I'm still working through the errors as I need version 0.12 in my current setup.

update to v5 AWS provider

Expected Behavior

We need this fix for the default tags.

Actual Behavior

If you change default tags, it won't init.

Steps to Reproduce

spin something up on aws provider 4.0
change the default tags
failure

Add ability to specify tags for the resources

Hello,

This issue is to track the ability to add tags to the resources managed by this module. Currently, it is required for the user to make manual edits to the module to tag the resources. Perhaps an input variable can be added that a user can pass a map of tags into.

airgap example

In the airgapped install example, where is the source for the external module located? Can't seem to locate this source "hashicorp/terraform-enterprise/aws/modules/external-services"

Configurable auto scaling group health check

What problem would you like to address?

Support a configurable health check for the auto scaling group. The current settings are too aggressive and cause the instance to terminate during an upgrade.

  • Add support for configuring the health_check_grace_period.
  • Add support for configuring the health_check_type.

Who is the audience for this request?

Everyone.

What would the ideal solution look like?

Expose variable to configure the aforementioned settings.

What alternatives have you considered?

Using Azure and GCP.

How does this impact you?

It makes doing automated upgrade testing difficult.

Are there any deadlines?

N/A

Is there any additional context?

N/A

Implement check for authorized users of slash command dispatcher

What problem would you like to address?

Currently for someone to run the slash commands (i.e. /test all), the user must be admin of the repo. This security posture is not preferred.

Who is the audience for this request?

TFE engineers / maintainers of this repo

What would the ideal solution look like?

Implement a conditional that is a check of authorized users for the slash command dispatcher action, like done here

What alternatives have you considered?

What we're doing now

How does this impact you?

Currently we have to add everyone as a user and remember to remove admins when they're offboarded.

Are there any deadlines?

Is there any additional context?

Add feature/ability to pass in existing resources instead of assume creation from zero

What problem would you like to address?
Take a govcloud deployment for example. In govcloud, the project may not be able to create VPC or other resources. The govcloud governance and cloud service provider may create those resources for the project. I would like to be able to pass those values in and instead of the module creating the resource, consume the given resource, i.e. vpc_id, public_subnets, or IAM_role.

Who is the audience for this request?
The end users are initially a govcloud user, but could be any cloud tenant depending on governance.

What would the ideal solution look like?
If the resource has been provided then consume the resource. If the resource is not provided, attempt to create the resources as it is currently designed to do.

What alternatives have you considered?
A. Writing our own modules.
B. Tearing apart the current upstream deployment to perform resource creation using different IAM roles.

How does this impact you?
We cannot create iam roles/policies due to govcloud and company governance policies.
We have been working to provide values to each of the services and implement a count in the resources to check if provided.

Are there any deadlines?
1 May 2023

Is there any additional context?
Govcloud account

testing FR

What problem would you like to address?

Who is the audience for this request?

What would the ideal solution look like?

What alternatives have you considered?

How does this impact you?

Are there any deadlines?

Is there any additional context?

Testing bug

Expected Behavior

Actual Behavior

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000

Primary TFE instances do not have access to internet

Hello,
I've noticed that all primary tfe instances do not have access to internet (egress rule is missing).
Without the access some updates are failing. Is this an expected behaviour?

I did enable the access by adding the following egress rule:

resource "aws_security_group" "allow_ptfe" {
...
...
  egress {
    description = "Allow EC2 to have access to internet"

    from_port = 0
    to_port   = 0
    protocol  = "-1"

    cidr_blocks = ["0.0.0.0/0"]
  }
}

TEST - AWS

What problem would you like to address?

Who is the audience for this request?

What would the ideal solution look like?

What alternatives have you considered?

How does this impact you?

Are there any deadlines?

Is there any additional context?

EC2 Instances are marked as "unhealthy"

We are currently working on the deployment of Terraform Enterprise to our AWS Account and we are facing a problem with the EC2 instances that we don't really know how to debug (or even find useful logs to investigate further).

Without making any change to the code of the terraform-aws-terraform-enterprise module, all resources are provisioned, but as I mentioned previously the EC2 instances (both primary and secondaries) are marked as healthy when they try to register to the TargetGroup.

Health checks failed with these codes: [502]

Any ideas where to find logs to help us investigate this further?

testing again

What problem would you like to address?

Who is the audience for this request?

What would the ideal solution look like?

What alternatives have you considered?

How does this impact you?

Are there any deadlines?

Is there any additional context?

Add ability to pin Terraform Enterprise version

Hello,

This issue is to track adding the ability to pin the Terraform Enterprise version that is installed by this module. In non-clustered installations this was configured using ReleaseSequence within the /etc/replicated.conf file.

Create a bastion vm fixture module and enable ssh to TFE instances in Active/Active mode

What problem would you like to address?

Customers and team members alike have needed an AWS active/active installation that they can easily SSH to, and currently, this module does not support that; instead SSM is strictly enforced.

Who is the audience for this request?

TFE Engineers, internal teams needed test instances

What would the ideal solution look like?

I have started a branch here. You will notice that there is a bastion_host fixture module. I would continue working on this to get it to a streamlined build.

I attempted to build out the solution here, running it in tf-onprem-dev-infra/modules/release-testing, but I didn't have time to complete it.

Ideally, someone would just pick up on this work.

What alternatives have you considered?

Being able to SSH directly to the TFE instances for DEV scenarios, but I'm not sure if that's possible.

How does this impact you?

Not having this adds a lot of toil to building out this scenario manually.

Are there any deadlines?

No, but we waste a lot of time on it.

Is there any additional context?

I had to build a module for someone (convo here) who didn't have access to our AWS account to use SSM, so me and another engineer spent two hours figuring it out manually. Having a prebuilt solution would reduce toil.

Airgap Install Examples make external calls

For v5 architecture, the airgapped install example appears to use 'external' resources like the public module registry (to get modules) and s3 buckets (to get the installer bits). Airgapped implies that the install will not require any sort of external internet access.

Airgapped installer example code:
https://github.com/hashicorp/terraform-aws-terraform-enterprise/blob/master/examples/airgap/main.tf

Calling v5 module from public module registry:
module "terraform-enterprise" {
  source  = "hashicorp/terraform-enterprise/aws"
  version = "0.1.0"
  ...
}

Calling external s3 bucket:
installer_url = "https://${local.setup_bucket}.s3-${local.region}.amazonaws.com/tfe-setup/ptfe.zip"
