HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Terraform
Terraform Home

Configure admin console

The admin console is a separate interface from the main Terraform Enterprise application and is designed specifically for administration tasks. The admin console provides the following administrative capabilities:

  • View system health, including node readiness and diagnostic checks
  • Generate and download product usage bundles
  • Create diagnostic bundles for troubleshooting
  • Collect system logs and configuration data
  • Export bundles for IBM Support
  • Run readiness and diagnostic checks of your Terraform Enterprise instance

Refer to Manage Terraform Enterprise deployment overview for additional information about performing administrative tasks.

Requirements

  • Terraform Enterprise v1.1.x or newer
  • Administrative access to the Terraform Enterprise deployment
  • Network access to the admin console port. By default, admin console runs on port 8443.

Configuration

  1. Admin console runs on port 8443 by default, but you can set the TFE_ADMIN_HTTPS_PORT environment variable to a different port.
  2. To disable the admin console, set the TFE_ADMIN_CONSOLE_DISABLE environment variable to true in your deployment configuration.

Access admin console

To access the admin console, go to the following address in a browser window to access the console:

https://<your-tfe-hostname>:<admin_console_port>

You must present an API token with administrative access to authenticate to the admin console. Refer to the Access admin console for more information.

Audit logging

Terraform Enterprise logs access and authentication events for the admin console and system API operations for auditing purposes. Terraform Enterprise emits the events with structured fields so that downstream systems can parse them consistently. The admin console does not provide a UI for viewing audit logs directly. For more information about audit logging for security-related events, refer to Enable logs.

View system health

The admin console includes a System health page that provides an overview of the health of your Terraform Enterprise deployment. The system health page is divided into a node readiness section and a diagnostics section.

View node readiness

The Node readiness section displays the readiness status of all active nodes in your deployment. Readiness checks verify that critical subsystems are operational and that each node can accept requests. Terraform Enterprise only presents nodes that are actively running and registered in the list. It does not show stopped or deregistered nodes.

To view node readiness:

  1. In the admin console, select System health from the sidebar navigation. Readiness checks run automatically across all nodes when the page loads.
  2. The Node readiness section displays a summary showing the number of nodes, the number of errors, and how long ago the checks ran.
  3. To run the checks again, click Recheck node readiness.

Each node in the results list shows an overall status:

  • OK: All subsystem checks passed.
  • ERROR: One or more subsystem checks failed.
  • DRAINING: The node is draining and not accepting requests.

Click a node row to expand it and view the status of each subsystem check. Errored nodes automatically expand to show the failed check groups. Each subsystem check displays a color-coded badge that indicates its status.

The readiness checks verify the following subsystems:

  • Archivist
  • Atlas
  • Database
  • Disk
  • Redis
  • Task Worker
  • Vault

Refer to the readiness endpoint reference for descriptions of each check.

The admin console uses the /api/v1/nodes/readiness endpoint to aggregate readiness results from all active nodes.

Run diagnostic checks

The Diagnostics section lets you run comprehensive diagnostic checks that perform deeper analysis of subsystem health compared to readiness checks. Diagnostic checks validate configurations, permissions, versions, and connectivity for each subsystem.

To run diagnostic checks:

  1. In the admin console, select System health from the sidebar navigation.
  2. In the Diagnostics section, choose which nodes to diagnose:
    • To run diagnostics on all nodes, click Run diagnostics on all nodes.
    • To run diagnostics on specific nodes, use the Select nodes for diagnostics dropdown to choose one or more nodes, then click Run on selected nodes.
  3. Wait for the diagnostic checks to complete. A loading indicator displays while the checks run.

Note

The diagnostics API enforces a rate limit of one concurrent diagnostic run. If another diagnostic check is already running, the admin console displays a Diagnostic suite busy message. Click Check again to recheck after the previous run completes. Refer to Rate limiting for more information.

After the diagnostics complete, the results display as expandable rows grouped by node. Each node row shows an overall status and a summary of detected issues.

Click a node row to expand it and review the detailed results. Expanded results display:

  • Check groups: Each subsystem check group and its status.
  • Error messages: Error details display with a red left-border indicator.
  • Warning messages: Warning details display with a yellow left-border indicator.
  • Error and warning text: The specific check name and associated message.

Errored nodes automatically expand to show their error details.

Manage diagnostic results

After running diagnostics, you can use the Manage dropdown to perform the following actions:

  • Re-run diagnostics: Run the same diagnostic scope again.
  • New diagnostics: Return to the initial diagnostics state to select different nodes.
  • Generate support bundle: Create a support bundle for the diagnosed nodes.
  • Download report: Download the diagnostic results as a JSON file for offline analysis or sharing with support teams.

The admin console uses the /api/v1/diagnostics endpoint to run diagnostic checks. Refer to the Diagnostics API reference for details on query parameters and response format.

Troubleshooting

Complete the following troubleshooting steps to diagnose and resolve issues with admin console.

Check port accessibility

Verify that the admin console port is accessible from your network. Refer to the TFE_ADMIN_HTTPS_PORT reference for more information.

Test the API functionality

Confirm that the system API responds to requests by testing the ping endpoint. Refer to the /ping endpoint documentation for testing instructions.

Validate access token

Test access using a new authentication token to rule out token-related issues. Refer to the token generation documentation for creating new tokens.

Review system logs

Check system logs for error messages related to the Admin Console. If you cannot access the Admin Console interface, you can generate support bundles using the tfectl command-line tool as an alternative method. Refer to the support bundle generation documentation for details.

Check Audit Logs

Review audit logs to identify authentication issues or failed access attempts. Use the details described in Audit logging to access and interpret log entries.

Edit this page on GitHub