Terraform Enterprise Consolidated Services Architecture
Terraform Enterprise is adopting a simplified architecture where all server
services are consolidated into a single container called
terraform-enterprise. This change lays the foundation for future improvements
to how you install and operate Terraform Enterprise and includes an immediate
security benefit of running containers as a non-root user.
This architecture will become the default and only option in v202308-1. For
now, you can test it out by manually enabling the consolidated_services setting.
When consolidated_services is enabled:
- Terraform Enterprise services run inside the terraform-enterprise container.
- Logs from the terraform-enterprise container will be prefaced by the name of the service that generated the log message (e.g. ==> /var/log/terraform-enterprise/vault.log <==).
- Containers run as a non-root user.
This architecture will be the default and only option in v202308-1 and later.
Terraform runs continue to execute in isolated, short-lived containers.
Install or upgrade to Terraform Enterprise v202305-1 or higher, following your usual install or upgrade workflow.
replicatedctl app-config set consolidated_services --value 1
Restart Terraform Enterprise.
replicatedctl app stop
replicatedctl app status
replicatedctl app start
You’ll notice that the many containers have been consolidated down to a few.
The most notable is the
terraform-enterprise container where the Terraform
Enterprise services now run. The
terraform-enterprise container has a
consolidated log stream of the Terraform Enterprise services.
We advise you to evaluate the impact this will have on your monitoring and log forwarding implementation.
All server services are now included in a single container. If you are monitoring container metrics, please note that you will have fewer containers reporting information. Run containers are not impacted by this change; they remain separate and short-lived.
Service logs have been consolidated into a single log stream.
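If your log forwarding used to attribute messages by container name, the service now has to be recovered from the header lines in the single stream. The following is an added example, not HashiCorp code: it assumes the header format shown above, and the "example-service" name and all sample messages are constructed.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Directory taken from the header example on this page.
LOG_DIR = PurePosixPath("/var/log/terraform-enterprise")
# Header printed when the stream switches to another service's log file.
HEADER = re.compile(r"^==> (\S+) <==$")


def demux(lines):
    """Yield (service, message) pairs from the consolidated log stream."""
    service = "unknown"  # lines seen before the first header are kept, not dropped
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = HEADER.match(line)
        if m:
            path = PurePosixPath(m.group(1))
            # Accept only headers for files directly under LOG_DIR; anything
            # else that merely looks like a header stays an ordinary message.
            if path.parent == LOG_DIR and path.suffix == ".log":
                service = path.stem
                continue
        if line.strip():
            yield service, line


def per_service_counts(lines):
    """Count messages per service, e.g. to confirm each one still reaches the forwarder."""
    return Counter(service for service, _ in demux(lines))


# Constructed sample stream; "example-service" and the messages are made up.
SAMPLE = """\
startup banner before any header
==> /var/log/terraform-enterprise/vault.log <==
2023-05-01T12:00:00Z [INFO] constructed vault message

==> /var/log/terraform-enterprise/example-service.log <==
2023-05-01T12:00:01Z constructed message one
==> /tmp/other.log <==
2023-05-01T12:00:02Z constructed message two
==> /var/log/terraform-enterprise/vault.log <==
2023-05-01T12:00:03Z [WARN] constructed vault message
""".splitlines()

if __name__ == "__main__":
    for service, message in demux(SAMPLE):
        print(f"{service}\t{message}")
```

Comparing the per-service counts before and after enabling consolidated_services is one way to confirm that no service's logs were lost in the forwarding path.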
We encourage customers to test this in an environment that closely resembles their production TFE installation. You can test this new architecture by:
Executing common application workflows such as:
- Adding teams, users, organizations, projects and workspaces.
- Executing Terraform runs.
- Publishing modules and providers to the registry.
Execute security scans to ensure the fix is picked up by your scan logic.
Toggle between enabling and disabling consolidated services mode to ensure there are no issues failing back to the default architecture in your specific environment.
Check out the changes to logs and observe your normal monitoring stack to familiarize yourself with the new architecture and provide usability feedback to TFE product management.
Please share feedback with your HashiCorp account team. They will engage product management directly.
No. In v202308-1, consolidated services will become the default and only option.
Once you have thoroughly tested this in a lower environment, you can deploy this in production environments. Please be aware that if issues occur, you may be asked to disable this setting.