Terraform Enterprise admin CLI commands

Terraform Enterprise provides CLI commands via tfectl to change its configuration, stop the application safely, and produce support bundles. You must have access into the Docker container or Kubernetes pod to run these commands. For instructions on connecting to the command line, refer to Access the Terraform Enterprise command line.

Commands

tfectl exposes a number of commands to perform different operations.

Most of the commands run directly on the node where Terraform Enterprise executes them. Some commands support a --node flag that you can use to specify which node to run a command on. The value of --node depends on the runtime environment of the Terraform Enterprise installation i.e:

Container ID (Docker)
Pod Name (Kubernetes)
Hostname

Multi node commands

Multi node commands are only relevant and possible if you are running Terraform Enterprise on Kubernetes, or on another deployment option using the 'active-active' operational mode.

Gracefully stop work on a node

This command stops a terraform-enterprise node from executing new plans and applies. It allows the current work to complete before safely stopping the node from picking up any new tasks, which lets you safely stop the application.a

Drain a single node.

$ tfectl node drain --node NODE_NAME

If you do not provide the --node flag, the command will drain the node you run it on.

$ tfectl node drain

Use the --all flag to drain all the nodes.

$ tfectl node drain --all

Restart the application to resume processing work after draining all the nodes.

Support bundle

The support bundle command generates support bundle on a Terraform Enterprise installation.

Generate a support bundle on a specific node.

$ tfectl support bundle --node NODE_NAME

If you do not provide the --node flag, Terraform Enterprise will by default generate the support bundle on the same node where you run the command.

$ tfectl support bundle

Use the --all flag to generate the support bundle on all the nodes.

$ tfectl support bundle --all

For mounted disk installations, Terraform Enterprise will generate support bundles in /run/terraform-enterprise/support-bundles. Downloading this file makes it immediately available, but it should be disabled once the file has been downloaded.

For External Services, Active/Active and Kubernetes installations, Terraform Enterprise will upload the support bundles to the same object store bucket where Terraform state files are stored. Each specific run of the admin support bundle command will upload the bundle to a directory with the same JobID, which is a timestamp in RFC3339 format (bucket/node/timestamp).

If you are sending a support bundle to HashiCorp Support, package and send all associated bundles to ensure that we have all the necessary information.

Example upload structure:

support-bundles
└── 2020-11-10T02:03:05Z
    ├── 10.0.0.5
    │   └── 10.0.0.5-support-bundle-timestamp.tar.gz
    └── 10.0.0.6
        └── 10.0.0.6-support-bundle-timestamp.tar.gz

Enable or disable support bundle downloads

The support bundle-download command enables the administrator of a mounted disk installation to access support bundles via https in the Terraform Enterprise node.

To enable downloads, use the --enable flag.

$ tfectl support bundle-download --enable

By enabling this feature, you will be able to download support bundles from https://${TFE_HOSTNAME}/_support-bundles/${timestamp}/${filename}. The filename follows the structure of ${node_hostname}-support-bundle-${timestamp}.tar.gz.

Once you have finished downloading support bundles, it is recommended to disable this feature using the following command:

$ tfectl support bundle-download --disable

If the command is executed in a Terraform Enterprise installation that is not running on a mounted disk, it will have no effect and perform no action.

Connect to the internal Rails Console

At times, it may become necessary to modify the internal state of the Terraform Enterprise application. An example is when you have lost credentials for all your admin accounts and need to manually set an existing user as an administrator.

This operation is very dangerous, and we strongly advise against using this command without the guidance of HashiCorp support. Once you have a concrete action plan on what needs to be changed via the Rails console, execute:

$ tfectl support console

This will prompt you for confirmation. Only the word yes is a valid response to proceed.

Review HashiCorp license status

This command displays the status of the license installed on your Terraform Enterprise application.

$ tfectl app license

Retrieve the initial admin user creation token

To create the first admin user in your Terraform Enterprise installation, you will need the Initial Admin Creation Token or IACT. You can retrieve this from any Terraform Enterprise node using:

$ tfectl admin token

This command should return the token value. You can also retrieve the REST resource that will allow you to create your initial admin user with the IACT token appended at the end via the flag:

$ tfectl admin token --url

This will provide the URL formatted to be used with curl or wget, and it only supports POST operations.

List all Terraform Enterprise installation nodes

To get a list of valid node values, use the following command:

$ tfectl node list

This will return a list of all active nodes in the installation that are sharing the same database connection.

View application health

Terraform Enterprise runs several integral systems for the application's overall health. To view the health of these systems, run the following command:

$ tfectl app status

You can also view the health on other nodes in the Terraform Enterprise installation. To see the status of a specific node, use the --node flag, e.g.:

$ tfectl app status --node NODE_NAME

For a health check on every node in the Terraform Enterprise installation, you could run:

$ tfectl app status --all

View application configuration

Reviewing the actual values used by the Terraform Enterprise application during execution is a useful method to verify correct configuration. To view it, simply run:

$ tfectl app config

This command will print the application's configuration in JSON format, with sensitive values redacted. To see the configuration without redaction, use:

$ tfectl app config --unredacted

However, some values, like the TLS CA Bundle Data, are truncated for readability. For the full configuration without truncation, use:

$ tfectl app config --full

You can save the configuration to a file with:

$ tfectl app config --out /path/to/config.json

To get the node's configuration from a specific node:

$ tfectl app config --node NODE_NAME

To read the configuration from all the nodes in the Terraform Enterprise installation, you can use:

$ tfectl app config --all

To convert your Terraform Enterprise configuration into a suitable Docker Compose file format, use the following command:

$ tfectl app config --format docker

We typically use this formatting command for migrating from a Replicated installation to an installation using Flexible Deployment Options with Docker.

Change encryption password

The TFE_ENCRYPTION_PASSWORD is used as a key for envelope encryption. This password is necessary to start and run Terraform Enterprise. The blob data cannot be decrypted without it. To change it, use:

$ tfectl app rotate-encryption-password

You'll be prompted for confirmation, where 'yes' is the only acceptable value. Then, you'll need to provide your current and new passwords:

$ tfectl app rotate-encryption-password --current CURRENT_PASSWORD --new NEW_PASSWORD

WARNING: After changing the encryption password, restart your Terraform Enterprise nodes with the new password as the value of the TFE_ENCRYPTION_PASSWORD environment variable. Ensure no one is using the system to avoid corrupting the application's state.

Back up the old password in case you need to restore the application. Otherwise, data in the backup can't be accessed.

Trigger startup checks

Terraform Enteprise Flexible Deployment Options runs validations to ensure proper application configuration. You can retrigger these with:

$ tfectl app startup-check

View database migration status

This command queries the status of all in-flight or required migrations:

$ tfectl db migration-status

Use the --required-only flag to return the status of required migrations:

$ tfectl db migration-status --required-only

Mounted disk commands

These commands are not relevant if you manage your own database instance or run Terraform Enterprise with an external database.

When using TFE_OPERATIONAL_MODE: disk, Terraform Enterprise runs its Postgres instance managed through the container. Admin CLI provides commands for common operations.

Create a database backup

To create backups of the internal database instance, use the following command:

$ tfectl db backup

This command will generate the backup in the directory passed via the environment variable TFE_DISK_PATH, default /var/lib/terraform-enterprise. The backup filename will be created in the format TIMESTAMP_hashicorp.db. `

You can specify the backup's destination via the --out flag, e.g.

$ tfectl db backup --out /path/to/backup.db

Recreate database indices

Rebuild Postgres database indices using:

$ tfectl db reindex

Restore database from a backup

The execution of this command will momentarily shut down your Terraform Enterprise instance. Please make sure that no work is being executed, and no one is using the instance before running this command. After the restore takes place, Atlas will come back online.
This operation is irreversible, once a database backup has been loaded, all data created between the time of the backup and the date of restoration will be lost.

To restore a database from a backup file, run:

$ tfectl db restore --file /path/to/backup.db

Confirmation is needed, with only yes as a valid response.