Terraform Enterprise HVD on AWS EC2

Terraform module aligned with HashiCorp Validated Designs (HVD) to deploy Terraform Enterprise (TFE) on Amazon Web Services (AWS) using EC2 instances with a container runtime. This module defaults to deploying TFE in the active-active operational mode, but external is also supported. Docker and Podman are the supported container runtimes.

Prerequisites

General

TFE license file (e.g. terraform.hclic)
Terraform CLI >= 1.9 installed on clients/workstations that will be used to deploy TFE
General understanding of how to use Terraform (Community Edition)
General understanding of how to use AWS
git CLI and Visual Studio Code editor installed on workstations are strongly recommended
AWS account that TFE will be deployed in with permissions to provision these resources via Terraform CLI
(Optional) AWS S3 bucket for S3 remote state backend that will be used to manage the Terraform state of this TFE deployment (out-of-band from the TFE application) via Terraform CLI (Community Edition)

Networking

AWS VPC ID and the following subnets:
- Load balancer subnet IDs (can be the same as EC2 subnets if desirable)
- EC2 (compute) subnet IDs
- RDS (database) subnet IDs
- Redis subnet IDs (can be the same as RDS subnets if desirable)
(Optional) S3 VPC endpoint configured within VPC
(Optional) AWS Route53 hosted zone for TFE DNS record creation
Chosen fully qualified domain name (FQDN) for your TFE instance (e.g. tfe.aws.example.com)

📝 Note: It is recommended to specify a minimum of two subnets for each subnet input to enable high availability.

Security groups

This module will automatically create the necessary security groups and attach them to the applicable resources
Identify CIDR range(s) that will need to access the TFE application (managed via cidr_allow_ingress_tfe_443 input variable)
Identify CIDR range(s) that will need to access the shell of the TFE EC2 instances (managed via cidr_allow_ingress_ec2_ssh input variable)
Be familiar with the TFE ingress requirements
Be familiar with the TFE egress requirements

TLS certificates

TLS certificate (e.g. cert.pem) and private key (e.g. privkey.pem) that matches your chosen fully qualified domain name (FQDN) for TFE
- TLS certificate and private key must be in PEM format
- Private key must not be password protected
TLS certificate authority (CA) bundle (e.g. ca_bundle.pem) corresponding with the CA that issues your TFE TLS certificates
- CA bundle must be in PEM format
- You may include additional certificate chains corresponding to external systems that TFE will make outbound connections to (e.g. your self-hosted VCS, if its certificate was issued by a different CA than your TFE certificate).

📝 Note: All three of these files will be created as secrets in AWS Secrets Manager per the next section.

Secrets management

The following bootstrap secrets stored in AWS Secrets Manager in order to bootstrap the TFE deployment and installation:

TFE license file - raw contents of license file stored as a plaintext secret (e.g. cat terraform.hclic)
TFE encryption password - random characters stored as a plaintext secret (used to protect internally-managed Vault unseal key and root token)
TFE database password - used to create RDS Aurora (PostgreSQL) database cluster; random characters stored as a plaintext secret; value must be between 8 and 128 characters long and must not contain @, ", or / characters
TFE Redis password - used to create Redis (Elasticache Replication Group) cluster; random characters stored as a plaintext secret; value must be between 16 and 128 characters long and must not contain @, ", or / characters
TFE TLS certificate - file in PEM format, base64-encoded into a string, and stored as a plaintext secret
TFE TLS certificate private key - file in PEM format, base64-encoded into a string, and stored as a plaintext secret
TFE TLS CA bundle - file in PEM format , base64-encoded into a string, and stored as a plaintext secret

📝 Note: See the TFE Bootstrap Secrets doc for more details on how these secrets should be stored in AWS Secrets Manager.

Compute

Connecting to shell of EC2 instances

One of the following mechanisms for shell access to TFE EC2 instances:

EC2 SSH key pair
AWS SSM (can be enabled by setting ec2_allow_ssm boolean input variable to true)

Log forwarding (optional)

One of the following logging destinations:

AWS CloudWatch log group
AWS S3 bucket
A custom fluent bit configuration that will forward logs to custom destination

Usage

Create/configure/validate the applicable prerequisites.
Nested within the examples directory are subdirectories containing ready-made Terraform configurations for example scenarios on how to call and deploy this module. To get started, choose the example scenario that most closely matches your requirements. You can customize your deployment later by adding additional module inputs as you see fit (see the Deployment-Customizations doc for more details).

Copy all of the Terraform files from your example scenario of choice into a new destination directory to create your Terraform configuration that will manage your TFE deployment. This is a common directory structure for managing multiple TFE deployments:

.
└── environments
    ├── production
    │   ├── backend.tf
    │   ├── main.tf
    │   ├── outputs.tf
    │   ├── terraform.tfvars
    │   └── variables.tf
    └── sandbox
        ├── backend.tf
        ├── main.tf
        ├── outputs.tf
        ├── terraform.tfvars
        └── variables.tf

📝 Note: In this example, the user will have two separate TFE deployments; one for their sandbox environment, and one for their production environment. This is recommended, but not required.

(Optional) Uncomment and update the S3 remote state backend configuration provided in the backend.tf file with your own custom values. While this step is highly recommended, it is technically not required to use a remote backend config for your TFE deployment.
Populate your own custom values into the terraform.tfvars.example file that was provided (in particular, values enclosed in the <> characters). Then, remove the .example file extension such that the file is now named terraform.tfvars.
Navigate to the directory of your newly created Terraform configuration for your TFE deployment, and run terraform init, terraform plan, and terraform apply.
After your terraform apply finishes successfully, you can monitor the installation progress by connecting to your TFE EC2 instance shell via SSH or AWS SSM and observing the cloud-init (user_data) logs:

Connecting to EC2 instance

SSH when ec2_os_distro is ubuntu:
```
ssh -i /path/to/ec2_ssh_key_pair.pem ubuntu@<ec2-private-ip>
```
SSH when ec2_os_distro is rhel or al2023:
```
ssh -i /path/to/ec2_ssh_key_pair.pem ec2-user@<ec2-private-ip>
```
Viewing the logs

View the higher-level logs:
```
tail -f /var/log/tfe-cloud-init.log
```
View the lower-level logs:
```
journalctl -xu cloud-final -f
```
📝 Note: The -f argument is to follow the logs as they append in real-time, and is optional. You may remove the -f for a static view.

Successful install log message

The log files should display the following log message after the cloud-init (user_data) script finishes successfully:
```
[INFO] tfe_user_data script finished successfully!
```
After the cloud-init (user_data) script finishes successfully, while still connected to the TFE EC2 instance shell, you can check the health status of TFE:
```
cd /etc/tfe
sudo docker compose exec tfe tfe-health-check-status
```
Follow the steps to here to create the TFE initial admin user.

Docs

Below are links to various docs related to the customization and management of your TFE deployment:

Requirements

Name	Version
terraform	>= 1.9
aws	~> 5.64

Providers

Name	Version
aws	~> 5.64

Resources

Name	Type
aws_autoscaling_group.tfe	resource
aws_db_parameter_group.tfe	resource
aws_db_subnet_group.tfe	resource
aws_elasticache_replication_group.redis_cluster	resource
aws_elasticache_subnet_group.tfe	resource
aws_iam_instance_profile.tfe_ec2	resource
aws_iam_policy.s3_crr	resource
aws_iam_policy_attachment.s3_crr	resource
aws_iam_role.s3_crr	resource
aws_iam_role.tfe_ec2	resource
aws_iam_role_policy.tfe_ec2	resource
aws_iam_role_policy_attachment.aws_ssm	resource
aws_launch_template.tfe	resource
aws_lb.alb	resource
aws_lb.nlb	resource
aws_lb_listener.alb_443	resource
aws_lb_listener.lb_nlb_443	resource
aws_lb_target_group.alb_443	resource
aws_lb_target_group.nlb_443	resource
aws_rds_cluster.tfe	resource
aws_rds_cluster_instance.tfe	resource
aws_rds_cluster_parameter_group.tfe	resource
aws_rds_global_cluster.tfe	resource
aws_route53_record.alias_record	resource
aws_s3_bucket.tfe	resource
aws_s3_bucket_public_access_block.tfe	resource
aws_s3_bucket_replication_configuration.tfe	resource
aws_s3_bucket_server_side_encryption_configuration.tfe	resource
aws_s3_bucket_versioning.tfe	resource
aws_security_group.ec2_allow_egress	resource
aws_security_group.ec2_allow_ingress	resource
aws_security_group.lb_allow_egress	resource
aws_security_group.lb_allow_ingress	resource
aws_security_group.rds_allow_ingress	resource
aws_security_group.redis_allow_ingress	resource
aws_security_group_rule.ec2_allow_cidr_ingress_tfe_metrics_http	resource
aws_security_group_rule.ec2_allow_cidr_ingress_tfe_metrics_https	resource
aws_security_group_rule.ec2_allow_egress_all	resource
aws_security_group_rule.ec2_allow_egress_dns_tcp	resource
aws_security_group_rule.ec2_allow_egress_dns_udp	resource
aws_security_group_rule.ec2_allow_egress_http	resource
aws_security_group_rule.ec2_allow_egress_https	resource
aws_security_group_rule.ec2_allow_egress_rds	resource
aws_security_group_rule.ec2_allow_egress_redis	resource
aws_security_group_rule.ec2_allow_egress_vault	resource
aws_security_group_rule.ec2_allow_ingress_ssh	resource
aws_security_group_rule.ec2_allow_ingress_tfe_https_from_lb	resource
aws_security_group_rule.ec2_allow_ingress_vault	resource
aws_security_group_rule.lb_allow_egress_all	resource
aws_security_group_rule.lb_allow_ingress_tfe_https_from_cidr	resource
aws_security_group_rule.lb_allow_ingress_tfe_https_from_ec2	resource
aws_security_group_rule.rds_allow_ingress_from_ec2	resource
aws_security_group_rule.redis_allow_ingress_from_ec2	resource
aws_ami.al2023	data source
aws_ami.rhel	data source
aws_ami.selected	data source
aws_ami.ubuntu	data source
aws_availability_zones.available	data source
aws_caller_identity.current	data source
aws_cloudwatch_log_group.log_fwd	data source
aws_ecr_repository.tfe_run_pipeline_image	data source
aws_iam_policy_document.s3_crr	data source
aws_iam_policy_document.s3_crr_assume_role	data source
aws_iam_policy_document.tfe_ec2_allow_cloudwatch	data source
aws_iam_policy_document.tfe_ec2_allow_cost_estimation	data source
aws_iam_policy_document.tfe_ec2_allow_ebs_kms_cmk	data source
aws_iam_policy_document.tfe_ec2_allow_get_redis_password_secret	data source
aws_iam_policy_document.tfe_ec2_allow_rds_kms_cmk	data source
aws_iam_policy_document.tfe_ec2_allow_redis_kms_cmk	data source
aws_iam_policy_document.tfe_ec2_allow_s3	data source
aws_iam_policy_document.tfe_ec2_allow_s3_kms_cmk	data source
aws_iam_policy_document.tfe_ec2_allow_s3_log_fwd	data source
aws_iam_policy_document.tfe_ec2_assume_role	data source
aws_iam_policy_document.tfe_ec2_combined	data source
aws_iam_policy_document.tfe_ec2_ecr_image_pull	data source
aws_iam_policy_document.tfe_ec2_get_enc_password_secret	data source
aws_iam_policy_document.tfe_ec2_get_license_secret	data source
aws_iam_policy_document.tfe_ec2_get_rds_password_secret	data source
aws_iam_policy_document.tfe_ec2_get_tls_ca_bundle_secret	data source
aws_iam_policy_document.tfe_ec2_get_tls_cert_secret	data source
aws_iam_policy_document.tfe_ec2_get_tls_privkey_secret	data source
aws_region.current	data source
aws_route53_zone.tfe	data source
aws_s3_bucket.log_fwd	data source
aws_secretsmanager_secret_version.tfe_database_password	data source
aws_secretsmanager_secret_version.tfe_redis_password	data source

Inputs

Name	Description	Type	Default	Required
ec2_subnet_ids	List of subnet IDs to use for the EC2 instance. Private subnets is the best practice here.	`list(string)`	n/a	yes
friendly_name_prefix	Friendly name prefix used for uniquely naming all AWS resources for this deployment. Most commonly set to either an environment (e.g. 'sandbox', 'prod'), a team name, or a project name.	`string`	n/a	yes
lb_subnet_ids	List of subnet IDs to use for the load balancer. If `lb_is_internal` is `false`, then these should be public subnets. Otherwise, these should be private subnets.	`list(string)`	n/a	yes
rds_subnet_ids	List of subnet IDs to use for RDS database subnet group. Private subnets is the best practice here.	`list(string)`	n/a	yes
tfe_database_password_secret_arn	ARN of AWS Secrets Manager secret for the TFE database password used to create RDS Aurora (PostgreSQL) database cluster. Secret type should be plaintext. Value of secret must be from 8 to 128 alphanumeric characters or symbols (excluding `@`, `"`, and `/`).	`string`	n/a	yes
tfe_encryption_password_secret_arn	ARN of AWS Secrets Manager secret for TFE encryption password. Secret type should be plaintext.	`string`	n/a	yes
tfe_fqdn	Fully qualified domain name (FQDN) of TFE instance. This name should resolve to the DNS name or IP address of the TFE load balancer and will be what clients use to access TFE.	`string`	n/a	yes
tfe_license_secret_arn	ARN of AWS Secrets Manager secret for TFE license file. Secret type should be plaintext.	`string`	n/a	yes
tfe_tls_ca_bundle_secret_arn	ARN of AWS Secrets Manager secret for private/custom TLS Certificate Authority (CA) bundle in PEM format. Secret must be stored as a base64-encoded string. Secret type should be plaintext.	`string`	n/a	yes
tfe_tls_cert_secret_arn	ARN of AWS Secrets Manager secret for TFE TLS certificate in PEM format. Secret must be stored as a base64-encoded string. Secret type should be plaintext.	`string`	n/a	yes
tfe_tls_privkey_secret_arn	ARN of AWS Secrets Manager secret for TFE TLS private key in PEM format. Secret must be stored as a base64-encoded string. Secret type should be plaintext.	`string`	n/a	yes
vpc_id	ID of VPC where TFE will be deployed.	`string`	n/a	yes
asg_health_check_grace_period	The amount of time to wait for a new TFE EC2 instance to become healthy. If this threshold is breached, the ASG will terminate the instance and launch a new one.	`number`	`900`	no
asg_instance_count	Desired number of TFE EC2 instances to run in autoscaling group. Must be `1` when `tfe_operational_mode` is `external`.	`number`	`1`	no
asg_max_size	Max number of TFE EC2 instances to run in autoscaling group. Only valid when `tfe_operational_mode` is `active-active`. Value is hard-coded to `1` when `tfe_operational_mode` is `external`.	`number`	`3`	no
cidr_allow_egress_ec2_dns	List of destination CIDR ranges to allow TCP/53 and UDP/53 (DNS) outbound from TFE EC2 instances. Only set if you want to use custom DNS servers instead of the AWS-provided DNS resolver within your VPC.	`list(string)`	`[]`	no
cidr_allow_egress_ec2_http	List of destination CIDR ranges to allow TCP/80 outbound from TFE EC2 instances.	`list(string)`	[ "0.0.0.0/0"]	no
cidr_allow_egress_ec2_https	List of destination CIDR ranges to allow TCP/443 outbound from TFE EC2 instances. Include the CIDR range of your VCS provider if you are configuring VCS integration with TFE.	`list(string)`	[ "0.0.0.0/0"]	no
cidr_allow_ingress_ec2_ssh	List of CIDR ranges to allow SSH ingress to TFE EC2 instance (i.e. bastion IP, client/workstation IP, etc.).	`list(string)`	`[]`	no
cidr_allow_ingress_tfe_443	List of CIDR ranges to allow ingress traffic on port 443 to TFE server or load balancer.	`list(string)`	[ "0.0.0.0/0"]	no
cidr_allow_ingress_tfe_metrics_http	List of CIDR ranges to allow TCP/9090 (HTTP) inbound to metrics endpoint on TFE EC2 instances.	`list(string)`	`[]`	no
cidr_allow_ingress_tfe_metrics_https	List of CIDR ranges to allow TCP/9091 (HTTPS) inbound to metrics endpoint on TFE EC2 instances.	`list(string)`	`[]`	no
cloudwatch_log_group_name	Name of CloudWatch Log Group to configure as log forwarding destination. Only valid when `tfe_log_forwarding_enabled` is `true`.	`string`	`null`	no
common_tags	Map of common tags for all taggable AWS resources.	`map(string)`	`{}`	no
container_runtime	Container runtime to use for TFE. Supported values are `docker` or `podman`.	`string`	`"docker"`	no
create_route53_tfe_dns_record	Boolean to create Route53 Alias Record for `tfe_hostname` resolving to Load Balancer DNS name. If `true`, `route53_tfe_hosted_zone_name` is also required.	`bool`	`false`	no
custom_fluent_bit_config	Custom Fluent Bit configuration for log forwarding. Only valid when `tfe_log_forwarding_enabled` is `true` and `log_fwd_destination_type` is `custom`.	`string`	`null`	no
docker_version	Version of Docker to install on TFE EC2 instances. Not applicable to Amazon Linux 2023 distribution (when `ec2_os_distro` is `al2023`).	`string`	`"24.0.9"`	no
ebs_iops	Amount of IOPS to configure when EBS volume type is `gp3`. Must be greater than or equal to `3000` and less than or equal to `16000`.	`number`	`3000`	no
ebs_is_encrypted	Boolean to encrypt the EBS root block device of the TFE EC2 instance(s). An AWS managed key will be used when `true` unless a value is also specified for `ebs_kms_key_arn`.	`bool`	`true`	no
ebs_kms_key_arn	ARN of KMS customer managed key (CMK) to encrypt TFE EC2 EBS volumes.	`string`	`null`	no
ebs_throughput	Throughput (MB/s) to configure when EBS volume type is `gp3`. Must be greater than or equal to `125` and less than or equal to `1000`.	`number`	`250`	no
ebs_volume_size	Size (GB) of the root EBS volume for TFE EC2 instances. Must be greater than or equal to `50` and less than or equal to `16000`.	`number`	`50`	no
ebs_volume_type	EBS volume type for TFE EC2 instances.	`string`	`"gp3"`	no
ec2_allow_all_egress	Boolean to allow all egress traffic from TFE EC2 instances.	`bool`	`false`	no
ec2_allow_ssm	Boolean to attach the `AmazonSSMManagedInstanceCore` policy to the TFE instance role, allowing the SSM agent (if present) to function.	`bool`	`false`	no
ec2_ami_id	Custom AMI ID for TFE EC2 launch template. If specified, value of `ec2_os_distro` must coincide with this custom AMI OS distro.	`string`	`null`	no
ec2_instance_size	EC2 instance type for TFE EC2 launch template.	`string`	`"m7i.xlarge"`	no
ec2_os_distro	Linux OS distribution type for TFE EC2 instance. Choose from `al2023`, `ubuntu`, `rhel`, `centos`.	`string`	`"ubuntu"`	no
ec2_ssh_key_pair	Name of existing SSH key pair to attach to TFE EC2 instance.	`string`	`null`	no
is_secondary_region	Boolean indicating whether this TFE deployment is in the primary or secondary (replica) region.	`bool`	`false`	no
lb_is_internal	Boolean to create an internal (private) load balancer. The `lb_subnet_ids` must be private subnets when this is `true`.	`bool`	`true`	no
lb_type	Indicates which type of AWS load balancer is created: Application Load Balancer (`alb`) or Network Load Balancer (`nlb`).	`string`	`"nlb"`	no
log_fwd_destination_type	Type of log forwarding destination for Fluent Bit. Supported values are `s3`, `cloudwatch`, or `custom`.	`string`	`"cloudwatch"`	no
rds_apply_immediately	Boolean to apply changes immediately to RDS cluster instance.	`bool`	`true`	no
rds_aurora_engine_mode	RDS Aurora database engine mode.	`string`	`"provisioned"`	no
rds_aurora_engine_version	Engine version of RDS Aurora PostgreSQL.	`number`	`16.2`	no
rds_aurora_instance_class	Instance class of Aurora PostgreSQL database.	`string`	`"db.r6i.xlarge"`	no
rds_aurora_replica_count	Number of replica (reader) cluster instances to create within the RDS Aurora database cluster (within the same region).	`number`	`1`	no
rds_availability_zones	List of AWS availability zones to spread Aurora database cluster instances across. Leave as `null` and RDS will automatically assign 3 availability zones.	`list(string)`	`null`	no
rds_backup_retention_period	The number of days to retain backups for. Must be between 0 and 35. Must be greater than 0 if the database cluster is used as a source of a read replica cluster.	`number`	`35`	no
rds_deletion_protection	Boolean to enable deletion protection for RDS global cluster.	`bool`	`false`	no
rds_force_destroy	Boolean to enable the removal of RDS database cluster members from RDS global cluster on destroy.	`bool`	`false`	no
rds_global_cluster_id	ID of RDS global cluster. Only required only when `is_secondary_region` is `true`, otherwise leave as `null`.	`string`	`null`	no
rds_kms_key_arn	ARN of KMS customer managed key (CMK) to encrypt TFE RDS cluster.	`string`	`null`	no
rds_parameter_group_family	Family of Aurora PostgreSQL DB Parameter Group.	`string`	`"aurora-postgresql16"`	no
rds_performance_insights_enabled	Boolean to enable performance insights for RDS cluster instance(s).	`bool`	`true`	no
rds_performance_insights_retention_period	Number of days to retain RDS performance insights data. Must be between 7 and 731.	`number`	`7`	no
rds_preferred_backup_window	Daily time range (UTC) for RDS backup to occur. Must not overlap with `rds_preferred_maintenance_window`.	`string`	`"04:00-04:30"`	no
rds_preferred_maintenance_window	Window (UTC) to perform RDS database maintenance. Must not overlap with `rds_preferred_backup_window`.	`string`	`"Sun:08:00-Sun:09:00"`	no
rds_replication_source_identifier	ARN of source RDS cluster or cluster instance if this database cluster is to be created as a read replica. Only required when `is_secondary_region` is `true`, otherwise leave as `null`.	`string`	`null`	no
rds_skip_final_snapshot	Boolean to enable RDS to take a final database snapshot before destroying.	`bool`	`false`	no
rds_source_region	Source region for RDS cross-region replication. Only required when `is_secondary_region` is `true`, otherwise leave as `null`.	`string`	`null`	no
rds_storage_encrypted	Boolean to encrypt RDS storage. An AWS managed key will be used when `true` unless a value is also specified for `rds_kms_key_arn`.	`bool`	`true`	no
redis_apply_immediately	Boolean to apply changes immediately to Redis cluster.	`bool`	`true`	no
redis_at_rest_encryption_enabled	Boolean to enable encryption at rest on Redis cluster. An AWS managed key will be used when `true` unless a value is also specified for `redis_kms_key_arn`.	`bool`	`true`	no
redis_auto_minor_version_upgrade	Boolean to enable automatic minor version upgrades for Redis cluster.	`bool`	`true`	no
redis_automatic_failover_enabled	Boolean for deploying Redis nodes in multiple availability zones and enabling automatic failover.	`bool`	`true`	no
redis_engine_version	Redis version number.	`string`	`"7.1"`	no
redis_kms_key_arn	ARN of KMS customer managed key (CMK) to encrypt Redis cluster with.	`string`	`null`	no
redis_multi_az_enabled	Boolean to create Redis nodes across multiple availability zones. If `true`, `redis_automatic_failover_enabled` must also be `true`, and more than one subnet must be specified within `redis_subnet_ids`.	`bool`	`true`	no
redis_node_type	Type (size) of Redis node from a compute, memory, and network throughput standpoint.	`string`	`"cache.m5.large"`	no
redis_parameter_group_name	Name of parameter group to associate with Redis cluster.	`string`	`"default.redis7"`	no
redis_port	Port number the Redis nodes will accept connections on.	`number`	`6379`	no
redis_subnet_ids	List of subnet IDs to use for Redis cluster subnet group. Private subnets is the best practice here.	`list(string)`	`[]`	no
redis_transit_encryption_enabled	Boolean to enable TLS encryption between TFE and the Redis cluster.	`bool`	`true`	no
route53_tfe_hosted_zone_is_private	Boolean indicating if `route53_tfe_hosted_zone_name` is a private hosted zone.	`bool`	`false`	no
route53_tfe_hosted_zone_name	Route53 Hosted Zone name to create `tfe_hostname` Alias record in. Required if `create_route53_tfe_dns_record` is `true`.	`string`	`null`	no
s3_destination_bucket_arn	ARN of destination S3 bucket for cross-region replication configuration. Bucket should already exist in secondary region. Required when `s3_enable_bucket_replication` is `true`.	`string`	`""`	no
s3_destination_bucket_kms_key_arn	ARN of KMS key of destination S3 bucket for cross-region replication configuration if it is encrypted with a customer managed key (CMK).	`string`	`null`	no
s3_enable_bucket_replication	Boolean to enable cross-region replication for TFE S3 bucket. Do not enable when `is_secondary_region` is `true`. An `s3_destination_bucket_arn` is also required when `true`.	`bool`	`false`	no
s3_kms_key_arn	ARN of KMS customer managed key (CMK) to encrypt TFE S3 bucket with.	`string`	`null`	no
s3_log_fwd_bucket_name	Name of S3 bucket to configure as log forwarding destination. Only valid when `tfe_log_forwarding_enabled` is `true`.	`string`	`null`	no
tfe_alb_tls_certificate_arn	ARN of existing TFE TLS certificate imported in ACM to be used for application load balancer (ALB) HTTPS listeners. Required when `lb_type` is `alb`.	`string`	`null`	no
tfe_capacity_concurrency	Maximum number of concurrent Terraform runs to allow on a TFE node.	`number`	`10`	no
tfe_capacity_cpu	Maximum number of CPU cores that a Terraform run is allowed to consume in TFE. Set to `0` for no limit.	`number`	`0`	no
tfe_capacity_memory	Maximum amount of memory (in MiB) that a Terraform run is allowed to consume in TFE.	`number`	`2048`	no
tfe_cost_estimation_iam_enabled	Boolean to add AWS pricing actions to TFE IAM instance profile for cost estimation feature.	`string`	`true`	no
tfe_database_name	Name of TFE database to create within RDS global cluster.	`string`	`"tfe"`	no
tfe_database_parameters	PostgreSQL server parameters for the connection URI. Used to configure the PostgreSQL connection.	`string`	`"sslmode=require"`	no
tfe_database_user	Username for TFE RDS database cluster.	`string`	`"tfe"`	no
tfe_hairpin_addressing	Boolean to enable hairpin addressing for layer 4 load balancer with loopback prevention. Must be `true` when `lb_type` is `nlb` and `lb_is_internal` is `true`.	`bool`	`true`	no
tfe_image_name	Name of the TFE container image. Only set this if you are hosting the TFE container image in your own custom repository.	`string`	`"hashicorp/terraform-enterprise"`	no
tfe_image_repository_password	Password for container registry where TFE container image is hosted. Leave as `null` if using the default TFE registry as the default password is the TFE license.	`string`	`null`	no
tfe_image_repository_url	Repository for the TFE image. Only change this if you are hosting the TFE container image in your own custom repository.	`string`	`"images.releases.hashicorp.com"`	no
tfe_image_repository_username	Username for container registry where TFE container image is hosted.	`string`	`"terraform"`	no
tfe_image_tag	Tag for the TFE image. This represents the version of TFE to deploy.	`string`	`"v202407-1"`	no
tfe_license_reporting_opt_out	Boolean to opt out of TFE license reporting.	`bool`	`false`	no
tfe_log_forwarding_enabled	Boolean to enable TFE log forwarding feature.	`bool`	`false`	no
tfe_metrics_enable	Boolean to enable TFE metrics endpoints.	`bool`	`false`	no
tfe_metrics_http_port	HTTP port for TFE metrics scrape.	`number`	`9090`	no
tfe_metrics_https_port	HTTPS port for TFE metrics scrape.	`number`	`9091`	no
tfe_object_storage_s3_access_key_id	Access key ID for S3 bucket. Required when `tfe_object_storage_s3_use_instance_profile` is `false`.	`string`	`null`	no
tfe_object_storage_s3_secret_access_key	Secret access key for S3 bucket. Required when `tfe_object_storage_s3_use_instance_profile` is `false`.	`string`	`null`	no
tfe_object_storage_s3_use_instance_profile	Boolean to use TFE instance profile for S3 bucket access. If `false`, `tfe_object_storage_s3_access_key_id` and `tfe_object_storage_s3_secret_access_key` are required.	`bool`	`true`	no
tfe_operational_mode	Operational mode for TFE. Valid values are `active-active` or `external`.	`string`	`"active-active"`	no
tfe_redis_password_secret_arn	ARN of AWS Secrets Manager secret for the TFE Redis password used to create Redis (Elasticache Replication Group) cluster. Secret type should be plaintext. Value of secret must be from 16 to 128 alphanumeric characters or symbols (excluding `@`, `"`, and `/`).	`string`	`null`	no
tfe_run_pipeline_docker_network	Docker network where the containers that execute Terraform runs will be created. The network must already exist, it will not be created automatically. Leave as `null` to use the default network created by TFE.	`string`	`null`	no
tfe_run_pipeline_image	Name of the Docker image to use for the run pipeline driver.	`string`	`null`	no
tfe_run_pipeline_image_ecr_repo_name	Name of the AWS ECR repository containing your custom TFE run pipeline image.	`string`	`null`	no
tfe_tls_enforce	Boolean to enforce TLS.	`bool`	`false`	no
tfe_vault_disable_mlock	Boolean to disable mlock for internal Vault.	`bool`	`false`	no

Outputs

Name	Description
elasticache_replication_group_arn	ARN of ElastiCache Replication Group (Redis) cluster.
elasticache_replication_group_id	ID of ElastiCache Replication Group (Redis) cluster.
elasticache_replication_group_primary_endpoint_address	Primary endpoint address of ElastiCache Replication Group (Redis) cluster.
lb_dns_name	DNS name of the Load Balancer.
rds_aurora_cluster_arn	ARN of RDS Aurora database cluster.
rds_aurora_cluster_endpoint	RDS Aurora database cluster endpoint.
rds_aurora_cluster_members	List of instances that are part of this RDS Aurora database cluster.
rds_aurora_global_cluster_id	RDS Aurora global database cluster identifier.
s3_bucket_arn	ARN of TFE S3 bucket.
s3_bucket_name	Name of TFE S3 bucket.
s3_crr_iam_role_arn	ARN of S3 cross-region replication IAM role.
tfe_database_host	PostgreSQL server endpoint in the format that TFE will connect to.
tfe_url	URL to access TFE application based on value of `tfe_fqdn` input.