Personnel and access
This section describes the roles required of the participants, and the authority and access they need in the working environment.
Personnel
Focusing on the deployment activity alone, we recommend enlisting a project leader and a Cloud Administration Team. The project leader coordinates activities, secures resources and assigns duties to the Cloud Administration Team.
Members of the Cloud Administration Team carry out functional tasks to install Terraform Enterprise. For cloud administrators, we make assumptions about general knowledge of the following:
- Cloud architecture and administration
- Administration-level experience with Linux
- Practical knowledge of Docker
- Practical knowledge of Terraform
In addition, we strongly recommend requesting assistance from a security operations team. The emphasis is on integrating formal security controls required for services hosted in your preferred cloud environment.
It is also essential to specify a role for the production services team who will take over the deployment when the project goes live.
Access
Infrastructure access: Significant access to various infrastructure elements will be required, depending on your type of installation.
- The installation team requires direct access (including admin) to various resources to install and configure Terraform Enterprise, including:
  - Compute/storage instances
  - Network objects such as firewalls, load balancers etc.
  - Certificates: a TLS certificate is required either on the load balancer or on the Terraform Enterprise compute node(s); see Certificate authority below.
  - Identity such as AWS IAM, GCP Cloud Identity, Azure AD (AAD) etc.
  - Secrets management e.g. AWS Secrets Manager, GCP Secret Manager, Azure Key Vault or vSphere Native Key Provider
  - Data encryption services e.g. AWS KMS
License File: To deploy Terraform Enterprise you must obtain a license from HashiCorp.
Certificate authority:
- Terraform Enterprise requires a TLS certificate and private key on each node in order to operate securely. This certificate must match the Terraform Enterprise hostname, either by being issued for the FQDN or by being a wildcard certificate that covers it.
- The certificate can be signed by a public or private CA, but it must be trusted by all of the services that Terraform Enterprise is expected to interface with; this includes your VCS provider, any CI systems or other tools that call the Terraform Enterprise API, and any services that Terraform Enterprise workspaces might send notifications to (for example: Slack).
- The key and X.509 TLS certificate must be PEM encoded, and should be provided to the installer as text. Terraform Enterprise validates the certificate to ensure that the hostname appears as a DNS Subject Alternative Name (SAN) entry and not only in the Common Name (CN); a CN-only certificate is rejected.
- It is possible to terminate TLS on the application load balancer, but in this case the connection from the load balancer to the compute nodes also requires certificate(s), which we recommend be issued by the same CA rather than self-signed. As such, certificates are still required on each Terraform Enterprise instance.
DNS: Ensure that a DNS record exists for Terraform Enterprise and that the certificates mentioned above have been configured with the correct DNS name.
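The certificate and DNS requirements above can be checked before the certificate is handed to the installer. The following script is an added example and is not part of the Terraform Enterprise documentation or installer: it uses the `openssl` CLI (1.0.2 or newer, for `-checkhost`) to confirm that a certificate/key pair is PEM encoded, that the key belongs to the certificate, that a SAN extension is present, and that the SAN (exact FQDN or wildcard) covers the Terraform Enterprise hostname. The hostname `tfe.example.com`, the file names and the self-signed test certificates produced by `make_test_certs` are constructed for the example.

```shell
#!/usr/bin/env sh
# Added example, not part of the Terraform Enterprise docs or installer.
# Pre-flight check of a TLS certificate/key pair against the requirements
# listed above. Requires the openssl CLI (1.0.2+ for -checkhost).
#
# Usage: tfe_cert_check CERT.pem KEY.pem HOSTNAME
# Prints one line per check and returns 0 only when every check passes.
tfe_cert_check() {
  cert="$1"; key="$2"; host="$3"; ok=0

  # 1. Both files must be PEM encoded (the installer takes them as text).
  if ! openssl x509 -in "$cert" -inform PEM -noout 2>/dev/null; then
    echo "FAIL: $cert is not a PEM-encoded X.509 certificate"; return 1
  fi
  if ! openssl pkey -in "$key" -noout 2>/dev/null; then
    echo "FAIL: $key is not a PEM-encoded private key"; return 1
  fi

  # 2. The key must belong to this certificate: compare the public keys.
  if [ "$(openssl x509 -in "$cert" -pubkey -noout)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: private key does not match certificate"; ok=1
  else
    echo "ok:   private key matches certificate"
  fi

  # 3. A subjectAltName extension must exist; CN-only certificates are rejected.
  san=$(openssl x509 -in "$cert" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' ')
  if [ -z "$san" ]; then
    echo "FAIL: certificate has no subjectAltName extension (CN-only)"; ok=1
  else
    echo "ok:   SAN = $san"
  fi

  # 4. The hostname must be covered (exact FQDN or a wildcard for its domain).
  if openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
    echo "ok:   $host is covered by the certificate"
  else
    echo "FAIL: $host is not covered by the certificate"; ok=1
  fi

  # 5. Warn when the certificate expires within 30 days (2592000 seconds).
  if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
    echo "WARN: certificate expires within 30 days"
  fi
  return $ok
}

# Constructed test fixtures (self-signed, valid 1 day) written into DIR:
# san.pem  - SAN for the FQDN tfe.example.com (meets the requirements)
# wild.pem - wildcard SAN *.example.com (also acceptable)
# cn.pem   - CN-only, no SAN (must be rejected)
make_test_certs() {
  dir="$1"
  cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = tfe.example.com
[ext]
subjectAltName = DNS:tfe.example.com
EOF
  sed 's/tfe\.example\.com/*.example.com/' "$dir/san.cnf" > "$dir/wild.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/san.cnf" \
    -keyout "$dir/san-key.pem" -out "$dir/san.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/wild.cnf" \
    -keyout "$dir/wild-key.pem" -out "$dir/wild.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=tfe.example.com" \
    -keyout "$dir/cn-key.pem" -out "$dir/cn.pem" 2>/dev/null
}
```

Run `tfe_cert_check tfe.pem tfe-key.pem tfe.example.com` against the real files before starting the installer; when TLS is terminated on the load balancer, run the same check against the certificate on each compute node as well, since the hostname the load balancer connects to must also be covered.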