Introduction
The default Terraform Cloud agent image (hashicorp/tfc-agent) ships only the public CA bundle. When the agent connects to a Terraform Enterprise instance or any other internal endpoint whose certificate chains to a private CA, TLS verification fails with errors such as "x509: certificate signed by unknown authority".
To fix this, build a customized version of the agent Docker image that adds the private CA certificate to the system trust store and still launches the agent binary as the unprivileged tfc-agent user.
Procedure
- Create a directory to make the image.
$ mkdir test
- Change directories to the new directory.
$ cd test
- Create an empty file named Dockerfile.
$ touch Dockerfile
- Using a text or code editor, add the following contents to the Dockerfile. Replace your_ca_root.crt with the path to your CA certificate (PEM-encoded; update-ca-certificates only imports files with a .crt extension, so convert DER exports first) and foo.crt with the name the certificate should have inside the image.
$ vi Dockerfile
FROM hashicorp/tfc-agent:latest
# Switch to root to install software and add certificates.
USER root
# Install sudo. The container runs as a non-root user, but people may rely on
# the ability to apt-get install things.
RUN apt-get -y install sudo
###############################
### Add custom certificates ###
###############################
# COPY rather than ADD: ADD also fetches URLs and unpacks archives, neither of
# which is wanted for a trust anchor.
COPY your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates
# Permit tfc-agent to use sudo apt-get commands. sudoers drop-ins must be owned
# by root and not writable by anyone else; 0440 is the mode sudo expects.
RUN echo 'tfc-agent ALL=NOPASSWD: /usr/bin/apt-get , /usr/bin/apt' >> /etc/sudoers.d/50-tfc-agent && chmod 0440 /etc/sudoers.d/50-tfc-agent
# Switch back to the unprivileged user the agent runs as.
USER tfc-agent
- Run docker build to build the image. The sample output below was captured from a build of the Dockerfile without the two certificate instructions, which is why it shows 5 steps rather than 7; a build of the Dockerfile above also shows the COPY and update-ca-certificates steps.
$ docker build -t custom-tfc-agent .
root@ip-10-0-103-122:~/test# docker build -t custom-tfc-agent .
Sending build context to Docker daemon 2.048kB
Step 1/5 : FROM hashicorp/tfc-agent:latest
latest: Pulling from hashicorp/tfc-agent
846c0b181fff: Pull complete
297427bf89cf: Pull complete
7df33b67c35a: Pull complete
4f4fb700ef54: Pull complete
a7a0555abf7d: Pull complete
32c21efaa1b7: Pull complete
6c8e201eed42: Pull complete
f969f3e94b98: Pull complete
22e19abdef46: Pull complete
6f15ceb1af9b: Pull complete
8cdaafe54617: Pull complete
fadd0604722a: Pull complete
a1640cbfc6d2: Pull complete
d4a51b574718: Pull complete
Digest: sha256:dc90884b7b81ee6fc8745836a64fc943517d39afa60033576fc0f6b491e5e385
Status: Downloaded newer image for hashicorp/tfc-agent:latest
---> 4e1cb2c281bf
Step 2/5 : USER root
---> Running in e3ca430ff305
Removing intermediate container e3ca430ff305
---> d8e1685fa936
Step 3/5 : RUN apt-get -y install sudo
---> Running in 4c9b06a74f6a
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
sudo
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 514 kB of archives.
After this operation, 2257 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 sudo amd64 1.8.31-1ubuntu1.2 [514 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 514 kB in 1s (891 kB/s)
Selecting previously unselected package sudo.
(Reading database ... 10579 files and directories currently installed.)
Preparing to unpack .../sudo_1.8.31-1ubuntu1.2_amd64.deb ...
Unpacking sudo (1.8.31-1ubuntu1.2) ...
Setting up sudo (1.8.31-1ubuntu1.2) ...
Removing intermediate container 4c9b06a74f6a
---> a89b97a46b1d
Step 4/5 : RUN echo 'tfc-agent ALL=NOPASSWD: /usr/bin/apt-get , /usr/bin/apt' >> /etc/sudoers.d/50-tfc-agent
---> Running in 63d3216d0aec
Removing intermediate container 63d3216d0aec
---> 541ca8772f75
Step 5/5 : USER tfc-agent
---> Running in 4dde18ae94f0
Removing intermediate container 4dde18ae94f0
---> d397992c1e39
Successfully built d397992c1e39
Successfully tagged custom-tfc-agent:latest
- Verify Docker has registered the image.
$ docker image ls
root@ip-0.0.0.0:~/test# docker image ls
REPOSITORY         TAG       IMAGE ID       CREATED         SIZE
custom-tfc-agent   latest    58dd7d0547ec   9 seconds ago   385MB
- Start the container with docker run, specifying the image name along with the TFC_AGENT_TOKEN, TFC_AGENT_NAME, and TFC_ADDRESS environment variables. TFC_ADDRESS is the full URL of your Terraform Enterprise instance, including the https:// scheme, not just the hostname. Passing the agent token with -e puts it in your shell history and in the arguments of the docker run process; --env-file pointing at a file readable only by the invoking user avoids that, although anyone with access to the Docker socket can still read a running container's environment.
$ docker run -e TFC_AGENT_TOKEN=your-token -e TFC_AGENT_NAME=your-agent-name -e TFC_ADDRESS=https://your-TFE-hostname custom-tfc-agent
- Configure a workspace to use the agent pool that the agent registered with, following these instructions: https://developer.hashicorp.com/terraform/cloud-docs/agents/agent-pools
- Once the workspace has been configured, queue a terraform plan and apply. Runs that previously failed with "x509: certificate signed by unknown authority" should now complete.
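The procedure above as one script, added here as an example; it is not code from the HashiCorp article or the tfc-agent project. It checks the CA file before it is baked into an image (PEM, .crt extension, no private key), writes the Dockerfile, confirms from the host that the CA really anchors the TFE endpoint's chain, and after the build checks that the image's trust store contains it. The file name internal-ca.crt, the image tag custom-tfc-agent and the host tfe.example.com are placeholders, and the two verification functions assume openssl and docker on the host plus network access.

```shell
#!/bin/sh
# Added example, not code from the HashiCorp article or the tfc-agent project.
# Checks a CA file before it is baked into a custom tfc-agent image, writes the
# Dockerfile, and verifies the trust store in the built image. File names, the
# image tag and the TFE hostname used below are placeholders (assumptions).
set -eu

# Number of PEM certificate blocks in a file; 0 if none. update-ca-certificates
# only imports PEM files with a .crt extension, so DER exports must be converted.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Gate for the file that goes into the image: it must exist, end in .crt, hold at
# least one PEM certificate and no private key. A key baked into an image layer
# is readable by anyone who can pull the image, so it is rejected outright.
check_ca_bundle() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    case "$f" in
        *.crt) ;;
        *) echo "rejected: $f must have a .crt extension" >&2; return 1 ;;
    esac
    if grep -q -- 'PRIVATE KEY-----' "$f"; then
        echo "rejected: $f contains a private key" >&2; return 1
    fi
    [ "$(pem_cert_count "$f")" -ge 1 ] || { echo "rejected: $f has no PEM certificate" >&2; return 1; }
}

# Write the Dockerfile: COPY instead of ADD (ADD also fetches URLs and unpacks
# archives), package lists refreshed then removed, sudoers drop-in set to 0440.
write_dockerfile() {
    ca_file="$1"; dest_name="$2"; out="$3"
    cat > "$out" <<EOF
FROM hashicorp/tfc-agent:latest
USER root
RUN apt-get update && apt-get install -y --no-install-recommends sudo && rm -rf /var/lib/apt/lists/*
COPY $ca_file /usr/local/share/ca-certificates/$dest_name
RUN chmod 644 /usr/local/share/ca-certificates/$dest_name && update-ca-certificates
RUN echo 'tfc-agent ALL=NOPASSWD: /usr/bin/apt-get , /usr/bin/apt' > /etc/sudoers.d/50-tfc-agent && chmod 0440 /etc/sudoers.d/50-tfc-agent
USER tfc-agent
EOF
}

# Pre-build check from the host: does this CA actually validate the TFE
# endpoint's chain? Needs network access and openssl on the host.
verify_anchor_on_host() {
    ca_file="$1"; host="$2"
    openssl s_client -connect "$host:443" -servername "$host" -CAfile "$ca_file" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Post-build check. The agent is a Go binary, and Go loads system roots from
# /etc/ssl/certs/ca-certificates.crt, which update-ca-certificates regenerates
# alongside a /etc/ssl/certs/<name>.pem symlink. Check both, using the first
# base64 line of the CA body as the probe so a different certificate cannot pass.
verify_image_trust() {
    image="$1"; ca_file="$2"; dest_name="$3"
    probe="$(awk '/-----BEGIN CERTIFICATE-----/{getline; print; exit}' "$ca_file")"
    docker run --rm --entrypoint /bin/sh "$image" -c \
        "test -L /etc/ssl/certs/${dest_name%.crt}.pem && grep -qF '$probe' /etc/ssl/certs/ca-certificates.crt"
}

# Usage: ./build-agent.sh build ./internal-ca.crt tfe.example.com
# Nothing runs when the file is only sourced for its functions.
if [ "${1:-}" = "build" ]; then
    ca="${2:?path to the CA file}"; tfe_host="${3:?TFE hostname}"
    name="$(basename "$ca")"
    check_ca_bundle "$ca"
    verify_anchor_on_host "$ca" "$tfe_host"
    cmp -s "$ca" "./$name" 2>/dev/null || cp "$ca" "./$name"   # COPY needs it in the build context
    write_dockerfile "$name" "$name" Dockerfile
    docker build -t custom-tfc-agent .
    verify_image_trust custom-tfc-agent "$ca" "$name"
    echo "custom-tfc-agent trusts $tfe_host via $name"
fi
```

The host-side openssl check is worth running before the build: if the file you were handed is an intermediate rather than the root, or the wrong root altogether, the agent will still fail with the same x509 error after a successful build, and this catches that in seconds.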