Introduction
Before enabling Single Sign-On (SSO) in a TFE instance, a non-SSO recovery account should be created. This account is used to access the TFE instance if SSO is not behaving as expected, such as while testing team management.
Use Case
These Rails commands should be used if a TFE instance is in a state where it cannot be accessed through the GUI due to a lack of non-SSO recovery admin accounts.
Procedure
Access the Rails console by SSHing into the TFE instance and running the following command:
sudo docker exec -ti ptfe_atlas /usr/bin/init.sh /app/scripts/wait-for-token -- bash -ic 'cd /app && bin/rails c'
For Terraform Enterprise v202205-1 or later, use the following command instead:
sudo docker exec -ti tfe-atlas /usr/bin/init.sh /app/scripts/wait-for-token -- bash -ic 'cd /app && bin/rails c'
Create a user via the Rails console, assigning it to the u variable:
u = User.create!(email: "example@email.com", username: "example", password: "example", is_admin: true)
Confirm the user, otherwise Terraform Enterprise will request email confirmation:
u.confirm
u.save
Add the user to the owners team of an organization via the Rails console:
Organization.find_by_name("your-org").add_owner!(u)
Once the user is an admin and an owner of the org, it can be used to log into the TFE instance without SSO. Then, SSO can be disabled to allow for general access to the system.
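For the console-access step above, an added example (not part of the original article or of Terraform Enterprise's own tooling): a shell helper that picks whichever of the two container names from the procedure, ptfe_atlas or tfe-atlas, is actually running, so the operator does not need to know the release first. The function names pick_atlas_container and open_rails_console are hypothetical.

```shell
#!/bin/sh
# Added example: choose the Rails console container by what is running.
# The two names below are the ones given in the procedure above.

# pick_atlas_container: reads container names (one per line) on stdin and
# prints the single name that matches. Returns 1 if none or more than one
# match, so the caller never execs into the wrong container.
pick_atlas_container() {
    found=""
    count=0
    while IFS= read -r name || [ -n "$name" ]; do
        case "$name" in
            ptfe_atlas|tfe-atlas)
                found="$name"
                count=$((count + 1))
                ;;
        esac
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one atlas container, found $count" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# open_rails_console: lists running containers, selects the atlas one and
# opens the Rails console with the same command line as the procedure.
open_rails_console() {
    container=$(sudo docker ps --format '{{.Names}}' | pick_atlas_container) || return 1
    sudo docker exec -ti "$container" /usr/bin/init.sh \
        /app/scripts/wait-for-token -- bash -ic 'cd /app && bin/rails c'
}

# Usage on the TFE host, after sourcing this file:
#   open_rails_console
```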