Introduction
When running a Terraform Enterprise Active-Active installation, certain environments require a locked-down (not publicly routable) configuration. Where no inbound connectivity is permitted and the load balancer does not automatically route outbound requests back to internal addresses (hairpinning), the Terraform Enterprise application will encounter issues.
This guide will detail how to enable hairpinning inside the Docker network.
Scenario
Terraform Enterprise build workers attempt to connect to the tfe-atlas container (in Terraform Enterprise v202204-1 and earlier, this container is called ptfe_atlas) when they initialize, and by default use the FQDN of the installation. If the build worker can't reach the Atlas container, the following error will occur.
Error: Failed to request discovery document: Get "https://<TFE_HOSTNAME>/.well-known/terraform.json": context deadline exceeded
on zzz_backend_override.tf.json line 5, in terraform[0].backend[0].remote:
5: "hostname": "<TFE_HOSTNAME>",
Recommendation
If you experience the above error, the following steps may be used to enable hairpinning:
- Use the app-config command to set hairpin_addressing to "1":
$ tfe-admin app-config -k hairpin_addressing -v "1"
Note: When using the automated installation method, the value that must be updated is hairpin_addressing.
- Restart the Terraform Enterprise application on all nodes:
replicatedctl app stop
watch replicatedctl app status
Confirm the application is stopped, then start it again:
replicatedctl app start
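As an added example (not part of this article or of Terraform Enterprise itself), the POSIX shell check below reproduces what the build worker does, a request for the discovery document with a deadline, and reports whether the FQDN resolves to an address that would need hairpinning to be reached from inside the installation. It assumes curl and getent are available where it runs (the TFE host, or a container attached to the TFE Docker network) and that TFE_HOSTNAME is a placeholder for your installation's FQDN.

```shell
#!/bin/sh
# Added example: diagnose the "Failed to request discovery document" error
# by checking DNS resolution and the discovery endpoint the way a build
# worker does. Assumes getent (glibc) and curl are present.

# Print "private" for RFC 1918 and loopback IPv4 addresses, "public" otherwise.
classify_ip() {
  case "$1" in
    10.*|192.168.*|127.*) echo private ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
    *) echo public ;;
  esac
}

# Resolve the FQDN with the same resolver the containers use (getent, not dig).
resolve_fqdn() {
  getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# Fetch the discovery document under a deadline; print the HTTP status code,
# or "unreachable" when curl gives up (timeout, refused, TLS failure).
fetch_discovery() {
  host=$1; deadline=${2:-10}
  code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time "$deadline" \
      "https://$host/.well-known/terraform.json") || { echo unreachable; return 1; }
  echo "$code"
}

# Usage: diagnose <TFE_HOSTNAME> [internal_ip_of_this_node] [deadline_seconds]
diagnose() {
  host=$1; node_ip=${2:-}; deadline=${3:-10}
  ip=$(resolve_fqdn "$host")
  [ -n "$ip" ] || { echo "FAIL: $host does not resolve from this network"; return 1; }
  kind=$(classify_ip "$ip")
  echo "$host resolves to $ip ($kind)"
  result=$(fetch_discovery "$host" "$deadline") || true
  case "$result" in
    200) echo "OK: discovery document reachable within ${deadline}s" ;;
    unreachable)
      echo "FAIL: no answer within ${deadline}s (the build worker error above)"
      if [ "$kind" = public ] || { [ -n "$node_ip" ] && [ "$ip" != "$node_ip" ]; }; then
        echo "  FQDN points away from this node: enable hairpin_addressing or override DNS"
      fi
      return 1 ;;
    *) echo "WARN: HTTP $result from the discovery endpoint"; return 1 ;;
  esac
}
# Example invocation: diagnose TFE_HOSTNAME 10.0.0.5 10
```

Source the file and run diagnose from the TFE host, or from a throwaway container on the TFE Docker network, before and after enabling hairpin_addressing to confirm the change took effect.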
Additional Information
The solution above is the recommended one; however, there are several ways to fix this type of issue. A few basic examples are provided below.
- Using a proxy sandwich that intercepts the outbound request and sends it back to the TFE application.
- Using a tool like dnsmasq to override DNS at the container level, so that requests for the FQDN are sent to the internal address of the application.