When running a Terraform Enterprise Active-Active installation, certain environments require a locked-down (not publicly routable) configuration. In situations where no inbound connectivity is permitted and the load balancer does not automatically route outbound requests back to internal addresses (hairpinning), the Terraform Enterprise application will encounter issues.
This guide will detail how to enable hairpinning inside the Docker network.
Terraform Enterprise build workers attempt to connect to the tfe-atlas container (in Terraform Enterprise v202204-1 and earlier, this container is called ptfe_atlas) when they initialize, and by default they use the FQDN of the installation to do so. If the build worker cannot reach the Atlas container, the following error will occur:
Error: Failed to request discovery document: Get "https://<TFE_HOSTNAME>/.well-known/terraform.json": context deadline exceeded
on zzz_backend_override.tf.json line 5, in terraform.backend.remote:
5: "hostname": "<TFE_HOSTNAME>",
If you experience the above error, the following steps may be used to enable hairpinning:
1. Use the tfe-admin app-config command to set hairpin_addressing to "1":
   $ tfe-admin app-config -k hairpin_addressing -v "1"
   Note: When using the automated installation method, the value that must be updated is hairpin_addressing.
2. Restart the Terraform Enterprise application on all nodes:
   - replicatedctl app stop
   - Watch replicatedctl app status to confirm the application has stopped
   - replicatedctl app start
The above solution is recommended; however, there are several other ways to fix this type of issue. A few basic examples are provided below:
- Use a proxy sandwich that intercepts the outbound request and sends it back to the TFE application.
- Use a tool like dnsmasq to override DNS at the container level so that requests to the FQDN resolve to the internal address of the application.
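As an added pre-check (example script, not code from the HashiCorp article), the following POSIX shell functions classify whether the TFE FQDN resolves to an internal address from the build workers' network, emit the dnsmasq override line for the alternative above, and fetch the discovery document the workers request on startup; the hostname tfe.example.internal and address 10.0.1.20 are placeholders.

```shell
#!/bin/sh
# Added example, not part of the HashiCorp article; hostnames and addresses are placeholders.

# Return 0 when an IPv4 address falls in an RFC 1918 private range.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve a hostname to its first IPv4 address with getent, which is
# available in most glibc-based containers that lack dig or nslookup.
# Prints nothing when the lookup fails.
resolve_ipv4() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Classify what the build workers would see for the TFE FQDN:
#   internal   - resolves to a private address, so traffic stays inside
#   external   - resolves to a public address, so the request leaves the
#                network and depends on the load balancer hairpinning it
#   unresolved - lookup failed, the same symptom as the discovery timeout
classify_hostname() {
  addr=$(resolve_ipv4 "$1")
  if [ -z "$addr" ]; then
    echo unresolved
  elif is_private_ipv4 "$addr"; then
    echo internal
  else
    echo external
  fi
}

# Emit the dnsmasq directive that pins the FQDN to an internal address,
# for the dnsmasq alternative mentioned above.
dnsmasq_override() {
  printf 'address=/%s/%s\n' "$1" "$2"
}

# Fetch the discovery document the build worker requests on startup, with
# a short timeout; prints the HTTP status code (000 = no connection).
# Requires curl.
check_discovery() {
  curl -sS -m 5 -o /dev/null -w '%{http_code}' "https://$1/.well-known/terraform.json"
}
```

Run classify_hostname tfe.example.internal from inside a build worker's network namespace to see whether the FQDN already points inward, and dnsmasq_override tfe.example.internal 10.0.1.20 to produce the line to drop into a dnsmasq configuration.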