Problem
After the initial installation of Terraform Enterprise (TFE) Flexible Deployment Options (FDO) there is a need to generate the first admin user.
To create the initial admin user from the remote machine's browser:
- Retrieve your initial admin creation token (IACT) from https://${TFE_HOSTNAME}/admin/retrieve-iact.
Note: You need to replace ${TFE_HOSTNAME} with your hostname.
Error Message
- When you open the above URL from the remote machine's browser, you will see the following error:
2023-08-09 13:00:26 [WARN] [99f9db57-b728-4ef7-9ca1-9b3425543e0c] [dd.service=atlas dd.trace_id=2819091706892531992 dd.span_id=0] FirstUserAccountController#not_local_client: request.remote_ip = 'XXX.XXX.XXX.XXX'
2023-08-09 13:00:26 [WARN] [99f9db57-b728-4ef7-9ca1-9b3425543e0c] [dd.service=atlas dd.trace_id=2819091706892531992 dd.span_id=0] FirstUserAccountController#not_local_client: allowed = 'false'
2023-08-09 13:00:26 [INFO] [99f9db57-b728-4ef7-9ca1-9b3425543e0c] [dd.service=atlas dd.trace_id=2819091706892531992 dd.span_id=0] {"method":"GET","path":"/admin/retrieve-iact","format":"html","status":401,"duration":1.68,"view":0.39,"db":0.0,"dd":{"trace_id":"2819091706892531992","span_id":"0","env":"","service":"atlas","version":""},"ddsource":["ruby"],"uuid":"99f9db57-b728-4ef7-9ca1-9b3425543e0c","remote_ip":"49.36.138.241","request_id":"99f9db57-b728-4ef7-9ca1-9b3425543e0c","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.2 Safari/605.1.15","user":null,"auth_source":null}
- The remote machine's IP address appears in the above error message as "XXX.XXX.XXX.XXX".
- The request "method":"GET","path":"/admin/retrieve-iact" receives a 401 status response.
Prerequisites
Terraform Enterprise Flexible Deployment Options (FDO)
Cause:
- By default, you cannot access that URL from outside the TFE network because of the security risks.
- This is because the TFE_IACT_SUBNETS parameter is missing from the default docker file.
Solution
- To retrieve the IACT from a remote subnet, you need to add that subnet to the allowed list by using the TFE_IACT_SUBNETS environment variable in the docker compose file. For example:
.......
TFE_TLS_CERT_FILE: /etc/ssl/private/terraform-enterprise/cert.pem
TFE_TLS_KEY_FILE: /etc/ssl/private/terraform-enterprise/key.pem
TFE_TLS_CA_BUNDLE_FILE: /etc/ssl/private/terraform-enterprise/bundle.pem
TFE_IACT_SUBNETS: 49.36.138.241/32
........
More information can be found here.
- Run docker compose -f <file name> up --detach
- Navigate to https://${TFE_HOSTNAME}/admin/account/new?token=${IACT_TOKEN}
- Follow the prompts to create your initial admin user.
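The following is an added example, not part of the original article or HashiCorp's code: it pulls the denied client IPs out of log lines in the format shown under Error Message and checks them against a proposed TFE_IACT_SUBNETS value before you restart the container. It assumes the value is a comma-separated list of CIDR blocks; the function names, the sample log and the min_prefix review threshold are hypothetical.

```python
import ipaddress
import json
import re

# Constructed sample, modelled on the access-log lines shown above (fields trimmed).
SAMPLE_LOG = """\
2023-08-09 13:00:26 [WARN] [99f9db57] FirstUserAccountController#not_local_client: allowed = 'false'
2023-08-09 13:00:26 [INFO] [99f9db57] {"method":"GET","path":"/admin/retrieve-iact","status":401,"remote_ip":"49.36.138.241"}
2023-08-09 13:02:10 [INFO] [1c2d3e4f] {"method":"GET","path":"/admin/retrieve-iact","status":401,"remote_ip":"203.0.113.7"}
2023-08-09 13:03:00 [INFO] [5a6b7c8d] {"method":"GET","path":"/app","status":200,"remote_ip":"203.0.113.7"}
"""

JSON_TAIL = re.compile(r"\{.*\}\s*$")  # the JSON object that ends an access-log line


def denied_iact_clients(log_text):
    """Return the remote_ip of every 401 on /admin/retrieve-iact, in log order."""
    ips = []
    for line in log_text.splitlines():
        match = JSON_TAIL.search(line)
        if not match:
            continue  # WARN lines carry no JSON payload
        try:
            rec = json.loads(match.group(0))
        except json.JSONDecodeError:
            continue
        if rec.get("path") == "/admin/retrieve-iact" and rec.get("status") == 401:
            if rec.get("remote_ip"):
                ips.append(rec["remote_ip"])
    return ips


def review_subnets(value, clients, min_prefix=24):
    """Check a proposed TFE_IACT_SUBNETS value against the denied clients.

    Returns (covered, uncovered, too_broad). Raises ValueError on a malformed
    CIDR. min_prefix is a review threshold for this example, not a TFE setting.
    """
    nets = [ipaddress.ip_network(s.strip()) for s in value.split(",") if s.strip()]
    too_broad = [str(n) for n in nets if n.version == 4 and n.prefixlen < min_prefix]
    covered, uncovered = [], []
    for ip in clients:
        addr = ipaddress.ip_address(ip)
        hit = any(addr.version == n.version and addr in n for n in nets)
        (covered if hit else uncovered).append(ip)
    return covered, uncovered, too_broad
```

An address left in the uncovered list will keep receiving the 401, and an entry in too_broad means the token endpoint would be reachable from far more hosts than the one admin workstation that needs it.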
Reference links:
https://developer.hashicorp.com/terraform/enterprise/flexible-deployments-beta/install/docker
https://developer.hashicorp.com/terraform/enterprise/flexible-deployments-beta/install/initial-admin-user