Password Prompt When Accessing User Setting in Terraform Enterprise

Avatar
Zachary Isom
  • Updated

Problem

When a user attempts to access their user settings page in Terraform Enterprise, they are unexpectedly prompted to enter a password.

Prerequisites

This issue occurs in the following Terraform Enterprise (TFE) versions and configurations:

  • TFE version 202309-1.
  • TFE version 202310-1 with the application setting consolidated_services_enabled set to 0.

Cause

An authentication feature intended for HCP Terraform was erroneously enabled in these specific builds of Terraform Enterprise.

Solutions

The recommended solution is to upgrade your Terraform Enterprise instance. If an immediate upgrade is not possible, administrators can manually reset a user's password as a temporary workaround.

Solution 1: Upgrade Terraform Enterprise

Upgrade your instance to a version where the issue is resolved.

  • If you are using TFE version 202309-1, upgrade to version 202310-1 or later.
  • If you are using TFE version 202310-1 with consolidated_services_enabled set to 0, either set the value to 1 or upgrade to version 202311-1 or later.

Solution 2: Manually Reset the User's Password

This procedure allows a TFE administrator to reset the password for a user, including those created via SSO who may not have a password.

Note: The commands differ based on the value of the consolidated_services_enabled setting.

If consolidated_services_enabled is 1 (default)

  1. Obtain the user's TFE username.
    • For users created via SSO, this is typically the part of their email address before the @ symbol.
  2. SSH into a TFE node.

  3. Start an interactive shell session inside the terraform-enterprise container.

    $ docker exec -it terraform-enterprise bash

  4. Connect to the TFE Rails console.

    $ tfectl support console

    Enter yes when prompted to continue.

  5. Find the user account. Replace CHANGE_ME with the user's username.

    u = User.find_by_username("CHANGE_ME")

  6. Set the new password. Replace CHANGE_ME with a secure temporary password.

    u.password = 'CHANGE_ME'

  7. Save the changes and exit the console.

    u.save!
exit
  8. Instruct the user to log in with the new password.

If consolidated_services_enabled is 0

  1. Obtain the user's TFE username.
    • For users created via SSO, this is typically the part of their email address before the @ symbol.
  2. SSH into a TFE node.

  3. Connect to the Rails console using the appropriate command for this configuration.

    $ sudo docker exec -it tfe-atlas /usr/bin/init.sh /app/scripts/wait-for-token -- \
  bash -ic 'cd /app && bin/rails c'

  4. Find the user account. Replace CHANGE_ME with the user's username.

    u = User.find_by_username("CHANGE_ME")

  5. Set the new password. Replace CHANGE_ME with a secure temporary password.

    u.password = 'CHANGE_ME'

  6. Save the changes and exit the console.

    u.save!
exit
  7. Instruct the user to log in with the new password.

Articles in this section

See more

Related articles