Problem
When running a terraform apply in Terraform Enterprise, you may encounter a permission denied error while Terraform writes a local sensitive file (for example a local_sensitive_file resource from the hashicorp/local provider) to disk on the agent.
Cause
This error occurs because the Terraform Enterprise task worker container no longer runs as the root user; it runs as the unprivileged tfc-agent user. When a Terraform configuration tries to write a local sensitive file into a directory that tfc-agent does not own or have write permission on (for example /root, which is owned by root), the write fails with permission denied.
Solutions
There are two ways to address this permissions issue. Both come down to making sure the user that runs Terraform can write to the directory the configuration targets.
Solution 1: Utilize the tfc-agent Binary
As a workaround, you can run the tfc-agent binary directly on a host, under a service account you control, instead of using the containerized agent image. Because you own the host and choose the account, you can give that account write access to the directories the configuration writes to, or run the agent from a working directory it already owns, without rebuilding an image. Keep the agent running as a non-root user and grant the specific directories it needs rather than running it as root.
Solution 2: Create a Custom Agent Image
You can build a custom agent image that adjusts directory permissions so the tfc-agent user can write where the configuration expects. The following Dockerfile shows a custom agent that installs sudo, adds a custom CA certificate, and grants the tfc-agent group read/write access to the /root directory. Grant only what the configuration actually needs: chmod -R g+rwx /root lets anything that runs in the workspace read and modify root's home directory, and a passwordless sudo rule for apt-get is effectively root access, because apt-get can run arbitrary commands through its configuration options (for example APT::Update::Pre-Invoke). Drop the sudo and certificate steps if you do not need them. If the configuration itself can be changed, pointing the local sensitive file at the working directory or another path owned by tfc-agent avoids the image change altogether.
FROM hashicorp/tfc-agent:latest

## Switch to the root user in order to perform privileged actions such as
## installing software.
USER root

## Install sudo. The container runs as a non-root user, but people may rely on
## the ability to apt-get install things. Refresh the package lists first
## (the base image may not ship them) and remove them afterwards to keep the
## image small.
RUN apt-get update \
    && apt-get install -y --no-install-recommends sudo \
    && rm -rf /var/lib/apt/lists/*

################################
## Add custom certificates
################################
ADD ca.crt /usr/local/share/ca-certificates/ca.crt
RUN chmod 644 /usr/local/share/ca-certificates/ca.crt && update-ca-certificates

## Permit tfc-agent to use sudo apt-get commands. Fragments in sudoers.d should
## be mode 0440, and visudo -c makes a syntax error fail the build instead of
## breaking sudo at runtime.
RUN echo 'tfc-agent ALL=NOPASSWD: /usr/bin/apt-get , /usr/bin/apt' > /etc/sudoers.d/50-tfc-agent \
    && chmod 0440 /etc/sudoers.d/50-tfc-agent \
    && visudo -c

## Update /root permissions to allow the tfc-agent group read/write access.
## (umask has no effect on chown/chmod, so it is not needed here.)
RUN chown -R :tfc-agent /root && chmod -R g+rwx /root

## Switch back to the tfc-agent user as needed by Terraform agents.
USER tfc-agent
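Before handing a custom image to Terraform Enterprise, it is worth confirming from inside the image, as the tfc-agent user, that the permission change actually took effect. The following preflight script is an added example and not HashiCorp's code; it assumes the directory (/root) and group (tfc-agent) from the Dockerfile above, but both can be passed as arguments. It uses a real write probe rather than test -w so that read-only mounts are caught too.

```shell
#!/bin/sh
# preflight.sh: check that the current user can write where a Terraform
# local_sensitive_file will land. Added example, not HashiCorp's code.
# Usage (inside the custom image, as tfc-agent):
#   . ./preflight.sh && preflight /root tfc-agent

# can_write_dir DIR: return 0 if the current user can create a file in DIR.
# The probe file is created with umask 077 and removed again, so nothing
# readable is left behind even if the check is run against a shared directory.
can_write_dir() {
  dir="$1"
  [ -d "$dir" ] || return 1
  probe="$dir/.tfc-agent-write-probe.$$"
  if ( umask 077 && : > "$probe" ) 2>/dev/null; then
    rm -f "$probe"
    return 0
  fi
  return 1
}

# in_group USER GROUP: return 0 if USER is a member of GROUP (primary or
# supplementary). The chown -R :tfc-agent /root fix only helps if the user
# running Terraform is actually in that group.
in_group() {
  user="$1"; group="$2"
  for g in $(id -nG "$user" 2>/dev/null); do
    [ "$g" = "$group" ] && return 0
  done
  return 1
}

# preflight [DIR] [GROUP]: run both checks and report each result.
# Returns 0 only if every check passed, so it can gate an image build.
preflight() {
  dir="${1:-/root}"; group="${2:-tfc-agent}"
  me="$(id -un)"
  rc=0
  if in_group "$me" "$group"; then
    echo "ok:   $me is in group $group"
  else
    echo "FAIL: $me is not in group $group"; rc=1
  fi
  if can_write_dir "$dir"; then
    echo "ok:   $me can write to $dir"
  else
    echo "FAIL: $me cannot write to $dir (a local_sensitive_file there would fail)"; rc=1
  fi
  return $rc
}
```

To run it against a freshly built image without modifying the image, mount the script in and source it, for example: docker run --rm -v "$PWD/preflight.sh:/tmp/preflight.sh:ro" --entrypoint sh my-custom-agent:latest -c '. /tmp/preflight.sh && preflight /root tfc-agent'. A non-zero exit means the configuration would still hit the permission denied error.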