Introduction
Problem
Users encounter a permission denied error when running an apply on Terraform Enterprise, specifically when the run tries to write local sensitive files into the root user's home directory (/root).
Cause
The error arises because, following recent changes to Terraform Enterprise, the task worker container no longer runs as root. When a run attempts to write a local sensitive file to a location that only root can write to, the process receives a permission denied error. The same issue may also be encountered during Terraform plan execution.
Solution #1: Use the tfc-agent binary
As a workaround, consider running the tfc-agent binary directly instead of the TFC Agent container image. The binary runs with the permissions of the user that starts it, so it may provide the permissions needed for Terraform plans to complete in the non-root environment.
Solution #2: Use a custom agent to bypass the issue
As a workaround, a custom agent image can be built that grants the non-root tfc-agent user write access to /root. Below is an example of the Dockerfile used to create the custom agent:
FROM hashicorp/tfc-agent:latest
# Switch to the root user in order to perform privileged actions such as
# installing software.
USER root
# Install sudo. The container runs as a non-root user, but people may rely on
# the ability to apt-get install things. Refresh the package lists first so the
# install does not fail on an image whose apt cache has been cleaned.
RUN apt-get update && apt-get -y install sudo
###############################
### Add custom certificates ###
###############################
# COPY is preferred over ADD for plain local files (ADD also unpacks archives
# and fetches URLs).
COPY ca.crt /usr/local/share/ca-certificates/ca.crt
RUN chmod 644 /usr/local/share/ca-certificates/ca.crt && update-ca-certificates
# Permit tfc-agent to use sudo apt-get commands (passwordless, limited to apt).
RUN echo 'tfc-agent ALL=NOPASSWD: /usr/bin/apt-get , /usr/bin/apt' >> /etc/sudoers.d/50-tfc-agent
# Give the tfc-agent group read/write/execute access to /root so the non-root
# agent user can write local sensitive files there.
RUN umask 0000 && chown -R :tfc-agent /root
RUN umask 0000 && chmod -R g+rwx /root
# Switch back to the tfc-agent user as needed by Terraform agents.
USER tfc-agent
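A minimal Terraform configuration that exercises the failing write, added here as an illustration and not part of the original article; the file paths and the secret content are constructed placeholders. On the stock non-root image the first resource fails with permission denied, while on the custom agent image it succeeds because /root is group-writable by tfc-agent; the second resource writes into the run's working directory, which the agent user can already write to, and so does not depend on /root permissions at all.

```hcl
terraform {
  required_providers {
    local = {
      source = "hashicorp/local"
    }
  }
}

# Constructed placeholder secret; in practice this would come from a
# sensitive variable or a data source.
variable "kubeconfig_content" {
  type      = string
  sensitive = true
  default   = "apiVersion: v1\nkind: Config\n# placeholder"
}

# Writes under /root: denied on the default (non-root) task worker image,
# allowed once /root is group-writable by tfc-agent as in the custom agent.
resource "local_sensitive_file" "in_root_home" {
  content         = var.kubeconfig_content
  filename        = "/root/.kube/config"
  file_permission = "0600"
}

# Writes into the run's working directory instead, which the agent user owns,
# so the write succeeds without any change to /root permissions.
resource "local_sensitive_file" "in_workdir" {
  content         = var.kubeconfig_content
  filename        = "${path.module}/.kube/config"
  file_permission = "0600"
}
```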