Problem
When using Terraform Enterprise (TFE) Flexible Deployment Options (FDO) with a PostgreSQL 15 database, the deployment fails if TFE_DATABASE_PARAMETERS is set to "sslmode=disable" in the docker-compose.yaml file.
The deployment logs show a timeout error when TFE attempts to connect to the database.
[ERROR] terraform-enterprise: check failed: name=database duration=1m30.003031872s err=\"timeout: context deadline exceeded\"","component":"terraform-enterprise"}
[ERROR] terraform-enterprise: check failed: name=upgrade duration=1m30.00187011s err=\"timeout: context deadline exceeded\"","component":"terraform-enterprise"}
terraform-enterprise: the following startup checks failed: checks=[\"database\", \"upgrade\"]","component":"terraform-enterprise"}
Prerequisites
- Terraform Enterprise Flexible Deployment Options
- PostgreSQL version 15 database (e.g., AWS RDS)
Cause
PostgreSQL 15 enables SSL mode by default, which differs from previous versions like PostgreSQL 14. The error occurs because the TFE configuration TFE_DATABASE_PARAMETERS: "sslmode=disable" conflicts with the database's default requirement for an SSL connection, causing the connection to fail.
Solutions
There are two primary solutions to resolve this configuration mismatch.
Solution 1: Set sslmode to 'require'
Update the TFE_DATABASE_PARAMETERS environment variable in your docker-compose.yaml file to align with the database's SSL requirement.
## docker-compose.yaml
services:
  terraform-enterprise:
    environment:
      TFE_DATABASE_PARAMETERS: "sslmode=require"
      ## ... other environment variables
This change instructs TFE to use SSL when connecting to the PostgreSQL database, satisfying the default setting in PostgreSQL 15.
Solution 2: Disable force_ssl in the AWS RDS Parameter Group
If your security policy allows for non-SSL database connections, you can modify the AWS RDS instance's parameter group to disable forced SSL.
Note: You cannot modify a default parameter group. If your instance uses a default group, you must create a custom parameter group, apply it to your RDS instance, and then modify the parameter.
- Navigate to the Amazon RDS console.
- In the navigation pane, select Parameter groups.
- Choose the custom parameter group associated with your RDS instance.
- Select Parameter group actions, then choose Edit.
- Find the rds.force_ssl parameter and change its value from 1 (enabled) to 0 (disabled).
- Save the changes and reboot the RDS instance for the new parameter group settings to take effect.
After applying this change, TFE will be able to connect to the database with sslmode=disable.
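A pre-deployment check for the mismatch described above, as an added example that is not part of the original article or of Terraform Enterprise. It reads the sslmode from a compose file and compares it with the rds.force_ssl value you read from the parameter group. The function names are hypothetical, the query-string format of TFE_DATABASE_PARAMETERS is an assumption, and the sslmode meanings follow the PostgreSQL client documentation.

```python
import re
from urllib.parse import parse_qs

# Constructed sample input: the compose fragment from this article, before the fix.
SAMPLE_COMPOSE = """\
services:
  terraform-enterprise:
    environment:
      TFE_DATABASE_PARAMETERS: "sslmode=disable"
"""

# Matches both compose styles: `KEY: "value"` and `- KEY=value`; skips commented lines.
_PARAM_RE = re.compile(
    r"""^\s*(?:-\s*)?["']?TFE_DATABASE_PARAMETERS\s*[:=]\s*["']?([^"'\n#]*)""",
    re.MULTILINE,
)

def extract_sslmode(compose_text):
    """Return the sslmode set in TFE_DATABASE_PARAMETERS, or None if absent."""
    match = _PARAM_RE.search(compose_text)
    if not match:
        return None
    # Assumption: the value is a query string, e.g. "sslmode=require&connect_timeout=10".
    values = parse_qs(match.group(1).strip()).get("sslmode")
    return values[-1].lower() if values else None

def check_tls_settings(compose_text, rds_force_ssl):
    """Compare the client sslmode with the server's rds.force_ssl (0 or 1)."""
    sslmode = extract_sslmode(compose_text)
    if sslmode is None:
        return ("unknown", "sslmode not set in TFE_DATABASE_PARAMETERS")
    if sslmode == "disable":
        if rds_force_ssl == 1:
            return ("mismatch", "server forces SSL, client disables it; startup checks fail")
        return ("plaintext", "connection works but database traffic is unencrypted")
    if sslmode in ("verify-ca", "verify-full"):
        return ("verified", "encrypted and the server certificate is checked")
    if sslmode == "require":
        return ("encrypted", "encrypted, but the server certificate is not verified")
    return ("review", f"sslmode={sslmode} does not guarantee encryption")

if __name__ == "__main__":
    print(check_tls_settings(SAMPLE_COMPOSE, rds_force_ssl=1))
```
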
Additional Information
- For more details on PostgreSQL SSL support, refer to the official PostgreSQL 15 Documentation on SSL.