Overview
Procedure
TLS Certificate Key Pair
Securely provide a certificate key pair to the Terraform Enterprise Helm chart by referencing an external Kubernetes secret. Begin by creating a Kubernetes TLS secret in the Terraform Enterprise namespace in the cluster.
kubectl create secret tls terraform-enterprise-certificates -n terraform-enterprise --cert /path/to/cert --key /path/to/key
Then reference the secret under the tls.certificateSecret value or through the command line with --set tls.certificateSecret=<SECRET>.
tls:
  certificateSecret: terraform-enterprise-certificates

containers:
- envFrom:
  ...
  - secretRef:
      name: terraform-enterprise-env-secrets
  image: images.releases.hashicorp.com/hashicorp/terraform-enterprise:v202405-1
  imagePullPolicy: Always
  name: terraform-enterprise
  ...
  volumeMounts:
  - mountPath: /etc/ssl/private/terraform-enterprise/cert.pem
    name: certificates
    subPath: tls.crt
  - mountPath: /etc/ssl/private/terraform-enterprise/key.pem
    name: certificates
    subPath: tls.key
volumes:
- name: certificates
  secret:
    defaultMode: 420
    secretName: terraform-enterprise-certificates
Configuration Options
External Kubernetes Secrets
Sensitive configuration options such as the encryption password or database user's password can also be sourced from external Kubernetes secrets. First, create a generic secret in the Terraform Enterprise namespace.
kubectl create secret generic terraform-enterprise-secret-config -n terraform-enterprise --from-literal=TFE_DATABASE_PASSWORD=<PASSWORD> --from-literal=TFE_ENCRYPTION_PASSWORD=<ENC_PASSWORD> ...
Add this secret to the list of secrets under env.secretRefs in the override values file or via the command line with --set 'env.secretRefs[0].name=terraform-enterprise-secret-config'.
env:
  secretRefs:
  - name: terraform-enterprise-secret-config
The resulting pod template of the Terraform Enterprise deployment will be configured with an envFrom secretRef for each provided secret.
containers:
- envFrom:
  ...
  - secretRef:
      name: terraform-enterprise-secret-config
  ...
Secrets File
Another option is to provide the path to a local file containing secret values. First, create a local YAML file with secret values (env-secrets.yaml in this example).
TFE_ENCRYPTION_PASSWORD: "enc-password"
TFE_DATABASE_PASSWORD: "db-password"
Then, reference the file under the env.secretsFilePath value or through the command line with --set env.secretsFilePath=env-secrets.yaml.
env:
  secretsFilePath: env-secrets.yaml
The secrets defined in the environment file will be added to a terraform-enterprise-env-secrets secret created by Helm and used as a secretRef by the resulting pod template of the Terraform Enterprise deployment.
containers:
- envFrom:
  ...
  - secretRef:
      name: terraform-enterprise-env-secrets
  ...
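To confirm that a rendered pod template matches what the TLS and secretRef sections above describe, the following added example (not part of the original article or the Helm chart) audits a Deployment exported as JSON with kubectl get deployment -o json. The helper name audit_deployment, the embedded sample JSON and the set of variable names treated as sensitive are assumptions made for illustration.

```python
import json

# Variables the page treats as sensitive (assumption: extend for your setup).
SENSITIVE = {"TFE_DATABASE_PASSWORD", "TFE_ENCRYPTION_PASSWORD"}
CERT_DIR = "/etc/ssl/private/terraform-enterprise/"
EXPECTED_MOUNTS = {CERT_DIR + "cert.pem": "tls.crt", CERT_DIR + "key.pem": "tls.key"}

def audit_deployment(deployment, secret_refs, tls_secret):
    """Return findings for a Deployment dict (hypothetical helper)."""
    findings = []
    spec = deployment["spec"]["template"]["spec"]
    # Names of volumes backed by the expected TLS secret.
    tls_volumes = {v["name"] for v in spec.get("volumes", [])
                   if v.get("secret", {}).get("secretName") == tls_secret}
    if not tls_volumes:
        findings.append(f"no volume backed by secret {tls_secret}")
    for c in spec.get("containers", []):
        refs = {e["secretRef"]["name"] for e in c.get("envFrom", []) if "secretRef" in e}
        for missing in sorted(set(secret_refs) - refs):
            findings.append(f"{c['name']}: envFrom lacks secretRef {missing}")
        # A literal value stores the password in the Deployment object itself.
        for var in c.get("env", []):
            if var["name"] in SENSITIVE and "value" in var:
                findings.append(f"{c['name']}: {var['name']} set as a literal value")
        mounted = {m["mountPath"]: m.get("subPath")
                   for m in c.get("volumeMounts", []) if m["name"] in tls_volumes}
        for path, sub in EXPECTED_MOUNTS.items():
            if mounted.get(path) != sub:
                findings.append(f"{c['name']}: {path} not mounted from {sub}")
    return findings

# Constructed sample; TFE_DATABASE_PASSWORD is deliberately inline to show a finding.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {
  "containers": [{"name": "terraform-enterprise",
    "envFrom": [{"secretRef": {"name": "terraform-enterprise-secret-config"}}],
    "env": [{"name": "TFE_DATABASE_PASSWORD", "value": "db-password"}],
    "volumeMounts": [
      {"name": "certificates", "subPath": "tls.crt",
       "mountPath": "/etc/ssl/private/terraform-enterprise/cert.pem"},
      {"name": "certificates", "subPath": "tls.key",
       "mountPath": "/etc/ssl/private/terraform-enterprise/key.pem"}]}],
  "volumes": [{"name": "certificates",
    "secret": {"secretName": "terraform-enterprise-certificates"}}]}}}}
""")

if __name__ == "__main__":
    for finding in audit_deployment(SAMPLE, ["terraform-enterprise-secret-config"],
                                    "terraform-enterprise-certificates"):
        print(finding)
```

An empty result means every expected secretRef is present, neither password appears as a literal env value, and both certificate files are mounted from the named TLS secret.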