Introduction
You might be required by your security team to rotate the database password for your Terraform Enterprise Mounted Disk installation.
In Terraform Enterprise Mounted Disk, the database password (TFE_DATABASE_PASSWORD) is derived from the encryption password (TFE_ENCRYPTION_PASSWORD).
The setting in your config file for TFE_DATABASE_PASSWORD is ignored. The TFE_ENCRYPTION_PASSWORD is used instead to generate the database password.
This means that if you want to change the database password, you will need to rotate your encryption password.
Expected Outcome
You are able to rotate the database password in your Terraform Enterprise Mounted Disk environment.
Prerequisites (if applicable)
- Terraform Enterprise Mounted Disk
Use Case
You are required by your security team to rotate the database password.
Procedure
- Save your current encryption password.
  - Back up the old password in case you need to restore the application. Otherwise, data in the backup can't be accessed.
  - On Replicated:
    `replicatedctl app-config export | grep "enc_password"`
  - On FDO:
    `tfectl app config --unredacted | grep "encryption_password"`
- Perform a node drain to stop TFE from picking up any new tasks.
- Rotate your encryption password.
  - You will get a prompt similar to this, which you need to accept with `yes`:
    WARNING: this operation is irreversible, and you will need to restart all of the TFE nodes once this operation is done. Make sure that no one is using TFE at this time.
    Do you desire to continue? 'yes' is the only valid option. [yes/no]: yes
    Encryption key successfully rotated
    Current value of the TFE_ENCRYPTION_PASSWORD environment variable is invalid, please change it to the new password value and restart the container.
- Change the TFE_ENCRYPTION_PASSWORD in your configuration.
- Restart your TFE instance.