How to enable Terraform core logging in Terraform Enterprise application logging >=v202306-1 – HashiCorp Help Center

Introduction

In the v202306-1 release of Terraform Enterprise (TFE), the "Terraform Build Worker" image for performing Terraform runs was retired in favor of the hashicorp/tfc-agent image. See Migrate Alternative Worker Images to Agents for more information.

The legacy Terraform Build Worker image logged the core terraform command output in the TFE application logging by default. The new agent image does not by default. While Terraform core logs are still available by navigating to a Workspace Run and from the API, it requires additional configuration to include these logs in the application logs, e.g. those configured for log forwarding on Flexible Deployment Options (FDO) or Replicated.

Expected Outcome

Terraform core logging is available in the standard output produced by the Terraform Enterprise application.

Prerequisites

Terraform Enterprise application using the agent image pipeline (all releases v202306-1 and later including the latest release v202410-1 at the time of this article)
A need for consuming the Terraform core logs from the standard output of Terraform Enterprise

Procedure

Terraform core logging can be enabled by setting the TFC_AGENT_LOG_LEVEL environment variable to "trace" on the tfc-agent image responsible for executing Terraform runs. The trace verbosity level "contains all debug-level messages, plus verbose process logs such as the line-by-line output of the terraform command".

Steps

1. Build a custom worker image with the following addition:

ENV TFC_AGENT_LOG_LEVEL='trace'

A complete Dockerfile could look like:

FROM hashicorp/tfc-agent:latest

# Switch the to root user in order to perform privileged actions such as
# installing software.
USER root

# Install sudo. The container runs as a non-root user, but people may rely on
# the ability to apt-get install things.
RUN apt-get -y install sudo

# Permit tfc-agent to use sudo apt-get commands.
RUN echo 'tfc-agent ALL=NOPASSWD: /usr/bin/apt-get , /usr/bin/apt' >> /etc/sudoers.d/50-tfc-agent

# Switch back to the tfc-agent user as needed by Terraform agents.
USER tfc-agent

# Enable Terraform core logging
ENV TFC_AGENT_LOG_LEVEL='trace'

2. Update Terraform Enterprise to use this custom image:

For FDO configure the TFE_RUN_PIPELINE_IMAGE environment variable to use this custom image.
For Replicated configure the custom_agent_image_tag setting to use this custom image.

Additional Information

HCP Terraform Agents > Logging