Problem:
When attempting to configure agent pools and agents to trigger Terraform runs, users often encounter the error "Failed to create a new agent pool" with an "unauthorized" status.
Cause:
This issue typically arises due to a mismatch between the Terraform Enterprise (TFE) application configuration and the agent pool manifest. Specifically:
- Users create a secret token in their Terraform Enterprise application at a custom domain.
- However, the agent pool manifest is configured to work with the default HCP Terraform endpoint (app.terraform.io):
apiVersion: app.terraform.io/v1alpha2
kind: AgentPool
metadata:
  name: agent-pool-demo
spec:
  organization: ORGANIZATION_NAME
  token:
    secretKeyRef:
      name: terraformrc
      key: token
  name: agent-pool-demo
  agentTokens:
    - name: agent-pool-demo-token
  agentDeployment:
    replicas: 1
    spec:
      containers:
        - name: tfc-agent
          image: "hashicorp/tfc-agent:1.13.1"
- There is no explicit attribute in the agent pool manifest to specify the TFE address.
Solution:
To resolve this issue, you need to configure the HCP Terraform Operator to recognize your TFE instance during installation. Here's how to do it:
1. Install the HCP Terraform Operator using Helm, specifying the TFE address:
helm install tfe-operator hashicorp/hcp-terraform-operator \
  --version 2.7.0 \
  --namespace ns-tfe-operator \
  --set operator.tfeAddress="https://your-tfe-domain.com" \
  --set customCAcertificates="$(cat /path/to/your/cert/ca_cert.crt)"
Replace https://your-tfe-domain.com with your actual TFE domain.
2. Ensure you have a PEM or CRT file that includes both the CA Certificate and the Leaf certificate. All certificates in the chain should be part of this file, which should then be included in the Dockerfile.
3. After successful installation, apply your agent pool YAML in the same namespace where you created the token.
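The three steps above depend on three things being right before the AgentPool is applied: the operator address is the TFE instance rather than app.terraform.io, the CA bundle holds the whole chain, and the token secret lives in the namespace the manifest is applied to. The preflight script below is an added example, not part of this article or of the HCP Terraform Operator; the function names and the constructed test inputs are assumptions, and only the last check talks to a cluster.

```shell
#!/usr/bin/env sh
# Preflight checks for the HCP Terraform Operator + AgentPool setup.
# Added example (constructed); function names are not from the operator project.

# Step 1: operator.tfeAddress must be the TFE instance, served over https,
# not the HCP Terraform default that the AgentPool CRD would otherwise assume.
check_tfe_address() {
  addr="$1"
  case "$addr" in
    https://app.terraform.io|https://app.terraform.io/*)
      echo "tfeAddress still points at HCP Terraform; set it to your TFE domain" >&2
      return 1 ;;
    https://*) return 0 ;;
    *) echo "tfeAddress must be an https:// URL, got: $addr" >&2; return 1 ;;
  esac
}

# Number of PEM certificates in a bundle file (0 if the file is missing or empty).
pem_cert_count() {
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=0
  echo "${n:-0}"
}

# Step 2: the bundle passed via customCAcertificates needs the leaf plus its
# CA chain, so anything with fewer than two certificates is rejected.
check_ca_bundle() {
  count=$(pem_cert_count "$1")
  if [ "$count" -lt 2 ]; then
    echo "CA bundle $1 holds $count certificate(s); expected leaf plus CA chain" >&2
    return 1
  fi
  return 0
}

# Step 3: the AgentPool's token.secretKeyRef must resolve in the namespace the
# manifest is applied to; the operator reports "unauthorized" when it does not.
check_token_secret() {
  ns="$1"; secret="$2"; key="$3"
  kubectl -n "$ns" get secret "$secret" -o "jsonpath={.data.$key}" >/dev/null 2>&1 \
    || { echo "secret $secret (key $key) not found in namespace $ns" >&2; return 1; }
}

# Example invocation (edit the placeholders before running against a cluster):
#   check_tfe_address "https://your-tfe-domain.com" \
#     && check_ca_bundle /path/to/your/cert/ca_cert.crt \
#     && check_token_secret ns-tfe-operator terraformrc token
```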