Overview:
In Terraform Enterprise (TFE), user accounts are locked by default after three consecutive unsuccessful login attempts for security reasons. The locked account will remain inaccessible for 30 minutes unless it is manually unlocked by an administrator. This article provides step-by-step instructions to unlock a user account via the Rails console.
Symptoms:
- The user is unable to log in to Terraform Enterprise after multiple failed attempts.
- Even after resetting the password, login attempts fail, and the account remains locked.
Cause:
As per Terraform Enterprise’s source code, the UI user account will be locked after 3 unsuccessful login attempts. The lock automatically expires after 30 minutes, but administrators can unlock the account manually if needed.
Resolution:
Step 1: Access the Rails Console
- Log in to the server running Terraform Enterprise.
- Open the Rails console using the following command:
docker exec -it terraform-enterprise tfectl support console
Step 2: Identify the Locked User
- Search for the user account using their username:
user = User.find_by(username: "<username>")
- Check if the account is currently locked:
user.locked_at
Step 3: Unlock the User Account
- Unlock the user account by running the following command:
user.unlock_access!
- Save the changes to the database:
user.save!
- Exit the Rails console:
exit
Step 4: Verify Access
- Ask the user to log in again using their credentials.
- If login fails, ensure that the password reset process was followed correctly, and no other security mechanisms (e.g., SSO/SAML) are interfering.
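Steps 2 and 3 can be combined into one guarded console method, shown here as an added example that is not HashiCorp's code. It handles a mistyped username (find_by returns nil) and an account that is not locked, and it returns a small record for the change log. The names unlock_report, LOCK_WINDOW and FakeUser are hypothetical, and the method assumes locked_at is nil on an unlocked account.

```ruby
# Added example, not HashiCorp code. Paste LOCK_WINDOW and unlock_report into the
# Rails console, then call:
#   unlock_report(User.find_by(username: "<username>"))
LOCK_WINDOW = 30 * 60 # seconds; the 30-minute lock duration stated in this article

# `user` is whatever User.find_by returned (nil when no record matches).
# Returns a hash describing what was found and what was changed.
def unlock_report(user, now: Time.now)
  # A typo in the username yields nil; calling locked_at on it would raise.
  return { status: :not_found } if user.nil?

  locked_at = user.locked_at
  # Assumption: nil locked_at means no lock, so the login failure has another cause.
  return { status: :not_locked } if locked_at.nil?

  # Time the lock would still have run; 0 means the 30 minutes had already passed.
  remaining = [(locked_at + LOCK_WINDOW - now).ceil, 0].max

  user.unlock_access!   # Step 3: unlock
  user.save!            # Step 3: persist
  {
    status: :unlocked,
    locked_at: locked_at,
    seconds_remaining_at_unlock: remaining,
    locked_at_after: user.locked_at
  }
end

# Constructed stand-in for the console's User record, only so the method can be
# exercised outside Terraform Enterprise. Not needed in the real console.
FakeUser = Struct.new(:username, :locked_at) do
  def unlock_access!
    self.locked_at = nil
  end

  def save!
    true
  end
end
```

A :not_locked result points back to the checks in Step 4 (password reset, SSO/SAML) rather than to the lockout.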
Important Notes
- This process should only be performed by authorized administrators.
- If the user continues to face issues, ensure they clear their browser cache and cookies or try accessing the UI in incognito mode.
References
If you encounter further issues, contact HashiCorp Support with relevant logs and a detailed description of the problem.