Introduction
This article addresses an issue specific to Terraform Enterprise installations that use an external Vault instance. This guidance applies to the standalone or active/active installation modes.
Problem
Terraform Enterprise may stop functioning after a period of time, displaying Vault 500 errors in the user interface. When inspecting the ptfe_vault container logs, administrators may find multiple occurrences of the error message shown below in the period leading up to the failure.
To view the logs, run the following command on the Terraform Enterprise instance:
$ docker logs ptfe_vault
The log output may contain the following error:
[ERROR] Unable to renew vault token, retry in 60 seconds
While this error indicates that the token is not being renewed, the token acquired during the application's startup phase will continue to function until its Time-To-Live (TTL) expires. This can delay the discovery of the issue. Restarting the application provides a temporary fix, as it will become functional again until the new initial token expires.
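Because the failure stays hidden until the initial token's TTL runs out, a periodic log check can surface it earlier. The following is an added example, not part of the original article or of Terraform Enterprise: the function names, the threshold of 3, and the sample log lines are assumptions, and only the error text and the container name come from this page.

```shell
#!/bin/sh
# Added example: flag repeated Vault token renewal failures in ptfe_vault logs.
# The error text comes from the article; the threshold and the sample lines
# are assumptions made for this sketch.

RENEW_ERR='Unable to renew vault token'

# Read log text on stdin and print how many lines carry the renewal error.
# grep -c exits 1 when it counts zero matches, so mask that status.
count_renew_failures() {
    grep -c -F -- "$RENEW_ERR" || true
}

# Read log text on stdin. Return 1 and print a warning when the number of
# renewal errors reaches the threshold given as $1 (default 3).
check_vault_renewal() {
    threshold=${1:-3}
    failures=$(count_renew_failures)
    if [ "$failures" -ge "$threshold" ]; then
        echo "WARN: $failures token renewal failures; the token stops working when its TTL expires"
        return 1
    fi
    echo "OK: $failures token renewal failures"
    return 0
}

# Constructed sample input: only the [ERROR] message is taken from the
# article, the [INFO] line is made up for illustration.
SAMPLE_LOG='[INFO] constructed sample line: startup complete
[ERROR] Unable to renew vault token, retry in 60 seconds
[ERROR] Unable to renew vault token, retry in 60 seconds
[ERROR] Unable to renew vault token, retry in 60 seconds'

# Demonstration run on the constructed sample (prints the WARN line).
printf '%s\n' "$SAMPLE_LOG" | check_vault_renewal 3 || true

# Live use on the Terraform Enterprise instance. docker logs sends the
# container's stderr to stderr, hence 2>&1:
#   docker logs --since 1h ptfe_vault 2>&1 | check_vault_renewal 3
```

Run from cron or a monitoring agent, the non-zero exit status can drive an alert before the token expires.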
Cause
In Terraform Enterprise version v201908-1, the Vault CLI version included in the ptfe_vault container was upgraded from 0.9.6 to 1.2.0. This newer Vault CLI version deprecated the command that Terraform Enterprise previously used to renew its Vault token.
Solution
In Terraform Enterprise version v202001-1, the command used to renew the Vault token was updated to use the correct syntax for newer versions of the Vault CLI. Upgrading Terraform Enterprise to version v202001-1 or a later release resolves this issue.
Additional Information
For more details on product versions, please see the official Terraform Enterprise release notes.