How To Recover PostgreSQL Password on Mounted Disk

Introduction

This guide provides procedures to manually reset the PostgreSQL database password for a Terraform Enterprise instance in a mounted disk installation. You may need to perform this recovery if the password was not saved during a migration or initial setup.

Prerequisites

• Terraform Enterprise version v202010-1 or later.
• An installation using the Mounted Disk operational mode.

Solutions

There are two methods for recovery, depending on whether the original Terraform Enterprise instance is still available.

Solution 1: When the Original TFE Instance is Available

If the instance where the mounted disk contents originated is still running, you can retrieve the password directly from its configuration.

Procedure

1. On the original Terraform Enterprise instance, export the application configuration to reveal the generated password.

   $ replicatedctl app-config export --hidden

2. In the JSON output, locate the value for the generated_postgres_password key.
3. On the new Terraform Enterprise instance, set the pg_password value in the application configuration to the password you retrieved in the previous step.
4. Apply the configuration change and restart the application to complete the recovery.

Solution 2: When the Original TFE Instance is Not Available

If the original instance is unavailable, the password is unknown. This procedure involves directly accessing the PostgreSQL container to manually set a new password.

Warning: This is a sensitive operation. Do not access the application console or run commands other than those provided unless directed by HashiCorp Support. If any command produces unexpected output, stop immediately and seek assistance.

Procedure

1. Stop the Terraform Enterprise application, but ensure the Replicated services remain running.

   $ replicatedctl app stop

2. Export the application configuration to find the generated_postgres_password value. You will use this value to reset the password.

   $ replicatedctl app-config export --hidden

3. Identify the mounted disk path on the host machine. This path will be referred to as ${DISK_PATH} in subsequent commands.

4. Find the Docker image ID for the PostgreSQL container.

   # docker image ls | grep 'ptfe-postgres'

   The command output is similar to the following example. The image ID is in the third column.

   ## registry.replicated.com/terraformenterprise/wirqzhu7kinrk.hashicorp-ptfe-postgres a6f7616 ecec249ca541 5 weeks ago 214MB

   In this example, the image ID is ecec249ca541. This will be referred to as ${DOCKER_IMAGE_ID}.

5. Start an interactive shell in a new Docker container using the PostgreSQL image. This command mounts the necessary data volumes from your mounted disk.

   # docker run -it \
     --user postgres \
     --env PGDATA=/data/pgdata \
     --entrypoint /bin/bash \
     -v ${DISK_PATH}/postgres:/data \
     -v ${DISK_PATH}/postgres-backup:/backup \
     ${DOCKER_IMAGE_ID}

6. From inside the container's shell, start the PostgreSQL service in the background.

   $ postgres &

7. Connect to the hashicorp database as the hashicorp user.

   $ psql -U hashicorp -H 127.0.0.1 -d hashicorp

8. Once connected to the database, run the ALTER ROLE command to set the password. Replace GENERATED_PASSWORD with the generated_postgres_password value you retrieved in step 2.

   ALTER ROLE hashicorp WITH PASSWORD 'GENERATED_PASSWORD';

9. Disconnect from the database.

   \q

10. Exit the container shell.

    $ exit

11. Start the Terraform Enterprise application to complete the process.

    $ replicatedctl app start