Error in Database Permissions Post TFE Upgrade Causes UI Failure

Avatar
Pritam Das
  • Updated

Introduction

This article outlines the troubleshooting steps for an issue where the Terraform Enterprise (TFE) user interface (UI) failed to load after an upgrade. It details the root cause, diagnostics performed, and corrective actions to restore service availability.

Problem

After upgrading Terraform Enterprise (TFE), the User Interface (UI) fails to load.

An inspection of the sidekiq.log or atlas.log reveals the following database privilege error:

PG::InsufficientPrivilege: ERROR: must be owner of type service_account_type

Cause

This issue is caused by the database user lacking ownership privileges for the custom type service_account_type.

During the upgrade, TFE attempts to migrate or utilize this custom type. If the Postgres user assigned to TFE does not own this specific type, the application fails to start services dependent on the database schema.

Solution

1. Update Database Permissions

You must assign ownership of the service_account_type to the TFE database user.

  1. Connect to your TFE database instance using an admin account (e.g., a superuser or the RDS master user).

  2. Run the following SQL command, replacing <postgres_username_used_by_TFE> with the actual username defined in your TFE configuration:

     

    ALTER TYPE service_account_type OWNER TO <postgres_username_used_by_TFE>;

2. Restart TFE Services

Once the permissions are updated, you must restart the application services to ensure the new database privileges are recognized. Choose the command below that matches your deployment method.

Docker Compose Perform a full stop and start to ensure a clean state.

$ docker compose down
$ docker compose up -d

Kubernetes (Helm) Trigger a rolling restart of the TFE deployment. Replace <TFE_NAMESPACE> with your specific namespace (default is often terraform-enterprise).

$ kubectl rollout restart deployment terraform-enterprise -n <TFE_NAMESPACE>

Outcome

After granting the ownership privilege and restarting the services:

  • The TFE UI should load successfully.

  • The PG::InsufficientPrivilege error should no longer appear in atlas.log or sidekiq.log.

Articles in this section

Related articles