Terraform Enterprise (TFE) version 202507-1 introduces native support for Azure Managed Identity (MSI) authentication with PostgreSQL, enabling passwordless, secure access to your database. This article walks you through the complete setup to connect TFE to your Azure PostgreSQL database using a User-Assigned Managed Identity.
Prerequisites
- TFE version is 202507-1 or later
- You’re using Azure PostgreSQL Flexible Server
- You have a User-Assigned Managed Identity created in Azure
- TFE is deployed in Azure AKS (or VMSS) with permissions to use the Managed Identity
Step-by-Step Guide
Step 1: Create & Assign the Managed Identity
1. Create a User-Assigned Managed Identity (UAMI), or use an existing one:
```bash
az identity create --name <your-msi-name> --resource-group <your-rg>
```
2. Assign the Managed Identity as Azure AD admin on the PostgreSQL server:
```bash
az postgres flexible-server ad-admin create \
  --resource-group <your-rg> \
  --server-name <your-db-server> \
  --display-name <your-msi-name> \
  --object-id <object-id-of-msi>
```
Step 2: Assign Managed Identity to the Host (AKS VMSS)
TFE must retrieve the access token from the Managed Identity assigned to the VM/VMSS it's running on.
1. Identify your AKS node pool VMSS:
```bash
az vmss list --resource-group <aks-nodepool-rg>
```
2. Assign the Managed Identity to the VMSS:
```bash
az vmss identity assign \
  --name <vmss-name> \
  --resource-group <aks-nodepool-rg> \
  --identities <msi-resource-id>
```
Step 3: Set TFE Environment Variables
In your TFE configuration file or TFE environment, add the following variables:
```
environment {
  TFE_DATABASE_HOST = "<your-db-host>"
  TFE_DATABASE_NAME = "db_name"
  TFE_DATABASE_USER = "<your-msi-name>" # Must match identity name in DB
  TFE_DATABASE_PASSWORDLESS_AZURE_USE_MSI = "true"
  TFE_DATABASE_PASSWORDLESS_AZURE_CLIENT_ID = "<client-id-of-your-msi>"
}
```
TFE_DATABASE_USER must exactly match the identity name registered in the PostgreSQL DB.
Step 4: Verify Connectivity
Restart your TFE deployment and validate DB connectivity:
Log in to the TFE container, retrieve an access token for the Managed Identity from the Azure Instance Metadata Service, connect to the DB with that token as the password, and run the query:
```bash
# Retrieve the access token for the Managed Identity from the Azure Instance Metadata Service
export PGPASSWORD=$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fossrdbms-aad.database.windows.net&client_id=CLIENT_ID' -H Metadata:true | jq -r .access_token)
# Connect to the database
psql -h SERVER --user USER DBNAME
```
```sql
SELECT 1 FROM information_schema.schemata WHERE schema_name='terraform_enterprise';
```
Expected Output:
```text
 ?column?
----------
        1
```
You can also verify:
```bash
psql "host=<db-host> dbname=tfe user=<msi-name> sslmode=require"
```
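As an added example (not part of the original article or HashiCorp's code), the following Python script reproduces the Step 4 check without psql: it builds the same IMDS request the curl command sends, decodes the returned token's claims to confirm the audience is the PostgreSQL resource and the token has not expired, and assembles the libpq connection string. `fetch_msi_token` only works inside an Azure VM/VMSS that has the identity assigned; `constructed_token` builds an unsigned sample token (an assumption for offline use, not an Azure-issued token) so the inspection logic can be exercised anywhere.

```python
import base64
import json
import urllib.parse
import urllib.request

IMDS_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
# Token audience for Azure Database for PostgreSQL with Azure AD authentication
PG_AAD_RESOURCE = "https://ossrdbms-aad.database.windows.net"

def build_imds_token_url(client_id: str) -> str:
    """Same request the curl check in Step 4 makes: ask IMDS for a token scoped to PostgreSQL."""
    query = urllib.parse.urlencode(
        {"api-version": "2018-02-01", "resource": PG_AAD_RESOURCE, "client_id": client_id}
    )
    return f"{IMDS_ENDPOINT}?{query}"

def fetch_msi_token(client_id: str) -> str:
    """Fetch the token; only works inside an Azure VM/VMSS that has the MSI assigned."""
    req = urllib.request.Request(build_imds_token_url(client_id), headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["access_token"]

def decode_jwt_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_problems(claims: dict, now: float) -> list:
    """Reasons PostgreSQL would reject this token as a password, or [] if it looks usable."""
    problems = []
    aud = claims.get("aud")
    if aud not in (PG_AAD_RESOURCE, PG_AAD_RESOURCE + "/"):
        problems.append(f"wrong audience {aud!r}; expected {PG_AAD_RESOURCE}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired; IMDS tokens are short-lived, fetch a fresh one")
    return problems

def build_dsn(host: str, dbname: str, user: str) -> str:
    """libpq DSN as in Step 4: user is the MSI name, the token travels in PGPASSWORD, TLS required."""
    return f"host={host} dbname={dbname} user={user} sslmode=require"

def constructed_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration (not an Azure-issued token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

In a real session, replace `constructed_token` with `fetch_msi_token("<client-id-of-your-msi>")` and pass the returned token to psql via `PGPASSWORD`.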
References
- Terraform Enterprise Configuration Reference
- Azure PostgreSQL with Azure AD Auth
- Assign Managed Identity to VMSS
Feel free to reach out to HashiCorp Support if you encounter issues during setup. This configuration not only improves security but also simplifies the management of credentials in production environments.