Introduction
Terraform Enterprise (TFE) version v202506-1 and later supports connecting to an external Redis instance over mutual TLS (mTLS). This configuration ensures secure communication by requiring both server and client certificates for authentication. This document provides the steps to configure Terraform Enterprise to connect to an external Redis instance using mTLS.
Prerequisites
Before you begin, ensure you have the following:
- An external Redis instance configured with TLS and mTLS enabled.
- The following Redis certificates and keys are available:
  - ca.crt: The Certificate Authority file.
  - client.crt: The client certificate for TFE.
  - client.key: The client private key for TFE.
Use Case
Organizations that deploy TFE in Kubernetes may require all external services, such as Redis, to use encrypted and mutually authenticated communication. Configuring mTLS for Redis ensures:
- Data in transit is encrypted.
- Both TFE and Redis authenticate each other.
- Compliance with strict security requirements is maintained.
Procedure
Follow these steps to configure TFE for Redis mTLS in a Kubernetes environment, such as Azure Kubernetes Service (AKS).
1. Set Environment Variables:

   Add the following environment variables to your TFE deployment configuration. These variables instruct TFE to use mTLS and specify the paths to the mounted certificates.

       TFE_REDIS_HOST: "redis.example.com:6379"
       TFE_REDIS_USE_TLS: "false"
       TFE_REDIS_USE_AUTH: "false"
       TFE_REDIS_USE_MTLS: "true"
       ## Paths to mounted certs
       TFE_REDIS_CA_CERT_PATH: "<certs path mounted in pod>/ca.crt"
       TFE_REDIS_CLIENT_CERT_PATH: "<certs path mounted in pod>/client.crt"
       TFE_REDIS_CLIENT_KEY_PATH: "<certs path mounted in pod>/client.key"

2. Create a Kubernetes Secret:

   Create a Kubernetes secret containing the Redis mTLS certificates. This secret will be mounted into the TFE pod.

       $ kubectl -n terraform-enterprise create secret generic redis-mtls-certs \
           --from-file=ca.crt=/path/to/ca.crt \
           --from-file=client.crt=/path/to/client.crt \
           --from-file=client.key=/path/to/client.key

3. Mount the Secret as a Volume:

   Update your TFE deployment configuration to mount the secret as a volume in the TFE pod. Add the extraVolumes and extraVolumeMounts sections to your configuration file.

       ## Mount redis certs
       extraVolumes:
         - name: redis-mtls-certs
           secret:
             secretName: redis-mtls-certs
       extraVolumeMounts:
         - name: redis-mtls-certs
           mountPath: <certs path to mount in pod>
           readOnly: true
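The three steps above must agree on one detail: the directory in TFE_REDIS_*_PATH has to be the mountPath of the volume that carries the secret, and the file names have to match the keys given to --from-file. The following consistency check is an added example, not HashiCorp's tooling; it assumes the placeholder mount path is /etc/redis-certs and takes the rendered values as plain Python dicts.

```python
import posixpath

# Constructed sample of the values from the steps above, with the
# "<certs path mounted in pod>" placeholder assumed to be /etc/redis-certs.
ENV = {
    "TFE_REDIS_HOST": "redis.example.com:6379",
    "TFE_REDIS_USE_TLS": "false",
    "TFE_REDIS_USE_AUTH": "false",
    "TFE_REDIS_USE_MTLS": "true",
    "TFE_REDIS_CA_CERT_PATH": "/etc/redis-certs/ca.crt",
    "TFE_REDIS_CLIENT_CERT_PATH": "/etc/redis-certs/client.crt",
    "TFE_REDIS_CLIENT_KEY_PATH": "/etc/redis-certs/client.key",
}
VOLUMES = [{"name": "redis-mtls-certs", "secret": {"secretName": "redis-mtls-certs"}}]
MOUNTS = [{"name": "redis-mtls-certs", "mountPath": "/etc/redis-certs", "readOnly": True}]
SECRET_KEYS = {"ca.crt", "client.crt", "client.key"}  # keys passed to --from-file

PATH_VARS = ("TFE_REDIS_CA_CERT_PATH", "TFE_REDIS_CLIENT_CERT_PATH", "TFE_REDIS_CLIENT_KEY_PATH")


def check_redis_mtls(env, volumes, mounts, secret_keys):
    """Return a list of misconfiguration findings; an empty list means the
    env vars, extraVolumes, extraVolumeMounts and secret keys are consistent."""
    findings = []
    if env.get("TFE_REDIS_USE_MTLS") != "true":
        findings.append('TFE_REDIS_USE_MTLS must be "true"')
    # Map each mounted directory to the secret that backs it.
    mount_dirs = {}
    for m in mounts:
        vol = next((v for v in volumes if v.get("name") == m.get("name")), None)
        if vol is None or "secret" not in vol:
            findings.append(f"mount {m.get('name')} has no matching secret volume in extraVolumes")
            continue
        if not m.get("readOnly"):
            findings.append(f"mount {m['name']} should be readOnly")
        mount_dirs[m["mountPath"].rstrip("/")] = vol["secret"].get("secretName")
    # Every certificate path must live under a mounted directory and name a secret key.
    for var in PATH_VARS:
        path = env.get(var)
        if not path:
            findings.append(f"{var} is not set")
            continue
        directory, fname = posixpath.split(path)
        if directory.rstrip("/") not in mount_dirs:
            findings.append(f"{var}={path} is not under any extraVolumeMounts mountPath")
        elif fname not in secret_keys:
            findings.append(f"{var}: the secret has no key {fname!r}")
    return findings
```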