Introduction
Since Terraform Enterprise version 1.x.x there is the option of connecting to Redis on Azure using MSI (managed identity) authentication, as documented here.
Problem
Terraform Enterprise does not start when Redis MSI authentication is configured.
Prerequisites
- Terraform Enterprise version >= 1.0.0
Cause
The issue could be that there is still something wrong with the MSI authentication configuration in Azure itself.
Solutions
Verify with the Redis client whether a connection can be made.
Connect to the Terraform Enterprise container
# docker
docker exec -it <terraform_enterprise_container> bash
# Kubernetes
kubectl -n terraform-enterprise exec -it <terraform_enterprise_container> -- bash
Verify that all the environment variables for the Redis connection are set correctly.
# command
env | grep REDIS
# output
TFE_REDIS_USE_AUTH=false
TFE_REDIS_PASSWORDLESS_AZURE_CLIENT_ID=<client_id>
TFE_REDIS_HOST=<redis_fqdn>:6380
TFE_REDIS_USER=<principal_id>
TFE_REDIS_PASSWORDLESS_AZURE_USE_MSI=true
TFE_REDIS_USE_TLS=true
TFE_REDIS_SIDEKIQ_PASSWORDLESS_AZURE_USE_MSI=true
Get an MSI authentication token for Redis. Replace CLIENT_ID with your actual value.
curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://redis.azure.com/&client_id=<CLIENT_ID>" | jq -r .access_token
The output should be a token that is needed in a later step.
Make the connection to Redis:
redis-cli -h <redis_fqdn> -p 6380 --tls
# Redis prompt should appear
<redis_fqdn>:6380>
Authenticate with the principal_id and the token using the AUTH command:
<redis_fqdn>:6380> AUTH <principal_id> <TOKEN_FROM_PREVIOUS_STEP>
OK
Test the access using the PING command, which should give a PONG response back:
<redis_fqdn>:6380> ping
PONG
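Before pasting the IMDS token into AUTH it is worth checking that it is the token the manual steps expect. The added example below is not part of the HashiCorp article; it assumes what the steps above rely on, namely that the AUTH username is the identity's principal (object) id, which appears in the token as the "oid" claim, and that the token's "aud" claim is the Redis resource requested from IMDS. The function names and the sample token built by sample_token() are this example's own constructions.

```shell
#!/usr/bin/env bash
# Added example, not from the HashiCorp article: check the token returned by
# the IMDS call above before using it in AUTH. It assumes what the manual
# steps rely on: Azure Cache for Redis takes the identity's principal (object)
# id as the AUTH username, which is the token's "oid" claim, and the token's
# "aud" claim must be the Redis resource requested from IMDS. The sample
# token built by sample_token() is constructed here and is not a credential.

# base64url -> plain text, restoring the '=' padding that JWTs omit.
b64url_decode() {
  local s pad
  s=$(printf '%s' "$1" | tr '_-' '/+')
  pad=$(( (4 - ${#s} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do s="${s}="; pad=$((pad - 1)); done
  printf '%s' "$s" | base64 -d
}

# Prints one string-valued claim from the JWT payload (second dot-separated
# segment). Uses sed so the check works in a container without jq.
jwt_claim() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Returns 0 when the token is usable for: AUTH <principal_id> <token>
# i.e. aud is the Redis resource and oid equals TFE_REDIS_USER.
check_redis_msi_token() {
  local token="$1" principal_id="$2" aud oid
  aud=$(jwt_claim "$token" aud)
  oid=$(jwt_claim "$token" oid)
  [ "$aud" = "https://redis.azure.com/" ] \
    || { echo "FAIL: aud is '$aud', expected https://redis.azure.com/"; return 1; }
  [ "$oid" = "$principal_id" ] \
    || { echo "FAIL: oid '$oid' does not match TFE_REDIS_USER '$principal_id'"; return 1; }
  echo "OK: token audience and principal id match TFE_REDIS_USER"
}

# Constructed, unsigned sample JWT so the checks can be exercised offline.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }
sample_token() {
  local hdr='{"typ":"JWT","alg":"none"}'
  local body="{\"aud\":\"$1\",\"oid\":\"$2\",\"exp\":0}"
  printf '%s.%s.' "$(b64url_encode "$hdr")" "$(b64url_encode "$body")"
}

# Real use inside the TFE container (token fetched as in the step above):
#   TOKEN=$(curl -s -H "Metadata: true" "<IMDS URL from above>" | jq -r .access_token)
#   check_redis_msi_token "$TOKEN" "$TFE_REDIS_USER"
```

A FAIL on the audience means the wrong resource was requested from IMDS; a FAIL on the oid means the client_id used for the token and the principal id in TFE_REDIS_USER belong to different identities.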
Outcome
The above steps prove that the Redis MSI connection is correctly set up.
- If the above steps fail, contact your Azure administrator team to resolve the issue.
- If the above steps succeed but Terraform Enterprise still fails to start, contact support and share a support bundle for review when creating the ticket.
Additional Information
Official documentation can be found here.