Introduction
Terraform Enterprise (TFE)'s Active-Active operational mode uses HashiCorp Vault's built-in high-availability feature. This means a single Vault cluster spans all TFE nodes. You can verify that the Active-Active setup has formed successfully by checking the Vault status.
Prerequisites
- Terraform Enterprise
- Flexible Deployment Options: All
- Operational Mode: Active/Active
Procedure
The following procedure uses a Kubernetes deployment with two replicas as an example. Substitute equivalent steps for other deployment options, and repeat the steps for each additional node.
1. Check node statuses
Ensure all nodes are up and running:
$ kubectl -n <TFE Namespace> get pod -o wide
NAME READY STATUS RESTARTS AGE IP
terraform-enterprise-66b8f8cc45-g7vkk 1/1 Running 0 18h 10.0.1.79
terraform-enterprise-66b8f8cc45-pwzlt 1/1 Running 0 23m 10.0.3.112
2. Verify Status of the First Node
Use kubectl exec to attach to the pod:
$ kubectl -n <TFE Namespace> exec -it terraform-enterprise-66b8f8cc45-g7vkk -- bash
Use vault status to inspect the status of the node:
This command requires you to explicitly set the environment variable VAULT_ADDR=http://127.0.0.1:8200, which tells the Vault CLI to use the HTTP protocol instead of its default, HTTPS.
Example output:
$ VAULT_ADDR=http://127.0.0.1:8200 vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.17.6
Build Date 2024-09-24T19:48:40Z
Storage Type postgresql
Cluster Name vault-cluster-a2cad030
Cluster ID 3f053fbf-9680-456f-d6d8-d909112722b0
HA Enabled true
HA Cluster https://10.0.1.79:8201
HA Mode active
Active Since 2025-01-15T04:53:39.078602529Z
3. Verify Status of the Second Node
Attach to the second pod and run vault status:
$ kubectl -n <TFE Namespace> exec -it terraform-enterprise-66b8f8cc45-pwzlt -- bash
Example output:
$ VAULT_ADDR=http://127.0.0.1:8200 vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.17.6
Build Date 2024-09-24T19:48:40Z
Storage Type postgresql
Cluster Name vault-cluster-a2cad030
Cluster ID 3f053fbf-9680-456f-d6d8-d909112722b0
HA Enabled true
HA Cluster https://10.0.1.79:8201
HA Mode standby
Active Node Address http://127.0.0.1:8200
4. Interpreting the Vault Status Output
The output shows that the Vault instances are in HA mode (HA Enabled is true), with the first pod in active mode and the second in standby. For installations with more nodes, one node will report active and all other nodes will report standby.
The Cluster Name, Cluster ID, and IP addresses should be identical across all pods. The standby nodes will reference the address of the active pod, in this example 10.0.1.79.
This configuration confirms that TFE is operating correctly in an Active-Active setup. If any of these values differ or the standby does not properly reference the active node
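The checks from step 4 as a script. This is an added example, not part of the original article or of HashiCorp's tooling. It parses saved vault status table output from each node and fails if a node is sealed, HA is disabled, the Cluster Name, Cluster ID or HA Cluster address differ between nodes, or the number of active nodes is not exactly one. The function names and file names are assumptions, and the sample input is trimmed from the example output above.

```sh
#!/bin/sh
# Added example: validate saved `vault status` output from every TFE node.

# field FILE KEY: print the value of a "Key   Value" row (keys may contain spaces).
field() {
  awk -v k="$2" 'index($0, k) == 1 && substr($0, length(k) + 1, 1) ~ /[ \t]/ {
    v = substr($0, length(k) + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# check_ha FILE...: unsealed, HA enabled, one shared cluster identity, exactly one active.
check_ha() {
  active=0; standby=0; ref=""
  for f in "$@"; do
    [ "$(field "$f" Sealed)" = "false" ] || { echo "FAIL: $f is sealed"; return 1; }
    [ "$(field "$f" "HA Enabled")" = "true" ] || { echo "FAIL: $f has HA disabled"; return 1; }
    ident="$(field "$f" "Cluster Name")|$(field "$f" "Cluster ID")|$(field "$f" "HA Cluster")"
    [ -n "$ref" ] || ref=$ident
    [ "$ident" = "$ref" ] || { echo "FAIL: $f reports a different cluster: $ident"; return 1; }
    case "$(field "$f" "HA Mode")" in
      active)  active=$((active + 1)) ;;
      standby) standby=$((standby + 1)) ;;
      *) echo "FAIL: $f has an unexpected HA Mode"; return 1 ;;
    esac
  done
  [ "$active" -eq 1 ] || { echo "FAIL: expected 1 active node, found $active"; return 1; }
  echo "OK: 1 active, $standby standby, cluster $ref"
}

# Sample input trimmed from the example output above; file names are assumptions.
dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
cat > "$dir/node1.txt" <<'EOF'
Sealed          false
Cluster Name    vault-cluster-a2cad030
Cluster ID      3f053fbf-9680-456f-d6d8-d909112722b0
HA Enabled      true
HA Cluster      https://10.0.1.79:8201
HA Mode         active
EOF
# Second node: same cluster identity, but in standby.
sed 's/active$/standby/' "$dir/node1.txt" > "$dir/node2.txt"
check_ha "$dir/node1.txt" "$dir/node2.txt"
```

To use it on a real deployment, save each node's vault status output to its own file and pass all of the files to check_ha. A non-zero exit status means the nodes do not form a single healthy HA cluster.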