Problem
After upgrading Terraform Enterprise to version v202207-2 or later, the application may fail to start when configured with an external Vault instance.
The tfe-atlas.stderr log in the support bundle shows Vault rejecting the application's request with an HTTP 403 and a permission denied message, for example:
Vault::HTTPClientError: The Vault server at `https://example.com/Vault/general/prod/v2' responded with a 403. Any additional information the server supplied is shown below: * 1 error occurred: * permission denied
Cause
Terraform Enterprise release v202207-2 introduced a security enhancement that changed the required external Vault policy: capabilities are now granted on the specific API paths the application uses instead of through wildcard matching. A policy that still follows the old wildcard pattern does not grant the token Terraform Enterprise obtains the access it now requests, so Vault answers 403 permission denied and the application fails to start.
You can review this change in the v202207-2 release notes.
Solution
To resolve this issue, you must update the external Vault policy and restart the Terraform Enterprise application.
Procedure
- Update your external Vault policy to match the latest specifications. You can find the required policy in the updated external Vault policy requirements documentation. Write the updated policy under the same policy name that is attached to the AppRole Terraform Enterprise authenticates with (and, if you use Vault namespaces, in the same namespace); writing it under a new name does not change what the existing role grants.
- Stop the Terraform Enterprise application. Execute the following command on the application host.
  # replicatedctl app stop
- Start the Terraform Enterprise application to apply the changes.
  # replicatedctl app start
After the application restarts, it will use the updated Vault policy, and the startup process should complete successfully.
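Before restarting, it is worth confirming that the token Terraform Enterprise will obtain actually holds the required capabilities, rather than discovering a remaining gap from another 403 in tfe-atlas.stderr. The script below is an added example and is not part of the original article or of HashiCorp's documentation. It assumes the `vault` CLI is installed, that VAULT_ADDR and VAULT_TOKEN point at the external Vault with VAULT_TOKEN being the token issued to the Terraform Enterprise AppRole (obtained with `vault write auth/approle/login role_id=... secret_id=...`), and that the three path/capability pairs in REQUIRED_PATHS are illustrative placeholders you replace with the list from the updated external Vault policy requirements documentation. The VAULT_CMD variable and the `check_tfe_vault_policy.sh` entry-point name are conventions of this example only.

```shell
#!/bin/sh
# Added example; not from the original article or HashiCorp's documentation.
# Assumes: `vault` on PATH; VAULT_ADDR and VAULT_TOKEN set, where VAULT_TOKEN
# is the token issued to the Terraform Enterprise AppRole (e.g. obtained with
# `vault write auth/approle/login role_id=... secret_id=...`).
# REQUIRED_PATHS holds ILLUSTRATIVE placeholder entries; replace them with the
# path/capability list from the updated external Vault policy documentation.

# Command used to query Vault. Overridable (VAULT_CMD=<function or binary>)
# so the check can be dry-run against a stub without a live server.
VAULT_CMD="${VAULT_CMD:-vault}"

# One entry per line: <API path> <comma-separated capabilities required>.
# Specific paths rather than wildcards, matching the v202207-2 policy style.
REQUIRED_PATHS='
auth/approle/login create,read
sys/leases/renew update
tfe/config read,update
'

# check_path PATH CAPS
# Returns 0 if the current token holds every capability in CAPS on PATH.
# Otherwise prints the missing capabilities to stderr and returns 1.
check_path() {
  _path=$1
  _needed=$2
  # `vault token capabilities PATH` prints e.g. "create, read", "deny" or "root".
  _have=$($VAULT_CMD token capabilities "$_path" 2>/dev/null) || {
    echo "ERROR: could not query capabilities for $_path" >&2
    return 1
  }
  _have=$(printf '%s' "$_have" | tr -d ' ')
  case ",$_have," in
    *,root,*) return 0 ;;   # root token: every capability is implied
  esac
  _missing=""
  for _cap in $(printf '%s' "$_needed" | tr ',' ' '); do
    case ",$_have," in
      *,"$_cap",*) ;;                      # granted
      *) _missing="$_missing $_cap" ;;     # absent (or the path is "deny")
    esac
  done
  if [ -n "$_missing" ]; then
    echo "MISSING on $_path:$_missing" >&2
    return 1
  fi
  return 0
}

# check_all
# Runs check_path over every REQUIRED_PATHS entry. Returns the number of
# paths that failed, so an exit status of 0 means the policy is sufficient.
check_all() {
  _failed=0
  while read -r _p _c; do
    [ -n "$_p" ] || continue
    check_path "$_p" "$_c" || _failed=$((_failed + 1))
  done <<EOF
$REQUIRED_PATHS
EOF
  return "$_failed"
}

# Entry point: exit non-zero if any required capability is missing. POSIX sh
# has no reliable "was I sourced" test, so the check runs only when the file
# is executed under its own name; when sourced, call check_all yourself.
case "${0##*/}" in
  check_tfe_vault_policy.sh) check_all ;;
esac
```

Run it as `VAULT_TOKEN=<approle token> sh check_tfe_vault_policy.sh`; it exits non-zero with one MISSING line per path that still lacks a capability. Because `vault token capabilities` reports what the token can do after all of its attached policies are combined, the check also catches the case where the updated policy was written under a new name while the AppRole still references the old one.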