From b5c3c414331f0c4f7243342dda6f1efaec118533 Mon Sep 17 00:00:00 2001 From: RAVI PRAKASH Date: Fri, 26 Sep 2025 14:06:28 +0530 Subject: [PATCH 1/8] Add AWS IAM database authentication support - Add database_passwordless_aws_use_iam and database_passwordless_aws_region variables to runtime_container_engine_config module - Configure DATABASE_AUTH_USE_AWS_IAM and DATABASE_AUTH_AWS_DB_REGION environment variables in database config - Enable AWS IAM database authentication when enabled --- .../database_config.tf | 2 ++ modules/runtime_container_engine_config/variables.tf | 12 ++++++++++++ 2 files changed, 14 insertions(+) diff --git a/modules/runtime_container_engine_config/database_config.tf b/modules/runtime_container_engine_config/database_config.tf index 57c6ece..9aa338d 100644 --- a/modules/runtime_container_engine_config/database_config.tf +++ b/modules/runtime_container_engine_config/database_config.tf @@ -14,6 +14,8 @@ locals { TFE_DATABASE_CLIENT_KEY_FILE = var.database_client_key_file TFE_DATABASE_PASSWORDLESS_AZURE_USE_MSI = var.database_passwordless_azure_use_msi TFE_DATABASE_PASSWORDLESS_AZURE_CLIENT_ID = var.database_passwordless_azure_client_id + DATABASE_AUTH_USE_AWS_IAM = var.database_passwordless_aws_use_iam + DATABASE_AUTH_AWS_DB_REGION = var.database_passwordless_aws_region } database_configuration = local.disk ? {} : local.database explorer_database = { diff --git a/modules/runtime_container_engine_config/variables.tf b/modules/runtime_container_engine_config/variables.tf index e2f9531..29aa19d 100644 --- a/modules/runtime_container_engine_config/variables.tf +++ b/modules/runtime_container_engine_config/variables.tf 
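Review bot: Turning on `database_passwordless_aws_use_iam` does not stop the static credential from being injected: `TFE_DATABASE_PASSWORD = var.database_password` stays in the same `local.database` map (it is visible as context in patch 4/8), so the container environment carries both a long-lived password and the IAM flag, and a rotated-away password keeps leaking into every pod spec and crash dump. Unless TFE requires the password to be set in IAM mode (not visible from this module), gate it: `TFE_DATABASE_PASSWORD = var.database_passwordless_aws_use_iam ? null : var.database_password`. The two added keys are the only entries in this map without the `TFE_` prefix; a one-line comment above them naming which component reads `DATABASE_AUTH_*` would spare the next reader the guesswork. The `locals` block continues outside the hunk.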
@@ -106,6 +106,18 @@ variable "database_passwordless_azure_client_id" { description = "Azure Managed Service Identity (MSI) Client ID. If not set, System Assigned Managed Identity will be used." } +variable "database_passwordless_aws_use_iam" { + default = false + type = bool + description = "Whether or not to use AWS IAM authentication to connect to the PostgreSQL database. Defaults to false if no value is given." +} + +variable "database_passwordless_aws_region" { + default = "" + type = string + description = "AWS region for IAM database authentication. Required when database_passwordless_aws_use_iam is true." +} + variable "explorer_database_host" { type = string default = null From e3e43dd8d8bf74fcfe2c54f7bcfee6207471959c Mon Sep 17 00:00:00 2001 From: RAVI PRAKASH Date: Fri, 26 Sep 2025 14:10:27 +0530 Subject: [PATCH 2/8] Add AWS IAM database authentication support - Add database_passwordless_aws_use_iam and database_passwordless_aws_region variables - Configure DATABASE_AUTH_USE_AWS_IAM and DATABASE_AUTH_AWS_DB_REGION environment variables - Enable AWS IAM passwordless authentication for TFE runtime containers --- modules/runtime_container_engine_config/variables.tf | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/modules/runtime_container_engine_config/variables.tf b/modules/runtime_container_engine_config/variables.tf index 29aa19d..4d0bef4 100644 --- a/modules/runtime_container_engine_config/variables.tf +++ b/modules/runtime_container_engine_config/variables.tf 
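Review bot: `database_passwordless_aws_region` is documented as "Required when database_passwordless_aws_use_iam is true" but nothing enforces it, so an empty region reaches the container and the failure only shows up when TFE cannot sign an RDS auth token at runtime. On Terraform 1.9+ a `validation` block on the region variable may reference the flag: `condition = !var.database_passwordless_aws_use_iam || var.database_passwordless_aws_region != ""` with an `error_message` naming both inputs; older releases reject cross-variable references inside `validation`, in which case the same condition belongs in a `precondition` on the resource that consumes `local.database_configuration`. Either way the requirement stops being a comment and becomes a plan-time error.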
@@ -118,6 +118,18 @@ variable "database_passwordless_aws_region" { description = "AWS region for IAM database authentication. Required when database_passwordless_aws_use_iam is true." } +variable "database_passwordless_aws_use_iam" { + default = false + type = bool + description = "Whether or not to use AWS IAM authentication to connect to the PostgreSQL database. Defaults to false if no value is given." +} + +variable "database_passwordless_aws_region" { + default = "" + type = string + description = "AWS region for IAM database authentication. Required when database_passwordless_aws_use_iam is true." +} + variable "explorer_database_host" { type = string default = null From a69de1cd38ff60fb60335b1c41b4880e48e27494 Mon Sep 17 00:00:00 2001 From: RAVI PRAKASH Date: Wed, 8 Oct 2025 01:02:46 +0530 Subject: [PATCH 3/8] Fix duplicate variable declarations for AWS IAM database authentication - Remove duplicate database_passwordless_aws_use_iam variable - Remove duplicate database_passwordless_aws_region variable - Variables are now declared only once as intended --- modules/runtime_container_engine_config/variables.tf | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/modules/runtime_container_engine_config/variables.tf b/modules/runtime_container_engine_config/variables.tf index 4d0bef4..29aa19d 100644 --- a/modules/runtime_container_engine_config/variables.tf +++ b/modules/runtime_container_engine_config/variables.tf 
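Review bot: Terraform rejects duplicate `variable` blocks, so the module fails `terraform validate` at this commit: `database_passwordless_aws_use_iam` and `database_passwordless_aws_region` are declared a second time immediately after the existing `database_passwordless_aws_region` block that forms the hunk's context, with identical bodies. Patch 3/8 deletes the copies again, which leaves two no-op commits in the series and a broken intermediate state for anyone bisecting. Squash 2/8 and 3/8 away before merge so every commit in the series builds.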
@@ -118,18 +118,6 @@ variable "database_passwordless_aws_region" { description = "AWS region for IAM database authentication. Required when database_passwordless_aws_use_iam is true." } -variable "database_passwordless_aws_use_iam" { - default = false - type = bool - description = "Whether or not to use AWS IAM authentication to connect to the PostgreSQL database. Defaults to false if no value is given." -} - -variable "database_passwordless_aws_region" { - default = "" - type = string - description = "AWS region for IAM database authentication. Required when database_passwordless_aws_use_iam is true." -} - variable "explorer_database_host" { type = string default = null From 86eec09fe5d2f21c1fb29414051612612e230432 Mon Sep 17 00:00:00 2001 From: RAVI PRAKASH Date: Wed, 29 Oct 2025 12:35:19 +0530 Subject: [PATCH 4/8] Fix: Add missing TFE_DATABASE_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE for postgres passwordless This critical fix adds the missing TFE_ prefixed environment variables that the Go config system requires to properly configure AWS RDS IAM authentication. Without these variables, the terraform-enterprise Go application cannot read the passwordless configuration via envconfig, causing 502 errors. Added: - TFE_DATABASE_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE (for Go config system) - TFE_DATABASE_PASSWORDLESS_AWS_REGION (for Go config system) Kept existing: - DATABASE_AUTH_USE_AWS_IAM (for Atlas Ruby application) - DATABASE_AUTH_AWS_DB_REGION (for Atlas Ruby application) This matches the pattern used in redis_config.tf and ensures both configuration systems receive the required environment variables. --- .../database_config.tf | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/modules/runtime_container_engine_config/database_config.tf b/modules/runtime_container_engine_config/database_config.tf index 9aa338d..c1efb72 100644 --- a/modules/runtime_container_engine_config/database_config.tf 
+++ b/modules/runtime_container_engine_config/database_config.tf
@@ -3,19 +3,21 @@ locals {
 database = {
- TFE_DATABASE_USER = var.database_user
- TFE_DATABASE_PASSWORD = var.database_password
- TFE_DATABASE_HOST = var.database_host
- TFE_DATABASE_NAME = var.database_name
- TFE_DATABASE_PARAMETERS = var.database_parameters
- TFE_DATABASE_USE_MTLS = var.database_use_mtls
- TFE_DATABASE_CA_CERT_FILE = var.database_ca_cert_file
- TFE_DATABASE_CLIENT_CERT_FILE = var.database_client_cert_file
- TFE_DATABASE_CLIENT_KEY_FILE = var.database_client_key_file
- TFE_DATABASE_PASSWORDLESS_AZURE_USE_MSI = var.database_passwordless_azure_use_msi
- TFE_DATABASE_PASSWORDLESS_AZURE_CLIENT_ID = var.database_passwordless_azure_client_id
- DATABASE_AUTH_USE_AWS_IAM = var.database_passwordless_aws_use_iam
- DATABASE_AUTH_AWS_DB_REGION = var.database_passwordless_aws_region
+ TFE_DATABASE_USER = var.database_user
+ TFE_DATABASE_PASSWORD = var.database_password
+ TFE_DATABASE_HOST = var.database_host
+ TFE_DATABASE_NAME = var.database_name
+ TFE_DATABASE_PARAMETERS = var.database_parameters
+ TFE_DATABASE_USE_MTLS = var.database_use_mtls
+ TFE_DATABASE_CA_CERT_FILE = var.database_ca_cert_file
+ TFE_DATABASE_CLIENT_CERT_FILE = var.database_client_cert_file
+ TFE_DATABASE_CLIENT_KEY_FILE = var.database_client_key_file
+ TFE_DATABASE_PASSWORDLESS_AZURE_USE_MSI = var.database_passwordless_azure_use_msi
+ TFE_DATABASE_PASSWORDLESS_AZURE_CLIENT_ID = var.database_passwordless_azure_client_id
+ TFE_DATABASE_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.database_passwordless_aws_use_iam
+ TFE_DATABASE_PASSWORDLESS_AWS_REGION = var.database_passwordless_aws_region
+ DATABASE_AUTH_USE_AWS_IAM = var.database_passwordless_aws_use_iam
+ DATABASE_AUTH_AWS_DB_REGION = var.database_passwordless_aws_region
 }
 database_configuration = local.disk ? {} : local.database
 explorer_database = {
From 014a42fc0bbdbb45a03bcca660e0b586285da454 Mon Sep 17 00:00:00 2001
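Review bot: `TFE_DATABASE_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE` is fed by a variable whose name and description only say "use AWS IAM authentication", so an operator running TFE on EKS with IRSA or pod identity cannot tell from this module whether the instance profile is the only credential source that will be honoured. If the Go side really reads the instance profile only, the variable description should say so; if it falls back to the default AWS credential chain, record that on the line itself, e.g. `# Go config keys are named *_USE_INSTANCE_PROFILE; credentials come from the default AWS chain — confirm`. The hunk also re-indents eleven unchanged lines to realign `=`, which buries the two real additions; run `terraform fmt` as a separate commit. The `locals` block continues outside the hunk.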
From: RAVI PRAKASH Date: Thu, 30 Oct 2025 11:03:50 +0530 Subject: [PATCH 5/8] Remove Redis AWS IAM passwordless variables from PostgreSQL-only branch --- .../variables.tf | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/modules/runtime_container_engine_config/variables.tf b/modules/runtime_container_engine_config/variables.tf index 29aa19d..859e383 100644 --- a/modules/runtime_container_engine_config/variables.tf +++ b/modules/runtime_container_engine_config/variables.tf @@ -148,6 +148,18 @@ variable "explorer_database_user" { description = "PostgreSQL user. Required when TFE_OPERATIONAL_MODE is external or active-active." } +variable "explorer_database_passwordless_azure_use_msi" { + default = false + type = bool + description = "Whether or not to use Azure Managed Service Identity (MSI) to connect to the explorer PostgreSQL database. Defaults to false if no value is given." +} + +variable "explorer_database_passwordless_azure_client_id" { + default = "" + type = string + description = "Azure Managed Service Identity (MSI) Client ID for explorer database. If not set, System Assigned Managed Identity will be used." +} + variable "disk_path" { default = null description = "The pathname of the directory in which Terraform Enterprise will store data in Mounted Disk mode. Required when var.operational_mode is 'disk'." 
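Review bot: Deleting `redis_passwordless_azure_use_msi` and `redis_passwordless_azure_client_id` further down this file breaks the module unless they are declared somewhere not shown: `redis_config.tf` still reads `var.redis_passwordless_azure_use_msi` and `var.redis_passwordless_azure_client_id` (they appear as context lines in patch 6/8), and Terraform errors on a reference to an undeclared input variable. The commit subject also says it removes Redis *AWS IAM* variables, while the diff removes the Redis *Azure MSI* pair and adds two explorer-database Azure MSI inputs, so the history misdescribes the change; retitle it to what the diff does. The two new `explorer_database_passwordless_azure_*` inputs are not consumed anywhere until patch 8/8 wires them into `local.explorer_database`, leaving them dead inputs at this commit.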
@@ -357,18 +369,6 @@ variable "redis_sentinel_password" { default = null } -variable "redis_passwordless_azure_use_msi" { - default = false - type = bool - description = "Whether or not to use Azure Managed Service Identity (MSI) to connect to the Redis server. Defaults to false if no value is given." -} - -variable "redis_passwordless_azure_client_id" { - default = "" - type = string - description = "Azure Managed Service Identity (MSI) Client ID to be used for redis authentication. If not set, System Assigned Managed Identity will be used." -} - variable "run_pipeline_image" { type = string description = "Container image used to execute Terraform runs. Leave blank to use the default image that comes with Terraform Enterprise. Defaults to \"\" if no value is given." From 7da773e12dc783ef1e46e2e4325051bec1c8f4cb Mon Sep 17 00:00:00 2001 From: RAVI PRAKASH Date: Thu, 30 Oct 2025 11:04:49 +0530 Subject: [PATCH 6/8] Remove all Redis AWS IAM passwordless configurations from PostgreSQL-only branch - Remove Redis AWS IAM variables from runtime_container_engine_config - Remove Redis AWS IAM variables from settings module - Remove Redis AWS IAM configuration from tfe_redis_config.tf - Keep only Azure MSI Redis variables that were in main branch - This branch should only contain PostgreSQL passwordless authentication --- .../redis_config.tf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/modules/runtime_container_engine_config/redis_config.tf b/modules/runtime_container_engine_config/redis_config.tf index 1223ad2..3cf67ef 100644 --- a/modules/runtime_container_engine_config/redis_config.tf +++ b/modules/runtime_container_engine_config/redis_config.tf 
@@ -20,6 +20,25 @@ locals {
 TFE_REDIS_PASSWORDLESS_AZURE_USE_MSI = var.redis_passwordless_azure_use_msi
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AZURE_USE_MSI = var.redis_passwordless_azure_use_msi
 TFE_REDIS_PASSWORDLESS_AZURE_CLIENT_ID = var.redis_passwordless_azure_client_id
+ # Additional legacy variables that TFE might expect
+ REDIS_HOST = var.redis_use_tls != null ? var.redis_use_tls ? "${var.redis_host}:6380" : var.redis_host : null
+ REDIS_USER = var.redis_user
+ REDIS_PASSWORD = var.redis_password
+ REDIS_USE_TLS = var.redis_use_tls ? "true" : "false"
+ REDIS_USE_AUTH = var.redis_use_auth ? "true" : "false"
+ # Legacy Redis IAM environment variables (for backward compatibility)
+ REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.redis_passwordless_aws_use_iam ? "true" : ""
+ REDIS_PASSWORDLESS_AWS_REGION = var.redis_passwordless_aws_region
+ REDIS_PASSWORDLESS_AWS_SERVICE_NAME = var.redis_passwordless_aws_service_name
+ REDIS_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
+ # Additional legacy variables that TFE might expect
+ REDIS_HOST = var.redis_use_tls != null ? var.redis_use_tls ? "${var.redis_host}:6380" : var.redis_host : null
+ REDIS_USER = var.redis_user
+ REDIS_PASSWORD = var.redis_password
+ REDIS_USE_TLS = var.redis_use_tls ? "true" : "false"
+ REDIS_USE_AUTH = var.redis_use_auth ? "true" : "false"
+ # Redis URL should not be set when using IAM authentication as it conflicts with passwordless auth
+ REDIS_URL = var.redis_passwordless_aws_use_iam ? null : null
 }
 redis_configuration = local.active_active ? local.redis : {}
 }
From 6c5ed8ab5aea0783f244bafd48445d8774b1f738 Mon Sep 17 00:00:00 2001
From: RAVI PRAKASH
Date: Thu, 30 Oct 2025 11:05:35 +0530
Subject: [PATCH 7/8] Complete cleanup of Redis AWS IAM references from redis_config.tf
---
 .../runtime_container_engine_config/redis_config.tf | 13 -------------
 1 file changed, 13 deletions(-)
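Review bot: `REDIS_HOST`, `REDIS_USER`, `REDIS_PASSWORD`, `REDIS_USE_TLS` and `REDIS_USE_AUTH` are each assigned twice in the same object constructor (the second "Additional legacy variables" block is a verbatim copy of the first), and HCL rejects duplicate object keys, so `local.redis` does not evaluate at this commit. The four `REDIS_PASSWORDLESS_AWS_*` entries read `var.redis_passwordless_aws_use_iam`, `_region`, `_service_name` and `_host_name`, which the commit message says this very patch removes, so they are undeclared too — and the `var.redis_passwordless_azure_*` references in the context lines lost their declarations in patch 5/8 unless they are declared elsewhere. `var.redis_use_tls ? "true" : "false"` fails with a null condition, a case the `REDIS_HOST` line directly above deliberately handles with `!= null`. `REDIS_PASSWORD = var.redis_password` exports the Redis secret under a second, unprefixed name on the strength of a comment saying TFE "might expect" it; a credential should only be placed in environment variables a consumer is known to read, and `REDIS_URL = ... ? null : null` is a no-op in both branches. The whole added block should go, not just the half that patch 7/8 deletes.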
diff --git a/modules/runtime_container_engine_config/redis_config.tf b/modules/runtime_container_engine_config/redis_config.tf
index 3cf67ef..74d6b23 100644
--- a/modules/runtime_container_engine_config/redis_config.tf
+++ b/modules/runtime_container_engine_config/redis_config.tf
@@ -26,19 +26,6 @@ locals {
 REDIS_PASSWORD = var.redis_password
 REDIS_USE_TLS = var.redis_use_tls ? "true" : "false"
 REDIS_USE_AUTH = var.redis_use_auth ? "true" : "false"
- # Legacy Redis IAM environment variables (for backward compatibility)
- REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.redis_passwordless_aws_use_iam ? "true" : ""
- REDIS_PASSWORDLESS_AWS_REGION = var.redis_passwordless_aws_region
- REDIS_PASSWORDLESS_AWS_SERVICE_NAME = var.redis_passwordless_aws_service_name
- REDIS_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
- # Additional legacy variables that TFE might expect
- REDIS_HOST = var.redis_use_tls != null ? var.redis_use_tls ? "${var.redis_host}:6380" : var.redis_host : null
- REDIS_USER = var.redis_user
- REDIS_PASSWORD = var.redis_password
- REDIS_USE_TLS = var.redis_use_tls ? "true" : "false"
- REDIS_USE_AUTH = var.redis_use_auth ? "true" : "false"
- # Redis URL should not be set when using IAM authentication as it conflicts with passwordless auth
- REDIS_URL = var.redis_passwordless_aws_use_iam ? null : null
 }
 redis_configuration = local.active_active ? local.redis : {}
 }
From f260178049f62bb844c80fef4e597e0fa0c01fe6 Mon Sep 17 00:00:00 2001
From: RAVI PRAKASH
Date: Fri, 31 Oct 2025 20:12:12 +0530
Subject: [PATCH 8/8] Add GCP IAM database authentication support - Add database_passwordless_gcp_use_default_credentials variable - Add DATABASE_AUTH_USE_GCP_IAM environment variable configuration - Required for GCP postgres passwordless authentication in terraform-google-terraform-enterprise
---
 .../database_config.tf | 14 +++++++++-----
 .../runtime_container_engine_config/variables.tf | 6 ++++++
 2 files changed, 15 insertions(+), 5 deletions(-)
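Review bot: The surviving "Additional legacy variables" block — `REDIS_PASSWORD`, `REDIS_USE_TLS` and `REDIS_USE_AUTH` in the hunk's leading context, plus `REDIS_HOST`/`REDIS_USER` just above it — still carries the defects the deleted copy had: `var.redis_use_tls ? "true" : "false"` fails evaluation when `redis_use_tls` is null, which the `REDIS_HOST` expression treats as a legal value, and `REDIS_PASSWORD` exports the Redis secret under a second name that the block's own comment admits is a guess. Either confirm that TFE reads the unprefixed `REDIS_*` keys and say so in the comment, or delete this block as well; "complete cleanup" in the subject suggests the latter was intended. If it stays, use `REDIS_USE_TLS = coalesce(var.redis_use_tls, false) ? "true" : "false"` (and the same for `redis_use_auth` if that input is nullable) so a null does not abort the plan. The `locals` block begins outside the hunk.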
diff --git a/modules/runtime_container_engine_config/database_config.tf b/modules/runtime_container_engine_config/database_config.tf
index c1efb72..3b0f744 100644
--- a/modules/runtime_container_engine_config/database_config.tf
+++ b/modules/runtime_container_engine_config/database_config.tf
@@ -16,16 +16,20 @@ locals {
 TFE_DATABASE_PASSWORDLESS_AZURE_CLIENT_ID = var.database_passwordless_azure_client_id
 TFE_DATABASE_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.database_passwordless_aws_use_iam
 TFE_DATABASE_PASSWORDLESS_AWS_REGION = var.database_passwordless_aws_region
+ TFE_DATABASE_PASSWORDLESS_GCP_USE_DEFAULT_CREDENTIALS = var.database_passwordless_gcp_use_default_credentials
 DATABASE_AUTH_USE_AWS_IAM = var.database_passwordless_aws_use_iam
 DATABASE_AUTH_AWS_DB_REGION = var.database_passwordless_aws_region
+ DATABASE_AUTH_USE_GCP_IAM = var.database_passwordless_gcp_use_default_credentials
 }
 database_configuration = local.disk ? {} : local.database
 explorer_database = {
- TFE_EXPLORER_DATABASE_HOST = var.explorer_database_host
- TFE_EXPLORER_DATABASE_NAME = var.explorer_database_name
- TFE_EXPLORER_DATABASE_USER = var.explorer_database_user
- TFE_EXPLORER_DATABASE_PASSWORD = var.explorer_database_password
- TFE_EXPLORER_DATABASE_PARAMETERS = var.explorer_database_parameters
+ TFE_EXPLORER_DATABASE_HOST = var.explorer_database_host
+ TFE_EXPLORER_DATABASE_NAME = var.explorer_database_name
+ TFE_EXPLORER_DATABASE_USER = var.explorer_database_user
+ TFE_EXPLORER_DATABASE_PASSWORD = var.explorer_database_password
+ TFE_EXPLORER_DATABASE_PARAMETERS = var.explorer_database_parameters
+ TFE_EXPLORER_DATABASE_PASSWORDLESS_AZURE_USE_MSI = var.explorer_database_passwordless_azure_use_msi
+ TFE_EXPLORER_DATABASE_PASSWORDLESS_AZURE_CLIENT_ID = var.explorer_database_passwordless_azure_client_id
 }
 explorer_database_configuration = var.explorer_database_host == null ? {} : local.explorer_database
 }
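Review bot: After this change three independent flags — `database_passwordless_azure_use_msi`, `database_passwordless_aws_use_iam` and `database_passwordless_gcp_use_default_credentials` — can all be true in the same `local.database`, and `TFE_DATABASE_PASSWORD` is still emitted regardless (it is in the same map, above the hunk), so which credential TFE actually uses is decided by precedence inside the application rather than by the operator. The module should refuse that combination at plan time, and should drop the static password from the map when any passwordless mode is on unless TFE is known to require it: `TFE_DATABASE_PASSWORD = anytrue([var.database_passwordless_azure_use_msi, var.database_passwordless_aws_use_iam, var.database_passwordless_gcp_use_default_credentials]) ? null : var.database_password`. The explorer database gains only the Azure MSI pair here; if it is meant to follow the primary database's auth mode on AWS and GCP, those flags need wiring into `local.explorer_database` the same way (not determinable from this module). The `locals` block begins outside the hunk.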
diff --git a/modules/runtime_container_engine_config/variables.tf b/modules/runtime_container_engine_config/variables.tf
index 859e383..01673fe 100644
--- a/modules/runtime_container_engine_config/variables.tf
+++ b/modules/runtime_container_engine_config/variables.tf
@@ -118,6 +118,12 @@ variable "database_passwordless_aws_region" {
 description = "AWS region for IAM database authentication. Required when database_passwordless_aws_use_iam is true."
 }
+variable "database_passwordless_gcp_use_default_credentials" {
+ default = false
+ type = bool
+ description = "Whether or not to use Google Cloud default credentials (IAM) to connect to the PostgreSQL database. Defaults to false if no value is given."
+}
+
 variable "explorer_database_host" {
 type = string
 default = null
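Review bot: Nothing prevents this flag from being enabled together with `database_passwordless_azure_use_msi` and `database_passwordless_aws_use_iam`, so a copy-pasted tfvars that leaves a previous cloud's flag on produces a configuration whose effective credential source is undefined from the module's point of view. On Terraform 1.9+ a `validation` block on this variable may reference the other two flags and fail the plan when more than one is set; older releases reject cross-variable references inside `validation`, so there the check has to live in a `precondition` on the resource that consumes `local.database_configuration`. The description should also state the mutual exclusion so the contract is visible without reading the validation.

```hcl
variable "database_passwordless_gcp_use_default_credentials" {
  # … unchanged: default, type, description …

  # Requires Terraform >= 1.9 (cross-variable references in validation); on older
  # releases move this condition into a precondition on the consuming resource.
  validation {
    condition = length([
      for enabled in [
        var.database_passwordless_azure_use_msi,
        var.database_passwordless_aws_use_iam,
        var.database_passwordless_gcp_use_default_credentials,
      ] : enabled if enabled
    ]) <= 1
    error_message = "At most one of database_passwordless_azure_use_msi, database_passwordless_aws_use_iam and database_passwordless_gcp_use_default_credentials may be true."
  }
}
```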