terraform-aws-terraform-enterprise-hvd

# Terraform Enterprise HVD on AWS EC2

Terraform module aligned with HashiCorp Validated Designs (HVD) to deploy Terraform Enterprise (TFE) on Amazon Web Services (AWS) using EC2 instances with a container runtime. This module defaults to deploying TFE in the `active-active` [operational mode](https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/operation-modes), but `external` is also supported. Docker and Podman are the supported container runtimes.

![TFE architecture](https://developer.hashicorp.com/.extracted/hvd/img/terraform/solution-design-guides/tfe/architecture-logical-active-active.png)

## Prerequisites

### General

- TFE license file (_e.g._ `terraform.hclic`)
- Terraform CLI `>= 1.9` installed on clients/workstations that will be used to deploy TFE
- General understanding of how to use Terraform (Community Edition)
- General understanding of how to use AWS
- `git` CLI and Visual Studio Code editor installed on workstations are strongly recommended
- AWS account that TFE will be deployed in with permissions to create these [resources](#resources) via Terraform CLI
- (Optional) AWS S3 bucket for [S3 remote state backend](https://developer.hashicorp.com/terraform/language/settings/backends/s3) that will be used to manage the Terraform state of this TFE deployment (out-of-band from the TFE application) via Terraform CLI (Community Edition)

### Networking

- AWS VPC ID and the following subnets:
  - Load balancer subnet IDs (can be the same as EC2 subnets if desirable)
  - EC2 (compute) subnet IDs
  - RDS (database) subnet IDs
  - Redis subnet IDs (can be the same as RDS subnets if desirable)
- (Optional) S3 VPC endpoint configured within VPC
- (Optional) AWS Route53 hosted zone for TFE DNS record creation
- Chosen fully qualified domain name (FQDN) for your TFE instance (_e.g._ `tfe.aws.example.com`)

> Note: It is recommended to specify a minimum of two subnets for each subnet input to enable high availability.

#### Security groups

- This module will automatically create the necessary security groups and attach them to the applicable resources
- Identify CIDR range(s) that will need to access the TFE application (managed via [cidr_allow_ingress_tfe_443](#input_cidr_allow_ingress_tfe_443) input variable)
- Identify CIDR range(s) that will need to access the shell of the TFE EC2 instances (managed via [cidr_allow_ingress_ec2_ssh](#input_cidr_allow_ingress_ec2_ssh) input variable)
- Be familiar with the [TFE ingress requirements](https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/requirements/network#ingress)
- Be familiar with the [TFE egress requirements](https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/requirements/network#egress)

### TLS certificates

- TLS certificate (_e.g._ `cert.pem`) and private key (_e.g._ `privkey.pem`) that matches your chosen fully qualified domain name (FQDN) for TFE
  - TLS certificate and private key must be in PEM format
  - Private key must **not** be password protected
- TLS certificate authority (CA) bundle (_e.g._ `ca_bundle.pem`) corresponding with the CA that issues your TFE TLS certificates
  - CA bundle must be in PEM format
  - You may include additional certificate chains corresponding to external systems that TFE will make outbound connections to (_e.g._ your self-hosted VCS, if its certificate was issued by a different CA than your TFE certificate).

> Note: All three of these files will be created as secrets in AWS Secrets Manager per the next section.
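Before the TLS files and passwords are turned into bootstrap secrets, it is worth checking them against the rules stated in this section and in the Secrets management section that follows (PEM format, an unencrypted private key, password length limits and the forbidden `@`, `"` and `/` characters). The POSIX shell script below is an added example and is not part of this module: its function names are its own, it assumes `grep`, `base64` and `mktemp` are available, the encrypted-key markers it rejects come from the PEM/PKCS standards rather than from this README, and the PEM bodies in its demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the terraform-enterprise-hvd module): pre-flight
# checks on TFE bootstrap secret values before they are stored in AWS Secrets
# Manager. The rules encoded here are the ones the README states:
#   database password: 8-128 characters, must not contain '@', '"' or '/'
#   Redis password:    16-128 characters, must not contain '@', '"' or '/'
#   TLS cert / private key / CA bundle: PEM files, base64-encoded into a string
#   private key: must not be password protected

# check_password VALUE MIN MAX -> exit 0 when VALUE satisfies the length and
# forbidden-character rules, 1 otherwise.
check_password() {
  _pw=$1
  _min=$2
  _max=$3
  [ "${#_pw}" -ge "$_min" ] && [ "${#_pw}" -le "$_max" ] || return 1
  case $_pw in
    *@*|*\"*|*/*) return 1 ;;
  esac
  return 0
}

check_db_password()    { check_password "$1" 8 128; }
check_redis_password() { check_password "$1" 16 128; }

# is_pem FILE -> exit 0 when FILE exists and carries a PEM BEGIN/END armour pair.
is_pem() {
  [ -f "$1" ] && grep -q '^-----BEGIN ' "$1" && grep -q '^-----END ' "$1"
}

# key_is_unencrypted FILE -> exit 0 when FILE is a PEM private key without
# passphrase protection. Encrypted keys announce themselves either with the
# PKCS#8 "ENCRYPTED PRIVATE KEY" label or with the PKCS#1 "Proc-Type: 4,ENCRYPTED"
# header (markers from the PEM standards, not from the README), so both are rejected.
# This does not verify that the key matches the certificate.
key_is_unencrypted() {
  is_pem "$1" || return 1
  grep -q 'PRIVATE KEY-----' "$1" || return 1
  if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" \
     || grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
    return 1
  fi
  return 0
}

# pem_to_secret_string FILE -> prints the single-line base64 encoding of FILE,
# i.e. the "base64-encoded into a string" form the README asks for the three
# TLS secrets. Fails when FILE is not PEM.
pem_to_secret_string() {
  is_pem "$1" || return 1
  base64 < "$1" | tr -d '\n'
}

# Demo on constructed sample inputs (the PEM bodies are placeholders, not key material).
demo() {
  _dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$_dir/privkey.pem"
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDER' '-----END ENCRYPTED PRIVATE KEY-----' > "$_dir/encrypted.pem"

  check_db_password 'correct-horse-battery'   && echo "db password:    ok" || echo "db password:    REJECTED"
  check_redis_password 'too/short'            && echo "redis password: ok" || echo "redis password: REJECTED"
  key_is_unencrypted "$_dir/privkey.pem"      && echo "privkey.pem:    ok" || echo "privkey.pem:    REJECTED"
  key_is_unencrypted "$_dir/encrypted.pem"    && echo "encrypted.pem:  ok" || echo "encrypted.pem:  REJECTED"
  echo "secret string for privkey.pem: $(pem_to_secret_string "$_dir/privkey.pem")"
  rm -rf "$_dir"
}

demo
```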
### Secrets management

The following _bootstrap_ secrets must be stored in **AWS Secrets Manager** in order to bootstrap the TFE deployment and installation:

- **TFE license file** - raw contents of license file stored as a plaintext secret (_e.g._ `cat terraform.hclic`)
- **TFE encryption password** - random characters stored as a plaintext secret (used to protect internally-managed Vault unseal key and root token)
- **TFE database password** - used to create RDS Aurora (PostgreSQL) database cluster; random characters stored as a plaintext secret; value must be between 8 and 128 characters long and must **not** contain `@`, `"`, or `/` characters
- **TFE Redis password** - used to create Redis (Elasticache Replication Group) cluster; random characters stored as a plaintext secret; value must be between 16 and 128 characters long and must **not** contain `@`, `"`, or `/` characters
- **TFE TLS certificate** - file in PEM format, base64-encoded into a string, and stored as a plaintext secret
- **TFE TLS certificate private key** - file in PEM format, base64-encoded into a string, and stored as a plaintext secret
- **TFE TLS CA bundle** - file in PEM format, base64-encoded into a string, and stored as a plaintext secret

> Note: See the [TFE bootstrap secrets](./docs/tfe-bootstrap-secrets.md) doc for more details on how these secrets should be stored in AWS Secrets Manager.

### Compute

#### Connecting to shell of EC2 instances

One of the following mechanisms for shell access to TFE EC2 instances:

- EC2 SSH key pair
- AWS SSM (can be enabled by setting [ec2_allow_ssm](#input_ec2_allow_ssm) boolean input variable to `true`)

### Log forwarding (optional)

One of the following logging destinations:

- AWS CloudWatch log group
- AWS S3 bucket
- A custom Fluent Bit configuration that will forward logs to a custom destination

## Usage

1. Create/configure/validate the applicable [prerequisites](#prerequisites).

2. Refer to the ready-made Terraform configuration provided in the [main](./examples/main) example subdirectory within the [examples](./examples) directory for how to deploy this module. To get started, copy all of the Terraform files from the [main](./examples/main) example into a new destination directory. This will serve as your root Terraform configuration for managing your TFE deployment. Below is a common directory structure for managing multiple TFE deployments:

   ```pre
   .
   └── environments
       ├── production
       │   ├── backend.tf
       │   ├── main.tf
       │   ├── outputs.tf
       │   ├── terraform.tfvars
       │   └── variables.tf
       └── sandbox
           ├── backend.tf
           ├── main.tf
           ├── outputs.tf
           ├── terraform.tfvars
           └── variables.tf
   ```

   > Note: In this example, the user will have two separate TFE deployments; one for their `sandbox` environment, and one for their `production` environment. This is recommended, but not required.

3. (Optional) Uncomment and update the [S3 remote state backend](https://developer.hashicorp.com/terraform/language/settings/backends/s3) configuration provided in the `backend.tf` file with your own custom values. While this step is highly recommended, it is technically not required to use a remote backend config for your TFE deployment.

4. Copy the provided `terraform.tfvars.example` file and rename it to `terraform.tfvars`. Then, replace or validate all of the variable values enclosed in the `< >` characters with your own custom values. Inline helper comments are included with some of the variables to help guide you in setting appropriate values. For detailed information about each input variable, as well as additional optional inputs, refer to the variable descriptions or the [deployment customizations](./docs/deployment-customizations.md) documentation.

5. Ensure the module `source` meta-argument within your `main.tf` accurately reflects the location from which you are calling this module. We recommend calling the module directly from its [Terraform registry](https://registry.terraform.io/modules/hashicorp/terraform-enterprise-hvd/aws/latest) location as shown below:

   ```hcl
   module "tfe" {
     source  = "hashicorp/terraform-enterprise-hvd/aws"
     version = "x.x.x"
     ...
   }
   ```

6. Navigate to the directory containing your newly created root Terraform configuration for the TFE deployment, and run `terraform init`, `terraform plan`, and `terraform apply`.

7. After your `terraform apply` finishes successfully, you can monitor the installation progress by connecting to your TFE EC2 instance shell via SSH or AWS SSM and observing the cloud-init (user_data) logs:

   **Connecting to the EC2 instance**

   SSH when `ec2_os_distro` is `ubuntu`:

   ```shell
   ssh -i /path/to/ec2_ssh_key_pair.pem ubuntu@
   ```

   SSH when `ec2_os_distro` is `rhel` or `al2023`:

   ```shell
   ssh -i /path/to/ec2_ssh_key_pair.pem ec2-user@
   ```

   **Viewing the logs**

   View the higher-level logs:

   ```shell
   tail -f /var/log/tfe-cloud-init.log
   ```

   View the lower-level logs:

   ```shell
   journalctl -xu cloud-final -f
   ```

   > Note: The `-f` argument is to _follow_ the logs as they append in real-time, and is optional. You may remove the `-f` for a static view.

   **Successful install log message**

   The log files should display the following log message after the cloud-init (user_data) script finishes successfully:

   ```shell
   [INFO] tfe_user_data script finished successfully!
   ```

8. After the cloud-init (user_data) script finishes successfully, while still connected to the TFE EC2 instance shell, you can check the health status of TFE:

   ```shell
   cd /etc/tfe
   sudo docker compose exec tfe tfe-health-check-status
   ```

9. Follow the steps to [create the TFE initial admin user](https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/initial-admin-user).
## Docs

Below are links to various docs related to the customization and management of your TFE deployment:

- [Deployment customizations](./docs/deployment-customizations.md)
- [TFE version upgrades](./docs/tfe-version-upgrades.md)
- [TFE TLS certificate rotation](./docs/tfe-cert-rotation.md)
- [TFE configuration settings](./docs/tfe-config-settings.md)
- [TFE bootstrap secrets](./docs/tfe-bootstrap-secrets.md)

## Module support

This open source software is maintained by the HashiCorp Technical Field Organization, independently of our enterprise products. While our Support Engineering team provides dedicated support for our enterprise offerings, this open source software is not included.

- For help using this open source software, please engage your account team.
- To report bugs/issues with this open source software, please open them directly against this code repository using the GitHub issues feature.

Please note that there is no official Service Level Agreement (SLA) for support of this software as a HashiCorp customer. This software falls under the definition of Community Software/Versions in your Agreement. We appreciate your understanding and collaboration in improving our open source projects.

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement_terraform) | >= 1.9 |
| [aws](#requirement_aws) | ~> 5.100 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider_aws) | 5.84.0 |

## Modules

No modules.
## Resources

| Name | Type |
|------|------|
| [aws_autoscaling_group.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource |
| [aws_db_parameter_group.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group) | resource |
| [aws_db_subnet_group.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
| [aws_elasticache_replication_group.redis_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group) | resource |
| [aws_elasticache_subnet_group.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource |
| [aws_iam_instance_profile.tfe_ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
| [aws_iam_policy.s3_crr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy_attachment.s3_crr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
| [aws_iam_role.s3_crr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.tfe_ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.tfe_ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy_attachment.aws_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_launch_template.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
| [aws_lb.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
| [aws_lb.nlb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
| [aws_lb_listener.alb_443](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
| [aws_lb_listener.lb_nlb_443](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
| [aws_lb_target_group.alb_443](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
| [aws_lb_target_group.nlb_443](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
| [aws_rds_cluster.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster) | resource |
| [aws_rds_cluster_instance.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance) | resource |
| [aws_rds_cluster_parameter_group.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_parameter_group) | resource |
| [aws_rds_global_cluster.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_global_cluster) | resource |
| [aws_route53_record.alias_record](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_s3_bucket.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_public_access_block.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_s3_bucket_replication_configuration.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_replication_configuration) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_s3_bucket_versioning.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
| [aws_security_group.ec2_allow_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.ec2_allow_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.lb_allow_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.lb_allow_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.rds_allow_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.redis_allow_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.ec2_allow_cidr_ingress_tfe_metrics_http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ec2_allow_cidr_ingress_tfe_metrics_https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ec2_allow_egress_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ec2_allow_egress_dns_tcp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ec2_allow_egress_dns_udp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ec2_allow_egress_http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ec2_allow_egress_https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ec2_allow_egress_proxy_http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ec2_allow_egress_proxy_https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ec2_allow_egress_rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ec2_allow_egress_redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ec2_allow_egress_vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ec2_allow_ingress_ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ec2_allow_ingress_tfe_https_from_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ec2_allow_ingress_vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.lb_allow_egress_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.lb_allow_ingress_tfe_https_from_cidr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.lb_allow_ingress_tfe_https_from_ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.rds_allow_ingress_from_ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.redis_allow_ingress_from_ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_ami.al2023](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_ami.rhel](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_ami.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_ami.ubuntu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_cloudwatch_log_group.log_fwd](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudwatch_log_group) | data source |
| [aws_ecr_repository.tfe_app_container_image](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_repository) | data source |
| [aws_iam_policy_document.s3_crr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.s3_crr_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_allow_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_allow_cost_estimation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_allow_ebs_kms_cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_allow_get_redis_password_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_allow_rds_kms_cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_allow_redis_kms_cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_allow_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_allow_s3_kms_cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_allow_s3_log_fwd](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_allow_tfe_app_image_pull_from_ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_get_enc_password_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_get_license_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_get_rds_password_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_get_tls_ca_bundle_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_get_tls_cert_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.tfe_ec2_get_tls_privkey_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_route53_zone.tfe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
| [aws_s3_bucket.log_fwd](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
| [aws_secretsmanager_secret_version.tfe_database_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |
| [aws_secretsmanager_secret_version.tfe_redis_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [additional_no_proxy](#input_additional_no_proxy) | Comma-separated list of domains, IP addresses, or CIDR ranges for which TFE should bypass the proxy when making outbound requests, provided `http_proxy` or `https_proxy` are set. This list is in addition to automatically included addresses like RDS, S3, and Redis, which are dynamically added to `no_proxy` by the user_data script. Do not set if `http_proxy` and/or `https_proxy` are not configured. | `string` | `null` | no |
| [asg_health_check_grace_period](#input_asg_health_check_grace_period) | The amount of time to wait for a new TFE EC2 instance to become healthy. If this threshold is breached, the ASG will terminate the instance and launch a new one. | `number` | `900` | no |
| [asg_instance_count](#input_asg_instance_count) | Desired number of TFE EC2 instances to run in autoscaling group. Must be `1` when `tfe_operational_mode` is `external`. | `number` | `1` | no |
| [asg_max_size](#input_asg_max_size) | Max number of TFE EC2 instances to run in autoscaling group. Only valid when `tfe_operational_mode` is `active-active`. Value is hard-coded to `1` when `tfe_operational_mode` is `external`. | `number` | `3` | no |
| [cidr_allow_egress_ec2_dns](#input_cidr_allow_egress_ec2_dns) | List of destination CIDR ranges to allow TCP/53 and UDP/53 (DNS) outbound from TFE EC2 instances. Only set if you want to use custom DNS servers instead of the AWS-provided DNS resolver within your VPC. | `list(string)` | `null` | no |
| [cidr_allow_egress_ec2_http](#input_cidr_allow_egress_ec2_http) | List of destination CIDR ranges to allow TCP/80 outbound from TFE EC2 instances. | `list(string)` | `["0.0.0.0/0"]` | no |
| [cidr_allow_egress_ec2_https](#input_cidr_allow_egress_ec2_https) | List of destination CIDR ranges to allow TCP/443 outbound from TFE EC2 instances. Include the CIDR range of your VCS provider if you are configuring VCS integration with TFE. | `list(string)` | `["0.0.0.0/0"]` | no |
| [cidr_allow_egress_ec2_proxy](#input_cidr_allow_egress_ec2_proxy) | List of destination CIDR range(s) where proxy server exists. Required and only valid when `http_proxy` and/or `https_proxy` are set. | `list(string)` | `null` | no |
| [cidr_allow_ingress_ec2_ssh](#input_cidr_allow_ingress_ec2_ssh) | List of CIDR ranges to allow SSH ingress to TFE EC2 instance (i.e. bastion IP, client/workstation IP, etc.). | `list(string)` | `null` | no |
| [cidr_allow_ingress_tfe_443](#input_cidr_allow_ingress_tfe_443) | List of CIDR ranges allowed to access the TFE application over HTTPS (port 443). | `list(string)` | `["0.0.0.0/0"]` | no |
| [cidr_allow_ingress_tfe_metrics_http](#input_cidr_allow_ingress_tfe_metrics_http) | List of CIDR ranges to allow TCP/9090 (HTTP) inbound to metrics endpoint on TFE EC2 instances. | `list(string)` | `null` | no |
| [cidr_allow_ingress_tfe_metrics_https](#input_cidr_allow_ingress_tfe_metrics_https) | List of CIDR ranges to allow TCP/9091 (HTTPS) inbound to metrics endpoint on TFE EC2 instances. | `list(string)` | `null` | no |
| [cloudwatch_log_group_name](#input_cloudwatch_log_group_name) | Name of CloudWatch Log Group to configure as log forwarding destination. Only valid when `tfe_log_forwarding_enabled` is `true`. | `string` | `null` | no |
| [common_tags](#input_common_tags) | Map of common tags for all taggable AWS resources. | `map(string)` | `{}` | no |
| [container_runtime](#input_container_runtime) | Container runtime to use for TFE. Supported values are `docker` or `podman`. | `string` | `"docker"` | no |
| [create_route53_tfe_dns_record](#input_create_route53_tfe_dns_record) | Boolean to create Route53 Alias Record for `tfe_hostname` resolving to Load Balancer DNS name. If `true`, `route53_tfe_hosted_zone_name` is also required. | `bool` | `false` | no |
| [custom_fluent_bit_config](#input_custom_fluent_bit_config) | Custom Fluent Bit configuration for log forwarding. Only valid when `tfe_log_forwarding_enabled` is `true` and `log_fwd_destination_type` is `custom`. | `string` | `null` | no |
| [custom_tfe_startup_script_template](#input_custom_tfe_startup_script_template) | Filename of a custom TFE startup script template to use in place of the built-in user_data script. The file must exist within a directory named './templates' in your current working directory. | `string` | `null` | no |
| [docker_version](#input_docker_version) | Version of Docker to install on TFE EC2 instances. Not applicable to Amazon Linux 2023 distribution (when `ec2_os_distro` is `al2023`). | `string` | `"28.0.1"` | no |
| [ebs_iops](#input_ebs_iops) | Amount of IOPS to configure when EBS volume type is `gp3`. Must be greater than or equal to `3000` and less than or equal to `16000`. | `number` | `3000` | no |
| [ebs_is_encrypted](#input_ebs_is_encrypted) | Boolean to encrypt the EBS root block device of the TFE EC2 instance(s). An AWS managed key will be used when `true` unless a value is also specified for `ebs_kms_key_arn`. | `bool` | `true` | no |
| [ebs_kms_key_arn](#input_ebs_kms_key_arn) | ARN of KMS customer managed key (CMK) to encrypt TFE EC2 EBS volumes. | `string` | `null` | no |
| [ebs_throughput](#input_ebs_throughput) | Throughput (MB/s) to configure when EBS volume type is `gp3`. Must be greater than or equal to `125` and less than or equal to `1000`. | `number` | `250` | no |
| [ebs_volume_size](#input_ebs_volume_size) | Size (GB) of the root EBS volume for TFE EC2 instances. Must be greater than or equal to `50` and less than or equal to `16000`. | `number` | `50` | no |
| [ebs_volume_type](#input_ebs_volume_type) | EBS volume type for TFE EC2 instances. | `string` | `"gp3"` | no |
| [ec2_allow_all_egress](#input_ec2_allow_all_egress) | Boolean to allow all egress traffic from TFE EC2 instances. | `bool` | `false` | no |
| [ec2_allow_ssm](#input_ec2_allow_ssm) | Boolean to attach the `AmazonSSMManagedInstanceCore` policy to the TFE instance role, allowing the SSM agent (if present) to function. | `bool` | `false` | no |
| [ec2_ami_id](#input_ec2_ami_id) | Custom AMI ID for TFE EC2 launch template. If specified, value of `ec2_os_distro` must coincide with this custom AMI OS distro. | `string` | `null` | no |
| [ec2_instance_size](#input_ec2_instance_size) | EC2 instance type for TFE EC2 launch template. | `string` | `"m7i.xlarge"` | no |
| [ec2_os_distro](#input_ec2_os_distro) | Linux OS distribution type for TFE EC2 instance. Choose from `al2023`, `ubuntu`, `rhel`, `centos`. | `string` | `"ubuntu"` | no |
| [ec2_ssh_key_pair](#input_ec2_ssh_key_pair) | Name of existing SSH key pair to attach to TFE EC2 instance. | `string` | `null` | no |
| [ec2_subnet_ids](#input_ec2_subnet_ids) | List of subnet IDs to use for the EC2 instance. Private subnets are the best practice here. | `list(string)` | n/a | yes |
| [friendly_name_prefix](#input_friendly_name_prefix) | Friendly name prefix used for uniquely naming all AWS resources for this deployment. Most commonly set to either an environment (e.g. 'sandbox', 'prod'), a team name, or a project name. | `string` | n/a | yes |
| [http_proxy](#input_http_proxy) | Proxy address (including port number) for TFE to use for outbound HTTP requests (e.g. `http://proxy.example.com:3128`). | `string` | `null` | no |
| [https_proxy](#input_https_proxy) | Proxy address (including port number) for TFE to use for outbound HTTPS requests (e.g. `http://proxy.example.com:3128`). | `string` | `null` | no |
| [is_secondary_region](#input_is_secondary_region) | Boolean indicating whether this TFE deployment is in the primary or secondary (replica) region. | `bool` | `false` | no |
| [lb_is_internal](#input_lb_is_internal) | Boolean to create an internal (private) load balancer. The `lb_subnet_ids` must be private subnets when this is `true`. | `bool` | `true` | no |
| [lb_subnet_ids](#input_lb_subnet_ids) | List of subnet IDs to use for the load balancer. If `lb_is_internal` is `false`, then these should be public subnets. Otherwise, these should be private subnets. | `list(string)` | n/a | yes |
| [lb_stickiness_enabled](#input_lb_stickiness_enabled) | Boolean to enable sticky sessions for the load balancer. When `lb_type` is `nlb`, sticky sessions are enabled by client IP address. | `bool` | `true` | no |
| [lb_type](#input_lb_type) | Indicates which type of AWS load balancer is created: Application Load Balancer (`alb`) or Network Load Balancer (`nlb`). | `string` | `"nlb"` | no |
| [log_fwd_destination_type](#input_log_fwd_destination_type) | Type of log forwarding destination for Fluent Bit. Supported values are `s3`, `cloudwatch`, or `custom`. | `string` | `"cloudwatch"` | no |
| [rds_apply_immediately](#input_rds_apply_immediately) | Boolean to apply changes immediately to RDS cluster instance. | `bool` | `true` | no |
| [rds_aurora_engine_mode](#input_rds_aurora_engine_mode) | RDS Aurora database engine mode. | `string` | `"provisioned"` | no |
| [rds_aurora_engine_version](#input_rds_aurora_engine_version) | Engine version of RDS Aurora PostgreSQL. | `number` | `16.2` | no |
| [rds_aurora_instance_class](#input_rds_aurora_instance_class) | Instance class of Aurora PostgreSQL database. | `string` | `"db.r6i.xlarge"` | no |
| [rds_aurora_replica_count](#input_rds_aurora_replica_count) | Number of replica (reader) cluster instances to create within the RDS Aurora database cluster (within the same region). | `number` | `1` | no |
| [rds_availability_zones](#input_rds_availability_zones) | List of AWS availability zones to spread Aurora database cluster instances across. Leave as `null` and RDS will automatically assign 3 availability zones. | `list(string)` | `null` | no |
| [rds_backup_retention_period](#input_rds_backup_retention_period) | The number of days to retain backups for. Must be between 0 and 35. Must be greater than 0 if the database cluster is used as a source of a read replica cluster. | `number` | `35` | no |
| [rds_deletion_protection](#input_rds_deletion_protection) | Boolean to enable deletion protection for RDS Aurora global cluster. | `bool` | `false` | no |
| [rds_force_destroy](#input_rds_force_destroy) | Boolean to enable the removal of RDS database cluster members from RDS global cluster on destroy. | `bool` | `false` | no |
| [rds_global_cluster_id](#input_rds_global_cluster_id) | ID of RDS global cluster. Only required when `is_secondary_region` is `true`, otherwise leave as `null`. | `string` | `null` | no |
| [rds_kms_key_arn](#input_rds_kms_key_arn) | ARN of KMS customer managed key (CMK) to encrypt TFE RDS cluster. | `string` | `null` | no |
| [rds_parameter_group_family](#input_rds_parameter_group_family) | Family of RDS Aurora PostgreSQL database parameter group. | `string` | `"aurora-postgresql16"` | no |
| [rds_performance_insights_enabled](#input_rds_performance_insights_enabled) | Boolean to enable performance insights for RDS cluster instance(s). | `bool` | `true` | no |
| [rds_performance_insights_retention_period](#input_rds_performance_insights_retention_period) | Number of days to retain RDS performance insights data. Must be between 7 and 731. | `number` | `7` | no |
| [rds_preferred_backup_window](#input_rds_preferred_backup_window) | Daily time range (UTC) for RDS backup to occur. Must not overlap with `rds_preferred_maintenance_window`. | `string` | `"04:00-04:30"` | no |
| [rds_preferred_maintenance_window](#input_rds_preferred_maintenance_window) | Window (UTC) to perform RDS database maintenance. Must not overlap with `rds_preferred_backup_window`. | `string` | `"Sun:08:00-Sun:09:00"` | no |
| [rds_replication_source_identifier](#input_rds_replication_source_identifier) | ARN of source RDS cluster or cluster instance if this database cluster is to be created as a read replica. Only required when `is_secondary_region` is `true`, otherwise leave as `null`. |
| \`string\` | \`null\` | no | | [rds\_skip\_final\_snapshot](#input\_rds\_skip\_final\_snapshot) | Boolean to enable RDS to take a final database snapshot before destroying. | \`bool\` | \`false\` | no | | [rds\_source\_region](#input\_rds\_source\_region) | Source region for RDS cross-region replication. Only required when \`is_secondary_region\` is \`true\`, otherwise leave as \`null\`. | \`string\` | \`null\` | no | | [rds\_storage\_encrypted](#input\_rds\_storage\_encrypted) | Boolean to encrypt RDS storage. An AWS managed key will be used when \`true\` unless a value is also specified for \`rds_kms_key_arn\`. | \`bool\` | \`true\` | no | | [rds\_subnet\_ids](#input\_rds\_subnet\_ids) | List of subnet IDs to use for RDS database subnet group. Private subnets is the best practice here. | \`list(string)\` | n/a | yes | | [redis\_apply\_immediately](#input\_redis\_apply\_immediately) | Boolean to apply changes immediately to Redis cluster. | \`bool\` | \`true\` | no | | [redis\_at\_rest\_encryption\_enabled](#input\_redis\_at\_rest\_encryption\_enabled) | Boolean to enable encryption at rest on Redis cluster. An AWS managed key will be used when \`true\` unless a value is also specified for \`redis_kms_key_arn\`. | \`bool\` | \`true\` | no | | [redis\_auto\_minor\_version\_upgrade](#input\_redis\_auto\_minor\_version\_upgrade) | Boolean to enable automatic minor version upgrades for Redis cluster. | \`bool\` | \`true\` | no | | [redis\_automatic\_failover\_enabled](#input\_redis\_automatic\_failover\_enabled) | Boolean for deploying Redis nodes in multiple availability zones and enabling automatic failover. | \`bool\` | \`true\` | no | | [redis\_engine\_version](#input\_redis\_engine\_version) | Redis version number. | \`string\` | \`"7.1"\` | no | | [redis\_kms\_key\_arn](#input\_redis\_kms\_key\_arn) | ARN of KMS customer managed key (CMK) to encrypt Redis cluster with. 
| \`string\` | \`null\` | no | | [redis\_multi\_az\_enabled](#input\_redis\_multi\_az\_enabled) | Boolean to create Redis nodes across multiple availability zones. If \`true\`, \`redis_automatic_failover_enabled\` must also be \`true\`, and more than one subnet must be specified within \`redis_subnet_ids\`. | \`bool\` | \`true\` | no | | [redis\_node\_type](#input\_redis\_node\_type) | Type (size) of Redis node from a compute, memory, and network throughput standpoint. | \`string\` | \`"cache.m5.large"\` | no | | [redis\_parameter\_group\_name](#input\_redis\_parameter\_group\_name) | Name of parameter group to associate with Redis cluster. | \`string\` | \`"default.redis7"\` | no | | [redis\_port](#input\_redis\_port) | Port number the Redis nodes will accept connections on. | \`number\` | \`6379\` | no | | [redis\_subnet\_ids](#input\_redis\_subnet\_ids) | List of subnet IDs to use for Redis cluster subnet group. Private subnets is the best practice here. | \`list(string)\` | \`[]\` | no | | [redis\_transit\_encryption\_enabled](#input\_redis\_transit\_encryption\_enabled) | Boolean to enable TLS encryption between TFE and the Redis cluster. | \`bool\` | \`true\` | no | | [route53\_tfe\_hosted\_zone\_is\_private](#input\_route53\_tfe\_hosted\_zone\_is\_private) | Boolean indicating if \`route53_tfe_hosted_zone_name\` is a private hosted zone. | \`bool\` | \`false\` | no | | [route53\_tfe\_hosted\_zone\_name](#input\_route53\_tfe\_hosted\_zone\_name) | Route53 Hosted Zone name to create \`tfe_hostname\` Alias record in. Required if \`create_route53_tfe_dns_record\` is \`true\`. | \`string\` | \`null\` | no | | [s3\_destination\_bucket\_arn](#input\_s3\_destination\_bucket\_arn) | ARN of destination S3 bucket for cross-region replication configuration. Bucket should already exist in secondary region. Required when \`s3_enable_bucket_replication\` is \`true\`. 
| \`string\` | \`""\` | no | | [s3\_destination\_bucket\_kms\_key\_arn](#input\_s3\_destination\_bucket\_kms\_key\_arn) | ARN of KMS key of destination S3 bucket for cross-region replication configuration if it is encrypted with a customer managed key (CMK). | \`string\` | \`null\` | no | | [s3\_enable\_bucket\_replication](#input\_s3\_enable\_bucket\_replication) | Boolean to enable cross-region replication for TFE S3 bucket. An \`s3_destination_bucket_arn\` is required when \`true\`. | \`bool\` | \`false\` | no | | [s3\_enable\_bucket\_replication\_bidirectional](#input\_s3\_enable\_bucket\_replication\_bidirectional) | Enables bidirectional replication from secondary region to primary region. Only valid when \`s3_enable_bucket_replication\` and \`is_secondary_region\` are true. | \`bool\` | \`false\` | no | | [s3\_enable\_bucket\_replication\_rtc](#input\_s3\_enable\_bucket\_replication\_rtc) | Boolean to enable real-time change (RTC) monitoring for TFE S3 bucket replication. Only valid when \`s3_enable_bucket_replication\` is \`true\`. | \`bool\` | \`false\` | no | | [s3\_kms\_key\_arn](#input\_s3\_kms\_key\_arn) | ARN of KMS customer managed key (CMK) to encrypt TFE S3 bucket with. | \`string\` | \`null\` | no | | [s3\_log\_fwd\_bucket\_name](#input\_s3\_log\_fwd\_bucket\_name) | Name of S3 bucket to configure as log forwarding destination. Only valid when \`tfe_log_forwarding_enabled\` is \`true\`. | \`string\` | \`null\` | no | | [tfe\_admin\_https\_port](#input\_tfe\_admin\_https\_port) | Port the TFE application container listens on for [system (admin) API endpoints](https://developer.hashicorp.com/terraform/enterprise/api-docs#system-endpoints-overview) HTTPS traffic. This value is used for both the host and container port. | \`number\` | \`9443\` | no | | [tfe\_alb\_tls\_certificate\_arn](#input\_tfe\_alb\_tls\_certificate\_arn) | ARN of existing TFE TLS certificate imported in ACM to be used for application load balancer (ALB) HTTPS listeners. 
Required when \`lb_type\` is \`alb\`. | \`string\` | \`null\` | no | | [tfe\_capacity\_concurrency](#input\_tfe\_capacity\_concurrency) | Maximum number of concurrent Terraform runs to allow on a TFE node. | \`number\` | \`10\` | no | | [tfe\_capacity\_cpu](#input\_tfe\_capacity\_cpu) | Maximum number of CPU cores that a Terraform run is allowed to consume in TFE. Set to \`0\` for no limit. | \`number\` | \`0\` | no | | [tfe\_capacity\_memory](#input\_tfe\_capacity\_memory) | Maximum amount of memory (in MiB) that a Terraform run is allowed to consume in TFE. | \`number\` | \`2048\` | no | | [tfe\_cost\_estimation\_iam\_enabled](#input\_tfe\_cost\_estimation\_iam\_enabled) | Boolean to add AWS pricing actions to TFE IAM instance profile for cost estimation feature. | \`string\` | \`true\` | no | | [tfe\_database\_name](#input\_tfe\_database\_name) | Name of TFE database to create within RDS global cluster. | \`string\` | \`"tfe"\` | no | | [tfe\_database\_parameters](#input\_tfe\_database\_parameters) | PostgreSQL server parameters for the connection URI. Used to configure the PostgreSQL connection. | \`string\` | \`"sslmode=require"\` | no | | [tfe\_database\_password\_secret\_arn](#input\_tfe\_database\_password\_secret\_arn) | ARN of AWS Secrets Manager secret for the TFE database password used to create RDS Aurora (PostgreSQL) database cluster. Secret type should be plaintext. Value of secret must be from 8 to 128 alphanumeric characters or symbols (excluding \`@\`, \`"\`, and \`/\`). | \`string\` | n/a | yes | | [tfe\_database\_user](#input\_tfe\_database\_user) | Username for TFE RDS database cluster. | \`string\` | \`"tfe"\` | no | | [tfe\_encryption\_password\_secret\_arn](#input\_tfe\_encryption\_password\_secret\_arn) | ARN of AWS Secrets Manager secret for TFE encryption password. Secret type should be plaintext. | \`string\` | n/a | yes | | [tfe\_fqdn](#input\_tfe\_fqdn) | Fully qualified domain name (FQDN) of TFE instance. 
This name should resolve to the DNS name or IP address of the TFE load balancer and will be what clients use to access TFE. | \`string\` | n/a | yes | | [tfe\_hairpin\_addressing](#input\_tfe\_hairpin\_addressing) | Boolean to enable hairpin addressing for layer 4 load balancer with loopback prevention. Must be \`true\` when \`lb_type\` is \`nlb\` and \`lb_is_internal\` is \`true\`. | \`bool\` | \`true\` | no | | [tfe\_http\_port](#input\_tfe\_http\_port) | Port the TFE application container listens on for HTTP traffic. This is not the host port. | \`number\` | \`8080\` | no | | [tfe\_https\_port](#input\_tfe\_https\_port) | Port the TFE application container listens on for HTTPS traffic. This is not the host port. | \`number\` | \`8443\` | no | | [tfe\_iact\_subnets](#input\_tfe\_iact\_subnets) | Comma-separated list of subnets in CIDR notation (e.g., \`10.0.0.0/8,192.168.0.0/24\`) that are allowed to retrieve the TFE initial admin creation token (IACT) via the API or web browser. Leave as \`null\` to disable IACT retrieval via the API from external clients. | \`string\` | \`null\` | no | | [tfe\_iact\_time\_limit](#input\_tfe\_iact\_time\_limit) | Number of minutes that the TFE initial admin creation token (IACT) can be retrieved via the API after the application starts. | \`number\` | \`60\` | no | | [tfe\_iact\_token](#input\_tfe\_iact\_token) | A pre-populated TFE initial admin creation token (IACT). Leave as \`null\` for the system to generate a random one. | \`string\` | \`null\` | no | | [tfe\_iact\_trusted\_proxies](#input\_tfe\_iact\_trusted\_proxies) | Comma-separated list of proxy IP addresses that are allowed to retrieve the TFE initial admin creation token (IACT) via the API or web browser. Leave as \`null\` to disable IACT retrieval via the API from external clients through a proxy. | \`string\` | \`null\` | no | | [tfe\_image\_name](#input\_tfe\_image\_name) | Name of the TFE application container image. 
Override this only if you are hosting the image in a custom registry. If you are using Amazon ECR, specify only the repository name here (e.g., 'tfe-app'), not the full image path. | \`string\` | \`"hashicorp/terraform-enterprise"\` | no | | [tfe\_image\_repository\_password](#input\_tfe\_image\_repository\_password) | Password for authenticating to the container registry that hosts the TFE application container image. Leave as \`null\` if using the default TFE registry, as the TFE license will be used as the password. If you are using Amazon ECR, this should be a valid ECR token or leave as \`null\` to use the instance profile. | \`string\` | \`null\` | no | | [tfe\_image\_repository\_url](#input\_tfe\_image\_repository\_url) | Container registry hostname for the TFE application container image. Override this only if you are hosting the image in a custom registry. If you are using Amazon ECR, specify only the registry URI (e.g., '.dkr.ecr..amazonaws.com'), not the full image path. | \`string\` | \`"images.releases.hashicorp.com"\` | no | | [tfe\_image\_repository\_username](#input\_tfe\_image\_repository\_username) | Username for authenticating to the container registry that hosts the TFE application container image. Override this only if you are hosting the image in a custom registry. If you are using Amazon ECR, specify 'AWS'. | \`string\` | \`"terraform"\` | no | | [tfe\_image\_tag](#input\_tfe\_image\_tag) | Tag for the TFE application container image, representing the specific version of Terraform Enterprise to install. | \`string\` | \`"v202505-1"\` | no | | [tfe\_ipv6\_enabled](#input\_tfe\_ipv6\_enabled) | Boolean to enable TFE to listen on IPv6 and IPv4 addresses. When \`false\`, TFE listens on IPv4 addresses only. | \`bool\` | \`false\` | no | | [tfe\_license\_reporting\_opt\_out](#input\_tfe\_license\_reporting\_opt\_out) | Boolean to opt out of reporting TFE licensing information to HashiCorp. 
| \`bool\` | \`false\` | no | | [tfe\_log\_forwarding\_enabled](#input\_tfe\_log\_forwarding\_enabled) | Boolean to enable TFE log forwarding feature. | \`bool\` | \`false\` | no | | [tfe\_metrics\_enable](#input\_tfe\_metrics\_enable) | Boolean to enable TFE metrics endpoints. | \`bool\` | \`false\` | no | | [tfe\_metrics\_http\_port](#input\_tfe\_metrics\_http\_port) | HTTP port for TFE metrics scrape. | \`number\` | \`9090\` | no | | [tfe\_metrics\_https\_port](#input\_tfe\_metrics\_https\_port) | HTTPS port for TFE metrics scrape. | \`number\` | \`9091\` | no | | [tfe\_object\_storage\_s3\_access\_key\_id](#input\_tfe\_object\_storage\_s3\_access\_key\_id) | Access key ID for S3 bucket. Required when \`tfe_object_storage_s3_use_instance_profile\` is \`false\`. | \`string\` | \`null\` | no | | [tfe\_object\_storage\_s3\_secret\_access\_key](#input\_tfe\_object\_storage\_s3\_secret\_access\_key) | Secret access key for S3 bucket. Required when \`tfe_object_storage_s3_use_instance_profile\` is \`false\`. | \`string\` | \`null\` | no | | [tfe\_object\_storage\_s3\_use\_instance\_profile](#input\_tfe\_object\_storage\_s3\_use\_instance\_profile) | Boolean to use TFE instance profile for S3 bucket access. If \`false\`, \`tfe_object_storage_s3_access_key_id\` and \`tfe_object_storage_s3_secret_access_key\` are required. | \`bool\` | \`true\` | no | | [tfe\_operational\_mode](#input\_tfe\_operational\_mode) | [Operational mode](https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/operation-modes) for TFE. Valid values are \`active-active\` or \`external\`. | \`string\` | \`"active-active"\` | no | | [tfe\_redis\_password\_secret\_arn](#input\_tfe\_redis\_password\_secret\_arn) | ARN of AWS Secrets Manager secret for the TFE Redis password used to create Redis (Elasticache Replication Group) cluster. Secret type should be plaintext. Value of secret must be from 16 to 128 alphanumeric characters or symbols (excluding \`@\`, \`"\`, and \`/\`). 
| \`string\` | \`null\` | no | | [tfe\_run\_pipeline\_docker\_network](#input\_tfe\_run\_pipeline\_docker\_network) | Docker network where the containers that execute Terraform runs will be created. The network must already exist, it will not be created automatically. Leave as \`null\` to use the default network created by TFE. | \`string\` | \`null\` | no | | [tfe\_run\_pipeline\_image](#input\_tfe\_run\_pipeline\_image) | Name of the Docker image to use for the run pipeline driver. | \`string\` | \`null\` | no | | [tfe\_run\_pipeline\_image\_ecr\_repo\_name](#input\_tfe\_run\_pipeline\_image\_ecr\_repo\_name) | Name of the AWS ECR repository containing your custom TFE run pipeline image. | \`string\` | \`null\` | no | | [tfe\_tls\_ca\_bundle\_secret\_arn](#input\_tfe\_tls\_ca\_bundle\_secret\_arn) | ARN of AWS Secrets Manager secret for private/custom TLS Certificate Authority (CA) bundle in PEM format. Secret must be stored as a base64-encoded string. Secret type should be plaintext. | \`string\` | n/a | yes | | [tfe\_tls\_cert\_secret\_arn](#input\_tfe\_tls\_cert\_secret\_arn) | ARN of AWS Secrets Manager secret for TFE TLS certificate in PEM format. Secret must be stored as a base64-encoded string. Secret type should be plaintext. | \`string\` | n/a | yes | | [tfe\_tls\_enforce](#input\_tfe\_tls\_enforce) | Boolean to enforce TLS. | \`bool\` | \`false\` | no | | [tfe\_tls\_privkey\_secret\_arn](#input\_tfe\_tls\_privkey\_secret\_arn) | ARN of AWS Secrets Manager secret for TFE TLS private key in PEM format. Secret must be stored as a base64-encoded string. Secret type should be plaintext. | \`string\` | n/a | yes | | [tfe\_vault\_disable\_mlock](#input\_tfe\_vault\_disable\_mlock) | Boolean to disable mlock for internal Vault. | \`bool\` | \`false\` | no | | [vpc\_id](#input\_vpc\_id) | ID of VPC where TFE will be deployed. 
| \`string\` | n/a | yes | ## Outputs | Name | Description | |------|-------------| | [elasticache\_replication\_group\_arn](#output\_elasticache\_replication\_group\_arn) | ARN of ElastiCache Replication Group (Redis) cluster. | | [elasticache\_replication\_group\_id](#output\_elasticache\_replication\_group\_id) | ID of ElastiCache Replication Group (Redis) cluster. | | [elasticache\_replication\_group\_primary\_endpoint\_address](#output\_elasticache\_replication\_group\_primary\_endpoint\_address) | Primary endpoint address of ElastiCache Replication Group (Redis) cluster. | | [lb\_dns\_name](#output\_lb\_dns\_name) | DNS name of the Load Balancer. | | [rds\_aurora\_cluster\_arn](#output\_rds\_aurora\_cluster\_arn) | ARN of RDS Aurora database cluster. | | [rds\_aurora\_cluster\_endpoint](#output\_rds\_aurora\_cluster\_endpoint) | RDS Aurora database cluster endpoint. | | [rds\_aurora\_cluster\_members](#output\_rds\_aurora\_cluster\_members) | List of instances that are part of this RDS Aurora database cluster. | | [rds\_aurora\_global\_cluster\_id](#output\_rds\_aurora\_global\_cluster\_id) | RDS Aurora global database cluster identifier. | | [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | ARN of TFE S3 bucket. | | [s3\_bucket\_name](#output\_s3\_bucket\_name) | Name of TFE S3 bucket. | | [s3\_crr\_iam\_role\_arn](#output\_s3\_crr\_iam\_role\_arn) | ARN of S3 cross-region replication IAM role. | | [tfe\_create\_initial\_admin\_user\_url](#output\_tfe\_create\_initial\_admin\_user\_url) | URL to create TFE initial admin user. | | [tfe\_database\_host](#output\_tfe\_database\_host) | PostgreSQL server endpoint in the format that TFE will connect to. | | [tfe\_url](#output\_tfe\_url) | URL to access TFE application based on value of \`tfe_fqdn\` input. |
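The inputs above carry several interdependencies (an internal load balancer needs private `lb_subnet_ids`, an internal NLB needs `tfe_hairpin_addressing`, Redis multi-AZ needs automatic failover and more than one subnet, each data store can take its own CMK, and every secret is referenced by Secrets Manager ARN). The module call below is an added example written for this page, not one of the module's own examples; the `source` path, `locals`, subnet and VPC IDs, ARNs and the admin CIDR are placeholders to replace, and the proxy address is the one the table uses.

```hcl
# Added example (not from the module repository): a hardened module call that
# satisfies the input interdependencies documented in the inputs table.
# Every ID, ARN, CIDR and the module source below is a placeholder to replace.
locals {
  cmk_arn = "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER" # placeholder CMK ARN
}

module "tfe" {
  source = "../../terraform-aws-terraform-enterprise-hvd" # placeholder path

  friendly_name_prefix = "prod"
  tfe_fqdn             = "tfe.aws.example.com"
  tfe_operational_mode = "active-active"

  # Networking: an internal NLB requires private LB subnets and hairpin addressing.
  vpc_id                 = "vpc-PLACEHOLDER"
  lb_type                = "nlb"
  lb_is_internal         = true
  lb_subnet_ids          = ["subnet-PRIV-A", "subnet-PRIV-B"]
  tfe_hairpin_addressing = true
  ec2_subnet_ids         = ["subnet-PRIV-A", "subnet-PRIV-B"]
  rds_subnet_ids         = ["subnet-DB-A", "subnet-DB-B"]
  redis_subnet_ids       = ["subnet-DB-A", "subnet-DB-B"] # >1 subnet: needed for multi-AZ

  # Egress: keep the default deny posture and send outbound traffic through a proxy.
  ec2_allow_all_egress = false
  http_proxy           = "http://proxy.example.com:3128"
  https_proxy          = "http://proxy.example.com:3128"
  ec2_allow_ssm        = true # SSM Session Manager instead of an SSH key pair
  ec2_ssh_key_pair     = null

  # Secrets and TLS material are referenced by Secrets Manager ARN, never inlined.
  tfe_database_password_secret_arn   = "arn:aws:secretsmanager:REGION:ACCOUNT:secret:PLACEHOLDER-db"
  tfe_redis_password_secret_arn      = "arn:aws:secretsmanager:REGION:ACCOUNT:secret:PLACEHOLDER-redis"
  tfe_encryption_password_secret_arn = "arn:aws:secretsmanager:REGION:ACCOUNT:secret:PLACEHOLDER-enc"
  tfe_tls_cert_secret_arn            = "arn:aws:secretsmanager:REGION:ACCOUNT:secret:PLACEHOLDER-cert"
  tfe_tls_privkey_secret_arn         = "arn:aws:secretsmanager:REGION:ACCOUNT:secret:PLACEHOLDER-key"
  tfe_tls_ca_bundle_secret_arn       = "arn:aws:secretsmanager:REGION:ACCOUNT:secret:PLACEHOLDER-ca"
  tfe_tls_enforce                    = true
  tfe_database_parameters            = "sslmode=require"

  # Object storage through the instance profile, so no static access keys exist.
  tfe_object_storage_s3_use_instance_profile = true

  # Encryption at rest with a customer managed key for every data store.
  ebs_is_encrypted                 = true
  ebs_kms_key_arn                  = local.cmk_arn
  rds_storage_encrypted            = true
  rds_kms_key_arn                  = local.cmk_arn
  redis_at_rest_encryption_enabled = true
  redis_transit_encryption_enabled = true
  redis_kms_key_arn                = local.cmk_arn
  s3_kms_key_arn                   = local.cmk_arn

  # Redis HA: multi-AZ requires automatic failover (and the two subnets above).
  redis_multi_az_enabled           = true
  redis_automatic_failover_enabled = true

  # Database safety rails for a production cluster.
  rds_deletion_protection     = true
  rds_backup_retention_period = 35

  # Restrict initial admin token (IACT) retrieval to an admin CIDR for a short window.
  tfe_iact_subnets    = "10.10.0.0/24" # constructed admin CIDR
  tfe_iact_time_limit = 30

  # Forward application logs to CloudWatch for detection and audit.
  tfe_log_forwarding_enabled = true
  log_fwd_destination_type   = "cloudwatch"
}
```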
