» Terraform Enterprise Logs
This document contains information about interacting with Private Terraform Enterprise logs. There are two types of logs, application logs and audit logs. Application logs emit information about the services that comprise Terraform Enterprise. Audit logs emit information whenever any resource managed by Terraform Enterprise is changed.
» Application Logs
» Installer
Installer-based PTFE runs in a set of Docker containers. As such, any tooling that can interact with Docker logs can read the logs. This includes the command docker logs
, as well as access via the Docker API.
An example of a tool that can automatically pull logs for all docker containers is logspout. Logspout can be configured to take the Docker logs and send them to a syslog endpoint. Here's an example invocation:
$ docker run --name="logspout" \
--volume=/var/run/docker.sock:/var/run/docker.sock \
gliderlabs/logspout \
syslog+tls://logs.mycompany.com:55555
The logspout container uses the Docker API internally to find other running containers and ingress their logs, then send them to logs.mycompany.com
on port 55555 using syslog with TCP/TLS.
NOTE: While docker has support for daemon-wide log drivers that can send all logs for all containers to various services,
Private Terraform Enterprise only supports having the Docker log-driver
configured to either json-file
or journald
.
All other log drivers prevent the support bundle functionality from gathering logs, making it
impossible to provide product support. DO NOT change the log driver of an installation to anything other than json-file
or journald
.
» AMI based installs
Private Terraform Enterprise's application-level services all log to CloudWatch logs, with one stream per service. The stream names take the format:
{hostname}-{servicename}
Where hostname
is the fqdn you provided when setting up Private Terraform Enterprise, and servicename
is the name of the service whose logs can be found in the stream. More information about each service can be found in tfe-architecture
.
For example, if your Private Terraform Enterprise installation is available at tfe.mycompany.io
, you'll find CloudWatch Log streams like the following:
tfe.mycompany.io-atlas-frontend
tfe.mycompany.io-atlas-worker
tfe.mycompany.io-binstore
tfe.mycompany.io-logstream
tfe.mycompany.io-packer-build-manager
tfe.mycompany.io-packer-build-worker
tfe.mycompany.io-slug-extract
tfe.mycompany.io-slug-ingress
tfe.mycompany.io-slug-merge
tfe.mycompany.io-storagelocker
tfe.mycompany.io-terraform-build-manager
tfe.mycompany.io-terraform-build-worker
tfe.mycompany.io-terraform-state-parser
CloudWatch logs can be searched, filtered, and read from either from the AWS Web Console or (recommended) the command line awslogs
tool.
Note: All other system-level logs can be found in the standard locations for an Ubuntu 16.04 system.
» Audit Logs
Audit log entries are written to the application logs. To distinguish audit Log entries from other log entries, the JSON is prefixed with [Audit Log]
.
» Installer
The audit logs are emitted along with other logs by the ptfe_atlas
container.
» AMI based installs
As of Private Terraform Enterprise release v201802-1, audit logging is available in Private Terraform Enterprise. These are written out to CloudWatch logs just like all other application-level logs.
» Log Contents
The audit log will be updated when any resource managed by Terraform Enterprise is changed. Read requests will be logged for resources deemed sensitive. These include:
- Authentication Tokens
- Configuration Versions
- Policy Versions
- OAuth Tokens
- SSH Keys
- State Versions
- Users
- Variables
When requests occur, these pieces of information will be logged:
- The actor
- Users (including IP address)
- Version Control System users (identified in webhooks)
- Service accounts
- Terraform Enterprise
- The action
- Reading sensitive resources
- Creation of new resources
- Updating existing resources
- Deletion of existing resources
- Additional actions as defined in /actions/* namespaces
- Webhook API calls
- The target of the action (any resource exposed by the V2 API)
- The time that the action occurred
- Where the action was taken (web/API request, background job, etc.)
» Log Format
Log entries are in JSON, just like other Terraform logs. Most audit log entries are formatted like this:
{
"timestamp": "2017-12-19T15:23:45.148Z",
"resource": "workspace",
"action": "destroy",
"resource_id": "ws-9a3hrbYfFsTzg2FZ",
"actor": "jsmith",
"actor_ip": "94.122.17.37"
}
Certain entries will contain additional information in the payload, but all audit log entries will contain the above keys.
» Log Location
Audit log entries are written to the application logs. To distinguish audit log entries from other log entries, the JSON is prefixed with [Audit Log]
. These are written out to CloudWatch logs just like all other application-level logs. For example:
2018-03-27 21:55:29 [INFO] [Audit Log] {"resource":"oauth_client","action":"create","resource_id":"oc-FErAhnuHHwcad3Kx","actor":"atlasint","timestamp":"2018-03-27T21:55:29Z","actor_ip":"11.22.33.44"}