Wazuh_Terraform_Setup

Shihab Hossain Shifat

Feb 3, 2026, 7:12:19 AM
to Wazuh | Mailing List
I want to install a Wazuh Docker setup with persistent storage.
Here I have attached the script file for your analysis.

Problem:

The first time I run terraform apply it works, but when I destroy the EC2 instance and re-apply Terraform, the Wazuh dashboard starts showing API connection errors.

AxiosError: Error getting the authorization token

3000 - Error getting the authorization token: API host with host ID [1513629884013] could not check the ability to use the run as. Ensure the API host is accesible and the internal user has the minimal permissions to check this capability.

Regards,
shifat
user_data.sh

musbau....@wazuh.com

Feb 3, 2026, 8:42:44 AM
to Wazuh | Mailing List
Hi,

The reason you get the error "AxiosError: Error getting the authorization token" is that when you reuse persistent data on EBS but recreate the EC2 instance, you are reusing Wazuh internal security state that is tied to the old API host ID and node identity. This causes the Wazuh Dashboard to start successfully. The Dashboard then tries to authenticate to the Wazuh API, and the API rejects the request because the stored RBAC run-as capability metadata references an old API host ID and the new container identity no longer matches what's persisted. It's a state mismatch caused by persisting too much.

From your script, these directories are critical:

# /var/lib/wazuh/wazuh-api-configuration
# /var/lib/wazuh/wazuh-etc
# /var/lib/wazuh/wazuh-indexer-data

They contain the API internal users & RBAC cache, the API host ID (api.yaml, internal metadata), the Dashboard -> API trust state, and the Indexer security plugin metadata.

When the instance is destroyed using the terraform destroy command and the apply command is used again, the EC2 instance ID, container IDs, and network identity change, but the API security metadata does not. The Wazuh API thinks it's still running on the old node.

The files below are safe to persist:
* wazuh-indexer-data (alerts, indices)
* wazuh-logs
* wazuh-queue
* wazuh-var-multigroups
* wazuh-active-response
* wazuh-integrations
* wazuh-wodles
* filebeat-*

while the files below could cause issues when they persist across EC2 rebuilds:

* wazuh-api-configuration
* wazuh-etc (partially)
* wazuh-dashboard-config (auth cache)
* Indexer security plugin state

You can wipe identity-bound state on every fresh EC2 boot. Before docker-compose up, add this once per new instance to force the API to regenerate the host ID, the Dashboard to re-bootstrap auth, and RBAC to be rebuilt cleanly. Don't wipe indexer data unless you want to lose alerts.

rm -rf /var/lib/wazuh/wazuh-api-configuration/*
rm -rf /var/lib/wazuh/wazuh-dashboard-config/*

I would advise that, for the long term, you don't persist the API config at all. Remove the bind mount entirely:
/var/lib/wazuh/wazuh-api-configuration:/var/ossec/api/configuration

Regards,
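
One way to apply the "once per new instance" wipe described in the reply above, as an added example (not part of the thread or of Wazuh's own tooling): it records the EC2 instance ID on the persistent volume and clears only the two identity-bound directories when that ID changes. The marker file name, the `WAZUH_STATE_ROOT` variable and the `--apply` flag are assumptions.

```shell
#!/usr/bin/env bash
# Added example: clear identity-bound Wazuh state only when the EC2 instance changed.
# Assumptions (not from the thread): the marker file ".last-instance-id",
# the WAZUH_STATE_ROOT variable and the --apply flag are hypothetical names.
WAZUH_STATE_ROOT="${WAZUH_STATE_ROOT:-/var/lib/wazuh}"

# The two directories the reply wipes; indexer data is deliberately not listed.
IDENTITY_DIRS="wazuh-api-configuration wazuh-dashboard-config"

# Print this instance's ID using IMDSv2 (session token first, then metadata).
current_instance_id() {
  local token
  token=$(curl -sf -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 60" \
    http://169.254.169.254/latest/api/token) || return 1
  curl -sf -H "X-aws-ec2-metadata-token: $token" \
    http://169.254.169.254/latest/meta-data/instance-id
}

# reset_identity_state ROOT INSTANCE_ID
# Prints "wiped" when state was cleared, "kept" when the instance is unchanged.
# Returns 2 without touching anything if ROOT or INSTANCE_ID is unusable.
reset_identity_state() {
  local root="$1" id="$2" marker="$1/.last-instance-id" d
  if [ -z "$id" ] || [ ! -d "$root" ]; then
    return 2
  fi
  if [ -f "$marker" ] && [ "$(cat "$marker")" = "$id" ]; then
    echo kept
    return 0
  fi
  for d in $IDENTITY_DIRS; do
    if [ -d "$root/$d" ]; then
      # -mindepth 1 keeps the mount point itself and, unlike "dir/*", removes dotfiles
      find "$root/$d" -mindepth 1 -delete
    fi
  done
  printf '%s\n' "$id" > "$marker"
  echo wiped
}

# In user_data, call with --apply before "docker-compose up".
if [ "${1:-}" = "--apply" ]; then
  reset_identity_state "$WAZUH_STATE_ROOT" "$(current_instance_id)"
fi
```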