Problem
Requests to URLs in the hosted-state-download-url or hosted-json-state-download-url attributes returned by the State Versions API result in a 401 unauthorized error.
{"errors":[{"status":"401","title":"unauthorized"}]}
Prerequisites
- Terraform Enterprise releases > v202311-1
Cause
Terraform Enterprise v202311-1 introduces a change to the State Versions API to accommodate the data retention policies feature. While the API previously returned pre-signed URLs in the hosted-state-download-url and hosted-json-state-download-url attributes from which to download state directly, it now returns a Terraform Enterprise URL that redirects to a pre-signed URL.
"hosted-state-download-url": "https://tfe.mycompany.com/api/state-versions/sv-6VyZcPj4cdNRWZxL/hosted_state",
"hosted-json-state-download-url": "https://tfe.mycompany.com/api/state-versions/sv-6VyZcPj4cdNRWZxL/hosted_json_state"
Solution
Going forward, HTTP clients which extract URLs from the hosted-state-download-url or hosted-json-state-download-url attributes in the API response will need to follow redirects and provide authentication.
Using curl as an example, a request such as the following would need to be changed to include the flag to make it follow redirects and provide an Authorization header in the request.
$ export HOSTED_STATE_DOWNLOAD_URL=$(curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
https://tfe.mycompany.com/api/v2/workspaces/ws-Kq2fvtVAzF2eFmU4/current-state-version | jq -r '.data.attributes."hosted-state-download-url"')
$ curl $HOSTED_STATE_DOWNLOAD_URL
{"errors":[{"status":"401","title":"unauthorized"}]}
curl -L -H "Authorization: Bearer $TOKEN" $HOSTED_STATE_DOWNLOAD_URL
Additional Information
If you have additional questions or concerns, please contact HashiCorp Support.