Problem
Sentinel policy checks and plan export jobs (jobs triggered by attempts to download Sentinel mocks) fail on speculative plan runs that use a Terraform version <0.12, with the following symptoms.
- Policy checks will fail with the following error in the UI.
- The policy check log will contain an error message similar to the following:
An error occurred: Error opening a gzip reader for /tmp/getter1628610727/archive: EOF
- Attempts to download Sentinel mocks fail, and the task-worker logs the following error from the plan export worker (Terraform Enterprise only).
failed exporting data: failed unpacking plan data: failed to uncompress slug: EOF
Prerequisites
- Terraform Cloud and Terraform Enterprise v202311-1 to v202403-1
- Workspaces using a Terraform version <0.12 with enforced Sentinel policy sets
Cause
Changes were introduced in Terraform Cloud (Terraform Enterprise v202311-1) to limit the number and size of objects uploaded to object storage, in order to reduce the storage footprint of Terraform Cloud/Enterprise. One of these changes was to stop uploading an archive of the filesystem after a speculative plan. Policy check and plan export jobs on runs using a Terraform version <0.12 require this artifact. Because it is never uploaded to storage after the plan stage of the run, these workers' attempts to download and extract it result in the errors above. This does not impact runs using a Terraform version >0.12 because the policy check and plan export jobs use a different artifact (a JSON execution plan), which is created and uploaded during the plan stage of those runs.
Solutions
This has been fixed in v202403-1. In the meantime, affected workspaces can be excluded from the scope of the policy set to prevent speculative plans from being marked as errored. Additionally, as this issue involves a version of Terraform which is EOL, consider upgrading affected workspaces to a version of Terraform >0.12.
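To find which workspaces to exclude, the following added example (not HashiCorp's code) triages the workspaces in a policy set's scope by Terraform version. The sample documents are constructed, and the field names (`terraform-version`, `global`, `relationships.workspaces`) are assumed to match the workspace and policy set API responses.

```python
import re

# Constructed sample data; field names are assumptions about the API response shape.
WORKSPACES = [
    {"id": "ws-aaa", "attributes": {"name": "legacy-net", "terraform-version": "0.11.14"}},
    {"id": "ws-bbb", "attributes": {"name": "app", "terraform-version": "1.5.7"}},
    {"id": "ws-ccc", "attributes": {"name": "legacy-dns", "terraform-version": "0.11.15"}},
    {"id": "ws-ddd", "attributes": {"name": "floating", "terraform-version": "latest"}},
    {"id": "ws-eee", "attributes": {"name": "pinned", "terraform-version": "~> 0.11.0"}},
]
POLICY_SET = {
    "id": "polset-xyz",
    "attributes": {"name": "baseline", "global": False},
    "relationships": {"workspaces": {"data": [
        {"id": "ws-aaa", "type": "workspaces"},
        {"id": "ws-bbb", "type": "workspaces"},
        {"id": "ws-eee", "type": "workspaces"},
    ]}},
}

def is_pre_012(version):
    """True/False for an exact version string; None when it is not an exact version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(\.\d+)?(-[\w.]+)?", version.strip())
    if not m:
        return None  # "latest" or a constraint such as "~> 0.11.0": review by hand
    return (int(m.group(1)), int(m.group(2))) < (0, 12)

def triage(workspaces, policy_set):
    """Return (affected, review) workspace names within the policy set's scope."""
    scoped = {w["id"] for w in policy_set["relationships"]["workspaces"]["data"]}
    is_global = policy_set["attributes"].get("global", False)
    affected, review = [], []
    for ws in workspaces:
        if not (is_global or ws["id"] in scoped):
            continue  # policy set is not enforced on this workspace
        verdict = is_pre_012(ws["attributes"]["terraform-version"])
        if verdict is None:
            review.append(ws["attributes"]["name"])
        elif verdict:
            affected.append(ws["attributes"]["name"])
    return affected, review

if __name__ == "__main__":
    affected, review = triage(WORKSPACES, POLICY_SET)
    print("exclude from policy set or upgrade:", affected)
    print("version not exact, check manually:", review)
```

Workspaces in the `review` list use a non-exact version setting, so confirm the resolved Terraform version before deciding whether they are affected.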