Problem
Sentinel policy checks and plan export jobs fail on speculative plan runs for workspaces using a Terraform version less than 0.12. This issue manifests with the following symptoms.
- Policy checks fail with an error in the UI.
- The policy check log contains an error message similar to the following.
An error occurred: Error opening a gzip reader for /tmp/getter1628610727/archive: EOF
- In Terraform Enterprise, attempts to download Sentinel mocks fail, and the task-worker logs the following error from the plan export worker.
failed exporting data: failed unpacking plan data: failed to uncompress slug: EOF
Prerequisites
- HCP Terraform or Terraform Enterprise versions
v202311-1tov202403-1. - Workspaces using a Terraform version
<0.12with enforced Sentinel policy sets.
Cause
In HCP Terraform and Terraform Enterprise v202311-1, changes were introduced to reduce the storage footprint by limiting the size and number of objects uploaded to object storage. One of these changes omitted the upload of a filesystem archive after a speculative plan.
Policy check and plan export jobs for runs using a Terraform version <0.12 require this filesystem archive. Because the artifact is no longer uploaded, any attempt by the workers to download and extract it results in an EOF error.
This issue does not impact runs using a Terraform version >0.12 because their policy check and plan export jobs use a different artifact (a JSON execution plan), which is created and uploaded during the plan stage.
Solutions
Solution 1: Upgrade Terraform Enterprise
The underlying issue is resolved in Terraform Enterprise version v202403-1 and later. Upgrading your instance is the recommended permanent solution.
Solution 2: Implement a Workaround
If you cannot upgrade immediately, you can use one of the following workarounds.
- Exclude affected workspaces: You can temporarily prevent speculative plans from being marked as errored by having them excluded from the scope of the policy set.
-
Upgrade Terraform version: This issue affects a version of Terraform that is End-of-Life (EOL). Consider upgrading affected workspaces to a supported version of Terraform greater than
0.12.