Introduction
Scenario
During the installation of Terraform Enterprise using the flexible deployment method, the Terraform Enterprise image must be downloaded from the HashiCorp Docker registry using the following command:
docker pull images.releases.hashicorp.com/hashicorp/terraform-enterprise:<vYYYYMM-#>
The API traffic goes through the domain images.releases.hashicorp.com. However, the response could come from other domains because the registry uses a multi-region replication model. In a tcpdump capture, these traces are found to point to s3-us-east-1-r-w.amazonaws.com:
Out IP ip-x.x.x.x.ec2.internal.55556 > s3-us-east-1-r-w.amazonaws.com.https: Flags [.], ack 133212217, win 725, length 0
Recommendation
Because our service is globally routable, a response may come from any of four regions, with a strong preference for the region "nearest" to the client. Customers with strict allowlisting policies therefore need to allowlist these domains:
- s3-r-w.us-east-1.amazonaws.com
- s3-r-w.us-west-2.amazonaws.com
- s3-r-w.eu-central-1.amazonaws.com
- s3-r-w.eu-west-1.amazonaws.com
Since this is hosted on AWS, please be aware that the domains shared could change at any moment.
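One way to check a capture against the list above, as an added example that is not HashiCorp code: the function reads tcpdump text output taken during the pull and prints every HTTPS destination that is not on the allowlist. The first sample line is the trace quoted on this page and the other two are constructed; `unlisted_destinations`, `ALLOWLIST` and `SAMPLE` are names assumed for this example.

```shell
#!/bin/sh
# Added example: audit tcpdump output against the egress allowlist.

# Pull host from the docker pull command, plus the four listed S3 domains.
ALLOWLIST="images.releases.hashicorp.com"
ALLOWLIST="$ALLOWLIST s3-r-w.us-east-1.amazonaws.com"
ALLOWLIST="$ALLOWLIST s3-r-w.us-west-2.amazonaws.com"
ALLOWLIST="$ALLOWLIST s3-r-w.eu-central-1.amazonaws.com"
ALLOWLIST="$ALLOWLIST s3-r-w.eu-west-1.amazonaws.com"

# Reads tcpdump text lines on stdin. Prints, once each, every destination
# host on port https/443 that is not in ALLOWLIST.
unlisted_destinations() {
  awk -v allow="$ALLOWLIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      for (i = 1; i < NF; i++) if ($i == ">") {
        dst = $(i + 1)
        sub(/:$/, "", dst)                 # drop the trailing colon
        port = dst
        sub(/^.*\./, "", port)             # last dotted component is the port
        if (port != "https" && port != "443") next   # skip inbound/other traffic
        sub(/\.[^.]+$/, "", dst)           # strip the port from the host name
        if (!(dst in ok)) print dst
        next
      }
    }' | sort -u
}

# Sample trace: line 1 is from this page, lines 2 and 3 are constructed.
SAMPLE='Out IP ip-x.x.x.x.ec2.internal.55556 > s3-us-east-1-r-w.amazonaws.com.https: Flags [.], ack 133212217, win 725, length 0
Out IP ip-x.x.x.x.ec2.internal.55560 > s3-r-w.us-west-2.amazonaws.com.https: Flags [.], ack 1, win 725, length 0
In IP s3-us-east-1-r-w.amazonaws.com.https > ip-x.x.x.x.ec2.internal.55556: Flags [.], ack 1, win 100, length 0'

printf '%s\n' "$SAMPLE" | unlisted_destinations
```

tcpdump prints reverse-DNS names unless it is run with `-n`, so a reported host can be spelled differently from the entries in the list, as the traced name on this page is. Compare the resolved IP addresses before treating such a host as unexpected.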