Introduction
Problem
When performing a run on a workspace in Terraform Enterprise with an OPA policy set attached, the run fails with a null in the logs.
The Terraform Enterprise logs show an error similar to the following:
{"@level":"info","@message":"2024-09-18T09:39:08.952Z [ERROR] policy: Failed handling policy evaluation: error=\"operation failed: failed fetching opa binary: failed downloading opa: failed downloading \\\"https://github.com/open-policy-agent/opa/releases/download/v0.61.0/opa_linux_amd64_static\\\": GET https://github.com/open-policy-agent/opa/releases/download/v0.61.0/opa_linux_amd64_static giving up after 5 attempt(s): Get \\\"https://github.com/open-policy-agent/opa/releases/download/v0.61.0/opa_linux_amd64_static\\\": Forbidden\"","@module":"task-worker.executor.task-output","@timestamp":"2024-09-18T09:39:08.952767Z","id":"dda71914-8823-41a9-baee-0bfec0bf2c5c","name":"agent-run","stream":"stdout"}
Prerequisites
- Using OPA policies
- Terraform Enterprise without access to GitHub
Cause
The environment hosting your Terraform Enterprise server does not have access to GitHub.com, which is the default location from which Terraform Enterprise downloads the OPA binary.
Solutions:
- Navigate to the OPA Versions admin page at https://$YOUR_TFE_URL/app/admin/opa-versions
- Click on an OPA version and check the URL for the version you need. Example URL: https://github.com/open-policy-agent/opa/releases/download/v0.61.0/opa_linux_amd64_static
- Download the binary from this URL and save it to a hosted location that is reachable from Terraform Enterprise.
- Change the URL to point to the newly hosted location.
- Click Update OPA version
Please see Add Open Policy Agent (OPA) Tool Versions for adding a new version of OPA.
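Because the binary now reaches Terraform Enterprise through an intermediate host, it is worth verifying the download before mirroring it. The script below is an added example, not HashiCorp tooling: it checks the binary against the `.sha256` file that OPA publishes next to each release asset and derives the URL to enter in the admin page. The function names and the host `artifacts.example.internal` are hypothetical, and requiring HTTPS for the internal location is this example's own policy.

```shell
#!/bin/sh
# Added example: verify a downloaded OPA binary, then derive its mirror URL.
UPSTREAM_PREFIX="https://github.com/open-policy-agent/opa/releases/download/"

# verify_opa_binary BINARY CHECKSUM_FILE
# CHECKSUM_FILE uses sha256sum format: "<64 hex chars>  <filename>".
# Prints the verified digest; returns 1 on mismatch, 2 on bad input.
verify_opa_binary() {
    bin=$1; sumfile=$2
    [ -f "$bin" ] && [ -f "$sumfile" ] || { echo "missing file" >&2; return 2; }
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    # A proxy that blocks the download may save an HTML error page instead
    # of a checksum, so accept only 64 hex characters.
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed checksum file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum file" >&2; return 2; }
    actual=$(sha256sum "$bin" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    printf '%s\n' "$actual"
}

# mirror_url UPSTREAM_URL INTERNAL_BASE
# Keeps the "<version>/<asset>" path so the mirrored copy stays traceable
# to the upstream release it came from.
mirror_url() {
    upstream=$1; base=${2%/}
    case $upstream in
        "$UPSTREAM_PREFIX"v*/opa_*) ;;
        *) echo "not an OPA release URL" >&2; return 2 ;;
    esac
    case $base in
        https://*) ;;
        *) echo "internal base must use https" >&2; return 2 ;;
    esac
    printf '%s/%s\n' "$base" "${upstream#"$UPSTREAM_PREFIX"}"
}

# Usage: sh verify_opa.sh BINARY CHECKSUM_FILE UPSTREAM_URL INTERNAL_BASE
if [ "$#" -eq 4 ]; then
    verify_opa_binary "$1" "$2" >/dev/null && mirror_url "$3" "$4"
fi
```

Run it on the machine that performed the download; the URL is printed only when the digest matches.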
Outcome
Runs can be performed in Terraform Enterprise workspaces that have an OPA policy set connected.