Problem
When you perform a run on a workspace in Terraform Enterprise with an Open Policy Agent (OPA) policy set attached, the run fails with a null error in the logs.
The Terraform Enterprise logs may contain an error message similar to the following, indicating a failure to download the OPA binary from GitHub.
{
"@level": "info",
"@message": "[ERROR] policy: Failed handling policy evaluation: error=\"operation failed: failed fetching opa binary: failed downloading opa: failed downloading \\\"https://github.com/open-policy-agent/opa/releases/download/v0.61.0/opa_linux_amd64_static\\\": GET https://github.com/open-policy-agent/opa/releases/download/v0.61.0/opa_linux_amd64_static giving up after 5 attempt(s): Get \\\"https://github.com/open-policy-agent/opa/releases/download/v0.61.0/opa_linux_amd64_static\\\": Forbidden\"",
"@module": "task-worker.executor.task-output",
"@timestamp": "2024-09-18T09:39:08.952767Z",
"id": "dda71914-8823-41a9-baee-0bfec0bf2c5c",
"name": "agent-run",
"stream": "stdout"
}
Prerequisites
- You are using OPA policies in Terraform Enterprise.
- Your Terraform Enterprise installation does not have direct internet access to github.com.
Cause
By default, Terraform Enterprise attempts to download the required OPA binary from github.com. If your Terraform Enterprise server is in an air-gapped or restricted network environment that cannot reach this external endpoint, the download fails, causing the policy evaluation to error.
Solution
To resolve this issue, you must download the OPA binary and host it in a location that Terraform Enterprise can access. You can then update the OPA version configuration to point to this internal location.
Procedure
- In your browser, navigate to the OPA Versions admin page at https://$YOUR_TFE_URL/app/admin/opa-versions.
- Click on an OPA version to identify the official download URL for the binary you need. The URL will resemble the following example.
https://github.com/open-policy-agent/opa/releases/download/v0.61.0/opa_linux_amd64_static
- From a machine with internet access, download the binary from this URL.
- Upload the binary to an internally hosted location, such as an artifact repository or web server, that is reachable by your Terraform Enterprise instance.
- Return to the OPA version settings page in Terraform Enterprise and update the URL field to point to the new, internally hosted location of the binary.
- Click Update OPA version to save the changes.
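The download and upload steps above move a policy-engine binary across a network boundary by hand, so it is worth checking its digest before it reaches the internal mirror. The script below is an added example, not HashiCorp's or the OPA project's code; the function names, the ./mirror staging directory, and the assumption that the release publishes an "<asset>.sha256" file beside the binary are illustrative and should be confirmed against the release page.

```shell
#!/bin/sh
# Added example (not HashiCorp's code): verify an OPA binary before mirroring it.
set -eu

OPA_VERSION="v0.61.0"              # version taken from the page's example URL
OPA_ASSET="opa_linux_amd64_static"
UPSTREAM="https://github.com/open-policy-agent/opa/releases/download/$OPA_VERSION/$OPA_ASSET"

# Print the SHA-256 hex digest of a file (sha256sum, or shasum as a fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_stage BINARY CHECKSUM_FILE STAGING_DIR
# Compares the binary's digest with the first field of CHECKSUM_FILE and, only
# on a match, copies it to STAGING_DIR/<version>/<asset>. Prints the digest.
# Returns 1 on a mismatch and 2 when the checksum file is malformed.
verify_and_stage() {
  vs_expected="$(awk 'NR==1 {print tolower($1)}' "$2")"
  case "$vs_expected" in
    ""|*[!0-9a-f]*) echo "checksum file does not hold a hex digest" >&2; return 2 ;;
  esac
  if [ "${#vs_expected}" -ne 64 ]; then
    echo "checksum file does not hold a SHA-256 digest" >&2; return 2
  fi
  vs_actual="$(sha256_of "$1")"
  if [ "$vs_expected" != "$vs_actual" ]; then
    echo "digest mismatch: expected $vs_expected, got $vs_actual" >&2; return 1
  fi
  mkdir -p "$3/$OPA_VERSION"
  cp "$1" "$3/$OPA_VERSION/$OPA_ASSET"
  chmod 0755 "$3/$OPA_VERSION/$OPA_ASSET"
  echo "$vs_actual"
}

# On the internet-connected machine (commented out so the block runs offline).
# Assumption: the release publishes "<asset>.sha256" beside the binary.
#   curl -fsSLO "$UPSTREAM"
#   curl -fsSLO "$UPSTREAM.sha256"
#   verify_and_stage "$OPA_ASSET" "$OPA_ASSET.sha256" ./mirror
```

A checksum fetched from the same origin as the binary detects corruption or substitution in transit and on the internal mirror, not a compromised upstream release; record the printed digest so the hosted copy can be re-checked later.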
Outcome
After updating the URL to the internally hosted binary, you will be able to perform runs in Terraform Enterprise workspaces that use OPA policy sets without encountering download errors.