Problem
VCS driven workflows cannot be started in Terraform Enterprise, despite a successful deployment. New VCS-driven workspaces remain stuck in the "Parsing configuration" stage:
The workspace overview page displays the a "Configuration errored" error message with a SIC-001 error code.
The following error log from the archivist service is visible in the Terraform Enterprise logs,indicating that the configuration could not be uploaded to object storage.
{"component":"archivist","log":"{\"@level\":\"error\",
\"@message\":\"writing to archive store failed\",
\"@module\":\"archivist.server.http.upload\",
\\"failed uploading RequestID \\....\":
InvalidArgument: The encryption method specified is not supported\\n\\t
status code: 400,
request id: ....}
Cause
View error logs from the Archivist service in the terraform enterprise container with the following command.
docker exec -it <TFE_CONTAINER> bash -c "cat /var/log/terraform-enterprise/archivist.log | grep error"
The following error, InvalidArgument: The encryption method specified is not supported, will be present in the archivist logs.
{"component":"archivist","log":"{"@level":"error",
"@message":"writing to archive store failed",
"@module":"archivist.server.http.upload",
\"failed uploading RequestID \....":
InvalidArgument: The encryption method specified is not supported\n\t
status code: 400,
request id: ....}
The root cause is a misconfiguration in the TFE_OBJECT_STORAGE_S3_SERVER_SIDE_ENCRYPTION setting in the Terraform Enterprise configuration.
The TFE_OBJECT_STORAGE_S3_SERVER_SIDE_ENCRYPTION setting accepts only two values, AES256 and aws:kms. Any other value will result in the error The encryption method specified is not supported as shown above.
Solution
- Review the value of the TFE_OBJECT_STORAGE_S3_SERVER_SIDE_ENCRYPTION environment variable in the Terraform Enterprise settings and correct any wrong values.
- Redeploy Terraform Enterprise with the updated configuration.
- Reattempt to create a VCS driven workspace.