TFE FDO Docker external services error: "InvalidArgument: The encryption method specified is not supported"

Avatar
Stamatios Chrysinas
  • Updated

Problem

After deploying Terraform Enterprise with an FDO Docker installation using external services, version control system (VCS) driven workflows fail to start. New VCS-driven workspaces remain indefinitely in the "Parsing configuration" stage.

Workspace stuck in Parsing configuration stage

The workspace overview page displays a "Configuration errored" message with error code SIC-001.

Workspace overview showing Configuration errored message

Reviewing the archivist service logs reveals an error indicating that the configuration could not be uploaded to object storage.

{
  "component": "archivist",
  "log": "{\"@level\":\"error\",\"@message\":\"writing to archive store failed\",
  \"@module\":\"archivist.server.http.upload\",\\"failed uploading RequestID \\
  ....\":InvalidArgument: The encryption method specified is not supported\\n\\
  tstatus code: 400,request id: ....}"
}

Cause

The error InvalidArgument: The encryption method specified is not supported indicates a misconfiguration of the TFE_OBJECT_STORAGE_S3_SERVER_SIDE_ENCRYPTION setting in your Terraform Enterprise configuration.

This environment variable accepts only two specific values: AES256 and aws:kms. Providing any other value will cause object storage uploads to fail.

You can confirm this issue by viewing the error logs from the archivist service in the Terraform Enterprise container. Execute the following command to search the logs for errors.

$ docker exec -it <TFE_CONTAINER> bash -c "cat /var/log/terraform-enterprise/archivist.log | grep error"

The presence of the InvalidArgument error in the output confirms the configuration issue.

Solution

To resolve this issue, you must correct the server-side encryption setting and redeploy Terraform Enterprise.

  1. Review the value of the TFE_OBJECT_STORAGE_S3_SERVER_SIDE_ENCRYPTION environment variable in your Terraform Enterprise settings.
  2. Ensure the value is set to one of the supported options: AES256 or aws:kms.
  3. Redeploy Terraform Enterprise to apply the updated configuration.
  4. Verify the resolution by creating a new VCS-driven workspace. The workspace should now proceed past the "Parsing configuration" stage successfully.

Additional Information

Articles in this section

See more

Related articles