Problem
Terraform Enterprise fails to perform runs with a log message similar to the following during the plan phase:
Operation failed: failed uploading plan JSON: failed uploading: PUT https://<TFE hostname>/_archivist/v1/object/<object id> giving up after 16 attempt(s)A permission error is logged to the container logs, as well as /var/log/terraform-enterprise/archivist.log log file in the container, referencing the configured external object storage:
{"@level":"error","@message":"writing to archive store failed","@module":"archivist.server.http.upload","@timestamp":"2025-08-12T01:20:44.035802Z","body-size":779462,"copied":779462,"err":"failed uploading RequestID \"UUID\": operation error S3: PutObject, https response error StatusCode: 403, RequestID: UUID, HostID: , api error AccessDenied: Access Denied","obj.compressed":true,"obj.encrypted":true,"obj.expire":1754965825,"obj.key":"terraform/json-plan/xxx/asmt-yyy","obj.mode":"w","req.amazon_trace_id":"-","req.id":"-"}
Another error that might appear in the archivist log is:
{"@level":"error","@message":"writing to archive store failed","@module":"archivist.server.http.upload","@timestamp":"2025-08-14T13:10:43.617381Z","body-size":1443,"copied":1443,"err":"failed uploading RequestID \"ac1c6f29:195922864dc:1f783c:194a\": operation error S3: PutObject, https response error StatusCode: 400, RequestID: ac1c6f29:195922864dc:1f783c:194a, HostID: 9e32f9be08be25a3686d7dd1c8169685b1ea375ea88edd1b9c6bf8708164c585, api error XAmzContentSHA256Mismatch: The Content-SHA256 you specified did not match what we received","obj.compressed":true,"obj.encrypted":true,"obj.expire":1755187719,"obj.key":"terraform/json-plans/62f1cfdd/plan-TycJjC52hDR6LbsA","obj.mode":"w","req.amazon_trace_id":"-","req.id":"-"}Here it is shown that there is an issue with the XAmzContentSHA256Mismatch header.
Prerequisites
- Terraform Enterprise:
>= v202507-1 - External S3-compatible object storage
Cause
Terraform Enterprise v202507-1 includes an update to the SDK used when communicating with S3 and S3-compatible object storage services.
This update includes the introduction of default integrity checks, which some S3-compatible services are incompatible with.
The error written to the application logs may differ depending on the S3-compatible object storage service being used, for example it may contain errors such as: AccessDenied, MissingContentLength, Unsupported header.
Solution
There is currently no workaround available, and our engineering teams are actively working on a solution for future release.
If you encounter this issue when testing the upgrade in a lower environment, please submit a ticket to HashiCorp Support noting the S3-compatible storage service you are using and attaching application logs.
Any upgrades performed that encounter this issue will need to be rolled back.
Additional Information
If you continue to experience issues, please contact HashiCorp Support.