Error accessing remote module registry

Avatar
Kampanart Mekaumput
  • Updated

Introduction

Terraform resources can be structured into modules, and these modules can be located in the Private Module Registry of Terraform Enterprise. In order to access the modules located in the Private Module Registry, a client needs an appropriate API token located in the Terraform CLI Configuration File. This token will be used to authenticate the client during terraform init.

 

Problem

There are chances that the terraform init operation fails with the error Error accessing remote module registry. This article outlines the possible causes of the symptom and the steps to verify the token along with the solutions.

 

Cause

  • The API token does not exist.
  • SAML session expired or the user has been removed from the organization.

 

Solutions

  • Ensure that the token is able to access the required modules via API

On Bash Shell:

TOKEN=<<YOUR TOKEN>>
HOSTNAME=<<YOUR TFE HOSTNAME>>
ORG_NAME=<<YOUR TFE ORGANIZATION NAME>>
MODULE=<<MODULE NAME>>
PROVIDER=<<PROVIDER NAME>>

curl -v -H "Authorization: Bearer ${TOKEN}" \
  https://${HOSTNAME}/api/registry/v1/modules/${ORG_NAME}/${MODULE}/${PROVIDER}/versions

On Powershell:

$TOKEN = '<<YOUR TOKEN>>'
$HOSTNAME = '<<YOUR TFE HOSTNAME>>'
$ORG_NAME = '<<YOUR TFE ORGANIZATION NAME>>'
$MODULE = '<<MODULE NAME>>'
$PROVIDER = '<<PROVIDER NAME>>'

$params = @{
      Uri          = "https://${HOSTNAME}/api/registry/v1/modules/${ORG_NAME}/${MODULE}/${PROVIDER}/versions"
      Headers      = @{ 'Authorization' = "Bearer ${TOKEN}"; 'Content-Type' = "application/vnd.api+json" }
      Method       = 'GET'
    }

Invoke-RestMethod @params | ConvertTo-Json -Depth 20
  • If successful, the JSON response back with the list of versions, therefore this implies that the API token should have access to the module and the module versions, please compare the API token against the Terraform CLI Configuration File and ensure that the API token is located under the correct hostname which should be the same name as ${HOSTNAME} from the API test. Please note since Terraform 1.2.0 it is also possible to override the local credentials configuration with an Environment Variable, so verify this is set with the correct token as needed.
  • On failure, proceed to check if the token is a user token associated with SAML session which may have already expired and caused the user API token to be temporarily disabled until the user is reauthenticated at https://<TFE HOSTNAME>/session or the user is completely removed from the organization according to the team membership mapping. In the scenario where the user still has the membership of the organization, proceed to generate a new token and repeat the steps above to ensure that the token works with the API then update the Terraform CLI Configuration File with the valid token.

Articles in this section

See more

Related articles