When the plan phase of a run completes, the run is errored and the last line of the plan output is:
failed to upload plan json: Bad status code: 403
- Terraform Enterprise
When the plan is completed, the generated plan is captured for use in the apply phase. To store this file, requests are made to Terraform Enterprise endpoints, using the FQDN for the instance.
If request filtering is configured, care must be taken to ensure that legitimate requests are not blocked.
This issue is commonly caused by Web Application Firewalls inspecting the request and blocking it due to it containing trigger phrases.
Inspect the logging provided by your filtering infrastructure to determine which rule is blocking the request, then either disable it, reconfigure it, or permit certain hosts to bypass the rule. This communication is expected so the Terraform Enterprise instance can be permitted to make these requests.
The exact steps needed to be performed will depend on the filtering service in use and are beyond the scope of this article.
If it isn't possible to disable the filtering, another option is to enable hairpinning for your installation. For instructions and more information please see these articles:
- For standalone installs: Terraform Enterprise Hairpin Addressing Feature - Standalone
- For active/active installs: Enable Hairpinning on Active-Active Terraform Enterprise
Please note that hairpinning will not impact externally managed agents as they aren't managed directly by Terraform Enterprise.
Once the rule is disabled or reconfigured, subsequent plans should complete successfully. If the issue persists and no rules are being triggered, please reach out to HashiCorp support for additional assistance.