Problem
When the plan phase of a run completes, the run errors and the last line of the plan output is:
failed to upload plan json: Bad status code: 403
Prerequisites
- Terraform Enterprise
Cause
When the plan is completed, the generated plan is captured for use in the apply phase. To store this file, requests are made to Terraform Enterprise endpoints, using the FQDN for the instance.
If request filtering is configured, care must be taken to ensure that legitimate requests are not blocked.
This issue is commonly caused by a Web Application Firewall inspecting the request and blocking it because it contains trigger phrases.
Solution
Inspect the logging provided by your filtering infrastructure to determine which rule is blocking the request, then either disable it, reconfigure it, or permit certain hosts to bypass the rule. This communication is expected, so the Terraform Enterprise instance can be permitted to make these requests.
The exact steps depend on the filtering service in use and are beyond the scope of this article.
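One way to narrow down the blocking rule from exported filter logs, as an added example that is not part of the original article. The JSON-lines format, the field names (`src_ip`, `host`, `status`, `action`, `rule_id`), the addresses and the rule IDs are all constructed assumptions; map them to what your filtering service actually emits.

```python
import json
from collections import Counter

# Constructed sample log in JSON-lines form. Field names, addresses and
# rule IDs are hypothetical; adapt them to your filtering service's output.
SAMPLE_LOG = """\
{"src_ip":"192.0.2.10","host":"tfe.example.com","status":403,"action":"BLOCK","rule_id":"R-1001"}
{"src_ip":"192.0.2.10","host":"tfe.example.com","status":200,"action":"ALLOW","rule_id":null}
{"src_ip":"198.51.100.7","host":"tfe.example.com","status":403,"action":"BLOCK","rule_id":"R-2002"}
{"src_ip":"192.0.2.10","host":"tfe.example.com","status":403,"action":"BLOCK","rule_id":"R-1001"}
{"src_ip":"192.0.2.10","host":"other.example.com","status":403,"action":"BLOCK","rule_id":"R-3003"}
{"src_ip":"192.0.2.10","host":"TFE.example.com","status":403,"action":"BLOCK","rule_id":"R-1005"}
{"src_ip":"192.0.2.10","host":
"""


def blocked_rules(log_text, tfe_fqdn, tfe_sources):
    """Count rules that returned 403 to requests the Terraform Enterprise
    instance (tfe_sources) sent to its own FQDN (tfe_fqdn)."""
    hits = Counter()
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        if not isinstance(event, dict):
            continue
        if event.get("status") != 403 or event.get("action") != "BLOCK":
            continue
        if str(event.get("host", "")).lower() != tfe_fqdn.lower():
            continue  # block was for a different site behind the same filter
        if event.get("src_ip") not in tfe_sources:
            continue  # block was for some other client, not the instance
        hits[event.get("rule_id") or "unknown"] += 1
    return hits.most_common()  # most frequent rule first


if __name__ == "__main__":
    for rule, count in blocked_rules(SAMPLE_LOG, "tfe.example.com", {"192.0.2.10"}):
        print(f"{rule}\t{count} blocked request(s)")
```

The rule IDs it reports are the ones to reconfigure or to exempt for the instance's own address, which keeps them enforced for every other client.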
If it isn't possible to disable the filtering, another option is to enable hairpinning for your installation. For instructions and more information, please see these articles:
- For standalone installations: Terraform Enterprise Hairpin Addressing Feature - Standalone
- For active/active installations: Enable Hairpinning on Active-Active Terraform Enterprise
- For Flexible Deployment Options installations: How-to enable "hairpin_addressing" in Terraform Enterprise FDO Docker
Please note that hairpinning will not impact externally managed agents as they aren't managed directly by Terraform Enterprise.
Outcome
Once the rule is disabled or reconfigured, subsequent plans should complete successfully.