Problem
When the plan phase of a run completes, the run is errored and the last line of the plan output is:
failed to upload plan json: Bad status code: 403
Prerequisites
- Terraform Enterprise
Cause
When the plan is completed, the generated plan is captured for use in the apply phase. To store this file, requests are made to Terraform Enterprise endpoints, using the FQDN for the instance.
If request filtering is configured, care must be taken to ensure that legitimate requests are not blocked.
This issue is commonly caused by a Web Application Firewall inspecting the request and blocking it because it contains trigger phrases.
Solution
Inspect the logs provided by your filtering infrastructure to determine which rule is blocking the request, then either disable the rule, reconfigure it, or permit certain hosts to bypass it. This communication is expected, so the Terraform Enterprise instance can be permitted to make these requests.
The exact steps depend on the filtering service in use and are beyond the scope of this article.
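As an added illustration (not part of the original article), the Python sketch below tallies blocked requests to the Terraform Enterprise FQDN by rule and source host. The JSON-lines log format, its field names, the FQDN tfe.example.com and the request paths are all assumptions constructed for the example; adapt them to what your filtering service actually logs.

```python
import json
from collections import Counter

# Constructed sample in an assumed JSON-lines format. Field names, hosts and
# paths are placeholders; map them to your filtering service's real schema.
SAMPLE_LOG = """\
{"host": "tfe.example.com", "src": "10.0.0.5", "path": "/placeholder/upload", "status": 403, "action": "BLOCK", "rule_id": "rule-A"}
{"host": "tfe.example.com", "src": "10.0.0.5", "path": "/placeholder/upload", "status": 403, "action": "BLOCK", "rule_id": "rule-A"}
{"host": "tfe.example.com", "src": "10.0.0.5", "path": "/placeholder/other", "status": 200, "action": "ALLOW", "rule_id": null}
{"host": "other.example.com", "src": "203.0.113.9", "path": "/", "status": 403, "action": "BLOCK", "rule_id": "rule-B"}
{"host": "tfe.example.com", "src": "10.0.0.6", "path": "/placeholder/upload", "status": 403, "action": "BLOCK", "rule_id": "rule-C"}
{"host": "tfe.example.com", "src": "10.0.
"""


def blocked_requests(lines, fqdn, status=403):
    """Yield parsed entries the filter blocked for requests addressed to fqdn."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip rather than abort
        if not isinstance(entry, dict):
            continue
        if (str(entry.get("host", "")).lower() == fqdn.lower()
                and entry.get("status") == status
                and entry.get("action") == "BLOCK"):
            yield entry


def summarize(lines, fqdn):
    """Count blocks per (rule_id, source), most frequent first."""
    counts = Counter()
    for e in blocked_requests(lines, fqdn):
        key = (e.get("rule_id") or "unknown", e.get("src") or "unknown")
        counts[key] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (rule, src), n in summarize(SAMPLE_LOG.splitlines(), "tfe.example.com"):
        print(f"{n:3d} blocked  rule={rule}  source={src}")
```

A rule that shows up here with the Terraform Enterprise instance as the source is the candidate to reconfigure or to exempt for that host.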
If it isn't possible to disable the filtering, another option is to enable hairpinning for your installation. For instructions and more information, see these articles:
- For standalone installs: Terraform Enterprise Hairpin Addressing Feature - Standalone
- For active/active installs: Enable Hairpinning on Active-Active Terraform Enterprise
Outcome
Once the rule is disabled or reconfigured, subsequent plans should complete successfully. If the issue persists and no rules are being triggered, please reach out to HashiCorp support for additional assistance.