When running Terraform Enterprise (TFE) behind a corporate proxy in a Flexible Deployment Option (FDO) with Docker Compose, outbound network requests may fail if required endpoints are not whitelisted. This can cause Terraform runs to hang or fail when downloading providers, modules, or verifying licenses.
This article lists the required network endpoints that must be accessible for Terraform Enterprise to function correctly behind a proxy.
Problem
You may encounter the following issues:
- Terraform runs remain in a stuck or failed state.
- Provider or module downloads fail with errors similar to the following.
Error: Failed to install provider could not query provider registry for registry.terraform.io
Cause
Terraform Enterprise relies on several external services for core operations, including:
- Downloading Terraform CLI binaries.
- Downloading providers and modules from registries.
- Accessing Version Control Systems (VCS) like GitHub, GitLab, Bitbucket, and Azure DevOps.
- Validating licenses and performing telemetry (if enabled).
If the proxy or firewall blocks access to these required endpoints, TFE cannot complete Terraform runs successfully.
Solution
To resolve this issue, you must ensure all required external endpoints are whitelisted in your proxy and firewall configurations.
Step 1: Whitelist Required Endpoints
Ensure the following domains are allowed for outbound traffic from your Terraform Enterprise installation.
| Purpose | Endpoint(s) |
|---|---|
| Terraform CLI & Provider Downloads | https://releases.hashicorp.com/ |
| Terraform Provider Registry | https://registry.terraform.io/ |
| GitHub Release Assets (for community providers) | https://github.com/ and https://objects.githubusercontent.com/ |
| HCP Terraform/Enterprise Communication | https://app.terraform.io/ |
| AWS Provider Dependencies | https://sts.amazonaws.com/ and region-specific endpoints (e.g., https://sts.us-east-1.amazonaws.com/) |
| GCP Provider Dependencies | https://www.googleapis.com/ |
| Azure Provider Dependencies | https://management.azure.com/ and https://login.microsoftonline.com/ |
| VCS Integration (if applicable) | Your organization’s VCS provider endpoints (e.g., https://dev.azure.com/, https://gitlab.com/, https://bitbucket.org/) |
Step 2: Validate Connectivity
After updating your whitelist, validate connectivity by running a test command from within a TFE container. This confirms that the container can reach a critical external service.
- Execute a `curl` command from the `tfe-worker` container.

  ```
  $ docker exec -it <tfe_worker_container> curl -I https://registry.terraform.io/
  ```

- Confirm that the command returns a successful HTTP status code.

  ```
  HTTP/2 200
  ## ...
  ```
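The check in Step 2 covers only the registry. The script below is an added example, not HashiCorp tooling: it runs the same `curl -I` probe against every endpoint in the Step 1 table and separates a proxy denial from DNS, connect, and TLS failures. The function names `classify` and `check_all` are hypothetical, and the script assumes `curl` in the container picks up the proxy settings from the container environment.

```shell
#!/bin/sh
# Added example. Endpoints are copied from the Step 1 table; append your
# regional STS and VCS hosts.
ENDPOINTS="https://releases.hashicorp.com/
https://registry.terraform.io/
https://github.com/
https://objects.githubusercontent.com/
https://app.terraform.io/
https://sts.amazonaws.com/
https://www.googleapis.com/
https://management.azure.com/
https://login.microsoftonline.com/"

# classify <curl_exit> <http_connect> <http_code>
# http_connect is the proxy's reply to CONNECT; http_code is the origin's reply.
# Any origin status counts as reachable: API roots need not answer HEAD / with 200.
classify() {
  case "$2" in
    403) echo "proxy-denied"; return ;;
    407) echo "proxy-auth-required"; return ;;
  esac
  case "$1" in
    0)     if [ "$3" != "000" ]; then echo "reachable"; else echo "no-response"; fi ;;
    5|6)   echo "dns-failure" ;;
    7|28)  echo "connect-failure" ;;
    35|60) echo "tls-failure" ;;
    *)     echo "curl-error-$1" ;;
  esac
}

# check_all <container>: run the article's curl -I probe against each endpoint.
# Returns non-zero if any endpoint is not reachable.
check_all() {
  failed=0
  for url in $ENDPOINTS; do
    out=$(docker exec "$1" curl -s -o /dev/null -I --max-time 15 \
            -w '%{http_connect} %{http_code}' "$url" 2>/dev/null)
    rc=$?
    verdict=$(classify "$rc" "${out% *}" "${out#* }")
    printf '%-20s %s\n' "$verdict" "$url"
    [ "$verdict" = "reachable" ] || failed=1
  done
  return "$failed"
}

# Usage: sh check_endpoints.sh <tfe_worker_container>
if [ -n "${1:-}" ]; then check_all "$1"; fi
```

A `tls-failure` verdict (curl exit 35 or 60) usually means the proxy is re-signing TLS with a CA the container does not trust, which an allowlist change alone will not fix.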
Additional Information
For a comprehensive list of networking requirements, refer to the official Terraform Enterprise Network Requirements documentation.