Problem
When you attempt to upload a module to the private module registry in Terraform Enterprise, the operation fails and displays a SIC-001 error code in the user interface.
Prerequisites
- Root or sudo access to the Terraform Enterprise instance host.
Cause
This error typically occurs when Terraform Enterprise does not have the required write permissions on its connected object storage backend. You can confirm this by inspecting the tfe-archivist container logs for an AccessDenied error.
To access the logs, run the appropriate command for your Terraform Enterprise version on the instance host.
For Terraform Enterprise v202205-1 or later, run this command.
# docker logs tfe-archivist
For versions prior to v202205-1, run this command.
# docker logs ptfe_archivist
The log output may contain an error similar to the following, indicating that the kms:GenerateDataKey action is not allowed.
2022/04/25 17:32:04 [ERROR] http.upload: writing to archive store failed { body-size=10789805 copied=0 duration="64.700726ms" err="failed uploading RequestID \"zzzzzzzzzzz\": AccessDenied: User: arn:aws:sts::xxxxxxxxx:assumed-role/pl_tfe_role/i-xxxxxxxxxx is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-west-2:/xxxxxxxx because no identity-based policy allows the kms:GenerateDataKey action\n\tstatus code: 403, request id: xxxxxxxxxx, host id: abcdefghij/xxxxxxx/xxxxxxxxxxx=" obj.encrypted=true obj.expire= obj.key="terraform/modules/" obj.mode="w" }
Solutions
Solution 1: Update S3 Bucket Policy
Validate that the IAM policy associated with the S3 bucket grants the necessary permissions for Terraform Enterprise. Update the policy to include the minimum required actions.
For detailed guidance, refer to the official S3 bucket access policy documentation.
The following example shows the minimum required permissions.
{
  "Effect": "Allow",
  "Action": [
    "s3:PutObject",
    "s3:ListBucket",
    "s3:GetObject",
    "s3:DeleteObject",
    "s3:GetBucketLocation"
  ],
  "Resource": [
    "<BUCKET_ARN>",
    "<BUCKET_ARN>/*"
  ]
}
Outcome
After you configure the S3 bucket with the minimum required permissions, you can successfully upload modules to the private module registry.
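To see which action, resource and principal each AccessDenied entry in the archivist logs names (kms:GenerateDataKey in the log shown under Cause), and to confirm after a policy change that no new denials appear, the logs can be summarized as below. This is an added example, not HashiCorp code; the function names `summarize_denials` and `sample_log` are hypothetical, and the sample log lines and ARNs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not HashiCorp code). Function names are hypothetical.
# Reads archivist log text on stdin and prints one line per distinct denial:
#   <count> <denied action> <resource> <principal>
summarize_denials() {
  grep 'AccessDenied' |
    sed -n -E \
      -e 's/.*User: ([^ ]+) is not authorized to perform: ([^ ]+) on resource: ([^ ]+).*/\2 \3 \1/p' \
      -e 't' \
      -e 's/.*/(no-detail) - -/p' |
    sort | uniq -c | sed -E 's/^ +//'
}

# Constructed sample lines shaped like the error shown under Cause.
# Every ARN, role name and bucket name here is a placeholder.
sample_log() {
  cat <<'EOF'
2022/04/25 17:32:04 [ERROR] http.upload: writing to archive store failed { err="AccessDenied: User: arn:aws:sts::111111111111:assumed-role/example_role/i-0example is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-west-2:111111111111:key/EXAMPLE because no identity-based policy allows the kms:GenerateDataKey action" obj.mode="w" }
2022/04/25 17:33:00 [INFO] constructed non-error line, ignored by the filter
2022/04/25 17:34:41 [ERROR] http.upload: writing to archive store failed { err="AccessDenied: User: arn:aws:sts::111111111111:assumed-role/example_role/i-0example is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-west-2:111111111111:key/EXAMPLE because no identity-based policy allows the kms:GenerateDataKey action" obj.mode="w" }
2022/04/25 17:35:02 [ERROR] http.upload: writing to archive store failed { err="AccessDenied: User: arn:aws:sts::111111111111:assumed-role/example_role/i-0example is not authorized to perform: s3:PutObject on resource: arn:aws:s3:::example-bucket/terraform/modules/x because no identity-based policy allows the s3:PutObject action" obj.mode="w" }
2022/04/25 17:35:10 [ERROR] http.upload: writing to archive store failed { err="AccessDenied: Access Denied status code: 403" obj.mode="w" }
EOF
}

# On a real host (docker logs relays the container's stderr, hence 2>&1):
#   docker logs tfe-archivist 2>&1 | summarize_denials
# For versions prior to v202205-1 the container is ptfe_archivist.
sample_log | summarize_denials
```

Entries reported as `(no-detail)` are AccessDenied lines that do not name an action or resource and need to be read in full in the raw log.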
Additional Information
- For additional assistance, contact HashiCorp Support.