Problem
Attempting to upload a module into the private module registry fails, resulting in a SIC-001 error code displayed in the UI.
Cause
- The blob storage that is connected to the Terraform Enterprise instance may not have the proper write permissions.
- A clue to the cause can be found in the archivist logs located on the Terraform Enterprise instance.
- The archivist log can be accessed from the Terraform Enterprise instance by running the following command from the command prompt as root:
  $ docker logs ptfe_archivist
  - For Terraform Enterprise v202205-1 or later:
    $ docker logs tfe-archivist
- The archivist log should report something similar to:
  2022-04-25T17:32:04.374189128Z 2022/04/25 17:32:04 [ERROR] http.upload: writing to archive store failed { body-size=10789805 copied=0 duration="64.700726ms" err="failed uploading RequestID \"zzzzzzzzzzz\": AccessDenied: User: arn:aws:sts::xxxxxxxxx:assumed-role/pl_tfe_role/i-xxxxxxxxxx is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-west-2:/xxxxxxxx because no identity-based policy allows the kms:GenerateDataKey action\n\tstatus code: 403, request id: xxxxxxxxxx, host id: abcdefghij/xxxxxxx/xxxxxxxxxxx=" obj.encrypted=true obj.expire= obj.key="terraform/modules/" obj.mode="w" }
- This message indicates that write access to the storage location, which is necessary to upload a module, is denied. In this example, the denied action is kms:GenerateDataKey, requested by the instance's assumed role.
Solutions
Validate that the user has the proper access to the storage location in accordance with the Terraform Enterprise S3 bucket access policy, and update the policy if necessary.
Here is a snippet of the minimum requirements:
{
  "Effect": "Allow",
  "Action": [
    "s3:PutObject",
    "s3:ListBucket",
    "s3:GetObject",
    "s3:DeleteObject",
    "s3:GetBucketLocation"
  ],
  "Resource": [
    "<BUCKET_ARN>",
    "<BUCKET_ARN>/*"
  ]
}
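As an added example (not HashiCorp's code), the following Python sketch extracts the denied action from an archivist AccessDenied line and checks an identity policy document against the five actions listed above. The sample log line, role name, bucket name and probe object key are constructed, and Condition, NotAction and NotResource elements are not evaluated.

```python
import re
from fnmatch import fnmatchcase

# Actions from the article's minimum policy, grouped by the resource type
# each is evaluated against (the bucket itself vs. objects in it).
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]
DENIED_RE = re.compile(
    r"AccessDenied: User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)")

def parse_denial(log_line):
    """Extract principal, action and resource from an AccessDenied log line."""
    m = DENIED_RE.search(log_line)
    return m.groupdict() if m else None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; ARNs are matched case-sensitively.
    acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return (any(fnmatchcase(action.lower(), a) for a in acts) and
            any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))

def missing_actions(policy, bucket_arn):
    """Required actions that no Allow statement grants, or that a Deny blocks.
    Simplification: Condition, NotAction and NotResource are not evaluated."""
    stmts = _as_list(policy["Statement"])
    # "/terraform/modules/x" is a hypothetical object key used only as a probe.
    checks = ([(a, bucket_arn) for a in BUCKET_ACTIONS] +
              [(a, bucket_arn + "/terraform/modules/x") for a in OBJECT_ACTIONS])
    def hit(effect, action, resource):
        return any(s["Effect"] == effect and _matches(s, action, resource) for s in stmts)
    return [a for a, r in checks if hit("Deny", a, r) or not hit("Allow", a, r)]

# Constructed sample data (not taken from a real deployment).
SAMPLE_LOG = ('[ERROR] http.upload: writing to archive store failed { err="AccessDenied: '
              'User: arn:aws:sts::111122223333:assumed-role/example_tfe_role/i-0example '
              'is not authorized to perform: kms:GenerateDataKey on resource: '
              'arn:aws:kms:us-west-2:111122223333:key/EXAMPLE because no identity-based '
              'policy allows the kms:GenerateDataKey action" }')
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::example-tfe-bucket/*"]}]}

if __name__ == "__main__":
    print(parse_denial(SAMPLE_LOG))
    print(missing_actions(SAMPLE_POLICY, "arn:aws:s3:::example-tfe-bucket"))
```

A denied action outside the five S3 actions, such as kms:GenerateDataKey in the log shown earlier, is not surfaced by the policy check and has to be read from the log line itself.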
Outcome
When the minimum requirements are configured appropriately on the S3 bucket, uploading a module to the private module registry should succeed.
Additional Information
- For additional assistance, please contact HashiCorp Support.