Problem
Attempting to upload a module to the private module registry fails, and the UI displays a SIC-001 error code.
Cause
- The blob storage that is connected to the Terraform Enterprise instance may not have the proper permissions to be written to.
- A clue to the cause can be found in the archivist log on the Terraform Enterprise instance. To view it, run the following command on the instance as root or using sudo:
docker logs ptfe_archivist
- The archivist log should report something similar to:
2022-04-25T17:32:04.374189128Z 2022/04/25 17:32:04 [ERROR] http.upload: writing to archive store failed { body-size=10789805 copied=0 duration="64.700726ms" err="failed uploading RequestID \"zzzzzzzzzzz\": AccessDenied: User: arn:aws:sts::xxxxxxxxx:assumed-role/pl_tfe_role/i-xxxxxxxxxx is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-west-2:/xxxxxxxx because no identity-based policy allows the kms:GenerateDataKey action\n\tstatus code: 403, request id: xxxxxxxxxx, host id: abcdefghij/xxxxxxx/xxxxxxxxxxx=" obj.encrypted=true obj.expire= obj.key="terraform/modules/" obj.mode="w" }
- This message indicates that write access to the storage location, which is necessary to upload a module, is denied. In this example the denied action is kms:GenerateDataKey.
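To pull the denied action and the IAM role out of archivist output like the entry above, a short Python sketch follows. It is an added example, not HashiCorp code; the sample log lines are constructed with placeholder account, role and key values, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the shape of the archivist error quoted above
# (placeholder account, role and key values; the second line is unrelated noise).
SAMPLE_LOG = r'''
2022/04/25 17:32:04 [ERROR] http.upload: writing to archive store failed { body-size=10789805 copied=0 err="failed uploading RequestID \"zzz\": AccessDenied: User: arn:aws:sts::111111111111:assumed-role/pl_tfe_role/i-0000 is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-west-2:111111111111:key/EXAMPLE because no identity-based policy allows the kms:GenerateDataKey action\n\tstatus code: 403" obj.key="terraform/modules/" obj.mode="w" }
2022/04/25 17:32:05 [INFO] http.download: served object { obj.key="terraform/plans/" }
'''

DENIED = re.compile(
    r'AccessDenied: User: (?P<principal>\S+) is not authorized to perform: '
    r'(?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)')
OBJ_KEY = re.compile(r'obj\.key="([^"]*)"')
ROLE = re.compile(r':assumed-role/([^/]+)/')

def denied_requests(log_text):
    """Return one record per archivist line that carries an AWS AccessDenied error."""
    findings = []
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue
        role = ROLE.search(m["principal"])
        key = OBJ_KEY.search(line)
        findings.append({
            "action": m["action"],
            "service": m["action"].split(":")[0],  # "kms" vs "s3" tells you which policy to inspect
            "resource": m["resource"],
            # Policies attach to the IAM role, not to the STS session ARN shown in the log.
            "role": role.group(1) if role else m["principal"],
            "obj_key": key.group(1) if key else None,
        })
    return findings

def summarize(findings):
    """Count denials per (role, action) so each missing permission is listed once."""
    return Counter((f["role"], f["action"]) for f in findings)

if __name__ == "__main__":
    for (role, action), n in summarize(denied_requests(SAMPLE_LOG)).items():
        print(f"{role}: missing {action} ({n} denied request(s))")
```

To run it against a real instance, replace SAMPLE_LOG with the captured output of the docker logs command above.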
Solutions:
Validate that the user has the proper access to the storage location in accordance with the Terraform Enterprise S3 bucket access policy, and update the policy if necessary. Here is a snippet of the minimum requirements:
{
  "Effect": "Allow",
  "Action": [
    "s3:PutObject",
    "s3:ListBucket",
    "s3:GetObject",
    "s3:DeleteObject",
    "s3:GetBucketLocation"
  ],
  "Resource": [
    "<BUCKET_ARN>",
    "<BUCKET_ARN>/*"
  ]
}
Outcome
When the minimum requirements are configured appropriately on the S3 bucket, uploading a module to the private module registry should succeed.
Additional Information
- For additional assistance, please contact HashiCorp Support.