Pulling some modules from registry.samarkand.io returns 403

Hi,

We are running Terraform in a CI/CD pipeline (self-hosted GitLab runners with Atlantis) and today we started getting errors like this:

╷
│ Error: Error accessing remote module registry
│ 
│ Failed to retrieve available versions for module "keycloak_realm"
│ (keycloak.tf:1) from registry.terraform.io: Failed to request discovery
│ document: 403 Forbidden.
╵
╷
│ Error: Error accessing remote module registry
│ 
│ Failed to retrieve available versions for module "keycloak_realm"
│ (keycloak.tf:1) from registry.terraform.io: Failed to request discovery
│ document: 403 Forbidden.
╵

This is not specific to the keycloak_realm; downloading other modules results in the same error as well:

│ Error: Failed to query available provider packages
│ 
│ Could not retrieve the list of available versions for provider
│ hashicorp/kubernetes: host registry.terraform.io requires authentication
│ credentials

GitLab runners are hosted on Alicloud in the London, UK region, in case it matters.

Is anyone else having similar issues?

Thanks,
Martin

Hi @martinkubrak,

It seems like you are seeing intermittent errors when making requests to different endpoints on registry.terraform.io.

The first of these errors is referring to the “discovery document”, which in practice means this URL:

https://registry.terraform.io/.well-known/terraform.json

The last error you shared seems like it did manage to request the discovery document and found the needed API endpoint, but then the request to that other endpoint returned 403 Forbidden.

The registry itself doesn’t have formal access control on these endpoints because this is a public registry, so this suggests that some intermediary is interfering. But I’m sure what to suggest to debug it; can you reproduce the error if you directly request the URL above (e.g. using curl)?
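The curl check suggested above, as an added example that is not part of the original thread: because the failures are intermittent, it requests the discovery document repeatedly and tallies how often the answer is a 403 rather than the discovery JSON. The function names, the `--run` switch and the default of 20 requests are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): measure how often the discovery
# document request is refused. Function names are this example's own.
DISCOVERY_URL="https://registry.terraform.io/.well-known/terraform.json"

# classify STATUS BODY: a real discovery document is JSON naming the
# "modules.v1" service; a 403 is a refusal somewhere on the path.
classify() {
    case "$1" in
        200) case "$2" in
                 *'"modules.v1"'*) echo ok ;;
                 *) echo unexpected ;;   # 200, but not the discovery JSON
             esac ;;
        403) echo blocked ;;
        000) echo network ;;             # curl got no HTTP response at all
        *)   echo unexpected ;;
    esac
}

# summarize: read one class per line on stdin and print the tally.
summarize() {
    ok=0; blocked=0; other=0
    while read -r class; do
        case "$class" in
            ok)      ok=$((ok + 1)) ;;
            blocked) blocked=$((blocked + 1)) ;;
            *)       other=$((other + 1)) ;;
        esac
    done
    echo "ok=$ok blocked=$blocked other=$other total=$((ok + blocked + other))"
}

# probe_once: one request; body goes to a temp file, status code to stdout.
probe_once() {
    body_file=$(mktemp)
    status=$(curl -s --max-time 10 -o "$body_file" -w '%{http_code}' \
        "$DISCOVERY_URL") || status=000
    classify "$status" "$(cat "$body_file")"
    rm -f "$body_file"
}

# run_probe COUNT: COUNT requests, one per second, then the tally.
run_probe() {
    i=0
    while [ "$i" -lt "${1:-20}" ]; do
        probe_once; i=$((i + 1)); sleep 1
    done | summarize
}

# On the CI runner: sh probe.sh --run 20
if [ "${1:-}" = "--run" ]; then run_probe "${2:-20}"; fi
```

Running it from the affected runner and from a host on another network gives two tallies to compare, which is useful evidence to attach to a support request.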

Hi @apparentlymart,

Thanks for the quick reply. I am getting "This content is not available in your region" (with a link to Trade Controls) more or less half of the time. I assume this is because we are using Alicloud. Mind you, the server from which requests are made is located in London, UK.

Thanks,
Martin

Hi @martinkubrak,

Indeed, we are required to comply with trade control legislation so it is possible that your client appears to originate from an IP range that has been designated in that way.

If so I’m afraid I don’t have any suggestions for how to proceed. I don’t personally have any view into how those controls are implemented and cannot suggest ways to circumvent them. :confounded:

The trade controls page suggests contacting HashiCorp Support if you are incorrectly impacted by these rules. If you are able to do so that would be my recommendation for what to try next.

Hi @apparentlymart,

Thanks, I have contacted HashiCorp support. I am not aware of Alicloud being targeted by trade restrictions, so it seems like an imperfect geo IP match to me. Funnily enough, if I make the same request from servers in China, it works almost every time. Perhaps it’s the UK that is being sanctioned :laughing:

Marcin