Upgrading from 0.11 to 0.12 (Terraform couldn't reach the Terraform Registry)

We are attempting to begin upgrading the Terraform version we use from v0.11.14 to v0.12. In order to do so, it is advised that we run the command below to check if there are any pre-upgrade tasks.

terraform 0.12checklist

Our expected behaviour is to get a list of tasks to perform in order to update the configuration files for compatibility with v0.12. However, we get the following message.
/*****
After analyzing this configuration and working directory, we have identified some necessary steps that we recommend you take before upgrading to Terraform v0.12:

  • Terraform couldn’t reach the Terraform Registry (at registry.terraform.io) to determine whether current provider plugins are v0.12-compatible.

    In general, we recommend upgrading to the latest version of each provider before upgrading to Terraform v0.12.

Taking these steps before upgrading to Terraform v0.12 will simplify the upgrade process by avoiding syntax errors and other compatibility problems.
***/
I do have the provider plugin installed locally. Our projects are being executed from a virtual machine on our private network. It has connectivity to trusted sites on the internet, typically over https.

Have you verified that https://registry.hashicorp.com is accessible from the virtual machine?

https://registry.hashicorp.com is accessible from the virtual machine. Due to security constraints, the internet is not accessible from the VM. The provider (aws) is installed locally in ~/.terraform.d/plugin. Is there a way/setting so that it does not try to check the registry?

I think the important part is whether you can download updated providers.

Can you do terraform init -get-plugins=true -upgrade=true without errors?

You can also try to run the checklist with TF_LOG=DEBUG to see the actual call which fails.

I don’t get any error when I run… terraform init -get-plugins=true -upgrade=true

After setting TF_LOG to debug, I see the following error…
[ERR] Checkpoint error: Get https://checkpoint-api.hashicorp.com/v1/check/terraform?arch

It obviously fails because the internet is not accessible from the VM.

I was able to fix the “checkpoint” error by adding disable_checkpoint=true in the .terraformrc file. However, the main problem still exists…

After analyzing this configuration and working directory, we have identified some necessary steps that we recommend you take before upgrading to Terraform v0.12:

* Terraform couldn’t reach the Terraform Registry (at `registry.terraform.io`) to determine whether current provider plugins are v0.12-compatible. In general, we recommend upgrading to the latest version of each provider before upgrading to Terraform v0.12.

Taking these steps before upgrading to Terraform v0.12 will simplify the upgrade process by avoiding syntax errors and other compatibility problems.

Okay so maybe you can get that URL whitelisted also?

I’m not sure what is causing the connectivity problems for you here, but perhaps you can avoid this problem altogether by knowing what terraform 0.12checklist was going to do here:

The checklist command is accessing a Terraform Registry API endpoint that returns metadata about which provider protocol versions are supported by which releases of a particular provider. In your case it sounds like the aws provider is one of the providers it would need to check.

So the checklist command would access the following URL:

https://registry.terraform.io/v1/providers/hashicorp/aws/versions

It would then scan that result looking for the version you already have installed (assuming the filename is such that Terraform can recognize the version) and making sure it lists 5.0 under the "protocols" property. That endpoint tells us that the earliest AWS provider release that supported this protocol was 2.7.0, and so the checklist tool would prompt you to upgrade if your current version were earlier than that.

If your current AWS provider version is already 2.7.0 or newer then no upgrade of that provider is needed and you can ignore that checklist item.

In the above I’m assuming that the AWS provider is the only one used by your configurations, but note that the same would apply to any other providers such as null or template that your configurations might be using. If you run terraform providers after a successful terraform init then it should print out all of the providers being used by that particular configuration, so you can check whether any others might need upgrading.

As the message mentions, the Terraform team does recommend upgrading to the latest version of each provider before upgrading, just to separate the provider upgrade task from the Terraform 0.12 upgrade task and thus avoid compounding problems, but upgrading to the earliest version that supports the Terraform 0.12 provider protocol (protocol version 5.0) is sufficient for protocol compatibility.
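The check described in the answer above can be reproduced offline on a host that cannot reach the registry. This is an added example, not code from the thread or from Terraform. It assumes the JSON from the versions endpoint was saved on a machine with access and carries a "versions" list whose entries have "version" and "protocols", and that local plugin files are named like terraform-provider-NAME_vX.Y.Z_x4; the sample data is constructed.

```python
import json
import re

# Constructed sample shaped like the saved registry response (illustrative data).
SAMPLE_VERSIONS_JSON = """
{"id": "hashicorp/aws", "versions": [
  {"version": "2.6.0",  "protocols": ["4.0"]},
  {"version": "2.10.0", "protocols": ["4.0", "5.0"]},
  {"version": "2.7.0",  "protocols": ["4.0", "5.0"]},
  {"version": "3.0.0",  "protocols": ["5.0"]}
]}
"""

# Assumed local plugin naming: terraform-provider-NAME_vX.Y.Z_x4
PLUGIN_RE = re.compile(
    r"^terraform-provider-(?P<name>[^_]+)_v(?P<version>\d+\.\d+\.\d+)(?:_x\d+)?(?:\.exe)?$"
)
RELEASE_RE = re.compile(r"^\d+\.\d+\.\d+$")


def version_key(version):
    """Numeric sort key, so 2.7.0 orders before 2.10.0."""
    return tuple(int(part) for part in version.split("."))


def check_provider(filename, versions_json, protocol="5.0"):
    """Return (status, detail) for one locally installed plugin binary."""
    match = PLUGIN_RE.match(filename)
    if match is None:
        return ("unknown", "no version recognizable in filename")
    name, version = match.group("name"), match.group("version")
    releases = {
        r["version"]: r.get("protocols", [])
        for r in json.loads(versions_json)["versions"]
    }
    if version not in releases:
        return ("unknown", f"{name} {version} not listed in metadata")
    if protocol in releases[version]:
        return ("ok", f"{name} {version} lists protocol {protocol}")
    supporting = sorted(
        (v for v, p in releases.items() if protocol in p and RELEASE_RE.match(v)),
        key=version_key,
    )
    earliest = supporting[0] if supporting else "none"
    return ("upgrade", f"{name} {version} lacks {protocol}; earliest with it: {earliest}")


if __name__ == "__main__":
    for plugin in ("terraform-provider-aws_v2.6.0_x4", "terraform-provider-aws_v2.7.0_x4"):
        print(plugin, check_provider(plugin, SAMPLE_VERSIONS_JSON))
```

Run it once per file in the local plugin directory; an "unknown" result means the filename or the saved metadata needs a manual look rather than that the provider is incompatible.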