OPA Policy run in Terraform Enterprise errors with null

Troubleshooting


Problem

When you perform a run on a workspace in Terraform Enterprise with an Open Policy Agent (OPA) policy set attached, the run fails with a null error in the logs.

Terraform Enterprise run log showing a null error during policy check

The Terraform Enterprise logs may contain an error message similar to the following, indicating a failure to download the OPA binary from GitHub.

{
  "@level": "info",
  "@message": "[ERROR] policy: Failed handling policy evaluation: error=\"operation failed: failed fetching opa binary: failed downloading opa: failed downloading \\\"https://github.com/open-policy-agent/opa/releases/download/v0.61.0/opa_linux_amd64_static\\\": GET https://github.com/open-policy-agent/opa/releases/download/v0.61.0/opa_linux_amd64_static giving up after 5 attempt(s): Get \\\"https://github.com/open-policy-agent/opa/releases/download/v0.61.0/opa_linux_amd64_static\\\": Forbidden\"",
  "@module": "task-worker.executor.task-output",
  "@timestamp": "2024-09-18T09:39:08.952767Z",
  "id": "dda71914-8823-41a9-baee-0bfec0bf2c5c",
  "name": "agent-run",
  "stream": "stdout"
}

Prerequisites

  • You are using OPA policies in Terraform Enterprise.
  • Your Terraform Enterprise installation does not have direct internet access to github.com.

Cause

By default, Terraform Enterprise attempts to download the required OPA binary from github.com. If your Terraform Enterprise server is in an air-gapped or restricted network environment that cannot reach this external endpoint, the download fails, causing the policy evaluation to error.

Solution

To resolve this issue, you must download the OPA binary and host it in a location that Terraform Enterprise can access. You can then update the OPA version configuration to point to this internal location.

Procedure

  1. In your browser, navigate to the OPA Versions admin page at https://$YOUR_TFE_URL/app/admin/opa-versions.
  2. Click on an OPA version to identify the official download URL for the binary you need. The URL will resemble the following example.

    https://github.com/open-policy-agent/opa/releases/download/v0.61.0/opa_linux_amd64_static
  3. From a machine with internet access, download the binary from this URL.
  4. Upload the binary to an internally hosted location, such as an artifact repository or web server, that is reachable by your Terraform Enterprise instance.
  5. Return to the OPA version settings page in Terraform Enterprise and update the URL field to point to the new, internally hosted location of the binary.
  6. Click Update OPA version to save the changes.
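Steps 3 and 4 move an executable across a network boundary, so it is worth checking the download against its published checksum before hosting it. The script below is an added example, not part of the original article or of Terraform Enterprise. It assumes the OPA release publishes a `.sha256` file next to each binary (as the OPA download documentation describes), that `curl`, `awk` and `sha256sum` are installed, and that the staging directory is a hypothetical path served by your internal repository.

```shell
#!/bin/sh
# Added example (not from the original article): verify an OPA release binary
# before staging it for internal hosting. Assumes curl, awk and sha256sum.

OPA_VERSION="v0.61.0"               # version taken from the log on this page
OPA_ASSET="opa_linux_amd64_static"
OPA_BASE="https://github.com/open-policy-agent/opa/releases/download"

# Step 3: download the binary and its published checksum file into directory $1.
fetch_opa() {
  curl -fsSL -o "$1/$OPA_ASSET" "$OPA_BASE/$OPA_VERSION/$OPA_ASSET" &&
  curl -fsSL -o "$1/$OPA_ASSET.sha256" "$OPA_BASE/$OPA_VERSION/$OPA_ASSET.sha256"
}

# Exit 0 only if the SHA-256 of file $1 equals the digest in checksum file $2.
# Exit 2 if an input is unreadable or the checksum file is malformed.
verify_sha256() (
  [ -r "$1" ] && [ -r "$2" ] || exit 2
  expected=$(awk 'NR==1 {print tolower($1)}' "$2")
  [ "${#expected}" -eq 64 ] || exit 2
  case "$expected" in *[!0-9a-f]*) exit 2 ;; esac
  actual=$(sha256sum "$1" | awk '{print $1}')
  [ "$actual" = "$expected" ]
)

# Step 4 (local part): copy the binary from $1 into $2/<version>/ only after
# the checksum matches. $2 is a hypothetical staging directory that your
# artifact repository or web server publishes.
stage_opa() {
  if ! verify_sha256 "$1/$OPA_ASSET" "$1/$OPA_ASSET.sha256"; then
    echo "refusing to stage $OPA_ASSET: checksum missing or mismatched" >&2
    return 1
  fi
  mkdir -p "$2/$OPA_VERSION" &&
  cp "$1/$OPA_ASSET" "$1/$OPA_ASSET.sha256" "$2/$OPA_VERSION/"
}

# Usage: sh stage-opa.sh /path/to/staging-dir
if [ "$#" -eq 1 ]; then
  work=$(mktemp -d) && fetch_opa "$work" && stage_opa "$work" "$1"
fi
```

Because the checksum comes from the same release as the binary, it catches corrupted or truncated transfers rather than a compromised upstream. Keeping the `.sha256` file beside the hosted binary lets you re-check the copy that Terraform Enterprise will fetch.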

Outcome

After updating the URL to the internally hosted binary, you will be able to perform runs in Terraform Enterprise workspaces that use OPA policy sets without encountering download errors.

Additional Information

Document Location

Worldwide

Historical Number

33562237085715

Document Information

Modified date:
16 March 2026

UID

ibm17265158