Improve "terraform init" error message when requiring sudo

[lamw]

Terraform Version

Terraform v0.12.24

Expected Behavior

If sudo or elevated privileges is required, the error message should state as such rather than connectivity issue which is miss-leading and incorrect.

Actual Behavior

The error thrown when performing terraform init on my MacOS system was that it was unable to reach TF Registry.

Steps to Reproduce

terraform init

Initializing the backend...

Initializing provider plugins...
- Checking for available provider plugins...

Registry service unreachable.

This may indicate a network issue, or an issue with the requested Terraform Registry.

Error: registry service is unreachable, check https://status.hashicorp.com/ for status updates

References

• Not able to run terraform init command #21876

[danieldreier]

terraform init doesn't normally require sudo. Can you tell me why you think this was sudo-related?

[lamw]

@danieldreier See reference Issue and this is why I tried sudo and it ended up working for me

[danieldreier]

@lamw that referenced issue ended somewhat ambiguously, and I don't have enough data on your particular issue to confirm that it's the same, so I'd like to start over troubleshooting-wise.

Can you please include the output of a terraform init when you run TF_LOG=TRACE terraform init to help me understand what's going on? I can't tell whether you are actually running into a network error, or if you're having some local filesystem permissions issue and terraform is incorrectly reporting a network error.

[lamw]

Sure. Here's the output

┌─[lamw] - [~] - [2020-05-12 05:40:55]
└─[0] <> TF_LOG=TRACE terraform init
2020/05/12 17:40:56 [INFO] Terraform version: 0.12.24
2020/05/12 17:40:56 [INFO] Go runtime version: go1.12.13
2020/05/12 17:40:56 [INFO] CLI args: []string{"/usr/local/bin/terraform", "init"}
2020/05/12 17:40:56 [DEBUG] Attempting to open CLI config file: /Users/lamw/.terraformrc
2020/05/12 17:40:56 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2020/05/12 17:40:56 [INFO] CLI command args: []string{"init"}

Initializing the backend...
2020/05/12 17:40:56 [TRACE] Meta.Backend: no config given or present on disk, so returning nil config
2020/05/12 17:40:56 [TRACE] Meta.Backend: backend has not previously been initialized in this working directory
2020/05/12 17:40:56 [DEBUG] New state was assigned lineage "0dd15e54-d467-76e5-81f2-8ccdda6b6ac7"
2020/05/12 17:40:56 [TRACE] Meta.Backend: using default local state only (no backend configuration, and no existing initialized backend)
2020/05/12 17:40:56 [TRACE] Meta.Backend: instantiated backend of type <nil>
2020/05/12 17:40:56 [DEBUG] checking for provider in "."
2020/05/12 17:40:56 [DEBUG] checking for provider in "/usr/local/bin"
2020/05/12 17:40:56 [DEBUG] checking for provisioner in "."
2020/05/12 17:40:56 [DEBUG] checking for provisioner in "/usr/local/bin"
2020/05/12 17:40:56 [INFO] Failed to read plugin lock file .terraform/plugins/darwin_amd64/lock.json: open .terraform/plugins/darwin_amd64/lock.json: no such file or directory
2020/05/12 17:40:56 [TRACE] Meta.Backend: backend <nil> does not support operations, so wrapping it in a local backend
2020/05/12 17:40:56 [TRACE] backend/local: state manager for workspace "default" will:
 - read initial snapshot from terraform.tfstate
 - write new snapshots to terraform.tfstate
 - create any backup at terraform.tfstate.backup
2020/05/12 17:40:56 [TRACE] statemgr.Filesystem: reading initial snapshot from terraform.tfstate
2020/05/12 17:40:56 [TRACE] statemgr.Filesystem: snapshot file has nil snapshot, but that's okay
2020/05/12 17:40:56 [TRACE] statemgr.Filesystem: read nil snapshot
2020/05/12 17:40:56 [DEBUG] checking for provider in "."
2020/05/12 17:40:56 [DEBUG] checking for provider in "/usr/local/bin"

2020/05/12 17:40:56 [DEBUG] plugin requirements: "vsphere"=""
Initializing provider plugins...
- Checking for available provider plugins...
2020/05/12 17:40:56 [DEBUG] Service discovery for registry.terraform.io at https://registry.terraform.io/.well-known/terraform.json
2020/05/12 17:40:56 [TRACE] HTTP client GET request to https://registry.terraform.io/.well-known/terraform.json
2020/05/12 17:40:59 [ERR] Checkpoint error: Get https://checkpoint-api.hashicorp.com/v1/check/terraform?arch=amd64&os=darwin&signature=04f49a35-36bc-295a-5ec0-8fe18c37942a&version=0.12.24: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
2020/05/12 17:41:06 [DEBUG] Failed to request discovery document: Get https://registry.terraform.io/.well-known/terraform.json: net/http: TLS handshake timeout

Registry service unreachable.

This may indicate a network issue, or an issue with the requested Terraform Registry.


Error: registry service is unreachable, check https://status.hashicorp.com/ for status updates

Also, if I manually curl terraform.json file, it works fine :) So its not network issue

┌─[lamw] - [~] - [2020-05-12 05:41:06]
└─[1] <> curl https://registry.terraform.io/.well-known/terraform.json
{"modules.v1":"/v1/modules/","providers.v1":"/v1/providers/"}

[danieldreier]

Interesting. I'm surprised to see this fail and curl work. Do you have to configure a VPN or proxy for any of your other applications?

[lamw]

Disconnected all VPNs already, no proxy of any sorts. I've even dropped my network interface and re-added (in case there were any issues). Same behavior :(

[danieldreier]

This is absolutely odd. Is it possible you have HTTP_PROXY or HTTPS_PROXY environment variables set as your user but not as root?

If that is not the case, my next suggestion would be to try creating a different user account on your mac and running from there to check the different between that vs actually needing root permissions.

[rnsv]

I have a similar issue. Even root does not seem to fix the issue. I am running the whole thing within a docker container. HTTP_PROXY and HTTPS_PORXY are unset

I am using hashicorp/terraform:0.12.26

For debugging purposes, I did a curl before init. Curl works fine

Step 8/11 : RUN curl -O https://registry.terraform.io/.well-known/terraform.json
[91m  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    62  100    62    0     0    430[0m[91m      0 --:--:-- --:--:-- --:--:--   430

Step 9/11 : RUN cat terraform.json
{"modules.v1":"/v1/modules/","providers.v1":"/v1/providers/"}

Step 11/11 : RUN terraform init

[INFO] Terraform version: 0.12.26  
[INFO] Go runtime version: go1.12.13
[INFO] CLI args: []string{"/bin/terraform", "init"}
[DEBUG] Attempting to open CLI config file: /root/.terraformrc
[DEBUG] File doesn't exist, but doesn't need to. Ignoring.
[INFO] CLI command args: []string{"init"}

Initializing the backend...
[TRACE] Meta.Backend: no config given or present on disk, so returning nil config
[TRACE] Meta.Backend: backend has not previously been initialized in this working directory
[DEBUG] New state was assigned lineage "e6b77f39-89e2-9469-b422-fef0ad55fcae"
[TRACE] Meta.Backend: using default local state only (no backend configuration, and no existing initialized backend)
[TRACE] Meta.Backend: instantiated backend of type <nil>
[DEBUG] checking for provider in "."
[DEBUG] checking for provider in "/bin"
[DEBUG] checking for provisioner in "."
[DEBUG] checking for provisioner in "/bin"
[INFO] Failed to read plugin lock file .terraform/plugins/linux_amd64/lock.json: open .terraform/plugins/linux_amd64/lock.json: no such file or directory
[TRACE] Meta.Backend: backend <nil> does not support operations, so wrapping it in a local backend
[TRACE] backend/local: state manager for workspace "default" will:
 - read initial snapshot from terraform.tfstate
 - write new snapshots to terraform.tfstate
 - create any backup at terraform.tfstate.backup
[TRACE] statemgr.Filesystem: reading initial snapshot from terraform.tfstate
[TRACE] statemgr.Filesystem: snapshot file has nil snapshot, but that's okay
[TRACE] statemgr.Filesystem: read nil snapshot
[DEBUG] checking for provider in "."
[DEBUG] checking for provider in "/bin"

Initializing provider plugins...
[DEBUG] plugin requirements: "aws"=">= 2.36.0"
Checking for available provider plugins...
[DEBUG] Service discovery for registry.terraform.io at https://registry.terraform.io/.well-known/terraform.json
[TRACE] HTTP client GET request to https://registry.terraform.io/.well-known/terraform.json
[DEBUG] Failed to request discovery document: Get https://registry.terraform.io/.well-known/terraform.json: net/http: TLS handshake timeout

Registry service unreachable.

This may indicate a network issue, or an issue with the requested Terraform Registry.
Error: registry service is unreachable, check https://status.hashicorp.com/ for status updates

[danieldreier]

@rnsv are you able to share the dockerized environment where you're able to reproduce this?

[lamw]

Finally solved this problem and thanks to https://discuss.hashicorp.com/t/error-when-running-terraform-init/3135/4?u=lamw

This was PITA to figure out the issue and it would be really nice to see this enhanced for when this occurs as it has nothing to do with not being able to connect to registry. I don't even why these expired certs are considered "valid" even though they expired but could be due to Microsoft RDP mentioned in thread which I also use