Getting error "Failed to retrieve available versions for module "vpc"" when running Terraform plan

[Heathfie]

Terraform Version

Terraform v1.5.7

Terraform Configuration Files

terraform { required_version = ">= 0.13.2" backend "s3" {} }

module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "~>2.0" }

Debug Output

Initializing modules...

Error: Error accessing remote module registry

Failed to retrieve available versions for module "vpc" (network/main.tf:113) from registry.terraform.io: Failed to request discovery document: Get "https://registry.terraform.io/.well-known/terraform.json": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers).

Expected Behavior

Show changes for plan

Actual Behavior

Initializing modules...

Error: Error accessing remote module registry

Failed to retrieve available versions for module "vpc" (network/main.tf:113) from registry.terraform.io: Failed to request discovery document: Get "https://registry.terraform.io/.well-known/terraform.json": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers).

Steps to Reproduce

1. terraform init
2. terraform plan

Additional Context

No response

References

22774

[apparentlymart]

Hi @Heathfie! Sorry this didn't work for you.

The error you shared is one I'd expect from terraform init rather than from terraform plan, because it's related to dependency installation and that's a job done by the init command.

Unfortunately this appears to be a network problem rather than a bug in Terraform, since Terraform does appear to be using the correct URL to fetch this information but apparently the response from the server didn't arrive in time.

Is there anything unusual about the network where you are running Terraform? For example, does it have anything blocking access to some remote servers which might include the Terraform Registry?

The Terraform Registry doesn't seem to be down for everyone, and so I'm assuming a problem on your own network to start. Unfortunately this sort of problem is classically hard to resolve because we cannot know how your connection to the internet is configured and cannot access any systems on your network to debug with. 😖

[Heathfie]

The strange thing is that this worked and then yesterday, it stopped.

If I do a curl, it works which is weird for a network issue.

while true; do curl -v https://registry.terraform.io/.well-known/terraform.json ; sleep 1; done

• About to connect() to registry.terraform.io port 443 (#0)
• Trying 52.85.61.2...
• Connected to registry.terraform.io (52.85.61.2) port 443 (#0)
• Initializing NSS with certpath: sql:/etc/pki/nssdb
• CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
• SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• Server certificate:
• subject: CN=cf-registry.tf-registry-prod-use1.terraform.io
• start date: Jan 18 00:00:00 2023 GMT
• expire date: Feb 16 23:59:59 2024 GMT
• common name: cf-registry.tf-registry-prod-use1.terraform.io
• issuer: CN=Amazon RSA 2048 M02,O=Amazon,C=US

  GET /.well-known/terraform.json HTTP/1.1 User-Agent: curl/7.29.0 Host: registry.terraform.io Accept: /

  < HTTP/1.1 200 OK < Content-Type: application/json < Content-Length: 62 < Connection: keep-alive < Date: Wed, 01 Nov 2023 14:45:03 GMT < Accept-Ranges: bytes < Cache-Control: public, max-age=3600, stale-if-error=31536000 < Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://cdn.segment.com https://unpkg.com/@segment/consent-manager@5.6.0/standalone/consent-manager.js https://www.googletagmanager.com https://a.optnmstr.com; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com https://p.typekit.net https://use.typekit.net; img-src 'self' data: https: https://www.google-analytics.com; font-src 'self' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com https://fonts.gstatic.com https://use.typekit.net; connect-src 'self' https://www.google-analytics.com https://*.launchdarkly.com https://api.segment.io https://cdn.segment.com https://sentry.io https://api.omappapi.com https://api.opmnstr.com https://api.optmnstr.com https://*.algolia.net https://*.algolianet.com https://app.terraform.io https://app.staging.terraform.io https://api.github.com/emojis < Feature-Policy: < Last-Modified: Tue, 31 Oct 2023 18:34:55 GMT < Referrer-Policy: no-referrer-when-downgrade < Server: terraform-registry/73974bbfba0a71ac6ba9ae85eef128cd27320bbb < Strict-Transport-Security: max-age=31536000; includeSubDomains; preload < X-Content-Type-Options: nosniff < X-Frame-Options: DENY < X-Xss-Protection: 1; mode=block < Vary: Accept-Encoding < X-Cache: Hit from cloudfront < Via: 1.1 c45a9630d6506aeeffefe81fbc0ed0ae.cloudfront.net (CloudFront) < X-Amz-Cf-Pop: EWR53-P1 < X-Amz-Cf-Id: CdZ4-l8dY1YsUVna2wYdL1Q35tEExhghipzMicIrwflR9VutCKJ6ag== < Age: 1703 < {"modules.v1":"/v1/modules/","providers.v1":"/v1/providers/"}

• Connection #0 to host registry.terraform.io left intact
• About to connect() to registry.terraform.io port 443 (#0)
• Trying 52.85.61.122...
• Connected to registry.terraform.io (52.85.61.122) port 443 (#0)
• Initializing NSS with certpath: sql:/etc/pki/nssdb
• CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
• SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• Server certificate:
• subject: CN=cf-registry.tf-registry-prod-use1.terraform.io
• start date: Jan 18 00:00:00 2023 GMT
• expire date: Feb 16 23:59:59 2024 GMT
• common name: cf-registry.tf-registry-prod-use1.terraform.io
• issuer: CN=Amazon RSA 2048 M02,O=Amazon,C=US

  GET /.well-known/terraform.json HTTP/1.1 User-Agent: curl/7.29.0 Host: registry.terraform.io Accept: /

  < HTTP/1.1 200 OK < Content-Type: application/json < Content-Length: 62 < Connection: keep-alive < Date: Wed, 01 Nov 2023 14:45:03 GMT < Accept-Ranges: bytes < Cache-Control: public, max-age=3600, stale-if-error=31536000 < Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://cdn.segment.com https://unpkg.com/@segment/consent-manager@5.6.0/standalone/consent-manager.js https://www.googletagmanager.com https://a.optnmstr.com; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com https://p.typekit.net https://use.typekit.net; img-src 'self' data: https: https://www.google-analytics.com; font-src 'self' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com https://fonts.gstatic.com https://use.typekit.net; connect-src 'self' https://www.google-analytics.com https://*.launchdarkly.com https://api.segment.io https://cdn.segment.com https://sentry.io https://api.omappapi.com https://api.opmnstr.com https://api.optmnstr.com https://*.algolia.net https://*.algolianet.com https://app.terraform.io https://app.staging.terraform.io https://api.github.com/emojis < Feature-Policy: < Last-Modified: Tue, 31 Oct 2023 18:34:55 GMT < Referrer-Policy: no-referrer-when-downgrade < Server: terraform-registry/73974bbfba0a71ac6ba9ae85eef128cd27320bbb < Strict-Transport-Security: max-age=31536000; includeSubDomains; preload < X-Content-Type-Options: nosniff < X-Frame-Options: DENY < X-Xss-Protection: 1; mode=block < Vary: Accept-Encoding < X-Cache: Hit from cloudfront < Via: 1.1 c4460641b6e6b194f0c11732a1b10d1c.cloudfront.net (CloudFront) < X-Amz-Cf-Pop: EWR53-P1 < X-Amz-Cf-Id: H1IG-MMbU20EMn-hfCZ6aA8cV_dCjiELqi0x9LX2XRrB04XLqCQj8Q== < Age: 1704 < {"modules.v1":"/v1/modules/","providers.v1":"/v1/providers/"}

• Connection #0 to host registry.terraform.io left intact
• About to connect() to registry.terraform.io port 443 (#0)
• Trying 52.85.61.28...
• Connected to registry.terraform.io (52.85.61.28) port 443 (#0)
• Initializing NSS with certpath: sql:/etc/pki/nssdb
• CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
• SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• Server certificate:
• subject: CN=cf-registry.tf-registry-prod-use1.terraform.io
• start date: Jan 18 00:00:00 2023 GMT
• expire date: Feb 16 23:59:59 2024 GMT
• common name: cf-registry.tf-registry-prod-use1.terraform.io
• issuer: CN=Amazon RSA 2048 M02,O=Amazon,C=US

  GET /.well-known/terraform.json HTTP/1.1 User-Agent: curl/7.29.0 Host: registry.terraform.io Accept: /

  < HTTP/1.1 200 OK < Content-Type: application/json < Content-Length: 62 < Connection: keep-alive < Date: Wed, 01 Nov 2023 14:45:03 GMT < Accept-Ranges: bytes < Cache-Control: public, max-age=3600, stale-if-error=31536000 < Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://cdn.segment.com https://unpkg.com/@segment/consent-manager@5.6.0/standalone/consent-manager.js https://www.googletagmanager.com https://a.optnmstr.com; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com https://p.typekit.net https://use.typekit.net; img-src 'self' data: https: https://www.google-analytics.com; font-src 'self' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com https://fonts.gstatic.com https://use.typekit.net; connect-src 'self' https://www.google-analytics.com https://*.launchdarkly.com https://api.segment.io https://cdn.segment.com https://sentry.io https://api.omappapi.com https://api.opmnstr.com https://api.optmnstr.com https://*.algolia.net https://*.algolianet.com https://app.terraform.io https://app.staging.terraform.io https://api.github.com/emojis < Feature-Policy: < Last-Modified: Tue, 31 Oct 2023 18:34:55 GMT < Referrer-Policy: no-referrer-when-downgrade < Server: terraform-registry/73974bbfba0a71ac6ba9ae85eef128cd27320bbb < Strict-Transport-Security: max-age=31536000; includeSubDomains; preload < X-Content-Type-Options: nosniff < X-Frame-Options: DENY < X-Xss-Protection: 1; mode=block < Vary: Accept-Encoding < X-Cache: Hit from cloudfront < Via: 1.1 19e58616339f974c22a3a07f8f637718.cloudfront.net (CloudFront) < X-Amz-Cf-Pop: EWR53-P1 < X-Amz-Cf-Id: DvLbbqx2INNx7x_2cjity2o-iyHG7OfTB9-UlmlVlYjUD4VLZVCMwQ== < Age: 1705 < {"modules.v1":"/v1/modules/","providers.v1":"/v1/providers/"}

• Connection #0 to host registry.terraform.io left intact ^C

[apparentlymart]

Thanks for the extra context, @Heathfie.

When you made those requests with curl, did you notice them taking a long time to resolve? I'm wondering if curl by default has a more liberal timeout than Terraform does, since the error message from Terraform suggests that there was too long a delay before it started recieving the response headers from the server.

[Heathfie]

No, actually went through pretty fast. The confusion for me is how that works but the plan wont.

[apparentlymart]

Thanks for confirming.

Unfortunately I'm not sure what to suggest next. The fact that it was working for you previously and you are still using the same Terraform release as before, and that I've not noticed anyone else reporting unavailability of Terraform Registry at the this time, suggests that there's something unique about your particular computer or network, but I can't guess what that might be.

Can you try this on a different computer in a different network -- for example, perhaps on a virtual machine in a cloud platform whose internet connection is distinct from the network you're currently using -- and see if you get different results? Another possibility would be to try to capture the raw TLS packets using a packet capture tool and see if there's any obvious difference between what curl is doing and what Terraform is doing, but of course with this being a TLS connection only the high-level connection metadata will be visible, not the underlying HTTP request.

[Heathfie]

I attempted this on a jump host and also had one of my coworkers attempt this from his home. Both had the same error.

[Heathfie]

If you look at the curl output above, it shows last modified date on the 31st right around the time I started to have issues. Is there any way to find out what was modified?

< Feature-Policy: < Last-Modified: Tue, 31 Oct 2023 18:34:55 GMT

[apparentlymart]

Hi @Heathfie,

This /.well-known/terraform.json document is implemented just as a static file in the registry codebase, and I can see in the relevant Git repository (not open source) that this file hasn't changed since almost exactly five years ago (plus a few days).

Because this is a static file, I suspect that this Last-Modified header is populated just using the mtime of the file on disk at the time of serving, and so the modified time would end up changing each time the registry codebase gets deployed (creating a new copy of the same file), even if the file hasn't actually changed. The registry gets redeployed relatively often, so I'd be inclined to say that this similarity of timestamps is just a coincidence, but I also can't think of a way to prove that; the only actual code change I see on October 31 is dealing with a relatively minor implementation detail in the backend of the registry web UI, rather than in the service discovery document.

I think my big question here is: what do your computer, the jump host you tried, and your coworkers computer have in common that isn't true for my computer and those of many other folks who are apparently currently able to install providers from the registry? The registry is served through a CDN with a large number of different regional access points, so one possibility is that there's some sort of problem with the access point that's closest to you, but that explanation would only make sense if the three hosts you tried from all have a similar position in the network and are thus likely to get routed to the same access point.

[Heathfie]

Thanks for your time @apparentlymart , I was able to bypass this by using a Git repo to pull the module.

This can be closed.

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.