How to Fix Terraform Cloud Workspace Errors

Terraform Cloud (TFC) and Terraform Enterprise (TFE) workspaces add a managed execution layer that introduces unique error patterns. This guide covers diagnosing and fixing common TFE workspace errors.

Understanding TFE Workspace Errors

Common Terraform Cloud errors: `` Error: Failed to create workspace: unauthorized Error: Run failed: configuration error Error: Workspace locked: run in progress Error: Failed to upload configuration: invalid TAR file

Issue 1: Authentication and Authorization Errors

Problems with API tokens and workspace permissions.

Error Example: `` Error: Failed to create workspace: unauthorized Error: Failed to get workspace: 401 Unauthorized

Diagnosis: ```bash # Verify API token curl -H "Authorization: Bearer $TFE_TOKEN" \ https://app.terraform.io/api/v2/account/details

# Check token permissions curl -H "Authorization: Bearer $TFE_TOKEN" \ https://app.terraform.io/api/v2/organizations/$ORG/workspaces ```

Solution:

Create proper API tokens: ```bash # Create team API token (recommended) # Go to Organization Settings > Teams > Create API Token

# Or use user token (less secure) # Go to User Settings > Tokens > Create API Token

# Set environment variable export TFE_TOKEN="your-api-token" ```

Verify team permissions in Terraform Cloud: - Navigate to Organization > Teams - Ensure team has required permissions: - write for creating/modifying workspaces - read for viewing workspaces - admin for managing workspace settings

Issue 2: Workspace Configuration Errors

Invalid workspace configuration parameters.

Error Example: `` Error: Invalid workspace configuration Execution mode must be one of: "remote", "local", or "agent"

Solution:

Configure workspace properly using the tfe provider: ```hcl provider "tfe" { organization = "my-organization" }

resource "tfe_workspace" "production" { name = "production" execution_mode = "remote" # or "local", "agent"

# Auto apply on successful plans auto_apply = false speculative_runs = false

# Terraform version terraform_version = "1.3.0"

# Working directory (for monorepos) working_directory = "terraform/aws"

# VCS connection vcs_repo { identifier = "organization/repository" branch = "main" oauth_token_id = "ot-abc123" } }

# Workspace variables resource "tfe_variable" "aws_region" { key = "AWS_REGION" value = "us-east-1" category = "terraform" workspace_id = tfe_workspace.production.id sensitive = false }

resource "tfe_variable" "aws_access_key" { key = "AWS_ACCESS_KEY_ID" value = var.aws_access_key category = "env" workspace_id = tfe_workspace.production.id sensitive = true # Mark sensitive } ```

Issue 3: Run Execution Failures

Runs fail due to configuration or infrastructure issues.

Error Example: `` Error: Run failed: configuration error Error: Error running plan: Provider initialization error

Diagnosis: ```bash # Get run details curl -H "Authorization: Bearer $TFE_TOKEN" \ "https://app.terraform.io/api/v2/runs/$RUN_ID"

# Get run logs curl -H "Authorization: Bearer $TFE_TOKEN" \ "https://app.terraform.io/api/v2/runs/$RUN_ID/logs" ```

Solution:

Check common run failure causes:

1. 1.Missing credentials:
2. 2.```hcl
3. 3.# Add environment variables in workspace
4. 4.resource "tfe_variable" "aws_credentials" {
5. 5.workspace_id = tfe_workspace.production.id
6. 6.category = "env"
7. 7.key = "AWS_ACCESS_KEY_ID"
8. 8.value = var.aws_access_key_id
9. 9.sensitive = true
10. 10.}

resource "tfe_variable" "aws_secret" { workspace_id = tfe_workspace.production.id category = "env" key = "AWS_SECRET_ACCESS_KEY" value = var.aws_secret_key sensitive = true } ```

1. 1.Invalid Terraform version:
2. 2.```hcl
3. 3.resource "tfe_workspace" "production" {
4. 4.name = "production"
5. 5.terraform_version = "1.3.7" # Must match available versions
6. 6.}
7. 7.`
8. 8.Missing provider credentials:
9. 9.```hcl
10. 10.# For AWS provider with workspace identity
11. 11.# Use dynamic credentials via OIDC
12. 12.resource "tfe_variable" "tfc_aws_provider_auth" {
13. 13.key = "TFC_AWS_PROVIDER_AUTH"
14. 14.value = "true"
15. 15.category = "env"
16. 16.workspace_id = tfe_workspace.production.id
17. 17.}

resource "tfe_variable" "tfc_aws_run_role_arn" { key = "TFC_AWS_RUN_ROLE_ARN" value = "arn:aws:iam::ACCOUNT_ID:role/TerraformCloudRole" category = "env" workspace_id = tfe_workspace.production.id } ```

Issue 4: Workspace Lock Conflicts

Cannot start run when workspace is locked.

Error Example: `` Error: Workspace is locked The workspace 'production' is currently locked by run run-abc123

Solution:

Check for active runs: ``bash # View runs via API curl -H "Authorization: Bearer $TFE_TOKEN" \ "https://app.terraform.io/api/v2/workspaces/$WORKSPACE_ID/runs"

Options to resolve: ```bash # Cancel pending run if safe curl -X POST -H "Authorization: Bearer $TFE_TOKEN" \ "https://app.terraform.io/api/v2/runs/$RUN_ID/actions/cancel"

# Force cancel if run stuck curl -X POST -H "Authorization: Bearer $TFE_TOKEN" \ "https://app.terraform.io/api/v2/runs/$RUN_ID/actions/force-cancel" ```

1. 1.Or use the Terraform Cloud UI:
2. 2.Navigate to workspace
3. 3.Go to Runs
4. 4.Find stuck run
5. 5.Click "Cancel Run" or "Force Cancel"

Issue 5: Configuration Upload Issues

Problems uploading Terraform configuration.

Error Example: `` Error: Failed to upload configuration: invalid TAR file Error: Configuration version failed: validation error

Solution:

Proper configuration upload format: ```bash # Create valid TAR archive tar -cvzf config.tar.gz \ --exclude='.terraform' \ --exclude='.git' \ --exclude='*.tfstate' \ --exclude='.terraform.lock.hcl' \ *.tf

# Upload via API curl -X PUT \ -H "Authorization: Bearer $TFE_TOKEN" \ -H "Content-Type: application/octet-stream" \ --data-binary @config.tar.gz \ "https://app.terraform.io/api/v2/configuration-versions/$CV_ID/upload-url" ```

For VCS-connected workspaces, ensure repository structure: ``bash # Valid repository structure terraform/ main.tf variables.tf outputs.tf modules/ vpc/ main.tf

Issue 6: Remote State Access Problems

Cannot access state from other workspaces.

Error Example: `` Error: Error accessing remote state: workspace not found Error: Unauthorized to access workspace state

Solution:

Configure state sharing: ```hcl # Allow workspace to read state from another workspace resource "tfe_workspace" "app" { name = "app" }

resource "tfe_workspace" "network" { name = "network" }

# Grant state read access resource "tfe_state_share" "network_to_app" { workspace_id = tfe_workspace.app.id workspace_sharing = tfe_workspace.network.id } ```

Reference shared state: ```hcl data "terraform_remote_state" "network" { backend = "remote"

config = { organization = "my-organization" workspaces = { name = "network" } } }

resource "aws_instance" "web" { subnet_id = data.terraform_remote_state.network.outputs.subnet_ids[0] } ```

Issue 7: Sentinel Policy Failures

Policy checks blocking runs.

Error Example: `` Error: Sentinel policy check failed Policy "require-tags": failed

Solution:

Review policy failures: ``bash # Get policy check results curl -H "Authorization: Bearer $TFE_TOKEN" \ "https://app.terraform.io/api/v2/policy-checks/$POLICY_CHECK_ID"

Update Terraform code to comply: ```hcl # Example: Required tags policy resource "aws_instance" "web" { ami = var.ami instance_type = "t3.micro"

tags = { Name = "web-server" Environment = "production" Owner = "team-name" CostCenter = "cc-123" # Required by policy } } ```

Override for specific workspaces (if allowed): ```hcl # Policy set with override resource "tfe_policy_set" "main" { name = "main-policies" organization = "my-organization"

# Override for development workspace workspace_ids = [ tfe_workspace.production.id, tfe_workspace.staging.id ] } ```

Issue 8: Agent Pool Configuration

Problems with agent execution mode.

Error Example: `` Error: No available agents in pool Error: Agent pool not found

Solution:

Configure agent pool: ```hcl resource "tfe_agent_pool" "production" { name = "production-agents" organization = "my-organization" }

resource "tfe_agent_token" "agent_token" { agent_pool_id = tfe_agent_pool.production.id description = "Token for production agents" }

resource "tfe_workspace" "production" { name = "production" execution_mode = "agent" agent_pool_id = tfe_agent_pool.production.id } ```

Deploy agents: ```bash # Download agent curl -Lo terraform-cloud-agent.tar.gz \ "https://releases.hashicorp.com/tfe-agent/1.2.0/tfe-agent_1.2.0_linux_amd64.tar.gz"

# Configure agent export TFE_AGENT_TOKEN="your-agent-token" export TFE_AGENT_POOL="production-agents" export TFE_ADDRESS="https://app.terraform.io"

# Run agent ./tfe-agent ```

Verification Steps

Verify workspace configuration: ```bash # List workspaces terraform-cloud workspace list

# Get workspace details curl -H "Authorization: Bearer $TFE_TOKEN" \ "https://app.terraform.io/api/v2/organizations/$ORG/workspaces/$NAME"

# Test run creation curl -X POST -H "Authorization: Bearer $TFE_TOKEN" \ "https://app.terraform.io/api/v2/runs" \ -d '{"data":{"type":"runs","relationships":{"workspace":{"data":{"type":"workspaces","id":"ws-abc"}}}}}' ```

Prevention Best Practices

1. 1.Use team API tokens with appropriate permissions
2. 2.Configure dynamic provider credentials via OIDC
3. 3.Set up workspace state sharing before referencing remote state
4. 4.Test policies in staging before production
5. 5.Monitor agent pool health for agent execution mode
6. 6.Use VCS integration for configuration version control
7. 7.Document workspace dependencies in organization wiki