How to retrieve the system proxy via Terraform

Hi,

Our HTTP/HTTPS proxy requires client authentication using Windows domain user authentication, which is smart-card based 2FA. Since it’s not a plain username and password, it’s not clear how to specify it with Terraform. The proxy itself is reachable when configured via the environment variable HTTPS_PROXY, but it returns “Proxy Authentication Required” when attempting to init, and HTTPS_USER/HTTPS_PASSWORD don’t help. So the question is rather how to authenticate in such conditions.

Thanks in advance for your response

Hi @kalakshmanakumar87,

As far as I know, Terraform only supports username/password-based authentication to proxies, and so I don’t think it will be possible to configure it to directly use this Windows-specific authentication scheme.

If you cannot avoid using this proxy then I think a workaround would be to set up another proxy server on your own computer which knows how to perform the special authentication scheme your proxy needs when it’s acting as a client, and does not require authentication when it’s acting as a server. Then you would configure Terraform to use that local secondary proxy instead, and that proxy server would be responsible for dealing with the special authentication scheme.

I don’t have any specific suggestions on that idea though, since I have not worked in an environment that requires a proxy that only supports a non-standard auth scheme. I expect this problem would arise with some other software too, and so maybe someone else in your organization who has experience dealing with this in another context can share their workaround with you.

[Google DeepMind Assisted]

To work around this limitation, you can consider the following solutions:

  1. Proxy Bypass: Configure network rules to allow Terraform traffic to bypass the proxy for specific, controlled endpoints it needs to access.
  2. Proxy Chaining: Use an intermediate proxy that Terraform can authenticate with using basic credentials. This proxy then forwards requests to the main, more securely authenticated proxy.
  3. Custom Tooling: Develop a custom script or tool that handles the complex proxy authentication and sets up a simpler, local proxy that Terraform can use directly.
  4. External Modules/Tools: Explore external tools that might facilitate the authentication process, though compatibility with smart-card based 2FA needs to be verified.
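Both replies above suggest a local proxy that accepts unauthenticated requests and forwards them under the user's domain identity, so that proxy should listen on loopback only. The following is an added example (not from the thread or from Terraform) that checks Windows `netstat -an` output for this; the port 3128 and the sample output are constructed assumptions.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output. Port 3128 is an assumed
# port for the local helper proxy, not a value from the thread.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3128         0.0.0.0:0              LISTENING
  TCP    [::]:3128              [::]:0                 LISTENING
  TCP    10.20.30.40:50512      10.20.30.1:8080        ESTABLISHED
"""


def split_endpoint(endpoint):
    """Split '127.0.0.1:3128' or '[::1]:3128' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any IPv6 zone id
    return ipaddress.ip_address(host), int(port)


def exposed_listeners(netstat_text, proxy_port):
    """Return the non-loopback addresses on which proxy_port is listening."""
    exposed = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        try:
            addr, port = split_endpoint(fields[1])
        except ValueError:
            continue  # not an address:port pair this parser understands
        # 0.0.0.0 and [::] mean "all interfaces", so they count as exposed.
        if port == proxy_port and not addr.is_loopback:
            exposed.append(str(addr))
    return exposed


if __name__ == "__main__":
    bad = exposed_listeners(SAMPLE_NETSTAT, 3128)
    if bad:
        print("local proxy reachable from other hosts via:", ", ".join(bad))
    else:
        print("local proxy is bound to loopback only")
```

On a real machine, feed the function the text captured from `netstat -an` and the port your local proxy actually uses.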