How to set up terraform behind proxy?

nobac3 · January 28, 2021, 2:51pm

Hello everybody,

Does anyone know the answer to this question? I will be very grateful if you can help How to set up terraform behind proxy? - Stack Overflow

Regards,

Antoine.

apparentlymart · January 28, 2021, 6:40pm

Hi @nobac3,

I’m just going to copy the error message over here so that folks who find this topic rather than the Stack Overflow question can easily see what we’re talking about:

Initializing provider plugins...
- Finding latest version of hashicorp/aws...

Error: Failed to query available provider packages

Could not retrieve the list of available versions for provider hashicorp/aws:
could not connect to registry.terraform.io: Failed to request discovery
document: Get "https://registry.terraform.io/.well-known/terraform.json":
proxyconnect tcp: tls: first record does not look like a TLS handshake

This error suggests to me that Terraform did attempt to make use of the proxies you configured, but that the proxy you chose isn’t a TLS (HTTPS) proxy, and so the connection failed.

If your proxy has both a cleartext HTTP and an HTTPS interface then I think you’d need to set HTTPS_PROXY to the HTTPS interface, which will then allow Terraform to make a secure connection to the proxy before using the proxy to make a connection to the registry.

papanito · October 18, 2023, 5:23am

Is environment variables the only way? We have some complex no_proxy rules and I would like to use a proxy auto-config script (PAC) provided by our IT department

apparentlymart · October 18, 2023, 2:34pm

Hi @papanito,

The Proxy Auto-config concept is essentially just a small JavaScript program with a specific API for returning a proxy address given a URL.

That design makes sense for the context it was originally designed for – web browsers, which tend to already have a JavaScript runtime for other more important reasons – but we can’t really justify including an entire JavaScript runtime in Terraform just to run a proxy auto-config script.

Unfortunately there’s a significant impedance mismatch between some arbitrary code that can decide however it wants which proxy to use vs. static environment variables that can only be declarative, and so I can’t think of a good way to use your PAC file to automatically populate the environment variables either: it isn’t possible in general to take an arbitrary function and turn it into a finite set of which hostnames should and should not use a proxy, and even that would only work if there were only a single proxy possible.

With all that said then, unfortunately I think there isn’t a viable path to using a PAC file for non-browser software like Terraform that cannot execute a JavaScript program.

papanito · October 18, 2023, 2:47pm

yeah I figured so much, but did not hurt to clarify. Many thanks.