Http provider not returning "location" in response

Beany · September 20, 2023, 3:49pm

I’m trying to use the http provider to make an authorization call to an API endpoint, which returns a 302 redirect, but if you change the method = “HEAD”, it should return a location response, which can be parsed to get the authorization token for further automation.
I found

github.com/hashicorp/terraform-provider-http

Do not follow HTTP redirects

opened 01:28PM - 08 Aug 22 UTC

relvacode

enhancement

### Terraform CLI and Provider Versions ``` terraform version Terraform v1.2.…6 on darwin_amd64 ``` ### Use Cases or Problem Statement The current version of this provider does not expose an option to **not** implictly follow HTTP redirects. It also does not document the behaviour of HTTP redirection, as highlighted in #60. In my use-case, I would like to use this module to call an HTTP server with some specific headers, such as Authorization. This server will then respond with a S3 URL which I would like to pass to another module that I do not want to propagate the origin server-specific request headers to. ### Proposal I propose that the provider adds the option `no_follow_redirects` to explicitly disable HTTP redirection and instead return the response of the first HTTP request made. `no_follow_redirects` instead of `follow_redirects` to make it obvious the default behaviour is to follow redirects, and setting the option to `true` disables this behaviour. I also propose that it adds an output named `location` that describes the absolute URL of the request that made the final response returned by the provider. In the case that the server responds with a Location header, the `location` attribute is the absolute URL of the Location header value relative to the request that made the final HTTP request. ### Example 1 `url` is `http://example.org` which returns HTTP 200 OK `status_code` is `200` `location` is `http://example.org` ### Example 2 `url` is `http://example.org` which returns HTTP 302 Found and Location of `/redirected` `no_follow_redirects` is `false` <-- provider makes another request --> `status_code` is `200` `location` is `http://example.org/redirected` ### Example 3 `url` is `http://example.org` which returns HTTP 302 Found and Location of `/redirected` `no_follow_redirects` is `true` `status_code` is `302` `location` is `http://example.org/redirected` ### How much impact is this issue causing? Medium ### Additional Information I have written an implementation of this proposal at https://github.com/relvacode/terraform-provider-http/tree/feature/explicit-follow-redirects ### Code of Conduct - [X] I agree to follow this project's Code of Conduct

which goes a step further to prevent the 302 redirect in a very similar use case as what I’m trying to do, but I just need the location returned. I have a PoC that works, I’m just wondering what the next steps would be to get it looked at as possibly a PR?

is where I have my updates… full disclosure, I’m learning Go as I go through this, so feel free to provide suggestions please.

bendbennett · September 21, 2023, 7:38am

Hi @Beany

As you mentioned, the http provider currently follows redirects.

RFC7321 describes that a 302 should return a Location header and further describes what should happen in the case of other 3xx status codes.

The behaviour of the http client used within the provider would need to be modified on the basis of optional, practitioner-supplied configuration (e.g., no_follow_redirects, redirects_disabled), which could then be used to to determine whether to configure CheckRedirect on the http client, as has been suggested in the proposal linked from the Do not follow HTTP redirects issue that you mentioned.

Perhaps it’s worth commenting on the Do not follow HTTP redirects issue as the author of that issue recently asked about raising a PR, and discussion of that issue might provide one way to converge on a solution.

Beany · September 21, 2023, 2:20pm

Hi @bendbennett
I’m kalsto on Github, but was trying to follow the contributing guidelines which suggested starting a conversation here… so … here I am.

I used relvacode’s code to help me figure out what was needed for the location output I was looking for. I did this mostly because their enhancement was submitted almost a year ago and I hadn’t seen a PR for it yet, so I thought I’d take it to a slightly smaller piece of the puzzle that I felt I could figure out.

If you’d like, I can take a crack at updating relvacode’s Go, as it is slightly different from the current implementation of the http provider… I’m just really new at Go, so wasn’t sure if I could get it fully updated successfully.