Is there some field in Terraform to add a Custom Certificate for SSL inspection?

In our environment, we use a proxy tool for SSL packet inspection. On their website, there are already some options to add a certificate to some applications, for example: Node, Ruby, Git, NPM, etc. But I couldn’t figure out on the forum if Terraform supports this Custom Certificate field.
Article of other tools/frameworks, to exemplify:

Here’s what I got whenever the application is on:

terraform init

Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v4.63.0...
╷
│ Error: Failed to install provider
│
│ Error while installing hashicorp/aws v4.63.0: unsuccessful request to https://releases.hashicorp.com/terraform-provider-aws/4.63.0/terraform-provider-aws_4.63.0_windows_386.zip: 403 Forbidden

When I turn off the proxy, terraform init runs cleanly with no issues.

PS: I am not talking about Terraform somehow managing certificates or something like this; I am referring to Terraform as an application not being able to run.

Hi @gabriel-a-caldas,

In Terraform there are lots of different components that could possibly be making network requests:

  • Terraform CLI itself makes requests to install providers and to read and write state from remote state storage.
  • If you’re installing modules from external packages, Terraform CLI will either directly request those packages itself (e.g. for http and https sources) or it will launch an external program like git to fetch the package, which will then itself make network requests.
  • Any providers you are using will make their own network requests when needed. Providers are separate programs that Terraform Core calls into, so their interaction with the network is independent of Terraform CLI/Core.

The error you’ve shared is specifically about provider installation, and is interesting in a few ways:

  • The fact that Terraform CLI reached that particular request suggests that it was already able to successfully perform some other requests. Specifically, it was able to retrieve some metadata from registry.terraform.io which then told Terraform CLI it could find this package on releases.hashicorp.com. That suggests that Terraform has sufficient access to the network to make some requests.
  • This response is an HTTP status code rather than a TLS certificate negotiation error, which suggests that Terraform CLI was able to successfully negotiate a secure connection with releases.hashicorp.com, but then the server for some reason returned “403 Forbidden” instead of the requested package.

I don’t know what exactly is going on here, but it seems like we can rule out it being directly related to TLS certificates, because Terraform would’ve failed much earlier in this process if an incorrect TLS certificate were the problem.

I don’t know what else to ask, unfortunately. Do you know if “403 Forbidden” is something your middlebox would be expected to return if it decided that the server’s response is suspicious in some way? I don’t know exactly what Zscaler does but I’ve seen some middleboxes before which perform scans on the response and will refuse to return it if it “looks suspicious”, using whatever definition of “suspicious” is encoded into that software.
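
An added triage helper (example code, not from this thread or from Terraform itself) that applies the distinction made above: it scans a `terraform init` transcript for a Go TLS trust error versus an HTTP status answer and reports which layer failed and at which host. The transcripts below are constructed samples modelled on the 403 output in the question.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Error fragments Go's TLS stack emits when the presented certificate is not trusted
# (the symptom of an inspection CA missing from the client's trust store).
TLS_MARKERS = (
    "x509: certificate signed by unknown authority",
    "x509: certificate is not trusted",
    "tls: handshake failure",
)
# Terraform's provider-installer wording for a completed HTTP exchange with a bad status.
HTTP_RE = re.compile(
    r"unsuccessful request to (?P<url>https?://(?P<host>[^/\s]+)\S*): (?P<code>\d{3})"
)

@dataclass
class Triage:
    layer: str            # "tls_trust", "http_status" or "unknown"
    host: Optional[str]
    status: Optional[int]
    note: str

def triage(output: str) -> Triage:
    """Decide whether a failed `terraform init` died in the TLS handshake or after it."""
    for marker in TLS_MARKERS:
        if marker in output:
            return Triage("tls_trust", None, None,
                          "TLS trust failed before any HTTP exchange: check the CA bundle "
                          "the client uses, not proxy content rules.")
    m = HTTP_RE.search(output)
    if m:
        host, code = m.group("host"), int(m.group("code"))
        note = (f"TLS to {host} succeeded; the {code} was returned at the HTTP layer, "
                "so look at the proxy/server policy for that URL, not at certificates.")
        if host == "releases.hashicorp.com":
            note += " The registry.terraform.io metadata step had already succeeded."
        return Triage("http_status", host, code, note)
    return Triage("unknown", None, None, "No recognised TLS or HTTP failure pattern.")

# Constructed sample transcripts (not real captures).
SAMPLE_403 = (
    "- Installing hashicorp/aws v4.63.0...\n"
    "Error while installing hashicorp/aws v4.63.0: unsuccessful request to "
    "https://releases.hashicorp.com/terraform-provider-aws/4.63.0/"
    "terraform-provider-aws_4.63.0_windows_386.zip: 403 Forbidden\n"
)
SAMPLE_TLS = (
    "Error: Failed to query available provider packages\n"
    'Get "https://registry.terraform.io/v1/providers/hashicorp/aws/versions": '
    "x509: certificate signed by unknown authority\n"
)
```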

To me it seems like a simple deny rule targeting zip files containing executables.