hashicorp / terraform-provider-vsphere

Terraform Provider for VMware vSphere
https://registry.terraform.io/providers/hashicorp/vsphere/
Mozilla Public License 2.0
612 stars 450 forks

`r/vsphere_content_library_item` not working when run behind a proxy #1821

Open hornet83 opened 1 year ago

hornet83 commented 1 year ago

Community Guidelines

Terraform

v1.3.7

Terraform Provider

v2.2.0

VMware vSphere

v7.0.3

Description

Hi,

We want to deploy a content library with a content library item using Terraform. This works fine without a proxy, but the VM that is running the Terraform scripts is sitting behind a proxy now. Here is the info from our test environment, where we could reproduce the issue as well.

main.tf

terraform {
  required_providers {
    vsphere = {
      source = "hashicorp/vsphere"
      version = "2.2.0"
    }
  }
}

provider "vsphere" {
  user                 = var.vsphere_user
  password             = var.vsphere_password
  vsphere_server       = var.vsphere_server
  allow_unverified_ssl = true
}

data "vsphere_datacenter" "datacenter" {
  name = var.vsphere_datacenter
}

data "vsphere_datastore" "datastore" {
  name          = var.vsphere_datastore
  datacenter_id = data.vsphere_datacenter.datacenter.id
}

resource "vsphere_content_library" "library" {
  name            = var.cl_name
  storage_backing = [data.vsphere_datastore.datastore.id]
  description     = "Terraform managed content library"
}

resource "vsphere_content_library_item" "cl_template" {
  name        = var.cl_item_name
  description = var.cl_item_description
  library_id  = vsphere_content_library.library.id
  file_url    = var.cl_item_url
}

terraform.tfvars:

vsphere_user = "administrator@vsphere.local"
vsphere_password = ""
vsphere_server = ""

vsphere_datacenter = "DevOpsLab"
cl_item_name = "sts-ubuntu-image"
cl_item_description = "sts-ubuntu-test" 
cl_item_url = "https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.ova"
cl_name = "sts-ubuntu-test"

vsphere_datastore = "default-container-80975640325584"

I can see the initial connection during the init, plan and while creating the content library going to our proxy:

1674101044.663   4481 10.10.240.102 TCP_TUNNEL/200 8302329 CONNECT releases.hashicorp.com:443 - HIER_DIRECT/18.65.39.82 -
1674101044.663   8062 10.10.240.102 TCP_TUNNEL/200 9780 CONNECT releases.hashicorp.com:443 - HIER_DIRECT/18.65.39.82 -
1674101044.663  11679 10.10.240.102 TCP_TUNNEL/200 15451 CONNECT registry.terraform.io:443 - HIER_DIRECT/18.65.39.50 -
1674101044.663  19113 10.10.240.102 TCP_TUNNEL/200 7695 CONNECT registry.terraform.io:443 - HIER_DIRECT/18.65.39.50 -
1674101044.663  15501 10.10.240.102 TCP_TUNNEL/200 33237 CONNECT registry.terraform.io:443 - HIER_DIRECT/18.65.39.50 -
1674101058.749      0 10.10.240.102 TCP_DENIED/403 3897 CONNECT checkpoint-api.hashicorp.com:443 - HIER_NONE/- text/html
1674101110.505      0 10.10.240.102 TCP_DENIED/403 3897 CONNECT checkpoint-api.hashicorp.com:443 - HIER_NONE/- text/html

but as soon as terraform tries to create the content_library_item it tries to go directly through our firewall, which gets blocked and the script eventually runs into a timeout:

Deny: policy violation 10.10.240.102 16 minutes ago 185.125.190.40 (cloud-images.ubuntu.com) ubuntuguest

The proxy is configured on the VM as shown here:

root@frames1601:~/vmware-v2-provisioner/template# env | grep -i proxy
no_proxy=localhost,127.*,10.*,10.0.0.0/8,127.0.0.0/8,172.16.0.0/12,192.168.0.0/16,192.168.*,*.devops.lab,devops.lab,.devops.lab
https_proxy=http://proxy.devops.lab:3129
NO_PROXY=localhost,127.*,10.*,10.0.0.0/8,127.0.0.0/8,172.16.0.0/12,192.168.0./16,192.168.*,*.devops.lab,devops.lab,.devops.lab
HTTPS_PROXY=http://proxy.devops.lab:3129
HTTP_PROXY=http://proxy.devops.lab:3129
http_proxy=http://proxy.devops.lab:3129

Are we missing something, or is this a bug in the provider?

Thanks, Stefan

Affected Resources or Data Sources

resource/vsphere_content_library_item

Terraform Configuration

shown above

Debug Output

Enter a value: yes

https://gist.github.com/hornet83/ae54ca6e11c556040caffa5442270077

Panic Output

No response

Expected Behavior

vsphere_content_library_item is being added directly from the ubuntu cloud image url

Actual Behavior

The connection is going directly to the firewall rather than the proxy; the script runs into a timeout.

Steps to Reproduce

terraform init
terraform apply

Environment Details

No response

Screenshots

No response

References

No response

github-actions[bot] commented 1 year ago

Hello, hornet83! 🖐

Thank you for submitting an issue for this provider. The issue will now enter into the issue lifecycle.

If you want to contribute to this project, please review the contributing guidelines and information on submitting pull requests.

tenthirtyam commented 1 year ago

Hello, @hornet83! 🖐 - could you please use the GitHub markdown tools to format the configuration per the issue form for readability? Also, please post the debug to a Gist. Learn more about Code Formatting.

tenthirtyam commented 1 year ago

Based on a quick review this would call the following:

uploadSession.deployRemoteOva(file, ovfDescriptor)

which is equivalent to the following in govc:

govc library.import sts-ubuntu-image https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.ova

Both of which should be initiated by vCenter Server.

Does the vCenter Server instance have the proxy configured?

nnoethling commented 1 year ago

Just confirmed this in my test environment.

govc library.import sts-ubuntu-image https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.ova is working:

[19-01-23 19:07:41] Uploading ubuntu-focal-20.04-cloudimg.ovf... OK
[19-01-23 19:08:19] Uploading ubuntu-focal-20.04-cloudimg.vmdk... OK

while the Terraform plan from above results in an error:

vsphere_content_library.library: Creating...
vsphere_content_library.library: Creation complete after 1s [id=4379b4ef-2f03-46cf-b617-0292d2653011]
vsphere_content_library_item.cl_template: Creating...
vsphere_content_library_item.cl_template: Still creating... [10s elapsed]
vsphere_content_library_item.cl_template: Still creating... [20s elapsed]
vsphere_content_library_item.cl_template: Still creating... [30s elapsed]
vsphere_content_library_item.cl_template: Still creating... [40s elapsed]
vsphere_content_library_item.cl_template: Still creating... [50s elapsed]
vsphere_content_library_item.cl_template: Still creating... [1m0s elapsed]
vsphere_content_library_item.cl_template: Still creating... [1m10s elapsed]
vsphere_content_library_item.cl_template: Still creating... [1m20s elapsed]
vsphere_content_library_item.cl_template: Still creating... [1m30s elapsed]
vsphere_content_library_item.cl_template: Still creating... [1m40s elapsed]
vsphere_content_library_item.cl_template: Still creating... [1m50s elapsed]
vsphere_content_library_item.cl_template: Still creating... [2m0s elapsed]
vsphere_content_library_item.cl_template: Still creating... [2m10s elapsed]
vsphere_content_library_item.cl_template: Still creating... [2m20s elapsed]
vsphere_content_library_item.cl_template: Still creating... [2m30s elapsed]
vsphere_content_library_item.cl_template: Still creating... [2m40s elapsed]
vsphere_content_library_item.cl_template: Still creating... [2m50s elapsed]
vsphere_content_library_item.cl_template: Still creating... [3m0s elapsed]
vsphere_content_library_item.cl_template: Still creating... [3m10s elapsed]
vsphere_content_library_item.cl_template: Still creating... [3m20s elapsed]
vsphere_content_library_item.cl_template: Still creating... [3m30s elapsed]
vsphere_content_library_item.cl_template: Still creating... [3m40s elapsed]
vsphere_content_library_item.cl_template: Still creating... [3m50s elapsed]
vsphere_content_library_item.cl_template: Still creating... [4m0s elapsed]
vsphere_content_library_item.cl_template: Still creating... [4m10s elapsed]
vsphere_content_library_item.cl_template: Still creating... [4m20s elapsed]
╷
│ Error: Get "https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.ova": dial tcp 185.125.190.37:443: connect: connection timed out: RESOURCE (ubuntu-ova), ACTION (CreateLibraryItem)
│
│   with vsphere_content_library_item.cl_template,
│   on main.tf line 32, in resource "vsphere_content_library_item" "cl_template":
│   32: resource "vsphere_content_library_item" "cl_template" {
│
╵

Seems just the terraform provider ignores the proxy.

nnoethling commented 1 year ago

@tenthirtyam about the proxy in vcenter:

As far as I understand the library.import docs, govc will download the OVA locally and upload it to vCenter. Only if the -pull flag is added will vCenter download the OVA directly. So, from my understanding, the vCenter proxy doesn't matter?

govc library.import library_name http://example.com/file.ovf # download and push to vCenter
govc library.import -pull library_name http://example.com/file.ova # direct pull from vCenter

(snippet from https://github.com/vmware/govmomi/blob/main/govc/USAGE.md#libraryimport)

The firewall log of @hornet83 suggests the same: that Terraform pulls locally first and then uploads to vCenter.
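The distinction drawn in this thread, a download performed by the Terraform host versus a pull performed by vCenter, comes down to whether the HTTP client doing the download is wired to the host's proxy settings. The Go program below is an added example written for this issue; it is not code from the provider or from govmomi. It builds two transports, one that resolves the proxy from the environment and one declared as a bare transport literal, and asks each which proxy it would use for the Ubuntu OVA URL from the report and for an assumed internal host (`vcenter.devops.lab`, not named in the issue). The environment values it sets are constructed to mirror the variables shown above.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// ConstructedProxyEnv mirrors the proxy variables from the report (constructed
// values; the proxy host is the one shown in the issue). It must run before the
// first call to http.ProxyFromEnvironment, because Go reads these variables once
// and caches the result for the lifetime of the process.
func ConstructedProxyEnv() {
	os.Setenv("HTTPS_PROXY", "http://proxy.devops.lab:3129")
	os.Setenv("HTTP_PROXY", "http://proxy.devops.lab:3129")
	os.Setenv("NO_PROXY", "localhost,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.devops.lab")
}

// EnvAwareTransport is the form a client should take when it has to honour the
// host's proxy configuration: the Proxy hook is wired to the environment.
func EnvAwareTransport() *http.Transport {
	return &http.Transport{Proxy: http.ProxyFromEnvironment}
}

// DirectTransport reproduces the failure mode described in the thread: a
// Transport literal with no Proxy function dials every host directly, so an
// external download goes to the firewall no matter what HTTPS_PROXY says.
func DirectTransport() *http.Transport {
	return &http.Transport{}
}

// ProxyFor reports the proxy a transport would use for target, or "" when the
// connection would be dialed directly.
func ProxyFor(tr *http.Transport, target string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	if tr.Proxy == nil {
		return "", nil // no proxy hook installed: always direct
	}
	u, err := tr.Proxy(req)
	if err != nil {
		return "", err
	}
	if u == nil {
		return "", nil // matched NO_PROXY (or no proxy configured): direct
	}
	return u.String(), nil
}

func main() {
	ConstructedProxyEnv()
	targets := []string{
		"https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.ova",
		"https://vcenter.devops.lab/sdk", // assumed internal host, not from the issue
	}
	transports := []struct {
		name string
		tr   *http.Transport
	}{{"env-aware", EnvAwareTransport()}, {"direct", DirectTransport()}}
	for _, t := range transports {
		for _, target := range targets {
			p, err := ProxyFor(t.tr, target)
			if err != nil {
				fmt.Printf("%-9s %s -> error: %v\n", t.name, target, err)
				continue
			}
			if p == "" {
				p = "(direct)"
			}
			fmt.Printf("%-9s %s -> %s\n", t.name, target, p)
		}
	}
}
```

Run stand-alone, the env-aware transport sends the OVA download through `http://proxy.devops.lab:3129` and the internal host direct (it matches the `.devops.lab` suffix in `NO_PROXY`), while the bare transport goes direct for both, which is the pattern the proxy and firewall logs above show. One caveat worth checking in any `NO_PROXY` of the shape posted in the report: Go's resolver matches exact hosts, IP addresses, CIDR ranges and `.suffix` domain entries; glob-style entries such as `10.*` or `192.168.*` are not interpreted as wildcards and never match, so the CIDR forms (`10.0.0.0/8`, `192.168.0.0/16`) are the ones doing the work.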

tenthirtyam commented 1 year ago

Ah, yes, that's correct.

tenthirtyam commented 1 year ago

Does the proxy require authentication?

nnoethling commented 1 year ago

The proxy does not use any authentication.

hornet83 commented 1 year ago

Hi, I updated the ticket with formatting and put the debug output into a GitHub Gist. Let me know if you need any other information.

nnoethling commented 1 year ago

Hi @tenthirtyam, any updates on this?

tenthirtyam commented 1 year ago

> Hi @tenthirtyam, any updates on this?

Unfortunately, not at this time.

lucathecreator commented 1 year ago

Hi,

I am having the same problem right now, are there any updates?

tenthirtyam commented 1 year ago

> Hi,
>
> I am having the same problem right now, are there any updates?

https://github.com/hashicorp/terraform-provider-vsphere/issues/1821#issuecomment-1413651379

nnoethling commented 1 year ago

Any updates? this is still an issue for my customers!

tenthirtyam commented 1 year ago

> Any updates? this is still an issue for my customers!

No change in status at this time. Other efforts are underway by the maintainers to improve testing and to prioritize bug fixes and enhancements.