hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Behind firewall and no external DNS resolution #19297

Closed rajeshnaik2 closed 5 years ago

rajeshnaik2 commented 5 years ago

Hi

My office network is behind a proxy firewall. From the Windows command prompt, DNS does not happen.

When I run terraform plan I get the following error. But the same Terraform .tf script runs well on my personal laptop without a proxy.

provider.azurerm: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/xxxxxxxxxxx/providers?api-version=2017-05-10: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Post https://login.microsoftonline.com/xxxxxxxxxx/oauth2/token?api-version=1.0: x509: certificate signed by unknown authority'

From the Windows command prompt, I also tried setting the HTTP_PROXY command. The HTTP request does not reach the proxy server anyway. But it seems the DNS does not resolve due to company policy.

Is there a list of URLs / site names which I can whitelist and also ask the DNS team to add as forwarders, so that DNS gets resolved? Or is there any alternate solution?

I know the following ones: releases.hashicorp.com:443 checkpoint-api.hashicorp.com:443 checkpoint-api.hashicorp.com:443

Regards, Raj

apparentlymart commented 5 years ago

Hi @rajeshnaik2,

Unfortunately there is no fixed set of hostnames we can tell you here because each provider implements its own behaviors for connecting, authenticating, and making changes, and they are subject to change at any time in new versions as most of these decisions are made by the cloud provider SDKs rather than by Terraform directly.

Given the very heavy constraints of your local environment, it may work out better for you to run Terraform in a remote system in a more reasonable environment rather than on your laptop. For example, since you seem to be using Microsoft Azure you could potentially use Azure Cloud Shell to run Terraform. Cloud Shell has a particular version of Terraform pre-installed but you can also download any other version you like and run it there. For more control, you could simply create a compute instance in Azure (or any other cloud provider) with a Linux operating system of your choice and install Terraform in it.

rajeshnaik2 commented 5 years ago

Thanks for your reply.

I managed to run Terraform from my work laptop. It started working. I downloaded the new version. I used the command set http_proxy=http://USERNAME:PASSWORD@PROXYIP:PROXYPORT.

The Terraform script is now running on the laptop behind proxy and firewall.

apparentlymart commented 5 years ago

I'm glad that worked, @rajeshnaik2!

I will caution that the HTTP requests to remote APIs within providers are not under the direct control of Terraform Core, so Terraform can't guarantee that all providers will respect that environment variable, though Terraform Core itself always does and I expect most providers do where it is technically possible for them to do so.
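An added example, not part of the thread and not Terraform code: the `set http_proxy=http://USERNAME:PASSWORD@PROXYIP:PROXYPORT` form used above keeps the proxy password in the process environment, so this Python check lists proxy variables that embed credentials and returns a redacted form that can be pasted into logs or bug reports. The function names, the `all_proxy` entry and the `proxy.example.internal` values are assumptions made for the illustration.

```python
# Names conventionally read by HTTP clients. Compared case-insensitively,
# since Windows environment variable names are case-insensitive.
PROXY_VARS = {"http_proxy", "https_proxy", "all_proxy"}


def redact_proxy_url(value):
    """Return (redacted_value, has_userinfo, has_password) for one setting."""
    scheme, sep, rest = value.partition("://")
    if not sep:  # bare "host:port" form, no scheme
        scheme, rest = "", value
    # Split on the LAST "@": a URL parser would end the authority at an
    # unencoded "/" or "#" in the password and leave part of the secret behind.
    userinfo, at, hostport = rest.rpartition("@")
    if not at:
        return value, False, False
    return scheme + sep + "REDACTED@" + hostport, True, ":" in userinfo


def audit_proxy_env(env):
    """List proxy variables in `env` whose value carries credentials."""
    findings = []
    for name in sorted(env):
        value = env[name]
        if name.lower() not in PROXY_VARS or not value:
            continue
        redacted, has_userinfo, has_password = redact_proxy_url(value)
        if has_userinfo:
            findings.append({
                "variable": name,
                "redacted": redacted,
                "has_password": has_password,
                # http:// or scheme-less proxy URL: client-to-proxy hop is unencrypted.
                "plaintext_hop": not value.lower().startswith("https://"),
            })
    return findings


# Constructed sample environment: the first value is the placeholder form
# quoted in the thread, the others are made up for illustration.
SAMPLE_ENV = {
    "http_proxy": "http://USERNAME:PASSWORD@PROXYIP:PROXYPORT",
    "HTTPS_PROXY": "https://svc-tf:p@ss/w0rd@proxy.example.internal:3128",
    "ALL_PROXY": "proxy.example.internal:3128",
    "PATH": "C:\\Windows\\system32",
}

if __name__ == "__main__":
    for finding in audit_proxy_env(SAMPLE_ENV):
        print(finding)
```

To audit the current shell instead of the sample, pass `dict(os.environ)` to `audit_proxy_env`.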
