hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Support proxy client authentication #22500

Open bugok opened 4 years ago

bugok commented 4 years ago

Current Terraform Version

v0.11.14

Use-cases

This is required when running terraform behind a proxy which requires client authentication.

Attempted Solutions

From what I saw, there isn't a way to achieve this using environment variables alone. Terraform is currently using the aws go sdk, which uses net/http to configure the proxy from environment variables. Going deeper into the httpproxy file, I couldn't find anything about authentication there.

Proposal

I'm not a terraform nor a golang expert - so I'm not sure how valuable my proposals are, but here it goes:

If I'm looking at the corresponding curl options, I'm looking for a way to configure terraform to be able to use the --proxy-cert and --proxy-key options.

teamterraform commented 4 years ago

Hi @bugok!

Terraform uses the de-facto standard .netrc file as a source for HTTP credentials, though since each Terraform provider uses a vendor-specific SDK that might configure its own HTTP client there's unfortunately no guarantee that all of them will honor this.

Terraform prefers to use existing general mechanisms for credentials where available, rather than invent its own, so that you can configure the credentials just once and use them with lots of different software, rather than having to configure each application separately.

We're not sure if .netrc is consulted for HTTP proxy credentials in particular, but it might work to add a machine entry for your proxy server's hostname in order to configure the credentials. Could you give that a try?

Unfortunately if it is not currently supported then it will need to be added to each provider separately, because the providers are separate programs that create and configure their own HTTP clients. If .netrc isn't already working in the AWS provider then we'll need to instead request this in the AWS provider repository. The implementation could potentially use the same library Terraform Core uses for .netrc handling: github.com/bgentry/go-netrc.
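For readers following the two mechanisms discussed above (net/http picking the proxy up from environment variables, and a `.netrc` `machine` entry supplying the proxy's credentials), here is an added, self-contained Go example of what a provider's HTTP client would have to do. It is not Terraform's, the AWS provider's, or go-netrc's code: `parseNetrc` is a deliberately minimal stand-in for `github.com/bgentry/go-netrc`, the `PROXY_CLIENT_CERT` / `PROXY_CLIENT_KEY` variable names and the proxy hostnames are assumptions made up for the example, and the client-certificate part is the net/http counterpart of curl's `--proxy-cert` / `--proxy-key`: for an `https://` proxy, net/http uses `Transport.TLSClientConfig` for the TLS handshake with the proxy itself, so a certificate listed there is presented to the proxy.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// netrcEntry holds the credentials of one "machine" (or "default") entry.
type netrcEntry struct {
	Login    string
	Password string
}

// parseNetrc is a minimal stand-in for github.com/bgentry/go-netrc. It only
// understands "machine <host> login <user> password <secret>" and "default"
// entries, which is all a proxy lookup needs. Assumption: no macros, no quoting.
func parseNetrc(content string) map[string]netrcEntry {
	entries := map[string]netrcEntry{}
	fields := strings.Fields(content)
	current := ""
	for i := 0; i < len(fields); i++ {
		switch fields[i] {
		case "machine":
			if i+1 < len(fields) {
				i++
				current = fields[i]
				entries[current] = netrcEntry{}
			}
		case "default":
			current = "default"
			entries[current] = netrcEntry{}
		case "login", "password":
			if current == "" || i+1 >= len(fields) {
				continue
			}
			key := fields[i]
			i++
			e := entries[current]
			if key == "login" {
				e.Login = fields[i]
			} else {
				e.Password = fields[i]
			}
			entries[current] = e
		}
	}
	return entries
}

// proxyWithCredentials returns a copy of proxyURL carrying the .netrc login
// and password for the proxy's hostname (falling back to "default"). net/http
// turns the URL's userinfo into a Proxy-Authorization header on the CONNECT
// request, so no provider-specific header handling is needed.
func proxyWithCredentials(proxyURL *url.URL, entries map[string]netrcEntry) *url.URL {
	if proxyURL == nil || proxyURL.User != nil {
		return proxyURL // no proxy, or credentials already given in the URL
	}
	e, ok := entries[proxyURL.Hostname()]
	if !ok {
		e, ok = entries["default"]
	}
	if !ok {
		return proxyURL
	}
	withCreds := *proxyURL
	withCreds.User = url.UserPassword(e.Login, e.Password)
	return &withCreds
}

// newProxyTransport wraps a proxy-selection function (normally
// http.ProxyFromEnvironment, which honours HTTP_PROXY/HTTPS_PROXY/NO_PROXY),
// adds .netrc credentials for whichever proxy it picks, and presents
// clientCerts during TLS handshakes. With an https:// proxy that handshake
// is the one with the proxy, i.e. proxy client authentication; a plain
// http:// proxy does no TLS, so certificates cannot help there.
func newProxyTransport(baseProxy func(*http.Request) (*url.URL, error),
	entries map[string]netrcEntry, clientCerts []tls.Certificate) *http.Transport {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.Proxy = func(req *http.Request) (*url.URL, error) {
		proxyURL, err := baseProxy(req)
		if err != nil || proxyURL == nil {
			return proxyURL, err
		}
		return proxyWithCredentials(proxyURL, entries), nil
	}
	tr.TLSClientConfig = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: clientCerts,
	}
	return tr
}

func main() {
	// Assumed environment variables for the example; not a Terraform convention.
	cert, err := tls.LoadX509KeyPair(os.Getenv("PROXY_CLIENT_CERT"), os.Getenv("PROXY_CLIENT_KEY"))
	if err != nil {
		fmt.Println("no proxy client certificate loaded:", err)
	}
	home, _ := os.UserHomeDir()
	data, _ := os.ReadFile(filepath.Join(home, ".netrc")) // missing file -> no entries
	client := &http.Client{Transport: newProxyTransport(http.ProxyFromEnvironment,
		parseNetrc(string(data)), []tls.Certificate{cert})}
	resp, err := client.Get("https://example.com/")
	if err != nil {
		fmt.Println("request failed:", err)
		return
	}
	defer resp.Body.Close()
	fmt.Println("status via proxy:", resp.Status)
}
```

Two caveats worth knowing before relying on this: the same `TLSClientConfig` is reused for the tunnelled TLS session to the origin server, so the certificate is offered to the origin as well if it asks for one; and a `.netrc` file holds the proxy password in plain text, so it should be readable only by the user running Terraform.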

bugok commented 4 years ago

@teamterraform, thanks for the detailed response. This is a great approach (as it's even programming language agnostic). I'll look into this.

Not sure how to continue with this issue - should I just close this?