hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Terraform login to remote backend ignores custom port when opening browser to approve CLI login #32155

Closed vrvaderom closed 2 years ago

vrvaderom commented 2 years ago

Terraform Version

Terraform v1.3.4
on linux_amd64

Terraform Configuration Files

```hcl
terraform {
  backend "remote" {
    hostname     = "artifactory.dev.local:8443"
    organization = "lab-backend"
    workspaces {
      prefix = "test-"
    }
  }
}

resource "null_resource" "test" {}
```

Debug Output

```
>terraform login artifactory.dev.local:8443
2022-11-03T14:49:45.389+0200 [INFO]  Terraform version: 1.2.6
2022-11-03T14:49:45.439+0200 [DEBUG] using github.com/hashicorp/go-tfe v1.0.0
2022-11-03T14:49:45.440+0200 [DEBUG] using github.com/hashicorp/hcl/v2 v2.12.0
2022-11-03T14:49:45.440+0200 [DEBUG] using github.com/hashicorp/terraform-config-inspect v0.0.0-20210209133302-4fd17a0faac2
2022-11-03T14:49:45.440+0200 [DEBUG] using github.com/hashicorp/terraform-svchost v0.0.0-20200729002733-f050f53b9734
2022-11-03T14:49:45.440+0200 [DEBUG] using github.com/zclconf/go-cty v1.10.0
2022-11-03T14:49:45.440+0200 [INFO]  Go runtime version: go1.18.1
2022-11-03T14:49:45.440+0200 [INFO]  CLI args: []string{"C:\\Program Files\\tftools\\terraform.exe", "login", "artifactory.dev.local:8443"}
2022-11-03T14:49:45.441+0200 [TRACE] Stdout is a terminal of width 225
2022-11-03T14:49:45.441+0200 [TRACE] Stderr is a terminal of width 225
2022-11-03T14:49:45.441+0200 [TRACE] Stdin is a terminal
2022-11-03T14:49:45.442+0200 [DEBUG] Attempting to open CLI config file: C:\Users\d382624\AppData\Roaming\terraform.rc
2022-11-03T14:49:45.444+0200 [INFO]  Loading CLI configuration from C:\Users\d382624\AppData\Roaming\terraform.rc
2022-11-03T14:49:45.445+0200 [INFO]  Loading CLI configuration from C:\Users\d382624\AppData\Roaming\terraform.d\credentials.tfrc.json
2022-11-03T14:49:45.446+0200 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2022-11-03T14:49:45.446+0200 [DEBUG] ignoring non-existing provider search directory C:\Users\d382624\AppData\Roaming\terraform.d\plugins
2022-11-03T14:49:45.448+0200 [DEBUG] ignoring non-existing provider search directory C:\Users\d382624\AppData\Roaming\HashiCorp\Terraform\plugins
2022-11-03T14:49:45.448+0200 [INFO]  Checkpoint disabled. Not running.
2022-11-03T14:49:45.448+0200 [INFO]  CLI command args: []string{"login", "artifactory.dev.local:8443"}
2022-11-03T14:49:45.449+0200 [DEBUG] Service discovery for artifactory.dev.local:8443 at https://artifactory.dev.local:8443/.well-known/terraform.json
Terraform will request an API token for artifactory.dev.local:8443 using OAuth.

This will work only if you are able to use a web browser on this computer to
complete a login process. If not, you must obtain an API token by another
means and configure it in the CLI configuration manually.

If login is successful, Terraform will store the token in plain text in
the following file for use by subsequent commands:
    C:\Users\d382624\AppData\Roaming\terraform.d\credentials.tfrc.json

2022-11-03T14:49:45.698+0200 [DEBUG] command: asking for input: "Do you want to proceed?"
Do you want to proceed?
  Only 'yes' will be accepted to confirm.

  Enter a value: yes

2022-11-03T14:49:47.705+0200 [TRACE] login: trying 127.0.0.1:12662 as a listen address for temporary OAuth callback server
2022-11-03T14:49:47.706+0200 [TRACE] login: callback URL will be http://localhost:12662/login
Terraform must now open a web browser to the login page for artifactory.dev.local:8443.

If a browser does not open this automatically, open the following URL to proceed:
    https://artifactory.dev.local/ui/terraform/oauth2/authorize?client_id=terraform-cli&code_challenge=VsCsm9bbELKkoiij3q267djPPy7RDXaWa8jlbRpQMI0&code_challenge_method=S256&redirect_uri=http%3A%2F%2Flocalhost%3A12662%2Flogin&response_type=code&state=02de0aec-e281-166a-502b-0b94790c4c68

Terraform will now wait for the host to signal that login was successful.
```

Expected Behavior

Browser should open with the backend OAuth login URL for the host https://artifactory.dev.local:8443

Actual Behavior

Browser opens and browses to https://artifactory.dev.local instead (default HTTPS port)

Steps to Reproduce

  1. terraform init
  2. terraform login artifactory.dev.local:8443

Additional Context

This was tested with a remote backend hosted on Artifactory, but I expect the mechanism to be the same for all remote backends.

References

No response

apparentlymart commented 2 years ago

Hi @vrvaderom! Thanks for reporting this.

Could you share what content you see in the discovery document for this host, at https://artifactory.dev.local:8443/.well-known/terraform.json ? The login.v1 section of that document is what Terraform is reacting to when building this URL. I'd like to see which URLs your server is advertising to try to understand why the port number is being lost.

Thanks!

vrvaderom commented 2 years ago

Hi

Here is the content of https://artifactory.dev.local:8443/.well-known/terraform.json

```json
{
  "modules.v1" : "https://artifactory.dev.local:8443/artifactory/api/terraform/v1/modules/",
  "state.v2" : "https://artifactory.dev.local:8443/artifactory/api/terraform/remote/v2",
  "tfe.v2" : "https://artifactory.dev.local:8443/artifactory/api/terraform/remote/v2",
  "tfe.v2.1" : "https://artifactory.dev.local:8443/artifactory/api/terraform/remote/v2",
  "tfe.v2.2" : "https://artifactory.dev.local:8443/artifactory/api/terraform/remote/v2",
  "login.v1" : {
    "client" : "terraform-cli",
    "authz" : "https://artifactory.dev.local/ui/terraform/oauth2/authorize",
    "token" : "https://artifactory.dev.local:8443/artifactory/api/oauth2/token",
    "grant_types" : [ "authz_code" ]
  }
}
```

Indeed for some reason the authz is ignoring the custom port.

A bug in the Artifactory implementation of the terraform remote backend?

apparentlymart commented 2 years ago

Hi @vrvaderom ! Thanks for sharing that.

Indeed, it seems like there is a small bug in the software that is generating this document, where for that particular URL it is not including your nonstandard port number.

I expect that correcting that URL will allow terraform login to complete the OAuth flow.

vrvaderom commented 2 years ago

Manually correcting the URL does indeed allow completing the auth flow. I will open an issue with JFrog Artifactory support about this.

You can close this. Thank you!
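
The diagnosis in this thread, a `login.v1` `authz` URL advertised on a different port than the host being logged in to, can be checked mechanically before anyone is sent to a browser login page. The following is an added example, not part of the original issue or of Terraform's code; `originMismatches` is a hypothetical helper, the sample document is constructed from the one quoted above, and host[:port] strings are compared exactly (an explicit `:443` counts as different from no port).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
)

// Constructed sample: the discovery document quoted in this thread, trimmed.
const sampleDoc = `{
  "tfe.v2": "https://artifactory.dev.local:8443/artifactory/api/terraform/remote/v2",
  "login.v1": {
    "client": "terraform-cli",
    "authz": "https://artifactory.dev.local/ui/terraform/oauth2/authorize",
    "token": "https://artifactory.dev.local:8443/artifactory/api/oauth2/token"
  }
}`

// originMismatches (hypothetical helper) returns the dotted keys of absolute URLs in
// doc whose host[:port] is not exactly discoveryHost, the name given to terraform login.
// Relative URLs and non-URL strings such as the client ID are skipped.
func originMismatches(discoveryHost string, doc []byte) ([]string, error) {
	var top map[string]interface{}
	if err := json.Unmarshal(doc, &top); err != nil {
		return nil, err
	}
	var bad []string
	var walk func(key string, v interface{})
	walk = func(key string, v interface{}) {
		switch t := v.(type) {
		case map[string]interface{}:
			for k, child := range t {
				walk(key+"."+k, child)
			}
		case string:
			if u, err := url.Parse(t); err == nil && u.IsAbs() && u.Host != discoveryHost {
				bad = append(bad, key[1:]) // drop the leading "."
			}
		}
	}
	walk("", top)
	sort.Strings(bad)
	return bad, nil
}

func main() {
	// Prints [login.v1.authz] <nil>: the browser-facing URL lost the :8443 port.
	fmt.Println(originMismatches("artifactory.dev.local:8443", []byte(sampleDoc)))
}
```

A flagged key is a prompt to review the server's configuration rather than proof of a fault, since a discovery document may legitimately point a service at another host.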
