opensearch-project / terraform-provider-opensearch

https://registry.terraform.io/providers/opensearch-project/opensearch
Apache License 2.0

Add proxy support #95

Closed timwisbauer-contsec closed 10 months ago

timwisbauer-contsec commented 11 months ago

Description

Add a new optional parameter to the provider configuration to allow for setting a proxy. Using a proxy can be an easier method for connecting to clusters within a VPC.

Issues Resolved

Closes https://github.com/opensearch-project/terraform-provider-opensearch/issues/93

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check here.

prudhvigodithi commented 10 months ago

Thanks for your contribution @timwisbauer-contsec , can you please add some unit tests to your change?

timwisbauer-contsec commented 10 months ago

@prudhvigodithi thank you for the review. I've added some unit tests to validate the proxy URL can be configured.

prudhvigodithi commented 10 months ago

Hey @timwisbauer-contsec thanks for adding unit tests, can you please resolve the conflicts and generate the documentation for this change? Please check https://github.com/hashicorp/terraform-plugin-docs. We should merge this PR soon. :) Thank you @bbarani

timwisbauer-contsec commented 10 months ago

@prudhvigodithi I have resolved the conflicts and generated documentation. Thanks for your attention and please let me know if there's anything else I can do to help.

prudhvigodithi commented 10 months ago

Hey @timwisbauer-contsec thanks again, one quick question: if a user uses a proxy URL, do they still need the AWS credentials? Or is the idea to bypass the AWS credentials and directly connect to the proxy URL? Thank you

timwisbauer-contsec commented 10 months ago

Hey @prudhvigodithi the proxy URL is separate from any credentials. The provider still needs to authenticate to the OpenSearch instance whether they're connecting to AWS or another OpenSearch instance.

For example, in our environment using the forked version I have the provider configured like this

provider "opensearch" {
  url   = var.opensearch_provider_enabled ? "https://${data.aws_opensearch_domain.domain[0].endpoint}" : ""
  proxy = "socks5://${var.socks_proxy_host}:${var.socks_proxy_port}"
}

The provider still needs to authenticate to AWS. In my case it reads my environment variable AWS_PROFILE when planning locally or container credentials (outlined here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration) when deploying from an ECS container.

prudhvigodithi commented 10 months ago

Thanks @timwisbauer-contsec, so correct me if I'm wrong: the proxy setting is not just for socks5:// but can also work with any other frontend proxies like haproxy, nginx etc. (even though they start with https://)?

Example

provider "opensearch" {
  url   = var.opensearch_provider_enabled ? "https://${data.aws_opensearch_domain.domain[0].endpoint}" : ""
  proxy = "https://${var.ha_proxy_host}:${var.ha_proxy_port}"
}

So does the above code work?

timwisbauer-contsec commented 10 months ago

@prudhvigodithi haproxy and nginx are reverse proxies, which are different from the forward proxy configured here. Cloudflare has a decent explanation of the difference here: https://www.cloudflare.com/learning/cdn/glossary/reverse-proxy/

That being said, a proxy URL can alternatively use HTTP or HTTPS as the protocol, so your example of

proxy = "https://${var.ha_proxy_host}:${var.ha_proxy_port}"

may be valid depending on the network topology between the client running terraform and the OpenSearch instance.

prudhvigodithi commented 10 months ago

Thanks @timwisbauer-contsec, my point is that, irrespective of proxy or reverse proxy, the code looks generic:

provider "opensearch" {
  url   = var.opensearch_provider_enabled ? "https://${data.aws_opensearch_domain.domain[0].endpoint}" : ""
  proxy = "https:// or http://"
}

does this logic work for any proxy?

timwisbauer-contsec commented 10 months ago

@prudhvigodithi yes, it works for any forward proxy. Basically if the HTTP transport in Go supports it you can use it here.

prudhvigodithi commented 10 months ago

Thanks, just thinking aloud: what if a user configures a reverse proxy as proxy = "https:// or http://" trying to access the OpenSearch server via terraform, will this setting still work? @timwisbauer-contsec

timwisbauer-contsec commented 10 months ago

@prudhvigodithi yeah this setting just needs to meet the URL requirements here: https://pkg.go.dev/net/http#ProxyFromEnvironment

As long as the URL you've provided for the proxy is capable of handling those requests then this setting will work.

I haven't used nginx as a forward proxy before, but it looks like it's possible to be configured that way: https://www.baeldung.com/nginx-forward-proxy
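As an added example (not the provider's own code) of what the `proxy` setting ends up doing on the Go side: the proxy URL is validated against the schemes net/http's transport accepts for an explicit proxy (the set the linked ProxyFromEnvironment docs describe), then installed on an http.Transport with http.ProxyURL, leaving request authentication to the OpenSearch client untouched. The function names and the scheme allow-list are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// allowedProxySchemes is the set of schemes Go's net/http transport accepts
// for an explicit proxy; a reverse proxy fronting the cluster would instead
// go in the provider's url, not here. (Assumed allow-list for this example.)
var allowedProxySchemes = map[string]bool{"http": true, "https": true, "socks5": true}

// ParseProxyURL validates a provider "proxy" setting. An empty string means
// "no proxy". An unsupported scheme or a missing host is rejected up front so
// a misconfiguration fails at plan time with a clear error instead of the
// client silently attempting a direct connection.
func ParseProxyURL(raw string) (*url.URL, error) {
	if raw == "" {
		return nil, nil
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("proxy: invalid URL %q: %w", raw, err)
	}
	if !allowedProxySchemes[u.Scheme] {
		return nil, fmt.Errorf("proxy: unsupported scheme %q (want http, https or socks5)", u.Scheme)
	}
	if u.Hostname() == "" {
		return nil, fmt.Errorf("proxy: missing host in %q", raw)
	}
	return u, nil
}

// NewTransport builds the transport an OpenSearch HTTP client would use. The
// proxy only changes how the connection to the cluster endpoint is made;
// authentication to OpenSearch (AWS credentials, basic auth, ...) is still
// applied to each request on top of this transport.
func NewTransport(proxy *url.URL) *http.Transport {
	t := http.DefaultTransport.(*http.Transport).Clone()
	if proxy != nil {
		t.Proxy = http.ProxyURL(proxy) // fixed proxy from provider config
	} else {
		t.Proxy = http.ProxyFromEnvironment // fall back to HTTP(S)_PROXY / NO_PROXY
	}
	return t
}
```

A rejected scheme such as ftp:// surfaces as a provider configuration error before any request is sent.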

prudhvigodithi commented 10 months ago

Thanks @timwisbauer-contsec LGTM.