zitadel / terraform-provider-zitadel

Official Terraform provider for ZITADEL
https://zitadel.com
Apache License 2.0

Cloudflare proxy support #159

Closed 23doors closed 6 months ago

23doors commented 7 months ago

Preflight Checklist

Version

1.0.5

ZITADEL Version

No response

Describe the problem caused by this bug

When using a proxied subdomain for zitadel in cloudflare, I can't seem to use the terraform zitadel provider. Possibly also the zitadel sdk in general, as I guess it uses that.

Enabled grpc support on the cloudflare side, but it requires the content-type to be application/grpc. Zitadel seems to be returning an incorrect content-type. Getting: 520 (); transport: received unexpected content-type "text/plain; charset=UTF-8"

To reproduce

Pretty self-explanatory.

  1. Use zitadel with cloudflare proxied domain.
  2. Enable grpc on cloudflare side.
  3. Try to do anything in zitadel terraform provider.

Screenshots

No response

Expected behavior

Cloudflare supports proxying grpc, so it should work normally. It seems to be a matter of the wrong content-type being used.

Relevant Configuration

No response

Additional Context

TF_LOG=trace logs

2024-02-19T13:40:44.455+0100 [ERROR] provider.terraform-provider-zitadel_v1.0.5: Response contains error diagnostic: @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov6/internal/diag/diagnostics.go:55 diagnostic_summary="error while getting org by id ICS: rpc error: code = Unknown desc = unexpected HTTP status code received from server: 520 (); transport: received unexpected content-type \"text/plain; charset=UTF-8\"" tf_provider_addr=registry.terraform.io/zitadel/zitadel tf_proto_version=6.3 diagnostic_detail="" tf_data_source_type=zitadel_orgs tf_req_id=934c9b50-b738-673c-1804-6fb77844f482 @module=sdk.proto diagnostic_severity=ERROR tf_rpc=ReadDataSource timestamp="2024-02-19T13:40:44.454+0100"
2024-02-19T13:40:44.455+0100 [TRACE] provider.terraform-provider-zitadel_v1.0.5: Served request: tf_data_source_type=zitadel_orgs tf_provider_addr=registry.terraform.io/zitadel/zitadel tf_req_id=934c9b50-b738-673c-1804-6fb77844f482 @module=sdk.proto tf_proto_version=6.3 tf_rpc=ReadDataSource @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov6/tf6server/server.go:668 timestamp="2024-02-19T13:40:44.454+0100"
2024-02-19T13:40:44.455+0100 [ERROR] vertex "data.zitadel_orgs.zitadel_ics_org" error: error while getting org by id ICS: rpc error: code = Unknown desc = unexpected HTTP status code received from server: 520 (); transport: received unexpected content-type "text/plain; charset=UTF-8"
2024-02-19T13:40:44.455+0100 [TRACE] vertex "data.zitadel_orgs.zitadel_ics_org": visit complete, with errors
2024-02-19T13:40:44.455+0100 [TRACE] dag/walk: upstream of "root" errored, so skipping
2024-02-19T13:40:44.455+0100 [TRACE] vertex "data.zitadel_orgs.zitadel_ics_org (expand)": dynamic subgraph encountered errors: error while getting org by id ICS: rpc error: code = Unknown desc = unexpected HTTP status code received from server: 520 (); transport: received unexpected content-type "text/plain; charset=UTF-8"

When cloudflare proxying is disabled, it works fine.

vavsab commented 6 months ago

I had a similar issue with cloudflare. Maybe my case helps you.

TL;DR: Pressing the "Enable GRPC" checkbox in cloudflare is not enough 😭. You need to struggle more to make it work.

I'm using cloudflare tunnels. When I tried to set up a sample GRPC server, I could not query it through cloudflare. So I spent a couple of weeks playing with this: https://github.com/cloudflare/cloudflared/issues/491 and after my sample GRPC server was working, terraform also started to work.

23doors commented 6 months ago

Not sure if this relates to this issue, to be honest. I'm not using cloudflare tunnels; they're completely different from normal proxying. And briefly checking the issue you linked, it doesn't exactly provide any solution to try either.

According to the docs, the Enable GRPC checkbox for cloudflare proxied resources (not argo tunnels) is actually enough.

vavsab commented 6 months ago

Ok. Then it does not relate to you. Do you have other grpc services working there?

23doors commented 6 months ago

Fixed it. For anyone encountering this, this was not a bug in zitadel.

In cloudflare docs:

Make sure that the hostname that hosts your gRPC endpoint:
  - Is set to proxied
  - Uses at least the Full SSL/TLS encryption mode.

The last part is actually really important here. I was sure I already had "Full" on, but it turns out it was on "Flexible". After switching it to "Full", it works just fine.

Thank you @vavsab for giving me an incentive to start digging a bit more!
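An added example (not from this issue, the ZITADEL provider, or Cloudflare's docs) showing the zone configuration the thread ends up requiring, with the failing "flexible" setting shown beside the corrected one. It assumes the Cloudflare Terraform provider v4 resource names; the zone ID, hostname, origin address and JWT profile path are placeholders.

```hcl
# Added example: Cloudflare zone settings for running the ZITADEL Terraform
# provider through a proxied hostname. Assumes Cloudflare provider v4 resource
# names; all values below are placeholders.

variable "cloudflare_zone_id" {
  type = string                            # placeholder input
}

# The proxied hostname the ZITADEL provider will dial (docs: "is set to proxied").
resource "cloudflare_record" "zitadel" {
  zone_id = var.cloudflare_zone_id
  name    = "auth"                         # auth.example.com (placeholder)
  type    = "A"
  value   = "203.0.113.10"                 # origin address (placeholder, TEST-NET)
  proxied = true
}

# Weak setting that reproduces the 520 / "text/plain" error from this issue:
# in "flexible" mode Cloudflare terminates TLS itself and talks plain HTTP to
# the origin, so the TLS/HTTP/2 leg that gRPC needs never exists and the proxy
# answers with its own plain-text error page instead of a gRPC response.
#
#   settings {
#     ssl = "flexible"
#   }
#
# Corrected setting: "full" is the minimum the quoted docs require; "strict"
# additionally validates the origin certificate against a trusted CA, which is
# the appropriate choice for an identity provider's management API.
resource "cloudflare_zone_settings_override" "zitadel_zone" {
  zone_id = var.cloudflare_zone_id
  settings {
    ssl = "strict"
  }
}

# The "Enable GRPC" toggle the thread mentions is switched on in the Cloudflare
# dashboard (Network tab); it is not covered by this configuration.

# ZITADEL provider pointed at the proxied hostname over TLS.
provider "zitadel" {
  domain           = "auth.example.com"    # placeholder
  insecure         = "false"
  port             = "443"
  jwt_profile_file = "service-user.json"   # placeholder path to the service-user key
}
```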

ToroNZ commented 3 months ago

Using Tunnels, Zitadel provider works by following this comment: https://github.com/cloudflare/cloudflared/issues/491#issuecomment-1643233485