The s3 backend does not respect the NO_PROXY variable #33987

Closed
mnival opened this issue Oct 5, 2023 · 5 comments · Fixed by #34243
Labels: backend/s3, bug, new (new issue not yet triaged), v1.6 (Issues (primarily bugs) reported against v1.6 releases)


mnival commented Oct 5, 2023

Terraform Version

Terraform v1.6.0
on linux_amd64

Terraform Configuration Files

terraform {
  backend "s3" {
    bucket="tf-state-test"
    region="eu-central-1"
    key="test/test.tfstate"
  }
}

Debug Output

https://gist.github.com/mnival/cb0857de9b72e2020bdc46b3ae00fbba

Expected Behavior

For requests to http://169.254.169.254/, Terraform should not use the proxy because I have the following NO_PROXY value:
NO_PROXY=169.254.169.254
Below is the result with curl, which uses the HTTP_PROXY, HTTPS_PROXY and NO_PROXY variables:

$ curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" -v -o /dev/null
* Uses proxy env variable NO_PROXY == '169.254.169.254'
*   Trying 169.254.169.254:80...
* Connected to 169.254.169.254 (169.254.169.254) port 80 (#0)
> PUT /latest/api/token HTTP/1.1
> Host: 169.254.169.254
> User-Agent: curl/8.0.1
> Accept: */*
> X-aws-ec2-metadata-token-ttl-seconds: 21600
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Content-Length: 56
< Content-Type: text/plain
< Date: Thu, 05 Oct 2023 09:40:58 GMT
< X-Aws-Ec2-Metadata-Token-Ttl-Seconds: 21600
< Connection: close
< Server: EC2ws
<
{ [56 bytes data]
* Closing connection 0

Actual Behavior

Terraform only uses the HTTP_PROXY and HTTPS_PROXY variables but not NO_PROXY. So some requests use a proxy even though they are only available locally and therefore without a proxy.

Steps to Reproduce

terraform init

Additional Context

export HTTP_PROXY="http://proxy:3128"
export HTTP_PROXY="http://proxy:3128"
export NO_PROXY="169.254.169.254"

References


DerPauli commented Oct 6, 2023

We encounter this problem as well, but the other way around. Our atlantis server uses Terraform v1.6.0 and can't refresh the state from S3 anymore through our corporate proxy.
The atlantis output for terraform init looks like:

│ Error: No valid credential sources found
│ 
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│ 
│ Error: failed to refresh cached credentials, failed to retrieve
│ credentials, operation error STS: AssumeRoleWithWebIdentity, exceeded
│ maximum number of attempts, 3, https response error StatusCode: 0,
│ RequestID: , request send failed, Post
│ "https://sts.eu-central-1.amazonaws.com/": proxyconnect tcp: dial tcp :0:
│ connect: connection refused
│ 


StevenKGER commented Oct 6, 2023

We encounter this problem as well.

It seems like it's due to #33765 and there due to hashicorp/aws-sdk-go-base#81. Why did it work before? Because Golang uses the environmental proxy settings in the standard HTTPTransport, which has been used before.

image
This function always returns the same URL, therefore ignoring NO_PROXY.

An issue should be opened in aws-sdk-go-base to support NO_PROXY settings, and after it has been changed there, we can add NO_PROXY here again. Otherwise, reverting the changes which were added with the minor update 1.6.0 can recover the state which used to work before.
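
The behaviour described in the comment above, as an added example that is not part of the thread and not Terraform or aws-sdk-go-base code: a proxy function that always returns one URL (Go's `http.ProxyURL` is used here as an assumed stand-in) sends the instance-metadata request to the proxy, while `http.ProxyFromEnvironment` honours NO_PROXY. The helper names `proxyFor` and `compare` are hypothetical; the proxy address and NO_PROXY value are the ones from the report.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
)

// fixedProxy is the reporter's placeholder proxy ("proxy:3128"), not a real host.
var fixedProxy = &url.URL{Scheme: "http", Host: "proxy:3128"}

// proxyFor asks a proxy-selection function which proxy it would use for
// target and returns that proxy's URL, or "direct" when none is chosen.
// No network traffic is generated; the request is only constructed.
func proxyFor(choose func(*http.Request) (*url.URL, error), target string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	u, err := choose(req)
	if err != nil {
		return "", err
	}
	if u == nil {
		return "direct", nil
	}
	return u.String(), nil
}

// compare returns the decision of the fixed-URL function and of the
// environment-aware function for the same target.
func compare(target string) (fixed, fromEnv string, err error) {
	// Set before the first ProxyFromEnvironment call: Go reads these once per process.
	os.Setenv("HTTP_PROXY", fixedProxy.String())
	os.Setenv("HTTPS_PROXY", fixedProxy.String())
	os.Setenv("NO_PROXY", "169.254.169.254")
	if fixed, err = proxyFor(http.ProxyURL(fixedProxy), target); err != nil {
		return "", "", err
	}
	fromEnv, err = proxyFor(http.ProxyFromEnvironment, target)
	return fixed, fromEnv, err
}

func main() {
	for _, t := range []string{"http://169.254.169.254/latest/api/token", "https://sts.eu-central-1.amazonaws.com/"} {
		fixed, fromEnv, err := compare(t)
		fmt.Printf("%s\n  fixed: %s\n  env:   %s (err=%v)\n", t, fixed, fromEnv, err)
	}
}
```

With the fixed-URL function, the metadata token request and any credentials it returns transit the proxy, so checking which selection function an HTTP client uses is worth doing whenever proxy handling changes.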

@wernerwws

Is there any workaround?

@joaquin386

@wernerwws 1.5.2 will work, 1.6.X will not.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 16, 2023