How to configure Terraform Custom Agent to use Proxy

Avatar
Dmitry Uchuvatov
  • Updated

Use Case

By default, the Terraform Enterprise proxy configurations are injected into the TFC Agent containers.

This article can be useful in case you need to build a new Agent with a custom proxy configuration, which will overwrite the default one.

Terraform agents can communicate through a proxy (e.g. Zscaler). SSL termination can either happen at the proxy or at HCP Terraform/Terraform Enterprise. This requires a custom agent to be built with environment variables to point to the proxy. Load the CA certificate on the agent if you are using SSL termination on the proxy and if the proxy uses a self-signed certificate issued by a non-trusted CA.

 

Procedure

  • Create a directory to make the image:

$ mkdir test

  • Switch to the new directory:

$ cd test

  • Create an empty file named Dockerfile:

$ touch Dockerfile

  • Using a text or code editor, add the following contents to the Dockerfile and replace the values of environment variables in the http://IP:PORT format:

$ vim Dockerfile
FROM hashicorp/tfc-agent:latest  

USER root

# Add environment variables to use custom proxy
ENV HTTP_PROXY=http://xxx.xxx.xxx.xxx:xxxx
ENV HTTPS_PROXY=http://xxx.xxx.xxx.xxx:xxxx
ENV http_proxy=http://xxx.xxx.xxx.xxx:xxxx
ENV https_proxy=http://xxx.xxx.xxx.xxx:xxxx
# Domains, hostnames or IPs allowed to bypass the proxy
ENV NO_PROXY: localhost,127.0.0.1,tfe.example.net 
ENV no_proxy: localhost,127.0.0.1,tfe.example.net

# Install sudo. The container runs as a non-root user, but people may rely on the ability to apt-get install things. 
RUN apt-get -y install sudo

###############################
### Add custom certificates ###
###############################
# ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
# RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates

# Permit tfc-agent to use sudo apt-get commands. 
RUN echo 'tfc-agent ALL=NOPASSWD: /usr/bin/apt-get , /usr/bin/apt' >> /etc/sudoers.d/50-tfc-agent

USER tfc-agent
  • Run Docker build to compile the image:
$ docker build -t custom-tfc-agent . 

Replicated

  • To start using this newly built Custom Agent for TFE runs, execute the following command for Replicated installation:
$ replicatedctl app-config set custom_agent_image_tag --value 'custom-tfc-agent:latest'
  • To apply the settings and restart Replicated service:
$ replicatedctl app apply-config
  • Once TFE is up and running, test a terraform plan and terraform apply

FDO

  • Use the created custom agent image name and tag via TFE_RUN_PIPELINE_IMAGE parameter in your Docker Compose / Helm chart / Kubernetes YAML:
TFE_RUN_PIPELINE_IMAGE: "custom-tfc-agent:latest"
  • To apply the settings, you will need to re-deploy TFE
  • Once TFE is up and running, test a terraform plan and terraform apply

 

Additional Information

Articles in this section

See more

Related articles