Use Case
By default, the Terraform Enterprise proxy configurations are injected into the TFC Agent containers.
This article is useful when you need to build a new agent image with a custom proxy configuration, which will overwrite the default one.
Terraform agents can communicate through a proxy (e.g. Zscaler). SSL termination can happen either at the proxy or at HCP Terraform/Terraform Enterprise. This requires building a custom agent with environment variables that point to the proxy. Load the CA certificate on the agent if you are using SSL termination on the proxy and the proxy uses a self-signed certificate issued by a non-trusted CA.
Procedure
- Create a directory to make the image:
$ mkdir test
- Switch to the new directory:
$ cd test
- Create an empty file named Dockerfile:
$ touch Dockerfile
- Using a text or code editor, add the following contents to the Dockerfile and replace the values of the environment variables in the http://IP:PORT format:
$ vim Dockerfile
FROM hashicorp/tfc-agent:latest
USER root
# Add environment variables to use custom proxy
ENV HTTP_PROXY=http://xxx.xxx.xxx.xxx:xxxx
ENV HTTPS_PROXY=http://xxx.xxx.xxx.xxx:xxxx
ENV http_proxy=http://xxx.xxx.xxx.xxx:xxxx
ENV https_proxy=http://xxx.xxx.xxx.xxx:xxxx
# Domains, hostnames or IPs allowed to bypass the proxy
ENV NO_PROXY=localhost,127.0.0.1,tfe.example.net
ENV no_proxy=localhost,127.0.0.1,tfe.example.net
# Install sudo. The container runs as a non-root user, but people may rely on the ability to apt-get install things.
RUN apt-get -y install sudo
###############################
### Add custom certificates ###
###############################
# ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
# RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates
# Permit tfc-agent to use sudo apt-get commands.
RUN echo 'tfc-agent ALL=NOPASSWD: /usr/bin/apt-get , /usr/bin/apt' >> /etc/sudoers.d/50-tfc-agent
USER tfc-agent
- Run Docker build to compile the image:
$ docker build -t custom-tfc-agent .
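A pre-build check for the proxy ENV lines in the Dockerfile above, as an added example that is not part of the original article or HashiCorp tooling. The function name check_proxy_env and the proxy address 192.0.2.10:3128 are assumptions made for illustration.

```shell
# check_proxy_env FILE: lint the proxy ENV lines of an agent Dockerfile.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_proxy_env() {
  awk '
    BEGIN { bad = 0 }
    # Inspect only ENV instructions whose key is a proxy variable.
    toupper($1) == "ENV" && toupper($2) ~ /^(HTTPS?|NO)_PROXY([=:]|$)/ {
      eq = index($2, "=")
      if (eq == 0) {
        # "ENV NO_PROXY: a,b" does not define a variable named NO_PROXY.
        printf "line %d: use ENV KEY=value syntax: %s\n", NR, $0
        bad = 1; next
      }
      key = substr($2, 1, eq - 1); val = substr($2, eq + 1)
      seen[key] = val
      # A numeric port is required, so an unreplaced xxxx placeholder is reported.
      if (toupper(key) != "NO_PROXY" && val !~ "^https?://[^/:@ ]+:[0-9]+/?$") {
        printf "line %d: %s is not in http://IP:PORT form\n", NR, key
        bad = 1
      }
    }
    END {
      # Both spellings must be present and carry the same value.
      n = split("HTTP_PROXY HTTPS_PROXY NO_PROXY", up, " ")
      for (i = 1; i <= n; i++) {
        lo = tolower(up[i])
        if (!(up[i] in seen) || !(lo in seen)) {
          printf "%s/%s: not set in both cases\n", up[i], lo; bad = 1
        } else if (seen[up[i]] != seen[lo]) {
          printf "%s and %s differ\n", up[i], lo; bad = 1
        }
      }
      exit bad
    }' "$1"
}

# Constructed sample input (192.0.2.10:3128 is a made-up proxy address).
sample=$(mktemp)
cat > "$sample" <<'EOF'
FROM hashicorp/tfc-agent:latest
ENV HTTP_PROXY=http://192.0.2.10:3128
ENV http_proxy=http://192.0.2.10:3128
ENV HTTPS_PROXY=http://192.0.2.10:3128
ENV https_proxy=http://xxx.xxx.xxx.xxx:xxxx
ENV NO_PROXY: localhost,127.0.0.1,tfe.example.net
ENV no_proxy=localhost,127.0.0.1,tfe.example.net
EOF
check_proxy_env "$sample" || echo "fix the findings before docker build"
rm -f "$sample"
```

Run it as check_proxy_env Dockerfile from the build directory; a non-zero return means at least one proxy variable would not reach the agent as intended.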
Replicated
- To start using this newly built custom agent for TFE runs, execute the following command for a Replicated installation:
$ replicatedctl app-config set custom_agent_image_tag --value 'custom-tfc-agent:latest'
- To apply the settings and restart the Replicated service:
$ replicatedctl app apply-config
- Once TFE is up and running, test a terraform plan and terraform apply.
FDO
- Use the created custom agent image name and tag via the TFE_RUN_PIPELINE_IMAGE parameter in your Docker Compose / Helm chart / Kubernetes YAML:
TFE_RUN_PIPELINE_IMAGE: "custom-tfc-agent:latest"
- To apply the settings, you will need to re-deploy TFE.
- Once TFE is up and running, test a terraform plan and terraform apply.