Use case
We are using Terraform at our company to build a full environment on AWS. This includes IAM, security groups, databases, instances, firing up a Nomad cluster and putting settings in Consul. As we have tight security requirements (credit card processing), the inbound rules of all resources are strictly locked.
On environments like ours, we end up with the following situation: I want to use provider X (Consul, Docker, Nomad...), but the machine that is running Terraform doesn't, and won't ever, have access to that provider's server.
Currently, we see two ways of solving this:
For simple configurations, use a provisioner connected through the bastion and execute a script on a machine that has access. The downside is that you don't use Terraform state management here.
For more complex situations, give the bastion direct access to the service and execute Terraform inside it. Downside: the bastion shouldn't have access to that service, and you need to have AWS and Git credentials inside the bastion.
Proposal
Terraform should have a way to "proxy" the requests made by supported providers through some kind of connection. At first I would imagine something like this:
In this case we could start SSH forwarding and the provider would connect through it.
What are your thoughts about this? If we agree on some solution like this, I will be happy to start a pull request.
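One way to get today what the proposal asks for, as an added example that is not part of the original issue and not code from the Terraform project: a small Python wrapper that opens an SSH local port forward through the bastion, points the provider at the loopback end of the tunnel via a Terraform input variable, runs terraform, and tears the tunnel down afterwards. The bastion address, the service host, the ports and the variable name `consul_address` (which the provider block is assumed to read as `provider "consul" { address = var.consul_address }`) are all hypothetical placeholders.

```python
"""Run terraform against a service that is reachable only through a bastion.

Added example for the workaround the issue describes (SSH port forwarding
in front of a provider); it is not code from the issue author or from the
Terraform project. Assumptions, all hypothetical: the bastion address, the
remote service address, the local port and the Terraform input variable
`consul_address`, which the caller's config is expected to wire into
`provider "consul" { address = var.consul_address }`.
"""
from __future__ import annotations

import os
import socket
import subprocess
import sys
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    bastion: str       # ssh target, e.g. "ops@bastion.example.internal" (hypothetical)
    remote_host: str   # host only the bastion can reach, e.g. "consul.internal"
    remote_port: int   # service port on that host
    local_port: int    # loopback port on the machine running terraform


def build_ssh_args(t: Tunnel) -> list[str]:
    """ssh command line for a local forward, with the options that matter for security.

    -N                          no remote shell; the session exists only for the forward
    -L 127.0.0.1:lp:host:port   bind to loopback so other users of the runner cannot
                                ride the tunnel into the locked-down network
    ExitOnForwardFailure=yes    fail loudly instead of letting terraform talk to whatever
                                else happens to listen on local_port
    StrictHostKeyChecking=yes   the bastion sees every provider request, so an unknown
                                host key must never be accepted non-interactively
    BatchMode=yes               never fall back to a password prompt in CI
    """
    return [
        "ssh", "-N",
        "-o", "ExitOnForwardFailure=yes",
        "-o", "StrictHostKeyChecking=yes",
        "-o", "BatchMode=yes",
        "-o", "ServerAliveInterval=30",
        "-L", f"127.0.0.1:{t.local_port}:{t.remote_host}:{t.remote_port}",
        t.bastion,
    ]


def provider_env(t: Tunnel, var_name: str = "consul_address") -> dict[str, str]:
    """Environment for terraform: TF_VAR_<name> points the provider at the tunnel.

    `var_name` is an assumed Terraform input variable; the provider block must
    read it (e.g. `address = var.consul_address`).
    """
    env = dict(os.environ)
    env[f"TF_VAR_{var_name}"] = f"127.0.0.1:{t.local_port}"
    return env


def wait_for_port(host: str, port: int, timeout: float,
                  proc: subprocess.Popen | None = None) -> bool:
    """Poll until something accepts connections on host:port, or give up.

    If `proc` (the ssh process) exits before the port opens, stop waiting:
    ExitOnForwardFailure has already reported that the forward did not come up.
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if proc is not None and proc.poll() is not None:
            return False
        try:
            with socket.create_connection((host, port), timeout=0.5):
                return True
        except OSError:
            time.sleep(0.2)
    return False


def run_terraform_via_tunnel(t: Tunnel, tf_args: list[str], cwd: str = ".") -> int:
    """Open the tunnel, run `terraform <tf_args>` through it, always close the tunnel."""
    ssh = subprocess.Popen(build_ssh_args(t))
    try:
        if not wait_for_port("127.0.0.1", t.local_port, timeout=15, proc=ssh):
            print(f"tunnel to {t.remote_host}:{t.remote_port} via {t.bastion} did not come up",
                  file=sys.stderr)
            return 1
        return subprocess.call(["terraform", *tf_args], cwd=cwd, env=provider_env(t))
    finally:
        if ssh.poll() is None:
            ssh.terminate()
            try:
                ssh.wait(timeout=10)
            except subprocess.TimeoutExpired:
                ssh.kill()


if __name__ == "__main__":
    # Example invocation (hypothetical hosts): `terraform plan` against a Consul
    # endpoint that only the bastion can reach.
    tunnel = Tunnel(bastion="ops@bastion.example.internal",
                    remote_host="consul.internal", remote_port=8500, local_port=18500)
    sys.exit(run_terraform_via_tunnel(tunnel, ["plan"] + sys.argv[1:]))
```

This keeps state management and the AWS and Git credentials on the Terraform runner, and the bastion only needs an SSH server plus network reachability to the one service port. The ssh options make the wrapper fail closed: a changed host key or a forward that cannot bind aborts the run instead of leaving terraform talking to the wrong endpoint. The bastion still sees the provider traffic, so a provider that speaks plain HTTP should be given TLS if the bastion is not trusted with that data.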
I think this is the same idea as was discussed in #8367. There was some discussion over there as to different ways to approach the design of this, though the original proposal looks a lot like what you proposed here. I suggested a few different formulations over there which I thought might fit better into Terraform's existing architecture; I'd be interested to hear what you think about those.
I'm going to close this to consolidate the discussion over there. I personally am pretty excited to have a feature like this.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
ghost locked and limited conversation to collaborators on Apr 16, 2020