Description
Terraform Version
Terraform v1.11.4
on darwin_arm64
Terraform Configuration Files
```hcl
terraform {
  backend "oss" {
    region         = "cn-hangzhou"
    bucket         = "xxx"
    prefix         = "xxx"
    key            = "terraform.tfstate"
    access_key     = "xxx"
    secret_key     = "xxx"
    security_token = null
  }
}
```
Debug Output
n/a
Expected Behavior
n/a
Actual Behavior
n/a
Steps to Reproduce
- Set environment variables HTTP_PROXY/HTTPS_PROXY and NO_PROXY="my-oss-endpoint".
- Run Terraform commands using the OSS backend.
- Observe that requests to the OSS endpoint still go through the proxy, violating NO_PROXY exclusion rules.
Additional Context
Background:
- Multi-cloud Provider Usage: My infrastructure uses multiple cloud providers including Alibaba Cloud, AWS, and GCP for managing resources across clouds.
- Backend Configuration: The OSS is used as the backend for Terraform.
- Network and Security Constraints: Our corporate environment has specific security configurations, including an IP whitelist for the OSS ACL that restricts write access to certain IP addresses. The proxy server is not included in this whitelist.
- Proxy Configuration: To enhance access speed to AWS and GCP services, the environment variables HTTP_PROXY and HTTPS_PROXY have been set.
Issue:
When HTTPS_PROXY is not set, Terraform operates normally, but access to AWS and GCP services is highly unstable, likely due to network limitations.
Upon setting HTTPS_PROXY, running Terraform commands such as terraform init leads to a 403 error:
```text
Initializing the backend...
╷
│ Error: Failed to get existing workspaces: oss: service returned error: StatusCode=403, ErrorCode=AccessDenied, ErrorMessage="Access denied by bucket policy.", RequestId=680188D773EC81393491C1DC, Ec=0003-00000101
╵
```
This 403 error is due to the OSS ACL configuration restricting access based on IP whitelist. I've attempted to use NO_PROXY to bypass the proxy for the OSS endpoint (NO_PROXY="$oss_endpoint"), but it appears to be ignored by the OSS backend logic.
Problem Summary:
- Disable HTTPS_PROXY: Causes unstable connections to AWS and GCP providers due to lack of proxy benefits.
- Enable HTTPS_PROXY: Results in Terraform initialization failure with a 403 error from the OSS backend.
- Adjust OSS ACL: This is not permissible due to corporate security policies.
These challenges indicate that the OSS client's override of the default proxy settings, together with its lack of NO_PROXY handling logic, is indeed a bug. It is generally expected that systems support HTTP_PROXY, HTTPS_PROXY, and NO_PROXY configurations simultaneously to provide comprehensive and flexible proxy management. Proper support for NO_PROXY would allow Terraform to selectively bypass the proxy for allowed OSS endpoint connections while maintaining proxy usage for other providers.
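The behaviour described above comes down to how a Go HTTP client chooses its proxy. The following is an added example (not Terraform's or the Alibaba OSS SDK's own code) that contrasts the two strategies with the standard library alone: `http.ProxyURL`, which applies a fixed proxy to every request and never consults NO_PROXY, and `http.ProxyFromEnvironment`, which honours HTTPS_PROXY and NO_PROXY. The proxy address `proxy.corp.example:3128`, the endpoint hostname `oss-cn-hangzhou.aliyuncs.com` and the function `ProxyDecisions` are assumptions chosen for the illustration.

```go
package main

import (
	"net/http"
	"net/url"
	"os"
)

// Decision records where each proxy strategy would send one endpoint (nil = direct).
type Decision struct {
	Endpoint      string
	FixedProxy    *url.URL // http.ProxyURL: proxy always applied, NO_PROXY never consulted
	EnvAwareProxy *url.URL // http.ProxyFromEnvironment: honours HTTPS_PROXY and NO_PROXY
}

// ProxyDecisions sets HTTPS_PROXY and NO_PROXY, then asks both strategies where
// each endpoint would be sent. net/http reads the proxy variables once per process,
// so they must be set before the first ProxyFromEnvironment call.
func ProxyDecisions(httpsProxy, noProxy string, endpoints []string) ([]Decision, error) {
	for k, v := range map[string]string{"HTTPS_PROXY": httpsProxy, "NO_PROXY": noProxy} {
		if err := os.Setenv(k, v); err != nil {
			return nil, err
		}
	}
	fixedURL, err := url.Parse(httpsProxy)
	if err != nil {
		return nil, err
	}
	// Wiring the proxy URL straight into the Transport is the pattern that makes
	// NO_PROXY irrelevant; ProxyFromEnvironment is the drop-in that honours it.
	fixed := http.ProxyURL(fixedURL)
	var out []Decision
	for _, ep := range endpoints {
		req, err := http.NewRequest(http.MethodGet, ep, nil)
		if err != nil {
			return nil, err
		}
		f, _ := fixed(req) // ProxyURL never returns an error
		e, err := http.ProxyFromEnvironment(req)
		if err != nil {
			return nil, err
		}
		out = append(out, Decision{Endpoint: ep, FixedProxy: f, EnvAwareProxy: e})
	}
	return out, nil
}
```

With NO_PROXY naming the OSS endpoint, the environment-aware strategy returns no proxy for the OSS request and the corporate proxy for an AWS request, which is the selective bypass the report asks for; a backend built on a fixed proxy function sends both through the proxy and so hits the bucket policy's IP whitelist.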
References
No response
Generative AI / LLM assisted development?
No response