Capturing Terraform Azure CLI Traffic with Fiddler

This topic is a bit specific, but it’s a problem I spent quite a long time on this week, so I’m documenting it for anyone who tries to do the same thing.

When working with Azure in Terraform, you occasionally find you need to do something that isn’t supported by the Terraform Azure modules for whatever reason. On these occasions, I tend to fall back onto using the “local-exec” resource, which calls the Azure CLI.

resource "null_resource" "test" {
  provisioner "local-exec" {
    # Shells out to the Azure CLI on the machine running Terraform
    command = "az aks get-credentials -n name -g resourcegroup"
  }
}

This method works reasonably well as the CLI can use the same credentials as your Terraform connection and now you have access to do anything the CLI can do. You have to be careful to keep your process idempotent, but it gets you out of a pinch when nothing else will do it.

This week I was trying to run a command through the CLI, and I was having some issues getting the syntax correct. What I needed to write in Terraform, using the correct string escaping and so on, was failing when it hit the Azure API. It seemed like what I thought I was generating wasn’t what was getting sent, so I had the bright idea of running Fiddler to capture the command being sent to the API. Using this, I could compare it to what was being sent when I ran this command in the CLI manually (which worked). Simple, right? Now ensued many hours that I’m not getting back.

Using Fiddler Proxy

The first issue I needed to contend with was the fact that the Python library behind the CLI doesn’t seem to use the system proxy, which Fiddler sets up automatically. So to make it work, you need to set some environment variables in the same command line window you are using to run Terraform, to force it to use Fiddler as the proxy. The commands below assume you are running Fiddler on the default port of 8888.

PowerShell

$env:HTTP_PROXY="http://localhost:8888"
$env:HTTPS_PROXY="http://localhost:8888"

Bash

export HTTP_PROXY="http://localhost:8888"
export HTTPS_PROXY="http://localhost:8888"
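Setting the variables for the whole session, as above, also sends every other HTTP client started from that window through Fiddler, and the capture will include the bearer tokens the CLI sends to Azure. The following is an added example, not code from the original post, that scopes the proxy to a single command and refuses to run when nothing is listening; the function names and the FIDDLER_HOST / FIDDLER_PORT variables are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example: route ONE command through Fiddler instead of
# exporting the proxy variables for the whole shell session.
# Assumption: Fiddler listens on the post's default, localhost:8888.
FIDDLER_HOST="${FIDDLER_HOST:-localhost}"
FIDDLER_PORT="${FIDDLER_PORT:-8888}"

# Succeeds only if something accepts TCP connections on host:port.
# Relies on bash's /dev/tcp; the subshell keeps a failed connect
# from terminating the calling shell.
proxy_listening() {
  ( : >"/dev/tcp/$1/$2" ) 2>/dev/null
}

# Run "$@" with the proxy variables set for that process only.
# Both spellings are set because tools differ on which case they read.
# Intended for external commands such as terraform or az.
via_fiddler() {
  local proxy="http://${FIDDLER_HOST}:${FIDDLER_PORT}"
  HTTP_PROXY="$proxy" HTTPS_PROXY="$proxy" \
  http_proxy="$proxy" https_proxy="$proxy" \
    "$@"
}

# Check the proxy first, so a missing Fiddler shows up as a clear
# message rather than as a connection error from the CLI.
capture() {
  if ! proxy_listening "$FIDDLER_HOST" "$FIDDLER_PORT"; then
    echo "no proxy on ${FIDDLER_HOST}:${FIDDLER_PORT}; start Fiddler first" >&2
    return 1
  fi
  via_fiddler "$@"
}

# Usage: capture terraform apply
```

After the command exits, the shell's own environment is unchanged, so later commands in the same window go direct again.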

Certificate

Now our traffic is routing via Fiddler. However, all our Terraform/CLI traffic is going over HTTPS, so to be able to read this traffic, we need to enable Fiddler to intercept HTTPS traffic. This is a built-in feature of Fiddler and is documented here. The issue is that, to be able to intercept traffic, Fiddler presents its own HTTPS certificate to calls made through its proxy, which causes the CLI to error because it does not trust this certificate. You’ll see an error like this:

Please ensure you have a network connection. Error detail: HTTPSConnectionPool(host='login.microsoftonline.com',