Debugging Terraform with Fiddler

Ben Greenier ・3 min read

Hi! I’m Ben Greenier — I’m an engineer at Microsoft working to create awesome open source projects with our partners. We get to create software to help solve really tricky problems, and share our stories as we go. This means that as part of my job I get to play with lots of new technologies, learn how to use them, and help other folks do the same.

Lately I've been working with Terraform to help manage infrastructure for a new app. The app itself isn't super important to this post, so I'll omit a description. However, it's going to run on Azure and will be built on Azure Functions. To help limit downtime, the plan is to use Blue/Green Deployments backed by App Slots.

While I was configuring this setup, I ran into some platform errors (from Azure) saying that my azurerm_app_service_slot block was failing - yet it was a really simple configuration. Again, the actual error here isn't a focus (maybe that's a good candidate for a second post) - but I couldn't find any solutions online, and felt it was time to dig deeper.

I first used TF_LOG=DEBUG to get a bit more visibility, but I wanted to be able to see the full HTTP traffic (including bodies) to and from Azure, as Terraform ran. No amount of logging seemed able to provide that. I decided to try and hook up Fiddler - my favorite tool for this kind of thing.

With Fiddler running, I disabled explicit traffic capture and set Go's HTTP proxy environment variables in my shell session to point at Fiddler. On Windows this is two quick commands:

set HTTP_PROXY=http://localhost:8888
set HTTPS_PROXY=http://localhost:8888

I also went into the Fiddler options and disabled HTTPS decryption for the Azure CLI Authentication endpoints - we're not interested in this traffic anyway, and while the CLI has more advanced solutions, we don't need them here.

A screenshot of the Fiddler Options UI, showing my modified settings to ignore authentication sites

These are the sites I disabled decryption for:

login.microsoftonline.com
graph.windows.net

After that, I was able to see my Terraform traffic in Fiddler - and inspect the differences between my desired configuration and what was actually being sent to Azure over the wire. With that, I was able to fix my issue!
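The proxy setup above can be scoped to a single Terraform run so that later commands in the same session are not left pointing at the decrypting proxy. This PowerShell sketch is an added example, not code from the original post; `Invoke-ThroughProxy` is a hypothetical helper name, and the host and port are the `localhost:8888` values used above.

```powershell
# Added example: run one command through a local intercepting proxy, then
# restore the previous proxy settings even if the command fails.
# Invoke-ThroughProxy is a hypothetical helper; 8888 is the port from the post.
function Invoke-ThroughProxy {
    param(
        [Parameter(Mandatory)] [scriptblock] $Command,
        [string] $ProxyHost = 'localhost',
        [int] $ProxyPort = 8888
    )

    # Fail early if nothing is listening; otherwise every provider call
    # fails with a connection error that hides the real problem.
    $listening = Test-NetConnection -ComputerName $ProxyHost -Port $ProxyPort `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $listening) {
        throw "No proxy listening on ${ProxyHost}:${ProxyPort}; start Fiddler first."
    }

    # Remember the current values ($null means the variable was not set).
    $names = 'HTTP_PROXY', 'HTTPS_PROXY'
    $saved = @{}
    foreach ($n in $names) {
        $saved[$n] = (Get-Item "Env:$n" -ErrorAction SilentlyContinue).Value
    }

    try {
        foreach ($n in $names) {
            Set-Item "Env:$n" "http://${ProxyHost}:${ProxyPort}"
        }
        & $Command
    }
    finally {
        # Put the session back exactly as it was: unset stays unset.
        foreach ($n in $names) {
            if ($null -eq $saved[$n]) {
                Remove-Item "Env:$n" -ErrorAction SilentlyContinue
            } else {
                Set-Item "Env:$n" $saved[$n]
            }
        }
    }
}

# Capture only this plan; commands run afterwards bypass Fiddler again.
Invoke-ThroughProxy { terraform plan }
```

Requests to the Azure management API carry bearer tokens in their headers, so a capture taken this way should be handled like a credential.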

Thanks for reading - if you'd like to further support me and see similar content, follow me on Twitch and/or Twitter. If you're stuck on a similar problem, or you were and this helped, I'd love to learn more about that situation - leave me a note in the comments.

💙🌈
-Ben

P.S: Header Photo by Marc Kleen on Unsplash
