### Terraform Version ```shell Terraform v1.10.2 on linux_amd64 ``` ### Terraform Configuration Files ```terraform terraform { required_providers { restapi = { source = "registry.playground.mdr.huntandhackett.com/huntandhackett/restapi" } } } ``` ```bash export TF_TOKEN_registry_playground_mdr_huntandhackett_com="REDACTED" ``` ### Debug Output ``` - Finding latest version of registry.playground.mdr.huntandhackett.com/huntandhackett/restapi... 2025-02-15T18:14:12.750Z [DEBUG] Service discovery for registry.playground.mdr.huntandhackett.com at https://registry.playground.mdr.huntandhackett.com/.well-known/terraform.json 2025-02-15T18:14:12.750Z [TRACE] HTTP client GET request to https://registry.playground.mdr.huntandhackett.com/.well-known/terraform.json 2025-02-15T18:14:13.275Z [DEBUG] GET https://registry.playground.mdr.huntandhackett.com/v1/providers/huntandhackett/restapi/versions 2025-02-15T18:14:13.275Z [TRACE] HTTP client GET request to https://registry.playground.mdr.huntandhackett.com/v1/providers/huntandhackett/restapi/versions 2025-02-15T18:14:13.962Z [TRACE] providercache.fillMetaCache: using cached result from previous scan of /home/user/.terraform/examples/private_registry/providers 2025-02-15T18:14:13.962Z [DEBUG] GET https://registry.playground.mdr.huntandhackett.com/v1/providers/huntandhackett/restapi/1.0.0/download/linux/amd64 2025-02-15T18:14:13.962Z [TRACE] HTTP client GET request to https://registry.playground.mdr.huntandhackett.com/v1/providers/huntandhackett/restapi/1.0.0/download/linux/amd64 2025-02-15T18:14:14.292Z [DEBUG] GET https://registry.playground.mdr.huntandhackett.com/binaries/huntandhackett/terraform-provider-restapi/1.0.0/terraform-provider-restapi_1.0.0_SHA256SUMS 2025-02-15T18:14:14.292Z [TRACE] HTTP client GET request to https://registry.playground.mdr.huntandhackett.com/binaries/huntandhackett/terraform-provider-restapi/1.0.0/terraform-provider-restapi_1.0.0_SHA256SUMS 2025-02-15T18:14:14.352Z [TRACE] HTTP client GET request to https://accounts.google.com/o/oauth2/v2/auth?client_id=REDACTED 2025-02-15T18:14:14.495Z [TRACE] HTTP client GET request to https://accounts.google.com/v3/signin/identifier?REDACTED 2025-02-15T18:14:14.626Z [DEBUG] GET https://registry.playground.mdr.huntandhackett.com/binaries/huntandhackett/terraform-provider-restapi/1.0.0/terraform-provider-restapi_1.0.0_SHA256SUMS.sig 2025-02-15T18:14:14.626Z [TRACE] HTTP client GET request to https://registry.playground.mdr.huntandhackett.com/binaries/huntandhackett/terraform-provider-restapi/1.0.0/terraform-provider-restapi_1.0.0_SHA256SUMS.sig 2025-02-15T18:14:14.682Z [TRACE] HTTP client GET request to https://accounts.google.com/o/oauth2/v2/auth?client_id=REDACTED - Installing registry.playground.mdr.huntandhackett.com/huntandhackett/restapi v1.0.0... 2025-02-15T18:14:14.855Z [TRACE] providercache.Dir.InstallPackage: installing registry.playground.mdr.huntandhackett.com/huntandhackett/restapi v1.0.0 from https://registry.playground.mdr.huntandhackett.com/binaries/huntandhackett/terraform-provider-restapi/1.0.0/terraform-provider-restapi_1.0.0_linux_amd64.zip 2025-02-15T18:14:14.855Z [TRACE] HTTP client GET request to https://registry.playground.mdr.huntandhackett.com/binaries/huntandhackett/terraform-provider-restapi/1.0.0/terraform-provider-restapi_1.0.0_linux_amd64.zip 2025-02-15T18:14:14.948Z [TRACE] HTTP client GET request to https://accounts.google.com/o/oauth2/v2/auth?client_id=REDACTED ``` ### Expected Behavior The TF_TOKEN should be used for all HTTP calls made to install the provider. ### Actual Behavior The TF_TOKEN is only used for the first two HTTP calls, precisely; https://registry.playground.mdr.huntandhackett.com/.well-known/terraform.json https://registry.playground.mdr.huntandhackett.com/v1/providers/huntandhackett/restapi/versions All API calls after that, are blocked by our Google Identity Aware Proxy - as the authorization header is missing. You can see this by the redirect response from Google, asking for authentication. This blocks a successful installation of the provider. All files it tries to obtain, exist in the backend - and are retrievable when trying using the exact same JWT token with curl. All requests are behind the same security barrier. We have also confirmed this using Google Logging. ### Steps to Reproduce This will be hard to reproduce, as this is a proprietary setup to begin with. Our PoC setup is a refactored version of https://github.com/mollie/tf-provider-registry-api-generator Essentially, install a provider from a custom Terraform registry - that is dependent on the authorization header as configured using TF_TOKEN. ### Additional Context _No response_ ### References _No response_ ### Generative AI / LLM assisted development? _No response_