Request forwarding docs (#93)

* Updating index * Update requirements * Add optional request forwarding configuration * Add initial request forwarding page * Add required agent version * Mention HTTP CONNECT * Add security section * Fix memory recommendation * Adding blurbs for timeouts and monitoring * Apply suggestions from code review Co-authored-by: Claire Knutson <117297128+clairevnext@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Claire Knutson <117297128+clairevnext@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Brian McClain <brianmmcclain@gmail.com> * Update website/docs/cloud-docs/agents/agents.mdx Co-authored-by: Brian McClain <brianmmcclain@gmail.com> * Update website/docs/cloud-docs/agents/agents.mdx Co-authored-by: Brian McClain <brianmmcclain@gmail.com> * Update website/docs/cloud-docs/agents/request-forwarding.mdx Co-authored-by: Brian McClain <brianmmcclain@gmail.com> * Update website/docs/cloud-docs/agents/request-forwarding.mdx Co-authored-by: Brian McClain <brianmmcclain@gmail.com> * Add missing link --------- Co-authored-by: Claire Knutson <117297128+clairevnext@users.noreply.github.com> Co-authored-by: Brian McClain <brianmmcclain@gmail.com>

Author: 3 people

website/data/cloud-docs-agents-nav-data.json

@@ -7,6 +7,7 @@
  { "title": "Install and Run Agents", "path": "agents" },
  { "title": "Inject Custom Run Actions (Hooks)", "path": "hooks" },
  { "title": "Manage Agent Pools", "path": "agent-pools" },
+ { "title": "Request Forwarding", "path": "request-forwarding" },
  { "title": "Telemetry", "path": "telemetry" },
  { "title": "Logging", "path": "logging" },
  { "title": "Metrics", "path": "metrics" },

website/docs/cloud-docs/agents/agents.mdx

@@ -89,6 +89,12 @@ You can also configure the agent to run in single-execution mode, which ensures
 
 To use single-execution mode, start the agent with the `-single` command line argument.
 
+### Optional Configuration: Request Forwarding
+
+You can configure the agent to accept forwarded requests from Terraform Cloud. Request forwarding enables Terraform Cloud to securely access private infrastructure resources, such as private VCS systems. See [Request Forwarding](/terraform/cloud-docs/agents/request-forwarding) for more details. By default, request forwarding is disabled. To enable it, start the agent with the `-request-forwarding` command line argument.
+
+Agents handle forwarded requests separately from other workloads and may process requests in parallel to plans, applies, policy checks, etc. You can modify this behavior by enabling or disabling certain workload types via the `-accept` parameter, and selectively setting the `-request-forwarding` flag on certain agent(s) only. For example, you may have a pool of 4 agents, where two are configured to handle only plans and applies, and the other two are configured to handle only request forwarding.
+
 ## Stop the Agent
 
 ~> **Important:** We strongly recommend that you only terminate the agent using one of these methods. Abruptly terminating an agent by forcefully stopping the process or power cycling the host does not let the agent deregister and results in an **Unknown** agent status. Abrupt termination may cause further capacity issues. Refer to [capacity issues](/terraform/cloud-docs/agents/agent-pools#agent-capacity-usage) for details.

website/docs/cloud-docs/agents/index.mdx

@@ -13,23 +13,9 @@ description: >-
 
 Terraform Cloud Agents allow Terraform Cloud to communicate with isolated, private, or on-premises infrastructure. By deploying lightweight agents within a specific network segment, you can establish a simple connection between your environment and Terraform Cloud which allows for provisioning operations and management. This is useful for on-premises infrastructure types such as vSphere, Nutanix, OpenStack, enterprise networking providers, and anything you might have in a protected enclave.
 
-The agent architecture is pull-based, so no inbound connectivity is required. Any agent you provision will poll Terraform Cloud for work and carry out execution of that work locally.
+The agent only requires outbound connectivity to Terraform Cloud, enabling private networks to remain secure and typically requiring no special networking configuration or exceptions.
 
 ## Terraform Enterprise
 
 Terraform Enterprise supports Terraform Cloud Agents. Refer to
 [Terraform Cloud Agents on TFE](/terraform/enterprise/application-administration/agents-on-tfe) for Terraform Enterprise specific documentation and requirements.
-
-## Limitations
-
-Agents allow you to run Terraform operations from a Terraform Cloud workspace on your private infrastructure. Agents do not support:
-
-- Connecting to private infrastructure from Sentinel policies using the [http import](https://docs.hashicorp.com/sentinel/imports/http).
-- Connecting Terraform Cloud workspaces to VCS instances that do not allow access from the public internet. For example, you cannot use agents to connect to a GitHub Enterprise Server instance that requires access to your VPN.
-
-For these use cases, we recommend you leverage the information provided by the [IP Ranges documentation](/terraform/cloud-docs/architectural-details/ip-ranges) to permit direct communication from the appropriate Terraform Cloud service to your internal infrastructure.
-
-
-
-
-

website/docs/cloud-docs/agents/request-forwarding.mdx

@@ -0,0 +1,109 @@
+---
+page_title: Terraform Cloud Agents - Request Forwarding
+description: >-
+ Access private network resources using agents with request forwarding.
+---
+
+# Request Forwarding
+
+You can configure Terraform Cloud Agents to handle HTTP and HTTPS
+request forwarding on behalf of Terraform Cloud. This enables Terraform Cloud to access
+services in private networks without requiring direct inbound network access.
+
+Only specific features and use cases will use agent request forwarding to
+fulfill requests.
+
+-> **Note:** Refer to [Terraform Cloud pricing](https://www.hashicorp.com/products/terraform/pricing) for details on which features can use request forwarding.
+
+## Request Forwarding Architecture
+
+Request forwarding is an additional function that you can enable on a per-agent
+basis. Agents are deployed into private networks where they have direct access
+to the target private services, such as private version control systems or other APIs.
+Agents register with Terraform Cloud via outbound-only connections. Terraform Cloud 
+holds these connections open and uses them to transmit requests and responses 
+between the target API and Terraform Cloud.
+
+![Request forwarding architecture diagram](/img/request-forwarding-arch.png)
+
+## Forwarded Request Routing
+
+Request forwarding requires the use of [agent pools](/terraform/cloud-docs/agents/agent-pools).
+Each agent pool may have multiple agents registered with request forwarding enabled. The agent pool is
+then selected by the user in Terraform Cloud as the target for various features
+which require access to private network resources. This creates the mapping from
+Terraform Cloud resources (such as VCS connections) to a pool of agents capable
+of accessing the target API.
+
+## Agent Configuration
+
+To enable request forwarding, start the agent with the `-request-forwarding`
+flag, or set the environment variable `TFC_AGENT_REQUEST_FORWARDING=true`. When
+the agent starts, you will see the following log messages:
+
+```
+[INFO] core: Request forwarding is enabled
+[INFO] grpc_connector: Connected to broker, awaiting requests
+```
+
+These log messages indicate that the agent has successfully connected to Terraform Cloud
+and is ready to start forwarding requests.
+
+## Requirements and Limitations
+
+Agent version 1.15.0+ is required to use request forwarding.
+
+We recommend that you allocate at least 250MB of additional system memory specifically
+for request forwarding. This is in addition to the minimum
+[system requirements](/terraform/cloud-docs/agents/requirements).
+
+Forwarded requests are limited to a 10MB response body. This limit comfortably 
+supports all Terraform Cloud operations while providing protection against 
+unbounded responses.
+
+All forwarded requests are subject to a request timeout. The default timeout is
+60 seconds, but this value is tuned for specific features and use cases and may
+be set slightly higher or lower depending on the type of request being made.
+
+Agents must be able to connect to Terraform Cloud outbound over the internet, as
+well as to private infrastructure targets for request forwarding via HTTP and HTTPS.
+
+## Performance and Scaling
+
+Each agent may handle multiple requests simultaneously. In many cases, a single
+agent may provide sufficient throughput to handle all forwarded requests. It is
+recommended that 2 or more agents with request forwarding enabled are deployed
+for each pool which will leverage request forwarding features. Running multiple
+request forwarding agents provides better fault tolerance and distribution of
+requests.
+
+We recommend that you monitor the memory and CPU utilization on your agents with 
+request forwarding enabled to determine if you need to deploy additional agents. Refer to
+[runtime metrics](/terraform/cloud-docs/agents/metrics#runtime-metrics) for more details.
+
+Since an agent may handle more than one forwarded request simultaneously, both horizontal
+(number of agents) and vertical (system resources per agent host) scaling vectors are important.
+
+## Egress Proxy Support
+
+If your agents require an egress proxy to reach Terraform Cloud over the internet, you can set the
+`HTTPS_PROXY` environment variable with your proxy's address when starting the agent. Your 
+proxy software must support the [HTTP CONNECT](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT) protocol,
+which the agent will use to establish a secure tunnel through the proxy to Terraform Cloud.
+
+## Security considerations
+
+The agent application secures forwarded requests by ensuring that requests may 
+only be forwarded through the agent which originate from Terraform Cloud. The agent
+guarantees this by requiring an authenticated session to be established prior to forwarding any requests.
+
+Because forwarded requests and responses may contain sensitive information,
+such as API tokens to 3rd party vendors and PII, we recommend
+that production use cases use dedicated agents to handle request
+forwarding functionality. This ensures that no other processes executing user
+code will be running within the same process space and avoids certain
+attack vectors.
+
+To dedicate an agent to request forwarding only, set the [accepted
+workload types](/terraform/cloud-docs/agents/agents#accept) to `none`. This
+disables all workloads except for request forwarding from being executed.

website/docs/cloud-docs/agents/requirements.mdx

@@ -9,7 +9,6 @@ description: >-
 
 Ensure your system meets the following requirements before installing and configuring Terraform Cloud Agents. Refer to [Terraform Cloud Agents on TFE](/terraform/enterprise/admin/agents-on-tfe) for additional Terraform Enterprise requirements.
 
-
 ## Supported Operating Systems
 
 [Agents](https://releases.hashicorp.com/tfc-agent/) currently only support x86_64 bit Linux operating systems. You can also run the agent within Docker using our official [Terraform Cloud Agent Docker container](https://hub.docker.com/r/hashicorp/tfc-agent).
@@ -20,24 +19,27 @@ Agents support Terraform versions 0.12 and above. Workspaces configured to use T
 
 ## Hardware Requirements
 
-The host running the agent has varying resource requirements depending on the workspace. A host can be a dedicated or shared cloud instance, virtual machine, bare metal server, or a container. You should monitor and adjust memory, CPU, and disk space based on each workspace's usage and performance. The name of your instance type may vary depending on your deployment environment.
+The host running the agent has varying resource requirements depending on the workspaces the agent will serve and the agent's configuration. A host can be a dedicated or shared cloud instance, virtual machine, bare metal server, or a container. You should monitor and adjust memory, CPU, and disk space based on each workspace's usage and performance.
 
 Use the following specifications as a reference:
 
 - At least 4GB of free disk space
  - Each run requires the agent to temporarily store local copies of the tarred repository, extracted repository, state file, any providers or modules, and the Terraform binary itself.
+ - When using agents for private VCS operations, we recommend that the agent has storage capacity equal to at least twice the maximum expected repository size.
 - At least 2GB of system memory
+ - This provides the agent with enough memory to complete run operations, such as `terraform plan`, `git clone`, and `sentinel apply`. This also supports operations such as uploading and downloading artifacts, constructing temporary execution environments, and parsing configurations.
+ - If you enable request forwarding, we recommend that you add at least 250MB of additional memory. The agent may hold multiple forwarded requests and responses in memory until they are successfully executed and relayed to Terraform Cloud. 
 
 ## Networking Requirements
 
-In order for an agent to function properly, it must be able to make outbound requests over HTTPS (TCP port 443) to the Terraform Cloud application APIs. These requests may require perimeter networking as well as container host networking changes, depending on your environment. Refer to the [Terraform Cloud IP Ranges documentation](/terraform/cloud-docs/architectural-details/ip-ranges) for more details on the IP ranges.
+In order for an agent to function properly, it must be able to make outbound TCP connections to the Terraform Cloud application APIs. These requests may require perimeter networking as well as container host networking changes, depending on your environment. Refer to the [Terraform Cloud IP Ranges documentation](/terraform/cloud-docs/architectural-details/ip-ranges) for more details on the IP ranges.
 
-Additionally, the agent must also be able to communicate with any services required by the Terraform code it is executing. This includes the Terraform releases distribution service, [releases.hashicorp.com](https://releases.hashicorp.com) (supported by [Fastly](https://api.fastly.com/public-ip-list)), as well as any provider APIs. The following services run on these IP ranges:
+Additionally, the agent must also be able to communicate with any services required by the Terraform code it is executing. This includes the Terraform releases distribution service, [releases.hashicorp.com](https://releases.hashicorp.com), as well as any provider APIs. The following services run on these IP ranges:
 
 | Hostname | Port/Protocol | Directionality | Purpose |
 | ---------------------- | -------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
 | app.terraform.io | tcp/443, HTTPS | Outbound | Polling for new workloads, providing status updates, and downloading private modules from Terraform Cloud's Private Module Registry |
 | registry.terraform.io | tcp/443, HTTPS | Outbound | Downloading public modules from the Terraform Registry |
 | releases.hashicorp.com | tcp/443, HTTPS | Outbound | Updating agent components and downloading Terraform binaries |
 | archivist.terraform.io | tcp/443, HTTPS | Outbound | Blob Storage |
-
+| agents.terraform.io | tcp/7146, TCP | Outbound | Agent RPC interface (currently used for request forwarding only) |