[QUESTION] - Unauthorized IP Address when running Terraform Apply using Terraform Cloud Remote Agents #375

Open
cindrmon opened this issue Jul 6, 2023 · 2 comments

cindrmon commented Jul 6, 2023

Describe the bug
I don't know if it is exactly a bug, but it is something to consider with this provider. I don't know when Vultr started implementing this, but apparently they added API Access Control, which lets you set a specific range of IP addresses for the Vultr API to give access to. I recently tried out Terraform Cloud with the Vultr Provider, and unfortunately, it blocks all the Terraform Remote Agents that tried to run the terraform apply, giving this error:
terraform remote agent unauthorized IP

The API Token is correct; however, it blocks any Terraform remote agent that tries to create a resource in Vultr. In my case, I was just trying to spin up a simple Vultr Instance with a Marketplace Image.

The only possible solution (which I don't recommend doing in production) is to change the API Access Control to 'Allow All IPv4' in the Vultr API Access Control settings:
vultr api access control settings

Doing this lets the aforementioned Terraform Cloud Remote Agents apply and add the services to Vultr, but now it leaves a gaping hole where, if your API Token is accidentally exposed, any IP address can do whatever it wants to your Vultr Account, and chaos ensues.

I would like to know anyone's thoughts on this, and if there is a better solution if you are using Terraform Cloud to deploy Vultr Instances.

To Reproduce
Steps to reproduce the behavior:

  1. Create a Terraform Codebase Git Repository for Terraform Cloud to link to
  2. Create a new Workspace and set it to 'Git-based workflow', then link the TF Codebase Git Repository to the workspace.
  3. Go to Vultr and acquire your API Token and set it as an environment variable in Terraform Cloud
  4. Go back to Terraform Cloud and click Actions > Start new run > Start run using the 'Plan and Apply (standard)' run type.
  5. See that the run failed, similar to this image:
    terraform remote agent unauthorized IP

Expected behavior
It should apply the Terraform Plan onto Vultr and create the Vultr Instances without allowing all IPv4 addresses in the Vultr API Access Control.

Screenshots
terraform remote agent unauthorized IP
vultr api access control settings

Desktop (please complete the following information where applicable):

  • OS: Windows 11
  • Browser: Mozilla Firefox 115.0 (64-bit)
  • Version: 1.5.0

Additional Context

I am testing out Terraform Cloud with different providers (Proxmox, Vultr, AWS) using different Execution Modes, in particular the 'Agent' and 'Remote' execution modes.

@cindrmon cindrmon added the bug label Jul 6, 2023
@optik-aper optik-aper added question and removed bug labels Jul 6, 2023
@optik-aper
Member

@cindrmon The API key IP restrictions are irrelevant to the provider itself, but the question is a good one. By design, the IP filter for API keys won't allow IPs that aren't specified in the whitelist. I'm not familiar enough with Terraform Cloud to comment on best practices but it's something I'll look in to come up with a suggestion if there appears to be a workaround.

@optik-aper optik-aper self-assigned this Jul 6, 2023
@optik-aper optik-aper changed the title [BUG] - Unauthorized IP Address when running Terraform Apply using Terraform Cloud Remote Agents [QUESTION] - Unauthorized IP Address when running Terraform Apply using Terraform Cloud Remote Agents Jul 6, 2023
@cindrmon
Author

cindrmon commented Jul 7, 2023

> @cindrmon The API key IP restrictions are irrelevant to the provider itself, but the question is a good one. By design, the IP filter for API keys won't allow IPs that aren't specified in the whitelist. I'm not familiar enough with Terraform Cloud to comment on best practices but it's something I'll look in to come up with a suggestion if there appears to be a workaround.

I see. Thank you for the input.

As for some other workarounds, I haven't done this in practice yet, but another idea to bypass the IP whitelist is setting up another Vultr Instance as a Terraform Agent and using its IP for the Vultr whitelist, and at the same time, it is within a network you set up in Vultr and you make Vultr Instances that way. The caveat is that you have to pay more than what you need if you just want to deploy a single instance, and I don't know if setting up a network would also cost money too, but I think it doesn't. I haven't done a setup like that yet in Vultr, as I'm trying to be as conservative and budget-friendly as possible when running Vultr instances. But yeah, it is something to consider when using the Vultr Terraform provider.
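
Added example, not part of the thread and not code from the provider or its maintainers: a Terraform sketch of the fixed-IP agent workaround described in the last comment, meant to be applied once from a machine whose IP is already on the Vultr allowlist. The resource labels, pool and workspace names, and all variables are assumptions; `os_id` is assumed to point at a Debian/Ubuntu image so that `docker.io` can be installed by cloud-init.

```hcl
terraform {
  required_providers {
    vultr = { source = "vultr/vultr" }
    tfe   = { source = "hashicorp/tfe" }
  }
}

# Assumed inputs: nothing here is taken from the issue.
variable "tfc_organization" { type = string }
variable "region" { type = string }
variable "plan" { type = string }
variable "os_id" { type = number }

# Agent pool and token that the self-hosted agent registers with.
resource "tfe_agent_pool" "vultr" {
  name         = "vultr-agents"
  organization = var.tfc_organization
}

resource "tfe_agent_token" "vultr" {
  agent_pool_id = tfe_agent_pool.vultr.id
  description   = "agent running on a Vultr instance"
}

# The instance whose single public IP goes on the API allowlist.
# The agent token lands in user data and in Terraform state: treat both as secrets.
resource "vultr_instance" "agent" {
  region    = var.region
  plan      = var.plan
  os_id     = var.os_id
  label     = "tfc-agent"
  user_data = <<-EOT
    #cloud-config
    packages:
      - docker.io
    runcmd:
      - docker run -d --restart unless-stopped --name tfc-agent -e TFC_AGENT_TOKEN=${tfe_agent_token.vultr.token} -e TFC_AGENT_NAME=vultr-agent hashicorp/tfc-agent:latest
  EOT
}

# Workspace whose runs execute on the agent instead of shared remote workers.
resource "tfe_workspace" "vultr" {
  name           = "vultr-infra"
  organization   = var.tfc_organization
  execution_mode = "agent"
  agent_pool_id  = tfe_agent_pool.vultr.id
}

# Enter this value in Vultr's API Access Control in place of 'Allow All IPv4'.
output "allowlist_entry" {
  value = "${vultr_instance.agent.main_ip}/32"
}
```

With this layout an exposed API token is only usable from the agent instance's address, so the instance itself becomes the asset to harden and monitor.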
