dnsimple / terraform-provider-dnsimple

Terraform DNSimple provider.
https://www.terraform.io/docs/providers/dnsimple/
Mozilla Public License 2.0
21 stars 20 forks source link

dnsimple_zone_record Error: API returned a Validation Error for: value #165

Closed arenoir closed 1 year ago

arenoir commented 1 year ago

First thanks for maintaining a terraform provider to the dnsimple service. We have been using it for over a year. We did recently upgrade from 0.11.1 to 1.3.0 but have not run into any issues until today.

We use the dnsimple provider to add the necessary txt records to our dns server in our CI/CD pipeline.

Today we received the following error when trying to apply our configuration to a new workspace (every PR creates a new terraform workspace).

Error: API returned a Validation Error for: value
Txt must be wrapped between double-quotes ("")

The thing is nothing has changed with the configuration and the value is wrapped in double quotes.

resource "dnsimple_zone_record" "outbound_messaging_spf_record" {
  zone_name = var.domain
  name      = var.messaging_host
  value     = "v=spf1 include:spf.mandrillapp.com ?all"
  type      = "TXT"
  ttl       = 3600
}

Terraform Version

Terraform v1.6.2 on linux_amd64

Affected Resource(s)

Terraform Configuration Files

resource "dnsimple_zone_record" "outbound_messaging_spf_record" {
  zone_name = var.domain
  name      = var.messaging_host
  value     = "v=spf1 include:spf.mandrillapp.com ?all"
  type      = "TXT"
  ttl       = 3600
}

Debug Output

Error: API returned a Validation Error for: value

   with dnsimple_zone_record.outbound_messaging_spf_record,
   on main.tf line 320, in resource "dnsimple_zone_record" "outbound_messaging_spf_record":
   320:   value     = "v=spf1 include:spf.mandrillapp.com ?all"

Txt must be wrapped between double-quotes ("")

Expected Behavior

Terraform should apply all changes and the txt record should be created

Actual Behavior

Terraform exits on apply and the txt record is not created.

Steps to Reproduce

  1. terraform apply
arenoir commented 1 year ago

Here is a response from DNSimple Customer Service

Apologies!

We are rolling out new validation schemes for DNS records to enhance our adoption of industry-standard formats.

In this case, TXT record contents containing whitespace characters must be wrapped between double quotes as per RFC 1035.

However, we have just rolled out an enhancement that will normalize your content to add the wrapper double quotes for you, so you should be able to provision that record now without having to modify anything on your end.

Please let me know if you need further assistance.

Don't know if this is correct but it does appear to be a server validation error.

weppos commented 1 year ago

Hi @arenoir, thanks for your feedback. We're making some internal changes on how we store TXT/SPF records, to enhance our RFC compliance. In theory, the correct value for the TXT record (when DNS-serialized, which is what we accept there as input) is a quoted string:

"v=spf1 include:spf.mandrillapp.com ?all"

hence your code should be:

value     = "\"v=spf1 include:spf.mandrillapp.com ?all"\"

Truth is, we've historically accepted both. We should continue to accept both for the foreseeable future. The team is investigating.

arenoir commented 1 year ago

Hi @weppos

Thanks for the follow up. I assumed double quotes meant " opposed to single quotes '. Anyhow I went ahead and tried escaping the second quote and have received the following error.

│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to
│ dnsimple_zone_record.outbound_messaging_verification_record, provider
│ "provider[\"registry.terraform.io/dnsimple/dnsimple\"]" produced an
│ unexpected new value: .value: was
│ cty.StringVal("mandrill_verify.22UeG0R4VF96iltuQk132Q"), but now
│ cty.StringVal("\"mandrill_verify.22UeG0R4VF96iltuQk132Q\"").
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Any thoughts or workaround would be greatly appreciated.

Thanks

tzahari commented 1 year ago

Same issue here. we set the TXT record to: value = "v=spf1 include:amazonses.com -all"

But the value is in the dnsimple portal now: "v=spf1 include:amazonses.com -all" and should be without the "

What can I do?

tzahari commented 1 year ago

It seems that the dnsimple API and the webfrontend works now differently as before. We have an old TXT record without " and new TXT records gets additionally " in the value field.

weppos commented 1 year ago

Hi @tzahari,

But the value is in the dnsimple portal now: "v=spf1 include:amazonses.com -all" and should be without the "

Actually, this behavior is correct. As per RFC, the RData of a TXT record should be encoded in quotes. If you look at the response from a dig query, that's more evident:

dig TXT example.com

;; ANSWER SECTION:
example.com.        86400   IN  TXT "v=spf1 -all"
example.com.        86400   IN  TXT "wgyf8z8cgvm2qmxpnbnldrcltvk4xqfn"

it is unfortunately common (and convenient) for TXT records (and a few others, such as HINFO and SPF) to colloquially refer to the non quoted version. And this leads to TXT implementations being notably inconsistent.

We used to accept both quoted and non quoted version, and normalize the data behind the scenes with a best effort. But this led to some transformation ambiguity, and subtle bugs.

Therefore, we are currently working to standardize the process and normalize values upfront so that what ends up being stored in the database, and transmitted to the public, is what our name servers will serve. This is the most common approach adopted by various DNS libraries and providers.

We have decided for the time being to continue accepting a non well-formed value. Which means you can still provide us a quoted or non quoted version. But in either cases, we'll normalize it to the RFC-compliant, quoted version.

We're working to publish additional documentation, and emails will go out this week to inform about some upcoming validation changes.

weppos commented 1 year ago

We have an old TXT record without " and new TXT records gets additionally " in the value field.

Correct. New records are now being explicitly normalized to be RFC compliant. We'll be applying this normalization to all existing entries in the upcoming weeks, but before taking any actions we'll be sending out emails to inform customers.

The only change we made so far is to make sure that new values are RFC compliant even if the input is not.

weppos commented 1 year ago

@tzahari @arenoir regarding this particular report, we agree the change of behavior is a bug and we have identified the issue that is dependent to some Terraform expectations.

The team is working to address the issue, and release a version that will continue to accept both well formed and non-well formed TXT values. We'll post updates on this ticket as soon as it's ready. We are on it right now.

AGS4NO commented 1 year ago

@arenoir @tzahari Thanks for the report. Record normalization has been addressed in #167 and released as v1.3.1

Please let us know if you encounter any other issues.

tzahari commented 1 year ago

Hi @AGS4NO, it is now woking as expected! Thank you Best Regards Thomas

arenoir commented 1 year ago

Hi @AGS4NO thanks for the quick fix! Everything is back in working order.