namecheap / terraform-provider-namecheap

Terraform provider for Namecheap
Apache License 2.0
146 stars, 30 forks

NameCheap Whitelisted IPs #59

Open Engrave-zz opened 2 years ago

Engrave-zz commented 2 years ago

I have issues running this module through a CI/CD solution. I'm using Azure DevOps, and the problem I'm having is that the client IPs of the managed service constantly change. Is there any way I can whitelist a CIDR instead of a specific IP?

StyleT commented 2 years ago

Hi! Unfortunately, this is a limitation of the Namecheap public API itself, rather than the Terraform provider. Also, there is no way to change the whitelist via the API as far as I know :(

I would advise you to contact our customer support team. They do track such client requests, and as soon as there is enough demand for a certain feature, it gets processed by the respective product team.

Or you can always fall back to static agents, if possible.

dgershman commented 2 years ago

Is it possible to allowlist a CIDR range on the Namecheap API instead?

vetal2409 commented 7 months ago

Duplicate of #62 Duplicate of #67

vetal2409 commented 7 months ago

Thank you for reaching out and bringing this issue to our attention. After reviewing your request, it appears that the matter you're experiencing is tied to the underlying API implementation rather than the terraform-provider-namecheap directly.

Currently, the team responsible for the API does not have plans to implement this feature in the near term. However, understanding the importance of your request, I will forward your feedback to them. While I can't guarantee a change in priorities or timelines, highlighting user demand like yours can often influence future decision-making and prioritization.

AlexFBP commented 1 month ago

Hi @vetal2409, where could a feature request for the API itself be placed then?

Currently there is a single API key that all whitelisted IPs can use. In terms of security, that's the same as having the same password for everything. If for any reason one of the whitelisted IPs gets compromised and the -master- API key has to be revoked/regenerated, all other whitelisted IPs get affected too.

With that in mind, please consider the following proposal:

  1. Allow each whitelisted IP to also have its own API key. With this, each key can be revoked/regenerated without affecting the remaining IPs.
  2. Make the IP input an optional parameter, so that a customer who still wants to restrict API usage per IP can still do that too.
  3. (Optional) Disable the use of the "main" API key (thus effectively "moving" the API key to each "IP")

With that being said, it would be best to rename "Whitelisted IPs" to "API keys". Also, for safety, the API key (either main or per IP) shall only be visible once, either when being generated or in creation/regeneration of each API key.