namecheap / terraform-provider-namecheap

Terraform provider for Namecheap
Apache License 2.0

Error if CAA 'iodef' record defined #73

Open bgre033 opened 1 year ago

bgre033 commented 1 year ago

Hi,

It seems if a zone in Namecheap contains a CAA 'iodef' record, the Namecheap Terraform provider fails to create DNS records. If the CAA record is removed, the creation succeeds. I've tested with A and CNAME records, using Terraform 1.4.0 and 1.4.6, with Namecheap provider 2.1.0.

Terraform Version

Terraform v1.4.6

Namecheap provider version

What version of terraform-provider-namecheap are you using? 2.1.0

Steps to Reproduce

  1. Create a CAA record such as below in the zone file on Namecheap

     Type:  CAA Record
     Host:  @
     Tag:   iodef
     Value: "mailto:support@domain.com"

  2. Create Namecheap resource block

     resource "namecheap_domain_records" "create-record" {
         domain = "domain.com"
         mode = "MERGE"

         # ACM Certificate Validation Record
         record {
             hostname = "test"
             type = "A"
             address = "1.1.1.1"
             ttl = 1800
         }
     }

  3. Run 'terraform apply'

  4. Output is an error such as below.

     Error: Records[10].Address "0 iodef "mailto:support@domain.com"" must contain a protocol prefix for CAA iodef record

psa commented 1 year ago

I'm not sure why they're not merging it, but https://github.com/namecheap/terraform-provider-namecheap/pull/66 has the fix you're looking for.

bgre033 commented 1 year ago

Thanks, and good work! I have a case open with Namecheap and have passed this on. Fingers crossed they actually do something about it.

LarsArtmann commented 8 months ago

I just tried to add the following records and failed with the error message below. If I add it in the Web GUI it works without any complaints.

I'm sure somehow the validation logic does not recognise mailto: correctly.

Code

  record {
    address  = "0 issue \"pki.goog\""
    hostname = "@"
    mx_pref  = 10
    ttl      = 1799
    type     = "CAA"
  }
  record {
    address  = "0 iodef \"mailto:security@larsartmann.com\""
    hostname = "@"
    mx_pref  = 10
    ttl      = 1799
    type     = "CAA"
  }

Error

│ Error: Records[18].Address "0 iodef "mailto:security@larsartmann.com"" must contain a protocol prefix for CAA iodef record
│
│   with namecheap_domain_records.larsartmann_com,
│   on larsartmann.com.tf line 5, in resource "namecheap_domain_records" "larsartmann_com":
│    5: resource "namecheap_domain_records" "larsartmann_com" {
│

locating the bug

After adding the CAA iodef record manually through the Namecheap Web GUI (Image 1), the error stayed the same. Only after applying the CAA issue record manually through the Namecheap Web GUI (Image 2), thereby fully syncing the real state and the Terraform target state, did the error disappear. It's also noticeable that terraform plan did not find anything to do after fully syncing them manually.

[Image 1: Screenshot 2024-01-05 at 03 50 32]
[Image 2: Screenshot 2024-01-05 at 03 57 15]

LarsArtmann commented 2 months ago

Update: if it's fully synced but you want to change any other part of the domain e.g. TXT _dmarc it wouldn't let you/me. Version: 2.1.2

LarsArtmann commented 2 months ago

The problem

https://github.com/namecheap/terraform-provider-namecheap/blob/5e44263d262d771fbc46c6cda8b2bf5bcd98810b/vendor/github.com/namecheap/go-namecheap-sdk/v2/namecheap/domains_dns_set_hosts.go#L40

validURLProtocolPrefix checks for `://`, but mailto: doesn't contain `//`. See: https://www.rfc-editor.org/rfc/rfc6844#:~:text=5.4.%20%20CAA%20iodef%20Property

https://github.com/namecheap/terraform-provider-namecheap/blob/5e44263d262d771fbc46c6cda8b2bf5bcd98810b/vendor/github.com/namecheap/go-namecheap-sdk/v2/namecheap/domains_dns_set_hosts.go#L193

Suggested fix

if strings.Contains(*record.Address, "iodef") && (!validURLProtocolPrefix.MatchString(*record.Address) && !strings.HasPrefix(*record.Address, "mailto:")) {
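To make the failure mode concrete, here is an added stand-alone Go example (not code from the provider or the go-namecheap-sdk) that models the rejected-mailto behaviour beside a corrected check. The `validURLProtocolPrefix` regex and the `mailtoPrefix` pattern are assumptions standing in for the SDK's real ones, and unlike the one-line suggestion above it parses the quoted URL out of the `flag tag "value"` string before testing the prefix, so `mailto:` is checked against the URL itself rather than against an address that starts with `0 iodef`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed model of the SDK check described in this issue: it only accepts a
// "scheme://" prefix, so RFC 6844 "mailto:" URLs never match.
var validURLProtocolPrefix = regexp.MustCompile(`^[a-zA-Z][a-zA-Z0-9+.-]*://`)

// Assumed pattern for the fix: a mailto: URL with a single local@domain address.
var mailtoPrefix = regexp.MustCompile(`^mailto:[^@\s]+@[^@\s]+$`)

// caaIodefValue splits a CAA address such as `0 iodef "mailto:a@b.com"` into
// flag, tag and value and returns the unquoted value; ok is false when the
// record is not an iodef record (e.g. `0 issue "pki.goog"`).
func caaIodefValue(address string) (value string, ok bool) {
	fields := strings.SplitN(address, " ", 3)
	if len(fields) != 3 || fields[1] != "iodef" {
		return "", false
	}
	return strings.Trim(fields[2], `"`), true
}

// buggyIodefValid mirrors the reported behaviour: anything without "://" fails.
func buggyIodefValid(address string) bool {
	v, ok := caaIodefValue(address)
	if !ok {
		return true // not an iodef record, nothing to validate here
	}
	return validURLProtocolPrefix.MatchString(v)
}

// fixedIodefValid also accepts the mailto: form RFC 6844 section 5.4 allows.
func fixedIodefValid(address string) bool {
	v, ok := caaIodefValue(address)
	if !ok {
		return true
	}
	return validURLProtocolPrefix.MatchString(v) || mailtoPrefix.MatchString(v)
}

func main() {
	// Constructed sample records, including the one from this issue.
	for _, a := range []string{`0 iodef "mailto:security@larsartmann.com"`,
		`0 iodef "https://iodef.example.com/report"`, `0 iodef "security@larsartmann.com"`} {
		fmt.Printf("%-45s buggy=%v fixed=%v\n", a, buggyIodefValid(a), fixedIodefValid(a))
	}
}
```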