vultr / terraform-provider-vultr

Terraform Vultr provider
https://www.terraform.io/docs/providers/vultr/
Mozilla Public License 2.0
192 stars, 65 forks

[QUESTION] - Unauthorized IP Address when running Terraform Apply using Terraform Cloud Remote Agents #375

Open cindrmon opened 1 year ago

cindrmon commented 1 year ago

Describe the bug

I don't know if it is exactly a bug, but it is something to consider with this provider. I don't know when Vultr started implementing this, but apparently they added API Access Control, which gives you a setting to set a specific range of IP addresses that the Vultr API gives access to. I recently tried out Terraform Cloud with the Vultr Provider, and unfortunately it blocks all the Terraform Remote Agents that tried to run the terraform apply, giving this error:

[screenshot: terraform remote agent unauthorized IP]

The API Token is correct; however, it blocks any terraform remote agent that tries to create a resource in Vultr. In my case, I was just trying to spin up a simple Vultr Instance with a Marketplace Image.

The only possible solution (which I don't recommend doing in production) is to change the API Access Control to 'Allow All IPv4' Addresses in the Vultr API Access Control settings:

[screenshot: vultr api access control settings]

Doing this allows the aforementioned Terraform Cloud Remote Agents to apply and add the services to Vultr, but it leaves a gaping hole: if your API Token is accidentally exposed, any IP Address can do whatever it wants to your Vultr Account, and chaos ensues.

I would like to know anyone's thoughts on this, and whether there is a better solution if you are using Terraform Cloud to deploy Vultr Instances.

To Reproduce

Steps to reproduce the behavior:

  1. Create a Terraform Codebase Git Repository for Terraform Cloud to link to
  2. Create a new Workspace and set it to 'Git-based workflow', then link the TF Codebase Git Repository to the workspace.
  3. Go to Vultr and acquire your API Token and set it as an environment variable in Terraform Cloud
  4. Go back to Terraform Cloud and click Actions > Start new run > Start run using the 'Plan and Apply (standard)' run type.
  5. See that the run fails, similar to this image: [screenshot: terraform remote agent unauthorized IP]

Expected behavior

It should apply the Terraform Plan onto Vultr and create the Vultr Instances without allowing all IPv4 addresses in the Vultr API Access Control.

Screenshots

[screenshot: terraform remote agent unauthorized IP]
[screenshot: vultr api access control settings]


Additional Context

I am testing out Terraform Cloud with different providers (Proxmox, Vultr, AWS) using different Execution Modes, in particular the 'Agent' and 'Remote' execution modes.

optik-aper commented 1 year ago

@cindrmon The API key IP restrictions are irrelevant to the provider itself, but the question is a good one. By design, the IP filter for API keys won't allow IPs that aren't specified in the whitelist. I'm not familiar enough with Terraform Cloud to comment on best practices, but it's something I'll look into to come up with a suggestion if there appears to be a workaround.

cindrmon commented 1 year ago

@cindrmon The API key IP restrictions are irrelevant to the provider itself, but the question is a good one. By design, the IP filter for API keys won't allow IPs that aren't specified in the whitelist. I'm not familiar enough with Terraform Cloud to comment on best practices, but it's something I'll look into to come up with a suggestion if there appears to be a workaround.

I see. Thank you for the input.

As for some other workarounds, I haven't done this in practice yet, but another idea to bypass the IP whitelist is to set up another Vultr Instance as a Terraform Agent and use its IP for the Vultr whitelist; at the same time, it is within a network you set up in Vultr, and you make Vultr Instances that way. The caveat is that you have to pay more than you need if you just want to deploy a single instance, and I don't know if setting up a network would also cost money, but I think it doesn't. I haven't done a setup like that yet in vultr, as I'm trying to be as conservative and budget-friendly as possible when running vultr instances. But yeah, it is something to consider when using the vultr terraform provider.
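One way to build the self-hosted-agent workaround sketched above, as an added example that is not code from this thread or from the provider project: a small Vultr instance runs the Terraform Cloud agent in Docker and only ever makes outbound calls, so its fixed main IP is the single address you add to API Access Control instead of 'Allow All IPv4'. The region, plan, OS filter string, agent name and firewall group are assumptions; the bootstrap apply is run once from an operator machine whose IP is already allowlisted, with the Vultr key in VULTR_API_KEY.

```hcl
terraform {
  required_providers {
    vultr = {
      source  = "vultr/vultr"
      version = "~> 2.0"
    }
  }
}

# Reads VULTR_API_KEY; the bootstrap run comes from an already-allowlisted IP.
provider "vultr" {}

variable "tfc_agent_token" {
  type      = string
  sensitive = true # agent pool token issued by Terraform Cloud
}

# Assumed image filter; substitute whatever OS you standardise on.
data "vultr_os" "ubuntu" {
  filter {
    name   = "name"
    values = ["Ubuntu 22.04 LTS x64"]
  }
}

# Empty firewall group = no inbound rules, so nothing can reach the agent host.
resource "vultr_firewall_group" "agent" {
  description = "tfc-agent: outbound only"
}

resource "vultr_instance" "agent" {
  region            = "ewr"        # assumed
  plan              = "vc2-1c-1gb" # assumed smallest plan
  os_id             = data.vultr_os.ubuntu.id
  label             = "tfc-agent"
  hostname          = "tfc-agent"
  firewall_group_id = vultr_firewall_group.agent.id
  # cloud-init: start the official agent container on first boot.
  # Note: user_data is readable from the instance metadata service, so treat
  # the agent token as exposed to anyone with shell access on this host.
  user_data = <<-EOT
    #cloud-config
    runcmd:
      - apt-get update && apt-get install -y docker.io
      - docker run -d --restart=always --name tfc-agent -e TFC_AGENT_TOKEN='${var.tfc_agent_token}' -e TFC_AGENT_NAME='vultr-agent' hashicorp/tfc-agent:latest
  EOT
}

# The address to enter in Vultr API Access Control; it stays fixed for the life of the instance.
output "allowlist_ip" {
  value = vultr_instance.agent.main_ip
}
```

After the bootstrap apply, switch the Terraform Cloud workspace to 'Agent' execution mode and the agent pool this token belongs to; every subsequent Vultr API call then originates from allowlist_ip.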