Source ip addresses/networks - Whitelisting API range does not work

Dear Terraform community
I got this issue today in a couple of our Terraform Cloud runs when interacting with the Atlas MongoDB API:

Error: error getting Team information: GET https://cloud.mongodb.com/api/atlas/v1.0/orgs/{ORG_ID}/teams/{TEAM_ID}: 403 (request "IP_ADDRESS_NOT_ON_ACCESS_LIST") IP address 3.230.120.28 is not allowed to access this resource.

I know the IP range list varies from time to time, and I have also already read these answers where the API range list is referenced.

I’ve tried adding the ranges obtained from this curl request to my Mongo API access list, without success: since the range is wide, sometimes the IP I get from a Terraform Cloud run is not included in the api, notifications, sentinel or vcs ranges.

> curl \
  --request GET \
  -H "If-Modified-Since: Tue, 26 May 2020 15:10:05 GMT" \
  https://app.terraform.io/api/meta/ip-ranges
{
	"api": ["75.2.98.97/32", "99.83.150.238/32"],
	"notifications": ["52.86.200.106/32", "52.86.201.227/32", "52.70.186.109/32"],
	"sentinel": ["52.86.200.106/32", "52.86.201.227/32", "52.70.186.109/32"],
	"vcs": ["52.86.200.106/32", "52.86.201.227/32", "52.70.186.109/32"]
}

What can I do? Assuming the ranges are the correct ones, is there some special feature/service for running Terraform Cloud jobs from non-variable IP ranges?

Hello, @bgarcial!

Depending on your use case, it might benefit you to use Terraform Cloud Agents (self-hosted runners) if you’re looking to lock down your IP space. The Terraform Cloud runners that we host have ever-changing IPs, and we don’t provide static IPs at this time.

Does that answer your question, and is there anything else I can do to help?

Dear @onlydole, thanks for your update.
I read about self-hosted runners; they are part of the Terraform Enterprise plan, right?
It would indeed be a solution, but I am just wondering why the Terraform Cloud runners hosted by Terraform Cloud (the public ones, let’s say) were working well until yesterday without whitelisting any IP address on my API access list on the MongoDB service, and now the Terraform logs demand that I do so?

Perhaps the range list has changed recently?
I ask this because the docs say:

Under normal circumstances, HashiCorp will publish any expected changes to Terraform Cloud’s IP ranges at least 24 hours in advance of implementing them. This should allow sufficient time for users to update any connected systems to reflect the changes. In the event of an emergency outage or failover operation, it may not be possible to pre-publish these changes.

Hi @bgarcial!

Just to further clarify, the IP Ranges API you mention above does not include ranges for Terraform Cloud’s internal build workers, as Agents are the preferred secure solution for this problem (as @onlydole mentions).

working well until yesterday without whitelist any IP address on my API access list

This seems like a change in your MongoDB organization or the Atlas MongoDB API then, if it used to work and now requires a specific IP allowlist. The error is returned in Terraform but is a response from that service, not Terraform itself.

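The check described in the first post (is the worker IP that Atlas rejected inside any range published by the ip-ranges endpoint?) and the point made in the reply above (the endpoint does not cover the build workers) can both be verified with a small script. This is an added example, not code from the thread or from HashiCorp or MongoDB; it embeds the JSON body and the 403 line pasted above as constructed sample input so it runs offline, and it assumes the endpoint keeps the same shape (a JSON object mapping category names to lists of CIDR strings).

```python
import ipaddress
import json
import re
from typing import Dict, List

# Constructed sample input: the JSON body that the thread shows being returned
# by https://app.terraform.io/api/meta/ip-ranges. Embedded here so the check
# runs offline; in practice you would fetch the endpoint afresh each time.
SAMPLE_IP_RANGES_BODY = json.dumps({
    "api": ["75.2.98.97/32", "99.83.150.238/32"],
    "notifications": ["52.86.200.106/32", "52.86.201.227/32", "52.70.186.109/32"],
    "sentinel": ["52.86.200.106/32", "52.86.201.227/32", "52.70.186.109/32"],
    "vcs": ["52.86.200.106/32", "52.86.201.227/32", "52.70.186.109/32"],
})

# Constructed sample input: the Atlas 403 line quoted in the thread.
SAMPLE_ERROR = (
    "Error: error getting Team information: GET "
    "https://cloud.mongodb.com/api/atlas/v1.0/orgs/{ORG_ID}/teams/{TEAM_ID}: "
    '403 (request "IP_ADDRESS_NOT_ON_ACCESS_LIST") IP address 3.230.120.28 '
    "is not allowed to access this resource."
)

_REJECTED_IP = re.compile(r"IP address (\S+) is not allowed")


def parse_ip_ranges(body: str) -> Dict[str, list]:
    """Turn the endpoint's JSON into {category: [ip_network, ...]}.

    Each entry goes through the ipaddress module, so a malformed CIDR raises
    ValueError instead of silently landing in an access list.
    """
    data = json.loads(body)
    return {
        category: [ipaddress.ip_network(cidr) for cidr in cidrs]
        for category, cidrs in data.items()
    }


def rejected_ip_from_error(message: str) -> str:
    """Pull the rejected source IP out of an IP_ADDRESS_NOT_ON_ACCESS_LIST error."""
    match = _REJECTED_IP.search(message)
    if match is None:
        raise ValueError("no rejected IP address found in message")
    return match.group(1)


def matching_categories(ip: str, ranges: Dict[str, list]) -> List[str]:
    """Names of the published categories whose ranges contain ip (empty if none)."""
    addr = ipaddress.ip_address(ip)
    return [
        category
        for category, networks in ranges.items()
        if any(addr in network for network in networks)
    ]


def allowlist_entries(ranges: Dict[str, list]) -> List[str]:
    """Deduplicated CIDR strings across all categories, in a stable order."""
    unique = {network for networks in ranges.values() for network in networks}
    ordered = sorted(
        unique,
        key=lambda n: (n.version, int(n.network_address), n.prefixlen),
    )
    return [str(network) for network in ordered]


if __name__ == "__main__":
    ranges = parse_ip_ranges(SAMPLE_IP_RANGES_BODY)
    worker_ip = rejected_ip_from_error(SAMPLE_ERROR)
    hits = matching_categories(worker_ip, ranges)
    if hits:
        print(f"{worker_ip} is covered by published ranges: {', '.join(hits)}")
    else:
        print(f"{worker_ip} is in none of the published categories; "
              "the ip-ranges endpoint does not cover the build workers")
    print("CIDRs to allowlist for the published services:", allowlist_entries(ranges))
```

Running it reports that 3.230.120.28 matches no published category, which is what the reply above explains: the published ranges are for the API, notifications, Sentinel and VCS services, and an allowlist built from them will never admit a run executed on a hosted worker.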

Hi @chrisarcand, thanks for your clarification, I will have a look at it then.

Hi, wondering how you got around this please? The runner IP is not in the list here https://app.terraform.io/api/meta/ip-ranges

I am looking into the Cloud Agents… but was hoping for a simpler solution