feat: add ip address validation for A and AAAA records (#194)

* feat: add ip address validation for A and AAAA records

* test: add test cases for  ip validation function

* test: add test cases for record ressource

* feat: add provider toggle for IP address validation in A and AAAA records

Author: kimdre

docs/index.md

@@ -40,5 +40,6 @@ resource "hetznerdns_record" "web" {
 ### Optional
 
 - `api_token` (String, Sensitive) The Hetzner DNS API token. You can pass it using the env variable `HETZNER_DNS_TOKEN` as well. The old env variable `HETZNER_DNS_API_TOKEN` is deprecated and will be removed in a future release.
+- `enable_ip_validation` (Boolean) `Default: true` Toggles the validation of IP addresses in A and AAAA records. You can pass it using the env variable `HETZNER_DNS_ENABLE_IP_VALIDATION` as well.
 - `enable_txt_formatter` (Boolean) `Default: true` Toggles the automatic formatter for TXT record values. Values greater than 255 bytes get split into multiple quoted chunks ([RFC4408](https://datatracker.ietf.org/doc/html/rfc4408#section-3.1.3)). You can pass it using the env variable `HETZNER_DNS_ENABLE_TXT_FORMATTER` as well.
 - `max_retries` (Number) `Default: 1` The maximum number of retries to perform when an API request fails. You can pass it using the env variable `HETZNER_DNS_MAX_RETRIES` as well.

internal/provider/provider.go

@@ -35,12 +35,14 @@ type hetznerDNSProviderModel struct {
 	ApiToken           types.String `tfsdk:"api_token"`
 	MaxRetries         types.Int64  `tfsdk:"max_retries"`
 	EnableTxtFormatter types.Bool   `tfsdk:"enable_txt_formatter"`
+	EnableIPValidation types.Bool   `tfsdk:"enable_ip_validation"`
 }
 
 type providerClient struct {
 	apiClient    *api.Client
 	maxRetries   int64
 	txtFormatter bool
+	ipValidation bool
 }
 
 func (p *hetznerDNSProvider) Metadata(_ context.Context, _ provider.MetadataRequest, resp *provider.MetadataResponse) {
@@ -73,6 +75,11 @@ func (p *hetznerDNSProvider) Schema(_ context.Context, _ provider.SchemaRequest,
 					"You can pass it using the env variable `HETZNER_DNS_ENABLE_TXT_FORMATTER` as well.",
 				Optional: true,
 			},
+			"enable_ip_validation": schema.BoolAttribute{
+				Description: "`Default: true` Toggles the validation of IP addresses in A and AAAA records. " +
+					"You can pass it using the env variable `HETZNER_DNS_ENABLE_IP_VALIDATION` as well.",
+				Optional: true,
+			},
 		},
 	}
 }
@@ -122,6 +129,11 @@ func (p *hetznerDNSProvider) Configure(ctx context.Context, req provider.Configu
 		resp.Diagnostics.AddAttributeError(path.Root("enable_txt_formatter"), "must be a boolean", err.Error())
 	}
 
+	client.ipValidation, err = utils.ConfigureBoolAttribute(data.EnableIPValidation, "HETZNER_DNS_ENABLE_IP_VALIDATION", true)
+	if err != nil {
+		resp.Diagnostics.AddAttributeError(path.Root("enable_ip_validation"), "must be a boolean", err.Error())
+	}
+
 	if resp.Diagnostics.HasError() {
 		return
 	}

internal/provider/record_resource.go

@@ -179,6 +179,15 @@ func (r *recordResource) Create(ctx context.Context, req resource.CreateRequest,
 		}
 	}
 
+	if (plan.Type.ValueString() == "A" || plan.Type.ValueString() == "AAAA") && r.provider.ipValidation {
+		err := utils.CheckIPAddress(value)
+		if err != nil {
+			resp.Diagnostics.AddError("Invalid IP address", err.Error())
+
+			return
+		}
+	}
+
 	var (
 		err     error
 		record  *api.Record
@@ -302,6 +311,15 @@ func (r *recordResource) Update(ctx context.Context, req resource.UpdateRequest,
 		value = utils.PlainToTXTRecordValue(value)
 	}
 
+	if (plan.Type.ValueString() == "A" || plan.Type.ValueString() == "AAAA") && r.provider.ipValidation {
+		err := utils.CheckIPAddress(value)
+		if err != nil {
+			resp.Diagnostics.AddError("Invalid IP address", err.Error())
+
+			return
+		}
+	}
+
 	if !plan.Name.Equal(state.Name) || !plan.TTL.Equal(state.TTL) || !plan.Type.Equal(state.Type) || !plan.Value.Equal(state.Value) {
 		updateTimeout, diags := plan.Timeouts.Update(ctx, 5*time.Minute)
 		resp.Diagnostics.Append(diags...)

internal/provider/record_resource_test.go

@@ -162,7 +162,7 @@ func TestAccRecord_ResourcesWithDeprecatedApiToken(t *testing.T) {
 	})
 }
 
-func TestAccRecord_Invalid(t *testing.T) {
+func TestAccRecord_InvalidIP(t *testing.T) {
 	zoneName := acctest.RandString(10) + ".online"
 	aZoneTTL := 60
 
@@ -183,7 +183,63 @@ func TestAccRecord_Invalid(t *testing.T) {
 						testAccRecordResourceConfigWithTTL("record1", aName, aType, value, ttl),
 					}, "\n",
 				),
-				ExpectError: regexp.MustCompile("invalid A record"),
+				ExpectError: regexp.MustCompile(utils.ErrInvalidIPAddress.Error()),
+			},
+			// Delete testing automatically occurs in TestCase
+		},
+	})
+}
+
+func TestAccRecord_InvalidIPv4(t *testing.T) {
+	zoneName := acctest.RandString(10) + ".online"
+	aZoneTTL := 60
+
+	value := "9.9.9.999"
+	aName := acctest.RandString(10)
+	aType := "A"
+	ttl := aZoneTTL * 2
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			// Create and Read testing
+			{
+				Config: strings.Join(
+					[]string{
+						testAccZoneResourceConfig("test", zoneName, aZoneTTL),
+						testAccRecordResourceConfigWithTTL("record1", aName, aType, value, ttl),
+					}, "\n",
+				),
+				ExpectError: regexp.MustCompile(utils.ErrInvalidIPAddress.Error()),
+			},
+			// Delete testing automatically occurs in TestCase
+		},
+	})
+}
+
+func TestAccRecord_InvalidIPv6(t *testing.T) {
+	zoneName := acctest.RandString(10) + ".online"
+	aZoneTTL := 60
+
+	value := "2001:4860:4860:::8888"
+	aName := acctest.RandString(10)
+	aType := "A"
+	ttl := aZoneTTL * 2
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			// Create and Read testing
+			{
+				Config: strings.Join(
+					[]string{
+						testAccZoneResourceConfig("test", zoneName, aZoneTTL),
+						testAccRecordResourceConfigWithTTL("record1", aName, aType, value, ttl),
+					}, "\n",
+				),
+				ExpectError: regexp.MustCompile(utils.ErrInvalidIPAddress.Error()),
 			},
 			// Delete testing automatically occurs in TestCase
 		},

internal/utils/ip.go

@@ -0,0 +1,19 @@
+package utils
+
+import (
+	"errors"
+	"fmt"
+	"net"
+)
+
+var ErrInvalidIPAddress = errors.New("invalid IP address")
+
+// CheckIPAddress checks if the given string is a valid IP address.
+func CheckIPAddress(ip string) error {
+	parsedIP := net.ParseIP(ip)
+	if parsedIP == nil {
+		return fmt.Errorf("%w: %s", ErrInvalidIPAddress, ip)
+	}
+
+	return nil
+}

internal/utils/ip_test.go

@@ -0,0 +1,65 @@
+package utils_test
+
+import (
+	"testing"
+
+	"github.com/germanbrew/terraform-provider-hetznerdns/internal/utils"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCheckIPAddress(t *testing.T) {
+	t.Parallel()
+
+	for _, tc := range []struct {
+		name    string
+		ip      string
+		isValid bool
+	}{
+		{
+			name:    "valid IPv4",
+			ip:      "9.9.9.9",
+			isValid: true,
+		},
+		{
+			name:    "invalid IPv4",
+			ip:      "9.9.9.999",
+			isValid: false,
+		},
+		{
+			name:    "invalid IPv4 with space",
+			ip:      "9.9.9.9 ",
+			isValid: false,
+		},
+		{
+			name:    "valid IPv6",
+			ip:      "2001:4860:4860::8888",
+			isValid: true,
+		},
+		{
+			name:    "invalid IPv6",
+			ip:      "2001:4860:4860:::8888",
+			isValid: false,
+		},
+		{
+			name:    "invalid IPv6 with space",
+			ip:      "2001:4860:4860::8888 ",
+			isValid: false,
+		},
+		{
+			name:    "invalid IP",
+			ip:      "invalid",
+			isValid: false,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := utils.CheckIPAddress(tc.ip)
+			if tc.isValid {
+				require.NoError(t, err)
+			} else {
+				require.Error(t, err)
+			}
+		})
+	}
+}