forked from huaweicloud/terraform-provider-huaweicloud
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add WAF policy management support huaweicloud#1257
- Loading branch information
1 parent
7d3414c
commit 2e21dd5
Showing
6 changed files
with
552 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
--- | ||
subcategory: "Web Application Firewall (WAF)" | ||
--- | ||
|
||
# huaweicloud_waf_policy | ||
|
||
Manages a WAF policy resource within HuaweiCloud. | ||
|
||
## Example Usage | ||
|
||
```hcl | ||
resource "huaweicloud_waf_policy" "policy_1" { | ||
name = "policy_1" | ||
protection_mode = "log" | ||
level = 2 | ||
} | ||
``` | ||
|
||
## Argument Reference | ||
|
||
The following arguments are supported: | ||
|
||
* `region` - (Optional, String, ForceNew) The region in which to create the WAF policy resource. | ||
If omitted, the provider-level region will be used. | ||
Changing this setting will push a new certificate. | ||
|
||
* `name` - (Required, String) Specifies the policy name. The maximum length is 256 characters. Only digits, letters, | ||
underscores(_), and hyphens(-) are allowed. | ||
|
||
* `protection_mode` - (Optional, String) Specifies the protective action after a rule is matched. Defaults to `log`. | ||
Valid values are: | ||
* `block`: WAF blocks and logs detected attacks. | ||
* `log`: WAF logs detected attacks only. | ||
|
||
* `level` - (Optional, Int) Specifies the protection level. Defaults to `2`. Valid values are: | ||
* `1`: low | ||
* `2`: medium | ||
* `3`: high | ||
|
||
## Attributes Reference | ||
|
||
In addition to all arguments above, the following attributes are exported: | ||
|
||
* `id` - The policy ID in UUID format. | ||
|
||
* `full_detection` - The detection mode in Precise Protection. | ||
* `true`: full detection, Full detection finishes all threat detections before blocking requests that meet Precise | ||
Protection specified conditions. | ||
* `false`: instant detection. Instant detection immediately ends threat detection after blocking a request that meets | ||
Precise Protection specified conditions. | ||
|
||
* `options` - The protection switches. The options object structure is documented below. | ||
|
||
The `options` block supports: | ||
|
||
* `basic_web_protection` - Indicates whether Basic Web Protection is enabled. | ||
|
||
* `general_check` - Indicates whether General Check in Basic Web Protection is enabled. | ||
|
||
* `crawler` - Indicates whether the master crawler detection switch in Basic Web Protection is enabled. | ||
|
||
* `crawler_engine` - Indicates whether the Search Engine switch in Basic Web Protection is enabled. | ||
|
||
* `crawler_scanner` - Indicates whether the Scanner switch in Basic Web Protection is enabled. | ||
|
||
* `crawler_script` - Indicates whether the Script Tool switch in Basic Web Protection is enabled. | ||
|
||
* `crawler_other` - Indicates whether detection of other crawlers in Basic Web Protection is enabled. | ||
|
||
* `webshell` - Indicates whether webshell detection in Basic Web Protection is enabled. | ||
|
||
* `cc_attack_protection` - Indicates whether CC Attack Protection is enabled. | ||
|
||
* `precise_protection` - Indicates whether Precise Protection is enabled. | ||
|
||
* `blacklist` - Indicates whether Blacklist and Whitelist is enabled. | ||
|
||
* `data_masking` - Indicates whether Data Masking is enabled. | ||
|
||
* `false_alarm_masking` - Indicates whether False Alarm Masking is enabled. | ||
|
||
* `web_tamper_protection` - Indicates whether Web Tamper Protection is enabled. | ||
|
||
## Import | ||
|
||
Policies can be imported using the `id`, e.g. | ||
|
||
```sh | ||
terraform import huaweicloud_waf_policy.policy_2 25e1df831bea4022a6e22bebe678915a | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
122 changes: 122 additions & 0 deletions
122
huaweicloud/services/acceptance/waf/resource_huaweicloud_waf_policy_test.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,122 @@ | ||
package waf | ||
|
||
import ( | ||
"fmt" | ||
"testing" | ||
|
||
"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/config" | ||
"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/services/acceptance" | ||
"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/utils/fmtp" | ||
|
||
"github.com/hashicorp/terraform-plugin-sdk/helper/acctest" | ||
"github.com/hashicorp/terraform-plugin-sdk/helper/resource" | ||
"github.com/hashicorp/terraform-plugin-sdk/terraform" | ||
|
||
"github.com/huaweicloud/golangsdk/openstack/waf_hw/v1/policies" | ||
) | ||
|
||
func TestAccWafPolicyV1_basic(t *testing.T) { | ||
var policy policies.Policy | ||
randName := acctest.RandString(5) | ||
resourceName := "huaweicloud_waf_policy.policy_1" | ||
|
||
resource.Test(t, resource.TestCase{ | ||
PreCheck: func() { acceptance.TestAccPreCheck(t) }, | ||
Providers: acceptance.TestAccProviders, | ||
CheckDestroy: testAccCheckWafPolicyV1Destroy, | ||
Steps: []resource.TestStep{ | ||
{ | ||
Config: testAccWafPolicyV1_basic(randName), | ||
Check: resource.ComposeTestCheckFunc( | ||
testAccCheckWafPolicyV1Exists(resourceName, &policy), | ||
resource.TestCheckResourceAttr(resourceName, "name", fmt.Sprintf("policy-%s", randName)), | ||
resource.TestCheckResourceAttr(resourceName, "level", "1"), | ||
resource.TestCheckResourceAttr(resourceName, "full_detection", "false"), | ||
), | ||
}, | ||
{ | ||
Config: testAccWafPolicyV1_update(randName), | ||
Check: resource.ComposeTestCheckFunc( | ||
testAccCheckWafPolicyV1Exists(resourceName, &policy), | ||
resource.TestCheckResourceAttr(resourceName, "name", fmt.Sprintf("policy_%s_updated", randName)), | ||
resource.TestCheckResourceAttr(resourceName, "protection_mode", "block"), | ||
resource.TestCheckResourceAttr(resourceName, "level", "3"), | ||
), | ||
}, | ||
{ | ||
ResourceName: resourceName, | ||
ImportState: true, | ||
ImportStateVerify: true, | ||
}, | ||
}, | ||
}) | ||
} | ||
|
||
func testAccCheckWafPolicyV1Destroy(s *terraform.State) error { | ||
config := acceptance.TestAccProvider.Meta().(*config.Config) | ||
wafClient, err := config.WafV1Client(acceptance.HW_REGION_NAME) | ||
if err != nil { | ||
return fmtp.Errorf("error creating HuaweiCloud WAF client: %s", err) | ||
} | ||
|
||
for _, rs := range s.RootModule().Resources { | ||
if rs.Type != "huaweicloud_waf_policy" { | ||
continue | ||
} | ||
_, err := policies.Get(wafClient, rs.Primary.ID).Extract() | ||
if err == nil { | ||
return fmtp.Errorf("Waf policy still exists") | ||
} | ||
} | ||
return nil | ||
} | ||
|
||
func testAccCheckWafPolicyV1Exists(n string, policy *policies.Policy) resource.TestCheckFunc { | ||
return func(s *terraform.State) error { | ||
rs, ok := s.RootModule().Resources[n] | ||
if !ok { | ||
return fmtp.Errorf("Not found: %s", n) | ||
} | ||
|
||
if rs.Primary.ID == "" { | ||
return fmtp.Errorf("No ID is set") | ||
} | ||
|
||
config := acceptance.TestAccProvider.Meta().(*config.Config) | ||
wafClient, err := config.WafV1Client(acceptance.HW_REGION_NAME) | ||
if err != nil { | ||
return fmtp.Errorf("error creating huaweicloud WAF client: %s", err) | ||
} | ||
|
||
found, err := policies.Get(wafClient, rs.Primary.ID).Extract() | ||
if err != nil { | ||
return err | ||
} | ||
|
||
if found.Id != rs.Primary.ID { | ||
return fmtp.Errorf("Waf policy not found") | ||
} | ||
|
||
*policy = *found | ||
return nil | ||
} | ||
} | ||
|
||
func testAccWafPolicyV1_basic(name string) string { | ||
return fmt.Sprintf(` | ||
resource "huaweicloud_waf_policy" "policy_1" { | ||
name = "policy-%s" | ||
level = 1 | ||
} | ||
`, name) | ||
} | ||
|
||
func testAccWafPolicyV1_update(name string) string { | ||
return fmt.Sprintf(` | ||
resource "huaweicloud_waf_policy" "policy_1" { | ||
name = "policy_%s_updated" | ||
protection_mode = "block" | ||
level = 3 | ||
} | ||
`, name) | ||
} |
Oops, something went wrong.