Skip to content

Commit

Permalink
Add WAF policy management support huaweicloud#1257
Browse files Browse the repository at this point in the history
  • Loading branch information
chengxiangdong committed Jul 14, 2021
1 parent 7d3414c commit 2e21dd5
Show file tree
Hide file tree
Showing 6 changed files with 552 additions and 1 deletion.
90 changes: 90 additions & 0 deletions docs/resources/waf_policy.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
---
subcategory: "Web Application Firewall (WAF)"
---

# huaweicloud_waf_policy

Manages a WAF policy resource within HuaweiCloud.

## Example Usage

```hcl
resource "huaweicloud_waf_policy" "policy_1" {
name = "policy_1"
protection_mode = "log"
level = 2
}
```

## Argument Reference

The following arguments are supported:

* `region` - (Optional, String, ForceNew) The region in which to create the WAF policy resource.
If omitted, the provider-level region will be used.
Changing this setting will push a new certificate.

* `name` - (Required, String) Specifies the policy name. The maximum length is 256 characters. Only digits, letters,
underscores(_), and hyphens(-) are allowed.

* `protection_mode` - (Optional, String) Specifies the protective action after a rule is matched. Defaults to `log`.
Valid values are:
* `block`: WAF blocks and logs detected attacks.
* `log`: WAF logs detected attacks only.

* `level` - (Optional, Int) Specifies the protection level. Defaults to `2`. Valid values are:
* `1`: low
* `2`: medium
* `3`: high

## Attributes Reference

In addition to all arguments above, the following attributes are exported:

* `id` - The policy ID in UUID format.

* `full_detection` - The detection mode in Precise Protection.
* `true`: full detection, Full detection finishes all threat detections before blocking requests that meet Precise
Protection specified conditions.
* `false`: instant detection. Instant detection immediately ends threat detection after blocking a request that meets
Precise Protection specified conditions.

* `options` - The protection switches. The options object structure is documented below.

The `options` block supports:

* `basic_web_protection` - Indicates whether Basic Web Protection is enabled.

* `general_check` - Indicates whether General Check in Basic Web Protection is enabled.

* `crawler` - Indicates whether the master crawler detection switch in Basic Web Protection is enabled.

* `crawler_engine` - Indicates whether the Search Engine switch in Basic Web Protection is enabled.

* `crawler_scanner` - Indicates whether the Scanner switch in Basic Web Protection is enabled.

* `crawler_script` - Indicates whether the Script Tool switch in Basic Web Protection is enabled.

* `crawler_other` - Indicates whether detection of other crawlers in Basic Web Protection is enabled.

* `webshell` - Indicates whether webshell detection in Basic Web Protection is enabled.

* `cc_attack_protection` - Indicates whether CC Attack Protection is enabled.

* `precise_protection` - Indicates whether Precise Protection is enabled.

* `blacklist` - Indicates whether Blacklist and Whitelist is enabled.

* `data_masking` - Indicates whether Data Masking is enabled.

* `false_alarm_masking` - Indicates whether False Alarm Masking is enabled.

* `web_tamper_protection` - Indicates whether Web Tamper Protection is enabled.

## Import

Policies can be imported using the `id`, e.g.

```sh
terraform import huaweicloud_waf_policy.policy_2 25e1df831bea4022a6e22bebe678915a
```
2 changes: 2 additions & 0 deletions huaweicloud/provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -506,6 +506,8 @@ func Provider() terraform.ResourceProvider {
"huaweicloud_scm_certificate": resourceScmCertificateV3(),
"huaweicloud_waf_certificate": waf.ResourceWafCertificateV1(),
"huaweicloud_waf_domain": waf.ResourceWafDomainV1(),
"huaweicloud_waf_policy": waf.ResourceWafPolicyV1(),

// Legacy
"huaweicloud_compute_instance_v2": ResourceComputeInstanceV2(),
"huaweicloud_compute_interface_attach_v2": ResourceComputeInterfaceAttachV2(),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,33 @@ func TestAccWafDomainV1_basic(t *testing.T) {
})
}

func TestAccWafDomainV1_policy(t *testing.T) {
var domain domains.Domain
resourceName := "huaweicloud_waf_domain.domain_1"
randName := acctest.RandString(8)
certificateName := acctest.RandString(8)

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { acceptance.TestAccPreCheck(t) },
Providers: acceptance.TestAccProviders,
CheckDestroy: testAccCheckWafDomainV1Destroy,
Steps: []resource.TestStep{
{
Config: testAccWafDomainV1_policy(certificateName, randName),
Check: resource.ComposeTestCheckFunc(
testAccCheckWafDomainV1Exists(resourceName, &domain),
resource.TestCheckResourceAttr(resourceName, "domain", fmt.Sprintf("www.%s.com", randName)),
resource.TestCheckResourceAttr(resourceName, "proxy", "true"),
resource.TestCheckResourceAttr(resourceName, "server.0.client_protocol", "HTTPS"),
resource.TestCheckResourceAttr(resourceName, "server.0.server_protocol", "HTTP"),
resource.TestCheckResourceAttr(resourceName, "server.0.port", "8080"),
resource.TestCheckResourceAttrSet(resourceName, "policy_id"),
),
},
},
})
}

func testAccCheckWafDomainV1Destroy(s *terraform.State) error {
config := acceptance.TestAccProvider.Meta().(*config.Config)
wafClient, err := config.WafV1Client(acceptance.HW_REGION_NAME)
Expand Down Expand Up @@ -150,3 +177,28 @@ resource "huaweicloud_waf_domain" "domain_1" {
}
`, testAccWafCertificateV1_conf(name), name)
}

func testAccWafDomainV1_policy(certificateName string, name string) string {
return fmt.Sprintf(`
%s
resource "huaweicloud_waf_policy" "policy_1" {
name = "policy_%s"
}
resource "huaweicloud_waf_domain" "domain_1" {
domain = "www.%s.com"
certificate_id = huaweicloud_waf_certificate.certificate_1.id
certificate_name = huaweicloud_waf_certificate.certificate_1.name
policy_id = huaweicloud_waf_policy.policy_1.id
proxy = true
server {
client_protocol = "HTTPS"
server_protocol = "HTTP"
address = "119.8.0.14"
port = 8080
}
}
`, testAccWafCertificateV1_conf(certificateName), name, name)
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,122 @@
package waf

import (
"fmt"
"testing"

"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/config"
"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/services/acceptance"
"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/utils/fmtp"

"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
"github.com/hashicorp/terraform-plugin-sdk/terraform"

"github.com/huaweicloud/golangsdk/openstack/waf_hw/v1/policies"
)

func TestAccWafPolicyV1_basic(t *testing.T) {
var policy policies.Policy
randName := acctest.RandString(5)
resourceName := "huaweicloud_waf_policy.policy_1"

resource.Test(t, resource.TestCase{
PreCheck: func() { acceptance.TestAccPreCheck(t) },
Providers: acceptance.TestAccProviders,
CheckDestroy: testAccCheckWafPolicyV1Destroy,
Steps: []resource.TestStep{
{
Config: testAccWafPolicyV1_basic(randName),
Check: resource.ComposeTestCheckFunc(
testAccCheckWafPolicyV1Exists(resourceName, &policy),
resource.TestCheckResourceAttr(resourceName, "name", fmt.Sprintf("policy-%s", randName)),
resource.TestCheckResourceAttr(resourceName, "level", "1"),
resource.TestCheckResourceAttr(resourceName, "full_detection", "false"),
),
},
{
Config: testAccWafPolicyV1_update(randName),
Check: resource.ComposeTestCheckFunc(
testAccCheckWafPolicyV1Exists(resourceName, &policy),
resource.TestCheckResourceAttr(resourceName, "name", fmt.Sprintf("policy_%s_updated", randName)),
resource.TestCheckResourceAttr(resourceName, "protection_mode", "block"),
resource.TestCheckResourceAttr(resourceName, "level", "3"),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
},
},
})
}

func testAccCheckWafPolicyV1Destroy(s *terraform.State) error {
config := acceptance.TestAccProvider.Meta().(*config.Config)
wafClient, err := config.WafV1Client(acceptance.HW_REGION_NAME)
if err != nil {
return fmtp.Errorf("error creating HuaweiCloud WAF client: %s", err)
}

for _, rs := range s.RootModule().Resources {
if rs.Type != "huaweicloud_waf_policy" {
continue
}
_, err := policies.Get(wafClient, rs.Primary.ID).Extract()
if err == nil {
return fmtp.Errorf("Waf policy still exists")
}
}
return nil
}

func testAccCheckWafPolicyV1Exists(n string, policy *policies.Policy) resource.TestCheckFunc {
return func(s *terraform.State) error {
rs, ok := s.RootModule().Resources[n]
if !ok {
return fmtp.Errorf("Not found: %s", n)
}

if rs.Primary.ID == "" {
return fmtp.Errorf("No ID is set")
}

config := acceptance.TestAccProvider.Meta().(*config.Config)
wafClient, err := config.WafV1Client(acceptance.HW_REGION_NAME)
if err != nil {
return fmtp.Errorf("error creating huaweicloud WAF client: %s", err)
}

found, err := policies.Get(wafClient, rs.Primary.ID).Extract()
if err != nil {
return err
}

if found.Id != rs.Primary.ID {
return fmtp.Errorf("Waf policy not found")
}

*policy = *found
return nil
}
}

func testAccWafPolicyV1_basic(name string) string {
return fmt.Sprintf(`
resource "huaweicloud_waf_policy" "policy_1" {
name = "policy-%s"
level = 1
}
`, name)
}

func testAccWafPolicyV1_update(name string) string {
return fmt.Sprintf(`
resource "huaweicloud_waf_policy" "policy_1" {
name = "policy_%s_updated"
protection_mode = "block"
level = 3
}
`, name)
}
Loading

0 comments on commit 2e21dd5

Please sign in to comment.