Add WAF policy management support huaweicloud#1257

chengxiangdong · Jul 5, 2021 · ee2690c · ee2690c
1 parent 706e340
commit ee2690c
Show file tree

Hide file tree

Showing 4 changed files with 493 additions and 29 deletions.
diff --git a/docs/resources/waf_policy.md b/docs/resources/waf_policy.md
@@ -0,0 +1,85 @@
+---
+subcategory: "Web Application Firewall (WAF)"
+---
+
+# huaweicloud_waf_policy
+
+Manages a WAF policy resource within HuaweiCloud.
+
+## Example Usage
+
+```hcl
+resource "huaweicloud_waf_policy" "policy_1" {
+  name = "policy_1"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `region` - (Optional, String, ForceNew) The region in which to create the WAF policy resource.
+  If omitted, the provider-level region will be used.
+  Changing this setting will push a new certificate.
+
+* `name` - (Required, String) Specifies the policy name. The maximum length is 256 characters.
+  Only digits, letters, underscores(_), and hyphens(-) are allowed.
+
+* `protection_mode` - (Optional, String) Specifies the protective action after a rule is matched. Valid values are:
+  - `block`: WAF blocks and logs detected attacks.
+  - `log`: WAF logs detected attacks only.
+
+* `level` - (Optional, Int) Specifies the protection level. Valid values are:
+  - `1`: low
+  - `2`: medium
+  - `3`: high
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The policy ID in UUID format.
+
+* `full_detection` - The detection mode in Precise Protection.
+  * `true`: full detection, Full detection finishes all threat detections before blocking requests that meet Precise Protection specified conditions.
+  * `false`: instant detection. Instant detection immediately ends threat detection after blocking a request that meets Precise Protection specified conditions.
+
+* `options` - The protection switches. The options object structure is documented below.
+
+The `options` block supports:
+
+* `webattack` - Indicates whether Basic Web Protection is enabled.
+
+* `common` - Indicates whether General Check in Basic Web Protection is enabled.
+
+* `crawler` - Indicates whether the master crawler detection switch in Basic Web Protection is enabled.
+
+* `crawler_engine` - Indicates whether the Search Engine switch in Basic Web Protection is enabled.
+
+* `crawler_scanner` - Indicates whether the Scanner switch in Basic Web Protection is enabled.
+
+* `crawler_script` - Indicates whether the Script Tool switch in Basic Web Protection is enabled.
+
+* `crawler_other` - Indicates whether detection of other crawlers in Basic Web Protection is enabled.
+
+* `webshell` - Indicates whether webshell detection in Basic Web Protection is enabled.
+
+* `cc` - Indicates whether CC Attack Protection is enabled.
+
+* `custom` - Indicates whether Precise Protection is enabled.
+
+* `whiteblackip` - Indicates whether Blacklist and Whitelist is enabled.
+
+* `privacy` - Indicates whether Data Masking is enabled.
+
+* `ignore` - Indicates whether False Alarm Masking is enabled.
+
+* `antitamper` - Indicates whether Web Tamper Protection is enabled.
+
+## Import
+
+Policies can be imported using the `id`, e.g.
+
+```sh
+terraform import huaweicloud_waf_policy.policy_2 25e1df831bea4022a6e22bebe678915a
+```
diff --git a/huaweicloud/provider.go b/huaweicloud/provider.go
@@ -505,37 +505,38 @@ func Provider() terraform.ResourceProvider {
 			"huaweicloud_scm_certificate":                 resourceScmCertificateV3(),
 			"huaweicloud_waf_certificate":                 waf.ResourceWafCertificateV1(),
 			"huaweicloud_waf_domain":                      waf.ResourceWafDomainV1(),
+			"huaweicloud_waf_policy":                      waf.ResourceWafPolicyV1(),
 
 			// Legacy
-			"huaweicloud_compute_instance_v2":                ResourceComputeInstanceV2(),
-			"huaweicloud_compute_interface_attach_v2":        ResourceComputeInterfaceAttachV2(),
-			"huaweicloud_compute_keypair_v2":                 ResourceComputeKeypairV2(),
-			"huaweicloud_compute_servergroup_v2":             ResourceComputeServerGroupV2(),
-			"huaweicloud_compute_volume_attach_v2":           ResourceComputeVolumeAttachV2(),
-			"huaweicloud_dns_ptrrecord_v2":                   ResourceDNSPtrRecordV2(),
-			"huaweicloud_dns_recordset_v2":                   ResourceDNSRecordSetV2(),
-			"huaweicloud_dns_zone_v2":                        ResourceDNSZoneV2(),
-			"huaweicloud_dcs_instance_v1":                    ResourceDcsInstanceV1(),
-			"huaweicloud_dds_instance_v3":                    ResourceDdsInstanceV3(),
-			"huaweicloud_fw_firewall_group_v2":               resourceFWFirewallGroupV2(),
-			"huaweicloud_fw_policy_v2":                       resourceFWPolicyV2(),
-			"huaweicloud_fw_rule_v2":                         resourceFWRuleV2(),
-			"huaweicloud_kms_key_v1":                         ResourceKmsKeyV1(),
-			"huaweicloud_dms_queue_v1":                       ResourceDmsQueuesV1(),
-			"huaweicloud_dms_group_v1":                       ResourceDmsGroupsV1(),
-			"huaweicloud_dms_instance_v1":                    ResourceDmsInstancesV1(),
-			"huaweicloud_images_image_v2":                    resourceImagesImageV2(),
-			"huaweicloud_lb_certificate_v2":                  ResourceCertificateV2(),
-			"huaweicloud_lb_loadbalancer_v2":                 ResourceLoadBalancerV2(),
-			"huaweicloud_lb_listener_v2":                     ResourceListenerV2(),
-			"huaweicloud_lb_pool_v2":                         ResourcePoolV2(),
-			"huaweicloud_lb_member_v2":                       ResourceMemberV2(),
-			"huaweicloud_lb_monitor_v2":                      ResourceMonitorV2(),
-			"huaweicloud_lb_l7policy_v2":                     ResourceL7PolicyV2(),
-			"huaweicloud_lb_l7rule_v2":                       ResourceL7RuleV2(),
-			"huaweicloud_lb_whitelist_v2":                    ResourceWhitelistV2(),
-			"huaweicloud_mrs_cluster_v1":                     ResourceMRSClusterV1(),
-			"huaweicloud_mrs_job_v1":                         ResourceMRSJobV1(),
+			"huaweicloud_compute_instance_v2":         ResourceComputeInstanceV2(),
+			"huaweicloud_compute_interface_attach_v2": ResourceComputeInterfaceAttachV2(),
+			"huaweicloud_compute_keypair_v2":          ResourceComputeKeypairV2(),
+			"huaweicloud_compute_servergroup_v2":      ResourceComputeServerGroupV2(),
+			"huaweicloud_compute_volume_attach_v2":    ResourceComputeVolumeAttachV2(),
+			"huaweicloud_dns_ptrrecord_v2":            ResourceDNSPtrRecordV2(),
+			"huaweicloud_dns_recordset_v2":            ResourceDNSRecordSetV2(),
+			"huaweicloud_dns_zone_v2":                 ResourceDNSZoneV2(),
+			"huaweicloud_dcs_instance_v1":             ResourceDcsInstanceV1(),
+			"huaweicloud_dds_instance_v3":             ResourceDdsInstanceV3(),
+			"huaweicloud_fw_firewall_group_v2":        resourceFWFirewallGroupV2(),
+			"huaweicloud_fw_policy_v2":                resourceFWPolicyV2(),
+			"huaweicloud_fw_rule_v2":                  resourceFWRuleV2(),
+			"huaweicloud_kms_key_v1":                  ResourceKmsKeyV1(),
+			"huaweicloud_dms_queue_v1":                ResourceDmsQueuesV1(),
+			"huaweicloud_dms_group_v1":                ResourceDmsGroupsV1(),
+			"huaweicloud_dms_instance_v1":             ResourceDmsInstancesV1(),
+			"huaweicloud_images_image_v2":             resourceImagesImageV2(),
+			"huaweicloud_lb_certificate_v2":           ResourceCertificateV2(),
+			"huaweicloud_lb_loadbalancer_v2":          ResourceLoadBalancerV2(),
+			"huaweicloud_lb_listener_v2":              ResourceListenerV2(),
+			"huaweicloud_lb_pool_v2":                  ResourcePoolV2(),
+			"huaweicloud_lb_member_v2":                ResourceMemberV2(),
+			"huaweicloud_lb_monitor_v2":               ResourceMonitorV2(),
+			"huaweicloud_lb_l7policy_v2":              ResourceL7PolicyV2(),
+			"huaweicloud_lb_l7rule_v2":                ResourceL7RuleV2(),
+			"huaweicloud_lb_whitelist_v2":             ResourceWhitelistV2(),
+			//"huaweicloud_mrs_cluster_v1":                     ResourceMRSClusterV1(),
+			//"huaweicloud_mrs_job_v1":                         ResourceMRSJobV1(),
 			"huaweicloud_networking_port_v2":                 ResourceNetworkingPortV2(),
 			"huaweicloud_networking_secgroup_v2":             ResourceNetworkingSecGroupV2(),
 			"huaweicloud_networking_secgroup_rule_v2":        ResourceNetworkingSecGroupRuleV2(),

diff --git a/huaweicloud/services/acceptance/waf/resource_huaweicloud_waf_policy_test.go b/huaweicloud/services/acceptance/waf/resource_huaweicloud_waf_policy_test.go
@@ -0,0 +1,147 @@
+package waf
+
+import (
+	"fmt"
+	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/config"
+	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/services/acceptance"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/terraform"
+
+	"github.com/huaweicloud/golangsdk/openstack/waf_hw/v1/policies"
+)
+
+func TestAccWafPolicyV1_basic(t *testing.T) {
+	var policy policies.Policy
+	randName := acctest.RandString(5)
+	resourceName := "huaweicloud_waf_policy.policy_1"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acceptance.TestAccPreCheck(t) },
+		Providers:    acceptance.TestAccProviders,
+		CheckDestroy: testAccCheckWafPolicyV1Destroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccWafPolicyV1_basic(randName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWafPolicyV1Exists(resourceName, &policy),
+					resource.TestCheckResourceAttr(resourceName, "name", fmt.Sprintf("policy-%s", randName)),
+					resource.TestCheckResourceAttr(resourceName, "protection_mode", "log"),
+					resource.TestCheckResourceAttr(resourceName, "level", "2"),
+					resource.TestCheckResourceAttr(resourceName, "full_detection", "false"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccWafPolicyV1_update(t *testing.T) {
+	var policy policies.Policy
+	randName := acctest.RandString(5)
+	resourceName := "huaweicloud_waf_policy.policy_1"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acceptance.TestAccPreCheck(t) },
+		Providers:    acceptance.TestAccProviders,
+		CheckDestroy: testAccCheckWafPolicyV1Destroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccWafPolicyV1_basic(randName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWafPolicyV1Exists(resourceName, &policy),
+					resource.TestCheckResourceAttr(resourceName, "name", fmt.Sprintf("policy-%s", randName)),
+					resource.TestCheckResourceAttr(resourceName, "protection_mode", "log"),
+					resource.TestCheckResourceAttr(resourceName, "level", "2"),
+					resource.TestCheckResourceAttr(resourceName, "full_detection", "false"),
+				),
+			},
+			{
+				Config: testAccWafPolicyV1_update(randName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWafPolicyV1Exists(resourceName, &policy),
+					resource.TestCheckResourceAttr(resourceName, "name", fmt.Sprintf("policy_%s_updated", randName)),
+					resource.TestCheckResourceAttr(resourceName, "protection_mode", "block"),
+					resource.TestCheckResourceAttr(resourceName, "level", "1"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccCheckWafPolicyV1Destroy(s *terraform.State) error {
+	config := acceptance.TestAccProvider.Meta().(*config.Config)
+	wafClient, err := config.WafV1Client(acceptance.HW_REGION_NAME)
+	if err != nil {
+		return fmt.Errorf("error creating HuaweiCloud WAF client: %s", err)
+	}
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "huaweicloud_waf_policy" {
+			continue
+		}
+
+		_, err := policies.Get(wafClient, rs.Primary.ID).Extract()
+		if err == nil {
+			return fmt.Errorf("Waf policy still exists")
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckWafPolicyV1Exists(n string, policy *policies.Policy) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No ID is set")
+		}
+
+		config := acceptance.TestAccProvider.Meta().(*config.Config)
+		wafClient, err := config.WafV1Client(acceptance.HW_REGION_NAME)
+		if err != nil {
+			return fmt.Errorf("error creating huaweicloud WAF client: %s", err)
+		}
+
+		found, err := policies.Get(wafClient, rs.Primary.ID).Extract()
+		if err != nil {
+			return err
+		}
+
+		if found.Id != rs.Primary.ID {
+			return fmt.Errorf("Waf policy not found")
+		}
+
+		*policy = *found
+
+		return nil
+	}
+}
+
+func testAccWafPolicyV1_basic(name string) string {
+	return fmt.Sprintf(`
+resource "huaweicloud_waf_policy" "policy_1" {
+  name = "policy-%s"
+}
+`, name)
+}
+
+func testAccWafPolicyV1_update(name string) string {
+	return fmt.Sprintf(`
+resource "huaweicloud_waf_policy" "policy_1" {
+  name            = "policy_%s_updated"
+  protection_mode = "block"
+  level           = 1
+}
+`, name)
+}