From ee2690cac1a0a9854290740d0857f2d214537e18 Mon Sep 17 00:00:00 2001 From: ChengXiangdong Date: Mon, 5 Jul 2021 16:42:16 +0800 Subject: [PATCH] Add WAF policy management support #1257 --- docs/resources/waf_policy.md | 85 +++++++ huaweicloud/provider.go | 59 ++--- .../resource_huaweicloud_waf_policy_test.go | 147 +++++++++++ .../waf/resource_huaweicloud_waf_policy.go | 231 ++++++++++++++++++ 4 files changed, 493 insertions(+), 29 deletions(-) create mode 100644 docs/resources/waf_policy.md create mode 100644 huaweicloud/services/acceptance/waf/resource_huaweicloud_waf_policy_test.go create mode 100644 huaweicloud/services/waf/resource_huaweicloud_waf_policy.go diff --git a/docs/resources/waf_policy.md b/docs/resources/waf_policy.md new file mode 100644 index 00000000000..9897836c1fa --- /dev/null +++ b/docs/resources/waf_policy.md @@ -0,0 +1,85 @@ +--- +subcategory: "Web Application Firewall (WAF)" +--- + +# huaweicloud_waf_policy + +Manages a WAF policy resource within HuaweiCloud. + +## Example Usage + +```hcl +resource "huaweicloud_waf_policy" "policy_1" { + name = "policy_1" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `region` - (Optional, String, ForceNew) The region in which to create the WAF policy resource. + If omitted, the provider-level region will be used. + Changing this setting will push a new certificate. + +* `name` - (Required, String) Specifies the policy name. The maximum length is 256 characters. + Only digits, letters, underscores(_), and hyphens(-) are allowed. + +* `protection_mode` - (Optional, String) Specifies the protective action after a rule is matched. Valid values are: + - `block`: WAF blocks and logs detected attacks. + - `log`: WAF logs detected attacks only. + +* `level` - (Optional, Int) Specifies the protection level. Valid values are: + - `1`: low + - `2`: medium + - `3`: high + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - The policy ID in UUID format. + +* `full_detection` - The detection mode in Precise Protection. + * `true`: full detection, Full detection finishes all threat detections before blocking requests that meet Precise Protection specified conditions. + * `false`: instant detection. Instant detection immediately ends threat detection after blocking a request that meets Precise Protection specified conditions. + +* `options` - The protection switches. The options object structure is documented below. + +The `options` block supports: + +* `webattack` - Indicates whether Basic Web Protection is enabled. + +* `common` - Indicates whether General Check in Basic Web Protection is enabled. + +* `crawler` - Indicates whether the master crawler detection switch in Basic Web Protection is enabled. + +* `crawler_engine` - Indicates whether the Search Engine switch in Basic Web Protection is enabled. + +* `crawler_scanner` - Indicates whether the Scanner switch in Basic Web Protection is enabled. + +* `crawler_script` - Indicates whether the Script Tool switch in Basic Web Protection is enabled. + +* `crawler_other` - Indicates whether detection of other crawlers in Basic Web Protection is enabled. + +* `webshell` - Indicates whether webshell detection in Basic Web Protection is enabled. + +* `cc` - Indicates whether CC Attack Protection is enabled. + +* `custom` - Indicates whether Precise Protection is enabled. + +* `whiteblackip` - Indicates whether Blacklist and Whitelist is enabled. + +* `privacy` - Indicates whether Data Masking is enabled. + +* `ignore` - Indicates whether False Alarm Masking is enabled. + +* `antitamper` - Indicates whether Web Tamper Protection is enabled. + +## Import + +Policies can be imported using the `id`, e.g. + +```sh +terraform import huaweicloud_waf_policy.policy_2 25e1df831bea4022a6e22bebe678915a +``` diff --git a/huaweicloud/provider.go b/huaweicloud/provider.go index b6ec53a8803..b9e6437d305 100644 --- a/huaweicloud/provider.go +++ b/huaweicloud/provider.go @@ -505,37 +505,38 @@ func Provider() terraform.ResourceProvider { "huaweicloud_scm_certificate": resourceScmCertificateV3(), "huaweicloud_waf_certificate": waf.ResourceWafCertificateV1(), "huaweicloud_waf_domain": waf.ResourceWafDomainV1(), + "huaweicloud_waf_policy": waf.ResourceWafPolicyV1(), // Legacy - "huaweicloud_compute_instance_v2": ResourceComputeInstanceV2(), - "huaweicloud_compute_interface_attach_v2": ResourceComputeInterfaceAttachV2(), - "huaweicloud_compute_keypair_v2": ResourceComputeKeypairV2(), - "huaweicloud_compute_servergroup_v2": ResourceComputeServerGroupV2(), - "huaweicloud_compute_volume_attach_v2": ResourceComputeVolumeAttachV2(), - "huaweicloud_dns_ptrrecord_v2": ResourceDNSPtrRecordV2(), - "huaweicloud_dns_recordset_v2": ResourceDNSRecordSetV2(), - "huaweicloud_dns_zone_v2": ResourceDNSZoneV2(), - "huaweicloud_dcs_instance_v1": ResourceDcsInstanceV1(), - "huaweicloud_dds_instance_v3": ResourceDdsInstanceV3(), - "huaweicloud_fw_firewall_group_v2": resourceFWFirewallGroupV2(), - "huaweicloud_fw_policy_v2": resourceFWPolicyV2(), - "huaweicloud_fw_rule_v2": resourceFWRuleV2(), - "huaweicloud_kms_key_v1": ResourceKmsKeyV1(), - "huaweicloud_dms_queue_v1": ResourceDmsQueuesV1(), - "huaweicloud_dms_group_v1": ResourceDmsGroupsV1(), - "huaweicloud_dms_instance_v1": ResourceDmsInstancesV1(), - "huaweicloud_images_image_v2": resourceImagesImageV2(), - "huaweicloud_lb_certificate_v2": ResourceCertificateV2(), - "huaweicloud_lb_loadbalancer_v2": ResourceLoadBalancerV2(), - "huaweicloud_lb_listener_v2": ResourceListenerV2(), - "huaweicloud_lb_pool_v2": ResourcePoolV2(), - "huaweicloud_lb_member_v2": ResourceMemberV2(), - "huaweicloud_lb_monitor_v2": ResourceMonitorV2(), - "huaweicloud_lb_l7policy_v2": ResourceL7PolicyV2(), - "huaweicloud_lb_l7rule_v2": ResourceL7RuleV2(), - "huaweicloud_lb_whitelist_v2": ResourceWhitelistV2(), - "huaweicloud_mrs_cluster_v1": ResourceMRSClusterV1(), - "huaweicloud_mrs_job_v1": ResourceMRSJobV1(), + "huaweicloud_compute_instance_v2": ResourceComputeInstanceV2(), + "huaweicloud_compute_interface_attach_v2": ResourceComputeInterfaceAttachV2(), + "huaweicloud_compute_keypair_v2": ResourceComputeKeypairV2(), + "huaweicloud_compute_servergroup_v2": ResourceComputeServerGroupV2(), + "huaweicloud_compute_volume_attach_v2": ResourceComputeVolumeAttachV2(), + "huaweicloud_dns_ptrrecord_v2": ResourceDNSPtrRecordV2(), + "huaweicloud_dns_recordset_v2": ResourceDNSRecordSetV2(), + "huaweicloud_dns_zone_v2": ResourceDNSZoneV2(), + "huaweicloud_dcs_instance_v1": ResourceDcsInstanceV1(), + "huaweicloud_dds_instance_v3": ResourceDdsInstanceV3(), + "huaweicloud_fw_firewall_group_v2": resourceFWFirewallGroupV2(), + "huaweicloud_fw_policy_v2": resourceFWPolicyV2(), + "huaweicloud_fw_rule_v2": resourceFWRuleV2(), + "huaweicloud_kms_key_v1": ResourceKmsKeyV1(), + "huaweicloud_dms_queue_v1": ResourceDmsQueuesV1(), + "huaweicloud_dms_group_v1": ResourceDmsGroupsV1(), + "huaweicloud_dms_instance_v1": ResourceDmsInstancesV1(), + "huaweicloud_images_image_v2": resourceImagesImageV2(), + "huaweicloud_lb_certificate_v2": ResourceCertificateV2(), + "huaweicloud_lb_loadbalancer_v2": ResourceLoadBalancerV2(), + "huaweicloud_lb_listener_v2": ResourceListenerV2(), + "huaweicloud_lb_pool_v2": ResourcePoolV2(), + "huaweicloud_lb_member_v2": ResourceMemberV2(), + "huaweicloud_lb_monitor_v2": ResourceMonitorV2(), + "huaweicloud_lb_l7policy_v2": ResourceL7PolicyV2(), + "huaweicloud_lb_l7rule_v2": ResourceL7RuleV2(), + "huaweicloud_lb_whitelist_v2": ResourceWhitelistV2(), + //"huaweicloud_mrs_cluster_v1": ResourceMRSClusterV1(), + //"huaweicloud_mrs_job_v1": ResourceMRSJobV1(), "huaweicloud_networking_port_v2": ResourceNetworkingPortV2(), "huaweicloud_networking_secgroup_v2": ResourceNetworkingSecGroupV2(), "huaweicloud_networking_secgroup_rule_v2": ResourceNetworkingSecGroupRuleV2(), diff --git a/huaweicloud/services/acceptance/waf/resource_huaweicloud_waf_policy_test.go b/huaweicloud/services/acceptance/waf/resource_huaweicloud_waf_policy_test.go new file mode 100644 index 00000000000..be734309a0f --- /dev/null +++ b/huaweicloud/services/acceptance/waf/resource_huaweicloud_waf_policy_test.go @@ -0,0 +1,147 @@ +package waf + +import ( + "fmt" + "github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/config" + "github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/services/acceptance" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/terraform" + + "github.com/huaweicloud/golangsdk/openstack/waf_hw/v1/policies" +) + +func TestAccWafPolicyV1_basic(t *testing.T) { + var policy policies.Policy + randName := acctest.RandString(5) + resourceName := "huaweicloud_waf_policy.policy_1" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { acceptance.TestAccPreCheck(t) }, + Providers: acceptance.TestAccProviders, + CheckDestroy: testAccCheckWafPolicyV1Destroy, + Steps: []resource.TestStep{ + { + Config: testAccWafPolicyV1_basic(randName), + Check: resource.ComposeTestCheckFunc( + testAccCheckWafPolicyV1Exists(resourceName, &policy), + resource.TestCheckResourceAttr(resourceName, "name", fmt.Sprintf("policy-%s", randName)), + resource.TestCheckResourceAttr(resourceName, "protection_mode", "log"), + resource.TestCheckResourceAttr(resourceName, "level", "2"), + resource.TestCheckResourceAttr(resourceName, "full_detection", "false"), + ), + }, + }, + }) +} + +func TestAccWafPolicyV1_update(t *testing.T) { + var policy policies.Policy + randName := acctest.RandString(5) + resourceName := "huaweicloud_waf_policy.policy_1" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { acceptance.TestAccPreCheck(t) }, + Providers: acceptance.TestAccProviders, + CheckDestroy: testAccCheckWafPolicyV1Destroy, + Steps: []resource.TestStep{ + { + Config: testAccWafPolicyV1_basic(randName), + Check: resource.ComposeTestCheckFunc( + testAccCheckWafPolicyV1Exists(resourceName, &policy), + resource.TestCheckResourceAttr(resourceName, "name", fmt.Sprintf("policy-%s", randName)), + resource.TestCheckResourceAttr(resourceName, "protection_mode", "log"), + resource.TestCheckResourceAttr(resourceName, "level", "2"), + resource.TestCheckResourceAttr(resourceName, "full_detection", "false"), + ), + }, + { + Config: testAccWafPolicyV1_update(randName), + Check: resource.ComposeTestCheckFunc( + testAccCheckWafPolicyV1Exists(resourceName, &policy), + resource.TestCheckResourceAttr(resourceName, "name", fmt.Sprintf("policy_%s_updated", randName)), + resource.TestCheckResourceAttr(resourceName, "protection_mode", "block"), + resource.TestCheckResourceAttr(resourceName, "level", "1"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func testAccCheckWafPolicyV1Destroy(s *terraform.State) error { + config := acceptance.TestAccProvider.Meta().(*config.Config) + wafClient, err := config.WafV1Client(acceptance.HW_REGION_NAME) + if err != nil { + return fmt.Errorf("error creating HuaweiCloud WAF client: %s", err) + } + + for _, rs := range s.RootModule().Resources { + if rs.Type != "huaweicloud_waf_policy" { + continue + } + + _, err := policies.Get(wafClient, rs.Primary.ID).Extract() + if err == nil { + return fmt.Errorf("Waf policy still exists") + } + } + + return nil +} + +func testAccCheckWafPolicyV1Exists(n string, policy *policies.Policy) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("No ID is set") + } + + config := acceptance.TestAccProvider.Meta().(*config.Config) + wafClient, err := config.WafV1Client(acceptance.HW_REGION_NAME) + if err != nil { + return fmt.Errorf("error creating huaweicloud WAF client: %s", err) + } + + found, err := policies.Get(wafClient, rs.Primary.ID).Extract() + if err != nil { + return err + } + + if found.Id != rs.Primary.ID { + return fmt.Errorf("Waf policy not found") + } + + *policy = *found + + return nil + } +} + +func testAccWafPolicyV1_basic(name string) string { + return fmt.Sprintf(` +resource "huaweicloud_waf_policy" "policy_1" { + name = "policy-%s" +} +`, name) +} + +func testAccWafPolicyV1_update(name string) string { + return fmt.Sprintf(` +resource "huaweicloud_waf_policy" "policy_1" { + name = "policy_%s_updated" + protection_mode = "block" + level = 1 +} +`, name) +} diff --git a/huaweicloud/services/waf/resource_huaweicloud_waf_policy.go b/huaweicloud/services/waf/resource_huaweicloud_waf_policy.go new file mode 100644 index 00000000000..a87911875a4 --- /dev/null +++ b/huaweicloud/services/waf/resource_huaweicloud_waf_policy.go @@ -0,0 +1,231 @@ +package waf + +import ( + "fmt" + "github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/common" + "github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/config" + "log" + "time" + + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/helper/validation" + "github.com/huaweicloud/golangsdk/openstack/waf_hw/v1/policies" +) + +func ResourceWafPolicyV1() *schema.Resource { + return &schema.Resource{ + Create: resourceWafPolicyV1Create, + Read: resourceWafPolicyV1Read, + Update: resourceWafPolicyV1Update, + Delete: resourceWafPolicyV1Delete, + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, + + Timeouts: &schema.ResourceTimeout{ + Create: schema.DefaultTimeout(10 * time.Minute), + Delete: schema.DefaultTimeout(10 * time.Minute), + }, + + Schema: map[string]*schema.Schema{ + "region": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Computed: true, + }, + "name": { + Type: schema.TypeString, + Required: true, + }, + "protection_mode": { + Type: schema.TypeString, + Optional: true, + Default: "log", + ValidateFunc: validation.StringInSlice([]string{ + "log", "block", + }, false), + }, + "level": { + Type: schema.TypeInt, + Optional: true, + Default: 2, + ValidateFunc: validation.IntBetween(0, 3), + }, + "options": { + Type: schema.TypeList, + Computed: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "webattack": { + Type: schema.TypeBool, + Computed: true, + }, + "common": { + Type: schema.TypeBool, + Computed: true, + }, + "crawler": { + Type: schema.TypeBool, + Computed: true, + }, + "crawler_engine": { + Type: schema.TypeBool, + Computed: true, + }, + "crawler_scanner": { + Type: schema.TypeBool, + Computed: true, + }, + "crawler_script": { + Type: schema.TypeBool, + Computed: true, + }, + "crawler_other": { + Type: schema.TypeBool, + Computed: true, + }, + "webshell": { + Type: schema.TypeBool, + Computed: true, + }, + "cc": { + Type: schema.TypeBool, + Computed: true, + }, + "custom": { + Type: schema.TypeBool, + Computed: true, + }, + "whiteblackip": { + Type: schema.TypeBool, + Computed: true, + }, + "privacy": { + Type: schema.TypeBool, + Computed: true, + }, + "ignore": { + Type: schema.TypeBool, + Computed: true, + }, + "antitamper": { + Type: schema.TypeBool, + Computed: true, + }, + }, + }, + }, + + "full_detection": { + Type: schema.TypeBool, + Computed: true, + }, + }, + } +} + +func resourceWafPolicyV1Create(d *schema.ResourceData, meta interface{}) error { + config := meta.(*config.Config) + wafClient, err := config.WafV1Client(config.GetRegion(d)) + if err != nil { + return fmt.Errorf("Error creating HuaweiCloud WAF client: %s", err) + } + + createOpts := policies.CreateOpts{ + Name: d.Get("name").(string), + } + policy, err := policies.Create(wafClient, createOpts).Extract() + if err != nil { + return fmt.Errorf("Error creating waf policy: %s", err) + } + + log.Printf("[DEBUG] Waf policy created: %#v", policy) + d.SetId(policy.Id) + d.Set("name", policy.Name) + + return resourceWafPolicyV1Read(d, meta) +} + +func resourceWafPolicyV1Read(d *schema.ResourceData, meta interface{}) error { + config := meta.(*config.Config) + wafClient, err := config.WafV1Client(config.GetRegion(d)) + if err != nil { + return fmt.Errorf("error creating HuaweiCloud WAF client: %s", err) + } + + n, err := policies.Get(wafClient, d.Id()).Extract() + if err != nil { + return common.CheckDeleted(d, err, "Waf Policy") + } + + d.Set("region", config.GetRegion(d)) + d.Set("name", n.Name) + d.Set("level", n.Level) + d.Set("protection_mode", n.Action.Category) + d.Set("full_detection", n.FullDetection) + + options := []map[string]interface{}{ + { + "webattack": n.Options.Webattack, + "common": n.Options.Common, + "crawler": n.Options.Crawler, + "crawler_engine": n.Options.CrawlerEngine, + "crawler_scanner": n.Options.CrawlerScanner, + "crawler_script": n.Options.CrawlerScript, + "crawler_other": n.Options.CrawlerOther, + "webshell": n.Options.Webshell, + "cc": n.Options.Cc, + "custom": n.Options.Custom, + "whiteblackip": n.Options.Whiteblackip, + "ignore": n.Options.Ignore, + "privacy": n.Options.Privacy, + "antitamper": n.Options.Antitamper, + }, + } + d.Set("options", options) + return nil +} + +func resourceWafPolicyV1Update(d *schema.ResourceData, meta interface{}) error { + config := meta.(*config.Config) + wafClient, err := config.WafV1Client(config.GetRegion(d)) + if err != nil { + return fmt.Errorf("error creating HuaweiCloud WAF Client: %s", err) + } + + if d.HasChanges("name", "level", "protection_mode") { + updateOpts := policies.UpdateOpts{ + Name: d.Get("name").(string), + Level: d.Get("level").(int), + Action: &policies.Action{ + Category: d.Get("protection_mode").(string), + }, + } + + log.Printf("[DEBUG] updateOpts: %#v", updateOpts) + _, err = policies.Update(wafClient, d.Id(), updateOpts).Extract() + if err != nil { + return fmt.Errorf("error updating WAF Policy: %s", err) + } + } + + return resourceWafPolicyV1Read(d, meta) +} + +func resourceWafPolicyV1Delete(d *schema.ResourceData, meta interface{}) error { + config := meta.(*config.Config) + wafClient, err := config.WafV1Client(config.GetRegion(d)) + if err != nil { + return fmt.Errorf("error creating HuaweiCloud WAF client: %s", err) + } + + err = policies.Delete(wafClient, d.Id()).ExtractErr() + if err != nil { + return fmt.Errorf("error deleting WAF Policy: %s", err) + } + + d.SetId("") + return nil +}