feat: Add WAF policy blacklist rule management supports (#1283)

docs/resources/waf_rule_blacklist.md

@@ -0,0 +1,52 @@
+---
+subcategory: "Web Application Firewall (WAF)"
+---
+
+# huaweicloud_waf_rule_blacklist
+
+Manages a WAF blacklist and whitelist rule resource within HuaweiCloud.
+
+## Example Usage
+
+```hcl
+resource "huaweicloud_waf_policy" "policy_1" {
+  name = "policy_1"
+}
+
+resource "huaweicloud_waf_rule_blacklist" "rule_1" {
+  policy_id  = huaweicloud_waf_policy.policy_1.id
+  ip_address = "192.168.0.0/24"
+  action     = 0
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+* `region` - (Optional, String, ForceNew) The region in which to create the WAF blacklist and whitelist rule resource.
+  If omitted, the provider-level region will be used. Changing this setting will push a new certificate.
+
+* `policy_id` - (Required, String, ForceNew) Specifies the WAF policy ID. Changing this creates a new rule.
+  Please make sure that the region which the policy belongs to be consistent with the `region`.
+
+* `ip_address` - (Required, String) Specifies the IP address or range. For example, 192.168.0.125 or 192.168.0.0/24.
+
+* `action` - (Optional, Int) Specifies the protective action. Defaults is `0`.
+  The value can be:
+  * `0`: block the request.
+  * `1`: allow the request.
+  * `2`: log the request only.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The rule ID in UUID format.
+
+## Import
+
+Blacklist and Whiltelist Rules can be imported using the policy ID and rule ID separated by a slash, e.g.:
+
+```sh
+terraform import huaweicloud_waf_rule_blacklist.rule_1 d78b439fd5e54ea08886e5f63ee7b3f5/ac01a092d50e4e6ba3cd622c1128ba2c
+```

huaweicloud/provider.go

@@ -511,6 +511,7 @@ func Provider() terraform.ResourceProvider {
 			"huaweicloud_waf_certificate":                 waf.ResourceWafCertificateV1(),
 			"huaweicloud_waf_domain":                      waf.ResourceWafDomainV1(),
 			"huaweicloud_waf_policy":                      waf.ResourceWafPolicyV1(),
+			"huaweicloud_waf_rule_blacklist":              waf.ResourceWafRuleBlackListV1(),
 
 			// Legacy
 			"huaweicloud_compute_instance_v2":                ResourceComputeInstanceV2(),

huaweicloud/services/acceptance/waf/resource_huaweicloud_waf_rule_blacklist_test.go

@@ -0,0 +1,176 @@
+package waf
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/config"
+	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/services/acceptance"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/terraform"
+
+	rules "github.com/huaweicloud/golangsdk/openstack/waf_hw/v1/whiteblackip_rules"
+)
+
+func TestAccWafRuleBlackList_basic(t *testing.T) {
+	var rule rules.WhiteBlackIP
+	randName := acctest.RandString(5)
+	rName1 := "huaweicloud_waf_rule_blacklist.rule_1"
+	rName2 := "huaweicloud_waf_rule_blacklist.rule_2"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { acceptance.TestAccPreCheck(t) },
+		Providers:    acceptance.TestAccProviders,
+		CheckDestroy: testAccCheckWafRuleBlackListDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccWafRuleBlackList_basic(randName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWafRuleBlackListExists(rName1, &rule),
+					resource.TestCheckResourceAttr(rName1, "ip_address", "192.168.0.0/24"),
+					resource.TestCheckResourceAttr(rName1, "action", "0"),
+
+					testAccCheckWafRuleBlackListExists(rName2, &rule),
+					resource.TestCheckResourceAttr(rName2, "ip_address", "192.165.0.0/24"),
+					resource.TestCheckResourceAttr(rName2, "action", "1"),
+				),
+			},
+			{
+				Config: testAccWafRuleBlackList_update(randName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWafRuleBlackListExists(rName1, &rule),
+					resource.TestCheckResourceAttr(rName1, "ip_address", "192.168.0.125"),
+					resource.TestCheckResourceAttr(rName1, "action", "2"),
+
+					testAccCheckWafRuleBlackListExists(rName2, &rule),
+					resource.TestCheckResourceAttr(rName2, "ip_address", "192.150.0.0/24"),
+					resource.TestCheckResourceAttr(rName2, "action", "0"),
+				),
+			},
+			{
+				ResourceName:      rName1,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateIdFunc: testAccWafRuleImportStateIdFunc(rName1),
+			},
+		},
+	})
+}
+
+func testAccCheckWafRuleBlackListDestroy(s *terraform.State) error {
+	config := acceptance.TestAccProvider.Meta().(*config.Config)
+	wafClient, err := config.WafV1Client(acceptance.HW_REGION_NAME)
+	if err != nil {
+		return fmt.Errorf("error creating HuaweiCloud WAF client: %s", err)
+	}
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "huaweicloud_waf_rule_blacklist" {
+			continue
+		}
+
+		policyID := rs.Primary.Attributes["policy_id"]
+		_, err := rules.Get(wafClient, policyID, rs.Primary.ID).Extract()
+		if err == nil {
+			return fmt.Errorf("Waf rule still exists")
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckWafRuleBlackListExists(n string, rule *rules.WhiteBlackIP) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No ID is set")
+		}
+
+		config := acceptance.TestAccProvider.Meta().(*config.Config)
+		wafClient, err := config.WafV1Client(acceptance.HW_REGION_NAME)
+		if err != nil {
+			return fmt.Errorf("error creating HuaweiCloud WAF client: %s", err)
+		}
+
+		policyID := rs.Primary.Attributes["policy_id"]
+		found, err := rules.Get(wafClient, policyID, rs.Primary.ID).Extract()
+		if err != nil {
+			return err
+		}
+
+		if found.Id != rs.Primary.ID {
+			return fmt.Errorf("WAF black list rule not found")
+		}
+
+		*rule = *found
+
+		return nil
+	}
+}
+
+// testAccWafRuleImportStateIdFunc is used to test exporting rule information from the HuaweiCloud to terraform.
+// It is also called by other rules unit tests.
+func testAccWafRuleImportStateIdFunc(name string) resource.ImportStateIdFunc {
+	return func(s *terraform.State) (string, error) {
+		policy, ok := s.RootModule().Resources["huaweicloud_waf_policy.policy_1"]
+		if !ok {
+			return "", fmt.Errorf("WAF policy not found")
+		}
+		rule, ok := s.RootModule().Resources[name]
+		if !ok {
+			return "", fmt.Errorf("WAF rule not found")
+		}
+
+		if policy.Primary.ID == "" || rule.Primary.ID == "" {
+			return "", fmt.Errorf("resource not found: %s/%s", policy.Primary.ID, rule.Primary.ID)
+		}
+		return fmt.Sprintf("%s/%s", policy.Primary.ID, rule.Primary.ID), nil
+	}
+}
+
+func testAccWafRuleBlackList_basic(name string) string {
+	return fmt.Sprintf(`
+resource "huaweicloud_waf_policy" "policy_1" {
+  name = "policy_%s"
+}
+
+resource "huaweicloud_waf_rule_blacklist" "rule_1" {
+  policy_id  = huaweicloud_waf_policy.policy_1.id
+  ip_address = "192.168.0.0/24"
+}
+
+resource "huaweicloud_waf_rule_blacklist" "rule_2" {
+  policy_id  = huaweicloud_waf_policy.policy_1.id
+  ip_address = "192.165.0.0/24"
+  action     = 1
+}
+
+`, name)
+}
+
+func testAccWafRuleBlackList_update(name string) string {
+	return fmt.Sprintf(`
+resource "huaweicloud_waf_policy" "policy_1" {
+  name = "policy_%s"
+}
+
+resource "huaweicloud_waf_rule_blacklist" "rule_1" {
+  policy_id  = huaweicloud_waf_policy.policy_1.id
+  ip_address = "192.168.0.125"
+  action     = 2
+}
+
+resource "huaweicloud_waf_rule_blacklist" "rule_2" {
+  policy_id  = huaweicloud_waf_policy.policy_1.id
+  ip_address = "192.150.0.0/24"
+  action     = 0
+}
+
+`, name)
+}