From 8c24dff78a96bc3bbb3e4ef748e4163fb5e85605 Mon Sep 17 00:00:00 2001
From: "pavel.koev"
Date: Thu, 19 Oct 2023 12:03:20 +0300
Subject: [PATCH] #CWMS-2926 add use_default_ciphers field and documentation

---
 incapsula/client_site_ssl_settings.go | 5 +-
 incapsula/client_site_ssl_settings_test.go | 7 ++-
 incapsula/resource_site_ssl_settings.go | 11 ++++-
 .../docs/r/site_ssl_settings.html.markdown | 46 +++++++++++++++++--
 4 files changed, 60 insertions(+), 9 deletions(-)

diff --git a/incapsula/client_site_ssl_settings.go b/incapsula/client_site_ssl_settings.go
index 55326d2f..329d4511 100644
--- a/incapsula/client_site_ssl_settings.go
+++ b/incapsula/client_site_ssl_settings.go
@@ -21,8 +21,9 @@ type InboundTLSSettingsConfiguration struct {
 }
 
 type TLSConfiguration struct {
- TLSVersion string `json:"tlsVersion"`
- CiphersSupport []string `json:"ciphersSupport"`
+ TLSVersion string `json:"tlsVersion"`
+ UseDefaultCiphers bool `json:"useDefaultCiphers"`
+ CiphersSupport []string `json:"ciphersSupport"`
 }
 
 type SSLSettingsDTO struct {
diff --git a/incapsula/client_site_ssl_settings_test.go b/incapsula/client_site_ssl_settings_test.go
index 4f1df272..9d4a52a0 100644
--- a/incapsula/client_site_ssl_settings_test.go
+++ b/incapsula/client_site_ssl_settings_test.go
@@ -279,14 +279,16 @@ func getUpdateSiteSSLSettingsDTO() SSLSettingsResponse {
 ConfigurationProfile: "CUSTOM",
 TLSConfigurations: []TLSConfiguration{
 {
- TLSVersion: "TLS 1.1",
+ TLSVersion: "TLS 1.1",
+ UseDefaultCiphers: false,
 CiphersSupport: []string{
 "TLS_AES_128_GCM_SHA256",
 "TLS_AES_128_GCM_SHA256",
 },
 },
 {
- TLSVersion: "TLS 1.2",
+ TLSVersion: "TLS 1.2",
+ UseDefaultCiphers: false,
 CiphersSupport: []string{
 "TLS_AES_128_GCM_SHA256",
 "TLS_AES_128_GCM_SHA256",
@@ -329,6 +331,7 @@ func getValidJSONResponse() string {
 "tlsConfiguration": [
 {
 "tlsVersion": "TLS 1.1",
+ "useDefaultCiphers": false,
 "ciphersSupport": [
 "TLS_AES_128_GCM_SHA256",
 "TLS_AES_128_GCM_SHA256"
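Review bot: `UseDefaultCiphers` is added to `TLSConfiguration` without a doc comment, and nothing in the patch says how the API treats `CiphersSupport` when the flag is true (ignored, merged, or rejected), which is exactly what a caller building a DTO from this struct needs to know. Suggest a comment above the field along the lines of `// UseDefaultCiphers asks the API to apply its default cipher list for TLSVersion; how CiphersSupport is treated when this is true is not defined here — TODO confirm against the API contract.` The field has no `omitempty`, so a false value is always serialized; that looks intentional, since the test fixtures in this patch spell the false value out explicitly.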
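Review bot: Every fixture in this hunk, and the `getValidJSONResponse` hunk below it, sets `useDefaultCiphers` to false, so a true value never round-trips through the client and a regression that drops the field on the true path (for example a later `omitempty`) would not be caught. Give one of the two `TLSConfiguration` entries `UseDefaultCiphers: true,` and add the matching `"useDefaultCiphers": true,` to that entry in the JSON fixture. The JSON hunk adds the key only to the `TLS 1.1` entry; if a `TLS 1.2` entry follows outside the hunk it should presumably carry the key too so the fixture stays a faithful server response. Both `getUpdateSiteSSLSettingsDTO` and `getValidJSONResponse` continue past the end of their hunks.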
diff --git a/incapsula/resource_site_ssl_settings.go b/incapsula/resource_site_ssl_settings.go
index d1b55558..0a750244 100644
--- a/incapsula/resource_site_ssl_settings.go
+++ b/incapsula/resource_site_ssl_settings.go
@@ -48,6 +48,10 @@ var inboundTLSSettingsResource = schema.Resource{
 Type: schema.TypeString,
 Required: true,
 },
+ "use_default_ciphers": {
+ Type: schema.TypeBool,
+ Required: true,
+ },
 "ciphers_support": {
 Type: schema.TypeList,
 Required: true,
@@ -230,6 +234,7 @@ func mapInboundTLSSettingsResponseToResource(d *schema.ResourceData, settingsDat
 for _, tlsConfig := range inboundTLSSettingsFromServer.TLSConfigurations {
 tlsConfigMap := make(map[string]interface{})
 tlsConfigMap["tls_version"] = tlsConfig.TLSVersion
+ tlsConfigMap["use_default_ciphers"] = tlsConfig.UseDefaultCiphers
 tlsConfigMap["ciphers_support"] = toStringInterfaceSlice(tlsConfig.CiphersSupport)
 
 tlsConfigurations = append(tlsConfigurations, tlsConfigMap)
@@ -261,11 +266,13 @@ func mapInboundTLSSettingsResourceToDTO(resourceData *schema.ResourceData) *Inbo
 for _, tlsConfig := range tlsConfigurations {
 tlsConfigMap := tlsConfig.(map[string]interface{})
 tlsVersion := tlsConfigMap["tls_version"].(string)
+ useDefaultCiphers := tlsConfigMap["use_default_ciphers"].(bool)
 ciphersSupport := tlsConfigMap["ciphers_support"].([]interface{})
 
 tlsConfigDTO := TLSConfiguration{
- TLSVersion: tlsVersion,
- CiphersSupport: toStringSlice(ciphersSupport),
+ TLSVersion: tlsVersion,
+ UseDefaultCiphers: useDefaultCiphers,
+ CiphersSupport: toStringSlice(ciphersSupport),
 }
 
 dto.TLSConfigurations = append(dto.TLSConfigurations, tlsConfigDTO)
diff --git a/website/docs/r/site_ssl_settings.html.markdown b/website/docs/r/site_ssl_settings.html.markdown
index eb4b752b..1948a60d 100644
--- a/website/docs/r/site_ssl_settings.html.markdown
+++ b/website/docs/r/site_ssl_settings.html.markdown
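Review bot: Declaring `use_default_ciphers` as `Required: true` in the block added to `inboundTLSSettingsResource` turns every existing `tls_configuration` block that does not name the attribute into a plan-time error, and it contradicts the markdown in this same patch, which documents the attribute with `Default: true`. Either make it `Optional: true, Default: <API default — TODO confirm>,` so existing configurations keep working and the doc is accurate, or change the doc to say it is required with no default. Related: `ciphers_support` is documented as optional but stays `Required: true` in the context lines here, so a user who sets `use_default_ciphers = true` still has to supply a cipher list, and neither the schema (no `ValidateFunc`) nor `mapInboundTLSSettingsResourceToDTO` in the last hunk of this file checks that the two attributes are consistent. The example in the markdown hunk also pairs TLS 1.3-only suites with `TLS_1_2` and a TLS 1.2 suite with `TLS_1_3`, which the provider would pass straight to the API; a short cross-field check in the DTO mapping, or at least a comment stating that the API is the only validator, would help. The enclosing `schema.Resource` literal starts before this hunk.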
@@ -8,13 +8,17 @@ description: |-
 Provides an Incapsula Site SSL Settings resource.
 Provides an Incapsula Site SSL Settings resource.
 
-If you run the same resource from a site for which SSL is not yet enabled and **approved** will result in the following error response:
+In this resource you can configure:
+- HSTS: A security mechanism enabling websites to announce themselves as accessible only via HTTPS.
+For more information about HSTS, click [here](https://www.imperva.com/blog/hsts-strict-transport-security/).
+- TLS settings: Define the supported TLS version and cipher suites used for encryption of the TLS handshake between client and Imperva.
+For more information about supported TLS versions and ciphers, click [here](https://docs.imperva.com/bundle/cloud-application-security/page/cipher-suites.htm).
+
+If you run the SSL settings resource from a site for which SSL is not yet enabled and the SSL certificate is not approved, it will result in the following error response:
 - `status:` 406
 - `message:` Site does not have SSL configured
 - To enable this feature for your site, you must first configure its SSL settings including a valid certificate.
 
-For more information what HSTS is click [here](https://www.imperva.com/blog/hsts-strict-transport-security/).
-
 ## Example Usage
 
 ```hcl
@@ -27,6 +31,20 @@ resource "incapsula_site_ssl_settings" "example" {
 sub_domains_included = true
 pre_loaded = false
 }
+ inbound_tls_settings {
+ configuration_profile = "CUSTOM"
+
+ tls_configuration {
+ tls_version = "TLS_1_2"
+ use_default_ciphers = false
+ ciphers_support = ["TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384"]
+ }
+ tls_configuration {
+ tls_version = "TLS_1_3"
+ use_default_ciphers = false
+ ciphers_support = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
+ }
+ }
 }
 ```
 
@@ -37,6 +55,8 @@ The following arguments are supported:
 * `site_id` - (Required) Numeric identifier of the site to operate on.
 * `hsts` - (Optional): HTTP Strict Transport Security (HSTS) configuration settings for the site.
 - Type: `set` of `hsts_config` resource (defined below)
+* `inbound_tls_settings` - (Optional): Transport Layer Security (TLS) configuration settings for the site.
+ - Type: `set` of `inbound_tls_settings` resource (defined below)
 
 ## Schema of `hsts_config` resource
 
@@ -55,6 +75,26 @@ The `hsts_config` resource represents the configuration settings for HTTP Strict
 - Type: `bool`
 - Default: `false`
 
+## Schema of `inbound_tls_settings` resource
+
+The `inbound_tls_settings` resource represents the configuration settings for Transport Layer Security (TLS).
+
+* `configuration_profile` - (Required): Where to use a pre-defined or custom configuration for TLS settings.
+ - Type: `string`
+* `tls_configuration` - (Optional): List supported TLS versions and ciphers.
+ - Type: `List`
+
+### Nested Schema for `tls_configuration`
+
+* `tls_version` - (Required): TLS supported versions.
+ - Type: `string`
+* `use_default_ciphers` - (Required): Whether to use Imperva’s default ciphers for this TLS version
+ - Type: `bool`
+ - Default: `true`
+* `ciphers_support` - (Optional): List of ciphers to use for this TLS version.
+ - Type: `List`
+
+
 ## Attributes Reference
 
 The following attributes are exported: