Merge pull request #1965 from cloudflare/override-sensitivity-for-all…
…-rules

resource/cloudflare_ruleset: add support for overriding all ruleset rule sensitivity levels
jacobbednarz authored Oct 17, 2022
2 parents 0d83b91 + f1b5fbe commit 389ed79
Showing 5 changed files with 88 additions and 4 deletions.
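--- a/.changelog/1965.txt
+++ b/.changelog/1965.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_ruleset: add support for overriding sensitivity levels for ruleset rules
+```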
1 change: 1 addition & 0 deletions docs/resources/ruleset.md
@@ -709,6 +709,7 @@ Optional:
- `categories` (Block List) List of tag-based overrides. (see [below for nested schema](#nestedblock--rules--action_parameters--overrides--categories))
- `enabled` (Boolean, Deprecated) Defines if the current ruleset-level override enables or disables the ruleset.
- `rules` (Block List) List of rule-based overrides. (see [below for nested schema](#nestedblock--rules--action_parameters--overrides--rules))
- `sensitivity_level` (String) Sensitivity level to override for all ruleset rules. Available values: `default`, `medium`, `low`, `eoff`.
- `status` (String) Defines if the current ruleset-level override enables or disables the ruleset. Available values: `enabled`, `disabled`. Defaults to `""`.

<a id="nestedblock--rules--action_parameters--overrides--categories"></a>
13 changes: 9 additions & 4 deletions internal/provider/resource_cloudflare_ruleset.go
@@ -286,10 +286,11 @@ func buildStateFromRulesetRules(rules []cloudflare.RulesetRule) interface{} {
}

overrides = append(overrides, map[string]interface{}{
"categories": categoryBasedOverrides,
"rules": idBasedOverrides,
"status": apiEnabledToStatusFieldConversion(r.ActionParameters.Overrides.Enabled),
"action": r.ActionParameters.Overrides.Action,
"categories": categoryBasedOverrides,
"rules": idBasedOverrides,
"status": apiEnabledToStatusFieldConversion(r.ActionParameters.Overrides.Enabled),
"action": r.ActionParameters.Overrides.Action,
"sensitivity_level": r.ActionParameters.Overrides.SensitivityLevel,
})
}

@@ -725,6 +726,10 @@ func buildRulesetRulesFromResource(d *schema.ResourceData) ([]cloudflare.Ruleset
overrideConfiguration.Action = val.(string)
}

if val, ok := overrideParamValue.(map[string]interface{})["sensitivity_level"]; ok {
overrideConfiguration.SensitivityLevel = val.(string)
}

// Category based overrides
if val, ok := overrideParamValue.(map[string]interface{})["categories"]; ok {
for categoryCounter, category := range val.([]interface{}) {
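Review bot: The new `sensitivity_level` block in buildRulesetRulesFromResource uses the unchecked assertion `val.(string)`, which would panic the provider rather than return an error if the stored value were ever not a string. The schema file in this commit declares the attribute as a string, so this is presumably safe today, and the `action` block just above is written the same way. The comma-ok form costs nothing and fails closed: `if val, ok := overrideParamValue.(map[string]interface{})["sensitivity_level"].(string); ok {`. The enclosing function starts and ends outside the hunk.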
69 changes: 69 additions & 0 deletions internal/provider/resource_cloudflare_ruleset_test.go
@@ -1267,6 +1267,50 @@ func TestAccCloudflareRuleset_ActionParametersHTTPDDoSOverride(t *testing.T) {
})
}

func TestAccCloudflareRuleset_ActionParametersOverrideAllRulesetRules(t *testing.T) {
// Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the WAF
// service does not yet support the API tokens and it results in
// misleading state error messages.
if os.Getenv("CLOUDFLARE_API_TOKEN") != "" {
defer func(apiToken string) {
os.Setenv("CLOUDFLARE_API_TOKEN", apiToken)
}(os.Getenv("CLOUDFLARE_API_TOKEN"))
os.Setenv("CLOUDFLARE_API_TOKEN", "")
}

t.Parallel()
rnd := generateRandomResourceName()
zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
zoneName := os.Getenv("CLOUDFLARE_DOMAIN")
resourceName := "cloudflare_ruleset." + rnd

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
ProviderFactories: providerFactories,
Steps: []resource.TestStep{
{
Config: testAccCheckCloudflareRulesetActionParametersOverrideSensitivityForAllRulesetRules(rnd, "overriding all ruleset rules sensitivity", zoneID, zoneName),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(resourceName, "name", "overriding all ruleset rules sensitivity"),
resource.TestCheckResourceAttr(resourceName, "description", rnd+" ruleset description"),
resource.TestCheckResourceAttr(resourceName, "kind", "zone"),
resource.TestCheckResourceAttr(resourceName, "phase", "ddos_l7"),

resource.TestCheckResourceAttr(resourceName, "rules.#", "1"),

resource.TestCheckResourceAttr(resourceName, "rules.0.action", "execute"),
resource.TestCheckResourceAttr(resourceName, "rules.0.action_parameters.0.id", "4d21379b4f9f4bb088e0729962c8b3cf"),
resource.TestCheckResourceAttr(resourceName, "rules.0.action_parameters.0.overrides.0.action", "log"),
resource.TestCheckResourceAttr(resourceName, "rules.0.action_parameters.0.overrides.0.sensitivity_level", "low"),
resource.TestCheckResourceAttr(resourceName, "rules.0.expression", "true"),
resource.TestCheckResourceAttr(resourceName, "rules.0.description", "override HTTP DDoS ruleset rule"),
resource.TestCheckResourceAttr(resourceName, "rules.0.enabled", "true"),
),
},
},
})
}

func TestAccCloudflareRuleset_AccountLevelCustomWAFRule(t *testing.T) {
// Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the WAF
// service does not yet support the API tokens and it results in
@@ -3203,3 +3247,28 @@ func testAccCloudflareRulesetRedirectFromValue(rnd, zoneID string) string {
}
}`, rnd, zoneID)
}

func testAccCheckCloudflareRulesetActionParametersOverrideSensitivityForAllRulesetRules(rnd, name, zoneID, zoneName string) string {
return fmt.Sprintf(`
resource "cloudflare_ruleset" "%[1]s" {
zone_id = "%[3]s"
name = "%[2]s"
description = "%[1]s ruleset description"
kind = "zone"
phase = "ddos_l7"
rules {
action = "execute"
action_parameters {
id = "4d21379b4f9f4bb088e0729962c8b3cf"
overrides {
action = "log"
sensitivity_level = "low"
}
}
expression = "true"
description = "override HTTP DDoS ruleset rule"
enabled = true
}
}`, rnd, name, zoneID, zoneName)
}
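Review bot: TestAccCloudflareRuleset_ActionParametersOverrideAllRulesetRules clears `CLOUDFLARE_API_TOKEN` with `os.Setenv` and defers the restore, then calls `t.Parallel()`, so the credential is changed process-wide while other parallel tests run. The deferred restore fires when this test returns, which can put the token back while a sibling test that depends on it being unset is still executing. The pattern looks inherited from the neighbouring tests, so the cleaner fix is probably to unset the token once for the package (for example in a `TestMain`) rather than per test. The ignored `os.Setenv` errors would go away with that change too. Separately, the config helper takes `zoneName` and passes it to `fmt.Sprintf`, but the template never references `%[4]s`, and the test covers only `low`, with no step asserting that a value outside the allowed list is rejected.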
6 changes: 6 additions & 0 deletions internal/provider/schema_cloudflare_ruleset.go
@@ -260,6 +260,12 @@ func resourceCloudflareRulesetSchema() map[string]*schema.Schema {
ValidateFunc: validation.StringInSlice(cloudflare.RulesetRuleActionValues(), false),
Description: fmt.Sprintf("Action to perform in the rule-level override. %s", renderAvailableDocumentationValuesStringSlice(cloudflare.RulesetRuleActionValues())),
},
"sensitivity_level": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validation.StringInSlice([]string{"default", "medium", "low", "eoff"}, false),
Description: fmt.Sprintf("Sensitivity level to override for all ruleset rules. %s", renderAvailableDocumentationValuesStringSlice([]string{"default", "medium", "low", "eoff"})),
},
"categories": {
Type: schema.TypeList,
Optional: true,
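Review bot: The allowed values for `sensitivity_level` are written out twice as literal slices, once in `ValidateFunc` and once in `Description`, so validation and the generated docs can drift apart. The `action` field just above takes both from `cloudflare.RulesetRuleActionValues()`; a single package-level `var rulesetSensitivityLevels = []string{"default", "medium", "low", "eoff"}` used in both places would match that. The description also gives no hint that `eoff` (assuming it is Cloudflare's "essentially off" level) all but disables mitigation for every rule in the executed ruleset. Anyone reviewing a plan that sets it should be able to see that from the docs, for example `"Sensitivity level to override for all ruleset rules; eoff effectively turns mitigation off. %s"`. The schema function starts and ends outside the hunk.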
