From eb49433e4062d9968e4244046345b6498513bb51 Mon Sep 17 00:00:00 2001 From: Jacob Bednarz Date: Thu, 13 Oct 2022 14:04:39 +1100 Subject: [PATCH 1/3] resource/cloudflare_ruleset: add support for overriding all ruleset rule sensitivity levels Closes #1853 --- .../provider/resource_cloudflare_ruleset.go | 13 ++-- .../resource_cloudflare_ruleset_test.go | 69 +++++++++++++++++++ .../provider/schema_cloudflare_ruleset.go | 6 ++ 3 files changed, 84 insertions(+), 4 deletions(-) diff --git a/internal/provider/resource_cloudflare_ruleset.go b/internal/provider/resource_cloudflare_ruleset.go index 9bdc2aeb1c..436052b0e3 100644 --- a/internal/provider/resource_cloudflare_ruleset.go +++ b/internal/provider/resource_cloudflare_ruleset.go @@ -286,10 +286,11 @@ func buildStateFromRulesetRules(rules []cloudflare.RulesetRule) interface{} { } overrides = append(overrides, map[string]interface{}{ - "categories": categoryBasedOverrides, - "rules": idBasedOverrides, - "status": apiEnabledToStatusFieldConversion(r.ActionParameters.Overrides.Enabled), - "action": r.ActionParameters.Overrides.Action, + "categories": categoryBasedOverrides, + "rules": idBasedOverrides, + "status": apiEnabledToStatusFieldConversion(r.ActionParameters.Overrides.Enabled), + "action": r.ActionParameters.Overrides.Action, + "sensitivity_level": r.ActionParameters.Overrides.SensitivityLevel, }) } @@ -725,6 +726,10 @@ func buildRulesetRulesFromResource(d *schema.ResourceData) ([]cloudflare.Ruleset overrideConfiguration.Action = val.(string) } + if val, ok := overrideParamValue.(map[string]interface{})["sensitivity_level"]; ok { + overrideConfiguration.SensitivityLevel = val.(string) + } + // Category based overrides if val, ok := overrideParamValue.(map[string]interface{})["categories"]; ok { for categoryCounter, category := range val.([]interface{}) { diff --git a/internal/provider/resource_cloudflare_ruleset_test.go b/internal/provider/resource_cloudflare_ruleset_test.go index 48f5910464..9e11612ada 100644 
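Review bot: In the second hunk of resource_cloudflare_ruleset.go, the new `overrideConfiguration.SensitivityLevel = val.(string)` uses an unchecked type assertion, so a nil or non-string value under `sensitivity_level` would panic the provider instead of producing an error. It mirrors the `Action` assignment just above, but the comma-ok form costs nothing: `if val, ok := overrideParamValue.(map[string]interface{})["sensitivity_level"].(string); ok && val != "" {`. The `val != ""` guard is only a suggestion, since whether an empty string is dropped before the API call depends on the client struct, which is not visible here. buildRulesetRulesFromResource starts and ends outside the hunk.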
--- a/internal/provider/resource_cloudflare_ruleset_test.go
+++ b/internal/provider/resource_cloudflare_ruleset_test.go
@@ -1267,6 +1267,50 @@ func TestAccCloudflareRuleset_ActionParametersHTTPDDoSOverride(t *testing.T) { }) } +func TestAccCloudflareRuleset_ActionParametersOverrideAllRulesetRules(t *testing.T) { + // Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the WAF + // service does not yet support the API tokens and it results in + // misleading state error messages. + if os.Getenv("CLOUDFLARE_API_TOKEN") != "" { + defer func(apiToken string) { + os.Setenv("CLOUDFLARE_API_TOKEN", apiToken) + }(os.Getenv("CLOUDFLARE_API_TOKEN")) + os.Setenv("CLOUDFLARE_API_TOKEN", "") + } + + t.Parallel() + rnd := generateRandomResourceName() + zoneID := os.Getenv("CLOUDFLARE_ZONE_ID") + zoneName := os.Getenv("CLOUDFLARE_DOMAIN") + resourceName := "cloudflare_ruleset." + rnd + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + ProviderFactories: providerFactories, + Steps: []resource.TestStep{ + { + Config: testAccCheckCloudflareRulesetActionParametersOverrideSensitivityForAllRulesetRules(rnd, "overriding all ruleset rules sensitivity", zoneID, zoneName), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "name", "overriding all ruleset rules sensitivity"), + resource.TestCheckResourceAttr(resourceName, "description", rnd+" ruleset description"), + resource.TestCheckResourceAttr(resourceName, "kind", "zone"), + resource.TestCheckResourceAttr(resourceName, "phase", "ddos_l7"), + + resource.TestCheckResourceAttr(resourceName, "rules.#", "1"), + + resource.TestCheckResourceAttr(resourceName, "rules.0.action", "execute"), + resource.TestCheckResourceAttr(resourceName, "rules.0.action_parameters.0.id", "4d21379b4f9f4bb088e0729962c8b3cf"), + resource.TestCheckResourceAttr(resourceName, "rules.0.action_parameters.0.overrides.0.action", "log"), + resource.TestCheckResourceAttr(resourceName, "rules.0.action_parameters.0.overrides.0.sensitivity_level", "low"), + resource.TestCheckResourceAttr(resourceName, "rules.0.expression", 
"true"), + resource.TestCheckResourceAttr(resourceName, "rules.0.description", "override HTTP DDoS ruleset rule"), + resource.TestCheckResourceAttr(resourceName, "rules.0.enabled", "true"), + ), + }, + }, + }) +} + func TestAccCloudflareRuleset_AccountLevelCustomWAFRule(t *testing.T) { // Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the WAF // service does not yet support the API tokens and it results in @@ -3203,3 +3247,28 @@ func testAccCloudflareRulesetRedirectFromValue(rnd, zoneID string) string { } }`, rnd, zoneID) } + +func testAccCheckCloudflareRulesetActionParametersOverrideSensitivityForAllRulesetRules(rnd, name, zoneID, zoneName string) string { + return fmt.Sprintf(` + resource "cloudflare_ruleset" "%[1]s" { + zone_id = "%[3]s" + name = "%[2]s" + description = "%[1]s ruleset description" + kind = "zone" + phase = "ddos_l7" + + rules { + action = "execute" + action_parameters { + id = "4d21379b4f9f4bb088e0729962c8b3cf" + overrides { + action = "log" + sensitivity_level = "low" + } + } + expression = "true" + description = "override HTTP DDoS ruleset rule" + enabled = true + } + }`, rnd, name, zoneID, zoneName) +} diff --git a/internal/provider/schema_cloudflare_ruleset.go b/internal/provider/schema_cloudflare_ruleset.go index e238a88246..0e89c89e91 100644 --- a/internal/provider/schema_cloudflare_ruleset.go +++ b/internal/provider/schema_cloudflare_ruleset.go 
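Review bot: TestAccCloudflareRuleset_ActionParametersOverrideAllRulesetRules clears `CLOUDFLARE_API_TOKEN` with `os.Setenv` and then calls `t.Parallel()`, so the process-wide credential variable is changed while other parallel tests may be reading it, and the deferred restore runs only when this test returns. The same pattern appears in the context lines of the following test, so it follows the file's convention, but it makes which credential a test authenticates with depend on scheduling. The standard library's `t.Setenv` refuses to run in a parallel test for exactly this reason; consider clearing the token once in shared setup, or dropping `t.Parallel()` from the tests that touch it. The return values of both `os.Setenv` calls are also discarded.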
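Review bot: testAccCheckCloudflareRulesetActionParametersOverrideSensitivityForAllRulesetRules accepts `zoneName` and passes it to `fmt.Sprintf`, but the template only references `%[1]s`, `%[2]s` and `%[3]s`, so the argument is never used. Either drop the parameter or add a comment saying why it is kept. The ruleset ID `4d21379b4f9f4bb088e0729962c8b3cf` is written out both in this fixture and in the test's assertion; a shared constant with a short comment naming the ruleset would keep the two in step. The fixture only covers `low`, so a second step that applies `eoff` or removes the attribute would exercise the read-back path for the weakest and the unset case.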
@@ -260,6 +260,12 @@ func resourceCloudflareRulesetSchema() map[string]*schema.Schema {
 ValidateFunc: validation.StringInSlice(cloudflare.RulesetRuleActionValues(), false),
 Description: fmt.Sprintf("Action to perform in the rule-level override. %s", renderAvailableDocumentationValuesStringSlice(cloudflare.RulesetRuleActionValues())),
 },
+ "sensitivity_level": {
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateFunc: validation.StringInSlice([]string{"high", "medium", "low", "eoff"}, false),
+ Description: fmt.Sprintf("Sensitivity level to override for all ruleset rules. %s", renderAvailableDocumentationValuesStringSlice([]string{"high", "medium", "low", "eoff"})),
+ },
 "categories": {
 Type: schema.TypeList,
 Optional: true,
From 8c2e1af2b4278719f8c4d0f25ac0cd2d99279c7a Mon Sep 17 00:00:00 2001
From: Jacob Bednarz
Date: Thu, 13 Oct 2022 14:16:59 +1100
Subject: [PATCH 2/3] add CHANGELOG
---
 .changelog/1965.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/1965.txt
diff --git a/.changelog/1965.txt b/.changelog/1965.txt
new file mode 100644
index 0000000000..3c2f73f0c6
--- /dev/null
+++ b/.changelog/1965.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_ruleset: add support for overriding sensitivity levels for ruleset rules
+```
From f1b5fbecbd377d7e851a9676865e671bd4a35fa9 Mon Sep 17 00:00:00 2001
From: Jacob Bednarz
Date: Tue, 18 Oct 2022 06:12:43 +1100
Subject: [PATCH 3/3] resource/cloudflare_ruleset: sensitivity_level should be `default` for highest setting
---
 docs/resources/ruleset.md | 1 +
 internal/provider/schema_cloudflare_ruleset.go | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/docs/resources/ruleset.md b/docs/resources/ruleset.md
index f804ee80b9..44f5bfb674 100644
--- a/docs/resources/ruleset.md
+++ b/docs/resources/ruleset.md
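Review bot: The new `sensitivity_level` entry in schema_cloudflare_ruleset.go spells out the allowed values twice, once in `ValidateFunc` and once in `Description`, so the validator and the generated documentation can drift apart; the follow-up hunk in PATCH 3/3 keeps the duplication and has to edit both copies. The neighbouring `action` field avoids this by calling `cloudflare.RulesetRuleActionValues()` in both places. A single package-level slice, under a name such as `rulesetSensitivityLevels`, passed to both `validation.StringInSlice` and `renderAvailableDocumentationValuesStringSlice` would give the same guarantee here. resourceCloudflareRulesetSchema starts and ends outside the hunk.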
@@ -709,6 +709,7 @@ Optional: - `categories` (Block List) List of tag-based overrides. (see [below for nested schema](#nestedblock--rules--action_parameters--overrides--categories)) - `enabled` (Boolean, Deprecated) Defines if the current ruleset-level override enables or disables the ruleset. - `rules` (Block List) List of rule-based overrides. (see [below for nested schema](#nestedblock--rules--action_parameters--overrides--rules)) +- `sensitivity_level` (String) Sensitivity level to override for all ruleset rules. Available values: `default`, `medium`, `low`, `eoff`. - `status` (String) Defines if the current ruleset-level override enables or disables the ruleset. Available values: `enabled`, `disabled`. Defaults to `""`. diff --git a/internal/provider/schema_cloudflare_ruleset.go b/internal/provider/schema_cloudflare_ruleset.go index 0e89c89e91..d24e28236e 100644 --- a/internal/provider/schema_cloudflare_ruleset.go +++ b/internal/provider/schema_cloudflare_ruleset.go @@ -263,8 +263,8 @@ func resourceCloudflareRulesetSchema() map[string]*schema.Schema { "sensitivity_level": { Type: schema.TypeString, Optional: true, - ValidateFunc: validation.StringInSlice([]string{"high", "medium", "low", "eoff"}, false), - Description: fmt.Sprintf("Sensitivity level to override for all ruleset rules. %s", renderAvailableDocumentationValuesStringSlice([]string{"high", "medium", "low", "eoff"})), + ValidateFunc: validation.StringInSlice([]string{"default", "medium", "low", "eoff"}, false), + Description: fmt.Sprintf("Sensitivity level to override for all ruleset rules. %s", renderAvailableDocumentationValuesStringSlice([]string{"default", "medium", "low", "eoff"})), }, "categories": { Type: schema.TypeList,
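Review bot: The `Description` for `sensitivity_level` in schema_cloudflare_ruleset.go lists `eoff` without saying what it means or what lowering the level does. The acceptance test in this series applies the override to a `ddos_l7` ruleset, where a ruleset-wide `low` or `eoff` relaxes mitigation for every rule at once, so someone reading a plan should be able to tell that from the docs. Consider extending the text with a sentence such as `default is the most sensitive setting; eoff ("essentially off") is the least.` The ordering of `default` follows the commit subject, while the expansion of `eoff` is not shown on this page and should be confirmed against the API documentation. The `sensitivity_level` line in docs/resources/ruleset.md from the preceding hunk would then need regenerating to match.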