resource/cloudflare_ruleset: add support for overriding all ruleset rule sensitivity levels #1965

Merged on Oct 17, 2022 (3 commits)

jacobbednarz

Closes #1853

Acceptance tests are passing

TF_ACC=1 go test $(go list ./...) -v -run "^TestAccCloudflareRuleset_" -count 1 -parallel 1 -timeout 120m -parallel 1
?       github.com/cloudflare/terraform-provider-cloudflare     [no test files]
=== RUN   TestAccCloudflareRuleset_WAFBasic
=== PAUSE TestAccCloudflareRuleset_WAFBasic
=== RUN   TestAccCloudflareRuleset_WAFManagedRuleset
=== PAUSE TestAccCloudflareRuleset_WAFManagedRuleset
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetOWASP
=== PAUSE TestAccCloudflareRuleset_WAFManagedRulesetOWASP
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetOWASPBlockXSSWithAnomalyOver60
=== PAUSE TestAccCloudflareRuleset_WAFManagedRulesetOWASPBlockXSSWithAnomalyOver60
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetOWASPOnlyPL1
=== PAUSE TestAccCloudflareRuleset_WAFManagedRulesetOWASPOnlyPL1
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetDeployMultiple
=== PAUSE TestAccCloudflareRuleset_WAFManagedRulesetDeployMultiple
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetDeployMultipleWithSkip
=== PAUSE TestAccCloudflareRuleset_WAFManagedRulesetDeployMultipleWithSkip
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetDeployMultipleWithTopSkipAndLastSkip
=== PAUSE TestAccCloudflareRuleset_WAFManagedRulesetDeployMultipleWithTopSkipAndLastSkip
=== RUN   TestAccCloudflareRuleset_SkipPhaseAndProducts
=== PAUSE TestAccCloudflareRuleset_SkipPhaseAndProducts
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetWithCategoryAndRuleBasedOverrides
=== PAUSE TestAccCloudflareRuleset_WAFManagedRulesetWithCategoryAndRuleBasedOverrides
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetWithIDBasedOverrides
=== PAUSE TestAccCloudflareRuleset_WAFManagedRulesetWithIDBasedOverrides
=== RUN   TestAccCloudflareRuleset_MagicTransitUpdateWithHigherPriority
    provider_test.go:191: Skipping acceptance test as 0da42c8d2132a9ddaf714f9e7c920711 is not configured for Magic Transit
--- SKIP: TestAccCloudflareRuleset_MagicTransitUpdateWithHigherPriority (0.00s)
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetWithPayloadLogging
=== PAUSE TestAccCloudflareRuleset_WAFManagedRulesetWithPayloadLogging
=== RUN   TestAccCloudflareRuleset_RateLimit
=== PAUSE TestAccCloudflareRuleset_RateLimit
=== RUN   TestAccCloudflareRuleset_CustomErrors
=== PAUSE TestAccCloudflareRuleset_CustomErrors
=== RUN   TestAccCloudflareRuleset_RequestOrigin
=== PAUSE TestAccCloudflareRuleset_RequestOrigin
=== RUN   TestAccCloudflareRuleset_TransformationRuleURIPath
=== PAUSE TestAccCloudflareRuleset_TransformationRuleURIPath
=== RUN   TestAccCloudflareRuleset_TransformationRuleURIQuery
=== PAUSE TestAccCloudflareRuleset_TransformationRuleURIQuery
=== RUN   TestAccCloudflareRuleset_TransformHTTPResponseHeaders
=== PAUSE TestAccCloudflareRuleset_TransformHTTPResponseHeaders
=== RUN   TestAccCloudflareRuleset_TransformationRuleURIPathAndQueryCombination
=== PAUSE TestAccCloudflareRuleset_TransformationRuleURIPathAndQueryCombination
=== RUN   TestAccCloudflareRuleset_TransformationRuleRequestHeaders
=== PAUSE TestAccCloudflareRuleset_TransformationRuleRequestHeaders
=== RUN   TestAccCloudflareRuleset_TransformationRuleResponseHeaders
=== PAUSE TestAccCloudflareRuleset_TransformationRuleResponseHeaders
=== RUN   TestAccCloudflareRuleset_ActionParametersMultipleSkips
=== PAUSE TestAccCloudflareRuleset_ActionParametersMultipleSkips
=== RUN   TestAccCloudflareRuleset_ActionParametersOverridesAction
=== PAUSE TestAccCloudflareRuleset_ActionParametersOverridesAction
=== RUN   TestAccCloudflareRuleset_ActionParametersHTTPDDoSOverride
=== PAUSE TestAccCloudflareRuleset_ActionParametersHTTPDDoSOverride
=== RUN   TestAccCloudflareRuleset_ActionParametersOverrideAllRulesetRules
=== PAUSE TestAccCloudflareRuleset_ActionParametersOverrideAllRulesetRules
=== RUN   TestAccCloudflareRuleset_AccountLevelCustomWAFRule
=== PAUSE TestAccCloudflareRuleset_AccountLevelCustomWAFRule
=== RUN   TestAccCloudflareRuleset_ExposedCredentialCheck
=== PAUSE TestAccCloudflareRuleset_ExposedCredentialCheck
=== RUN   TestAccCloudflareRuleset_Logging
=== PAUSE TestAccCloudflareRuleset_Logging
=== RUN   TestAccCloudflareRuleset_ConditionallySetActionParameterVersion
=== PAUSE TestAccCloudflareRuleset_ConditionallySetActionParameterVersion
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetWithActionManagedChallenge
=== PAUSE TestAccCloudflareRuleset_WAFManagedRulesetWithActionManagedChallenge
=== RUN   TestAccCloudflareRuleset_LogCustomField
=== PAUSE TestAccCloudflareRuleset_LogCustomField
=== RUN   TestAccCloudflareRuleset_ActionParametersOverridesThrashingStatus
=== PAUSE TestAccCloudflareRuleset_ActionParametersOverridesThrashingStatus
=== RUN   TestAccCloudflareRuleset_CacheSettings
=== PAUSE TestAccCloudflareRuleset_CacheSettings
=== RUN   TestAccCloudflareRuleset_Config
=== PAUSE TestAccCloudflareRuleset_Config
=== RUN   TestAccCloudflareRuleset_Redirect
=== PAUSE TestAccCloudflareRuleset_Redirect
=== RUN   TestAccCloudflareRuleset_DynamicRedirect
=== PAUSE TestAccCloudflareRuleset_DynamicRedirect
=== CONT  TestAccCloudflareRuleset_WAFBasic
--- PASS: TestAccCloudflareRuleset_WAFBasic (9.84s)
=== CONT  TestAccCloudflareRuleset_TransformationRuleURIPathAndQueryCombination
--- PASS: TestAccCloudflareRuleset_TransformationRuleURIPathAndQueryCombination (8.98s)
=== CONT  TestAccCloudflareRuleset_DynamicRedirect
--- PASS: TestAccCloudflareRuleset_DynamicRedirect (9.27s)
=== CONT  TestAccCloudflareRuleset_Redirect
--- PASS: TestAccCloudflareRuleset_Redirect (12.17s)
=== CONT  TestAccCloudflareRuleset_Config
--- PASS: TestAccCloudflareRuleset_Config (15.32s)
=== CONT  TestAccCloudflareRuleset_CacheSettings
--- PASS: TestAccCloudflareRuleset_CacheSettings (30.01s)
=== CONT  TestAccCloudflareRuleset_ActionParametersOverridesThrashingStatus
--- PASS: TestAccCloudflareRuleset_ActionParametersOverridesThrashingStatus (51.49s)
=== CONT  TestAccCloudflareRuleset_LogCustomField
--- PASS: TestAccCloudflareRuleset_LogCustomField (8.83s)
=== CONT  TestAccCloudflareRuleset_WAFManagedRulesetWithActionManagedChallenge
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetWithActionManagedChallenge (16.95s)
=== CONT  TestAccCloudflareRuleset_ConditionallySetActionParameterVersion
--- PASS: TestAccCloudflareRuleset_ConditionallySetActionParameterVersion (14.94s)
=== CONT  TestAccCloudflareRuleset_Logging
--- PASS: TestAccCloudflareRuleset_Logging (8.72s)
=== CONT  TestAccCloudflareRuleset_ExposedCredentialCheck
--- PASS: TestAccCloudflareRuleset_ExposedCredentialCheck (8.88s)
=== CONT  TestAccCloudflareRuleset_AccountLevelCustomWAFRule
--- PASS: TestAccCloudflareRuleset_AccountLevelCustomWAFRule (10.93s)
=== CONT  TestAccCloudflareRuleset_ActionParametersOverrideAllRulesetRules
--- PASS: TestAccCloudflareRuleset_ActionParametersOverrideAllRulesetRules (8.99s)
=== CONT  TestAccCloudflareRuleset_ActionParametersHTTPDDoSOverride
--- PASS: TestAccCloudflareRuleset_ActionParametersHTTPDDoSOverride (9.26s)
=== CONT  TestAccCloudflareRuleset_ActionParametersOverridesAction
--- PASS: TestAccCloudflareRuleset_ActionParametersOverridesAction (9.34s)
=== CONT  TestAccCloudflareRuleset_ActionParametersMultipleSkips
--- PASS: TestAccCloudflareRuleset_ActionParametersMultipleSkips (10.32s)
=== CONT  TestAccCloudflareRuleset_TransformationRuleResponseHeaders
--- PASS: TestAccCloudflareRuleset_TransformationRuleResponseHeaders (9.02s)
=== CONT  TestAccCloudflareRuleset_TransformationRuleRequestHeaders
--- PASS: TestAccCloudflareRuleset_TransformationRuleRequestHeaders (8.89s)
=== CONT  TestAccCloudflareRuleset_WAFManagedRulesetWithCategoryAndRuleBasedOverrides
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetWithCategoryAndRuleBasedOverrides (8.98s)
=== CONT  TestAccCloudflareRuleset_TransformHTTPResponseHeaders
--- PASS: TestAccCloudflareRuleset_TransformHTTPResponseHeaders (8.11s)
=== CONT  TestAccCloudflareRuleset_TransformationRuleURIQuery
--- PASS: TestAccCloudflareRuleset_TransformationRuleURIQuery (9.12s)
=== CONT  TestAccCloudflareRuleset_TransformationRuleURIPath
--- PASS: TestAccCloudflareRuleset_TransformationRuleURIPath (8.55s)
=== CONT  TestAccCloudflareRuleset_RequestOrigin
--- PASS: TestAccCloudflareRuleset_RequestOrigin (8.58s)
=== CONT  TestAccCloudflareRuleset_CustomErrors
--- PASS: TestAccCloudflareRuleset_CustomErrors (8.71s)
=== CONT  TestAccCloudflareRuleset_RateLimit
--- PASS: TestAccCloudflareRuleset_RateLimit (8.72s)
=== CONT  TestAccCloudflareRuleset_WAFManagedRulesetWithPayloadLogging
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetWithPayloadLogging (9.60s)
=== CONT  TestAccCloudflareRuleset_WAFManagedRulesetWithIDBasedOverrides
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetWithIDBasedOverrides (10.03s)
=== CONT  TestAccCloudflareRuleset_WAFManagedRulesetDeployMultiple
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetDeployMultiple (17.97s)
=== CONT  TestAccCloudflareRuleset_SkipPhaseAndProducts
--- PASS: TestAccCloudflareRuleset_SkipPhaseAndProducts (14.08s)
=== CONT  TestAccCloudflareRuleset_WAFManagedRulesetDeployMultipleWithTopSkipAndLastSkip
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetDeployMultipleWithTopSkipAndLastSkip (10.93s)
=== CONT  TestAccCloudflareRuleset_WAFManagedRulesetDeployMultipleWithSkip
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetDeployMultipleWithSkip (10.43s)
=== CONT  TestAccCloudflareRuleset_WAFManagedRulesetOWASPBlockXSSWithAnomalyOver60
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetOWASPBlockXSSWithAnomalyOver60 (15.37s)
=== CONT  TestAccCloudflareRuleset_WAFManagedRulesetOWASPOnlyPL1
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetOWASPOnlyPL1 (9.74s)
=== CONT  TestAccCloudflareRuleset_WAFManagedRulesetOWASP
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetOWASP (9.27s)
=== CONT  TestAccCloudflareRuleset_WAFManagedRuleset
--- PASS: TestAccCloudflareRuleset_WAFManagedRuleset (9.01s)
PASS
ok      github.com/cloudflare/terraform-provider-cloudflare/internal/provider   439.700s

@jacobbednarz

@vences do you mind eyeballing this and making sure it lines up with the expected usage of it?

@github-actions

github-actions bot commented Oct 13, 2022

changelog detected ✅

@vences

vences commented Oct 17, 2022

Hey @jacobbednarz,
Was able to test and it seems the validation function is wrong.

ValidateFunc: validation.StringInSlice([]string{"high", "medium", "low", "eoff"}, false),

High is never sent to the API; when configuring high it should be default. Here is the doc.
Other than that it was working as expected on my zone.

I tested locally and changed the function to be:

ValidateFunc: validation.StringInSlice([]string{"default", "medium", "low", "eoff"}, false),
Description:  fmt.Sprintf("Sensitivity level to override for all ruleset rules. %s", renderAvailableDocumentationValuesStringSlice([]string{"default", "medium", "low", "eoff"})),

default works as expected.

Side note

One small detail: if I use sensitivity_level inside another phase in which the value is not expected, the error returned by Terraform is not really explicit (not sure if it should be work on the API or Terraform).

Terraform.log

{
  "result": null,
  "success": false,
  "errors": [
    {
      "message": "it cannot be used in this phase",
      "source": {
        "pointer": "/rules/2/action_parameters/overrides/sensitivity_level"
      }
    }
  ],
  "messages": null
}


-----------------------------------------------------: timestamp=2022-10-17T16:09:51.087+0100
2022-10-17T16:09:51.092+0100 [ERROR] provider.terraform-provider-cloudflare_99.0.0: Response contains error diagnostic: diagnostic_summary="error updating ruleset with ID "a3f4f100463941ec9831c74d4a0b44a8": it cannot be used in this phase" tf_provider_addr=registry.terraform.io/cloudflare/cloudflare @caller=/Users/venceslas/go/pkg/mod/github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:55 diagnostic_severity=ERROR tf_proto_version=5.3 tf_req_id=5999e70b-c58d-2576-954c-a03ad14696a7 tf_resource_type=cloudflare_ruleset tf_rpc=ApplyResourceChange @module=sdk.proto diagnostic_detail= timestamp=2022-10-17T16:09:51.092+0100
2022-10-17T16:09:51.124+0100 [ERROR] vertex "cloudflare_ruleset.zone_level_managed_waf" error: error updating ruleset with ID "a3f4f100463941ec9831c74d4a0b44a8": it cannot be used in this phase
2022-10-17T16:09:51.203+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"

The pointer is omitted and the error message is just it cannot be used in this phase. I think it is not related to that PR but just wanted to mention here :)

@jacobbednarz

thanks @vences! good catch. for some reason i thought "high" was what the API expected but maybe it was just a dashboard-ism.

as for the exception structure, it's not part of the v4 payload envelope and we haven't been made aware of it so it's not going to be propagated anywhere. we'll need to chat with the rulesets folks about this to implement it.
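
The `source.pointer` field from the API response discussed in the two comments above, carried into the error text so the offending attribute is named. This is an added example, not code from the provider or this PR; `pointerToPath` and `describeErrors` are hypothetical helpers, and the struct models only the fields visible in the quoted response.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// sampleBody is the response body from the comment above, whitespace collapsed.
const sampleBody = `{"result":null,"success":false,"errors":[{"message":"it cannot be used in this phase","source":{"pointer":"/rules/2/action_parameters/overrides/sensitivity_level"}}],"messages":null}`

// pointerToPath (hypothetical helper) turns an RFC 6901 JSON pointer into a
// dotted path with list indexes: /rules/2/x becomes rules[2].x.
func pointerToPath(ptr string) string {
	var b strings.Builder
	for _, tok := range strings.Split(strings.TrimPrefix(ptr, "/"), "/") {
		// RFC 6901 unescaping order: "~1" to "/" first, then "~0" to "~".
		tok = strings.ReplaceAll(strings.ReplaceAll(tok, "~1", "/"), "~0", "~")
		if _, err := strconv.ParseUint(tok, 10, 64); err == nil {
			tok = "[" + tok + "]" // list index
		} else if b.Len() > 0 {
			b.WriteByte('.')
		}
		b.WriteString(tok)
	}
	return b.String()
}

// describeErrors (hypothetical helper) prefixes each error with its field path.
func describeErrors(body []byte) (out []string, err error) {
	var resp struct {
		Errors []struct {
			Message string `json:"message"`
			Source  struct{ Pointer string `json:"pointer"` } `json:"source"`
		} `json:"errors"`
	}
	if err = json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decoding API response: %w", err)
	}
	for _, e := range resp.Errors {
		if p := e.Source.Pointer; p != "" {
			e.Message = pointerToPath(p) + ": " + e.Message
		}
		out = append(out, e.Message)
	}
	return out, nil
}

func main() { fmt.Println(describeErrors([]byte(sampleBody))) }
```

Errors that carry no pointer keep their bare message, so responses without a `source` object decode the same way.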

@jacobbednarz jacobbednarz merged commit 389ed79 into master Oct 17, 2022
@jacobbednarz jacobbednarz deleted the override-sensitivity-for-all-rules branch October 17, 2022 19:19
@github-actions github-actions bot added this to the v3.26.0 milestone Oct 17, 2022
github-actions bot pushed a commit that referenced this pull request Oct 17, 2022
@github-actions

This functionality has been released in v3.26.0 of the Terraform Cloudflare Provider.

Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


Successfully merging this pull request may close these issues.

[cloudflare_ruleset] allow overriding ruleset sensitivity