Add support for WAF packages #475
Conversation
|
Please remove the dependency update from this PR, we'll do that separately. |
I can't as it depends on methods that are only available in the latest |
| "sensitivity": { | ||
| Type: schema.TypeString, | ||
| Optional: true, | ||
| Default: "high", |
There was a problem hiding this comment.
Let's remove the defaults here and instead provide validation that the sensitivity is one of the accepted values.
There was a problem hiding this comment.
Can't we simply do both? We need to know the default anyway to be able to act properly on the delete action, might as well use it as the default value if not provided.
I will add the Enum of valid values too, but thought it would be something that the API can directly check instead of forcing it here (doing that means any new value added for those in the API in the future will require an update to that object)
There was a problem hiding this comment.
This isn't the provided default that a customer gets out of the box so we're making an assumption here to make the default high which comes with trade offs and not something we want to force on people.
If you want to leave this, it needs to be the actual default that comes for a customer.
We need to know the default anyway to be able to act properly on the delete action, might as well use it as the default value if not provided.
We don't have to have delete options if the resource doesn't support them. Once it's in Terraform, it can just be managed for Updates. If this complicates it, just noop the delete with an explanation in the method.
There was a problem hiding this comment.
This isn't the provided default that a customer gets out of the box so we're making an assumption here to make the default high which comes with trade offs and not something we want to force on people.
I was just following the API defaults: https://api.cloudflare.com/#waf-rule-packages-edit-firewall-package
If the defaults are different, please tell me what they are so I can change that.
We don't have to have delete options if the resource doesn't support them. Once it's in Terraform, it can just be managed for Updates. If this complicates it, just noop the delete with an explanation in the method.
This would be weak and would be a different behavior than what is used for WAF Rules, which would be very confusing (unless we prefer disabling the delete from WAF Rules too ?). I think it makes more sense to have sort of a "reset to default", but I totally agree that the "reset to default" should reset to the actual default.
| "action_mode": { | ||
| Type: schema.TypeString, | ||
| Optional: true, | ||
| Default: "challenge", |
There was a problem hiding this comment.
Similar to https://github.com/terraform-providers/terraform-provider-cloudflare/pull/475/files#r326930670, let's move towards better validation without a default.
xaf
force-pushed
the
xaf/add_support_for_waf_packages
branch
from
a976e2b to
95f4978
Compare
|
Updated to only include those changes, but of course it won't pass the tests for now |
xaf
force-pushed
the
xaf/add_support_for_waf_packages
branch
from
95f4978 to
b6911c8
Compare
|
Rebased on master |
xaf
force-pushed
the
xaf/add_support_for_waf_packages
branch
from
b6911c8 to
7db5998
Compare
|
Fixed small mistakes I made when adding the |
xaf
force-pushed
the
xaf/add_support_for_waf_packages
branch
from
7db5998 to
cb183db
Compare
|
Updated the |
|
@patryk @jacobbednarz is there anything I could do so we can move forward with this PR and the other one for WAF groups ? |
xaf
force-pushed
the
xaf/add_support_for_waf_packages
branch
from
cb183db to
27a53c9
Compare
ghost
added
size/XL
kind/documentation
|
Added documentation for the change |
|
I've just kicked off the integration tests for these and will report back shortly! Thanks for following through here @xaf! |
|
Looks like there is a failure in the test suite. I'm able to replicate this running locally too. |
xaf
force-pushed
the
xaf/add_support_for_waf_packages
branch
from
32fc6f6 to
3cd0b7e
Compare
The problem with that approach is that I need to know the I thus went and created a new function that creates a new client specifically to grab the information needed, as you can see in the updated code. Please tell me what you think about that @jacobbednarz and if you have any better way to implement this ? For now, the acceptance tests are passing: |
xaf
force-pushed
the
xaf/add_support_for_waf_packages
branch
from
3cd0b7e to
066cdba
Compare
|
|
||
| func testAccGetWAFPackage(zoneID string) (string, error) { | ||
| config := Config{} | ||
| if apiToken, ok := os.LookupEnv("CLOUDFLARE_API_TOKEN"); ok { |
There was a problem hiding this comment.
I don't really like this in here as we're duplicating the logic we already have in the provider setup. If that ever changes, we now have somewhere that depends on it directly. Was there a reason you couldn't use the sharedClient? We're already using that in sweepers and it leverages the existing methods.
There was a problem hiding this comment.
If we can't use the shareClient functionality, let's just copy the function and use it here. Don't worry about the logic as we can swap it all when/if we move to API tokens for the test suite.
Another drawback to having this logic here is that testAccPreCheck doesn't check for the API token, only the older method of authenticating which means use of API tokens isn't enforced at all.
There was a problem hiding this comment.
Another drawback to having this logic here is that testAccPreCheck doesn't check for the API token, only the older method of authenticating which means use of API tokens isn't enforced at all.
Note that testAccPreCheck is still run just after, so any check it does will be done here, so that should be fine ? But true that we're listing the packages before having done that check...
I don't really like this in here as we're duplicating the logic we already have in the provider setup. If that ever changes, we now have somewhere that depends on it directly. Was there a reason you couldn't use the sharedClient? We're already using that in sweepers and it leverages the existing methods.
sharedClient currently seems to be forcing to use API Key & email instead of API token, is this expected ?
resource_cloudflare_waf_package_test.go:18: Error while listing WAF packages: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":6003,\"message\":\"Invalid request headers\",\"error_chain\":[{\"code\":6103,\"message\":\"Invalid format for X-Auth-Key header\"}]}],\"messages\":[],\"result\":null}"
There was a problem hiding this comment.
sharedClientcurrently seems to be forcing to use API Key & email instead of API token, is this expected ?
Yep, we'll eventually move this over to API tokens when it's supported fully.
WRT to your error, are you setting the CLOUDFLARE_API_KEY and CLOUDFLARE_EMAIL per the client initialisation when you're running the tests? As you mentioned, the PreCheck usually handles this but because we're running before it, it could be missed.
There was a problem hiding this comment.
I did not want to go fetch an API key so I used CLOUDFLARE_API_KEY="blah" for my tests above, which is why I had that error (this is also why I corrected my message after the fact, realizing the error was related to that).
I think my last push (fixup this time, sorry again) should be good to go ? (using sharedClient)
There was a problem hiding this comment.
Gotcha, that makes total sense then 😄
|
@xaf are you able to avoid rebasing until we're ready to merge? It's quite difficult to review the individual changes you're making. We can squash it when it's ready to merge if you'd prefer that. |
Yes, sorry for that... I try to push fixup commits usually but forgot this time! |
|
Great stuff. I've just kicked off the integration suite again and we'll see how we go this time. |
|
🤞 |
|
Looks like the unit tests are failing to build - https://travis-ci.org/terraform-providers/terraform-provider-cloudflare/jobs/595347342#L234 Integration tests are also failing in a similar fashion. |
|
Probably because it's based on a previous version that did not use the same packages in the headers (the path seem to have changed). |
I don't understand why this is? Are you able to let me know what issues you're hitting? You should always be able to run the tests locally when developing the provider. |
|
Oh, failed again as I forgot to update all of them. It's just that my local branch is not
|
You can still merge in the upstream master and it will have the same effect without needing to rebase or force push changes. We're not fussed if there is merge commits or not so that is up to you. |
Ok, might need to manually test for |
🎉 |
|
Looks like the integration tests are happy too! I'll take another look over this and we'll get it merged. |
|
🎉 Let me know if you want me to |
|
|
||
| * `zone_id` - (Required) The DNS zone ID to apply to. | ||
| * `package_id` - (Required) The WAF Package ID. | ||
| * `sensitivity` - (Required) The sensitivity of the package, can be one of ["high", "medium", "low", "off"]. |
There was a problem hiding this comment.
This documentation doesn't match the schema. Do you intend for this to be optional (to match the schema)? Same with action_mode.
There was a problem hiding this comment.
You're right, should read Optional
|
Thanks for your patience with this! If you can apply the same fixes to #476, we'll get that merged too. |
SetWorkersSecret creates or updates a secret DeleteWorkersSecret deletes a secret ListWorkersSecrets lists all secrets
Depends on #474