Adding support for Client IP Rules (#205)

This commit adds support for Client IP Rules / Client IP Headers. They can be specified using `client_ip_rules` (ordered list). For example: ``` client_ip_rules = ["x-client-ip", "x-another-header"] ``` --------- Co-authored-by: Daniel Corbett <[email protected]>
signalsciences · Apr 18, 2024 · 4c0233c · 4c0233c
1 parent c2d19c3
commit 4c0233c
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 0 deletions.
diff --git a/docs/data-sources/sites.md b/docs/data-sources/sites.md
@@ -38,6 +38,7 @@ Read-Only:
 - `block_duration_secs` (Number)
 - `block_http_code` (Number)
 - `block_redirect_url` (String)
+- `client_ip_rules` (Set of String)
 - `created` (String)
 - `display_name` (String)
 - `events_uri` (String)

diff --git a/docs/resources/site.md b/docs/resources/site.md
@@ -19,6 +19,7 @@ resource "sigsci_site" "my-site" {
   block_duration_seconds = 86400
   agent_anon_mode        = ""
   agent_level            = "block"
+  client_ip_rules        = ["X-Client-IP"]
 }
 ```
 
@@ -38,6 +39,7 @@ resource "sigsci_site" "my-site" {
 - `block_duration_seconds` (Number) Duration to block an IP in seconds
 - `block_http_code` (Number) HTTP response code to send when traffic is being blocked
 - `block_redirect_url` (String) URL to redirect to when blocking with a '301' or '302' HTTP status code
+- `client_ip_rules` (List of String) Headers used for assigning client IPs to requests
 - `immediate_block` (Boolean) Immediately block requests that contain attack signals
 
 ### Read-Only

diff --git a/examples/resources/sigsci_site/resource.tf b/examples/resources/sigsci_site/resource.tf
@@ -4,4 +4,5 @@ resource "sigsci_site" "my-site" {
   block_duration_seconds = 86400
   agent_anon_mode        = ""
   agent_level            = "block"
+  client_ip_rules        = ["X-Client-IP"]
 }
diff --git a/provider/datasource_sites.go b/provider/datasource_sites.go
@@ -68,6 +68,14 @@ func dataSourceSites() *schema.Resource {
 							Computed:    true,
 							Description: "URL to redirect to when blockHTTPCode is 301 or 302",
 						},
+						"client_ip_rules": {
+							Type:        schema.TypeSet,
+							Computed:    true,
+							Description: "Headers used for assigning client IPs to requests",
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
 						"created": {
 							Type:        schema.TypeString,
 							Computed:    true,
@@ -177,6 +185,7 @@ func flattenSites(data []sigsci.Site, filter string) []map[string]any {
 			"block_duration_secs":  site.BlockDurationSeconds,
 			"block_http_code":      site.BlockHTTPCode,
 			"block_redirect_url":   site.BlockRedirectURL,
+			"client_ip_rules":      flattenClientIPRules(site.ClientIPRules),
 			"created":              site.Created.String(),
 			"display_name":         site.DisplayName,
 			"events_uri":           site.Events["uri"],

diff --git a/provider/lib.go b/provider/lib.go
@@ -505,6 +505,22 @@ func expandRuleRateLimit(rateLimitResource *schema.Set) *sigsci.RateLimit {
 	}
 }
 
+func expandClientIPRules(headers []interface{}) sigsci.ClientIPRules {
+	rulesArray := make(sigsci.ClientIPRules, len(headers))
+	for i, e := range headers {
+		rulesArray[i].Header = e.(string)
+	}
+	return rulesArray
+}
+
+func flattenClientIPRules(rules sigsci.ClientIPRules) []interface{} {
+	interfaceArray := make([]interface{}, len(rules))
+	for i, val := range rules {
+		interfaceArray[i] = val.Header
+	}
+	return interfaceArray
+}
+
 func flattenRuleRateLimit(rateLimit *sigsci.RateLimit) []interface{} {
 	if rateLimit == nil {
 		return nil

diff --git a/provider/resource_site.go b/provider/resource_site.go
@@ -78,6 +78,14 @@ func resourceSite() *schema.Resource {
 				Description: "URL to redirect to when blocking with a '301' or '302' HTTP status code",
 				Optional:    true,
 			},
+			"client_ip_rules": {
+				Type:        schema.TypeList,
+				Description: "Headers used for assigning client IPs to requests",
+				Optional:    true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 			"immediate_block": {
 				Type:        schema.TypeBool,
 				Description: "Immediately block requests that contain attack signals",
@@ -121,6 +129,7 @@ func createSite(d *schema.ResourceData, m interface{}) error {
 		BlockHTTPCode:        d.Get("block_http_code").(int),
 		BlockDurationSeconds: d.Get("block_duration_seconds").(int),
 		BlockRedirectURL:     d.Get("block_redirect_url").(string),
+		ClientIPRules:        expandClientIPRules(d.Get("client_ip_rules").([]interface{})),
 		ImmediateBlock:       d.Get("immediate_block").(bool),
 	})
 	if err != nil {
@@ -166,6 +175,10 @@ func readSite(d *schema.ResourceData, m interface{}) error {
 	if err != nil {
 		return err
 	}
+	err = d.Set("client_ip_rules", flattenClientIPRules(site.ClientIPRules))
+	if err != nil {
+		return err
+	}
 	err = d.Set("agent_anon_mode", site.AgentAnonMode)
 	if err != nil {
 		return err
@@ -209,6 +222,7 @@ func updateSite(d *schema.ResourceData, m interface{}) error {
 		BlockHTTPCode:        d.Get("block_http_code").(int),
 		BlockRedirectURL:     d.Get("block_redirect_url").(string),
 		AgentAnonMode:        d.Get("agent_anon_mode").(string),
+		ClientIPRules:        expandClientIPRules(d.Get("client_ip_rules").([]interface{})),
 		ImmediateBlock:       d.Get("immediate_block").(bool),
 	})
 	if err != nil {