diff --git a/go.mod b/go.mod index c61fa7f..3684444 100644 --- a/go.mod +++ b/go.mod @@ -5,5 +5,5 @@ go 1.14 require ( github.com/davecgh/go-spew v1.1.1 github.com/hashicorp/terraform-plugin-sdk v1.14.0 - github.com/signalsciences/go-sigsci v0.1.1-0.20200908173133-5e947c11afc3 + github.com/signalsciences/go-sigsci v0.1.1-0.20201006182813-f95ff43997bc ) diff --git a/go.sum b/go.sum index 0d79354..587cab4 100644 --- a/go.sum +++ b/go.sum @@ -168,6 +168,8 @@ github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/signalsciences/go-sigsci v0.1.1-0.20200908173133-5e947c11afc3 h1:z/j8qG4eW0k26CkDmQEf/8o2pGdRVqOa0a6pQVF87+c= github.com/signalsciences/go-sigsci v0.1.1-0.20200908173133-5e947c11afc3/go.mod h1:QzNMfETjwm4NFuFS4K1UoLO4wWdopUv3AFyvO092Fak= +github.com/signalsciences/go-sigsci v0.1.1-0.20201006182813-f95ff43997bc h1:6791XANMlLdHrd+vgGA2d4d/sFJYBGc8pg+2FSb0iRE= +github.com/signalsciences/go-sigsci v0.1.1-0.20201006182813-f95ff43997bc/go.mod h1:QzNMfETjwm4NFuFS4K1UoLO4wWdopUv3AFyvO092Fak= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= diff --git a/main.tf b/main.tf index 6d78006..6cde32b 100644 --- a/main.tf +++ b/main.tf @@ -186,3 +186,78 @@ resource "sigsci_site_redaction" "test_redaction" { redaction_type = 0 } + +resource "sigsci_site_rule" "testt" { + site_short_name = sigsci_site.my-site.short_name + type = "request" + group_operator = "all" + enabled = true + reason = "Example site rule update" + expiration = "" + + conditions { + type = "multival" + field = "signal" + group_operator = "all" + operator = "exists" + conditions { + field = "signalType" + operator = "equals" + type = "single" + value = "RESPONSESPLIT" + } + } + + conditions { + type = "group" + group_operator = "any" + conditions { + field = "useragent" + operator = "like" + type = "single" + value = "python-requests*" + } + + conditions { + type = "multival" + field = "requestHeader" + operator = "doesNotExist" + group_operator = "all" + conditions { + field = "name" + operator = "equals" + type = "single" + value = "cookie" + } + } + + conditions { + type = "multival" + field = "signal" + operator = "exists" + group_operator = "any" + conditions { + field = "signalType" + operator = "equals" + type = "single" + value = "TORNODE" + } + conditions { + field = "signalType" + operator = "equals" + type = "single" + value = "SIGSCI-IP" + } + conditions { + field = "signalType" + operator = "equals" + type = "single" + value = "SCANNER" + } + } + } + + actions { + type = "block" + } +} diff --git a/provider/lib.go b/provider/lib.go index 5aaa08a..9f0a469 100644 --- a/provider/lib.go +++ b/provider/lib.go @@ -377,8 +377,15 @@ func expandRuleActions(actionsResource *schema.Set) []sigsci.Action { var actions []sigsci.Action for _, genericElement := range actionsResource.List() { castElement := genericElement.(map[string]interface{}) + var signal string + + if castElement["signal"] != nil { + signal = castElement["signal"].(string) + } + a := sigsci.Action{ - Type: castElement["type"].(string), + Type: castElement["type"].(string), + Signal: signal, } actions = append(actions, a) } @@ -431,7 +438,8 @@ func flattenRuleActions(actions []sigsci.Action) []interface{} { var actionsMap = make([]interface{}, len(actions), len(actions)) for i, action := range actions { actionMap := map[string]interface{}{ - "type": action.Type, + "type": action.Type, + "signal": action.Signal, } actionsMap[i] = actionMap } diff --git a/provider/resource_corp_rule.go b/provider/resource_corp_rule.go index 7a619d2..ac4dfeb 100644 --- a/provider/resource_corp_rule.go +++ b/provider/resource_corp_rule.go @@ -60,6 +60,11 @@ func resourceCorpRule() *schema.Resource { Description: "(block, allow, exclude)", Required: true, }, + "signal": { + Type: schema.TypeString, + Description: "(block, allow, exclude)", + Optional: true, + }, }, }, }, @@ -126,6 +131,40 @@ func resourceCorpRule() *schema.Resource { Description: "type: single - See request fields (https://docs.signalsciences.net/using-signal-sciences/features/rules/#request-fields)", Optional: true, }, + "conditions": { + Type: schema.TypeSet, + Description: "Conditions", + Optional: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "type": { + Type: schema.TypeString, + Description: "(group, single)", + Required: true, + }, + "field": { + Type: schema.TypeString, + Description: "type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)", + Optional: true, + }, + "operator": { + Type: schema.TypeString, + Description: "type: single - (equals, doesNotEqual, contains, doesNotContain, like, notLike, exists, doesNotExist, inList, notInList)", + Optional: true, + }, + "group_operator": { + Type: schema.TypeString, + Description: "type: group - Conditions that must be matched when evaluating the request (all, any)", + Optional: true, + }, + "value": { + Type: schema.TypeString, + Description: "type: single - See request fields (https://docs.signalsciences.net/using-signal-sciences/features/rules/#request-fields)", + Optional: true, + }, + }, + }, + }, }, }, }, diff --git a/provider/resource_corp_rule_test.go b/provider/resource_corp_rule_test.go index b79c831..9ecbd13 100644 --- a/provider/resource_corp_rule_test.go +++ b/provider/resource_corp_rule_test.go @@ -44,8 +44,9 @@ func TestResourceCorpRule_basic(t *testing.T) { } }`, testSite), Check: resource.ComposeAggregateTestCheckFunc( + testInspect(), resource.TestCheckResourceAttr(resourceName, "actions.#", "1"), - resource.TestCheckResourceAttr(resourceName, "actions.1859487095.type", "excludeSignal"), + resource.TestCheckResourceAttr(resourceName, "actions.895671942.type", "excludeSignal"), resource.TestCheckResourceAttr(resourceName, "conditions.#", "2"), resource.TestCheckResourceAttr(resourceName, "conditions.2534374319.conditions.#", "0"), resource.TestCheckResourceAttr(resourceName, "conditions.2534374319.field", "ip"), diff --git a/provider/resource_site.go b/provider/resource_site.go index 9a85b2c..7aae4a2 100644 --- a/provider/resource_site.go +++ b/provider/resource_site.go @@ -35,7 +35,7 @@ func resourceSite() *schema.Resource { Type: schema.TypeString, Description: "Agent action level - 'block', 'log' or 'off'", Optional: true, - Default: "log", // TODO not in docs, but enforced by api + Default: "log", }, "agent_anon_mode": { Type: schema.TypeString, @@ -52,8 +52,8 @@ func resourceSite() *schema.Resource { "block_http_code": { Type: schema.TypeInt, Description: "HTTP response code to send when when traffic is being blocked", - Optional: true, - Default: 406, + Computed: true, + //Default: 406, }, }, } @@ -76,6 +76,12 @@ func createSite(d *schema.ResourceData, m interface{}) error { } d.SetId(site.Name) + // For whatever reason, you cannot create without default values, but you may update them later + // If these are not the default values, update + if d.Get("block_duration_seconds").(int) != 86400 || d.Get("agent_anon_mode").(string) != "" { + return updateSite(d, m) + } + return readSite(d, m) } diff --git a/provider/resource_site_alert.go b/provider/resource_site_alert.go index e300cae..acc248b 100644 --- a/provider/resource_site_alert.go +++ b/provider/resource_site_alert.go @@ -39,11 +39,6 @@ func resourceSiteAlert() *schema.Resource { Description: "The number of occurrences of the tag in the interval needed to trigger the alert. Min 1, Max 10000", Optional: true, }, - "block_duration_seconds": { - Type: schema.TypeInt, - Description: "The number of seconds this alert is active.", - Optional: true, - }, "enabled": { Type: schema.TypeBool, Description: "A flag to toggle this alert.", diff --git a/provider/resource_site_rule.go b/provider/resource_site_rule.go index 9bbcacc..6c9fdcb 100644 --- a/provider/resource_site_rule.go +++ b/provider/resource_site_rule.go @@ -56,6 +56,11 @@ func resourceSiteRule() *schema.Resource { Description: "(block, allow, exclude)", Required: true, }, + "signal": { + Type: schema.TypeString, + Description: "signal id to tag", + Optional: true, + }, }, }, }, @@ -305,7 +310,7 @@ func resourceSiteRuleUpdate(d *schema.ResourceData, m interface{}) error { _, err := sc.UpdateSiteRuleByID(corp, site, d.Id(), updateSiteRuleBody) if err != nil { - return fmt.Errorf("%s. Could not update redaction with Id %s in corp %s site %s", err.Error(), d.Id(), corp, site) + return err } rule, err := sc.GetSiteRuleByID(corp, site, d.Id()) if err == nil && !reflect.DeepEqual(updateSiteRuleBody, rule.CreateSiteRuleBody) { diff --git a/provider/resource_site_rule_test.go b/provider/resource_site_rule_test.go index c08e34c..c4bc7bf 100644 --- a/provider/resource_site_rule_test.go +++ b/provider/resource_site_rule_test.go @@ -51,20 +51,56 @@ func TestACCResourceSiteRule_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "site_short_name", testSite), resource.TestCheckResourceAttr(resourceName, "reason", "Example site rule update"), resource.TestCheckResourceAttr(resourceName, "actions.#", "1"), - resource.TestCheckResourceAttr(resourceName, "actions.1859487095.type", "excludeSignal"), + resource.TestCheckResourceAttr(resourceName, "actions.895671942.type", "excludeSignal"), resource.TestCheckResourceAttr(resourceName, "conditions.#", "2"), - resource.TestCheckResourceAttr(resourceName, "conditions.2534374319.conditions.#", "0"), resource.TestCheckResourceAttr(resourceName, "conditions.2534374319.field", "ip"), resource.TestCheckResourceAttr(resourceName, "conditions.2534374319.group_operator", ""), resource.TestCheckResourceAttr(resourceName, "conditions.2534374319.operator", "equals"), resource.TestCheckResourceAttr(resourceName, "conditions.2534374319.type", "single"), resource.TestCheckResourceAttr(resourceName, "conditions.2534374319.value", "1.2.3.4"), resource.TestCheckResourceAttr(resourceName, "conditions.2534374319.conditions.#", "0"), - resource.TestCheckResourceAttr(resourceName, "conditions.2534374319.field", "ip"), - resource.TestCheckResourceAttr(resourceName, "conditions.2534374319.group_operator", ""), - resource.TestCheckResourceAttr(resourceName, "conditions.2534374319.operator", "equals"), - resource.TestCheckResourceAttr(resourceName, "conditions.2534374319.type", "single"), + resource.TestCheckResourceAttr(resourceName, "conditions.2383694574.field", "ip"), + resource.TestCheckResourceAttr(resourceName, "conditions.2383694574.group_operator", ""), + resource.TestCheckResourceAttr(resourceName, "conditions.2383694574.operator", "equals"), + resource.TestCheckResourceAttr(resourceName, "conditions.2383694574.type", "single"), resource.TestCheckResourceAttr(resourceName, "conditions.2383694574.value", "1.2.3.5"), + resource.TestCheckResourceAttr(resourceName, "conditions.2383694574.conditions.#", "0"), + ), + }, + { + Config: fmt.Sprintf(` + resource "sigsci_site_rule" "test"{ + site_short_name="%s" + type= "signal" + group_operator="any" + enabled= false + reason= "Example site rule update 2" + signal= "SQLI" + expiration= "" + conditions { + type="single" + field="ip" + operator="equals" + value="1.2.3.9" + } + actions { + type="excludeSignal" + } + + }`, testSite), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "type", "signal"), + resource.TestCheckResourceAttr(resourceName, "site_short_name", testSite), + resource.TestCheckResourceAttr(resourceName, "reason", "Example site rule update 2"), + resource.TestCheckResourceAttr(resourceName, "actions.#", "1"), + resource.TestCheckResourceAttr(resourceName, "actions.895671942.type", "excludeSignal"), + resource.TestCheckResourceAttr(resourceName, "conditions.#", "1"), + resource.TestCheckResourceAttr(resourceName, "conditions.580978146.conditions.#", "0"), + resource.TestCheckResourceAttr(resourceName, "conditions.580978146.field", "ip"), + resource.TestCheckResourceAttr(resourceName, "conditions.580978146.group_operator", ""), + resource.TestCheckResourceAttr(resourceName, "conditions.580978146.operator", "equals"), + resource.TestCheckResourceAttr(resourceName, "conditions.580978146.type", "single"), + resource.TestCheckResourceAttr(resourceName, "conditions.580978146.value", "1.2.3.9"), ), }, { @@ -107,6 +143,7 @@ func TestACCResourceSiteRuleRateLimit_basic(t *testing.T) { value="1.2.3.4" } actions { + signal=sigsci_site_signal_tag.test_tag.id type="logRequest" } rate_limit = { @@ -122,7 +159,8 @@ func TestACCResourceSiteRuleRateLimit_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "site_short_name", testSite), resource.TestCheckResourceAttr(resourceName, "reason", "Example site rule update"), resource.TestCheckResourceAttr(resourceName, "actions.#", "1"), - resource.TestCheckResourceAttr(resourceName, "actions.1301899462.type", "logRequest"), + resource.TestCheckResourceAttr(resourceName, "actions.2266040667.type", "logRequest"), + resource.TestCheckResourceAttr(resourceName, "actions.2266040667.signal", "site.my-new-tag"), resource.TestCheckResourceAttr(resourceName, "conditions.#", "1"), resource.TestCheckResourceAttr(resourceName, "rate_limit.threshold", "10"), resource.TestCheckResourceAttr(resourceName, "rate_limit.interval", "10"), @@ -225,7 +263,6 @@ func TestACCResourceSiteRuleConditionSignal(t *testing.T) { } }`, testSite), Check: resource.ComposeAggregateTestCheckFunc( - testInspect(), resource.TestCheckResourceAttr(resourceName, "conditions.#", "2"), resource.TestCheckResourceAttr(resourceName, "conditions.2455721190.conditions.3887678098.conditions.#", "1"), resource.TestCheckResourceAttr(resourceName, "conditions.1840769124.conditions.#", "1"), @@ -243,6 +280,60 @@ func TestACCResourceSiteRuleConditionSignal(t *testing.T) { }) } +func TestACCResourceSiteRuleTagSignal(t *testing.T) { + t.Parallel() + resourceName := "sigsci_site_rule.test" + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testACCCheckSiteRuleDestroy, + Steps: []resource.TestStep{ + { + Config: fmt.Sprintf(` + resource "sigsci_site_signal_tag" "test_tag" { + site_short_name = "%s" + name = "newtag" + description = "test description" + } + resource "sigsci_site_rule" "test"{ + site_short_name="%s" + type= "request" + group_operator="all" + enabled= true + reason= "Example site rule update" + expiration= "" + conditions { + type="single" + field="ip" + operator="equals" + value="1.2.3.4" + } + actions { + type = "block" + } + actions { + type="addSignal" + signal=sigsci_site_signal_tag.test_tag.id + } + }`, testSite, testSite), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "actions.#", "2"), + resource.TestCheckResourceAttr(resourceName, "actions.1990726244.type", "block"), + resource.TestCheckResourceAttr(resourceName, "actions.3968222288.signal", "site.newtag"), + resource.TestCheckResourceAttr(resourceName, "actions.3968222288.type", "addSignal"), + ), + }, + { + ResourceName: resourceName, + ImportStateIdPrefix: fmt.Sprintf("%s:", testSite), + ImportState: true, + ImportStateVerify: true, + ImportStateCheck: testAccImportStateCheckFunction(1), + }, + }, + }) +} + func testCheckSiteRuleExists(name string) resource.TestCheckFunc { var testFunc resource.TestCheckFunc = func(s *terraform.State) error { rsrc, ok := s.RootModule().Resources[name] diff --git a/provider/resource_site_test.go b/provider/resource_site_test.go index d82005b..d8d0c44 100644 --- a/provider/resource_site_test.go +++ b/provider/resource_site_test.go @@ -32,7 +32,6 @@ func init() { } func TestAccResourceSiteBasic(t *testing.T) { - t.Parallel() resourceName := "sigsci_site.test" testSite := randStringRunes(5) resource.Test(t, resource.TestCase{ @@ -45,16 +44,14 @@ func TestAccResourceSiteBasic(t *testing.T) { resource "sigsci_site" "test"{ short_name = "%s" display_name = "test 2" - block_duration_seconds = 86400 - block_http_code = 406 - agent_anon_mode = "" + agent_anon_mode = "EU" + block_duration_seconds = 86401 }`, testSite), Check: resource.ComposeAggregateTestCheckFunc( resource.TestCheckResourceAttr(resourceName, "short_name", testSite), resource.TestCheckResourceAttr(resourceName, "display_name", "test 2"), - resource.TestCheckResourceAttr(resourceName, "block_duration_seconds", "86400"), // TODO change these values once api is fixed - resource.TestCheckResourceAttr(resourceName, "block_http_code", "406"), // TODO change these values once api is fixed - resource.TestCheckResourceAttr(resourceName, "agent_anon_mode", ""), + resource.TestCheckResourceAttr(resourceName, "agent_anon_mode", "EU"), + resource.TestCheckResourceAttr(resourceName, "block_duration_seconds", "86401"), ), }, { @@ -62,23 +59,21 @@ func TestAccResourceSiteBasic(t *testing.T) { resource "sigsci_site" "test"{ short_name = "%s" display_name = "test" - block_duration_seconds = 86401 - block_http_code = 406 - agent_anon_mode = "EU" + agent_anon_mode = "" + block_duration_seconds = 86400 }`, testSite), Check: resource.ComposeAggregateTestCheckFunc( resource.TestCheckResourceAttr(resourceName, "short_name", testSite), resource.TestCheckResourceAttr(resourceName, "display_name", "test"), - resource.TestCheckResourceAttr(resourceName, "block_duration_seconds", "86401"), - resource.TestCheckResourceAttr(resourceName, "block_http_code", "406"), // TODO change these values once api is fixed - resource.TestCheckResourceAttr(resourceName, "agent_anon_mode", "EU"), + resource.TestCheckResourceAttr(resourceName, "agent_anon_mode", ""), + resource.TestCheckResourceAttr(resourceName, "block_duration_seconds", "86400"), ), }, { ResourceName: resourceName, ImportState: true, ImportStateVerify: true, - ImportStateCheck: testAccImportStateCheckFunction(1), //TODO this is insufficient + ImportStateCheck: testAccImportStateCheckFunction(1), }, }, })