From 5175117bb4f8266d2271f9b66bedc6d81e3a62ae Mon Sep 17 00:00:00 2001 
From: Jacob Bednarz Date: Thu, 12 Jan 2023 12:32:29 +1100 Subject: [PATCH 1/2] remove legacy WAF resources and data sources --- .changelog/2138.txt | 27 +++ docs/data-sources/waf_groups.md | 54 ----- docs/data-sources/waf_packages.md | 56 ----- docs/data-sources/waf_rules.md | 61 ----- docs/resources/waf_group.md | 43 ---- docs/resources/waf_override.md | 60 ----- docs/resources/waf_package.md | 43 ---- docs/resources/waf_rule.md | 44 ---- .../sdkv2provider/data_source_waf_groups.go | 184 --------------- .../data_source_waf_groups_test.go | 110 --------- .../sdkv2provider/data_source_waf_packages.go | 187 --------------- .../data_source_waf_packages_test.go | 155 ------------ .../sdkv2provider/data_source_waf_rules.go | 222 ------------------ .../data_source_waf_rules_test.go | 110 --------- .../import_cloudflare_waf_rule_test.go | 35 --- internal/sdkv2provider/provider.go | 7 - .../resource_cloudflare_waf_group.go | 179 -------------- .../resource_cloudflare_waf_group_test.go | 114 --------- .../resource_cloudflare_waf_override.go | 175 -------------- .../resource_cloudflare_waf_override_test.go | 168 ------------- .../resource_cloudflare_waf_package.go | 168 ------------- .../resource_cloudflare_waf_package_test.go | 113 --------- .../resource_cloudflare_waf_rule.go | 188 --------------- .../resource_cloudflare_waf_rule_test.go | 119 ---------- .../resource_cloudflare_zone_lockdown_test.go | 1 - .../schema_cloudflare_waf_group.go | 37 --- .../schema_cloudflare_waf_override.go | 62 ----- .../schema_cloudflare_waf_package.go | 38 --- .../schema_cloudflare_waf_rule.go | 37 --- templates/data-sources/waf_groups.md | 54 ----- templates/data-sources/waf_packages.md | 56 ----- templates/data-sources/waf_rules.md | 61 ----- templates/resources/waf_group.md | 43 ---- templates/resources/waf_override.md | 60 ----- templates/resources/waf_package.md | 43 ---- templates/resources/waf_rule.md | 44 ---- 36 files changed, 27 insertions(+), 3131 deletions(-) create mode 100644 
.changelog/2138.txt delete mode 100644 docs/data-sources/waf_groups.md delete mode 100644 docs/data-sources/waf_packages.md delete mode 100644 docs/data-sources/waf_rules.md delete mode 100644 docs/resources/waf_group.md delete mode 100644 docs/resources/waf_override.md delete mode 100644 docs/resources/waf_package.md delete mode 100644 docs/resources/waf_rule.md delete mode 100644 internal/sdkv2provider/data_source_waf_groups.go delete mode 100644 internal/sdkv2provider/data_source_waf_groups_test.go delete mode 100644 internal/sdkv2provider/data_source_waf_packages.go delete mode 100644 internal/sdkv2provider/data_source_waf_packages_test.go delete mode 100644 internal/sdkv2provider/data_source_waf_rules.go delete mode 100644 internal/sdkv2provider/data_source_waf_rules_test.go delete mode 100644 internal/sdkv2provider/import_cloudflare_waf_rule_test.go delete mode 100644 internal/sdkv2provider/resource_cloudflare_waf_group.go delete mode 100644 internal/sdkv2provider/resource_cloudflare_waf_group_test.go delete mode 100644 internal/sdkv2provider/resource_cloudflare_waf_override.go delete mode 100644 internal/sdkv2provider/resource_cloudflare_waf_override_test.go delete mode 100644 internal/sdkv2provider/resource_cloudflare_waf_package.go delete mode 100644 internal/sdkv2provider/resource_cloudflare_waf_package_test.go delete mode 100644 internal/sdkv2provider/resource_cloudflare_waf_rule.go delete mode 100644 internal/sdkv2provider/resource_cloudflare_waf_rule_test.go delete mode 100644 internal/sdkv2provider/schema_cloudflare_waf_group.go delete mode 100644 internal/sdkv2provider/schema_cloudflare_waf_override.go delete mode 100644 internal/sdkv2provider/schema_cloudflare_waf_package.go delete mode 100644 internal/sdkv2provider/schema_cloudflare_waf_rule.go delete mode 100644 templates/data-sources/waf_groups.md delete mode 100644 templates/data-sources/waf_packages.md delete mode 100644 templates/data-sources/waf_rules.md delete mode 100644 
templates/resources/waf_group.md delete mode 100644 templates/resources/waf_override.md delete mode 100644 templates/resources/waf_package.md delete mode 100644 templates/resources/waf_rule.md
diff --git a/.changelog/2138.txt b/.changelog/2138.txt
new file mode 100644
index 0000000000..939b7002f3
--- /dev/null
+++ b/.changelog/2138.txt
@@ -0,0 +1,27 @@
+```release-note:breaking-change
+resource/cloudflare_waf_group: removed in favour of `cloudflare_ruleset`
+```
+
+```release-note:breaking-change
+resource/cloudflare_waf_override: removed in favour of `cloudflare_ruleset`
+```
+
+```release-note:breaking-change
+resource/cloudflare_waf_package: removed in favour of `cloudflare_ruleset`
+```
+
+```release-note:breaking-change
+resource/cloudflare_waf_rule: removed in favour of `cloudflare_ruleset`
+```
+
+```release-note:breaking-change
+datasource/cloudflare_waf_groups: removed in favour of `cloudflare_ruleset`
+```
+
+```release-note:breaking-change
+datasource/cloudflare_waf_packages: removed in favour of `cloudflare_ruleset`
+```
+
+```release-note:breaking-change
+datasource/cloudflare_waf_rules: removed in favour of `cloudflare_ruleset`
+```
diff --git a/docs/data-sources/waf_groups.md b/docs/data-sources/waf_groups.md
deleted file mode 100644
index b71b401594..0000000000
--- a/docs/data-sources/waf_groups.md
+++ /dev/null
@@ -1,54 +0,0 @@ ---- -layout: "cloudflare" -page_title: "Cloudflare: cloudflare_waf_groups" -description: List available Cloudflare WAF Groups. ---- - -# cloudflare_waf_groups - -Use this data source to look up [WAF Rule Groups][1]. - -## Example Usage - -The example below matches all WAF Rule Groups that contain the word `example` and are currently `on`. The matched WAF Rule Groups are then returned as output. - -```hcl -data "cloudflare_waf_groups" "test" { - filter { - name = ".*example.*" - mode = "on" - } -} - -output "waf_groups" { - value = data.cloudflare_waf_groups.test.groups -} -``` - -## Argument Reference - -- `zone_id` - (Required) The ID of the DNS zone in which to search for the WAF Rule Groups. -- `package_id` - (Optional) The ID of the WAF Rule Package in which to search for the WAF Rule Groups. -- `filter` - (Optional) One or more values used to look up WAF Rule Groups. If more than one value is given all - values must match in order to be included, see below for full list. - -**filter** - -- `name` - (Optional) A regular expression matching the name of the WAF Rule Groups to lookup. -- `mode` - (Optional) Mode of the WAF Rule Groups to lookup. Valid values: on and off. - -## Attributes Reference - -- `groups` - A map of WAF Rule Groups details. Full list below: - -**groups** - -- `id` - The WAF Rule Group ID -- `name` - The WAF Rule Group name -- `description` - The WAF Rule Group description -- `mode` - The WAF Rule Group mode -- `rules_count` - The number of rules in the WAF Rule Group -- `modified_rules_count` - The number of modified rules in the WAF Rule Group -- `package_id` - The ID of the WAF Rule Package that contains the WAF Rule Group - -[1]: https://api.cloudflare.com/#waf-rule-groups-properties diff --git a/docs/data-sources/waf_packages.md b/docs/data-sources/waf_packages.md deleted file mode 100644 index fd8f97360e..0000000000 --- a/docs/data-sources/waf_packages.md +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -layout: "cloudflare" -page_title: "Cloudflare: cloudflare_waf_packages" -description: List available Cloudflare WAF Packages. ---- - -# cloudflare_waf_packages - -Use this data source to look up [WAF Rule Packages][1]. - -## Example Usage - -The example below matches all `high` sensitivity WAF Rule Packages, with a `challenge` action mode and an `anomaly` detection mode, that contain the word `example`. The matched WAF Rule Packages are then returned as output. - -```hcl -data "cloudflare_waf_packages" "test" { - filter { - name = ".*example.*" - detection_mode = "anomaly" - sensitivity = "high" - action_mode = "challenge" - } -} - -output "waf_packages" { - value = data.cloudflare_waf_packages.test.packages -} -``` - -## Argument Reference - -- `zone_id` - (Required) The ID of the DNS zone in which to search for the WAF Rule Packages. -- `filter` - (Optional) One or more values used to look up WAF Rule Packages. If more than one value is given all - values must match in order to be included, see below for full list. - -**filter** - -- `name` - (Optional) A regular expression matching the name of the WAF Rule Packages to lookup. -- `detection_mode` - (Optional) Detection mode of the WAF Rule Packages to lookup. -- `sensitivity` - (Optional) Sensitivity of the WAF Rule Packages to lookup. Valid values: high, medium, low and off. -- `action_mode` - (Optional) Action mode of the WAF Rule Packages to lookup. Valid values: simulate, block and challenge. - -## Attributes Reference - -- `packages` - A map of WAF Rule Packages details. Full list below: - -**packages** - -- `id` - The WAF Rule Package ID -- `name` - The WAF Rule Package name -- `description` - The WAF Rule Package description -- `detection_mode` - The WAF Rule Package detection mode -- `sensitivity` - The WAF Rule Package sensitivity -- `action_mode` - The WAF Rule Package action mode - -[1]: https://api.cloudflare.com/#waf-rule-packages-properties 
diff --git a/docs/data-sources/waf_rules.md b/docs/data-sources/waf_rules.md deleted file mode 100644 index 363ed648e2..0000000000 --- a/docs/data-sources/waf_rules.md +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -layout: "cloudflare" -page_title: "Cloudflare: cloudflare_waf_rules" -description: List available Cloudflare WAF Rules. ---- - -# cloudflare_waf_rules - -Use this data source to look up [WAF Rules][1]. - -## Example Usage - -The example below matches all WAF Rules that are in the group of ID `de677e5818985db1285d0e80225f06e5`, contain `example` in their description, and are currently `on`. The matched WAF Rules are then returned as output. - -```hcl -data "cloudflare_waf_rules" "test" { - zone_id = "ae36f999674d196762efcc5abb06b345" - package_id = "a25a9a7e9c00afc1fb2e0245519d725b" - - filter { - description = ".*example.*" - mode = "on" - group_id = "de677e5818985db1285d0e80225f06e5" - } -} - -output "waf_rules" { - value = data.cloudflare_waf_rules.test.rules -} -``` - -## Argument Reference - -- `zone_id` - (Required) The ID of the DNS zone in which to search for the WAF Rules. -- `package_id` - (Optional) The ID of the WAF Rule Package in which to search for the WAF Rules. -- `filter` - (Optional) One or more values used to look up WAF Rules. If more than one value is given all - values must match in order to be included, see below for full list. - -**filter** - -- `description` - (Optional) A regular expression matching the description of the WAF Rules to lookup. -- `mode` - (Optional) Mode of the WAF Rules to lookup. Valid values: one of ["block", "challenge", "default", "disable", "simulate"] or ["on", "off"] depending on the WAF Rule type. -- `group_id` - (Optional) The ID of the WAF Rule Group in which the WAF Rules to lookup have to be. - -## Attributes Reference - -- `rules` - A map of WAF Rules details. 
Full list below: - -**rules** - -- `id` - The WAF Rule ID -- `description` - The WAF Rule description -- `priority` - The WAF Rule priority -- `mode` - The WAF Rule mode -- `group_id` - The ID of the WAF Rule Group that contains the WAF Rule -- `group_name` - The Name of the WAF Rule Group that contains the WAF Rule -- `package_id` - The ID of the WAF Rule Package that contains the WAF Rule -- `allowed_modes` - The list of allowed `mode` values for the WAF Rule -- `default_mode` - The default `mode` value for the WAF Rule - -[1]: https://api.cloudflare.com/#waf-rule-groups-properties diff --git a/docs/resources/waf_group.md b/docs/resources/waf_group.md deleted file mode 100644 index ebcb6b4047..0000000000 --- a/docs/resources/waf_group.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -layout: "cloudflare" -page_title: "Cloudflare: cloudflare_waf_group" -description: Provides a Cloudflare WAF rule group resource for a particular zone. ---- - -# cloudflare_waf_group - -Provides a Cloudflare WAF rule group resource for a particular zone. This can be used to configure firewall behaviour for pre-defined firewall groups. - -## Example Usage - -```hcl -resource "cloudflare_waf_group" "honey_pot" { - group_id = "de677e5818985db1285d0e80225f06e5" - zone_id = "ae36f999674d196762efcc5abb06b345" - mode = "on" -} -``` - -## Argument Reference - -The following arguments are supported: - -- `zone_id` - (Required) The DNS zone ID to apply to. -- `group_id` - (Required) The WAF Rule Group ID. -- `package_id` - (Optional) The ID of the WAF Rule Package that contains the group. -- `mode` - (Optional) The mode of the group, can be one of ["on", "off"]. - -## Attributes Reference - -The following attributes are exported: - -- `id` - The WAF Rule Group ID, the same as `group_id`. -- `package_id` - The ID of the WAF Rule Package that contains the group. - -## Import - -WAF Rule Groups can be imported using a composite ID formed of zone ID and the WAF Rule Group ID, e.g. - -``` -$ terraform import cloudflare_waf_group.honey_pot ae36f999674d196762efcc5abb06b345/de677e5818985db1285d0e80225f06e5 -``` diff --git a/docs/resources/waf_override.md b/docs/resources/waf_override.md deleted file mode 100644 index 422e0d968e..0000000000 --- a/docs/resources/waf_override.md +++ /dev/null 
@@ -1,60 +0,0 @@ ---- -layout: "cloudflare" -page_title: "Cloudflare: cloudflare_waf_override" -description: Provides a Cloudflare WAF Override resource. ---- - -# cloudflare_waf_override - -Provides a Cloudflare WAF override resource. This enables the ability to toggle -WAF rules and groups on or off based on URIs. - -## Example Usage - -```hcl -resource "cloudflare_waf_override" "shop_ecxample" { - zone_id = "1d5fdc9e88c8a8c4518b068cd94331fe" - urls = [ - "example.com/no-waf-here", - "example.com/another/path/*" - ] - - # Disable rule ID 100015. - rules = { - "100015": "disable" - } - - # Set to Cloudflare default action for group ID ea8687e59929c1fd05ba97574ad43f77. - groups = { - "ea8687e59929c1fd05ba97574ad43f77": "default" - } - - # Update the actions for when a matching rule is encountered. - rewrite_action = { - "default": "block", - "challenge": "block", - } -} -``` - -## Argument Reference - -The following arguments are supported: - -- `zone_id` - (Required) The DNS zone to which the WAF override condition should be added. -- `urls` - (Required) An array of URLs to apply the WAF override to. -- `rules` - (Required) A list of WAF rule ID to rule action you intend to apply. -- `paused` - (Optional) Whether this package is currently paused. -- `description` - (Optional) Description of what the WAF override does. -- `priority` - (Optional) Relative priority of this configuration when multiple configurations match a single URL. -- `groups` - (Optional) Similar to `rules`; which WAF groups you want to alter. -- `rewrite_action` - (Optional) When a WAF rule matches, substitute its configured action for a different action specified by this definition. - -## Import - -WAF Overrides can be imported using a composite ID formed of zone -ID and override ID. - -``` -$ terraform import cloudflare_waf_override.my_example_waf_override 3abe5b950053dbddf1516d89f9ef1e8a/9d4e66d7649c178663bf62e06dbacb23 -``` 
diff --git a/docs/resources/waf_package.md b/docs/resources/waf_package.md deleted file mode 100644 index 3527d6c7ff..0000000000 --- a/docs/resources/waf_package.md +++ /dev/null @@ -1,43 +0,0 @@ ---- -layout: "cloudflare" -page_title: "Cloudflare: cloudflare_waf_package" -description: Provides a Cloudflare WAF rule package resource for a particular zone. ---- - -# cloudflare_waf_package - -Provides a Cloudflare WAF rule package resource for a particular zone. This can be used to configure firewall behaviour for pre-defined firewall packages. - -## Example Usage - -```hcl -resource "cloudflare_waf_package" "owasp" { - package_id = "a25a9a7e9c00afc1fb2e0245519d725b" - zone_id = "ae36f999674d196762efcc5abb06b345" - sensitivity = "medium" - action_mode = "simulate" -} -``` - -## Argument Reference - -The following arguments are supported: - -- `zone_id` - (Required) The DNS zone ID to apply to. -- `package_id` - (Required) The WAF Package ID. -- `sensitivity` - (Optional) The sensitivity of the package, can be one of ["high", "medium", "low", "off"]. -- `action_mode` - (Optional) The action mode of the package, can be one of ["block", "challenge", "simulate"]. - -## Attributes Reference - -The following attributes are exported: - -- `id` - The WAF Package ID, the same as package_id. - -## Import - -Packages can be imported using a composite ID formed of zone ID and the WAF Package ID, e.g. - -``` -$ terraform import cloudflare_waf_package.owasp ae36f999674d196762efcc5abb06b345/a25a9a7e9c00afc1fb2e0245519d725b -``` diff --git a/docs/resources/waf_rule.md b/docs/resources/waf_rule.md deleted file mode 100644 index 0c2e2ae600..0000000000 --- a/docs/resources/waf_rule.md +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -layout: "cloudflare" -page_title: "Cloudflare: cloudflare_waf_rule" -description: Provides a Cloudflare WAF rule resource for a particular zone. ---- - -# cloudflare_waf_rule - -Provides a Cloudflare WAF rule resource for a particular zone. This can be used to configure firewall behaviour for pre-defined firewall rules. - -## Example Usage - -```hcl -resource "cloudflare_waf_rule" "rule_100000" { - rule_id = "100000" - zone_id = "ae36f999674d196762efcc5abb06b345" - mode = "simulate" -} -``` - -## Argument Reference - -The following arguments are supported: - -- `zone_id` - (Required) The DNS zone ID to apply to. -- `rule_id` - (Required) The WAF Rule ID. -- `package_id` - (Optional) The ID of the WAF Rule Package that contains the rule. -- `mode` - (Required) The mode of the rule, can be one of ["block", "challenge", "default", "disable", "simulate"] or ["on", "off"] depending on the WAF Rule type. - -## Attributes Reference - -The following attributes are exported: - -- `id` - The WAF Rule ID, the same as rule_id. -- `package_id` - The ID of the WAF Rule Package that contains the rule. -- `group_id` - The ID of the WAF Rule Group that contains the rule. - -## Import - -Rules can be imported using a composite ID formed of zone ID and the WAF Rule ID, e.g. - -``` -$ terraform import cloudflare_waf_rule.100000 ae36f999674d196762efcc5abb06b345/100000 -``` diff --git a/internal/sdkv2provider/data_source_waf_groups.go b/internal/sdkv2provider/data_source_waf_groups.go deleted file mode 100644 index 41bb4afa11..0000000000 --- a/internal/sdkv2provider/data_source_waf_groups.go +++ /dev/null 
@@ -1,184 +0,0 @@ -package sdkv2provider - -import ( - "context" - "fmt" - "regexp" - - cloudflare "github.com/cloudflare/cloudflare-go" - "github.com/cloudflare/terraform-provider-cloudflare/internal/consts" - "github.com/hashicorp/terraform-plugin-log/tflog" - "github.com/hashicorp/terraform-plugin-sdk/v2/diag" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" -) - -func dataSourceCloudflareWAFGroups() *schema.Resource { - return &schema.Resource{ - ReadContext: dataSourceCloudflareWAFGroupsRead, - - Schema: map[string]*schema.Schema{ - consts.ZoneIDSchemaKey: { - Description: "The zone identifier to target for the resource.", - Type: schema.TypeString, - Required: true, - }, - - "package_id": { - Type: schema.TypeString, - Optional: true, - }, - - "filter": { - Type: schema.TypeList, - Optional: true, - MaxItems: 1, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "name": { - Type: schema.TypeString, - Optional: true, - }, - "mode": { - Type: schema.TypeString, - Optional: true, - ValidateFunc: validation.StringInSlice([]string{"on", "off"}, false), - }, - }, - }, - }, - - "groups": { - Type: schema.TypeList, - Computed: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "id": { - Type: schema.TypeString, - Optional: true, - }, - "name": { - Type: schema.TypeString, - Optional: true, - }, - "description": { - Type: schema.TypeString, - Optional: true, - }, - "mode": { - Type: schema.TypeString, - Optional: true, - }, - "rules_count": { - Type: schema.TypeInt, - Optional: true, - }, - "modified_rules_count": { - Type: schema.TypeInt, - Optional: true, - }, - "package_id": { - Type: schema.TypeString, - Optional: true, - }, - }, - }, - }, - }, - } -} - -func dataSourceCloudflareWAFGroupsRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { - client := meta.(*cloudflare.API) - zoneID := 
d.Get(consts.ZoneIDSchemaKey).(string) - - // Prepare the filters to be applied to the search - filter, err := expandFilterWAFGroups(d.Get("filter")) - if err != nil { - return diag.FromErr(err) - } - - // If no package ID is given, we will consider all for the zone - packageID := d.Get("package_id").(string) - var pkgList []cloudflare.WAFPackage - if packageID == "" { - var err error - tflog.Debug(ctx, fmt.Sprintf("Reading WAF Packages")) - pkgList, err = client.ListWAFPackages(ctx, zoneID) - if err != nil { - return diag.FromErr(err) - } - } else { - pkgList = append(pkgList, cloudflare.WAFPackage{ID: packageID}) - } - - tflog.Debug(ctx, fmt.Sprintf("Reading WAF Groups")) - groupIds := make([]string, 0) - groupDetails := make([]interface{}, 0) - for _, pkg := range pkgList { - groupList, err := client.ListWAFGroups(ctx, zoneID, pkg.ID) - if err != nil { - return diag.FromErr(err) - } - - for _, group := range groupList { - if filter.Name != nil && !filter.Name.Match([]byte(group.Name)) { - continue - } - - if filter.Mode != "" && filter.Mode != group.Mode { - continue - } - - groupDetails = append(groupDetails, map[string]interface{}{ - "id": group.ID, - "name": group.Name, - "description": group.Description, - "mode": group.Mode, - "rules_count": group.RulesCount, - "modified_rules_count": group.ModifiedRulesCount, - "package_id": pkg.ID, - }) - groupIds = append(groupIds, group.ID) - } - } - - err = d.Set("groups", groupDetails) - if err != nil { - return diag.FromErr(fmt.Errorf("error setting WAF groups: %w", err)) - } - - d.SetId(stringListChecksum(groupIds)) - return nil -} - -func expandFilterWAFGroups(d interface{}) (*searchFilterWAFGroups, error) { - cfg := d.([]interface{}) - filter := &searchFilterWAFGroups{} - if len(cfg) == 0 || cfg[0] == nil { - return filter, nil - } - - m := cfg[0].(map[string]interface{}) - name, ok := m["name"] - if ok { - match, err := regexp.Compile(name.(string)) - if err != nil { - return nil, err - } - - filter.Name = match 
- } - - mode, ok := m["mode"] - if ok { - filter.Mode = mode.(string) - } - - return filter, nil -} - -type searchFilterWAFGroups struct { - Name *regexp.Regexp - Mode string -} diff --git a/internal/sdkv2provider/data_source_waf_groups_test.go b/internal/sdkv2provider/data_source_waf_groups_test.go deleted file mode 100644 index 7b3694cc1f..0000000000 --- a/internal/sdkv2provider/data_source_waf_groups_test.go +++ /dev/null 
@@ -1,110 +0,0 @@ -package sdkv2provider - -import ( - "fmt" - "os" - "strings" - "testing" - - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" - "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" -) - -func TestAccCloudflareWAFGroups_NoFilter(t *testing.T) { - skipV1WAFTestForNonConfiguredDefaultZone(t) - - t.Parallel() - zoneID := os.Getenv("CLOUDFLARE_ZONE_ID") - rnd := generateRandomResourceName() - name := fmt.Sprintf("data.cloudflare_waf_groups.%s", rnd) - - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - ProviderFactories: providerFactories, - Steps: []resource.TestStep{ - { - Config: testAccCloudflareWAFGroupsConfig(zoneID, map[string]string{}, rnd), - Check: resource.ComposeTestCheckFunc( - testAccCheckCloudflareWAFGroupsDataSourceID(name), - resource.TestCheckResourceAttr(name, "groups.#", "30"), - ), - }, - }, - }) -} - -func TestAccCloudflareWAFGroups_MatchName(t *testing.T) { - skipV1WAFTestForNonConfiguredDefaultZone(t) - - t.Parallel() - zoneID := os.Getenv("CLOUDFLARE_ZONE_ID") - rnd := generateRandomResourceName() - name := fmt.Sprintf("data.cloudflare_waf_groups.%s", rnd) - - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - ProviderFactories: providerFactories, - Steps: []resource.TestStep{ - { - Config: testAccCloudflareWAFGroupsConfig(zoneID, map[string]string{"name": "OWASP.*"}, rnd), - Check: resource.ComposeTestCheckFunc( - testAccCheckCloudflareWAFGroupsDataSourceID(name), - resource.TestCheckResourceAttr(name, "groups.#", "20"), - ), - }, - }, - }) -} - -func TestAccCloudflareWAFGroups_MatchMode(t *testing.T) { - skipV1WAFTestForNonConfiguredDefaultZone(t) - - t.Parallel() - zoneID := os.Getenv("CLOUDFLARE_ZONE_ID") - rnd := generateRandomResourceName() - name := fmt.Sprintf("data.cloudflare_waf_groups.%s", rnd) - - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - ProviderFactories: providerFactories, - Steps: 
[]resource.TestStep{ - { - Config: testAccCloudflareWAFGroupsConfig(zoneID, map[string]string{"mode": "on"}, rnd), - Check: resource.ComposeTestCheckFunc( - testAccCheckCloudflareWAFGroupsDataSourceID(name), - ), - }, - }, - }) -} - -func testAccCheckCloudflareWAFGroupsDataSourceID(n string) resource.TestCheckFunc { - return func(s *terraform.State) error { - all := s.RootModule().Resources - rs, ok := all[n] - if !ok { - return fmt.Errorf("can't find WAF Groups data source: %s", n) - } - - if rs.Primary.ID == "" { - return fmt.Errorf("Snapshot WAF Groups source ID not set") - } - return nil - } -} - -func testAccCloudflareWAFGroupsConfig(zoneID string, filters map[string]string, name string) string { - filters_str := make([]string, 0, len(filters)) - for k, v := range filters { - filters_str = append(filters_str, fmt.Sprintf(`%[1]s = "%[2]s"`, k, v)) - } - - return fmt.Sprintf(` - data "cloudflare_waf_groups" "%[1]s" { - zone_id = "%[2]s" - - filter { - %[3]s - } - }`, name, zoneID, strings.Join(filters_str, "\n\t\t\t\t")) -} diff --git a/internal/sdkv2provider/data_source_waf_packages.go b/internal/sdkv2provider/data_source_waf_packages.go deleted file mode 100644 index bcda033ea9..0000000000 --- a/internal/sdkv2provider/data_source_waf_packages.go +++ /dev/null 
@@ -1,187 +0,0 @@ -package sdkv2provider - -import ( - "context" - "fmt" - "regexp" - - cloudflare "github.com/cloudflare/cloudflare-go" - "github.com/cloudflare/terraform-provider-cloudflare/internal/consts" - "github.com/hashicorp/terraform-plugin-log/tflog" - "github.com/hashicorp/terraform-plugin-sdk/v2/diag" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" -) - -func dataSourceCloudflareWAFPackages() *schema.Resource { - return &schema.Resource{ - ReadContext: dataSourceCloudflareWAFPackagesRead, - - Schema: map[string]*schema.Schema{ - consts.ZoneIDSchemaKey: { - Description: "The zone identifier to target for the resource.", - Type: schema.TypeString, - Required: true, - }, - - "filter": { - Type: schema.TypeList, - Optional: true, - MaxItems: 1, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "name": { - Type: schema.TypeString, - Optional: true, - }, - "detection_mode": { - Type: schema.TypeString, - Optional: true, - }, - "sensitivity": { - Type: schema.TypeString, - Optional: true, - ValidateFunc: validation.StringInSlice([]string{"high", "medium", "low", "off"}, false), - }, - "action_mode": { - Type: schema.TypeString, - Optional: true, - ValidateFunc: validation.StringInSlice([]string{"simulate", "block", "challenge"}, false), - }, - }, - }, - }, - - "packages": { - Type: schema.TypeList, - Computed: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "id": { - Type: schema.TypeString, - Optional: true, - }, - "name": { - Type: schema.TypeString, - Optional: true, - }, - "description": { - Type: schema.TypeString, - Optional: true, - }, - "detection_mode": { - Type: schema.TypeString, - Optional: true, - }, - "sensitivity": { - Type: schema.TypeString, - Optional: true, - }, - "action_mode": { - Type: schema.TypeString, - Optional: true, - }, - }, - }, - }, - }, - } -} - -func dataSourceCloudflareWAFPackagesRead(ctx context.Context, d 
*schema.ResourceData, meta interface{}) diag.Diagnostics { - client := meta.(*cloudflare.API) - zoneID := d.Get(consts.ZoneIDSchemaKey).(string) - - // Prepare the filters to be applied to the search - filter, err := expandFilterWAFPackages(d.Get("filter")) - if err != nil { - return diag.FromErr(err) - } - - tflog.Debug(ctx, fmt.Sprintf("Reading WAF Packages")) - packageIds := make([]string, 0) - packageDetails := make([]interface{}, 0) - pkgList, err := client.ListWAFPackages(ctx, zoneID) - if err != nil { - return diag.FromErr(err) - } - - for _, pkg := range pkgList { - if filter.Name != nil && !filter.Name.Match([]byte(pkg.Name)) { - continue - } - - if filter.DetectionMode != "" && filter.DetectionMode != pkg.DetectionMode { - continue - } - - if filter.Sensitivity != "" && filter.Sensitivity != pkg.Sensitivity { - continue - } - - if filter.ActionMode != "" && filter.ActionMode != pkg.ActionMode { - continue - } - - packageDetails = append(packageDetails, map[string]interface{}{ - "id": pkg.ID, - "name": pkg.Name, - "description": pkg.Description, - "detection_mode": pkg.DetectionMode, - "sensitivity": pkg.Sensitivity, - "action_mode": pkg.ActionMode, - }) - packageIds = append(packageIds, pkg.ID) - } - - err = d.Set("packages", packageDetails) - if err != nil { - return diag.FromErr(fmt.Errorf("error setting WAF packages: %w", err)) - } - - d.SetId(stringListChecksum(packageIds)) - return nil -} - -func expandFilterWAFPackages(d interface{}) (*searchFilterWAFPackages, error) { - cfg := d.([]interface{}) - filter := &searchFilterWAFPackages{} - if len(cfg) == 0 || cfg[0] == nil { - return filter, nil - } - - m := cfg[0].(map[string]interface{}) - name, ok := m["name"] - if ok { - match, err := regexp.Compile(name.(string)) - if err != nil { - return nil, err - } - - filter.Name = match - } - - detectionMode, ok := m["detection_mode"] - if ok { - filter.DetectionMode = detectionMode.(string) - } - - sensitivity, ok := m["sensitivity"] - if ok { - 
filter.Sensitivity = sensitivity.(string) - } - - actionMode, ok := m["action_mode"] - if ok { - filter.ActionMode = actionMode.(string) - } - - return filter, nil -} - -type searchFilterWAFPackages struct { - Name *regexp.Regexp - DetectionMode string - Sensitivity string - ActionMode string -} diff --git a/internal/sdkv2provider/data_source_waf_packages_test.go b/internal/sdkv2provider/data_source_waf_packages_test.go deleted file mode 100644 index c4abbffa92..0000000000 --- a/internal/sdkv2provider/data_source_waf_packages_test.go +++ /dev/null 
@@ -1,155 +0,0 @@
-package sdkv2provider
-
-import (
- "fmt"
- "os"
- "strings"
- "testing"
-
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
- "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
-)
-
-func TestAccCloudflareWAFPackages_NoFilter(t *testing.T) {
- skipV1WAFTestForNonConfiguredDefaultZone(t)
-
- t.Parallel()
- zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
- rnd := generateRandomResourceName()
- name := fmt.Sprintf("data.cloudflare_waf_packages.%s", rnd)
-
- resource.Test(t, resource.TestCase{
- PreCheck: func() { testAccPreCheck(t) },
- ProviderFactories: providerFactories,
- Steps: []resource.TestStep{
- {
- Config: testAccCloudflareWAFPackagesConfig(zoneID, map[string]string{}, rnd),
- Check: resource.ComposeTestCheckFunc(
- testAccCheckCloudflareWAFPackagesDataSourceID(name),
- resource.TestCheckResourceAttr(name, "packages.#", "3"),
- ),
- },
- },
- })
-}
-
-func TestAccCloudflareWAFPackages_MatchName(t *testing.T) {
- skipV1WAFTestForNonConfiguredDefaultZone(t)
-
- t.Parallel()
- zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
- rnd := generateRandomResourceName()
- name := fmt.Sprintf("data.cloudflare_waf_packages.%s", rnd)
-
- resource.Test(t, resource.TestCase{
- PreCheck: func() { testAccPreCheck(t) },
- ProviderFactories: providerFactories,
- Steps: []resource.TestStep{
- {
- Config: testAccCloudflareWAFPackagesConfig(zoneID, map[string]string{"name": "USER"}, rnd),
- Check: resource.ComposeTestCheckFunc(
- testAccCheckCloudflareWAFPackagesDataSourceID(name),
- resource.TestCheckResourceAttr(name, "packages.#", "1"),
- ),
- },
- },
- })
-}
-
-func TestAccCloudflareWAFPackages_MatchDetectionMode(t *testing.T) {
- skipV1WAFTestForNonConfiguredDefaultZone(t)
-
- t.Parallel()
- zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
- rnd := generateRandomResourceName()
- name := fmt.Sprintf("data.cloudflare_waf_packages.%s", rnd)
-
- resource.Test(t, resource.TestCase{
- PreCheck: func() { testAccPreCheck(t) },
- ProviderFactories: providerFactories,
- Steps: []resource.TestStep{
- {
- Config: testAccCloudflareWAFPackagesConfig(zoneID, map[string]string{"detection_mode": "traditional"}, rnd),
- Check: resource.ComposeTestCheckFunc(
- testAccCheckCloudflareWAFPackagesDataSourceID(name),
- resource.TestCheckResourceAttr(name, "packages.#", "2"),
- ),
- },
- },
- })
-}
-
-func TestAccCloudflareWAFPackages_MatchSensitivity(t *testing.T) {
- skipV1WAFTestForNonConfiguredDefaultZone(t)
-
- t.Parallel()
- zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
- rnd := generateRandomResourceName()
- name := fmt.Sprintf("data.cloudflare_waf_packages.%s", rnd)
-
- resource.Test(t, resource.TestCase{
- PreCheck: func() { testAccPreCheck(t) },
- ProviderFactories: providerFactories,
- Steps: []resource.TestStep{
- {
- Config: testAccCloudflareWAFPackagesConfig(zoneID, map[string]string{"sensitivity": "high"}, rnd),
- Check: resource.ComposeTestCheckFunc(
- testAccCheckCloudflareWAFPackagesDataSourceID(name),
- ),
- },
- },
- })
-}
-
-func TestAccCloudflareWAFPackages_MatchActionMode(t *testing.T) {
- skipV1WAFTestForNonConfiguredDefaultZone(t)
-
- t.Parallel()
- zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
- rnd := generateRandomResourceName()
- name := fmt.Sprintf("data.cloudflare_waf_packages.%s", rnd)
-
- resource.Test(t, resource.TestCase{
- PreCheck: func() { testAccPreCheck(t) },
- ProviderFactories: providerFactories,
- Steps: []resource.TestStep{
- {
- Config: testAccCloudflareWAFPackagesConfig(zoneID, map[string]string{"action_mode": "challenge"}, rnd),
- Check: resource.ComposeTestCheckFunc(
- testAccCheckCloudflareWAFPackagesDataSourceID(name),
- ),
- },
- },
- })
-}
-
-func testAccCheckCloudflareWAFPackagesDataSourceID(n string) resource.TestCheckFunc {
- return func(s *terraform.State) error {
- all := s.RootModule().Resources
- rs, ok := all[n]
- if !ok {
- return fmt.Errorf("can't find WAF Packages data source: %s", n)
- }
-
- if rs.Primary.ID == "" {
- return fmt.Errorf("Snapshot WAF Packages source ID not set")
- }
- return nil
- }
-}
-
-func testAccCloudflareWAFPackagesConfig(zoneID string, filters map[string]string, name string) string {
- filters_str := make([]string, 0, len(filters))
- for k, v := range filters {
- filters_str = append(filters_str, fmt.Sprintf(`%[1]s = "%[2]s"`, k, v))
- }
-
- return fmt.Sprintf(`
- data "cloudflare_waf_packages" "%[1]s" {
- zone_id = "%[2]s"
-
- filter {
- %[3]s
- }
- }`, name, zoneID, strings.Join(filters_str, "\n\t\t\t\t"))
-}
diff --git a/internal/sdkv2provider/data_source_waf_rules.go b/internal/sdkv2provider/data_source_waf_rules.go
deleted file mode 100644
index 1ab7e6d0c2..0000000000
--- a/internal/sdkv2provider/data_source_waf_rules.go
+++ /dev/null
@@ -1,222 +0,0 @@
-package sdkv2provider
-
-import (
- "context"
- "fmt"
- "regexp"
-
- cloudflare "github.com/cloudflare/cloudflare-go"
- "github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
- "github.com/hashicorp/terraform-plugin-log/tflog"
- "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-)
-
-func dataSourceCloudflareWAFRules() *schema.Resource {
- return &schema.Resource{
- ReadContext: dataSourceCloudflareWAFRulesRead,
-
- Schema: map[string]*schema.Schema{
- consts.ZoneIDSchemaKey: {
- Description: "The zone identifier to target for the resource.",
- Type: schema.TypeString,
- Required: true,
- },
-
- "package_id": {
- Type: schema.TypeString,
- Optional: true,
- },
-
- "filter": {
- Type: schema.TypeList,
- Optional: true,
- MaxItems: 1,
- Elem: &schema.Resource{
- Schema: map[string]*schema.Schema{
- "description": {
- Type: schema.TypeString,
- Optional: true,
- },
- "mode": {
- Type: schema.TypeString,
- Optional: true,
- },
- "group_id": {
- Type: schema.TypeString,
- Optional: true,
- },
- },
- },
- },
-
- "rules": {
- Type: schema.TypeList,
- Computed: true,
- Elem: &schema.Resource{
- Schema: map[string]*schema.Schema{
- "id": {
- Type: schema.TypeString,
- Optional: true,
- },
- "description": {
- Type: schema.TypeString,
- Optional: true,
- },
- "priority": {
- Type: schema.TypeString,
- Optional: true,
- },
- "mode": {
- Type: schema.TypeString,
- Optional: true,
- },
- "group_id": {
- Type: schema.TypeString,
- Optional: true,
- },
- "group_name": {
- Type: schema.TypeString,
- Optional: true,
- },
- "package_id": {
- Type: schema.TypeString,
- Optional: true,
- },
- "allowed_modes": {
- Type: schema.TypeList,
- Optional: true,
- Elem: &schema.Schema{
- Type: schema.TypeString,
- },
- },
- "default_mode": {
- Type: schema.TypeString,
- Optional: true,
- },
- },
- },
- },
- },
- }
-}
-
-func dataSourceCloudflareWAFRulesRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
-
- // Prepare the filters to be applied to the search
- filter, err := expandFilterWAFRules(d.Get("filter"))
- if err != nil {
- return diag.FromErr(err)
- }
-
- // If no package ID is given, we will consider all for the zone
- packageID := d.Get("package_id").(string)
- var pkgList []cloudflare.WAFPackage
- if packageID == "" {
- var err error
- tflog.Debug(ctx, fmt.Sprintf("Reading WAF Packages"))
- pkgList, err = client.ListWAFPackages(ctx, zoneID)
- if err != nil {
- return diag.FromErr(err)
- }
- } else {
- pkgList = append(pkgList, cloudflare.WAFPackage{ID: packageID})
- }
-
- tflog.Debug(ctx, fmt.Sprintf("Reading WAF Rules"))
- ruleIds := make([]string, 0)
- ruleDetails := make([]interface{}, 0)
- for _, pkg := range pkgList {
- ruleList, err := client.ListWAFRules(ctx, zoneID, pkg.ID)
- if err != nil {
- return diag.FromErr(err)
- }
-
- foundGroup := false
- for _, rule := range ruleList {
- if filter.GroupID != "" {
- if filter.GroupID != rule.Group.ID {
- continue
- }
-
- // Allows to stop querying the API faster
- foundGroup = true
- }
-
- if filter.Description != nil && !filter.Description.Match([]byte(rule.Description)) {
- continue
- }
-
- if filter.Mode != "" && filter.Mode != rule.Mode {
- continue
- }
-
- ruleDetails = append(ruleDetails, map[string]interface{}{
- "id": rule.ID,
- "description": rule.Description,
- "priority": rule.Priority,
- "mode": rule.Mode,
- "group_id": rule.Group.ID,
- "group_name": rule.Group.Name,
- "package_id": pkg.ID,
- "allowed_modes": rule.AllowedModes,
- "default_mode": rule.DefaultMode,
- })
- ruleIds = append(ruleIds, rule.ID)
- }
-
- if foundGroup {
- // We can stop looking further as a group is only part of a unique
- // package, meaning that if we found the group, no need to go look
- // at other packages
- break
- }
- }
-
- err = d.Set("rules", ruleDetails)
- if err != nil {
- return diag.FromErr(fmt.Errorf("error setting WAF rules: %w", err))
- }
-
- d.SetId(stringListChecksum(ruleIds))
- return nil
-}
-
-func expandFilterWAFRules(d interface{}) (*searchFilterWAFRules, error) {
- cfg := d.([]interface{})
- filter := &searchFilterWAFRules{}
- if len(cfg) == 0 || cfg[0] == nil {
- return filter, nil
- }
-
- m := cfg[0].(map[string]interface{})
- description, ok := m["description"]
- if ok {
- match, err := regexp.Compile(description.(string))
- if err != nil {
- return nil, err
- }
-
- filter.Description = match
- }
-
- mode, ok := m["mode"]
- if ok {
- filter.Mode = mode.(string)
- }
-
- groupID, ok := m["group_id"]
- if ok {
- filter.GroupID = groupID.(string)
- }
-
- return filter, nil
-}
-
-type searchFilterWAFRules struct {
- Description *regexp.Regexp
- Mode string
- GroupID string
-}
diff --git a/internal/sdkv2provider/data_source_waf_rules_test.go b/internal/sdkv2provider/data_source_waf_rules_test.go
deleted file mode 100644
index 5c660a58f3..0000000000
--- a/internal/sdkv2provider/data_source_waf_rules_test.go
+++ /dev/null
@@ -1,110 +0,0 @@
-package sdkv2provider
-
-import (
- "fmt"
- "os"
- "strings"
- "testing"
-
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
- "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
-)
-
-func TestAccCloudflareWAFRules_NoFilter(t *testing.T) {
- skipV1WAFTestForNonConfiguredDefaultZone(t)
-
- t.Parallel()
- zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
- rnd := generateRandomResourceName()
- name := fmt.Sprintf("data.cloudflare_waf_rules.%s", rnd)
-
- resource.Test(t, resource.TestCase{
- PreCheck: func() { testAccPreCheck(t) },
- ProviderFactories: providerFactories,
- Steps: []resource.TestStep{
- {
- Config: testAccCloudflareWAFRulesConfig(zoneID, map[string]string{}, rnd),
- Check: resource.ComposeTestCheckFunc(
- testAccCheckCloudflareWAFRulesDataSourceID(name),
- resource.TestCheckResourceAttrSet(name, "rules.#"),
- ),
- },
- },
- })
-}
-
-func TestAccCloudflareWAFRules_MatchDescription(t *testing.T) {
- skipV1WAFTestForNonConfiguredDefaultZone(t)
-
- t.Parallel()
- zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
- rnd := generateRandomResourceName()
- name := fmt.Sprintf("data.cloudflare_waf_rules.%s", rnd)
-
- resource.Test(t, resource.TestCase{
- PreCheck: func() { testAccPreCheck(t) },
- ProviderFactories: providerFactories,
- Steps: []resource.TestStep{
- {
- Config: testAccCloudflareWAFRulesConfig(zoneID, map[string]string{"description": "^SLR: .*"}, rnd),
- Check: resource.ComposeTestCheckFunc(
- testAccCheckCloudflareWAFRulesDataSourceID(name),
- resource.TestCheckResourceAttrSet(name, "rules.#"),
- ),
- },
- },
- })
-}
-
-func TestAccCloudflareWAFRules_MatchMode(t *testing.T) {
- skipV1WAFTestForNonConfiguredDefaultZone(t)
-
- t.Parallel()
- zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
- rnd := generateRandomResourceName()
- name := fmt.Sprintf("data.cloudflare_waf_rules.%s", rnd)
-
- resource.Test(t, resource.TestCase{
- PreCheck: func() { testAccPreCheck(t) },
- ProviderFactories: providerFactories,
- Steps: []resource.TestStep{
- {
- Config: testAccCloudflareWAFRulesConfig(zoneID, map[string]string{"mode": "on"}, rnd),
- Check: resource.ComposeTestCheckFunc(
- testAccCheckCloudflareWAFRulesDataSourceID(name),
- ),
- },
- },
- })
-}
-
-func testAccCheckCloudflareWAFRulesDataSourceID(n string) resource.TestCheckFunc {
- return func(s *terraform.State) error {
- all := s.RootModule().Resources
- rs, ok := all[n]
- if !ok {
- return fmt.Errorf("can't find WAF Rules data source: %s", n)
- }
-
- if rs.Primary.ID == "" {
- return fmt.Errorf("Snapshot WAF Rules source ID not set")
- }
- return nil
- }
-}
-
-func testAccCloudflareWAFRulesConfig(zoneID string, filters map[string]string, name string) string {
- filters_str := make([]string, 0, len(filters))
- for k, v := range filters {
- filters_str = append(filters_str, fmt.Sprintf(`%[1]s = "%[2]s"`, k, v))
- }
-
- return fmt.Sprintf(`
-data "cloudflare_waf_rules" "%[1]s" {
- zone_id = "%[2]s"
-
- filter {
- %[3]s
- }
-}`, name, zoneID, strings.Join(filters_str, "\n\t\t"))
-}
diff --git a/internal/sdkv2provider/import_cloudflare_waf_rule_test.go b/internal/sdkv2provider/import_cloudflare_waf_rule_test.go
deleted file mode 100644
index 6199fb893f..0000000000
--- a/internal/sdkv2provider/import_cloudflare_waf_rule_test.go
+++ /dev/null
@@ -1,35 +0,0 @@
-package sdkv2provider
-
-import (
- "fmt"
- "os"
- "testing"
-
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
-)
-
-func TestAccCloudflareWAFRule_Import(t *testing.T) {
- skipV1WAFTestForNonConfiguredDefaultZone(t)
-
- t.Parallel()
- zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
- ruleID := "100001"
- name := generateRandomResourceName()
-
- resource.Test(t, resource.TestCase{
- PreCheck: func() { testAccPreCheck(t) },
- ProviderFactories: providerFactories,
- CheckDestroy: testAccCheckCloudflareWAFRuleDestroy,
- Steps: []resource.TestStep{
- {
- Config: testAccCheckCloudflareWAFRuleConfig(zoneID, ruleID, "block", name),
- },
- {
- ResourceName: "cloudflare_waf_rule." + name,
- ImportStateIdPrefix: fmt.Sprintf("%s/", zoneID),
- ImportState: true,
- ImportStateVerify: true,
- },
- },
- })
-}
diff --git a/internal/sdkv2provider/provider.go b/internal/sdkv2provider/provider.go
index 51d1a8a639..306b3bdd14 100644
--- a/internal/sdkv2provider/provider.go
+++ b/internal/sdkv2provider/provider.go
@@ -162,9 +162,6 @@ func New(version string) func() *schema.Provider {
 "cloudflare_load_balancer_pools": dataSourceCloudflareLoadBalancerPools(),
 "cloudflare_origin_ca_root_certificate": dataSourceCloudflareOriginCARootCertificate(),
 "cloudflare_record": dataSourceCloudflareRecord(),
- "cloudflare_waf_groups": dataSourceCloudflareWAFGroups(),
- "cloudflare_waf_packages": dataSourceCloudflareWAFPackages(),
- "cloudflare_waf_rules": dataSourceCloudflareWAFRules(),
 "cloudflare_zone_dnssec": dataSourceCloudflareZoneDNSSEC(),
 "cloudflare_zone": dataSourceCloudflareZone(),
 "cloudflare_zones": dataSourceCloudflareZones(),
@@ -244,10 +241,6 @@ func New(version string) func() *schema.Provider {
 "cloudflare_tunnel": resourceCloudflareTunnel(),
 "cloudflare_url_normalization_settings": resourceCloudflareURLNormalizationSettings(),
 "cloudflare_user_agent_blocking_rule": resourceCloudflareUserAgentBlockingRules(),
- "cloudflare_waf_group": resourceCloudflareWAFGroup(),
- "cloudflare_waf_override": resourceCloudflareWAFOverride(),
- "cloudflare_waf_package": resourceCloudflareWAFPackage(),
- "cloudflare_waf_rule": resourceCloudflareWAFRule(),
 "cloudflare_waiting_room_event": resourceCloudflareWaitingRoomEvent(),
 "cloudflare_waiting_room_rules": resourceCloudflareWaitingRoomRules(),
 "cloudflare_waiting_room": resourceCloudflareWaitingRoom(),
diff --git a/internal/sdkv2provider/resource_cloudflare_waf_group.go b/internal/sdkv2provider/resource_cloudflare_waf_group.go
deleted file mode 100644
index fdb866a551..0000000000
--- a/internal/sdkv2provider/resource_cloudflare_waf_group.go
+++ /dev/null
@@ -1,179 +0,0 @@
-package sdkv2provider
-
-import (
- "context"
- "errors"
- "fmt"
- "strings"
-
- cloudflare "github.com/cloudflare/cloudflare-go"
- "github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
- "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-)
-
-func resourceCloudflareWAFGroup() *schema.Resource {
- return &schema.Resource{
- Schema: resourceCloudflareWAFGroupSchema(),
- CreateContext: resourceCloudflareWAFGroupCreate,
- ReadContext: resourceCloudflareWAFGroupRead,
- UpdateContext: resourceCloudflareWAFGroupUpdate,
- DeleteContext: resourceCloudflareWAFGroupDelete,
-
- Importer: &schema.ResourceImporter{
- StateContext: resourceCloudflareWAFGroupImport,
- },
- }
-}
-
-func resourceCloudflareWAFGroupRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
-
- groupID := d.Get("group_id").(string)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
- packageID := d.Get("package_id").(string)
-
- group, err := client.WAFGroup(ctx, zoneID, packageID, groupID)
- if err != nil {
- var requestError *cloudflare.RequestError
- if errors.As(err, &requestError) && (sliceContainsInt(requestError.ErrorCodes(), 1002) || sliceContainsInt(requestError.ErrorCodes(), 1003)) {
- d.SetId("")
- return nil
- }
-
- return diag.FromErr(err)
- }
-
- // Only need to set mode as that is the only attribute that could have changed
- d.Set("mode", group.Mode)
- d.SetId(group.ID)
-
- return nil
-}
-
-func resourceCloudflareWAFGroupCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
- groupID := d.Get("group_id").(string)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
- packageID := d.Get("package_id").(string)
- mode := d.Get("mode").(string)
-
- // If no package ID is given try to resolve it
- var pkgList []cloudflare.WAFPackage
- if packageID == "" {
- var err error
- pkgList, err = client.ListWAFPackages(ctx, zoneID)
- if err != nil {
- return diag.FromErr(err)
- }
- } else {
- pkgList = append(pkgList, cloudflare.WAFPackage{ID: packageID})
- }
-
- for _, pkg := range pkgList {
- var err error
- var group cloudflare.WAFGroup
-
- group, err = client.WAFGroup(ctx, zoneID, pkg.ID, groupID)
- if err != nil {
- continue
- }
-
- d.Set("group_id", group.ID)
- d.Set(consts.ZoneIDSchemaKey, zoneID)
- d.Set("package_id", pkg.ID)
-
- if group.Mode != mode {
- err := resourceCloudflareWAFGroupUpdate(ctx, d, meta)
- if err != nil {
- d.SetId("")
- return err
- }
- }
-
- return resourceCloudflareWAFGroupRead(ctx, d, meta)
- }
-
- return diag.FromErr(fmt.Errorf("unable to find WAF Group %s", groupID))
-}
-
-func resourceCloudflareWAFGroupDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
-
- groupID := d.Get("group_id").(string)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
- packageID := d.Get("package_id").(string)
-
- group, err := client.WAFGroup(ctx, zoneID, packageID, groupID)
- if err != nil {
- return diag.FromErr(err)
- }
-
- // Can't delete WAF Group so instead reset it to default
- schema := resourceCloudflareWAFGroup().Schema
- defaultMode := schema["mode"].Default.(string)
-
- if group.Mode != defaultMode {
- _, err = client.UpdateWAFGroup(ctx, zoneID, packageID, groupID, defaultMode)
- if err != nil {
- return diag.FromErr(err)
- }
- }
-
- return nil
-}
-
-func resourceCloudflareWAFGroupUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
-
- groupID := d.Get("group_id").(string)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
- mode := d.Get("mode").(string)
- packageID := d.Get("package_id").(string)
-
- // We can only update the mode of a WAF Group
- _, err := client.UpdateWAFGroup(ctx, zoneID, packageID, groupID, mode)
- if err != nil {
- return diag.FromErr(err)
- }
-
- return resourceCloudflareWAFGroupRead(ctx, d, meta)
-}
-
-func resourceCloudflareWAFGroupImport(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
- client := meta.(*cloudflare.API)
-
- // split the id so we can lookup
- idAttr := strings.SplitN(d.Id(), "/", 2)
- var zoneID string
- var groupID string
- if len(idAttr) == 2 {
- zoneID = idAttr[0]
- groupID = idAttr[1]
- } else {
- return nil, fmt.Errorf("invalid id (\"%s\") specified, should be in format \"zoneID/GroupID\" for import", d.Id())
- }
-
- pkgList, err := client.ListWAFPackages(ctx, zoneID)
- if err != nil {
- return nil, fmt.Errorf("error listing WAF packages: %w", err)
- }
-
- for _, pkg := range pkgList {
- group, err := client.WAFGroup(ctx, zoneID, pkg.ID, groupID)
- if err != nil {
- continue
- }
-
- d.Set("group_id", group.ID)
- d.Set(consts.ZoneIDSchemaKey, zoneID)
- d.Set("package_id", pkg.ID)
- d.Set("mode", group.Mode)
-
- d.SetId(group.ID)
-
- return []*schema.ResourceData{d}, nil
- }
-
- return nil, fmt.Errorf("Unable to find WAF Group %s", groupID)
-}
diff --git a/internal/sdkv2provider/resource_cloudflare_waf_group_test.go b/internal/sdkv2provider/resource_cloudflare_waf_group_test.go
deleted file mode 100644
index 980e3ec330..0000000000
--- a/internal/sdkv2provider/resource_cloudflare_waf_group_test.go
+++ /dev/null
@@ -1,114 +0,0 @@
-package sdkv2provider
-
-import (
- "context"
- "fmt"
- "os"
- "testing"
-
- cloudflare "github.com/cloudflare/cloudflare-go"
- "github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
- "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
-)
-
-func TestAccCloudflareWAFGroup_CreateThenUpdate(t *testing.T) {
- skipV1WAFTestForNonConfiguredDefaultZone(t)
-
- t.Parallel()
- zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
- groupID, err := testAccGetWAFGroup(zoneID)
- if err != nil {
- t.Errorf(err.Error())
- }
-
- rnd := generateRandomResourceName()
- name := fmt.Sprintf("cloudflare_waf_group.%s", rnd)
-
- resource.Test(t, resource.TestCase{
- PreCheck: func() { testAccPreCheck(t) },
- ProviderFactories: providerFactories,
- CheckDestroy: testAccCheckCloudflareWAFGroupDestroy,
- Steps: []resource.TestStep{
- {
- Config: testAccCheckCloudflareWAFGroupConfig(zoneID, groupID, "on", rnd),
- Check: resource.ComposeTestCheckFunc(
- resource.TestCheckResourceAttr(name, "group_id", groupID),
- resource.TestCheckResourceAttr(name, consts.ZoneIDSchemaKey, zoneID),
- resource.TestCheckResourceAttrSet(name, "package_id"),
- resource.TestCheckResourceAttr(name, "mode", "on"),
- ),
- },
- {
- Config: testAccCheckCloudflareWAFGroupConfig(zoneID, groupID, "off", rnd),
- Check: resource.ComposeTestCheckFunc(
- resource.TestCheckResourceAttr(name, "group_id", groupID),
- resource.TestCheckResourceAttr(name, consts.ZoneIDSchemaKey, zoneID),
- resource.TestCheckResourceAttrSet(name, "package_id"),
- resource.TestCheckResourceAttr(name, "mode", "off"),
- ),
- },
- },
- })
-}
-
-func testAccGetWAFGroup(zoneID string) (string, error) {
- if os.Getenv(resource.TestEnvVar) == "" {
- // Test will be skipped as acceptance tests are not enabled,
- // we thus don't need to use the client to grab a package ID
- return "", nil
- }
-
- client, err := sharedClient()
- if err != nil {
- return "", err
- }
-
- pkgList, err := client.ListWAFPackages(context.Background(), zoneID)
- if err != nil {
- return "", fmt.Errorf("Error while listing WAF packages: %w", err)
- }
-
- for _, pkg := range pkgList {
- groupList, err := client.ListWAFGroups(context.Background(), zoneID, pkg.ID)
- if err != nil {
- return "", fmt.Errorf("Error while listing WAF groups for WAF package %s: %w", pkg.ID, err)
- }
-
- for _, group := range groupList {
- return group.ID, nil
- }
- }
-
- return "", fmt.Errorf("No group found")
-}
-
-func testAccCheckCloudflareWAFGroupDestroy(s *terraform.State) error {
- client := testAccProvider.Meta().(*cloudflare.API)
-
- for _, rs := range s.RootModule().Resources {
- if rs.Type != "cloudflare_waf_group" {
- continue
- }
-
- group, err := client.WAFGroup(context.Background(), rs.Primary.Attributes[consts.ZoneIDSchemaKey], rs.Primary.Attributes["package_id"], rs.Primary.ID)
- if err != nil {
- return err
- }
-
- if group.Mode != "on" {
- return fmt.Errorf("expected mode to be reset to on, got: %s", group.Mode)
- }
- }
-
- return nil
-}
-
-func testAccCheckCloudflareWAFGroupConfig(zoneID, groupID, mode, name string) string {
- return fmt.Sprintf(`
- resource "cloudflare_waf_group" "%[4]s" {
- zone_id = "%[1]s"
- group_id = "%[2]s"
- mode = "%[3]s"
- }`, zoneID, groupID, mode, name)
-}
diff --git a/internal/sdkv2provider/resource_cloudflare_waf_override.go b/internal/sdkv2provider/resource_cloudflare_waf_override.go
deleted file mode 100644
index 1f2777c1d8..0000000000
--- a/internal/sdkv2provider/resource_cloudflare_waf_override.go
+++ /dev/null
@@ -1,175 +0,0 @@
-package sdkv2provider
-
-import (
- "context"
- "fmt"
- "strings"
-
- "github.com/cloudflare/cloudflare-go"
- "github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
- "github.com/hashicorp/terraform-plugin-log/tflog"
- "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-)
-
-func resourceCloudflareWAFOverride() *schema.Resource {
- return &schema.Resource{
- Schema: resourceCloudflareWAFOverrideSchema(),
- CreateContext: resourceCloudflareWAFOverrideCreate,
- ReadContext: resourceCloudflareWAFOverrideRead,
- UpdateContext: resourceCloudflareWAFOverrideUpdate,
- DeleteContext: resourceCloudflareWAFOverrideDelete,
- Importer: &schema.ResourceImporter{
- StateContext: resourceCloudflareWAFOverrideImport,
- },
- }
-}
-
-func resourceCloudflareWAFOverrideRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
-
- override, err := client.WAFOverride(ctx, zoneID, d.Id())
- if err != nil {
- if strings.Contains(err.Error(), "wafuriconfig.api.not_found") {
- tflog.Info(ctx, fmt.Sprintf("WAF override %s no longer exists", d.Id()))
- d.SetId("")
- return nil
- }
- return diag.FromErr(fmt.Errorf("failed to find WAF override %s: %w", d.Id(), err))
- }
-
- d.Set(consts.ZoneIDSchemaKey, zoneID)
- d.Set("urls", override.URLs)
- d.Set("paused", override.Paused)
- d.Set("description", override.Description)
- d.Set("priority", override.Priority)
-
- if len(override.Rules) != 0 {
- d.Set("rules", override.Rules)
- }
-
- if len(override.Groups) != 0 {
- d.Set("groups", override.Groups)
- }
-
- if len(override.RewriteAction) != 0 {
- d.Set("rewrite_action", override.RewriteAction)
- }
-
- d.Set("override_id", override.ID)
-
- return nil
-}
-
-func resourceCloudflareWAFOverrideCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
- newOverride, _ := buildWAFOverride(d)
-
- override, err := client.CreateWAFOverride(ctx, zoneID, newOverride)
- if err != nil {
- return diag.FromErr(fmt.Errorf("failed to create WAF override: %w", err))
- }
-
- d.SetId(override.ID)
-
- return resourceCloudflareWAFOverrideRead(ctx, d, meta)
-}
-
-func resourceCloudflareWAFOverrideUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
- overrideID := d.Get("override_id").(string)
- updatedOverride, _ := buildWAFOverride(d)
-
- _, err := client.UpdateWAFOverride(ctx, zoneID, overrideID, updatedOverride)
- if err != nil {
- return diag.FromErr(fmt.Errorf("failed to update WAF override: %w", err))
- }
-
- return resourceCloudflareWAFOverrideRead(ctx, d, meta)
-}
-
-func resourceCloudflareWAFOverrideDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
- overrideID := d.Get("override_id").(string)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
-
- err := client.DeleteWAFOverride(ctx, zoneID, overrideID)
- if err != nil {
- return diag.FromErr(fmt.Errorf("failed to delete WAF override ID %s: %w", overrideID, err))
- }
-
- return resourceCloudflareWAFOverrideRead(ctx, d, meta)
-}
-
-func resourceCloudflareWAFOverrideImport(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
- idAttr := strings.SplitN(d.Id(), "/", 2)
-
- if len(idAttr) != 2 {
- return nil, fmt.Errorf("invalid id (\"%s\") specified, should be in format \"zoneID/WAFOverrideID\"", d.Id())
- }
-
- zoneID, WAFOverrideID := idAttr[0], idAttr[1]
-
- tflog.Debug(ctx, fmt.Sprintf("Importing WAF override: id %s for zone %s", WAFOverrideID, zoneID))
-
- d.Set(consts.ZoneIDSchemaKey, zoneID)
- d.Set("override_id", WAFOverrideID)
- d.SetId(WAFOverrideID)
-
- resourceCloudflareWAFOverrideRead(ctx, d, meta)
-
- return []*schema.ResourceData{d}, nil
-}
-
-// buildWAFOverride centralises the creation of a WAFOverride struct which can
-// be reused between Create and Update methods to ensure consistent building of
-// the values.
-func buildWAFOverride(d *schema.ResourceData) (cloudflare.WAFOverride, error) {
- builtOverride := cloudflare.WAFOverride{}
-
- urls := d.Get("urls").([]interface{})
- for _, url := range urls {
- builtOverride.URLs = append(builtOverride.URLs, url.(string))
- }
-
- if rules, ok := d.GetOk("rules"); ok {
- rulesMap := make(map[string]string)
- for ruleID, state := range rules.(map[string]interface{}) {
- rulesMap[ruleID] = state.(string)
- }
- builtOverride.Rules = rulesMap
- }
-
- if pausedValue, ok := d.GetOk("paused"); ok {
- builtOverride.Paused = pausedValue.(bool)
- }
-
- if descriptionValue, ok := d.GetOk("description"); ok {
- builtOverride.Description = descriptionValue.(string)
- }
-
- if priorityValue, ok := d.GetOk("priority"); ok {
- builtOverride.Priority = priorityValue.(int)
- }
-
- if groupsValue, ok := d.GetOk("groups"); ok {
- groupsMap := make(map[string]string)
- for groupID, state := range groupsValue.(map[string]interface{}) {
- groupsMap[groupID] = state.(string)
- }
- builtOverride.Groups = groupsMap
- }
-
- if rewriteActionValue, ok := d.GetOk("rewrite_action"); ok {
- rewriteActions := make(map[string]string)
- for rewriteOriginal, rewriteWant := range rewriteActionValue.(map[string]interface{}) {
- rewriteActions[rewriteOriginal] = rewriteWant.(string)
- }
- builtOverride.RewriteAction = rewriteActions
- }
-
- return builtOverride, nil
-}
diff --git a/internal/sdkv2provider/resource_cloudflare_waf_override_test.go b/internal/sdkv2provider/resource_cloudflare_waf_override_test.go
deleted file mode 100644
index 4518542c34..0000000000
--- a/internal/sdkv2provider/resource_cloudflare_waf_override_test.go
+++ /dev/null
@@ -1,168 +0,0 @@ -package sdkv2provider - -import ( - "context" - "fmt" - "os" - "testing" - - "github.com/cloudflare/cloudflare-go" - "github.com/cloudflare/terraform-provider-cloudflare/internal/consts" - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" - "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" -) - -func TestAccCloudflareWAFOverrideCreateAndUpdate(t *testing.T) { - skipV1WAFTestForNonConfiguredDefaultZone(t) - - // Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the WAF - // overrides endpoint does not yet support the API tokens and it - // results in misleading state error messages. - if os.Getenv("CLOUDFLARE_API_TOKEN") != "" { - t.Setenv("CLOUDFLARE_API_TOKEN", "") - } - - zoneID := os.Getenv("CLOUDFLARE_ZONE_ID") - zoneName := os.Getenv("CLOUDFLARE_DOMAIN") - - rnd := generateRandomResourceName() - name := fmt.Sprintf("cloudflare_waf_override.%s", rnd) - - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - ProviderFactories: providerFactories, - CheckDestroy: testAccCheckCloudflareWAFOverrideDestroy, - Steps: []resource.TestStep{ - { - Config: testAccCheckCloudflareWAFOverrideBasicConfig(zoneID, zoneName, rnd), - Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttr(name, consts.ZoneIDSchemaKey, zoneID), - resource.TestCheckResourceAttr(name, "urls.#", "2"), - resource.TestCheckResourceAttr(name, "urls.0", fmt.Sprintf("%s/basic-waf-override", zoneName)), - resource.TestCheckResourceAttr(name, "urls.1", fmt.Sprintf("%s/another-basic-waf-override", zoneName)), - resource.TestCheckResourceAttr(name, "rules.100015", "disable"), - resource.TestCheckResourceAttr(name, "groups.ea8687e59929c1fd05ba97574ad43f77", "default"), - resource.TestCheckResourceAttr(name, "rewrite_action.default", "block"), - resource.TestCheckResourceAttr(name, "rewrite_action.challenge", "block"), - ), - }, - { - Config: testAccCheckCloudflareWAFOverrideBasicConfigUpdated(zoneID, zoneName, rnd), - Check: 
resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttr(name, consts.ZoneIDSchemaKey, zoneID), - resource.TestCheckResourceAttr(name, "urls.#", "1"), - resource.TestCheckResourceAttr(name, "urls.0", fmt.Sprintf("%s/basic-waf-override", zoneName)), - resource.TestCheckResourceAttr(name, "rules.100015", "disable"), - resource.TestCheckResourceAttr(name, "groups.ea8687e59929c1fd05ba97574ad43f77", "default"), - resource.TestCheckResourceAttr(name, "rewrite_action.default", "block"), - resource.TestCheckResourceAttr(name, "rewrite_action.challenge", "block"), - ), - }, - }, - }) -} - -func TestAccCloudflareWAFOverrideGroupOnly(t *testing.T) { - skipV1WAFTestForNonConfiguredDefaultZone(t) - - // Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the WAF - // overrides endpoint does not yet support the API tokens and it - // results in misleading state error messages. - if os.Getenv("CLOUDFLARE_API_TOKEN") != "" { - t.Setenv("CLOUDFLARE_API_TOKEN", "") - } - - zoneID := os.Getenv("CLOUDFLARE_ZONE_ID") - zoneName := os.Getenv("CLOUDFLARE_DOMAIN") - - rnd := generateRandomResourceName() - name := fmt.Sprintf("cloudflare_waf_override.%s", rnd) - - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - ProviderFactories: providerFactories, - CheckDestroy: testAccCheckCloudflareWAFOverrideDestroy, - Steps: []resource.TestStep{ - { - Config: testAccCheckCloudflareWAFOverrideGroupsOnlyConfig(zoneID, zoneName, rnd), - Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttr(name, consts.ZoneIDSchemaKey, zoneID), - resource.TestCheckResourceAttr(name, "urls.#", "1"), - resource.TestCheckResourceAttr(name, "urls.0", fmt.Sprintf("%s/group-only-override", zoneName)), - resource.TestCheckResourceAttr(name, "groups.ea8687e59929c1fd05ba97574ad43f77", "default"), - resource.TestCheckResourceAttr(name, "rewrite_action.default", "block"), - resource.TestCheckResourceAttr(name, "rewrite_action.challenge", "block"), - 
resource.TestCheckNoResourceAttr(name, "rules"), - ), - }, - }, - }) -} - -func testAccCheckCloudflareWAFOverrideBasicConfig(zoneID, zoneName, name string) string { - return fmt.Sprintf(` - resource "cloudflare_waf_override" "%[3]s" { - zone_id = "%[1]s" - urls = ["%[2]s/basic-waf-override", "%[2]s/another-basic-waf-override"] - rules = { - "100015": "disable" - } - groups = { - "ea8687e59929c1fd05ba97574ad43f77": "default" - } - rewrite_action = { - "default": "block", - "challenge": "block", - } - }`, zoneID, zoneName, name) -} - -func testAccCheckCloudflareWAFOverrideGroupsOnlyConfig(zoneID, zoneName, name string) string { - return fmt.Sprintf(` - resource "cloudflare_waf_override" "%[3]s" { - zone_id = "%[1]s" - urls = ["%[2]s/group-only-override"] - groups = { - "ea8687e59929c1fd05ba97574ad43f77": "default" - } - rewrite_action = { - "default": "block", - "challenge": "block", - } - }`, zoneID, zoneName, name) -} - -func testAccCheckCloudflareWAFOverrideBasicConfigUpdated(zoneID, zoneName, name string) string { - return fmt.Sprintf(` - resource "cloudflare_waf_override" "%[3]s" { - zone_id = "%[1]s" - urls = ["%[2]s/basic-waf-override"] - rules = { - "100015": "disable" - } - groups = { - "ea8687e59929c1fd05ba97574ad43f77": "default" - } - rewrite_action = { - "default": "block", - "challenge": "block", - } - }`, zoneID, zoneName, name) -} - -func testAccCheckCloudflareWAFOverrideDestroy(s *terraform.State) error { - client := testAccProvider.Meta().(*cloudflare.API) - - for _, rs := range s.RootModule().Resources { - if rs.Type != "cloudflare_waf_override" { - continue - } - - _, err := client.WAFOverride(context.Background(), rs.Primary.Attributes[consts.ZoneIDSchemaKey], rs.Primary.ID) - if err == nil { - return fmt.Errorf("WAFOverride still exists") - } - } - - return nil -} diff --git a/internal/sdkv2provider/resource_cloudflare_waf_package.go b/internal/sdkv2provider/resource_cloudflare_waf_package.go deleted file mode 100644 index f94a97a121..0000000000 
--- a/internal/sdkv2provider/resource_cloudflare_waf_package.go
+++ /dev/null
@@ -1,168 +0,0 @@
-package sdkv2provider
-
-import (
- "context"
- "errors"
- "fmt"
- "strings"
-
- cloudflare "github.com/cloudflare/cloudflare-go"
- "github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
- "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-)
-
-func resourceCloudflareWAFPackage() *schema.Resource {
- return &schema.Resource{
- Schema: resourceCloudflareWAFPackageSchema(),
- CreateContext: resourceCloudflareWAFPackageCreate,
- ReadContext: resourceCloudflareWAFPackageRead,
- UpdateContext: resourceCloudflareWAFPackageUpdate,
- DeleteContext: resourceCloudflareWAFPackageDelete,
-
- Importer: &schema.ResourceImporter{
- StateContext: resourceCloudflareWAFPackageImport,
- },
- }
-}
-
-func resourceCloudflareWAFPackageRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
-
- packageID := d.Get("package_id").(string)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
-
- pkg, err := client.WAFPackage(ctx, zoneID, packageID)
- if err != nil {
- var requestError *cloudflare.RequestError
- if errors.As(err, &requestError) && sliceContainsInt(requestError.ErrorCodes(), 1002) {
- d.SetId("")
- return nil
- }
-
- return diag.FromErr(err)
- }
-
- d.Set("sensitivity", pkg.Sensitivity)
- d.Set("action_mode", pkg.ActionMode)
- d.SetId(pkg.ID)
-
- return nil
-}
-
-func resourceCloudflareWAFPackageCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
-
- packageID := d.Get("package_id").(string)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
- sensitivity := d.Get("sensitivity").(string)
- actionMode := d.Get("action_mode").(string)
-
- pkg, err := client.WAFPackage(ctx, zoneID, packageID)
- if err != nil {
- return diag.FromErr(fmt.Errorf("unable to find WAF Package %s", packageID))
- }
-
- d.Set(consts.ZoneIDSchemaKey, zoneID)
- d.Set("package_id", packageID)
- d.Set("sensitivity", sensitivity)
- d.Set("action_mode", actionMode)
-
- // Set the ID to the package_id parameter passed in from the user.
- // All WAF packages already exist so we already know the package_id.
- //
- // This is a work around as we are not really "creating" a WAF Package,
- // only associating it with our terraform config for future updates.
- d.SetId(packageID)
-
- if pkg.Sensitivity != sensitivity || pkg.ActionMode != actionMode {
- err := resourceCloudflareWAFPackageUpdate(ctx, d, meta)
- if err != nil {
- d.SetId("")
- return err
- }
- }
-
- return nil
-}
-
-func resourceCloudflareWAFPackageDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
-
- packageID := d.Get("package_id").(string)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
-
- pkg, err := client.WAFPackage(ctx, zoneID, packageID)
- if err != nil {
- return diag.FromErr(err)
- }
-
- // Can't delete WAF Package so instead reset it to default
- schema := resourceCloudflareWAFPackage().Schema
- defaultSensitivity := schema["sensitivity"].Default.(string)
- defaultActionMode := schema["action_mode"].Default.(string)
-
- if pkg.Sensitivity != defaultSensitivity || pkg.ActionMode != defaultActionMode {
- options := cloudflare.WAFPackageOptions{
- Sensitivity: defaultSensitivity,
- ActionMode: defaultActionMode,
- }
-
- _, err = client.UpdateWAFPackage(ctx, zoneID, packageID, options)
- if err != nil {
- return diag.FromErr(err)
- }
- }
-
- return nil
-}
-
-func resourceCloudflareWAFPackageUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
-
- packageID := d.Get("package_id").(string)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
- sensitivity := d.Get("sensitivity").(string)
- actionMode := d.Get("action_mode").(string)
-
- options := cloudflare.WAFPackageOptions{
- Sensitivity: sensitivity,
- ActionMode: actionMode,
- }
-
- _, err := client.UpdateWAFPackage(ctx, zoneID, packageID, options)
- if err != nil {
- return diag.FromErr(err)
- }
-
- return nil
-}
-
-func resourceCloudflareWAFPackageImport(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
- client := meta.(*cloudflare.API)
-
- // split the id so we can lookup
- idAttr := strings.SplitN(d.Id(), "/", 2)
- var zoneID string
- var packageID string
- if len(idAttr) == 2 {
- zoneID = idAttr[0]
- packageID = idAttr[1]
- } else {
- return nil, fmt.Errorf("invalid id (\"%s\") specified, should be in format \"zoneID/PackageID\" for import", d.Id())
- }
-
- pkg, err := client.WAFPackage(ctx, zoneID, packageID)
- if err != nil {
- return nil, err
- }
-
- d.Set("package_id", pkg.ID)
- d.Set(consts.ZoneIDSchemaKey, zoneID)
- d.Set("sensitivity", pkg.Sensitivity)
- d.Set("action_mode", pkg.ActionMode)
-
- d.SetId(pkg.ID)
-
- return []*schema.ResourceData{d}, nil
-}
diff --git a/internal/sdkv2provider/resource_cloudflare_waf_package_test.go b/internal/sdkv2provider/resource_cloudflare_waf_package_test.go
deleted file mode 100644
index 0023c1456f..0000000000
--- a/internal/sdkv2provider/resource_cloudflare_waf_package_test.go
+++ /dev/null
@@ -1,113 +0,0 @@
-package sdkv2provider
-
-import (
- "context"
- "fmt"
- "os"
- "testing"
-
- cloudflare "github.com/cloudflare/cloudflare-go"
- "github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
- "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
-)
-
-func TestAccCloudflareWAFPackage_CreateThenUpdate(t *testing.T) {
- skipV1WAFTestForNonConfiguredDefaultZone(t)
-
- t.Parallel()
- zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
- packageID, err := testAccGetWAFPackage(zoneID)
- if err != nil {
- t.Errorf(err.Error())
- }
-
- rnd := generateRandomResourceName()
- name := fmt.Sprintf("cloudflare_waf_package.%s", rnd)
-
- resource.Test(t, resource.TestCase{
- PreCheck: func() { testAccPreCheck(t) },
- ProviderFactories: providerFactories,
- CheckDestroy: testAccCheckCloudflareWAFPackageDestroy,
- Steps: []resource.TestStep{
- {
- Config: testAccCheckCloudflareWAFPackageConfig(zoneID, packageID, "medium", "simulate", rnd),
- Check: resource.ComposeTestCheckFunc(
- resource.TestCheckResourceAttr(name, "package_id", packageID),
- resource.TestCheckResourceAttr(name, consts.ZoneIDSchemaKey, zoneID),
- resource.TestCheckResourceAttr(name, "sensitivity", "medium"),
- resource.TestCheckResourceAttr(name, "action_mode", "simulate"),
- ),
- },
- {
- Config: testAccCheckCloudflareWAFPackageConfig(zoneID, packageID, "low", "block", rnd),
- Check: resource.ComposeTestCheckFunc(
- resource.TestCheckResourceAttr(name, "package_id", packageID),
- resource.TestCheckResourceAttr(name, consts.ZoneIDSchemaKey, zoneID),
- resource.TestCheckResourceAttr(name, "sensitivity", "low"),
- resource.TestCheckResourceAttr(name, "action_mode", "block"),
- ),
- },
- },
- })
-}
-
-func testAccGetWAFPackage(zoneID string) (string, error) {
- if os.Getenv(resource.TestEnvVar) == "" {
- // Test will be skipped as acceptance tests are not enabled,
- // we thus don't need to use the client to grab a package ID
- return "", nil
- }
-
- client, err := sharedClient()
- if err != nil {
- return "", err
- }
-
- pkgList, err := client.ListWAFPackages(context.Background(), zoneID)
- if err != nil {
- return "", fmt.Errorf("Error while listing WAF packages: %w", err)
- }
-
- for _, pkg := range pkgList {
- if pkg.DetectionMode == "anomaly" {
- return pkg.ID, nil
- }
- }
-
- return "", fmt.Errorf("No anomaly package found")
-}
-
-func testAccCheckCloudflareWAFPackageDestroy(s *terraform.State) error {
- client := testAccProvider.Meta().(*cloudflare.API)
-
- for _, rs := range s.RootModule().Resources {
- if rs.Type != "cloudflare_waf_package" {
- continue
- }
-
- pkg, err := client.WAFPackage(context.Background(), rs.Primary.Attributes[consts.ZoneIDSchemaKey], rs.Primary.ID)
- if err != nil {
- return err
- }
-
- if pkg.Sensitivity != "high" {
- return fmt.Errorf("expected sensitivity to be reset to high, got: %s", pkg.Sensitivity)
- }
- if pkg.ActionMode != "challenge" {
- return fmt.Errorf("expected action_mode to be reset to challenge, got: %s", pkg.ActionMode)
- }
- }
-
- return nil
-}
-
-func testAccCheckCloudflareWAFPackageConfig(zoneID, packageID, sensitivity, actionMode, name string) string {
- return fmt.Sprintf(`
- resource "cloudflare_waf_package" "%[5]s" {
- zone_id = "%[1]s"
- package_id = "%[2]s"
- sensitivity = "%[3]s"
- action_mode = "%[4]s"
- }`, zoneID, packageID, sensitivity, actionMode, name)
-}
diff --git a/internal/sdkv2provider/resource_cloudflare_waf_rule.go b/internal/sdkv2provider/resource_cloudflare_waf_rule.go
deleted file mode 100644
index 255c8810ee..0000000000
--- a/internal/sdkv2provider/resource_cloudflare_waf_rule.go
+++ /dev/null
@@ -1,188 +0,0 @@
-package sdkv2provider
-
-import (
- "context"
- "errors"
- "fmt"
- "strings"
-
- cloudflare "github.com/cloudflare/cloudflare-go"
- "github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
- "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-)
-
-func resourceCloudflareWAFRule() *schema.Resource {
- return &schema.Resource{
- Schema: resourceCloudflareWAFRuleSchema(),
- CreateContext: resourceCloudflareWAFRuleCreate,
- ReadContext: resourceCloudflareWAFRuleRead,
- UpdateContext: resourceCloudflareWAFRuleUpdate,
- DeleteContext: resourceCloudflareWAFRuleDelete,
-
- Importer: &schema.ResourceImporter{
- StateContext: resourceCloudflareWAFRuleImport,
- },
- }
-}
-
-func resourceCloudflareWAFRuleRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
-
- ruleID := d.Get("rule_id").(string)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
- packageID := d.Get("package_id").(string)
-
- rule, err := client.WAFRule(ctx, zoneID, packageID, ruleID)
- if err != nil {
- var requestError *cloudflare.RequestError
- if errors.As(err, &requestError) && (sliceContainsInt(requestError.ErrorCodes(), 1002) || sliceContainsInt(requestError.ErrorCodes(), 1004)) {
- d.SetId("")
- return nil
- }
-
- return diag.FromErr(err)
- }
-
- // Only need to set mode as that is the only attribute that could have changed
- d.Set("mode", rule.Mode)
- d.Set("group_id", rule.Group.ID)
- d.SetId(rule.ID)
-
- return nil
-}
-
-func resourceCloudflareWAFRuleCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
- ruleID := d.Get("rule_id").(string)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
- packageID := d.Get("package_id").(string)
- mode := d.Get("mode").(string)
-
- // If no package ID is given try to resolve it
- var pkgList []cloudflare.WAFPackage
- if packageID == "" {
- var err error
- pkgList, err = client.ListWAFPackages(ctx, zoneID)
- if err != nil {
- return diag.FromErr(err)
- }
- } else {
- pkgList = append(pkgList, cloudflare.WAFPackage{ID: packageID})
- }
-
- for _, pkg := range pkgList {
- var err error
- var rule cloudflare.WAFRule
-
- rule, err = client.WAFRule(ctx, zoneID, pkg.ID, ruleID)
- if err != nil {
- continue
- }
-
- d.Set("rule_id", rule.ID)
- d.Set(consts.ZoneIDSchemaKey, zoneID)
- d.Set("group_id", rule.Group.ID)
- d.Set("package_id", pkg.ID)
-
- if rule.Mode != mode {
- err := resourceCloudflareWAFRuleUpdate(ctx, d, meta)
- if err != nil {
- d.SetId("")
- return err
- }
- }
-
- return resourceCloudflareWAFRuleRead(ctx, d, meta)
- }
-
- return diag.FromErr(fmt.Errorf("unable to find WAF Rule %s", ruleID))
-}
-
-func resourceCloudflareWAFRuleDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
-
- ruleID := d.Get("rule_id").(string)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
- packageID := d.Get("package_id").(string)
-
- rule, err := client.WAFRule(ctx, zoneID, packageID, ruleID)
- if err != nil {
- return diag.FromErr(err)
- }
-
- // Find the default mode to be used
- defaultMode := "default"
- if !contains(rule.AllowedModes, defaultMode) {
- defaultMode = "on"
- }
-
- // Can't delete WAF Rule so instead reset it to default
- if rule.Mode != defaultMode {
- _, err = client.UpdateWAFRule(ctx, zoneID, packageID, ruleID, defaultMode)
- if err != nil {
- return diag.FromErr(err)
- }
- }
-
- return nil
-}
-
-func resourceCloudflareWAFRuleUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
- client := meta.(*cloudflare.API)
-
- ruleID := d.Get("rule_id").(string)
- zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
- mode := d.Get("mode").(string)
- packageID := d.Get("package_id").(string)
-
- // We can only update the mode of a WAF Rule
- _, err := client.UpdateWAFRule(ctx, zoneID, packageID, ruleID, mode)
- if err != nil {
- return diag.FromErr(err)
- }
-
- return resourceCloudflareWAFRuleRead(ctx, d, meta)
-}
-
-func resourceCloudflareWAFRuleImport(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
- client := meta.(*cloudflare.API)
-
- // split the id so we can lookup
- idAttr := strings.SplitN(d.Id(), "/", 2)
- var zoneID string
- var WAFID string
- if len(idAttr) == 2 {
- zoneID = idAttr[0]
- WAFID = idAttr[1]
- } else {
- return nil, fmt.Errorf("invalid id (\"%s\") specified, should be in format \"zoneID/WAFID\" for import", d.Id())
- }
-
- packs, err := client.ListWAFPackages(ctx, zoneID)
- if err != nil {
- return nil, fmt.Errorf("error listing WAF packages: %w", err)
- }
-
- for _, p := range packs {
- rule, err := client.WAFRule(ctx, zoneID, p.ID, WAFID)
- if err == nil {
- d.Set("rule_id", rule.ID)
- d.Set(consts.ZoneIDSchemaKey, zoneID)
- d.Set("package_id", rule.PackageID)
- d.Set("group_id", rule.Group.ID)
- d.Set("mode", rule.Mode)
-
- // The ID is known by the user in advance
- d.SetId(WAFID)
- }
- }
-
- if d.Id() != WAFID {
- return nil, fmt.Errorf("Unable to find WAF Rule %s", WAFID)
- }
-
- resourceCloudflareWAFRuleRead(ctx, d, meta)
-
- return []*schema.ResourceData{d}, nil
-}
diff --git a/internal/sdkv2provider/resource_cloudflare_waf_rule_test.go b/internal/sdkv2provider/resource_cloudflare_waf_rule_test.go
deleted file mode 100644
index 153cf6e6b7..0000000000
--- a/internal/sdkv2provider/resource_cloudflare_waf_rule_test.go
+++ /dev/null
@@ -1,119 +0,0 @@
-package sdkv2provider
-
-import (
- "context"
- "fmt"
- "os"
- "testing"
-
- cloudflare "github.com/cloudflare/cloudflare-go"
- "github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
- "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
-)
-
-func TestAccCloudflareWAFRule_CreateThenUpdate(t *testing.T) {
- skipV1WAFTestForNonConfiguredDefaultZone(t)
-
- t.Parallel()
- zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
- ruleID := "100000"
- rnd := generateRandomResourceName()
- name := fmt.Sprintf("cloudflare_waf_rule.%s", rnd)
-
- resource.Test(t, resource.TestCase{
- PreCheck: func() { testAccPreCheck(t) },
- ProviderFactories: providerFactories,
- CheckDestroy: testAccCheckCloudflareWAFRuleDestroy,
- Steps: []resource.TestStep{
- {
- Config: testAccCheckCloudflareWAFRuleConfig(zoneID, ruleID, "simulate", rnd),
- Check: resource.ComposeTestCheckFunc(
- resource.TestCheckResourceAttr(name, "rule_id", ruleID),
- resource.TestCheckResourceAttr(name, consts.ZoneIDSchemaKey, zoneID),
- resource.TestCheckResourceAttrSet(name, "package_id"),
- resource.TestCheckResourceAttrSet(name, "group_id"),
- resource.TestCheckResourceAttr(name, "mode", "simulate"),
- ),
- },
- {
- Config: testAccCheckCloudflareWAFRuleConfig(zoneID, ruleID, "challenge", rnd),
- Check: resource.ComposeTestCheckFunc(
- resource.TestCheckResourceAttr(name, "rule_id", ruleID),
- resource.TestCheckResourceAttr(name, consts.ZoneIDSchemaKey, zoneID),
- resource.TestCheckResourceAttrSet(name, "package_id"),
- resource.TestCheckResourceAttrSet(name, "group_id"),
- resource.TestCheckResourceAttr(name, "mode", "challenge"),
- ),
- },
- },
- })
-}
-
-func TestAccCloudflareWAFRule_CreateThenUpdate_SimpleModes(t *testing.T) {
- skipV1WAFTestForNonConfiguredDefaultZone(t)
-
- t.Parallel()
- zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
- ruleID := "950000"
- rnd := generateRandomResourceName()
- name := fmt.Sprintf("cloudflare_waf_rule.%s", rnd)
-
- resource.Test(t, resource.TestCase{
- PreCheck: func() { testAccPreCheck(t) },
- ProviderFactories: providerFactories,
- CheckDestroy: testAccCheckCloudflareWAFRuleDestroy,
- Steps: []resource.TestStep{
- {
- Config: testAccCheckCloudflareWAFRuleConfig(zoneID, ruleID, "on", rnd),
- Check: resource.ComposeTestCheckFunc(
- resource.TestCheckResourceAttr(name, "rule_id", ruleID),
- resource.TestCheckResourceAttr(name, consts.ZoneIDSchemaKey, zoneID),
- resource.TestCheckResourceAttrSet(name, "package_id"),
- resource.TestCheckResourceAttrSet(name, "group_id"),
- resource.TestCheckResourceAttr(name, "mode", "on"),
- ),
- },
- {
- Config: testAccCheckCloudflareWAFRuleConfig(zoneID, ruleID, "off", rnd),
- Check: resource.ComposeTestCheckFunc(
- resource.TestCheckResourceAttr(name, "rule_id", ruleID),
- resource.TestCheckResourceAttr(name, consts.ZoneIDSchemaKey, zoneID),
- resource.TestCheckResourceAttrSet(name, "package_id"),
- resource.TestCheckResourceAttrSet(name, "group_id"),
- resource.TestCheckResourceAttr(name, "mode", "off"),
- ),
- },
- },
- })
-}
-
-func testAccCheckCloudflareWAFRuleDestroy(s *terraform.State) error {
- client := testAccProvider.Meta().(*cloudflare.API)
-
- for _, rs := range s.RootModule().Resources {
- if rs.Type != "cloudflare_waf_rule" {
- continue
- }
-
- rule, err := client.WAFRule(context.Background(), rs.Primary.Attributes[consts.ZoneIDSchemaKey], rs.Primary.Attributes["package_id"], rs.Primary.ID)
- if err != nil {
- return err
- }
-
- if rule.Mode != "default" && rule.Mode != "on" {
- return fmt.Errorf("expected mode to be reset to default, got: %s", rule.Mode)
- }
- }
-
- return nil
-}
-
-func testAccCheckCloudflareWAFRuleConfig(zoneID, ruleID, mode, name string) string {
- return fmt.Sprintf(`
- resource "cloudflare_waf_rule" "%[4]s" {
- rule_id = %[2]s
- zone_id = "%[1]s"
- mode = "%[3]s"
- }`, zoneID, ruleID, mode, name)
-}
diff --git a/internal/sdkv2provider/resource_cloudflare_zone_lockdown_test.go b/internal/sdkv2provider/resource_cloudflare_zone_lockdown_test.go
index 8c8a50f567..af04033d55 100644
--- a/internal/sdkv2provider/resource_cloudflare_zone_lockdown_test.go
+++ b/internal/sdkv2provider/resource_cloudflare_zone_lockdown_test.go
@@ -66,7 +66,6 @@ func TestAccCloudflareZoneLockdown_Import(t *testing.T) {
 resource.Test(t, resource.TestCase{
 PreCheck: func() { testAccPreCheck(t) },
 ProviderFactories: providerFactories,
- CheckDestroy: testAccCheckCloudflareWAFRuleDestroy,
 Steps: []resource.TestStep{
 {
 Config: testCloudflareZoneLockdownConfig(rnd, zoneID, "false", "1", "this is notes", rnd+"."+zoneName+"/*", "ip", "198.51.100.4"),
diff --git a/internal/sdkv2provider/schema_cloudflare_waf_group.go b/internal/sdkv2provider/schema_cloudflare_waf_group.go
deleted file mode 100644
index 98fa9a3ca2..0000000000
--- a/internal/sdkv2provider/schema_cloudflare_waf_group.go
+++ /dev/null
@@ -1,37 +0,0 @@
-package sdkv2provider
-
-import (
- "github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
-)
-
-func resourceCloudflareWAFGroupSchema() map[string]*schema.Schema {
- return map[string]*schema.Schema{
- "group_id": {
- Type: schema.TypeString,
- Required: true,
- ForceNew: true,
- },
-
- consts.ZoneIDSchemaKey: {
- Description: "The zone identifier to target for the resource.",
- Type: schema.TypeString,
- Required: true,
- ForceNew: true,
- },
-
- "package_id": {
- Type: schema.TypeString,
- Optional: true,
- Computed: true,
- },
-
- "mode": {
- Type: schema.TypeString,
- Optional: true,
- Default: "on",
- ValidateFunc: validation.StringInSlice([]string{"on", "off"}, false),
- },
- }
-}
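Review bot: With `CheckDestroy` dropped from the `resource.TestCase` in `TestAccCloudflareZoneLockdown_Import`, this acceptance test no longer verifies anything after teardown, so a lockdown rule left behind in the test zone would go unnoticed. The removed helper was the WAF-rule one, which only inspects `cloudflare_waf_rule` resources, so it never covered lockdowns and removing it is correct; the field should be pointed at a lockdown-specific check rather than left out, e.g. `CheckDestroy: <zone-lockdown destroy check>,` (placeholder — use the file's own helper if one exists, which this hunk does not show). Such a check would look the lockdown up by ID and fail when it is still returned. The test body continues outside the hunk.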
diff --git a/internal/sdkv2provider/schema_cloudflare_waf_override.go b/internal/sdkv2provider/schema_cloudflare_waf_override.go
deleted file mode 100644
index fa13f577ec..0000000000
--- a/internal/sdkv2provider/schema_cloudflare_waf_override.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package sdkv2provider
-
-import (
- "github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
-)
-
-func resourceCloudflareWAFOverrideSchema() map[string]*schema.Schema {
- return map[string]*schema.Schema{
- consts.ZoneIDSchemaKey: {
- Description: "The zone identifier to target for the resource.",
- Type: schema.TypeString,
- Required: true,
- },
- "urls": {
- Required: true,
- Type: schema.TypeList,
- Elem: &schema.Schema{
- Type: schema.TypeString,
- },
- },
- "rules": {
- Optional: true,
- Type: schema.TypeMap,
- Elem: &schema.Schema{
- Type: schema.TypeString,
- },
- },
- "paused": {
- Type: schema.TypeBool,
- Optional: true,
- },
- "description": {
- Type: schema.TypeString,
- Optional: true,
- },
- "priority": {
- Type: schema.TypeInt,
- Optional: true,
- ValidateFunc: validation.IntBetween(-1000000000, 1000000000),
- },
- "groups": {
- Optional: true,
- Type: schema.TypeMap,
- Elem: &schema.Schema{
- Type: schema.TypeString,
- },
- },
- "rewrite_action": {
- Optional: true,
- Type: schema.TypeMap,
- Elem: &schema.Schema{
- Type: schema.TypeString,
- },
- },
- "override_id": {
- Type: schema.TypeString,
- Computed: true,
- },
- }
-}
diff --git a/internal/sdkv2provider/schema_cloudflare_waf_package.go b/internal/sdkv2provider/schema_cloudflare_waf_package.go
deleted file mode 100644
index 62707acd21..0000000000
--- a/internal/sdkv2provider/schema_cloudflare_waf_package.go
+++ /dev/null
@@ -1,38 +0,0 @@
-package sdkv2provider
-
-import (
- "github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
-)
-
-func resourceCloudflareWAFPackageSchema() map[string]*schema.Schema {
- return map[string]*schema.Schema{
- "package_id": {
- Type: schema.TypeString,
- Required: true,
- ForceNew: true,
- },
-
- consts.ZoneIDSchemaKey: {
- Description: "The zone identifier to target for the resource.",
- Type: schema.TypeString,
- Required: true,
- ForceNew: true,
- },
-
- "sensitivity": {
- Type: schema.TypeString,
- Optional: true,
- Default: "high",
- ValidateFunc: validation.StringInSlice([]string{"high", "medium", "low", "off"}, false),
- },
-
- "action_mode": {
- Type: schema.TypeString,
- Optional: true,
- Default: "challenge",
- ValidateFunc: validation.StringInSlice([]string{"simulate", "block", "challenge"}, false),
- },
- }
-}
diff --git a/internal/sdkv2provider/schema_cloudflare_waf_rule.go b/internal/sdkv2provider/schema_cloudflare_waf_rule.go
deleted file mode 100644
index 7277448b14..0000000000
--- a/internal/sdkv2provider/schema_cloudflare_waf_rule.go
+++ /dev/null
@@ -1,37 +0,0 @@
-package sdkv2provider
-
-import (
- "github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-)
-
-func resourceCloudflareWAFRuleSchema() map[string]*schema.Schema {
- return map[string]*schema.Schema{
- "rule_id": {
- Type: schema.TypeString,
- Required: true,
- },
-
- consts.ZoneIDSchemaKey: {
- Description: "The zone identifier to target for the resource.",
- Type: schema.TypeString,
- Required: true,
- },
-
- "group_id": {
- Type: schema.TypeString,
- Computed: true,
- },
-
- "package_id": {
- Type: schema.TypeString,
- Optional: true,
- Computed: true,
- },
-
- "mode": {
- Type: schema.TypeString,
- Required: true,
- },
- }
-}
diff --git a/templates/data-sources/waf_groups.md b/templates/data-sources/waf_groups.md deleted file mode 100644 index b71b401594..0000000000 --- a/templates/data-sources/waf_groups.md +++ /dev/null @@ -1,54 +0,0 @@ ---- -layout: "cloudflare" -page_title: "Cloudflare: cloudflare_waf_groups" -description: List available Cloudflare WAF Groups. ---- - -# cloudflare_waf_groups - -Use this data source to look up [WAF Rule Groups][1]. - -## Example Usage - -The example below matches all WAF Rule Groups that contain the word `example` and are currently `on`. The matched WAF Rule Groups are then returned as output. - -```hcl -data "cloudflare_waf_groups" "test" { - filter { - name = ".*example.*" - mode = "on" - } -} - -output "waf_groups" { - value = data.cloudflare_waf_groups.test.groups -} -``` - -## Argument Reference - -- `zone_id` - (Required) The ID of the DNS zone in which to search for the WAF Rule Groups. -- `package_id` - (Optional) The ID of the WAF Rule Package in which to search for the WAF Rule Groups. -- `filter` - (Optional) One or more values used to look up WAF Rule Groups. If more than one value is given all - values must match in order to be included, see below for full list. - -**filter** - -- `name` - (Optional) A regular expression matching the name of the WAF Rule Groups to lookup. -- `mode` - (Optional) Mode of the WAF Rule Groups to lookup. Valid values: on and off. - -## Attributes Reference - -- `groups` - A map of WAF Rule Groups details. Full list below: - -**groups** - -- `id` - The WAF Rule Group ID -- `name` - The WAF Rule Group name -- `description` - The WAF Rule Group description -- `mode` - The WAF Rule Group mode -- `rules_count` - The number of rules in the WAF Rule Group -- `modified_rules_count` - The number of modified rules in the WAF Rule Group -- `package_id` - The ID of the WAF Rule Package that contains the WAF Rule Group - -[1]: https://api.cloudflare.com/#waf-rule-groups-properties 
diff --git a/templates/data-sources/waf_packages.md b/templates/data-sources/waf_packages.md
deleted file mode 100644
index fd8f97360e..0000000000
--- a/templates/data-sources/waf_packages.md
+++ /dev/null
@@ -1,56 +0,0 @@ ---- -layout: "cloudflare" -page_title: "Cloudflare: cloudflare_waf_packages" -description: List available Cloudflare WAF Packages. ---- - -# cloudflare_waf_packages - -Use this data source to look up [WAF Rule Packages][1]. - -## Example Usage - -The example below matches all `high` sensitivity WAF Rule Packages, with a `challenge` action mode and an `anomaly` detection mode, that contain the word `example`. The matched WAF Rule Packages are then returned as output. - -```hcl -data "cloudflare_waf_packages" "test" { - filter { - name = ".*example.*" - detection_mode = "anomaly" - sensitivity = "high" - action_mode = "challenge" - } -} - -output "waf_packages" { - value = data.cloudflare_waf_packages.test.packages -} -``` - -## Argument Reference - -- `zone_id` - (Required) The ID of the DNS zone in which to search for the WAF Rule Packages. -- `filter` - (Optional) One or more values used to look up WAF Rule Packages. If more than one value is given all - values must match in order to be included, see below for full list. - -**filter** - -- `name` - (Optional) A regular expression matching the name of the WAF Rule Packages to lookup. -- `detection_mode` - (Optional) Detection mode of the WAF Rule Packages to lookup. -- `sensitivity` - (Optional) Sensitivity of the WAF Rule Packages to lookup. Valid values: high, medium, low and off. -- `action_mode` - (Optional) Action mode of the WAF Rule Packages to lookup. Valid values: simulate, block and challenge. - -## Attributes Reference - -- `packages` - A map of WAF Rule Packages details. Full list below: - -**packages** - -- `id` - The WAF Rule Package ID -- `name` - The WAF Rule Package name -- `description` - The WAF Rule Package description -- `detection_mode` - The WAF Rule Package detection mode -- `sensitivity` - The WAF Rule Package sensitivity -- `action_mode` - The WAF Rule Package action mode - -[1]: https://api.cloudflare.com/#waf-rule-packages-properties 
diff --git a/templates/data-sources/waf_rules.md b/templates/data-sources/waf_rules.md
deleted file mode 100644
index 363ed648e2..0000000000
--- a/templates/data-sources/waf_rules.md
+++ /dev/null
@@ -1,61 +0,0 @@ ---- -layout: "cloudflare" -page_title: "Cloudflare: cloudflare_waf_rules" -description: List available Cloudflare WAF Rules. ---- - -# cloudflare_waf_rules - -Use this data source to look up [WAF Rules][1]. - -## Example Usage - -The example below matches all WAF Rules that are in the group of ID `de677e5818985db1285d0e80225f06e5`, contain `example` in their description, and are currently `on`. The matched WAF Rules are then returned as output. - -```hcl -data "cloudflare_waf_rules" "test" { - zone_id = "ae36f999674d196762efcc5abb06b345" - package_id = "a25a9a7e9c00afc1fb2e0245519d725b" - - filter { - description = ".*example.*" - mode = "on" - group_id = "de677e5818985db1285d0e80225f06e5" - } -} - -output "waf_rules" { - value = data.cloudflare_waf_rules.test.rules -} -``` - -## Argument Reference - -- `zone_id` - (Required) The ID of the DNS zone in which to search for the WAF Rules. -- `package_id` - (Optional) The ID of the WAF Rule Package in which to search for the WAF Rules. -- `filter` - (Optional) One or more values used to look up WAF Rules. If more than one value is given all - values must match in order to be included, see below for full list. - -**filter** - -- `description` - (Optional) A regular expression matching the description of the WAF Rules to lookup. -- `mode` - (Optional) Mode of the WAF Rules to lookup. Valid values: one of ["block", "challenge", "default", "disable", "simulate"] or ["on", "off"] depending on the WAF Rule type. -- `group_id` - (Optional) The ID of the WAF Rule Group in which the WAF Rules to lookup have to be. - -## Attributes Reference - -- `rules` - A map of WAF Rules details. 
Full list below: - -**rules** - -- `id` - The WAF Rule ID -- `description` - The WAF Rule description -- `priority` - The WAF Rule priority -- `mode` - The WAF Rule mode -- `group_id` - The ID of the WAF Rule Group that contains the WAF Rule -- `group_name` - The Name of the WAF Rule Group that contains the WAF Rule -- `package_id` - The ID of the WAF Rule Package that contains the WAF Rule -- `allowed_modes` - The list of allowed `mode` values for the WAF Rule -- `default_mode` - The default `mode` value for the WAF Rule - -[1]: https://api.cloudflare.com/#waf-rule-groups-properties diff --git a/templates/resources/waf_group.md b/templates/resources/waf_group.md deleted file mode 100644 index ebcb6b4047..0000000000 --- a/templates/resources/waf_group.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -layout: "cloudflare" -page_title: "Cloudflare: cloudflare_waf_group" -description: Provides a Cloudflare WAF rule group resource for a particular zone. ---- - -# cloudflare_waf_group - -Provides a Cloudflare WAF rule group resource for a particular zone. This can be used to configure firewall behaviour for pre-defined firewall groups. - -## Example Usage - -```hcl -resource "cloudflare_waf_group" "honey_pot" { - group_id = "de677e5818985db1285d0e80225f06e5" - zone_id = "ae36f999674d196762efcc5abb06b345" - mode = "on" -} -``` - -## Argument Reference - -The following arguments are supported: - -- `zone_id` - (Required) The DNS zone ID to apply to. -- `group_id` - (Required) The WAF Rule Group ID. -- `package_id` - (Optional) The ID of the WAF Rule Package that contains the group. -- `mode` - (Optional) The mode of the group, can be one of ["on", "off"]. - -## Attributes Reference - -The following attributes are exported: - -- `id` - The WAF Rule Group ID, the same as `group_id`. -- `package_id` - The ID of the WAF Rule Package that contains the group. - -## Import - -WAF Rule Groups can be imported using a composite ID formed of zone ID and the WAF Rule Group ID, e.g. - -``` -$ terraform import cloudflare_waf_group.honey_pot ae36f999674d196762efcc5abb06b345/de677e5818985db1285d0e80225f06e5 -``` diff --git a/templates/resources/waf_override.md b/templates/resources/waf_override.md deleted file mode 100644 index 422e0d968e..0000000000 --- a/templates/resources/waf_override.md +++ /dev/null 
@@ -1,60 +0,0 @@ ---- -layout: "cloudflare" -page_title: "Cloudflare: cloudflare_waf_override" -description: Provides a Cloudflare WAF Override resource. ---- - -# cloudflare_waf_override - -Provides a Cloudflare WAF override resource. This enables the ability to toggle -WAF rules and groups on or off based on URIs. - -## Example Usage - -```hcl -resource "cloudflare_waf_override" "shop_ecxample" { - zone_id = "1d5fdc9e88c8a8c4518b068cd94331fe" - urls = [ - "example.com/no-waf-here", - "example.com/another/path/*" - ] - - # Disable rule ID 100015. - rules = { - "100015": "disable" - } - - # Set to Cloudflare default action for group ID ea8687e59929c1fd05ba97574ad43f77. - groups = { - "ea8687e59929c1fd05ba97574ad43f77": "default" - } - - # Update the actions for when a matching rule is encountered. - rewrite_action = { - "default": "block", - "challenge": "block", - } -} -``` - -## Argument Reference - -The following arguments are supported: - -- `zone_id` - (Required) The DNS zone to which the WAF override condition should be added. -- `urls` - (Required) An array of URLs to apply the WAF override to. -- `rules` - (Required) A list of WAF rule ID to rule action you intend to apply. -- `paused` - (Optional) Whether this package is currently paused. -- `description` - (Optional) Description of what the WAF override does. -- `priority` - (Optional) Relative priority of this configuration when multiple configurations match a single URL. -- `groups` - (Optional) Similar to `rules`; which WAF groups you want to alter. -- `rewrite_action` - (Optional) When a WAF rule matches, substitute its configured action for a different action specified by this definition. - -## Import - -WAF Overrides can be imported using a composite ID formed of zone -ID and override ID. - -``` -$ terraform import cloudflare_waf_override.my_example_waf_override 3abe5b950053dbddf1516d89f9ef1e8a/9d4e66d7649c178663bf62e06dbacb23 -``` 
diff --git a/templates/resources/waf_package.md b/templates/resources/waf_package.md deleted file mode 100644 index 3527d6c7ff..0000000000 --- a/templates/resources/waf_package.md +++ /dev/null @@ -1,43 +0,0 @@ ---- -layout: "cloudflare" -page_title: "Cloudflare: cloudflare_waf_package" -description: Provides a Cloudflare WAF rule package resource for a particular zone. ---- - -# cloudflare_waf_package - -Provides a Cloudflare WAF rule package resource for a particular zone. This can be used to configure firewall behaviour for pre-defined firewall packages. - -## Example Usage - -```hcl -resource "cloudflare_waf_package" "owasp" { - package_id = "a25a9a7e9c00afc1fb2e0245519d725b" - zone_id = "ae36f999674d196762efcc5abb06b345" - sensitivity = "medium" - action_mode = "simulate" -} -``` - -## Argument Reference - -The following arguments are supported: - -- `zone_id` - (Required) The DNS zone ID to apply to. -- `package_id` - (Required) The WAF Package ID. -- `sensitivity` - (Optional) The sensitivity of the package, can be one of ["high", "medium", "low", "off"]. -- `action_mode` - (Optional) The action mode of the package, can be one of ["block", "challenge", "simulate"]. - -## Attributes Reference - -The following attributes are exported: - -- `id` - The WAF Package ID, the same as package_id. - -## Import - -Packages can be imported using a composite ID formed of zone ID and the WAF Package ID, e.g. - -``` -$ terraform import cloudflare_waf_package.owasp ae36f999674d196762efcc5abb06b345/a25a9a7e9c00afc1fb2e0245519d725b -``` diff --git a/templates/resources/waf_rule.md b/templates/resources/waf_rule.md deleted file mode 100644 index 0c2e2ae600..0000000000 --- a/templates/resources/waf_rule.md +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -layout: "cloudflare" -page_title: "Cloudflare: cloudflare_waf_rule" -description: Provides a Cloudflare WAF rule resource for a particular zone. ---- - -# cloudflare_waf_rule - -Provides a Cloudflare WAF rule resource for a particular zone. This can be used to configure firewall behaviour for pre-defined firewall rules. - -## Example Usage - -```hcl -resource "cloudflare_waf_rule" "rule_100000" { - rule_id = "100000" - zone_id = "ae36f999674d196762efcc5abb06b345" - mode = "simulate" -} -``` - -## Argument Reference - -The following arguments are supported: - -- `zone_id` - (Required) The DNS zone ID to apply to. -- `rule_id` - (Required) The WAF Rule ID. -- `package_id` - (Optional) The ID of the WAF Rule Package that contains the rule. -- `mode` - (Required) The mode of the rule, can be one of ["block", "challenge", "default", "disable", "simulate"] or ["on", "off"] depending on the WAF Rule type. - -## Attributes Reference - -The following attributes are exported: - -- `id` - The WAF Rule ID, the same as rule_id. -- `package_id` - The ID of the WAF Rule Package that contains the rule. -- `group_id` - The ID of the WAF Rule Group that contains the rule. - -## Import - -Rules can be imported using a composite ID formed of zone ID and the WAF Rule ID, e.g. - -``` -$ terraform import cloudflare_waf_rule.100000 ae36f999674d196762efcc5abb06b345/100000 -``` From 9dc7c3df7819e832062fb69e825bf4f78eca13a9 Mon Sep 17 00:00:00 2001 From: Jacob Bednarz Date: Tue, 31 Jan 2023 10:45:40 +1100 Subject: [PATCH 2/2] update changelog --- .changelog/2138.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.changelog/2138.txt b/.changelog/2138.txt index 939b7002f3..4e39d55224 100644 --- a/.changelog/2138.txt +++ b/.changelog/2138.txt 
@@ -15,13 +15,13 @@ resource/cloudflare_waf_rule: removed in favour of `cloudflare_ruleset` ``` ```release-note:breaking-change -datasource/cloudflare_waf_groups: removed in favour of `cloudflare_ruleset` +datasource/cloudflare_waf_groups: removed with no current replacement ``` ```release-note:breaking-change -datasource/cloudflare_waf_packages: removed in favour of `cloudflare_ruleset` +datasource/cloudflare_waf_packages: removed with no current replacement ``` ```release-note:breaking-change -datasource/cloudflare_waf_rules: removed in favour of `cloudflare_ruleset` +datasource/cloudflare_waf_rules: removed with no current replacement ```