FlexibleEngineCloud / terraform-provider-flexibleengine

Terraform flexibleengine provider
https://www.terraform.io/docs/providers/flexibleengine/
Mozilla Public License 2.0

Does flexibleengine_waf_rule_precise_protection support dedicated WAF ? #917

Open MrLuje opened 1 year ago

MrLuje commented 1 year ago

Hi there,

I am trying to add some rules to an existing dedicated WAF. I suspect the rule resources don't support a dedicated WAF, so it may be more of a feature request.

Terraform Version

Terraform v1.3.2 on linux_amd64

Affected Resource(s)


Terraform Configuration Files

resource "flexibleengine_waf_dedicated_policy" "wildcard_domain" {
  name = "wildcard_domain"
}

resource "flexibleengine_waf_rule_precise_protection" "argocd-whitelist" {
  policy_id = flexibleengine_waf_dedicated_policy.wildcard_domain.id
  name      = "argocd.domain.com"
  priority  = 50

  conditions {
    field    = "header"
    subfield = "host"
    logic    = "contain"
    content  = "argocd.domain.com"
  }

  conditions {
    field   = "ip"
    logic   = "not_equal"
    content = "10.0.0.0"
  }
}

Expected Behavior

Precise protection rule should be created

Actual Behavior

It complains about the policy being missing. I also tried to import a manually created rule and got the same issue.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. The flexibleengine_waf_dedicated_policy already exists
  2. terraform apply

Debug Output

flexibleengine_waf_rule_precise_protection.argocd-whitelist: Creating...
╷
│ Error: error creating Flexibleengine WAF Precise Protection Rule: Resource not found: [POST https://waf.eu-west-0.prod-cloud-ocb.orange-business.com/v1/2d58c566d75b494cb87794dda5071654/waf/policy/4cd2cf5ebd344795a0c9fa22776d6055/custom], error message: {"error_msg": "Policy does not exist","error_code":"WAF.3001"}
│ 
│   with flexibleengine_waf_rule_precise_protection.argocd-whitelist,
│   on waf.tf line 24, in resource "flexibleengine_waf_rule_precise_protection" "argocd-whitelist":
│   24: resource "flexibleengine_waf_rule_precise_protection" "argocd-whitelist" {
│ 
╵

Thanks

deer-hang commented 6 months ago

Please use the resource flexibleengine_waf_policy to replace flexibleengine_waf_dedicated_policy. The API corresponding to the resource flexibleengine_waf_dedicated_policy has expired. It is recommended not to use the following resources: flexibleengine_waf_dedicated_policy, flexibleengine_waf_dedicated_certificate.

We will remove useless WAF resources and upgrade outdated APIs in the near future.

MrLuje commented 6 months ago

@deer-hang Hum, I'm not able to use flexibleengine_waf_policy. When I try to import an existing policy of a dedicated WAF, I get the following error:

resource "flexibleengine_waf_policy" "flex-preprod" {
  name = "sec-policy"
}
$ terraform import flexibleengine_waf_dedicated_policy.flex-preprod <id of the policy>
...
╷
│ Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "flexibleengine_waf_policy.flex-preprod", the provider detected that no object exists with
│ the given id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's configured region
│ or endpoint, or use "terraform apply" to create a new remote object for this resource.
╵

but it works if I use the flexibleengine_waf_dedicated_policy resource

I also tested the same flexibleengine_waf_rule_precise_protection as in my first example again, but using the policy ID directly, and I'm still getting:

flexibleengine_waf_rule_precise_protection.argocd-whitelist: Creating...
╷
│ Error: error creating Flexibleengine WAF Precise Protection Rule: Resource not found: [POST https://waf.eu-west-0.prod-cloud-ocb.orange-business.com/v1/2d58c566d75b494cb87794dda5071654/waf/policy/4cd2cf5ebd344795a0c9fa22776d6055/custom], error message: {"error_msg": "Policy does not exist","error_code":"WAF.3001"}
│ 
│   with flexibleengine_waf_rule_precise_protection.argocd-whitelist,
│   on waf.tf line 24, in resource "flexibleengine_waf_rule_precise_protection" "argocd-whitelist":
│   24: resource "flexibleengine_waf_rule_precise_protection" "argocd-whitelist" {
│ 
╵

Tested with terraform v1.3.2 flexibleengine v1.45.0

deer-hang commented 6 months ago

@MrLuje I suggest using the resource flexibleengine_waf_policy to create a new policy. For your first example, we can see that there is something wrong with your usage: you are importing the ID generated by resource flexibleengine_waf_policy into resource flexibleengine_waf_dedicated_policy.

For your second example, please use the resource flexibleengine_waf_policy to create a new policy, and use that policy id to create the precise protection rule.

resource "flexibleengine_waf_policy" "wildcard_domain" {
  name = "wildcard_domain"

  depends_on = [
    flexibleengine_waf_dedicated_instance.instance_1
  ]
}

resource "flexibleengine_waf_rule_precise_protection" "argocd-whitelist" {
  policy_id = flexibleengine_waf_policy.wildcard_domain.id
  name      = "rule_lxh"
  priority  = 50

  conditions {
    field    = "header"
    subfield = "host"
    logic    = "contain"
    content  = "argocd.domain.com"
  }

  conditions {
    field   = "ip"
    logic   = "not_equal"
    content = "10.0.0.0"
  }
}

MrLuje commented 6 months ago

@deer-hang 1) Oops, but same issue with a flexibleengine_waf_policy resource:

flexibleengine_waf_policy.flex-preprod: Importing from ID "66b29355e3714a58ac1684457ae2540a"...
flexibleengine_waf_policy.flex-preprod: Import prepared!
  Prepared flexibleengine_waf_policy for import
flexibleengine_waf_policy.flex-preprod: Refreshing state... [id=66b29355e3714a58ac1684457ae2540a]
╷
│ Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "flexibleengine_waf_policy.flex-preprod", the provider detected that no object exists with the given
│ id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's configured region or
│ endpoint, or use "terraform apply" to create a new remote object for this resource.
╵

2) I don't have errors but the policy is created on WAF not on Dedicated WAF

deer-hang commented 6 months ago

@MrLuje I verified that the import function is normal. Please check the correctness of your policy_id.

MrLuje commented 5 months ago

@deer-hang just to be clear, import is working fine if I import a "regular" policy as a flexibleengine_waf_policy resource. but it is not working if I import a policy from a dedicated waf as a flexibleengine_waf_policy resource.

deer-hang commented 5 months ago

@MrLuje There's something wrong with our documentation description.

  1. If the resource name contains dedicated, then this resource can only be used with resources containing dedicated. Such as: flexibleengine_waf_dedicated_instance, flexibleengine_waf_dedicated_policy, flexibleengine_waf_dedicated_certificate, and flexibleengine_waf_dedicated_domain.

  2. If the resource name does not contain dedicated, then this resource can only be used with resources that do not contain dedicated. Such as: flexibleengine_waf_certificate, flexibleengine_waf_domain, flexibleengine_waf_policy, flexibleengine_waf_rule_blacklist, flexibleengine_waf_rule_alarm_masking, flexibleengine_waf_rule_data_masking, flexibleengine_waf_rule_cc_protection, flexibleengine_waf_rule_precise_protection, and flexibleengine_waf_rule_web_tamper_protection.

  3. Currently, all WAF rules belong to cloud mode. Provider currently does not support dedicated mode rules.

  4. The reason why the import operation failed is because flexibleengine_waf_policy and flexibleengine_waf_dedicated_policy are two different resources. If a policy is created from a dedicated WAF, then the policy can only be imported in resource flexibleengine_waf_dedicated_policy.
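
The pairing rule in points 1 and 2 above (a resource whose type name contains dedicated may only reference other dedicated resources, and vice versa) is easy to get wrong in a larger configuration, and the provider only reports it at apply time as a "Policy does not exist" error. The following Python check is an added example, not code from the provider or from either participant: it scans Terraform HCL text for flexibleengine_waf_* resource blocks and flags any attribute reference (policy_id = ..., instance_id = ..., and so on) whose target is in the other mode. The sample HCL is constructed from the configurations in this thread; the flexibleengine_waf_dedicated_domain block and its policy_id attribute in the second sample are an assumed illustration of the reverse direction, not taken from the page. The parser is deliberately minimal: it assumes no braces inside quoted strings and only looks at single-line attribute references, so depends_on lists (which are ordering only) are not flagged.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# resource "flexibleengine_waf_<type>" "<name>" {
RESOURCE_RE = re.compile(r'resource\s+"(flexibleengine_waf_\w+)"\s+"([\w-]+)"\s*\{')
# attribute lines such as: policy_id = flexibleengine_waf_policy.wildcard_domain.id
REF_RE = re.compile(r'^\s*(\w+)\s*=\s*(flexibleengine_waf_\w+)\.([\w-]+)\.\w+\s*$', re.M)


@dataclass(frozen=True)
class Mismatch:
    resource: str    # "<type>.<name>" of the block that holds the bad reference
    attribute: str   # attribute carrying the reference, e.g. "policy_id"
    referenced: str  # "<type>.<name>" of the resource in the other mode


def is_dedicated(resource_type: str) -> bool:
    """Mode is encoded in the type name: 'dedicated' means dedicated-instance WAF."""
    return "dedicated" in resource_type


def _block_body(text: str, open_idx: int) -> str:
    """Return the text between the brace at open_idx and its matching closing brace.
    Assumption: no '{' or '}' characters inside quoted strings."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def find_mode_mismatches(hcl: str) -> list[Mismatch]:
    """Report every flexibleengine_waf_* attribute reference that crosses
    between cloud-mode and dedicated-mode resource types."""
    found: list[Mismatch] = []
    for m in RESOURCE_RE.finditer(hcl):
        rtype, rname = m.group(1), m.group(2)
        body = _block_body(hcl, m.end() - 1)  # m.end() - 1 is the '{'
        for ref in REF_RE.finditer(body):
            attr, ref_type, ref_name = ref.groups()
            if is_dedicated(rtype) != is_dedicated(ref_type):
                found.append(Mismatch(f"{rtype}.{rname}", attr, f"{ref_type}.{ref_name}"))
    return found


# Constructed sample 1: the reporter's original configuration (rule -> dedicated policy).
SAMPLE_REPORTER = '''
resource "flexibleengine_waf_dedicated_policy" "wildcard_domain" {
  name = "wildcard_domain"
}

resource "flexibleengine_waf_rule_precise_protection" "argocd-whitelist" {
  policy_id = flexibleengine_waf_dedicated_policy.wildcard_domain.id
  name      = "argocd.domain.com"
  priority  = 50

  conditions {
    field    = "header"
    subfield = "host"
    logic    = "contain"
    content  = "argocd.domain.com"
  }
}
'''

# Constructed sample 2: the corrected cloud-mode pairing from the reply above,
# plus an assumed dedicated domain that wrongly points at the cloud-mode policy.
SAMPLE_MIXED = '''
resource "flexibleengine_waf_policy" "wildcard_domain" {
  name = "wildcard_domain"

  depends_on = [
    flexibleengine_waf_dedicated_instance.instance_1
  ]
}

resource "flexibleengine_waf_rule_precise_protection" "argocd-whitelist" {
  policy_id = flexibleengine_waf_policy.wildcard_domain.id
  name      = "rule_lxh"
  priority  = 50
}

resource "flexibleengine_waf_dedicated_domain" "argocd" {
  policy_id = flexibleengine_waf_policy.wildcard_domain.id
}
'''

if __name__ == "__main__":
    for label, sample in (("reporter", SAMPLE_REPORTER), ("mixed", SAMPLE_MIXED)):
        for mm in find_mode_mismatches(sample):
            print(f"{label}: {mm.resource} sets {mm.attribute} from {mm.referenced} (other WAF mode)")
```

Run it over your own .tf files before terraform apply; a non-empty result means the apply will fail with the WAF.3001 error seen in this thread, or, for dedicated rule resources, that the provider has no resource for it yet.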

MrLuje commented 5 months ago

Yeah, that's what I thought based on the resource naming.

Please using resource flexibleengine_waf_policy to replace flexibleengine_waf_dedicated_policy. The API corresponding to the resource flexibleengine_waf_dedicated_policy has expired. It is recommended not to use the following resources: flexibleengine_waf_dedicated_policy flexibleengine_waf_dedicated_certificate

We will remove useless WAF resources and upgrade outdated APIs in the near future.

So, what are my choices to manage policies & flexibleengine_waf_rule_precise_protection on a dedicated instance? And if there are missing APIs or resource changes, is there a rough ETA?

Thanks

deer-hang commented 5 months ago

@MrLuje We will supplement the missing rule resources in the dedicated mode in the future. Currently, the Provider's WAF dedicated instance does not support rule resources.