Closed mcatany closed 2 years ago
Please include the untruncated TF_LOG=DEBUG output.
Have you read the note in the documentation and followed the error message for checking that the phase doesn't already exist?
Hi @jacobbednarz and thanks for the quick response. I've updated the previous message with the TF_LOG=DEBUG output. I've seen that the endpoint I was using in the curl I was doing is different:
`client/v4/zones/xxxxxxxxxxxxxxxxx/rulesets/phases/http_request_firewall_managed/entrypoint`
And the one used by Terraform:
`client/v4/zones/xxxxxxxxxxxxxxxxx/rulesets`
The thing that I don't get is why, with `client/v4/zones/xxxxxxxxxxxxxxxxx/rulesets/phases/http_request_firewall_managed/entrypoint`, it doesn't complain about "exceeded maximum number of zone rulesets", and with `client/v4/zones/xxxxxxxxxxxxxxxxx/rulesets` for the provider it does. Is there any way to point to "/entrypoint" with the provider?
Thanks,
Miquel
I guess the behaviour explained in my last comment is related to this: https://developers.cloudflare.com/ruleset-engine/about "To deploy a ruleset to a phase, add a rule that executes the ruleset to the phase entry point."
@mcatany We were facing the same issue lately. The solution is that you have to delete the existing ruleset from the zone to be able to add a new one.

```bash
# Get the ruleset ID (the command substitution was missing its opening "$(" in the original paste)
ruleset_id=$(curl -X GET "https://api.cloudflare.com/client/v4/zones/$zone/rulesets" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  | jq -r '.result[] | select(.description == "Cloudflare Managed WAF ruleset") | .id')

# Delete the ruleset
curl -X DELETE "https://api.cloudflare.com/client/v4/zones/$zone/rulesets/$ruleset_id" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json"
```
Then reapply terraform, and it will work.
Hi @nickbabkin, thanks for the help. I tried that a few days before:

```bash
curl -X GET "https://api.cloudflare.com/client/v4/zones/${zone_id}/rulesets" \
  -H "X-Auth-Email: ${user}" -H "X-Auth-Key: ${auth_key}" \
  -H "Content-Type: application/json" | jq
```

```json
{
  "result": [
    {
      "id": "70339d97bdb34195bbf054b1ebe81f76",
      "name": "Cloudflare Normalization Ruleset",
      "description": "Created by the Cloudflare security team, this ruleset provides normalization on the URL path",
      "kind": "managed",
      "version": "1",
      "last_updated": "2020-12-18T09:28:09.655749Z",
      "phase": "http_request_sanitize"
    },
    {
      "id": "a6905ff86d3844cebc1a88dd80c659e7",
      "name": "Bot Fight Mode for Likely Bots",
      "description": "",
      "source": "firewall_managed",
      "kind": "managed",
      "version": "4",
      "last_updated": "2021-07-01T16:59:14.386598Z",
      "phase": "http_request_sbfm"
    },
    {
      "id": "48ba18287c544bd7bdbe842a294f1ae2",
      "name": "Bot Fight Mode for Definite Bots",
      "description": "",
      "source": "firewall_managed",
      "kind": "managed",
      "version": "4",
      "last_updated": "2021-07-01T16:59:17.970712Z",
      "phase": "http_request_sbfm"
    },
    {
      "id": "4814384a9e5d4991b9815dcfc25d2f1f",
      "name": "Cloudflare OWASP Core Ruleset",
      "description": "Cloudflare's implementation of the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set. We routinely monitor for updates from OWASP based on the latest version available from the official code repository",
      "source": "firewall_managed",
      "kind": "managed",
      "version": "33",
      "last_updated": "2021-10-25T18:33:29.023088Z",
      "phase": "http_request_firewall_managed"
    },
    {
      "id": "c2e184081120413c86c3ab7e14069605",
      "name": "Cloudflare Exposed Credentials Check Ruleset",
      "description": "Exposed credentials check rules",
      "source": "firewall_managed",
      "kind": "managed",
      "version": "36",
      "last_updated": "2021-10-25T18:33:32.902825Z",
      "phase": "http_request_firewall_managed"
    },
    {
      "id": "efb7b8c949ac4650a09736fc376e9aee",
      "name": "Cloudflare Managed Ruleset",
      "description": "Created by the Cloudflare security team, this ruleset is designed to provide fast and effective protection for all your applications. It is frequently updated to cover new vulnerabilities and reduce false positives.",
      "source": "firewall_managed",
      "kind": "managed",
      "version": "43",
      "last_updated": "2021-12-17T14:49:14.317544Z",
      "phase": "http_request_firewall_managed"
    },
    {
      "id": "4d21379b4f9f4bb088e0729962c8b3cf",
      "name": "DDoS L7 ruleset",
      "description": "Automatic mitigation of HTTP-based DDoS attacks. Cloudflare routinely adds signatures to address new attack vectors. Additional configuration allows you to customize the sensitivity of each rule and the performed mitigation action.",
      "kind": "managed",
      "version": "486",
      "last_updated": "2022-01-14T10:14:36.212151Z",
      "phase": "ddos_l7"
    },
    {
      "id": "00d360633f134f7f8615d4ec42e8a917",
      "name": "default",
      "description": "",
      "source": "firewall_managed",
      "kind": "zone",
      "version": "28",
      "last_updated": "2022-01-18T13:15:51.941667Z",
      "phase": "http_request_firewall_managed"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}
```
But when I try to DELETE it:

```bash
curl -X DELETE "https://api.cloudflare.com/client/v4/zones/${zone_id}/rulesets/efb7b8c949ac4650a09736fc376e9aee" \
  -H "X-Auth-Email: ${user}" -H "X-Auth-Key: ${auth_key}" \
  -H "Content-Type: application/json" | jq
```

```json
{
  "result": null,
  "success": false,
  "errors": [
    {
      "message": "could not find ruleset efb7b8c949ac4650a09736fc376e9aee"
    }
  ],
  "messages": null
}
```

The GET on that same ruleset endpoint works, BTW (`client/v4/zones/${zone_id}/rulesets/efb7b8c949ac4650a09736fc376e9aee`).
@mcatany both of those endpoints are already used in the provider; one creates the phase and the other attaches the desired rules to the Ruleset. Both are required, as the PUT cannot create the phase on its own.
Closing this off as it isn't a bug with the provider but a side effect of having Rulesets created in the UI and then trying to manage them via Terraform as well. The linked documentation (and the error message from Terraform) outlines how to clean this up to allow managing the resource in Terraform. Once the Ruleset is deleted, Terraform management will work. If you have modified Rules in the Ruleset, you will also need to clean them up before migrating the Ruleset.
@mcatany the ruleset you have to delete, based on your output, is this one:
`00d360633f134f7f8615d4ec42e8a917`
Look for `"kind": "zone"` in the output.
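The two comments above together describe the clean-up: list the zone's rulesets, pick out the one with `"kind": "zone"` for the phase in question (not the Cloudflare-owned `"kind": "managed"` entries, which the zone-scoped DELETE cannot find), and delete it so the provider can create its own. The script below is an added example written for this thread, not code from the provider or from any commenter. It assumes the environment variable names `CLOUDFLARE_ZONE_ID` and `CLOUDFLARE_API_TOKEN` and a `--delete` flag of its own invention; the embedded listing is a constructed, trimmed copy of the JSON posted earlier in the thread so the selection logic can be exercised offline.

```python
"""Pre-flight check for the cloudflare_ruleset "similar configuration already
exists" collision: find (and optionally delete) the zone-kind entrypoint
ruleset for a phase before running terraform apply.
"""
import json
import os
import sys
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# Constructed sample: a trimmed copy of the rulesets listing posted in the
# thread, keeping only the fields the check below reads.
SAMPLE_LISTING = [
    {"id": "70339d97bdb34195bbf054b1ebe81f76", "name": "Cloudflare Normalization Ruleset",
     "kind": "managed", "phase": "http_request_sanitize"},
    {"id": "4814384a9e5d4991b9815dcfc25d2f1f", "name": "Cloudflare OWASP Core Ruleset",
     "kind": "managed", "phase": "http_request_firewall_managed"},
    {"id": "efb7b8c949ac4650a09736fc376e9aee", "name": "Cloudflare Managed Ruleset",
     "kind": "managed", "phase": "http_request_firewall_managed"},
    {"id": "00d360633f134f7f8615d4ec42e8a917", "name": "default",
     "kind": "zone", "phase": "http_request_firewall_managed"},
]


def find_phase_entrypoint(rulesets, phase):
    """Return the zone-owned entrypoint ruleset for `phase`, or None.

    Cloudflare's own rulesets appear in the zone listing with kind "managed";
    the entrypoint merely references them through execute rules, so they are
    not the zone's objects to delete (this matches the "could not find
    ruleset" reply in the thread). The object Terraform collides with is the
    single kind "zone" ruleset for the phase.
    """
    matches = [r for r in rulesets
               if r.get("kind") == "zone" and r.get("phase") == phase]
    if len(matches) > 1:
        raise ValueError(f"expected at most one zone ruleset for {phase}, got {len(matches)}")
    return matches[0] if matches else None


def is_deletable(ruleset):
    """Only zone-kind rulesets belong to the zone and can be deleted by it."""
    return ruleset.get("kind") == "zone"


def ruleset_url(zone_id, ruleset_id=None):
    """Build the zone rulesets URL, optionally for one specific ruleset."""
    url = f"{API_BASE}/zones/{zone_id}/rulesets"
    return f"{url}/{ruleset_id}" if ruleset_id else url


def _call(url, token, method="GET"):
    """Issue one API call with a bearer token and unwrap the envelope."""
    req = urllib.request.Request(url, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(f"{method} {url} failed: {body.get('errors')}")
    return body.get("result")


def preflight(zone_id, token, phase, delete=False):
    """Report, and if asked delete, the ruleset that would block terraform apply.

    Returns the conflicting ruleset's ID, or None when the phase has no
    zone-owned ruleset and the provider can create one itself.
    """
    entry = find_phase_entrypoint(_call(ruleset_url(zone_id), token), phase)
    if entry is None:
        print(f"no zone ruleset for {phase}; terraform apply should succeed")
        return None
    print(f"zone ruleset {entry['id']} ({entry['name']!r}) already exists for {phase}")
    if delete:
        _call(ruleset_url(zone_id, entry["id"]), token, method="DELETE")
        print("deleted; re-run terraform apply")
    return entry["id"]


if __name__ == "__main__":
    # Assumed environment variable names; pass --delete to actually remove the ruleset.
    preflight(os.environ["CLOUDFLARE_ZONE_ID"], os.environ["CLOUDFLARE_API_TOKEN"],
              "http_request_firewall_managed", delete="--delete" in sys.argv)
```

Run without `--delete` first: it only reports the conflicting ID, which is the safe default because, as the maintainer notes above, deleting the zone ruleset also discards any rules you modified in the UI, so those should be captured in the Terraform configuration before the delete.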
Thanks @nickbabkin, now it works. And sorry for the loss of time @jacobbednarz
np, hopefully the improvements in #1393 will help with this scenario in the future.
Confirmation
Terraform and Cloudflare provider version
Terraform version: 1.0.4, cloudflare/cloudflare v3.7.0
Affected resource(s)
cloudflare_ruleset
Terraform configuration files
Debug output
Panic output
No response
Expected output
With an API call I'm able to enable the Cloudflare Managed Ruleset:

```bash
curl -X PUT -H "X-Auth-Email: user@user.com" -H "X-Auth-Key: xxxxxxxxxxxxxxxxxxxxx" \
  "https://api.cloudflare.com/client/v4/zones/xxxxxxxxxxxxxxxxx/rulesets/phases/http_request_firewall_managed/entrypoint" \
  -d '{
    "rules": [
      {
        "action": "execute",
        "action_parameters": { "id": "efb7b8c949ac4650a09736fc376e9aee" },
        "expression": "true",
        "description": "Execute Cloudflare Managed Ruleset on my phase entry point"
      }
    ]
  }'
```

```json
{
  "result": {
    "id": "00d360633f134f7f8615d4ec42e8a917",
    "name": "default",
    "description": "",
    "source": "firewall_managed",
    "kind": "zone",
    "version": "8",
    "rules": [
      {
        "id": "588e3f6ac1ef4534a6283e4fcd9db834",
        "version": "1",
        "action": "execute",
        "action_parameters": {
          "id": "efb7b8c949ac4650a09736fc376e9aee",
          "version": "latest"
        },
        "expression": "true",
        "description": "Execute Cloudflare Managed Ruleset on my phase entry point",
        "last_updated": "2022-01-17T16:32:49.871554Z",
        "ref": "588e3f6ac1ef4534a6283e4fcd9db834",
        "enabled": true
      }
    ],
    "last_updated": "2022-01-17T16:32:49.871554Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

But with the Terraform Cloudflare Provider I'm unable to, since it says, as stated before: "Error: failed to create ruleset "Managed WAF" as a similar configuration already exists."
Actual output
Steps to reproduce
1) Create the cloudflare_ruleset per the code provided above
2) Run a terraform plan/apply
Additional factoids
This example is documented in:
https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset
References
No response