Incap Rule Port Forwarding failing with HTTP 406 Rewrite-Port/Modify

[techdecline]

When trying to create a Port Forwarding Rule for a site, the provider fails with HTTP Errors indicating invalid input as shown below:

2022-03-30T12:18:57.9504784Z 2022-03-30T12:18:57.947Z [INFO] Starting apply for incapsula_incap_rule.imperva-site-port 2022-03-30T12:18:57.9506036Z incapsula_incap_rule.imperva-site-port: Creating... 2022-03-30T12:18:57.9507024Z 2022-03-30T12:18:57.948Z [DEBUG] incapsula_incap_rule.imperva-site-port: applying the planned Create change 2022-03-30T12:18:57.9507870Z 2022-03-30T12:18:57.948Z [TRACE] GRPCProvider: ApplyResourceChange 2022-03-30T12:18:57.9509692Z 2022-03-30T12:18:57.949Z [TRACE] provider.terraform-provider-incapsula_v3.3.4: Received request: tf_provider_addr=provider tf_resource_type=incapsula_incap_rule @caller=github.com/hashicorp/terraform-plugin-go@v0.5.0/tfprotov5/tf5server/server.go:595 @module=sdk.proto tf_proto_version=5 tf_req_id=666a17bc-b379-a034-2f60-9fb81845b5ce tf_rpc=ApplyResourceChange timestamp=2022-03-30T12:18:57.949Z 2022-03-30T12:18:57.9512522Z 2022-03-30T12:18:57.949Z [TRACE] provider.terraform-provider-incapsula_v3.3.4: Calling downstream: @caller=github.com/hashicorp/terraform-plugin-go@v0.5.0/tfprotov5/tf5server/server.go:602 tf_provider_addr=provider tf_req_id=666a17bc-b379-a034-2f60-9fb81845b5ce tf_rpc=ApplyResourceChange @module=sdk.proto tf_proto_version=5 tf_resource_type=incapsula_incap_rule timestamp=2022-03-30T12:18:57.949Z 2022-03-30T12:18:57.9514551Z 2022-03-30T12:18:57.950Z [INFO] provider.terraform-provider-incapsula_v3.3.4: 2022/03/30 12:18:57 [INFO] Adding Incapsula Incap Rule for Site ID 9228632: timestamp=2022-03-30T12:18:57.949Z 2022-03-30T12:18:58.3759741Z 2022-03-30T12:18:58.375Z [INFO] provider.terraform-provider-incapsula_v3.3.4: 2022/03/30 12:18:58 [DEBUG] Incapsula Add Incap Rule JSON response: {"res":2,"res_message":"Invalid input","debug_info":{"id-info":"999999"}}: timestamp=2022-03-30T12:18:58.375Z 2022-03-30T12:18:58.3763029Z 2022-03-30T12:18:58.375Z [TRACE] provider.terraform-provider-incapsula_v3.3.4: Called downstream: @module=sdk.proto tf_proto_version=5 tf_req_id=666a17bc-b379-a034-2f60-9fb81845b5ce @caller=github.com/hashicorp/terraform-plugin-go@v0.5.0/tfprotov5/tf5server/server.go:608 tf_provider_addr=provider tf_resource_type=incapsula_incap_rule tf_rpc=ApplyResourceChange timestamp=2022-03-30T12:18:58.375Z 2022-03-30T12:18:58.3766809Z 2022-03-30T12:18:58.375Z [TRACE] provider.terraform-provider-incapsula_v3.3.4: Served request: tf_proto_version=5 tf_provider_addr=provider tf_resource_type=incapsula_incap_rule tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.5.0/tfprotov5/tf5server/server.go:614 @module=sdk.proto tf_req_id=666a17bc-b379-a034-2f60-9fb81845b5ce timestamp=2022-03-30T12:18:58.375Z 2022-03-30T12:18:58.3768979Z 2022-03-30T12:18:58.376Z [TRACE] maybeTainted: incapsula_incap_rule.imperva-site-port encountered an error during creation, so it is now marked as tainted 2022-03-30T12:18:58.3770474Z 2022-03-30T12:18:58.376Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for incapsula_incap_rule.imperva-site-port 2022-03-30T12:18:58.3771950Z 2022-03-30T12:18:58.376Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for incapsula_incap_rule.imperva-site-port 2022-03-30T12:18:58.3773536Z 2022-03-30T12:18:58.376Z [TRACE] evalApplyProvisioners: incapsula_incap_rule.imperva-site-port is tainted, so skipping provisioning 2022-03-30T12:18:58.3775433Z 2022-03-30T12:18:58.377Z [TRACE] maybeTainted: incapsula_incap_rule.imperva-site-port was already tainted, so nothing to do 2022-03-30T12:18:58.3776647Z 2022-03-30T12:18:58.377Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for incapsula_incap_rule.imperva-site-port 2022-03-30T12:18:58.3782561Z 2022-03-30T12:18:58.377Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for incapsula_incap_rule.imperva-site-port 2022-03-30T12:18:58.3784155Z 2022-03-30T12:18:58.377Z [ERROR] vertex "incapsula_incap_rule.imperva-site-port" error: Error status code 406 from Incapsula service when adding Incap Rule for Site ID 9228632: {"res":2,"res_message":"Invalid input","debug_info":{"id-info":"999999"}} 2022-03-30T12:18:58.3785404Z 2022-03-30T12:18:58.377Z [TRACE] vertex "incapsula_incap_rule.imperva-site-port": visit complete, with errors 2022-03-30T12:18:58.3786783Z 2022-03-30T12:18:58.377Z [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/imperva/incapsula\"] (close)" errored, so skipping 2022-03-30T12:18:58.3787717Z 2022-03-30T12:18:58.377Z [TRACE] dag/walk: upstream of "root" errored, so skipping

Here is my code that has been used to create the rule and the site: `resource "incapsula_site" "imperva-site" { domain = var.imperva_site.domain_name account_id = incapsula_subaccount.imperva-subaccount.id site_ip = var.imperva_site.backend_ip }

resource "incapsula_incap_rule" "imperva-site-port" { name = "pf${var.imperva_site.destination_port}" site_id = incapsula_site.imperva-site.id action = "RULE_ACTION_FORWARD_PORT" port_forwarding_context = "Use Port Value" port_forwarding_value = var.imperva_site.destination_port } `

We tested with local provisioners to configure the forwarding as shown below: resource "incapsula_site" "imperva-site" { domain = var.imperva_site.domain_name account_id = incapsula_subaccount.imperva-subaccount.id site_ip = var.imperva_site.backend_ip provisioner "local-exec" { command = nonsensitive("curl -k -X POST -H \"Accept: application/json\" -H \"Content-Type: application/json\" \"https://my.imperva.com/api/prov/v1/sites/performance/rewrite-port/modify?api_id=${var.IMPERVA_API_ID}&api_key=${data.azurerm_key_vault_secret.imperva_api_key.value}&site_id=${self.id}&rewrite_port_enabled=true&port=${var.imperva_site.destination_port}&rewrite_ssl_port_enabled=false\"") } }

This indicated that the issue must be related to some kind of SSL issue as the CURL command failed with the same error when configuring rewrite_ssl_port_enabled to true. As we are currently working with dummy sites, the final SSL setup cannot be implemented yet.

[BrachaY]

Hi @techdecline Since this issue is not the provider's bug but replicates in API directly as well, please open a support case for it.