imperva / terraform-provider-incapsula

This package is a plugin for Terraform, and is designed to be used to auto-provision sites in Incapsula via Incapsula’s API from the terraform cli/yaml configurations.
Mozilla Public License 2.0

incapsula_security_rule_exception throws false Terraform error on update #330

Open connor-heb opened 1 year ago

connor-heb commented 1 year ago

Confirmation

Terraform and Imperva provider version

Terraform v1.5.2
on darwin_amd64
+ provider registry.terraform.io/imperva/incapsula v3.18.3

Affected resource(s)

Terraform configuration files

terraform {
  required_providers {
    incapsula = { 
      source = "imperva/incapsula"
      version = "3.18.3"
    }   
  }

  backend "local" {
    path = "./terraform.tfstate"
  }
}

provider "incapsula" {
  api_id  = var.incapsula_api_id
  api_key = var.incapsula_api_key
}

variable "incapsula_api_id" {}

variable "incapsula_api_key" {}

resource "incapsula_subaccount" "MY-SUBACCOUNT-NAME" {
  sub_account_name = "MY-SUBACCOUNT-NAME"
}

resource "incapsula_site" "first-example-network" {
  site_ip    = "first.example.tldthatdoesnotexist"
  domain     = "first.example.network"

  account_id = incapsula_subaccount.MY-SUBACCOUNT-NAME.id
}

resource "incapsula_security_rule_exception" "example-bot_access-control-rule-exception" {
  site_id = incapsula_site.first-example-network.id
  rule_id = "api.threats.bot_access_control"
  ips     = "142.250.138.102"
}

Debug output

output.log

Panic output

No response

Expected output

Update the bot exception IPs without throwing an error

Actual output

Bot exception IPs are successfully changed when verifying through the Imperva Management Console, but the Terraform plugin errors for seemingly no reason. The API response even includes "res": 0, "res_message": "OK". Re-running terraform apply will resolve the error.

│ Error: Error from Incapsula service when adding security rule exception for rule_id (api.threats.bot_access_control) and site_id (76703397): {"site_id":76703397,"status":"pending-dns-changes","domain":"first.example.network","account_id":2077003,"acceleration_level":"advanced","acceleration_level_raw":"aggressive","site_creation_date":1688760689000,"ips":["first.example.tldthatdoesnotexist"],"dns":[{"dns_record_name":"first.example.network","set_type_to":"CNAME","set_data_to":["vjgnjeb.impervadns.net"]}],"original_dns":[{"dns_record_name":"first.example.network","set_type_to":"CNAME","set_data_to":["first.example.tldthatdoesnotexist"]}],"warnings":[],"active":"active","support_all_tls_versions":false,"use_wildcard_san_instead_of_full_domain_san":true,"add_naked_domain_san":true,"additionalErrors":[],"display_name":"first.example.network","security":{"waf":{"rules":[{"action":"api.threats.action.block_request","action_text":"Block Request","id":"api.threats.sql_injection","name":"SQL Injection"},{"action":"api.threats.action.alert","action_text":"Alert Only","id":"api.threats.cross_site_scripting","name":"Cross Site Scripting"},{"action":"api.threats.action.block_request","action_text":"Block Request","id":"api.threats.illegal_resource_access","name":"Illegal Resource Access"},{"block_bad_bots":true,"challenge_suspected_bots":false,"exceptions":[{"values":[{"ips":["93.184.216.34"],"id":"api.rule_exception_type.client_ip","name":"IP"}],"id":5605126}],"id":"api.threats.bot_access_control","name":"Bot Access Control"},{"action":"api.threats.action.disabled","action_text":"Ignore","id":"api.threats.sensitive_info_leakage","name":"Sensitive Info Leakage"},{"activation_mode":"api.threats.ddos.activation_mode.auto","activation_mode_text":"Auto","ddos_traffic_threshold":1000,"id":"api.threats.ddos","name":"DDoS"},{"action":"api.threats.action.quarantine_url","action_text":"Auto-Quarantine","id":"api.threats.backdoor","name":"Backdoor 
Protect"},{"action":"api.threats.action.block_request","action_text":"Block Request","id":"api.threats.remote_file_inclusion","name":"Remote File Inclusion"},{"action":"api.threats.action.disabled","action_text":"Ignore","id":"api.threats.customRule","name":"IncapRules"},{"action":"api.threats.action.block_request","action_text":"Block Request","id":"api.threats.api.specification.violation","name":"API Specification Violation"},{"action":"api.threats.action.disabled","action_text":"Ignore","id":"api.threats.account_take_over","name":"Account Takeover"},{"action":"api.threats.action.disabled","action_text":"Ignore","id":"api.threats.distil_bad_bots","name":"Advanced Bot Protection"}]}},"sealLocation":{"id":"api.seal_location.none","name":"No seal"},"ssl":{"origin_server":{"detected":false,"detectionStatus":"ssl_network_detection_not_run"},"custom_certificate":{"active":false},"generated_certificate":{"san":[]},"site_certificate":false},"siteDualFactorSettings":{"specificUsers":[],"enabled":false,"customAreas":[],"customAreasExceptions":[],"allowAllUsers":true,"shouldSuggestApplicatons":true,"allowedMedia":["ga","sms"],"shouldSendLoginNotifications":true,"version":0},"login_protect":{"enabled":false,"specific_users_list":[],"send_lp_notifications":true,"allow_all_users":true,"authentication_methods":["ga","sms"],"urls":[],"url_patterns":[]},"performance_configuration":{"advanced_caching_rules":{"never_cache_resources":[],"always_cache_resources":[]},"acceleration_level":"advanced","acceleration_level_raw":"aggressive","async_validation":true,"minify_javascript":true,"minify_css":true,"minify_static_html":true,"compress_jpeg":true,"compress_jepg":true,"progressive_image_rendering":false,"aggressive_compression":false,"compress_png":true,"on_the_fly_compression":true,"tcp_pre_pooling":true,"comply_no_cache":false,"comply_vary":false,"use_shortest_caching":false,"perfer_last_modified":false,"prefer_last_modified":false,"disable_client_side_caching":false,"cache300x":fals
e,"cache_headers":[]},"extended_ddos":1000000,"restricted_cname_reuse":false,"res":0,"res_message":"OK","debug_info":{"id-info":"999999"}}
│ 
│   with incapsula_security_rule_exception.example-bot_access-control-rule-exception,
│   on MY-SUBACCOUNT-NAME.tf line 34, in resource "incapsula_security_rule_exception" "example-bot_access-control-rule-exception":
│   34: resource "incapsula_security_rule_exception" "example-bot_access-control-rule-exception" {
│ 

Steps to reproduce

  1. Create subaccount, create site, add incapsula_security_rule_exception
  2. terraform apply
  3. Edit the ips in incapsula_security_rule_exception
  4. terraform apply

Additional factoids

Culprit is here https://github.com/imperva/terraform-provider-incapsula/blob/d3dbaff2710dee26ce9a4082b27c2e68e46fe6dd/incapsula/client_security_rule_exception.go#L163-L176

Can be fixed by converting siteStatusResponse.Res to a string first:

    // Parse the JSON
    var siteStatusResponse SiteStatusResponse
    err = json.Unmarshal([]byte(responseBody), &siteStatusResponse)
    if err != nil {
        return nil, fmt.Errorf("Error parsing configure security rule exception JSON response for rule_id (%s) and site_id (%d)", ruleID, siteID)
    }

    // Look at the response status code from Incapsula
    if fmt.Sprint(siteStatusResponse.Res) != "0" { // Fix is here
        return nil, fmt.Errorf("Error from Incapsula service when adding security rule exception for rule_id (%s) and site_id (%d): %s", ruleID, siteID, string(responseBody))
    }

    return &siteStatusResponse, nil
}

References

No response
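The type mismatch behind the fix proposed in the report above, as an added example that is not part of the original issue or the provider's code. It assumes the response field `res` is declared as `interface{}` (the struct definition is not shown on this page); `statusResponse`, `naiveIsError`, `resCode` and `parse` are hypothetical names, and the JSON bodies are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// statusResponse is a hypothetical stand-in for the provider's response type;
// declaring Res as interface{} is an assumption made for this example.
type statusResponse struct {
	Res        interface{} `json:"res"`
	ResMessage string      `json:"res_message"`
}

// naiveIsError compares Res with the constant 0, i.e. int(0). encoding/json
// decodes a JSON number into interface{} as float64, so "res":0 never matches.
func naiveIsError(r statusResponse) bool {
	return r.Res != 0
}

// resCode normalizes res whether it arrives as a number or a numeric string.
func resCode(r statusResponse) (int, error) {
	switch v := r.Res.(type) {
	case float64:
		return int(v), nil
	case string:
		return strconv.Atoi(v)
	default:
		return 0, fmt.Errorf("unexpected type %T for res", v)
	}
}

// parse decodes a JSON response body into statusResponse.
func parse(body string) (r statusResponse, err error) {
	err = json.Unmarshal([]byte(body), &r)
	return
}

func main() {
	for _, body := range []string{ // constructed sample bodies
		`{"res":0,"res_message":"OK"}`,
		`{"res":"0","res_message":"OK"}`,
	} {
		r, _ := parse(body)
		code, err := resCode(r)
		fmt.Println(body, "naive error:", naiveIsError(r), "code:", code, err)
	}
}
```

The `fmt.Sprint` comparison in the report works for the same reason: it renders `float64(0)` as `"0"`, so the check no longer depends on the dynamic type.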

shirisemoimperva commented 1 year ago

Thanks for reaching out. We are checking your issue and will get back to you soon.