search

imperva / terraform-provider-incapsula

This package is a plugin for Terraform, and is designed to be used to auto-provision sites in Incapsula via Incapsula’s API from the terraform cli/yaml configurations.
Mozilla Public License 2.0
44 stars 72 forks source link

Terraform plan fails with "Disabled API Key" when using provider version 3.18.1+ #340

Closed thatcoleyouknow closed 1 year ago

thatcoleyouknow commented 1 year ago

Confirmation

Terraform and Imperva provider version

Terraform v1.4.6
on linux_amd64

    provider registry.terraform.io/imperva/incapsula v3.20.0

Affected resource(s)

We are using the incapsula_site resource but the error is from the provider (see below)

Terraform configuration files

provider "incapsula" {
  api_id  = data.google_secret_manager_secret_version.incapsula_api_id.secret_data
  api_key = data.google_secret_manager_secret_version.incapsula_api_key.secret_data
}

Debug output

I trimmed the rest of the debug output out cause it was a mile long. If you would like to see it all, let me know.

2023-08-08T22:00:39.444Z [INFO]  provider.terraform-provider-incapsula_v3.20.0: 2023/08/08 22:00:39 [DEBUG] Incapsula account JSON response: {"res":9418,"res_message":"Disabled API Key","debug_info":{"id-info":"999999"}}: timestamp=2023-08-08T22:00:39.444Z
2023-08-08T22:00:39.445Z [ERROR] provider.terraform-provider-incapsula_v3.20.0: Response contains error diagnostic: diagnostic_detail= tf_proto_version=5.3 tf_rpc=Configure @caller=[github.com/hashicorp/terraform-plugin-go@v0.14.1/tfprotov5/internal/diag/diagnostics.go:55](http://github.com/hashicorp/terraform-plugin-go@v0.14.1/tfprotov5/internal/diag/diagnostics.go:55) diagnostic_summary="Error from Incapsula service when checking account: {"res":9418,"res_message":"Disabled API Key","debug_info":{"id-info":"999999"}}" tf_provider_addr=provider tf_req_id=62be5816-048b-1959-2319-622de6d5ef7b @module=sdk.proto diagnostic_severity=ERROR timestamp=2023-08-08T22:00:39.445Z
2023-08-08T22:00:39.445Z [ERROR] vertex "provider[\"[registry.terraform.io/imperva/incapsula\](http://registry.terraform.io/imperva/incapsula%5C)"]" error: Error from Incapsula service when checking account: {"res":9418,"res_message":"Disabled API Key","debug_info":{"id-info":"999999"}}

Panic output

No response

Expected output

No error from the provider and the imperva_site resource is shown in the plan output as expected.

Actual output

448│ Error: Error from Incapsula service when checking account: {"res":9418,"res_message":"Disabled API Key","debug_info":{"id-info":"999999"}}
449│ 
450│   with provider["[registry.terraform.io/imperva/incapsula](http://registry.terraform.io/imperva/incapsula)"],
451│   on [providers.tf](http://providers.tf/) line 1, in provider "incapsula":
452│    1: provider "incapsula" {
453│

Steps to reproduce

  1. Make sure you are not pinning to a specific Incapsula provider version (aka use latest or version 3.18.1+)
  2. Configure the provider with a known working API ID and KEY
  3. Configure an imperva_site resource block
  4. Run terraform plan

Additional factoids

This issue seems to only affects provider version 3.18.1 and above, including latest, which at the time of writing this is 3.20.0. Using a known working API key or generating a new one does not make a difference. I have validated that the API key works via local Postman tests. Provider version 3.18.0 and below are not affected by this issue. We are pinning to 3.18.0 for now until this is fixed.

References

No response

thatcoleyouknow commented 1 year ago

We opened a support case with Imperva and found this to be a misleading error from the API. The root cause was that our requests were sourcing from an IP that was not in our IP whitelist, which we were not able to identify without asking support to dig through backend logs. I have no clue why using an older provider version was working for us in the mean time but one of the provider devs can probably answer that. If anyone else runs into this error, I'd suggest working with support to identify the true root cause.