volterraedge / terraform-provider-volterra

Volterra's Public Terraform Provider
https://volterra.io
Apache License 2.0

Issues with 'bot_defense' and Terraform State #126

Open kreynoldsf5 opened 2 years ago

kreynoldsf5 commented 2 years ago

When creating/editing a 'bot_defense' policy under an HTTP loadbalancer, subsequent drift is not detected.

For example, apply this as part of an HTTP LB.

  bot_defense {
    policy {
      disable_js_insert = false
      js_insert_all_pages {
        javascript_location = "After <head> tag"
      }
      protected_app_endpoints {
        domain {
          exact_value = var.app_fqdn
        }
        path {
          prefix = "/cart"
        }
        protocol     = "https"
        web          = true
        http_methods = ["POST"]
        metadata {
          name = format("%s-bot-defense", var.base)
        }
        mitigation {
          block {
            # base64 of: <p>This is a bot defense block page.</p>
            body   = "string:///PHA+VGhpcyBpcyBhIGJvdCBkZWZlbnNlIGJsb2NrIHBhZ2UuPC9wPg=="
            status = "BadRequest"
          }
        }
      }
    }
    timeout           = 1000
    regional_endpoint = var.bot_defense_region
  }

If someone were to manually edit settings in the console (edit domains, path, etc.), running 'plan' or 'apply' would not detect any drift in state.

kreynoldsf5 commented 2 years ago

Config immediately after a terraform apply:

    "bot_defense": {
      "regional_endpoint": "US",
      "policy": {
        "protected_app_endpoints": [
          {
            "metadata": {
              "name": "demo-app-bot-defense",
              "description": null,
              "disable": null
            },
            "http_methods": [
              "POST"
            ],
            "protocol": "BOTH",
            "any_domain": {},
            "path": {
              "prefix": "/cart"
            },
            "web": {},
            "mitigation": {
              "block": {
                "status": "BadRequest",
                "body": "string:///PHA+VGhpcyBpcyBhIGJvdCBkZWZlbnNlIGJsb2NrIHBhZ2UuPC9wPg=="
              }
            }
          }
        ],
  ...

Here's the config after a manual update:

    "bot_defense": {
      "regional_endpoint": "US",
      "policy": {
        "protected_app_endpoints": [
          {
            "metadata": {
              "name": "demo-app-bot-defense",
              "description": "",
              "disable": false
            },
            "http_methods": [
              "POST"
            ],
            "protocol": "BOTH",
            "domain": {
              "exact_value": "micro.gsa.f5demos.com"
            },
            "path": {
              "prefix": "/cart"
            },
            "web": {},
            "mitigation": {
              "block": {
                "status": "BadRequest",
                "body": "string:///PHA+VGhpcyBpcyBhIGJvdCBkZWZlbnNlIGJsb2NrIHBhZ2UuPC9wPg=="
              }
            }
          }
        ],
        "js_insert_all_pages": {
          "javascript_location": "AFTER_HEAD"
        },
        "js_download_path": "/common.js"
      },
      "timeout": 1000
    },
...

Here's an example terraform plan output:

$ terraform plan -var-file ./tfvars/gsa.tfvars
...
module.volterra.volterra_http_loadbalancer.frontend: Refreshing state... [id=6048b25a-fac0-4763-8cf7-abd90279b208]
...
No changes. Your infrastructure matches the configuration.
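
An out-of-band drift check for the situation reported in this thread, added here as an example; it is not part of the original issue or of the provider's code. It compares the endpoint entry from the two API snapshots quoted above, and it assumes that `null`, `""` and `false` all mean "unset" in the API's output; the function names are hypothetical, and how the snapshots are fetched is left out.

```python
# Constructed sample: protected_app_endpoints[0] from the two snapshots quoted
# in the thread (right after `terraform apply`, and after the console edit).
BODY = "string:///PHA+VGhpcyBpcyBhIGJvdCBkZWZlbnNlIGJsb2NrIHBhZ2UuPC9wPg=="
COMMON = {
    "http_methods": ["POST"], "protocol": "BOTH", "path": {"prefix": "/cart"},
    "web": {}, "mitigation": {"block": {"status": "BadRequest", "body": BODY}},
}
AFTER_APPLY = {**COMMON, "any_domain": {},
               "metadata": {"name": "demo-app-bot-defense",
                            "description": None, "disable": None}}
AFTER_EDIT = {**COMMON, "domain": {"exact_value": "micro.gsa.f5demos.com"},
              "metadata": {"name": "demo-app-bot-defense",
                           "description": "", "disable": False}}

# Assumption: the API reports an unset scalar as null, "" or false.
UNSET = (None, "", False)


def flatten(node, prefix=""):
    """Yield (path, leaf) pairs. Empty dicts are leaves: they act as
    choice markers in these snapshots (e.g. "any_domain": {})."""
    if isinstance(node, dict) and node:
        for key, value in node.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(node, list) and node:
        for index, value in enumerate(node):
            yield from flatten(value, f"{prefix}[{index}]")
    else:
        yield prefix, node


def drift(baseline, live):
    """Return {path: (baseline_value, live_value)} for real differences.
    A path missing on one side is reported with None on that side."""
    old, new = dict(flatten(baseline)), dict(flatten(live))
    changes = {}
    for path in sorted(old.keys() | new.keys()):
        before, after = old.get(path), new.get(path)
        if before == after or (before in UNSET and after in UNSET):
            continue  # identical, or only a default-value representation change
        changes[path] = (before, after)
    return changes


if __name__ == "__main__":
    for path, (before, after) in drift(AFTER_APPLY, AFTER_EDIT).items():
        print(f"DRIFT {path}: {before!r} -> {after!r}")
```

Run against a baseline captured right after each apply, this flags the domain change that the `terraform plan` output above reports as "No changes".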