
Provide a method for waiting on imperva-generated cert approval

Open thatcoleyouknow opened this issue 2 years ago • 2 comments

Confirmation

  • [X] My issue isn't already found on the issue tracker.
  • [X] I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Imperva provider version

Terraform v1.2.2 on darwin_arm64

  • provider registry.terraform.io/hashicorp/google v4.41.0
  • provider registry.terraform.io/hashicorp/time v0.9.0
  • provider registry.terraform.io/imperva/incapsula v3.9.1
  • provider registry.terraform.io/infobloxopen/infoblox v2.1.0

Affected resource(s)

incapsula_application_delivery

Terraform configuration files

resource "incapsula_site" "main" {
  domain                 = var.fqdn
  domain_validation      = "dns"
  send_site_setup_emails = "false"
  site_ip                = var.fqdn
  force_ssl              = "true"
  data_storage_region    = "US"
  wildcard_san           = "false"
}

resource "incapsula_data_centers_configuration" "main" {
  site_id       = incapsula_site.main.id
  site_topology = "SINGLE_DC"

  data_center {
    name    = "New DC"
    ip_mode = "MULTIPLE_IP"

    origin_server {
      address   = var.destination_ip_or_fqdn # the DNS/IP of the ELB
      is_active = true
    }
  }
}

resource "incapsula_application_delivery" "main" {
  site_id                     = incapsula_site.main.id
  file_compression            = true
  minify_css                  = true
  minify_js                   = true
  minify_static_html          = true
  compress_jpeg               = true
  progressive_image_rendering = false
  aggressive_compression      = false
  compress_png                = true
  tcp_pre_pooling             = true
  origin_connection_reuse     = true
  support_non_sni_clients     = true
  enable_http2                = true
  http2_to_origin             = true
  redirect_http_to_https      = true
  redirect_naked_to_full      = false

  lifecycle {
    ignore_changes = [port_to, ssl_port_to]
  }
}

Debug output

N/A

Panic output

N/A

Expected output

The application delivery resource to apply successfully

Actual output

│ Error: Error status code 401 from Incapsula service when Updating Application Delivery for Site ID [redacted]: {"res":9415,"res_message":"Operation not allowed","debug_info":{"error":"HTTP/2 support requires that SSL will be configured for your website","id-info":"999999"}}
│
│   with module.base.module.imperva_site[0].incapsula_application_delivery.main

Steps to reproduce

  1. Apply a terraform configuration containing an incapsula_site, incapsula_data_centers_configuration and incapsula_application_delivery resource like the example configuration above. Using an imperva-generated certificate is required to reproduce this issue.
  2. The incapsula_site and incapsula_data_centers_configuration resource will deploy successfully but the incapsula_application_delivery resource will fail (with the error above) because the SSL cert hasn't been approved yet.

Additional factoids

The certificate request approval time seems to vary anywhere from seconds up to an hour. I've seen it take as long as 45-50 minutes in the past couple of days. Querying the site status API (https://my.imperva.com/api/prov/v1/sites/status?site_id=[redacted]) returns a status of "pending-certificate" until the cert has been approved. I wrote a hacky solution to query this API every 10 seconds until the status returns "fully-configured", which is the only time I can successfully apply the incapsula_application_delivery resource to finish configuring my site. This is very frustrating and prevents our terraform module from deploying a site in a single run. Could we get a resource or data source that waits for the cert request approval before continuing so I can apply the incapsula_application_delivery resource in a single run? You all may feel it would be better to add that logic to the site resource or something else, but any method to work around this would be /very/ helpful.

I'll be opening a support case to help escalate this request internally as well.

Thank you!

References

N/A

thatcoleyouknow, Oct 27 '22 14:10
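The polling workaround the report describes (query the site status API every 10 seconds until it stops answering "pending-certificate"), written out as an added example; this is not code from the incapsula provider or the reporter's own script. It assumes the v1 endpoint accepts a POST with api_id, api_key and site_id as form fields, that the credentials live in IMPERVA_API_ID/IMPERVA_API_KEY, and that a successful reply carries "res": 0 next to "status"; the fetch and sleep hooks are injectable so the wait logic can be exercised without network access.

```python
"""Poll the Imperva v1 site status API until the Imperva-generated certificate
is approved (status "fully-configured"), so a wrapper such as a Terraform
local-exec step can gate incapsula_application_delivery on it.
Assumed (not stated in the issue): POST form auth and a "res": 0 success marker.
"""
import json
import os
import sys
import time
import urllib.parse
import urllib.request

STATUS_URL = "https://my.imperva.com/api/prov/v1/sites/status"  # from the issue
READY = "fully-configured"
PENDING = "pending-certificate"


class StatusApiError(RuntimeError):
    """The API answered with a non-zero res (e.g. bad credentials, wrong site_id)."""


def fetch_status(site_id: str) -> dict:
    """Call the status API; credential env var names are an assumption."""
    form = urllib.parse.urlencode({
        "api_id": os.environ["IMPERVA_API_ID"],
        "api_key": os.environ["IMPERVA_API_KEY"],
        "site_id": site_id,
    }).encode()
    with urllib.request.urlopen(STATUS_URL, data=form, timeout=30) as resp:
        return json.load(resp)


def site_status(body: dict) -> str:
    """Return the site status; an API error must not be mistaken for 'still pending'."""
    if body.get("res") != 0:
        raise StatusApiError(f"res={body.get('res')}: {body.get('res_message')}")
    return body["status"]


def wait_for_site(site_id, fetch=fetch_status, max_attempts=360, interval=10,
                  sleep=time.sleep):
    """Poll until READY; return the poll count. 360 x 10 s covers the ~1 h worst case."""
    for attempt in range(1, max_attempts + 1):
        status = site_status(fetch(site_id))
        if status == READY:
            return attempt
        if status != PENDING:
            print(f"site {site_id}: unexpected status {status!r}, still waiting")
        sleep(interval)
    raise TimeoutError(f"site {site_id} not {READY} after {max_attempts} polls")


if __name__ == "__main__":
    print(wait_for_site(sys.argv[1]))
```

Run it from a null_resource local-exec provisioner that incapsula_application_delivery lists in depends_on, so the delivery settings are only applied once the site has left "pending-certificate".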