
incapsula_security_rule_exception throws false Terraform error on update

Open connor-heb opened this issue 1 year ago • 1 comments

Confirmation

  • [X] My issue isn't already found on the issue tracker.
  • [X] I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Imperva provider version

Terraform v1.5.2
on darwin_amd64
+ provider registry.terraform.io/imperva/incapsula v3.18.3

Affected resource(s)

  • incapsula_security_rule_exception

Terraform configuration files

terraform {
  required_providers {
    incapsula = { 
      source = "imperva/incapsula"
      version = "3.18.3"
    }   
  }

  backend "local" {
    path = "./terraform.tfstate"
  }
}

provider "incapsula" {
  api_id  = var.incapsula_api_id
  api_key = var.incapsula_api_key
}

variable "incapsula_api_id" {}

variable "incapsula_api_key" {}

resource "incapsula_subaccount" "MY-SUBACCOUNT-NAME" {
  sub_account_name = "MY-SUBACCOUNT-NAME"
}

resource "incapsula_site" "first-example-network" {
  site_ip    = "first.example.tldthatdoesnotexist"
  domain     = "first.example.network"

  account_id = incapsula_subaccount.MY-SUBACCOUNT-NAME.id
}

resource "incapsula_security_rule_exception" "example-bot_access-control-rule-exception" {
  site_id = incapsula_site.first-example-network.id
  rule_id = "api.threats.bot_access_control"
  ips     = "142.250.138.102"
}

Debug output

output.log

Panic output

No response

Expected output

Update the bot exception IPs without throwing an error

Actual output

Bot exception IPs are successfully changed when verifying through the Imperva Management Console, but the Terraform plugin errors for seemingly no reason. The API response even includes "res": 0, "res_message": "OK". Re-running terraform apply will resolve the error.

│ Error: Error from Incapsula service when adding security rule exception for rule_id (api.threats.bot_access_control) and site_id (76703397): {"site_id":76703397,"status":"pending-dns-changes","domain":"first.example.network","account_id":2077003,"acceleration_level":"advanced","acceleration_level_raw":"aggressive","site_creation_date":1688760689000,"ips":["first.example.tldthatdoesnotexist"],"dns":[{"dns_record_name":"first.example.network","set_type_to":"CNAME","set_data_to":["vjgnjeb.impervadns.net"]}],"original_dns":[{"dns_record_name":"first.example.network","set_type_to":"CNAME","set_data_to":["first.example.tldthatdoesnotexist"]}],"warnings":[],"active":"active","support_all_tls_versions":false,"use_wildcard_san_instead_of_full_domain_san":true,"add_naked_domain_san":true,"additionalErrors":[],"display_name":"first.example.network","security":{"waf":{"rules":[{"action":"api.threats.action.block_request","action_text":"Block Request","id":"api.threats.sql_injection","name":"SQL Injection"},{"action":"api.threats.action.alert","action_text":"Alert Only","id":"api.threats.cross_site_scripting","name":"Cross Site Scripting"},{"action":"api.threats.action.block_request","action_text":"Block Request","id":"api.threats.illegal_resource_access","name":"Illegal Resource Access"},{"block_bad_bots":true,"challenge_suspected_bots":false,"exceptions":[{"values":[{"ips":["93.184.216.34"],"id":"api.rule_exception_type.client_ip","name":"IP"}],"id":5605126}],"id":"api.threats.bot_access_control","name":"Bot Access Control"},{"action":"api.threats.action.disabled","action_text":"Ignore","id":"api.threats.sensitive_info_leakage","name":"Sensitive Info Leakage"},{"activation_mode":"api.threats.ddos.activation_mode.auto","activation_mode_text":"Auto","ddos_traffic_threshold":1000,"id":"api.threats.ddos","name":"DDoS"},{"action":"api.threats.action.quarantine_url","action_text":"Auto-Quarantine","id":"api.threats.backdoor","name":"Backdoor Protect"},{"action":"api.threats.action.block_request","action_text":"Block Request","id":"api.threats.remote_file_inclusion","name":"Remote File Inclusion"},{"action":"api.threats.action.disabled","action_text":"Ignore","id":"api.threats.customRule","name":"IncapRules"},{"action":"api.threats.action.block_request","action_text":"Block Request","id":"api.threats.api.specification.violation","name":"API Specification Violation"},{"action":"api.threats.action.disabled","action_text":"Ignore","id":"api.threats.account_take_over","name":"Account Takeover"},{"action":"api.threats.action.disabled","action_text":"Ignore","id":"api.threats.distil_bad_bots","name":"Advanced Bot Protection"}]}},"sealLocation":{"id":"api.seal_location.none","name":"No seal"},"ssl":{"origin_server":{"detected":false,"detectionStatus":"ssl_network_detection_not_run"},"custom_certificate":{"active":false},"generated_certificate":{"san":[]},"site_certificate":false},"siteDualFactorSettings":{"specificUsers":[],"enabled":false,"customAreas":[],"customAreasExceptions":[],"allowAllUsers":true,"shouldSuggestApplicatons":true,"allowedMedia":["ga","sms"],"shouldSendLoginNotifications":true,"version":0},"login_protect":{"enabled":false,"specific_users_list":[],"send_lp_notifications":true,"allow_all_users":true,"authentication_methods":["ga","sms"],"urls":[],"url_patterns":[]},"performance_configuration":{"advanced_caching_rules":{"never_cache_resources":[],"always_cache_resources":[]},"acceleration_level":"advanced","acceleration_level_raw":"aggressive","async_validation":true,"minify_javascript":true,"minify_css":true,"minify_static_html":true,"compress_jpeg":true,"compress_jepg":true,"progressive_image_rendering":false,"aggressive_compression":false,"compress_png":true,"on_the_fly_compression":true,"tcp_pre_pooling":true,"comply_no_cache":false,"comply_vary":false,"use_shortest_caching":false,"perfer_last_modified":false,"prefer_last_modified":false,"disable_client_side_caching":false,"cache300x":false,"cache_headers":[]},"extended_ddos":1000000,"restricted_cname_reuse":false,"res":0,"res_message":"OK","debug_info":{"id-info":"999999"}}
│ 
│   with incapsula_security_rule_exception.example-bot_access-control-rule-exception,
│   on MY-SUBACCOUNT-NAME.tf line 34, in resource "incapsula_security_rule_exception" "example-bot_access-control-rule-exception":
│   34: resource "incapsula_security_rule_exception" "example-bot_access-control-rule-exception" {
│ 
|

Steps to reproduce

  1. Create subaccount, create site, add incapsula_security_rule_exception
  2. terraform apply
  3. Edit the ips in incapsula_security_rule_exception
  4. terraform apply

Additional factoids

Culprit is here https://github.com/imperva/terraform-provider-incapsula/blob/d3dbaff2710dee26ce9a4082b27c2e68e46fe6dd/incapsula/client_security_rule_exception.go#L163-L176

Can be fixed by converting siteStatusResponse.Res to a string first:

	// Parse the JSON
	var siteStatusResponse SiteStatusResponse
	err = json.Unmarshal([]byte(responseBody), &siteStatusResponse)
	if err != nil {
		return nil, fmt.Errorf("Error parsing configure security rule exception JSON response for rule_id (%s) and site_id (%d)", ruleID, siteID)
	}

	// Look at the response status code from Incapsula
	if fmt.Sprint(siteStatusResponse.Res) != "0" { // Fix is here
		return nil, fmt.Errorf("Error from Incapsula service when adding security rule exception for rule_id (%s) and site_id (%d): %s", ruleID, siteID, string(responseBody))
	}

	return &siteStatusResponse, nil
}

References

No response

connor-heb avatar Jul 07 '23 20:07 connor-heb
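
The comparison pitfall this issue points to, as an added Go example that is not part of the original post or the provider's code: `encoding/json` stores a JSON number decoded into an `interface{}` as `float64`, so an equality check against the constant `0` fails even when the API returns `"res":0`. The `statusResponse` struct, its `interface{}` field type, the `== 0` check and all helper names are assumptions; the issue shows only the proposed `fmt.Sprint` check.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// statusResponse is a hypothetical stand-in for the provider's SiteStatusResponse.
// Assumption: "res" is decoded into interface{}; the issue does not show the struct.
type statusResponse struct {
	Res        interface{} `json:"res"`
	ResMessage string      `json:"res_message"`
}

// Constructed sample bodies; only the res/res_message fields come from the issue's output.
const bodyNumeric = `{"res":0,"res_message":"OK"}`
const bodyString = `{"res":"0","res_message":"OK"}`

func decode(body string) (statusResponse, error) {
	var r statusResponse
	err := json.Unmarshal([]byte(body), &r)
	return r, err
}

// naiveOK compares the interface value with the untyped constant 0 (assumed pre-fix check).
// The constant becomes int(0) while the decoded value is float64(0) or a string,
// so the dynamic types differ and the result is false for a successful response.
func naiveOK(r statusResponse) bool { return r.Res == 0 }

// sprintOK is the check proposed in the issue: format the value, compare as text.
func sprintOK(r statusResponse) bool { return fmt.Sprint(r.Res) == "0" }

// typedOK is a stricter alternative that accepts only the two expected encodings.
func typedOK(r statusResponse) bool {
	switch v := r.Res.(type) {
	case float64:
		return v == 0
	case string:
		return v == "0"
	}
	return false
}

func main() {
	for _, body := range []string{bodyNumeric, bodyString} {
		r, _ := decode(body)
		fmt.Printf("%s type=%T naive=%v sprint=%v typed=%v\n", body, r.Res, naiveOK(r), sprintOK(r), typedOK(r))
	}
}
```

A response with no `res` field decodes to `nil`, which both `sprintOK` and `typedOK` treat as a failure rather than as success.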