CIS Firewall resource changes

IBM-Cloud · Nov 24, 2020 · 2eaf1da · 2eaf1da
1 parent 7da1db3
commit 2eaf1da
Show file tree

Hide file tree

Showing 11 changed files with 1,524 additions and 381 deletions.
diff --git a/examples/ibm-cis/README.md b/examples/ibm-cis/README.md
@@ -367,8 +367,19 @@ Customise the variables in `variables.tf` to your local environment and chosen D
 | record\_content | DNS Record Content | `string` | yes |
 | firewall\_type | Firewall Type | `string` | yes |
 | lockdown\_url | Lockdown URL | `string` | yes |
-| lockdown\_target | Lockdown Configuration target | `string` | yes |
-| lockdown\_value | Lockdown Configuration Value | `string` | yes |
+| lockdown\_paused | Locdown rule paused or not | `boolean` | no
+| lockdown\_description | Lockdown description | `string` | no
+| lockdown\_priority | Lockdown priority | `integer` | no
+| lockdown\_configurations\_target | Lockdown Configuration target | `string` | yes |
+| lockdown\_configurations\_value | Lockdown Configuration Value | `string` | yes |
+| access_rule\_notes | Access rule notes | `string` | no
+| access_rule\_mode | Access rule mode | `string` | yes
+| access_rule\_configuration\_target | Access rule configuration target | `string` | yes |
+| access_rule\_configuration\_value | Access rule configuration Value | `string` | yes |
+| ua_rule\_description | User Agent rule description | `string` | no
+| ua_rule\_mode | User Agent rule mode | `string` | yes
+| ua_rule\_configuration\_target | User Agent rule configuration target | `string` | yes |
+| ua_rule\_configuration\_value | User Agent rule configuration Value | `string` | yes |
 | threshold | Rate Limiting Threshold | `number` | yes |
 | period | Rate Limiting Period | `number` | yes |
 | match\_request\_url | URL pattern of matching request | `string` | no |
@@ -413,6 +424,9 @@ Customise the variables in `variables.tf` to your local environment and chosen D
 | edge_functions_action_id | Resource ID. It is combination of `action_name`:`domain_id`:`cis_id`|
 | edge_functions_trigger_id | Resource ID. It is combination of `trigger_id`:`domain_id`:`cis_id`|
 | page_id | Custom Page ID |
+| lockdown\_lockdown_id | Firewall Lockdown ID
+| access_rule\_access_rule_id | Firewall Access rule ID
+| ua_rule\_ua_rule_id | Firewall User Agent rule ID
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

diff --git a/examples/ibm-cis/main.tf b/examples/ibm-cis/main.tf
@@ -104,7 +104,7 @@ resource "ibm_cis_dns_record" "example" {
 
 }
 
-# CIS Firewall - Present resource supports only lockdown
+# CIS Firewall
 resource "ibm_cis_firewall" "lockdown" {
   cis_id        = ibm_cis.web_domain.id
   domain_id     = ibm_cis_domain.web_domain.id
@@ -121,6 +121,13 @@ resource "ibm_cis_firewall" "lockdown" {
   }
 }
 
+# CIS Firewall data source
+data "ibm_cis_firewall" "ua_rules" {
+  cis_id        = ibm_cis.web_domain.id
+  domain_id     = ibm_cis_domain.web_domain.id
+  firewall_type = "ua_rules"
+}
+
 #CIS Rate Limit
 resource "ibm_cis_rate_limit" "ratelimit" {
   cis_id    = data.ibm_cis.web_domain.id

diff --git a/examples/ibm-cis/outputs.tf b/examples/ibm-cis/outputs.tf
@@ -40,3 +40,7 @@ output "cache_settings" {
 output "ibm_cis_custom_page_output" {
   value = ibm_cis_custom_page.custom_page
 }
+
+output "ibm_cis_firewall_ouput" {
+  value = ibm_cis_firewall.lockdown
+}
diff --git a/ibm/config.go b/ibm/config.go
@@ -28,6 +28,9 @@ import (
 	cisroutingv1 "github.com/IBM/networking-go-sdk/routingv1"
 	cissslv1 "github.com/IBM/networking-go-sdk/sslcertificateapiv1"
 	tg "github.com/IBM/networking-go-sdk/transitgatewayapisv1"
+	cisuarulev1 "github.com/IBM/networking-go-sdk/useragentblockingrulesv1"
+	cisaccessrulev1 "github.com/IBM/networking-go-sdk/zonefirewallaccessrulesv1"
+	cislockdownv1 "github.com/IBM/networking-go-sdk/zonelockdownv1"
 	cisratelimitv1 "github.com/IBM/networking-go-sdk/zoneratelimitsv1"
 	cisdomainsettingsv1 "github.com/IBM/networking-go-sdk/zonessettingsv1"
 	ciszonesv1 "github.com/IBM/networking-go-sdk/zonesv1"
@@ -205,6 +208,9 @@ type ClientSession interface {
 	CisRoutingClientSession() (*cisroutingv1.RoutingV1, error)
 	CisCacheClientSession() (*ciscachev1.CachingApiV1, error)
 	CisCustomPageClientSession() (*ciscustompagev1.CustomPagesV1, error)
+	CisAccessRuleClientSession() (*cisaccessrulev1.ZoneFirewallAccessRulesV1, error)
+	CisUARuleClientSession() (*cisuarulev1.UserAgentBlockingRulesV1, error)
+	CisLockdownClientSession() (*cislockdownv1.ZoneLockdownV1, error)
 }
 
 type clientSession struct {
@@ -368,6 +374,18 @@ type clientSession struct {
 	// CIS Custom Pages service options
 	cisCustomPageErr    error
 	cisCustomPageClient *ciscustompagev1.CustomPagesV1
+
+	// CIS Firewall Access rule service option
+	cisAccessRuleErr    error
+	cisAccessRuleClient *cisaccessrulev1.ZoneFirewallAccessRulesV1
+
+	// CIS User Agent Blocking Rule service option
+	cisUARuleErr    error
+	cisUARuleClient *cisuarulev1.UserAgentBlockingRulesV1
+
+	// CIS Firewall Lockdwon Rule service option
+	cisLockdownErr    error
+	cisLockdownClient *cislockdownv1.ZoneLockdownV1
 }
 
 // BluemixAcccountAPI ...
@@ -616,6 +634,21 @@ func (sess clientSession) CisCustomPageClientSession() (*ciscustompagev1.CustomP
 	return sess.cisCustomPageClient, sess.cisCustomPageErr
 }
 
+// CIS Firewall access rule
+func (sess clientSession) CisAccessRuleClientSession() (*cisaccessrulev1.ZoneFirewallAccessRulesV1, error) {
+	return sess.cisAccessRuleClient, sess.cisAccessRuleErr
+}
+
+// CIS User Agent Blocking rule
+func (sess clientSession) CisUARuleClientSession() (*cisuarulev1.UserAgentBlockingRulesV1, error) {
+	return sess.cisUARuleClient, sess.cisUARuleErr
+}
+
+// CIS Firewall Lockdown rule
+func (sess clientSession) CisLockdownClientSession() (*cislockdownv1.ZoneLockdownV1, error) {
+	return sess.cisLockdownClient, sess.cisLockdownErr
+}
+
 // ClientSession configures and returns a fully initialized ClientSession
 func (c *Config) ClientSession() (interface{}, error) {
 	sess, err := newSession(c)
@@ -680,6 +713,9 @@ func (c *Config) ClientSession() (interface{}, error) {
 		session.cisRoutingErr = errEmptyBluemixCredentials
 		session.cisCacheErr = errEmptyBluemixCredentials
 		session.cisCustomPageErr = errEmptyBluemixCredentials
+		session.cisAccessRuleErr = errEmptyBluemixCredentials
+		session.cisUARuleErr = errEmptyBluemixCredentials
+		session.cisLockdownErr = errEmptyBluemixCredentials
 
 		return session, nil
 	}
@@ -1172,13 +1208,59 @@ func (c *Config) ClientSession() (interface{}, error) {
 		ZoneIdentifier: core.StringPtr(""),
 		Authenticator:  authenticator,
 	}
+
 	session.cisCustomPageClient, session.cisCustomPageErr =
 		ciscustompagev1.NewCustomPagesV1(cisCustomPageOpt)
 	if session.cisCustomPageErr != nil {
 		session.cisCustomPageErr =
 			fmt.Errorf("Error occured while configuring CIS Custom Pages service: %s",
 				session.cisCustomPageErr)
 	}
+
+	// IBM Network CIS Firewall Access rule
+	cisAccessRuleOpt := &cisaccessrulev1.ZoneFirewallAccessRulesV1Options{
+		URL:            cisEndPoint,
+		Crn:            core.StringPtr(""),
+		ZoneIdentifier: core.StringPtr(""),
+		Authenticator:  authenticator,
+	}
+	session.cisAccessRuleClient, session.cisAccessRuleErr =
+		cisaccessrulev1.NewZoneFirewallAccessRulesV1(cisAccessRuleOpt)
+	if session.cisAccessRuleErr != nil {
+		session.cisAccessRuleErr =
+			fmt.Errorf("Error occured while configuring CIS Firewall Access Rule service: %s",
+				session.cisAccessRuleErr)
+	}
+
+	// IBM Network CIS Firewall User Agent Blocking rule
+	cisUARuleOpt := &cisuarulev1.UserAgentBlockingRulesV1Options{
+		URL:            cisEndPoint,
+		Crn:            core.StringPtr(""),
+		ZoneIdentifier: core.StringPtr(""),
+		Authenticator:  authenticator,
+	}
+	session.cisUARuleClient, session.cisUARuleErr =
+		cisuarulev1.NewUserAgentBlockingRulesV1(cisUARuleOpt)
+	if session.cisUARuleErr != nil {
+		session.cisUARuleErr =
+			fmt.Errorf("Error occured while configuring CIS Firewall User Agent Blocking Rule service: %s",
+				session.cisUARuleErr)
+	}
+
+	// IBM Network CIS Firewall Lockdown rule
+	cisLockdownOpt := &cislockdownv1.ZoneLockdownV1Options{
+		URL:            cisEndPoint,
+		Crn:            core.StringPtr(""),
+		ZoneIdentifier: core.StringPtr(""),
+		Authenticator:  authenticator,
+	}
+	session.cisLockdownClient, session.cisLockdownErr =
+		cislockdownv1.NewZoneLockdownV1(cisLockdownOpt)
+	if session.cisLockdownErr != nil {
+		session.cisLockdownErr =
+			fmt.Errorf("Error occured while configuring CIS Firewall Lockdown Rule service: %s",
+				session.cisLockdownErr)
+	}
 	return session, nil
 }