Revert "Revert "resource/cloudflare_ruleset: fix Ruleset override act…

…ion (#1249)" (#1252)" This reverts commit 6f95e1b.
cloudflare · Oct 14, 2021 · 0aefaf2 · 0aefaf2
1 parent 6f95e1b
commit 0aefaf2
Show file tree

Hide file tree

Showing 4 changed files with 100 additions and 6 deletions.
diff --git a/.changelog/1249.txt b/.changelog/1249.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_ruleset: add support for 'Action' and 'Enabled' action_parameters > overrides attributes
+```
diff --git a/cloudflare/resource_cloudflare_ruleset.go b/cloudflare/resource_cloudflare_ruleset.go
@@ -218,6 +218,11 @@ func resourceCloudflareRuleset() *schema.Resource {
 													Type:     schema.TypeBool,
 													Optional: true,
 												},
+												"action": {
+													Type:         schema.TypeString,
+													Optional:     true,
+													ValidateFunc: validation.StringInSlice(cloudflare.RulesetRuleActionValues(), false),
+												},
 												"categories": {
 													Type:     schema.TypeList,
 													Optional: true,
@@ -514,6 +519,7 @@ func buildStateFromRulesetRules(rules []cloudflare.RulesetRule) interface{} {
 					"categories": categoryBasedOverrides,
 					"rules":      idBasedOverrides,
 					"enabled":    r.ActionParameters.Overrides.Enabled,
+					"action":     r.ActionParameters.Overrides.Action,
 				})
 			}
 
@@ -664,10 +670,19 @@ func buildRulesetRulesFromResource(phase string, r interface{}) ([]cloudflare.Ru
 					case "increment":
 						rule.ActionParameters.Increment = pValue.(int)
 					case "overrides":
-						categories := []cloudflare.RulesetRuleActionParametersCategories{}
-						rules := []cloudflare.RulesetRuleActionParametersRules{}
+						var overrideConfiguration cloudflare.RulesetRuleActionParametersOverrides
+						var categories []cloudflare.RulesetRuleActionParametersCategories
+						var rules []cloudflare.RulesetRuleActionParametersRules
 
 						for _, overrideParamValue := range pValue.([]interface{}) {
+							if phase != string(cloudflare.RulesetPhaseDDoSL7) {
+								overrideConfiguration.Enabled = &[]bool{overrideParamValue.(map[string]interface{})["enabled"].(bool)}[0]
+							}
+
+							if val, ok := overrideParamValue.(map[string]interface{})["action"]; ok {
+								overrideConfiguration.Action = val.(string)
+							}
+
 							// Category based overrides
 							if val, ok := overrideParamValue.(map[string]interface{})["categories"]; ok {
 								for _, category := range val.([]interface{}) {
@@ -702,10 +717,12 @@ func buildRulesetRulesFromResource(phase string, r interface{}) ([]cloudflare.Ru
 						}
 
 						if len(categories) > 0 || len(rules) > 0 {
-							rule.ActionParameters.Overrides = &cloudflare.RulesetRuleActionParametersOverrides{
-								Categories: categories,
-								Rules:      rules,
-							}
+							overrideConfiguration.Categories = categories
+							overrideConfiguration.Rules = rules
+						}
+
+						if !reflect.DeepEqual(overrideConfiguration, cloudflare.RulesetRuleActionParametersOverrides{}) {
+							rule.ActionParameters.Overrides = &overrideConfiguration
 						}
 
 					case "matched_data":

diff --git a/cloudflare/resource_cloudflare_ruleset_test.go b/cloudflare/resource_cloudflare_ruleset_test.go
@@ -828,6 +828,53 @@ func TestAccCloudflareRuleset_ActionParametersMultipleSkips(t *testing.T) {
 	})
 }
 
+func TestAccCloudflareRuleset_ActionParametersOverridesAction(t *testing.T) {
+	// Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the WAF
+	// service does not yet support the API tokens and it results in
+	// misleading state error messages.
+	if os.Getenv("CLOUDFLARE_API_TOKEN") != "" {
+		defer func(apiToken string) {
+			os.Setenv("CLOUDFLARE_API_TOKEN", apiToken)
+		}(os.Getenv("CLOUDFLARE_API_TOKEN"))
+		os.Setenv("CLOUDFLARE_API_TOKEN", "")
+	}
+
+	t.Parallel()
+	rnd := generateRandomResourceName()
+	zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
+	zoneName := os.Getenv("CLOUDFLARE_DOMAIN")
+	resourceName := "cloudflare_ruleset." + rnd
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckCloudflareRulesetActionParametersOverridesActionEnabled(rnd, "Overrides Cf Managed rules in Log", zoneID, zoneName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", "Overrides Cf Managed rules in Log"),
+					resource.TestCheckResourceAttr(resourceName, "description", rnd+" ruleset description"),
+					resource.TestCheckResourceAttr(resourceName, "kind", "zone"),
+					resource.TestCheckResourceAttr(resourceName, "phase", "http_request_firewall_managed"),
+
+					resource.TestCheckResourceAttr(resourceName, "rules.#", "1"),
+
+					resource.TestCheckResourceAttr(resourceName, "rules.0.action", "execute"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.expression", "true"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.description", "Execute all rules in Cloudflare Managed Ruleset in log mode on my zone-level phase entry point ruleset"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.enabled", "true"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.action_parameters.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.action_parameters.0.id", "efb7b8c949ac4650a09736fc376e9aee"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.action_parameters.0.version", "latest"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.action_parameters.0.overrides.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.action_parameters.0.overrides.0.action", "log"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.action_parameters.0.overrides.0.enabled", "true"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccCloudflareRuleset_ActionParametersHTTPDDoSOverride(t *testing.T) {
 	// Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the WAF
 	// service does not yet support the API tokens and it results in
@@ -1466,6 +1513,32 @@ func testAccCheckCloudflareRulesetRateLimit(rnd, name, zoneID, zoneName string)
   }`, rnd, name, zoneID, zoneName)
 }
 
+func testAccCheckCloudflareRulesetActionParametersOverridesActionEnabled(rnd, name, zoneID, zoneName string) string {
+	return fmt.Sprintf(`
+  resource "cloudflare_ruleset" "%[1]s" {
+    zone_id     = "%[3]s"
+    name        = "%[2]s"
+    description = "%[1]s ruleset description"
+    kind        = "zone"
+    phase       = "http_request_firewall_managed"
+
+    rules {
+      action = "execute"
+      action_parameters {
+        id = "efb7b8c949ac4650a09736fc376e9aee"
+        version = "latest"
+        overrides {
+          action = "log"
+          enabled = true
+        }
+      }
+      expression = "true"
+      description = "Execute all rules in Cloudflare Managed Ruleset in log mode on my zone-level phase entry point ruleset"
+      enabled = true
+    }
+  }`, rnd, name, zoneID, zoneName)
+}
+
 func testAccCheckCloudflareRulesetActionParametersMultipleSkips(rnd, name, zoneID, zoneName string) string {
 	return fmt.Sprintf(`
   resource "cloudflare_ruleset" "%[1]s" {

diff --git a/website/docs/r/ruleset.html.markdown b/website/docs/r/ruleset.html.markdown
@@ -275,6 +275,7 @@ The following arguments are supported:
 
 * `categories` - (Optional) List of tag-based overrides (refer to the [nested schema](#nestedblock--action-parameters-overrides-categories)).
 * `enabled` - (Optional) Defines if the current ruleset-level override enables or disables the ruleset.
+* `action` - (Optional) Action to perform in the rule-level override. Valid values are `"block"`, `"challenge"`, `"js_challenge"`, `"log"`.
 * `rules` - (Optional) List of rule-based overrides (refer to the [nested schema](#nestedblock--action-parameters-overrides-rules)).
 
 <a id="nestedblock--action-parameters-overrides-categories"></a>