Merge pull request #1689 from cloudflare/rulesets-enabled-to-status-f…

…ield

resource/cloudflare_ruleset: deprecate `enabled` (immediately) in overrides in favour of `status`

.changelog/1689.txt

@@ -0,0 +1,3 @@
+```release-note:breaking-change
+resource/cloudflare_ruleset: deprecates `enabled` in overridden configurations immediately in favour of `status`
+```

docs/resources/ruleset.md

@@ -27,8 +27,8 @@ Terraform. This is because Terraform will fail to apply if configuration
 already exists to prevent blindly overwriting changes.
 
 ~> `enabled` has been immediately deprecated in favour of
-  `status`. You should swap over to ensure that your configuration doesn't
-  have inconsistent operations and inadvertently disable rulesets.
+`status`. You should swap over to ensure that your configuration doesn't
+have inconsistent operations and inadvertently disable rulesets.
 
 
 <!-- schema generated by tfplugindocs -->
@@ -134,29 +134,32 @@ Optional:
 
 - `action` (String) Action to perform in the rule-level override. Available values: `"block"`, `"challenge"`, `"ddos_dynamic"`, `"execute"`, `"force_connection_close"`, `"js_challenge"`, `"managed_challenge"`, `"log"`, `"log_custom_field"`, `"rewrite"`, `"score"`, `"skip"`, `"route"`.
 - `categories` (Block List) List of tag-based overrides. (see [below for nested schema](#nestedblock--rules--action_parameters--overrides--categories))
-- `enabled` (Boolean) Defines if the current ruleset-level override enables or disables the ruleset.
+- `enabled` (Boolean, Deprecated) Defines if the current ruleset-level override enables or disables the ruleset.
 - `rules` (Block List) List of rule-based overrides. (see [below for nested schema](#nestedblock--rules--action_parameters--overrides--rules))
+- `status` (String) Defines if the current ruleset-level override enables or disables the ruleset. Available values: `"enabled"`, `"disabled"`. Defaults to `""`.
 
 <a id="nestedblock--rules--action_parameters--overrides--categories"></a>
-### Nested Schema for `rules.action_parameters.overrides.rules`
+### Nested Schema for `rules.action_parameters.overrides.status`
 
 Optional:
 
 - `action` (String) Action to perform in the tag-level override. Available values: `"block"`, `"challenge"`, `"ddos_dynamic"`, `"execute"`, `"force_connection_close"`, `"js_challenge"`, `"managed_challenge"`, `"log"`, `"log_custom_field"`, `"rewrite"`, `"score"`, `"skip"`, `"route"`.
 - `category` (String) Tag name to apply the ruleset rule override to.
-- `enabled` (Boolean) Defines if the current tag-level override enables or disables the ruleset rules with the specified tag.
+- `enabled` (Boolean, Deprecated) Defines if the current tag-level override enables or disables the ruleset rules with the specified tag.
+- `status` (String) Defines if the current tag-level override enables or disables the ruleset rules with the specified tag. Available values: `"enabled"`, `"disabled"`. Defaults to `""`.
 
 
 <a id="nestedblock--rules--action_parameters--overrides--rules"></a>
-### Nested Schema for `rules.action_parameters.overrides.rules`
+### Nested Schema for `rules.action_parameters.overrides.status`
 
 Optional:
 
 - `action` (String) Action to perform in the rule-level override. Available values: `"block"`, `"challenge"`, `"ddos_dynamic"`, `"execute"`, `"force_connection_close"`, `"js_challenge"`, `"managed_challenge"`, `"log"`, `"log_custom_field"`, `"rewrite"`, `"score"`, `"skip"`, `"route"`.
-- `enabled` (Boolean) Defines if the current rule-level override enables or disables the rule.
+- `enabled` (Boolean, Deprecated) Defines if the current rule-level override enables or disables the rule.
 - `id` (String) Rule ID to apply the override to.
 - `score_threshold` (Number) Anomaly score threshold to apply in the ruleset rule override. Only applicable to modsecurity-based rulesets.
 - `sensitivity_level` (String) Sensitivity level for a ruleset rule override.
+- `status` (String) Defines if the current rule-level override enables or disables the rule. Available values: `"enabled"`, `"disabled"`. Defaults to `""`.
 
 
 
@@ -213,7 +216,8 @@ Optional:
 
 Optional:
 
-- `enabled` (Boolean) Override the default logging behavior when a rule is matched.
+- `enabled` (Boolean, Deprecated) Override the default logging behavior when a rule is matched.
+- `status` (String) Override the default logging behavior when a rule is matched. Available values: `"enabled"`, `"disabled"`. Defaults to `""`.
 
 
 <a id="nestedblock--rules--ratelimit"></a>

examples/resources/cloudflare_ruleset/resource.tf

@@ -48,13 +48,13 @@ resource "cloudflare_ruleset" "zone_level_managed_waf_with_category_based_overri
         categories {
           category = "wordpress"
           action   = "block"
-          enabled  = true
+          status   = "enabled"
         }
 
         categories {
           category = "joomla"
           action   = "block"
-          enabled  = true
+          status   = "enabled"
         }
       }
     }

internal/provider/provider.go

@@ -31,7 +31,11 @@ func init() {
 		}
 
 		if s.Default != nil {
-			desc += fmt.Sprintf(" Defaults to `%v`.", s.Default)
+			if s.Default == "" {
+				desc += " Defaults to `\"\"`."
+			} else {
+				desc += fmt.Sprintf(" Defaults to `%v`.", s.Default)
+			}
 		}
 
 		if s.ConflictsWith != nil && len(s.ConflictsWith) > 0 {

internal/provider/resource_cloudflare_ruleset.go

@@ -258,7 +258,7 @@ func buildStateFromRulesetRules(rules []cloudflare.RulesetRule) interface{} {
 					idBasedOverrides = append(idBasedOverrides, map[string]interface{}{
 						"id":                overrideRule.ID,
 						"action":            overrideRule.Action,
-						"enabled":           overrideRule.Enabled,
+						"status":            apiEnabledToStatusFieldConversion(overrideRule.Enabled),
 						"score_threshold":   overrideRule.ScoreThreshold,
 						"sensitivity_level": overrideRule.SensitivityLevel,
 					})
@@ -268,14 +268,14 @@ func buildStateFromRulesetRules(rules []cloudflare.RulesetRule) interface{} {
 					categoryBasedOverrides = append(categoryBasedOverrides, map[string]interface{}{
 						"category": overrideRule.Category,
 						"action":   overrideRule.Action,
-						"enabled":  overrideRule.Enabled,
+						"status":   apiEnabledToStatusFieldConversion(overrideRule.Enabled),
 					})
 				}
 
 				overrides = append(overrides, map[string]interface{}{
 					"categories": categoryBasedOverrides,
 					"rules":      idBasedOverrides,
-					"enabled":    r.ActionParameters.Overrides.Enabled,
+					"status":     apiEnabledToStatusFieldConversion(r.ActionParameters.Overrides.Enabled),
 					"action":     r.ActionParameters.Overrides.Action,
 				})
 			}
@@ -428,7 +428,7 @@ func buildStateFromRulesetRules(rules []cloudflare.RulesetRule) interface{} {
 			var logging []map[string]interface{}
 
 			logging = append(logging, map[string]interface{}{
-				"enabled": r.Logging.Enabled,
+				"status": apiEnabledToStatusFieldConversion(r.Logging.Enabled),
 			})
 
 			rule["logging"] = logging
@@ -518,9 +518,10 @@ func buildRulesetRulesFromResource(d *schema.ResourceData) ([]cloudflare.Ruleset
 						var rules []cloudflare.RulesetRuleActionParametersRules
 
 						for overrideCounter, overrideParamValue := range pValue.([]interface{}) {
-							//nolint:staticcheck
-							if value, ok := d.GetOkExists(fmt.Sprintf("rules.%d.action_parameters.0.overrides.%d.enabled", rulesCounter, overrideCounter)); ok {
-								overrideConfiguration.Enabled = cloudflare.BoolPtr(value.(bool))
+							if value, ok := d.GetOk(fmt.Sprintf("rules.%d.action_parameters.0.overrides.%d.status", rulesCounter, overrideCounter)); ok {
+								if value.(string) != "" {
+									overrideConfiguration.Enabled = statusToAPIEnabledFieldConversion(value.(string))
+								}
 							}
 
 							if val, ok := overrideParamValue.(map[string]interface{})["action"]; ok {
@@ -529,34 +530,41 @@ func buildRulesetRulesFromResource(d *schema.ResourceData) ([]cloudflare.Ruleset
 
 							// Category based overrides
 							if val, ok := overrideParamValue.(map[string]interface{})["categories"]; ok {
-								for _, category := range val.([]interface{}) {
+								for categoryCounter, category := range val.([]interface{}) {
 									cData := category.(map[string]interface{})
-									categories = append(categories, cloudflare.RulesetRuleActionParametersCategories{
+									categoryOverride := cloudflare.RulesetRuleActionParametersCategories{
 										Category: cData["category"].(string),
 										Action:   cData["action"].(string),
-										Enabled:  cloudflare.BoolPtr(cData["enabled"].(bool)),
-									})
+									}
+
+									if value, ok := d.GetOk(fmt.Sprintf("rules.%d.action_parameters.0.overrides.%d.categories.%d.status", rulesCounter, overrideCounter, categoryCounter)); ok {
+										if value != "" {
+											categoryOverride.Enabled = statusToAPIEnabledFieldConversion(value.(string))
+										}
+									}
+
+									categories = append(categories, categoryOverride)
 								}
 							}
 
 							// Rule ID based overrides
 							if val, ok := overrideParamValue.(map[string]interface{})["rules"]; ok {
 								for ruleOverrideCounter, rule := range val.([]interface{}) {
 									rData := rule.(map[string]interface{})
-
-									var enabled *bool
-									//nolint:staticcheck
-									if value, ok := d.GetOkExists(fmt.Sprintf("rules.%d.action_parameters.0.overrides.%d.rules.%d.enabled", rulesCounter, overrideCounter, ruleOverrideCounter)); ok {
-										enabled = cloudflare.BoolPtr(value.(bool))
-									}
-
-									rules = append(rules, cloudflare.RulesetRuleActionParametersRules{
+									ruleOverride := cloudflare.RulesetRuleActionParametersRules{
 										ID:               rData["id"].(string),
 										Action:           rData["action"].(string),
-										Enabled:          enabled,
 										ScoreThreshold:   rData["score_threshold"].(int),
 										SensitivityLevel: rData["sensitivity_level"].(string),
-									})
+									}
+
+									if value, ok := d.GetOk(fmt.Sprintf("rules.%d.action_parameters.0.overrides.%d.rules.%d.status", rulesCounter, overrideCounter, ruleOverrideCounter)); ok {
+										if value != "" {
+											ruleOverride.Enabled = statusToAPIEnabledFieldConversion(value.(string))
+										}
+									}
+
+									rules = append(rules, ruleOverride)
 								}
 							}
 						}
@@ -718,9 +726,8 @@ func buildRulesetRulesFromResource(d *schema.ResourceData) ([]cloudflare.Ruleset
 			for _, parameter := range resourceRule["logging"].([]interface{}) {
 				for pKey, pValue := range parameter.(map[string]interface{}) {
 					switch pKey {
-					case "enabled":
-						rule.Logging.Enabled = cloudflare.BoolPtr(pValue.(bool))
-
+					case "status":
+						rule.Logging.Enabled = statusToAPIEnabledFieldConversion(pValue.(string))
 					default:
 						log.Printf("[DEBUG] unknown key encountered in buildRulesetRulesFromResource for logging: %s", pKey)
 					}
@@ -744,3 +751,31 @@ func buildRulesetRulesFromResource(d *schema.ResourceData) ([]cloudflare.Ruleset
 
 	return rulesetRules, nil
 }
+
+// statusToAPIEnabledFieldConversion takes the "status" field from the Terraform
+// schema/state and converts it to the API equivalent for the "enabled" field.
+func statusToAPIEnabledFieldConversion(s string) *bool {
+	if s == "enabled" {
+		return cloudflare.BoolPtr(true)
+	} else if s == "disabled" {
+		return cloudflare.BoolPtr(false)
+	} else {
+		return nil
+	}
+}
+
+// apiEnabledToStatusFieldConversion takes the "enabled" field from the API and
+// converts it to the Terraform schema/state key "status".
+func apiEnabledToStatusFieldConversion(s *bool) string {
+	if s == nil {
+		return ""
+	}
+
+	if *s == true {
+		return "enabled"
+	} else if *s == false {
+		return "disabled"
+	} else {
+		return ""
+	}
+}