Add challenge and js_challenge rate-limit modes #172
Conversation
| }, | ||
|
|
||
| "timeout": { | ||
| Type: schema.TypeInt, | ||
| Required: true, |
There was a problem hiding this comment.
As this is now optional based on the mode, we probably want to add a check in the Create/Update that if the mode is simulate or ban, we check the value is defined to prevent people scratching their heads with unintended behaviour.
There was a problem hiding this comment.
I completely agree. The Cloudflare API does give reasonable error messages around this though it should really be caught by the provider before the API is called.
I'm just working on it at the moment, though this is the first time I've written any Go so you may have to forgive my non-idiomatic code.
There was a problem hiding this comment.
After grappling with attempting to insert validation into expandRateLimitAction, I've realised that this won't behave quite as expected. I've attempted to implement a ValidateFunc into the action section of the schema itself (where I'll have access to both mode and timeout), but it appears that this is not supported on lists or sets at this point in time.
I'd appreciate any pointers as to how to proceed with this.
There was a problem hiding this comment.
... but it appears that this is not supported on lists or sets at this point in time.
Yep, the ValidateFunc is only supported on primitive types which throws it out a bit.
I'd appreciate any pointers as to how to proceed with this.
Sure, I think this might do the job. You were on the right track with using expandRateLimitAction as it's used in both the Create and Update. I haven't thoroughly vetted this though.
diff --git a/cloudflare/resource_cloudflare_rate_limit.go b/cloudflare/resource_cloudflare_rate_limit.go
index e67f1a4..dd0f170 100644
--- a/cloudflare/resource_cloudflare_rate_limit.go
+++ b/cloudflare/resource_cloudflare_rate_limit.go
@@ -197,11 +197,15 @@ func resourceCloudflareRateLimit() *schema.Resource {
func resourceCloudflareRateLimitCreate(d *schema.ResourceData, meta interface{}) error {
client := meta.(*cloudflare.API)
+ rateLimitAction, err := expandRateLimitAction(d)
+ if err != nil {
+ return errors.Wrap(err, "error expanding rate limit action")
+ }
newRateLimit := cloudflare.RateLimit{
Threshold: d.Get("threshold").(int),
Period: d.Get("period").(int),
- Action: expandRateLimitAction(d),
+ Action: rateLimitAction,
}
newRateLimitMatch, err := expandRateLimitTrafficMatcher(d)
@@ -255,11 +259,15 @@ func resourceCloudflareRateLimitUpdate(d *schema.ResourceData, meta interface{})
client := meta.(*cloudflare.API)
zoneId := d.Get("zone_id").(string)
rateLimitId := d.Id()
+ rateLimitAction, err := expandRateLimitAction(d)
+ if err != nil {
+ return errors.Wrap(err, "error expanding rate limit action")
+ }
updatedRateLimit := cloudflare.RateLimit{
Threshold: d.Get("threshold").(int),
Period: d.Get("period").(int),
- Action: expandRateLimitAction(d),
+ Action: rateLimitAction,
}
newRateLimitMatch, err := expandRateLimitTrafficMatcher(d)
@@ -341,13 +349,21 @@ func expandRateLimitTrafficMatcher(d *schema.ResourceData) (matcher cloudflare.R
return
}
-func expandRateLimitAction(d *schema.ResourceData) cloudflare.RateLimitAction {
+func expandRateLimitAction(d *schema.ResourceData) (cloudflare.RateLimitAction, error) {
// dont need to guard for array length because MinItems is set **and** action is required
tfAction := d.Get("action").([]interface{})[0].(map[string]interface{})
+ mode := tfAction["mode"].(string)
+ timeout := tfAction["timeout"].(int)
+
+ if mode == "simulate" || mode == "ban" {
+ if timeout == 0 {
+ return cloudflare.RateLimitAction{}, fmt.Errorf("rate limit timeout must be set if the 'mode' is simulate or ban")
+ }
+ }
action := cloudflare.RateLimitAction{
- Mode: tfAction["mode"].(string),
- Timeout: tfAction["timeout"].(int),
+ Mode: mode,
+ Timeout: timeout,
}
if _, ok := tfAction["response"]; ok && len(tfAction["response"].([]interface{})) > 0 {
@@ -359,7 +375,7 @@ func expandRateLimitAction(d *schema.ResourceData) cloudflare.RateLimitAction {
Body: tfActionResponse["body"].(string),
}
}
- return action
+ return action, nil
}
func expandRateLimitCorrelate(d *schema.ResourceData) (correlate cloudflare.RateLimitCorrelate, err error) {Do you want to try this and let me know how you go?
There was a problem hiding this comment.
That's absolutely brilliant, thanks for your help. I'd used fmt.Errorf to raise errors, but hadn't wrapped them with errors.Wrap. This now raises errors correctly.
I expanded the logic to throw an error when timeout values are provided for challenge and js_challenge modes as the Cloudflare API won't accept them.
ghost
added
kind/documentation
|
The previous commit was just my current work in progress, unfortunately it didn't error during the I'm just in the process of applying the diff above and testing it. |
… to challenge and js_challenge modes
|
@jdarley is this ready for another review? |
|
I think it is @jacobbednarz. I've tested it manually by attempting to create challenge responses with a timeout and block/simulate without a timeout. I've introduced a couple of acceptance tests which I think will test this behaviour, though I've not yet sorted an environment to run the full suite of acceptance tests against. |
| period = 1 | ||
| action { | ||
| mode = "challenge" | ||
| timeoute = 60 |
There was a problem hiding this comment.
| timeoute = 60 | |
| timeout = 60 |
|
I know they weren't all your changes however the diff --git a/cloudflare/resource_cloudflare_rate_limit_test.go b/cloudflare/resource_cloudflare_rate_limit_test.go
index 1a1ecbcad21e86c058420a5c9fdfb355064838b9..203142bb41028dc934a9501e265b88a1dd8a5d40 100644
--- a/cloudflare/resource_cloudflare_rate_limit_test.go
+++ b/cloudflare/resource_cloudflare_rate_limit_test.go
@@ -326,7 +326,7 @@ func testAccCheckCloudflareRateLimitConfigBasic(zone, id string) string {
resource "cloudflare_rate_limit" "%[1]s" {
zone = "%[2]s"
threshold = 1000
- period = 1
+ period = 10
action {
mode = "simulate"
timeout = 86400
@@ -339,7 +339,7 @@ func testAccCheckCloudflareRateLimitConfigMatchingUrl(zone, id string) string {
resource "cloudflare_rate_limit" "%[1]s" {
zone = "%[2]s"
threshold = 1000
- period = 1
+ period = 10
match {
request {
url_pattern = "%[2]s/tfacc-url-%[1]s"
@@ -357,7 +357,7 @@ func testAccCheckCloudflareRateLimitConfigFullySpecified(zone, id string) string
resource "cloudflare_rate_limit" "%[1]s" {
zone = "%[2]s"
threshold = 2000
- period = 2
+ period = 10
match {
request {
url_pattern = "%[2]s/tfacc-full-%[1]s"
@@ -391,7 +391,7 @@ func testAccCheckCloudflareRateLimitChallengeConfigBasic(zone, id string) string
resource "cloudflare_rate_limit" "%[1]s" {
zone = "%[2]s"
threshold = 1000
- period = 1
+ period = 10
action {
mode = "challenge"
}
@@ -403,7 +403,7 @@ func testAccCheckCloudflareRateLimitConfigWithoutTimeout(zone, id string) string
resource "cloudflare_rate_limit" "%[1]s" {
zone = "%[2]s"
threshold = 1000
- period = 1
+ period = 10
action {
mode = "simulate"
}
@@ -415,7 +415,7 @@ func testAccCheckCloudflareRateLimitChallengeConfigWithTimeout(zone, id string)
resource "cloudflare_rate_limit" "%[1]s" {
zone = "%[2]s"
threshold = 1000
- period = 1
+ period = 10
action {
mode = "challenge"
timeoute = 60 |
|
Very close @jdarley! Once we address the |
|
Apologies for not getting this sorted sooner @jacobbednarz - I've had a couple of weeks completely away from the screen. Hopefully this last commit will get it over the line! |
|
No sweat @jdarley. Glad to hear you're taking time away from the screens 😄 |
|
Thanks @jdarley! |
Minor update to add
challengeandjs_challengesupport tocloudflare_rate_limitresource.This has been manually tested and I can confirm it will create a rate limit with a
challengeorjs_challengeaction as expected.This PR related to issue 171