Add logging configuration for rulesets rules

.changelog/1538.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_ruleset: add support for rule `logging`
+```

cloudflare/resource_cloudflare_ruleset.go

@@ -378,6 +378,16 @@ func buildStateFromRulesetRules(rules []cloudflare.RulesetRule) interface{} {
 			rule["exposed_credential_check"] = exposedCredentialCheck
 		}
 
+		if !reflect.ValueOf(r.Logging).IsNil() {
+			var logging []map[string]interface{}
+
+			logging = append(logging, map[string]interface{}{
+				"enabled": r.Logging.Enabled,
+			})
+
+			rule["logging"] = logging
+		}
+
 		rulesData = append(rulesData, rule)
 	}
 
@@ -619,6 +629,21 @@ func buildRulesetRulesFromResource(d *schema.ResourceData) ([]cloudflare.Ruleset
 			}
 		}
 
+		if len(resourceRule["logging"].([]interface{})) > 0 {
+			rule.Logging = &cloudflare.RulesetRuleLogging{}
+			for _, parameter := range resourceRule["logging"].([]interface{}) {
+				for pKey, pValue := range parameter.(map[string]interface{}) {
+					switch pKey {
+					case "enabled":
+						rule.Logging.Enabled = pValue.(*bool)
+
+					default:
+						log.Printf("[DEBUG] unknown key encountered in buildRulesetRulesFromResource for logging: %s", pKey)
+					}
+				}
+			}
+		}
+
 		rule.Action = resourceRule["action"].(string)
 		rule.Enabled = resourceRule["enabled"].(bool)
 

cloudflare/resource_cloudflare_ruleset_test.go

@@ -1260,6 +1260,47 @@ func TestAccCloudflareRuleset_ExposedCredentialCheck(t *testing.T) {
 	})
 }
 
+func TestAccCloudflareRuleset_Logging(t *testing.T) {
+	// Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the WAF
+	// service does not yet support the API tokens and it results in
+	// misleading state error messages.
+	if os.Getenv("CLOUDFLARE_API_TOKEN") != "" {
+		defer func(apiToken string) {
+			os.Setenv("CLOUDFLARE_API_TOKEN", apiToken)
+		}(os.Getenv("CLOUDFLARE_API_TOKEN"))
+		os.Setenv("CLOUDFLARE_API_TOKEN", "")
+	}
+
+	t.Parallel()
+	rnd := generateRandomResourceName()
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+	resourceName := "cloudflare_ruleset." + rnd
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckCloudflareRulesetDisableLoggingForSkipAction(rnd, "example disable logging for skip rule", accountID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", "example disable logging for skip rule"),
+					resource.TestCheckResourceAttr(resourceName, "description", "This ruleset includes a skip rule whose logging is disabled."),
+					resource.TestCheckResourceAttr(resourceName, "kind", "zone"),
+					resource.TestCheckResourceAttr(resourceName, "phase", "http_request_firewall_managed"),
+
+					resource.TestCheckResourceAttr(resourceName, "rules.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.action", "skip"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.expression", "true"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.description", "example disabled logging"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.logging.#", "1"),
+
+					resource.TestCheckResourceAttr(resourceName, "rules.0.logging.0.enabled", "false"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccCloudflareRuleset_ConditionallySetActionParameterVersion(t *testing.T) {
 	// Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the WAF
 	// service does not yet support the API tokens and it results in
@@ -2208,6 +2249,31 @@ func testAccCheckCloudflareRulesetExposedCredentialCheck(rnd, name, accountID st
 `, rnd, name, accountID)
 }
 
+func testAccCheckCloudflareRulesetDisableLoggingForSkipAction(rnd, name, accountID string) string {
+	return fmt.Sprintf(`
+  resource "cloudflare_ruleset" "%[1]s" {
+    account_id  = "%[3]s"
+    name        = "%[2]s"
+    description = "This ruleset includes a skip rule whose logging is disabled."
+    kind        = "zone"
+    phase       = "http_request_firewall_managed"
+
+    rules {
+      action = "skip"
+      action_parameters {
+        ruleset = "current"
+      }
+      expression = "true"
+      enabled = true
+      description = "example disabled logging"
+      logging {
+        enabled = false
+      }
+    }
+  }
+`, rnd, name, accountID)
+}
+
 func testAccCloudflareRulesetConditionallySetActionParameterVersion_ExecuteAlone(rnd, accountID, domain string) string {
 	return fmt.Sprintf(`
   resource "cloudflare_ruleset" "%[1]s" {

cloudflare/schema_cloudflare_ruleset.go

@@ -354,6 +354,19 @@ func resourceCloudflareRulesetSchema() map[string]*schema.Schema {
 							},
 						},
 					},
+					"logging": {
+						Type:     schema.TypeList,
+						Optional: true,
+						MaxItems: 1,
+						Elem: &schema.Resource{
+							Schema: map[string]*schema.Schema{
+								"enabled": {
+									Type:     schema.TypeBool,
+									Optional: true,
+								},
+							},
+						},
+					},
 				},
 			},
 		},

website/docs/r/ruleset.html.markdown

@@ -222,6 +222,7 @@ The following arguments are supported:
 * `ratelimit` - (Optional) List of parameters that configure HTTP rate limiting behaviour (refer to the [nested schema](#nestedblock--ratelimiting-parameters)).
 * `response` - (Optional) List of parameters that configure the response given to end users (refer to the [nested schema](#nestedblock--response-parameters)).
 * `exposed_credential_check` - (Optional) List of parameters that configure exposed credential checks (refer to the [nested schema](#nestedblock--exposed-credential-check-parameters)).
+* `logging` - (Optional) List parameters to configure how the rule generates logs (refer to the [nested schema](#nestedblock--logging)).
 * `ref` - (Read only) Rule reference.
 * `version`- (Read only) Version of the ruleset to deploy.
 
@@ -241,19 +242,18 @@ The following arguments are supported:
 * `username_expression` - (Optional) Firewall Rules expression language based on Wireshark display filters for where to check for the "username" value. Refer to the [Firewall Rules language](https://developers.cloudflare.com/firewall/cf-firewall-language).
 * `password_expression` - (Optional) Firewall Rules expression language based on Wireshark display filters for where to check for the "password" value. Refer to the [Firewall Rules language](https://developers.cloudflare.com/firewall/cf-firewall-language).
 
+<a id="#nestedblock--logging"></a>
+**Nested schema for `logging`**
+
+* `enabled` - (Optional) Override the default logging behavior when a rule is matched.
+
 <a id="nestedblock--response-parameters"></a>
 **Nested schema for `response`**
 
 * `status_code` - (Optional) HTTP status code to send in the response.
 * `content_type` - (Optional) HTTP content type to send in the response.
 * `content` - (Optional) Body content to include in the response.
 
-<a id="#nestedblock--exposed-credential-check-parameters"></a>
-**Nested schema for `exposed_credential_check`**
-
-* `username_expression` - (Optional) Firewall Rules expression language based on Wireshark display filters for where to check for the "username" value. Refer to the [Firewall Rules language](https://developers.cloudflare.com/firewall/cf-firewall-language).
-* `password_expression` - (Optional) Firewall Rules expression language based on Wireshark display filters for where to check for the "password" value. Refer to the [Firewall Rules language](https://developers.cloudflare.com/firewall/cf-firewall-language).
-
 <a id="nestedblock--action-parameters"></a>
 **Nested schema for `action_parameters`**