incapsula_security_rule_exception throws false Terraform error on update #330

Open
2 tasks done
connor-heb opened this issue Jul 7, 2023 · 1 comment

connor-heb commented Jul 7, 2023

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Imperva provider version

Terraform v1.5.2
on darwin_amd64
+ provider registry.terraform.io/imperva/incapsula v3.18.3

Affected resource(s)

  • incapsula_security_rule_exception

Terraform configuration files

terraform {
  required_providers {
    incapsula = { 
      source = "imperva/incapsula"
      version = "3.18.3"
    }   
  }

  backend "local" {
    path = "./terraform.tfstate"
  }
}

provider "incapsula" {
  api_id  = var.incapsula_api_id
  api_key = var.incapsula_api_key
}

variable "incapsula_api_id" {}

variable "incapsula_api_key" {}

resource "incapsula_subaccount" "MY-SUBACCOUNT-NAME" {
  sub_account_name = "MY-SUBACCOUNT-NAME"
}

resource "incapsula_site" "first-example-network" {
  site_ip    = "first.example.tldthatdoesnotexist"
  domain     = "first.example.network"

  account_id = incapsula_subaccount.MY-SUBACCOUNT-NAME.id
}

resource "incapsula_security_rule_exception" "example-bot_access-control-rule-exception" {
  site_id = incapsula_site.first-example-network.id
  rule_id = "api.threats.bot_access_control"
  ips     = "142.250.138.102"
}

Debug output

output.log

Panic output

No response

Expected output

Update the bot exception IPs without throwing an error

Actual output

Bot exception IPs are successfully changed when verifying through the Imperva Management Console, but the Terraform plugin errors for seemingly no reason. The API response even includes "res": 0, "res_message": "OK". Re-running terraform apply will resolve the error.

│ Error: Error from Incapsula service when adding security rule exception for rule_id (api.threats.bot_access_control) and site_id (76703397): {"site_id":76703397,"status":"pending-dns-changes","domain":"first.example.network","account_id":2077003,"acceleration_level":"advanced","acceleration_level_raw":"aggressive","site_creation_date":1688760689000,"ips":["first.example.tldthatdoesnotexist"],"dns":[{"dns_record_name":"first.example.network","set_type_to":"CNAME","set_data_to":["vjgnjeb.impervadns.net"]}],"original_dns":[{"dns_record_name":"first.example.network","set_type_to":"CNAME","set_data_to":["first.example.tldthatdoesnotexist"]}],"warnings":[],"active":"active","support_all_tls_versions":false,"use_wildcard_san_instead_of_full_domain_san":true,"add_naked_domain_san":true,"additionalErrors":[],"display_name":"first.example.network","security":{"waf":{"rules":[{"action":"api.threats.action.block_request","action_text":"Block Request","id":"api.threats.sql_injection","name":"SQL Injection"},{"action":"api.threats.action.alert","action_text":"Alert Only","id":"api.threats.cross_site_scripting","name":"Cross Site Scripting"},{"action":"api.threats.action.block_request","action_text":"Block Request","id":"api.threats.illegal_resource_access","name":"Illegal Resource Access"},{"block_bad_bots":true,"challenge_suspected_bots":false,"exceptions":[{"values":[{"ips":["93.184.216.34"],"id":"api.rule_exception_type.client_ip","name":"IP"}],"id":5605126}],"id":"api.threats.bot_access_control","name":"Bot Access Control"},{"action":"api.threats.action.disabled","action_text":"Ignore","id":"api.threats.sensitive_info_leakage","name":"Sensitive Info Leakage"},{"activation_mode":"api.threats.ddos.activation_mode.auto","activation_mode_text":"Auto","ddos_traffic_threshold":1000,"id":"api.threats.ddos","name":"DDoS"},{"action":"api.threats.action.quarantine_url","action_text":"Auto-Quarantine","id":"api.threats.backdoor","name":"Backdoor 
Protect"},{"action":"api.threats.action.block_request","action_text":"Block Request","id":"api.threats.remote_file_inclusion","name":"Remote File Inclusion"},{"action":"api.threats.action.disabled","action_text":"Ignore","id":"api.threats.customRule","name":"IncapRules"},{"action":"api.threats.action.block_request","action_text":"Block Request","id":"api.threats.api.specification.violation","name":"API Specification Violation"},{"action":"api.threats.action.disabled","action_text":"Ignore","id":"api.threats.account_take_over","name":"Account Takeover"},{"action":"api.threats.action.disabled","action_text":"Ignore","id":"api.threats.distil_bad_bots","name":"Advanced Bot Protection"}]}},"sealLocation":{"id":"api.seal_location.none","name":"No seal"},"ssl":{"origin_server":{"detected":false,"detectionStatus":"ssl_network_detection_not_run"},"custom_certificate":{"active":false},"generated_certificate":{"san":[]},"site_certificate":false},"siteDualFactorSettings":{"specificUsers":[],"enabled":false,"customAreas":[],"customAreasExceptions":[],"allowAllUsers":true,"shouldSuggestApplicatons":true,"allowedMedia":["ga","sms"],"shouldSendLoginNotifications":true,"version":0},"login_protect":{"enabled":false,"specific_users_list":[],"send_lp_notifications":true,"allow_all_users":true,"authentication_methods":["ga","sms"],"urls":[],"url_patterns":[]},"performance_configuration":{"advanced_caching_rules":{"never_cache_resources":[],"always_cache_resources":[]},"acceleration_level":"advanced","acceleration_level_raw":"aggressive","async_validation":true,"minify_javascript":true,"minify_css":true,"minify_static_html":true,"compress_jpeg":true,"compress_jepg":true,"progressive_image_rendering":false,"aggressive_compression":false,"compress_png":true,"on_the_fly_compression":true,"tcp_pre_pooling":true,"comply_no_cache":false,"comply_vary":false,"use_shortest_caching":false,"perfer_last_modified":false,"prefer_last_modified":false,"disable_client_side_caching":false,"cache300x":fals
e,"cache_headers":[]},"extended_ddos":1000000,"restricted_cname_reuse":false,"res":0,"res_message":"OK","debug_info":{"id-info":"999999"}}
│ 
│   with incapsula_security_rule_exception.example-bot_access-control-rule-exception,
│   on MY-SUBACCOUNT-NAME.tf line 34, in resource "incapsula_security_rule_exception" "example-bot_access-control-rule-exception":
│   34: resource "incapsula_security_rule_exception" "example-bot_access-control-rule-exception" {
│ 
|

Steps to reproduce

  1. Create subaccount, create site, add incapsula_security_rule_exception
  2. terraform apply
  3. Edit the ips in incapsula_security_rule_exception
  4. terraform apply

Additional factoids

Culprit is here

	// Parse the JSON
	var siteStatusResponse SiteStatusResponse
	err = json.Unmarshal([]byte(responseBody), &siteStatusResponse)
	if err != nil {
		return nil, fmt.Errorf("Error parsing configure security rule exception JSON response for rule_id (%s) and site_id (%d)", ruleID, siteID)
	}

	// Look at the response status code from Incapsula
	if siteStatusResponse.Res != 0 {
		return nil, fmt.Errorf("Error from Incapsula service when adding security rule exception for rule_id (%s) and site_id (%d): %s", ruleID, siteID, string(responseBody))
	}

	return &siteStatusResponse, nil
}

Can be fixed by converting siteStatusResponse.Res to a string first:

	// Parse the JSON
	var siteStatusResponse SiteStatusResponse
	err = json.Unmarshal([]byte(responseBody), &siteStatusResponse)
	if err != nil {
		return nil, fmt.Errorf("Error parsing configure security rule exception JSON response for rule_id (%s) and site_id (%d)", ruleID, siteID)
	}

	// Look at the response status code from Incapsula
	if fmt.Sprint(siteStatusResponse.Res) != "0" { // Fix is here
		return nil, fmt.Errorf("Error from Incapsula service when adding security rule exception for rule_id (%s) and site_id (%d): %s", ruleID, siteID, string(responseBody))
	}

	return &siteStatusResponse, nil
}

References

No response
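
Why a check like `Res != 0` can fail on a body containing "res": 0, shown as an added example that is not the provider's code. It assumes `SiteStatusResponse.Res` is declared as `interface{}`, which the proposed `fmt.Sprint` fix implies; `statusResponse`, `decodeRes` and the three check functions are hypothetical names, and the response bodies are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// statusResponse is a stand-in for the provider's SiteStatusResponse.
// Assumption: Res is declared as interface{}, not int.
type statusResponse struct {
	Res        interface{} `json:"res"`
	ResMessage string      `json:"res_message"`
}

// decodeRes parses a response body and returns the decoded "res" value.
func decodeRes(body string) (interface{}, error) {
	var r statusResponse
	if err := json.Unmarshal([]byte(body), &r); err != nil {
		return nil, err
	}
	return r.Res, nil
}

// originalFails is the comparison from the issue: the untyped constant 0
// becomes int(0), which never equals the float64 that encoding/json produces.
func originalFails(res interface{}) bool { return res != 0 }

// sprintFails is the workaround proposed in the issue.
func sprintFails(res interface{}) bool { return fmt.Sprint(res) != "0" }

// typedFails handles each dynamic type explicitly instead of formatting.
func typedFails(res interface{}) bool {
	switch v := res.(type) {
	case float64:
		return v != 0
	case string:
		return v != "0"
	default:
		return true // unknown shape: treat as failure
	}
}

func main() {
	// Constructed bodies; only the first mirrors the "res":0 in the report.
	for _, body := range []string{`{"res":0,"res_message":"OK"}`, `{"res":"0"}`, `{"res":1}`} {
		res, _ := decodeRes(body)
		fmt.Printf("%-30s %T original=%v sprint=%v typed=%v\n",
			body, res, originalFails(res), sprintFails(res), typedFails(res))
	}
}
```

Declaring the field as a concrete numeric type would remove the need for either workaround, provided the API always returns `res` as a JSON number.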

@shirisemoimperva
Collaborator

Thanks for reaching out. We are checking your issue and will get back to you soon.
