incapsula_incap_rule does not work with rules containing at least one space #299

Open
2 tasks done
marcosdiez opened this issue Mar 6, 2023 · 2 comments

marcosdiez commented Mar 6, 2023

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Imperva provider version

Terraform v1.3.7
on darwin_amd64

  • provider registry.terraform.io/hashicorp/aws v4.57.0
  • provider registry.terraform.io/imperva/incapsula v3.15.2

Affected resource(s)

incapsula_incap_rule

Terraform configuration files

resource "incapsula_incap_rule" "require_bearer_token" {
  action  = "RULE_ACTION_BLOCK"
  enabled = true
  filter  = "HeaderValue != {\"Authorization\";\"Bearer 99999999-9999-9999-9999-999999999999\"}"
  # id is computed by the provider (known after apply)
  name    = "Expect a Authentication Bearer token at test.XXXXXXXX.com"
  site_id = "999999999"
}


#please notice that the problem happens because of the space between "Bearer and 99999" 
#If that space gets removed, terraform apply works

Debug output

Too much private information to publish.

But here is what matters

incapsula_incap_rule.require_bearer_token: Creating...
2023-03-06T17:24:56.341-0300 [INFO]  Starting apply for incapsula_incap_rule.require_bearer_token
2023-03-06T17:24:56.342-0300 [DEBUG] incapsula_incap_rule.require_bearer_token: applying the planned Create change
2023-03-06T17:24:56.344-0300 [INFO]  provider.terraform-provider-incapsula_v3.15.2: 2023/03/06 17:24:56 [INFO] Adding Incapsula Incap Rule for Site ID 99999999: timestamp=2023-03-06T17:24:56.344-0300
2023-03-06T17:24:57.888-0300 [INFO]  provider.terraform-provider-incapsula_v3.15.2: 2023/03/06 17:24:57 [DEBUG] Incapsula Add Incap Rule JSON response: {"res":2,"res_message":"Invalid input","debug_info":{"id-info":"999999","FilterError":"Invalid filter: syntax error. Invalid\u0027}\u0027"}}: timestamp=2023-03-06T17:24:57.888-0300
2023-03-06T17:24:57.890-0300 [ERROR] provider.terraform-provider-incapsula_v3.15.2: Response contains error diagnostic: diagnostic_detail= diagnostic_severity=ERROR tf_req_id=16e39edd-abcb-5b08-b805-de758768c974 tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:55 @module=sdk.proto diagnostic_summary="Error status code 406 from Incapsula service when adding Incap Rule for Site ID 99999999: {"res":2,"res_message":"Invalid input","debug_info":{"id-info":"999999","FilterError":"Invalid filter: syntax error. Invalid\u0027}\u0027"}}" tf_proto_version=5.3 tf_provider_addr=provider tf_resource_type=incapsula_incap_rule timestamp=2023-03-06T17:24:57.889-0300
2023-03-06T17:24:57.907-0300 [ERROR] vertex "incapsula_incap_rule.require_bearer_token" error: Error status code 406 from Incapsula service when adding Incap Rule for Site ID 99999999: {"res":2,"res_message":"Invalid input","debug_info":{"id-info":"999999","FilterError":"Invalid filter: syntax error. Invalid\u0027}\u0027"}}

Panic output

No response

Expected output

terraform apply should work as expected.

Actual output

Error status code 406 from Incapsula service when adding Incap Rule for Site ID 99999999: {"res":2,"res_message":"Invalid input","debug_info":{"id-info":"999999","FilterError":"Invalid filter: syntax error. Invalid\u0027}\u0027"}}

Steps to reproduce

Use the terraform code above.
Terraform apply
get the error

Additional factoids

the problem is on the space between Bearer and 99999.

References

https://docs.imperva.com/bundle/cloud-application-security/page/rules/rule-parameters.htm

search for HeaderValue

marcosdiez (Author) commented

Apparently the problem is even worse. I.e. it's not only in the terraform module but also in incapsula itself.

If I use as a fall back the following rule:

HeaderValue not-contains {"authorization";"99999999-9999-9999-9999-999999999999"}

and I try

curl -X POST -H 'authorization: Bearer 99999999-9999-9999-9999-999999999999' \
  -H 'Content-Type: application/json' --data '{ "query": "{ ping }" }' https://test.XXXXXXXX.com/

things do not work (although they should)

BUT

if I type

curl -X POST -H 'authorization: Bearer99999999-9999-9999-9999-999999999999' \
  -H 'Content-Type: application/json' --data '{ "query": "{ ping }" }' https://test.XXXXXXXX.com/

it works.

In the second case, all I did was remove the space between Bearer and 99999-...

So any header with a space is a problem, apparently.

snirp90 (Contributor) commented Nov 12, 2023

Hi,
A space is considered a special character, hence it needs to be escaped; then the escape should be escaped too so the string will be computed as legal.
So you are missing \ after the Bearer.
You can always use the UI to validate or generate the rule syntax. On the UI it will be generated like this:

 HeaderValue != {"Authorization";"Bearer\ 99999999-9999-9999-9999-999999999999"}

The TF resource should look like this

resource "incapsula_incap_rule" "require_bearer_token" {
  action  = "RULE_ACTION_BLOCK"
  enabled = true
  filter  = "HeaderValue != {\"Authorization\";\"Bearer\\ 99999999-9999-9999-9999-999999999999\"}"
  # id is computed by the provider (known after apply)
  name    = "Expect a Authentication Bearer token at test.XXXXXXXX.com"
  site_id = "999999999"
}
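
The two escaping layers from the reply above, as an added Go example that is not part of the thread or the provider's code. The function names are hypothetical, and the lint assumes rule values are the double-quoted strings shown in this issue.

```go
package main

import (
	"fmt"
	"strings"
)

// EscapeRuleValue applies the rule-syntax layer described in the thread: every
// space gets a backslash in front of it. Assumes v is the raw, unescaped value.
func EscapeRuleValue(v string) string {
	return strings.ReplaceAll(v, " ", `\ `)
}

// UnescapedSpaces returns the byte offsets of spaces that sit inside a
// double-quoted value without a preceding backslash (a pre-apply lint).
func UnescapedSpaces(filter string) []int {
	var hits []int
	inQuote := false
	for i := 0; i < len(filter); i++ {
		switch c := filter[i]; {
		case c == '\\' && inQuote:
			i++ // skip the escaped character
		case c == '"':
			inQuote = !inQuote
		case c == ' ' && inQuote:
			hits = append(hits, i)
		}
	}
	return hits
}

// HCLQuote applies the Terraform layer: backslashes and quotes are escaped
// again so the HCL parser hands the provider the rule-syntax string unchanged.
// Assumes s holds no ${ or %{ template sequences.
func HCLQuote(s string) string {
	return `"` + strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(s) + `"`
}

func main() {
	rule := fmt.Sprintf(`HeaderValue != {"Authorization";"%s"}`,
		EscapeRuleValue("Bearer 99999999-9999-9999-9999-999999999999"))
	fmt.Println(rule, UnescapedSpaces(rule)) // rule syntax, no lint hits
	fmt.Println("filter =", HCLQuote(rule))  // line to paste into the .tf file
}
```

Running UnescapedSpaces over the filter from the original report flags the single space after Bearer; the spaces around != are outside quotes and are ignored.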
