Merge pull request #46 from wallarm/feature/PLUTO-6995-overlimit-res

Added OverlimitResSettingsRule resource and fixed rules import

CHANGELOG.md

@@ -1,3 +1,14 @@
+
+# v1.6.0 (December 6, 2024)
+
+## NOTES:
+
+* Added import support
+* Added OverlimitResSettingsRule resource
+* Changed rule vpatch resource according to api
+* Changed rule set response header resource according to api
+* Fixed some api methods
+
 # v1.5.0 (September 1, 2024)
 
 ## NOTES:

docs/resources/rule_overlimit_res_settings.md

@@ -0,0 +1,169 @@
+---
+layout: "wallarm"
+page_title: "Wallarm: wallarm_rule_overlimit_res_settings"
+subcategory: "Rule"
+description: |-
+  Provides the "Overlimit Res Settings" rule resource.
+---
+
+# wallarm_rule_overlimit_res_settings
+
+This rule enables you with setting up a custom time limit for a single request processing and changing the default node behavior.
+
+**Important:** Rules made with Terraform can't be altered by other rules that usually change how rules work (middleware, variative_values, variative_by_regex). This is because Terraform is designed to keep its configurations stable and not meant to be modified from outside its environment.
+
+## Example Usage
+
+```hcl
+resource "wallarm_overlimit_res_settings_rule" "example_overlimit_res_settings" {
+  comment    = "Example overlimit res settings rule"
+
+  action = {
+    type  = "equal"
+    value = "example_value"
+    point = {
+      header       = ["X-Example-Header"]
+      method       = "GET"
+      path         = 10
+      action_name  = "example_action"
+      action_ext   = "example_extension"
+      query        = "example_query"
+      proto        = "HTTP/1.1"
+      scheme       = "https"
+      uri          = "/example_uri"
+      instance     = 1
+    }
+  }
+
+  overlimit_time = 2000
+  mode  = "monitoring"
+}
+```
+
+## Argument Reference
+
+* `client_id` - (optional) ID of the client to apply the rules to. The value is required for [multi-tenant scenarios][1].
+* `overlimit_time` - (required) Specifies the overlimit time limit in ms.
+* `mode` - (required) Specifies the overlimit res mode. Can be: `off`, `monitoring`, `blocking`.
+* `action` - (optional) rule conditions. Possible attributes are described below.
+
+**action**
+
+`action` argument shares the available conditions which can be applied. The conditions are:
+
+* `type` - (optional) condition type. Can be: `equal`, `iequal`, `regex`, `absent`. Must be omitted for the `instance` parameter in `point`.
+  For more details, see the official [Wallarm documentation](https://docs.wallarm.com/user-guides/rules/add-rule/#condition-types)
+  Example:
+  `type = "absent"`
+* `value` - (optional) value of the parameter to match with. Must be omitted for the `instance` parameter in `point` or if `type` is `absent`.
+  Example:
+  `value = "example.com"`
+* `point` - (optional) request parameters that trigger the rule. Possible values are described below. For more details, see the official [Wallarm documentatioon](https://docs.wallarm.com/user-guides/rules/request-processing/#identifying-and-parsing-the-request-parts).
+
+### Nested Objects
+
+**point**
+
+  * `header` - (optional) arbitrary HEADER parameter name.
+  Example:
+  `header = "HOST"`
+  * `method` - (optional) request method. Can be: `GET`, `HEAD`, `POST`, `PUT`, `DELETE`, `CONNECT`, `OPTIONS`, `TRACE`, `PATCH`.
+  Example:
+  `method = "POST"`
+  * `path` - (optional) array with URL parts separated by the `/` symbol (the last URL part is not included in the array). If there is only one part in the URL, the array will be empty.
+  Example:
+  `path = 0`
+  * `action_name` - (optional) the last part of the URL after the `/` symbol and before the first period (`.`). This part of the URL is always present in the request even if its value is an empty string.
+  Example:
+  `action_name = "login"`
+  * `action_ext` - (optional) the part of the URL after the last period (`.`). It may be missing in the request.
+  Example:
+  `action_ext = "php"`
+  * `query` - (optional) the query parameter name.
+  Example:
+  `query = "user"`
+  * `proto` - (optional) version of the HTTP Protocol.
+  Example:
+  `proto = "1.1"`
+  * `scheme` - (optional) `http`/`https`.
+  Example:
+  `scheme = "https"`
+  * `uri` - (optional) part of the request URL without domain.
+  Example:
+  `uri = "/api/login"`
+  * `instance` - (optional) ID of the application.
+  Example:
+  `instance = 42`
+
+Example:
+
+  ```hcl
+  # ... omitted
+
+  action {
+    type = "equal"
+    point = {
+      scheme = "https"
+    }
+  }
+
+  action {
+    point = {
+      instance = 9
+    }
+  }
+
+  action {
+    type = "absent"
+    point = {
+      path = 0
+     }
+  }
+
+  action {
+    type = "regex"
+    point = {
+      action_name = "masking"
+    }
+  }
+
+  action {
+    type = "absent"
+    point = {
+      action_ext = ""
+    }
+  }
+
+  action {
+    type = "iequal"
+    value = "example.com"
+    point = {
+      header = "HOST"
+    }
+  }
+
+  action {
+    type = "equal"
+    value = "admin"
+    point = {
+      query = "user"
+    }
+  }
+
+  # ... omitted
+  ```
+
+> **_NOTE:_**
+See below what limitations apply
+
+When `type` is `absent`, `point` must contain key with the default value. For `action_name`, `action_ext`, `method`, `proto`, `scheme`, `uri` default value is `""` (empty string).
+
+## Attributes Reference
+
+* `rule_id` - ID of the created rule.
+* `counter` - Name of the counter. Randomly generated, but always starts with `d:`.
+* `action_id` - the action ID (The conditions to apply on request).
+* `rule_type` - type of the created rule. For example, `rule_type = "dirbust_counter"`.
+
+
+[1]: https://docs.wallarm.com/installation/multi-tenant/overview/

docs/resources/rule_set_response_header.md

@@ -17,21 +17,22 @@ This is because Terraform is designed to keep its configurations stable and not
 
 ```hcl
 # Append the "Server" header with the "Wallarm solution" value
-# and the "Blocked" header with the "Blocked by Wallarm" value
+# and the "Server" header with the "Blocked by Wallarm" value
 # to the requests sent to the application with ID 3
 
 resource "wallarm_rule_set_response_header" "resp_headers" {
   mode = "append"
+  name = "Server"
 
   action {
     point = {
       instance = 3
     }
   }
-
-  headers = {
-    Server = "Wallarm solution"
-    Blocked = "Blocked by Wallarm"
+  
+  values = {
+    "Wallarm solution"
+    "Blocked by Wallarm"
   }
 
 }
@@ -43,9 +44,10 @@ resource "wallarm_rule_set_response_header" "resp_headers" {
 
 resource "wallarm_rule_set_response_header" "delete_header" {
   mode = "replace"
+  name =  "Wallarm component"
 
-  headers = {
-    Wallarm component = " "
+  values = {
+    " "
   }
 }
 
@@ -54,7 +56,8 @@ resource "wallarm_rule_set_response_header" "delete_header" {
 ## Argument Reference
 
 * `mode` - (**required**) mode of header processing. Valid options: `append`, `replace`
-* `headers` - (**required**) the associative array of key/value headers. Might be defined as much headers as need at once.
+* `name` - (**required**) description.
+* `values` - (**required**) array of headers. Might be defined as much headers as need at once.
 * `action` - (optional) a series of conditions, see below for a
   a full list .
 

docs/resources/rule_vpatch.md

@@ -20,21 +20,12 @@ This is because Terraform is designed to keep its configurations stable and not
 ## Example Usage
 
 ```hcl
-# Creates the rule to block incoming requests
-# containing the SQL Injection
-# in the "query" GET parameter
-
-resource "wallarm_rule_vpatch" "default" {
-  attack_type =  ["sqli"]
-  point = [["get", "query"]]
-}
-
 # Creates the rule to block incoming requests with the "HOST" header
-# containing the SQL Injection or NoSQL Injection
+# containing the SQL Injection
 # in any GET parameter
 
 resource "wallarm_rule_vpatch" "splunk" {
-  attack_type =  ["sqli", "nosqli"]
+  attack_type =  "sqli"
 
   action {
     type = "iequal"

docs/resources/rules_settings.md

@@ -96,7 +96,6 @@ resource "wallarm_rules_settings" "rules_settings" {
 	open_vulns_weight = 9
 	serialized_data_weight = 6
 	risk_score_algo = "maximum"
-	pii_fallback = false
 }
 ```
 
@@ -119,7 +118,6 @@ resource "wallarm_rules_settings" "rules_settings" {
 * `open_vulns_weight` - (optional) [risk score][1] weight of active vulnerabilities. Active vulnerabilities may result in unauthorized data access or corruption.
 * `serialized_data_weight` - (optional) [risk score][1] weight of accepting XML / JSON objects. XML / JSON objects are often used to transfer malicious payloads to attack servers.
 * `risk_score_algo` - (optional) method of [risk score][1] calculation. Specify how the risk score calculation should be performed. Available values: maximum, average.
-* `pii_fallback` - (optional) defines whether fallback mechanism for PII detection is active.
 
 [1]: https://docs.wallarm.com/api-discovery/overview/#endpoint-risk-score
 [2]: https://docs.wallarm.com/user-guides/rules/rules/

examples/wallarm_rule_overlimit_res_settings.tf

@@ -0,0 +1,23 @@
+resource "wallarm_overlimit_res_settings_rule" "example_overlimit_res_settings" {
+  comment    = "Example overlimit res settings rule"
+
+  action = {
+    type  = "equal"
+    value = "example_value"
+    point = {
+      header       = ["X-Example-Header"]
+      method       = "GET"
+      path         = 10
+      action_name  = "example_action"
+      action_ext   = "example_extension"
+      query        = "example_query"
+      proto        = "HTTP/1.1"
+      scheme       = "https"
+      uri          = "/example_uri"
+      instance     = 1
+    }
+  }
+
+  overlimit_time = 2000
+  mode  = "monitoring"
+}

examples/wallarm_rules_settings.tf

@@ -16,5 +16,4 @@ resource "wallarm_rules_settings" "rules_settings" {
 	open_vulns_weight = 9
 	serialized_data_weight = 6
 	risk_score_algo = "maximum"
-	pii_fallback = false
 }

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.1
 	github.com/hashicorp/terraform-plugin-sdk v1.16.0
 	github.com/pkg/errors v0.9.1
-	github.com/wallarm/wallarm-go v0.5.2
+	github.com/wallarm/wallarm-go v0.5.6
 	golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985 // indirect
 	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
 	golang.org/x/tools v0.1.5 // indirect

go.sum

@@ -292,8 +292,8 @@ github.com/ulikunitz/xz v0.5.7/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oW
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
 github.com/vmihailenco/msgpack v4.0.1+incompatible h1:RMF1enSPeKTlXrXdOcqjFUElywVZjjC6pqse21bKbEU=
 github.com/vmihailenco/msgpack v4.0.1+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
-github.com/wallarm/wallarm-go v0.5.2 h1:f//OxeLo5kyTRjo+z4C6Zuib8EATwIA7t3eLYk2a5S0=
-github.com/wallarm/wallarm-go v0.5.2/go.mod h1:KQxO+EBaGpIgOqBoByKW4KNMEJFgkxR64FSiA4U/52I=
+github.com/wallarm/wallarm-go v0.5.6 h1:6Blpy71RJUDNNZGYrQowusp4vW3p9pF/abXFE81PDV0=
+github.com/wallarm/wallarm-go v0.5.6/go.mod h1:KQxO+EBaGpIgOqBoByKW4KNMEJFgkxR64FSiA4U/52I=
 github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70=
 github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

wallarm/provider.go

@@ -154,6 +154,7 @@ func Provider() terraform.ResourceProvider {
 			"wallarm_rule_credential_stuffing_regex": resourceWallarmCredentialStuffingRegex(),
 			"wallarm_rule_credential_stuffing_point": resourceWallarmCredentialStuffingPoint(),
 			"wallarm_rule_credential_stuffing_mode":  resourceWallarmCredentialStuffingMode(),
+			"wallarm_rule_overlimit_res_settings":    resourceWallarmOverlimitResSettings(),
 		},
 	}