WAF policy resource, managed WAF rulesets data source, and waf_policy_id in build settings

Author: ramonsnir

.gitignore

@@ -2,6 +2,7 @@
 /swagger_go.json
 /.env
 *.out
+/waf
 
 *.dll
 *.exe

UPDATING_OPENAPI_JSON.md

@@ -6,15 +6,12 @@ This project uses a modified `openapi.json`. Please maintain these instructions
 
 1. Take the latest `openapi-external.json` from [netlify/bitballoon-openapi](https://github.dev/netlify/bitballoon-openapi/blob/main/openapi-external.json).
 1. Remove the billing_details property from the `Account` object (also from the `required` array).
-1. Fix the type of `Repo.base_rel_dir` to `boolean`.
 1. Remove all required properties from the `Repo` object (manual builds).
 1. Remove the `domain` property from the `required` array of the `DnsZone` object.
 1. Remove the `values`, `scopes` and `is_secret` parameters from the `updateEnvVar` operation.
 1. Add a request body schema to the `updateEnvVar` operation, by copying it from an earlier version of the `openapi.json`.
 1. Remove `scopes` from the `required` array of the `updateEnvVar` operation request body.
 1. Remove `scopes` from the `required` array of the `EnvVar` object.
-1. Add a `package_path` property of type `string` to the `Repo` object.
-1. Add a `branch` property of type `string` to the `Repo` object.
 1. Add a `functions_region` property of type `string` to the `Site` object.
 1. Add a `cdp_enabled_contexts` property of type `array` of `string`s to the `Site` object.
 1. Add a `hud_enabled` property of type `boolean` to the `Site` object.
@@ -23,12 +20,11 @@ This project uses a modified `openapi.json`. Please maintain these instructions
 1. Change the type of `LogDrain.id` to `string`.
 1. Add the various `log_drains` paths from `bitballoon-openapi`'s `openapi.json` file.
 1. Remove the required properties from the `LogDrainServiceConfig` object.
-1. Add properties to the `LogDrainServiceConfig` object, by copying it from an earlier version of the `openapi.json`.
 1. Change the request body of the `Log Drains-update` operation to use the `LogDrain` object (copy from `Log Drains-create`).
 1. Add the various `firewall_rule_set` paths from `bitballoon-openapi`'s `openapi.json` file (NOTE: both site and account level).
 1. Replace the response body of the `getAccountFirewallRuleSet` operation to use the `SiteFirewallConfig` object.
 1. Replace the request body of the `updateAccountFirewallRuleSet` operation to use the `SiteFirewallConfig` object.
-1. Renamed the `unpublished_rules` and `published_rules` properties to `unpublished` and `published` in the `SiteFirewallConfig` object, also in the required properties array.
 1. Add a `rum_enabled` property of type `boolean` to the `Site` object.
 1. Add a `rum_enabled` property of type `boolean` to the `PartialSite` object.
 1. Add an `analytics_instance_id` property of type `string` to the `Site` object.
+1. Add the various WAF paths and schemas, by copying them from an earlier version of the `openapi.json`.

docs/data-sources/managed_waf_rules.md

@@ -0,0 +1,61 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "netlify_managed_waf_rules Data Source - netlify"
+subcategory: ""
+description: |-
+  Netlify managed WAF rule sets. This should be used when defining a WAF policy (netlify_waf_policy).
+---
+
+# netlify_managed_waf_rules (Data Source)
+
+Netlify managed WAF rule sets. This should be used when defining a WAF policy (netlify_waf_policy).
+
+## Example Usage
+
+```terraform
+# Read-only definitions of all managed WAF rules available in Netlify.
+# The team ID is required to query the rules.
+data "netlify_managed_waf_rules" "example" {
+  team_id = "6600abcdef1234567890abcd"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `team_id` (String)
+
+### Read-Only
+
+- `rule_sets` (Attributes Map) (see [below for nested schema](#nestedatt--rule_sets))
+
+<a id="nestedatt--rule_sets"></a>
+### Nested Schema for `rule_sets`
+
+Read-Only:
+
+- `definition` (Attributes) (see [below for nested schema](#nestedatt--rule_sets--definition))
+- `rules` (Attributes List) (see [below for nested schema](#nestedatt--rule_sets--rules))
+
+<a id="nestedatt--rule_sets--definition"></a>
+### Nested Schema for `rule_sets.definition`
+
+Read-Only:
+
+- `id` (String)
+- `type` (String)
+- `version` (String)
+
+
+<a id="nestedatt--rule_sets--rules"></a>
+### Nested Schema for `rule_sets.rules`
+
+Read-Only:
+
+- `category` (String)
+- `description` (String)
+- `id` (String)
+- `phase` (String)
+- `severity` (String) notice, warning, error, critical

docs/resources/site_build_settings.md

@@ -44,6 +44,7 @@ resource "netlify_site_build_settings" "blog" {
 - `package_directory` (String)
 - `pretty_urls` (Boolean)
 - `stop_builds` (Boolean)
+- `waf_policy_id` (String) See more details in the netlify_waf_policy resource.
 
 ### Read-Only
 

docs/resources/waf_policy.md

@@ -0,0 +1,113 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "netlify_waf_policy Resource - netlify"
+subcategory: ""
+description: |-
+  Netlify Web Application Firewall (WAF) policy. Read more https://docs.netlify.com/security/secure-access-to-sites/web-application-firewall/
+---
+
+# netlify_waf_policy (Resource)
+
+Netlify Web Application Firewall (WAF) policy. [Read more](https://docs.netlify.com/security/secure-access-to-sites/web-application-firewall/)
+
+## Example Usage
+
+```terraform
+resource "netlify_waf_policy" "example" {
+  team_id     = data.netlify_team.team.id
+  name        = "Terraform Policy"
+  description = "This is a test policy through Terraform"
+  rule_sets = [
+    {
+      managed_id        = "crs-basic",
+      passive_mode      = true,
+      overall_threshold = 5,
+      category_thresholds = {
+        "fixation" = 8,
+      },
+      rule_overrides = {
+        "920100" = {
+          action = "log_only"
+        }
+      }
+    }
+  ]
+}
+
+# To use this policy in a site, use the netlify_site_build_settings resource:
+
+resource "netlify_site_build_settings" "example" {
+  # other attributes...
+  waf_policy_id = netlify_waf_policy.example.id
+}
+
+# To dynamically define the rule overrides, you can query netlify_managed_waf_rules to get the rule IDs:
+
+data "netlify_managed_waf_rules" "example" {
+  team_id = "6600abcdef1234567890abcd"
+}
+
+resource "netlify_waf_policy" "example" {
+  team_id     = "66ae34e11a567e9092e3850f"
+  name        = "Terraform Policy"
+  description = "This is a test policy through Terraform"
+  rule_sets = [
+    {
+      managed_id        = "crs-basic",
+      passive_mode      = true,
+      overall_threshold = 5,
+      rule_overrides = {
+        for rule in data.netlify_managed_waf_rules.example.rule_sets["crs-basic"].rules : rule.id => {
+          action = "log_only"
+        } if rule.category == "rce"
+      }
+    }
+  ]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `description` (String)
+- `name` (String)
+- `rule_sets` (Attributes List) (see [below for nested schema](#nestedatt--rule_sets))
+- `team_id` (String)
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `last_updated` (String)
+
+<a id="nestedatt--rule_sets"></a>
+### Nested Schema for `rule_sets`
+
+Required:
+
+- `managed_id` (String) The managed ID of the rule set. Currently, only crs-basic is supported.
+- `overall_threshold` (Number) Recommended default value is 5
+- `passive_mode` (Boolean)
+
+Optional:
+
+- `category_thresholds` (Map of Number) Thresholds for each category, e.g. fixation, injection-generic, injection-java, injection-php, lfi, protocol, rce, reputation-scanner, rfi, sqli, ssrf, xss
+- `excluded_patterns` (List of String)
+- `rule_overrides` (Attributes Map) (see [below for nested schema](#nestedatt--rule_sets--rule_overrides))
+
+<a id="nestedatt--rule_sets--rule_overrides"></a>
+### Nested Schema for `rule_sets.rule_overrides`
+
+Required:
+
+- `action` (String) log_only or none
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Import a WAF policy by its team ID and the policy ID
+terraform import netlify_waf_policy.main 6600abcdef1234567890abcd:6600abcdef1234567890abcd
+```

examples/data-sources/netlify_managed_waf_rules/data-source.tf

@@ -0,0 +1,5 @@
+# Read-only definitions of all managed WAF rules available in Netlify.
+# The team ID is required to query the rules.
+data "netlify_managed_waf_rules" "example" {
+  team_id = "6600abcdef1234567890abcd"
+}

examples/resources/netlify_waf_policy/import.sh

@@ -0,0 +1,2 @@
+# Import a WAF policy by its team ID and the policy ID
+terraform import netlify_waf_policy.main 6600abcdef1234567890abcd:6600abcdef1234567890abcd

examples/resources/netlify_waf_policy/resource.tf

@@ -0,0 +1,51 @@
+resource "netlify_waf_policy" "example" {
+  team_id     = data.netlify_team.team.id
+  name        = "Terraform Policy"
+  description = "This is a test policy through Terraform"
+  rule_sets = [
+    {
+      managed_id        = "crs-basic",
+      passive_mode      = true,
+      overall_threshold = 5,
+      category_thresholds = {
+        "fixation" = 8,
+      },
+      rule_overrides = {
+        "920100" = {
+          action = "log_only"
+        }
+      }
+    }
+  ]
+}
+
+# To use this policy in a site, use the netlify_site_build_settings resource:
+
+resource "netlify_site_build_settings" "example" {
+  # other attributes...
+  waf_policy_id = netlify_waf_policy.example.id
+}
+
+# To dynamically define the rule overrides, you can query netlify_managed_waf_rules to get the rule IDs:
+
+data "netlify_managed_waf_rules" "example" {
+  team_id = "6600abcdef1234567890abcd"
+}
+
+resource "netlify_waf_policy" "example" {
+  team_id     = "66ae34e11a567e9092e3850f"
+  name        = "Terraform Policy"
+  description = "This is a test policy through Terraform"
+  rule_sets = [
+    {
+      managed_id        = "crs-basic",
+      passive_mode      = true,
+      overall_threshold = 5,
+      rule_overrides = {
+        for rule in data.netlify_managed_waf_rules.example.rule_sets["crs-basic"].rules : rule.id => {
+          action = "log_only"
+        } if rule.category == "rce"
+      }
+    }
+  ]
+}

internal/netlifyapi/.openapi-generator/FILES

@@ -30,6 +30,8 @@ api_sni_certificates.go
 api_snippets.go
 api_split_tests.go
 api_users.go
+api_waf_managed_rules.go
+api_waf_policies.go
 api_work_os_scim.go
 client.go
 configuration.go
@@ -156,6 +158,10 @@ model_key_value_target_config.go
 model_log_drain.go
 model_log_drain_service_config.go
 model_log_drains_verify_request.go
+model_managed_waf_rule_set.go
+model_managed_waf_rule_set_definition.go
+model_managed_waf_rule_set_rules_inner.go
+model_managed_waf_rules.go
 model_member.go
 model_member_committer_match_method.go
 model_mfa_confirmation.go
@@ -228,5 +234,9 @@ model_user_connected_accounts.go
 model_user_questionnaire_params.go
 model_user_signup.go
 model_value_target_config.go
+model_waf_policy.go
+model_waf_policy_rule_override.go
+model_waf_policy_rule_sets_inner.go
+model_waf_policy_update.go
 response.go
 utils.go