feat/waf (#2298)

* feat/waf

* feat/waf

Author: SevenEarth

.changelog/2298.txt

@@ -0,0 +1,19 @@
+```release-note:new-resource
+tencentcloud_waf_auto_deny_rules
+```
+
+```release-note:new-resource
+tencentcloud_waf_module_status
+```
+
+```release-note:new-resource
+tencentcloud_waf_protection_mode
+```
+
+```release-note:new-resource
+tencentcloud_waf_web_shell
+```
+
+```release-note:enhancement
+tencentcloud_waf_saas_domain: Support set waf status
+```

go.mod

@@ -97,7 +97,7 @@ require (
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tsf v1.0.674
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vod v1.0.199
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc v1.0.779
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.771
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.788
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/wedata v1.0.782
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/wss v1.0.199
 	github.com/tencentyun/cos-go-sdk-v5 v0.7.42-0.20230629101357-7edd77448a0f

go.sum

@@ -993,6 +993,8 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc v1.0.779 h1:4NpjQiF
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc v1.0.779/go.mod h1:kYBG2jgpjL7CuhYM+K1fkEtbWvNXrtt7NSLwXVCqmKA=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.771 h1:y047JWTfU9KUy2H5SDqQfizq1+n7rJlYCBEMCZJEy5M=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.771/go.mod h1:ahzakUD9//SLiEPseHAS9hZhth6lqSYHfc2w2rmQ/sM=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.788 h1:xHqalD5i8WG9NoIrURhH/1elbeVzR0ODQGVuxJLuepY=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.788/go.mod h1:cQ1AQPJ+XpJi3v4LkAQ4axonhwpxWCpCIXaQl/XJFWU=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/wedata v1.0.782 h1:pVTxKpthJC8bw+nKPnLVHrprBOXdY7T0KVQ892yg81o=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/wedata v1.0.782/go.mod h1:Oy6D8ARyX6BCeMEbayqubSqNqXAOkenLexnzdwlbcs8=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/wss v1.0.199 h1:hMBLtiJPnZ9GvA677cTB6ELBR6B68wCR2QY1sNoGQc4=

tencentcloud/extension_waf.go

@@ -120,6 +120,16 @@ var API_SAFE_STATUS = []int{
 	API_SAFE_STATUS_1,
 }
 
+const (
+	PROTECTION_STATUS_0 = 0
+	PROTECTION_STATUS_1 = 1
+)
+
+var PROTECTION_STATUS = []int{
+	PROTECTION_STATUS_0,
+	PROTECTION_STATUS_1,
+}
+
 const (
 	IPV6_ON  = 1
 	IPV6_OFF = 2

tencentcloud/provider.go

@@ -1965,6 +1965,10 @@ Web Application Firewall(WAF)
     tencentcloud_waf_saas_instance
     tencentcloud_waf_anti_fake
     tencentcloud_waf_anti_info_leak
+    tencentcloud_waf_auto_deny_rules
+    tencentcloud_waf_module_status
+    tencentcloud_waf_protection_mode
+    tencentcloud_waf_web_shell
 
 Wedata
   Data Source
@@ -3735,6 +3739,10 @@ func Provider() *schema.Provider {
 			"tencentcloud_waf_saas_instance":                                   resourceTencentCloudWafSaasInstance(),
 			"tencentcloud_waf_anti_fake":                                       resourceTencentCloudWafAntiFake(),
 			"tencentcloud_waf_anti_info_leak":                                  resourceTencentCloudWafAntiInfoLeak(),
+			"tencentcloud_waf_auto_deny_rules":                                 resourceTencentCloudWafAutoDenyRules(),
+			"tencentcloud_waf_module_status":                                   resourceTencentCloudWafModuleStatus(),
+			"tencentcloud_waf_protection_mode":                                 resourceTencentCloudWafProtectionMode(),
+			"tencentcloud_waf_web_shell":                                       resourceTencentCloudWafWebShell(),
 			"tencentcloud_wedata_function":                                     resourceTencentCloudWedataFunction(),
 			"tencentcloud_wedata_resource":                                     resourceTencentCloudWedataResource(),
 			"tencentcloud_wedata_script":                                       resourceTencentCloudWedataScript(),

tencentcloud/resource_tc_waf_auto_deny_rules.go

@@ -0,0 +1,216 @@
+/*
+Provides a resource to create a waf auto_deny_rules
+
+Example Usage
+
+```hcl
+resource "tencentcloud_waf_auto_deny_rules" "example" {
+  domain              = "demo.waf.com"
+  attack_threshold    = 20
+  time_threshold      = 12
+  deny_time_threshold = 5
+}
+```
+
+Import
+
+waf auto_deny_rules can be imported using the id, e.g.
+
+```
+terraform import tencentcloud_waf_auto_deny_rules.example demo.waf.com
+```
+*/
+package tencentcloud
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	waf "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf/v20180125"
+	"github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/internal/helper"
+)
+
+func resourceTencentCloudWafAutoDenyRules() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceTencentCloudWafAutoDenyRulesCreate,
+		Read:   resourceTencentCloudWafAutoDenyRulesRead,
+		Delete: resourceTencentCloudWafAutoDenyRulesDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+		Schema: map[string]*schema.Schema{
+			"domain": {
+				Required:    true,
+				ForceNew:    true,
+				Type:        schema.TypeString,
+				Description: "Domain.",
+			},
+			"attack_threshold": {
+				Required:     true,
+				ForceNew:     true,
+				Type:         schema.TypeInt,
+				ValidateFunc: validateIntegerInRange(2, 100),
+				Description:  "The threshold number of attacks that triggers IP autodeny, ranging from 2 to 100 times.",
+			},
+			"time_threshold": {
+				Required:     true,
+				ForceNew:     true,
+				Type:         schema.TypeInt,
+				ValidateFunc: validateIntegerInRange(1, 60),
+				Description:  "IP autodeny statistical time, ranging from 1-60 minutes.",
+			},
+			"deny_time_threshold": {
+				Required:     true,
+				ForceNew:     true,
+				Type:         schema.TypeInt,
+				ValidateFunc: validateIntegerInRange(5, 360),
+				Description:  "The IP autodeny time after triggering the IP autodeny, ranging from 5 to 360 minutes.",
+			},
+		},
+	}
+}
+
+func resourceTencentCloudWafAutoDenyRulesCreate(d *schema.ResourceData, meta interface{}) error {
+	defer logElapsed("resource.tencentcloud_waf_auto_deny_rules.create")()
+	defer inconsistentCheck(d, meta)()
+
+	var (
+		logId   = getLogId(contextNil)
+		request = waf.NewModifyWafAutoDenyRulesRequest()
+		domain  string
+	)
+
+	if v, ok := d.GetOk("domain"); ok {
+		request.Domain = helper.String(v.(string))
+		domain = v.(string)
+	}
+
+	if v, ok := d.GetOkExists("attack_threshold"); ok {
+		request.AttackThreshold = helper.IntInt64(v.(int))
+	}
+
+	if v, ok := d.GetOkExists("time_threshold"); ok {
+		request.TimeThreshold = helper.IntInt64(v.(int))
+	}
+
+	if v, ok := d.GetOkExists("deny_time_threshold"); ok {
+		request.DenyTimeThreshold = helper.IntInt64(v.(int))
+	}
+
+	request.DefenseStatus = helper.IntInt64(1)
+
+	err := resource.Retry(writeRetryTimeout, func() *resource.RetryError {
+		result, e := meta.(*TencentCloudClient).apiV3Conn.UseWafClient().ModifyWafAutoDenyRules(request)
+		if e != nil {
+			return retryError(e)
+		} else {
+			log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString())
+		}
+
+		if result == nil || *result.Response.Success.Code != "Success" {
+			e = fmt.Errorf("create waf autoDenyRules not exists")
+			return resource.NonRetryableError(e)
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		log.Printf("[CRITAL]%s create waf autoDenyRules failed, reason:%+v", logId, err)
+		return err
+	}
+
+	d.SetId(domain)
+
+	return resourceTencentCloudWafAutoDenyRulesRead(d, meta)
+}
+
+func resourceTencentCloudWafAutoDenyRulesRead(d *schema.ResourceData, meta interface{}) error {
+	defer logElapsed("resource.tencentcloud_waf_auto_deny_rules.read")()
+	defer inconsistentCheck(d, meta)()
+
+	var (
+		logId   = getLogId(contextNil)
+		ctx     = context.WithValue(context.TODO(), logIdKey, logId)
+		service = WafService{client: meta.(*TencentCloudClient).apiV3Conn}
+		domain  = d.Id()
+	)
+
+	autoDenyRules, err := service.DescribeWafAutoDenyRulesById(ctx, domain)
+	if err != nil {
+		return err
+	}
+
+	if autoDenyRules == nil {
+		d.SetId("")
+		log.Printf("[WARN]%s resource `WafAutoDenyRules` [%s] not found, please check if it has been deleted.\n", logId, d.Id())
+		return nil
+	}
+
+	_ = d.Set("domain", domain)
+
+	if autoDenyRules.AttackThreshold != nil {
+		_ = d.Set("attack_threshold", autoDenyRules.AttackThreshold)
+	}
+
+	if autoDenyRules.TimeThreshold != nil {
+		_ = d.Set("time_threshold", autoDenyRules.TimeThreshold)
+	}
+
+	if autoDenyRules.DenyTimeThreshold != nil {
+		_ = d.Set("deny_time_threshold", autoDenyRules.DenyTimeThreshold)
+	}
+
+	return nil
+}
+
+func resourceTencentCloudWafAutoDenyRulesDelete(d *schema.ResourceData, meta interface{}) error {
+	defer logElapsed("resource.tencentcloud_waf_auto_deny_rules.delete")()
+	defer inconsistentCheck(d, meta)()
+
+	var (
+		logId   = getLogId(contextNil)
+		request = waf.NewModifyWafAutoDenyRulesRequest()
+		domain  = d.Id()
+	)
+
+	if v, ok := d.GetOkExists("attack_threshold"); ok {
+		request.AttackThreshold = helper.IntInt64(v.(int))
+	}
+
+	if v, ok := d.GetOkExists("time_threshold"); ok {
+		request.TimeThreshold = helper.IntInt64(v.(int))
+	}
+
+	if v, ok := d.GetOkExists("deny_time_threshold"); ok {
+		request.DenyTimeThreshold = helper.IntInt64(v.(int))
+	}
+
+	request.Domain = &domain
+	request.DefenseStatus = helper.IntInt64(0)
+	err := resource.Retry(writeRetryTimeout, func() *resource.RetryError {
+		result, e := meta.(*TencentCloudClient).apiV3Conn.UseWafClient().ModifyWafAutoDenyRules(request)
+		if e != nil {
+			return retryError(e)
+		} else {
+			log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString())
+		}
+
+		if result == nil || *result.Response.Success.Code != "Success" {
+			e = fmt.Errorf("delete waf autoDenyRules not exists")
+			return resource.NonRetryableError(e)
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		log.Printf("[CRITAL]%s delete waf autoDenyRules failed, reason:%+v", logId, err)
+		return err
+	}
+
+	return nil
+}

tencentcloud/resource_tc_waf_auto_deny_rules_test.go

@@ -0,0 +1,43 @@
+package tencentcloud
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+// go test -i; go test -test.run TestAccTencentCloudWafAutoDenyRulesResource_basic -v
+func TestAccTencentCloudWafAutoDenyRulesResource_basic(t *testing.T) {
+	t.Parallel()
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccWafAutoDenyRules,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet("tencentcloud_waf_auto_deny_rules.example", "id"),
+					resource.TestCheckResourceAttrSet("tencentcloud_waf_auto_deny_rules.example", "attack_threshold"),
+					resource.TestCheckResourceAttrSet("tencentcloud_waf_auto_deny_rules.example", "time_threshold"),
+					resource.TestCheckResourceAttrSet("tencentcloud_waf_auto_deny_rules.example", "deny_time_threshold"),
+				),
+			},
+			{
+				ResourceName:      "tencentcloud_waf_auto_deny_rules.example",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+const testAccWafAutoDenyRules = `
+resource "tencentcloud_waf_auto_deny_rules" "example" {
+  domain              = "keep.qcloudwaf.com"
+  attack_threshold    = 20
+  time_threshold      = 12
+  deny_time_threshold = 5
+}
+`