resource/cloudflare_api_shield_operation_schema_validation_settings

Adds new resource
cloudflare · Oct 16, 2023 · b17c46e · b17c46e
1 parent 5d61607
commit b17c46e
Show file tree

Hide file tree

Showing 7 changed files with 389 additions and 106 deletions.
diff --git a/.changelog/2852.txt b/.changelog/2852.txt
@@ -0,0 +1,3 @@
+```release-note:new-resource
+cloudflare_api_shield_operation_schema_validation_settings
+```
diff --git a/docs/resources/api_shield_operation_schema_validation_settings.md b/docs/resources/api_shield_operation_schema_validation_settings.md
@@ -0,0 +1,37 @@
+---
+page_title: "cloudflare_api_shield_operation_schema_validation_settings Resource - Cloudflare"
+subcategory: ""
+description: |-
+  Provides a resource to manage operation-level settings in API Shield Schema Validation 2.0.
+---
+
+# cloudflare_api_shield_operation_schema_validation_settings (Resource)
+
+Provides a resource to manage operation-level settings in API Shield Schema Validation 2.0.
+
+## Example Usage
+
+```terraform
+resource "cloudflare_api_shield_operation_schema_validation_settings" "example" {
+  zone_id  = "0da42c8d2132a9ddaf714f9e7c920711"
+  operation_id = cloudflare_api_shield_operation.example.id
+  mitigation_action = "block"
+}
+```
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `operation_id` (String) Operation ID these settings should apply to. **Modifying this attribute will force creation of a new resource.**
+- `zone_id` (String) The zone identifier to target for the resource. **Modifying this attribute will force creation of a new resource.**
+
+### Optional
+
+- `mitigation_action` (String) The mitigation action to apply to this operation.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+
diff --git a/examples/resources/cloudflare_api_shield_operation_schema_validation_settings/resource.tf b/examples/resources/cloudflare_api_shield_operation_schema_validation_settings/resource.tf
@@ -0,0 +1,5 @@
+resource "cloudflare_api_shield_operation_schema_validation_settings" "example" {
+  zone_id  = "0da42c8d2132a9ddaf714f9e7c920711"
+  operation_id = cloudflare_api_shield_operation.example.id
+  mitigation_action = "block"
+}
diff --git a/internal/sdkv2provider/provider.go b/internal/sdkv2provider/provider.go
diff --git a/...rnal/sdkv2provider/resource_cloudflare_api_shield_operation_schema_validation_settings.go b/...rnal/sdkv2provider/resource_cloudflare_api_shield_operation_schema_validation_settings.go
@@ -0,0 +1,114 @@
+package sdkv2provider
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/pkg/errors"
+
+	"github.com/MakeNowJust/heredoc/v2"
+	"github.com/cloudflare/cloudflare-go"
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceCloudflareAPIShieldOperationSchemaValidationSettings() *schema.Resource {
+	return &schema.Resource{
+		Schema:        resourceCloudflareAPIShieldOperationSchemaValidationSettingsSchema(),
+		CreateContext: resourceCloudflareAPIShieldOperationSchemaValidationSettingsCreate,
+		ReadContext:   resourceCloudflareAPIShieldOperationSchemaValidationSettingsRead,
+		UpdateContext: resourceCloudflareAPIShieldOperationSchemaValidationSettingsUpdate,
+		DeleteContext: resourceCloudflareAPIShieldOperationSchemaValidationSettingsDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: nil,
+		},
+		Description: heredoc.Doc(`
+			Provides a resource to manage operation-level settings in API Shield Schema Validation 2.0.
+		`),
+	}
+}
+
+func resourceCloudflareAPIShieldOperationSchemaValidationSettingsCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	return resourceCloudflareAPIShieldOperationSchemaValidationSettingsUpdate(ctx, d, meta)
+}
+
+func resourceCloudflareAPIShieldOperationSchemaValidationSettingsUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*cloudflare.API)
+	zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
+
+	operationID := d.Get("operation_id").(string)
+
+	var mitigationAction *string
+	if ma, ok := d.GetOk("mitigation_action"); ok {
+		mitigationAction = cloudflare.StringPtr(ma.(string))
+	}
+
+	_, err := client.UpdateAPIShieldOperationSchemaValidationSettings(
+		ctx,
+		cloudflare.ZoneIdentifier(zoneID),
+		cloudflare.UpdateAPIShieldOperationSchemaValidationSettingsParams{
+			OperationID: operationID,
+			APIShieldOperationSchemaValidationSettings: cloudflare.APIShieldOperationSchemaValidationSettings{
+				MitigationAction: mitigationAction,
+			},
+		},
+	)
+
+	if err != nil {
+		return diag.FromErr(errors.Wrap(err, "failed to create API Shield Operation Schema Validation Settings"))
+	}
+
+	// Settings are configured at the operation level so using the operationID as the ID
+	d.SetId(operationID)
+	return resourceCloudflareAPIShieldOperationSchemaValidationSettingsRead(ctx, d, meta)
+}
+
+func resourceCloudflareAPIShieldOperationSchemaValidationSettingsRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*cloudflare.API)
+	zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
+
+	operationID := d.Get("operation_id").(string)
+	settings, err := client.GetAPIShieldOperationSchemaValidationSettings(
+		ctx,
+		cloudflare.ZoneIdentifier(zoneID),
+		cloudflare.GetAPIShieldOperationSchemaValidationSettingsParams{
+			OperationID: operationID,
+		},
+	)
+
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed to fetch API Shield Operation Schema Validation Settings: %w", err))
+	}
+
+	if settings.MitigationAction != nil {
+		if err := d.Set("mitigation_action", *settings.MitigationAction); err != nil {
+			return diag.FromErr(err)
+		}
+	}
+
+	// Settings are configured at the operation level so using the zoneID as the ID
+	d.SetId(operationID)
+	return nil
+}
+
+func resourceCloudflareAPIShieldOperationSchemaValidationSettingsDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client := meta.(*cloudflare.API)
+	zoneID := d.Get(consts.ZoneIDSchemaKey).(string)
+
+	// There is no DELETE endpoint for schema validation settings,
+	// so terraform should reset the state to default settings
+	_, err := client.UpdateAPIShieldOperationSchemaValidationSettings(
+		ctx,
+		cloudflare.ZoneIdentifier(zoneID),
+		cloudflare.UpdateAPIShieldOperationSchemaValidationSettingsParams{
+			OperationID: d.Get("operation_id").(string),
+			APIShieldOperationSchemaValidationSettings: cloudflare.APIShieldOperationSchemaValidationSettings{},
+		},
+	)
+	if err != nil {
+		return diag.FromErr(fmt.Errorf("failed to delete API Shield Operation Schema Validation Settings: %w", err))
+	}
+
+	return nil
+}
diff --git a/...sdkv2provider/resource_cloudflare_api_shield_operation_schema_validation_settings_test.go b/...sdkv2provider/resource_cloudflare_api_shield_operation_schema_validation_settings_test.go
@@ -0,0 +1,95 @@
+package sdkv2provider
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccCloudflareAPIShieldOperationSchemaValidationSettings_Create(t *testing.T) {
+	// Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the API token
+	// endpoint does not yet support the API tokens without an explicit scope.
+	if os.Getenv("CLOUDFLARE_API_TOKEN") != "" {
+		t.Setenv("CLOUDFLARE_API_TOKEN", "")
+	}
+
+	rnd := generateRandomResourceName()
+	resourceID := "cloudflare_api_shield_operation_schema_validation_settings." + rnd
+	zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
+
+	block := "block"
+	none := "none"
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		ProviderFactories: providerFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudflareAPIShieldOperationSchemaValidationSettingsMitigation(rnd, zoneID, &block),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceID, consts.ZoneIDSchemaKey, zoneID),
+					resource.TestCheckResourceAttr(resourceID, "mitigation_action", "block"),
+				),
+			},
+			{
+				Config: testAccCloudflareAPIShieldOperationSchemaValidationSettingsMitigation(rnd, zoneID, nil),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceID, consts.ZoneIDSchemaKey, zoneID),
+					resource.TestCheckResourceAttr(resourceID, "mitigation_action", ""),
+				),
+			},
+			{
+				Config: testAccCloudflareAPIShieldOperationSchemaValidationSettingsMitigation(rnd, zoneID, &none),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceID, consts.ZoneIDSchemaKey, zoneID),
+					resource.TestCheckResourceAttr(resourceID, "mitigation_action", "none"),
+				),
+			},
+			{
+				Config: testAccCloudflareAPIShieldOperationSchemaValidationSettingsNoMitigation(rnd, zoneID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceID, consts.ZoneIDSchemaKey, zoneID),
+					resource.TestCheckResourceAttr(resourceID, "mitigation_action", ""),
+				),
+			},
+		},
+	})
+}
+
+func testAccCloudflareAPIShieldOperationSchemaValidationSettingsMitigation(resourceName, zone string, mitigation *string) string {
+	action := "null"
+	if mitigation != nil {
+		action = fmt.Sprintf("\"%s\"", *mitigation)
+	}
+
+	return fmt.Sprintf(`
+	resource "cloudflare_api_shield_operation" "terraform_test_acc_operation" {
+		zone_id = "%[2]s"
+		host = "foo.com"
+		method = "GET"
+        endpoint = "/api"
+	}
+	resource "cloudflare_api_shield_operation_schema_validation_settings" "%[1]s" {
+		zone_id = "%[2]s"
+		operation_id = cloudflare_api_shield_operation.terraform_test_acc_operation.id
+		mitigation_action = %[3]s
+	}
+`, resourceName, zone, action)
+}
+
+func testAccCloudflareAPIShieldOperationSchemaValidationSettingsNoMitigation(resourceName, zone string) string {
+	return fmt.Sprintf(`
+	resource "cloudflare_api_shield_operation" "terraform_test_acc_operation" {
+		zone_id = "%[2]s"
+		host = "foo.com"
+		method = "GET"
+        endpoint = "/api"
+	}
+	resource "cloudflare_api_shield_operation_schema_validation_settings" "%[1]s" {
+		zone_id = "%[2]s"
+		operation_id = cloudflare_api_shield_operation.terraform_test_acc_operation.id
+	}
+`, resourceName, zone)
+}
diff --git a/internal/sdkv2provider/schema_cloudflare_api_shield_operation_schema_validation_settings.go b/internal/sdkv2provider/schema_cloudflare_api_shield_operation_schema_validation_settings.go
@@ -0,0 +1,28 @@
+package sdkv2provider
+
+import (
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceCloudflareAPIShieldOperationSchemaValidationSettingsSchema() map[string]*schema.Schema {
+	return map[string]*schema.Schema{
+		consts.ZoneIDSchemaKey: {
+			Description: consts.ZoneIDSchemaDescription,
+			Type:        schema.TypeString,
+			Required:    true,
+			ForceNew:    true,
+		},
+		"operation_id": {
+			Description: "Operation ID these settings should apply to",
+			Type:        schema.TypeString,
+			Required:    true,
+			ForceNew:    true,
+		},
+		"mitigation_action": {
+			Description: "The mitigation action to apply to this operation",
+			Type:        schema.TypeString,
+			Optional:    true,
+		},
+	}
+}