Does flexibleengine_waf_rule_precise_protection support dedicated WAF ?

[MrLuje]

Hi there,

I am trying to add some rules to an existing decidated WAF, I suspect the rules resources don't support a dedicated WAF so it may be more a feature request.

Terraform Version

Terraform v1.3.2 on linux_amd64

Affected Resource(s)

Please list the resources as a list, for example:

• flexibleengine_waf_dedicated_policy
• flexibleengine_waf_rule_precise_protection

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "flexibleengine_waf_dedicated_policy" "wildcard_domain" {
  name = "wildcard_domain"
}

resource "flexibleengine_waf_rule_precise_protection" "argocd-whitelist" {
  policy_id = flexibleengine_waf_dedicated_policy.wildcard_domain.id
  name      = "argocd.domain.com"
  priority  = 50

  conditions {
    field    = "header"
    subfield = "host"
    logic    = "contain"
    content  = "argocd.domain.com"
  }

  conditions {
    field   = "ip"
    logic   = "not_equal"
    content = "10.0.0.0"
  }
}

Expected Behavior

Precise protection rule should be created

Actual Behavior

It complains about the policy being missing
Also tried to import a manually created rule with the same issue

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. The flexibleengine_waf_dedicated_policy already exists
2. terraform apply

Debug Output

flexibleengine_waf_rule_precise_protection.argocd-whitelist: Creating...
╷
│ Error: error creating Flexibleengine WAF Precise Protection Rule: Resource not found: [POST https://waf.eu-west-0.prod-cloud-ocb.orange-business.com/v1/2d58c566d75b494cb87794dda5071654/waf/policy/4cd2cf5ebd344795a0c9fa22776d6055/custom], error message: {"error_msg": "Policy does not exist","error_code":"WAF.3001"}
│ 
│   with flexibleengine_waf_rule_precise_protection.argocd-whitelist,
│   on waf.tf line 24, in resource "flexibleengine_waf_rule_precise_protection" "argocd-whitelist":
│   24: resource "flexibleengine_waf_rule_precise_protection" "argocd-whitelist" {
│ 
╵

Thanks

[deer-hang]

Please using resource flexibleengine_waf_policy to replace flexibleengine_waf_dedicated_policy.
The API corresponding to the resource flexibleengine_waf_dedicated_policy has expired.
It is recommended not to use the following resources:
flexibleengine_waf_dedicated_policy
flexibleengine_waf_dedicated_certificate

We will remove useless WAF resources and upgrade outdated APIs in the near future.

[MrLuje]

@deer-hang hum, I'm not able to use flexibleengine_waf_policy
When I try to import an existing policy of a dedicated WAF, I get following error

resource "flexibleengine_waf_policy" "flex-preprod" {
  name = "sec-policy"
}

$ terraform import flexibleengine_waf_dedicated_policy.flex-preprod <id of the policy>
...
╷
│ Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "flexibleengine_waf_policy.flex-preprod", the provider detected that no object exists with
│ the given id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's configured region
│ or endpoint, or use "terraform apply" to create a new remote object for this resource.
╵

but it works if I use the flexibleengine_waf_dedicated_policy resource

I also tested again the same flexibleengine_waf_rule_precise_protection as my first exemple but using directly the policy ID and I'm still getting

flexibleengine_waf_rule_precise_protection.argocd-whitelist: Creating...
╷
│ Error: error creating Flexibleengine WAF Precise Protection Rule: Resource not found: [POST https://waf.eu-west-0.prod-cloud-ocb.orange-business.com/v1/2d58c566d75b494cb87794dda5071654/waf/policy/4cd2cf5ebd344795a0c9fa22776d6055/custom], error message: {"error_msg": "Policy does not exist","error_code":"WAF.3001"}
│ 
│   with flexibleengine_waf_rule_precise_protection.argocd-whitelist,
│   on waf.tf line 24, in resource "flexibleengine_waf_rule_precise_protection" "argocd-whitelist":
│   24: resource "flexibleengine_waf_rule_precise_protection" "argocd-whitelist" {
│ 
╵

Tested with terraform v1.3.2
flexibleengine v1.45.0

[deer-hang]

@MrLuje Suggest using resource flexibleengine_waf_policy to create a new policy.
For your first example, we can see that there is something wrong with your usage. You are importing the ID generated by resource flexibleengine_waf_policy into resource flexibleengine_waf_dedicated_policy.

For your second example, please using resource flexibleengine_waf_policy to create a new policy, and use the policy id to create the precise protection rule.

resource "flexibleengine_waf_policy" "wildcard_domain" {
  name = "wildcard_domain"

  depends_on = [
    flexibleengine_waf_dedicated_instance.instance_1
  ]
}

resource "flexibleengine_waf_rule_precise_protection" "argocd-whitelist" {
  policy_id = flexibleengine_waf_policy.wildcard_domain.id
  name      = "rule_lxh"
  priority  = 50

  conditions {
    field    = "header"
    subfield = "host"
    logic    = "contain"
    content  = "argocd.domain.com"
  }

  conditions {
    field   = "ip"
    logic   = "not_equal"
    content = "10.0.0.0"
  }
}

[MrLuje]

@deer-hang

1. Oups, but same issue with a flexibleengine_waf_policy resource

flexibleengine_waf_policy.flex-preprod: Importing from ID "66b29355e3714a58ac1684457ae2540a"...
flexibleengine_waf_policy.flex-preprod: Import prepared!
  Prepared flexibleengine_waf_policy for import
flexibleengine_waf_policy.flex-preprod: Refreshing state... [id=66b29355e3714a58ac1684457ae2540a]
╷
│ Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "flexibleengine_waf_policy.flex-preprod", the provider detected that no object exists with the given
│ id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's configured region or
│ endpoint, or use "terraform apply" to create a new remote object for this resource.
╵

2. I don't have errors but the policy is created on WAF not on Dedicated WAF

[deer-hang]

@MrLuje I verified that the import function is normal. Please check the correctness of your policy_id.

[MrLuje]

@deer-hang just to be clear, import is working fine if I import a "regular" policy as a flexibleengine_waf_policy resource.
but it is not working if I import a policy from a dedicated waf as a flexibleengine_waf_policy resource.

[deer-hang]

@MrLuje There's something wrong with our documentation description.

1. If the resource name contains dedicated, then this resource can only be used with resources containing dedicated.
   Such as: flexibleengine_waf_dedicated_instance, flexibleengine_waf_dedicated_policy, flexibleengine_waf_dedicated_certificate, and flexibleengine_waf_dedicated_domain.

2. If the resource name does not contain dedicated, then this resource can only be used with resources that do not contain dedicated.
   Such as: flexibleengine_waf_certificate, flexibleengine_waf_domain, flexibleengine_waf_policy, flexibleengine_waf_rule_blacklist, flexibleengine_waf_rule_alarm_masking, flexibleengine_waf_rule_data_masking, flexibleengine_waf_rule_cc_protection, flexibleengine_waf_rule_precise_protection, and flexibleengine_waf_rule_web_tamper_protection.

3. Currently, all WAF rules belong to cloud mode. Provider currently does not support dedicated mode rules.

4. The reason why the import operation failed is because flexibleengine_waf_policy and flexibleengine_waf_dedicated_policy are two different resources. If a policy is created from a dedicated WAF, then the policy can only be imported in resource flexibleengine_waf_dedicated_policy.

[MrLuje]

Yeah, that's what I though based on resources naming.

Please using resource flexibleengine_waf_policy to replace flexibleengine_waf_dedicated_policy. The API corresponding to the resource flexibleengine_waf_dedicated_policy has expired. It is recommended not to use the following resources: flexibleengine_waf_dedicated_policy flexibleengine_waf_dedicated_certificate

We will remove useless WAF resources and upgrade outdated APIs in the near future.

So, what are my choices to manage policies & flexibleengine_waf_rule_precise_protection on a dedicated instance ? and if there are missing APIs ou resources change, is there a rough ETA ?

Thanks

[deer-hang]

@MrLuje
We will supplement the missing rule resources in the dedicated mode in the future.
Currently, Provier WAF dedicated instance does not support rule resources.