Skip to content

Commit 5ab6d94

Browse files
authored
Merge pull request #84 from wallarm/refactor/v2.3.9
2 parents 03c8a2c + 4931b92 commit 5ab6d94

39 files changed

Lines changed: 1749 additions & 218 deletions

CHANGELOG.md

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,35 @@
1+
## [v2.3.9] - 2026-05-04
2+
3+
> Rules polish batch — naming cleanup, schema-shape audit (symmetric remove-restores-default), safety hardening, test gap fills. Bumps `wallarm-go` to v0.12.2.
4+
>
5+
> **Migration note:** the `Optional+Computed``Optional+Default(<value>)` flips below cover ~13 fields. Resources whose API value differs from the new schema default will produce a one-time plan diff after upgrade — review `terraform plan` output before applying. Affects `active` (all resources), `additional_parameters`/`plain_parameters` (brute/bola/enum), `introspection`/`debug_enabled`/`max_depth`/`max_value_size_kb`/`max_doc_size_kb`/`max_doc_per_batch`/`max_aliases` (graphql_detection), `mode` (overlimit_res_settings, file_upload_size_limit), `time_unit` (rate_limit).
6+
7+
### Upgrade Steps
8+
9+
* [ACTION REQUIRED] `wallarm_rule_graphql_detection`: rename `max_alias_size_kb``max_aliases` in HCL.
10+
11+
### Breaking Changes
12+
13+
* **`wallarm_rule_graphql_detection.max_alias_size_kb` renamed to `max_aliases`** (count, not size; wire JSON tag unchanged).
14+
* **`mitigation` (all rule resources) now `Computed` only** (was `Optional+Computed`); HCL setting it now fails validation.
15+
* **`wallarm_rule_regex.experimental` default behaviour**: HCL omitting the field now creates a regular `regex` rule (was `experimental_regex`).
16+
17+
### Bug Fixes
18+
19+
* **`wallarm_rule_graphql_detection.introspection` / `.debug_enabled` now `Optional+Default(true)`** — symmetric remove-restores-default.
20+
* **`active` (all rule resources) now `Optional+Default(true)`** — same.
21+
* **`enumerated_parameters.additional_parameters` / `.plain_parameters` now `Optional+Default(false)`** (rule_brute/_bola/_enum) — same.
22+
* **`wallarm_rule_graphql_detection` int fields now `Optional+Default(<API default>)`**`max_depth`, `max_value_size_kb` (range `1..100` validator added), `max_doc_size_kb`, `max_doc_per_batch`.
23+
* **`wallarm_rule_graphql_detection.max_aliases` now `Optional+Default(5)`** (was `Optional+Computed+ForceNew`); mutates in place. Adds `wallarm-go.HintUpdateV3Params.MaxAliases` + `resourcerule.WithMaxAliases`.
24+
* **`wallarm_rule_overlimit_res_settings.mode` now `Optional+Default("monitoring")`.**
25+
* **`wallarm_rule_rate_limit.time_unit` now `Optional+Default("rps")`.**
26+
* **`wallarm_rule_file_upload_size_limit.mode` now `Optional+Default("monitoring")`**; `size` gains `IntAtLeast(1)` validator.
27+
* **`wallarm_rule_regex.experimental` now `Optional+Computed+ForceNew`** (was `Optional+Default(true)+ForceNew`; ForceNew retained); Read derives from `rule_type`. Prevents destroy-on-import for regular `regex` rules.
28+
* **`findActionByConditionsHash` 200-page pagination cap** — bounds previously unbounded loop.
29+
* **`setIfExists` panic-swallow removed** — replaced with explicit cty guards in `rawStateHasKey`.
30+
* **Plan-time enum validators added**: `attack_type` on rule_disable_attack_type/vpatch (17 values each), rule_regex (16); `block_by_session/ip+graylist_by_ip` accept `0` (unset, dropped on wire) OR `600..315569520` — preserves `terraform import` + `-generate-config-out` round-trip on partially-set reactions; `threshold.count`/`.period` `IntAtLeast(1)` — surfaces API constraint at plan time.
31+
* **Generic helper `resourcerule.GetPointerIfConfigured[T any]`** replaces type-specific variants — used by rate_limit `delay`/`burst` where 0 is meaningful.
32+
133
## [v2.3.8] - 2026-05-01
234

335
> Schema actualisation against API ground truth, zero-value pointer fixes, plan-time validator for `enumerated_parameters`, full rule-test harness migration. Bumps `wallarm-go` to v0.12.1.

docs/guides/mitigation_controls.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ For detailed documentation, see [Mitigation Controls Overview](https://docs.wall
1616
| Wallarm UI name | Terraform resource | Key parameters |
1717
|-----------------|-------------------|----------------|
1818
| Real-time blocking mode | [`wallarm_rule_mode`](../resources/rule_mode) | `mode` |
19-
| GraphQL API protection | [`wallarm_rule_graphql_detection`](../resources/rule_graphql_detection) | `mode`, `max_depth`, `max_value_size_kb`, `max_doc_size_kb`, `max_alias_size_kb`, `max_doc_per_batch` |
19+
| GraphQL API protection | [`wallarm_rule_graphql_detection`](../resources/rule_graphql_detection) | `mode`, `max_depth`, `max_value_size_kb`, `max_doc_size_kb`, `max_aliases`, `max_doc_per_batch` |
2020
| Enumeration attack protection | [`wallarm_rule_enum`](../resources/rule_enum) | `mode`, `threshold`, `reaction`, `advanced_conditions`, `arbitrary_conditions` |
2121
| BOLA protection | [`wallarm_rule_bola`](../resources/rule_bola) | `mode`, `threshold`, `reaction`, `advanced_conditions`, `arbitrary_conditions` |
2222
| Forced browsing protection | [`wallarm_rule_forced_browsing`](../resources/rule_forced_browsing) | `mode`, `threshold`, `reaction`, `advanced_conditions`, `arbitrary_conditions` |

docs/resources/rule_disable_attack_type.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -30,7 +30,7 @@ resource "wallarm_rule_disable_attack_type" "disable_sqli" {
3030

3131
* `client_id` - (optional) ID of the client to apply the rules to. The value is required for [multi-tenant scenarios][2].
3232
* `action` - (optional) rule conditions. See the [Action Guide](../guides/action) for full documentation on action conditions, point types, and usage examples.
33-
* `attack_type` - (**required**) attack type to ignore. Possible values: `sqli`, `xss`, `rce`, `ptrav`, `crlf`, `nosqli`, `xxe`, `ldapi`, `scanner`, `ssti`, `ssi`, `mail_injection`, `vpatch`.
33+
* `attack_type` - (**required**) attack type to ignore. Possible values: `xss`, `sqli`, `rce`, `xxe`, `ptrav`, `crlf`, `redir`, `nosqli`, `ldapi`, `scanner`, `mass_assignment`, `ssrf`, `ssi`, `mail_injection`, `ssti`, `any`, `invalid_xml`. The canonical list is served by `GET /v2/attack_types` on the Wallarm API.
3434
* `point` - (**required**) request parts to apply the rules to. See the [Point Guide](../guides/point) for the full list of possible values and examples.
3535

3636
## Attributes Reference

docs/resources/rule_graphql_detection.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,7 @@ resource "wallarm_rule_graphql_detection" "graphql_detection" {
2727
max_doc_size_kb = 100
2828
max_value_size_kb = 10
2929
max_depth = 10
30-
max_alias_size_kb = 5
30+
max_aliases = 5
3131
max_doc_per_batch = 10
3232
introspection = true
3333
debug_enabled = true
@@ -43,7 +43,7 @@ resource "wallarm_rule_graphql_detection" "graphql_detection" {
4343
* `max_doc_size_kb` - (optional) the limit for the size in kilobytes of an entire GraphQL query.
4444
* `max_value_size_kb` - (optional) the limit for the size in kilobytes of an entire GraphQL query
4545
* `max_depth` - (optional) the maximum allowed depth for a GraphQL query. By limiting query depth.
46-
* `max_alias_size_kb` - (optional) the limit on the number of aliases that can be used in a single GraphQL query.
46+
* `max_aliases` - (optional) the limit on the number of aliases that can be used in a single GraphQL query.
4747
* `max_doc_per_batch` - (optional) the number of batched queries that can be sent in a single request.
4848
* `introspection` - (optional) when enabled, the server will treat introspection requests—which can reveal the structure of your GraphQL schema—as potential attacks. Can be: `true`, `false`.
4949
* `debug_enabled` - (optional) enabling this option means that requests containing the debug mode parameter will be considered potential attacks. Can be: `true`, `false`.

docs/resources/rule_regex.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -66,9 +66,10 @@ resource "wallarm_rule_regex" "scanner_rule" {
6666
## Argument Reference
6767

6868
* `client_id` - (optional) ID of the client to apply the rules to. The value is required for [multi-tenant scenarios][2].
69-
* `attack_type` - (**required**) attack type that will be detected when the parameter value in the request matches the regular expression. Can be: `any`, `sqli`, `rce`, `crlf`, `nosqli`, `ptrav`, `xxe`, `ptrav`, `xss`, `scanner`, `redir`, `ldapi`.
69+
* `attack_type` - (**required**) attack type that will be detected when the parameter value in the request matches the regular expression. Possible values for custom attack-detector rules: `xss`, `sqli`, `rce`, `xxe`, `ptrav`, `crlf`, `redir`, `nosqli`, `ldapi`, `scanner`, `mass_assignment`, `ssrf`, `ssi`, `mail_injection`, `ssti`, `vpatch`. Note: `any` and `invalid_xml` are not valid here (a regex rule must detect a specific attack class). The canonical attack-types list is served by `GET /v2/attack_types` on the Wallarm API.
7070
* `action` - (optional) rule conditions. See the [Action Guide](../guides/action) for full documentation on action conditions, point types, and usage examples.
7171
* `point` - (**required**) request parts to apply the rules to. See the [Point Guide](../guides/point) for the full list of possible values and examples.
72+
* `experimental` - (optional) when `true`, the rule is created with `rule_type = "experimental_regex"` (matches surface as attacks but are never blocked, even in block mode). When `false` or omitted, a regular `regex` rule is created. ForceNew — flipping this destroys and recreates the rule. Default behaviour when omitted: regular `regex`. _v2.3.9 behaviour change: previously omitting this field defaulted to `experimental_regex`._
7273

7374

7475
## Attributes Reference

docs/resources/rule_vpatch.md

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -42,9 +42,7 @@ resource "wallarm_rule_vpatch" "splunk" {
4242
## Argument Reference
4343

4444
* `client_id` - (optional) ID of the client to apply the rules to. The value is required for [multi-tenant scenarios][2].
45-
* `attack_type` - (**required**) attack type. The request with this attack will be blocked. Can be:
46-
* `any` to block the request with the specified `point` even if the attack is not detected.
47-
* One of the names of attack types to block the requests with the specified `point` if these malicious payloads are detected. Possible attack types: `sqli`, `rce`, `crlf`, `nosqli`, `ptrav`, `xxe`, `ptrav`, `xss`, `scanner`, `redir`, `ldapi`.
45+
* `attack_type` - (**required**) attack type. The request with this attack will be blocked. Possible values: `xss`, `sqli`, `rce`, `xxe`, `ptrav`, `crlf`, `redir`, `nosqli`, `ldapi`, `scanner`, `mass_assignment`, `ssrf`, `ssi`, `mail_injection`, `ssti`, `any`, `invalid_xml`. Use `any` to block the request with the specified `point` even if the attack is not detected. The canonical list is served by `GET /v2/attack_types` on the Wallarm API.
4846
* `point` - (**required**) request parts to apply the rules to. See the [Point Guide](../guides/point) for the full list of possible values and examples.
4947
* `action` - (optional) rule conditions. See the [Action Guide](../guides/action) for full documentation on action conditions, point types, and usage examples.
5048

examples/import-rules/Makefile

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ IMPORT_BLOCKS_FILE = ./import_rule_blocks.tf
66
RULE_CONFIGS_FILE = ./import_rule_configs.tf
77
RULE_STAMP_CONFIGS_FILE = ./import_rule_stamp_configs.tf
88

9-
FILES_DIRS_TO_CLEAN = ${LOG_FILES} ${TMP_FILES} ${TF_DIR} ${TF_STATE_FILE} ${IMPORT_BLOCKS_FILE} ${RULE_CONFIGS_FILE}
9+
FILES_DIRS_TO_CLEAN = ${LOG_FILES} ${TMP_FILES} ${TF_DIR} ${TF_STATE_FILE} ${IMPORT_BLOCKS_FILE} ${RULE_CONFIGS_FILE} ${RULE_STAMP_CONFIGS_FILE}
1010

1111

1212
default: list
@@ -73,12 +73,19 @@ import-stamps-conf-gen:
7373
# - comment=null → "Managed by Terraform"
7474
# - remove all remaining =null lines
7575
# - remove all remaining =[] lines
76+
# - drop reaction.{block_by_session,block_by_ip,graylist_by_ip} = 0 lines:
77+
# SDKv2's flat state model has no NullVal slot for TypeInt inside a nested
78+
# block, so partially-set reactions ({block_by_ip = 3600}, others absent)
79+
# round-trip through state as 0 and emit literal `= 0` lines that the
80+
# schema validator rejects. The mapper drops 0 on the wire, so removing
81+
# these lines is round-trip safe.
7682
import-configs-fix:
7783
-@sed -E \
7884
-e 's/(variativity_disabled[[:space:]]*)=[[:space:]]*false/\1= true/' \
7985
-e 's/(comment[[:space:]]*)=[[:space:]]*null/\1= "Managed by Terraform"/' \
8086
-e '/=[[:space:]]*null/d' \
8187
-e '/=[[:space:]]*\[\]/d' \
88+
-e '/(block_by_session|block_by_ip|graylist_by_ip)[[:space:]]*=[[:space:]]*0/d' \
8289
$(RULE_CONFIGS_FILE) > $(RULE_CONFIGS_FILE).tmp && mv $(RULE_CONFIGS_FILE).tmp $(RULE_CONFIGS_FILE)
8390

8491
# ─── Case 1: Native import (all rules) ─────────────────────────────────────

examples/wallarm_rule_graphql_detection.tf

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ resource "wallarm_rule_graphql_detection" "graphql_block" {
1111

1212
# All max_*, introspection, debug_enabled fields are Optional+Computed —
1313
# API defaults apply when omitted (max_depth=10, max_value_size_kb=10,
14-
# max_doc_size_kb=100, max_doc_per_batch=10, max_alias_size_kb=5,
14+
# max_doc_size_kb=100, max_doc_per_batch=10, max_aliases=5,
1515
# introspection=true, debug_enabled=true). Override here if needed:
1616
#
1717
# max_depth = 20

go.mod

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ require (
1010
github.com/hashicorp/terraform-plugin-sdk/v2 v2.39.0
1111
github.com/pkg/errors v0.9.1
1212
github.com/samber/lo v1.51.0
13-
github.com/wallarm/wallarm-go v0.12.1
13+
github.com/wallarm/wallarm-go v0.12.2
1414
github.com/zclconf/go-cty v1.17.0
1515
)
1616

go.sum

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -157,8 +157,8 @@ github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IU
157157
github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
158158
github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
159159
github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
160-
github.com/wallarm/wallarm-go v0.12.1 h1:2NodWNssSMSGeZgp6Im7Dg8hM2gHpLaA7Aa/BN0E1ZA=
161-
github.com/wallarm/wallarm-go v0.12.1/go.mod h1:yqZcNkOdSXL7K0CXRDJ3WyjyjDOHyk41iAv9fXsFP8o=
160+
github.com/wallarm/wallarm-go v0.12.2 h1:Yb0QVuMzBUWTn48MLxh/JQIUReQuFFVxJSsKualJqUk=
161+
github.com/wallarm/wallarm-go v0.12.2/go.mod h1:yqZcNkOdSXL7K0CXRDJ3WyjyjDOHyk41iAv9fXsFP8o=
162162
github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
163163
github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
164164
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=

0 commit comments

Comments
 (0)