Skip to content

Commit be8cad1

Browse files
authored
Release/v2.3.5 (#79)
* test: add acceptance tests for wallarm_rule_api_abuse_mode (TDD) * chore: promote terraform-plugin-go to direct dependency * feat: add wallarm_rule_api_abuse_mode rule resource * test: tighten InvalidMode error regex to match codebase convention * test: unique per-test action scopes + 4-part regex for existsError * refactor: replace existsAction/existsHint with existingHintForAction * test: fix Sprintf arg ordering in config helper (host was being shadowed by mode) * fix: invalidate hint cache after HintDelete to avoid stale reads * debug: trace hint delete/read paths + compare cached vs raw in CheckDestroy * debug: add OrderBy to raw HintRead in CheckDestroy ground-truth check * fix acceptance test race via isolated provider factory and test client helper * replace hand-rolled action comparison with canonical ConditionsHash * add wallarm_rule_api_abuse_mode docs and example * apply simplify fixes: length prefilter, nil check, helper type * register api_abuse_mode in APITypeToTerraformResource for bulk import discovery * convert InvalidMode acceptance test to pure ValidateFunc unit test
1 parent c3d6f06 commit be8cad1

16 files changed

Lines changed: 642 additions & 216 deletions

CHANGELOG.md

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,25 @@
1+
# v2.3.5 (Apr 22, 2026)
2+
3+
## FEATURES:
4+
5+
* New resource `wallarm_rule_api_abuse_mode` — toggles [API Abuse Prevention](https://docs.wallarm.com/api-abuse-prevention/overview/) for requests matching an action scope. Primary use case: allowlist trusted crawlers (Pinterest, Google, monitoring agents) with `mode = "disabled"`. `mode` is `ForceNew` — changing it destroys and recreates the rule.
6+
7+
## IMPROVEMENTS:
8+
9+
* Extracted shared `existingHintForAction` helper for duplicate-rule detection on Create. Used by `wallarm_rule_mode` and `wallarm_rule_api_abuse_mode`; replaces the per-resource `existsAction` + `existsHint` pair.
10+
* Replaced hand-rolled action-conditions comparison (`equalWithoutOrder`, `compareActionDetails`, `actionPointsEqual`, `convertToStringSlice`) with a single `resourcerule.ConditionsHash` compare. Matches the Wallarm API's own canonical action identity and removes ~85 lines of per-field equality logic.
11+
* Added `testAccNewAPIClient()` test helper for CheckDestroy in tests that use `ProtoV5ProviderFactories`. Constructs an API client from `WALLARM_API_TOKEN` / `WALLARM_API_HOST` without going through the shared `testAccProvider`, avoiding a `Configure` race under `-race`.
12+
13+
## BUG FIXES:
14+
15+
* `CachedClient.HintDelete` now invalidates the hint cache on success. Previously the cache could return stale entries for just-deleted rules, surfacing in acceptance tests as "dangling resource" errors in CheckDestroy after a Create path that populated the cache.
16+
17+
## DOCUMENTATION:
18+
19+
* New `docs/resources/rule_api_abuse_mode.md` with Pinterest allowlist example, Argument/Attributes reference, and 3-part (`{client_id}/{action_id}/{rule_id}`) Import section.
20+
* New `examples/wallarm_rule_api_abuse_mode.tf` with three scope patterns (enable per instance, enable per host, Pinterest allowlist).
21+
* README Rules table: added `wallarm_rule_api_abuse_mode` entry; Rules count bumped 20 → 21.
22+
123
# v2.3.4 (Apr 20, 2026)
224

325
## IMPROVEMENTS:

README.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -102,7 +102,7 @@ Session-based rules for real-time threat mitigation. In the Wallarm Console UI t
102102
| `wallarm_rule_rate_limit_enum` | DoS protection (rate limiting) |
103103
| `wallarm_rule_file_upload_size_limit` | File upload restriction policy |
104104

105-
### Rules (20 resources)
105+
### Rules (21 resources)
106106

107107
Request-level rules for detection tuning, virtual patching, and data handling. These appear under the Rules section in the Wallarm Console UI.
108108

@@ -130,6 +130,7 @@ Request-level rules for detection tuning, virtual patching, and data handling. T
130130
| `wallarm_rule_bola_counter` | BOLA counter |
131131
| `wallarm_rule_credential_stuffing_regex` | Credential stuffing regex |
132132
| `wallarm_rule_credential_stuffing_point` | Credential stuffing detection points |
133+
| `wallarm_rule_api_abuse_mode` | Toggle API Abuse Prevention per request scope |
133134

134135
### IP Lists (3 resources)
135136

docs/guides/action.md

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -161,8 +161,7 @@ resource "wallarm_rule_mode" "example" {
161161

162162
The Wallarm API reuses Actions (scope definitions). If two rules have identical conditions, they share the same Action. This means:
163163
- Creating a rule with the same conditions as an existing one will not create a duplicate Action.
164-
- The provider checks for existing Actions before creating (the `existsAction` check).
165-
- If the Action already exists, the provider returns an error suggesting to import the existing resource.
164+
- The provider checks for existing rules on the same Action before creating. If a rule of the same type already exists on the matching scope, the provider returns an error suggesting to import it instead.
166165

167166
## Common fields on all rule resources
168167

Lines changed: 84 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,84 @@
1+
---
2+
layout: "wallarm"
3+
page_title: "Wallarm: wallarm_rule_api_abuse_mode"
4+
subcategory: "Rules"
5+
description: |-
6+
Enables or disables API Abuse Prevention for requests matching an action scope.
7+
---
8+
9+
# wallarm_rule_api_abuse_mode
10+
11+
Provides the resource to toggle [API Abuse Prevention][1] for traffic matching a given action scope. Typical use: allowlist trusted crawlers (Pinterest, Google, monitoring agents) by applying `mode = "disabled"` to requests that carry their signature (User-Agent, path, method, etc.).
12+
13+
## Example Usage
14+
15+
```hcl
16+
# Disable API Abuse Prevention for legitimate Pinterest crawler traffic.
17+
18+
resource "wallarm_rule_api_abuse_mode" "pinterest" {
19+
mode = "disabled"
20+
title = "Allow Pinterest"
21+
comment = "Allow Pinterest through API Abuse Prevention"
22+
23+
action {
24+
type = "regex"
25+
value = ".*(Pinterest|Pinterestbot)/(0.2|1.0);?\\s[(]?[+]https?://www[.]pinterest[.]com/bot[.]html[)].*"
26+
point = {
27+
header = "USER-AGENT"
28+
}
29+
}
30+
31+
action {
32+
type = "equal"
33+
value = "api"
34+
point = {
35+
path = 0
36+
}
37+
}
38+
39+
action {
40+
type = "regex"
41+
value = "v\\d"
42+
point = {
43+
path = 1
44+
}
45+
}
46+
47+
action {
48+
type = "absent"
49+
point = {
50+
action_ext = ""
51+
}
52+
}
53+
}
54+
```
55+
56+
## Argument Reference
57+
58+
* `mode` - (optional) API abuse mode. One of: `enabled`, `disabled`. Default: `enabled`. Changing this value destroys and recreates the rule.
59+
* `title` - (optional) human-readable rule title.
60+
* `comment` - (optional) free-text rule comment. Defaults to `Managed by Terraform`.
61+
* `active` - (optional) whether the rule is active. Defaults to `true`.
62+
* `client_id` - (optional) ID of the client to apply the rule to. The value is required for [multi-tenant scenarios][2].
63+
* `action` - (optional) rule conditions. See the [Action Guide](../guides/action) for full documentation on action conditions, point types, and usage examples.
64+
65+
## Attributes Reference
66+
67+
* `rule_id` - ID of the created rule.
68+
* `action_id` - the action ID (the conditions to apply on request).
69+
* `rule_type` - type of the created rule. For `wallarm_rule_api_abuse_mode` this is always `api_abuse_mode`.
70+
71+
## Import
72+
73+
```
74+
$ terraform import wallarm_rule_api_abuse_mode.pinterest 6039/563855/11086881
75+
```
76+
77+
* `6039` - Client ID.
78+
* `563855` - Action ID.
79+
* `11086881` - Rule ID.
80+
81+
For automated bulk import using the `wallarm_rules` data source, see the [Rules Import Guide](../guides/rules_import).
82+
83+
[1]: https://docs.wallarm.com/api-abuse-prevention/overview/
84+
[2]: https://docs.wallarm.com/installation/multi-tenant/overview/
Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
# Enable API Abuse Prevention for a specific application (instance).
2+
resource "wallarm_rule_api_abuse_mode" "tiredful_api_abuse_mode" {
3+
mode = "enabled"
4+
5+
action {
6+
point = {
7+
instance = 9
8+
}
9+
}
10+
}
11+
12+
# Enable API Abuse Prevention for all traffic to a specific host.
13+
resource "wallarm_rule_api_abuse_mode" "dvwa_abuse_mode" {
14+
mode = "enabled"
15+
16+
action {
17+
type = "iequal"
18+
value = "dvwa.wallarm-demo.com"
19+
point = {
20+
header = "HOST"
21+
}
22+
}
23+
}
24+
25+
# Allowlist trusted Pinterest crawler traffic under /api/v{N} routes by
26+
# disabling API Abuse Prevention for requests that match the crawler's
27+
# User-Agent and path shape.
28+
resource "wallarm_rule_api_abuse_mode" "pinterest" {
29+
mode = "disabled"
30+
title = "Allow Pinterest"
31+
comment = "Allow Pinterest through API Abuse Prevention"
32+
33+
action {
34+
type = "regex"
35+
value = ".*(Pinterest|Pinterestbot)/(0.2|1.0);?\\s[(]?[+]https?://www[.]pinterest[.]com/bot[.]html[)].*"
36+
point = {
37+
header = "USER-AGENT"
38+
}
39+
}
40+
41+
action {
42+
type = "equal"
43+
value = "api"
44+
point = {
45+
path = 0
46+
}
47+
}
48+
49+
action {
50+
type = "regex"
51+
value = "v\\d"
52+
point = {
53+
path = 1
54+
}
55+
}
56+
57+
action {
58+
type = "absent"
59+
point = {
60+
action_ext = ""
61+
}
62+
}
63+
}

go.mod

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@ go 1.24.0
55
require (
66
github.com/hashicorp/go-cleanhttp v0.5.2
77
github.com/hashicorp/hcl/v2 v2.24.0
8+
github.com/hashicorp/terraform-plugin-go v0.30.0
89
github.com/hashicorp/terraform-plugin-sdk/v2 v2.39.0
910
github.com/pkg/errors v0.9.1
1011
github.com/samber/lo v1.51.0
@@ -33,7 +34,6 @@ require (
3334
github.com/hashicorp/logutils v1.0.0 // indirect
3435
github.com/hashicorp/terraform-exec v0.25.0 // indirect
3536
github.com/hashicorp/terraform-json v0.27.2 // indirect
36-
github.com/hashicorp/terraform-plugin-go v0.30.0 // indirect
3737
github.com/hashicorp/terraform-plugin-log v0.10.0 // indirect
3838
github.com/hashicorp/terraform-registry-address v0.4.0 // indirect
3939
github.com/hashicorp/terraform-svchost v0.1.1 // indirect

wallarm/common/resourcerule/action_reverse_map.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -508,6 +508,7 @@ func ActionValueString(a wallarm.ActionDetails) string {
508508

509509
// APITypeToTerraformResource maps Wallarm API rule types to Terraform resource names.
510510
var APITypeToTerraformResource = map[string]string{
511+
"api_abuse_mode": "wallarm_rule_api_abuse_mode",
511512
"binary_data": "wallarm_rule_binary_data",
512513
"bola": "wallarm_rule_bola",
513514
"bola_counter": "wallarm_rule_bola_counter",

0 commit comments

Comments
 (0)