waf: make full_detection be updatable in policy (#567)

docs/resources/waf_policy.md

@@ -30,6 +30,12 @@ The following arguments are supported:
   - *2*: medium
   - *3*: high
 
+* `full_detection` - (Optional, Bool) Specifies the detection mode in Precise Protection. Valid values are:
+  * *true*: full detection, Full detection finishes all threat detections before blocking requests that
+    meet Precise Protection specified conditions.
+  * *false*: instant detection. Instant detection immediately ends threat detection after blocking a request that
+    meets Precise Protection specified conditions.
+
 * `domains` - (Optional, List) An array of domain IDs.
 
 ## Attributes Reference
@@ -38,19 +44,13 @@ In addition to all arguments above, the following attributes are exported:
 
 * `id` - The policy ID in UUID format.
 
-* `full_detection` - The detection mode in Precise Protection.
-  * *true*: full detection, Full detection finishes all threat detections before blocking requests that meet Precise Protection specified conditions.
-  * *false*: instant detection. Instant detection immediately ends threat detection after blocking a request that meets Precise Protection specified conditions.
-
-* `options` - The protection switches. The options object structure is documented below.
-
-The `options` block supports:
+* `protection_status` - The protection switches. The object structure is documented below.
 
-* `webattack` - Indicates whether Basic Web Protection is enabled.
+The `protection_status` block supports:
 
-* `common` - Indicates whether General Check in Basic Web Protection is enabled.
+* `basic_web_protection` - Indicates whether Basic Web Protection is enabled.
 
-* `crawler` - Indicates whether the master crawler detection switch in Basic Web Protection is enabled.
+* `general_check` - Indicates whether General Check in Basic Web Protection is enabled.
 
 * `crawler_engine` - Indicates whether the Search Engine switch in Basic Web Protection is enabled.
 
@@ -62,17 +62,17 @@ The `options` block supports:
 
 * `webshell` - Indicates whether webshell detection in Basic Web Protection is enabled.
 
-* `cc` - Indicates whether CC Attack Protection is enabled.
+* `cc_protection` - Indicates whether CC Attack Protection is enabled.
 
-* `custom` - Indicates whether Precise Protection is enabled.
+* `precise_protection` - Indicates whether Precise Protection is enabled.
 
-* `whiteblackip` - Indicates whether Blacklist and Whitelist is enabled.
+* `blacklist` - Indicates whether Blacklist and Whitelist is enabled.
 
-* `privacy` - Indicates whether Data Masking is enabled.
+* `data_masking` - Indicates whether Data Masking is enabled.
 
-* `ignore` - Indicates whether False Alarm Masking is enabled.
+* `false_alarm_masking` - Indicates whether False Alarm Masking is enabled.
 
-* `antitamper` - Indicates whether Web Tamper Protection is enabled.
+* `web_tamper_protection` - Indicates whether Web Tamper Protection is enabled.
 
 ## Import
 

flexibleengine/resource_flexibleengine_waf_policy.go

@@ -59,22 +59,23 @@ func resourceWafPolicyV1() *schema.Resource {
 				Default:      2,
 				ValidateFunc: validation.IntBetween(0, 3),
 			},
+			"full_detection": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
 
-			"options": {
+			"protection_status": {
 				Type:     schema.TypeList,
 				Computed: true,
 				MaxItems: 1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
-						"webattack": {
+						"basic_web_protection": {
 							Type:     schema.TypeBool,
 							Computed: true,
 						},
-						"common": {
-							Type:     schema.TypeBool,
-							Computed: true,
-						},
-						"crawler": {
+						"general_check": {
 							Type:     schema.TypeBool,
 							Computed: true,
 						},
@@ -98,38 +99,33 @@ func resourceWafPolicyV1() *schema.Resource {
 							Type:     schema.TypeBool,
 							Computed: true,
 						},
-						"cc": {
+						"cc_protection": {
 							Type:     schema.TypeBool,
 							Computed: true,
 						},
-						"custom": {
+						"precise_protection": {
 							Type:     schema.TypeBool,
 							Computed: true,
 						},
-						"whiteblackip": {
+						"blacklist": {
 							Type:     schema.TypeBool,
 							Computed: true,
 						},
-						"privacy": {
+						"data_masking": {
 							Type:     schema.TypeBool,
 							Computed: true,
 						},
-						"ignore": {
+						"false_alarm_masking": {
 							Type:     schema.TypeBool,
 							Computed: true,
 						},
-						"antitamper": {
+						"web_tamper_protection": {
 							Type:     schema.TypeBool,
 							Computed: true,
 						},
 					},
 				},
 			},
-
-			"full_detection": {
-				Type:     schema.TypeBool,
-				Computed: true,
-			},
 		},
 	}
 }
@@ -149,9 +145,8 @@ func resourceWafPolicyV1Create(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("Error creating waf policy: %s", err)
 	}
 
-	log.Printf("[DEBUG] Waf policy created: %#v", policy)
+	log.Printf("[DEBUG] WAF policy created: %#v", policy)
 	d.SetId(policy.Id)
-	d.Set("name", policy.Name)
 
 	return resourceWafPolicyV1Update(d, meta)
 }
@@ -165,9 +160,10 @@ func resourceWafPolicyV1Read(d *schema.ResourceData, meta interface{}) error {
 
 	n, err := policies.Get(wafClient, d.Id()).Extract()
 	if err != nil {
-		return CheckDeleted(d, err, "Waf Policy")
+		return CheckDeleted(d, err, "WAF Policy")
 	}
 
+	log.Printf("[DEBUG] fetching WAF policy %s: %#v", d.Id(), n)
 	d.Set("region", GetRegion(d, config))
 	d.Set("name", n.Name)
 	d.Set("level", n.Level)
@@ -177,23 +173,23 @@ func resourceWafPolicyV1Read(d *schema.ResourceData, meta interface{}) error {
 
 	options := []map[string]interface{}{
 		{
-			"webattack":       *n.Options.WebAttack,
-			"common":          *n.Options.Common,
-			"crawler":         *n.Options.Crawler,
-			"crawler_engine":  *n.Options.CrawlerEngine,
-			"crawler_scanner": *n.Options.CrawlerScanner,
-			"crawler_script":  *n.Options.CrawlerScript,
-			"crawler_other":   *n.Options.CrawlerOther,
-			"webshell":        *n.Options.WebShell,
-			"cc":              *n.Options.Cc,
-			"custom":          *n.Options.Custom,
-			"whiteblackip":    *n.Options.WhiteblackIp,
-			"privacy":         *n.Options.Privacy,
-			"ignore":          *n.Options.Ignore,
-			"antitamper":      *n.Options.AntiTamper,
+			"basic_web_protection":  *n.Options.WebAttack,
+			"general_check":         *n.Options.Common,
+			"crawler_engine":        *n.Options.CrawlerEngine,
+			"crawler_scanner":       *n.Options.CrawlerScanner,
+			"crawler_script":        *n.Options.CrawlerScript,
+			"crawler_other":         *n.Options.CrawlerOther,
+			"webshell":              *n.Options.WebShell,
+			"cc_protection":         *n.Options.Cc,
+			"precise_protection":    *n.Options.Custom,
+			"blacklist":             *n.Options.WhiteblackIp,
+			"data_masking":          *n.Options.Privacy,
+			"false_alarm_masking":   *n.Options.Ignore,
+			"web_tamper_protection": *n.Options.AntiTamper,
 		},
 	}
-	d.Set("options", options)
+	d.Set("protection_status", options)
+
 	return nil
 }
 
@@ -204,15 +200,25 @@ func resourceWafPolicyV1Update(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("error creating Flexibleengine WAF Client: %s", err)
 	}
 
-	if d.HasChanges("name", "level", "protection_mode") {
-		updateOpts := policies.UpdateOpts{
-			Name:  d.Get("name").(string),
-			Level: d.Get("level").(int),
-			Action: &policies.Action{
-				Category: d.Get("protection_mode").(string),
-			},
+	var updateOpts policies.UpdateOpts
+	var changed bool
+
+	if d.HasChange("name") && !d.IsNewResource() {
+		changed = true
+		updateOpts.Name = d.Get("name").(string)
+	}
+	if d.HasChanges("level", "protection_mode", "full_detection") {
+		changed = true
+		updateOpts.Level = d.Get("level").(int)
+		updateOpts.Action = &policies.Action{
+			Category: d.Get("protection_mode").(string),
 		}
 
+		detectionMode := d.Get("full_detection").(bool)
+		updateOpts.FullDetection = &detectionMode
+	}
+
+	if changed {
 		log.Printf("[DEBUG] updateOpts: %#v", updateOpts)
 		_, err = policies.Update(wafClient, d.Id(), updateOpts).Extract()
 		if err != nil {

flexibleengine/resource_flexibleengine_waf_policy_test.go

@@ -16,7 +16,7 @@ func TestAccWafPolicyV1_basic(t *testing.T) {
 	randName := acctest.RandString(5)
 	resourceName := "flexibleengine_waf_policy.policy_1"
 
-	resource.Test(t, resource.TestCase{
+	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
 		Providers:    testAccProviders,
 		CheckDestroy: testAccCheckWafPolicyV1Destroy,
@@ -29,6 +29,8 @@ func TestAccWafPolicyV1_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "protection_mode", "log"),
 					resource.TestCheckResourceAttr(resourceName, "level", "2"),
 					resource.TestCheckResourceAttr(resourceName, "full_detection", "false"),
+					resource.TestCheckResourceAttr(resourceName, "protection_status.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "protection_status.0.basic_web_protection", "true"),
 				),
 			},
 			{
@@ -38,6 +40,7 @@ func TestAccWafPolicyV1_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "name", fmt.Sprintf("policy-%s-updated", randName)),
 					resource.TestCheckResourceAttr(resourceName, "protection_mode", "block"),
 					resource.TestCheckResourceAttr(resourceName, "level", "1"),
+					resource.TestCheckResourceAttr(resourceName, "full_detection", "true"),
 				),
 			},
 			{
@@ -116,6 +119,7 @@ resource "flexibleengine_waf_policy" "policy_1" {
   name            = "policy-%s-updated"
   level           = 1
   protection_mode = "block"
+  full_detection  = true
 }
 `, name)
 }