[WAF] new resource/opentelekomcloud_waf_dedicated_geo_ip_rule_v1 an…

…d `resource/opentelekomcloud_waf_dedicated_alarm_masking_rule_v1` (#2309)

[WAF] new `resource/opentelekomcloud_waf_dedicated_geo_ip_rule_v1` and `resource/opentelekomcloud_waf_dedicated_alarm_masking_rule_v1`

Summary of the Pull Request
PR Checklist

 Refers to: #2231
 Tests added/passed.
 Documentation updated.
 Schema updated.
 Release notes added.

Acceptance Steps Performed
=== RUN   TestAccWafDedicatedGeoIpRuleV1_basic
--- PASS: TestAccWafDedicatedGeoIpRuleV1_basic (70.77s)
PASS

Process finished with exit code 0

Reviewed-by: Artem Lifshits

docs/resources/waf_dedicated_alarm_masking_rule_v1.md

@@ -0,0 +1,107 @@
+---
+subcategory: "Dedicated Web Application Firewall (WAFD)"
+---
+
+Up-to-date reference of API arguments for WAF dedicated Global Protection Whitelist (formerly False Alarm Masking) rule you can get at
+`https://docs.otc.t-systems.com/web-application-firewall-dedicated/api-ref/apis/rule_management/creating_an_information_leakage_protection_rule.html`.
+
+# opentelekomcloud_waf_dedicated_anti_leakage_rule_v1
+
+Manages a WAF Dedicated Global Protection Whitelist (formerly False Alarm Masking) Rule resource within OpenTelekomCloud.
+
+## Example Usage
+
+```hcl
+resource "opentelekomcloud_waf_dedicated_policy_v1" "policy_1" {
+  name = "policy_am"
+}
+
+resource "opentelekomcloud_waf_dedicated_alarm_masking_rule_v1" "rule_1" {
+  policy_id   = opentelekomcloud_waf_dedicated_policy_v1.policy_1.id
+  domains     = ["www.example.com"]
+  rule        = "xss"
+  description = "description"
+
+  conditions {
+    category        = "url"
+    contents        = ["/login"]
+    logic_operation = "equal"
+  }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `policy_id` - (Required, ForceNew, String) The WAF policy ID. Changing this creates a new rule.
+
+* `domains` - (Required, ForceNew, List) Domain names to be protected. Changing this creates a new rule.
+
+* `conditions` - (Optional, ForceNew, List) Condition list. Changing this creates a new rule.
+  The `conditions` block supports:
+
+  + `category` - (Required, ForceNew, String) Field type. The value can be `url`, `ip`, `params`, `cookie`, or `header`.
+
+  + `logic_operation` - (Required, ForceNew, String) The matching logic varies depending on the field type.
+    + if the field type is `ip`, the logic can be `equal` or `not_equal`.
+    + If the field type is `url`, `params`, `cookie`, or `header`, the logic can be `equal`, `not_equal`, `contain`, `not_contain`, `prefix`, `not_prefix`, `suffix`, `not_suffix`.
+
+  + `contents` - (Optional, ForceNew, List) Content. The array length is limited to 1.
+    The content format varies depending on the field type.
+    + For example, if the field type is `ip`, the value must be an `IP address` or `IP address range`.
+    + If the field type is `url`, the value must be in the `standard URL format`.
+    + IF the field type is `params`, `cookie`, or `header`, the content format is not limited.
+
+  + `index` - (Optional, ForceNew, String) Subfield. When `category` is set to `params`, `cookie`, or `header`, set this parameter based on site requirements. This parameter is mandatory.
+
+* `advanced_settings` - (Optional, ForceNew, List) To ignore attacks of a specific field, specify the field in the Advanced settings area.
+  After you add the rule, WAF will stop blocking attacks of the specified field.
+  This parameter is not included if all modules are bypassed. Changing this creates a new rule.
+  The `advanced_settings` block supports:
+  + `contents` - (Optional, ForceNew, List) Subfield of the specified field type. The default value is all.
+
+  + `index` - (Optional, ForceNew, String) Field type.
+    The following field types are supported: `Params`, `Cookie`, `Header`, `Body`, and `Multipart`.
+    When you select `Params`, `Cookie`, or `Header`, you can set this parameter to `all` or configure subfields as required.
+
+* `rule` - (Required, ForceNew, String) Items to be masked. Changing this creates a new rule.
+  You can provide multiple items and separate them with semicolons (;).
+  + If you want to disable a specific built-in rule for a domain name, the value of this parameter is the rule ID.
+    When requests are blocked against a certain built-in rule while you do not want this rule to block requests later,
+    you can query the rule in the Events page on the console and find its rule ID in the Hit Rule column.
+    Then, you can disk the rule by its ID (including 6 digits).
+  + If you want to mask a type of basic web protection rules, set this parameter to the name of the type of basic
+    web protection rules.
+    + `xss`: XSS attacks
+    + `webshell`: Web shells
+    + `vuln`: Other types of attacks
+    + `sqli`: SQL injection attack
+    + `robot`: Malicious crawlers
+    + `rfi`: Remote file inclusion
+    + `lfi`: Local file inclusion
+    + `cmdi`: Command injection attack
+  + To bypass the basic web protection, set this parameter to `all`.
+  + To bypass all WAF protection, set this parameter to `bypass`.
+
+* `description` - (Optional, ForceNew, String) Rule description. Changing this creates a new rule.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `id` -  ID of the rule.
+
+* `status` - Rule status. The value can be:
+  + `0`: The rule is disabled.
+  + `1`: The rule is enabled.
+
+* `created_at` - Timestamp the rule is created.
+
+## Import
+
+Dedicated WAF Web Global Protection Whitelist (formerly False Alarm Masking) rules can be imported using `policy_id/id`, e.g.
+
+```sh
+terraform import opentelekomcloud_waf_dedicated_alarm_masking_rule_v1.rule_1 ff95e71c8ae74eba9887193ab22c5757/b39f3a5a1b4f447a8030f0b0703f47f5
+```

docs/resources/waf_dedicated_geo_ip_rule_v1.md

@@ -0,0 +1,86 @@
+---
+subcategory: "Dedicated Web Application Firewall (WAFD)"
+---
+
+Up-to-date reference of API arguments for WAF dedicated Geolocation Access Control rule you can get at
+`https://docs.otc.t-systems.com/web-application-firewall-dedicated/api-ref/apis/rule_management/creating_a_geolocation_access_control_rule.html`.
+
+# opentelekomcloud_waf_dedicated_geo_ip_rule_v1
+
+Manages a WAF Dedicated Geolocation Access Control Rule resource within OpenTelekomCloud.
+
+## Example Usage
+
+```hcl
+resource "opentelekomcloud_waf_dedicated_policy_v1" "policy_1" {
+  name = "policy_gi"
+}
+
+resource "opentelekomcloud_waf_dedicated_geo_ip_rule_v1" "rule_1" {
+  policy_id   = opentelekomcloud_waf_dedicated_policy_v1.policy_1.id
+  region_code = "BR"
+  action      = 0
+  name        = "test"
+  description = "test description"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `policy_id` - (Required, ForceNew, String) The WAF policy ID. Changing this creates a new rule.
+
+* `region_code` - (Required, String) Applicable regions. The value can be the region code. For more geographical location codes, see docs "Appendix - Geographic Location Codes."
+  Values:
+  + CA: Canada
+  + US: USA
+  + AU: Australia
+  + IN: India
+  + JP: Japan
+  + UK: United Kingdom
+  + FR: France
+  + DE: Germany
+  + BR: Brazil
+  + Ukraine: Ukraine
+  + Pakistan: Pakistan
+  + Palestine: Palestine
+  + Israel: Israel
+  + Iraq: Afghanistan
+  + Libya: Libya
+  + Turkey: Turkey
+  + Thailand: Thailand
+  + Singapore: Singapore
+  + South Africa: South Africa
+  + Mexico: Mexico
+  + Peru: Peru
+
+* `action` - (Required, Int) Protective action.
+  The value can be:
+  + 0: WAF blocks the requests that hit the rule.
+  + 1: WAF allows the requests that hit the rule.
+  + 2: WAF only logs the requests that hit the rule.
+
+* `name` - (Optional, String) Rule name.
+
+* `description` - (Optional, String) Rule description
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `id` -  ID of the rule.
+
+* `status` - Rule status. The value can be:
+  + `0`: The rule is disabled.
+  + `1`: The rule is enabled.
+
+* `created_at` - Timestamp the rule is created.
+
+## Import
+
+Dedicated WAF Web Geolocation Access Control rules can be imported using `policy_id/id`, e.g.
+
+```sh
+terraform import opentelekomcloud_waf_dedicated_geo_ip_rule_v1.rule_1 ff95e71c8ae74eba9887193ab22c5757/b39f3a5a1b4f447a8030f0b0703f47f5
+```

opentelekomcloud/acceptance/waf/resource_opentelekomcloud_waf_dedicated_alarm_masking_rule_v1_test.go

@@ -0,0 +1,118 @@
+package acceptance
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+	"github.com/opentelekomcloud/gophertelekomcloud/openstack/waf-premium/v1/rules"
+
+	"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/acceptance/common"
+	"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/acceptance/env"
+	"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/common/cfg"
+)
+
+const wafdAlarmMaskingRuleName = "opentelekomcloud_waf_dedicated_alarm_masking_rule_v1.rule_1"
+
+func TestAccWafDedicatedAlarmMaskingRuleV1_basic(t *testing.T) {
+	var rule rules.IgnoreRule
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { common.TestAccPreCheck(t) },
+		ProviderFactories: common.TestAccProviderFactories,
+		CheckDestroy:      testAccCheckWafDedicatedAlarmMaskingRuleV1Destroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccWafDedicatedAlarmMaskingRuleV1Basic,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWafDedicatedAlarmMaskingRuleV1Exists(wafdAlarmMaskingRuleName, &rule),
+					resource.TestCheckResourceAttr(wafdAlarmMaskingRuleName, "domains.#", "1"),
+					resource.TestCheckResourceAttr(wafdAlarmMaskingRuleName, "domains.0", "www.example.com"),
+					resource.TestCheckResourceAttr(wafdAlarmMaskingRuleName, "rule", "091004"),
+					resource.TestCheckResourceAttr(wafdAlarmMaskingRuleName, "description", "description"),
+					resource.TestCheckResourceAttr(wafdAlarmMaskingRuleName, "conditions.#", "1"),
+					resource.TestCheckResourceAttr(wafdAlarmMaskingRuleName, "conditions.0.category", "url"),
+				),
+			},
+			{
+				ResourceName:      wafdAlarmMaskingRuleName,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateIdFunc: dedicatedRuleImportStateIDFunc(wafdAlarmMaskingRuleName, wafdPolicyResourceName),
+			},
+		},
+	})
+}
+
+func testAccCheckWafDedicatedAlarmMaskingRuleV1Destroy(s *terraform.State) error {
+	config := common.TestAccProvider.Meta().(*cfg.Config)
+	client, err := config.WafDedicatedV1Client(env.OS_REGION_NAME)
+	if err != nil {
+		return err
+	}
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "opentelekomcloud_waf_dedicated_alarm_masking_rule_v1" {
+			continue
+		}
+
+		_, err := rules.GetIgnore(client, rs.Primary.Attributes["policy_id"], rs.Primary.ID)
+		if err == nil {
+			return fmt.Errorf("waf dedicated rule still exists")
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckWafDedicatedAlarmMaskingRuleV1Exists(n string, rule *rules.IgnoreRule) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("no ID is set")
+		}
+
+		config := common.TestAccProvider.Meta().(*cfg.Config)
+		client, err := config.WafDedicatedV1Client(env.OS_REGION_NAME)
+		if err != nil {
+			return err
+		}
+
+		found, err := rules.GetIgnore(client, rs.Primary.Attributes["policy_id"], rs.Primary.ID)
+		if err != nil {
+			return err
+		}
+
+		if found.ID != rs.Primary.ID {
+			return fmt.Errorf("waf dedicated rule not found")
+		}
+
+		*rule = *found
+
+		return nil
+	}
+}
+
+const testAccWafDedicatedAlarmMaskingRuleV1Basic = `
+resource "opentelekomcloud_waf_dedicated_policy_v1" "policy_1" {
+  name = "policy_am"
+}
+
+resource "opentelekomcloud_waf_dedicated_alarm_masking_rule_v1" "rule_1" {
+  policy_id   = opentelekomcloud_waf_dedicated_policy_v1.policy_1.id
+  domains     = ["www.example.com"]
+  rule        = "all"
+  description = "description"
+
+  conditions {
+    category        = "url"
+    contents        = ["/login"]
+    logic_operation = "equal"
+  }
+}
+`