Description
Hello
Terraform v0.12.9
- provider.local v1.4.0
- provider.oci v3.47.0
I'm trying to run this Terraform file:
# Zone / apex domain reused by the per-student CNAME records further down.
locals {
  upper_domain = var.labs_domain
}
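# Display name meant for the uploaded WAAS certificate. In the pasted
# configuration it is only referenced from the commented-out
# oci_waas_certificates data block, so it is currently unused.
variable "certificate_display_name" {
  type        = string
  description = "Display name for the WAAS certificate"
  default     = "tf_example_waas_certificate"
}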
# Echoes the certificate file that is uploaded below (public half only;
# the private key file is not exposed as an output).
output "cert_content" {
  value = file(var.ssh_certificate_data)
}
# Uploads the lab certificate and its private key to WAAS; the policy
# resource references this object by id.
resource "oci_waas_certificate" "waf_policy_certificate" {
  compartment_id = var.compartment_ocid

  # Both files are read at plan time and the private key becomes a plain
  # attribute of this resource in the Terraform state, so the state backend
  # has to be protected like the key file itself.
  certificate_data = file(var.ssh_certificate_data)
  private_key_data = file(var.ssh_private_key_data)
}
/*
data "oci_waas_certificates" "waf_policy_certificate" {
compartment_id = "${var.compartment_ocid}"
display_names = "${var.certificate_display_name}"
ids = "${oci_waas_certificate.waf_policy_certificate.id}"
}
*/
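# Per-student WAAS policy: one policy per count.index, fronting the origin
# listed in student<index>.txt under <waas_domain><index>-waf.<labs_domain>.
#
# NOTE(review): the apply output pasted further down in this report shows
# the policy ACTIVE with access_rules = [], every challenge at
# is_enabled = false, address_rate_limiting disabled and protection_settings
# at service defaults; policy_config came back with cipher_group = "",
# is_cache_control_respected = false and tls_protocols = []. Until the cause
# is found, treat the deployed policy as unprotected and confirm the applied
# settings (terraform plan after apply, or the console) before relying on it.
#
# The two free-text lines that sat between timeouts and waf_config in the
# original paste were not valid HCL; they are kept below as comments.
resource "oci_waas_waas_policy" "student_waf_policy" {
  count          = var.instance_count
  compartment_id = var.compartment_ocid
  domain         = "${var.waas_domain}${count.index}-waf.${var.labs_domain}"
  #additional_domains = var.additional_domains
  display_name = "${var.waas_policy_display_name}${count.index}"

  origin_groups {
    label = "originGroups1"
    origin_group {
      origin = "primary"
      weight = "1"
    }
  }

  origins {
    #label = "${var.waas_policy_display_name}${count.index}-ebs"
    label = "primary"
    # Origin address is read from a per-student file next to this config.
    uri = file("student${count.index}.txt")
    custom_headers {
      name  = "user"
      value = "student"
    }
    http_port  = "8000"
    https_port = "4443"
  }

  policy_config {
    certificate_id = oci_waas_certificate.waf_policy_certificate.id
    cipher_group   = "DEFAULT"
    # Per the WAAS API docs this header is honoured only while is_behind_cdn
    # is true. Do not flip is_behind_cdn on without a trusted CDN in front:
    # the edge would then take the client address from a header any client
    # can set, which defeats COUNTRY_IS and per-address rate limiting.
    client_address_header = "X_FORWARDED_FOR"
    is_behind_cdn         = false

    is_cache_control_respected    = true
    is_https_enabled              = true
    is_https_forced               = true
    is_origin_compression_enabled = false
    is_response_buffering_enabled = false
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the
    # original list; re-add one only for a documented legacy-client need.
    tls_protocols = ["TLS_V1_2", "TLS_V1_3"]
  }

  timeouts {
    create = "120m"
    delete = "120m"
    update = "120m"
  }

  # important this creates a vanilla waf_config
  # uncomment the lines for more deployment settings
  waf_config {
    origin        = "primary"
    origin_groups = ["originGroups1"]

    # action = "DETECT" only logs matches; the block_* settings in each rule
    # take effect once action is switched to "BLOCK".
    access_rules {
      action = "DETECT"
      criteria {
        condition = "URL_IS"
        value     = "/"
      }
      name                         = "DETECT_/"
      block_action                 = "SET_RESPONSE_CODE"
      block_error_page_code        = 403
      block_error_page_description = "blockErrorPageDescription"
      block_error_page_message     = "blockErrorPageMessage"
      block_response_code          = 403
    }

    access_rules {
      action = "DETECT"
      criteria {
        condition = "COUNTRY_IS"
        value     = "FR"
      }
      name                         = "DETECT_FR"
      block_action                 = "SET_RESPONSE_CODE"
      block_error_page_code        = 403
      block_error_page_description = "blockErrorPageDescription"
      block_error_page_message     = "blockErrorPageMessage"
      block_response_code          = 403
    }

    access_rules {
      action = "DETECT"
      criteria {
        condition = "USER_AGENT_IS"
        value     = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0"
      }
      name                         = "DETECT_Mozilla"
      block_action                 = "SET_RESPONSE_CODE"
      block_error_page_code        = 403
      block_error_page_description = "blockErrorPageDescription"
      block_error_page_message     = "blockErrorPageMessage"
      block_response_code          = 403
    }

    address_rate_limiting {
      is_enabled                    = true
      allowed_rate_per_address      = 5
      block_response_code           = 403
      max_delayed_count_per_address = 10
    }

    captchas {
      #Required
      failure_message               = "message"
      session_expiration_in_seconds = 10
      submit_label                  = "label"
      title                         = "root page"
      url                           = "/"
      #Optional
      footer_text = "footer_text"
      header_text = "header_text"
    }

    device_fingerprint_challenge {
      is_enabled                   = true
      action                       = "DETECT"
      action_expiration_in_seconds = 10
      challenge_settings {
        block_action                 = "SET_RESPONSE_CODE"
        block_error_page_code        = 403
        block_error_page_description = "blockErrorPageDescription"
        block_error_page_message     = "blockErrorPageMessage"
        block_response_code          = 403
        captcha_footer               = "captchaFooter"
        captcha_header               = "captchaHeader"
        captcha_submit_label         = "captchaSubmitLabel"
        captcha_title                = "captchaTitle"
      }
      failure_threshold                       = 10
      failure_threshold_expiration_in_seconds = 10
      max_address_count                       = 10
      max_address_count_expiration_in_seconds = 10
    }

    human_interaction_challenge {
      is_enabled                   = true
      action                       = "DETECT"
      action_expiration_in_seconds = 10
      challenge_settings {
        block_action                 = "SET_RESPONSE_CODE"
        block_error_page_code        = 403
        block_error_page_description = "blockErrorPageDescription"
        block_error_page_message     = "blockErrorPageMessage"
        block_response_code          = 403
        captcha_footer               = "captchaFooter"
        captcha_header               = "captchaHeader"
        captcha_submit_label         = "captchaSubmitLabel"
        captcha_title                = "captchaTitle"
      }
      failure_threshold                       = 10
      failure_threshold_expiration_in_seconds = 10
      interaction_threshold                   = 10
      recording_period_in_seconds             = 10
      set_http_header {
        name  = "hc_name1"
        value = "hc_value1"
      }
    }

    js_challenge {
      is_enabled                   = true
      action                       = "DETECT"
      action_expiration_in_seconds = 10
      challenge_settings {
        block_action                 = "SET_RESPONSE_CODE"
        block_error_page_code        = 403
        block_error_page_description = "blockErrorPageDescription"
        block_error_page_message     = "blockErrorPageMessage"
        block_response_code          = 403
        captcha_footer               = "captchaFooter"
        captcha_header               = "captchaHeader"
        captcha_submit_label         = "captchaSubmitLabel"
        captcha_title                = "captchaTitle"
      }
      failure_threshold = 10
    }

    protection_settings {
      # PUT and DELETE are let through the edge; trim this list to the verbs
      # the origin actually serves.
      allowed_http_methods         = ["OPTIONS", "GET", "HEAD", "POST", "DELETE", "PUT"]
      block_action                 = "SET_RESPONSE_CODE"
      block_error_page_code        = 403
      block_error_page_description = "Access blocked by website owner. Please contact support."
      block_error_page_message     = "Access to the website is blocked."
      block_response_code          = 403
      is_response_inspected        = false
      max_argument_count                 = 10
      max_name_length_per_argument       = 10
      max_response_size_in_ki_b          = 10
      max_total_name_length_of_arguments = 10
      # "application/json" was listed twice in the original and is kept once.
      # "application/plain" is not a registered media type — confirm what was
      # intended (possibly "text/plain", already present).
      media_types = [
        "text/html",
        "text/plain",
        "text/asp",
        "application/json",
        "application/x-javascript",
        "application/javascript",
        "text/javascript",
        "application/xml",
        "text/xml",
        "application/plain",
      ]
      recommendations_period_in_days = 5
    }
  }
}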
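# Reads each created policy back through the data source. The ids filter
# already pins exactly one policy per count.index; display_names now mirrors
# the resource's display_name (base name + count.index) so the two filters
# agree instead of asking for the un-suffixed base name.
data "oci_waas_waas_policies" "test_waas_policies" {
  count          = var.instance_count
  compartment_id = var.compartment_ocid
  display_names  = ["${var.waas_policy_display_name}${count.index}"]
  ids            = [oci_waas_waas_policy.student_waf_policy[count.index].id]
  states         = ["ACTIVE"]
}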
modify DNS
##waas_policy_display_name = "student"
##waas_domain = "student"
##labs_domain = "emeacloudpursuitlabs.com"
student1-waf-emeacloudpursuitlabs-com.b.waas.oci.oraclecloud.net
"${waas_policy_display_name}-waf-${labs_domain}.b.waas.oci.oraclecloud.net}"
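# One CNAME per policy, pointing the student hostname at the WAAS edge.
resource "oci_dns_record" "record-cname" {
  count      = var.instance_count
  depends_on = [oci_waas_waas_policy.student_waf_policy]

  zone_name_or_id = local.upper_domain
  # Must equal the policy's `domain` (var.waas_domain + index + "-waf." +
  # labs_domain). The previous hard-coded "student" prefix only matched
  # while var.waas_domain happened to be "student".
  domain = "${var.waas_domain}${count.index}-waf.${local.upper_domain}"
  rtype  = "CNAME"
  # Direct index into the counted resource replaces
  # element(flatten(list(... .*.cname)), count.index), which used the
  # deprecated list() function.
  rdata = oci_waas_waas_policy.student_waf_policy[count.index].cname
  ttl   = 3600
}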
before
modify DNS
/*
resource "oci_dns_record" "record-cname" {
zone_name_or_id = "emeacloudpursuitlabs.com"
domain = "${var.waas_domain}"
rtype = "CNAME"
rdata = "${oci_waas_waas_policy.student0_waas_policy.cname}"
ttl = 3600
}
*/
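# Un-counted lookup of all created policies. As pasted, display_names, ids
# and states were malformed scalars (`...display_name.}`, `..id`,
# `"ACTIVE".`); the schema takes lists, written here the same way as in the
# test_waas_policies data block.
data "oci_waas_waas_policies" "student_waf_policy" {
  compartment_id = var.compartment_ocid
  // count = var.instance_count

  #Optional
  # NOTE(review): the resource's display_name carries a count.index suffix,
  # so if this filter is an exact match it will not select anything; the ids
  # filter below is sufficient on its own. Confirm the API's matching rule.
  display_names = [var.waas_policy_display_name]
  ids           = oci_waas_waas_policy.student_waf_policy[*].id
  //cname = oci_waas_waas_policy.student_waf_policy[*].cname
  states        = ["ACTIVE"]

  time_created_greater_than_or_equal_to = "2018-01-01T00:00:00.000Z"
  time_created_less_than                = "2038-01-01T00:00:00.000Z"
}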
# CNAME target of every created policy, one entry per count.index.
output "cnames" {
  value = oci_waas_waas_policy.student_waf_policy[*].cname
}
# Full attribute dump of every created policy; this is the `waas_policies`
# value shown at the end of the report.
output "waas_policies" {
  value = oci_waas_waas_policy.student_waf_policy[*]
}
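# Writes a one-line smoke-test script per student. `curl -k` disables TLS
# certificate verification; that is tolerable only against a lab
# certificate, so drop the flag once a trusted chain is in place.
resource "local_file" "test_waf_url" {
  depends_on = [oci_dns_record.record-cname]
  count      = var.instance_count
  # Hostname is built exactly like the policy domain (var.waas_domain +
  # index + "-waf." + labs_domain) instead of a hard-coded "student" prefix,
  # so the script keeps pointing at the right host if waas_domain changes.
  content  = "curl -k https://${var.waas_domain}${count.index}-waf.${var.labs_domain}"
  filename = "${count.index}test_waf_url.sh"
}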
The policy takes more than 60 minutes to create, and at the end it is empty — no protection rules are created.
This is what is dumped:
waas_policies = [
{
"additional_domains" = []
"cname" = "student0-waf-emeacloudpursuit-com.b.waas.oci.oraclecloud.net"
"compartment_id" = "ocid1.compartment.oc1..aaaaaaaa375sfgxnc24b3rmxjju6ttxv264t6ukiyv42txxfxs3zj2difroa"
"display_name" = "student0"
"domain" = "student0-waf.emeacloudpursuit.com"
"freeform_tags" = {}
"id" = "ocid1.waaspolicy.oc1..aaaaaaaayxcw6hjqf3dooqycs6d2p6emgbb5y7g5i3vm34hka6c4h4tum2fa"
"origin_groups" = [
{
"label" = "originGroups1"
"origin_group" = [
{
"origin" = "primary"
"weight" = 1
},
]
},
]
"origins" = [
{
"custom_headers" = [
{
"name" = "user"
"value" = "student"
},
]
"http_port" = 8000
"https_port" = 4443
"label" = "primary"
"uri" = "132.145.31.52"
},
]
"policy_config" = [
{
"certificate_id" = "ocid1.waascertificate.oc1..aaaaaaaardhsfknt7jmt3u7c5f35fg4rwhkrc4b5mdovmdzb5i4th34qqiqq"
"cipher_group" = ""
"client_address_header" = "X_FORWARDED_FOR"
"is_behind_cdn" = false
"is_cache_control_respected" = false
"is_https_enabled" = true
"is_https_forced" = true
"is_origin_compression_enabled" = false
"is_response_buffering_enabled" = false
"tls_protocols" = []
},
]
"state" = "ACTIVE"
"time_created" = "2019-10-10 19:51:17.576 +0000 UTC"
"timeouts" = {
"create" = "120m"
"delete" = "120m"
"update" = "120m"
}
"waf_config" = [
{
"access_rules" = []
"address_rate_limiting" = [
{
"allowed_rate_per_address" = 1
"block_response_code" = 503
"is_enabled" = false
"max_delayed_count_per_address" = 10
},
]
"caching_rules" = []
"captchas" = []
"custom_protection_rules" = []
"device_fingerprint_challenge" = [
{
"action" = "DETECT"
"action_expiration_in_seconds" = 60
"challenge_settings" = [
{
"block_action" = "SHOW_ERROR_PAGE"
"block_error_page_code" = "DFC"
"block_error_page_description" = "Access blocked by website owner. Please contact support."
"block_error_page_message" = "Access to the website is blocked."
"block_response_code" = 403
"captcha_footer" = "Enter the letters and numbers as they are shown in image above."
"captcha_header" = "We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below."
"captcha_submit_label" = "Yes, I am human."
"captcha_title" = "Are you human?"
},
]
"failure_threshold" = 10
"failure_threshold_expiration_in_seconds" = 60
"is_enabled" = false
"max_address_count" = 20
"max_address_count_expiration_in_seconds" = 60
},
]
"human_interaction_challenge" = [
{
"action" = "DETECT"
"action_expiration_in_seconds" = 60
"challenge_settings" = [
{
"block_action" = "SHOW_ERROR_PAGE"
"block_error_page_code" = "HIC"
"block_error_page_description" = "Access blocked by website owner. Please contact support."
"block_error_page_message" = "Access to the website is blocked."
"block_response_code" = 403
"captcha_footer" = "Enter the letters and numbers as they are shown in image above."
"captcha_header" = "We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below."
"captcha_submit_label" = "Yes, I am human."
"captcha_title" = "Are you human?"
},
]
"failure_threshold" = 10
"failure_threshold_expiration_in_seconds" = 60
"interaction_threshold" = 3
"is_enabled" = false
"recording_period_in_seconds" = 15
"set_http_header" = []
},
]
"js_challenge" = [
{
"action" = "DETECT"
"action_expiration_in_seconds" = 60
"challenge_settings" = [
{
"block_action" = "SHOW_ERROR_PAGE"
"block_error_page_code" = "JSC-403"
"block_error_page_description" = "Access blocked by website owner. Please contact support."
"block_error_page_message" = "Access to the website is blocked."
"block_response_code" = 403
"captcha_footer" = "Enter the letters and numbers as they are shown in image above."
"captcha_header" = "We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below."
"captcha_submit_label" = "Yes, I am human."
"captcha_title" = "Are you human?"
},
]
"failure_threshold" = 10
"is_enabled" = false
"set_http_header" = [
{
"name" = "x-jsc-alerts"
"value" = "{failed_amount}"
},
]
},
]
"origin" = "primary"
"origin_groups" = []
"protection_settings" = [
{
"allowed_http_methods" = [
"GET",
"POST",
"HEAD",
"OPTIONS",
]
"block_action" = "SET_RESPONSE_CODE"
"block_error_page_code" = "403"
"block_error_page_description" = "Access blocked by website owner. Please contact support."
"block_error_page_message" = "Access to the website is blocked."
"block_response_code" = 403
"is_response_inspected" = false
"max_argument_count" = 255
"max_name_length_per_argument" = 400
"max_response_size_in_ki_b" = 1024
"max_total_name_length_of_arguments" = 64000
"media_types" = [
"text/html",
"text/plain",
]
"recommendations_period_in_days" = 10
},
]
"whitelists" = []
},
]
},
Are there any obvious mistakes in the config?
Terraform runs the script and creates a simple config; all the protection settings / captchas ... are not there.
Are there any errors in my config, or is there a bug?
thanks
Eugene