diff --git a/go.mod b/go.mod index cfffbfec7f..37d4581cb2 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/mitchellh/go-homedir v1.1.0 github.com/mozillazg/go-httpheader v0.3.0 // indirect github.com/pkg/errors v0.9.1 - github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/antiddos v1.0.334 + github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/antiddos v1.0.353 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/api v1.0.285 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/apigateway v1.0.199 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/as v1.0.199 @@ -30,7 +30,7 @@ require ( github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/clb v1.0.283 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cloudaudit v1.0.199 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cls v1.0.291 - github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.351 + github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.353 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cvm v1.0.351 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cynosdb v1.0.199 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dayu v1.0.335 diff --git a/go.sum b/go.sum index 07b2fc0220..55b2649ea3 100644 --- a/go.sum +++ b/go.sum @@ -448,6 +448,8 @@ github.com/tdakkota/asciicheck v0.0.0-20200416190851-d7f85be797a2 h1:Xr9gkxfOP0K github.com/tdakkota/asciicheck v0.0.0-20200416190851-d7f85be797a2/go.mod h1:yHp0ai0Z9gUljN3o0xMhYJnH/IcvkdTBOX2fmJ93JEM= github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/antiddos v1.0.334 h1:wQMm0QGdVvdkYALiav8MHWnigkpquU4XiUsMOzEtw38= github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/antiddos v1.0.334/go.mod h1:6ficOD4j2/gwkkXUrSlInWqKIAuWrIid1u4UvMiC41A= +github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/antiddos v1.0.353 h1:96xJ0rJ6x8P+2GkuCKDfUS83E5Blnvdxi/FmKdelX+Q= +github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/antiddos v1.0.353/go.mod h1:E/Y+Rga/DOO+ZpBRQKSigaRnw6h1uJbIURKXI+6ozz4= github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/api v1.0.285 h1:gFmukRGLtYiXVBVvg/5DP/0fM1+dKpwDjT+khtDVLmc= github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/api v1.0.285/go.mod h1:aGlXSWjtSnE6kuqcaRy/NKj1CLiB8NlMSHGsDn+k7Ag= github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/apigateway v1.0.199 h1:e9M5HSIq2xw61Oz9whoaq+QT95rZtowkY/2zhdzx9v4= @@ -485,6 +487,8 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.332 h1:sIRd github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.332/go.mod h1:7sCQWVkxcsR38nffDW057DRGk8mUjK1Ing/EFOK8s8Y= github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.351 h1:BpVJoxG5kajBS7PYDeoujh4IDXr1sj3KNXn0GsceS2M= github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.351/go.mod h1:7sCQWVkxcsR38nffDW057DRGk8mUjK1Ing/EFOK8s8Y= +github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.353 h1:rFkcKuLFxt2xolSWbyeznetTBw9Cyhe1ycILmEkE1Pk= +github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.353/go.mod h1:7sCQWVkxcsR38nffDW057DRGk8mUjK1Ing/EFOK8s8Y= github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cvm v1.0.199 h1:ajgJogYSIQ5u1PIbiV5nsvr5K0fYpm1/T7Dy+mxEM6U= github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cvm v1.0.199/go.mod h1:AqyM/ZZMD7q5mHBqNY9YImbSpEpoEe7E/vrTbUWX+po= github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cvm v1.0.351 h1:zqJsH5pxGT57La7NAOOyMQxsuM11pupNBwV1dzXcT24= diff --git a/tencentcloud/extension_ddos.go b/tencentcloud/extension_ddos.go index 07cf157101..7e4c6ad52d 100644 --- a/tencentcloud/extension_ddos.go +++ b/tencentcloud/extension_ddos.go @@ -1,5 +1,7 @@ package tencentcloud +import "encoding/json" + const ( DDOS_EIP_BIND_STATUS_BINDING = "BINDING" DDOS_EIP_BIND_STATUS_BIND = "BIND" @@ -16,3 +18,37 @@ const ( ) var DDOS_EIP_BIND_RESOURCE_TYPE = []string{DDOS_EIP_BIND_RESOURCE_TYPE_CVM, DDOS_EIP_BIND_RESOURCE_TYPE_CLB} + +const ( + DDOS_BLACK_WHITE_IP_TYPE_BLACK = "black" + DDOS_BLACK_WHITE_IP_TYPE_WHITE = "white" +) + +func DeltaList(oldInstanceList []interface{}, newInstanceList []interface{}) (increment []string, decrement []string) { + oldInstanceMaps := make(map[string]int) + newInstanceMaps := make(map[string]int) + for _, oldInstance := range oldInstanceList { + buf, _ := json.Marshal(oldInstance) + oldInstanceMaps[string(buf)] = 1 + } + for _, newInstance := range newInstanceList { + buf, _ := json.Marshal(newInstance) + newInstanceMaps[string(buf)] = 1 + } + + for _, oldInstance := range oldInstanceList { + buf, _ := json.Marshal(oldInstance) + key := string(buf) + if newInstanceMaps[key] == 0 { + decrement = append(decrement, key) + } + } + for _, newInstance := range newInstanceList { + buf, _ := json.Marshal(newInstance) + key := string(buf) + if oldInstanceMaps[key] == 0 { + increment = append(increment, key) + } + } + return +} diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go index 864d0fbc0f..ab7336ec50 100644 --- a/tencentcloud/provider.go +++ b/tencentcloud/provider.go @@ -54,6 +54,7 @@ Anti-DDoS(DayuV2) tencentcloud_dayu_eip tencentcloud_dayu_l4_rule tencentcloud_dayu_l7_rule_v2 + tencentcloud_dayu_ddos_policy_v2 Anti-DDoS(Dayu) Data Source @@ -959,6 +960,7 @@ func Provider() terraform.ResourceProvider { "tencentcloud_dayu_cc_http_policy": resourceTencentCloudDayuCCHttpPolicy(), "tencentcloud_dayu_cc_https_policy": resourceTencentCloudDayuCCHttpsPolicy(), "tencentcloud_dayu_ddos_policy": resourceTencentCloudDayuDdosPolicy(), + "tencentcloud_dayu_ddos_policy_v2": resourceTencentCloudDayuDdosPolicyV2(), "tencentcloud_dayu_ddos_policy_case": resourceTencentCloudDayuDdosPolicyCase(), "tencentcloud_dayu_ddos_policy_attachment": resourceTencentCloudDayuDdosPolicyAttachment(), "tencentcloud_dayu_l4_rule": resourceTencentCloudDayuL4Rule(), diff --git a/tencentcloud/resource_tc_dayu_ddos_policy_v2.go b/tencentcloud/resource_tc_dayu_ddos_policy_v2.go new file mode 100644 index 0000000000..0bea03c629 --- /dev/null +++ b/tencentcloud/resource_tc_dayu_ddos_policy_v2.go @@ -0,0 +1,1325 @@ +/* +Use this resource to create dayu DDoS policy v2 + +Example Usage + +```hcl +resource "tencentcloud_dayu_ddos_policy_v2" "ddos_v2" { + resource_id = "bgpip-000004xf" + business = "bgpip" + ddos_threshold="100" + ddos_level="low" + black_white_ips { + ip = "1.2.3.4" + ip_type = "black" + } + acls { + action = "transmit" + d_port_start = 1 + d_port_end = 10 + s_port_start=10 + s_port_end=20 + priority=9 + forward_protocol="all" + } + protocol_block_config { + drop_icmp=1 + drop_tcp=0 + drop_udp=0 + drop_other=0 + } + ddos_connect_limit { + sd_new_limit=10 + sd_conn_limit=11 + dst_new_limit=20 + dst_conn_limit=21 + bad_conn_threshold=30 + syn_rate=10 + syn_limit=20 + conn_timeout=30 + null_conn_enable=1 + } + ddos_ai="on" + ddos_geo_ip_block_config { + action="drop" + area_list=["100001"] + region_type="customized" + } + ddos_speed_limit_config { + protocol_list="TCP" + dst_port_list="10" + mode=1 + packet_rate=10 + bandwidth=20 + } + packet_filters { + action="drop" + protocol="all" + s_port_start=10 + s_port_end=10 + d_port_start=20 + d_port_end=20 + pktlen_min=30 + pktlen_max=30 + str="12" + str2="30" + match_logic="and" + match_type="pcre" + match_type2="pcre" + match_begin="begin_l3" + match_begin2="begin_l3" + depth=2 + depth2=3 + offset=1 + offset2=2 + is_not=0 + is_not2=0 + } +} + +``` +*/ +package tencentcloud + +import ( + "context" + "encoding/json" + "fmt" + "strings" + + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + antiddos "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/antiddos/v20200309" + "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/internal/helper" +) + +func resourceTencentCloudDayuDdosPolicyV2() *schema.Resource { + return &schema.Resource{ + Create: resourceTencentCloudDayuDdosPolicyV2Create, + Read: resourceTencentCloudDayuDdosPolicyV2Read, + Update: resourceTencentCloudDayuDdosPolicyV2Update, + Delete: resourceTencentCloudDayuDdosPolicyV2Delete, + + Schema: map[string]*schema.Schema{ + "resource_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: "The ID of the resource instance.", + }, + "business": { + Type: schema.TypeString, + Optional: true, + Description: "Bussiness of resource instance. bgpip indicates anti-anti-ip ip; bgp means exclusive package; bgp-multip means shared packet; net indicates anti-anti-ip pro version.", + }, + "ddos_threshold": { + Type: schema.TypeInt, + Optional: true, + Description: "DDoS cleaning threshold, value[0, 60, 80, 100, 150, 200, 250, 300, 400, 500, 700, 1000]; When the value is set to 0, it means that the default value is adopted.", + }, + "ddos_level": { + Type: schema.TypeString, + Optional: true, + Description: "Protection class, value [`low`, `middle`, `high`].", + }, + "black_white_ips": { + Type: schema.TypeList, + Optional: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "ip": { + Type: schema.TypeString, + Required: true, + Description: "Ip of resource instance.", + }, + "ip_type": { + Type: schema.TypeString, + Required: true, + Description: "IP type, value [`black`(blacklist IP), `white` (whitelist IP)].", + }, + }, + }, + Description: "DDoS-protected IP blacklist and whitelist.", + }, + "acls": { + Type: schema.TypeList, + Optional: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "action": { + Type: schema.TypeString, + Required: true, + Description: "Action, optional values: drop, transmit, forward.", + }, + "d_port_start": { + Type: schema.TypeInt, + Required: true, + Description: "The destination port starts, and the value range is 0~65535.", + }, + "d_port_end": { + Type: schema.TypeInt, + Required: true, + Description: "The destination port ends, and the value range is 0~65535.", + }, + "s_port_start": { + Type: schema.TypeInt, + Required: true, + Description: "The source port starts, and the value range is 0~65535.", + }, + "s_port_end": { + Type: schema.TypeInt, + Required: true, + Description: "The source port ends, and the acceptable value ranges from 0 to 65535.", + }, + "priority": { + Type: schema.TypeInt, + Required: true, + Description: "Policy priority, the lower the number, the higher the level, the higher the rule matches, taking a value of 1-1000.Note: This field may return null, indicating that a valid value could not be retrieved.", + }, + "forward_protocol": { + Type: schema.TypeString, + Required: true, + Description: "Protocol type, desirable values tcp, udp, all.", + }, + }, + }, + Description: "Port ACL policy for DDoS protection.", + }, + "protocol_block_config": { + Type: schema.TypeList, + Optional: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "drop_icmp": { + Type: schema.TypeInt, + Required: true, + Description: "ICMP block, value [0 (block off), 1 (block on)].", + }, + "drop_tcp": { + Type: schema.TypeInt, + Required: true, + Description: "TCP block, value [0 (block off), 1 (block on)].", + }, + "drop_udp": { + Type: schema.TypeInt, + Required: true, + Description: "UDP block, value [0 (block off), 1 (block on)].", + }, + "drop_other": { + Type: schema.TypeInt, + Required: true, + Description: "Other block, value [0 (block off), 1 (block on)].", + }, + }, + }, + Description: "Protocol block configuration for DDoS protection.", + }, + "ddos_connect_limit": { + Type: schema.TypeList, + MaxItems: 1, + Optional: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "sd_new_limit": { + Type: schema.TypeInt, + Required: true, + Description: "The limit on the number of news per second based on source IP + destination IP.", + }, + "sd_conn_limit": { + Type: schema.TypeInt, + Required: true, + Description: "Concurrent connection control based on source IP + destination IP.", + }, + "dst_new_limit": { + Type: schema.TypeInt, + Required: true, + Description: "Limit on the number of news per second based on the destination IP.", + }, + "dst_conn_limit": { + Type: schema.TypeInt, + Required: true, + Description: "Concurrent connection control based on destination IP+ destination port.", + }, + "bad_conn_threshold": { + Type: schema.TypeInt, + Required: true, + Description: "Based on connection suppression trigger threshold, value range [0,4294967295].", + }, + "syn_rate": { + Type: schema.TypeInt, + Required: true, + Description: "Anomalous connection detection condition, percentage of syn ack, value range [0,100].", + }, + "syn_limit": { + Type: schema.TypeInt, + Required: true, + Description: "Anomaly connection detection condition, syn threshold, value range [0,100].", + }, + "conn_timeout": { + Type: schema.TypeInt, + Required: true, + Description: "Abnormal connection detection condition, connection timeout, value range [0,65535].", + }, + "null_conn_enable": { + Type: schema.TypeInt, + Required: true, + Description: "Abnormal connection detection conditions, empty connection guard switch, value range[0,1].", + }, + }, + }, + Description: "DDoS connection suppression options.", + }, + "ddos_ai": { + Type: schema.TypeString, + Optional: true, + Description: "AI protection switch, take the value [`on`, `off`].", + }, + "ddos_geo_ip_block_config": { + Type: schema.TypeList, + Optional: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "action": { + Type: schema.TypeString, + Required: true, + Description: "Block action, take the value [`drop`, `trans`].", + }, + "area_list": { + Type: schema.TypeList, + Elem: &schema.Schema{Type: schema.TypeInt}, + Required: true, + Description: "When the RegionType is customized, the AreaList must be filled in, and a maximum of 128 must be filled in.", + }, + "region_type": { + Type: schema.TypeString, + Required: true, + Description: "Zone type, value [oversea (overseas),china (domestic),customized (custom region)].", + }, + }, + }, + Description: "DDoS-protected area block configuration.", + }, + "ddos_speed_limit_config": { + Type: schema.TypeList, + Optional: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "protocol_list": { + Type: schema.TypeString, + Required: true, + Description: "IP protocol numbers, take the value[ ALL (all protocols),TCP (tcp protocol),UDP (udp protocol),SMP (smp protocol),1; 2-100 (custom protocol number range, up to 8)].", + }, + "dst_port_list": { + Type: schema.TypeString, + Required: true, + Description: "List of port ranges, up to 8, multiple; Separated, the range is represented with -; this port range must be filled in; fill in the style 1:0-65535, style 2:80; 443; 1000-2000.", + }, + "mode": { + Type: schema.TypeInt, + Required: true, + Description: "Speed limit mode, take the value [1 (speed limit based on source IP),2 (speed limit based on destination port)].", + }, + "packet_rate": { + Type: schema.TypeInt, + Required: true, + Description: "Packet rate pps.", + }, + "bandwidth": { + Type: schema.TypeInt, + Required: true, + Description: "Bandwidth bps.", + }, + }, + }, + Description: "Access speed limit configuration for DDoS protection.", + }, + "packet_filters": { + Type: schema.TypeList, + Optional: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "action": { + Type: schema.TypeString, + Required: true, + Description: "Action, take the value [drop,transmit,drop_black (discard and black out),drop_rst (Interception),drop_black_rst (intercept and block),forward].", + }, + "protocol": { + Type: schema.TypeString, + Required: true, + Description: "Protocol, value [tcp udp icmp all].", + }, + "s_port_start": { + Type: schema.TypeInt, + Required: true, + Description: "Start the source port, take the value 0~65535.", + }, + "s_port_end": { + Type: schema.TypeInt, + Required: true, + Description: "End source port, take the value 1~65535, must be greater than or equal to the starting source port.", + }, + "d_port_start": { + Type: schema.TypeInt, + Required: true, + Description: "From the destination port, take the value 0~65535.", + }, + "d_port_end": { + Type: schema.TypeInt, + Required: true, + Description: "The end destination port, take the value 1~65535, which must be greater than or equal to the starting destination port.", + }, + "pktlen_min": { + Type: schema.TypeInt, + Required: true, + Description: "Minimum message length, 1-1500.", + }, + "pktlen_max": { + Type: schema.TypeInt, + Required: true, + Description: "The maximum message length, taken from 1 to 1500, must be greater than or equal to the minimum message length.", + }, + "str": { + Type: schema.TypeString, + Required: true, + Description: "Detect values, key strings or regular expressions, take the value [When the detection type is sunday, please fill in the string or hexadecimal bytecode, for example \x313233 corresponds to the hexadecimal bytecode of the string `123`;When the detection type is pcre, please fill in the regular expression string;].", + }, + "str2": { + Type: schema.TypeString, + Required: true, + Description: "The second detection value, the key string or regular expression, takes the value [When the detection type is sunday, please fill in the string or hexadecimal bytecode, for example \x313233 corresponds to the hexadecimal bytecode of the string `123`;When the detection type is pcre, please fill in the regular expression string;].", + }, + "match_logic": { + Type: schema.TypeString, + Required: true, + Description: "When there is a second detection condition, the and/or relationship with the first detection condition, takes the value [And (and relationship),none (fill in this value when there is no second detection condition)].", + }, + "match_type": { + Type: schema.TypeString, + Required: true, + Description: "Detection type, value [sunday (keyword),pcre (regular expression)].", + }, + "match_type2": { + Type: schema.TypeString, + Required: true, + Description: "The second type of detection, takes the value [sunday (keyword),pcre (regular expression)].", + }, + "match_begin": { + Type: schema.TypeString, + Required: true, + Description: "Detect position, take the value [begin_l3 (IP header),begin_l4 (TCP/UDP header),begin_l5 (T load), no_match (mismatch)].", + }, + "match_begin2": { + Type: schema.TypeString, + Required: true, + Description: "The second detection position. take the value [begin_l3 (IP header),begin_l4 (TCP/UDP header),begin_l5 (T load), no_match (mismatch)].", + }, + "depth": { + Type: schema.TypeInt, + Required: true, + Description: "Detection depth from the detection position, value [0,1500].", + }, + "depth2": { + Type: schema.TypeInt, + Required: true, + Description: "Second detection depth starting from the second detection position, value [0,1500].", + }, + "offset": { + Type: schema.TypeInt, + Required: true, + Description: "Offset from detection position, value range [0, Depth].", + }, + "offset2": { + Type: schema.TypeInt, + Required: true, + Description: "Offset from the second detection position, value range [0,Depth2].", + }, + "is_not": { + Type: schema.TypeInt, + Required: true, + Description: "Whether to include the detected value, take the value [0 (included),1 (not included)].", + }, + "is_not2": { + Type: schema.TypeInt, + Required: true, + Description: "Whether the second detection contains the detected value, the value [0 (included),1 (not included)].", + }, + }, + }, + Description: "Feature filtering rules for DDoS protection.", + }, + }, + } +} + +func resourceTencentCloudDayuDdosPolicyV2Create(d *schema.ResourceData, meta interface{}) error { + defer logElapsed("resource.tencentcloud_dayu_ddos_policy_v2.create")() + logId := getLogId(contextNil) + ctx := context.WithValue(context.TODO(), logIdKey, logId) + antiddosService := AntiddosService{client: meta.(*TencentCloudClient).apiV3Conn} + + resourceId := d.Get("resource_id").(string) + business := d.Get("business").(string) + + d.SetId(resourceId + FILED_SP + business) + if v, ok := d.GetOk("black_white_ips"); ok { + blackWhiteIps := v.([]interface{}) + blacks := make([]string, 0) + whites := make([]string, 0) + for _, blackWhiteIpItem := range blackWhiteIps { + blackWhiteIp := blackWhiteIpItem.(map[string]interface{}) + if blackWhiteIp["ip_type"].(string) == DDOS_BLACK_WHITE_IP_TYPE_WHITE { + whites = append(whites, blackWhiteIp["ip"].(string)) + } + if blackWhiteIp["ip_type"].(string) == DDOS_BLACK_WHITE_IP_TYPE_BLACK { + blacks = append(blacks, blackWhiteIp["ip"].(string)) + } + + } + if len(blacks) > 0 { + err := antiddosService.CreateDDoSBlackWhiteIpList(ctx, resourceId, blacks, DDOS_BLACK_WHITE_IP_TYPE_BLACK) + if err != nil { + return err + } + + } + if len(whites) > 0 { + err := antiddosService.CreateDDoSBlackWhiteIpList(ctx, resourceId, whites, DDOS_BLACK_WHITE_IP_TYPE_WHITE) + if err != nil { + return err + } + } + + } + + if v, ok := d.GetOk("ddos_level"); ok { + ddosLevel := v.(string) + err := antiddosService.ModifyDDoSLevel(ctx, business, resourceId, ddosLevel) + if err != nil { + return err + } + } + if v, ok := d.GetOk("ddos_threshold"); ok { + threshold := v.(int) + err := antiddosService.ModifyDDoSThreshold(ctx, business, resourceId, threshold) + if err != nil { + return err + } + } + + if v, ok := d.GetOk("acls"); ok { + acls := v.([]interface{}) + for _, aclItem := range acls { + acl := aclItem.(map[string]interface{}) + action := acl["action"].(string) + dPortStart := acl["d_port_start"].(int) + dPortEnd := acl["d_port_end"].(int) + sPortStart := acl["s_port_start"].(int) + sPortEnd := acl["s_port_end"].(int) + priority := acl["priority"].(int) + forwardProtocol := acl["forward_protocol"].(string) + tmpAclConfig := antiddos.AclConfig{ + Action: &action, + DPortStart: helper.IntUint64(dPortStart), + DPortEnd: helper.IntUint64(dPortEnd), + SPortStart: helper.IntUint64(sPortStart), + SPortEnd: helper.IntUint64(sPortEnd), + Priority: helper.IntUint64(priority), + ForwardProtocol: &forwardProtocol, + } + err := antiddosService.CreatePortAclConfig(ctx, resourceId, tmpAclConfig) + if err != nil { + return err + } + } + } + + if v, ok := d.GetOk("protocol_block_config"); ok { + protocolBlockConfigs := v.([]interface{}) + for _, protocolBlockConfigItem := range protocolBlockConfigs { + protocolBlockConfig := protocolBlockConfigItem.(map[string]interface{}) + dropIcmp := protocolBlockConfig["drop_icmp"].(int) + dropTcp := protocolBlockConfig["drop_tcp"].(int) + dropUdp := protocolBlockConfig["drop_udp"].(int) + dropOther := protocolBlockConfig["drop_other"].(int) + tmpProtocolBlockConfig := antiddos.ProtocolBlockConfig{ + DropIcmp: helper.IntInt64(dropIcmp), + DropTcp: helper.IntInt64(dropTcp), + DropUdp: helper.IntInt64(dropUdp), + DropOther: helper.IntInt64(dropOther), + } + err := antiddosService.CreateProtocolBlockConfig(ctx, resourceId, tmpProtocolBlockConfig) + if err != nil { + return err + } + } + } + + if v, ok := d.GetOk("ddos_connect_limit"); ok { + ddosConnectLimits := v.([]interface{}) + for _, ddosConnectLimitItem := range ddosConnectLimits { + ddosConnectLimit := ddosConnectLimitItem.(map[string]interface{}) + sdNewLimit := ddosConnectLimit["sd_new_limit"].(int) + sdConnLimit := ddosConnectLimit["sd_conn_limit"].(int) + dstNewLimit := ddosConnectLimit["dst_new_limit"].(int) + dstConnLimit := ddosConnectLimit["dst_conn_limit"].(int) + badConnThreshold := ddosConnectLimit["bad_conn_threshold"].(int) + synRate := ddosConnectLimit["syn_rate"].(int) + synLimit := ddosConnectLimit["syn_limit"].(int) + connTimeout := ddosConnectLimit["conn_timeout"].(int) + nullConnEnable := ddosConnectLimit["null_conn_enable"].(int) + tmpConnectLimitConfig := antiddos.ConnectLimitConfig{ + SdNewLimit: helper.IntUint64(sdNewLimit), + SdConnLimit: helper.IntUint64(sdConnLimit), + DstNewLimit: helper.IntUint64(dstNewLimit), + DstConnLimit: helper.IntUint64(dstConnLimit), + BadConnThreshold: helper.IntUint64(badConnThreshold), + SynRate: helper.IntUint64(synRate), + SynLimit: helper.IntUint64(synLimit), + ConnTimeout: helper.IntUint64(connTimeout), + NullConnEnable: helper.IntUint64(nullConnEnable), + } + err := antiddosService.CreateDDoSConnectLimit(ctx, resourceId, tmpConnectLimitConfig) + if err != nil { + return err + } + } + } + if v, ok := d.GetOk("ddos_ai"); ok { + err := antiddosService.CreateDDoSAI(ctx, resourceId, v.(string)) + if err != nil { + return err + } + } + if v, ok := d.GetOk("ddos_geo_ip_block_config"); ok { + ddosGeoIpBlockConfigs := v.([]interface{}) + for _, ddosGeoIpBlockConfigItem := range ddosGeoIpBlockConfigs { + ddosGeoIpBlockConfig := ddosGeoIpBlockConfigItem.(map[string]interface{}) + action := ddosGeoIpBlockConfig["action"].(string) + areaList := ddosGeoIpBlockConfig["area_list"].([]interface{}) + regionType := ddosGeoIpBlockConfig["region_type"].(string) + areaInt64List := make([]*int64, 0) + for _, area := range areaList { + areaInt64List = append(areaInt64List, helper.IntInt64(area.(int))) + } + tmpDDoSGeoIPBlockConfig := antiddos.DDoSGeoIPBlockConfig{ + Action: &action, + Id: &resourceId, + RegionType: ®ionType, + AreaList: areaInt64List, + } + err := antiddosService.CreateDDoSGeoIPBlockConfig(ctx, resourceId, tmpDDoSGeoIPBlockConfig) + if err != nil { + return err + } + } + } + if v, ok := d.GetOk("ddos_speed_limit_config"); ok { + ddosConnectLimitList := v.([]interface{}) + for _, ddosConnectLimitItem := range ddosConnectLimitList { + ddosConnectLimit := ddosConnectLimitItem.(map[string]interface{}) + protocolList := ddosConnectLimit["protocol_list"].(string) + dstPortList := ddosConnectLimit["dst_port_list"].(string) + mode := ddosConnectLimit["mode"].(int) + packetRate := ddosConnectLimit["packet_rate"].(int) + bandwidth := ddosConnectLimit["bandwidth"].(int) + + tmpDDosConnectLimit := antiddos.DDoSSpeedLimitConfig{ + ProtocolList: &protocolList, + DstPortList: &dstPortList, + Mode: helper.IntUint64(mode), + SpeedValues: []*antiddos.SpeedValue{ + { + Type: helper.IntUint64(1), + Value: helper.IntUint64(packetRate), + }, + { + Type: helper.IntUint64(2), + Value: helper.IntUint64(bandwidth), + }, + }, + } + err := antiddosService.CreateDDoSSpeedLimitConfig(ctx, resourceId, tmpDDosConnectLimit) + if err != nil { + return err + } + } + } + + if v, ok := d.GetOk("packet_filters"); ok { + packetFilters := v.([]interface{}) + for _, packetFilterItem := range packetFilters { + packetFilter := packetFilterItem.(map[string]interface{}) + action := packetFilter["action"].(string) + protocol := packetFilter["protocol"].(string) + sPortStart := packetFilter["s_port_start"].(int) + sPortEnd := packetFilter["s_port_end"].(int) + dPortStart := packetFilter["d_port_start"].(int) + dPortEnd := packetFilter["d_port_end"].(int) + pktlenMin := packetFilter["pktlen_min"].(int) + pktlenMax := packetFilter["pktlen_max"].(int) + str := packetFilter["str"].(string) + str2 := packetFilter["str2"].(string) + matchLogic := packetFilter["match_logic"].(string) + matchType := packetFilter["match_type"].(string) + matchType2 := packetFilter["match_type2"].(string) + matchBegin := packetFilter["match_begin"].(string) + matchBegin2 := packetFilter["match_begin2"].(string) + depth := packetFilter["depth"].(int) + depth2 := packetFilter["depth2"].(int) + offset := packetFilter["offset"].(int) + offset2 := packetFilter["offset2"].(int) + isNot := packetFilter["is_not"].(int) + isNot2 := packetFilter["is_not2"].(int) + + tmpPacketFilter := antiddos.PacketFilterConfig{ + Id: &resourceId, + Action: &action, + Protocol: &protocol, + SportStart: helper.IntInt64(sPortStart), + SportEnd: helper.IntInt64(sPortEnd), + DportStart: helper.IntInt64(dPortStart), + DportEnd: helper.IntInt64(dPortEnd), + PktlenMin: helper.IntInt64(pktlenMin), + PktlenMax: helper.IntInt64(pktlenMax), + Str: &str, + Str2: &str2, + MatchLogic: &matchLogic, + MatchType: &matchType, + MatchType2: &matchType2, + MatchBegin: &matchBegin, + MatchBegin2: &matchBegin2, + Depth: helper.IntInt64(depth), + Offset: helper.IntInt64(offset), + IsNot: helper.IntInt64(isNot), + Depth2: helper.IntInt64(depth2), + Offset2: helper.IntInt64(offset2), + IsNot2: helper.IntInt64(isNot2), + } + err := antiddosService.CreatePacketFilterConfig(ctx, resourceId, tmpPacketFilter) + if err != nil { + return err + } + } + } + + return resourceTencentCloudDayuDdosPolicyV2Read(d, meta) +} + +func resourceTencentCloudDayuDdosPolicyV2Read(d *schema.ResourceData, meta interface{}) error { + defer logElapsed("resource.tencentcloud_dayu_ddos_policy_v2.read")() + logId := getLogId(contextNil) + ctx := context.WithValue(context.TODO(), logIdKey, logId) + antiddosService := AntiddosService{client: meta.(*TencentCloudClient).apiV3Conn} + items := strings.Split(d.Id(), FILED_SP) + if len(items) < 2 { + return fmt.Errorf("broken ID of DDoS policy") + } + instanceId := items[0] + protectThresholdRelation, err := antiddosService.DescribeListProtectThresholdConfig(ctx, instanceId) + if err != nil { + return err + } + ddosLevel := protectThresholdRelation.DDoSLevel + ddosThreshold := protectThresholdRelation.DDoSThreshold + d.Set("ddos_level", ddosLevel) + d.Set("ddos_threshold", ddosThreshold) + + blackWhiteIpRelationList, err := antiddosService.DescribeListBlackWhiteIpList(ctx, instanceId) + if err != nil { + return err + } + blackWhiteIpInfos := make([]map[string]string, 0) + for _, blackWhiteIpRelation := range blackWhiteIpRelationList { + ip := blackWhiteIpRelation.Ip + ipType := blackWhiteIpRelation.Type + blackWhiteIpInfos = append(blackWhiteIpInfos, map[string]string{"ip": *ip, "ip_type": *ipType}) + } + d.Set("black_white_ips", blackWhiteIpInfos) + + aclConfigRelationList, err := antiddosService.DescribeListPortAclList(ctx, instanceId) + if err != nil { + return err + } + acls := make([]map[string]interface{}, 0) + for _, aclConfigRelation := range aclConfigRelationList { + action := aclConfigRelation.AclConfig.Action + dPortStart := aclConfigRelation.AclConfig.DPortStart + dPortEnd := aclConfigRelation.AclConfig.DPortEnd + sPortStart := aclConfigRelation.AclConfig.SPortStart + sPortEnd := aclConfigRelation.AclConfig.SPortEnd + priority := aclConfigRelation.AclConfig.Priority + forwardProtocol := aclConfigRelation.AclConfig.ForwardProtocol + acl := make(map[string]interface{}) + acl["action"] = action + acl["d_port_start"] = dPortStart + acl["d_port_end"] = dPortEnd + acl["s_port_start"] = sPortStart + acl["s_port_end"] = sPortEnd + acl["priority"] = priority + acl["forward_protocol"] = forwardProtocol + acls = append(acls, acl) + } + d.Set("acls", acls) + + protocolBlockRelation, err := antiddosService.DescribeListProtocolBlockConfig(ctx, instanceId) + if err != nil { + return err + } + dropIcmp := protocolBlockRelation.ProtocolBlockConfig.DropIcmp + dropTcp := protocolBlockRelation.ProtocolBlockConfig.DropTcp + dropUdp := protocolBlockRelation.ProtocolBlockConfig.DropUdp + dropOther := protocolBlockRelation.ProtocolBlockConfig.DropOther + protocolBlockConfig := make(map[string]interface{}) + protocolBlockConfig["drop_icmp"] = dropIcmp + protocolBlockConfig["drop_tcp"] = dropTcp + protocolBlockConfig["drop_udp"] = dropUdp + protocolBlockConfig["drop_other"] = dropOther + d.Set("protocol_block_config", []map[string]interface{}{protocolBlockConfig}) + + connectLimitRelation, err := antiddosService.DescribeDDoSConnectLimitList(ctx, instanceId) + if err != nil { + return err + } + ddosConnectLimit := make(map[string]interface{}) + ddosConnectLimit["sd_new_limit"] = connectLimitRelation.SdNewLimit + ddosConnectLimit["sd_conn_limit"] = connectLimitRelation.SdConnLimit + ddosConnectLimit["dst_new_limit"] = connectLimitRelation.DstNewLimit + ddosConnectLimit["dst_conn_limit"] = connectLimitRelation.DstConnLimit + ddosConnectLimit["bad_conn_threshold"] = connectLimitRelation.BadConnThreshold + ddosConnectLimit["syn_rate"] = connectLimitRelation.SynRate + ddosConnectLimit["syn_limit"] = connectLimitRelation.SynLimit + ddosConnectLimit["conn_timeout"] = connectLimitRelation.ConnTimeout + ddosConnectLimit["null_conn_enable"] = connectLimitRelation.NullConnEnable + d.Set("ddos_connect_limit", []map[string]interface{}{ddosConnectLimit}) + + ddoSAIRelation, err := antiddosService.DescribeListDDoSAI(ctx, instanceId) + if err != nil { + return err + } + d.Set("ddos_ai", ddoSAIRelation.DDoSAI) + + ddosGeoIPBlockConfigRelations, err := antiddosService.DescribeListDDoSGeoIPBlockConfig(ctx, instanceId) + if err != nil { + return err + } + ddosGeoIPBlockConfigList := make([]map[string]interface{}, 0) + + for _, ddosGeoIPBlockConfigRelation := range ddosGeoIPBlockConfigRelations { + ddosGeoIPBlockConfig := make(map[string]interface{}) + ddosGeoIPBlockConfig["action"] = ddosGeoIPBlockConfigRelation.GeoIPBlockConfig.Action + ddosGeoIPBlockConfig["area_list"] = ddosGeoIPBlockConfigRelation.GeoIPBlockConfig.AreaList + ddosGeoIPBlockConfig["id"] = ddosGeoIPBlockConfigRelation.GeoIPBlockConfig.Id + ddosGeoIPBlockConfig["region_type"] = ddosGeoIPBlockConfigRelation.GeoIPBlockConfig.RegionType + ddosGeoIPBlockConfigList = append(ddosGeoIPBlockConfigList, ddosGeoIPBlockConfig) + } + + d.Set("ddos_geo_ip_block_config", ddosGeoIPBlockConfigList) + + ddosSpeedLimitConfigRelations, err := antiddosService.DescribeListDDoSSpeedLimitConfig(ctx, instanceId) + if err != nil { + return err + } + ddosSpeedLimitConfigs := make([]map[string]interface{}, 0) + for _, ddosSpeedLimitConfigRelation := range ddosSpeedLimitConfigRelations { + ddosSpeedLimitConfig := make(map[string]interface{}) + ddosSpeedLimitConfig["protocol_list"] = ddosSpeedLimitConfigRelation.SpeedLimitConfig.ProtocolList + ddosSpeedLimitConfig["dst_port_list"] = ddosSpeedLimitConfigRelation.SpeedLimitConfig.DstPortList + ddosSpeedLimitConfig["mode"] = ddosSpeedLimitConfigRelation.SpeedLimitConfig.Mode + for _, speedValue := range ddosSpeedLimitConfigRelation.SpeedLimitConfig.SpeedValues { + if *speedValue.Type == uint64(1) { + ddosSpeedLimitConfig["packet_rate"] = *speedValue.Value + } + if *speedValue.Type == uint64(2) { + ddosSpeedLimitConfig["bandwidth"] = *speedValue.Value + } + + } + ddosSpeedLimitConfigs = append(ddosSpeedLimitConfigs, ddosSpeedLimitConfig) + } + + d.Set("ddos_speed_limit_config", ddosSpeedLimitConfigs) + + packetFilterRelationList, err := antiddosService.DescribeListPacketFilterConfig(ctx, instanceId) + if err != nil { + return err + } + packetFilters := make([]map[string]interface{}, 0) + for _, packetFilterRelation := range packetFilterRelationList { + tmpPacketFilter := make(map[string]interface{}) + tmpPacketFilter["id"] = packetFilterRelation.PacketFilterConfig.Id + tmpPacketFilter["s_port_start"] = packetFilterRelation.PacketFilterConfig.SportStart + tmpPacketFilter["s_port_end"] = packetFilterRelation.PacketFilterConfig.SportEnd + tmpPacketFilter["d_port_start"] = packetFilterRelation.PacketFilterConfig.DportStart + tmpPacketFilter["d_port_end"] = packetFilterRelation.PacketFilterConfig.DportEnd + tmpPacketFilter["pktlen_min"] = packetFilterRelation.PacketFilterConfig.PktlenMin + tmpPacketFilter["pktlen_max"] = packetFilterRelation.PacketFilterConfig.PktlenMax + tmpPacketFilter["str"] = packetFilterRelation.PacketFilterConfig.Str + tmpPacketFilter["str2"] = packetFilterRelation.PacketFilterConfig.Str2 + tmpPacketFilter["match_logic"] = packetFilterRelation.PacketFilterConfig.MatchLogic + tmpPacketFilter["match_type"] = packetFilterRelation.PacketFilterConfig.MatchType + tmpPacketFilter["match_type2"] = packetFilterRelation.PacketFilterConfig.MatchType2 + tmpPacketFilter["match_begin"] = packetFilterRelation.PacketFilterConfig.MatchBegin + tmpPacketFilter["match_begin2"] = packetFilterRelation.PacketFilterConfig.MatchBegin2 + packetFilters = append(packetFilters, tmpPacketFilter) + } + d.Set("packet_filters", packetFilters) + + return nil +} + +func resourceTencentCloudDayuDdosPolicyV2Update(d *schema.ResourceData, meta interface{}) error { + defer logElapsed("resource.tencentcloud_dayu_ddos_policy_v2.read")() + logId := getLogId(contextNil) + ctx := context.WithValue(context.TODO(), logIdKey, logId) + antiddosService := AntiddosService{client: meta.(*TencentCloudClient).apiV3Conn} + items := strings.Split(d.Id(), FILED_SP) + if len(items) < 2 { + return fmt.Errorf("broken ID of DDoS policy") + } + resourceId := items[0] + business := items[1] + d.Partial(true) + + if d.HasChange("ddos_level") { + ddosLevel := d.Get("ddos_level").(string) + err := antiddosService.ModifyDDoSLevel(ctx, business, resourceId, ddosLevel) + if err != nil { + return err + } + } + if d.HasChange("ddos_threshold") { + threshold := d.Get("ddos_threshold").(int) + err := antiddosService.ModifyDDoSThreshold(ctx, business, resourceId, threshold) + if err != nil { + return err + } + } + + if d.HasChange("protocol_block_config") { + protocolBlockConfigs := d.Get("protocol_block_config").([]interface{}) + for _, protocolBlockConfigItem := range protocolBlockConfigs { + protocolBlockConfig := protocolBlockConfigItem.(map[string]interface{}) + dropIcmp := protocolBlockConfig["drop_icmp"].(int) + dropTcp := protocolBlockConfig["drop_tcp"].(int) + dropUdp := protocolBlockConfig["drop_udp"].(int) + dropOther := protocolBlockConfig["drop_other"].(int) + tmpProtocolBlockConfig := antiddos.ProtocolBlockConfig{ + DropIcmp: helper.IntInt64(dropIcmp), + DropTcp: helper.IntInt64(dropTcp), + DropUdp: helper.IntInt64(dropUdp), + DropOther: helper.IntInt64(dropOther), + } + err := antiddosService.CreateProtocolBlockConfig(ctx, resourceId, tmpProtocolBlockConfig) + if err != nil { + return err + } + } + d.SetPartial("protocol_block_config") + } + + if d.HasChange("ddos_connect_limit") { + ddosConnectLimits := d.Get("ddos_connect_limit").([]interface{}) + for _, ddosConnectLimitItem := range ddosConnectLimits { + ddosConnectLimit := ddosConnectLimitItem.(map[string]interface{}) + sdNewLimit := ddosConnectLimit["sd_new_limit"].(int) + sdConnLimit := ddosConnectLimit["sd_conn_limit"].(int) + dstNewLimit := ddosConnectLimit["dst_new_limit"].(int) + dstConnLimit := ddosConnectLimit["dst_conn_limit"].(int) + badConnThreshold := ddosConnectLimit["bad_conn_threshold"].(int) + synRate := ddosConnectLimit["syn_rate"].(int) + synLimit := ddosConnectLimit["syn_limit"].(int) + connTimeout := ddosConnectLimit["conn_timeout"].(int) + nullConnEnable := ddosConnectLimit["null_conn_enable"].(int) + tmpConnectLimitConfig := antiddos.ConnectLimitConfig{ + SdNewLimit: helper.IntUint64(sdNewLimit), + SdConnLimit: helper.IntUint64(sdConnLimit), + DstNewLimit: helper.IntUint64(dstNewLimit), + DstConnLimit: helper.IntUint64(dstConnLimit), + BadConnThreshold: helper.IntUint64(badConnThreshold), + SynRate: helper.IntUint64(synRate), + SynLimit: helper.IntUint64(synLimit), + ConnTimeout: helper.IntUint64(connTimeout), + NullConnEnable: helper.IntUint64(nullConnEnable), + } + err := antiddosService.CreateDDoSConnectLimit(ctx, resourceId, tmpConnectLimitConfig) + if err != nil { + return err + } + } + d.SetPartial("ddos_connect_limit") + } + if d.HasChange("ddos_ai") { + err := antiddosService.CreateDDoSAI(ctx, resourceId, d.Get("ddos_ai").(string)) + if err != nil { + return err + } + d.SetPartial("ddos_ai") + } + + if d.HasChange("black_white_ips") { + blackWhiteIps := d.Get("black_white_ips").([]interface{}) + oldUniqIpMap := make(map[string]int) + oldBlackWhiteIps, err := antiddosService.DescribeListBlackWhiteIpList(ctx, resourceId) + if err != nil { + return err + } + for _, oldBlackWhiteIp := range oldBlackWhiteIps { + ip := oldBlackWhiteIp.Ip + ipType := oldBlackWhiteIp.Type + key := *ipType + "_" + *ip + oldUniqIpMap[key] = 1 + } + newUniqIpMap := make(map[string]int) + for _, blackWhiteIpItem := range blackWhiteIps { + blackWhiteIp := blackWhiteIpItem.(map[string]interface{}) + key := blackWhiteIp["ip_type"].(string) + "_" + blackWhiteIp["ip"].(string) + newUniqIpMap[key] = 1 + if oldUniqIpMap["key"] == 0 { + err := antiddosService.CreateDDoSBlackWhiteIpList(ctx, resourceId, []string{blackWhiteIp["ip"].(string)}, blackWhiteIp["ip_type"].(string)) + if err != nil { + return err + } + } + } + for _, oldBlackWhiteIp := range oldBlackWhiteIps { + ip := oldBlackWhiteIp.Ip + ipType := oldBlackWhiteIp.Type + key := *ipType + "_" + *ip + if newUniqIpMap[key] == 0 { + antiddosService.DeleteDDoSBlackWhiteIpList(ctx, resourceId, []string{*ip}, *ipType) + } + } + + d.SetPartial("black_white_ips") + } + + if d.HasChange("acls") { + oldAclConfigRelationList, err := antiddosService.DescribeListPortAclList(ctx, resourceId) + if err != nil { + return err + } + oldAclConfigs := make([]interface{}, 0) + for _, oldAclConfigRelation := range oldAclConfigRelationList { + oldAclConfigs = append(oldAclConfigs, *oldAclConfigRelation.AclConfig) + } + newAclConfigs := make([]interface{}, 0) + acls := d.Get("acls").([]interface{}) + for _, aclItem := range acls { + acl := aclItem.(map[string]interface{}) + action := acl["action"].(string) + dPortStart := acl["d_port_start"].(int) + dPortEnd := acl["d_port_end"].(int) + sPortStart := acl["s_port_start"].(int) + sPortEnd := acl["s_port_end"].(int) + priority := acl["priority"].(int) + forwardProtocol := acl["forward_protocol"].(string) + tmpAclConfig := antiddos.AclConfig{ + Action: &action, + DPortStart: helper.IntUint64(dPortStart), + DPortEnd: helper.IntUint64(dPortEnd), + SPortStart: helper.IntUint64(sPortStart), + SPortEnd: helper.IntUint64(sPortEnd), + Priority: helper.IntUint64(priority), + ForwardProtocol: &forwardProtocol, + } + newAclConfigs = append(newAclConfigs, tmpAclConfig) + } + increments, decrements := DeltaList(oldAclConfigs, newAclConfigs) + for _, decrementItem := range decrements { + var decrement antiddos.AclConfig + json.Unmarshal([]byte(decrementItem), &decrement) + err := antiddosService.DeletePortAclConfig(ctx, resourceId, decrement) + if err != nil { + return err + } + } + for _, incrementItems := range increments { + var increment antiddos.AclConfig + json.Unmarshal([]byte(incrementItems), &increment) + err := antiddosService.CreatePortAclConfig(ctx, resourceId, increment) + if err != nil { + return err + } + } + + d.SetPartial("acls") + } + + if d.HasChange("ddos_geo_ip_block_config") { + oldDDoSGeoIPBlockConfigRelations, err := antiddosService.DescribeListDDoSGeoIPBlockConfig(ctx, resourceId) + if err != nil { + return err + } + + oldDDoSGeoIPBlockConfigs := make([]interface{}, 0) + for _, oldDDoSGeoIPBlockConfigRelation := range oldDDoSGeoIPBlockConfigRelations { + ddosGeoIPBlockConfig := *oldDDoSGeoIPBlockConfigRelation.GeoIPBlockConfig + oldDDoSGeoIPBlockConfigs = append(oldDDoSGeoIPBlockConfigs, ddosGeoIPBlockConfig) + } + + newDDoSGeoIPBlockConfigs := make([]interface{}, 0) + for _, ddosGeoIpBlockConfigItem := range d.Get("ddos_geo_ip_block_config").([]interface{}) { + ddosGeoIpBlockConfig := ddosGeoIpBlockConfigItem.(map[string]interface{}) + action := ddosGeoIpBlockConfig["action"].(string) + areaList := ddosGeoIpBlockConfig["area_list"].([]interface{}) + regionType := ddosGeoIpBlockConfig["region_type"].(string) + areaInt64List := make([]*int64, 0) + for _, area := range areaList { + areaInt64List = append(areaInt64List, helper.IntInt64(area.(int))) + } + tmpDDoSGeoIPBlockConfig := antiddos.DDoSGeoIPBlockConfig{ + Action: &action, + Id: &resourceId, + RegionType: ®ionType, + AreaList: areaInt64List, + } + newDDoSGeoIPBlockConfigs = append(newDDoSGeoIPBlockConfigs, tmpDDoSGeoIPBlockConfig) + } + increments, decrements := DeltaList(oldDDoSGeoIPBlockConfigs, newDDoSGeoIPBlockConfigs) + for _, decrementItem := range decrements { + var decrement antiddos.DDoSGeoIPBlockConfig + json.Unmarshal([]byte(decrementItem), &decrement) + err := antiddosService.DeleteDDoSGeoIPBlockConfig(ctx, resourceId, decrement) + if err != nil { + return err + } + } + for _, incrementItems := range increments { + var increment antiddos.DDoSGeoIPBlockConfig + json.Unmarshal([]byte(incrementItems), &increment) + err := antiddosService.CreateDDoSGeoIPBlockConfig(ctx, resourceId, increment) + if err != nil { + return err + } + } + + d.SetPartial("ddos_geo_ip_block_config") + } + + if d.HasChange("ddos_speed_limit_config") { + oldDDoSSpeedLimitConfigRelations, err := antiddosService.DescribeListDDoSSpeedLimitConfig(ctx, resourceId) + if err != nil { + return err + } + + oldDDoSSpeedLimitConfigs := make([]interface{}, 0) + for _, oldDDoSSpeedLimitConfigRelation := range oldDDoSSpeedLimitConfigRelations { + oldDDoSSpeedLimitConfig := *oldDDoSSpeedLimitConfigRelation.SpeedLimitConfig + oldDDoSSpeedLimitConfigs = append(oldDDoSSpeedLimitConfigs, oldDDoSSpeedLimitConfig) + } + + newDDoSSpeedLimitConfigs := make([]interface{}, 0) + for _, ddosConnectLimitItem := range d.Get("ddos_speed_limit_config").([]interface{}) { + ddosConnectLimit := ddosConnectLimitItem.(map[string]interface{}) + protocolList := ddosConnectLimit["protocol_list"].(string) + dstPortList := ddosConnectLimit["dst_port_list"].(string) + mode := ddosConnectLimit["mode"].(int) + packetRate := ddosConnectLimit["packet_rate"].(int) + bandwidth := ddosConnectLimit["bandwidth"].(int) + + tmpDDosConnectLimit := antiddos.DDoSSpeedLimitConfig{ + ProtocolList: &protocolList, + DstPortList: &dstPortList, + Mode: helper.IntUint64(mode), + SpeedValues: []*antiddos.SpeedValue{ + { + Type: helper.IntUint64(1), + Value: helper.IntUint64(packetRate), + }, + { + Type: helper.IntUint64(2), + Value: helper.IntUint64(bandwidth), + }, + }, + } + newDDoSSpeedLimitConfigs = append(newDDoSSpeedLimitConfigs, tmpDDosConnectLimit) + } + + increments, decrements := DeltaList(oldDDoSSpeedLimitConfigs, newDDoSSpeedLimitConfigs) + for _, decrementItem := range decrements { + var decrement antiddos.DDoSSpeedLimitConfig + json.Unmarshal([]byte(decrementItem), &decrement) + err := antiddosService.DeleteDDoSSpeedLimitConfig(ctx, resourceId, decrement) + if err != nil { + return err + } + } + for _, incrementItems := range increments { + var increment antiddos.DDoSSpeedLimitConfig + json.Unmarshal([]byte(incrementItems), &increment) + err := antiddosService.CreateDDoSSpeedLimitConfig(ctx, resourceId, increment) + if err != nil { + return err + } + } + + d.SetPartial("ddos_speed_limit_config") + } + + if d.HasChange("packet_filters") { + oldPacketFilterRelationList, err := antiddosService.DescribeListPacketFilterConfig(ctx, resourceId) + if err != nil { + return err + } + oldPacketFilters := make([]interface{}, 0) + for _, packetFilterRelation := range oldPacketFilterRelationList { + tmpPacketFilter := packetFilterRelation.PacketFilterConfig + oldPacketFilters = append(oldPacketFilters, tmpPacketFilter) + } + + newPacketFilters := make([]interface{}, 0) + + for _, packetFilterItem := range d.Get("packet_filters").([]interface{}) { + packetFilter := packetFilterItem.(map[string]interface{}) + action := packetFilter["action"].(string) + protocol := packetFilter["protocol"].(string) + sPortStart := packetFilter["s_port_start"].(int) + sPortEnd := packetFilter["s_port_end"].(int) + dPortStart := packetFilter["d_port_start"].(int) + dPortEnd := packetFilter["d_port_end"].(int) + pktlenMin := packetFilter["pktlen_min"].(int) + pktlenMax := packetFilter["pktlen_max"].(int) + str := packetFilter["str"].(string) + str2 := packetFilter["str2"].(string) + matchLogic := packetFilter["match_logic"].(string) + matchType := packetFilter["match_type"].(string) + matchType2 := packetFilter["match_type2"].(string) + matchBegin := packetFilter["match_begin"].(string) + matchBegin2 := packetFilter["match_begin2"].(string) + depth := packetFilter["depth"].(int) + depth2 := packetFilter["depth2"].(int) + offset := packetFilter["offset"].(int) + offset2 := packetFilter["offset2"].(int) + isNot := packetFilter["is_not"].(int) + isNot2 := packetFilter["is_not2"].(int) + + tmpPacketFilter := antiddos.PacketFilterConfig{ + Id: &resourceId, + Action: &action, + Protocol: &protocol, + SportStart: helper.IntInt64(sPortStart), + SportEnd: helper.IntInt64(sPortEnd), + DportStart: helper.IntInt64(dPortStart), + DportEnd: helper.IntInt64(dPortEnd), + PktlenMin: helper.IntInt64(pktlenMin), + PktlenMax: helper.IntInt64(pktlenMax), + Str: &str, + Str2: &str2, + MatchLogic: &matchLogic, + MatchType: &matchType, + MatchType2: &matchType2, + MatchBegin: &matchBegin, + MatchBegin2: &matchBegin2, + Depth: helper.IntInt64(depth), + Offset: helper.IntInt64(offset), + IsNot: helper.IntInt64(isNot), + Depth2: helper.IntInt64(depth2), + Offset2: helper.IntInt64(offset2), + IsNot2: helper.IntInt64(isNot2), + } + newPacketFilters = append(newPacketFilters, tmpPacketFilter) + } + increments, decrements := DeltaList(oldPacketFilters, newPacketFilters) + + for _, decrementItem := range decrements { + var decrement antiddos.PacketFilterConfig + json.Unmarshal([]byte(decrementItem), &decrement) + err := antiddosService.DeletePacketFilterConfig(ctx, resourceId, decrement) + if err != nil { + return err + } + } + for _, incrementItem := range increments { + var increment antiddos.PacketFilterConfig + json.Unmarshal([]byte(incrementItem), &increment) + err := antiddosService.CreatePacketFilterConfig(ctx, resourceId, increment) + if err != nil { + return err + } + } + + d.SetPartial("packet_filters") + } + + d.Partial(false) + + return resourceTencentCloudDayuDdosPolicyV2Read(d, meta) +} + +func resourceTencentCloudDayuDdosPolicyV2Delete(d *schema.ResourceData, meta interface{}) error { + defer logElapsed("resource.tencentcloud_dayu_ddos_policy_v2.read")() + logId := getLogId(contextNil) + ctx := context.WithValue(context.TODO(), logIdKey, logId) + antiddosService := AntiddosService{client: meta.(*TencentCloudClient).apiV3Conn} + items := strings.Split(d.Id(), FILED_SP) + if len(items) < 2 { + return fmt.Errorf("broken ID of DDoS policy") + } + resourceId := items[0] + business := items[1] + + antiddosService.DeleteyDDoSLevel(ctx, business, resourceId) + antiddosService.DeleteDDoSThreshold(ctx, business, resourceId) + + blackWhiteIpRelationList, err := antiddosService.DescribeListBlackWhiteIpList(ctx, resourceId) + if err != nil { + return err + } + blacks := make([]string, 0) + whites := make([]string, 0) + for _, blackWhiteIpRelation := range blackWhiteIpRelationList { + ip := blackWhiteIpRelation.Ip + ipType := blackWhiteIpRelation.Type + if *ipType == DDOS_BLACK_WHITE_IP_TYPE_BLACK { + blacks = append(blacks, *ip) + } + if *ipType == DDOS_BLACK_WHITE_IP_TYPE_WHITE { + whites = append(whites, *ip) + } + } + if len(blacks) > 0 { + antiddosService.DeleteDDoSBlackWhiteIpList(ctx, resourceId, blacks, DDOS_BLACK_WHITE_IP_TYPE_BLACK) + } + if len(whites) > 0 { + antiddosService.DeleteDDoSBlackWhiteIpList(ctx, resourceId, whites, DDOS_BLACK_WHITE_IP_TYPE_WHITE) + } + + aclConfigRelationList, err := antiddosService.DescribeListPortAclList(ctx, resourceId) + if err != nil { + return err + } + for _, aclConfigRelation := range aclConfigRelationList { + deleteAclConfigRelation := aclConfigRelation + antiddosService.DeletePortAclConfig(ctx, resourceId, *deleteAclConfigRelation.AclConfig) + } + + antiddosService.DeleteProtocolBlockConfig(ctx, resourceId) + antiddosService.DeleteDDoSConnectLimit(ctx, resourceId) + antiddosService.DeleteDDoSAI(ctx, resourceId) + + ddosGeoIPBlockConfigRelations, err := antiddosService.DescribeListDDoSGeoIPBlockConfig(ctx, resourceId) + if err != nil { + return err + } + for _, ddosGeoIPBlockConfigRelation := range ddosGeoIPBlockConfigRelations { + antiddosService.DeleteDDoSGeoIPBlockConfig(ctx, resourceId, *ddosGeoIPBlockConfigRelation.GeoIPBlockConfig) + } + + ddosSpeedLimitConfigRelations, err := antiddosService.DescribeListDDoSSpeedLimitConfig(ctx, resourceId) + if err != nil { + return err + } + for _, ddosSpeedLimitConfigRelation := range ddosSpeedLimitConfigRelations { + antiddosService.DeleteDDoSSpeedLimitConfig(ctx, resourceId, *ddosSpeedLimitConfigRelation.SpeedLimitConfig) + + } + + packetFilterRelationList, err := antiddosService.DescribeListPacketFilterConfig(ctx, resourceId) + if err != nil { + return err + } + + for _, packetFilterRelation := range packetFilterRelationList { + antiddosService.DeletePacketFilterConfig(ctx, resourceId, *packetFilterRelation.PacketFilterConfig) + } + return nil +} diff --git a/tencentcloud/resource_tc_dayu_ddos_policy_v2_test.go b/tencentcloud/resource_tc_dayu_ddos_policy_v2_test.go new file mode 100644 index 0000000000..776c1a02b3 --- /dev/null +++ b/tencentcloud/resource_tc_dayu_ddos_policy_v2_test.go @@ -0,0 +1,176 @@ +package tencentcloud + +import ( + "context" + "fmt" + "strings" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/terraform" +) + +func TestAccTencentCloudDayuDdosPolicyV2Resource(t *testing.T) { + t.Parallel() + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheckCommon(t, ACCOUNT_TYPE_INTERNATION) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckDayuDdosPolicyV2Destroy, + Steps: []resource.TestStep{ + { + Config: testAccDayuDdosPolicyV2, + Check: resource.ComposeTestCheckFunc( + testAccCheckDayuDdosPolicyV2Exists("tencentcloud_dayu_ddos_policy_v2.test_policy"), + resource.TestCheckResourceAttr("tencentcloud_dayu_ddos_policy_v2.test_policy", "black_white_ips.#", "1"), + resource.TestCheckResourceAttr("tencentcloud_dayu_ddos_policy_v2.test_policy", "ddos_connect_limit.#", "1"), + resource.TestCheckResourceAttr("tencentcloud_dayu_ddos_policy_v2.test_policy", "ddos_geo_ip_block_config.#", "1"), + resource.TestCheckResourceAttr("tencentcloud_dayu_ddos_policy_v2.test_policy", "ddos_speed_limit_config.#", "1"), + resource.TestCheckResourceAttr("tencentcloud_dayu_ddos_policy_v2.test_policy", "packet_filters.#", "1"), + resource.TestCheckResourceAttr("tencentcloud_dayu_ddos_policy_v2.test_policy", "protocol_block_config.#", "1"), + ), + }, + }, + }) +} + +func testAccCheckDayuDdosPolicyV2Destroy(s *terraform.State) error { + for _, rs := range s.RootModule().Resources { + if rs.Type != "tencentcloud_dayu_ddos_policy_v2" { + continue + } + logId := getLogId(contextNil) + ctx := context.WithValue(context.TODO(), logIdKey, logId) + + items := strings.Split(rs.Primary.ID, FILED_SP) + if len(items) < 2 { + return fmt.Errorf("broken ID of DDoS policy") + } + resourceId := items[0] + + antiddosService := AntiddosService{client: testAccProvider.Meta().(*TencentCloudClient).apiV3Conn} + blackWhiteIpRelationList, err := antiddosService.DescribeListBlackWhiteIpList(ctx, resourceId) + if err != nil { + return err + } + if len(blackWhiteIpRelationList) != 0 { + return fmt.Errorf("delete DDoS policy %s fail, still on server", rs.Primary.ID) + } + + aclConfigRelationList, err := antiddosService.DescribeListPortAclList(ctx, resourceId) + if err != nil { + return err + } + if len(aclConfigRelationList) != 0 { + return fmt.Errorf("delete DDoS policy %s fail, still on server", rs.Primary.ID) + } + + ddosGeoIPBlockConfigRelations, err := antiddosService.DescribeListDDoSGeoIPBlockConfig(ctx, resourceId) + if err != nil { + return err + } + if len(ddosGeoIPBlockConfigRelations) != 0 { + return fmt.Errorf("delete DDoS policy %s fail, still on server", rs.Primary.ID) + } + + ddosSpeedLimitConfigRelations, err := antiddosService.DescribeListDDoSSpeedLimitConfig(ctx, resourceId) + if err != nil { + return err + } + if len(ddosSpeedLimitConfigRelations) != 0 { + return fmt.Errorf("delete DDoS policy %s fail, still on server", rs.Primary.ID) + } + + packetFilterRelationList, err := antiddosService.DescribeListPacketFilterConfig(ctx, resourceId) + if err != nil { + return err + } + if len(packetFilterRelationList) != 0 { + return fmt.Errorf("delete DDoS policy %s fail, still on server", rs.Primary.ID) + } + } + return nil +} + +func testAccCheckDayuDdosPolicyV2Exists(n string) resource.TestCheckFunc { + return func(s *terraform.State) error { + _, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("resource %s is not found", n) + } + return nil + } +} + +const testAccDayuDdosPolicyV2 string = ` +resource "tencentcloud_dayu_ddos_policy_v2" "test_policy" { + resource_id = "bgpip-000004xf" + business = "bgpip" + ddos_threshold="100" + ddos_level="low" + black_white_ips { + ip = "1.2.3.4" + ip_type = "black" + } + acls { + action = "transmit" + d_port_start = 1 + d_port_end = 10 + s_port_start=10 + s_port_end=20 + priority=9 + forward_protocol="all" + } + protocol_block_config { + drop_icmp=1 + drop_tcp=0 + drop_udp=0 + drop_other=0 + } + ddos_connect_limit { + sd_new_limit=10 + sd_conn_limit=11 + dst_new_limit=20 + dst_conn_limit=21 + bad_conn_threshold=30 + syn_rate=10 + syn_limit=20 + conn_timeout=30 + null_conn_enable=1 + } + ddos_ai="on" + ddos_geo_ip_block_config { + action="drop" + area_list=["100001"] + region_type="customized" + } + ddos_speed_limit_config { + protocol_list="TCP" + dst_port_list="10" + mode=1 + packet_rate=10 + bandwidth=20 + } + packet_filters { + action="drop" + protocol="all" + s_port_start=10 + s_port_end=10 + d_port_start=20 + d_port_end=20 + pktlen_min=30 + pktlen_max=30 + str="12" + str2="30" + match_logic="and" + match_type="pcre" + match_type2="pcre" + match_begin="begin_l3" + match_begin2="begin_l3" + depth=2 + depth2=3 + offset=1 + offset2=2 + is_not=0 + is_not2=0 + } +}` diff --git a/tencentcloud/service_tencentcloud_antiddos.go b/tencentcloud/service_tencentcloud_antiddos.go index 507f055884..2341baef2b 100644 --- a/tencentcloud/service_tencentcloud_antiddos.go +++ b/tencentcloud/service_tencentcloud_antiddos.go @@ -8,7 +8,9 @@ import ( antiddos "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/antiddos/v20200309" "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common" "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/errors" + sdkErrors "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/errors" "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/connectivity" + "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/internal/helper" "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/ratelimit" ) @@ -146,3 +148,737 @@ func (me *AntiddosService) DisassociateDDoSEipAddress(ctx context.Context, insta return } + +func (me *AntiddosService) DescribeListProtectThresholdConfig(ctx context.Context, instanceId string) (result antiddos.ProtectThresholdRelation, err error) { + logId := getLogId(ctx) + request := antiddos.NewDescribeListProtectThresholdConfigRequest() + request.FilterInstanceId = common.StringPtr(instanceId) + request.Limit = helper.IntUint64(1) + request.Offset = helper.Int64Uint64(0) + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + response, err := me.client.UseAntiddosClient().DescribeListProtectThresholdConfig(request) + configList := response.Response.ConfigList + if len(configList) > 0 { + result = *configList[0] + } + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DescribeListBlackWhiteIpList(ctx context.Context, instanceId string) (result []*antiddos.BlackWhiteIpRelation, err error) { + request := antiddos.NewDescribeListBlackWhiteIpListRequest() + request.FilterInstanceId = common.StringPtr(instanceId) + var limit int64 = 10 + var offset int64 = 0 + + request.Limit = &limit + request.Offset = &offset + + for { + ratelimit.Check(request.GetAction()) + response, e := me.client.UseAntiddosClient().DescribeListBlackWhiteIpList(request) + if e != nil { + err = e + return + } + ipList := response.Response.IpList + if len(ipList) > 0 { + result = append(result, ipList...) + } + if len(ipList) < int(limit) { + return + } + offset += limit + } +} + +func (me *AntiddosService) DescribeListPortAclList(ctx context.Context, instanceId string) (result []*antiddos.AclConfigRelation, err error) { + request := antiddos.NewDescribeListPortAclListRequest() + request.FilterInstanceId = common.StringPtr(instanceId) + var limit uint64 = 10 + var offset uint64 = 0 + + request.Limit = &limit + request.Offset = &offset + + for { + ratelimit.Check(request.GetAction()) + response, e := me.client.UseAntiddosClient().DescribeListPortAclList(request) + if e != nil { + err = e + return + } + aclList := response.Response.AclList + if len(aclList) > 0 { + result = append(result, aclList...) + } + if len(aclList) < int(limit) { + return + } + offset += limit + } +} + +func (me *AntiddosService) DescribeListProtocolBlockConfig(ctx context.Context, instanceId string) (result antiddos.ProtocolBlockRelation, err error) { + logId := getLogId(ctx) + request := antiddos.NewDescribeListProtocolBlockConfigRequest() + request.FilterInstanceId = common.StringPtr(instanceId) + request.Limit = helper.IntInt64(1) + request.Offset = helper.IntInt64(0) + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + response, err := me.client.UseAntiddosClient().DescribeListProtocolBlockConfig(request) + configList := response.Response.ConfigList + if len(configList) > 0 { + result = *configList[0] + } + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DescribeDDoSConnectLimitList(ctx context.Context, instanceId string) (result antiddos.ConnectLimitConfig, err error) { + logId := getLogId(ctx) + request := antiddos.NewDescribeDDoSConnectLimitListRequest() + request.FilterInstanceId = common.StringPtr(instanceId) + request.Limit = helper.IntUint64(1) + request.Offset = helper.IntUint64(0) + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + response, err := me.client.UseAntiddosClient().DescribeDDoSConnectLimitList(request) + configList := response.Response.ConfigList + if len(configList) > 0 { + result = *configList[0].ConnectLimitConfig + } + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DescribeListDDoSAI(ctx context.Context, instanceId string) (result antiddos.DDoSAIRelation, err error) { + logId := getLogId(ctx) + request := antiddos.NewDescribeListDDoSAIRequest() + request.FilterInstanceId = common.StringPtr(instanceId) + request.Limit = helper.IntInt64(1) + request.Offset = helper.IntInt64(0) + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + response, err := me.client.UseAntiddosClient().DescribeListDDoSAI(request) + configList := response.Response.ConfigList + if len(configList) > 0 { + result = *configList[0] + } + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DescribeListDDoSGeoIPBlockConfig(ctx context.Context, instanceId string) (result []*antiddos.DDoSGeoIPBlockConfigRelation, err error) { + request := antiddos.NewDescribeListDDoSGeoIPBlockConfigRequest() + request.FilterInstanceId = common.StringPtr(instanceId) + var limit uint64 = 10 + var offset uint64 = 0 + request.Limit = &limit + request.Offset = &offset + + for { + ratelimit.Check(request.GetAction()) + response, e := me.client.UseAntiddosClient().DescribeListDDoSGeoIPBlockConfig(request) + if e != nil { + err = e + return + } + configList := response.Response.ConfigList + if len(configList) > 0 { + result = append(result, configList...) + } + if len(configList) < int(limit) { + return + } + offset += limit + } + return +} + +func (me *AntiddosService) DescribeListDDoSSpeedLimitConfig(ctx context.Context, instanceId string) (result []*antiddos.DDoSSpeedLimitConfigRelation, err error) { + request := antiddos.NewDescribeListDDoSSpeedLimitConfigRequest() + request.FilterInstanceId = common.StringPtr(instanceId) + var limit uint64 = 10 + var offset uint64 = 0 + request.Limit = &limit + request.Offset = &offset + + for { + ratelimit.Check(request.GetAction()) + response, e := me.client.UseAntiddosClient().DescribeListDDoSSpeedLimitConfig(request) + if e != nil { + err = e + return + } + configList := response.Response.ConfigList + if len(configList) > 0 { + result = append(result, configList...) + } + if len(configList) < int(limit) { + return + } + offset += limit + } + + return +} + +func (me *AntiddosService) DescribeListPacketFilterConfig(ctx context.Context, instanceId string) (result []*antiddos.PacketFilterRelation, err error) { + logId := getLogId(ctx) + request := antiddos.NewDescribeListPacketFilterConfigRequest() + request.FilterInstanceId = common.StringPtr(instanceId) + request.Limit = helper.IntInt64(1) + request.Offset = helper.IntInt64(0) + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + response, err := me.client.UseAntiddosClient().DescribeListPacketFilterConfig(request) + configList := response.Response.ConfigList + if len(configList) > 0 { + result = configList + } + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DescribeListWaterPrintConfig(ctx context.Context, instanceId string) (result antiddos.WaterPrintRelation, err error) { + logId := getLogId(ctx) + request := antiddos.NewDescribeListWaterPrintConfigRequest() + request.FilterInstanceId = common.StringPtr(instanceId) + request.Limit = helper.IntInt64(1) + request.Offset = helper.IntInt64(0) + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + response, err := me.client.UseAntiddosClient().DescribeListWaterPrintConfig(request) + configList := response.Response.ConfigList + if len(configList) > 0 { + result = *configList[0] + } + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) CreateDDoSBlackWhiteIpList(ctx context.Context, instanceId string, ipList []string, ipType string) (err error) { + logId := getLogId(ctx) + request := antiddos.NewCreateDDoSBlackWhiteIpListRequest() + request.InstanceId = common.StringPtr(instanceId) + requestIpList := make([]*antiddos.IpSegment, 0) + ip32mask := uint64(0) + for _, ip := range ipList { + requestIpList = append(requestIpList, &antiddos.IpSegment{Ip: &ip, Mask: &ip32mask}) + } + request.IpList = requestIpList + request.Type = common.StringPtr(ipType) + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().CreateDDoSBlackWhiteIpList(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) ModifyDDoSThreshold(ctx context.Context, business, instanceId string, threshold int) (err error) { + logId := getLogId(ctx) + request := antiddos.NewModifyDDoSThresholdRequest() + request.Business = common.StringPtr(business) + request.Id = common.StringPtr(instanceId) + request.Threshold = helper.IntUint64(threshold) + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().ModifyDDoSThreshold(request) + if err != nil { + if sdkError, ok := err.(*sdkErrors.TencentCloudSDKError); ok { + if sdkError.Code == "ResourceUnavailable" { + return nil + } + } + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) ModifyDDoSLevel(ctx context.Context, business, instanceId, ddosLevel string) (err error) { + logId := getLogId(ctx) + request := antiddos.NewModifyDDoSLevelRequest() + request.Business = common.StringPtr(business) + request.Id = common.StringPtr(instanceId) + request.Method = common.StringPtr("set") + request.DDoSLevel = common.StringPtr(ddosLevel) + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().ModifyDDoSLevel(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) CreatePortAclConfig(ctx context.Context, instanceId string, aclConfig antiddos.AclConfig) (err error) { + logId := getLogId(ctx) + request := antiddos.NewCreatePortAclConfigRequest() + request.AclConfig = &aclConfig + request.InstanceId = &instanceId + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().CreatePortAclConfig(request) + if err != nil { + if sdkError, ok := err.(*sdkErrors.TencentCloudSDKError); ok { + if sdkError.Code == "ResourceInUse" { + return nil + } + } + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) CreateProtocolBlockConfig(ctx context.Context, instanceId string, protocolBlockConfig antiddos.ProtocolBlockConfig) (err error) { + logId := getLogId(ctx) + request := antiddos.NewCreateProtocolBlockConfigRequest() + request.InstanceId = &instanceId + request.ProtocolBlockConfig = &protocolBlockConfig + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().CreateProtocolBlockConfig(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) CreateDDoSConnectLimit(ctx context.Context, instanceId string, connectLimitConfig antiddos.ConnectLimitConfig) (err error) { + logId := getLogId(ctx) + request := antiddos.NewCreateDDoSConnectLimitRequest() + request.InstanceId = &instanceId + request.ConnectLimitConfig = &connectLimitConfig + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().CreateDDoSConnectLimit(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) CreateDDoSAI(ctx context.Context, instanceId, ddosAI string) (err error) { + logId := getLogId(ctx) + request := antiddos.NewCreateDDoSAIRequest() + request.DDoSAI = &ddosAI + request.InstanceIdList = []*string{&instanceId} + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().CreateDDoSAI(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) CreateDDoSGeoIPBlockConfig(ctx context.Context, instanceId string, ddosGeoIPBlockConfig antiddos.DDoSGeoIPBlockConfig) (err error) { + logId := getLogId(ctx) + request := antiddos.NewCreateDDoSGeoIPBlockConfigRequest() + request.InstanceId = &instanceId + request.DDoSGeoIPBlockConfig = &ddosGeoIPBlockConfig + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().CreateDDoSGeoIPBlockConfig(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) CreateDDoSSpeedLimitConfig(ctx context.Context, instanceId string, ddosSpeedLimitConfig antiddos.DDoSSpeedLimitConfig) (err error) { + logId := getLogId(ctx) + request := antiddos.NewCreateDDoSSpeedLimitConfigRequest() + request.InstanceId = &instanceId + request.DDoSSpeedLimitConfig = &ddosSpeedLimitConfig + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().CreateDDoSSpeedLimitConfig(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) CreatePacketFilterConfig(ctx context.Context, instanceId string, packetFilterConfig antiddos.PacketFilterConfig) (err error) { + logId := getLogId(ctx) + request := antiddos.NewCreatePacketFilterConfigRequest() + request.InstanceId = &instanceId + request.PacketFilterConfig = &packetFilterConfig + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().CreatePacketFilterConfig(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DeleteDDoSBlackWhiteIpList(ctx context.Context, instanceId string, ips []string, ipType string) (err error) { + logId := getLogId(ctx) + request := antiddos.NewDeleteDDoSBlackWhiteIpListRequest() + request.InstanceId = &instanceId + request.Type = &ipType + ipList := make([]*antiddos.IpSegment, 0) + for _, ip := range ips { + ipList = append(ipList, &antiddos.IpSegment{ + Ip: &ip, + Mask: helper.IntUint64(0), + }) + } + request.IpList = ipList + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().DeleteDDoSBlackWhiteIpList(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DeletePortAclConfig(ctx context.Context, instanceId string, aclConfig antiddos.AclConfig) (err error) { + logId := getLogId(ctx) + request := antiddos.NewDeletePortAclConfigRequest() + request.InstanceId = &instanceId + request.AclConfig = &aclConfig + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().DeletePortAclConfig(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DeleteProtocolBlockConfig(ctx context.Context, instanceId string) (err error) { + logId := getLogId(ctx) + request := antiddos.NewCreateProtocolBlockConfigRequest() + request.InstanceId = &instanceId + protocolBlockConfig := antiddos.ProtocolBlockConfig{ + DropIcmp: helper.IntInt64(0), + DropTcp: helper.IntInt64(0), + DropUdp: helper.IntInt64(0), + DropOther: helper.IntInt64(0), + CheckExceptNullConnect: helper.IntInt64(1), + } + request.ProtocolBlockConfig = &protocolBlockConfig + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().CreateProtocolBlockConfig(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DeleteDDoSConnectLimit(ctx context.Context, instanceId string) (err error) { + logId := getLogId(ctx) + request := antiddos.NewCreateDDoSConnectLimitRequest() + request.InstanceId = &instanceId + connectLimitConfig := antiddos.ConnectLimitConfig{ + SdNewLimit: helper.IntUint64(0), + DstNewLimit: helper.IntUint64(0), + SdConnLimit: helper.IntUint64(0), + DstConnLimit: helper.IntUint64(0), + BadConnThreshold: helper.IntUint64(0), + NullConnEnable: helper.IntUint64(0), + ConnTimeout: helper.IntUint64(0), + SynRate: helper.IntUint64(0), + SynLimit: helper.IntUint64(0), + } + request.ConnectLimitConfig = &connectLimitConfig + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().CreateDDoSConnectLimit(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DeleteDDoSAI(ctx context.Context, instanceId string) (err error) { + logId := getLogId(ctx) + request := antiddos.NewCreateDDoSAIRequest() + request.DDoSAI = common.StringPtr("off") + request.InstanceIdList = []*string{&instanceId} + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().CreateDDoSAI(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DeleteDDoSGeoIPBlockConfig(ctx context.Context, instanceId string, ddosGeoIPBlockConfig antiddos.DDoSGeoIPBlockConfig) (err error) { + logId := getLogId(ctx) + request := antiddos.NewDeleteDDoSGeoIPBlockConfigRequest() + request.InstanceId = &instanceId + request.DDoSGeoIPBlockConfig = &ddosGeoIPBlockConfig + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().DeleteDDoSGeoIPBlockConfig(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DeleteDDoSSpeedLimitConfig(ctx context.Context, instanceId string, ddosSpeedLimitConfig antiddos.DDoSSpeedLimitConfig) (err error) { + logId := getLogId(ctx) + request := antiddos.NewDeleteDDoSSpeedLimitConfigRequest() + request.InstanceId = &instanceId + request.DDoSSpeedLimitConfig = &ddosSpeedLimitConfig + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().DeleteDDoSSpeedLimitConfig(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DeletePacketFilterConfig(ctx context.Context, instanceId string, packetFilterConfig antiddos.PacketFilterConfig) (err error) { + logId := getLogId(ctx) + request := antiddos.NewDeletePacketFilterConfigRequest() + request.InstanceId = &instanceId + request.PacketFilterConfig = &packetFilterConfig + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().DeletePacketFilterConfig(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DeleteDDoSThreshold(ctx context.Context, business, instanceId string) (err error) { + logId := getLogId(ctx) + request := antiddos.NewModifyDDoSThresholdRequest() + request.Business = common.StringPtr(business) + request.Id = common.StringPtr(instanceId) + request.Threshold = helper.IntUint64(0) + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().ModifyDDoSThreshold(request) + if err != nil { + if sdkError, ok := err.(*sdkErrors.TencentCloudSDKError); ok { + if sdkError.Code == "ResourceUnavailable" { + return nil + } + } + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} + +func (me *AntiddosService) DeleteyDDoSLevel(ctx context.Context, business, instanceId string) (err error) { + logId := getLogId(ctx) + request := antiddos.NewModifyDDoSLevelRequest() + request.Business = common.StringPtr(business) + request.Id = common.StringPtr(instanceId) + request.Method = common.StringPtr("set") + request.DDoSLevel = common.StringPtr("middle") + + err = resource.Retry(writeRetryTimeout, func() *resource.RetryError { + _, err := me.client.UseAntiddosClient().ModifyDDoSLevel(request) + if err != nil { + return resource.RetryableError(err) + } + return nil + }) + if err != nil { + log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", + logId, request.GetAction(), request.ToJsonString(), err.Error()) + return + } + return +} diff --git a/website/docs/r/dayu_ddos_policy_v2.html.markdown b/website/docs/r/dayu_ddos_policy_v2.html.markdown new file mode 100644 index 0000000000..7aaa903be5 --- /dev/null +++ b/website/docs/r/dayu_ddos_policy_v2.html.markdown @@ -0,0 +1,187 @@ +--- +subcategory: "Anti-DDoS(DayuV2)" +layout: "tencentcloud" +page_title: "TencentCloud: tencentcloud_dayu_ddos_policy_v2" +sidebar_current: "docs-tencentcloud-resource-dayu_ddos_policy_v2" +description: |- + Use this resource to create dayu DDoS policy v2 +--- + +# tencentcloud_dayu_ddos_policy_v2 + +Use this resource to create dayu DDoS policy v2 + +## Example Usage + +```hcl +resource "tencentcloud_dayu_ddos_policy_v2" "ddos_v2" { + resource_id = "bgpip-000004xf" + business = "bgpip" + ddos_threshold = "100" + ddos_level = "low" + black_white_ips { + ip = "1.2.3.4" + ip_type = "black" + } + acls { + action = "transmit" + d_port_start = 1 + d_port_end = 10 + s_port_start = 10 + s_port_end = 20 + priority = 9 + forward_protocol = "all" + } + protocol_block_config { + drop_icmp = 1 + drop_tcp = 0 + drop_udp = 0 + drop_other = 0 + } + ddos_connect_limit { + sd_new_limit = 10 + sd_conn_limit = 11 + dst_new_limit = 20 + dst_conn_limit = 21 + bad_conn_threshold = 30 + syn_rate = 10 + syn_limit = 20 + conn_timeout = 30 + null_conn_enable = 1 + } + ddos_ai = "on" + ddos_geo_ip_block_config { + action = "drop" + area_list = ["100001"] + region_type = "customized" + } + ddos_speed_limit_config { + protocol_list = "TCP" + dst_port_list = "10" + mode = 1 + packet_rate = 10 + bandwidth = 20 + } + packet_filters { + action = "drop" + protocol = "all" + s_port_start = 10 + s_port_end = 10 + d_port_start = 20 + d_port_end = 20 + pktlen_min = 30 + pktlen_max = 30 + str = "12" + str2 = "30" + match_logic = "and" + match_type = "pcre" + match_type2 = "pcre" + match_begin = "begin_l3" + match_begin2 = "begin_l3" + depth = 2 + depth2 = 3 + offset = 1 + offset2 = 2 + is_not = 0 + is_not2 = 0 + } +} +``` + +## Argument Reference + +The following arguments are supported: + +* `resource_id` - (Required, ForceNew) The ID of the resource instance. +* `acls` - (Optional) Port ACL policy for DDoS protection. +* `black_white_ips` - (Optional) DDoS-protected IP blacklist and whitelist. +* `business` - (Optional) Bussiness of resource instance. bgpip indicates anti-anti-ip ip; bgp means exclusive package; bgp-multip means shared packet; net indicates anti-anti-ip pro version. +* `ddos_ai` - (Optional) AI protection switch, take the value [`on`, `off`]. +* `ddos_connect_limit` - (Optional) DDoS connection suppression options. +* `ddos_geo_ip_block_config` - (Optional) DDoS-protected area block configuration. +* `ddos_level` - (Optional) Protection class, value [`low`, `middle`, `high`]. +* `ddos_speed_limit_config` - (Optional) Access speed limit configuration for DDoS protection. +* `ddos_threshold` - (Optional) DDoS cleaning threshold, value[0, 60, 80, 100, 150, 200, 250, 300, 400, 500, 700, 1000]; When the value is set to 0, it means that the default value is adopted. +* `packet_filters` - (Optional) Feature filtering rules for DDoS protection. +* `protocol_block_config` - (Optional) Protocol block configuration for DDoS protection. + +The `acls` object supports the following: + +* `action` - (Required) Action, optional values: drop, transmit, forward. +* `d_port_end` - (Required) The destination port ends, and the value range is 0~65535. +* `d_port_start` - (Required) The destination port starts, and the value range is 0~65535. +* `forward_protocol` - (Required) Protocol type, desirable values tcp, udp, all. +* `priority` - (Required) Policy priority, the lower the number, the higher the level, the higher the rule matches, taking a value of 1-1000.Note: This field may return null, indicating that a valid value could not be retrieved. +* `s_port_end` - (Required) The source port ends, and the acceptable value ranges from 0 to 65535. +* `s_port_start` - (Required) The source port starts, and the value range is 0~65535. + +The `black_white_ips` object supports the following: + +* `ip_type` - (Required) IP type, value [`black`(blacklist IP), `white` (whitelist IP)]. +* `ip` - (Required) Ip of resource instance. + +The `ddos_connect_limit` object supports the following: + +* `bad_conn_threshold` - (Required) Based on connection suppression trigger threshold, value range [0,4294967295]. +* `conn_timeout` - (Required) Abnormal connection detection condition, connection timeout, value range [0,65535]. +* `dst_conn_limit` - (Required) Concurrent connection control based on destination IP+ destination port. +* `dst_new_limit` - (Required) Limit on the number of news per second based on the destination IP. +* `null_conn_enable` - (Required) Abnormal connection detection conditions, empty connection guard switch, value range[0,1]. +* `sd_conn_limit` - (Required) Concurrent connection control based on source IP + destination IP. +* `sd_new_limit` - (Required) The limit on the number of news per second based on source IP + destination IP. +* `syn_limit` - (Required) Anomaly connection detection condition, syn threshold, value range [0,100]. +* `syn_rate` - (Required) Anomalous connection detection condition, percentage of syn ack, value range [0,100]. + +The `ddos_geo_ip_block_config` object supports the following: + +* `action` - (Required) Block action, take the value [`drop`, `trans`]. +* `area_list` - (Required) When the RegionType is customized, the AreaList must be filled in, and a maximum of 128 must be filled in. +* `region_type` - (Required) Zone type, value [oversea (overseas),china (domestic),customized (custom region)]. + +The `ddos_speed_limit_config` object supports the following: + +* `bandwidth` - (Required) Bandwidth bps. +* `dst_port_list` - (Required) List of port ranges, up to 8, multiple; Separated, the range is represented with -; this port range must be filled in; fill in the style 1:0-65535, style 2:80; 443; 1000-2000. +* `mode` - (Required) Speed limit mode, take the value [1 (speed limit based on source IP),2 (speed limit based on destination port)]. +* `packet_rate` - (Required) Packet rate pps. +* `protocol_list` - (Required) IP protocol numbers, take the value[ ALL (all protocols),TCP (tcp protocol),UDP (udp protocol),SMP (smp protocol),1; 2-100 (custom protocol number range, up to 8)]. + +The `packet_filters` object supports the following: + +* `action` - (Required) Action, take the value [drop,transmit,drop_black (discard and black out),drop_rst (Interception),drop_black_rst (intercept and block),forward]. +* `d_port_end` - (Required) The end destination port, take the value 1~65535, which must be greater than or equal to the starting destination port. +* `d_port_start` - (Required) From the destination port, take the value 0~65535. +* `depth2` - (Required) Second detection depth starting from the second detection position, value [0,1500]. +* `depth` - (Required) Detection depth from the detection position, value [0,1500]. +* `is_not2` - (Required) Whether the second detection contains the detected value, the value [0 (included),1 (not included)]. +* `is_not` - (Required) Whether to include the detected value, take the value [0 (included),1 (not included)]. +* `match_begin2` - (Required) The second detection position. take the value [begin_l3 (IP header),begin_l4 (TCP/UDP header),begin_l5 (T load), no_match (mismatch)]. +* `match_begin` - (Required) Detect position, take the value [begin_l3 (IP header),begin_l4 (TCP/UDP header),begin_l5 (T load), no_match (mismatch)]. +* `match_logic` - (Required) When there is a second detection condition, the and/or relationship with the first detection condition, takes the value [And (and relationship),none (fill in this value when there is no second detection condition)]. +* `match_type2` - (Required) The second type of detection, takes the value [sunday (keyword),pcre (regular expression)]. +* `match_type` - (Required) Detection type, value [sunday (keyword),pcre (regular expression)]. +* `offset2` - (Required) Offset from the second detection position, value range [0,Depth2]. +* `offset` - (Required) Offset from detection position, value range [0, Depth]. +* `pktlen_max` - (Required) The maximum message length, taken from 1 to 1500, must be greater than or equal to the minimum message length. +* `pktlen_min` - (Required) Minimum message length, 1-1500. +* `protocol` - (Required) Protocol, value [tcp udp icmp all]. +* `s_port_end` - (Required) End source port, take the value 1~65535, must be greater than or equal to the starting source port. +* `s_port_start` - (Required) Start the source port, take the value 0~65535. +* `str2` - (Required) The second detection value, the key string or regular expression, takes the value [When the detection type is sunday, please fill in the string or hexadecimal bytecode, for example 13233 corresponds to the hexadecimal bytecode of the string `123`;When the detection type is pcre, please fill in the regular expression string;]. +* `str` - (Required) Detect values, key strings or regular expressions, take the value [When the detection type is sunday, please fill in the string or hexadecimal bytecode, for example 13233 corresponds to the hexadecimal bytecode of the string `123`;When the detection type is pcre, please fill in the regular expression string;]. + +The `protocol_block_config` object supports the following: + +* `drop_icmp` - (Required) ICMP block, value [0 (block off), 1 (block on)]. +* `drop_other` - (Required) Other block, value [0 (block off), 1 (block on)]. +* `drop_tcp` - (Required) TCP block, value [0 (block off), 1 (block on)]. +* `drop_udp` - (Required) UDP block, value [0 (block off), 1 (block on)]. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - ID of the resource. + + + diff --git a/website/tencentcloud.erb b/website/tencentcloud.erb index 9232843666..d9df333702 100644 --- a/website/tencentcloud.erb +++ b/website/tencentcloud.erb @@ -173,6 +173,9 @@
  • Resources