fix(CIS): fix skip action in custom rules (IBM-Cloud#6242)

* fix(CIS): fix skip action in custom rules

* fix changes in update

* Added documentation

* Added documentation

* Added documentation

* Added validation changes

* fix changes for validation

Author: anaghajoshiibm

go.mod

@@ -27,7 +27,7 @@ require (
 	github.com/IBM/logs-go-sdk v0.4.0
 	github.com/IBM/logs-router-go-sdk v1.0.7
 	github.com/IBM/mqcloud-go-sdk v0.2.0
-	github.com/IBM/networking-go-sdk v0.51.4
+	github.com/IBM/networking-go-sdk v0.51.5
 	github.com/IBM/platform-services-go-sdk v0.81.1
 	github.com/IBM/project-go-sdk v0.3.5
 	github.com/IBM/push-notifications-go-sdk v0.0.0-20210310100607-5790b96c47f5

go.sum

@@ -147,8 +147,8 @@ github.com/IBM/logs-router-go-sdk v1.0.7 h1:uQjQAAcQdo3XvhY6MC7HakhZaXIUsGfUmKj2
 github.com/IBM/logs-router-go-sdk v1.0.7/go.mod h1:tCN2vFgu5xG0ob9iJcxi5M4bJ6mWmu3nhmRPnvlwev0=
 github.com/IBM/mqcloud-go-sdk v0.2.0 h1:QOWk8ZGk0QfIL0MOGTKzNdM3Qe0Hk+ifAFtNSFQo5HU=
 github.com/IBM/mqcloud-go-sdk v0.2.0/go.mod h1:VZQKMtqmcdXKhmLhLiPuS/UHMs/5yo2tA/nD83cQt9E=
-github.com/IBM/networking-go-sdk v0.51.4 h1:rkbR+gUkksLKjNYL5YEWEAMv3qddR0mUkxObDMa4l/s=
-github.com/IBM/networking-go-sdk v0.51.4/go.mod h1:gjCFEp+UVP7FUlcq2C1RaoZAXFcD39CQdlUk7uVKko4=
+github.com/IBM/networking-go-sdk v0.51.5 h1:75lKAx17y++hirXK5GcEM23mTRhHnhsv6gmhz70ex1Q=
+github.com/IBM/networking-go-sdk v0.51.5/go.mod h1:wyEnRnBnROgGmSn5UrryycIrbBujHKXf0PmI1NSwcjY=
 github.com/IBM/platform-services-go-sdk v0.81.1 h1:Ch9wUIigyA3HzW7MQnA1WTHAw+QA6W4bSP3ThgzDpx0=
 github.com/IBM/platform-services-go-sdk v0.81.1/go.mod h1:XOowH+JnIih3FA7uilLVM/9VH7XgCmJ4T/i6eZi7gkw=
 github.com/IBM/project-go-sdk v0.3.5 h1:L+YClFUa14foS0B/hOOY9n7sIdsT5/XQicnXOyJSpyM=

ibm/service/cis/data_source_ibm_cis_rulesets.go

@@ -57,6 +57,8 @@ const (
 	CISRulesetsRulePositionIndex                       = "index"
 	CISRulesetRuleId                                   = "rule_id"
 	CISRulesetOverridesScoreThreshold                  = "score_threshold"
+	CISRulesetsRulePhases                              = "phases"
+	CISRulesetsRuleProducts                            = "products"
 )
 
 var CISResponseObject = &schema.Resource{
@@ -219,7 +221,19 @@ var CISResponseObject = &schema.Resource{
 								CISRuleset: {
 									Type:        schema.TypeString,
 									Computed:    true,
-									Description: "Ruleset ID of the ruleset to apply action to.",
+									Description: "Ruleset of the rule",
+								},
+								CISRulesetsRulePhases: {
+									Type:        schema.TypeList,
+									Computed:    true,
+									Description: "Phases of the rule",
+									Elem:        &schema.Schema{Type: schema.TypeString},
+								},
+								CISRulesetsRuleProducts: {
+									Type:        schema.TypeList,
+									Computed:    true,
+									Description: "Products of the rule",
+									Elem:        &schema.Schema{Type: schema.TypeString},
 								},
 								CISRulesetList: {
 									Type:        schema.TypeList,
@@ -489,7 +503,7 @@ func flattenCISRulesets(rulesetObj rulesetsv1.RulesetDetails) interface{} {
 		ruleDetails[CISRulesetsRuleActionDescription] = ruleDetailsObj.Description
 
 		// Not Applicable for now
-		ruleDetails[CISRulesetsRuleLogging] = ruleDetailsObj.Logging
+		//ruleDetails[CISRulesetsRuleLogging] = ruleDetailsObj.Logging
 
 		flattenedActionParameter := flattenCISRulesetsRuleActionParameters(ruleDetailsObj.ActionParameters)
 
@@ -526,6 +540,12 @@ func flattenCISRulesetsRuleActionParameters(rulesetsRuleActionParameterObj *rule
 	if _, ok := actionParametersOutput["rulesets"]; ok {
 		resultOutput[CISRulesetList] = rulesetsRuleActionParameterObj.Rulesets
 	}
+	if val, ok := actionParametersOutput["phases"]; ok {
+		resultOutput[CISRulesetsRulePhases] = val.([]interface{})
+	}
+	if val, ok := actionParametersOutput["products"]; ok {
+		resultOutput[CISRulesetsRuleProducts] = val.([]interface{})
+	}
 	if _, ok := actionParametersOutput["response"]; ok {
 		flattenCISRulesetsRuleActionParameterResponse := flattenCISRulesetsRuleActionParameterResponse(rulesetsRuleActionParameterObj.Response)
 		resultOutput[CISRulesetsRuleActionParametersResponse] = []map[string]interface{}{flattenCISRulesetsRuleActionParameterResponse}

ibm/service/cis/resource_ibm_cis_ruleset.go

@@ -175,7 +175,19 @@ var CISResourceResponseObject = &schema.Resource{
 								CISRuleset: {
 									Type:        schema.TypeString,
 									Optional:    true,
-									Description: "Ruleset ID of the ruleset to apply action to",
+									Description: "Ruleset of the rule",
+								},
+								CISRulesetsRulePhases: {
+									Type:        schema.TypeList,
+									Optional:    true,
+									Description: "Phases of the rule",
+									Elem:        &schema.Schema{Type: schema.TypeString},
+								},
+								CISRulesetsRuleProducts: {
+									Type:        schema.TypeList,
+									Optional:    true,
+									Description: "Products of the rule",
+									Elem:        &schema.Schema{Type: schema.TypeString},
 								},
 								CISRulesetList: {
 									Type:        schema.TypeList,
@@ -572,6 +584,19 @@ func expandCISRulesetsRulesActionParameters(obj interface{}) rulesetsv1.ActionPa
 	}
 	actionParameterRespObj.Rulesets = ruleList
 
+	ruleset := actionParameterObj[CISRuleset].(string)
+	if ruleset != "" {
+		actionParameterRespObj.Ruleset = &ruleset
+	}
+
+	phases := actionParameterObj[CISRulesetsRulePhases].([]interface{})
+	phasesList := flex.ExpandStringList(phases)
+	actionParameterRespObj.Phases = phasesList
+
+	products := actionParameterObj[CISRulesetsRuleProducts].([]interface{})
+	productsList := flex.ExpandStringList(products)
+	actionParameterRespObj.Products = productsList
+
 	finalResponse := make([]rulesetsv1.ActionParameters, 0)
 
 	overrideObj := rulesetsv1.Overrides{}

ibm/service/cis/resource_ibm_cis_ruleset_rule.go

@@ -135,7 +135,19 @@ var CISRulesetsRulesObject = &schema.Resource{
 					CISRuleset: {
 						Type:        schema.TypeString,
 						Optional:    true,
-						Description: "Ruleset ID of the ruleset to apply action to",
+						Description: "Ruleset of the rule",
+					},
+					CISRulesetsRulePhases: {
+						Type:        schema.TypeList,
+						Optional:    true,
+						Description: "Phases of the rule",
+						Elem:        &schema.Schema{Type: schema.TypeString},
+					},
+					CISRulesetsRuleProducts: {
+						Type:        schema.TypeList,
+						Optional:    true,
+						Description: "Products of the rule",
+						Elem:        &schema.Schema{Type: schema.TypeString},
 					},
 					CISRulesetList: {
 						Type:        schema.TypeList,
@@ -433,11 +445,10 @@ func ResourceIBMCISRulesetRuleUpdate(d *schema.ResourceData, meta interface{}) e
 		rulesetsRuleObject := d.Get(CISRulesetsRule).([]interface{})[0].(map[string]interface{})
 		opt.SetDescription(rulesetsRuleObject[CISRulesetsDescription].(string))
 		opt.SetAction(rulesetsRuleObject[CISRulesetsRuleAction].(string))
-		if d.HasChange(CISRulesetsRuleActionParameters) {
+		if rulesetsRuleObject[CISRulesetsRuleActionParameters] != nil {
 			actionParameters := expandCISRulesetsRulesActionParameters(rulesetsRuleObject[CISRulesetsRuleActionParameters])
 			opt.SetActionParameters(&actionParameters)
 		}
-
 		opt.SetEnabled(rulesetsRuleObject[CISRulesetsRuleActionEnabled].(bool))
 		opt.SetExpression(rulesetsRuleObject[CISRulesetsRuleExpression].(string))
 		opt.SetRef(rulesetsRuleObject[CISRulesetsRuleRef].(string))
@@ -472,7 +483,7 @@ func ResourceIBMCISRulesetRuleUpdate(d *schema.ResourceData, meta interface{}) e
 		opt.SetRef(rulesetsRuleObject[CISRulesetsRuleAction].(string))
 		position, err := expandCISRulesetsRulesPositions(rulesetsRuleObject[CISRulesetsRulePosition])
 		if err != nil {
-			return fmt.Errorf("[ERROR] Error while updating the zone Ruleset %s", err)
+			return fmt.Errorf("[ERROR] Error while updating the instance Ruleset %s", err)
 		}
 		opt.SetPosition(&position)
 
@@ -483,7 +494,7 @@ func ResourceIBMCISRulesetRuleUpdate(d *schema.ResourceData, meta interface{}) e
 		_, _, err = sess.UpdateInstanceRulesetRule(opt)
 
 		if err != nil {
-			return fmt.Errorf("[ERROR] Error while updating the zone Ruleset %s", err)
+			return fmt.Errorf("[ERROR] Error while updating the instance Ruleset %s", err)
 		}
 
 		d.SetId(dataSourceCISRulesetsRuleCheckID(d, ruleId))

website/docs/d/cis_ruleset_entrypoint_versions.html.markdown

@@ -88,7 +88,9 @@ Extra attributes when `version` is provide.
           - `enabled` (Boolean) Enables/Disables the rule.
           - `action` (String) Action of the rule.
       - `version` (String) Latest version.
-      - `ruleset` (String) ID of the ruleset.
+      - `ruleset` (String) Ruleset of the rule.
+      - `phases` (List) Phases of the rule.
+      - `products` (List) Products of the rule.
       - `rulesets` (List) IDs of the rulesets.
       - `response` (Map) Custom response from the API.
         - `content` (String) Content of the response.

website/docs/r/cis_ruleset_entrypoint_version.html.markdown

@@ -166,6 +166,9 @@ Review the argument references that you can specify for your resource.
 
       Nested scheme of `action parameters`
       - `id` (Required, String) ID of the managed ruleset to be deployed.
+      - `ruleset` (Optional, String)  Skips the remaining rules in the current ruleset. Allowed value is `current`.
+      - `phases` (Optional, List) Skips the execution of one or more phases. Allowed values for phases are `http_ratelimit`, `http_request_sbfm`, `http_request_firewall_managed`.
+      - `products` (Optional, List) Skips specific security products. Allowed values for products are `zoneLockdown`, `uaBlock`, `bic`, `hot`, `securityLevel`, `rateLimit`, `waf`.
       - `overrides` (Optional, List) Provides the parameters that are to be overridden.
 
         Nested scheme of `overrides`

website/docs/r/cis_ruleset_rule.html.markdown

@@ -108,6 +108,9 @@ Review the argument references that you can specify for your resource.
     - `action_parameters` (Optional, List) Parameters that are used to modify the rules.
     Nested scheme of `action parameters`
       - `id` (Optional, String) ID of the managed ruleset to be deployed. It is not required in custom rule.
+      - `ruleset` (Optional, String)  Skips the remaining rules in the current ruleset. Allowed value is `current`.
+      - `phases` (Optional, List) Skips the execution of one or more phases. Allowed values for phases are `http_ratelimit`, `http_request_sbfm`, `http_request_firewall_managed`.
+      - `products` (Optional, List) Skips specific security products. Allowed values for products are `zoneLockdown`, `uaBlock`, `bic`, `hot`, `securityLevel`, `rateLimit`, `waf`.
       - `response` (Optional, Map). Custom response used for custom rules.
 
         Nested scheme of `response`