Added - Load Balancer and Waf support for Request Ids (WAF Incident ID support)

Author: August Reinig

examples/load_balancer/lb_full/lb_full.tf

@@ -65,7 +65,7 @@ variable "availability_domain" {
 }
 
 provider "oci" {
-  #version          = "5.29.0"
+  #version          = "6.0.0"
   tenancy_ocid     = var.tenancy_ocid
   user_ocid        = var.user_ocid
   fingerprint      = var.fingerprint
@@ -271,6 +271,8 @@ resource "oci_load_balancer" "lb1" {
   }
 
   is_delete_protection_enabled = "false"
+  is_request_id_enabled = "true"
+  request_id_header = "X-MyRequest-Id"
 }
 
 resource "oci_load_balancer" "lb2" {
@@ -374,7 +376,7 @@ resource "oci_load_balancer_backend_set" "lb-bes3" {
   ssl_configuration {
     protocols         = ["TLSv1.1", "TLSv1.2"]
     cipher_suite_name = oci_load_balancer_ssl_cipher_suite.test_ssl_cipher_suite3.name
-    trusted_certificate_authority_ids  = var.trusted_certificate_authority_ids
+    trusted_certificate_authority_ids = jsondecode(var.trusted_certificate_authority_ids)
 
   }
 }
@@ -487,8 +489,8 @@ resource "oci_load_balancer_listener" "lb-listener4" {
   protocol                 = "HTTP"
 
   ssl_configuration {
-    certificate_ids                    = var.certificate_ids
-    trusted_certificate_authority_ids  = var.trusted_certificate_authority_ids
+    certificate_ids                    = jsondecode(var.certificate_ids)
+    trusted_certificate_authority_ids  = jsondecode(var.trusted_certificate_authority_ids)
     verify_peer_certificate            = false
     protocols                          = ["TLSv1.1", "TLSv1.2"]
     server_order_preference            = "ENABLED"

examples/web_app_firewall/waf_full.tf

@@ -78,6 +78,32 @@ resource "oci_waf_web_app_firewall_policy" "test_waf_web_app_firewall_policy" {
     }
   }
 
+  actions {
+    #Required
+    name = "dynamicReturn401Response"
+    type = "RETURN_HTTP_RESPONSE"
+    code = 401
+    body {
+      #Required
+      type = "DYNAMIC"
+      # need $${ so that terraform doesn't try to replace ${http.request.id}
+      template = "{\n\"code\": 401,\n\"message\":\"Unauthorised: requestId: $${http.request.id}}"
+    }
+
+    #Optional
+    headers {
+      #Required
+      name = "Header1"
+      value = "Value1"
+    }
+
+    headers {
+      #Required
+      name = "Header2"
+      value = "Value2"
+    }
+  }
+
   request_access_control {
     #Required
     default_action_name = "defaultAction"
@@ -265,4 +291,4 @@ resource "oci_load_balancer" "lb" {
   display_name               = "lb1"
   is_private                 = true
   network_security_group_ids = [oci_core_network_security_group.test_network_security_group.id]
-}
+}

internal/integrationtest/load_balancer_backend_set_resource_test.go

@@ -61,10 +61,16 @@ func (s *ResourceLoadBalancerBackendSetTestSuite) SetupTest() {
 	
 	resource "oci_load_balancer_certificate" "t" {
 		load_balancer_id = "${oci_load_balancer.t.id}"
-		ca_certificate = "${var.ca_certificate_value}"
+		ca_certificate = <<-EOT
+${var.ca_certificate_value}
+          EOT
 		certificate_name = "tf_cert_name"
-		private_key = "${var.private_key_value}"
-		public_certificate = "${var.ca_certificate_value}"
+		private_key =  <<-EOT
+${var.private_key_value}
+          EOT
+		public_certificate = <<-EOT
+${var.ca_certificate_value}
+          EOT
 	}`
 	s.ResourceName = "oci_load_balancer_backendset.t"
 	s.BackendResourceName = "oci_load_balancer_backend.t"

internal/integrationtest/load_balancer_certificate_test.go

@@ -38,18 +38,31 @@ var (
 	}
 
 	certificateRepresentation = map[string]interface{}{
-		"certificate_name":   acctest.Representation{RepType: acctest.Required, Create: `example_certificate_bundle`},
-		"load_balancer_id":   acctest.Representation{RepType: acctest.Required, Create: `${oci_load_balancer_load_balancer.test_load_balancer.id}`},
-		"ca_certificate":     acctest.Representation{RepType: acctest.Optional, Create: caCertificate},
-		"passphrase":         acctest.Representation{RepType: acctest.Optional, Create: `Mysecretunlockingcode42!1!`},
-		"private_key":        acctest.Representation{RepType: acctest.Optional, Create: `${var.private_key_value}`},
-		"public_certificate": acctest.Representation{RepType: acctest.Optional, Create: `${var.ca_certificate_value}`},
+		"certificate_name": acctest.Representation{RepType: acctest.Required, Create: `example_certificate_bundle`},
+		"load_balancer_id": acctest.Representation{RepType: acctest.Required, Create: `${oci_load_balancer_load_balancer.test_load_balancer.id}`},
+		"ca_certificate":   acctest.Representation{RepType: acctest.Optional, Create: caCertificate},
+		// We don't test with private keys but if we were to do so we would have to set this.
+		// "passphrase":         acctest.Representation{RepType: acctest.Optional, Create: `Mysecretunlockingcode42!1!`},
+		"private_key":        acctest.Representation{RepType: acctest.Optional, Create: privateKeyData},
+		"public_certificate": acctest.Representation{RepType: acctest.Optional, Create: caCertificate},
 	}
 
-	caCertificate            = strings.ReplaceAll(utils.GetEnvSettingWithBlankDefault("ca_certificate"), `\\n`, `\n`)
+	// The following assumes you set the TF_VAR_ca_certificate variable to something like the following:
+	//     export TF_VAR_private_key_value="$(cat ~/certificate/example_2.com.key)"
+	// which results in
+	//     $ printenv TF_VAR_ca_certificate
+	//     -----BEGIN CERTIFICATE-----
+	//     MIIFRDCCAyygAwIBAgIUDB9s8795KLpchjLPGFI9sqdVaT4wDQYJKoZIhvcNAQEL
+	//     ...
+	//     eaiXT7X2gvU=
+	//     -----END CERTIFICATE-----
+	// We want the string
+	//     "-----BEGIN CERTIFICATE-----\\nMIIFRDCC...\\neaiXT7X2gvU=\\n-----END CERTIFICATE-----"
+	caCertificate            = strings.ReplaceAll(utils.GetEnvSettingWithBlankDefault("ca_certificate"), "\n", "\\n")
 	caCertificateVariableStr = fmt.Sprintf("variable \"ca_certificate_value\" { default = \"%s\" }\n", caCertificate)
-	privateKeyData           = utils.GetEnvSettingWithBlankDefault("private_key_data")
-	privateKeyVariableStr    = fmt.Sprintf("variable \"private_key_value\" { default = \"%s\" }\n", privateKeyData)
+
+	privateKeyData        = strings.ReplaceAll(utils.GetEnvSettingWithBlankDefault("private_key_data"), "\n", "\\n")
+	privateKeyVariableStr = fmt.Sprintf("variable \"private_key_value\" { default = \"%s\" }\n", privateKeyData)
 
 	CertificateResourceDependencies = acctest.GenerateResourceFromRepresentationMap("oci_load_balancer_load_balancer", "test_load_balancer", acctest.Required, acctest.Create, loadBalancerRepresentation) +
 		LoadBalancerSubnetDependencies + privateKeyVariableStr + caCertificateVariableStr
@@ -96,8 +109,10 @@ func TestLoadBalancerCertificateResource_basic(t *testing.T) {
 				resource.TestMatchResourceAttr(resourceName, "ca_certificate", regexp.MustCompile("-----BEGIN CERT.*")),
 				resource.TestCheckResourceAttr(resourceName, "certificate_name", "example_certificate_bundle"),
 				resource.TestCheckResourceAttrSet(resourceName, "load_balancer_id"),
-				resource.TestCheckResourceAttr(resourceName, "passphrase", "Mysecretunlockingcode42!1!"),
-				resource.TestMatchResourceAttr(resourceName, "private_key", regexp.MustCompile("-----BEGIN ENCRYPTED PRIVATE KEY.*")),
+				// We don't test with private keys but if we were to do so we would have to set
+				// resource.TestCheckResourceAttr(resourceName, "passphrase", "Mysecretunlockingcode42!1!"),
+				// resource.TestMatchResourceAttr(resourceName, "private_key", regexp.MustCompile("-----BEGIN PRIVATE ENCRYPTED KEY.*")),
+				resource.TestMatchResourceAttr(resourceName, "private_key", regexp.MustCompile("-----BEGIN PRIVATE KEY.*")),
 				resource.TestMatchResourceAttr(resourceName, "public_certificate", regexp.MustCompile("-----BEGIN CERT.*")),
 
 				func(s *terraform.State) (err error) {

internal/integrationtest/load_balancer_load_balancer_test.go

@@ -54,6 +54,8 @@ var (
 
 		"freeform_tags":                acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"Department": "Finance"}, Update: map[string]string{"Department": "Accounting"}},
 		"is_private":                   acctest.Representation{RepType: acctest.Optional, Create: `false`},
+		"is_request_id_enabled":        acctest.Representation{RepType: acctest.Optional, Create: `true`, Update: `true`},
+		"request_id_header":            acctest.Representation{RepType: acctest.Optional, Create: ``, Update: `X-MyRequestB-Id`},
 		"is_delete_protection_enabled": acctest.Representation{RepType: acctest.Optional, Create: `false`, Update: `true`},
 		"reserved_ips":                 acctest.RepresentationGroup{RepType: acctest.Optional, Group: loadBalancerReservedIpsRepresentation},
 		"network_security_group_ids":   acctest.Representation{RepType: acctest.Optional, Create: []string{`${oci_core_network_security_group.test_network_security_group1.id}`}, Update: []string{}},
@@ -193,12 +195,13 @@ func TestLoadBalancerLoadBalancerResource_basic(t *testing.T) {
 				acctest.GenerateResourceFromRepresentationMap("oci_load_balancer_load_balancer", "test_load_balancer", acctest.Optional, acctest.Create, loadBalancerRepresentation),
 			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
 				resource.TestCheckResourceAttr(resourceName, "compartment_id", compartmentId),
-				//Commenting this out as we are ignoring the changes to the tags in the resource representation.
 				resource.TestCheckResourceAttr(resourceName, "display_name", "example_load_balancer"),
 				resource.TestCheckResourceAttr(resourceName, "freeform_tags.%", "1"),
 				resource.TestCheckResourceAttrSet(resourceName, "id"),
 				resource.TestCheckResourceAttr(resourceName, "is_delete_protection_enabled", "false"),
 				resource.TestCheckResourceAttr(resourceName, "is_private", "false"),
+				resource.TestCheckResourceAttr(resourceName, "is_request_id_enabled", "true"),
+				resource.TestCheckResourceAttr(resourceName, "request_id_header", "X-Request-Id"),
 				resource.TestCheckResourceAttr(resourceName, "reserved_ips.#", "1"),
 				resource.TestCheckResourceAttrSet(resourceName, "reserved_ips.0.id"),
 				resource.TestCheckResourceAttr(resourceName, "network_security_group_ids.#", "1"),
@@ -228,12 +231,13 @@ func TestLoadBalancerLoadBalancerResource_basic(t *testing.T) {
 					})),
 			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
 				resource.TestCheckResourceAttr(resourceName, "compartment_id", compartmentIdU),
-				//Commenting this out as we are ignoring the changes to the tags in the resource representation.
 				resource.TestCheckResourceAttr(resourceName, "display_name", "example_load_balancer"),
 				resource.TestCheckResourceAttr(resourceName, "freeform_tags.%", "1"),
 				resource.TestCheckResourceAttrSet(resourceName, "id"),
 				resource.TestCheckResourceAttr(resourceName, "is_delete_protection_enabled", "false"),
 				resource.TestCheckResourceAttr(resourceName, "is_private", "false"),
+				resource.TestCheckResourceAttr(resourceName, "is_request_id_enabled", "true"),
+				resource.TestCheckResourceAttr(resourceName, "request_id_header", "X-Request-Id"),
 				resource.TestCheckResourceAttr(resourceName, "reserved_ips.#", "1"),
 				resource.TestCheckResourceAttrSet(resourceName, "reserved_ips.0.id"),
 				resource.TestCheckResourceAttr(resourceName, "shape", "100Mbps"),
@@ -257,12 +261,13 @@ func TestLoadBalancerLoadBalancerResource_basic(t *testing.T) {
 				acctest.GenerateResourceFromRepresentationMap("oci_load_balancer_load_balancer", "test_load_balancer", acctest.Optional, acctest.Update, loadBalancerRepresentation),
 			Check: acctest.ComposeAggregateTestCheckFuncWrapper(
 				resource.TestCheckResourceAttr(resourceName, "compartment_id", compartmentId),
-				//Commenting this out as we are ignoring the changes to the tags in the resource representation.
 				resource.TestCheckResourceAttr(resourceName, "display_name", "displayName2"),
 				resource.TestCheckResourceAttr(resourceName, "freeform_tags.%", "1"),
 				resource.TestCheckResourceAttrSet(resourceName, "id"),
 				resource.TestCheckResourceAttr(resourceName, "is_delete_protection_enabled", "true"),
 				resource.TestCheckResourceAttr(resourceName, "is_private", "false"),
+				resource.TestCheckResourceAttr(resourceName, "is_request_id_enabled", "true"),
+				resource.TestCheckResourceAttr(resourceName, "request_id_header", "X-MyRequestB-Id"),
 				resource.TestCheckResourceAttr(resourceName, "reserved_ips.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "shape", "400Mbps"),
 				resource.TestCheckResourceAttrSet(resourceName, "reserved_ips.0.id"),
@@ -294,14 +299,15 @@ func TestLoadBalancerLoadBalancerResource_basic(t *testing.T) {
 
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.#", "1"),
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.compartment_id", compartmentId),
-				//Commenting this out as we are ignoring the changes to the tags in the resource representation.
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.display_name", "displayName2"),
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.freeform_tags.%", "1"),
 				resource.TestCheckResourceAttrSet(datasourceName, "load_balancers.0.id"),
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.ip_address_details.#", "1"),
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.is_delete_protection_enabled", "true"),
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.is_private", "false"),
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.network_security_group_ids.#", "0"),
+				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.is_request_id_enabled", "true"),
+				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.request_id_header", "X-MyRequestB-Id"),
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.shape", "400Mbps"),
 				resource.TestCheckResourceAttrSet(datasourceName, "load_balancers.0.state"),
 				resource.TestCheckResourceAttr(datasourceName, "load_balancers.0.subnet_ids.#", "2"),