Support approved_ips on account_user resource (#628)

yelenaNahum · web-flow · commit 187cc8b048bb · 2026-02-19T09:58:32.000+02:00
* Add approved_ips to account_user resource

* Add approved_ips to account_user resource

* Add approved_ips to account_user resource

* Add approved_ips to account_user resource

* Add approved_ips to account_user resource

* Add approved_ips to account_user resource

* Add approved_ips to account_user resource

* Add approved_ips to account_user resource
diff --git a/incapsula/client_account_user.go b/incapsula/client_account_user.go
@@ -15,12 +15,13 @@ const endpointUserOperationNew = "identity-management/v3/idm-users"
 // UserApisResponse contains the relevant user information when adding, getting or updating a user
 type UserApisResponse struct {
 	Data []struct {
-		UserID    string `json:"id"`
-		AccountID int    `json:"accountId"`
-		FirstName string `json:"firstName"`
-		LastName  string `json:"lastName"`
-		Email     string `json:"email"`
-		Roles     []struct {
+		UserID      string   `json:"id"`
+		AccountID   int      `json:"accountId"`
+		FirstName   string   `json:"firstName"`
+		LastName    string   `json:"lastName"`
+		Email       string   `json:"email"`
+		ApprovedIps []string `json:"approvedIps"`
+		Roles       []struct {
 			RoleID   int    `json:"id"`
 			RoleName string `json:"name"`
 		} `json:"roles"`
@@ -29,39 +30,47 @@ type UserApisResponse struct {
 
 type UserApisUpdateResponse struct {
 	Data []struct {
-		UserID    string `json:"id"`
-		AccountID int    `json:"accountId"`
-		FirstName string `json:"firstName"`
-		LastName  string `json:"lastName"`
-		Email     string `json:"email"`
-		Roles     []struct {
+		UserID      string   `json:"id"`
+		AccountID   int      `json:"accountId"`
+		FirstName   string   `json:"firstName"`
+		LastName    string   `json:"lastName"`
+		Email       string   `json:"email"`
+		ApprovedIps []string `json:"approvedIps"`
+		Roles       []struct {
 			RoleID   int    `json:"id"`
 			RoleName string `json:"name"`
 		} `json:"roles"`
 	} `json:"data"`
 }
 
 type UserAddReq struct {
-	UserEmail string `json:"email"`
-	RoleIds   []int  `json:"roleIds"`
-	FirstName string `json:"firstName"`
-	LastName  string `json:"lastName"`
+	UserEmail   string   `json:"email"`
+	RoleIds     []int    `json:"roleIds"`
+	FirstName   string   `json:"firstName"`
+	LastName    string   `json:"lastName"`
+	ApprovedIps []string `json:"approvedIps"`
 }
 
 type UserUpdateReq struct {
-	RoleIds []int `json:"roleIds"`
+	RoleIds     *[]int    `json:"roleIds,omitempty"`
+	ApprovedIps *[]string `json:"approvedIps,omitempty"`
 }
 
 // AddAccountUser adds a user to Incapsula Account
-func (c *Client) AddAccountUser(accountID int, email, firstName, lastName string, roleIds []interface{}) (*UserApisResponse, error) {
+func (c *Client) AddAccountUser(accountID int, email, firstName, lastName string, roleIds []interface{}, approvedIps []interface{}) (*UserApisResponse, error) {
 	log.Printf("[INFO] Adding Incapsula account user for email: %s (account ID %d)\n", email, accountID)
 
 	listRoles := make([]int, len(roleIds))
 	for i, v := range roleIds {
 		listRoles[i] = v.(int)
 	}
 
-	userAddReq := UserAddReq{UserEmail: email, RoleIds: listRoles, FirstName: firstName, LastName: lastName}
+	listApprovedIps := make([]string, len(approvedIps))
+	for i, v := range approvedIps {
+		listApprovedIps[i] = v.(string)
+	}
+
+	userAddReq := UserAddReq{UserEmail: email, RoleIds: listRoles, FirstName: firstName, LastName: lastName, ApprovedIps: listApprovedIps}
 
 	userJSON, err := json.Marshal(userAddReq)
 	if err != nil {
@@ -144,16 +153,40 @@ func (c *Client) GetAccountUser(accountID int, email string) (*UserApisResponse,
 }
 
 // UpdateAccountUser User Roles
-func (c *Client) UpdateAccountUser(accountID int, email string, roleIds []interface{}) (*UserApisUpdateResponse, error) {
+// Pass nil for roleIds or approvedIps to leave them unchanged (for PATCH semantics)
+func (c *Client) UpdateAccountUser(accountID int, email string, roleIds []interface{}, approvedIps []interface{}) (*UserApisUpdateResponse, error) {
 	log.Printf("[INFO] Update Incapsula User for email: %s (account ID %d)\n", email, accountID)
-	listRoles := make([]int, len(roleIds))
-	for i, v := range roleIds {
-		listRoles[i] = v.(int)
+	log.Printf("[DEBUG] UpdateAccountUser called with roleIds=%v (nil: %v), approvedIps=%v (nil: %v)\n",
+		roleIds, roleIds == nil, approvedIps, approvedIps == nil)
+
+	userUpdateReq := UserUpdateReq{}
+
+	// Only include roleIds if provided (not nil)
+	if roleIds != nil {
+		listRoles := make([]int, len(roleIds))
+		for i, v := range roleIds {
+			listRoles[i] = v.(int)
+		}
+		userUpdateReq.RoleIds = &listRoles
+		log.Printf("[DEBUG] Including roleIds in request: %v\n", listRoles)
+	} else {
+		log.Printf("[DEBUG] NOT including roleIds in request (nil parameter)\n")
 	}
 
-	userUpdateReq := UserUpdateReq{RoleIds: listRoles}
+	// Only include approvedIps if provided (not nil)
+	if approvedIps != nil {
+		listApprovedIps := make([]string, len(approvedIps))
+		for i, v := range approvedIps {
+			listApprovedIps[i] = v.(string)
+		}
+		userUpdateReq.ApprovedIps = &listApprovedIps
+		log.Printf("[DEBUG] Including approvedIps in request: %v\n", listApprovedIps)
+	} else {
+		log.Printf("[DEBUG] NOT including approvedIps in request (nil parameter)\n")
+	}
 
 	userJSON, err := json.Marshal(userUpdateReq)
+	log.Printf("[DEBUG] Final JSON payload: %s\n", string(userJSON))
 	if err != nil {
 		return nil, fmt.Errorf("Failed to JSON marshal IncapRule: %s", err)
 	}
diff --git a/incapsula/client_account_user_test.go b/incapsula/client_account_user_test.go
@@ -20,7 +20,8 @@ func TestClientAddUserBadConnection(t *testing.T) {
 
 	roleIds := make([]interface{}, 1)
 	roleIds[0] = 0
-	UserAddResponse, err := client.AddAccountUser(0, email, "", "", roleIds)
+	approvedIps := make([]interface{}, 0)
+	UserAddResponse, err := client.AddAccountUser(0, email, "", "", roleIds, approvedIps)
 	if err == nil {
 		t.Errorf("Should have received an error")
 	}
@@ -47,7 +48,8 @@ func TestClientAddUserBadJSON(t *testing.T) {
 	email := "example@example.com"
 	roleIds := make([]interface{}, 1)
 	roleIds[0] = 10
-	UserAddResponse, err := client.AddAccountUser(accountID, email, "f", "l", roleIds)
+	approvedIps := make([]interface{}, 0)
+	UserAddResponse, err := client.AddAccountUser(accountID, email, "f", "l", roleIds, approvedIps)
 	if err == nil {
 		t.Errorf("Should have received an error")
 	}
@@ -156,7 +158,8 @@ func TestClientUpdateUserBadConnection(t *testing.T) {
 	email := "example@example.com"
 	roleIds := make([]interface{}, 1)
 	roleIds[0] = 10
-	updateUserResponse, err := client.UpdateAccountUser(accountID, email, roleIds)
+	approvedIps := make([]interface{}, 0)
+	updateUserResponse, err := client.UpdateAccountUser(accountID, email, roleIds, approvedIps)
 	if err == nil {
 		t.Errorf("Should have received an error")
 	}
@@ -182,9 +185,10 @@ func TestClientUpdateUserBadJSON(t *testing.T) {
 
 	roleIds := make([]interface{}, 1)
 	roleIds[0] = 10
+	approvedIps := make([]interface{}, 0)
 	config := &Config{APIID: "foo", APIKey: "bar", BaseURLAPI: server.URL}
 	client := &Client{config: config, httpClient: &http.Client{}}
-	updateUserResponse, err := client.UpdateAccountUser(accountID, email, roleIds)
+	updateUserResponse, err := client.UpdateAccountUser(accountID, email, roleIds, approvedIps)
 	if err == nil {
 		t.Errorf("Should have received an error")
 	}
diff --git a/incapsula/resource_account_user.go b/incapsula/resource_account_user.go
@@ -76,6 +76,16 @@ func resourceAccountUser() *schema.Resource {
 					Type: schema.TypeInt,
 				},
 				Optional: true,
+				Computed: true,
+			},
+			"approved_ips": {
+				Description: "List of approved IP addresses from which the user is allowed to access the Cloud Security Console via the UI or API.",
+				Type:        schema.TypeList,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Optional: true,
+				Computed: true,
 			},
 
 			// Computed Arguments
@@ -121,12 +131,14 @@ func resourceUserCreate(d *schema.ResourceData, m interface{}) error {
 	log.Printf("[INFO] Creating Incapsula user for email: %s\n", email)
 
 	roleIds := d.Get("role_ids").(*schema.Set)
+	approvedIps := d.Get("approved_ips").([]interface{})
 	UserAddResponse, err := client.AddAccountUser(
 		accountId,
 		email,
 		d.Get("first_name").(string),
 		d.Get("last_name").(string),
 		roleIds.List(),
+		approvedIps,
 	)
 
 	if err != nil {
@@ -167,16 +179,37 @@ func resourceUserRead(d *schema.ResourceData, m interface{}) error {
 
 	log.Printf("[INFO]listRoles : %v\n", userStatusResponse.Data[0].Roles)
 
-	listRolesIds := make([]int, len(userStatusResponse.Data[0].Roles))
-	listRolesNames := make([]string, len(userStatusResponse.Data[0].Roles))
-	for i, v := range userStatusResponse.Data[0].Roles {
+	// Normalize roles: if API returns null, treat it as empty list
+	roles := userStatusResponse.Data[0].Roles
+	if roles == nil {
+		log.Printf("[DEBUG] API returned nil for roles, normalizing to empty list\n")
+		roles = make([]struct {
+			RoleID   int    `json:"id"`
+			RoleName string `json:"name"`
+		}, 0)
+	}
+
+	listRolesIds := make([]int, len(roles))
+	listRolesNames := make([]string, len(roles))
+	for i, v := range roles {
 		listRolesIds[i] = v.RoleID
 		listRolesNames[i] = v.RoleName
 	}
+	log.Printf("[DEBUG] Setting role_ids in state: %v\n", listRolesIds)
 
 	d.Set("email", userStatusResponse.Data[0].Email)
 	d.Set("account_id", userStatusResponse.Data[0].AccountID)
 
+	// Normalize approved_ips: if API returns null, treat it as empty list
+	// This prevents Terraform from showing drift when approved_ips is not set
+	approvedIps := userStatusResponse.Data[0].ApprovedIps
+	if approvedIps == nil {
+		log.Printf("[DEBUG] API returned nil for approved_ips, normalizing to empty list\n")
+		approvedIps = []string{}
+	}
+	log.Printf("[DEBUG] Setting approved_ips in state: %v\n", approvedIps)
+	d.Set("approved_ips", approvedIps)
+
 	accountStatusResponse, err := client.AccountStatus(accountID, ReadAccount)
 	if accountStatusResponse != nil && accountStatusResponse.AccountType == "Sub Account" {
 		log.Printf("[DEBUG] User creation on Sub Account, setting null value to avoid forces replacement\n")
@@ -199,13 +232,39 @@ func resourceUserUpdate(d *schema.ResourceData, m interface{}) error {
 	email := d.Get("email").(string)
 	accountId := d.Get("account_id").(int)
 
-	log.Printf("[INFO] Creating Incapsula user for email: %s\n", email)
+	log.Printf("[INFO] Updating Incapsula user for email: %s\n", email)
+
+	// Only send fields that have changed (PATCH semantics)
+	var roleIds []interface{}
+	var approvedIps []interface{}
+
+	roleIdsChanged := d.HasChange("role_ids")
+	approvedIpsChanged := d.HasChange("approved_ips")
+
+	log.Printf("[DEBUG] role_ids changed: %v, approved_ips changed: %v\n", roleIdsChanged, approvedIpsChanged)
+
+	if roleIdsChanged {
+		roleIds = d.Get("role_ids").(*schema.Set).List()
+		log.Printf("[DEBUG] role_ids will be updated: %v\n", roleIds)
+	} else {
+		roleIds = nil
+		log.Printf("[DEBUG] role_ids will NOT be updated (nil)\n")
+	}
+
+	if approvedIpsChanged {
+		approvedIps = d.Get("approved_ips").([]interface{})
+		log.Printf("[DEBUG] approved_ips will be updated: %v (is nil: %v, length: %d)\n",
+			approvedIps, approvedIps == nil, len(approvedIps))
+	} else {
+		approvedIps = nil
+		log.Printf("[DEBUG] approved_ips will NOT be updated (nil)\n")
+	}
 
-	roleIds := d.Get("role_ids").(*schema.Set)
 	userUpdateResponse, err := client.UpdateAccountUser(
 		accountId,
 		email,
-		roleIds.List(),
+		roleIds,
+		approvedIps,
 	)
 	if err != nil {
 		log.Printf("[ERROR] Could not update user for email: %s, %s\n", email, err)
diff --git a/incapsula/resource_account_user_test.go b/incapsula/resource_account_user_test.go
@@ -82,6 +82,26 @@ func TestIncapsulaAccountUser_Update(t *testing.T) {
 	})
 }
 
+func TestIncapsulaAccountUser_WithApprovedIps(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckIncapsulaAccountUserDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testCheckIncapsulaAccountUserConfigWithApprovedIps(t, accountUserEmail),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckIncapsulaAccountUserExists(accountResourceUserTypeName),
+					resource.TestCheckResourceAttr(accountResourceUserTypeName, "email", accountUserEmail),
+					resource.TestCheckResourceAttr(accountResourceUserTypeName, "approved_ips.#", "2"),
+					resource.TestCheckResourceAttr(accountResourceUserTypeName, "approved_ips.0", "192.168.1.1"),
+					resource.TestCheckResourceAttr(accountResourceUserTypeName, "approved_ips.1", "10.0.0.5"),
+				),
+			},
+		},
+	})
+}
+
 func TestIncapsulaAccountUser_ImportBasic(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@@ -240,3 +260,18 @@ func testCheckIncapsulaAccountUserConfigUpdate(t *testing.T) string {
 		accountResourceUserType, accountResourceUserName, accountUserEmail, accountUserFirstName, accountUserLastName,
 	)
 }
+
+func testCheckIncapsulaAccountUserConfigWithApprovedIps(t *testing.T, email string) string {
+	return fmt.Sprintf(`
+		data "incapsula_account_data" "account_data" {}
+
+		resource "%s" "%s" {
+			account_id = data.incapsula_account_data.account_data.current_account
+			email = "%s"
+			first_name = "%s"
+			last_name = "%s"
+			approved_ips = ["192.168.1.1", "10.0.0.5"]
+		}`,
+		accountResourceUserType, accountResourceUserName, email, accountUserFirstName, accountUserLastName,
+	)
+}
diff --git a/website/docs/r/account_user.html.markdown b/website/docs/r/account_user.html.markdown
@@ -35,6 +35,21 @@ resource "incapsula_account_user" "user_1" {
 
 ```
 
+### Usage with Approved IPs
+
+User creation with approved IP addresses for login restrictions.
+
+```hcl
+resource "incapsula_account_user" "user_with_ips" {
+  account_id = data.incapsula_account_data.account_data.current_account
+  email = "example@terraform.com"
+  first_name = "First"
+  last_name = "Last"
+  approved_ips = ["192.168.1.1", "10.0.0.5", "172.16.0.10"]
+}
+
+```
+
 ### Role References Usage
 
 Usage with role reference.
@@ -88,6 +103,7 @@ resource "incapsula_account_user" "user_3" {
     incapsula_account_role.role_2.id,
     data.incapsula_account_roles.roles.reader_role_id,
   ]
+  approved_ips = ["192.168.1.1", "10.0.0.0/24"]
 }
 ```
 
@@ -151,6 +167,8 @@ The following arguments are supported:
 * `last_name` - (Optional) The user's last name. This attribute cannot be updated.
 * `role_ids` - (Optional) List of role ids to be associated with the user. <p/>
   Default value is an empty list (user with no roles).
+* `approved_ips` - (Optional) List of approved IP addresses from which the user is allowed to access the Cloud Security Console via the UI or API. <p/>
+  Supports individual IPs, IP ranges, and CIDR notation. Default value is an empty list (no IP restrictions).
 
 
 ## Attributes Reference
