TF | Support client_apps & countries & continents in bot_access_control rule exception (#606)

Karin-Yechilzuke-Imperva · web-flow · commit 2dfbe081a7d1 · 2025-12-17T19:23:47.000+02:00
* adding missing args

* added acceptance tests
diff --git a/incapsula/client_security_rule_exception.go b/incapsula/client_security_rule_exception.go
@@ -22,7 +22,7 @@ var securityRuleExceptionParamMapping = map[string][]string{
 	blacklistedURLsExceptionRuleID:      {"client_apps", "countries", "continents", "ips", "urls"},
 	// WAF RuleIDs
 	backdoorExceptionRuleID:              {"client_apps", "countries", "continents", "ips", "urls", "user_agents", "parameters"},
-	botAccessControlExceptionRuleID:      {"client_app_types", "ips", "urls", "user_agents"},
+	botAccessControlExceptionRuleID:      {"client_app_types", "client_apps", "countries", "continents", "ips", "urls", "user_agents"},
 	crossSiteScriptingExceptionRuleID:    {"client_apps", "countries", "continents", "urls", "parameters"},
 	ddosExceptionRuleID:                  {"client_apps", "countries", "continents", "ips", "urls"},
 	illegalResourceAccessExceptionRuleID: {"client_apps", "countries", "continents", "ips", "urls", "parameters"},
diff --git a/incapsula/resource_security_rule_exception.go b/incapsula/resource_security_rule_exception.go
@@ -352,10 +352,10 @@ func resourceSecurityRuleExceptionUpdate(d *schema.ResourceData, m interface{})
 		_, err := client.EditSecurityRuleException(
 			d.Get("site_id").(int),
 			ruleID,
-			"",
-			"",
-			"",
-			"",
+			d.Get("client_app_types").(string),
+			d.Get("client_apps").(string),
+			d.Get("countries").(string),
+			d.Get("continents").(string),
 			d.Get("ips").(string),
 			d.Get("urls").(string),
 			d.Get("user_agents").(string),
diff --git a/incapsula/resource_security_rule_exception_test.go b/incapsula/resource_security_rule_exception_test.go
@@ -2,6 +2,7 @@ package incapsula
 
 import (
 	"fmt"
+	"regexp"
 	"strconv"
 	"testing"
 
@@ -11,6 +12,8 @@ import (
 
 const securityRuleExceptionNameBlacklistedCountries = "Example security rule exception - blacklisted_countries"
 const securityRuleExceptionResourceNameBlacklistedCountries = "incapsula_security_rule_exception.example-waf-blacklisted-countries-rule-exception"
+const securityRuleExceptionNameBotAccessControl = "Example security rule exception - bot_access_control"
+const securityRuleExceptionResourceNameBotAccessControl = "incapsula_security_rule_exception.example-waf-bot-access-control-rule-exception"
 
 ////////////////////////////////////////////////////////////////
 // AccCheckAddSecurityRuleException Tests
@@ -85,6 +88,58 @@ func testAccCheckSecurityRuleExceptionCreateInvalidParams(t *testing.T) {
 	})
 }
 
+func TestAccCheckSecurityRuleExceptionCreateValidRuleBots(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckSecurityRuleExceptionDestroyBots,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckSecurityRuleExceptionGoodConfigBots(t),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckSecurityRuleExceptionExistsBots(securityRuleExceptionResourceNameBotAccessControl),
+					resource.TestCheckResourceAttr(securityRuleExceptionResourceNameBotAccessControl, "rule_id", "api.threats.bot_access_control"),
+					resource.TestCheckResourceAttr(securityRuleExceptionResourceNameBotAccessControl, "client_app_types", "DataScraper"),
+					resource.TestCheckResourceAttr(securityRuleExceptionResourceNameBotAccessControl, "client_apps", "123,488"),
+					resource.TestCheckResourceAttr(securityRuleExceptionResourceNameBotAccessControl, "countries", "JM"),
+					resource.TestCheckResourceAttr(securityRuleExceptionResourceNameBotAccessControl, "continents", "EU"),
+					resource.TestCheckResourceAttr(securityRuleExceptionResourceNameBotAccessControl, "ips", "1.2.3.6,1.2.3.7"),
+					resource.TestCheckResourceAttr(securityRuleExceptionResourceNameBotAccessControl, "urls", "/myurl"),
+					resource.TestCheckResourceAttr(securityRuleExceptionResourceNameBotAccessControl, "user_agents", "myUserAgent"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccCheckSecurityRuleExceptionCreateInvalidRuleIDBots(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckSecurityRuleExceptionDestroyBots,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccCheckSecurityRuleExceptionInvalidConfigBots(t),
+				ExpectError: regexp.MustCompile("invalid rule_id"),
+			},
+		},
+	})
+}
+
+func TestAccCheckSecurityRuleExceptionCreateInvalidParamsBots(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckSecurityRuleExceptionDestroyBots,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccCheckSecurityRuleExceptionInvalidParamsBots(t),
+				ExpectError: regexp.MustCompile("Error parsing SecurityRuleExceptionCreateResponse JSON response"),
+			},
+		},
+	})
+}
+
 ////////////////////////////////////////////////////////////////
 // testAccCheckSecurityRuleExceptionDestroy Tests
 ////////////////////////////////////////////////////////////////
@@ -156,6 +211,69 @@ func testAccStateSecurityRuleExceptionID(s *terraform.State) (string, error) {
 	return "", fmt.Errorf("Error finding site_id")
 }
 
+func testAccCheckSecurityRuleExceptionDestroyBots(state *terraform.State) error {
+	client := testAccProvider.Meta().(*Client)
+
+	for _, res := range state.RootModule().Resources {
+		if res.Type != "incapsula_security_rule_exception" {
+			continue
+		}
+
+		ruleID := res.Primary.ID
+		if ruleID == "" {
+			return fmt.Errorf("Incapsula security rule exception does not exist")
+		}
+
+		siteID := res.Primary.Attributes["site_id"]
+		if siteID == "" {
+			return fmt.Errorf("incapsula site_id does not exist")
+		}
+
+		siteIDInt, err := strconv.Atoi(siteID)
+		if err != nil {
+			return fmt.Errorf("Error parsing siteID %s to int", siteID)
+		}
+
+		siteStatusResponse, _ := client.ListSecurityRuleExceptions(siteID, ruleID)
+		if siteStatusResponse.SiteID == siteIDInt {
+			return fmt.Errorf("site id (%s) still exists", siteID)
+		}
+	}
+
+	return nil
+}
+
+func testCheckSecurityRuleExceptionExistsBots(name string) resource.TestCheckFunc {
+	return func(state *terraform.State) error {
+		res, ok := state.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Incapsula security rule exception resource not found: %s", name)
+		}
+
+		ruleID := res.Primary.ID
+		if ruleID == "" {
+			return fmt.Errorf("Incapsula security exception rule rule_id (%s) does not exist", ruleID)
+		}
+
+		siteID := res.Primary.Attributes["site_id"]
+		if siteID == "" {
+			return fmt.Errorf("incapsula site_id does not exist")
+		}
+
+		client := testAccProvider.Meta().(*Client)
+		siteStatusResponse, err := client.ListSecurityRuleExceptions(siteID, ruleID)
+		if err != nil {
+			return fmt.Errorf("ListSecurityRuleExceptions Error for site_id (%s) and rule_id (%s) %s", siteID, ruleID, err)
+		}
+
+		if siteStatusResponse == nil {
+			return fmt.Errorf("Incapsula security rule exception for site id (%s) and rule_id (%s) does not exist", siteID, ruleID)
+		}
+
+		return nil
+	}
+}
+
 // Good Security Rule Exception configs
 func testAccCheckACLSecurityRuleExceptionGoodConfigBlacklistedCountries(t *testing.T) string {
 	return testAccCheckIncapsulaSiteConfigBasic(GenerateTestDomain(t)) + fmt.Sprintf("%s%s", `
@@ -193,3 +311,53 @@ resource "incapsula_security_rule_exception" "example-waf-blacklisted-countries-
 }`, securityRuleExceptionResourceNameBlacklistedCountries,
 	)
 }
+
+// Good Security Rule Exception configs - bots
+func testAccCheckSecurityRuleExceptionGoodConfigBots(t *testing.T) string {
+	return testAccCheckIncapsulaSiteConfigBasic(GenerateTestDomain(t)) + fmt.Sprintf("%s", `
+resource "incapsula_security_rule_exception" "example-waf-bot-access-control-rule-exception" {
+  site_id = "${incapsula_site.testacc-terraform-site.id}"
+  rule_id = "api.threats.bot_access_control"
+  client_app_types="DataScraper"
+  client_apps="488,123"
+  countries="JM"
+  continents="EU"
+  ips="1.2.3.6,1.2.3.7"
+  urls="/myurl"
+  user_agents="myUserAgent"
+}`,
+	)
+}
+
+// Bad Security Rule Exception configs - bots
+func testAccCheckSecurityRuleExceptionInvalidConfigBots(t *testing.T) string {
+	return testAccCheckIncapsulaSiteConfigBasic(GenerateTestDomain(t)) + fmt.Sprintf("%s", `
+resource "incapsula_security_rule_exception" "example-waf-bot-access-control-rule-exception" {
+  site_id = "${incapsula_site.testacc-terraform-site.id}"
+  rule_id = "bad_rule_id"
+  client_app_types="DataScraper"
+  client_apps="488,123"
+  countries="JM"
+  continents="EU"
+  ips="1.2.3.6,1.2.3.7"
+  urls="/myurl"
+  user_agents="myUserAgent"
+}`,
+	)
+}
+
+func testAccCheckSecurityRuleExceptionInvalidParamsBots(t *testing.T) string {
+	return testAccCheckIncapsulaSiteConfigBasic(GenerateTestDomain(t)) + fmt.Sprintf("%s", `
+resource "incapsula_security_rule_exception" "example-waf-bot-access-control-rule-exception" {
+  site_id = "${incapsula_site.testacc-terraform-site.id}"
+  rule_id = "api.threats.bot_access_control"
+  client_app_types="DataScraper"
+  client_apps="488,123"
+  countries="JM"
+  continents="EU"
+  ips="1.2.3.6,1.2.3."
+  urls="/myurl"
+  user_agents="myUserAgent"
+}`,
+	)
+}
