Add optional account id parameter to the site ssl settings resource to be able to read and update sub-account site settings (#424)

Author: Pavel-Koev

incapsula/client_site_ssl_settings.go

@@ -26,15 +26,15 @@ type TLSConfiguration struct {
 }
 
 type SSLSettingsDTO struct {
-	HstsConfiguration               HSTSConfiguration                `json:"hstsConfiguration"`
+	HstsConfiguration               *HSTSConfiguration               `json:"hstsConfiguration"`
 	InboundTLSSettingsConfiguration *InboundTLSSettingsConfiguration `json:"inboundTlsSettings,omitempty"`
 }
 
 type SSLSettingsResponse struct {
 	Data []SSLSettingsDTO `json:"data"`
 }
 
-func (c *Client) UpdateSiteSSLSettings(siteID int, mySSLSettings SSLSettingsResponse) (*SSLSettingsResponse, error) {
+func (c *Client) UpdateSiteSSLSettings(siteID int, accountID int, mySSLSettings SSLSettingsResponse) (*SSLSettingsResponse, error) {
 	log.Printf("[INFO] Updating Incapsula Site SSL settings for Site ID %d\n", siteID)
 
 	requestJSON, err := json.Marshal(mySSLSettings)
@@ -44,6 +44,9 @@ func (c *Client) UpdateSiteSSLSettings(siteID int, mySSLSettings SSLSettingsResp
 
 	// Patch request to Incapsula
 	reqURL := fmt.Sprintf("%s/sites-mgmt/v3/sites/%d/settings/TLSConfiguration", c.config.BaseURLAPI, siteID)
+	if accountID != 0 {
+		reqURL = fmt.Sprintf("%s?caid=%d", reqURL, accountID)
+	}
 	log.Printf("[INFO] SSL Settings request json looks like this %s\n", requestJSON)
 	log.Printf("[INFO] SSL Settings request URL looks like this %s\n", reqURL)
 	resp, err := c.DoJsonRequestWithHeaders(http.MethodPatch, reqURL, requestJSON, UpdateSiteSSLSettings)
@@ -73,11 +76,15 @@ func (c *Client) UpdateSiteSSLSettings(siteID int, mySSLSettings SSLSettingsResp
 	return &sslSettingsResponse, nil
 }
 
-func (c *Client) ReadSiteSSLSettings(siteID int) (*SSLSettingsResponse, int, error) {
+func (c *Client) ReadSiteSSLSettings(siteID int, accountID int) (*SSLSettingsResponse, int, error) {
 	log.Printf("[INFO] Getting Incapsula Incap SSL settings for Site ID %d\n", siteID)
 
 	// Get form to Incapsula
 	reqURL := fmt.Sprintf("%s/sites-mgmt/v3/sites/%d/settings/TLSConfiguration", c.config.BaseURLAPI, siteID)
+	if accountID != 0 {
+		reqURL = fmt.Sprintf("%s?caid=%d", reqURL, accountID)
+	}
+	log.Printf("[INFO] SSL Settings request URL looks like this %s\n", reqURL)
 	resp, err := c.DoJsonRequestWithHeaders(http.MethodGet, reqURL, nil, ReadSiteSSLSettings)
 	if err != nil {
 		return nil, 0, fmt.Errorf("error from Incapsula service when reading SSL Settings for Site ID %d: %s", siteID, err)

incapsula/client_site_ssl_settings_test.go

@@ -16,7 +16,7 @@ func TestUpdateSiteSSLSettingsHandleBadConnection(t *testing.T) {
 	sslSettingsDTO := getUpdateSiteSSLSettingsDTO()
 
 	// act
-	var res, err = client.UpdateSiteSSLSettings(123, sslSettingsDTO)
+	var res, err = client.UpdateSiteSSLSettings(123, 1234, sslSettingsDTO)
 
 	// assert
 	if err == nil {
@@ -33,6 +33,7 @@ func TestUpdateSiteSSLSettingsHandleResponseCodeNotSuccess(t *testing.T) {
 	apiID := "foo"
 	apiKey := "bar"
 	siteID := 42
+	accountID := 1234
 
 	endpoint := fmt.Sprintf("/sites-mgmt/v3/sites/%d/settings/TLSConfiguration", siteID)
 
@@ -53,7 +54,7 @@ func TestUpdateSiteSSLSettingsHandleResponseCodeNotSuccess(t *testing.T) {
 	var dto = getUpdateSiteSSLSettingsDTO()
 
 	// act
-	_, err := client.UpdateSiteSSLSettings(siteID, dto)
+	_, err := client.UpdateSiteSSLSettings(siteID, accountID, dto)
 
 	// assert
 	if err == nil {
@@ -70,6 +71,7 @@ func TestUpdateSiteSSLSettingsHandleInvalidResponseBody(t *testing.T) {
 	apiID := "foo"
 	apiKey := "bar"
 	siteID := 42
+	accountID := 1234
 
 	endpoint := fmt.Sprintf("/sites-mgmt/v3/sites/%d/settings/TLSConfiguration", siteID)
 	server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
@@ -90,7 +92,7 @@ func TestUpdateSiteSSLSettingsHandleInvalidResponseBody(t *testing.T) {
 	var dto = getUpdateSiteSSLSettingsDTO()
 
 	// act
-	_, err := client.UpdateSiteSSLSettings(siteID, dto)
+	_, err := client.UpdateSiteSSLSettings(siteID, accountID, dto)
 
 	// assert
 	if err == nil {
@@ -107,6 +109,7 @@ func TestUpdateSiteSSLSettingsSuccess(t *testing.T) {
 	apiID := "foo"
 	apiKey := "bar"
 	siteID := 42
+	accountID := 1234
 
 	validResponse := getValidJSONResponse()
 
@@ -127,7 +130,7 @@ func TestUpdateSiteSSLSettingsSuccess(t *testing.T) {
 	var dto = getUpdateSiteSSLSettingsDTO()
 
 	// act
-	_, err := client.UpdateSiteSSLSettings(siteID, dto)
+	_, err := client.UpdateSiteSSLSettings(siteID, accountID, dto)
 
 	// assert
 	if err != nil {
@@ -141,7 +144,7 @@ func TestReadSiteSSLSettingsHandleRequestError(t *testing.T) {
 	client := &Client{config: config, httpClient: &http.Client{Timeout: time.Millisecond * 1}}
 
 	// act
-	var res, statusCode, err = client.ReadSiteSSLSettings(123)
+	var res, statusCode, err = client.ReadSiteSSLSettings(123, 1234)
 
 	// assert
 	if err == nil {
@@ -162,6 +165,7 @@ func TestReadSiteSSLSettingsHandleResponseCodeNotSuccess(t *testing.T) {
 	apiID := "foo"
 	apiKey := "bar"
 	siteID := 42
+	accountID := 1234
 
 	endpoint := fmt.Sprintf("/sites-mgmt/v3/sites/%d/settings/TLSConfiguration", siteID)
 
@@ -181,7 +185,7 @@ func TestReadSiteSSLSettingsHandleResponseCodeNotSuccess(t *testing.T) {
 	client := &Client{config: config, httpClient: &http.Client{}}
 
 	// act
-	_, statusCode, err := client.ReadSiteSSLSettings(siteID)
+	_, statusCode, err := client.ReadSiteSSLSettings(siteID, accountID)
 
 	// assert
 	if err == nil {
@@ -198,6 +202,7 @@ func TestReadSiteSSLSettingsHandleInvalidResponseBody(t *testing.T) {
 	apiID := "foo"
 	apiKey := "bar"
 	siteID := 42
+	accountID := 1234
 
 	endpoint := fmt.Sprintf("/sites-mgmt/v3/sites/%d/settings/TLSConfiguration", siteID)
 	server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
@@ -217,7 +222,7 @@ func TestReadSiteSSLSettingsHandleInvalidResponseBody(t *testing.T) {
 	client := &Client{config: config, httpClient: &http.Client{}}
 
 	// act
-	_, _, err := client.ReadSiteSSLSettings(siteID)
+	_, _, err := client.ReadSiteSSLSettings(siteID, accountID)
 
 	// assert
 	if err == nil {
@@ -234,6 +239,7 @@ func TestReadSiteSSLSettingsSuccess(t *testing.T) {
 	apiID := "foo"
 	apiKey := "bar"
 	siteID := 42
+	accountID := 1234
 
 	var validResponse = getValidJSONResponse()
 
@@ -253,7 +259,7 @@ func TestReadSiteSSLSettingsSuccess(t *testing.T) {
 	client := &Client{config: config, httpClient: &http.Client{}}
 
 	// act
-	_, statusCode, err := client.ReadSiteSSLSettings(siteID)
+	_, statusCode, err := client.ReadSiteSSLSettings(siteID, accountID)
 
 	// assert
 	if err != nil {
@@ -269,7 +275,7 @@ func getUpdateSiteSSLSettingsDTO() SSLSettingsResponse {
 	var sslSettingsDTO = SSLSettingsResponse{
 		Data: []SSLSettingsDTO{
 			{
-				HstsConfiguration: HSTSConfiguration{
+				HstsConfiguration: &HSTSConfiguration{
 					PreLoaded:          true,
 					MaxAge:             1237,
 					SubDomainsIncluded: true,

incapsula/resource_site_ssl_settings.go

@@ -5,6 +5,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"log"
 	"strconv"
+	"strings"
 )
 
 var hstsConfigResource = schema.Resource{
@@ -69,13 +70,32 @@ func resourceSiteSSLSettings() *schema.Resource {
 		Delete: resourceSiteSSLSettingsDelete,
 		Importer: &schema.ResourceImporter{
 			State: func(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
-				siteID, err := strconv.Atoi(d.Id())
-				if err != nil {
-					fmt.Errorf("failed to convert Site Id from import command, actual value: %s, expected numeric id", d.Id())
+				idSlice := strings.Split(d.Id(), "/")
+				log.Printf("[DEBUG] Starting to import site ssl settings. Parameters: %s\n", d.Id())
+
+				if len(idSlice) > 2 || idSlice[0] == "" {
+					return nil, fmt.Errorf("unexpected format of ID (%q), expected site_id or site_id/account_id", d.Id())
 				}
 
+				siteID, err := strconv.Atoi(idSlice[0])
+				if err != nil {
+					fmt.Errorf("failed to convert Site Id from import command, actual value: %s, expected numeric id", idSlice[0])
+				}
 				d.Set("site_id", siteID)
-				log.Printf("[DEBUG] Import  Site Config JSON for Site ID %d", siteID)
+
+				if len(idSlice) == 2 {
+					if idSlice[1] == "" {
+						return nil, fmt.Errorf("unexpected format of ID (%q), expected site_id or site_id/account_id", d.Id())
+					}
+
+					accountID, err := strconv.Atoi(idSlice[1])
+					if err != nil {
+						fmt.Errorf("failed to convert Account Id from import command, actual value: %s, expected numeric id", idSlice[1])
+					}
+					d.Set("account_id", accountID)
+				}
+
+				log.Printf("[DEBUG] Import Site ssl settings for Site ID %d", siteID)
 				return []*schema.ResourceData{d}, nil
 			},
 		},
@@ -87,6 +107,11 @@ func resourceSiteSSLSettings() *schema.Resource {
 				Required:    true,
 				ForceNew:    true,
 			},
+			"account_id": {
+				Description: "Numeric identifier of the account in which the site is located",
+				Type:        schema.TypeInt,
+				Optional:    true,
+			},
 			"hsts": {
 				Type:     schema.TypeSet,
 				Optional: true,
@@ -108,7 +133,7 @@ func resourceSiteSSLSettingsUpdate(d *schema.ResourceData, m interface{}) error
 
 	setting := getSSLSettingsDTO(d)
 
-	_, err := client.UpdateSiteSSLSettings(d.Get("site_id").(int), setting)
+	_, err := client.UpdateSiteSSLSettings(d.Get("site_id").(int), d.Get("account_id").(int), setting)
 
 	if err != nil {
 		return err
@@ -120,7 +145,7 @@ func resourceSiteSSLSettingsUpdate(d *schema.ResourceData, m interface{}) error
 func resourceSiteSSLSettingsRead(d *schema.ResourceData, m interface{}) error {
 	client := m.(*Client)
 
-	settingsData, statusCode, err := client.ReadSiteSSLSettings(d.Get("site_id").(int))
+	settingsData, statusCode, err := client.ReadSiteSSLSettings(d.Get("site_id").(int), d.Get("account_id").(int))
 	if statusCode == 404 {
 		d.SetId("")
 		return nil
@@ -150,7 +175,7 @@ func resourceSiteSSLSettingsDelete(d *schema.ResourceData, m interface{}) error
 	// If more settings are implemented in the endpoint, add delete logic for them here.
 	setting := prepareDisableHSTSStructure()
 	prepareDefaultTLSStructure(&setting)
-	var _, err = client.UpdateSiteSSLSettings(d.Get("site_id").(int), setting)
+	var _, err = client.UpdateSiteSSLSettings(d.Get("site_id").(int), d.Get("account_id").(int), setting)
 
 	if err != nil {
 		return err
@@ -160,7 +185,7 @@ func resourceSiteSSLSettingsDelete(d *schema.ResourceData, m interface{}) error
 }
 
 func prepareDisableHSTSStructure() SSLSettingsResponse {
-	disableHSTSSetting := HSTSConfiguration{
+	disableHSTSSetting := &HSTSConfiguration{
 		IsEnabled: false,
 	}
 
@@ -185,7 +210,7 @@ func prepareDefaultTLSStructure(settingsData *SSLSettingsResponse) {
 
 func mapHSTSResponseToHSTSResource(d *schema.ResourceData, settingsData *SSLSettingsResponse) {
 	// handle HSTS remote configuration mapping
-	var hstsSettingsFromServer HSTSConfiguration
+	var hstsSettingsFromServer *HSTSConfiguration
 	hstsSettingsFromServer = settingsData.Data[0].HstsConfiguration
 	// Get the "hsts" attribute from the resource data
 	// Create a map to hold the values for the "hsts" nested object
@@ -202,12 +227,15 @@ func mapHSTSResponseToHSTSResource(d *schema.ResourceData, settingsData *SSLSett
 	// END HSTS mapping
 }
 
-func mapHSTSResourceToHSTSDTO(d *schema.ResourceData) HSTSConfiguration {
-	hsts := d.Get("hsts").(*schema.Set)
+func mapHSTSResourceToHSTSDTO(d *schema.ResourceData) *HSTSConfiguration {
+	hsts, ok := d.Get("hsts").(*schema.Set)
+	if !ok || hsts.Len() == 0 {
+		return nil
+	}
 	hstsList := hsts.List()
 	hstsMap := hstsList[0].(map[string]interface{})
 
-	return HSTSConfiguration{
+	return &HSTSConfiguration{
 		IsEnabled:          hstsMap["is_enabled"].(bool),
 		MaxAge:             hstsMap["max_age"].(int),
 		PreLoaded:          hstsMap["pre_loaded"].(bool),

website/docs/r/site_ssl_settings.html.markdown

@@ -26,22 +26,30 @@ If you run the SSL settings resource from a site for which SSL is not yet enable
 resource "incapsula_site_ssl_settings" "example"  {
   site_id = incapsula_site.mysite.id
   
-  hsts {
-    is_enabled = true
-    max_age = 86400
-    sub_domains_included = true
-    pre_loaded = false
+  hsts { 
+    is_enabled               = true
+    max_age                  = 31536000
+    sub_domains_included     = false
+    pre_loaded               = false
   }
-  inbound_tls_settings { 
-    configuration_profile     = "CUSTOM"
 
-    tls_configuration { 
-      tls_version             = "TLS_1_2"
-      ciphers_support         = ["TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384"]
+  inbound_tls_settings {
+    configuration_profile = "CUSTOM"
+
+    tls_configuration {
+      tls_version     = "TLS_1_2"
+      ciphers_support = [
+          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        ]
     }
-    tls_configuration { 
-      tls_version             = "TLS_1_3"
-      ciphers_support         = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
+    tls_configuration {
+      tls_version     = "TLS_1_3"
+      ciphers_support = [
+        "TLS_AES_128_GCM_SHA256",
+        "TLS_CHACHA20_POLY1305_SHA256",
+        "TLS_AES_256_GCM_SHA384",
+      ]
     }
   }
 }
@@ -99,9 +107,10 @@ The following attributes are exported:
 
 ## Import
 
-Site SSL settings can be imported using the `id`:
+Site SSL settings can be imported using the `siteId` or `siteId`/`accountId` for sub-accounts:
 ```
 terraform import incapsula_site_ssl_settings.example 1234
+terraform import incapsula_site_ssl_settings.example 1234/4321
 ```