MEDIUM: site: add attack_threshold+immediate_block (#210)

* MEDIUM: site: add attack_threshold+immediate_block

This commit brings in the latest improvements that are in go-sigsci
0.1.19 (to be released), which allows for updating the attack thresholds
and/or setting the immediate block functionality.

attack_threshold can be set multiple times each for the various
intervals: 1, 10, 60 (in minutes).

immediate_block is a bool, which will instruct the WAF to immediately
block requests with attack signals.

This commit depends on go-sigsci#59 as well as a new version being
issued.

* update go-sigsci

* tidy

* test workflow update

* test workflow update

* test workflow update

* test workflow update

.github/workflows/tf.yml

@@ -2,13 +2,19 @@ name: Terraform init and validate
 
 on: [push, pull_request]
 
+env:
+ BRANCH_NAME: ${{ github.head_ref || github.ref_name }} 
+
 jobs:
   tf:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
     - uses: hashicorp/setup-terraform@v2
 
+    - name: Terraform build 
+      run: make build 
+
     - name: Terraform fmt
       run: terraform fmt -check
 
@@ -17,3 +23,5 @@ jobs:
 
     - name: Terraform Validate
       run: terraform validate -no-color
+      env:
+        TF_CLI_CONFIG_FILE: bin/developer_overrides.tfrc

docs/resources/site.md

@@ -34,15 +34,25 @@ resource "sigsci_site" "my-site" {
 
 - `agent_anon_mode` (String) Agent IP anonymization mode - "" (empty string) or 'EU'
 - `agent_level` (String) Agent action level - 'block', 'log' or 'off'
+- `attack_threshold` (Block Set) List entries (see [below for nested schema](#nestedblock--attack_threshold))
 - `block_duration_seconds` (Number) Duration to block an IP in seconds
 - `block_http_code` (Number) HTTP response code to send when traffic is being blocked
 - `block_redirect_url` (String) URL to redirect to when blocking with a '301' or '302' HTTP status code
+- `immediate_block` (Boolean) Immediately block requests that contain attack signals
 
 ### Read-Only
 
 - `id` (String) The ID of this resource.
 - `primary_agent_key` (Map of String, Sensitive) The sites primary Agent key
 
+<a id="nestedblock--attack_threshold"></a>
+### Nested Schema for `attack_threshold`
+
+Required:
+
+- `interval` (Number)
+- `threshold` (Number)
+
 ## Import
 
 Import is supported using the following syntax:

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1
 	github.com/hashicorp/terraform-plugin-docs v0.14.1
 	github.com/hashicorp/terraform-plugin-sdk v1.14.0
-	github.com/signalsciences/go-sigsci v0.1.18
+	github.com/signalsciences/go-sigsci v0.1.19
 	golang.org/x/lint v0.0.0-20190409202823-959b441ac422
 	honnef.co/go/tools v0.4.2
 )

go.sum

@@ -257,10 +257,8 @@ github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
 github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
-github.com/signalsciences/go-sigsci v0.1.16 h1:4Z6kwgSyo0gPLRLv+/gsaeq+CeGuE/AhENOR2aANnm4=
-github.com/signalsciences/go-sigsci v0.1.16/go.mod h1:CXwoXk81ZwFdne6o8cnAYwxvke5kcLg7zE6Bl/e1KUo=
-github.com/signalsciences/go-sigsci v0.1.18 h1:CIxtFXJ97jWW5x8Di+gc5lnF1eXM9HH0RT0u/1e98TQ=
-github.com/signalsciences/go-sigsci v0.1.18/go.mod h1:CXwoXk81ZwFdne6o8cnAYwxvke5kcLg7zE6Bl/e1KUo=
+github.com/signalsciences/go-sigsci v0.1.19 h1:PV826ftNXvVjV+VW2kQegCWcK+sQ5FUlJvPlifcOyNk=
+github.com/signalsciences/go-sigsci v0.1.19/go.mod h1:CXwoXk81ZwFdne6o8cnAYwxvke5kcLg7zE6Bl/e1KUo=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/spf13/afero v1.2.2 h1:5jhuqJyZCZf2JRofRvN/nIFgIWNzPa3/Vz8mYylgbWc=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=

main.tf

@@ -25,6 +25,19 @@ resource "sigsci_site" "my-site" {
   block_duration_seconds = 86400
   agent_anon_mode        = ""
   agent_level            = "block"
+  immediate_block        = false
+  attack_threshold {
+    interval  = 1
+    threshold = 25
+  }
+  attack_threshold {
+    interval  = 10
+    threshold = 150
+  }
+  attack_threshold {
+    interval  = 60
+    threshold = 900
+  }
 }
 
 resource "sigsci_corp_list" "test" {

provider/lib.go

@@ -438,6 +438,34 @@ func expandRuleActions(actionsResource *schema.Set) []sigsci.Action {
 	return actions
 }
 
+func expandAttackThresholds(attackThresholdsResource *schema.Set) []sigsci.AttackThreshold {
+	var err error
+	var threshold, interval int
+	var attackThresholds []sigsci.AttackThreshold
+	for _, value := range attackThresholdsResource.List() {
+		castV := value.(map[string]interface{})
+		if val, ok := castV["threshold"]; ok {
+			threshold = val.(int)
+			if err != nil {
+				return nil
+			}
+			if val, ok := castV["interval"]; ok {
+				interval = val.(int)
+				if err != nil {
+					return nil
+				}
+			}
+			a := sigsci.AttackThreshold{
+				Threshold: threshold,
+				Interval:  interval,
+			}
+			attackThresholds = append(attackThresholds, a)
+		}
+	}
+
+	return attackThresholds
+}
+
 func expandRuleRateLimit(rateLimitResource map[string]interface{}) *sigsci.RateLimit {
 	var threshold, interval, duration int
 	var err error

provider/resource_site.go

@@ -42,6 +42,25 @@ func resourceSite() *schema.Resource {
 				Optional:    true,
 				Default:     "",
 			},
+			"attack_threshold": {
+				Type:        schema.TypeSet,
+				Description: "List entries",
+				Required:    false,
+				Optional:    true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"interval": {
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+
+						"threshold": {
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+					},
+				},
+			},
 			"block_duration_seconds": { // Has issues on create -- will always be default, will update just fine to the correct value
 				Type:        schema.TypeInt,
 				Description: "Duration to block an IP in seconds",
@@ -59,6 +78,11 @@ func resourceSite() *schema.Resource {
 				Description: "URL to redirect to when blocking with a '301' or '302' HTTP status code",
 				Optional:    true,
 			},
+			"immediate_block": {
+				Type:        schema.TypeBool,
+				Description: "Immediately block requests that contain attack signals",
+				Optional:    true,
+			},
 			"primary_agent_key": {
 				Type:        schema.TypeMap,
 				Description: "The sites primary Agent key",
@@ -93,11 +117,12 @@ func createSite(d *schema.ResourceData, m interface{}) error {
 		DisplayName:          d.Get("display_name").(string),
 		AgentLevel:           d.Get("agent_level").(string),
 		AgentAnonMode:        d.Get("agent_anon_mode").(string),
+		AttackThresholds:     expandAttackThresholds(d.Get("attack_threshold").(*schema.Set)),
 		BlockHTTPCode:        d.Get("block_http_code").(int),
 		BlockDurationSeconds: d.Get("block_duration_seconds").(int),
 		BlockRedirectURL:     d.Get("block_redirect_url").(string),
+		ImmediateBlock:       d.Get("immediate_block").(bool),
 	})
-
 	if err != nil {
 		return err
 	}
@@ -154,6 +179,11 @@ func readSite(d *schema.ResourceData, m interface{}) error {
 		return err
 	}
 
+	err = d.Set("immediate_block", site.ImmediateBlock)
+	if err != nil {
+		return err
+	}
+
 	primaryAgentKey, err := sc.GetSitePrimaryAgentKey(corp, sitename)
 	if err != nil {
 		return err
@@ -174,10 +204,12 @@ func updateSite(d *schema.ResourceData, m interface{}) error {
 	_, err := sc.UpdateSite(corp, site, sigsci.UpdateSiteBody{
 		DisplayName:          d.Get("display_name").(string),
 		AgentLevel:           d.Get("agent_level").(string),
+		AttackThresholds:     expandAttackThresholds(d.Get("attack_threshold").(*schema.Set)),
 		BlockDurationSeconds: d.Get("block_duration_seconds").(int),
 		BlockHTTPCode:        d.Get("block_http_code").(int),
 		BlockRedirectURL:     d.Get("block_redirect_url").(string),
 		AgentAnonMode:        d.Get("agent_anon_mode").(string),
+		ImmediateBlock:       d.Get("immediate_block").(bool),
 	})
 	if err != nil {
 		return err