Account export capability for ATO (#430)

* Adding account export capability for ATO - Introducing subb account level ATO allowlist fetching * Formatting logs to be consistent across the source code
imperva · Jun 13, 2024 · cbda1be · cbda1be
1 parent 875ef0a
commit cbda1be
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 10 deletions.
diff --git a/incapsula/client_ato_allowlist.go b/incapsula/client_ato_allowlist.go
@@ -164,6 +164,9 @@ func (c *Client) GetAtoSiteAllowlist(accountId, siteId int) (*ATOAllowlistDTO, i
 	} else {
 		reqURL = fmt.Sprintf("%s%s/%d%s?caid=%d", c.config.BaseURLAPI, endpointATOSiteBase, siteId, endpointAtoAllowlist, accountId)
 	}
+
+	log.Printf("[INFO] fetching ATO Allowlist for siteId: %d, accountId: %d, BaseURLAPI: %s, endpointATOSiteBase: %s, endpointAtoAllowlist: %s, reqURL: %s\n", siteId, accountId, c.config.BaseURLAPI, endpointATOSiteBase, endpointAtoAllowlist, reqURL)
+
 	resp, err := c.DoJsonRequestWithHeaders(http.MethodGet, reqURL, nil, ReadATOSiteAllowlistOperation)
 	if err != nil {
 		return nil, 0, fmt.Errorf("[Error] Error executing get ATO allowlist request for site with id %d: %s", siteId, err)

diff --git a/incapsula/resource_ato_endpoint_mitigation_configuration.go b/incapsula/resource_ato_endpoint_mitigation_configuration.go
@@ -30,7 +30,7 @@ func ATOEndpointMitigationConfiguration() *schema.Resource {
 				if err != nil {
 					return nil, fmt.Errorf("failed to convert site ID from import command, actual value: %s, expected numeric id", keyParts[1])
 				}
-				endpointId := keyParts[1]
+				endpointId := keyParts[2]
 
 				d.Set("account_id", accountId)
 				d.Set("site_id", siteId)

diff --git a/incapsula/resource_ato_site_allowlist.go b/incapsula/resource_ato_site_allowlist.go
@@ -6,6 +6,7 @@ import (
 	"log"
 	"net/http"
 	"strconv"
+	"strings"
 )
 
 func resourceATOSiteAllowlist() *schema.Resource {
@@ -16,10 +17,34 @@ func resourceATOSiteAllowlist() *schema.Resource {
 		Delete: resourceATOSiteAllowlistDelete,
 		Importer: &schema.ResourceImporter{
 			State: func(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+
+				// If this id is of form <account_id>/<site_id> extract the sub account Id as well
+				if strings.Contains(d.Id(), "/") {
+					keyParts := strings.Split(d.Id(), "/")
+					print("id is %s", d.Id())
+					if len(keyParts) != 2 {
+						return nil, fmt.Errorf("Error parsing ID, actual value: %s, expected 2 numeric IDs seperated by '/'\n", d.Id())
+					}
+					accountId, err := strconv.Atoi(keyParts[0])
+					if err != nil {
+						return nil, fmt.Errorf("[ERROR] failed to convert account ID from import command, actual value: %s, expected numeric id", keyParts[0])
+					}
+					siteId, err := strconv.Atoi(keyParts[1])
+					if err != nil {
+						return nil, fmt.Errorf("[ERROR] failed to convert site ID from import command, actual value: %s, expected numeric id", keyParts[1])
+					}
+
+					d.Set("account_id", accountId)
+					d.Set("site_id", siteId)
+					d.Set("id", d.Id())
+					log.Printf("[DEBUG] To Import ATO allowlsit configuration for account ID %d , site ID %d", accountId, siteId)
+					return []*schema.ResourceData{d}, nil
+				}
+
 				siteId, err := strconv.Atoi(d.Id())
 				err = d.Set("site_id", siteId)
 				if err != nil {
-					return nil, fmt.Errorf("failed to extract site ID from import command, actual value: %s, error : %s", d.Id(), err)
+					return nil, fmt.Errorf("[ERROR] failed to extract site ID from import command, actual value: %s, error : %s", d.Id(), err)
 				}
 				log.Printf("[DEBUG] Import ATO allowlist for site ID %d", siteId)
 				return []*schema.ResourceData{d}, nil

diff --git a/incapsula/resource_ato_site_allowlist_test.go b/incapsula/resource_ato_site_allowlist_test.go
@@ -47,7 +47,7 @@ func testCheckATOSiteAllowlistConfigExists(name string) resource.TestCheckFunc {
 		// Fetch the resource from the current state
 		res, ok := state.RootModule().Resources[name]
 		if !ok {
-			return fmt.Errorf("Incapsula ATO Site allowlist resource not found: %s", name)
+			return fmt.Errorf("[ERROR] incapsula ATO Site allowlist resource not found: %s", name)
 		}
 
 		// Extract accountId and siteId from teh terraform state
@@ -63,13 +63,13 @@ func testCheckATOSiteAllowlistConfigExists(name string) resource.TestCheckFunc {
 		var siteIdString = res.Primary.Attributes["site_id"]
 		siteId, err := strconv.Atoi(siteIdString)
 		if err != nil {
-			fmt.Errorf("failed to convert site ID from import command, actual value: %s, expected numeric ID", siteIdString)
+			return fmt.Errorf("[ERROR] failed to convert site ID from import command, actual value: %s, expected numeric ID", siteIdString)
 		}
 
 		client := testAccProvider.Meta().(*Client)
 		aTOAllowlistDTO, _, err := client.GetAtoSiteAllowlistWithRetries(accountId, siteId)
 		if err != nil {
-			return fmt.Errorf("Error in fetching ATO allowlist for site ID %d, Error : %s", siteId, err)
+			return fmt.Errorf("[ERROR] cannot fetch ATO allowlist for site ID %d, Error : %s", siteId, err)
 		}
 		if aTOAllowlistDTO == nil || aTOAllowlistDTO.Allowlist == nil {
 			return fmt.Errorf("ATO site allowlist is not present for site ID %d", siteId)
@@ -90,12 +90,12 @@ func testACCStateATOSiteAllowlistID(s *terraform.State) (string, error) {
 
 		if strings.Compare(schemaId, resourceId) != 0 {
 			// if newID != resourceID {
-			return "", fmt.Errorf("Incapsula ATO Site allowlist Config does not exist")
+			return "", fmt.Errorf("[ERROR] incapsula ATO Site allowlist Config does not exist")
 		}
 
 		return schemaId, nil
 	}
-	return "", fmt.Errorf("Error finding correct resource %s", atoSiteAllowlistConfigResource)
+	return "", fmt.Errorf("[ERROR] finding correct resource %s", atoSiteAllowlistConfigResource)
 }
 
 func testACCStateATOSiteAllowlistConfigDestroy(s *terraform.State) error {
@@ -131,10 +131,11 @@ func testACCStateATOSiteAllowlistConfigDestroy(s *terraform.State) error {
 func testAccCheckATOSiteAllowlistConfigBasic(t *testing.T) string {
 	return testAccCheckIncapsulaSiteConfigBasic(GenerateTestDomain(t)) + fmt.Sprintf(`
 	resource "%s" "%s" {
+		account_id          = %s.account_id
 		site_id             = %s.id
 		allowlist			= [ { "ip": "192.10.20.0", "mask": "24", "desc": "Test IP 1"}, { "ip": "192.10.20.1", "mask": "8", "desc": "Test IP 2" } ]
 		depends_on 			= ["%s"]
 	}`,
-		atoSiteAllowlistResourceType, atoSiteAllowlistResourceName, siteResourceName, siteResourceName,
+		atoSiteAllowlistResourceType, atoSiteAllowlistResourceName, siteResourceName, siteResourceName, siteResourceName,
 	)
 }
diff --git a/website/docs/r/resource_ato_site_allowlist.html.markdown b/website/docs/r/resource_ato_site_allowlist.html.markdown
@@ -41,8 +41,8 @@ The following arguments are supported:
 
 ## Import
 
-ATO Site allowlist configuration can be imported using the site_id 
+ATO Site allowlist configuration can be imported using the <account_id>/<site_id> 
 
 ```
-$ terraform import incapsula_ato_site_allowlist.demo-terraform-ato-site-allowlist 1234
+$ terraform import incapsula_ato_site_allowlist.demo-terraform-ato-site-allowlist 1234/4567
 ```