From 34b21ef183a350b869d03c8208f45b225e0218c1 Mon Sep 17 00:00:00 2001
From: SevenEarth <391613297@qq.com>
Date: Tue, 25 Mar 2025 10:36:34 +0800
Subject: [PATCH 1/7] add

---
 go.mod | 4 +-
 go.sum | 4 +
 tencentcloud/provider.go | 1 +
 tencentcloud/provider.md | 1 +
 .../teo/resource_tc_teo_security_policy.go | 1136 +++++++++++++++++
 .../teo/resource_tc_teo_security_policy.md | 166 +++
 .../resource_tc_teo_security_policy_test.go | 183 +++
 .../services/teo/service_tencentcloud_teo.go | 40 +
 .../tencentcloud/common/http/request.go | 2 +-
 .../tencentcloud/teo/v20220901/client.go | 140 +-
 .../tencentcloud/teo/v20220901/errors.go | 3 +
 .../tencentcloud/teo/v20220901/models.go | 474 ++++++-
 vendor/modules.txt | 4 +-
 .../docs/r/teo_security_policy.html.markdown | 292 +++++
 website/tencentcloud.erb | 4 +
 15 files changed, 2375 insertions(+), 79 deletions(-)
 create mode 100644 tencentcloud/services/teo/resource_tc_teo_security_policy.go
 create mode 100644 tencentcloud/services/teo/resource_tc_teo_security_policy.md
 create mode 100644 tencentcloud/services/teo/resource_tc_teo_security_policy_test.go
 create mode 100644 website/docs/r/teo_security_policy.html.markdown

diff --git a/go.mod b/go.mod
index 0777c3944b..92a4c96261 100644
--- a/go.mod
+++ b/go.mod
@@ -46,7 +46,7 @@ require (
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/clb v1.0.1107
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cloudaudit v1.0.1033
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cls v1.0.1078
- github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1128
+ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1129
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cvm v1.0.1128
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cwp v1.0.762
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cynosdb v1.0.1111
@@ -90,7 +90,7 @@ require (
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tdcpg v1.0.533
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tdmq v1.0.955
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tem v1.0.578
- github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1108
+ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1129
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tke v1.0.1038
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/trocket v1.0.947
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tse v1.0.857
diff --git a/go.sum b/go.sum
index 587d8f0b0c..ab163961b4 100644
--- a/go.sum
+++ b/go.sum
@@ -937,6 +937,8 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1126 h1:HHW
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1126/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1128 h1:NGnqDc8FQL0YdiCHgTO4Wkso6ToD8rE3JW9VOzoPBNA=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1128/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1129 h1:T9WMHYVasPNH3zcDNoaLL+9jUk04PcOZznDvJ6Dykr8=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1129/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/controlcenter v1.0.993 h1:WlPgXldQCxt7qi5Xrc6j6zTrsXWzN5BcOGs7Irq7fwQ=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/controlcenter v1.0.993/go.mod h1:Z9U8zNtyuyKhjS0698wqsrG/kLx1TQ5CEixXBwVe7xY=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/csip v1.0.860 h1:F3esKBIT3HW9+7Gt8cVgf8X06VdGIczpgLBUECzSEzU=
@@ -1039,6 +1041,8 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tem v1.0.578 h1:vBpQhUr
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tem v1.0.578/go.mod h1:UlojGQh/9wb7/uXPNi7PvMral1CNAskVDNgqJEV83l0=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1108 h1:IjBfssGmmqK9VVwQKhETRWoOowRqytnLdeYADiFy1Bk=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1108/go.mod h1:yzldBIX7obRjbGohIb78bKNKvnDIoki2jJROQd5Rdb0=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1129 h1:9zrLWqS6sQ7YHjyrRGKexB5s7MkmlaAjME+Gsjw0FXo=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1129/go.mod h1:Upcwa9By8gGR8qNLEiAetIKGbe4LmZbtXw0muPWXYc8=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/thpc v1.0.998 h1:f4/n0dVKQTD06xJ84B5asHViNJHrZmGojdAWEPIsITM=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/thpc v1.0.998/go.mod h1:fyi/HUwCwVe2NCCCjz8k/C5GwPu3QazCZO+OBJ3MhLk=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tke v1.0.1038 h1:tmK0aSj8zJrTx7aubJR8DBvtySj1uO8UdFANUDFtbmo=
diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go
index 69ba053d21..2a4f0d6d7a 100644
--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -1794,6 +1794,7 @@ func Provider() *schema.Provider {
 "tencentcloud_teo_function_rule": teo.ResourceTencentCloudTeoFunctionRule(),
 "tencentcloud_teo_function_rule_priority": teo.ResourceTencentCloudTeoFunctionRulePriority(),
 "tencentcloud_teo_function_runtime_environment": teo.ResourceTencentCloudTeoFunctionRuntimeEnvironment(),
+ "tencentcloud_teo_security_policy": teo.ResourceTencentCloudTeoSecurityPolicy(),
 "tencentcloud_tcm_mesh": tcm.ResourceTencentCloudTcmMesh(),
 "tencentcloud_tcm_cluster_attachment": tcm.ResourceTencentCloudTcmClusterAttachment(),
 "tencentcloud_tcm_prometheus_attachment": tcm.ResourceTencentCloudTcmPrometheusAttachment(),
diff --git a/tencentcloud/provider.md b/tencentcloud/provider.md index 6c655d035d..6572b6b5bc 100644 --- a/tencentcloud/provider.md +++ b/tencentcloud/provider.md @@ -1493,6 +1493,7 @@ tencentcloud_teo_function_runtime_environment tencentcloud_teo_l7_acc_rule tencentcloud_teo_l7_acc_setting tencentcloud_teo_security_ip_group +tencentcloud_teo_security_policy TencentCloud ServiceMesh(TCM) Data Source diff --git a/tencentcloud/services/teo/resource_tc_teo_security_policy.go b/tencentcloud/services/teo/resource_tc_teo_security_policy.go new file mode 100644 index 0000000000..7965870294 --- /dev/null +++ b/tencentcloud/services/teo/resource_tc_teo_security_policy.go 
@@ -0,0 +1,1136 @@ +package teo + +import ( + "context" + "fmt" + "log" + "strings" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + teov20220901 "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901" + + tccommon "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/common" + "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/internal/helper" +) + +func ResourceTencentCloudTeoSecurityPolicy() *schema.Resource { + return &schema.Resource{ + Create: resourceTencentCloudTeoSecurityPolicyCreate, + Read: resourceTencentCloudTeoSecurityPolicyRead, + Update: resourceTencentCloudTeoSecurityPolicyUpdate, + Delete: resourceTencentCloudTeoSecurityPolicyDelete, + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, + Schema: map[string]*schema.Schema{ + "zone_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: "Zone ID.", + }, + + "security_policy": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Security policy configuration. it is recommended to use for custom policies and managed rule configurations of Web protection. it supports configuring security policies with expression grammar.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "custom_rules": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Custom rule configuration.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "rules": { + Type: schema.TypeList, + Optional: true, + Description: "List of custom rule definitions.
when modifying the Web protection configuration using ModifySecurityPolicy:
- if the Rules parameter is not specified or the parameter length of Rules is zero: clear all custom rule configurations.
- if the parameter value of CustomRules in the SecurityPolicy parameter is not specified: keep the existing custom rule configuration without modification.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Required: true, + Description: "The name of the custom rule.", + }, + "condition": { + Type: schema.TypeString, + Required: true, + Description: "The specific content of the custom rule must comply with the expression grammar. please refer to the product document for detailed specifications.", + }, + "action": { + Type: schema.TypeList, + Required: true, + MaxItems: 1, + Description: "Execution actions for custom rules. the Name parameter value of SecurityAction supports:
  • Deny: block;
  • Monitor: observe;
  • ReturnCustomPage: block using a specified page;
  • Redirect: Redirect to URL;
  • BlockIP: IP blocking;
  • JSChallenge: JavaScript challenge;
  • ManagedChallenge: managed challenge;
  • Allow: Allow.
  • .", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Required: true, + Description: "Specific actions for safe execution. valid values:.\n
  • Deny: block
  • Monitor: Monitor
  • ReturnCustomPage: use specified page to block
  • Redirect: Redirect to URL
  • BlockIP: IP block
  • JSChallenge: JavaScript challenge
  • ManagedChallenge: managed challenge
  • Disabled: Disabled
  • Allow: Allow
  • .", + }, + "block_ip_action_parameters": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Additional parameter when Name is BlockIP.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "duration": { + Type: schema.TypeString, + Required: true, + Description: "Penalty duration for blocking ips. supported units:
  • s: second, value range 1-120;
  • m: minute, value range 1-120;
  • h: hour, value range 1-48.
  • .", + }, + }, + }, + }, + "return_custom_page_action_parameters": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Additional parameter when Name is ReturnCustomPage.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "response_code": { + Type: schema.TypeString, + Required: true, + Description: "Response status code.", + }, + "error_page_id": { + Type: schema.TypeString, + Required: true, + Description: "Response custom page ID.", + }, + }, + }, + }, + "redirect_action_parameters": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Additional parameter when Name is Redirect.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "url": { + Type: schema.TypeString, + Required: true, + Description: "Redirect URL.", + }, + }, + }, + }, + }, + }, + }, + "enabled": { + Type: schema.TypeString, + Required: true, + Description: "Indicates whether the custom rule is enabled. valid values:
  • on: enabled
  • off: disabled
  • .", + }, + "id": { + Type: schema.TypeString, + Optional: true, + Description: "The ID of a custom rule.
    the rule ID supports different rule configuration operations:
    - add a new rule: ID is empty or the ID parameter is not specified;
    - modify an existing rule: specify the rule ID that needs to be updated/modified;
    - delete an existing rule: existing Rules not included in the Rules list of the CustomRules parameter will be deleted.", + }, + "rule_type": { + Type: schema.TypeString, + Optional: true, + Description: "Type of custom rule. valid values:
  • BasicAccessRule: basic access control;
  • PreciseMatchRule: exact matching rule, default;
  • ManagedAccessRule: expert customized rule, for output only.
  • the default value is PreciseMatchRule.", + }, + "priority": { + Type: schema.TypeInt, + Optional: true, + Description: "Customizes the priority of rules. value range: 0-100. it defaults to 0. only supports PreciseMatchRule.", + }, + }, + }, + }, + }, + }, + }, + "managed_rules": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Managed rule configuration.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "enabled": { + Type: schema.TypeString, + Required: true, + Description: "Indicates whether the managed rule is enabled. valid values:
  • on: enabled. all managed rules take effect as configured;
  • off: disabled. all managed rules do not take effect.
  • .", + }, + "detection_only": { + Type: schema.TypeString, + Required: true, + Description: "Indicates whether the evaluation mode is Enabled. it is valid only when the Enabled parameter is set to on. valid values:
  • on: Enabled. all managed rules take effect in observation mode.
  • off: disabled. all managed rules take effect according to the actual configuration.
  • .", + }, + "semantic_analysis": { + Type: schema.TypeString, + Optional: true, + Description: "Whether the managed rule semantic analysis option is Enabled is valid only when the Enabled parameter is on. valid values:
  • on: enable. perform semantic analysis on requests before processing them;
  • off: disable. process requests directly without semantic analysis.

  • default off.", + }, + "auto_update": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Managed rule automatic update option.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "auto_update_to_latest_version": { + Type: schema.TypeString, + Required: true, + Description: "Indicates whether to enable automatic update to the latest version. valid values:
  • on: enabled
  • off: disabled
  • .", + }, + "ruleset_version": { + Type: schema.TypeString, + Optional: true, + Description: "The currently used version, in the format compliant with ISO 8601 standard, such as 2023-12-21T12:00:32Z. it is empty by default and is only an output parameter.", + }, + }, + }, + }, + "managed_rule_groups": { + Type: schema.TypeList, + Optional: true, + Description: "Configuration of the managed rule group. if this structure is passed as an empty array or the GroupId is not included in the list, it will be processed based on the default method.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "group_id": { + Type: schema.TypeString, + Required: true, + Description: "Group name of the managed rule. if the rule group for the configuration is not specified, it will be processed based on the default configuration. refer to product documentation for the specific value of GroupId.", + }, + "sensitivity_level": { + Type: schema.TypeString, + Required: true, + Description: "Protection level of the managed rule group. valid values:
  • loose: lenient, only contains ultra-high risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • normal: normal, contains ultra-high risk and high-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • strict: strict, contains ultra-high risk, high-risk and medium-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • extreme: super strict, contains ultra-high risk, high-risk, medium-risk and low-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • custom: custom, refined strategy. configure the disposal method for each individual rule. at this point, the Action field is invalid. use RuleActions to configure the refined strategy for each individual rule.
  • .", + }, + "action": { + Type: schema.TypeList, + Required: true, + MaxItems: 1, + Description: "Handling actions for managed rule groups. the Name parameter value of SecurityAction supports:
  • Deny: block and respond with an interception page;
  • Monitor: observe, do not process requests and record security events in logs;
  • Disabled: not enabled, do not scan requests and skip this rule.
  • .", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Required: true, + Description: "Specific actions for safe execution. valid values:.\n
  • Deny: block
  • Monitor: Monitor
  • ReturnCustomPage: use specified page to block
  • Redirect: Redirect to URL
  • BlockIP: IP block
  • JSChallenge: JavaScript challenge
  • ManagedChallenge: managed challenge
  • Disabled: Disabled
  • Allow: Allow
  • .", + }, + "block_ip_action_parameters": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Additional parameter when Name is BlockIP.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "duration": { + Type: schema.TypeString, + Required: true, + Description: "Penalty duration for blocking ips. supported units:
  • s: second, value range 1-120;
  • m: minute, value range 1-120;
  • h: hour, value range 1-48.
  • .", + }, + }, + }, + }, + "return_custom_page_action_parameters": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Additional parameter when Name is ReturnCustomPage.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "response_code": { + Type: schema.TypeString, + Required: true, + Description: "Response status code.", + }, + "error_page_id": { + Type: schema.TypeString, + Required: true, + Description: "Response custom page ID.", + }, + }, + }, + }, + "redirect_action_parameters": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Additional parameter when Name is Redirect.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "url": { + Type: schema.TypeString, + Required: true, + Description: "Redirect URL.", + }, + }, + }, + }, + }, + }, + }, + "rule_actions": { + Type: schema.TypeList, + Optional: true, + Description: "Specific configuration of rule items under the managed rule group. the configuration is effective only when SensitivityLevel is custom.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "rule_id": { + Type: schema.TypeString, + Required: true, + Description: "Specific items under the managed rule group, which are used to rewrite the configuration content of this individual rule item. refer to product documentation for details.", + }, + "action": { + Type: schema.TypeList, + Required: true, + MaxItems: 1, + Description: "Specify the handling action for the managed rule item in RuleId. the Name parameter value of SecurityAction supports:
  • Deny: block and respond with an interception page;
  • Monitor: observe, do not process the request and record the security event in logs;
  • Disabled: Disabled, do not scan the request and skip this rule.
  • .", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Required: true, + Description: "Specific actions for safe execution. valid values:.\n
  • Deny: block
  • Monitor: Monitor
  • ReturnCustomPage: use specified page to block
  • Redirect: Redirect to URL
  • BlockIP: IP block
  • JSChallenge: JavaScript challenge
  • ManagedChallenge: managed challenge
  • Disabled: Disabled
  • Allow: Allow
  • .", + }, + "block_ip_action_parameters": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Additional parameter when Name is BlockIP.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "duration": { + Type: schema.TypeString, + Required: true, + Description: "Penalty duration for blocking ips. supported units:
  • s: second, value range 1-120;
  • m: minute, value range 1-120;
  • h: hour, value range 1-48.
  • .", + }, + }, + }, + }, + "return_custom_page_action_parameters": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Additional parameter when Name is ReturnCustomPage.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "response_code": { + Type: schema.TypeString, + Required: true, + Description: "Response status code.", + }, + "error_page_id": { + Type: schema.TypeString, + Required: true, + Description: "Response custom page ID.", + }, + }, + }, + }, + "redirect_action_parameters": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Additional parameter when Name is Redirect.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "url": { + Type: schema.TypeString, + Required: true, + Description: "Redirect URL.", + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + "meta_data": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Managed rule group information, for output only.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "group_detail": { + Type: schema.TypeString, + Optional: true, + Description: "Managed rule group description, for output only.", + }, + "group_name": { + Type: schema.TypeString, + Optional: true, + Description: "Managed rule group name, for output only.", + }, + "rule_details": { + Type: schema.TypeList, + Optional: true, + Description: "All sub-rule information under the current managed rule group, for output only.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "rule_id": { + Type: schema.TypeString, + Optional: true, + Description: "Managed rule Id.", + }, + "risk_level": { + Type: schema.TypeString, + Optional: true, + Description: "Protection level of managed rules. valid values:
  • low: low risk. this rule has a relatively low risk and is applicable to access scenarios in a very strict control environment. this level of rule may generate considerable false alarms.
  • medium: medium risk. this means the risk of this rule is normal and it is suitable for protection scenarios with stricter requirements.
  • high: high risk. this indicates that the risk of this rule is relatively high and it will not generate false alarms in most scenarios.
  • extreme: ultra-high risk. this represents that the risk of this rule is extremely high and it will not generate false alarms basically.
  • .", + }, + "description": { + Type: schema.TypeString, + Optional: true, + Description: "Rule description.", + }, + "tags": { + Type: schema.TypeSet, + Optional: true, + Description: "Rule tag. some types of rules do not have tags.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "rule_version": { + Type: schema.TypeString, + Optional: true, + Description: "Rule ownership version.", + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + + "entity": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + ValidateFunc: tccommon.ValidateAllowedStringValue([]string{"ZoneDefaultPolicy", "Template", "Host"}), + Description: "Security policy type. the following parameter values can be used:
  • ZoneDefaultPolicy: used to specify a site-level policy;
  • Template: used to specify a policy Template. you need to simultaneously specify the TemplateId parameter;
  • Host: used to specify a domain-level policy (note: when using a domain name to specify a dns service policy, only dns services or policy templates that have applied a domain-level policy are supported).
  • .", + }, + + "host": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Specifies the specified domain. when the Entity parameter value is Host, use the domain-level policy specified by this parameter. for example: use www.example.com to configure the domain-level policy of the domain.", + }, + + "template_id": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Specify the policy Template ID. use this parameter to specify the ID of the policy Template when the Entity parameter value is Template.", + }, + }, + } +} + +func resourceTencentCloudTeoSecurityPolicyCreate(d *schema.ResourceData, meta interface{}) error { + defer tccommon.LogElapsed("resource.tencentcloud_teo_security_policy.create")() + defer tccommon.InconsistentCheck(d, meta)() + + var ( + zoneId string + entity string + host string + templateId string + ) + + if v, ok := d.GetOk("zone_id"); ok { + zoneId = v.(string) + } + + if v, ok := d.GetOk("entity"); ok { + entity = v.(string) + } + + if v, ok := d.GetOk("host"); ok { + host = v.(string) + } + + if v, ok := d.GetOk("template_id"); ok { + templateId = v.(string) + } + + if entity == "ZoneDefaultPolicy" && host == "" && templateId == "" { + d.SetId(strings.Join([]string{zoneId, entity}, tccommon.FILED_SP)) + } else if entity == "Host" && host != "" && templateId == "" { + d.SetId(strings.Join([]string{zoneId, entity, host}, tccommon.FILED_SP)) + } else if entity == "Template" && host == "" && templateId != "" { + d.SetId(strings.Join([]string{zoneId, entity, templateId}, tccommon.FILED_SP)) + } else { + return fmt.Errorf("If `entity` is `ZoneDefaultPolicy`, Please do not set `host` and `template_id`; If `entity` is `Host`, Only support set `host`; If `entity` is `Template`, Only support set `template_id`.") + } + + return resourceTencentCloudTeoSecurityPolicyUpdate(d, meta) +} + +func resourceTencentCloudTeoSecurityPolicyRead(d *schema.ResourceData, meta interface{}) error { + defer 
tccommon.LogElapsed("resource.tencentcloud_teo_security_policy.read")() + defer tccommon.InconsistentCheck(d, meta)() + + var ( + logId = tccommon.GetLogId(tccommon.ContextNil) + ctx = tccommon.NewResourceLifeCycleHandleFuncContext(context.Background(), logId, d, meta) + service = TeoService{client: meta.(tccommon.ProviderMeta).GetAPIV3Conn()} + zoneId string + entity string + host string + templateId string + ) + + idSplit := strings.Split(d.Id(), tccommon.FILED_SP) + if !(len(idSplit) == 2 || len(idSplit) == 3) { + return fmt.Errorf("id is broken,%s", d.Id()) + } + + zoneId = idSplit[0] + entity = idSplit[1] + if entity == "ZoneDefaultPolicy" && len(idSplit) == 2 { + + } else if entity == "Host" && len(idSplit) == 3 { + host = idSplit[2] + } else if entity == "Template" && len(idSplit) == 3 { + templateId = idSplit[2] + } else { + return fmt.Errorf("`entity` is illegal, %s.", entity) + } + + respData, err := service.DescribeTeoSecurityPolicyById(ctx, zoneId, entity, host, templateId) + if err != nil { + return err + } + + if respData == nil { + d.SetId("") + log.Printf("[WARN]%s resource `teo_security_policy` [%s] not found, please check if it has been deleted.\n", logId, d.Id()) + return nil + } + + _ = d.Set("zone_id", zoneId) + _ = d.Set("entity", entity) + _ = d.Set("host", host) + _ = d.Set("template_id", templateId) + + securityPolicyList := make([]map[string]interface{}, 0, 1) + securityPolicyMap := map[string]interface{}{} + if respData.CustomRules != nil { + customRulesMap := map[string]interface{}{} + rulesList := make([]map[string]interface{}, 0, len(respData.CustomRules.Rules)) + if respData.CustomRules.Rules != nil { + for _, rules := range respData.CustomRules.Rules { + rulesMap := map[string]interface{}{} + if rules.Name != nil { + rulesMap["name"] = rules.Name + } + + if rules.Condition != nil { + rulesMap["condition"] = rules.Condition + } + + actionMap := map[string]interface{}{} + if rules.Action != nil { + if rules.Action.Name != nil { + 
actionMap["name"] = rules.Action.Name + } + + blockIPActionParametersMap := map[string]interface{}{} + if rules.Action.BlockIPActionParameters != nil { + if rules.Action.BlockIPActionParameters.Duration != nil { + blockIPActionParametersMap["duration"] = rules.Action.BlockIPActionParameters.Duration + } + + actionMap["block_ip_action_parameters"] = []interface{}{blockIPActionParametersMap} + } + + returnCustomPageActionParametersMap := map[string]interface{}{} + if rules.Action.ReturnCustomPageActionParameters != nil { + if rules.Action.ReturnCustomPageActionParameters.ResponseCode != nil { + returnCustomPageActionParametersMap["response_code"] = rules.Action.ReturnCustomPageActionParameters.ResponseCode + } + + if rules.Action.ReturnCustomPageActionParameters.ErrorPageId != nil { + returnCustomPageActionParametersMap["error_page_id"] = rules.Action.ReturnCustomPageActionParameters.ErrorPageId + } + + actionMap["return_custom_page_action_parameters"] = []interface{}{returnCustomPageActionParametersMap} + } + + redirectActionParametersMap := map[string]interface{}{} + if rules.Action.RedirectActionParameters != nil { + if rules.Action.RedirectActionParameters.URL != nil { + redirectActionParametersMap["url"] = rules.Action.RedirectActionParameters.URL + } + + actionMap["redirect_action_parameters"] = []interface{}{redirectActionParametersMap} + } + + rulesMap["action"] = []interface{}{actionMap} + } + + if rules.Enabled != nil { + rulesMap["enabled"] = rules.Enabled + } + + if rules.Id != nil { + rulesMap["id"] = rules.Id + } + + if rules.RuleType != nil { + rulesMap["rule_type"] = rules.RuleType + } + + if rules.Priority != nil { + rulesMap["priority"] = rules.Priority + } + + rulesList = append(rulesList, rulesMap) + } + + customRulesMap["rules"] = rulesList + } + + securityPolicyMap["custom_rules"] = []interface{}{customRulesMap} + } + + if respData.ManagedRules != nil { + managedRulesMap := map[string]interface{}{} + if respData.ManagedRules.Enabled != nil { + 
managedRulesMap["enabled"] = respData.ManagedRules.Enabled + } + + if respData.ManagedRules.DetectionOnly != nil { + managedRulesMap["detection_only"] = respData.ManagedRules.DetectionOnly + } + + if respData.ManagedRules.SemanticAnalysis != nil { + managedRulesMap["semantic_analysis"] = respData.ManagedRules.SemanticAnalysis + } + + autoUpdateMap := map[string]interface{}{} + if respData.ManagedRules.AutoUpdate != nil { + if respData.ManagedRules.AutoUpdate.AutoUpdateToLatestVersion != nil { + autoUpdateMap["auto_update_to_latest_version"] = respData.ManagedRules.AutoUpdate.AutoUpdateToLatestVersion + } + + if respData.ManagedRules.AutoUpdate.RulesetVersion != nil { + autoUpdateMap["ruleset_version"] = respData.ManagedRules.AutoUpdate.RulesetVersion + } + + managedRulesMap["auto_update"] = []interface{}{autoUpdateMap} + } + + managedRuleGroupsList := make([]map[string]interface{}, 0, len(respData.ManagedRules.ManagedRuleGroups)) + if respData.ManagedRules.ManagedRuleGroups != nil { + for _, managedRuleGroups := range respData.ManagedRules.ManagedRuleGroups { + managedRuleGroupsMap := map[string]interface{}{} + + if managedRuleGroups.GroupId != nil { + managedRuleGroupsMap["group_id"] = managedRuleGroups.GroupId + } + + if managedRuleGroups.SensitivityLevel != nil { + managedRuleGroupsMap["sensitivity_level"] = managedRuleGroups.SensitivityLevel + } + + actionMap := map[string]interface{}{} + if managedRuleGroups.Action != nil { + if managedRuleGroups.Action.Name != nil { + actionMap["name"] = managedRuleGroups.Action.Name + } + + blockIPActionParametersMap := map[string]interface{}{} + if managedRuleGroups.Action.BlockIPActionParameters != nil { + if managedRuleGroups.Action.BlockIPActionParameters.Duration != nil { + blockIPActionParametersMap["duration"] = managedRuleGroups.Action.BlockIPActionParameters.Duration + } + + actionMap["block_ip_action_parameters"] = []interface{}{blockIPActionParametersMap} + } + + returnCustomPageActionParametersMap := 
map[string]interface{}{} + if managedRuleGroups.Action.ReturnCustomPageActionParameters != nil { + if managedRuleGroups.Action.ReturnCustomPageActionParameters.ResponseCode != nil { + returnCustomPageActionParametersMap["response_code"] = managedRuleGroups.Action.ReturnCustomPageActionParameters.ResponseCode + } + + if managedRuleGroups.Action.ReturnCustomPageActionParameters.ErrorPageId != nil { + returnCustomPageActionParametersMap["error_page_id"] = managedRuleGroups.Action.ReturnCustomPageActionParameters.ErrorPageId + } + + actionMap["return_custom_page_action_parameters"] = []interface{}{returnCustomPageActionParametersMap} + } + + redirectActionParametersMap := map[string]interface{}{} + if managedRuleGroups.Action.RedirectActionParameters != nil { + if managedRuleGroups.Action.RedirectActionParameters.URL != nil { + redirectActionParametersMap["url"] = managedRuleGroups.Action.RedirectActionParameters.URL + } + + actionMap["redirect_action_parameters"] = []interface{}{redirectActionParametersMap} + } + + managedRuleGroupsMap["action"] = []interface{}{actionMap} + } + + ruleActionsList := make([]map[string]interface{}, 0, len(managedRuleGroups.RuleActions)) + if managedRuleGroups.RuleActions != nil { + for _, ruleActions := range managedRuleGroups.RuleActions { + ruleActionsMap := map[string]interface{}{} + if ruleActions.RuleId != nil { + ruleActionsMap["rule_id"] = ruleActions.RuleId + } + + actionMap := map[string]interface{}{} + if ruleActions.Action != nil { + if ruleActions.Action.Name != nil { + actionMap["name"] = ruleActions.Action.Name + } + + blockIPActionParametersMap := map[string]interface{}{} + if ruleActions.Action.BlockIPActionParameters != nil { + if ruleActions.Action.BlockIPActionParameters.Duration != nil { + blockIPActionParametersMap["duration"] = ruleActions.Action.BlockIPActionParameters.Duration + } + + actionMap["block_ip_action_parameters"] = []interface{}{blockIPActionParametersMap} + } + + returnCustomPageActionParametersMap := 
map[string]interface{}{} + if ruleActions.Action.ReturnCustomPageActionParameters != nil { + if ruleActions.Action.ReturnCustomPageActionParameters.ResponseCode != nil { + returnCustomPageActionParametersMap["response_code"] = ruleActions.Action.ReturnCustomPageActionParameters.ResponseCode + } + + if ruleActions.Action.ReturnCustomPageActionParameters.ErrorPageId != nil { + returnCustomPageActionParametersMap["error_page_id"] = ruleActions.Action.ReturnCustomPageActionParameters.ErrorPageId + } + + actionMap["return_custom_page_action_parameters"] = []interface{}{returnCustomPageActionParametersMap} + } + + redirectActionParametersMap := map[string]interface{}{} + if ruleActions.Action.RedirectActionParameters != nil { + if ruleActions.Action.RedirectActionParameters.URL != nil { + redirectActionParametersMap["url"] = ruleActions.Action.RedirectActionParameters.URL + } + + actionMap["redirect_action_parameters"] = []interface{}{redirectActionParametersMap} + } + + ruleActionsMap["action"] = []interface{}{actionMap} + } + + ruleActionsList = append(ruleActionsList, ruleActionsMap) + } + + managedRuleGroupsMap["rule_actions"] = ruleActionsList + } + + metaDataMap := map[string]interface{}{} + if managedRuleGroups.MetaData != nil { + if managedRuleGroups.MetaData.GroupDetail != nil { + metaDataMap["group_detail"] = managedRuleGroups.MetaData.GroupDetail + } + + if managedRuleGroups.MetaData.GroupName != nil { + metaDataMap["group_name"] = managedRuleGroups.MetaData.GroupName + } + + ruleDetailsList := make([]map[string]interface{}, 0, len(managedRuleGroups.MetaData.RuleDetails)) + if managedRuleGroups.MetaData.RuleDetails != nil { + for _, ruleDetails := range managedRuleGroups.MetaData.RuleDetails { + ruleDetailsMap := map[string]interface{}{} + if ruleDetails.RuleId != nil { + ruleDetailsMap["rule_id"] = ruleDetails.RuleId + } + + if ruleDetails.RiskLevel != nil { + ruleDetailsMap["risk_level"] = ruleDetails.RiskLevel + } + + if ruleDetails.Description != nil { + 
ruleDetailsMap["description"] = ruleDetails.Description + } + + if ruleDetails.Tags != nil { + ruleDetailsMap["tags"] = ruleDetails.Tags + } + + if ruleDetails.RuleVersion != nil { + ruleDetailsMap["rule_version"] = ruleDetails.RuleVersion + } + + ruleDetailsList = append(ruleDetailsList, ruleDetailsMap) + } + + metaDataMap["rule_details"] = ruleDetailsList + } + managedRuleGroupsMap["meta_data"] = []interface{}{metaDataMap} + } + + managedRuleGroupsList = append(managedRuleGroupsList, managedRuleGroupsMap) + } + + managedRulesMap["managed_rule_groups"] = managedRuleGroupsList + } + + securityPolicyMap["managed_rules"] = []interface{}{managedRulesMap} + } + + securityPolicyList = append(securityPolicyList, securityPolicyMap) + _ = d.Set("security_policy", securityPolicyList) + return nil +} + +func resourceTencentCloudTeoSecurityPolicyUpdate(d *schema.ResourceData, meta interface{}) error { + defer tccommon.LogElapsed("resource.tencentcloud_teo_security_policy.update")() + defer tccommon.InconsistentCheck(d, meta)() + + var ( + logId = tccommon.GetLogId(tccommon.ContextNil) + ctx = tccommon.NewResourceLifeCycleHandleFuncContext(context.Background(), logId, d, meta) + request = teov20220901.NewModifySecurityPolicyRequest() + zoneId string + entity string + host string + templateId string + ) + + idSplit := strings.Split(d.Id(), tccommon.FILED_SP) + if !(len(idSplit) == 2 || len(idSplit) == 3) { + return fmt.Errorf("id is broken,%s", d.Id()) + } + + zoneId = idSplit[0] + entity = idSplit[1] + if entity == "ZoneDefaultPolicy" && len(idSplit) == 2 { + + } else if entity == "Host" && len(idSplit) == 3 { + host = idSplit[2] + } else if entity == "Template" && len(idSplit) == 3 { + templateId = idSplit[2] + } else { + return fmt.Errorf("`entity` is illegal, %s.", entity) + } + + request.ZoneId = &zoneId + request.Entity = &entity + request.TemplateId = &templateId + request.Host = &host + request.SecurityConfig = &teov20220901.SecurityConfig{} + if securityPolicyMap, ok 
:= helper.InterfacesHeadMap(d, "security_policy"); ok { + securityPolicy := teov20220901.SecurityPolicy{} + if customRulesMap, ok := helper.ConvertInterfacesHeadToMap(securityPolicyMap["custom_rules"]); ok { + customRules := teov20220901.CustomRules{} + if v, ok := customRulesMap["rules"]; ok { + for _, item := range v.([]interface{}) { + rulesMap := item.(map[string]interface{}) + customRule := teov20220901.CustomRule{} + if v, ok := rulesMap["name"].(string); ok && v != "" { + customRule.Name = helper.String(v) + } + + if v, ok := rulesMap["condition"].(string); ok && v != "" { + customRule.Condition = helper.String(v) + } + + if actionMap, ok := helper.ConvertInterfacesHeadToMap(rulesMap["action"]); ok { + securityAction := teov20220901.SecurityAction{} + if v, ok := actionMap["name"].(string); ok && v != "" { + securityAction.Name = helper.String(v) + } + + if blockIPActionParametersMap, ok := helper.ConvertInterfacesHeadToMap(actionMap["block_ip_action_parameters"]); ok { + blockIPActionParameters := teov20220901.BlockIPActionParameters{} + if v, ok := blockIPActionParametersMap["duration"].(string); ok && v != "" { + blockIPActionParameters.Duration = helper.String(v) + } + + securityAction.BlockIPActionParameters = &blockIPActionParameters + } + + if returnCustomPageActionParametersMap, ok := helper.ConvertInterfacesHeadToMap(actionMap["return_custom_page_action_parameters"]); ok { + returnCustomPageActionParameters := teov20220901.ReturnCustomPageActionParameters{} + if v, ok := returnCustomPageActionParametersMap["response_code"].(string); ok && v != "" { + returnCustomPageActionParameters.ResponseCode = helper.String(v) + } + + if v, ok := returnCustomPageActionParametersMap["error_page_id"].(string); ok && v != "" { + returnCustomPageActionParameters.ErrorPageId = helper.String(v) + } + + securityAction.ReturnCustomPageActionParameters = &returnCustomPageActionParameters + } + + if redirectActionParametersMap, ok := 
helper.ConvertInterfacesHeadToMap(actionMap["redirect_action_parameters"]); ok { + redirectActionParameters := teov20220901.RedirectActionParameters{} + if v, ok := redirectActionParametersMap["url"].(string); ok && v != "" { + redirectActionParameters.URL = helper.String(v) + } + + securityAction.RedirectActionParameters = &redirectActionParameters + } + + customRule.Action = &securityAction + } + + if v, ok := rulesMap["enabled"].(string); ok && v != "" { + customRule.Enabled = helper.String(v) + } + + if v, ok := rulesMap["id"].(string); ok && v != "" { + customRule.Id = helper.String(v) + } + + if v, ok := rulesMap["rule_type"].(string); ok && v != "" { + customRule.RuleType = helper.String(v) + } + + if v, ok := rulesMap["priority"].(int); ok { + customRule.Priority = helper.IntInt64(v) + } + + customRules.Rules = append(customRules.Rules, &customRule) + } + } + + securityPolicy.CustomRules = &customRules + } + + if managedRulesMap, ok := helper.ConvertInterfacesHeadToMap(securityPolicyMap["managed_rules"]); ok { + managedRules := teov20220901.ManagedRules{} + if v, ok := managedRulesMap["enabled"].(string); ok && v != "" { + managedRules.Enabled = helper.String(v) + } + + if v, ok := managedRulesMap["detection_only"].(string); ok && v != "" { + managedRules.DetectionOnly = helper.String(v) + } + + if v, ok := managedRulesMap["semantic_analysis"].(string); ok && v != "" { + managedRules.SemanticAnalysis = helper.String(v) + } + + if autoUpdateMap, ok := helper.ConvertInterfacesHeadToMap(managedRulesMap["auto_update"]); ok { + managedRuleAutoUpdate := teov20220901.ManagedRuleAutoUpdate{} + if v, ok := autoUpdateMap["auto_update_to_latest_version"].(string); ok && v != "" { + managedRuleAutoUpdate.AutoUpdateToLatestVersion = helper.String(v) + } + + if v, ok := autoUpdateMap["ruleset_version"].(string); ok && v != "" { + managedRuleAutoUpdate.RulesetVersion = helper.String(v) + } + + managedRules.AutoUpdate = &managedRuleAutoUpdate + } + + if v, ok := 
managedRulesMap["managed_rule_groups"]; ok { + for _, item := range v.([]interface{}) { + managedRuleGroupsMap := item.(map[string]interface{}) + managedRuleGroup := teov20220901.ManagedRuleGroup{} + if v, ok := managedRuleGroupsMap["group_id"].(string); ok && v != "" { + managedRuleGroup.GroupId = helper.String(v) + } + + if v, ok := managedRuleGroupsMap["sensitivity_level"].(string); ok && v != "" { + managedRuleGroup.SensitivityLevel = helper.String(v) + } + + if actionMap, ok := helper.ConvertInterfacesHeadToMap(managedRuleGroupsMap["action"]); ok { + securityAction2 := teov20220901.SecurityAction{} + if v, ok := actionMap["name"].(string); ok && v != "" { + securityAction2.Name = helper.String(v) + } + + if blockIPActionParametersMap, ok := helper.ConvertInterfacesHeadToMap(actionMap["block_ip_action_parameters"]); ok { + blockIPActionParameters2 := teov20220901.BlockIPActionParameters{} + if v, ok := blockIPActionParametersMap["duration"].(string); ok && v != "" { + blockIPActionParameters2.Duration = helper.String(v) + } + + securityAction2.BlockIPActionParameters = &blockIPActionParameters2 + } + + if returnCustomPageActionParametersMap, ok := helper.ConvertInterfacesHeadToMap(actionMap["return_custom_page_action_parameters"]); ok { + returnCustomPageActionParameters2 := teov20220901.ReturnCustomPageActionParameters{} + if v, ok := returnCustomPageActionParametersMap["response_code"].(string); ok && v != "" { + returnCustomPageActionParameters2.ResponseCode = helper.String(v) + } + + if v, ok := returnCustomPageActionParametersMap["error_page_id"].(string); ok && v != "" { + returnCustomPageActionParameters2.ErrorPageId = helper.String(v) + } + + securityAction2.ReturnCustomPageActionParameters = &returnCustomPageActionParameters2 + } + + if redirectActionParametersMap, ok := helper.ConvertInterfacesHeadToMap(actionMap["redirect_action_parameters"]); ok { + redirectActionParameters2 := teov20220901.RedirectActionParameters{} + if v, ok := 
redirectActionParametersMap["url"].(string); ok && v != "" { + redirectActionParameters2.URL = helper.String(v) + } + + securityAction2.RedirectActionParameters = &redirectActionParameters2 + } + + managedRuleGroup.Action = &securityAction2 + } + + if v, ok := managedRuleGroupsMap["rule_actions"]; ok { + for _, item := range v.([]interface{}) { + ruleActionsMap := item.(map[string]interface{}) + managedRuleAction := teov20220901.ManagedRuleAction{} + if v, ok := ruleActionsMap["rule_id"].(string); ok && v != "" { + managedRuleAction.RuleId = helper.String(v) + } + + if actionMap, ok := helper.ConvertInterfacesHeadToMap(ruleActionsMap["action"]); ok { + securityAction3 := teov20220901.SecurityAction{} + if v, ok := actionMap["name"].(string); ok && v != "" { + securityAction3.Name = helper.String(v) + } + + if blockIPActionParametersMap, ok := helper.ConvertInterfacesHeadToMap(actionMap["block_ip_action_parameters"]); ok { + blockIPActionParameters3 := teov20220901.BlockIPActionParameters{} + if v, ok := blockIPActionParametersMap["duration"].(string); ok && v != "" { + blockIPActionParameters3.Duration = helper.String(v) + } + + securityAction3.BlockIPActionParameters = &blockIPActionParameters3 + } + + if returnCustomPageActionParametersMap, ok := helper.ConvertInterfacesHeadToMap(actionMap["return_custom_page_action_parameters"]); ok { + returnCustomPageActionParameters3 := teov20220901.ReturnCustomPageActionParameters{} + if v, ok := returnCustomPageActionParametersMap["response_code"].(string); ok && v != "" { + returnCustomPageActionParameters3.ResponseCode = helper.String(v) + } + + if v, ok := returnCustomPageActionParametersMap["error_page_id"].(string); ok && v != "" { + returnCustomPageActionParameters3.ErrorPageId = helper.String(v) + } + + securityAction3.ReturnCustomPageActionParameters = &returnCustomPageActionParameters3 + } + + if redirectActionParametersMap, ok := helper.ConvertInterfacesHeadToMap(actionMap["redirect_action_parameters"]); ok { + 
redirectActionParameters3 := teov20220901.RedirectActionParameters{} + if v, ok := redirectActionParametersMap["url"].(string); ok && v != "" { + redirectActionParameters3.URL = helper.String(v) + } + + securityAction3.RedirectActionParameters = &redirectActionParameters3 + } + + managedRuleAction.Action = &securityAction3 + } + + managedRuleGroup.RuleActions = append(managedRuleGroup.RuleActions, &managedRuleAction) + } + } + + if metaDataMap, ok := helper.ConvertInterfacesHeadToMap(managedRuleGroupsMap["meta_data"]); ok { + managedRuleGroupMeta := teov20220901.ManagedRuleGroupMeta{} + if v, ok := metaDataMap["group_detail"].(string); ok && v != "" { + managedRuleGroupMeta.GroupDetail = helper.String(v) + } + + if v, ok := metaDataMap["group_name"].(string); ok && v != "" { + managedRuleGroupMeta.GroupName = helper.String(v) + } + + if v, ok := metaDataMap["rule_details"]; ok { + for _, item := range v.([]interface{}) { + ruleDetailsMap := item.(map[string]interface{}) + managedRuleDetail := teov20220901.ManagedRuleDetail{} + if v, ok := ruleDetailsMap["rule_id"].(string); ok && v != "" { + managedRuleDetail.RuleId = helper.String(v) + } + + if v, ok := ruleDetailsMap["risk_level"].(string); ok && v != "" { + managedRuleDetail.RiskLevel = helper.String(v) + } + + if v, ok := ruleDetailsMap["description"].(string); ok && v != "" { + managedRuleDetail.Description = helper.String(v) + } + + if v, ok := ruleDetailsMap["tags"]; ok { + tagsSet := v.(*schema.Set).List() + for i := range tagsSet { + tags := tagsSet[i].(string) + managedRuleDetail.Tags = append(managedRuleDetail.Tags, helper.String(tags)) + } + } + + if v, ok := ruleDetailsMap["rule_version"].(string); ok && v != "" { + managedRuleDetail.RuleVersion = helper.String(v) + } + + managedRuleGroupMeta.RuleDetails = append(managedRuleGroupMeta.RuleDetails, &managedRuleDetail) + } + } + + managedRuleGroup.MetaData = &managedRuleGroupMeta + } + + managedRules.ManagedRuleGroups = 
append(managedRules.ManagedRuleGroups, &managedRuleGroup)
+ }
+ }
+
+ securityPolicy.ManagedRules = &managedRules
+ }
+
+ request.SecurityPolicy = &securityPolicy
+ }
+
+ reqErr := resource.Retry(tccommon.WriteRetryTimeout, func() *resource.RetryError {
+ result, e := meta.(tccommon.ProviderMeta).GetAPIV3Conn().UseTeoV20220901Client().ModifySecurityPolicyWithContext(ctx, request)
+ if e != nil {
+ return tccommon.RetryError(e)
+ } else {
+ log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString())
+ }
+
+ if result == nil || result.BaseResponse == nil {
+ return resource.NonRetryableError(fmt.Errorf("Create teo security policy failed, Response is nil."))
+ }
+
+ return nil
+ })
+
+ if reqErr != nil {
+ log.Printf("[CRITAL]%s modify teo security policy failed, reason:%+v", logId, reqErr)
+ return reqErr
+ }
+
+ return resourceTencentCloudTeoSecurityPolicyRead(d, meta)
+}
+
+func resourceTencentCloudTeoSecurityPolicyDelete(d *schema.ResourceData, meta interface{}) error {
+ defer tccommon.LogElapsed("resource.tencentcloud_teo_security_policy.delete")()
+ defer tccommon.InconsistentCheck(d, meta)()
+
+ return nil
+}
diff --git a/tencentcloud/services/teo/resource_tc_teo_security_policy.md b/tencentcloud/services/teo/resource_tc_teo_security_policy.md
new file mode 100644
index 0000000000..dfe79e8392
--- /dev/null
+++ b/tencentcloud/services/teo/resource_tc_teo_security_policy.md
@@ -0,0 +1,166 @@ +Provides a resource to create a teo teo_security_policy + +Example Usage + +```hcl +resource "tencentcloud_teo_security_policy" "teo_security_policy" { + security_config = { + waf_config = { + waf_rule = { + } + ai_rule = { + } + } + rate_limit_config = { + rate_limit_user_rules = { + acl_conditions = { + } + } + rate_limit_template = { + rate_limit_template_detail = { + } + } + rate_limit_intelligence = { + } + rate_limit_customizes = { + acl_conditions = { + } + } + } + acl_config = { + acl_user_rules = { + acl_conditions = { + } + } + customizes = { + acl_conditions = { + } + } + } + bot_config = { + bot_managed_rule = { + } + bot_portrait_rule = { + } + intelligence_rule = { + intelligence_rule_items = { + } + } + bot_user_rules = { + extend_actions = { + } + acl_conditions = { + } + } + alg_detect_rule = { + alg_conditions = { + } + alg_detect_session = { + alg_detect_results = { + } + session_behaviors = { + } + } + alg_detect_js = { + alg_detect_results = { + } + } + } + customizes = { + extend_actions = { + } + acl_conditions = { + } + } + } + switch_config = { + } + ip_table_config = { + ip_table_rules = { + } + } + except_config = { + except_user_rules = { + except_user_rule_conditions = { + } + except_user_rule_scope = { + partial_modules = { + } + skip_conditions = { + } + } + } + } + drop_page_config = { + waf_drop_page_detail = { + } + acl_drop_page_detail = { + } + } + template_config = { + } + slow_post_config = { + first_part_config = { + } + slow_rate_config = { + } + } + detect_length_limit_config = { + detect_length_limit_rules = { + conditions = { + } + } + } + } + security_policy = { + custom_rules = { + rules = { + action = { + block_ip_action_parameters = { + } + return_custom_page_action_parameters = { + } + redirect_action_parameters = { + } + } + } + } + managed_rules = { + auto_update = { + } + managed_rule_groups = { + action = { + block_ip_action_parameters = { + } + return_custom_page_action_parameters = { + } + 
redirect_action_parameters = { + } + } + rule_actions = { + action = { + block_ip_action_parameters = { + } + return_custom_page_action_parameters = { + } + redirect_action_parameters = { + } + } + } + meta_data = { + rule_details = { + } + } + } + } + } +} +``` + +Import + +teo teo_security_policy can be imported using the id, e.g. + +``` +terraform import tencentcloud_teo_security_policy.teo_security_policy teo_security_policy_id +``` diff --git a/tencentcloud/services/teo/resource_tc_teo_security_policy_test.go b/tencentcloud/services/teo/resource_tc_teo_security_policy_test.go new file mode 100644 index 0000000000..41a9eb186f --- /dev/null +++ b/tencentcloud/services/teo/resource_tc_teo_security_policy_test.go 
@@ -0,0 +1,183 @@ +package teo_test + +import ( + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + + tcacctest "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/acctest" +) + +func TestAccTencentCloudTeoSecurityPolicyResource_basic(t *testing.T) { + t.Parallel() + resource.Test(t, resource.TestCase{ + PreCheck: func() { + tcacctest.AccPreCheck(t) + }, + Providers: tcacctest.AccProviders, + Steps: []resource.TestStep{{ + Config: testAccTeoSecurityPolicy, + Check: resource.ComposeTestCheckFunc(resource.TestCheckResourceAttrSet("tencentcloud_teo_security_policy.teo_security_policy", "id")), + }, { + ResourceName: "tencentcloud_teo_security_policy.teo_security_policy", + ImportState: true, + ImportStateVerify: true, + }}, + }) +} + +const testAccTeoSecurityPolicy = ` + +resource "tencentcloud_teo_security_policy" "teo_security_policy" { + security_config = { + waf_config = { + waf_rule = { + } + ai_rule = { + } + } + rate_limit_config = { + rate_limit_user_rules = { + acl_conditions = { + } + } + rate_limit_template = { + rate_limit_template_detail = { + } + } + rate_limit_intelligence = { + } + rate_limit_customizes = { + acl_conditions = { + } + } + } + acl_config = { + acl_user_rules = { + acl_conditions = { + } + } + customizes = { + acl_conditions = { + } + } + } + bot_config = { + bot_managed_rule = { + } + bot_portrait_rule = { + } + intelligence_rule = { + intelligence_rule_items = { + } + } + bot_user_rules = { + extend_actions = { + } + acl_conditions = { + } + } + alg_detect_rule = { + alg_conditions = { + } + alg_detect_session = { + alg_detect_results = { + } + session_behaviors = { + } + } + alg_detect_js = { + alg_detect_results = { + } + } + } + customizes = { + extend_actions = { + } + acl_conditions = { + } + } + } + switch_config = { + } + ip_table_config = { + ip_table_rules = { + } + } + except_config = { + except_user_rules = { + except_user_rule_conditions = { + } + except_user_rule_scope = { 
+ partial_modules = { + } + skip_conditions = { + } + } + } + } + drop_page_config = { + waf_drop_page_detail = { + } + acl_drop_page_detail = { + } + } + template_config = { + } + slow_post_config = { + first_part_config = { + } + slow_rate_config = { + } + } + detect_length_limit_config = { + detect_length_limit_rules = { + conditions = { + } + } + } + } + security_policy = { + custom_rules = { + rules = { + action = { + block_ip_action_parameters = { + } + return_custom_page_action_parameters = { + } + redirect_action_parameters = { + } + } + } + } + managed_rules = { + auto_update = { + } + managed_rule_groups = { + action = { + block_ip_action_parameters = { + } + return_custom_page_action_parameters = { + } + redirect_action_parameters = { + } + } + rule_actions = { + action = { + block_ip_action_parameters = { + } + return_custom_page_action_parameters = { + } + redirect_action_parameters = { + } + } + } + meta_data = { + rule_details = { + } + } + } + } + } +} +` diff --git a/tencentcloud/services/teo/service_tencentcloud_teo.go b/tencentcloud/services/teo/service_tencentcloud_teo.go index e315cb04ec..d77eba6507 100644 --- a/tencentcloud/services/teo/service_tencentcloud_teo.go +++ b/tencentcloud/services/teo/service_tencentcloud_teo.go 
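Review bot: The config in `testAccTeoSecurityPolicy` contains only empty placeholder blocks and no zone, entity or host values, so the first step cannot produce an ID that `resourceTencentCloudTeoSecurityPolicyUpdate` can split into `zoneId#entity[#host|#templateId]`, and the `ImportStateVerify` step then has nothing meaningful to compare. The config also populates `security_config`, which the update path in this commit never reads (it only calls `helper.InterfacesHeadMap(d, "security_policy")` and sends an empty `SecurityConfig{}`), so even a passing run would not exercise the new code. Nested blocks are written with attribute syntax (`security_config = {`); if the schema declares them as `TypeList` blocks rather than object attributes the SDK will reject this config — I cannot see the schema from this hunk. Replace the placeholders with a minimal real configuration: the attributes the schema uses for the zone id and entity, plus one `custom_rules` rule with a `name`, `condition` and `action`, and assert on those attributes instead of only `id`.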
@@ -1644,3 +1644,43 @@ func (me *TeoService) DescribeTeoL7AccRuleById(ctx context.Context, zoneId strin
 ret = response.Response
 return
 }
+
+func (me *TeoService) DescribeTeoSecurityPolicyById(ctx context.Context, zoneId, entity, host, templateId string) (ret *teo.SecurityPolicy, errRet error) {
+ logId := tccommon.GetLogId(ctx)
+
+ request := teo.NewDescribeSecurityPolicyRequest()
+ response := teo.NewDescribeSecurityPolicyResponse()
+ request.ZoneId = &zoneId
+ request.Entity = &entity
+ if host != "" {
+ request.Host = &host
+ }
+
+ if templateId != "" {
+ request.TemplateId = &templateId
+ }
+
+ err := resource.Retry(tccommon.ReadRetryTimeout, func() *resource.RetryError {
+ ratelimit.Check(request.GetAction())
+ result, e := me.client.UseTeoV20220901Client().DescribeSecurityPolicy(request)
+ if e != nil {
+ return tccommon.RetryError(e)
+ }
+
+ log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString())
+ response = result
+ return nil
+ })
+
+ if err != nil {
+ errRet = err
+ return
+ }
+
+ if response.Response == nil {
+ return
+ }
+
+ ret = response.Response.SecurityPolicy
+ return
+}
diff --git a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/http/request.go b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/http/request.go
index fccc640040..6b41d2a8a6 100644
--- a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/http/request.go
+++ b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/http/request.go
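Review bot: `DescribeTeoSecurityPolicyById` accepts `ctx` but uses it only for the log ID; the request is sent through `DescribeSecurityPolicy(request)`, so cancellation and deadlines from the resource lifecycle context never reach the HTTP call. The client added in this same commit exposes `DescribeSecurityPolicyWithContext`, and the resource's update path already uses the `WithContext` variant for `ModifySecurityPolicy`, so the read side should match: `result, e := me.client.UseTeoV20220901Client().DescribeSecurityPolicyWithContext(ctx, request)`. Separately, when `response.Response == nil` the function returns `(nil, nil)`, which the caller cannot tell apart from "policy not found"; either return an error for a malformed reply or state the contract in a doc comment above the function, e.g. `// DescribeTeoSecurityPolicyById returns a nil policy and nil error when the API replies without a Response body; callers treat that as "not found".`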
@@ -265,7 +265,7 @@ func CompleteCommonParams(request Request, region string, requestClient string) params["Action"] = request.GetAction() params["Timestamp"] = strconv.FormatInt(time.Now().Unix(), 10) params["Nonce"] = strconv.Itoa(rand.Int()) - params["RequestClient"] = "SDK_GO_1.0.1128" + params["RequestClient"] = "SDK_GO_1.0.1129" if requestClient != "" { params["RequestClient"] += ": " + requestClient } diff --git a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/client.go b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/client.go index 93529a26a7..63334c7874 100644 --- a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/client.go +++ b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/client.go @@ -2104,7 +2104,9 @@ func NewCreateRuleResponse() (response *CreateRuleResponse) { } // CreateRule -// 本接口为旧版,EdgeOne 已对规则引擎相关接口全面升级,详情请参考 [CreateL7AccRules](https://cloud.tencent.com/document/product/1552/115822)。 +// 本接口为旧版本创建规则引擎接口,EdgeOne 于 2025 年 1 月 21 日已对规则引擎相关接口全面升级,新版本创建七层加速规则接口详情请参考 [CreateL7AccRules](https://cloud.tencent.com/document/product/1552/115822)。 +// +//

    注意:自 2025 年 1 月 21 日起,旧版接口停止更新迭代,后续新增功能将仅在新版接口中提供,旧版接口支持的原有能力将不受影响。为避免在使用旧版接口时出现数据字段冲突,建议您尽早迁移到新版规则引擎接口。

    // // 可能返回的错误码: // FAILEDOPERATION = "FailedOperation" @@ -2204,7 +2206,9 @@ func (c *Client) CreateRule(request *CreateRuleRequest) (response *CreateRuleRes } // CreateRule -// 本接口为旧版,EdgeOne 已对规则引擎相关接口全面升级,详情请参考 [CreateL7AccRules](https://cloud.tencent.com/document/product/1552/115822)。 +// 本接口为旧版本创建规则引擎接口,EdgeOne 于 2025 年 1 月 21 日已对规则引擎相关接口全面升级,新版本创建七层加速规则接口详情请参考 [CreateL7AccRules](https://cloud.tencent.com/document/product/1552/115822)。 +// +//

    注意:自 2025 年 1 月 21 日起,旧版接口停止更新迭代,后续新增功能将仅在新版接口中提供,旧版接口支持的原有能力将不受影响。为避免在使用旧版接口时出现数据字段冲突,建议您尽早迁移到新版规则引擎接口。

    // // 可能返回的错误码: // FAILEDOPERATION = "FailedOperation" @@ -3433,7 +3437,9 @@ func NewDeleteRulesResponse() (response *DeleteRulesResponse) { } // DeleteRules -// 本接口为旧版,EdgeOne 已对规则引擎相关接口全面升级,详情请参考 [DeleteL7AccRules](https://cloud.tencent.com/document/product/1552/115821)。 +// 本接口为旧版本删除规则引擎接口,EdgeOne 于 2025 年 1 月 21 日已对规则引擎相关接口全面升级,新版本删除七层加速规则接口详情请参考 [DeleteL7AccRules](https://cloud.tencent.com/document/product/1552/115821)。 +// +//

    注意:自 2025 年 1 月 21 日起,旧版接口停止更新迭代,后续新增功能将仅在新版接口中提供,旧版接口支持的原有能力将不受影响。为避免在使用旧版接口时出现数据字段冲突,建议您尽早迁移到新版规则引擎接口。

    // // 可能返回的错误码: // FAILEDOPERATION = "FailedOperation" @@ -3459,7 +3465,9 @@ func (c *Client) DeleteRules(request *DeleteRulesRequest) (response *DeleteRules } // DeleteRules -// 本接口为旧版,EdgeOne 已对规则引擎相关接口全面升级,详情请参考 [DeleteL7AccRules](https://cloud.tencent.com/document/product/1552/115821)。 +// 本接口为旧版本删除规则引擎接口,EdgeOne 于 2025 年 1 月 21 日已对规则引擎相关接口全面升级,新版本删除七层加速规则接口详情请参考 [DeleteL7AccRules](https://cloud.tencent.com/document/product/1552/115821)。 +// +//

    注意:自 2025 年 1 月 21 日起,旧版接口停止更新迭代,后续新增功能将仅在新版接口中提供,旧版接口支持的原有能力将不受影响。为避免在使用旧版接口时出现数据字段冲突,建议您尽早迁移到新版规则引擎接口。

    // // 可能返回的错误码: // FAILEDOPERATION = "FailedOperation" @@ -5695,7 +5703,9 @@ func NewDescribeRulesResponse() (response *DescribeRulesResponse) { } // DescribeRules -// 本接口为旧版,EdgeOne 已对规则引擎相关接口全面升级,详情请参考 [DescribeL7AccRules](https://cloud.tencent.com/document/product/1552/115820)。 +// 本接口为旧版本查询规则引擎规则接口,EdgeOne 于 2025 年 1 月 21 日已对规则引擎相关接口全面升级,新版本查询七层加速规则接口详情请参考 [DescribeL7AccRules](https://cloud.tencent.com/document/product/1552/115820)。 +// +//

    注意:自 2025 年 1 月 21 日起,旧版接口停止更新迭代,后续新增功能将仅在新版接口中提供,旧版接口支持的原有能力将不受影响。为避免在使用旧版接口时出现数据字段冲突,建议您尽早迁移到新版规则引擎接口。

    // // 可能返回的错误码: // INTERNALERROR_ROUTEERROR = "InternalError.RouteError" @@ -5706,7 +5716,9 @@ func (c *Client) DescribeRules(request *DescribeRulesRequest) (response *Describ } // DescribeRules -// 本接口为旧版,EdgeOne 已对规则引擎相关接口全面升级,详情请参考 [DescribeL7AccRules](https://cloud.tencent.com/document/product/1552/115820)。 +// 本接口为旧版本查询规则引擎规则接口,EdgeOne 于 2025 年 1 月 21 日已对规则引擎相关接口全面升级,新版本查询七层加速规则接口详情请参考 [DescribeL7AccRules](https://cloud.tencent.com/document/product/1552/115820)。 +// +//

    注意:自 2025 年 1 月 21 日起,旧版接口停止更新迭代,后续新增功能将仅在新版接口中提供,旧版接口支持的原有能力将不受影响。为避免在使用旧版接口时出现数据字段冲突,建议您尽早迁移到新版规则引擎接口。

    // // 可能返回的错误码: // INTERNALERROR_ROUTEERROR = "InternalError.RouteError" 
@@ -5899,6 +5911,63 @@ func (c *Client) DescribeSecurityIPGroupInfoWithContext(ctx context.Context, req return } +func NewDescribeSecurityPolicyRequest() (request *DescribeSecurityPolicyRequest) { + request = &DescribeSecurityPolicyRequest{ + BaseRequest: &tchttp.BaseRequest{}, + } + + request.Init().WithApiInfo("teo", APIVersion, "DescribeSecurityPolicy") + + + return +} + +func NewDescribeSecurityPolicyResponse() (response *DescribeSecurityPolicyResponse) { + response = &DescribeSecurityPolicyResponse{ + BaseResponse: &tchttp.BaseResponse{}, + } + return + +} + +// DescribeSecurityPolicy +// 查询安全防护配置详情。 +// +// 可能返回的错误码: +// INTERNALERROR_PROXYSERVER = "InternalError.ProxyServer" +// INVALIDPARAMETER_SECURITY = "InvalidParameter.Security" +// UNAUTHORIZEDOPERATION_CAMUNAUTHORIZED = "UnauthorizedOperation.CamUnauthorized" +// UNAUTHORIZEDOPERATION_NOPERMISSION = "UnauthorizedOperation.NoPermission" +// UNAUTHORIZEDOPERATION_UNKNOWN = "UnauthorizedOperation.Unknown" +func (c *Client) DescribeSecurityPolicy(request *DescribeSecurityPolicyRequest) (response *DescribeSecurityPolicyResponse, err error) { + return c.DescribeSecurityPolicyWithContext(context.Background(), request) +} + +// DescribeSecurityPolicy +// 查询安全防护配置详情。 +// +// 可能返回的错误码: +// INTERNALERROR_PROXYSERVER = "InternalError.ProxyServer" +// INVALIDPARAMETER_SECURITY = "InvalidParameter.Security" +// UNAUTHORIZEDOPERATION_CAMUNAUTHORIZED = "UnauthorizedOperation.CamUnauthorized" +// UNAUTHORIZEDOPERATION_NOPERMISSION = "UnauthorizedOperation.NoPermission" +// UNAUTHORIZEDOPERATION_UNKNOWN = "UnauthorizedOperation.Unknown" +func (c *Client) DescribeSecurityPolicyWithContext(ctx context.Context, request *DescribeSecurityPolicyRequest) (response *DescribeSecurityPolicyResponse, err error) { + if request == nil { + request = NewDescribeSecurityPolicyRequest() + } + + if c.GetCredential() == nil { + return nil, errors.New("DescribeSecurityPolicy require credential") + } + + request.SetContext(ctx) + + 
response = NewDescribeSecurityPolicyResponse() + err = c.Send(request, response) + return +} + func NewDescribeSecurityTemplateBindingsRequest() (request *DescribeSecurityTemplateBindingsRequest) { request = &DescribeSecurityTemplateBindingsRequest{ BaseRequest: &tchttp.BaseRequest{}, 
@@ -8471,6 +8540,57 @@ func (c *Client) ModifyL7AccRuleWithContext(ctx context.Context, request *Modify return } +func NewModifyL7AccRulePriorityRequest() (request *ModifyL7AccRulePriorityRequest) { + request = &ModifyL7AccRulePriorityRequest{ + BaseRequest: &tchttp.BaseRequest{}, + } + + request.Init().WithApiInfo("teo", APIVersion, "ModifyL7AccRulePriority") + + + return +} + +func NewModifyL7AccRulePriorityResponse() (response *ModifyL7AccRulePriorityResponse) { + response = &ModifyL7AccRulePriorityResponse{ + BaseResponse: &tchttp.BaseResponse{}, + } + return + +} + +// ModifyL7AccRulePriority +// 本接口用于修改[规则引擎](https://cloud.tencent.com/document/product/1552/70901)中规则列表的优先级,本接口需要传入站点 ID 下完整的规则 ID 列表,规则 ID 列表可以通过[查询七层加速规则](https://cloud.tencent.com/document/product/1552/115820)接口获取,最终优先级顺序将调整成规则 ID 列表的顺序,从前往后执行。 +// +// 可能返回的错误码: +// INVALIDPARAMETER_INVALIDRULEENGINE = "InvalidParameter.InvalidRuleEngine" +// INVALIDPARAMETER_INVALIDRULEENGINENOTFOUND = "InvalidParameter.InvalidRuleEngineNotFound" +func (c *Client) ModifyL7AccRulePriority(request *ModifyL7AccRulePriorityRequest) (response *ModifyL7AccRulePriorityResponse, err error) { + return c.ModifyL7AccRulePriorityWithContext(context.Background(), request) +} + +// ModifyL7AccRulePriority +// 本接口用于修改[规则引擎](https://cloud.tencent.com/document/product/1552/70901)中规则列表的优先级,本接口需要传入站点 ID 下完整的规则 ID 列表,规则 ID 列表可以通过[查询七层加速规则](https://cloud.tencent.com/document/product/1552/115820)接口获取,最终优先级顺序将调整成规则 ID 列表的顺序,从前往后执行。 +// +// 可能返回的错误码: +// INVALIDPARAMETER_INVALIDRULEENGINE = "InvalidParameter.InvalidRuleEngine" +// INVALIDPARAMETER_INVALIDRULEENGINENOTFOUND = "InvalidParameter.InvalidRuleEngineNotFound" +func (c *Client) ModifyL7AccRulePriorityWithContext(ctx context.Context, request *ModifyL7AccRulePriorityRequest) (response *ModifyL7AccRulePriorityResponse, err error) { + if request == nil { + request = NewModifyL7AccRulePriorityRequest() + } + + if c.GetCredential() == nil { + return nil, 
errors.New("ModifyL7AccRulePriority require credential") + } + + request.SetContext(ctx) + + response = NewModifyL7AccRulePriorityResponse() + err = c.Send(request, response) + return +} + func NewModifyL7AccSettingRequest() (request *ModifyL7AccSettingRequest) { request = &ModifyL7AccSettingRequest{ BaseRequest: &tchttp.BaseRequest{}, @@ -8918,7 +9038,9 @@ func NewModifyRuleResponse() (response *ModifyRuleResponse) { } // ModifyRule -// 本接口为旧版,EdgeOne 已对规则引擎相关接口全面升级,详情请参考 [ModifyL7AccRule](https://cloud.tencent.com/document/product/1552/115818)。 +// 本接口为旧版本修改规则引擎接口,EdgeOne 于 2025 年 1 月 21 日已对规则引擎相关接口全面升级,新版本修改七层加速规则接口详情请参考 [ModifyL7AccRule](https://cloud.tencent.com/document/product/1552/115818)。 +// +//

    注意:自 2025 年 1 月 21 日起,旧版接口停止更新迭代,后续新增功能将仅在新版接口中提供,旧版接口支持的原有能力将不受影响。为避免在使用旧版接口时出现数据字段冲突,建议您尽早迁移到新版规则引擎接口。

    // // 可能返回的错误码: // INTERNALERROR_CONFIGLOCKED = "InternalError.ConfigLocked" @@ -9017,7 +9139,9 @@ func (c *Client) ModifyRule(request *ModifyRuleRequest) (response *ModifyRuleRes } // ModifyRule -// 本接口为旧版,EdgeOne 已对规则引擎相关接口全面升级,详情请参考 [ModifyL7AccRule](https://cloud.tencent.com/document/product/1552/115818)。 +// 本接口为旧版本修改规则引擎接口,EdgeOne 于 2025 年 1 月 21 日已对规则引擎相关接口全面升级,新版本修改七层加速规则接口详情请参考 [ModifyL7AccRule](https://cloud.tencent.com/document/product/1552/115818)。 +// +//

    注意:自 2025 年 1 月 21 日起,旧版接口停止更新迭代,后续新增功能将仅在新版接口中提供,旧版接口支持的原有能力将不受影响。为避免在使用旧版接口时出现数据字段冲突,建议您尽早迁移到新版规则引擎接口。

    // // 可能返回的错误码: // INTERNALERROR_CONFIGLOCKED = "InternalError.ConfigLocked" diff --git a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/errors.go b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/errors.go index 8626689fc9..31091ba795 100644 --- a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/errors.go +++ b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/errors.go @@ -518,6 +518,9 @@ const ( // 无效的响应头header。 INVALIDPARAMETER_INVALIDRESPONSEHEADERVALUE = "InvalidParameter.InvalidResponseHeaderValue" + // 无效的规则引擎配置。 + INVALIDPARAMETER_INVALIDRULEENGINE = "InvalidParameter.InvalidRuleEngine" + // 无效的规则引擎操作。 INVALIDPARAMETER_INVALIDRULEENGINEACTION = "InvalidParameter.InvalidRuleEngineAction" diff --git a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/models.go b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/models.go index afa356ca3d..27e32ee4b6 100644 --- a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/models.go +++ b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/models.go @@ -894,6 +894,11 @@ func (r *BindZoneToPlanResponse) FromJsonString(s string) error { return json.Unmarshal([]byte(s), &r) } +type BlockIPActionParameters struct { + // 封禁 IP 的惩罚时长。支持的单位有:
  • s:秒,取值范围1~120;
  • m:分,取值范围1~120;
  • h:小时,取值范围1~48。
  • + Duration *string `json:"Duration,omitnil,omitempty" name:"Duration"` +} + type BotConfig struct { // bot开关,取值有: //
  • on:开启;
  • @@ -3869,7 +3874,7 @@ type CreateZoneRequestParams struct { // 待绑定的目标套餐 ID。当您账号下已存在套餐时,可以填写此参数,直接将站点绑定至该套餐。若您当前没有可绑定的套餐时,请前往控制台购买套餐完成站点创建。 PlanId *string `json:"PlanId,omitnil,omitempty" name:"PlanId"` - // 同名站点标识。限制输入数字、英文、- 和 _ 组合,长度 20 个字符以内。详情参考 [同名站点标识](https://cloud.tencent.com/document/product/1552/70202),无此使用场景时,该字段保留为空即可。 + // 同名站点标识。限制输入数字、英文、"." 、"-" 和 "_",长度 200 个字符以内。详情参考 [同名站点标识](https://cloud.tencent.com/document/product/1552/70202),无此使用场景时,该字段保留为空即可。 AliasZoneName *string `json:"AliasZoneName,omitnil,omitempty" name:"AliasZoneName"` // 标签。该参数用于对站点进行分权限管控、分账。需要先前往 [标签控制台](https://console.cloud.tencent.com/tag/taglist) 创建对应的标签才可以在此处传入对应的标签键和标签值。 @@ -3910,7 +3915,7 @@ type CreateZoneRequest struct { // 待绑定的目标套餐 ID。当您账号下已存在套餐时,可以填写此参数,直接将站点绑定至该套餐。若您当前没有可绑定的套餐时,请前往控制台购买套餐完成站点创建。 PlanId *string `json:"PlanId,omitnil,omitempty" name:"PlanId"` - // 同名站点标识。限制输入数字、英文、- 和 _ 组合,长度 20 个字符以内。详情参考 [同名站点标识](https://cloud.tencent.com/document/product/1552/70202),无此使用场景时,该字段保留为空即可。 + // 同名站点标识。限制输入数字、英文、"." 、"-" 和 "_",长度 200 个字符以内。详情参考 [同名站点标识](https://cloud.tencent.com/document/product/1552/70202),无此使用场景时,该字段保留为空即可。 AliasZoneName *string `json:"AliasZoneName,omitnil,omitempty" name:"AliasZoneName"` // 标签。该参数用于对站点进行分权限管控、分账。需要先前往 [标签控制台](https://console.cloud.tencent.com/tag/taglist) 创建对应的标签才可以在此处传入对应的标签键和标签值。 @@ -4051,6 +4056,34 @@ type CustomField struct { Enabled *bool `json:"Enabled,omitnil,omitempty" name:"Enabled"` } +type CustomRule struct { + // 自定义规则的名称。 + Name *string `json:"Name,omitnil,omitempty" name:"Name"` + + // 自定义规则的具体内容,需符合表达式语法,详细规范参见产品文档。 + Condition *string `json:"Condition,omitnil,omitempty" name:"Condition"` + + // 自定义规则的执行动作。 SecurityAction 的 Name 取值支持:
  • Deny:拦截;
  • Monitor:观察;
  • ReturnCustomPage:使用指定页面拦截;
  • Redirect:重定向至 URL;
  • BlockIP:IP 封禁;
  • JSChallenge:JavaScript 挑战;
  • ManagedChallenge:托管挑战;
  • Allow:放行。
  • + Action *SecurityAction `json:"Action,omitnil,omitempty" name:"Action"` + + // 自定义规则是否开启。取值有:
  • on:开启
  • off:关闭
  • + Enabled *string `json:"Enabled,omitnil,omitempty" name:"Enabled"` + + // 自定义规则的 ID。
    通过规则 ID 可支持不同的规则配置操作:
    - 增加新规则:ID 为空或不指定 ID 参数;
    - 修改已有规则:指定需要更新/修改的规则 ID;
    - 删除已有规则:CustomRules 参数中,Rules 列表中未包含的已有规则将被删除。 + Id *string `json:"Id,omitnil,omitempty" name:"Id"` + + // 自定义规则的类型。取值有:
  • BasicAccessRule:基础访问管控;
  • PreciseMatchRule:精准匹配规则,默认;
  • ManagedAccessRule:专家定制规则,仅出参。

  • 默认为PreciseMatchRule。 + RuleType *string `json:"RuleType,omitnil,omitempty" name:"RuleType"` + + // 自定义规则的优先级,范围是 0 ~ 100,默认为 0,仅支持精准匹配规则(PreciseMatchRule)。 + Priority *int64 `json:"Priority,omitnil,omitempty" name:"Priority"` +} + +type CustomRules struct { + // 自定义规则的定义列表。
    使用 ModifySecurityPolicy 修改 Web 防护配置时:
    - 若未指定 Rules 参数,或 Rules 参数长度为零:清空所有自定义规则配置。
    - 若 SecurityPolicy 参数中,未指定 CustomRules 参数值:保持已有自定义规则配置,不做修改。 + Rules []*CustomRule `json:"Rules,omitnil,omitempty" name:"Rules"` +} + type CustomTime struct { // 自定义缓存时间开关,取值有: //
  • on:开启;
  • @@ -5859,7 +5892,14 @@ type DescribeBillingDataRequestParams struct { //
  • quic_request: QUIC 请求,单位为次;
  • //
  • bot_request_clean: Bot 请求,单位为次;
  • //
  • cls_count: 实时日志推送条数,单位为条;
  • - //
  • ddos_bandwidth: 弹性 DDoS 防护带宽,单位为 bps。
  • + //
  • ddos_bandwidth: 弹性 DDoS 防护带宽,单位为 bps;
  • + //
  • total_transcode:所有规格音频,视频即时转码,转封装时长,单位为秒;
  • + //
  • remux:转封装时长,单位为秒;
  • + //
  • transcode_audio:音频转码时长,单位为秒;
  • + //
  • transcode_H264_SD:H.264 编码方式的标清视频(短边 <= 480 px)时长,单位为秒;
  • + //
  • transcode_H264_HD:H.264 编码方式的高清视频(短边 <= 720 px)时长,单位为秒;
  • + //
  • transcode_H264_FHD:H.264 编码方式的全高清视频(短边 <= 1080 px)时长,单位为秒;
  • + //
  • transcode_H264_2K:H.264 编码方式的 2K 视频(短边 <= 1440 px)时长,单位为秒。
  • MetricName *string `json:"MetricName,omitnil,omitempty" name:"MetricName"` // 查询时间粒度,取值有: @@ -5903,7 +5943,14 @@ type DescribeBillingDataRequest struct { //
  • quic_request: QUIC 请求,单位为次;
  • //
  • bot_request_clean: Bot 请求,单位为次;
  • //
  • cls_count: 实时日志推送条数,单位为条;
  • - //
  • ddos_bandwidth: 弹性 DDoS 防护带宽,单位为 bps。
  • + //
  • ddos_bandwidth: 弹性 DDoS 防护带宽,单位为 bps;
  • + //
  • total_transcode:所有规格音频,视频即时转码,转封装时长,单位为秒;
  • + //
  • remux:转封装时长,单位为秒;
  • + //
  • transcode_audio:音频转码时长,单位为秒;
  • + //
  • transcode_H264_SD:H.264 编码方式的标清视频(短边 <= 480 px)时长,单位为秒;
  • + //
  • transcode_H264_HD:H.264 编码方式的高清视频(短边 <= 720 px)时长,单位为秒;
  • + //
  • transcode_H264_FHD:H.264 编码方式的全高清视频(短边 <= 1080 px)时长,单位为秒;
  • + //
  • transcode_H264_2K:H.264 编码方式的 2K 视频(短边 <= 1440 px)时长,单位为秒。
  • MetricName *string `json:"MetricName,omitnil,omitempty" name:"MetricName"` // 查询时间粒度,取值有: @@ -8881,6 +8928,85 @@ func (r *DescribeSecurityIPGroupResponse) FromJsonString(s string) error { return json.Unmarshal([]byte(s), &r) } +// Predefined struct for user +type DescribeSecurityPolicyRequestParams struct { + // 站点 ID。 + ZoneId *string `json:"ZoneId,omitnil,omitempty" name:"ZoneId"` + + // 安全策略类型,可使用以下参数值进行查询:
  • ZoneDefaultPolicy:用于指定查询站点级策略;
  • Template:用于指定查询策略模板,需要同时指定 TemplateId 参数;
  • Host:用于指定查询域名级策略(注意:当使用域名来指定域名服务策略时,仅支持已经应用了域名级策略的域名服务或者策略模板)。
  • + Entity *string `json:"Entity,omitnil,omitempty" name:"Entity"` + + // 指定策略模板 ID。当 Entity 参数值为 Template 时,使用本参数指定策略模板的 ID 查询模板配置。 + TemplateId *string `json:"TemplateId,omitnil,omitempty" name:"TemplateId"` + + // 指定域名。当 Entity 参数值为 Host 时,使用本参数指定的域名级策略查询域名配置,例如:使用 www.example.com ,配置该域名的域名级策略。 + Host *string `json:"Host,omitnil,omitempty" name:"Host"` +} + +type DescribeSecurityPolicyRequest struct { + *tchttp.BaseRequest + + // 站点 ID。 + ZoneId *string `json:"ZoneId,omitnil,omitempty" name:"ZoneId"` + + // 安全策略类型,可使用以下参数值进行查询:
  • ZoneDefaultPolicy:用于指定查询站点级策略;
  • Template:用于指定查询策略模板,需要同时指定 TemplateId 参数;
  • Host:用于指定查询域名级策略(注意:当使用域名来指定域名服务策略时,仅支持已经应用了域名级策略的域名服务或者策略模板)。
  • + Entity *string `json:"Entity,omitnil,omitempty" name:"Entity"` + + // 指定策略模板 ID。当 Entity 参数值为 Template 时,使用本参数指定策略模板的 ID 查询模板配置。 + TemplateId *string `json:"TemplateId,omitnil,omitempty" name:"TemplateId"` + + // 指定域名。当 Entity 参数值为 Host 时,使用本参数指定的域名级策略查询域名配置,例如:使用 www.example.com ,配置该域名的域名级策略。 + Host *string `json:"Host,omitnil,omitempty" name:"Host"` +} + +func (r *DescribeSecurityPolicyRequest) ToJsonString() string { + b, _ := json.Marshal(r) + return string(b) +} + +// FromJsonString It is highly **NOT** recommended to use this function +// because it has no param check, nor strict type check +func (r *DescribeSecurityPolicyRequest) FromJsonString(s string) error { + f := make(map[string]interface{}) + if err := json.Unmarshal([]byte(s), &f); err != nil { + return err + } + delete(f, "ZoneId") + delete(f, "Entity") + delete(f, "TemplateId") + delete(f, "Host") + if len(f) > 0 { + return tcerr.NewTencentCloudSDKError("ClientError.BuildRequestError", "DescribeSecurityPolicyRequest has unknown keys!", "") + } + return json.Unmarshal([]byte(s), &r) +} + +// Predefined struct for user +type DescribeSecurityPolicyResponseParams struct { + // 安全策略配置。 + // 注意:此字段可能返回 null,表示取不到有效值。 + SecurityPolicy *SecurityPolicy `json:"SecurityPolicy,omitnil,omitempty" name:"SecurityPolicy"` + + // 唯一请求 ID,由服务端生成,每次请求都会返回(若请求因其他原因未能抵达服务端,则该次请求不会获得 RequestId)。定位问题时需要提供该次请求的 RequestId。 + RequestId *string `json:"RequestId,omitnil,omitempty" name:"RequestId"` +} + +type DescribeSecurityPolicyResponse struct { + *tchttp.BaseResponse + Response *DescribeSecurityPolicyResponseParams `json:"Response"` +} + +func (r *DescribeSecurityPolicyResponse) ToJsonString() string { + b, _ := json.Marshal(r) + return string(b) +} + +// FromJsonString It is highly **NOT** recommended to use this function +// because it has no param check, nor strict type check +func (r *DescribeSecurityPolicyResponse) FromJsonString(s string) error { + return json.Unmarshal([]byte(s), &r) +} + // Predefined struct 
for user type DescribeSecurityTemplateBindingsRequestParams struct { // 要查询的站点 ID。 @@ -8960,10 +9086,12 @@ type DescribeTimingL4DataRequestParams struct { EndTime *string `json:"EndTime,omitnil,omitempty" name:"EndTime"` // 查询指标,取值有: - //
  • l4Flow_connections: 访问连接数;
  • + //
  • l4Flow_connections: 访问并发连接数;
  • //
  • l4Flow_flux: 访问总流量;
  • //
  • l4Flow_inFlux: 访问入流量;
  • - //
  • l4Flow_outFlux: 访问出流量。
  • + //
  • l4Flow_outFlux: 访问出流量;
  • + //
  • l4Flow_inBandwidth: 访问入向带宽峰值;
  • + //
  • l4Flow_outBandwidth: 访问出向带宽峰值。
  • MetricNames []*string `json:"MetricNames,omitnil,omitempty" name:"MetricNames"` // 站点 ID 集合,此参数必填。 @@ -8984,10 +9112,7 @@ type DescribeTimingL4DataRequestParams struct { //
  • proxyId:按照四层代理实例 ID 进行过滤。
  • Filters []*QueryCondition `json:"Filters,omitnil,omitempty" name:"Filters"` - // 数据归属地区,取值有: - //
  • overseas:全球(除中国大陆地区)数据;
  • - //
  • mainland:中国大陆地区数据;
  • - //
  • global:全球数据。
  • 不填默认取值为global。 + // 数据归属地区。该参数已废弃。请在 Filters.country 中按客户端地域过滤数据。 Area *string `json:"Area,omitnil,omitempty" name:"Area"` } @@ -9001,10 +9126,12 @@ type DescribeTimingL4DataRequest struct { EndTime *string `json:"EndTime,omitnil,omitempty" name:"EndTime"` // 查询指标,取值有: - //
  • l4Flow_connections: 访问连接数;
  • + //
  • l4Flow_connections: 访问并发连接数;
  • //
  • l4Flow_flux: 访问总流量;
  • //
  • l4Flow_inFlux: 访问入流量;
  • - //
  • l4Flow_outFlux: 访问出流量。
  • + //
  • l4Flow_outFlux: 访问出流量;
  • + //
  • l4Flow_inBandwidth: 访问入向带宽峰值;
  • + //
  • l4Flow_outBandwidth: 访问出向带宽峰值。
  • MetricNames []*string `json:"MetricNames,omitnil,omitempty" name:"MetricNames"` // 站点 ID 集合,此参数必填。 @@ -9025,10 +9152,7 @@ type DescribeTimingL4DataRequest struct { //
  • proxyId:按照四层代理实例 ID 进行过滤。
  • Filters []*QueryCondition `json:"Filters,omitnil,omitempty" name:"Filters"` - // 数据归属地区,取值有: - //
  • overseas:全球(除中国大陆地区)数据;
  • - //
  • mainland:中国大陆地区数据;
  • - //
  • global:全球数据。
  • 不填默认取值为global。 + // 数据归属地区。该参数已废弃。请在 Filters.country 中按客户端地域过滤数据。 Area *string `json:"Area,omitnil,omitempty" name:"Area"` } @@ -9134,14 +9258,11 @@ type DescribeTimingL7AnalysisDataRequestParams struct { //
  • tlsVersion:按照 TLS 版本进行过滤。若填写 tlsVersion 参数,则最多可查询近 30 天的数据。对应 Value 的可选项如下:
       TLS1.0;
       TLS1.1;
       TLS1.2;
       TLS1.3。
  • //
  • ipVersion:按照 IP 版本进行过滤。对应 Value 的可选项如下:
       4:IPv4;
       6:IPv6。
  • //
  • cacheType:按照缓存状态进行过滤。对应 Value 的可选项如下:
       hit:请求命中 EdgeOne 节点缓存,资源由节点缓存提供。资源部分命中缓存也会记录为 hit。
       miss:请求未命中 EdgeOne 节点缓存,资源由源站提供。
       dynamic:请求的资源无法缓存/未配置被节点缓存,资源由源站提供。
       other:无法被识别的缓存状态。边缘函数响应的请求会记录为 other。
  • - //
  • clientIp:按照客户端 IP 进行过滤。
  • + //
  • clientIp:按照客户端 IP 进行过滤。若填写 clientIp 参数,则最多可查询近 30 天的数据。
  • + //
  • userAgent:按照 User-Agent 请求头部进行过滤。若填写 userAgent 参数,则最多可查询近 30 天的数据。
  • Filters []*QueryCondition `json:"Filters,omitnil,omitempty" name:"Filters"` - // 数据归属地区,取值有: - //
  • overseas:全球(除中国大陆地区)数据;
  • - //
  • mainland:中国大陆地区数据;
  • - //
  • global:全球数据。
  • - // 不填默认取值为 global。 + // 数据归属地区。该参数已废弃。请在 Filters.country 中按客户端地域过滤数据。 Area *string `json:"Area,omitnil,omitempty" name:"Area"` } @@ -9193,14 +9314,11 @@ type DescribeTimingL7AnalysisDataRequest struct { //
  • tlsVersion:按照 TLS 版本进行过滤。若填写 tlsVersion 参数,则最多可查询近 30 天的数据。对应 Value 的可选项如下:
       TLS1.0;
       TLS1.1;
       TLS1.2;
       TLS1.3。
  • //
  • ipVersion:按照 IP 版本进行过滤。对应 Value 的可选项如下:
       4:IPv4;
       6:IPv6。
  • //
  • cacheType:按照缓存状态进行过滤。对应 Value 的可选项如下:
       hit:请求命中 EdgeOne 节点缓存,资源由节点缓存提供。资源部分命中缓存也会记录为 hit。
       miss:请求未命中 EdgeOne 节点缓存,资源由源站提供。
       dynamic:请求的资源无法缓存/未配置被节点缓存,资源由源站提供。
       other:无法被识别的缓存状态。边缘函数响应的请求会记录为 other。
  • - //
  • clientIp:按照客户端 IP 进行过滤。
  • + //
  • clientIp:按照客户端 IP 进行过滤。若填写 clientIp 参数,则最多可查询近 30 天的数据。
  • + //
  • userAgent:按照 User-Agent 请求头部进行过滤。若填写 userAgent 参数,则最多可查询近 30 天的数据。
  • Filters []*QueryCondition `json:"Filters,omitnil,omitempty" name:"Filters"` - // 数据归属地区,取值有: - //
  • overseas:全球(除中国大陆地区)数据;
  • - //
  • mainland:中国大陆地区数据;
  • - //
  • global:全球数据。
  • - // 不填默认取值为 global。 + // 数据归属地区。该参数已废弃。请在 Filters.country 中按客户端地域过滤数据。 Area *string `json:"Area,omitnil,omitempty" name:"Area"` } @@ -9415,6 +9533,7 @@ type DescribeTopL7AnalysisDataRequestParams struct { //
  • l7Flow_outFlux_ua_device:按设备类型维度统计 L7 EdgeOne 响应流量指标;
  • //
  • l7Flow_outFlux_ua_browser:按浏览器类型维度统计 L7 EdgeOne 响应流量指标;
  • //
  • l7Flow_outFlux_ua_os:按操作系统类型维度统计 L7 EdgeOne 响应流量指标;
  • + //
  • l7Flow_outFlux_ua:按 User-Agent 维度统计 L7 EdgeOne 响应流量指标;
  • //
  • l7Flow_request_country:按国家/地区维度统计 L7 访问请求数指标;
  • //
  • l7Flow_request_province:按中国大陆境内省份维度统计 L7 访问请求数指标;
  • //
  • l7Flow_request_statusCode:按状态码维度统计 L7 访问请求数指标;
  • @@ -9425,7 +9544,9 @@ type DescribeTopL7AnalysisDataRequestParams struct { //
  • l7Flow_request_referer:按 Referer 维度统计 L7 访问请求数指标;
  • //
  • l7Flow_request_ua_device:按设备类型维度统计 L7 访问请求数指标;
  • //
  • l7Flow_request_ua_browser:按浏览器类型维度统计 L7 访问请求数指标;
  • - //
  • l7Flow_request_ua_os:按操作系统类型维度统计 L7 访问请求数指标。
  • + //
  • l7Flow_request_ua_os:按操作系统类型维度统计 L7 访问请求数指标;
  • + //
  • l7Flow_request_ua:按 User-Agent 维度统计 L7 访问请求数指标。
  • + // MetricName *string `json:"MetricName,omitnil,omitempty" name:"MetricName"` // 站点 ID 集合,此参数必填。 @@ -9451,7 +9572,8 @@ type DescribeTopL7AnalysisDataRequestParams struct { //
  • tlsVersion:按照 TLS 版本进行过滤。若填写 tlsVersion 参数,则最多可查询近 30 天的数据。对应 Value 的可选项如下:
       TLS1.0;
       TLS1.1;
       TLS1.2;
       TLS1.3。
  • //
  • ipVersion:按照 IP 版本进行过滤。对应 Value 的可选项如下:
       4:IPv4;
       6:IPv6。
  • //
  • cacheType:按照缓存状态进行过滤。对应 Value 的可选项如下:
       hit:请求命中 EdgeOne 节点缓存,资源由节点缓存提供。资源部分命中缓存也会记录为 hit。
       miss:请求未命中 EdgeOne 节点缓存,资源由源站提供。
       dynamic:请求的资源无法缓存/未配置被节点缓存,资源由源站提供。
       other:无法被识别的缓存状态。边缘函数响应的请求会记录为 other。
  • - //
  • clientIp:按照客户端 IP 进行过滤。
  • + //
  • clientIp:按照客户端 IP 进行过滤。若填写 clientIp 参数,则最多可查询近 30 天的数据。
  • + //
  • userAgent:按照 User-Agent 请求头部进行过滤。若填写 userAgent 参数,则最多可查询近 30 天的数据。
  • Filters []*QueryCondition `json:"Filters,omitnil,omitempty" name:"Filters"` // 查询时间粒度,取值有: @@ -9461,10 +9583,7 @@ type DescribeTopL7AnalysisDataRequestParams struct { //
  • day: 1天。
  • 不填将根据开始时间跟结束时间的间距自动推算粒度,具体为:2 小时范围内以 min 粒度查询,2 天范围内以 5min 粒度查询,7 天范围内以 hour 粒度查询,超过 7 天以 day 粒度查询。 Interval *string `json:"Interval,omitnil,omitempty" name:"Interval"` - // 数据归属地区,取值有: - //
  • overseas:全球(除中国大陆地区)数据;
  • - //
  • mainland:中国大陆地区数据;
  • - //
  • global:全球数据。
  • 不填默认取值为global。 + // 数据归属地区。该参数已废弃。请在 Filters.country 中按客户端地域过滤数据。 Area *string `json:"Area,omitnil,omitempty" name:"Area"` } @@ -9489,6 +9608,7 @@ type DescribeTopL7AnalysisDataRequest struct { //
  • l7Flow_outFlux_ua_device:按设备类型维度统计 L7 EdgeOne 响应流量指标;
  • //
  • l7Flow_outFlux_ua_browser:按浏览器类型维度统计 L7 EdgeOne 响应流量指标;
  • //
  • l7Flow_outFlux_ua_os:按操作系统类型维度统计 L7 EdgeOne 响应流量指标;
  • + //
  • l7Flow_outFlux_ua:按 User-Agent 维度统计 L7 EdgeOne 响应流量指标;
  • //
  • l7Flow_request_country:按国家/地区维度统计 L7 访问请求数指标;
  • //
  • l7Flow_request_province:按中国大陆境内省份维度统计 L7 访问请求数指标;
  • //
  • l7Flow_request_statusCode:按状态码维度统计 L7 访问请求数指标;
  • @@ -9499,7 +9619,9 @@ type DescribeTopL7AnalysisDataRequest struct { //
  • l7Flow_request_referer:按 Referer 维度统计 L7 访问请求数指标;
  • //
  • l7Flow_request_ua_device:按设备类型维度统计 L7 访问请求数指标;
  • //
  • l7Flow_request_ua_browser:按浏览器类型维度统计 L7 访问请求数指标;
  • - //
  • l7Flow_request_ua_os:按操作系统类型维度统计 L7 访问请求数指标。
  • + //
  • l7Flow_request_ua_os:按操作系统类型维度统计 L7 访问请求数指标;
  • + //
  • l7Flow_request_ua:按 User-Agent 维度统计 L7 访问请求数指标。
  • + // MetricName *string `json:"MetricName,omitnil,omitempty" name:"MetricName"` // 站点 ID 集合,此参数必填。 @@ -9525,7 +9647,8 @@ type DescribeTopL7AnalysisDataRequest struct { //
  • tlsVersion:按照 TLS 版本进行过滤。若填写 tlsVersion 参数,则最多可查询近 30 天的数据。对应 Value 的可选项如下:
       TLS1.0;
       TLS1.1;
       TLS1.2;
       TLS1.3。
  • //
  • ipVersion:按照 IP 版本进行过滤。对应 Value 的可选项如下:
       4:IPv4;
       6:IPv6。
  • //
  • cacheType:按照缓存状态进行过滤。对应 Value 的可选项如下:
       hit:请求命中 EdgeOne 节点缓存,资源由节点缓存提供。资源部分命中缓存也会记录为 hit。
       miss:请求未命中 EdgeOne 节点缓存,资源由源站提供。
       dynamic:请求的资源无法缓存/未配置被节点缓存,资源由源站提供。
       other:无法被识别的缓存状态。边缘函数响应的请求会记录为 other。
  • - //
  • clientIp:按照客户端 IP 进行过滤。
  • + //
  • clientIp:按照客户端 IP 进行过滤。若填写 clientIp 参数,则最多可查询近 30 天的数据。
  • + //
  • userAgent:按照 User-Agent 请求头部进行过滤。若填写 userAgent 参数,则最多可查询近 30 天的数据。
  • Filters []*QueryCondition `json:"Filters,omitnil,omitempty" name:"Filters"` // 查询时间粒度,取值有: @@ -9535,10 +9658,7 @@ type DescribeTopL7AnalysisDataRequest struct { //
  • day: 1天。
  • 不填将根据开始时间跟结束时间的间距自动推算粒度,具体为:2 小时范围内以 min 粒度查询,2 天范围内以 5min 粒度查询,7 天范围内以 hour 粒度查询,超过 7 天以 day 粒度查询。 Interval *string `json:"Interval,omitnil,omitempty" name:"Interval"` - // 数据归属地区,取值有: - //
  • overseas:全球(除中国大陆地区)数据;
  • - //
  • mainland:中国大陆地区数据;
  • - //
  • global:全球数据。
  • 不填默认取值为global。 + // 数据归属地区。该参数已废弃。请在 Filters.country 中按客户端地域过滤数据。 Area *string `json:"Area,omitnil,omitempty" name:"Area"` } @@ -9886,7 +10006,7 @@ type DescribeZonesRequestParams struct { Limit *int64 `json:"Limit,omitnil,omitempty" name:"Limit"` // 过滤条件,Filters.Values 的上限为 20。该参数不填写时,返回当前 appid 下有权限的所有站点信息。详细的过滤条件如下: - //
  • zone-name:按照站点名称进行过滤;
  • zone-id:按照站点 ID进行过滤。站点 ID 形如:zone-2noz78a8ev6k;
  • status:按照站点状态进行过滤;
  • tag-key:按照标签键进行过滤;
  • tag-value: 按照标签值进行过滤。
  • 模糊查询时仅支持过滤字段名为 zone-name。 + //
  • zone-name:按照站点名称进行过滤;
  • zone-id:按照站点 ID进行过滤。站点 ID 形如:zone-2noz78a8ev6k;
  • status:按照站点状态进行过滤;
  • tag-key:按照标签键进行过滤;
  • tag-value: 按照标签值进行过滤。
  • alias-zone-name: 按照同名站点标识进行过滤。
  • 模糊查询时支持过滤字段名为 zone-name 或 alias-zone-name。 Filters []*AdvancedFilter `json:"Filters,omitnil,omitempty" name:"Filters"` // 可根据该字段对返回结果进行排序,取值有: @@ -9914,7 +10034,7 @@ type DescribeZonesRequest struct { Limit *int64 `json:"Limit,omitnil,omitempty" name:"Limit"` // 过滤条件,Filters.Values 的上限为 20。该参数不填写时,返回当前 appid 下有权限的所有站点信息。详细的过滤条件如下: - //
  • zone-name:按照站点名称进行过滤;
  • zone-id:按照站点 ID进行过滤。站点 ID 形如:zone-2noz78a8ev6k;
  • status:按照站点状态进行过滤;
  • tag-key:按照标签键进行过滤;
  • tag-value: 按照标签值进行过滤。
  • 模糊查询时仅支持过滤字段名为 zone-name。 + //
  • zone-name:按照站点名称进行过滤;
  • zone-id:按照站点 ID进行过滤。站点 ID 形如:zone-2noz78a8ev6k;
  • status:按照站点状态进行过滤;
  • tag-key:按照标签键进行过滤;
  • tag-value: 按照标签值进行过滤。
  • alias-zone-name: 按照同名站点标识进行过滤。
  • 模糊查询时支持过滤字段名为 zone-name 或 alias-zone-name。 Filters []*AdvancedFilter `json:"Filters,omitnil,omitempty" name:"Filters"` // 可根据该字段对返回结果进行排序,取值有: @@ -10127,6 +10247,43 @@ type DetailHost struct { ClientIpCountry *ClientIpCountry `json:"ClientIpCountry,omitnil,omitempty" name:"ClientIpCountry"` } +type DetectLengthLimitCondition struct { + // 匹配条件的参数名称,取值有: + //
  • body_depth:请求正文包部分的检测深度。
  • + Name *string `json:"Name,omitnil,omitempty" name:"Name"` + + // 匹配条件的参数值,取值与 Name 成对使用。 + // 当 Name 值为 body_depth 时, Values 只支持传入单个值,取值有: + //
  • 10KB;
  • + //
  • 64KB;
  • + //
  • 128KB。
  • + Values []*string `json:"Values,omitnil,omitempty" name:"Values"` +} + +type DetectLengthLimitConfig struct { + // 检测长度限制的规则列表。 + DetectLengthLimitRules []*DetectLengthLimitRule `json:"DetectLengthLimitRules,omitnil,omitempty" name:"DetectLengthLimitRules"` +} + +type DetectLengthLimitRule struct { + // 规则Id。仅出参使用。 + RuleId *uint64 `json:"RuleId,omitnil,omitempty" name:"RuleId"` + + // 规则名称。仅出参使用。 + RuleName *string `json:"RuleName,omitnil,omitempty" name:"RuleName"` + + // 规则描述,仅出参使用。 + Description *string `json:"Description,omitnil,omitempty" name:"Description"` + + // 规则配置条件。仅出参使用。 + Conditions []*DetectLengthLimitCondition `json:"Conditions,omitnil,omitempty" name:"Conditions"` + + // 处置方式,取值有: + //
  • skip:当请求正文数据超过 Conditions 出参中 body_depth 设置的检测深度时,跳过所有请求正文内容的检测;
  • + //
  • scan:仅检测 Conditions 出参中 body_depth 设置的检测深度,对超出部分的请求正文内容直接截断处理,超出部分的请求正文不会经过安全检测。
  • 仅出参使用。 + Action *string `json:"Action,omitnil,omitempty" name:"Action"` +} + type DiffIPWhitelist struct { // 最新IP白名单列表。 LatestIPWhitelist *IPWhitelist `json:"LatestIPWhitelist,omitnil,omitempty" name:"LatestIPWhitelist"` @@ -11764,6 +11921,84 @@ type LogFormat struct { FieldDelimiter *string `json:"FieldDelimiter,omitnil,omitempty" name:"FieldDelimiter"` } +type ManagedRuleAction struct { + // 托管规则组下的具体项,用于改写此单条规则项配置的内容,具体参考产品文档。 + RuleId *string `json:"RuleId,omitnil,omitempty" name:"RuleId"` + + // RuleId 中指定托管规则项的处置动作。 SecurityAction 的 Name 取值支持:
  • Deny:拦截,响应拦截页面;
  • Monitor:观察,不处理请求记录安全事件到日志中;
  • Disabled:未启用,不扫描请求跳过该规则。
  • + Action *SecurityAction `json:"Action,omitnil,omitempty" name:"Action"` +} + +type ManagedRuleAutoUpdate struct { + // 是否开启自动更新至最新版本。取值有:
  • on:开启
  • off:关闭
  • + AutoUpdateToLatestVersion *string `json:"AutoUpdateToLatestVersion,omitnil,omitempty" name:"AutoUpdateToLatestVersion"` + + // 当前使用的版本,格式符合ISO 8601标准,如2023-12-21T12:00:32Z,默认为空,仅出参。 + RulesetVersion *string `json:"RulesetVersion,omitnil,omitempty" name:"RulesetVersion"` +} + +type ManagedRuleDetail struct { + // 托管规则Id。 + RuleId *string `json:"RuleId,omitnil,omitempty" name:"RuleId"` + + // 托管规则的防护级别。取值有:
  • low:低风险,此规则风险较低,适用于非常严格控制环境下的访问场景,该等级规则可能造成较多的误报;
  • medium:中风险,表示此条规则风险正常,适用较为严格的防护场景;
  • high:高风险,表示此条规则风险较高,大多数场景不会产生误报;
  • extreme:超高风险,表示此条规则风险极高,基本不会产生误报;
  • + RiskLevel *string `json:"RiskLevel,omitnil,omitempty" name:"RiskLevel"` + + // 规则描述。 + Description *string `json:"Description,omitnil,omitempty" name:"Description"` + + // 规则标签。部分类型的规则不存在标签。 + Tags []*string `json:"Tags,omitnil,omitempty" name:"Tags"` + + // 规则所属版本。 + RuleVersion *string `json:"RuleVersion,omitnil,omitempty" name:"RuleVersion"` +} + +type ManagedRuleGroup struct { + // 托管规则的组名称,未指定配置的规则分组将按照默认配置处理,GroupId 的具体取值参考产品文档。 + GroupId *string `json:"GroupId,omitnil,omitempty" name:"GroupId"` + + // 托管规则组的防护级别。取值有:
  • loose:宽松,只包含超高风险规则,此时需配置Action,且RuleActions配置无效;
  • normal:正常,包含超高风险和高风险规则,此时需配置Action,且RuleActions配置无效;
  • strict:严格,包含超高风险、高风险和中风险规则,此时需配置Action,且RuleActions配置无效;
  • extreme:超严格,包含超高风险、高风险、中风险和低风险规则,此时需配置Action,且RuleActions配置无效;
  • custom:自定义,精细化策略,按单条规则配置处置方式,此时Action字段无效,使用RuleActions配置单条规则的精细化策略。
  • + SensitivityLevel *string `json:"SensitivityLevel,omitnil,omitempty" name:"SensitivityLevel"` + + // 托管规则组的处置动作。SecurityAction 的 Name 取值支持:
  • Deny:拦截,响应拦截页面;
  • Monitor:观察,不处理请求记录安全事件到日志中;
  • Disabled:未启用,不扫描请求跳过该规则。
  • + Action *SecurityAction `json:"Action,omitnil,omitempty" name:"Action"` + + // 托管规则组下规则项的具体配置,仅在 SensitivityLevel 为 custom 时配置生效。 + RuleActions []*ManagedRuleAction `json:"RuleActions,omitnil,omitempty" name:"RuleActions"` + + // 托管规则组信息,仅出参。 + MetaData *ManagedRuleGroupMeta `json:"MetaData,omitnil,omitempty" name:"MetaData"` +} + +type ManagedRuleGroupMeta struct { + // 托管规则组描述,仅出参。 + GroupDetail *string `json:"GroupDetail,omitnil,omitempty" name:"GroupDetail"` + + // 托管规则组名称,仅出参。 + GroupName *string `json:"GroupName,omitnil,omitempty" name:"GroupName"` + + // 当前托管规则组下的所有子规则信息,仅出参。 + RuleDetails []*ManagedRuleDetail `json:"RuleDetails,omitnil,omitempty" name:"RuleDetails"` +} + +type ManagedRules struct { + // 托管规则是否开启。取值有:
  • on:开启,所有托管规则按配置生效;
  • off:关闭,所有托管规则不生效。
  • + Enabled *string `json:"Enabled,omitnil,omitempty" name:"Enabled"` + + // 评估模式是否开启,仅在 Enabled 参数为 on 时有效。取值有:
  • on:开启,表示所有托管规则以观察模式生效;
  • off:关闭,表示所有托管规则以实际配置生效。
  • + DetectionOnly *string `json:"DetectionOnly,omitnil,omitempty" name:"DetectionOnly"` + + // 托管规则语义分析选项是否开启,仅在 Enabled 参数为 on 时有效。取值有:
  • on:开启,对请求进行语义分析后进行处理;
  • off:关闭,对请求不进行语义分析,直接进行处理。

  • 默认为 off。 + SemanticAnalysis *string `json:"SemanticAnalysis,omitnil,omitempty" name:"SemanticAnalysis"` + + // 托管规则自动更新选项。 + AutoUpdate *ManagedRuleAutoUpdate `json:"AutoUpdate,omitnil,omitempty" name:"AutoUpdate"` + + // 托管规则组的配置。如果此结构传空数组或 GroupId 未包含在列表内将按照默认方式处理。 + ManagedRuleGroups []*ManagedRuleGroup `json:"ManagedRuleGroups,omitnil,omitempty" name:"ManagedRuleGroups"` +} + type MaxAge struct { // 是否遵循源站,取值有: //
  • on:遵循源站,忽略MaxAge 时间设置;
  • 
@@ -13466,6 +13701,67 @@ func (r *ModifyL4ProxyStatusResponse) FromJsonString(s string) error { return json.Unmarshal([]byte(s), &r) } +// Predefined struct for user +type ModifyL7AccRulePriorityRequestParams struct { + // 站点 ID。 + ZoneId *string `json:"ZoneId,omitnil,omitempty" name:"ZoneId"` + + // 站点 ID 下完整的规则 ID 列表,规则 ID 列表可以通过 [查询七层加速规则](https://cloud.tencent.com/document/product/1552/115820) 获取,最终优先级顺序将调整成规则 ID 列表的顺序,从前往后依次执行。 + RuleIds []*string `json:"RuleIds,omitnil,omitempty" name:"RuleIds"` +} + +type ModifyL7AccRulePriorityRequest struct { + *tchttp.BaseRequest + + // 站点 ID。 + ZoneId *string `json:"ZoneId,omitnil,omitempty" name:"ZoneId"` + + // 站点 ID 下完整的规则 ID 列表,规则 ID 列表可以通过 [查询七层加速规则](https://cloud.tencent.com/document/product/1552/115820) 获取,最终优先级顺序将调整成规则 ID 列表的顺序,从前往后依次执行。 + RuleIds []*string `json:"RuleIds,omitnil,omitempty" name:"RuleIds"` +} + +func (r *ModifyL7AccRulePriorityRequest) ToJsonString() string { + b, _ := json.Marshal(r) + return string(b) +} + +// FromJsonString It is highly **NOT** recommended to use this function +// because it has no param check, nor strict type check +func (r *ModifyL7AccRulePriorityRequest) FromJsonString(s string) error { + f := make(map[string]interface{}) + if err := json.Unmarshal([]byte(s), &f); err != nil { + return err + } + delete(f, "ZoneId") + delete(f, "RuleIds") + if len(f) > 0 { + return tcerr.NewTencentCloudSDKError("ClientError.BuildRequestError", "ModifyL7AccRulePriorityRequest has unknown keys!", "") + } + return json.Unmarshal([]byte(s), &r) +} + +// Predefined struct for user +type ModifyL7AccRulePriorityResponseParams struct { + // 唯一请求 ID,由服务端生成,每次请求都会返回(若请求因其他原因未能抵达服务端,则该次请求不会获得 RequestId)。定位问题时需要提供该次请求的 RequestId。 + RequestId *string `json:"RequestId,omitnil,omitempty" name:"RequestId"` +} + +type ModifyL7AccRulePriorityResponse struct { + *tchttp.BaseResponse + Response *ModifyL7AccRulePriorityResponseParams `json:"Response"` +} + +func (r *ModifyL7AccRulePriorityResponse) 
ToJsonString() string { + b, _ := json.Marshal(r) + return string(b) +} + +// FromJsonString It is highly **NOT** recommended to use this function +// because it has no param check, nor strict type check +func (r *ModifyL7AccRulePriorityResponse) FromJsonString(s string) error { + return json.Unmarshal([]byte(s), &r) +} + // Predefined struct for user type ModifyL7AccRuleRequestParams struct { // 站点 ID。 @@ -14210,44 +14506,44 @@ func (r *ModifySecurityIPGroupResponse) FromJsonString(s string) error { // Predefined struct for user type ModifySecurityPolicyRequestParams struct { - // 站点Id。 + // 站点 ID。 ZoneId *string `json:"ZoneId,omitnil,omitempty" name:"ZoneId"` - // 安全配置。 + // 安全策略配置。
  • 当 SecurityPolicy 参数中的 CustomRule 被设置时,SecurityConfig 参数中的 AclConfg、 IpTableConfg 将被忽略;
  • 当 SecurityPolicy 参数中的 ManagedRule 被设置时,SecurityConfig 参数中的 WafConfig 将被忽略。
  • 对于自定义规则以及托管规则策略配置建议使用 SecurityPolicy 参数进行设置。
  • SecurityConfig *SecurityConfig `json:"SecurityConfig,omitnil,omitempty" name:"SecurityConfig"` - // 子域名/应用名。 - // - // 注意:当同时指定本参数和 TemplateId 参数时,本参数不生效。请勿同时指定本参数和 TemplateId 参数。 + // 安全策略配置。对 Web 防护自定义策略和托管规则配置建议使用,支持表达式语法对安全策略进行配置。 + SecurityPolicy *SecurityPolicy `json:"SecurityPolicy,omitnil,omitempty" name:"SecurityPolicy"` + + // 安全策略类型,可使用以下参数值:
  • ZoneDefaultPolicy:用于指定站点级策略;
  • Template:用于指定策略模板,需要同时指定 TemplateId 参数;
  • Host:用于指定域名级策略(注意:当使用域名来指定域名服务策略时,仅支持已经应用了域名级策略的域名服务或者策略模板)。
  • Entity *string `json:"Entity,omitnil,omitempty" name:"Entity"` - // 指定模板策略 ID,或指定站点全局策略。 - // - 如需配置策略模板,请指定策略模板 ID。 - // - 如需配置站点全局策略,请使用 @ZoneLevel@Domain 参数值 - // - // 注意:当使用本参数时,Entity 参数不生效。请勿同时使用本参数和 Entity 参数。 + // 指定域名。当 Entity 参数值为 Host 时,使用本参数指定的域名级策略,例如:使用 www.example.com ,配置该域名的域名级策略。 + Host *string `json:"Host,omitnil,omitempty" name:"Host"` + + // 指定策略模板 ID。当 Entity 参数值为 Template 时,使用本参数指定策略模板的 ID。 TemplateId *string `json:"TemplateId,omitnil,omitempty" name:"TemplateId"` } type ModifySecurityPolicyRequest struct { *tchttp.BaseRequest - // 站点Id。 + // 站点 ID。 ZoneId *string `json:"ZoneId,omitnil,omitempty" name:"ZoneId"` - // 安全配置。 + // 安全策略配置。
  • 当 SecurityPolicy 参数中的 CustomRule 被设置时,SecurityConfig 参数中的 AclConfg、 IpTableConfg 将被忽略;
  • 当 SecurityPolicy 参数中的 ManagedRule 被设置时,SecurityConfig 参数中的 WafConfig 将被忽略。
  • 对于自定义规则以及托管规则策略配置建议使用 SecurityPolicy 参数进行设置。
  • SecurityConfig *SecurityConfig `json:"SecurityConfig,omitnil,omitempty" name:"SecurityConfig"` - // 子域名/应用名。 - // - // 注意:当同时指定本参数和 TemplateId 参数时,本参数不生效。请勿同时指定本参数和 TemplateId 参数。 + // 安全策略配置。对 Web 防护自定义策略和托管规则配置建议使用,支持表达式语法对安全策略进行配置。 + SecurityPolicy *SecurityPolicy `json:"SecurityPolicy,omitnil,omitempty" name:"SecurityPolicy"` + + // 安全策略类型,可使用以下参数值:
  • ZoneDefaultPolicy:用于指定站点级策略;
  • Template:用于指定策略模板,需要同时指定 TemplateId 参数;
  • Host:用于指定域名级策略(注意:当使用域名来指定域名服务策略时,仅支持已经应用了域名级策略的域名服务或者策略模板)。
  • Entity *string `json:"Entity,omitnil,omitempty" name:"Entity"` - // 指定模板策略 ID,或指定站点全局策略。 - // - 如需配置策略模板,请指定策略模板 ID。 - // - 如需配置站点全局策略,请使用 @ZoneLevel@Domain 参数值 - // - // 注意:当使用本参数时,Entity 参数不生效。请勿同时使用本参数和 Entity 参数。 + // 指定域名。当 Entity 参数值为 Host 时,使用本参数指定的域名级策略,例如:使用 www.example.com ,配置该域名的域名级策略。 + Host *string `json:"Host,omitnil,omitempty" name:"Host"` + + // 指定策略模板 ID。当 Entity 参数值为 Template 时,使用本参数指定策略模板的 ID。 TemplateId *string `json:"TemplateId,omitnil,omitempty" name:"TemplateId"` } @@ -14265,7 +14561,9 @@ func (r *ModifySecurityPolicyRequest) FromJsonString(s string) error { } delete(f, "ZoneId") delete(f, "SecurityConfig") + delete(f, "SecurityPolicy") delete(f, "Entity") + delete(f, "Host") delete(f, "TemplateId") if len(f) > 0 { return tcerr.NewTencentCloudSDKError("ClientError.BuildRequestError", "ModifySecurityPolicyRequest has unknown keys!", "") @@ -14309,7 +14607,7 @@ type ModifyZoneRequestParams struct { // 自定义站点信息,以替代系统默认分配的名称服务器。不填写保持原有配置。当站点是无域名接入方式时不允许传此参数。 VanityNameServers *VanityNameServers `json:"VanityNameServers,omitnil,omitempty" name:"VanityNameServers"` - // 站点别名。数字、英文、-和_组合,限制20个字符。 + // 同名站点标识。限制输入数字、英文、"." 、"-" 和 "_",长度 200 个字符以内。 AliasZoneName *string `json:"AliasZoneName,omitnil,omitempty" name:"AliasZoneName"` // 站点接入地域,取值有: @@ -14337,7 +14635,7 @@ type ModifyZoneRequest struct { // 自定义站点信息,以替代系统默认分配的名称服务器。不填写保持原有配置。当站点是无域名接入方式时不允许传此参数。 VanityNameServers *VanityNameServers `json:"VanityNameServers,omitnil,omitempty" name:"VanityNameServers"` - // 站点别名。数字、英文、-和_组合,限制20个字符。 + // 同名站点标识。限制输入数字、英文、"." 、"-" 和 "_",长度 200 个字符以内。 AliasZoneName *string `json:"AliasZoneName,omitnil,omitempty" name:"AliasZoneName"` // 站点接入地域,取值有: @@ -15470,6 +15768,11 @@ type RealtimeLogDeliveryTask struct { UpdateTime *string `json:"UpdateTime,omitnil,omitempty" name:"UpdateTime"` } +type RedirectActionParameters struct { + // 重定向的URL。 + URL *string `json:"URL,omitnil,omitempty" name:"URL"` +} + type RenewFlag struct { // 预付费套餐的自动续费标志,取值有: //
  • on:开启自动续费;
  • @@ -15612,13 +15915,25 @@ type ResponseSpeedLimitParameters struct { //
  • LimitAfterSpecificSecondsDownloaded:全速下载特定时间后开始限速。
  • Mode *string `json:"Mode,omitnil,omitempty" name:"Mode"` - // 限速值,单位为:KB/s,填写数值,指定限速大小。 + // 限速值,指定限速大小,填写含单位的数值或变量。当前支持单位有:KB/s。 MaxSpeed *string `json:"MaxSpeed,omitnil,omitempty" name:"MaxSpeed"` - // 限速开始值,可以为下载大小或指定时长,单位为:KB或s,当 Mode 取值为 LimitAfterSpecificBytesDownloaded 或 LimitAfterSpecificSecondsDownloaded 时,该参数必填。填写数值,指定下载大小或指定时长。 + // 限速开始值,可以为下载大小或指定时长,填写含单位的数值或变量,指定下载大小或指定时长。 + // + // - 当Mode 取值为 LimitAfterSpecificBytesDownloaded 时,单位取值有: KB; + // + // - 当Mode 取值为 LimitAfterSpecificSecondsDownloaded 时,单位取值有: s。 StartAt *string `json:"StartAt,omitnil,omitempty" name:"StartAt"` } +type ReturnCustomPageActionParameters struct { + // 响应状态码。 + ResponseCode *string `json:"ResponseCode,omitnil,omitempty" name:"ResponseCode"` + + // 响应的自定义页面ID。 + ErrorPageId *string `json:"ErrorPageId,omitnil,omitempty" name:"ErrorPageId"` +} + type RewriteAction struct { // 功能名称,功能名称填写规范可调用接口 [查询规则引擎的设置参数](https://cloud.tencent.com/document/product/1552/80618) 查看。 Action *string `json:"Action,omitnil,omitempty" name:"Action"` @@ -16129,6 +16444,21 @@ type SecEntryValue struct { Sum *float64 `json:"Sum,omitnil,omitempty" name:"Sum"` } +type SecurityAction struct { + // 安全执行的具体动作。取值有: + //
  • Deny:拦截;
  • Monitor:观察;
  • ReturnCustomPage:使用指定页面拦截;
  • Redirect:重定向至 URL;
  • BlockIP:IP 封禁;
  • JSChallenge:JavaScript 挑战;
  • ManagedChallenge:托管挑战;
  • Disabled:未启用;
  • Allow:放行。
  • + Name *string `json:"Name,omitnil,omitempty" name:"Name"` + + // 当 Name 为 BlockIP 时的附加参数。 + BlockIPActionParameters *BlockIPActionParameters `json:"BlockIPActionParameters,omitnil,omitempty" name:"BlockIPActionParameters"` + + // 当 Name 为 ReturnCustomPage 时的附加参数。 + ReturnCustomPageActionParameters *ReturnCustomPageActionParameters `json:"ReturnCustomPageActionParameters,omitnil,omitempty" name:"ReturnCustomPageActionParameters"` + + // 当 Name 为 Redirect 时的附加参数。 + RedirectActionParameters *RedirectActionParameters `json:"RedirectActionParameters,omitnil,omitempty" name:"RedirectActionParameters"` +} + type SecurityConfig struct { // 托管规则。如果入参为空或不填,默认使用历史配置。 // 注意:此字段可能返回 null,表示取不到有效值。 @@ -16169,6 +16499,18 @@ type SecurityConfig struct { // 慢速攻击配置。如果入参为空或不填,默认使用历史配置。 // 注意:此字段可能返回 null,表示取不到有效值。 SlowPostConfig *SlowPostConfig `json:"SlowPostConfig,omitnil,omitempty" name:"SlowPostConfig"` + + // 检测长度限制配置。仅出参使用。 + // 注意:此字段可能返回 null,表示取不到有效值。 + DetectLengthLimitConfig *DetectLengthLimitConfig `json:"DetectLengthLimitConfig,omitnil,omitempty" name:"DetectLengthLimitConfig"` +} + +type SecurityPolicy struct { + // 自定义规则配置。 + CustomRules *CustomRules `json:"CustomRules,omitnil,omitempty" name:"CustomRules"` + + // 托管规则配置。 + ManagedRules *ManagedRules `json:"ManagedRules,omitnil,omitempty" name:"ManagedRules"` } type SecurityTemplateBinding struct { diff --git a/vendor/modules.txt b/vendor/modules.txt index 2006a3656b..f1ba1655ab 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -1166,7 +1166,7 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cloudaudit/v20190319 # github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cls v1.0.1078 ## explicit; go 1.14 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cls/v20201016 -# github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1128 +# github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1129 ## explicit; go 1.11 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/errors @@ -1324,7 +1324,7 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tdmq/v20200217 # github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tem v1.0.578 ## explicit; go 1.14 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tem/v20210701 -# github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1108 +# github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1129 ## explicit; go 1.14 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901 # github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/thpc v1.0.998 diff --git a/website/docs/r/teo_security_policy.html.markdown b/website/docs/r/teo_security_policy.html.markdown new file mode 100644 index 0000000000..6805c8fb93 --- /dev/null +++ b/website/docs/r/teo_security_policy.html.markdown 
@@ -0,0 +1,292 @@ +--- +subcategory: "TencentCloud EdgeOne(TEO)" +layout: "tencentcloud" +page_title: "TencentCloud: tencentcloud_teo_security_policy" +sidebar_current: "docs-tencentcloud-resource-teo_security_policy" +description: |- + Provides a resource to create a teo teo_security_policy +--- + +# tencentcloud_teo_security_policy + +Provides a resource to create a teo teo_security_policy + +## Example Usage + +```hcl +resource "tencentcloud_teo_security_policy" "teo_security_policy" { + security_config = { + waf_config = { + waf_rule = { + } + ai_rule = { + } + } + rate_limit_config = { + rate_limit_user_rules = { + acl_conditions = { + } + } + rate_limit_template = { + rate_limit_template_detail = { + } + } + rate_limit_intelligence = { + } + rate_limit_customizes = { + acl_conditions = { + } + } + } + acl_config = { + acl_user_rules = { + acl_conditions = { + } + } + customizes = { + acl_conditions = { + } + } + } + bot_config = { + bot_managed_rule = { + } + bot_portrait_rule = { + } + intelligence_rule = { + intelligence_rule_items = { + } + } + bot_user_rules = { + extend_actions = { + } + acl_conditions = { + } + } + alg_detect_rule = { + alg_conditions = { + } + alg_detect_session = { + alg_detect_results = { + } + session_behaviors = { + } + } + alg_detect_js = { + alg_detect_results = { + } + } + } + customizes = { + extend_actions = { + } + acl_conditions = { + } + } + } + switch_config = { + } + ip_table_config = { + ip_table_rules = { + } + } + except_config = { + except_user_rules = { + except_user_rule_conditions = { + } + except_user_rule_scope = { + partial_modules = { + } + skip_conditions = { + } + } + } + } + drop_page_config = { + waf_drop_page_detail = { + } + acl_drop_page_detail = { + } + } + template_config = { + } + slow_post_config = { + first_part_config = { + } + slow_rate_config = { + } + } + detect_length_limit_config = { + detect_length_limit_rules = { + conditions = { + } + } + } + } + security_policy = { + custom_rules = { + 
rules = { + action = { + block_ip_action_parameters = { + } + return_custom_page_action_parameters = { + } + redirect_action_parameters = { + } + } + } + } + managed_rules = { + auto_update = { + } + managed_rule_groups = { + action = { + block_ip_action_parameters = { + } + return_custom_page_action_parameters = { + } + redirect_action_parameters = { + } + } + rule_actions = { + action = { + block_ip_action_parameters = { + } + return_custom_page_action_parameters = { + } + redirect_action_parameters = { + } + } + } + meta_data = { + rule_details = { + } + } + } + } + } +} +``` + +## Argument Reference + +The following arguments are supported: + +* `zone_id` - (Required, String, ForceNew) Zone ID. +* `entity` - (Optional, String, ForceNew) Security policy type. the following parameter values can be used:
  • ZoneDefaultPolicy: used to specify a site-level policy;
  • Template: used to specify a policy Template. you need to simultaneously specify the TemplateId parameter;
  • Host: used to specify a domain-level policy (note: when using a domain name to specify a dns service policy, only dns services or policy templates that have applied a domain-level policy are supported).
  • . +* `host` - (Optional, String, ForceNew) Specifies the specified domain. when the Entity parameter value is Host, use the domain-level policy specified by this parameter. for example: use www.example.com to configure the domain-level policy of the domain. +* `security_policy` - (Optional, List) Security policy configuration. it is recommended to use for custom policies and managed rule configurations of Web protection. it supports configuring security policies with expression grammar. +* `template_id` - (Optional, String, ForceNew) Specify the policy Template ID. use this parameter to specify the ID of the policy Template when the Entity parameter value is Template. + +The `action` object of `managed_rule_groups` supports the following: + +* `name` - (Required, String) Specific actions for safe execution. valid values:. +
  • Deny: block
  • Monitor: Monitor
  • ReturnCustomPage: use specified page to block
  • Redirect: Redirect to URL
  • BlockIP: IP block
  • JSChallenge: JavaScript challenge
  • ManagedChallenge: managed challenge
  • Disabled: Disabled
  • Allow: Allow
  • . +* `block_ip_action_parameters` - (Optional, List) Additional parameter when Name is BlockIP. +* `redirect_action_parameters` - (Optional, List) Additional parameter when Name is Redirect. +* `return_custom_page_action_parameters` - (Optional, List) Additional parameter when Name is ReturnCustomPage. + +The `action` object of `rule_actions` supports the following: + +* `name` - (Required, String) Specific actions for safe execution. valid values:. +
  • Deny: block
  • Monitor: Monitor
  • ReturnCustomPage: use specified page to block
  • Redirect: Redirect to URL
  • BlockIP: IP block
  • JSChallenge: JavaScript challenge
  • ManagedChallenge: managed challenge
  • Disabled: Disabled
  • Allow: Allow
  • . +* `block_ip_action_parameters` - (Optional, List) Additional parameter when Name is BlockIP. +* `redirect_action_parameters` - (Optional, List) Additional parameter when Name is Redirect. +* `return_custom_page_action_parameters` - (Optional, List) Additional parameter when Name is ReturnCustomPage. + +The `action` object of `rules` supports the following: + +* `name` - (Required, String) Specific actions for safe execution. valid values:. +
  • Deny: block
  • Monitor: Monitor
  • ReturnCustomPage: use specified page to block
  • Redirect: Redirect to URL
  • BlockIP: IP block
  • JSChallenge: JavaScript challenge
  • ManagedChallenge: managed challenge
  • Disabled: Disabled
  • Allow: Allow
  • . +* `block_ip_action_parameters` - (Optional, List) Additional parameter when Name is BlockIP. +* `redirect_action_parameters` - (Optional, List) Additional parameter when Name is Redirect. +* `return_custom_page_action_parameters` - (Optional, List) Additional parameter when Name is ReturnCustomPage. + +The `auto_update` object of `managed_rules` supports the following: + +* `auto_update_to_latest_version` - (Required, String) Indicates whether to enable automatic update to the latest version. valid values:
  • on: enabled
  • off: disabled
  • . +* `ruleset_version` - (Optional, String) The currently used version, in the format compliant with ISO 8601 standard, such as 2023-12-21T12:00:32Z. it is empty by default and is only an output parameter. + +The `block_ip_action_parameters` object of `action` supports the following: + +* `duration` - (Required, String) Penalty duration for blocking ips. supported units:
  • s: second, value range 1-120;
  • m: minute, value range 1-120;
  • h: hour, value range 1-48.
  • . + +The `custom_rules` object of `security_policy` supports the following: + +* `rules` - (Optional, List) List of custom rule definitions.
    when modifying the Web protection configuration using ModifySecurityPolicy:
    - if the Rules parameter is not specified or the parameter length of Rules is zero: clear all custom rule configurations.
    - if the parameter value of CustomRules in the SecurityPolicy parameter is not specified: keep the existing custom rule configuration without modification. + +The `managed_rule_groups` object of `managed_rules` supports the following: + +* `action` - (Required, List) Handling actions for managed rule groups. the Name parameter value of SecurityAction supports:
  • Deny: block and respond with an interception page;
  • Monitor: observe, do not process requests and record security events in logs;
  • Disabled: not enabled, do not scan requests and skip this rule.
  • . +* `group_id` - (Required, String) Group name of the managed rule. if the rule group for the configuration is not specified, it will be processed based on the default configuration. refer to product documentation for the specific value of GroupId. +* `sensitivity_level` - (Required, String) Protection level of the managed rule group. valid values:
  • loose: lenient, only contains ultra-high risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • normal: normal, contains ultra-high risk and high-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • strict: strict, contains ultra-high risk, high-risk and medium-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • extreme: super strict, contains ultra-high risk, high-risk, medium-risk and low-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • custom: custom, refined strategy. configure the disposal method for each individual rule. at this point, the Action field is invalid. use RuleActions to configure the refined strategy for each individual rule.
  • . +* `meta_data` - (Optional, List) Managed rule group information, for output only. +* `rule_actions` - (Optional, List) Specific configuration of rule items under the managed rule group. the configuration is effective only when SensitivityLevel is custom. + +The `managed_rules` object of `security_policy` supports the following: + +* `detection_only` - (Required, String) Indicates whether the evaluation mode is Enabled. it is valid only when the Enabled parameter is set to on. valid values:
  • on: Enabled. all managed rules take effect in observation mode.
  • off: disabled. all managed rules take effect according to the actual configuration.
  • . +* `enabled` - (Required, String) Indicates whether the managed rule is enabled. valid values:
  • on: enabled. all managed rules take effect as configured;
  • off: disabled. all managed rules do not take effect.
  • . +* `auto_update` - (Optional, List) Managed rule automatic update option. +* `managed_rule_groups` - (Optional, List) Configuration of the managed rule group. if this structure is passed as an empty array or the GroupId is not included in the list, it will be processed based on the default method. +* `semantic_analysis` - (Optional, String) Whether the managed rule semantic analysis option is Enabled is valid only when the Enabled parameter is on. valid values:
  • on: enable. perform semantic analysis on requests before processing them;
  • off: disable. process requests directly without semantic analysis.

  • default off. + +The `meta_data` object of `managed_rule_groups` supports the following: + +* `group_detail` - (Optional, String) Managed rule group description, for output only. +* `group_name` - (Optional, String) Managed rule group name, for output only. +* `rule_details` - (Optional, List) All sub-rule information under the current managed rule group, for output only. + +The `redirect_action_parameters` object of `action` supports the following: + +* `url` - (Required, String) Redirect URL. + +The `return_custom_page_action_parameters` object of `action` supports the following: + +* `error_page_id` - (Required, String) Response custom page ID. +* `response_code` - (Required, String) Response status code. + +The `rule_actions` object of `managed_rule_groups` supports the following: + +* `action` - (Required, List) Specify the handling action for the managed rule item in RuleId. the Name parameter value of SecurityAction supports:
  • Deny: block and respond with an interception page;
  • Monitor: observe, do not process the request and record the security event in logs;
  • Disabled: Disabled, do not scan the request and skip this rule.
  • . +* `rule_id` - (Required, String) Specific items under the managed rule group, which are used to rewrite the configuration content of this individual rule item. refer to product documentation for details. + +The `rule_details` object of `meta_data` supports the following: + +* `description` - (Optional, String) Rule description. +* `risk_level` - (Optional, String) Protection level of managed rules. valid values:
  • low: low risk. this rule has a relatively low risk and is applicable to access scenarios in a very strict control environment. this level of rule may generate considerable false alarms.
  • medium: medium risk. this means the risk of this rule is normal and it is suitable for protection scenarios with stricter requirements.
  • high: high risk. this indicates that the risk of this rule is relatively high and it will not generate false alarms in most scenarios.
  • extreme: ultra-high risk. this represents that the risk of this rule is extremely high and it will not generate false alarms basically.
  • . +* `rule_id` - (Optional, String) Managed rule Id. +* `rule_version` - (Optional, String) Rule ownership version. +* `tags` - (Optional, Set) Rule tag. some types of rules do not have tags. + +The `rules` object of `custom_rules` supports the following: + +* `action` - (Required, List) Execution actions for custom rules. the Name parameter value of SecurityAction supports:
  • Deny: block;
  • Monitor: observe;
  • ReturnCustomPage: block using a specified page;
  • Redirect: Redirect to URL;
  • BlockIP: IP blocking;
  • JSChallenge: JavaScript challenge;
  • ManagedChallenge: managed challenge;
  • Allow: Allow.
  • . +* `condition` - (Required, String) The specific content of the custom rule must comply with the expression grammar. please refer to the product document for detailed specifications. +* `enabled` - (Required, String) Indicates whether the custom rule is enabled. valid values:
  • on: enabled
  • off: disabled
  • . +* `name` - (Required, String) The name of the custom rule. +* `id` - (Optional, String) The ID of a custom rule.
    the rule ID supports different rule configuration operations:
    - add a new rule: ID is empty or the ID parameter is not specified;
    - modify an existing rule: specify the rule ID that needs to be updated/modified;
    - delete an existing rule: existing Rules not included in the Rules list of the CustomRules parameter will be deleted. +* `priority` - (Optional, Int) Customizes the priority of rules. value range: 0-100. it defaults to 0. only supports PreciseMatchRule. +* `rule_type` - (Optional, String) Type of custom rule. valid values:
  • BasicAccessRule: basic access control;
  • PreciseMatchRule: exact matching rule, default;
  • ManagedAccessRule: expert customized rule, for output only.
  • the default value is PreciseMatchRule. + +The `security_policy` object supports the following: + +* `custom_rules` - (Optional, List) Custom rule configuration. +* `managed_rules` - (Optional, List) Managed rule configuration. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - ID of the resource. + + + +## Import + +teo teo_security_policy can be imported using the id, e.g. + +``` +terraform import tencentcloud_teo_security_policy.teo_security_policy teo_security_policy_id +``` + diff --git a/website/tencentcloud.erb b/website/tencentcloud.erb index e83885439a..0ca22b60d1 100644 --- a/website/tencentcloud.erb +++ b/website/tencentcloud.erb @@ -5277,7 +5277,11 @@ tencentcloud_teo_rule_engine
  • +<<<<<<< HEAD tencentcloud_teo_security_ip_group +======= + tencentcloud_teo_security_policy +>>>>>>> 12fb513b7 (add)
  • tencentcloud_teo_zone From dfb9a0902a96082af9411b4f0673350a2ae68c5e Mon Sep 17 00:00:00 2001 From: SevenEarth <391613297@qq.com> Date: Tue, 25 Mar 2025 14:18:04 +0800 Subject: [PATCH 2/7] add --- tencentcloud/services/teo/resource_tc_teo_security_policy.go | 1 + 1 file changed, 1 insertion(+) diff --git a/tencentcloud/services/teo/resource_tc_teo_security_policy.go b/tencentcloud/services/teo/resource_tc_teo_security_policy.go index 7965870294..58c6bedd07 100644 --- a/tencentcloud/services/teo/resource_tc_teo_security_policy.go +++ b/tencentcloud/services/teo/resource_tc_teo_security_policy.go @@ -155,6 +155,7 @@ func ResourceTencentCloudTeoSecurityPolicy() *schema.Resource { "managed_rules": { Type: schema.TypeList, Optional: true, + Computed: true, MaxItems: 1, Description: "Managed rule configuration.", Elem: &schema.Resource{ From 288f78a306ab7eb9e818e34d41e35a1e24a51cd4 Mon Sep 17 00:00:00 2001 From: SevenEarth <391613297@qq.com> Date: Tue, 25 Mar 2025 14:20:00 +0800 Subject: [PATCH 3/7] add --- .changelog/3237.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .changelog/3237.txt diff --git a/.changelog/3237.txt b/.changelog/3237.txt new file mode 100644 index 0000000000..3d13837350 --- /dev/null +++ b/.changelog/3237.txt @@ -0,0 +1,3 @@ +```release-note:new-resource +tencentcloud_teo_security_policy +``` From 47b9b81809d8117a22da0867c6b4d8a29624ef90 Mon Sep 17 00:00:00 2001 
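Review bot: The website/tencentcloud.erb hunk commits unresolved merge-conflict markers — `<<<<<<< HEAD`, `=======` and `>>>>>>> 12fb513b7 (add)` are added as literal lines of the sidebar template, so the generated navigation will render them (or fail to render) until they are removed. Both sides of the conflict are wanted here: the existing `tencentcloud_teo_security_ip_group` entry and the new `tencentcloud_teo_security_policy` entry should simply follow one another between `tencentcloud_teo_rule_engine` and `tencentcloud_teo_zone`, with the three marker lines deleted. The surrounding list markup is not visible in this rendering, so keep whatever wrapper the neighbouring entries use. Patch 4/7's diffstat touches the same file again; confirm that it resolves this rather than layering another entry on top of the markers.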
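Review bot: Adding `Computed: true` to the `managed_rules` block (alongside `Optional: true`) changes removal semantics: in SDKv2 an Optional+Computed attribute that is dropped from configuration keeps its prior state and produces no plan diff, so a user who deletes the `managed_rules` block expecting the managed WAF rules to be reset will see "No changes" and the remote policy stays exactly as it was. If the intent is only to absorb server-side defaults that Read gets back, that should be spelled out in the schema text, e.g. `Description: "Managed rule configuration. Removing this block does not reset managed rules on the remote policy; set enabled = \"off\" explicitly to disable them."`; if removal is meant to clear the configuration, drop `Computed` and handle the API-filled defaults in the Read/diff logic instead. The enclosing `ResourceTencentCloudTeoSecurityPolicy` schema starts before and continues after this hunk, so whether the nested `enabled`/`detection_only` fields are also Computed is not visible here. Whether the API returns a populated `ManagedRules` for a policy that never configured one is also not visible — worth confirming before relying on Computed to hide that diff.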
From: SevenEarth <391613297@qq.com> Date: Thu, 27 Mar 2025 15:08:37 +0800 Subject: [PATCH 4/7] add --- tencentcloud/provider.go | 2 +- tencentcloud/provider.md | 1 + .../teo/resource_tc_teo_security_policy.md | 166 ----- ...resource_tc_teo_security_policy_config.go} | 114 +-- .../resource_tc_teo_security_policy_config.md | 566 +++++++++++++++ ...urce_tc_teo_security_policy_config_test.go | 211 ++++++ .../resource_tc_teo_security_policy_test.go | 183 ----- .../services/teo/service_tencentcloud_teo.go | 2 +- .../docs/r/teo_security_policy.html.markdown | 618 +++++++++++++--- .../teo_security_policy_config.html.markdown | 682 ++++++++++++++++++ website/tencentcloud.erb | 4 + 11 files changed, 2004 insertions(+), 545 deletions(-) delete mode 100644 tencentcloud/services/teo/resource_tc_teo_security_policy.md rename tencentcloud/services/teo/{resource_tc_teo_security_policy.go => resource_tc_teo_security_policy_config.go} (93%) create mode 100644 tencentcloud/services/teo/resource_tc_teo_security_policy_config.md create mode 100644 tencentcloud/services/teo/resource_tc_teo_security_policy_config_test.go delete mode 100644 tencentcloud/services/teo/resource_tc_teo_security_policy_test.go create mode 100644 website/docs/r/teo_security_policy_config.html.markdown diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go index 2a4f0d6d7a..d6e0820eaf 100644 --- a/tencentcloud/provider.go +++ b/tencentcloud/provider.go 
@@ -1794,7 +1794,7 @@ func Provider() *schema.Provider { "tencentcloud_teo_function_rule": teo.ResourceTencentCloudTeoFunctionRule(), "tencentcloud_teo_function_rule_priority": teo.ResourceTencentCloudTeoFunctionRulePriority(), "tencentcloud_teo_function_runtime_environment": teo.ResourceTencentCloudTeoFunctionRuntimeEnvironment(), - "tencentcloud_teo_security_policy": teo.ResourceTencentCloudTeoSecurityPolicy(), + "tencentcloud_teo_security_policy_config": teo.ResourceTencentCloudTeoSecurityPolicyConfig(), "tencentcloud_tcm_mesh": tcm.ResourceTencentCloudTcmMesh(), "tencentcloud_tcm_cluster_attachment": tcm.ResourceTencentCloudTcmClusterAttachment(), "tencentcloud_tcm_prometheus_attachment": tcm.ResourceTencentCloudTcmPrometheusAttachment(), diff --git a/tencentcloud/provider.md b/tencentcloud/provider.md index 6572b6b5bc..46f46a61e9 100644 --- a/tencentcloud/provider.md +++ b/tencentcloud/provider.md @@ -1494,6 +1494,7 @@ tencentcloud_teo_l7_acc_rule tencentcloud_teo_l7_acc_setting tencentcloud_teo_security_ip_group tencentcloud_teo_security_policy +tencentcloud_teo_security_policy_config TencentCloud ServiceMesh(TCM) Data Source diff --git a/tencentcloud/services/teo/resource_tc_teo_security_policy.md b/tencentcloud/services/teo/resource_tc_teo_security_policy.md deleted file mode 100644 index dfe79e8392..0000000000 --- a/tencentcloud/services/teo/resource_tc_teo_security_policy.md +++ /dev/null 
@@ -1,166 +0,0 @@ -Provides a resource to create a teo teo_security_policy - -Example Usage - -```hcl -resource "tencentcloud_teo_security_policy" "teo_security_policy" { - security_config = { - waf_config = { - waf_rule = { - } - ai_rule = { - } - } - rate_limit_config = { - rate_limit_user_rules = { - acl_conditions = { - } - } - rate_limit_template = { - rate_limit_template_detail = { - } - } - rate_limit_intelligence = { - } - rate_limit_customizes = { - acl_conditions = { - } - } - } - acl_config = { - acl_user_rules = { - acl_conditions = { - } - } - customizes = { - acl_conditions = { - } - } - } - bot_config = { - bot_managed_rule = { - } - bot_portrait_rule = { - } - intelligence_rule = { - intelligence_rule_items = { - } - } - bot_user_rules = { - extend_actions = { - } - acl_conditions = { - } - } - alg_detect_rule = { - alg_conditions = { - } - alg_detect_session = { - alg_detect_results = { - } - session_behaviors = { - } - } - alg_detect_js = { - alg_detect_results = { - } - } - } - customizes = { - extend_actions = { - } - acl_conditions = { - } - } - } - switch_config = { - } - ip_table_config = { - ip_table_rules = { - } - } - except_config = { - except_user_rules = { - except_user_rule_conditions = { - } - except_user_rule_scope = { - partial_modules = { - } - skip_conditions = { - } - } - } - } - drop_page_config = { - waf_drop_page_detail = { - } - acl_drop_page_detail = { - } - } - template_config = { - } - slow_post_config = { - first_part_config = { - } - slow_rate_config = { - } - } - detect_length_limit_config = { - detect_length_limit_rules = { - conditions = { - } - } - } - } - security_policy = { - custom_rules = { - rules = { - action = { - block_ip_action_parameters = { - } - return_custom_page_action_parameters = { - } - redirect_action_parameters = { - } - } - } - } - managed_rules = { - auto_update = { - } - managed_rule_groups = { - action = { - block_ip_action_parameters = { - } - return_custom_page_action_parameters = { - } - 
redirect_action_parameters = { - } - } - rule_actions = { - action = { - block_ip_action_parameters = { - } - return_custom_page_action_parameters = { - } - redirect_action_parameters = { - } - } - } - meta_data = { - rule_details = { - } - } - } - } - } -} -``` - -Import - -teo teo_security_policy can be imported using the id, e.g. - -``` -terraform import tencentcloud_teo_security_policy.teo_security_policy teo_security_policy_id -``` diff --git a/tencentcloud/services/teo/resource_tc_teo_security_policy.go b/tencentcloud/services/teo/resource_tc_teo_security_policy_config.go similarity index 93% rename from tencentcloud/services/teo/resource_tc_teo_security_policy.go rename to tencentcloud/services/teo/resource_tc_teo_security_policy_config.go index 58c6bedd07..925f650c05 100644 --- a/tencentcloud/services/teo/resource_tc_teo_security_policy.go +++ b/tencentcloud/services/teo/resource_tc_teo_security_policy_config.go @@ -14,12 +14,12 @@ import ( "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/internal/helper" ) -func ResourceTencentCloudTeoSecurityPolicy() *schema.Resource { +func ResourceTencentCloudTeoSecurityPolicyConfig() *schema.Resource { return &schema.Resource{ - Create: resourceTencentCloudTeoSecurityPolicyCreate, - Read: resourceTencentCloudTeoSecurityPolicyRead, - Update: resourceTencentCloudTeoSecurityPolicyUpdate, - Delete: resourceTencentCloudTeoSecurityPolicyDelete, + Create: resourceTencentCloudTeoSecurityPolicyConfigCreate, + Read: resourceTencentCloudTeoSecurityPolicyConfigRead, + Update: resourceTencentCloudTeoSecurityPolicyConfigUpdate, + Delete: resourceTencentCloudTeoSecurityPolicyConfigDelete, Importer: &schema.ResourceImporter{ State: schema.ImportStatePassthrough, }, @@ -134,6 +134,7 @@ func ResourceTencentCloudTeoSecurityPolicy() *schema.Resource { "id": { Type: schema.TypeString, Optional: true, + Computed: true, Description: "The ID of a custom rule.
    the rule ID supports different rule configuration operations:
    - add a new rule: ID is empty or the ID parameter is not specified;
    - modify an existing rule: specify the rule ID that needs to be updated/modified;
    - delete an existing rule: existing Rules not included in the Rules list of the CustomRules parameter will be deleted.", }, "rule_type": { @@ -144,7 +145,7 @@ func ResourceTencentCloudTeoSecurityPolicy() *schema.Resource { "priority": { Type: schema.TypeInt, Optional: true, - Description: "Customizes the priority of rules. value range: 0-100. it defaults to 0. only supports PreciseMatchRule.", + Description: "Customizes the priority of rules. value range: 0-100. it defaults to 0. only supports `rule_type` is `PreciseMatchRule`.", }, }, }, @@ -189,15 +190,16 @@ func ResourceTencentCloudTeoSecurityPolicy() *schema.Resource { }, "ruleset_version": { Type: schema.TypeString, - Optional: true, + Computed: true, Description: "The currently used version, in the format compliant with ISO 8601 standard, such as 2023-12-21T12:00:32Z. it is empty by default and is only an output parameter.", }, }, }, }, "managed_rule_groups": { - Type: schema.TypeList, + Type: schema.TypeSet, Optional: true, + Computed: true, Description: "Configuration of the managed rule group. if this structure is passed as an empty array or the GroupId is not included in the list, it will be processed based on the default method.", Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ 
@@ -357,45 +359,44 @@ func ResourceTencentCloudTeoSecurityPolicy() *schema.Resource { }, "meta_data": { Type: schema.TypeList, - Optional: true, - MaxItems: 1, + Computed: true, Description: "Managed rule group information, for output only.", Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "group_detail": { Type: schema.TypeString, - Optional: true, + Computed: true, Description: "Managed rule group description, for output only.", }, "group_name": { Type: schema.TypeString, - Optional: true, + Computed: true, Description: "Managed rule group name, for output only.", }, "rule_details": { Type: schema.TypeList, - Optional: true, + Computed: true, Description: "All sub-rule information under the current managed rule group, for output only.", Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "rule_id": { Type: schema.TypeString, - Optional: true, + Computed: true, Description: "Managed rule Id.", }, "risk_level": { Type: schema.TypeString, - Optional: true, + Computed: true, Description: "Protection level of managed rules. valid values:
  • low: low risk. this rule has a relatively low risk and is applicable to access scenarios in a very strict control environment. this level of rule may generate considerable false alarms.
  • medium: medium risk. this means the risk of this rule is normal and it is suitable for protection scenarios with stricter requirements.
  • high: high risk. this indicates that the risk of this rule is relatively high and it will not generate false alarms in most scenarios.
  • extreme: ultra-high risk. this represents that the risk of this rule is extremely high and it will not generate false alarms basically.
  • .", }, "description": { Type: schema.TypeString, - Optional: true, + Computed: true, Description: "Rule description.", }, "tags": { Type: schema.TypeSet, - Optional: true, + Computed: true, Description: "Rule tag. some types of rules do not have tags.", Elem: &schema.Schema{ Type: schema.TypeString, @@ -403,7 +404,7 @@ func ResourceTencentCloudTeoSecurityPolicy() *schema.Resource { }, "rule_version": { Type: schema.TypeString, - Optional: true, + Computed: true, Description: "Rule ownership version.", }, }, @@ -447,8 +448,8 @@ func ResourceTencentCloudTeoSecurityPolicy() *schema.Resource { } } -func resourceTencentCloudTeoSecurityPolicyCreate(d *schema.ResourceData, meta interface{}) error { - defer tccommon.LogElapsed("resource.tencentcloud_teo_security_policy.create")() +func resourceTencentCloudTeoSecurityPolicyConfigCreate(d *schema.ResourceData, meta interface{}) error { + defer tccommon.LogElapsed("resource.tencentcloud_teo_security_policy_config.create")() defer tccommon.InconsistentCheck(d, meta)() var ( @@ -484,11 +485,11 @@ func resourceTencentCloudTeoSecurityPolicyCreate(d *schema.ResourceData, meta in return fmt.Errorf("If `entity` is `ZoneDefaultPolicy`, Please do not set `host` and `template_id`; If `entity` is `Host`, Only support set `host`; If `entity` is `Template`, Only support set `template_id`.") } - return resourceTencentCloudTeoSecurityPolicyUpdate(d, meta) + return resourceTencentCloudTeoSecurityPolicyConfigUpdate(d, meta) } -func resourceTencentCloudTeoSecurityPolicyRead(d *schema.ResourceData, meta interface{}) error { - defer tccommon.LogElapsed("resource.tencentcloud_teo_security_policy.read")() +func resourceTencentCloudTeoSecurityPolicyConfigRead(d *schema.ResourceData, meta interface{}) error { + defer tccommon.LogElapsed("resource.tencentcloud_teo_security_policy_config.read")() defer tccommon.InconsistentCheck(d, meta)() var ( 
@@ -518,7 +519,7 @@ func resourceTencentCloudTeoSecurityPolicyRead(d *schema.ResourceData, meta inte return fmt.Errorf("`entity` is illegal, %s.", entity) } - respData, err := service.DescribeTeoSecurityPolicyById(ctx, zoneId, entity, host, templateId) + respData, err := service.DescribeTeoSecurityPolicyConfigById(ctx, zoneId, entity, host, templateId) if err != nil { return err } @@ -609,6 +610,8 @@ func resourceTencentCloudTeoSecurityPolicyRead(d *schema.ResourceData, meta inte rulesList = append(rulesList, rulesMap) } + customRulesMap["rules"] = rulesList + } else { customRulesMap["rules"] = rulesList } @@ -805,8 +808,8 @@ func resourceTencentCloudTeoSecurityPolicyRead(d *schema.ResourceData, meta inte return nil } -func resourceTencentCloudTeoSecurityPolicyUpdate(d *schema.ResourceData, meta interface{}) error { - defer tccommon.LogElapsed("resource.tencentcloud_teo_security_policy.update")() +func resourceTencentCloudTeoSecurityPolicyConfigUpdate(d *schema.ResourceData, meta interface{}) error { + defer tccommon.LogElapsed("resource.tencentcloud_teo_security_policy_config.update")() defer tccommon.InconsistentCheck(d, meta)() var ( @@ -940,15 +943,11 @@ func resourceTencentCloudTeoSecurityPolicyUpdate(d *schema.ResourceData, meta in managedRuleAutoUpdate.AutoUpdateToLatestVersion = helper.String(v) } - if v, ok := autoUpdateMap["ruleset_version"].(string); ok && v != "" { - managedRuleAutoUpdate.RulesetVersion = helper.String(v) - } - managedRules.AutoUpdate = &managedRuleAutoUpdate } if v, ok := managedRulesMap["managed_rule_groups"]; ok { - for _, item := range v.([]interface{}) { + for _, item := range v.(*schema.Set).List() { managedRuleGroupsMap := item.(map[string]interface{}) managedRuleGroup := teov20220901.ManagedRuleGroup{} if v, ok := managedRuleGroupsMap["group_id"].(string); ok && v != "" { 
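Review bot: The added `customRulesMap["rules"] = rulesList` after the rule loop now sits in both arms of the if/else, since the else arm below keeps its own identical assignment, so the two arms differ only in whether the loop ran. Placing the single assignment once after the closing `}` of the else, `customRulesMap["rules"] = rulesList`, would drop the duplicated line and make the intent plainer. The `if` that opens this branch starts outside the hunk, so confirm `rulesList` is declared ahead of it before hoisting.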
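Review bot: In the `managed_rule_groups` loop, `v.(*schema.Set).List()` is an unchecked type assertion, while every sibling lookup in this hunk uses the two-value form (`if v, ok := ... .(string); ok && v != ""`); should the value ever arrive as anything other than `*schema.Set`, the provider panics instead of returning an error. The form consistent with the surrounding code is `if v, ok := managedRulesMap["managed_rule_groups"].(*schema.Set); ok {` followed by `for _, item := range v.List() {`. Note also that, with the attribute now a set, groups are appended to `managedRules.ManagedRuleGroups` in set-hash order rather than configuration order; the schema description suggests the API keys groups by GroupId, so this is presumably harmless, but it is worth confirming against the API.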
@@ -1051,51 +1050,6 @@ func resourceTencentCloudTeoSecurityPolicyUpdate(d *schema.ResourceData, meta in } } - if metaDataMap, ok := helper.ConvertInterfacesHeadToMap(managedRuleGroupsMap["meta_data"]); ok { - managedRuleGroupMeta := teov20220901.ManagedRuleGroupMeta{} - if v, ok := metaDataMap["group_detail"].(string); ok && v != "" { - managedRuleGroupMeta.GroupDetail = helper.String(v) - } - - if v, ok := metaDataMap["group_name"].(string); ok && v != "" { - managedRuleGroupMeta.GroupName = helper.String(v) - } - - if v, ok := metaDataMap["rule_details"]; ok { - for _, item := range v.([]interface{}) { - ruleDetailsMap := item.(map[string]interface{}) - managedRuleDetail := teov20220901.ManagedRuleDetail{} - if v, ok := ruleDetailsMap["rule_id"].(string); ok && v != "" { - managedRuleDetail.RuleId = helper.String(v) - } - - if v, ok := ruleDetailsMap["risk_level"].(string); ok && v != "" { - managedRuleDetail.RiskLevel = helper.String(v) - } - - if v, ok := ruleDetailsMap["description"].(string); ok && v != "" { - managedRuleDetail.Description = helper.String(v) - } - - if v, ok := ruleDetailsMap["tags"]; ok { - tagsSet := v.(*schema.Set).List() - for i := range tagsSet { - tags := tagsSet[i].(string) - managedRuleDetail.Tags = append(managedRuleDetail.Tags, helper.String(tags)) - } - } - - if v, ok := ruleDetailsMap["rule_version"].(string); ok && v != "" { - managedRuleDetail.RuleVersion = helper.String(v) - } - - managedRuleGroupMeta.RuleDetails = append(managedRuleGroupMeta.RuleDetails, &managedRuleDetail) - } - } - - managedRuleGroup.MetaData = &managedRuleGroupMeta - } - managedRules.ManagedRuleGroups = append(managedRules.ManagedRuleGroups, &managedRuleGroup) } } 
@@ -1114,7 +1068,7 @@ func resourceTencentCloudTeoSecurityPolicyUpdate(d *schema.ResourceData, meta in log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString()) } - if result == nil || result.BaseResponse == nil { + if result == nil || result.Response == nil { return resource.NonRetryableError(fmt.Errorf("Create teo security policy failed, Response is nil.")) } @@ -1126,11 +1080,11 @@ func resourceTencentCloudTeoSecurityPolicyUpdate(d *schema.ResourceData, meta in return reqErr } - return resourceTencentCloudTeoSecurityPolicyRead(d, meta) + return resourceTencentCloudTeoSecurityPolicyConfigRead(d, meta) } -func resourceTencentCloudTeoSecurityPolicyDelete(d *schema.ResourceData, meta interface{}) error { - defer tccommon.LogElapsed("resource.tencentcloud_teo_security_policy.delete")() +func resourceTencentCloudTeoSecurityPolicyConfigDelete(d *schema.ResourceData, meta interface{}) error { + defer tccommon.LogElapsed("resource.tencentcloud_teo_security_policy_config.delete")() defer tccommon.InconsistentCheck(d, meta)() return nil diff --git a/tencentcloud/services/teo/resource_tc_teo_security_policy_config.md b/tencentcloud/services/teo/resource_tc_teo_security_policy_config.md new file mode 100644 index 0000000000..9b6b9c2300 --- /dev/null +++ b/tencentcloud/services/teo/resource_tc_teo_security_policy_config.md 
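Review bot: `resourceTencentCloudTeoSecurityPolicyConfigDelete` returns nil without calling any API, so `terraform destroy` only drops the resource from state and the last applied custom rules and managed rule groups remain active on the zone, host or template; neither the function nor the resource description says so. A one-line comment above `return nil` would make that explicit, e.g. `// No delete call: destroying only forgets the policy in state; the last applied security policy stays in effect.`, and the same sentence belongs in the resource's Description and doc page so operators do not expect a revert to defaults. Whether the API offers a reset-to-default operation is not visible here; if it does, calling it from Delete would be the alternative. The function's closing brace lies outside the hunk.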
@@ -0,0 +1,566 @@ +Provides a resource to create a teo security policy + +~> **NOTE:** If the user's EO version is the personal version, `managed_rule_groups` needs to set one; If the user's EO version is a non personal version, `managed_rule_groups` needs to set 17. + +Example Usage + +If entity is ZoneDefaultPolicy + +```hcl +resource "tencentcloud_teo_security_policy_config" "example" { + zone_id = "zone-37u62pwxfo8s" + entity = "ZoneDefaultPolicy" + security_policy { + custom_rules { + rules { + name = "rule1" + condition = "$${http.request.host} contain ['abc']" + enabled = "on" + rule_type = "PreciseMatchRule" + priority = 50 + action { + name = "BlockIP" + block_ip_action_parameters { + duration = "120s" + } + } + } + + rules { + name = "rule2" + condition = "$${http.request.ip} in ['119.28.103.58']" + enabled = "off" + id = "2182252647" + rule_type = "BasicAccessRule" + action { + name = "Deny" + } + } + } + + managed_rules { + enabled = "on" + detection_only = "off" + semantic_analysis = "off" + auto_update { + auto_update_to_latest_version = "off" + } + + managed_rule_groups { + group_id = "wafgroup-webshell-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xxe-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-non-compliant-protocol-usages" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-file-upload-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-command-and-code-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ldap-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssrf-attacks" + sensitivity_level = "strict" + action 
{ + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xss-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-vulnerability-scanners" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-cms-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-other-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-sql-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-file-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-oa-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssti-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-shiro-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + } + } +} +``` + +If entity is Host + +```hcl +resource "tencentcloud_teo_security_policy_config" "example" { + zone_id = "zone-37u62pwxfo8s" + entity = "Host" + host = "www.example.com" + security_policy { + custom_rules { + rules { + name = "rule1" + condition = "$${http.request.host} contain ['abc']" + enabled = "on" + rule_type = "PreciseMatchRule" + priority = 50 + action { + name = "BlockIP" + block_ip_action_parameters { + duration = "120s" + } + } + } + + rules { + name = "rule2" + condition = "$${http.request.ip} in ['119.28.103.58']" + enabled = "off" + id = "2182252647" + rule_type = 
"BasicAccessRule" + action { + name = "Deny" + } + } + } + + managed_rules { + enabled = "on" + detection_only = "off" + semantic_analysis = "off" + auto_update { + auto_update_to_latest_version = "off" + } + + managed_rule_groups { + group_id = "wafgroup-webshell-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xxe-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-non-compliant-protocol-usages" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-file-upload-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-command-and-code-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ldap-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssrf-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xss-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-vulnerability-scanners" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-cms-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-other-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-sql-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + 
group_id = "wafgroup-unauthorized-file-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-oa-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssti-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-shiro-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + } + } +} +``` + +If entity is Template + +```hcl +resource "tencentcloud_teo_security_policy_config" "example" { + zone_id = "zone-37u62pwxfo8s" + entity = "Template" + template_id = "temp-05dtxkyw" + security_policy { + custom_rules { + rules { + name = "rule1" + condition = "$${http.request.host} contain ['abc']" + enabled = "on" + rule_type = "PreciseMatchRule" + priority = 50 + action { + name = "BlockIP" + block_ip_action_parameters { + duration = "120s" + } + } + } + + rules { + name = "rule2" + condition = "$${http.request.ip} in ['119.28.103.58']" + enabled = "off" + id = "2182252647" + rule_type = "BasicAccessRule" + action { + name = "Deny" + } + } + } + + managed_rules { + enabled = "on" + detection_only = "off" + semantic_analysis = "off" + auto_update { + auto_update_to_latest_version = "off" + } + + managed_rule_groups { + group_id = "wafgroup-webshell-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xxe-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-non-compliant-protocol-usages" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-file-upload-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-command-and-code-injections" + sensitivity_level = "strict" + 
action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ldap-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssrf-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xss-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-vulnerability-scanners" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-cms-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-other-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-sql-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-file-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-oa-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssti-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-shiro-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + } + } +} +``` + +Import + +teo security policy can be imported using the id, e.g. 
+ +``` +# If entity is ZoneDefaultPolicy +terraform import tencentcloud_teo_security_policy_config.example zone-37u62pwxfo8s#ZoneDefaultPolicy +# If entity is Host +terraform import tencentcloud_teo_security_policy_config.example zone-37u62pwxfo8s#Host#www.example.com +# If entity is Template +terraform import tencentcloud_teo_security_policy_config.example zone-37u62pwxfo8s#Template#temp-05dtxkyw +``` diff --git a/tencentcloud/services/teo/resource_tc_teo_security_policy_config_test.go b/tencentcloud/services/teo/resource_tc_teo_security_policy_config_test.go new file mode 100644 index 0000000000..33ed5b5f38 --- /dev/null +++ b/tencentcloud/services/teo/resource_tc_teo_security_policy_config_test.go 
@@ -0,0 +1,211 @@ +package teo_test + +import ( + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + + tcacctest "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/acctest" +) + +func TestAccTencentCloudTeoSecurityPolicyResource_basic(t *testing.T) { + t.Parallel() + resource.Test(t, resource.TestCase{ + PreCheck: func() { + tcacctest.AccPreCheck(t) + }, + Providers: tcacctest.AccProviders, + Steps: []resource.TestStep{{ + Config: testAccTeoSecurityPolicy, + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttrSet("tencentcloud_teo_security_policy_config_config.example", "id"), + ), + }, + { + ResourceName: "tencentcloud_teo_security_policy_config.example", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +const testAccTeoSecurityPolicy = ` +resource "tencentcloud_teo_security_policy_config" "example" { + zone_id = "zone-37u62pwxfo8s" + entity = "ZoneDefaultPolicy" + security_policy { + custom_rules { + rules { + name = "rule1" + condition = "$${http.request.host} contain ['abc']" + enabled = "on" + rule_type = "PreciseMatchRule" + priority = 50 + action { + name = "BlockIP" + block_ip_action_parameters { + duration = "120s" + } + } + } + + rules { + name = "rule2" + condition = "$${http.request.ip} in ['119.28.103.58']" + enabled = "off" + id = "2182252647" + rule_type = "BasicAccessRule" + action { + name = "Deny" + } + } + } + + managed_rules { + enabled = "on" + detection_only = "off" + semantic_analysis = "off" + auto_update { + auto_update_to_latest_version = "off" + } + + managed_rule_groups { + group_id = "wafgroup-webshell-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xxe-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-non-compliant-protocol-usages" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + 
managed_rule_groups { + group_id = "wafgroup-file-upload-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-command-and-code-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ldap-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssrf-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xss-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-vulnerability-scanners" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-cms-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-other-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-sql-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-file-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-oa-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssti-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-shiro-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + } + } +} +` 
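Review bot: The check step references `tencentcloud_teo_security_policy_config_config.example` (doubled `_config`) while the HCL in `testAccTeoSecurityPolicy` declares `tencentcloud_teo_security_policy_config.example`, so `TestCheckResourceAttrSet` will report the resource as not found and the acceptance test fails before the import step runs; the line should read `resource.TestCheckResourceAttrSet("tencentcloud_teo_security_policy_config.example", "id"),`. The test function and constant keep the old names `TestAccTencentCloudTeoSecurityPolicyResource_basic` and `testAccTeoSecurityPolicy`; since provider.md in this commit still lists `tencentcloud_teo_security_policy` alongside the new resource, renaming them to `TestAccTencentCloudTeoSecurityPolicyConfigResource_basic` and `testAccTeoSecurityPolicyConfig` matches the resource under test and avoids a later symbol clash in the `teo_test` package.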
diff --git a/tencentcloud/services/teo/resource_tc_teo_security_policy_test.go b/tencentcloud/services/teo/resource_tc_teo_security_policy_test.go deleted file mode 100644 index 41a9eb186f..0000000000 --- a/tencentcloud/services/teo/resource_tc_teo_security_policy_test.go +++ /dev/null 
@@ -1,183 +0,0 @@ -package teo_test - -import ( - "testing" - - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" - - tcacctest "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/acctest" -) - -func TestAccTencentCloudTeoSecurityPolicyResource_basic(t *testing.T) { - t.Parallel() - resource.Test(t, resource.TestCase{ - PreCheck: func() { - tcacctest.AccPreCheck(t) - }, - Providers: tcacctest.AccProviders, - Steps: []resource.TestStep{{ - Config: testAccTeoSecurityPolicy, - Check: resource.ComposeTestCheckFunc(resource.TestCheckResourceAttrSet("tencentcloud_teo_security_policy.teo_security_policy", "id")), - }, { - ResourceName: "tencentcloud_teo_security_policy.teo_security_policy", - ImportState: true, - ImportStateVerify: true, - }}, - }) -} - -const testAccTeoSecurityPolicy = ` - -resource "tencentcloud_teo_security_policy" "teo_security_policy" { - security_config = { - waf_config = { - waf_rule = { - } - ai_rule = { - } - } - rate_limit_config = { - rate_limit_user_rules = { - acl_conditions = { - } - } - rate_limit_template = { - rate_limit_template_detail = { - } - } - rate_limit_intelligence = { - } - rate_limit_customizes = { - acl_conditions = { - } - } - } - acl_config = { - acl_user_rules = { - acl_conditions = { - } - } - customizes = { - acl_conditions = { - } - } - } - bot_config = { - bot_managed_rule = { - } - bot_portrait_rule = { - } - intelligence_rule = { - intelligence_rule_items = { - } - } - bot_user_rules = { - extend_actions = { - } - acl_conditions = { - } - } - alg_detect_rule = { - alg_conditions = { - } - alg_detect_session = { - alg_detect_results = { - } - session_behaviors = { - } - } - alg_detect_js = { - alg_detect_results = { - } - } - } - customizes = { - extend_actions = { - } - acl_conditions = { - } - } - } - switch_config = { - } - ip_table_config = { - ip_table_rules = { - } - } - except_config = { - except_user_rules = { - except_user_rule_conditions = { - } - except_user_rule_scope = { 
- partial_modules = { - } - skip_conditions = { - } - } - } - } - drop_page_config = { - waf_drop_page_detail = { - } - acl_drop_page_detail = { - } - } - template_config = { - } - slow_post_config = { - first_part_config = { - } - slow_rate_config = { - } - } - detect_length_limit_config = { - detect_length_limit_rules = { - conditions = { - } - } - } - } - security_policy = { - custom_rules = { - rules = { - action = { - block_ip_action_parameters = { - } - return_custom_page_action_parameters = { - } - redirect_action_parameters = { - } - } - } - } - managed_rules = { - auto_update = { - } - managed_rule_groups = { - action = { - block_ip_action_parameters = { - } - return_custom_page_action_parameters = { - } - redirect_action_parameters = { - } - } - rule_actions = { - action = { - block_ip_action_parameters = { - } - return_custom_page_action_parameters = { - } - redirect_action_parameters = { - } - } - } - meta_data = { - rule_details = { - } - } - } - } - } -} -` diff --git a/tencentcloud/services/teo/service_tencentcloud_teo.go b/tencentcloud/services/teo/service_tencentcloud_teo.go index d77eba6507..84693d8c17 100644 --- a/tencentcloud/services/teo/service_tencentcloud_teo.go +++ b/tencentcloud/services/teo/service_tencentcloud_teo.go @@ -1645,7 +1645,7 @@ func (me *TeoService) DescribeTeoL7AccRuleById(ctx context.Context, zoneId strin return } -func (me *TeoService) DescribeTeoSecurityPolicyById(ctx context.Context, zoneId, entity, host, templateId string) (ret *teo.SecurityPolicy, errRet error) { +func (me *TeoService) DescribeTeoSecurityPolicyConfigById(ctx context.Context, zoneId, entity, host, templateId string) (ret *teo.SecurityPolicy, errRet error) { logId := tccommon.GetLogId(ctx) request := teo.NewDescribeSecurityPolicyRequest() diff --git a/website/docs/r/teo_security_policy.html.markdown b/website/docs/r/teo_security_policy.html.markdown index 6805c8fb93..e85e9d850d 100644 --- a/website/docs/r/teo_security_policy.html.markdown 
+++ b/website/docs/r/teo_security_policy.html.markdown 
@@ -4,163 +4,558 @@ layout: "tencentcloud" page_title: "TencentCloud: tencentcloud_teo_security_policy" sidebar_current: "docs-tencentcloud-resource-teo_security_policy" description: |- - Provides a resource to create a teo teo_security_policy + Provides a resource to create a teo security policy --- # tencentcloud_teo_security_policy -Provides a resource to create a teo teo_security_policy +Provides a resource to create a teo security policy + +~> **NOTE:** If the user's EO version is the personal version, `managed_rule_groups` needs to set one; If the user's EO version is a non personal version, `managed_rule_groups` needs to set 17. ## Example Usage +### If entity is ZoneDefaultPolicy + ```hcl -resource "tencentcloud_teo_security_policy" "teo_security_policy" { - security_config = { - waf_config = { - waf_rule = { +resource "tencentcloud_teo_security_policy" "example" { + zone_id = "zone-37u62pwxfo8s" + entity = "ZoneDefaultPolicy" + security_policy { + custom_rules { + rules { + name = "rule1" + condition = "$${http.request.host} contain ['abc']" + enabled = "on" + rule_type = "PreciseMatchRule" + priority = 50 + action { + name = "BlockIP" + block_ip_action_parameters { + duration = "120s" + } + } } - ai_rule = { + + rules { + name = "rule2" + condition = "$${http.request.ip} in ['119.28.103.58']" + enabled = "off" + id = "2182252647" + rule_type = "BasicAccessRule" + action { + name = "Deny" + } } } - rate_limit_config = { - rate_limit_user_rules = { - acl_conditions = { + + managed_rules { + enabled = "on" + detection_only = "off" + semantic_analysis = "off" + auto_update { + auto_update_to_latest_version = "off" + } + + managed_rule_groups { + group_id = "wafgroup-webshell-attacks" + sensitivity_level = "strict" + action { + name = "Deny" } } - rate_limit_template = { - rate_limit_template_detail = { + + managed_rule_groups { + group_id = "wafgroup-xxe-attacks" + sensitivity_level = "strict" + action { + name = "Deny" } } - rate_limit_intelligence = { + + 
managed_rule_groups { + group_id = "wafgroup-non-compliant-protocol-usages" + sensitivity_level = "strict" + action { + name = "Deny" + } } - rate_limit_customizes = { - acl_conditions = { + + managed_rule_groups { + group_id = "wafgroup-file-upload-attacks" + sensitivity_level = "strict" + action { + name = "Deny" } } - } - acl_config = { - acl_user_rules = { - acl_conditions = { + + managed_rule_groups { + group_id = "wafgroup-command-and-code-injections" + sensitivity_level = "strict" + action { + name = "Deny" } } - customizes = { - acl_conditions = { + + managed_rule_groups { + group_id = "wafgroup-ldap-injections" + sensitivity_level = "strict" + action { + name = "Deny" } } - } - bot_config = { - bot_managed_rule = { + + managed_rule_groups { + group_id = "wafgroup-ssrf-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } } - bot_portrait_rule = { + + managed_rule_groups { + group_id = "wafgroup-unauthorized-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } } - intelligence_rule = { - intelligence_rule_items = { + + managed_rule_groups { + group_id = "wafgroup-xss-attacks" + sensitivity_level = "strict" + action { + name = "Deny" } } - bot_user_rules = { - extend_actions = { + + managed_rule_groups { + group_id = "wafgroup-vulnerability-scanners" + sensitivity_level = "strict" + action { + name = "Deny" } - acl_conditions = { + } + + managed_rule_groups { + group_id = "wafgroup-cms-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" } } - alg_detect_rule = { - alg_conditions = { + + managed_rule_groups { + group_id = "wafgroup-other-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" } - alg_detect_session = { - alg_detect_results = { - } - session_behaviors = { - } + } + + managed_rule_groups { + group_id = "wafgroup-sql-injections" + sensitivity_level = "strict" + action { + name = "Deny" } - alg_detect_js = { - alg_detect_results = { - } + } + + managed_rule_groups { + 
group_id = "wafgroup-unauthorized-file-accesses" + sensitivity_level = "strict" + action { + name = "Deny" } } - customizes = { - extend_actions = { + + managed_rule_groups { + group_id = "wafgroup-oa-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" } - acl_conditions = { + } + + managed_rule_groups { + group_id = "wafgroup-ssti-attacks" + sensitivity_level = "strict" + action { + name = "Deny" } } - } - switch_config = { - } - ip_table_config = { - ip_table_rules = { + + managed_rule_groups { + group_id = "wafgroup-shiro-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } } } - except_config = { - except_user_rules = { - except_user_rule_conditions = { - } - except_user_rule_scope = { - partial_modules = { - } - skip_conditions = { + } +} +``` + +### If entity is Host + +```hcl +resource "tencentcloud_teo_security_policy" "example" { + zone_id = "zone-37u62pwxfo8s" + entity = "Host" + host = "www.example.com" + security_policy { + custom_rules { + rules { + name = "rule1" + condition = "$${http.request.host} contain ['abc']" + enabled = "on" + rule_type = "PreciseMatchRule" + priority = 50 + action { + name = "BlockIP" + block_ip_action_parameters { + duration = "120s" } } } + + rules { + name = "rule2" + condition = "$${http.request.ip} in ['119.28.103.58']" + enabled = "off" + id = "2182252647" + rule_type = "BasicAccessRule" + action { + name = "Deny" + } + } } - drop_page_config = { - waf_drop_page_detail = { + + managed_rules { + enabled = "on" + detection_only = "off" + semantic_analysis = "off" + auto_update { + auto_update_to_latest_version = "off" } - acl_drop_page_detail = { + + managed_rule_groups { + group_id = "wafgroup-webshell-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } } - } - template_config = { - } - slow_post_config = { - first_part_config = { + + managed_rule_groups { + group_id = "wafgroup-xxe-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } } 
- slow_rate_config = { + + managed_rule_groups { + group_id = "wafgroup-non-compliant-protocol-usages" + sensitivity_level = "strict" + action { + name = "Deny" + } } - } - detect_length_limit_config = { - detect_length_limit_rules = { - conditions = { + + managed_rule_groups { + group_id = "wafgroup-file-upload-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-command-and-code-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ldap-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssrf-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xss-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-vulnerability-scanners" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-cms-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-other-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-sql-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-file-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-oa-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssti-attacks" + sensitivity_level = "strict" + action { + name = 
"Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-shiro-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" } } } } - security_policy = { - custom_rules = { - rules = { - action = { - block_ip_action_parameters = { - } - return_custom_page_action_parameters = { - } - redirect_action_parameters = { +} +``` + +### If entity is Template + +```hcl +resource "tencentcloud_teo_security_policy" "example" { + zone_id = "zone-37u62pwxfo8s" + entity = "Template" + template_id = "temp-05dtxkyw" + security_policy { + custom_rules { + rules { + name = "rule1" + condition = "$${http.request.host} contain ['abc']" + enabled = "on" + rule_type = "PreciseMatchRule" + priority = 50 + action { + name = "BlockIP" + block_ip_action_parameters { + duration = "120s" } } } + + rules { + name = "rule2" + condition = "$${http.request.ip} in ['119.28.103.58']" + enabled = "off" + id = "2182252647" + rule_type = "BasicAccessRule" + action { + name = "Deny" + } + } } - managed_rules = { - auto_update = { + + managed_rules { + enabled = "on" + detection_only = "off" + semantic_analysis = "off" + auto_update { + auto_update_to_latest_version = "off" } - managed_rule_groups = { - action = { - block_ip_action_parameters = { - } - return_custom_page_action_parameters = { - } - redirect_action_parameters = { - } + + managed_rule_groups { + group_id = "wafgroup-webshell-attacks" + sensitivity_level = "strict" + action { + name = "Deny" } - rule_actions = { - action = { - block_ip_action_parameters = { - } - return_custom_page_action_parameters = { - } - redirect_action_parameters = { - } - } + } + + managed_rule_groups { + group_id = "wafgroup-xxe-attacks" + sensitivity_level = "strict" + action { + name = "Deny" } - meta_data = { - rule_details = { - } + } + + managed_rule_groups { + group_id = "wafgroup-non-compliant-protocol-usages" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = 
"wafgroup-file-upload-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-command-and-code-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ldap-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssrf-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xss-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-vulnerability-scanners" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-cms-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-other-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-sql-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-file-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-oa-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssti-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-shiro-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" } } } 
@@ -205,7 +600,6 @@ The `action` object of `rules` supports the following: The `auto_update` object of `managed_rules` supports the following: * `auto_update_to_latest_version` - (Required, String) Indicates whether to enable automatic update to the latest version. valid values:
  • on: enabled
  • off: disabled
  • . -* `ruleset_version` - (Optional, String) The currently used version, in the format compliant with ISO 8601 standard, such as 2023-12-21T12:00:32Z. it is empty by default and is only an output parameter. The `block_ip_action_parameters` object of `action` supports the following: @@ -220,7 +614,6 @@ The `managed_rule_groups` object of `managed_rules` supports the following: * `action` - (Required, List) Handling actions for managed rule groups. the Name parameter value of SecurityAction supports:
  • Deny: block and respond with an interception page;
  • Monitor: observe, do not process requests and record security events in logs;
  • Disabled: not enabled, do not scan requests and skip this rule.
  • . * `group_id` - (Required, String) Group name of the managed rule. if the rule group for the configuration is not specified, it will be processed based on the default configuration. refer to product documentation for the specific value of GroupId. * `sensitivity_level` - (Required, String) Protection level of the managed rule group. valid values:
  • loose: lenient, only contains ultra-high risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • normal: normal, contains ultra-high risk and high-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • strict: strict, contains ultra-high risk, high-risk and medium-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • extreme: super strict, contains ultra-high risk, high-risk, medium-risk and low-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • custom: custom, refined strategy. configure the disposal method for each individual rule. at this point, the Action field is invalid. use RuleActions to configure the refined strategy for each individual rule.
  • . -* `meta_data` - (Optional, List) Managed rule group information, for output only. * `rule_actions` - (Optional, List) Specific configuration of rule items under the managed rule group. the configuration is effective only when SensitivityLevel is custom. The `managed_rules` object of `security_policy` supports the following: @@ -228,14 +621,11 @@ The `managed_rules` object of `security_policy` supports the following: * `detection_only` - (Required, String) Indicates whether the evaluation mode is Enabled. it is valid only when the Enabled parameter is set to on. valid values:
  • on: Enabled. all managed rules take effect in observation mode.
  • off: disabled. all managed rules take effect according to the actual configuration.
  • . * `enabled` - (Required, String) Indicates whether the managed rule is enabled. valid values:
  • on: enabled. all managed rules take effect as configured;
  • off: disabled. all managed rules do not take effect.
  • . * `auto_update` - (Optional, List) Managed rule automatic update option. -* `managed_rule_groups` - (Optional, List) Configuration of the managed rule group. if this structure is passed as an empty array or the GroupId is not included in the list, it will be processed based on the default method. +* `managed_rule_groups` - (Optional, Set) Configuration of the managed rule group. if this structure is passed as an empty array or the GroupId is not included in the list, it will be processed based on the default method. * `semantic_analysis` - (Optional, String) Whether the managed rule semantic analysis option is Enabled is valid only when the Enabled parameter is on. valid values:
  • on: enable. perform semantic analysis on requests before processing them;
  • off: disable. process requests directly without semantic analysis.

  • default off. The `meta_data` object of `managed_rule_groups` supports the following: -* `group_detail` - (Optional, String) Managed rule group description, for output only. -* `group_name` - (Optional, String) Managed rule group name, for output only. -* `rule_details` - (Optional, List) All sub-rule information under the current managed rule group, for output only. The `redirect_action_parameters` object of `action` supports the following: @@ -253,11 +643,6 @@ The `rule_actions` object of `managed_rule_groups` supports the following: The `rule_details` object of `meta_data` supports the following: -* `description` - (Optional, String) Rule description. -* `risk_level` - (Optional, String) Protection level of managed rules. valid values:
  • low: low risk. this rule has a relatively low risk and is applicable to access scenarios in a very strict control environment. this level of rule may generate considerable false alarms.
  • medium: medium risk. this means the risk of this rule is normal and it is suitable for protection scenarios with stricter requirements.
  • high: high risk. this indicates that the risk of this rule is relatively high and it will not generate false alarms in most scenarios.
  • extreme: ultra-high risk. this represents that the risk of this rule is extremely high and it will not generate false alarms basically.
  • . -* `rule_id` - (Optional, String) Managed rule Id. -* `rule_version` - (Optional, String) Rule ownership version. -* `tags` - (Optional, Set) Rule tag. some types of rules do not have tags. The `rules` object of `custom_rules` supports the following: @@ -266,7 +651,7 @@ The `rules` object of `custom_rules` supports the following: * `enabled` - (Required, String) Indicates whether the custom rule is enabled. valid values:
  • on: enabled
  • off: disabled
  • . * `name` - (Required, String) The name of the custom rule. * `id` - (Optional, String) The ID of a custom rule.
    the rule ID supports different rule configuration operations:
    - add a new rule: ID is empty or the ID parameter is not specified;
    - modify an existing rule: specify the rule ID that needs to be updated/modified;
    - delete an existing rule: existing Rules not included in the Rules list of the CustomRules parameter will be deleted. -* `priority` - (Optional, Int) Customizes the priority of rules. value range: 0-100. it defaults to 0. only supports PreciseMatchRule. +* `priority` - (Optional, Int) Customizes the priority of rules. value range: 0-100. it defaults to 0. only supports `rule_type` is `PreciseMatchRule`. * `rule_type` - (Optional, String) Type of custom rule. valid values:
  • BasicAccessRule: basic access control;
  • PreciseMatchRule: exact matching rule, default;
  • ManagedAccessRule: expert customized rule, for output only.
  • the default value is PreciseMatchRule. The `security_policy` object supports the following: @@ -284,9 +669,14 @@ In addition to all arguments above, the following attributes are exported: ## Import -teo teo_security_policy can be imported using the id, e.g. +teo security policy can be imported using the id, e.g. ``` -terraform import tencentcloud_teo_security_policy.teo_security_policy teo_security_policy_id +# If entity is ZoneDefaultPolicy +terraform import tencentcloud_teo_security_policy.example zone-37u62pwxfo8s#ZoneDefaultPolicy +# If entity is Host +terraform import tencentcloud_teo_security_policy.example zone-37u62pwxfo8s#Host#www.example.com +# If entity is Template +terraform import tencentcloud_teo_security_policy.example zone-37u62pwxfo8s#Template#temp-05dtxkyw ``` diff --git a/website/docs/r/teo_security_policy_config.html.markdown b/website/docs/r/teo_security_policy_config.html.markdown new file mode 100644 index 0000000000..cf6afd3eab --- /dev/null +++ b/website/docs/r/teo_security_policy_config.html.markdown 
@@ -0,0 +1,682 @@ +--- +subcategory: "TencentCloud EdgeOne(TEO)" +layout: "tencentcloud" +page_title: "TencentCloud: tencentcloud_teo_security_policy_config" +sidebar_current: "docs-tencentcloud-resource-teo_security_policy_config" +description: |- + Provides a resource to create a teo security policy +--- + +# tencentcloud_teo_security_policy_config + +Provides a resource to create a teo security policy + +~> **NOTE:** If the user's EO version is the personal version, `managed_rule_groups` needs to set one; If the user's EO version is a non personal version, `managed_rule_groups` needs to set 17. + +## Example Usage + +### If entity is ZoneDefaultPolicy + +```hcl +resource "tencentcloud_teo_security_policy_config" "example" { + zone_id = "zone-37u62pwxfo8s" + entity = "ZoneDefaultPolicy" + security_policy { + custom_rules { + rules { + name = "rule1" + condition = "$${http.request.host} contain ['abc']" + enabled = "on" + rule_type = "PreciseMatchRule" + priority = 50 + action { + name = "BlockIP" + block_ip_action_parameters { + duration = "120s" + } + } + } + + rules { + name = "rule2" + condition = "$${http.request.ip} in ['119.28.103.58']" + enabled = "off" + id = "2182252647" + rule_type = "BasicAccessRule" + action { + name = "Deny" + } + } + } + + managed_rules { + enabled = "on" + detection_only = "off" + semantic_analysis = "off" + auto_update { + auto_update_to_latest_version = "off" + } + + managed_rule_groups { + group_id = "wafgroup-webshell-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xxe-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-non-compliant-protocol-usages" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-file-upload-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + 
group_id = "wafgroup-command-and-code-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ldap-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssrf-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xss-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-vulnerability-scanners" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-cms-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-other-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-sql-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-file-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-oa-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssti-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-shiro-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + } + } +} +``` + +### If entity is Host + +```hcl +resource "tencentcloud_teo_security_policy_config" "example" { + zone_id = "zone-37u62pwxfo8s" + entity = "Host" + host = "www.example.com" + security_policy { + custom_rules { + rules { + name = "rule1" + condition 
= "$${http.request.host} contain ['abc']" + enabled = "on" + rule_type = "PreciseMatchRule" + priority = 50 + action { + name = "BlockIP" + block_ip_action_parameters { + duration = "120s" + } + } + } + + rules { + name = "rule2" + condition = "$${http.request.ip} in ['119.28.103.58']" + enabled = "off" + id = "2182252647" + rule_type = "BasicAccessRule" + action { + name = "Deny" + } + } + } + + managed_rules { + enabled = "on" + detection_only = "off" + semantic_analysis = "off" + auto_update { + auto_update_to_latest_version = "off" + } + + managed_rule_groups { + group_id = "wafgroup-webshell-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xxe-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-non-compliant-protocol-usages" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-file-upload-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-command-and-code-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ldap-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssrf-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xss-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-vulnerability-scanners" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-cms-vulnerabilities" + sensitivity_level = "strict" 
+ action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-other-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-sql-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-file-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-oa-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssti-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-shiro-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + } + } +} +``` + +### If entity is Template + +```hcl +resource "tencentcloud_teo_security_policy_config" "example" { + zone_id = "zone-37u62pwxfo8s" + entity = "Template" + template_id = "temp-05dtxkyw" + security_policy { + custom_rules { + rules { + name = "rule1" + condition = "$${http.request.host} contain ['abc']" + enabled = "on" + rule_type = "PreciseMatchRule" + priority = 50 + action { + name = "BlockIP" + block_ip_action_parameters { + duration = "120s" + } + } + } + + rules { + name = "rule2" + condition = "$${http.request.ip} in ['119.28.103.58']" + enabled = "off" + id = "2182252647" + rule_type = "BasicAccessRule" + action { + name = "Deny" + } + } + } + + managed_rules { + enabled = "on" + detection_only = "off" + semantic_analysis = "off" + auto_update { + auto_update_to_latest_version = "off" + } + + managed_rule_groups { + group_id = "wafgroup-webshell-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xxe-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = 
"wafgroup-non-compliant-protocol-usages" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-file-upload-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-command-and-code-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ldap-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssrf-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-xss-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-vulnerability-scanners" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-cms-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-other-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-sql-injections" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-unauthorized-file-accesses" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-oa-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-ssti-attacks" + sensitivity_level = "strict" + action { + name = "Deny" + } + } + + managed_rule_groups { + group_id = "wafgroup-shiro-vulnerabilities" + sensitivity_level = "strict" + action { + name = "Deny" + } 
+ } + } + } +} +``` + +## Argument Reference + +The following arguments are supported: + +* `zone_id` - (Required, String, ForceNew) Zone ID. +* `entity` - (Optional, String, ForceNew) Security policy type. the following parameter values can be used:
  • ZoneDefaultPolicy: used to specify a site-level policy;
  • Template: used to specify a policy Template. you need to simultaneously specify the TemplateId parameter;
  • Host: used to specify a domain-level policy (note: when using a domain name to specify a dns service policy, only dns services or policy templates that have applied a domain-level policy are supported).
  • . +* `host` - (Optional, String, ForceNew) Specifies the specified domain. when the Entity parameter value is Host, use the domain-level policy specified by this parameter. for example: use www.example.com to configure the domain-level policy of the domain. +* `security_policy` - (Optional, List) Security policy configuration. it is recommended to use for custom policies and managed rule configurations of Web protection. it supports configuring security policies with expression grammar. +* `template_id` - (Optional, String, ForceNew) Specify the policy Template ID. use this parameter to specify the ID of the policy Template when the Entity parameter value is Template. + +The `action` object of `managed_rule_groups` supports the following: + +* `name` - (Required, String) Specific actions for safe execution. valid values:. +
  • Deny: block
  • Monitor: Monitor
  • ReturnCustomPage: use specified page to block
  • Redirect: Redirect to URL
  • BlockIP: IP block
  • JSChallenge: JavaScript challenge
  • ManagedChallenge: managed challenge
  • Disabled: Disabled
  • Allow: Allow
  • . +* `block_ip_action_parameters` - (Optional, List) Additional parameter when Name is BlockIP. +* `redirect_action_parameters` - (Optional, List) Additional parameter when Name is Redirect. +* `return_custom_page_action_parameters` - (Optional, List) Additional parameter when Name is ReturnCustomPage. + +The `action` object of `rule_actions` supports the following: + +* `name` - (Required, String) Specific actions for safe execution. valid values:. +
  • Deny: block
  • Monitor: Monitor
  • ReturnCustomPage: use specified page to block
  • Redirect: Redirect to URL
  • BlockIP: IP block
  • JSChallenge: JavaScript challenge
  • ManagedChallenge: managed challenge
  • Disabled: Disabled
  • Allow: Allow
  • . +* `block_ip_action_parameters` - (Optional, List) Additional parameter when Name is BlockIP. +* `redirect_action_parameters` - (Optional, List) Additional parameter when Name is Redirect. +* `return_custom_page_action_parameters` - (Optional, List) Additional parameter when Name is ReturnCustomPage. + +The `action` object of `rules` supports the following: + +* `name` - (Required, String) Specific actions for safe execution. valid values:. +
  • Deny: block
  • Monitor: Monitor
  • ReturnCustomPage: use specified page to block
  • Redirect: Redirect to URL
  • BlockIP: IP block
  • JSChallenge: JavaScript challenge
  • ManagedChallenge: managed challenge
  • Disabled: Disabled
  • Allow: Allow
  • . +* `block_ip_action_parameters` - (Optional, List) Additional parameter when Name is BlockIP. +* `redirect_action_parameters` - (Optional, List) Additional parameter when Name is Redirect. +* `return_custom_page_action_parameters` - (Optional, List) Additional parameter when Name is ReturnCustomPage. + +The `auto_update` object of `managed_rules` supports the following: + +* `auto_update_to_latest_version` - (Required, String) Indicates whether to enable automatic update to the latest version. valid values:
  • on: enabled
  • off: disabled
  • . + +The `block_ip_action_parameters` object of `action` supports the following: + +* `duration` - (Required, String) Penalty duration for blocking ips. supported units:
  • s: second, value range 1-120;
  • m: minute, value range 1-120;
  • h: hour, value range 1-48.
  • . + +The `custom_rules` object of `security_policy` supports the following: + +* `rules` - (Optional, List) List of custom rule definitions.
    when modifying the Web protection configuration using ModifySecurityPolicy:
    - if the Rules parameter is not specified or the parameter length of Rules is zero: clear all custom rule configurations.
    - if the parameter value of CustomRules in the SecurityPolicy parameter is not specified: keep the existing custom rule configuration without modification. + +The `managed_rule_groups` object of `managed_rules` supports the following: + +* `action` - (Required, List) Handling actions for managed rule groups. the Name parameter value of SecurityAction supports:
  • Deny: block and respond with an interception page;
  • Monitor: observe, do not process requests and record security events in logs;
  • Disabled: not enabled, do not scan requests and skip this rule.
  • . +* `group_id` - (Required, String) Group name of the managed rule. if the rule group for the configuration is not specified, it will be processed based on the default configuration. refer to product documentation for the specific value of GroupId. +* `sensitivity_level` - (Required, String) Protection level of the managed rule group. valid values:
  • loose: lenient, only contains ultra-high risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • normal: normal, contains ultra-high risk and high-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • strict: strict, contains ultra-high risk, high-risk and medium-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • extreme: super strict, contains ultra-high risk, high-risk, medium-risk and low-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • custom: custom, refined strategy. configure the disposal method for each individual rule. at this point, the Action field is invalid. use RuleActions to configure the refined strategy for each individual rule.
  • . +* `rule_actions` - (Optional, List) Specific configuration of rule items under the managed rule group. the configuration is effective only when SensitivityLevel is custom. + +The `managed_rules` object of `security_policy` supports the following: + +* `detection_only` - (Required, String) Indicates whether the evaluation mode is Enabled. it is valid only when the Enabled parameter is set to on. valid values:
  • on: Enabled. all managed rules take effect in observation mode.
  • off: disabled. all managed rules take effect according to the actual configuration.
  • . +* `enabled` - (Required, String) Indicates whether the managed rule is enabled. valid values:
  • on: enabled. all managed rules take effect as configured;
  • off: disabled. all managed rules do not take effect.
  • . +* `auto_update` - (Optional, List) Managed rule automatic update option. +* `managed_rule_groups` - (Optional, Set) Configuration of the managed rule group. if this structure is passed as an empty array or the GroupId is not included in the list, it will be processed based on the default method. +* `semantic_analysis` - (Optional, String) Whether the managed rule semantic analysis option is Enabled is valid only when the Enabled parameter is on. valid values:
  • on: enable. perform semantic analysis on requests before processing them;
  • off: disable. process requests directly without semantic analysis.

  • default off. + +The `meta_data` object of `managed_rule_groups` supports the following: + + +The `redirect_action_parameters` object of `action` supports the following: + +* `url` - (Required, String) Redirect URL. + +The `return_custom_page_action_parameters` object of `action` supports the following: + +* `error_page_id` - (Required, String) Response custom page ID. +* `response_code` - (Required, String) Response status code. + +The `rule_actions` object of `managed_rule_groups` supports the following: + +* `action` - (Required, List) Specify the handling action for the managed rule item in RuleId. the Name parameter value of SecurityAction supports:
  • Deny: block and respond with an interception page;
  • Monitor: observe, do not process the request and record the security event in logs;
  • Disabled: Disabled, do not scan the request and skip this rule.
  • . +* `rule_id` - (Required, String) Specific items under the managed rule group, which are used to rewrite the configuration content of this individual rule item. refer to product documentation for details. + +The `rule_details` object of `meta_data` supports the following: + + +The `rules` object of `custom_rules` supports the following: + +* `action` - (Required, List) Execution actions for custom rules. the Name parameter value of SecurityAction supports:
  • Deny: block;
  • Monitor: observe;
  • ReturnCustomPage: block using a specified page;
  • Redirect: Redirect to URL;
  • BlockIP: IP blocking;
  • JSChallenge: JavaScript challenge;
  • ManagedChallenge: managed challenge;
  • Allow: Allow.
  • . +* `condition` - (Required, String) The specific content of the custom rule must comply with the expression grammar. please refer to the product document for detailed specifications. +* `enabled` - (Required, String) Indicates whether the custom rule is enabled. valid values:
  • on: enabled
  • off: disabled
  • . +* `name` - (Required, String) The name of the custom rule. +* `id` - (Optional, String) The ID of a custom rule.
    the rule ID supports different rule configuration operations:
    - add a new rule: ID is empty or the ID parameter is not specified;
    - modify an existing rule: specify the rule ID that needs to be updated/modified;
    - delete an existing rule: existing Rules not included in the Rules list of the CustomRules parameter will be deleted. +* `priority` - (Optional, Int) Customizes the priority of rules. value range: 0-100. it defaults to 0. only supports `rule_type` is `PreciseMatchRule`. +* `rule_type` - (Optional, String) Type of custom rule. valid values:
  • BasicAccessRule: basic access control;
  • PreciseMatchRule: exact matching rule, default;
  • ManagedAccessRule: expert customized rule, for output only.
  • the default value is PreciseMatchRule. + +The `security_policy` object supports the following: + +* `custom_rules` - (Optional, List) Custom rule configuration. +* `managed_rules` - (Optional, List) Managed rule configuration. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - ID of the resource. + + + +## Import + +teo security policy can be imported using the id, e.g. + +``` +# If entity is ZoneDefaultPolicy +terraform import tencentcloud_teo_security_policy_config.example zone-37u62pwxfo8s#ZoneDefaultPolicy +# If entity is Host +terraform import tencentcloud_teo_security_policy_config.example zone-37u62pwxfo8s#Host#www.example.com +# If entity is Template +terraform import tencentcloud_teo_security_policy_config.example zone-37u62pwxfo8s#Template#temp-05dtxkyw +``` + diff --git a/website/tencentcloud.erb b/website/tencentcloud.erb index 0ca22b60d1..f3241d9634 100644 --- a/website/tencentcloud.erb +++ b/website/tencentcloud.erb @@ -5277,11 +5277,15 @@ tencentcloud_teo_rule_engine
  • +<<<<<<< HEAD <<<<<<< HEAD tencentcloud_teo_security_ip_group ======= tencentcloud_teo_security_policy >>>>>>> 12fb513b7 (add) +======= + tencentcloud_teo_security_policy_config +>>>>>>> ca92b2b31 (add)
  • tencentcloud_teo_zone From 6d28358fe48ca2032e12cd953d9c4d687f029d52 Mon Sep 17 00:00:00 2001 From: SevenEarth <391613297@qq.com> Date: Thu, 27 Mar 2025 15:09:39 +0800 Subject: [PATCH 5/7] add --- .changelog/3237.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.changelog/3237.txt b/.changelog/3237.txt index 3d13837350..64ed3195f8 100644 --- a/.changelog/3237.txt +++ b/.changelog/3237.txt @@ -1,3 +1,3 @@ ```release-note:new-resource -tencentcloud_teo_security_policy +tencentcloud_teo_security_policy_config ``` From 436efbc6c10f1c78b2d1570b6e89986193a04c8d Mon Sep 17 00:00:00 2001 From: SevenEarth <391613297@qq.com> Date: Thu, 27 Mar 2025 15:24:01 +0800 Subject: [PATCH 6/7] add --- .../services/teo/resource_tc_teo_security_policy_config.md | 2 +- website/docs/r/teo_security_policy_config.html.markdown | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tencentcloud/services/teo/resource_tc_teo_security_policy_config.md b/tencentcloud/services/teo/resource_tc_teo_security_policy_config.md index 9b6b9c2300..1bb0036cce 100644 --- a/tencentcloud/services/teo/resource_tc_teo_security_policy_config.md +++ b/tencentcloud/services/teo/resource_tc_teo_security_policy_config.md @@ -1,6 +1,6 @@ Provides a resource to create a teo security policy -~> **NOTE:** If the user's EO version is the personal version, `managed_rule_groups` needs to set one; If the user's EO version is a non personal version, `managed_rule_groups` needs to set 17. +~> **NOTE:** If the user's EO version is the personal version, `managed_rule_groups` needs to set one; If the user's EO version is a non personal version, `managed_rule_groups` needs to set 17. If the user does not set the `managed_rule_groups` parameter, the system will generate it by default. Example Usage diff --git a/website/docs/r/teo_security_policy_config.html.markdown b/website/docs/r/teo_security_policy_config.html.markdown index cf6afd3eab..ad00ee43e2 100644 
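Review bot: The new side of this hunk commits merge-conflict markers into website/tencentcloud.erb: `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> ca92b2b31 (add)` are added around the new `tencentcloud_teo_security_policy_config` entry, and they nest inside an older unresolved pair (`<<<<<<< HEAD` … `>>>>>>> 12fb513b7 (add)`) that is already present as context, so the sidebar template is left unrenderable and lists both `tencentcloud_teo_security_policy` and `tencentcloud_teo_security_policy_config`. The hunk should carry only the resolved state, i.e. a single `tencentcloud_teo_security_policy_config` entry between `tencentcloud_teo_security_ip_group` and `tencentcloud_teo_zone`, with the pre-existing markers and the stale `tencentcloud_teo_security_policy` entry removed as well, since that resource is deleted later in this series. PATCH 7/7 touches this file again (2 insertions, 7 deletions), which presumably resolves the conflict, but that resolution is not visible here; the remaining context lines of this 11/15-line hunk are also not fully reproduced in this view.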
--- a/website/docs/r/teo_security_policy_config.html.markdown +++ b/website/docs/r/teo_security_policy_config.html.markdown @@ -11,7 +11,7 @@ description: |- Provides a resource to create a teo security policy -~> **NOTE:** If the user's EO version is the personal version, `managed_rule_groups` needs to set one; If the user's EO version is a non personal version, `managed_rule_groups` needs to set 17. +~> **NOTE:** If the user's EO version is the personal version, `managed_rule_groups` needs to set one; If the user's EO version is a non personal version, `managed_rule_groups` needs to set 17. If the user does not set the `managed_rule_groups` parameter, the system will generate it by default. ## Example Usage From 752ff1ecee2faab055df76df806da84ca51eeadd Mon Sep 17 00:00:00 2001 From: SevenEarth <391613297@qq.com> Date: Thu, 27 Mar 2025 19:20:58 +0800 Subject: [PATCH 7/7] add --- tencentcloud/provider.md | 1 - .../docs/r/teo_security_policy.html.markdown | 682 ------------------ website/tencentcloud.erb | 9 +- 3 files changed, 2 insertions(+), 690 deletions(-) delete mode 100644 website/docs/r/teo_security_policy.html.markdown diff --git a/tencentcloud/provider.md b/tencentcloud/provider.md index 46f46a61e9..034757c11d 100644 --- a/tencentcloud/provider.md +++ b/tencentcloud/provider.md @@ -1493,7 +1493,6 @@ tencentcloud_teo_function_runtime_environment tencentcloud_teo_l7_acc_rule tencentcloud_teo_l7_acc_setting tencentcloud_teo_security_ip_group -tencentcloud_teo_security_policy tencentcloud_teo_security_policy_config TencentCloud ServiceMesh(TCM) diff --git a/website/docs/r/teo_security_policy.html.markdown b/website/docs/r/teo_security_policy.html.markdown deleted file mode 100644 index e85e9d850d..0000000000 --- a/website/docs/r/teo_security_policy.html.markdown +++ /dev/null 
@@ -1,682 +0,0 @@ ---- -subcategory: "TencentCloud EdgeOne(TEO)" -layout: "tencentcloud" -page_title: "TencentCloud: tencentcloud_teo_security_policy" -sidebar_current: "docs-tencentcloud-resource-teo_security_policy" -description: |- - Provides a resource to create a teo security policy ---- - -# tencentcloud_teo_security_policy - -Provides a resource to create a teo security policy - -~> **NOTE:** If the user's EO version is the personal version, `managed_rule_groups` needs to set one; If the user's EO version is a non personal version, `managed_rule_groups` needs to set 17. - -## Example Usage - -### If entity is ZoneDefaultPolicy - -```hcl -resource "tencentcloud_teo_security_policy" "example" { - zone_id = "zone-37u62pwxfo8s" - entity = "ZoneDefaultPolicy" - security_policy { - custom_rules { - rules { - name = "rule1" - condition = "$${http.request.host} contain ['abc']" - enabled = "on" - rule_type = "PreciseMatchRule" - priority = 50 - action { - name = "BlockIP" - block_ip_action_parameters { - duration = "120s" - } - } - } - - rules { - name = "rule2" - condition = "$${http.request.ip} in ['119.28.103.58']" - enabled = "off" - id = "2182252647" - rule_type = "BasicAccessRule" - action { - name = "Deny" - } - } - } - - managed_rules { - enabled = "on" - detection_only = "off" - semantic_analysis = "off" - auto_update { - auto_update_to_latest_version = "off" - } - - managed_rule_groups { - group_id = "wafgroup-webshell-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-xxe-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-non-compliant-protocol-usages" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-file-upload-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = 
"wafgroup-command-and-code-injections" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-ldap-injections" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-ssrf-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-unauthorized-accesses" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-xss-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-vulnerability-scanners" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-cms-vulnerabilities" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-other-vulnerabilities" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-sql-injections" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-unauthorized-file-accesses" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-oa-vulnerabilities" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-ssti-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-shiro-vulnerabilities" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - } - } -} -``` - -### If entity is Host - -```hcl -resource "tencentcloud_teo_security_policy" "example" { - zone_id = "zone-37u62pwxfo8s" - entity = "Host" - host = "www.example.com" - security_policy { - custom_rules { - rules { - name = "rule1" - condition = 
"$${http.request.host} contain ['abc']" - enabled = "on" - rule_type = "PreciseMatchRule" - priority = 50 - action { - name = "BlockIP" - block_ip_action_parameters { - duration = "120s" - } - } - } - - rules { - name = "rule2" - condition = "$${http.request.ip} in ['119.28.103.58']" - enabled = "off" - id = "2182252647" - rule_type = "BasicAccessRule" - action { - name = "Deny" - } - } - } - - managed_rules { - enabled = "on" - detection_only = "off" - semantic_analysis = "off" - auto_update { - auto_update_to_latest_version = "off" - } - - managed_rule_groups { - group_id = "wafgroup-webshell-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-xxe-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-non-compliant-protocol-usages" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-file-upload-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-command-and-code-injections" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-ldap-injections" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-ssrf-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-unauthorized-accesses" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-xss-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-vulnerability-scanners" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-cms-vulnerabilities" - sensitivity_level = "strict" - 
action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-other-vulnerabilities" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-sql-injections" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-unauthorized-file-accesses" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-oa-vulnerabilities" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-ssti-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-shiro-vulnerabilities" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - } - } -} -``` - -### If entity is Template - -```hcl -resource "tencentcloud_teo_security_policy" "example" { - zone_id = "zone-37u62pwxfo8s" - entity = "Template" - template_id = "temp-05dtxkyw" - security_policy { - custom_rules { - rules { - name = "rule1" - condition = "$${http.request.host} contain ['abc']" - enabled = "on" - rule_type = "PreciseMatchRule" - priority = 50 - action { - name = "BlockIP" - block_ip_action_parameters { - duration = "120s" - } - } - } - - rules { - name = "rule2" - condition = "$${http.request.ip} in ['119.28.103.58']" - enabled = "off" - id = "2182252647" - rule_type = "BasicAccessRule" - action { - name = "Deny" - } - } - } - - managed_rules { - enabled = "on" - detection_only = "off" - semantic_analysis = "off" - auto_update { - auto_update_to_latest_version = "off" - } - - managed_rule_groups { - group_id = "wafgroup-webshell-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-xxe-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = 
"wafgroup-non-compliant-protocol-usages" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-file-upload-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-command-and-code-injections" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-ldap-injections" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-ssrf-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-unauthorized-accesses" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-xss-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-vulnerability-scanners" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-cms-vulnerabilities" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-other-vulnerabilities" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-sql-injections" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-unauthorized-file-accesses" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-oa-vulnerabilities" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-ssti-attacks" - sensitivity_level = "strict" - action { - name = "Deny" - } - } - - managed_rule_groups { - group_id = "wafgroup-shiro-vulnerabilities" - sensitivity_level = "strict" - action { - name = "Deny" - } 
- } - } - } -} -``` - -## Argument Reference - -The following arguments are supported: - -* `zone_id` - (Required, String, ForceNew) Zone ID. -* `entity` - (Optional, String, ForceNew) Security policy type. the following parameter values can be used:
  • ZoneDefaultPolicy: used to specify a site-level policy;
  • Template: used to specify a policy Template. you need to simultaneously specify the TemplateId parameter;
  • Host: used to specify a domain-level policy (note: when using a domain name to specify a dns service policy, only dns services or policy templates that have applied a domain-level policy are supported).
  • . -* `host` - (Optional, String, ForceNew) Specifies the specified domain. when the Entity parameter value is Host, use the domain-level policy specified by this parameter. for example: use www.example.com to configure the domain-level policy of the domain. -* `security_policy` - (Optional, List) Security policy configuration. it is recommended to use for custom policies and managed rule configurations of Web protection. it supports configuring security policies with expression grammar. -* `template_id` - (Optional, String, ForceNew) Specify the policy Template ID. use this parameter to specify the ID of the policy Template when the Entity parameter value is Template. - -The `action` object of `managed_rule_groups` supports the following: - -* `name` - (Required, String) Specific actions for safe execution. valid values:. -
  • Deny: block
  • Monitor: Monitor
  • ReturnCustomPage: use specified page to block
  • Redirect: Redirect to URL
  • BlockIP: IP block
  • JSChallenge: JavaScript challenge
  • ManagedChallenge: managed challenge
  • Disabled: Disabled
  • Allow: Allow
  • . -* `block_ip_action_parameters` - (Optional, List) Additional parameter when Name is BlockIP. -* `redirect_action_parameters` - (Optional, List) Additional parameter when Name is Redirect. -* `return_custom_page_action_parameters` - (Optional, List) Additional parameter when Name is ReturnCustomPage. - -The `action` object of `rule_actions` supports the following: - -* `name` - (Required, String) Specific actions for safe execution. valid values:. -
  • Deny: block
  • Monitor: Monitor
  • ReturnCustomPage: use specified page to block
  • Redirect: Redirect to URL
  • BlockIP: IP block
  • JSChallenge: JavaScript challenge
  • ManagedChallenge: managed challenge
  • Disabled: Disabled
  • Allow: Allow
  • . -* `block_ip_action_parameters` - (Optional, List) Additional parameter when Name is BlockIP. -* `redirect_action_parameters` - (Optional, List) Additional parameter when Name is Redirect. -* `return_custom_page_action_parameters` - (Optional, List) Additional parameter when Name is ReturnCustomPage. - -The `action` object of `rules` supports the following: - -* `name` - (Required, String) Specific actions for safe execution. valid values:. -
  • Deny: block
  • Monitor: Monitor
  • ReturnCustomPage: use specified page to block
  • Redirect: Redirect to URL
  • BlockIP: IP block
  • JSChallenge: JavaScript challenge
  • ManagedChallenge: managed challenge
  • Disabled: Disabled
  • Allow: Allow
  • . -* `block_ip_action_parameters` - (Optional, List) Additional parameter when Name is BlockIP. -* `redirect_action_parameters` - (Optional, List) Additional parameter when Name is Redirect. -* `return_custom_page_action_parameters` - (Optional, List) Additional parameter when Name is ReturnCustomPage. - -The `auto_update` object of `managed_rules` supports the following: - -* `auto_update_to_latest_version` - (Required, String) Indicates whether to enable automatic update to the latest version. valid values:
  • on: enabled
  • off: disabled
  • . - -The `block_ip_action_parameters` object of `action` supports the following: - -* `duration` - (Required, String) Penalty duration for blocking ips. supported units:
  • s: second, value range 1-120;
  • m: minute, value range 1-120;
  • h: hour, value range 1-48.
  • . - -The `custom_rules` object of `security_policy` supports the following: - -* `rules` - (Optional, List) List of custom rule definitions.
    when modifying the Web protection configuration using ModifySecurityPolicy:
    - if the Rules parameter is not specified or the parameter length of Rules is zero: clear all custom rule configurations.
    - if the parameter value of CustomRules in the SecurityPolicy parameter is not specified: keep the existing custom rule configuration without modification. - -The `managed_rule_groups` object of `managed_rules` supports the following: - -* `action` - (Required, List) Handling actions for managed rule groups. the Name parameter value of SecurityAction supports:
  • Deny: block and respond with an interception page;
  • Monitor: observe, do not process requests and record security events in logs;
  • Disabled: not enabled, do not scan requests and skip this rule.
  • . -* `group_id` - (Required, String) Group name of the managed rule. if the rule group for the configuration is not specified, it will be processed based on the default configuration. refer to product documentation for the specific value of GroupId. -* `sensitivity_level` - (Required, String) Protection level of the managed rule group. valid values:
  • loose: lenient, only contains ultra-high risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • normal: normal, contains ultra-high risk and high-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • strict: strict, contains ultra-high risk, high-risk and medium-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • extreme: super strict, contains ultra-high risk, high-risk, medium-risk and low-risk rules. at this point, configure Action, and RuleActions configuration is invalid;
  • custom: custom, refined strategy. configure the disposal method for each individual rule. at this point, the Action field is invalid. use RuleActions to configure the refined strategy for each individual rule.
  • . -* `rule_actions` - (Optional, List) Specific configuration of rule items under the managed rule group. the configuration is effective only when SensitivityLevel is custom. - -The `managed_rules` object of `security_policy` supports the following: - -* `detection_only` - (Required, String) Indicates whether the evaluation mode is Enabled. it is valid only when the Enabled parameter is set to on. valid values:
  • on: Enabled. all managed rules take effect in observation mode.
  • off: disabled. all managed rules take effect according to the actual configuration.
  • . -* `enabled` - (Required, String) Indicates whether the managed rule is enabled. valid values:
  • on: enabled. all managed rules take effect as configured;
  • off: disabled. all managed rules do not take effect.
  • . -* `auto_update` - (Optional, List) Managed rule automatic update option. -* `managed_rule_groups` - (Optional, Set) Configuration of the managed rule group. if this structure is passed as an empty array or the GroupId is not included in the list, it will be processed based on the default method. -* `semantic_analysis` - (Optional, String) Whether the managed rule semantic analysis option is Enabled is valid only when the Enabled parameter is on. valid values:
  • on: enable. perform semantic analysis on requests before processing them;
  • off: disable. process requests directly without semantic analysis.

  • default off. - -The `meta_data` object of `managed_rule_groups` supports the following: - - -The `redirect_action_parameters` object of `action` supports the following: - -* `url` - (Required, String) Redirect URL. - -The `return_custom_page_action_parameters` object of `action` supports the following: - -* `error_page_id` - (Required, String) Response custom page ID. -* `response_code` - (Required, String) Response status code. - -The `rule_actions` object of `managed_rule_groups` supports the following: - -* `action` - (Required, List) Specify the handling action for the managed rule item in RuleId. the Name parameter value of SecurityAction supports:
  • Deny: block and respond with an interception page;
  • Monitor: observe, do not process the request and record the security event in logs;
  • Disabled: Disabled, do not scan the request and skip this rule.
  • . -* `rule_id` - (Required, String) Specific items under the managed rule group, which are used to rewrite the configuration content of this individual rule item. refer to product documentation for details. - -The `rule_details` object of `meta_data` supports the following: - - -The `rules` object of `custom_rules` supports the following: - -* `action` - (Required, List) Execution actions for custom rules. the Name parameter value of SecurityAction supports:
  • Deny: block;
  • Monitor: observe;
  • ReturnCustomPage: block using a specified page;
  • Redirect: Redirect to URL;
  • BlockIP: IP blocking;
  • JSChallenge: JavaScript challenge;
  • ManagedChallenge: managed challenge;
  • Allow: Allow.
  • . -* `condition` - (Required, String) The specific content of the custom rule must comply with the expression grammar. please refer to the product document for detailed specifications. -* `enabled` - (Required, String) Indicates whether the custom rule is enabled. valid values:
  • on: enabled
  • off: disabled
  • . -* `name` - (Required, String) The name of the custom rule. -* `id` - (Optional, String) The ID of a custom rule.
    the rule ID supports different rule configuration operations:
    - add a new rule: ID is empty or the ID parameter is not specified;
    - modify an existing rule: specify the rule ID that needs to be updated/modified;
    - delete an existing rule: existing Rules not included in the Rules list of the CustomRules parameter will be deleted. -* `priority` - (Optional, Int) Customizes the priority of rules. value range: 0-100. it defaults to 0. only supports `rule_type` is `PreciseMatchRule`. -* `rule_type` - (Optional, String) Type of custom rule. valid values:
  • BasicAccessRule: basic access control;
  • PreciseMatchRule: exact matching rule, default;
  • ManagedAccessRule: expert customized rule, for output only.
  • the default value is PreciseMatchRule. - -The `security_policy` object supports the following: - -* `custom_rules` - (Optional, List) Custom rule configuration. -* `managed_rules` - (Optional, List) Managed rule configuration. - -## Attributes Reference - -In addition to all arguments above, the following attributes are exported: - -* `id` - ID of the resource. - - - -## Import - -teo security policy can be imported using the id, e.g. - -``` -# If entity is ZoneDefaultPolicy -terraform import tencentcloud_teo_security_policy.example zone-37u62pwxfo8s#ZoneDefaultPolicy -# If entity is Host -terraform import tencentcloud_teo_security_policy.example zone-37u62pwxfo8s#Host#www.example.com -# If entity is Template -terraform import tencentcloud_teo_security_policy.example zone-37u62pwxfo8s#Template#temp-05dtxkyw -``` - diff --git a/website/tencentcloud.erb b/website/tencentcloud.erb index f3241d9634..f4137adedc 100644 --- a/website/tencentcloud.erb +++ b/website/tencentcloud.erb @@ -5277,15 +5277,10 @@ tencentcloud_teo_rule_engine
  • -<<<<<<< HEAD -<<<<<<< HEAD tencentcloud_teo_security_ip_group -======= - tencentcloud_teo_security_policy ->>>>>>> 12fb513b7 (add) -======= +
  • +
  • tencentcloud_teo_security_policy_config ->>>>>>> ca92b2b31 (add)
  • tencentcloud_teo_zone
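Review bot: Merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 12fb513b7 (add)`, `>>>>>>> ca92b2b31 (add)`) had been committed into this sidebar template, and the hunk only removes them by hand; nothing in the change stops the same markers from landing again. A cheap guard is to run `git diff --check` over `website/` in CI or a pre-commit hook, since it fails on leftover conflict markers as well as whitespace errors. The two added `+` lines are not readable in this rendering, so please confirm they are the intended list-item wrapper around the `tencentcloud_teo_security_policy_config` entry rather than stray blank lines. Any closing tags that follow the `tencentcloud_teo_zone` context line are outside the visible part of the hunk.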