Provide a method for waiting on imperva-generated cert approval #235

Open
2 tasks done
thatcoleyouknow opened this issue Oct 27, 2022 · 2 comments

thatcoleyouknow commented Oct 27, 2022

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Imperva provider version

Terraform v1.2.2
on darwin_arm64

  • provider registry.terraform.io/hashicorp/google v4.41.0
  • provider registry.terraform.io/hashicorp/time v0.9.0
  • provider registry.terraform.io/imperva/incapsula v3.9.1
  • provider registry.terraform.io/infobloxopen/infoblox v2.1.0

Affected resource(s)

incapsula_application_delivery

Terraform configuration files

resource "incapsula_site" "main" {
  domain                 = var.fqdn
  domain_validation      = "dns"
  send_site_setup_emails = "false"
  site_ip                = var.fqdn
  force_ssl              = "true"
  data_storage_region    = "US"
  wildcard_san           = "false"
}

resource "incapsula_data_centers_configuration" "main" {
  site_id       = incapsula_site.main.id
  site_topology = "SINGLE_DC"

  data_center {
    name    = "New DC"
    ip_mode = "MULTIPLE_IP"

    origin_server {
      address   = var.destination_ip_or_fqdn # the DNS/IP of the ELB
      is_active = true
    }
  }
}

resource "incapsula_application_delivery" "main" {
  site_id                     = incapsula_site.main.id
  file_compression            = true
  minify_css                  = true
  minify_js                   = true
  minify_static_html          = true
  compress_jpeg               = true
  progressive_image_rendering = false
  aggressive_compression      = false
  compress_png                = true
  tcp_pre_pooling             = true
  origin_connection_reuse     = true
  support_non_sni_clients     = true
  enable_http2                = true
  http2_to_origin             = true
  redirect_http_to_https      = true
  redirect_naked_to_full      = false

  lifecycle {
    ignore_changes = [port_to, ssl_port_to]
  }
}

Debug output

N/A

Panic output

N/A

Expected output

The application delivery resource to apply successfully

Actual output

│ Error: Error status code 401 from Incapsula service when Updating Application Delivery for Site ID [redacted]: {"res":9415,"res_message":"Operation not allowed","debug_info":{"error":"HTTP/2 support requires that SSL will be configured for your website","id-info":"999999"}}

│ with module.base.module.imperva_site[0].incapsula_application_delivery.main

Steps to reproduce

  1. Apply a terraform configuration containing an incapsula_site, incapsula_data_centers_configuration and incapsula_application_delivery resource like the example configuration above. Using an imperva-generated certificate is required to reproduce this issue.
  2. The incapsula_site and incapsula_data_centers_configuration resource will deploy successfully but the incapsula_application_delivery resource will fail (with the error above) because the SSL cert hasn't been approved yet.

Additional factoids

The certificate request approval time seems to vary anywhere from seconds up to an hour. I've seen it take as long as 45-50 minutes in the past couple of days. Querying the site status API (https://my.imperva.com/api/prov/v1/sites/status?site_id=[redacted]) returns a status of "pending-certificate" until the cert has been approved. I wrote a hacky solution to query this API every 10 seconds until the status returns "fully-configured", which is the only time I can successfully apply the incapsula_application_delivery resource to finish configuring my site. This is very frustrating and prevents our terraform module from deploying a site in a single run. Could we get a resource or data source that waits for the cert request approval before continuing so I can apply the incapsula_application_delivery resource in a single run? You all may feel it would be better to add that logic to the site resource or something else, but any method to work around this would be /very/ helpful.

I'll be opening a support case to help escalate this request internally as well.

Thank you!

References

N/A
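
The polling workaround described in this issue, written out as an added example (not code from the issue author or the provider): a Go wait loop that stops on "fully-configured" and is bounded by a context deadline, so a certificate that is never approved fails the run instead of hanging it. The function name `waitForSiteStatus`, the JSON field `status`, the POST method and the `x-API-Id`/`x-API-Key` header names are assumptions; `main` runs against a constructed local stand-in for the status API.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// waitForSiteStatus re-sends req until the reply reports want or ctx expires; it returns the last status seen.
func waitForSiteStatus(ctx context.Context, c *http.Client, req *http.Request, want string, every time.Duration) (last string, err error) {
	for {
		resp, err := c.Do(req.WithContext(ctx))
		if err != nil {
			return last, err
		}
		var body struct{ Status string `json:"status"` } // field name is an assumption
		err = json.NewDecoder(resp.Body).Decode(&body)
		resp.Body.Close()
		if resp.StatusCode != http.StatusOK || err != nil {
			return last, fmt.Errorf("status query failed: HTTP %d, decode error: %v", resp.StatusCode, err)
		}
		if last = body.Status; last == want {
			return last, nil
		}
		select {
		case <-ctx.Done():
			return last, fmt.Errorf("gave up at status %q: %w", last, ctx.Err())
		case <-time.After(every):
		}
	}
}

func main() {
	// Constructed stand-in for the status API: two pending replies, then fully-configured.
	replies := []string{"pending-certificate", "pending-certificate", "fully-configured"}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintf(w, `{"status":%q}`, replies[0])
		replies = append(replies[1:], replies[len(replies)-1])
	}))
	defer srv.Close()
	req, _ := http.NewRequest(http.MethodPost, srv.URL+"?site_id=0", nil)
	req.Header.Set("x-API-Id", "constructed-id") // assumed header names; keeps credentials out of the URL
	req.Header.Set("x-API-Key", "constructed-key")
	ctx, cancel := context.WithTimeout(context.Background(), time.Hour)
	defer cancel()
	fmt.Println(waitForSiteStatus(ctx, srv.Client(), req, "fully-configured", 10*time.Millisecond))
}
```

For real use, build the request against the status URL quoted in the issue, read the credentials from the environment, and poll every 10 seconds as the issue describes.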

Collaborator

BrachaY commented Nov 3, 2022

Hi @colereynolds
Thanks for reaching out.
We are checking your issue, and hope to return with answers soon.

@thatcoleyouknow
Author

Any update on this?
