feat(cdn): Add support for configuring WAF#1372
feat(cdn): Add support for configuring WAF#1372matheuspolitano wants to merge 81 commits intostackitcloud:mainfrom
…b.com/matheuspolitano/terraform-provider-stackit into mp/cdn/feat/implement-configuring-waf
|
|
||
| // getWafSet extracts strings from HCL set, sorts them and returns the slice | ||
| func getWafSet(ctx context.Context, tfSet basetypes.SetValue) []string { | ||
| if utils.IsUndefined(tfSet) { | ||
| return nil | ||
| } | ||
| var elements []string | ||
| diags := tfSet.ElementsAs(ctx, &elements, true) | ||
| if diags.HasError() { | ||
| return []string{} | ||
| } | ||
| sort.Strings(elements) | ||
| return elements | ||
| } |
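Review bot: In getWafSet, `tfSet.ElementsAs(ctx, &elements, true)` passes `allowUnhandled` as true, so a null or unknown element inside an otherwise known set is converted to an empty string instead of producing a diagnostic. `utils.IsUndefined(tfSet)` presumably checks only the set as a whole, so such elements would reach the WAF request as `""` entries. Passing `false` and surfacing the diagnostics would keep a partially unknown rule or method list from being applied silently; the same check is worth making on whatever helper replaces this function. The same code is quoted again further down the thread.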
Why does the slice need to be sorted? Does the API take care of the order? If not, you can use conversion.StringSetToSlice() instead of this function; there you shouldn't ignore the error like it was done here.
i've removed the sort
same here, remove this function and use instead everywhere conversion.StringSetToSlice()
| // getWafSet extracts strings from HCL set, sorts them and returns the slice | |
| func getWafSet(ctx context.Context, tfSet basetypes.SetValue) []string { | |
| if utils.IsUndefined(tfSet) { | |
| return nil | |
| } | |
| var elements []string | |
| diags := tfSet.ElementsAs(ctx, &elements, true) | |
| if diags.HasError() { | |
| return []string{} | |
| } | |
| sort.Strings(elements) | |
| return elements | |
| } |
| mapWafString := func(apiVal *string) types.String { | ||
| if apiVal != nil { | ||
| return types.StringValue(*apiVal) | ||
| } | ||
| return types.StringNull() | ||
| } |
you can use the function types.StringPointerValue() from the terraform framework itself instead of this function
I meant that the whole mapWafString function should be removed here and types.StringPointerValue() used everywhere instead. It does the same thing and keeps the code clean because it is a function of the framework.
| mapWafString := func(apiVal *string) types.String { | |
| if apiVal != nil { | |
| return types.StringValue(*apiVal) | |
| } | |
| return types.StringNull() | |
| } |
Co-authored-by: Marcel Jacek <72880145+marceljk@users.noreply.github.com>
…b.com/matheuspolitano/terraform-provider-stackit into mp/cdn/feat/implement-configuring-waf
Co-authored-by: Marcel Jacek <72880145+marceljk@users.noreply.github.com>
…b.com/matheuspolitano/terraform-provider-stackit into mp/cdn/feat/implement-configuring-waf
| mapWafString := func(apiVal *string) types.String { | ||
| if apiVal != nil { | ||
| return types.StringValue(*apiVal) | ||
| } | ||
| return types.StringNull() | ||
| } |
I meant that the whole mapWafString function should be removed here and types.StringPointerValue() used everywhere instead. It does the same thing and keeps the code clean because it is a function of the framework.
| mapWafString := func(apiVal *string) types.String { | |
| if apiVal != nil { | |
| return types.StringValue(*apiVal) | |
| } | |
| return types.StringNull() | |
| } |
|
|
||
| // getWafSet extracts strings from HCL set, sorts them and returns the slice | ||
| func getWafSet(ctx context.Context, tfSet basetypes.SetValue) []string { | ||
| if utils.IsUndefined(tfSet) { | ||
| return nil | ||
| } | ||
| var elements []string | ||
| diags := tfSet.ElementsAs(ctx, &elements, true) | ||
| if diags.HasError() { | ||
| return []string{} | ||
| } | ||
| sort.Strings(elements) | ||
| return elements | ||
| } |
same here, remove this function and use instead everywhere conversion.StringSetToSlice()
| // getWafSet extracts strings from HCL set, sorts them and returns the slice | |
| func getWafSet(ctx context.Context, tfSet basetypes.SetValue) []string { | |
| if utils.IsUndefined(tfSet) { | |
| return nil | |
| } | |
| var elements []string | |
| diags := tfSet.ElementsAs(ctx, &elements, true) | |
| if diags.HasError() { | |
| return []string{} | |
| } | |
| sort.Strings(elements) | |
| return elements | |
| } |
| // Helper to unconditionally map set fields | ||
| func mustMapStringSet(ctx context.Context, apiList []string) types.Set { | ||
| if apiList != nil { | ||
| setVal, diags := types.SetValueFrom(ctx, types.StringType, apiList) | ||
| if !diags.HasError() { | ||
| return setVal | ||
| } | ||
| } | ||
| return types.SetNull(types.StringType) | ||
| } |
Move this to the conversion package and name it to something like SliceToStringSet and avoid context if possible and don't ignore the error.
Could be something like this:
func SliceToStringSet(list []string) (types.Set, error) {
if list == nil {
return types.SetNull(types.StringType), nil
}
set := make([]attr.Value, len(list))
for idx, v := range list {
stringValue := types.StringValue(v)
set[idx] = stringValue
}
result, diags := types.SetValue(types.StringType, set)
if diags.HasError() {
return types.SetNull(types.StringType), fmt.Errorf("converting to SetValue: %v", diags.Errors())
}
return result, nil
}| isWafDisabled := (distribution.Config.Waf.Mode == cdnSdk.WAFMODE_DISABLED) && | ||
| (distribution.Config.Waf.Type == cdnSdk.WAFTYPE_FREE) | ||
|
|
||
| var wafVal attr.Value | ||
| if isWafDisabled && (isImport || utils.IsUndefined(oldConfig.Waf)) { | ||
| wafVal = types.ObjectNull(wafTypes) | ||
| } else { |
I'm against this workaround here. The datasource always shows waf with its attributes, and the resource should behave the same, even if it's not configured by the customer.
| resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.allowed_http_methods.#", "1"), | ||
| resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.allowed_http_methods.0", "GET"), |
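Review bot: The check on `config.waf.allowed_http_methods.0` addresses an element by index; if `allowed_http_methods` is a set attribute (the set helpers quoted on this page suggest so), element order in state is not guaranteed and the assertion only holds while the set has a single element. `resource.TestCheckTypeSetElemAttr("stackit_cdn_distribution.distribution", "config.waf.allowed_http_methods.*", "GET")` asserts membership without depending on order.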
Don't set the values here by hand. Use them from your config.
| resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.allowed_http_methods.#", "1"), | |
| resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.allowed_http_methods.0", "GET"), | |
| resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.allowed_http_methods.#", "1"), | |
| resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.allowed_http_methods.0", testConfigVarsHttp["waf_allowed_http_methods"]), |
Change it also for all other checks, even in the Read via datasource and update step
Description
https://jira.schwarz/browse/STACKITCDN-723
I want to add support for the waf configuration block in the CDN distribution resource, so that users can programmatically manage security tiers, paranoia levels, and granular rule overrides (Enabled/Disabled/Log-only) via Terraform.
Checklist
make fmtexamples/directory)make generate-docs(will be checked by CI)make test(will be checked by CI)make lint(will be checked by CI)