feat(cdn): Add support for configuring WAF #1372
Open
matheuspolitano wants to merge 26 commits into stackitcloud:main from
h3adex
reviewed
Apr 14, 2026
| # "@builtin/crs/request/942151" is explicitly DISABLED, overriding the collection setting. | ||
| # | ||
| # To view all available collections, groups, and rules, consult the API documentation: | ||
| # https://internal-docs.api.eu01.stackit.cloud/documentation/cdn/version/v1#tag/WAF/operation/ListWafCollections |
Contributor
Internal docs are not reachable by external users.
This PR was marked as stale after 7 days of inactivity and will be closed after another 7 days of further inactivity. If this PR should be kept open, just add a comment, remove the stale label or push new commits to it.
Fyusel
reviewed
Apr 24, 2026
| - `allowed_http_methods` (List of String) Restricts which HTTP methods the distribution accepts. If provided, the list must contain at least one item. If omitted, the API applies the following defaults: `GET`, `HEAD`, `POST`, `PUT`, `DELETE`, `CONNECT`, `OPTIONS`, `TRACE`, `PATCH`. | ||
| - `allowed_http_versions` (List of String) Restricts which HTTP protocol versions are accepted. If provided, the list must contain at least one item. If omitted, the API applies the following defaults: `HTTP/1.0`, `HTTP/1.1`, `HTTP/2`, `HTTP/2.0`. | ||
| - `allowed_request_content_types` (List of String) Restricts which Content-Type headers are accepted in request bodies. If provided, the list must contain at least one item. If omitted, the API applies the following defaults: `application/x-www-form-urlencoded`, `multipart/form-data`, `multipart/related`, `text/xml`, `application/xml`, `application/soap+xml`, `application/x-amf`, `application/json`, `application/octet-stream`, `application/csp-report`, `application/xss-auditor-report`, `text/plain`. | ||
| - `disabled_rule_collection_ids` (List of String) List of WAF Collection IDs explicitly disabled. Can be set to an empty list to clear previously set rules. Precedence hierarchy: Specific Rules override Groups, and Groups override Collections. To view available rule collections, please consult the API documentation: https://internal-docs.api.eu01.stackit.cloud/documentation/cdn/version/v1#tag/WAF/operation/ListWafCollections |
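Review bot: The `allowed_http_methods` description lists `CONNECT` and `TRACE` among the defaults applied when the attribute is omitted, but nothing tells the reader that leaving the attribute out keeps those methods accepted. Suggest adding a sentence that a restrictive method set has to be configured explicitly, and, for `allowed_http_versions`, saying whether `HTTP/2` and `HTTP/2.0` are aliases or both have to be listed to allow HTTP/2. In `allowed_request_content_types`, "Content-Type headers are accepted in request bodies" mixes header and body; "Content-Type values accepted for requests with a body" would be more accurate.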
Contributor
Same here with the internal-docs
Should all be replaced
| - `allowed_http_versions` (List of String) Restricts which HTTP protocol versions are accepted. If provided, the list must contain at least one item. If omitted, the API applies the following defaults: `HTTP/1.0`, `HTTP/1.1`, `HTTP/2`, `HTTP/2.0`. | ||
| - `allowed_request_content_types` (List of String) Restricts which Content-Type headers are accepted in request bodies. If provided, the list must contain at least one item. If omitted, the API applies the following defaults: `application/x-www-form-urlencoded`, `multipart/form-data`, `multipart/related`, `text/xml`, `application/xml`, `application/soap+xml`, `application/x-amf`, `application/json`, `application/octet-stream`, `application/csp-report`, `application/xss-auditor-report`, `text/plain`. | ||
| - `disabled_rule_collection_ids` (List of String) List of WAF Collection IDs explicitly disabled. Can be set to an empty list to clear previously set rules. Precedence hierarchy: Specific Rules override Groups, and Groups override Collections. To view available rule collections, please consult the API documentation: https://internal-docs.api.eu01.stackit.cloud/documentation/cdn/version/v1#tag/WAF/operation/ListWafCollections | ||
| - `disabled_rule_group_ids` (List of String) List of WAF Rule Group IDs explicitly disabled. Can be set to an empty list to clear previously set rules. Precedence hierarchy: Specific Rules override Groups, and Groups override Collections. To view available rule groups, please consult the API documentation: https://internal-docs.api.eu01.stackit.cloud/documentation/cdn/version/v1#tag/WAF/operation/ListWafCollections |
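Review bot: In `disabled_rule_group_ids` (and the same sentence in `disabled_rule_collection_ids`), "Can be set to an empty list to clear previously set rules" talks about rules while the attribute holds group or collection IDs, and it leaves open what happens when the attribute is omitted rather than set to an empty list. Suggest wording it per attribute (for example "clear previously disabled groups") and stating the omitted case explicitly, since these lists switch WAF protection off. The group description also says "To view available rule groups" but links to the `ListWafCollections` operation; either state that this operation returns groups as well or link the operation that does.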
Contributor
The sentence "Precedence hierarchy" is written for almost every attribute and is almost the same. Does it make sense to have this for every attribute or should this just be mentioned somewhere "globally"?
| - `allowed_http_methods` (List of String) Restricts which HTTP methods the distribution accepts. If provided, the list must contain at least one item. If omitted, the API applies the following defaults: `GET`, `HEAD`, `POST`, `PUT`, `DELETE`, `CONNECT`, `OPTIONS`, `TRACE`, `PATCH`. | ||
| - `allowed_http_versions` (List of String) Restricts which HTTP protocol versions are accepted. If provided, the list must contain at least one item. If omitted, the API applies the following defaults: `HTTP/1.0`, `HTTP/1.1`, `HTTP/2`, `HTTP/2.0`. | ||
| - `allowed_request_content_types` (List of String) Restricts which Content-Type headers are accepted in request bodies. If provided, the list must contain at least one item. If omitted, the API applies the following defaults: `application/x-www-form-urlencoded`, `multipart/form-data`, `multipart/related`, `text/xml`, `application/xml`, `application/soap+xml`, `application/x-amf`, `application/json`, `application/octet-stream`, `application/csp-report`, `application/xss-auditor-report`, `text/plain`. | ||
| - `disabled_rule_collection_ids` (List of String) List of WAF Collection IDs explicitly disabled. Can be set to an empty list to clear previously set rules. Precedence hierarchy: Specific Rules override Groups, and Groups override Collections. To view available rule collections, please consult the API documentation: https://internal-docs.api.eu01.stackit.cloud/documentation/cdn/version/v1#tag/WAF/operation/ListWafCollections |
| } | ||
|
|
||
| // getSortedWafList extracts strings from HCL list, sorts them and returns the slice | ||
| func getSortedWafList(ctx context.Context, tfList basetypes.ListValue) []string { |
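Review bot: `getSortedWafList` returns only `[]string`, so from this signature a failure while converting `tfList`, or a null or unknown list, cannot be reported to the caller. Suggest returning `diag.Diagnostics` alongside the slice, or documenting in the comment what the function returns in those cases. The comment also says "HCL list" while the parameter is a `basetypes.ListValue`; "Terraform list value" would match the type.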
Contributor
I would move those three helper functions to utils package
Description
https://jira.schwarz/browse/STACKITCDN-723
I want to add support for the waf configuration block in the CDN distribution resource, so that users can programmatically manage security tiers, paranoia levels, and granular rule overrides (Enabled/Disabled/Log-only) via Terraform.
Checklist
make fmt
examples/directory)
make generate-docs (will be checked by CI)
make test (will be checked by CI)
make lint (will be checked by CI)