From 37c28d05193e0c9f2e6484d146659f85624fea37 Mon Sep 17 00:00:00 2001 From: Matheus Politano Date: Thu, 28 May 2026 13:55:04 +0200 Subject: [PATCH 1/7] chore: add tls field --- .../services/cdn/distribution/resource.go | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/stackit/internal/services/cdn/distribution/resource.go b/stackit/internal/services/cdn/distribution/resource.go index 488acdfed..542cb314e 100644 --- a/stackit/internal/services/cdn/distribution/resource.go +++ b/stackit/internal/services/cdn/distribution/resource.go 
@@ -102,6 +102,9 @@ var schemaDescriptions = map[string]string{ "waf_enabled_rule_collection_ids": "Set of WAF Collection IDs explicitly enabled. Can be set to an empty set to clear previously set rules. Case you removed waf will retain the last known state. To view available rule collections, please consult the API documentation: https://docs.api.eu01.stackit.cloud/documentation/cdn/version/v1#tag/WAF/operation/ListWafCollections", "waf_disabled_rule_collection_ids": "Set of WAF Collection IDs explicitly disabled. Can be set to an empty set to clear previously set rules. Case you removed waf will retain the last known state. To view available rule collections, please consult the API documentation: https://docs.api.eu01.stackit.cloud/documentation/cdn/version/v1#tag/WAF/operation/ListWafCollections", "waf_log_only_rule_collection_ids": "Set of WAF Collection IDs explicitly marked as Log Only. Can be set to an empty set to clear previously set rules. Case you removed waf will retain the last known state. To view available rule collections, please consult the API documentation: https://docs.api.eu01.stackit.cloud/documentation/cdn/version/v1#tag/WAF/operation/ListWafCollections", + "config_tls_config": "Configuration for TLS protocol versions. Note: Enabling older TLS versions (1.0, 1.1) is generally discouraged for security reasons.", + "config_tls_enable_tls_10": "If set to true, the distribution will accept connections using TLS 1.0.", + "config_tls_enable_tls_11": "If set to true, the distribution will accept connections using TLS 1.1.", } type Model struct { @@ -141,6 +144,7 @@ type distributionConfig struct { BlockedCountries *[]string `tfsdk:"blocked_countries"` // The countries for which content will be blocked Optimizer types.Object `tfsdk:"optimizer"` // The optimizer configuration Waf types.Object `tfsdk:"waf"` // The WAF configuration + tls tlsConfig `tfsdk:"tls"` // The TLS configuration } type optimizerConfig struct { 
@@ -157,6 +161,11 @@ type backend struct { Credentials *backendCredentials `tfsdk:"credentials"` } +type tlsConfig struct { + enabledTls10 types.Bool `tfsdk:"enabled_tls_10"` + enabledTls11 types.Bool `tfsdk:"enabled_tls_11"` +} + type wafConfig struct { Mode types.String `tfsdk:"mode"` Type types.String `tfsdk:"type"` @@ -193,6 +202,9 @@ var configTypes = map[string]attr.Type{ "waf": types.ObjectType{ AttrTypes: wafTypes, }, + "tls": types.ObjectType{ + AttrTypes: tlsTypes, + }, } var optimizerTypes = map[string]attr.Type{ @@ -229,6 +241,11 @@ var redirectsTypes = map[string]attr.Type{ }, } +var tlsTypes = map[string]attr.Type{ + "enabled_tls_10": types.BoolType, + "enabled_tls_11": types.BoolType, +} + var wafTypes = map[string]attr.Type{ "mode": types.StringType, "type": types.StringType, @@ -389,6 +406,23 @@ func (r *distributionResource) Schema(_ context.Context, _ resource.SchemaReques objectvalidator.AlsoRequires(path.MatchRelative().AtName("enabled")), }, }, + "tls": schema.SingleNestedAttribute{ + Description: schemaDescriptions["config_tls_config"], + Optional: true, + Computed: true, + Attributes: map[string]schema.Attribute{ + "enabled_tls_11": schema.BoolAttribute{ + Optional: true, + Computed: true, + Description: schemaDescriptions["config_tls_enable_tls_10"], + }, + "enabled_tls_10": schema.BoolAttribute{ + Optional: true, + Computed: true, + Description: schemaDescriptions["config_tls_enable_tls_11"], + }, + }, + }, "redirects": schema.SingleNestedAttribute{ Optional: true, Description: schemaDescriptions["config_redirects"], From 133f4662b59eb67e876a7fe1cd1fc32fb4517448 Mon Sep 17 00:00:00 2001 
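Review bot: The two nested attribute descriptions in the new `tls` block of Schema are crossed: `enabled_tls_11` is given `schemaDescriptions["config_tls_enable_tls_10"]` and `enabled_tls_10` is given `schemaDescriptions["config_tls_enable_tls_11"]`, so the generated docs describe each flag as enabling the other protocol version. Swap the keys so that `enabled_tls_10` uses `config_tls_enable_tls_10` and `enabled_tls_11` uses `config_tls_enable_tls_11`. The same crossing is in the data source Schema hunk of PATCH 2/7, and it survives the rename to `enable_tls_10`/`enable_tls_11` in PATCH 3/7 in both files. Because these flags re-enable deprecated protocol versions, the block description should also say what is applied when `tls` is omitted. Schema's body continues outside the hunk.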
From: Matheus Politano Date: Thu, 28 May 2026 17:53:21 +0200 Subject: [PATCH 2/7] chore: add tls --- .../services/cdn/distribution/datasource.go | 28 +++++++++++ .../cdn/distribution/datasource_test.go | 11 ++++- .../services/cdn/distribution/resource.go | 47 +++++++++++++++++-- .../cdn/distribution/resource_test.go | 31 ++++++++++++ 4 files changed, 112 insertions(+), 5 deletions(-) diff --git a/stackit/internal/services/cdn/distribution/datasource.go b/stackit/internal/services/cdn/distribution/datasource.go index 69ac63f4a..4a37e12e7 100644 --- a/stackit/internal/services/cdn/distribution/datasource.go +++ b/stackit/internal/services/cdn/distribution/datasource.go @@ -46,6 +46,9 @@ var dataSourceConfigTypes = map[string]attr.Type{ "waf": types.ObjectType{ AttrTypes: wafTypes, // Shared from resource.go }, + "tls": types.ObjectType{ + AttrTypes: tlsTypes, // Shared from resource.go + }, } type distributionDataSource struct { @@ -207,6 +210,20 @@ func (r *distributionDataSource) Schema(_ context.Context, _ datasource.SchemaRe }, }, }, + "tls": schema.SingleNestedAttribute{ + Description: schemaDescriptions["config_tls_config"], + Computed: true, + Attributes: map[string]schema.Attribute{ + "enabled_tls_11": schema.BoolAttribute{ + Computed: true, + Description: schemaDescriptions["config_tls_enable_tls_10"], + }, + "enabled_tls_10": schema.BoolAttribute{ + Computed: true, + Description: schemaDescriptions["config_tls_enable_tls_11"], + }, + }, + }, "redirects": schema.SingleNestedAttribute{ Computed: true, Description: schemaDescriptions["config_redirects"], 
@@ -641,6 +658,16 @@ func mapDataSourceFields(ctx context.Context, distribution *cdnSdk.Distribution, } } + tlsObjAttrs := map[string]attr.Value{ + "enabled_tls_10": types.BoolValue(distribution.Config.Tls.EnableTls10), + "enabled_tls_11": types.BoolValue(distribution.Config.Tls.EnableTls11), + } + + tlsVal, diagTls := types.ObjectValue(tlsTypes, tlsObjAttrs) + if diagTls.HasError() { + return core.DiagsToError(diagWaf) + } + // Use dataSourceConfigTypes cfg, diags := types.ObjectValue(dataSourceConfigTypes, map[string]attr.Value{ "backend": backend, @@ -649,6 +676,7 @@ func mapDataSourceFields(ctx context.Context, distribution *cdnSdk.Distribution, "optimizer": optimizerVal, "redirects": redirectsVal, "waf": wafVal, + "tls": tlsVal, }) if diags.HasError() { return core.DiagsToError(diags) diff --git a/stackit/internal/services/cdn/distribution/datasource_test.go b/stackit/internal/services/cdn/distribution/datasource_test.go index 7c0effccb..bce8c02a9 100644 --- a/stackit/internal/services/cdn/distribution/datasource_test.go +++ b/stackit/internal/services/cdn/distribution/datasource_test.go @@ -58,7 +58,10 @@ func TestMapDataSourceFields(t *testing.T) { "disabled_rule_collection_ids": emptyWafSet, "log_only_rule_collection_ids": emptyWafSet, }) - + defaultTls := types.ObjectValueMust(tlsTypes, map[string]attr.Value{ + "enabled_tls_10": types.BoolValue(false), + "enabled_tls_11": types.BoolValue(false), + }) config := types.ObjectValueMust(dataSourceConfigTypes, map[string]attr.Value{ "backend": backend, "regions": regionsFixture, @@ -66,6 +69,7 @@ func TestMapDataSourceFields(t *testing.T) { "optimizer": types.ObjectNull(optimizerTypes), "redirects": types.ObjectNull(redirectsTypes), "waf": emptyWaf, + "tls": defaultTls, }) redirectsInput := cdnSdk.RedirectConfig{ Rules: []cdnSdk.RedirectRule{ 
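Review bot: The error branch after `types.ObjectValue(tlsTypes, tlsObjAttrs)` in mapDataSourceFields returns `core.DiagsToError(diagWaf)` rather than the diagnostics it just checked. A failure building the TLS object is therefore reported with the WAF diagnostics, and if those hold no error the caller presumably sees a nil error with the config left unmapped. The line should be `return core.DiagsToError(diagTls)`. The mapFields hunk for resource.go in this same patch has the identical line and needs the same fix. The function body starts and ends outside the hunk.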
@@ -239,6 +243,7 @@ func TestMapDataSourceFields(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": types.ObjectNull(redirectsTypes), "waf": emptyWaf, + "tls": defaultTls, }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { @@ -266,6 +271,7 @@ func TestMapDataSourceFields(t *testing.T) { "optimizer": types.ObjectNull(optimizerTypes), "redirects": types.ObjectNull(redirectsTypes), "waf": emptyWaf, + "tls": defaultTls, }) }), IsValid: true, @@ -287,6 +293,7 @@ func TestMapDataSourceFields(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": types.ObjectNull(redirectsTypes), "waf": emptyWaf, + "tls": defaultTls, }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { @@ -312,6 +319,7 @@ func TestMapDataSourceFields(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": redirectsConfigExpected, "waf": emptyWaf, + "tls": defaultTls, }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { @@ -328,6 +336,7 @@ func TestMapDataSourceFields(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": types.ObjectNull(redirectsTypes), "waf": populatedWaf, + "tls": defaultTls, }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { diff --git a/stackit/internal/services/cdn/distribution/resource.go b/stackit/internal/services/cdn/distribution/resource.go index 542cb314e..44568b5c5 100644 --- a/stackit/internal/services/cdn/distribution/resource.go +++ b/stackit/internal/services/cdn/distribution/resource.go @@ -144,7 +144,7 @@ type distributionConfig struct { BlockedCountries *[]string `tfsdk:"blocked_countries"` // The countries for which content will be blocked Optimizer types.Object `tfsdk:"optimizer"` // The optimizer configuration Waf types.Object `tfsdk:"waf"` // The WAF configuration - tls tlsConfig `tfsdk:"tls"` // The TLS configuration + Tls *tlsConfig `tfsdk:"tls"` // The TLS configuration } type optimizerConfig struct { 
@@ -162,8 +162,8 @@ type backend struct { } type tlsConfig struct { - enabledTls10 types.Bool `tfsdk:"enabled_tls_10"` - enabledTls11 types.Bool `tfsdk:"enabled_tls_11"` + EnabledTls10 types.Bool `tfsdk:"enabled_tls_10"` + EnabledTls11 types.Bool `tfsdk:"enabled_tls_11"` } type wafConfig struct { @@ -902,6 +902,15 @@ func (r *distributionResource) Update(ctx context.Context, req resource.UpdateRe blockedCountries = tempBlockedCountries } + //tls + var tlsConfig *cdnSdk.TlsConfigPatch + if configModel.Tls != nil { + tlsConfig = &cdnSdk.TlsConfigPatch{ + EnableTls10: new(configModel.Tls.EnabledTls10.ValueBool()), + EnableTls11: new(configModel.Tls.EnabledTls11.ValueBool()), + } + } + // redirects redirectsConfig := convertRedirectconfig(configModel.Redirects) @@ -951,6 +960,7 @@ func (r *distributionResource) Update(ctx context.Context, req resource.UpdateRe Regions: regions, BlockedCountries: blockedCountries, Redirects: redirectsConfig, + Tls: tlsConfig, } configPatch.Waf = &cdnSdk.WafConfigPatch{ @@ -1394,6 +1404,17 @@ func mapFields(ctx context.Context, distribution *cdnSdk.Distribution, model *Mo } } } + + tlsObjAttrs := map[string]attr.Value{ + "enabled_tls_10": types.BoolValue(distribution.Config.Tls.EnableTls10), + "enabled_tls_11": types.BoolValue(distribution.Config.Tls.EnableTls11), + } + + tlsVal, diagTls := types.ObjectValue(tlsTypes, tlsObjAttrs) + if diagTls.HasError() { + return core.DiagsToError(diagWaf) + } + cfg, diags := types.ObjectValue(configTypes, map[string]attr.Value{ "backend": backend, "regions": modelRegions, @@ -1401,6 +1422,7 @@ func mapFields(ctx context.Context, distribution *cdnSdk.Distribution, model *Mo "optimizer": optimizerVal, "redirects": redirectsVal, "waf": wafVal, + "tls": tlsVal, }) if diags.HasError() { return core.DiagsToError(diags) 
@@ -1472,6 +1494,12 @@ func toCreatePayload(ctx context.Context, model *Model) (*cdnSdk.CreateDistribut optimizer = cdnSdk.NewOptimizer(cfg.Optimizer.GetEnabled()) } + var tls *cdnSdk.TlsConfig + // Leave the tls pointer as nil if the TLS configuration is empty. + if cfg.Tls.EnableTls10 == true || cfg.Tls.EnableTls11 == true { + tls = &cfg.Tls + } + var backend *cdnSdk.CreateDistributionPayloadBackend if cfg.Backend.HttpBackend != nil { backend = &cdnSdk.CreateDistributionPayloadBackend{ @@ -1514,7 +1542,8 @@ func toCreatePayload(ctx context.Context, model *Model) (*cdnSdk.CreateDistribut BlockedCountries: cfg.BlockedCountries, Optimizer: optimizer, Redirects: cfg.Redirects, - Waf: wafPayload, // Now passes nil if omitted + Waf: wafPayload, + Tls: tls, } return payload, nil @@ -1591,6 +1620,15 @@ func convertConfig(ctx context.Context, model *Model) (*cdnSdk.Config, error) { regions = append(regions, *regionEnum) } + // tls + var tls cdnSdk.TlsConfig + if configModel.Tls != nil { + tls = cdnSdk.TlsConfig{ + EnableTls10: configModel.Tls.EnabledTls10.ValueBool(), + EnableTls11: configModel.Tls.EnabledTls11.ValueBool(), + } + } + // blockedCountries var blockedCountries []string if configModel.BlockedCountries != nil { @@ -1670,6 +1708,7 @@ func convertConfig(ctx context.Context, model *Model) (*cdnSdk.Config, error) { Regions: regions, BlockedCountries: blockedCountries, Redirects: redirectsConfig, + Tls: tls, } if !utils.IsUndefined(configModel.Waf) { diff --git a/stackit/internal/services/cdn/distribution/resource_test.go b/stackit/internal/services/cdn/distribution/resource_test.go index e16d5354d..c4f9263df 100644 --- a/stackit/internal/services/cdn/distribution/resource_test.go +++ b/stackit/internal/services/cdn/distribution/resource_test.go 
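Review bot: In toCreatePayload the new guard `if cfg.Tls.EnableTls10 == true || cfg.Tls.EnableTls11 == true` compares booleans against `true`; `if cfg.Tls.EnableTls10 || cfg.Tls.EnableTls11 {` is the idiomatic form and what linters expect. Leaving `tls` nil when both flags are false relies on the API treating an absent TLS object as both legacy versions off, which the comment should state, e.g. `// Omit tls when both legacy versions are off; the API default is assumed to be disabled.` Every TestToCreatePayload case touched in this patch passes `types.ObjectNull(tlsTypes)` and the `defaultTls` fixture there is commented out, so the branch that actually sends TLS 1.0/1.1 enabled is not exercised. The function body extends beyond the hunk.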
@@ -77,6 +77,11 @@ func TestToCreatePayload(t *testing.T) { "disabled_rule_collection_ids": emptyWafSet, "log_only_rule_collection_ids": emptyWafSet, }) + // defaultTls := types.ObjectValueMust(tlsTypes, map[string]attr.Value{ + // "enabled_tls_10": types.BoolValue(false), + // "enabled_tls_11": types.BoolValue(false), + // }) + redirectsObjType, ok := configTypes["redirects"].(basetypes.ObjectType) if !ok { t.Fatalf("configTypes[\"redirects\"] is not of type basetypes.ObjectType") @@ -90,6 +95,7 @@ func TestToCreatePayload(t *testing.T) { "optimizer": types.ObjectNull(optimizerTypes), "redirects": types.ObjectNull(redirectsTypes), "waf": defaultWaf, + "tls": types.ObjectNull(tlsTypes), }) matcherValues := types.ListValueMust(types.StringType, []attr.Value{ @@ -197,6 +203,7 @@ func TestToCreatePayload(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": types.ObjectNull(redirectsTypes), "waf": defaultWaf, + "tls": types.ObjectNull(tlsTypes), }) }), Expected: &cdnSdk.CreateDistributionPayload{ @@ -224,6 +231,7 @@ func TestToCreatePayload(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": redirectsConfigVal, "waf": defaultWaf, + "tls": types.ObjectNull(tlsTypes), }) }), Expected: &cdnSdk.CreateDistributionPayload{ @@ -280,6 +288,7 @@ func TestToCreatePayload(t *testing.T) { "optimizer": types.ObjectNull(optimizerTypes), "redirects": types.ObjectNull(redirectsTypes), "waf": defaultWaf, + "tls": types.ObjectNull(tlsTypes), }) }), Expected: &cdnSdk.CreateDistributionPayload{ @@ -309,6 +318,7 @@ func TestToCreatePayload(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": types.ObjectNull(redirectsAttrTypes), "waf": populatedWaf, + "tls": types.ObjectNull(tlsTypes), }) }), Expected: &cdnSdk.CreateDistributionPayload{ 
@@ -396,6 +406,7 @@ func TestConvertConfig(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": types.ObjectNull(redirectsTypes), "waf": types.ObjectNull(wafTypes), + "tls": types.ObjectNull(tlsTypes), }) matcherValues := types.ListValueMust(types.StringType, []attr.Value{ @@ -508,6 +519,7 @@ func TestConvertConfig(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": types.ObjectNull(redirectsTypes), "waf": types.ObjectNull(wafTypes), + "tls": types.ObjectNull(tlsTypes), }) }), Expected: &cdnSdk.Config{ @@ -538,6 +550,7 @@ func TestConvertConfig(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": types.ObjectNull(redirectsTypes), "waf": populatedWaf, + "tls": types.ObjectNull(tlsTypes), }) }), Expected: &cdnSdk.Config{ @@ -569,6 +582,7 @@ func TestConvertConfig(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": redirectsConfigVal, "waf": types.ObjectNull(wafTypes), + "tls": types.ObjectNull(tlsTypes), }) }), Expected: &cdnSdk.Config{ @@ -629,6 +643,7 @@ func TestConvertConfig(t *testing.T) { "optimizer": types.ObjectNull(optimizerTypes), "redirects": types.ObjectNull(redirectsTypes), "waf": types.ObjectNull(wafTypes), + "tls": types.ObjectNull(tlsTypes), }) }), Expected: &cdnSdk.Config{ @@ -778,6 +793,11 @@ func TestMapFields(t *testing.T) { "disabled_rule_collection_ids": types.SetNull(types.StringType), "log_only_rule_collection_ids": types.SetNull(types.StringType), }) + + defaultTls := types.ObjectValueMust(tlsTypes, map[string]attr.Value{ + "enabled_tls_10": types.BoolValue(false), + "enabled_tls_11": types.BoolValue(false), + }) config := types.ObjectValueMust(configTypes, map[string]attr.Value{ "backend": backend, "regions": regionsFixture, 
@@ -785,6 +805,7 @@ func TestMapFields(t *testing.T) { "optimizer": types.ObjectNull(optimizerTypes), "redirects": types.ObjectNull(redirectsAttrTypes), "waf": defaultWaf, + "tls": defaultTls, }) redirectsInput := &cdnSdk.RedirectConfig{ @@ -873,6 +894,10 @@ func TestMapFields(t *testing.T) { Mode: cdnSdk.WAFMODE_DISABLED, Type: cdnSdk.WAFTYPE_FREE, }, + Tls: cdnSdk.TlsConfig{ + EnableTls10: false, + EnableTls11: false, + }, }, CreatedAt: createdAt, Domains: []cdnSdk.Domain{ @@ -913,6 +938,7 @@ func TestMapFields(t *testing.T) { "optimizer": types.ObjectNull(optimizerTypes), "redirects": types.ObjectNull(redirectsAttrTypes), "waf": types.ObjectNull(wafTypes), + "tls": types.ObjectNull(tlsTypes), }) tests := map[string]struct { Input *cdnSdk.Distribution @@ -934,6 +960,7 @@ func TestMapFields(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": types.ObjectNull(redirectsAttrTypes), "waf": defaultWaf, + "tls": defaultTls, }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { @@ -961,6 +988,7 @@ func TestMapFields(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": types.ObjectNull(redirectsAttrTypes), "waf": defaultWaf, + "tls": defaultTls, }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { @@ -977,6 +1005,7 @@ func TestMapFields(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": redirectsConfigExpected, "waf": defaultWaf, + "tls": defaultTls, }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { @@ -1001,6 +1030,7 @@ func TestMapFields(t *testing.T) { "blocked_countries": blockedCountriesFixture, "redirects": types.ObjectNull(redirectsAttrTypes), "waf": populatedWaf, + "tls": defaultTls, }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { 
@@ -1062,6 +1092,7 @@ func TestMapFields(t *testing.T) { "optimizer": types.ObjectNull(optimizerTypes), "redirects": types.ObjectNull(redirectsAttrTypes), "waf": defaultWaf, + "tls": defaultTls, }) }), IsValid: true, From 27fc2252522606a17fb249526d09daadc026ce08 Mon Sep 17 00:00:00 2001 From: Matheus Politano Date: Mon, 1 Jun 2026 12:19:39 +0200 Subject: [PATCH 3/7] chore: add tls --- stackit/internal/services/cdn/cdn_acc_test.go | 25 ++++++++++ .../services/cdn/distribution/datasource.go | 8 ++-- .../cdn/distribution/datasource_test.go | 4 +- .../services/cdn/distribution/resource.go | 48 ++++++++++++------- .../cdn/distribution/resource_test.go | 8 ++-- .../cdn/testdata/resource-http-base.tf | 6 +++ 6 files changed, 71 insertions(+), 28 deletions(-) diff --git a/stackit/internal/services/cdn/cdn_acc_test.go b/stackit/internal/services/cdn/cdn_acc_test.go index 369f23c5e..0fc179d28 100644 --- a/stackit/internal/services/cdn/cdn_acc_test.go +++ b/stackit/internal/services/cdn/cdn_acc_test.go @@ -122,6 +122,8 @@ var testConfigVarsHttp = config.Variables{ "waf_log_only_rule_ids_0": config.StringVariable(wafRule3), "waf_log_only_rule_group_ids_0": config.StringVariable(wafRule3), "waf_log_only_rule_collection_ids_0": config.StringVariable(wafRule3), + "tls_enable_tls_10": config.BoolVariable(true), + "tls_enable_tls_11": config.BoolVariable(true), } func configVarsHttpUpdated() config.Variables { 
@@ -137,6 +139,17 @@ func configVarsHttpUpdated() config.Variables { updatedConfig["waf_allowed_http_versions_0"] = config.StringVariable("HTTP/1.1") updatedConfig["waf_paranoia_level"] = config.StringVariable("L3") + // Update TLS + updatedConfig["tls_enable_tls_10"] = config.BoolVariable(false) + updatedConfig["tls_enable_tls_11"] = config.BoolVariable(false) + + // Update WAF rules + updatedConfig["waf_disabled_rule_ids_0"] = config.StringVariable(wafRule3) + updatedConfig["waf_disabled_rule_group_ids_0"] = config.StringVariable(wafRule3) + updatedConfig["waf_disabled_rule_collection_ids_0"] = config.StringVariable(wafRule3) + + updatedConfig["waf_enabled_rule_ids_0"] = config.StringVariable(wafRule1) + updatedConfig["waf_enabled_rule_ids_0"] = config.StringVariable(wafRule2) updatedConfig["waf_enabled_rule_group_ids_0"] = config.StringVariable(wafRule2) updatedConfig["waf_enabled_rule_collection_ids_0"] = config.StringVariable(wafRule2) @@ -234,6 +247,10 @@ func TestAccCDNDistributionHttp(t *testing.T) { ), resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.optimizer.enabled", testutil.ConvertConfigVariable(testConfigVarsHttp["optimizer"])), + // TLS Checks + resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.tls.enable_tls_10", testutil.ConvertConfigVariable(testConfigVarsHttp["tls_enable_tls_10"])), + resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.tls.enable_tls_11", testutil.ConvertConfigVariable(testConfigVarsHttp["tls_enable_tls_11"])), + // WAF Checks resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.mode", testutil.ConvertConfigVariable(testConfigVarsHttp["waf_mode"])), resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.type", testutil.ConvertConfigVariable(testConfigVarsHttp["waf_type"])), 
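Review bot: The TLS values added to configVarsHttpUpdated flip both flags together (`true`/`true` in testConfigVarsHttp, `false`/`false` here), so the acceptance checks cannot tell the two attributes apart and would still pass if one flag were mapped from the other. Giving the flags different values in at least one step would catch that, e.g. `updatedConfig["tls_enable_tls_11"] = config.BoolVariable(true)` while `tls_enable_tls_10` goes to false. Separately, the added `updatedConfig["waf_enabled_rule_ids_0"] = config.StringVariable(wafRule1)` is overwritten by the `wafRule2` assignment to the same key right after it and can be dropped.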
@@ -371,6 +388,10 @@ func TestAccCDNDistributionHttp(t *testing.T) { resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.blocked_countries.0", "CU"), resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.optimizer.enabled", testutil.ConvertConfigVariable(testConfigVarsHttp["optimizer"])), + // TLS Checks inside Data Source + resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.tls.enable_tls_10", testutil.ConvertConfigVariable(testConfigVarsHttp["tls_enable_tls_10"])), + resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.tls.enable_tls_11", testutil.ConvertConfigVariable(testConfigVarsHttp["tls_enable_tls_11"])), + // WAF Checks inside Data Source resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.waf.mode", testutil.ConvertConfigVariable(testConfigVarsHttp["waf_mode"])), resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.waf.type", testutil.ConvertConfigVariable(testConfigVarsHttp["waf_type"])), 
@@ -445,6 +466,10 @@ func TestAccCDNDistributionHttp(t *testing.T) { resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.blocked_countries.0", "CU"), resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.optimizer.enabled", testutil.ConvertConfigVariable(testConfigVarsHttp["optimizer"])), + // TLS Configuration + resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.tls.enable_tls_10", testutil.ConvertConfigVariable(configVarsHttpUpdated()["tls_enable_tls_10"])), + resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.tls.enable_tls_11", testutil.ConvertConfigVariable(configVarsHttpUpdated()["tls_enable_tls_11"])), + // Checking WAF Mutated Configurations resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.mode", testutil.ConvertConfigVariable(configVarsHttpUpdated()["waf_mode"])), resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.type", testutil.ConvertConfigVariable(configVarsHttpUpdated()["waf_type"])), diff --git a/stackit/internal/services/cdn/distribution/datasource.go b/stackit/internal/services/cdn/distribution/datasource.go index 4a37e12e7..aad5662b3 100644 --- a/stackit/internal/services/cdn/distribution/datasource.go +++ b/stackit/internal/services/cdn/distribution/datasource.go @@ -214,11 +214,11 @@ func (r *distributionDataSource) Schema(_ context.Context, _ datasource.SchemaRe Description: schemaDescriptions["config_tls_config"], Computed: true, Attributes: map[string]schema.Attribute{ - "enabled_tls_11": schema.BoolAttribute{ + "enable_tls_11": schema.BoolAttribute{ Computed: true, Description: schemaDescriptions["config_tls_enable_tls_10"], }, - "enabled_tls_10": schema.BoolAttribute{ + "enable_tls_10": schema.BoolAttribute{ Computed: true, Description: schemaDescriptions["config_tls_enable_tls_11"], }, 
@@ -659,8 +659,8 @@ func mapDataSourceFields(ctx context.Context, distribution *cdnSdk.Distribution, } tlsObjAttrs := map[string]attr.Value{ - "enabled_tls_10": types.BoolValue(distribution.Config.Tls.EnableTls10), - "enabled_tls_11": types.BoolValue(distribution.Config.Tls.EnableTls11), + "enable_tls_10": types.BoolValue(distribution.Config.Tls.EnableTls10), + "enable_tls_11": types.BoolValue(distribution.Config.Tls.EnableTls11), } tlsVal, diagTls := types.ObjectValue(tlsTypes, tlsObjAttrs) diff --git a/stackit/internal/services/cdn/distribution/datasource_test.go b/stackit/internal/services/cdn/distribution/datasource_test.go index bce8c02a9..9ab8ca867 100644 --- a/stackit/internal/services/cdn/distribution/datasource_test.go +++ b/stackit/internal/services/cdn/distribution/datasource_test.go @@ -59,8 +59,8 @@ func TestMapDataSourceFields(t *testing.T) { "log_only_rule_collection_ids": emptyWafSet, }) defaultTls := types.ObjectValueMust(tlsTypes, map[string]attr.Value{ - "enabled_tls_10": types.BoolValue(false), - "enabled_tls_11": types.BoolValue(false), + "enable_tls_10": types.BoolValue(false), + "enable_tls_11": types.BoolValue(false), }) config := types.ObjectValueMust(dataSourceConfigTypes, map[string]attr.Value{ "backend": backend, diff --git a/stackit/internal/services/cdn/distribution/resource.go b/stackit/internal/services/cdn/distribution/resource.go index 44568b5c5..2d4933489 100644 --- a/stackit/internal/services/cdn/distribution/resource.go +++ b/stackit/internal/services/cdn/distribution/resource.go @@ -144,7 +144,7 @@ type distributionConfig struct { BlockedCountries *[]string `tfsdk:"blocked_countries"` // The countries for which content will be blocked Optimizer types.Object `tfsdk:"optimizer"` // The optimizer configuration Waf types.Object `tfsdk:"waf"` // The WAF configuration - Tls *tlsConfig `tfsdk:"tls"` // The TLS configuration + Tls types.Object `tfsdk:"tls"` // The TLS configuration } type optimizerConfig struct { 
@@ -162,8 +162,8 @@ type backend struct { } type tlsConfig struct { - EnabledTls10 types.Bool `tfsdk:"enabled_tls_10"` - EnabledTls11 types.Bool `tfsdk:"enabled_tls_11"` + EnableTls10 types.Bool `tfsdk:"enable_tls_10"` + EnableTls11 types.Bool `tfsdk:"enable_tls_11"` } type wafConfig struct { @@ -242,8 +242,8 @@ var redirectsTypes = map[string]attr.Type{ } var tlsTypes = map[string]attr.Type{ - "enabled_tls_10": types.BoolType, - "enabled_tls_11": types.BoolType, + "enable_tls_10": types.BoolType, + "enable_tls_11": types.BoolType, } var wafTypes = map[string]attr.Type{ @@ -411,12 +411,12 @@ func (r *distributionResource) Schema(_ context.Context, _ resource.SchemaReques Optional: true, Computed: true, Attributes: map[string]schema.Attribute{ - "enabled_tls_11": schema.BoolAttribute{ + "enable_tls_11": schema.BoolAttribute{ Optional: true, Computed: true, Description: schemaDescriptions["config_tls_enable_tls_10"], }, - "enabled_tls_10": schema.BoolAttribute{ + "enable_tls_10": schema.BoolAttribute{ Optional: true, Computed: true, Description: schemaDescriptions["config_tls_enable_tls_11"], @@ -903,11 +903,17 @@ func (r *distributionResource) Update(ctx context.Context, req resource.UpdateRe } //tls - var tlsConfig *cdnSdk.TlsConfigPatch - if configModel.Tls != nil { - tlsConfig = &cdnSdk.TlsConfigPatch{ - EnableTls10: new(configModel.Tls.EnabledTls10.ValueBool()), - EnableTls11: new(configModel.Tls.EnabledTls11.ValueBool()), + var tls *cdnSdk.TlsConfigPatch + if !utils.IsUndefined(configModel.Tls) { + var tlsValue tlsConfig + diags = configModel.Tls.As(ctx, &tlsValue, basetypes.ObjectAsOptions{}) + if diags.HasError() { + core.LogAndAddError(ctx, &resp.Diagnostics, "Update CDN distribution", "Error mapping TLS config") + return + } + tls = &cdnSdk.TlsConfigPatch{ + EnableTls10: new(tlsValue.EnableTls10.ValueBool()), + EnableTls11: new(tlsValue.EnableTls10.ValueBool()), } } 
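Review bot: In the Update hunk the patch payload sets `EnableTls11: new(tlsValue.EnableTls10.ValueBool())`, so the TLS 1.1 flag is taken from the TLS 1.0 setting. A config with `enable_tls_10 = true` and `enable_tls_11 = false` would turn TLS 1.1 on as well, and the reverse would leave TLS 1.1 off without any error. It should read `EnableTls11: new(tlsValue.EnableTls11.ValueBool()),`. The error branch above it also discards `diags`; including the details in the message, as convertConfig does with `core.DiagsToError(diags)`, would make a mapping failure diagnosable. Update's body starts and ends outside the hunk.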
@@ -960,7 +966,7 @@ func (r *distributionResource) Update(ctx context.Context, req resource.UpdateRe Regions: regions, BlockedCountries: blockedCountries, Redirects: redirectsConfig, - Tls: tlsConfig, + Tls: tls, } configPatch.Waf = &cdnSdk.WafConfigPatch{ @@ -1406,8 +1412,8 @@ func mapFields(ctx context.Context, distribution *cdnSdk.Distribution, model *Mo } tlsObjAttrs := map[string]attr.Value{ - "enabled_tls_10": types.BoolValue(distribution.Config.Tls.EnableTls10), - "enabled_tls_11": types.BoolValue(distribution.Config.Tls.EnableTls11), + "enable_tls_10": types.BoolValue(distribution.Config.Tls.EnableTls10), + "enable_tls_11": types.BoolValue(distribution.Config.Tls.EnableTls11), } tlsVal, diagTls := types.ObjectValue(tlsTypes, tlsObjAttrs) @@ -1622,11 +1628,17 @@ func convertConfig(ctx context.Context, model *Model) (*cdnSdk.Config, error) { // tls var tls cdnSdk.TlsConfig - if configModel.Tls != nil { + if !utils.IsUndefined(configModel.Tls) { + var tlsValue tlsConfig + diags := configModel.Tls.As(ctx, &tlsValue, basetypes.ObjectAsOptions{}) + if diags.HasError() { + return nil, core.DiagsToError(diags) + } tls = cdnSdk.TlsConfig{ - EnableTls10: configModel.Tls.EnabledTls10.ValueBool(), - EnableTls11: configModel.Tls.EnabledTls11.ValueBool(), + EnableTls10: tlsValue.EnableTls10.ValueBool(), + EnableTls11: tlsValue.EnableTls11.ValueBool(), } + } // blockedCountries diff --git a/stackit/internal/services/cdn/distribution/resource_test.go b/stackit/internal/services/cdn/distribution/resource_test.go index c4f9263df..3bdac9f7f 100644 --- a/stackit/internal/services/cdn/distribution/resource_test.go +++ b/stackit/internal/services/cdn/distribution/resource_test.go 
@@ -78,8 +78,8 @@ func TestToCreatePayload(t *testing.T) { "log_only_rule_collection_ids": emptyWafSet, }) // defaultTls := types.ObjectValueMust(tlsTypes, map[string]attr.Value{ - // "enabled_tls_10": types.BoolValue(false), - // "enabled_tls_11": types.BoolValue(false), + // "enable_tls_10": types.BoolValue(false), + // "enable_tls_11": types.BoolValue(false), // }) redirectsObjType, ok := configTypes["redirects"].(basetypes.ObjectType) @@ -795,8 +795,8 @@ func TestMapFields(t *testing.T) { }) defaultTls := types.ObjectValueMust(tlsTypes, map[string]attr.Value{ - "enabled_tls_10": types.BoolValue(false), - "enabled_tls_11": types.BoolValue(false), + "enable_tls_10": types.BoolValue(false), + "enable_tls_11": types.BoolValue(false), }) config := types.ObjectValueMust(configTypes, map[string]attr.Value{ "backend": backend, diff --git a/stackit/internal/services/cdn/testdata/resource-http-base.tf b/stackit/internal/services/cdn/testdata/resource-http-base.tf index 9373493c9..b86a6804b 100644 --- a/stackit/internal/services/cdn/testdata/resource-http-base.tf +++ b/stackit/internal/services/cdn/testdata/resource-http-base.tf @@ -31,6 +31,8 @@ variable "waf_log_only_rule_group_ids_0" {} variable "waf_enabled_rule_collection_ids_0" {} variable "waf_disabled_rule_collection_ids_0" {} variable "waf_log_only_rule_collection_ids_0" {} +variable "tls_enable_tls_10" {} +variable "tls_enable_tls_11" {} # dns variable "dns_zone_name" {} @@ -78,6 +80,10 @@ resource "stackit_cdn_distribution" "distribution" { } ] } + tls = { + enable_tls_10 = var.tls_enable_tls_10 + enable_tls_11 = var.tls_enable_tls_11 + } waf = { mode = var.waf_mode type = var.waf_type From 4c0bd89b0f5a365e8e8df55f900f5cf7fbb461a2 Mon Sep 17 00:00:00 2001 
From: Matheus Politano Date: Wed, 3 Jun 2026 11:07:28 +0200 Subject: [PATCH 4/7] chore: add all small feature test --- stackit/internal/services/cdn/cdn_acc_test.go | 12 + .../services/cdn/distribution/datasource.go | 28 +- .../services/cdn/distribution/resource.go | 68 ++- .../cdn/distribution/resource_test.go | 390 +++++++++++++----- .../cdn/testdata/resource-http-base.tf | 4 + 5 files changed, 365 insertions(+), 137 deletions(-) diff --git a/stackit/internal/services/cdn/cdn_acc_test.go b/stackit/internal/services/cdn/cdn_acc_test.go index 0fc179d28..f66d4f2eb 100644 --- a/stackit/internal/services/cdn/cdn_acc_test.go +++ b/stackit/internal/services/cdn/cdn_acc_test.go @@ -124,6 +124,8 @@ var testConfigVarsHttp = config.Variables{ "waf_log_only_rule_collection_ids_0": config.StringVariable(wafRule3), "tls_enable_tls_10": config.BoolVariable(true), "tls_enable_tls_11": config.BoolVariable(true), + "strip_response_cookies": config.BoolVariable(false), + "forward_host_header": config.BoolVariable(true), } func configVarsHttpUpdated() config.Variables { @@ -143,6 +145,10 @@ func configVarsHttpUpdated() config.Variables { updatedConfig["tls_enable_tls_10"] = config.BoolVariable(false) updatedConfig["tls_enable_tls_11"] = config.BoolVariable(false) + // Update small features + updatedConfig["strip_response_cookies"] = config.BoolVariable(true) + updatedConfig["forward_host_header"] = config.BoolVariable(false) + // Update WAF rules updatedConfig["waf_disabled_rule_ids_0"] = config.StringVariable(wafRule3) updatedConfig["waf_disabled_rule_group_ids_0"] = config.StringVariable(wafRule3) 
@@ -250,6 +256,8 @@ func TestAccCDNDistributionHttp(t *testing.T) { // TLS Checks resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.tls.enable_tls_10", testutil.ConvertConfigVariable(testConfigVarsHttp["tls_enable_tls_10"])), resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.tls.enable_tls_11", testutil.ConvertConfigVariable(testConfigVarsHttp["tls_enable_tls_11"])), + resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.forward_host_header", testutil.ConvertConfigVariable(testConfigVarsHttp["forward_host_header"])), + resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.strip_response_cookies", testutil.ConvertConfigVariable(testConfigVarsHttp["strip_response_cookies"])), // WAF Checks resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.mode", testutil.ConvertConfigVariable(testConfigVarsHttp["waf_mode"])), @@ -391,6 +399,8 @@ func TestAccCDNDistributionHttp(t *testing.T) { // TLS Checks inside Data Source resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.tls.enable_tls_10", testutil.ConvertConfigVariable(testConfigVarsHttp["tls_enable_tls_10"])), resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.tls.enable_tls_11", testutil.ConvertConfigVariable(testConfigVarsHttp["tls_enable_tls_11"])), + resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.forward_host_header", testutil.ConvertConfigVariable(testConfigVarsHttp["forward_host_header"])), + resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.strip_response_cookies", testutil.ConvertConfigVariable(testConfigVarsHttp["strip_response_cookies"])), // WAF Checks inside Data Source resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.waf.mode", testutil.ConvertConfigVariable(testConfigVarsHttp["waf_mode"])), 
@@ -469,6 +479,8 @@ func TestAccCDNDistributionHttp(t *testing.T) { // TLS Configuration resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.tls.enable_tls_10", testutil.ConvertConfigVariable(configVarsHttpUpdated()["tls_enable_tls_10"])), resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.tls.enable_tls_11", testutil.ConvertConfigVariable(configVarsHttpUpdated()["tls_enable_tls_11"])), + resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.forward_host_header", testutil.ConvertConfigVariable(configVarsHttpUpdated()["forward_host_header"])), + resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.strip_response_cookies", testutil.ConvertConfigVariable(configVarsHttpUpdated()["strip_response_cookies"])), // Checking WAF Mutated Configurations resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.waf.mode", testutil.ConvertConfigVariable(configVarsHttpUpdated()["waf_mode"])), diff --git a/stackit/internal/services/cdn/distribution/datasource.go b/stackit/internal/services/cdn/distribution/datasource.go index aad5662b3..41fd1882f 100644 --- a/stackit/internal/services/cdn/distribution/datasource.go +++ b/stackit/internal/services/cdn/distribution/datasource.go @@ -49,6 +49,8 @@ var dataSourceConfigTypes = map[string]attr.Type{ "tls": types.ObjectType{ AttrTypes: tlsTypes, // Shared from resource.go }, + "strip_response_cookies": types.BoolType, + "forward_host_header": types.BoolType, } type distributionDataSource struct { 
@@ -210,6 +212,16 @@ func (r *distributionDataSource) Schema(_ context.Context, _ datasource.SchemaRe }, }, }, + "strip_response_cookies": schema.BoolAttribute{ + Optional: true, + Computed: true, + Description: schemaDescriptions["config_strip_response_cookies"], + }, + "forward_host_header": schema.BoolAttribute{ + Optional: true, + Computed: true, + Description: schemaDescriptions["config_forward_host_header"], + }, "tls": schema.SingleNestedAttribute{ Description: schemaDescriptions["config_tls_config"], Computed: true, @@ -670,13 +682,15 @@ func mapDataSourceFields(ctx context.Context, distribution *cdnSdk.Distribution, // Use dataSourceConfigTypes cfg, diags := types.ObjectValue(dataSourceConfigTypes, map[string]attr.Value{ - "backend": backend, - "regions": modelRegions, - "blocked_countries": modelBlockedCountries, - "optimizer": optimizerVal, - "redirects": redirectsVal, - "waf": wafVal, - "tls": tlsVal, + "backend": backend, + "regions": modelRegions, + "blocked_countries": modelBlockedCountries, + "optimizer": optimizerVal, + "redirects": redirectsVal, + "waf": wafVal, + "tls": tlsVal, + "strip_response_cookies": types.BoolValue(distribution.Config.StripResponseCookies), + "forward_host_header": types.BoolValue(distribution.Config.ForwardHostHeader), }) if diags.HasError() { return core.DiagsToError(diags) diff --git a/stackit/internal/services/cdn/distribution/resource.go b/stackit/internal/services/cdn/distribution/resource.go index 2d4933489..96779147e 100644 --- a/stackit/internal/services/cdn/distribution/resource.go +++ b/stackit/internal/services/cdn/distribution/resource.go 
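Review bot: In the data source Schema hunk, `strip_response_cookies` and `forward_host_header` are declared with `Optional: true, Computed: true`, while the `tls` attribute right after them is `Computed: true` only. The mapDataSourceFields hunk on the same line always fills both from `distribution.Config`, so a value written in the data source block would, as far as these hunks show, be ignored rather than applied. Dropping `Optional: true,` from both attributes keeps the data source read-only and consistent with `tls`. Schema's body starts and ends outside the hunk.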
@@ -105,6 +105,8 @@ var schemaDescriptions = map[string]string{ "config_tls_config": "Configuration for TLS protocol versions. Note: Enabling older TLS versions (1.0, 1.1) is generally discouraged for security reasons.", "config_tls_enable_tls_10": "If set to true, the distribution will accept connections using TLS 1.0.", "config_tls_enable_tls_11": "If set to true, the distribution will accept connections using TLS 1.1.", + "config_strip_response_cookies": "Enable this to prevent origin-level cookies from being forwarded to the end user.", + "config_forward_host_header": "Enable this allows the 'Host' header to be passed through to the origin.", } type Model struct { 
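Review bot: The new `config_forward_host_header` description reads "Enable this allows the 'Host' header to be passed through to the origin.", which is ungrammatical and ends up in the generated provider docs; `"If set to true, the 'Host' header is passed through to the origin."` matches the wording of the TLS entries above it. The struct comments in the following hunk repeat the paste as `// The Enable this …` and could be reduced to `// Whether origin cookies are stripped from responses` and `// Whether the 'Host' header is forwarded to the origin`. If the forwarded value is the one sent by the client (not confirmed by these hunks), the description could also say that the origin then has to validate it.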
@@ -138,13 +140,15 @@ type redirectConfig struct { } type distributionConfig struct { - Backend backend `tfsdk:"backend"` // The backend associated with the distribution - Redirects *redirectConfig `tfsdk:"redirects"` // A wrapper for a list of redirect rules that allows for redirect settings on a distribution - Regions *[]string `tfsdk:"regions"` // The regions in which data will be cached - BlockedCountries *[]string `tfsdk:"blocked_countries"` // The countries for which content will be blocked - Optimizer types.Object `tfsdk:"optimizer"` // The optimizer configuration - Waf types.Object `tfsdk:"waf"` // The WAF configuration - Tls types.Object `tfsdk:"tls"` // The TLS configuration + Backend backend `tfsdk:"backend"` // The backend associated with the distribution + Redirects *redirectConfig `tfsdk:"redirects"` // A wrapper for a list of redirect rules that allows for redirect settings on a distribution + Regions *[]string `tfsdk:"regions"` // The regions in which data will be cached + BlockedCountries *[]string `tfsdk:"blocked_countries"` // The countries for which content will be blocked + Optimizer types.Object `tfsdk:"optimizer"` // The optimizer configuration + Waf types.Object `tfsdk:"waf"` // The WAF configuration + Tls types.Object `tfsdk:"tls"` // The TLS configuration + StripResponseCookies types.Bool `tfsdk:"strip_response_cookies"` // The Enable this to prevent origin-level cookies from being forwarded to the end user + ForwardHostHeader types.Bool `tfsdk:"forward_host_header"` // The Enable this allows the 'Host' header to be passed through to the origin. } type optimizerConfig struct { @@ -205,6 +209,8 @@ var configTypes = map[string]attr.Type{ "tls": types.ObjectType{ AttrTypes: tlsTypes, }, + "strip_response_cookies": types.BoolType, + "forward_host_header": types.BoolType, } var optimizerTypes = map[string]attr.Type{ 
@@ -406,6 +412,16 @@ func (r *distributionResource) Schema(_ context.Context, _ resource.SchemaReques objectvalidator.AlsoRequires(path.MatchRelative().AtName("enabled")), }, }, + "strip_response_cookies": schema.BoolAttribute{ + Optional: true, + Computed: true, + Description: schemaDescriptions["config_strip_response_cookies"], + }, + "forward_host_header": schema.BoolAttribute{ + Optional: true, + Computed: true, + Description: schemaDescriptions["config_forward_host_header"], + }, "tls": schema.SingleNestedAttribute{ Description: schemaDescriptions["config_tls_config"], Optional: true, @@ -902,7 +918,7 @@ func (r *distributionResource) Update(ctx context.Context, req resource.UpdateRe blockedCountries = tempBlockedCountries } - //tls + // tls var tls *cdnSdk.TlsConfigPatch if !utils.IsUndefined(configModel.Tls) { var tlsValue tlsConfig @@ -969,6 +985,15 @@ func (r *distributionResource) Update(ctx context.Context, req resource.UpdateRe Tls: tls, } + // forwardHostHeader + if !utils.IsUndefined(configModel.ForwardHostHeader) { + configPatch.ForwardHostHeader = new(configModel.ForwardHostHeader.ValueBool()) + } + // stripResponseCookies + if !utils.IsUndefined(configModel.StripResponseCookies) { + configPatch.StripResponseCookies = new(configModel.StripResponseCookies.ValueBool()) + } + configPatch.Waf = &cdnSdk.WafConfigPatch{ Mode: new(cdnSdk.WAFMODE_DISABLED), Type: new(cdnSdk.WAFTYPE_FREE), 
@@ -1422,13 +1447,15 @@ func mapFields(ctx context.Context, distribution *cdnSdk.Distribution, model *Mo } cfg, diags := types.ObjectValue(configTypes, map[string]attr.Value{ - "backend": backend, - "regions": modelRegions, - "blocked_countries": modelBlockedCountries, - "optimizer": optimizerVal, - "redirects": redirectsVal, - "waf": wafVal, - "tls": tlsVal, + "backend": backend, + "regions": modelRegions, + "blocked_countries": modelBlockedCountries, + "optimizer": optimizerVal, + "redirects": redirectsVal, + "waf": wafVal, + "tls": tlsVal, + "strip_response_cookies": types.BoolValue(distribution.Config.StripResponseCookies), + "forward_host_header": types.BoolValue(distribution.Config.ForwardHostHeader), }) if diags.HasError() { return core.DiagsToError(diags) @@ -1501,8 +1528,7 @@ func toCreatePayload(ctx context.Context, model *Model) (*cdnSdk.CreateDistribut } var tls *cdnSdk.TlsConfig - // Leave the tls pointer as nil if the TLS configuration is empty. - if cfg.Tls.EnableTls10 == true || cfg.Tls.EnableTls11 == true { + if !utils.IsUndefined(rawConfig.Tls) { tls = &cfg.Tls } @@ -1552,6 +1578,13 @@ func toCreatePayload(ctx context.Context, model *Model) (*cdnSdk.CreateDistribut Tls: tls, } + if !utils.IsUndefined(rawConfig.ForwardHostHeader) { + payload.ForwardHostHeader = new(rawConfig.ForwardHostHeader.ValueBool()) + } + if !utils.IsUndefined(rawConfig.StripResponseCookies) { + payload.StripResponseCookies = new(rawConfig.StripResponseCookies.ValueBool()) + } + return payload, nil } @@ -1638,7 +1671,6 @@ func convertConfig(ctx context.Context, model *Model) (*cdnSdk.Config, error) { EnableTls10: tlsValue.EnableTls10.ValueBool(), EnableTls11: tlsValue.EnableTls11.ValueBool(), } - } // blockedCountries diff --git a/stackit/internal/services/cdn/distribution/resource_test.go b/stackit/internal/services/cdn/distribution/resource_test.go index 3bdac9f7f..7752039d3 100644 --- a/stackit/internal/services/cdn/distribution/resource_test.go 
+++ b/stackit/internal/services/cdn/distribution/resource_test.go @@ -77,10 +77,6 @@ func TestToCreatePayload(t *testing.T) { "disabled_rule_collection_ids": emptyWafSet, "log_only_rule_collection_ids": emptyWafSet, }) - // defaultTls := types.ObjectValueMust(tlsTypes, map[string]attr.Value{ - // "enable_tls_10": types.BoolValue(false), - // "enable_tls_11": types.BoolValue(false), - // }) redirectsObjType, ok := configTypes["redirects"].(basetypes.ObjectType) if !ok { @@ -89,13 +85,15 @@ func TestToCreatePayload(t *testing.T) { redirectsAttrTypes := redirectsObjType.AttrTypes config := types.ObjectValueMust(configTypes, map[string]attr.Value{ - "backend": backend, - "regions": regionsFixture, - "blocked_countries": blockedCountriesFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "redirects": types.ObjectNull(redirectsTypes), - "waf": defaultWaf, - "tls": types.ObjectNull(tlsTypes), + "backend": backend, + "regions": regionsFixture, + "blocked_countries": blockedCountriesFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "redirects": types.ObjectNull(redirectsTypes), + "waf": defaultWaf, + "tls": types.ObjectNull(tlsTypes), + "strip_response_cookies": types.BoolUnknown(), + "forward_host_header": types.BoolUnknown(), }) matcherValues := types.ListValueMust(types.StringType, []attr.Value{ 
@@ -197,13 +195,15 @@ func TestToCreatePayload(t *testing.T) { "happy_path_with_optimizer": { Input: modelFixture(func(m *Model) { m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ - "backend": backend, - "regions": regionsFixture, - "optimizer": optimizer, - "blocked_countries": blockedCountriesFixture, - "redirects": types.ObjectNull(redirectsTypes), - "waf": defaultWaf, - "tls": types.ObjectNull(tlsTypes), + "backend": backend, + "regions": regionsFixture, + "optimizer": optimizer, + "blocked_countries": blockedCountriesFixture, + "redirects": types.ObjectNull(redirectsTypes), + "waf": defaultWaf, + "tls": types.ObjectNull(tlsTypes), + "strip_response_cookies": types.BoolUnknown(), + "forward_host_header": types.BoolUnknown(), }) }), Expected: &cdnSdk.CreateDistributionPayload{ @@ -225,13 +225,15 @@ func TestToCreatePayload(t *testing.T) { "happy_path_with_redirects": { Input: modelFixture(func(m *Model) { m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ - "backend": backend, - "regions": regionsFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "blocked_countries": blockedCountriesFixture, - "redirects": redirectsConfigVal, - "waf": defaultWaf, - "tls": types.ObjectNull(tlsTypes), + "backend": backend, + "regions": regionsFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "blocked_countries": blockedCountriesFixture, + "redirects": redirectsConfigVal, + "waf": defaultWaf, + "tls": types.ObjectNull(tlsTypes), + "strip_response_cookies": types.BoolUnknown(), + "forward_host_header": types.BoolUnknown(), }) }), Expected: &cdnSdk.CreateDistributionPayload{ 
@@ -282,13 +284,15 @@ func TestToCreatePayload(t *testing.T) { "geofencing": types.MapNull(geofencingTypes.ElemType), }) m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ - "backend": bucketBackend, - "regions": regionsFixture, // reusing the existing one - "blocked_countries": blockedCountriesFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "redirects": types.ObjectNull(redirectsTypes), - "waf": defaultWaf, - "tls": types.ObjectNull(tlsTypes), + "backend": bucketBackend, + "regions": regionsFixture, // reusing the existing one + "blocked_countries": blockedCountriesFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "redirects": types.ObjectNull(redirectsTypes), + "waf": defaultWaf, + "tls": types.ObjectNull(tlsTypes), + "strip_response_cookies": types.BoolUnknown(), + "forward_host_header": types.BoolUnknown(), }) }), Expected: &cdnSdk.CreateDistributionPayload{ 
@@ -310,6 +314,66 @@ func TestToCreatePayload(t *testing.T) { IsValid: true, }, "happy_path_with_waf": { + Input: modelFixture(func(m *Model) { + m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ + "backend": backend, + "regions": regionsFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "blocked_countries": blockedCountriesFixture, + "redirects": types.ObjectNull(redirectsAttrTypes), + "waf": populatedWaf, + "tls": types.ObjectNull(tlsTypes), + "strip_response_cookies": types.BoolUnknown(), + "forward_host_header": types.BoolUnknown(), + }) + }), + Expected: &cdnSdk.CreateDistributionPayload{ + Regions: []cdnSdk.Region{"EU", "US"}, + BlockedCountries: []string{"XX", "YY", "ZZ"}, + Waf: &expectedWafConfig, + Backend: cdnSdk.CreateDistributionPayloadBackend{ + HttpBackendCreate: &cdnSdk.HttpBackendCreate{ + Geofencing: &map[string][]string{"https://de.mycoolapp.com": {"DE", "FR"}}, + OriginRequestHeaders: &map[string]string{"testHeader0": "testHeaderValue0", "testHeader1": "testHeaderValue1"}, + OriginUrl: "https://www.mycoolapp.com", + Type: "http", + }, + }, + }, + IsValid: true, + }, + "happy_path_with_strip_response_and_cookies_forward": { + Input: modelFixture(func(m *Model) { + m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ + "backend": backend, + "regions": regionsFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "blocked_countries": blockedCountriesFixture, + "redirects": types.ObjectNull(redirectsAttrTypes), + "waf": types.ObjectNull(wafTypes), + "tls": types.ObjectNull(tlsTypes), + "strip_response_cookies": types.BoolValue(true), + "forward_host_header": types.BoolValue(true), + }) + }), + Expected: &cdnSdk.CreateDistributionPayload{ + Regions: []cdnSdk.Region{"EU", "US"}, + BlockedCountries: []string{"XX", "YY", "ZZ"}, + Waf: nil, + StripResponseCookies: new(true), + ForwardHostHeader: new(true), + Backend: cdnSdk.CreateDistributionPayloadBackend{ + HttpBackendCreate: &cdnSdk.HttpBackendCreate{ + 
Geofencing: &map[string][]string{"https://de.mycoolapp.com": {"DE", "FR"}}, + OriginRequestHeaders: &map[string]string{"testHeader0": "testHeaderValue0", "testHeader1": "testHeaderValue1"}, + OriginUrl: "https://www.mycoolapp.com", + Type: "http", + }, + }, + }, + IsValid: true, + }, + "happy_path_with_tls": { Input: modelFixture(func(m *Model) { m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ "backend": backend, @@ -317,14 +381,23 @@ func TestToCreatePayload(t *testing.T) { "optimizer": types.ObjectNull(optimizerTypes), "blocked_countries": blockedCountriesFixture, "redirects": types.ObjectNull(redirectsAttrTypes), - "waf": populatedWaf, - "tls": types.ObjectNull(tlsTypes), + "waf": types.ObjectNull(wafTypes), + "tls": types.ObjectValueMust(tlsTypes, map[string]attr.Value{ + "enable_tls_10": types.BoolValue(true), + "enable_tls_11": types.BoolValue(true), + }), + "strip_response_cookies": types.BoolUnknown(), + "forward_host_header": types.BoolUnknown(), }) }), Expected: &cdnSdk.CreateDistributionPayload{ Regions: []cdnSdk.Region{"EU", "US"}, BlockedCountries: []string{"XX", "YY", "ZZ"}, - Waf: &expectedWafConfig, + Waf: nil, + Tls: &cdnSdk.TlsConfig{ + EnableTls10: true, + EnableTls11: true, + }, Backend: cdnSdk.CreateDistributionPayloadBackend{ HttpBackendCreate: &cdnSdk.HttpBackendCreate{ Geofencing: &map[string][]string{"https://de.mycoolapp.com": {"DE", "FR"}}, 
@@ -400,13 +473,15 @@ func TestConvertConfig(t *testing.T) { optimizer := types.ObjectValueMust(optimizerTypes, map[string]attr.Value{"enabled": types.BoolValue(true)}) config := types.ObjectValueMust(configTypes, map[string]attr.Value{ - "backend": backend, - "regions": regionsFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "blocked_countries": blockedCountriesFixture, - "redirects": types.ObjectNull(redirectsTypes), - "waf": types.ObjectNull(wafTypes), - "tls": types.ObjectNull(tlsTypes), + "backend": backend, + "regions": regionsFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "blocked_countries": blockedCountriesFixture, + "redirects": types.ObjectNull(redirectsTypes), + "waf": types.ObjectNull(wafTypes), + "tls": types.ObjectNull(tlsTypes), + "strip_response_cookies": types.BoolUnknown(), + "forward_host_header": types.BoolUnknown(), }) matcherValues := types.ListValueMust(types.StringType, []attr.Value{ @@ -513,13 +588,15 @@ func TestConvertConfig(t *testing.T) { "happy_path_with_optimizer": { Input: modelFixture(func(m *Model) { m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ - "backend": backend, - "regions": regionsFixture, - "optimizer": optimizer, - "blocked_countries": blockedCountriesFixture, - "redirects": types.ObjectNull(redirectsTypes), - "waf": types.ObjectNull(wafTypes), - "tls": types.ObjectNull(tlsTypes), + "backend": backend, + "regions": regionsFixture, + "optimizer": optimizer, + "blocked_countries": blockedCountriesFixture, + "redirects": types.ObjectNull(redirectsTypes), + "waf": types.ObjectNull(wafTypes), + "tls": types.ObjectNull(tlsTypes), + "strip_response_cookies": types.BoolUnknown(), + "forward_host_header": types.BoolUnknown(), }) }), Expected: &cdnSdk.Config{ 
@@ -541,7 +618,8 @@ func TestConvertConfig(t *testing.T) { BlockedCountries: []string{"XX", "YY", "ZZ"}, }, IsValid: true, - }, "happy_path_with_waf": { + }, + "happy_path_with_tls": { Input: modelFixture(func(m *Model) { m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ "backend": backend, @@ -549,8 +627,50 @@ func TestConvertConfig(t *testing.T) { "optimizer": types.ObjectNull(optimizerTypes), "blocked_countries": blockedCountriesFixture, "redirects": types.ObjectNull(redirectsTypes), - "waf": populatedWaf, - "tls": types.ObjectNull(tlsTypes), + "waf": types.ObjectNull(wafTypes), + "tls": types.ObjectValueMust(tlsTypes, map[string]attr.Value{ + "enable_tls_10": types.BoolValue(true), + "enable_tls_11": types.BoolValue(true), + }), + "strip_response_cookies": types.BoolUnknown(), + "forward_host_header": types.BoolUnknown(), + }) + }), + Expected: &cdnSdk.Config{ + Backend: cdnSdk.ConfigBackend{ + HttpBackend: &cdnSdk.HttpBackend{ + OriginRequestHeaders: map[string]string{ + "testHeader0": "testHeaderValue0", + "testHeader1": "testHeaderValue1", + }, + OriginUrl: "https://www.mycoolapp.com", + Type: "http", + Geofencing: map[string][]string{ + "https://de.mycoolapp.com": {"DE", "FR"}, + }, + }, + }, + Regions: []cdnSdk.Region{"EU", "US"}, + BlockedCountries: []string{"XX", "YY", "ZZ"}, + Tls: cdnSdk.TlsConfig{ + EnableTls10: true, + EnableTls11: true, + }, + }, + IsValid: true, + }, + "happy_path_with_waf": { + Input: modelFixture(func(m *Model) { + m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ + "backend": backend, + "regions": regionsFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "blocked_countries": blockedCountriesFixture, + "redirects": types.ObjectNull(redirectsTypes), + "waf": populatedWaf, + "tls": types.ObjectNull(tlsTypes), + "strip_response_cookies": types.BoolUnknown(), + "forward_host_header": types.BoolUnknown(), }) }), Expected: &cdnSdk.Config{ 
@@ -576,13 +696,15 @@ func TestConvertConfig(t *testing.T) { "happy_path_with_redirects": { Input: modelFixture(func(m *Model) { m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ - "backend": backend, - "regions": regionsFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "blocked_countries": blockedCountriesFixture, - "redirects": redirectsConfigVal, - "waf": types.ObjectNull(wafTypes), - "tls": types.ObjectNull(tlsTypes), + "backend": backend, + "regions": regionsFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "blocked_countries": blockedCountriesFixture, + "redirects": redirectsConfigVal, + "waf": types.ObjectNull(wafTypes), + "tls": types.ObjectNull(tlsTypes), + "strip_response_cookies": types.BoolUnknown(), + "forward_host_header": types.BoolUnknown(), }) }), Expected: &cdnSdk.Config{ @@ -637,13 +759,15 @@ func TestConvertConfig(t *testing.T) { "geofencing": types.MapNull(geofencingTypes.ElemType), }) m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ - "backend": bucketBackend, - "regions": regionsFixture, - "blocked_countries": blockedCountriesFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "redirects": types.ObjectNull(redirectsTypes), - "waf": types.ObjectNull(wafTypes), - "tls": types.ObjectNull(tlsTypes), + "backend": bucketBackend, + "regions": regionsFixture, + "blocked_countries": blockedCountriesFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "redirects": types.ObjectNull(redirectsTypes), + "waf": types.ObjectNull(wafTypes), + "tls": types.ObjectNull(tlsTypes), + "strip_response_cookies": types.BoolUnknown(), + "forward_host_header": types.BoolUnknown(), }) }), Expected: &cdnSdk.Config{ 
@@ -799,13 +923,15 @@ func TestMapFields(t *testing.T) { "enable_tls_11": types.BoolValue(false), }) config := types.ObjectValueMust(configTypes, map[string]attr.Value{ - "backend": backend, - "regions": regionsFixture, - "blocked_countries": blockedCountriesFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "redirects": types.ObjectNull(redirectsAttrTypes), - "waf": defaultWaf, - "tls": defaultTls, + "backend": backend, + "regions": regionsFixture, + "blocked_countries": blockedCountriesFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "redirects": types.ObjectNull(redirectsAttrTypes), + "waf": defaultWaf, + "tls": defaultTls, + "strip_response_cookies": types.BoolValue(false), + "forward_host_header": types.BoolValue(false), }) redirectsInput := &cdnSdk.RedirectConfig{ @@ -932,13 +1058,15 @@ func TestMapFields(t *testing.T) { "geofencing": types.MapNull(geofencingTypes.ElemType), }) configOld := types.ObjectValueMust(configTypes, map[string]attr.Value{ - "backend": bucketBackendOld, - "regions": regionsFixture, - "blocked_countries": blockedCountriesFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "redirects": types.ObjectNull(redirectsAttrTypes), - "waf": types.ObjectNull(wafTypes), - "tls": types.ObjectNull(tlsTypes), + "backend": bucketBackendOld, + "regions": regionsFixture, + "blocked_countries": blockedCountriesFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "redirects": types.ObjectNull(redirectsAttrTypes), + "waf": types.ObjectNull(wafTypes), + "tls": types.ObjectNull(tlsTypes), + "strip_response_cookies": types.BoolUnknown(), + "forward_host_header": types.BoolUnknown(), }) tests := map[string]struct { Input *cdnSdk.Distribution 
@@ -954,13 +1082,15 @@ func TestMapFields(t *testing.T) { "happy_path_with_optimizer": { Expected: expectedModel(func(m *Model) { m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ - "backend": backend, - "regions": regionsFixture, - "optimizer": optimizer, - "blocked_countries": blockedCountriesFixture, - "redirects": types.ObjectNull(redirectsAttrTypes), - "waf": defaultWaf, - "tls": defaultTls, + "backend": backend, + "regions": regionsFixture, + "optimizer": optimizer, + "blocked_countries": blockedCountriesFixture, + "redirects": types.ObjectNull(redirectsAttrTypes), + "waf": defaultWaf, + "tls": defaultTls, + "strip_response_cookies": types.BoolValue(false), + "forward_host_header": types.BoolValue(false), }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { @@ -982,13 +1112,15 @@ func TestMapFields(t *testing.T) { "credentials": types.ObjectNull(backendCredentialsTypes), }) m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ - "backend": backendWithGeofencing, - "regions": regionsFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "blocked_countries": blockedCountriesFixture, - "redirects": types.ObjectNull(redirectsAttrTypes), - "waf": defaultWaf, - "tls": defaultTls, + "backend": backendWithGeofencing, + "regions": regionsFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "blocked_countries": blockedCountriesFixture, + "redirects": types.ObjectNull(redirectsAttrTypes), + "waf": defaultWaf, + "tls": defaultTls, + "strip_response_cookies": types.BoolValue(false), + "forward_host_header": types.BoolValue(false), }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { 
@@ -999,13 +1131,15 @@ func TestMapFields(t *testing.T) { "happy_path_with_redirects": { Expected: expectedModel(func(m *Model) { m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ - "backend": backend, - "regions": regionsFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "blocked_countries": blockedCountriesFixture, - "redirects": redirectsConfigExpected, - "waf": defaultWaf, - "tls": defaultTls, + "backend": backend, + "regions": regionsFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "blocked_countries": blockedCountriesFixture, + "redirects": redirectsConfigExpected, + "waf": defaultWaf, + "tls": defaultTls, + "strip_response_cookies": types.BoolValue(false), + "forward_host_header": types.BoolValue(false), }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { @@ -1021,7 +1155,27 @@ func TestMapFields(t *testing.T) { d.Status = "ERROR" }), IsValid: true, - }, "happy_path_with_waf": { + }, + "happy_path_with_waf": { + Expected: expectedModel(func(m *Model) { + m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ + "backend": backend, + "regions": regionsFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "blocked_countries": blockedCountriesFixture, + "redirects": types.ObjectNull(redirectsAttrTypes), + "waf": populatedWaf, + "tls": defaultTls, + "strip_response_cookies": types.BoolValue(false), + "forward_host_header": types.BoolValue(false), + }) + }), + Input: distributionFixture(func(d *cdnSdk.Distribution) { + d.Config.Waf = expectedWafConfig + }), + IsValid: true, + }, + "happy_path_with_tls_and_strip_response_and_cookies_forward": { Expected: expectedModel(func(m *Model) { m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ "backend": backend, 
@@ -1029,12 +1183,22 @@ func TestMapFields(t *testing.T) { "optimizer": types.ObjectNull(optimizerTypes), "blocked_countries": blockedCountriesFixture, "redirects": types.ObjectNull(redirectsAttrTypes), - "waf": populatedWaf, - "tls": defaultTls, + "waf": defaultWaf, + "tls": types.ObjectValueMust(tlsTypes, map[string]attr.Value{ + "enable_tls_10": types.BoolValue(true), + "enable_tls_11": types.BoolValue(true), + }), + "strip_response_cookies": types.BoolValue(false), + "forward_host_header": types.BoolValue(false), }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { - d.Config.Waf = expectedWafConfig + d.Config.Tls = cdnSdk.TlsConfig{ + EnableTls10: true, + EnableTls11: true, + } + d.Config.ForwardHostHeader = false + d.Config.StripResponseCookies = false }), IsValid: true, }, @@ -1086,13 +1250,15 @@ func TestMapFields(t *testing.T) { }), Expected: expectedModel(func(m *Model) { m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{ - "backend": bucketBackendOld, - "regions": regionsFixture, - "blocked_countries": blockedCountriesFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "redirects": types.ObjectNull(redirectsAttrTypes), - "waf": defaultWaf, - "tls": defaultTls, + "backend": bucketBackendOld, + "regions": regionsFixture, + "blocked_countries": blockedCountriesFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "redirects": types.ObjectNull(redirectsAttrTypes), + "waf": defaultWaf, + "tls": defaultTls, + "strip_response_cookies": types.BoolValue(false), + "forward_host_header": types.BoolValue(false), }) }), IsValid: true, diff --git a/stackit/internal/services/cdn/testdata/resource-http-base.tf b/stackit/internal/services/cdn/testdata/resource-http-base.tf index b86a6804b..08ff46e09 100644 --- a/stackit/internal/services/cdn/testdata/resource-http-base.tf +++ b/stackit/internal/services/cdn/testdata/resource-http-base.tf 
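Review bot: The new `happy_path_with_tls_and_strip_response_and_cookies_forward` case sets `d.Config.ForwardHostHeader = false` and `d.Config.StripResponseCookies = false` and expects `types.BoolValue(false)` for both. Every other case in this table expects the same values, so the mapping of these two fields is not exercised here. If the fixture's defaults are also false, a mapper that ignored both fields would still pass. Setting both inputs to `true` and expecting `"strip_response_cookies": types.BoolValue(true)` and `"forward_host_header": types.BoolValue(true)`, as the datasource test later in this series does, would cover them. The case begins in the preceding hunk.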
@@ -33,6 +33,8 @@ variable "waf_disabled_rule_collection_ids_0" {} variable "waf_log_only_rule_collection_ids_0" {} variable "tls_enable_tls_10" {} variable "tls_enable_tls_11" {} +variable "strip_response_cookies" {} +variable "forward_host_header" {} # dns variable "dns_zone_name" {} @@ -84,6 +86,8 @@ resource "stackit_cdn_distribution" "distribution" { enable_tls_10 = var.tls_enable_tls_10 enable_tls_11 = var.tls_enable_tls_11 } + strip_response_cookies = var.strip_response_cookies + forward_host_header = var.forward_host_header waf = { mode = var.waf_mode type = var.waf_type From 9625c8e5e583f34c9f5f2f2a4cea304b45d97a6d Mon Sep 17 00:00:00 2001 From: Matheus Politano Date: Wed, 3 Jun 2026 11:58:29 +0200 Subject: [PATCH 5/7] chore: adjust tls11 --- stackit/internal/services/cdn/distribution/resource.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stackit/internal/services/cdn/distribution/resource.go b/stackit/internal/services/cdn/distribution/resource.go index 96779147e..14f0a3f98 100644 --- a/stackit/internal/services/cdn/distribution/resource.go +++ b/stackit/internal/services/cdn/distribution/resource.go @@ -929,7 +929,7 @@ func (r *distributionResource) Update(ctx context.Context, req resource.UpdateRe } tls = &cdnSdk.TlsConfigPatch{ EnableTls10: new(tlsValue.EnableTls10.ValueBool()), - EnableTls11: new(tlsValue.EnableTls10.ValueBool()), + EnableTls11: new(tlsValue.EnableTls11.ValueBool()), } } From cb675cac5e6395ce418d49e7542223a241f79f45 Mon Sep 17 00:00:00 2001 From: Matheus Politano Date: Thu, 4 Jun 2026 09:43:51 +0200 Subject: [PATCH 6/7] chore: add docs --- docs/data-sources/cdn_distribution.md | 12 ++++++++++++ docs/resources/cdn_distribution.md | 12 ++++++++++++ 2 files changed, 24 insertions(+) diff --git a/docs/data-sources/cdn_distribution.md b/docs/data-sources/cdn_distribution.md index c81d09ad3..32a3e2786 100644 --- a/docs/data-sources/cdn_distribution.md +++ b/docs/data-sources/cdn_distribution.md 
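Review bot: The `EnableTls10`/`EnableTls11` copy-paste corrected on the `EnableTls11:` line has no test that would have failed on it. The TLS cases visible in this series (`happy_path_with_tls_and_strip_response_and_cookies_forward` in resource_test.go and in datasource_test.go) set both flags to `true`, so reading the wrong field gives the same result. A case with differing values, for example TLS 1.0 off and TLS 1.1 on, in whatever test covers this patch payload and in the two mapping tables would pin the fix. The same kind of mix-up is still visible in the docs added by the next patch, where `enable_tls_10` is described as accepting TLS 1.1 and `enable_tls_11` as accepting TLS 1.0. That suggests the description keys are crossed in the schema, and an operator following that text would enable the older protocol version by mistake. Update's body continues outside the hunk.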
@@ -46,6 +46,8 @@ data "stackit_cdn_distribution" "example" { Optional: - `blocked_countries` (List of String) The configured countries where distribution of content is blocked +- `forward_host_header` (Boolean) Enable this allows the 'Host' header to be passed through to the origin. +- `strip_response_cookies` (Boolean) Enable this to prevent origin-level cookies from being forwarded to the end user. Read-Only: @@ -53,6 +55,7 @@ Read-Only: - `optimizer` (Attributes) Configuration for the Image Optimizer. This is a paid feature that automatically optimizes images to reduce their file size for faster delivery, leading to improved website performance and a better user experience. (see [below for nested schema](#nestedatt--config--optimizer)) - `redirects` (Attributes) A wrapper for a list of redirect rules that allows for redirect settings on a distribution (see [below for nested schema](#nestedatt--config--redirects)) - `regions` (List of String) The configured regions where content will be hosted +- `tls` (Attributes) Configuration for TLS protocol versions. Note: Enabling older TLS versions (1.0, 1.1) is generally discouraged for security reasons. (see [below for nested schema](#nestedatt--config--tls)) - `waf` (Attributes) Configures the Web Application Firewall (WAF) for the distribution. If this block is undefined or removed from your configuration, the WAF mode will default to DISABLED and the type to FREE. All other WAF properties will retain their last known state in the API; if they were never defined, the API will apply its default settings. (see [below for nested schema](#nestedatt--config--waf)) @@ -106,6 +109,15 @@ Read-Only: + +### Nested Schema for `config.tls` + +Read-Only: + +- `enable_tls_10` (Boolean) If set to true, the distribution will accept connections using TLS 1.1. +- `enable_tls_11` (Boolean) If set to true, the distribution will accept connections using TLS 1.0. + + ### Nested Schema for `config.waf` 
diff --git a/docs/resources/cdn_distribution.md b/docs/resources/cdn_distribution.md index 046eeffae..0ec70a3b8 100644 --- a/docs/resources/cdn_distribution.md +++ b/docs/resources/cdn_distribution.md @@ -146,8 +146,11 @@ Required: Optional: - `blocked_countries` (List of String) The configured countries where distribution of content is blocked +- `forward_host_header` (Boolean) Enable this allows the 'Host' header to be passed through to the origin. - `optimizer` (Attributes) Configuration for the Image Optimizer. This is a paid feature that automatically optimizes images to reduce their file size for faster delivery, leading to improved website performance and a better user experience. (see [below for nested schema](#nestedatt--config--optimizer)) - `redirects` (Attributes) A wrapper for a list of redirect rules that allows for redirect settings on a distribution (see [below for nested schema](#nestedatt--config--redirects)) +- `strip_response_cookies` (Boolean) Enable this to prevent origin-level cookies from being forwarded to the end user. +- `tls` (Attributes) Configuration for TLS protocol versions. Note: Enabling older TLS versions (1.0, 1.1) is generally discouraged for security reasons. (see [below for nested schema](#nestedatt--config--tls)) - `waf` (Attributes) Configures the Web Application Firewall (WAF) for the distribution. If this block is undefined or removed from your configuration, the WAF mode will default to DISABLED and the type to FREE. All other WAF properties will retain their last known state in the API; if they were never defined, the API will apply its default settings. (see [below for nested schema](#nestedatt--config--waf)) 
@@ -220,6 +223,15 @@ Optional: + +### Nested Schema for `config.tls` + +Optional: + +- `enable_tls_10` (Boolean) If set to true, the distribution will accept connections using TLS 1.1. +- `enable_tls_11` (Boolean) If set to true, the distribution will accept connections using TLS 1.0. + + ### Nested Schema for `config.waf` From 4a65f6a39a613fdd7477718f3beeca1025f8d459 Mon Sep 17 00:00:00 2001 From: Matheus Politano Date: Thu, 4 Jun 2026 09:58:10 +0200 Subject: [PATCH 7/7] chore: fix the datasource --- .../stackit_cdn_distribution/resource.tf | 7 + .../cdn/distribution/datasource_test.go | 123 ++++++++++++------ 2 files changed, 88 insertions(+), 42 deletions(-) diff --git a/examples/resources/stackit_cdn_distribution/resource.tf b/examples/resources/stackit_cdn_distribution/resource.tf index afeabecc6..4475b8854 100644 --- a/examples/resources/stackit_cdn_distribution/resource.tf +++ b/examples/resources/stackit_cdn_distribution/resource.tf @@ -57,6 +57,13 @@ resource "stackit_cdn_distribution" "example_bucket_distribution" { ] } + tls = { + enable_tls_10 = true + enable_tls_11 = true + } + strip_response_cookies = true + forward_host_header = true + # WAF Configuration # # Precedence Hierarchy: Specific Rules > Groups > Collections diff --git a/stackit/internal/services/cdn/distribution/datasource_test.go b/stackit/internal/services/cdn/distribution/datasource_test.go index 9ab8ca867..96513d5ad 100644 --- a/stackit/internal/services/cdn/distribution/datasource_test.go +++ b/stackit/internal/services/cdn/distribution/datasource_test.go 
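Review bot: The `tls` block added to the `example_bucket_distribution` example turns on both legacy protocol versions (`enable_tls_10 = true`, `enable_tls_11 = true`). Examples are what users copy into real configurations, and the attribute description added in this series calls enabling these versions generally discouraged. I would show the block with `enable_tls_10 = false` and `enable_tls_11 = false`, preceded by a comment such as `# Legacy TLS versions; enable only for clients that cannot negotiate TLS 1.2 or newer`. The resource block starts and ends outside the hunk.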
@@ -63,13 +63,15 @@ func TestMapDataSourceFields(t *testing.T) { "enable_tls_11": types.BoolValue(false), }) config := types.ObjectValueMust(dataSourceConfigTypes, map[string]attr.Value{ - "backend": backend, - "regions": regionsFixture, - "blocked_countries": blockedCountriesFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "redirects": types.ObjectNull(redirectsTypes), - "waf": emptyWaf, - "tls": defaultTls, + "backend": backend, + "regions": regionsFixture, + "blocked_countries": blockedCountriesFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "redirects": types.ObjectNull(redirectsTypes), + "waf": emptyWaf, + "tls": defaultTls, + "strip_response_cookies": types.BoolValue(false), + "forward_host_header": types.BoolValue(false), }) redirectsInput := cdnSdk.RedirectConfig{ Rules: []cdnSdk.RedirectRule{ @@ -237,13 +239,15 @@ func TestMapDataSourceFields(t *testing.T) { "happy_path_with_optimizer": { Expected: expectedModel(func(m *Model) { m.Config = types.ObjectValueMust(dataSourceConfigTypes, map[string]attr.Value{ - "backend": backend, - "regions": regionsFixture, - "optimizer": optimizer, - "blocked_countries": blockedCountriesFixture, - "redirects": types.ObjectNull(redirectsTypes), - "waf": emptyWaf, - "tls": defaultTls, + "backend": backend, + "regions": regionsFixture, + "optimizer": optimizer, + "blocked_countries": blockedCountriesFixture, + "redirects": types.ObjectNull(redirectsTypes), + "waf": emptyWaf, + "tls": defaultTls, + "strip_response_cookies": types.BoolValue(false), + "forward_host_header": types.BoolValue(false), }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { 
@@ -265,13 +269,15 @@ func TestMapDataSourceFields(t *testing.T) { }), Expected: expectedModel(func(m *Model) { m.Config = types.ObjectValueMust(dataSourceConfigTypes, map[string]attr.Value{ - "backend": bucketBackendExpected, - "regions": regionsFixture, - "blocked_countries": blockedCountriesFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "redirects": types.ObjectNull(redirectsTypes), - "waf": emptyWaf, - "tls": defaultTls, + "backend": bucketBackendExpected, + "regions": regionsFixture, + "blocked_countries": blockedCountriesFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "redirects": types.ObjectNull(redirectsTypes), + "waf": emptyWaf, + "tls": defaultTls, + "strip_response_cookies": types.BoolValue(false), + "forward_host_header": types.BoolValue(false), }) }), IsValid: true, @@ -287,13 +293,15 @@ func TestMapDataSourceFields(t *testing.T) { "region": types.StringNull(), }) m.Config = types.ObjectValueMust(dataSourceConfigTypes, map[string]attr.Value{ - "backend": backendWithGeofencing, - "regions": regionsFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "blocked_countries": blockedCountriesFixture, - "redirects": types.ObjectNull(redirectsTypes), - "waf": emptyWaf, - "tls": defaultTls, + "backend": backendWithGeofencing, + "regions": regionsFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "blocked_countries": blockedCountriesFixture, + "redirects": types.ObjectNull(redirectsTypes), + "waf": emptyWaf, + "tls": defaultTls, + "strip_response_cookies": types.BoolValue(false), + "forward_host_header": types.BoolValue(false), }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { 
@@ -313,13 +321,15 @@ func TestMapDataSourceFields(t *testing.T) { "happy_path_with_redirects": { Expected: expectedModel(func(m *Model) { m.Config = types.ObjectValueMust(dataSourceConfigTypes, map[string]attr.Value{ - "backend": backend, - "regions": regionsFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "blocked_countries": blockedCountriesFixture, - "redirects": redirectsConfigExpected, - "waf": emptyWaf, - "tls": defaultTls, + "backend": backend, + "regions": regionsFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "blocked_countries": blockedCountriesFixture, + "redirects": redirectsConfigExpected, + "waf": emptyWaf, + "tls": defaultTls, + "strip_response_cookies": types.BoolValue(false), + "forward_host_header": types.BoolValue(false), }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { @@ -330,13 +340,15 @@ func TestMapDataSourceFields(t *testing.T) { "happy_path_with_waf": { Expected: expectedModel(func(m *Model) { m.Config = types.ObjectValueMust(dataSourceConfigTypes, map[string]attr.Value{ - "backend": backend, - "regions": regionsFixture, - "optimizer": types.ObjectNull(optimizerTypes), - "blocked_countries": blockedCountriesFixture, - "redirects": types.ObjectNull(redirectsTypes), - "waf": populatedWaf, - "tls": defaultTls, + "backend": backend, + "regions": regionsFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "blocked_countries": blockedCountriesFixture, + "redirects": types.ObjectNull(redirectsTypes), + "waf": populatedWaf, + "tls": defaultTls, + "strip_response_cookies": types.BoolValue(false), + "forward_host_header": types.BoolValue(false), }) }), Input: distributionFixture(func(d *cdnSdk.Distribution) { 
@@ -377,6 +389,33 @@ func TestMapDataSourceFields(t *testing.T) { }), IsValid: true, }, + "happy_path_with_tls_and_strip_response_and_cookies_forward": { + Expected: expectedModel(func(m *Model) { + m.Config = types.ObjectValueMust(dataSourceConfigTypes, map[string]attr.Value{ + "backend": backend, + "regions": regionsFixture, + "optimizer": types.ObjectNull(optimizerTypes), + "blocked_countries": blockedCountriesFixture, + "redirects": types.ObjectNull(redirectsTypes), + "waf": emptyWaf, + "tls": types.ObjectValueMust(tlsTypes, map[string]attr.Value{ + "enable_tls_10": types.BoolValue(true), + "enable_tls_11": types.BoolValue(true), + }), + "strip_response_cookies": types.BoolValue(true), + "forward_host_header": types.BoolValue(true), + }) + }), + Input: distributionFixture(func(d *cdnSdk.Distribution) { + d.Config.Tls = cdnSdk.TlsConfig{ + EnableTls10: true, + EnableTls11: true, + } + d.Config.ForwardHostHeader = true + d.Config.StripResponseCookies = true + }), + IsValid: true, + }, "sad_path_distribution_nil": { Expected: nil, Input: nil,