[Docs] Review cloudflare_ruleset Terraform examples

Author: pedrosousa

src/content/docs/cache/how-to/cache-rules/terraform-example.mdx

@@ -6,14 +6,12 @@ sidebar:
 head:
   - tag: title
     content: Cache Rules — Terraform example
-
 ---
 
-import { Details } from "~/components"
+import { Details } from "~/components";
 
 The following example defines a single cache rule for a zone using Terraform. The rule configures several cache settings and sets a custom cache key for incoming requests addressed at `example.net`.
 
-
 <Details header="Terraform `cloudflare_ruleset` resource">
 
 ```tf
@@ -26,7 +24,10 @@ resource "cloudflare_ruleset" "cache_rules_example" {
   phase       = "http_request_cache_settings"
 
   rules {
-    action = "set_cache_settings"
+		ref         = "cache_settings_custom_cache_key"
+    description = "Set cache settings and custom cache key for example.net"
+    expression  = "(http.host eq \"example.net\")"
+    action      = "set_cache_settings"
     action_parameters {
       edge_ttl {
         mode    = "override_origin"
@@ -77,14 +78,10 @@ resource "cloudflare_ruleset" "cache_rules_example" {
       }
       origin_error_page_passthru = false
     }
-    expression  = "(http.host eq \"example.net\")"
-    description = "Set cache settings and custom cache key for example.net"
-    enabled     = true
   }
 }
 ```
 
-
 </Details>
 
 For additional guidance on using Terraform with Cloudflare, refer to [Terraform](/terraform/).

src/content/docs/rules/configuration-rules/examples/define-single-configuration-terraform.mdx

@@ -23,14 +23,14 @@ resource "cloudflare_ruleset" "http_config_rules_example" {
   phase       = "http_config_settings"
 
   rules {
-    action = "set_config"
+    ref         = "disable_obfuscation_bic"
+    description = "Disable email obfuscation and BIC for API requests"
+    expression  = "(http.request.uri.path matches \"^/api/\")"
+    action      = "set_config"
     action_parameters {
       email_obfuscation = false
       bic               = false
     }
-    expression  = "(http.request.uri.path matches \"^/api/\")"
-    description = "Disable email obfuscation and BIC for API requests"
-    enabled     = true
   }
 }
 ```

src/content/docs/rules/origin-rules/examples/define-single-origin-terraform.mdx

@@ -23,17 +23,17 @@ resource "cloudflare_ruleset" "http_origin_example" {
   phase       = "http_request_origin"
 
   rules {
-    action = "route"
+	  ref         = "change_api_origin"
+    description = "Change origin of API requests"
+    expression  = "(http.request.uri.path matches \"^/api/\")"
+    action      = "route"
     action_parameters {
       host_header = "example.net"
       origin {
         host = "example.net"
         port = 8000
       }
     }
-    expression  = "(http.request.uri.path matches \"^/api/\")"
-    description = "Change origin of API requests"
-    enabled     = true
   }
 }
 ```

src/content/docs/rules/url-forwarding/single-redirects/terraform-example.mdx

@@ -20,7 +20,10 @@ resource "cloudflare_ruleset" "single_redirects_example" {
   phase       = "http_request_dynamic_redirect"
 
   rules {
-    action = "redirect"
+    ref         = "redirect_old_url"
+    description = "Redirect visitors still using old URL"
+    expression  = "(http.request.uri.path matches \"^/contact-us/\")"
+    action      = "redirect"
     action_parameters {
       from_value {
         status_code = 301
@@ -30,9 +33,6 @@ resource "cloudflare_ruleset" "single_redirects_example" {
         preserve_query_string = false
       }
     }
-    expression  = "(http.request.uri.path matches \"^/contact-us/\")"
-    description = "Redirect visitors still using old URL"
-    enabled     = true
   }
 }
 ```

src/content/docs/terraform/additional-configurations/ddos-managed-rulesets.mdx

@@ -45,21 +45,21 @@ resource "cloudflare_ruleset" "zone_level_http_ddos_config" {
   phase       = "ddos_l7"
 
   rules {
-    action = "execute"
+    ref         = "override_l7_ddos_ruleset_all"
+    description = "Override the HTTP DDoS Attack Protection managed ruleset"
+    expression  = "true"
+    action      = "execute"
     action_parameters {
       # Cloudflare L7 DDoS Attack Protection Ruleset
       id = "4d21379b4f9f4bb088e0729962c8b3cf"
       overrides {
         rules {
           # Rule: HTTP requests with unusual HTTP headers or URI path (signature #11).
-          id = "fdfdac75430c4c47a959592f0aa5e68a"
+          id                = "fdfdac75430c4c47a959592f0aa5e68a"
           sensitivity_level = "low"
         }
       }
     }
-    expression = "true"
-    description = "Override the HTTP DDoS Attack Protection managed ruleset"
-    enabled = true
   }
 }
 ```
@@ -86,21 +86,21 @@ resource "cloudflare_ruleset" "account_level_network_ddos_config" {
   phase       = "ddos_l4"
 
   rules {
-    action = "execute"
+    ref         = "override_l7_ddos_ruleset_dst_ip"
+    description = "Override the HTTP DDoS Attack Protection managed ruleset"
+    expression  = "ip.dst in { 192.0.2.0/24 }"
+    action      = "execute"
     action_parameters {
       # Cloudflare L3/4 DDoS Attack Protection Ruleset
       id = "3b64149bfa6e4220bbbc2bd6db589552"
       overrides {
         rules {
           # Rule: Generic high-volume UDP traffic flows.
-          id = "599dab0942ff4898ac1b7797e954e98b"
+          id                = "599dab0942ff4898ac1b7797e954e98b"
           sensitivity_level = "low"
         }
       }
     }
-    expression = "ip.dst in { 192.0.2.0/24 }"
-    description = "Override the HTTP DDoS Attack Protection managed ruleset"
-    enabled = true
   }
 }
 ```
@@ -159,53 +159,53 @@ resource "cloudflare_ruleset" "zone_level_http_ddos_config" {
   # level.
 
   rules {
+    ref         = "l7_ddos_block_traffic_low_threshold"
     description = "At the low sensitivity threshold, block the traffic"
-    action = "execute"
+    expression  = "true"
+    action      = "execute"
     action_parameters {
       # Cloudflare L7 DDoS Attack Protection Ruleset
       id = "4d21379b4f9f4bb088e0729962c8b3cf"
       overrides {
         rules {
           # Rule: HTTP requests from known botnet (signature #4).
-          id = "29d170ba2f004cc787b1ac272c9e04e7"
+          id                = "29d170ba2f004cc787b1ac272c9e04e7"
           sensitivity_level = "low"
-          action = "block"
+          action            = "block"
         }
         rules {
           # Rule: HTTP requests with unusual HTTP headers or URI path (signature #16).
-          id = "60a48054bbcf4014ac63c44f1712a123"
+          id                = "60a48054bbcf4014ac63c44f1712a123"
           sensitivity_level = "low"
-          action = "block"
+          action            = "block"
         }
       }
     }
-    expression = "true"
-    enabled = true
   }
 
   rules {
+    ref         = "l7_ddos_log_default_threshold"
     description = "At the default sensitivity threshold, log to see if any legitimate traffic gets caught"
-    action = "execute"
+    expression  = "true"
+    action      = "execute"
     action_parameters {
       # Cloudflare L7 DDoS Attack Protection Ruleset
       id = "4d21379b4f9f4bb088e0729962c8b3cf"
       overrides {
         rules {
           # Rule: HTTP requests from known botnet (signature #4).
-          id = "29d170ba2f004cc787b1ac272c9e04e7"
+          id                = "29d170ba2f004cc787b1ac272c9e04e7"
           sensitivity_level = "default"
-          action = "log"
+          action            = "log"
         }
         rules {
           # Rule: HTTP requests with unusual HTTP headers or URI path (signature #16).
-          id = "60a48054bbcf4014ac63c44f1712a123"
+          id                = "60a48054bbcf4014ac63c44f1712a123"
           sensitivity_level = "default"
-          action = "log"
+          action            = "log"
         }
       }
     }
-    expression = "true"
-    enabled = true
   }
 }
 ```

src/content/docs/terraform/additional-configurations/rate-limiting-rules.mdx

@@ -6,18 +6,17 @@ sidebar:
 head:
   - tag: title
     content: Configure rate limiting rules with Terraform
-
 ---
 
-import { Details, Render } from "~/components"
+import { Details, Render } from "~/components";
 
 This page provides an example of creating a rate limiting rule in a zone using Terraform.
 
 For more information on rate limiting rules, refer to [Rate limiting rules](/waf/rate-limiting-rules/) in the Cloudflare WAF documentation.
 
 :::note
 
-For more information on configuring the previous version of rate limiting rules in Terraform, refer to the [`cloudflare_rate_limit` resource](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/rate_limit) in the Terraform documentation. 
+For more information on configuring the previous version of rate limiting rules in Terraform, refer to the [`cloudflare_rate_limit` resource](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/rate_limit) in the Terraform documentation.
 :::
 
 ## Before you start
@@ -30,7 +29,7 @@ For more information on configuring the previous version of rate limiting rules
 
 <Render file="import-delete-existing-rulesets" />
 
-***
+---
 
 ## Create a rate limiting rule
 
@@ -45,31 +44,29 @@ resource "cloudflare_ruleset" "zone_rl" {
   phase       = "http_ratelimit"
 
   rules {
-    action = "block"
+    ref         = "rate_limit_api_requests_ip"
+    description = "Rate limit API requests by IP"
+    expression  = "(http.request.uri.path matches \"^/api/\")"
+    action      = "block"
     ratelimit {
       characteristics = ["cf.colo.id", "ip.src"]
       period = 60
       requests_per_period = 100
       mitigation_timeout = 600
     }
-    expression = "(http.request.uri.path matches \"^/api/\")"
-    description = "My rate limiting rule"
-    enabled = true
   }
 }
 ```
 
-<Render file="add-new-rule" params={{ one: "rate limiting rule" }} /> <br/>
-
+<Render file="add-new-rule" params={{ one: "rate limiting rule" }} /> <br />
 
 <Details header="Account-level example configuration">
 
 :::note[Before you start]
 
+- Account-level rate limiting configuration requires an Enterprise plan with a paid add-on.
 
-* Account-level rate limiting configuration requires an Enterprise plan with a paid add-on.
-
-* Custom rulesets deployed at the account level will only apply to incoming traffic of zones on an Enterprise plan. The expression of your `execute` rule must end with `and cf.zone.plan eq "ENT"`. 
+- Custom rulesets deployed at the account level will only apply to incoming traffic of zones on an Enterprise plan. The expression of your `execute` rule must end with `and cf.zone.plan eq "ENT"`.
   :::
 
 This example defines a [custom ruleset](/ruleset-engine/custom-rulesets/) with a single rate limiting rule in account with ID `<ACCOUNT_ID>` that blocks traffic for the `/api/` path exceeding the configured rate. The second `cloudflare_ruleset` resource defines an `execute` rule that deploys the custom ruleset for traffic addressed at `example.com`.
@@ -83,16 +80,16 @@ resource "cloudflare_ruleset" "account_rl" {
   phase       = "http_ratelimit"
 
   rules {
-    action = "block"
+    ref         = "rate_limit_api_ip"
+    description = "Rate limit API requests by IP"
+    expression  = "http.request.uri.path contains \"/api/\""
+    action      = "block"
     ratelimit {
-      characteristics = ["cf.colo.id", "ip.src"]
-      period = 60
+      characteristics     = ["cf.colo.id", "ip.src"]
+      period              = 60
       requests_per_period = 100
-      mitigation_timeout = 600
+      mitigation_timeout  = 600
     }
-    expression = "http.request.uri.path contains \"/api/\""
-    description = "API rule"
-    enabled = true
   }
 }
 
@@ -108,26 +105,25 @@ resource "cloudflare_ruleset" "account_rl_entrypoint" {
 
   rules {
     # Deploy the previously defined custom ruleset containing a rate limiting rule
-    action = "execute"
+    ref         = "deploy_rate_limit_example_com"
+    description = "Deploy custom ruleset with RL rule"
+    expression  = "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\""
+    action      = "execute"
     action_parameters {
       id = cloudflare_ruleset.account_rl.id
     }
-    expression = "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\""
-    description = "Deploy custom ruleset with RL rule"
-    enabled = true
   }
 }
 ```
 
-
 </Details>
 
 ## Create an advanced rate limiting rule
 
 This example creates a rate limiting rule in zone with ID `<ZONE_ID>` with:
 
-* A custom counting expression that includes a response field (`http.response.code`).
-* A custom JSON response for rate limited requests.
+- A custom counting expression that includes a response field (`http.response.code`).
+- A custom JSON response for rate limited requests.
 
 ```tf
 resource "cloudflare_ruleset" "zone_rl_custom_response" {
@@ -138,26 +134,26 @@ resource "cloudflare_ruleset" "zone_rl_custom_response" {
   phase       = "http_ratelimit"
 
   rules {
-    action = "block"
+    ref         = "rate_limit_example_com_status_404"
+    description = "Rate limit requests to www.example.com when exceeding the threshold of 404 responses on /status/"
+    expression  = "http.host eq \"www.example.com\" and (http.request.uri.path matches \"^/status/\")"
+    action      = "block"
     action_parameters {
       response {
-        status_code = 429
-        content = "{\"response\": \"block\"}"
+        status_code  = 429
+        content      = "{\"response\": \"block\"}"
         content_type = "application/json"
       }
     }
     ratelimit {
-      characteristics = ["ip.src", "cf.colo.id"]
-      period = 10
+      characteristics     = ["ip.src", "cf.colo.id"]
+      period              = 10
       requests_per_period = 5
-      mitigation_timeout = 30
+      mitigation_timeout  = 30
       counting_expression = "(http.host eq \"www.example.com\") and (http.request.uri.path matches \"^/status/\") and (http.response.code eq 404)"
     }
-    expression = "http.host eq \"www.example.com\" and (http.request.uri.path matches \"^/status/\")"
-    description = "Rate limit requests to www.example.com when exceeding the threshold of 404 responses on /status/"
-    enabled = true
   }
 }
 ```
 
-<Render file="add-new-rule" params={{ one: "rate limiting rule" }} /> <br/>
+<Render file="add-new-rule" params={{ one: "rate limiting rule" }} /> <br />