feat(edge-services): support route and waf references on cache and tls stages

yfodil · yfodil · commit d557ca58f698 · 2025-04-14T10:36:16.000+02:00
diff --git a/docs/resources/edge_services_cache_stage.md b/docs/resources/edge_services_cache_stage.md
@@ -36,6 +36,8 @@ resource "scaleway_edge_services_cache_stage" "main" {
 
 - `pipeline_id` - (Required) The ID of the pipeline.
 - `backend_stage_id` - (Optional) The backend stage ID the cache stage will be linked to.
+- `route_stage_id` - (Optional) The route stage ID the cache stage will be linked to.
+- `waf_stage_id` - (Optional) The WAF stage ID the cache stage will be linked to.
 - `fallback_ttl` - (Optional) The Time To Live (TTL) in seconds. Defines how long content is cached.
 - `refresh_cache` - (Optional) Trigger a refresh of the cache by changing this field's value.
 - `purge_requests` - (Optional) The Scaleway Object Storage origin bucket (S3) linked to the backend stage.
diff --git a/docs/resources/edge_services_pipeline.md b/docs/resources/edge_services_pipeline.md
@@ -26,12 +26,10 @@ resource "scaleway_edge_services_pipeline" "main" {
   description = "pipeline description"
 }
 
-resource "scaleway_edge_services_backend_stage" "main" {
-  pipeline_id = scaleway_edge_services_pipeline.main.id
-  s3_backend_config {
-    bucket_name   = "my-bucket-name"
-    bucket_region = "fr-par"
-  }
+resource "scaleway_edge_services_dns_stage" "main" {
+  pipeline_id  = scaleway_edge_services_pipeline.main.id
+  tls_stage_id = scaleway_edge_services_tls_stage.main.id
+  fqdns        = ["subdomain.example.com"]
 }
 
 resource "scaleway_edge_services_tls_stage" "main" {
@@ -40,20 +38,45 @@ resource "scaleway_edge_services_tls_stage" "main" {
   managed_certificate = true
 }
 
-resource "scaleway_edge_services_dns_stage" "main" {
-  pipeline_id  = scaleway_edge_services_pipeline.main.id
-  tls_stage_id = scaleway_edge_services_tls_stage.main.id
-  fqdns        = ["subdomain.example.com"]
+resource "scaleway_edge_services_cache_stage" "main" {
+  pipeline_id      = scaleway_edge_services_pipeline.main.id
+  route_stage_id   = scaleway_edge_services_route_stage.main.id
 }
 
-resource "scaleway_edge_services_head_stage" "main" {
+resource "scaleway_edge_services_route_stage" "main" {
   pipeline_id   = scaleway_edge_services_pipeline.main.id
-  head_stage_id = scaleway_edge_services_dns_stage.main.id
+  waf_stage_id  = scaleway_edge_services_waf_stage.main.id
+
+  rule {
+    backend_stage_id = scaleway_edge_services_backend_stage.main.id
+    rule_http_match {
+      method_filters = ["get", "post"]
+      path_filter {
+        path_filter_type = "regex"
+        value            = ".*"
+      }
+    }
+  }
 }
 
-resource "scaleway_edge_services_cache_stage" "main" {
+resource "scaleway_edge_services_waf_stage" "main" {
   pipeline_id      = scaleway_edge_services_pipeline.main.id
   backend_stage_id = scaleway_edge_services_backend_stage.main.id
+  mode             = "enable"
+  paranoia_level   = 3
+}
+
+resource "scaleway_edge_services_backend_stage" "main" {
+  pipeline_id = scaleway_edge_services_pipeline.main.id
+  s3_backend_config {
+    bucket_name   = "my-bucket-name"
+    bucket_region = "fr-par"
+  }
+}
+
+resource "scaleway_edge_services_head_stage" "main" {
+  pipeline_id   = scaleway_edge_services_pipeline.main.id
+  head_stage_id = scaleway_edge_services_dns_stage.main.id
 }
 ```
 
diff --git a/docs/resources/edge_services_tls_stage.md b/docs/resources/edge_services_tls_stage.md
@@ -35,6 +35,8 @@ resource "scaleway_edge_services_tls_stage" "main" {
 - `pipeline_id` - (Required) The ID of the pipeline.
 - `backend_stage_id` - (Optional) The backend stage ID the TLS stage will be linked to.
 - `cache_stage_id` - (Optional) The cache stage ID the TLS stage will be linked to.
+- `route_stage_id` - (Optional) The route stage ID the TLS stage will be linked to.
+- `waf_stage_id` - (Optional) The WAF stage ID the TLS stage will be linked to.
 - `managed_certificate` - (Optional) Set to true when Scaleway generates and manages a Let's Encrypt certificate for the TLS stage/custom endpoint.
 - `secrets` - (Optional) The TLS secrets.
     - `bucket_name` - The ID of the secret.
diff --git a/internal/services/edgeservices/cache_stage.go b/internal/services/edgeservices/cache_stage.go
@@ -34,6 +34,18 @@ func ResourceCacheStage() *schema.Resource {
 				Computed:    true,
 				Description: "The backend stage ID the cache stage will be linked to",
 			},
+			"waf_stage_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Computed:    true,
+				Description: "The WAF stage ID the cache stage will be linked to",
+			},
+			"route_stage_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Computed:    true,
+				Description: "The route stage ID the cache stage will be linked to",
+			},
 			"fallback_ttl": {
 				Type:        schema.TypeInt,
 				Optional:    true,
@@ -92,6 +104,8 @@ func ResourceCacheStageCreate(ctx context.Context, d *schema.ResourceData, m int
 	cacheStage, err := api.CreateCacheStage(&edgeservices.CreateCacheStageRequest{
 		PipelineID:     d.Get("pipeline_id").(string),
 		BackendStageID: types.ExpandStringPtr(d.Get("backend_stage_id").(string)),
+		RouteStageID:   types.ExpandStringPtr(d.Get("route_stage_id").(string)),
+		WafStageID:     types.ExpandStringPtr(d.Get("waf_stage_id").(string)),
 		FallbackTTL:    &scw.Duration{Seconds: int64(d.Get("fallback_ttl").(int))},
 	}, scw.WithContext(ctx))
 	if err != nil {
@@ -123,6 +137,8 @@ func ResourceCacheStageRead(ctx context.Context, d *schema.ResourceData, m inter
 	_ = d.Set("created_at", types.FlattenTime(cacheStage.CreatedAt))
 	_ = d.Set("updated_at", types.FlattenTime(cacheStage.UpdatedAt))
 	_ = d.Set("backend_stage_id", types.FlattenStringPtr(cacheStage.BackendStageID))
+	_ = d.Set("route_stage_id", types.FlattenStringPtr(cacheStage.RouteStageID))
+	_ = d.Set("waf_stage_id", types.FlattenStringPtr(cacheStage.WafStageID))
 	_ = d.Set("fallback_ttl", cacheStage.FallbackTTL.Seconds)
 
 	return nil
@@ -142,6 +158,16 @@ func ResourceCacheStageUpdate(ctx context.Context, d *schema.ResourceData, m int
 		hasChanged = true
 	}
 
+	if d.HasChange("route_stage_id") {
+		updateRequest.RouteStageID = types.ExpandUpdatedStringPtr(d.Get("route_stage_id"))
+		hasChanged = true
+	}
+
+	if d.HasChange("waf_stage_id") {
+		updateRequest.WafStageID = types.ExpandUpdatedStringPtr(d.Get("waf_stage_id"))
+		hasChanged = true
+	}
+
 	if d.HasChange("fallback_ttl") {
 		updateRequest.FallbackTTL = &scw.Duration{Seconds: int64(d.Get("fallback_ttl").(int))}
 		hasChanged = true
diff --git a/internal/services/edgeservices/tls_stage.go b/internal/services/edgeservices/tls_stage.go
@@ -41,6 +41,18 @@ func ResourceTLSStage() *schema.Resource {
 				Computed:    true,
 				Description: "The cache stage ID the TLS stage will be linked to",
 			},
+			"waf_stage_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Computed:    true,
+				Description: "The WAF stage ID the TLS stage will be linked to",
+			},
+			"route_stage_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Computed:    true,
+				Description: "The route stage ID the TLS stage will be linked to",
+			},
 			"managed_certificate": {
 				Type:        schema.TypeBool,
 				Optional:    true,
@@ -94,6 +106,8 @@ func ResourceTLSStageCreate(ctx context.Context, d *schema.ResourceData, m inter
 		PipelineID:         d.Get("pipeline_id").(string),
 		BackendStageID:     types.ExpandStringPtr(d.Get("backend_stage_id").(string)),
 		CacheStageID:       types.ExpandStringPtr(d.Get("cache_stage_id").(string)),
+		RouteStageID:       types.ExpandStringPtr(d.Get("route_stage_id").(string)),
+		WafStageID:         types.ExpandStringPtr(d.Get("waf_stage_id").(string)),
 		ManagedCertificate: types.ExpandBoolPtr(d.Get("managed_certificate").(bool)),
 		Secrets:            expandTLSSecrets(d.Get("secrets"), region),
 	}, scw.WithContext(ctx))
@@ -124,6 +138,8 @@ func ResourceTLSStageRead(ctx context.Context, d *schema.ResourceData, m interfa
 
 	_ = d.Set("backend_stage_id", types.FlattenStringPtr(tlsStage.BackendStageID))
 	_ = d.Set("cache_stage_id", types.FlattenStringPtr(tlsStage.CacheStageID))
+	_ = d.Set("route_stage_id", types.FlattenStringPtr(tlsStage.RouteStageID))
+	_ = d.Set("waf_stage_id", types.FlattenStringPtr(tlsStage.WafStageID))
 	_ = d.Set("pipeline_id", tlsStage.PipelineID)
 	_ = d.Set("managed_certificate", tlsStage.ManagedCertificate)
 	_ = d.Set("secrets", flattenTLSSecrets(tlsStage.Secrets))
@@ -156,6 +172,16 @@ func ResourceTLSStageUpdate(ctx context.Context, d *schema.ResourceData, m inter
 		hasChanged = true
 	}
 
+	if d.HasChange("route_stage_id") {
+		updateRequest.RouteStageID = types.ExpandUpdatedStringPtr(d.Get("route_stage_id"))
+		hasChanged = true
+	}
+
+	if d.HasChange("waf_stage_id") {
+		updateRequest.WafStageID = types.ExpandUpdatedStringPtr(d.Get("waf_stage_id"))
+		hasChanged = true
+	}
+
 	if d.HasChange("managed_certificate") {
 		updateRequest.ManagedCertificate = types.ExpandBoolPtr(d.Get("managed_certificate"))
 		hasChanged = true
