Edge Services WAF can be registerred on bucket

[halvardssm]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

OpenTofu v1.11.4
on darwin_arm64

Affected Resource(s)

• scaleway_edge_services_waf_stage

Terraform Configuration Files

resource "scaleway_object_bucket" "app" {
  name       = var.domain
  project_id = var.project_id
  region     = var.region
  versioning {
    enabled = true
  }
  lifecycle_rule {
    enabled                                = true
    abort_incomplete_multipart_upload_days = 30
  }
}

resource "scaleway_edge_services_pipeline" "main" {
  name        = "frontend_bucket_pipeline"
  description = "Edge service pipeline for the frontend bucket"
}

resource "scaleway_edge_services_backend_stage" "main" {
  pipeline_id = scaleway_edge_services_pipeline.main.id
  s3_backend_config {
    bucket_name   = scaleway_object_bucket.app.name
    bucket_region = scaleway_object_bucket.app.region
    is_website    = true
  }
}

resource "scaleway_edge_services_waf_stage" "main" {
  pipeline_id      = scaleway_edge_services_pipeline.main.id
  backend_stage_id = scaleway_edge_services_backend_stage.main.id
  mode             = "enable"
  paranoia_level   = 3
}

resource "scaleway_edge_services_route_stage" "main" {
  pipeline_id  = scaleway_edge_services_pipeline.main.id
  waf_stage_id = scaleway_edge_services_waf_stage.main.id

  rule {
    backend_stage_id = scaleway_edge_services_backend_stage.main.id
    rule_http_match {
      path_filter {
        path_filter_type = "regex"
        value            = ".*"
      }
    }
  }
}

resource "scaleway_edge_services_cache_stage" "main" {
  pipeline_id    = scaleway_edge_services_pipeline.main.id
  route_stage_id = scaleway_edge_services_route_stage.main.id
  purge_requests {
    pipeline_id = scaleway_edge_services_pipeline.main.id
    all         = true
  }
}

resource "scaleway_edge_services_tls_stage" "main" {
  pipeline_id         = scaleway_edge_services_pipeline.main.id
  cache_stage_id      = scaleway_edge_services_cache_stage.main.id
  managed_certificate = true
}

resource "scaleway_edge_services_dns_stage" "main" {
  pipeline_id  = scaleway_edge_services_pipeline.main.id
  tls_stage_id = scaleway_edge_services_tls_stage.main.id
  fqdns        = [var.domain]
}

resource "scaleway_edge_services_head_stage" "main" {
  pipeline_id   = scaleway_edge_services_pipeline.main.id
  head_stage_id = scaleway_edge_services_dns_stage.main.id
}

Debug Output

Panic Output

Expected Behavior

This should have errored out as it states on the webpage that the WAF stage is only available in from of a load balancer, and on the web interface it is not possible to register a WAF on a bucket.

Actual Behavior

The stage was added without problem, and did not show any warnings or errors.

Steps to Reproduce

1. terraform apply or tofu apply

Important Factoids

References

• #0000

[yfodil]

Hello, thanks for reaching out

After checking with the Edge Services team, I can confirm that WAF stage does work with S3 backends. The confusion comes from the web console which currently only shows WAF configurations for Load Balancer backends. However, the feature is fully supported for S3 backends via API (and therefore Terraform)

The team is working on a console redesign for Edge Services, and the WAF configuration for S3 backends will be visible once its deployed