feat(edge-services): support route and waf references on cache & tls stages (#3035)

* feat(edge-services): support route and waf references on cache and tls stages

* lint

* add ConflictWith on stages

* use const

Author: yfodil

docs/resources/edge_services_cache_stage.md

@@ -35,7 +35,9 @@ resource "scaleway_edge_services_cache_stage" "main" {
 ## Argument Reference
 
 - `pipeline_id` - (Required) The ID of the pipeline.
-- `backend_stage_id` - (Optional) The backend stage ID the cache stage will be linked to.
+- `backend_stage_id` - (Optional) The backend stage ID the cache stage will be linked to. Only one of `backend_stage_id`, `route_stage_id` and `waf_stage_id` should be specified.
+- `route_stage_id` - (Optional) The route stage ID the cache stage will be linked to. Only one of `backend_stage_id`, `route_stage_id` and `waf_stage_id` should be specified.
+- `waf_stage_id` - (Optional) The WAF stage ID the cache stage will be linked to. Only one of `backend_stage_id`, `route_stage_id` and `waf_stage_id` should be specified.
 - `fallback_ttl` - (Optional) The Time To Live (TTL) in seconds. Defines how long content is cached.
 - `refresh_cache` - (Optional) Trigger a refresh of the cache by changing this field's value.
 - `purge_requests` - (Optional) The Scaleway Object Storage origin bucket (S3) linked to the backend stage.

docs/resources/edge_services_dns_stage.md

@@ -21,9 +21,9 @@ resource "scaleway_edge_services_dns_stage" "main" {
 ## Argument Reference
 
 - `pipeline_id` - (Required) The ID of the pipeline.
-- `backend_stage_id` - (Optional) The backend stage ID the DNS stage will be linked to.
-- `tls_stage_id` - (Optional) The TLS stage ID the DNS stage will be linked to.
-- `cache_stage_id` - (Optional) The cache stage ID the DNS stage will be linked to.
+- `backend_stage_id` - (Optional) The backend stage ID the DNS stage will be linked to. Only one of `backend_stage_id`, `cache_stage_id` and `tls_stage_id` should be specified.
+- `tls_stage_id` - (Optional) The TLS stage ID the DNS stage will be linked to. Only one of `backend_stage_id`, `cache_stage_id` and `tls_stage_id` should be specified.
+- `cache_stage_id` - (Optional) The cache stage ID the DNS stage will be linked to. Only one of `backend_stage_id`, `cache_stage_id` and `tls_stage_id` should be specified.
 - `fqdns` - (Optional) Fully Qualified Domain Name (in the format subdomain.example.com) to attach to the stage.
 - `project_id` - (Defaults to [provider](../index.md#project_id) `project_id`) The ID of the project the DNS stage is associated with.
 

docs/resources/edge_services_pipeline.md

@@ -26,12 +26,10 @@ resource "scaleway_edge_services_pipeline" "main" {
   description = "pipeline description"
 }
 
-resource "scaleway_edge_services_backend_stage" "main" {
-  pipeline_id = scaleway_edge_services_pipeline.main.id
-  s3_backend_config {
-    bucket_name   = "my-bucket-name"
-    bucket_region = "fr-par"
-  }
+resource "scaleway_edge_services_dns_stage" "main" {
+  pipeline_id  = scaleway_edge_services_pipeline.main.id
+  tls_stage_id = scaleway_edge_services_tls_stage.main.id
+  fqdns        = ["subdomain.example.com"]
 }
 
 resource "scaleway_edge_services_tls_stage" "main" {
@@ -40,20 +38,45 @@ resource "scaleway_edge_services_tls_stage" "main" {
   managed_certificate = true
 }
 
-resource "scaleway_edge_services_dns_stage" "main" {
-  pipeline_id  = scaleway_edge_services_pipeline.main.id
-  tls_stage_id = scaleway_edge_services_tls_stage.main.id
-  fqdns        = ["subdomain.example.com"]
+resource "scaleway_edge_services_cache_stage" "main" {
+  pipeline_id      = scaleway_edge_services_pipeline.main.id
+  route_stage_id   = scaleway_edge_services_route_stage.main.id
 }
 
-resource "scaleway_edge_services_head_stage" "main" {
+resource "scaleway_edge_services_route_stage" "main" {
   pipeline_id   = scaleway_edge_services_pipeline.main.id
-  head_stage_id = scaleway_edge_services_dns_stage.main.id
+  waf_stage_id  = scaleway_edge_services_waf_stage.main.id
+
+  rule {
+    backend_stage_id = scaleway_edge_services_backend_stage.main.id
+    rule_http_match {
+      method_filters = ["get", "post"]
+      path_filter {
+        path_filter_type = "regex"
+        value            = ".*"
+      }
+    }
+  }
 }
 
-resource "scaleway_edge_services_cache_stage" "main" {
+resource "scaleway_edge_services_waf_stage" "main" {
   pipeline_id      = scaleway_edge_services_pipeline.main.id
   backend_stage_id = scaleway_edge_services_backend_stage.main.id
+  mode             = "enable"
+  paranoia_level   = 3
+}
+
+resource "scaleway_edge_services_backend_stage" "main" {
+  pipeline_id = scaleway_edge_services_pipeline.main.id
+  s3_backend_config {
+    bucket_name   = "my-bucket-name"
+    bucket_region = "fr-par"
+  }
+}
+
+resource "scaleway_edge_services_head_stage" "main" {
+  pipeline_id   = scaleway_edge_services_pipeline.main.id
+  head_stage_id = scaleway_edge_services_dns_stage.main.id
 }
 ```
 

docs/resources/edge_services_tls_stage.md

@@ -33,8 +33,10 @@ resource "scaleway_edge_services_tls_stage" "main" {
 ## Argument Reference
 
 - `pipeline_id` - (Required) The ID of the pipeline.
-- `backend_stage_id` - (Optional) The backend stage ID the TLS stage will be linked to.
-- `cache_stage_id` - (Optional) The cache stage ID the TLS stage will be linked to.
+- `backend_stage_id` - (Optional) The backend stage ID the TLS stage will be linked to. Only one of `backend_stage_id`, `cache_stage_id`, `route_stage_id` and `waf_stage_id` should be specified.
+- `cache_stage_id` - (Optional) The cache stage ID the TLS stage will be linked to. Only one of `backend_stage_id`, `cache_stage_id`, `route_stage_id` and `waf_stage_id` should be specified.
+- `route_stage_id` - (Optional) The route stage ID the TLS stage will be linked to. Only one of `backend_stage_id`, `cache_stage_id`, `route_stage_id` and `waf_stage_id` should be specified.
+- `waf_stage_id` - (Optional) The WAF stage ID the TLS stage will be linked to. Only one of `backend_stage_id`, `cache_stage_id`, `route_stage_id` and `waf_stage_id` should be specified.
 - `managed_certificate` - (Optional) Set to true when Scaleway generates and manages a Let's Encrypt certificate for the TLS stage/custom endpoint.
 - `secrets` - (Optional) The TLS secrets.
     - `bucket_name` - The ID of the secret.

internal/services/container/container_test.go

@@ -575,7 +575,7 @@ func isContainerPresent(tt *acctest.TestTools, n string) resource.TestCheckFunc
 func isContainerDestroyed(tt *acctest.TestTools) resource.TestCheckFunc {
 	return func(state *terraform.State) error {
 		for _, rs := range state.RootModule().Resources {
-			if rs.Type != "scaleway_container_namespace" { //nolint:goconst
+			if rs.Type != containerNamespaceResource {
 				continue
 			}
 

internal/services/container/namespace_test.go

@@ -14,6 +14,8 @@ import (
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/services/registry"
 )
 
+const containerNamespaceResource = "scaleway_container_namespace"
+
 func TestAccNamespace_Basic(t *testing.T) {
 	tt := acctest.NewTestTools(t)
 	defer tt.Cleanup()
@@ -313,7 +315,7 @@ func isNamespacePresent(tt *acctest.TestTools, n string) resource.TestCheckFunc
 func isNamespaceDestroyed(tt *acctest.TestTools) resource.TestCheckFunc {
 	return func(state *terraform.State) error {
 		for _, rs := range state.RootModule().Resources {
-			if rs.Type != "scaleway_container_namespace" {
+			if rs.Type != containerNamespaceResource {
 				continue
 			}
 
@@ -343,7 +345,7 @@ func isNamespaceDestroyed(tt *acctest.TestTools) resource.TestCheckFunc {
 func isRegistryDestroyed(tt *acctest.TestTools) resource.TestCheckFunc {
 	return func(state *terraform.State) error {
 		for _, rs := range state.RootModule().Resources {
-			if rs.Type != "scaleway_container_namespace" {
+			if rs.Type != containerNamespaceResource {
 				continue
 			}
 

internal/services/edgeservices/cache_stage.go

@@ -29,10 +29,25 @@ func ResourceCacheStage() *schema.Resource {
 				Description: "The ID of the pipeline",
 			},
 			"backend_stage_id": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Computed:    true,
-				Description: "The backend stage ID the cache stage will be linked to",
+				Type:          schema.TypeString,
+				Optional:      true,
+				Computed:      true,
+				Description:   "The backend stage ID the cache stage will be linked to",
+				ConflictsWith: []string{"waf_stage_id", "route_stage_id"},
+			},
+			"waf_stage_id": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				Computed:      true,
+				Description:   "The WAF stage ID the cache stage will be linked to",
+				ConflictsWith: []string{"backend_stage_id", "route_stage_id"},
+			},
+			"route_stage_id": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				Computed:      true,
+				Description:   "The route stage ID the cache stage will be linked to",
+				ConflictsWith: []string{"backend_stage_id", "waf_stage_id"},
 			},
 			"fallback_ttl": {
 				Type:        schema.TypeInt,
@@ -92,6 +107,8 @@ func ResourceCacheStageCreate(ctx context.Context, d *schema.ResourceData, m int
 	cacheStage, err := api.CreateCacheStage(&edgeservices.CreateCacheStageRequest{
 		PipelineID:     d.Get("pipeline_id").(string),
 		BackendStageID: types.ExpandStringPtr(d.Get("backend_stage_id").(string)),
+		RouteStageID:   types.ExpandStringPtr(d.Get("route_stage_id").(string)),
+		WafStageID:     types.ExpandStringPtr(d.Get("waf_stage_id").(string)),
 		FallbackTTL:    &scw.Duration{Seconds: int64(d.Get("fallback_ttl").(int))},
 	}, scw.WithContext(ctx))
 	if err != nil {
@@ -123,6 +140,8 @@ func ResourceCacheStageRead(ctx context.Context, d *schema.ResourceData, m inter
 	_ = d.Set("created_at", types.FlattenTime(cacheStage.CreatedAt))
 	_ = d.Set("updated_at", types.FlattenTime(cacheStage.UpdatedAt))
 	_ = d.Set("backend_stage_id", types.FlattenStringPtr(cacheStage.BackendStageID))
+	_ = d.Set("route_stage_id", types.FlattenStringPtr(cacheStage.RouteStageID))
+	_ = d.Set("waf_stage_id", types.FlattenStringPtr(cacheStage.WafStageID))
 	_ = d.Set("fallback_ttl", cacheStage.FallbackTTL.Seconds)
 
 	return nil
@@ -142,6 +161,16 @@ func ResourceCacheStageUpdate(ctx context.Context, d *schema.ResourceData, m int
 		hasChanged = true
 	}
 
+	if d.HasChange("route_stage_id") {
+		updateRequest.RouteStageID = types.ExpandUpdatedStringPtr(d.Get("route_stage_id"))
+		hasChanged = true
+	}
+
+	if d.HasChange("waf_stage_id") {
+		updateRequest.WafStageID = types.ExpandUpdatedStringPtr(d.Get("waf_stage_id"))
+		hasChanged = true
+	}
+
 	if d.HasChange("fallback_ttl") {
 		updateRequest.FallbackTTL = &scw.Duration{Seconds: int64(d.Get("fallback_ttl").(int))}
 		hasChanged = true

internal/services/edgeservices/dns_stage.go

@@ -29,22 +29,25 @@ func ResourceDNSStage() *schema.Resource {
 				Description: "The ID of the pipeline",
 			},
 			"backend_stage_id": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Computed:    true,
-				Description: "The backend stage ID the DNS stage will be linked to",
+				Type:          schema.TypeString,
+				Optional:      true,
+				Computed:      true,
+				Description:   "The backend stage ID the DNS stage will be linked to",
+				ConflictsWith: []string{"cache_stage_id", "tls_stage_id"},
 			},
 			"tls_stage_id": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Computed:    true,
-				Description: "The TLS stage ID the DNS stage will be linked to",
+				Type:          schema.TypeString,
+				Optional:      true,
+				Computed:      true,
+				Description:   "The TLS stage ID the DNS stage will be linked to",
+				ConflictsWith: []string{"cache_stage_id", "backend_stage_id"},
 			},
 			"cache_stage_id": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Computed:    true,
-				Description: "The cache stage ID the DNS stage will be linked to",
+				Type:          schema.TypeString,
+				Optional:      true,
+				Computed:      true,
+				Description:   "The cache stage ID the DNS stage will be linked to",
+				ConflictsWith: []string{"backend_stage_id", "tls_stage_id"},
 			},
 			"fqdns": {
 				Type:        schema.TypeList,

internal/services/edgeservices/tls_stage.go

@@ -30,16 +30,32 @@ func ResourceTLSStage() *schema.Resource {
 				Description: "The ID of the pipeline",
 			},
 			"backend_stage_id": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Computed:    true,
-				Description: "The backend stage ID the TLS stage will be linked to",
+				Type:          schema.TypeString,
+				Optional:      true,
+				Computed:      true,
+				Description:   "The backend stage ID the TLS stage will be linked to",
+				ConflictsWith: []string{"cache_stage_id", "route_stage_id", "waf_stage_id"},
 			},
 			"cache_stage_id": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Computed:    true,
-				Description: "The cache stage ID the TLS stage will be linked to",
+				Type:          schema.TypeString,
+				Optional:      true,
+				Computed:      true,
+				Description:   "The cache stage ID the TLS stage will be linked to",
+				ConflictsWith: []string{"backend_stage_id", "route_stage_id", "waf_stage_id"},
+			},
+			"waf_stage_id": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				Computed:      true,
+				Description:   "The WAF stage ID the TLS stage will be linked to",
+				ConflictsWith: []string{"backend_stage_id", "cache_stage_id", "route_stage_id"},
+			},
+			"route_stage_id": {
+				Type:          schema.TypeString,
+				Optional:      true,
+				Computed:      true,
+				Description:   "The route stage ID the TLS stage will be linked to",
+				ConflictsWith: []string{"backend_stage_id", "cache_stage_id", "waf_stage_id"},
 			},
 			"managed_certificate": {
 				Type:        schema.TypeBool,
@@ -94,6 +110,8 @@ func ResourceTLSStageCreate(ctx context.Context, d *schema.ResourceData, m inter
 		PipelineID:         d.Get("pipeline_id").(string),
 		BackendStageID:     types.ExpandStringPtr(d.Get("backend_stage_id").(string)),
 		CacheStageID:       types.ExpandStringPtr(d.Get("cache_stage_id").(string)),
+		RouteStageID:       types.ExpandStringPtr(d.Get("route_stage_id").(string)),
+		WafStageID:         types.ExpandStringPtr(d.Get("waf_stage_id").(string)),
 		ManagedCertificate: types.ExpandBoolPtr(d.Get("managed_certificate").(bool)),
 		Secrets:            expandTLSSecrets(d.Get("secrets"), region),
 	}, scw.WithContext(ctx))
@@ -124,6 +142,8 @@ func ResourceTLSStageRead(ctx context.Context, d *schema.ResourceData, m interfa
 
 	_ = d.Set("backend_stage_id", types.FlattenStringPtr(tlsStage.BackendStageID))
 	_ = d.Set("cache_stage_id", types.FlattenStringPtr(tlsStage.CacheStageID))
+	_ = d.Set("route_stage_id", types.FlattenStringPtr(tlsStage.RouteStageID))
+	_ = d.Set("waf_stage_id", types.FlattenStringPtr(tlsStage.WafStageID))
 	_ = d.Set("pipeline_id", tlsStage.PipelineID)
 	_ = d.Set("managed_certificate", tlsStage.ManagedCertificate)
 	_ = d.Set("secrets", flattenTLSSecrets(tlsStage.Secrets))
@@ -156,6 +176,16 @@ func ResourceTLSStageUpdate(ctx context.Context, d *schema.ResourceData, m inter
 		hasChanged = true
 	}
 
+	if d.HasChange("route_stage_id") {
+		updateRequest.RouteStageID = types.ExpandUpdatedStringPtr(d.Get("route_stage_id"))
+		hasChanged = true
+	}
+
+	if d.HasChange("waf_stage_id") {
+		updateRequest.WafStageID = types.ExpandUpdatedStringPtr(d.Get("waf_stage_id"))
+		hasChanged = true
+	}
+
 	if d.HasChange("managed_certificate") {
 		updateRequest.ManagedCertificate = types.ExpandBoolPtr(d.Get("managed_certificate"))
 		hasChanged = true