add CDN geofencing

Author: Matheus Politano

docs/data-sources/cdn_distribution.md

@@ -56,6 +56,10 @@ Read-Only:
 <a id="nestedatt--config--backend"></a>
 ### Nested Schema for `config.backend`
 
+Optional:
+
+- `geofencing` (Map of List of String) A map of URLs to a list of countries where content is allowed.
+
 Read-Only:
 
 - `origin_request_headers` (Map of String) The configured origin request headers for the backend

docs/resources/cdn_distribution.md

@@ -80,6 +80,7 @@ Required:
 
 Optional:
 
+- `geofencing` (Map of List of String) A map of URLs to a list of countries where content is allowed.
 - `origin_request_headers` (Map of String) The configured origin request headers for the backend
 
 

examples/resources/stackit_cdn_distribution/resource.tf

@@ -4,6 +4,9 @@ resource "stackit_cdn_distribution" "example_distribution" {
     backend = {
       type       = "http"
       origin_url = "https://mybackend.onstackit.cloud"
+      geofencing = {
+        "https://mybackend.onstackit.cloud" = ["DE"]
+      }
     }
     regions           = ["EU", "US", "ASIA", "AF", "SA"]
     blocked_countries = ["DE", "AT", "CH"]

stackit/internal/services/cdn/cdn_acc_test.go

@@ -45,6 +45,9 @@ func configResources(regions string) string {
 						backend = {
 							type = "http"
 							origin_url = "%s"
+							geofencing = {
+								"%s" = ["DE"]  
+							}
 						}
 						regions           = [%s]
 						blocked_countries = [%s]
@@ -70,7 +73,7 @@ func configResources(regions string) string {
 					type       = "CNAME"
 					records    = ["${stackit_cdn_distribution.distribution.domains[0].name}."]
 				}
-		`, testutil.CdnProviderConfig(), testutil.ProjectId, instanceResource["config_backend_origin_url"],
+		`, testutil.CdnProviderConfig(), testutil.ProjectId, instanceResource["config_backend_origin_url"], instanceResource["config_backend_origin_url"],
 		regions, instanceResource["blocked_countries"], testutil.ProjectId, instanceResource["dns_name"],
 		testutil.ProjectId, instanceResource["custom_domain_prefix"])
 }
@@ -173,6 +176,11 @@ func TestAccCDNDistributionResource(t *testing.T) {
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.blocked_countries.#", "2"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.blocked_countries.0", "CU"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.blocked_countries.1", "AQ"),
+					resource.TestCheckResourceAttr(
+						"stackit_cdn_distribution.distribution",
+						fmt.Sprintf("config.backend.geofencing.%s.0", instanceResource["config_backend_origin_url"]),
+						"DE",
+					),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.optimizer.enabled", "true"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "project_id", testutil.ProjectId),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "status", "ACTIVE"),

stackit/internal/services/cdn/distribution/datasource.go

@@ -142,6 +142,13 @@ func (r *distributionDataSource) Schema(_ context.Context, _ datasource.SchemaRe
 								Description: schemaDescriptions["config_backend_origin_request_headers"],
 								ElementType: types.StringType,
 							},
+							"geofencing": schema.MapAttribute{
+								Description: "A map of URLs to a list of countries where content is allowed.",
+								Optional:    true,
+								ElementType: types.ListType{
+									ElemType: types.StringType,
+								},
+							},
 						},
 					},
 					"regions": schema.ListAttribute{

stackit/internal/services/cdn/distribution/resource.go

@@ -88,9 +88,10 @@ type optimizerConfig struct {
 }
 
 type backend struct {
-	Type                 string             `tfsdk:"type"`                   // The type of the backend. Currently, only "http" backend is supported
-	OriginURL            string             `tfsdk:"origin_url"`             // The origin URL of the backend
-	OriginRequestHeaders *map[string]string `tfsdk:"origin_request_headers"` // Request headers that should be added by the CDN distribution to incoming requests
+	Type                 string               `tfsdk:"type"`                   // The type of the backend. Currently, only "http" backend is supported
+	OriginURL            string               `tfsdk:"origin_url"`             // The origin URL of the backend
+	OriginRequestHeaders *map[string]string   `tfsdk:"origin_request_headers"` // Request headers that should be added by the CDN distribution to incoming requests
+	Geofencing           *map[string][]string `tfsdk:"geofencing"`             // The geofencing is an object mapping multiple alternative origins to country codes.
 }
 
 var configTypes = map[string]attr.Type{
@@ -106,10 +107,15 @@ var optimizerTypes = map[string]attr.Type{
 	"enabled": types.BoolType,
 }
 
+var geofencingTypes = types.MapType{ElemType: types.ListType{
+	ElemType: types.StringType,
+}}
+
 var backendTypes = map[string]attr.Type{
 	"type":                   types.StringType,
 	"origin_url":             types.StringType,
 	"origin_request_headers": types.MapType{ElemType: types.StringType},
+	"geofencing":             geofencingTypes,
 }
 
 var domainTypes = map[string]attr.Type{
@@ -256,6 +262,13 @@ func (r *distributionResource) Schema(_ context.Context, _ resource.SchemaReques
 								Description: schemaDescriptions["config_backend_origin_request_headers"],
 								ElementType: types.StringType,
 							},
+							"geofencing": schema.MapAttribute{
+								Description: "A map of URLs to a list of countries where content is allowed.",
+								Optional:    true,
+								ElementType: types.ListType{
+									ElemType: types.StringType,
+								},
+							},
 						},
 					},
 					"regions": schema.ListAttribute{
@@ -414,6 +427,7 @@ func (r *distributionResource) Update(ctx context.Context, req resource.UpdateRe
 				OriginRequestHeaders: configModel.Backend.OriginRequestHeaders,
 				OriginUrl:            &configModel.Backend.OriginURL,
 				Type:                 &configModel.Backend.Type,
+				Geofencing:           configModel.Backend.Geofencing,
 			},
 		},
 		Regions:          &regions,
@@ -584,11 +598,34 @@ func mapFields(distribution *cdn.Distribution, model *Model) error {
 			return core.DiagsToError(diags)
 		}
 	}
+	// geofencing
+	geofencingVal := types.MapNull(geofencingTypes.ElemType)
+	if geofencingAPI := distribution.Config.Backend.HttpBackend.Geofencing; geofencingAPI != nil && len(*geofencingAPI) > 0 {
+		geofencingMap := make(map[string]attr.Value)
+		for url, countries := range *geofencingAPI {
+			countryVals := []attr.Value{}
+			for _, country := range countries {
+				countryVals = append(countryVals, types.StringValue(country))
+			}
+			listVal, diags := types.ListValue(types.StringType, countryVals)
+			if diags.HasError() {
+				return core.DiagsToError(diags)
+			}
+			geofencingMap[url] = listVal
+		}
+
+		mappedGeofencing, diags := types.MapValue(geofencingTypes.ElemType, geofencingMap)
+		if diags.HasError() {
+			return core.DiagsToError(diags)
+		}
+		geofencingVal = mappedGeofencing
+	}
 	// note that httpbackend is hardcoded here as long as it is the only available backend
 	backend, diags := types.ObjectValue(backendTypes, map[string]attr.Value{
 		"type":                   types.StringValue(*distribution.Config.Backend.HttpBackend.Type),
 		"origin_url":             types.StringValue(*distribution.Config.Backend.HttpBackend.OriginUrl),
 		"origin_request_headers": originRequestHeaders,
+		"geofencing":             geofencingVal,
 	})
 	if diags.HasError() {
 		return core.DiagsToError(diags)
@@ -678,6 +715,7 @@ func toCreatePayload(ctx context.Context, model *Model) (*cdn.CreateDistribution
 		Regions:              cfg.Regions,
 		BlockedCountries:     cfg.BlockedCountries,
 		OriginRequestHeaders: cfg.Backend.HttpBackend.OriginRequestHeaders,
+		Geofencing:           cfg.Backend.HttpBackend.Geofencing,
 		Optimizer:            optimizer,
 	}
 
@@ -722,6 +760,22 @@ func convertConfig(ctx context.Context, model *Model) (*cdn.Config, error) {
 		}
 	}
 
+	// geofencing
+	geofencing := map[string][]string{}
+	if configModel.Backend.Geofencing != nil {
+		for endpoint, countryCodes := range *configModel.Backend.Geofencing {
+			geofencingContry := make([]string, len(countryCodes))
+			for i, countryCode := range countryCodes {
+				validatedBlockedCountry, err := validateCountryCode(countryCode)
+				if err != nil {
+					return nil, err
+				}
+				geofencingContry[i] = validatedBlockedCountry
+			}
+			geofencing[endpoint] = geofencingContry
+		}
+	}
+
 	// originRequestHeaders
 	originRequestHeaders := map[string]string{}
 	if configModel.Backend.OriginRequestHeaders != nil {
@@ -736,6 +790,7 @@ func convertConfig(ctx context.Context, model *Model) (*cdn.Config, error) {
 				OriginRequestHeaders: &originRequestHeaders,
 				OriginUrl:            &configModel.Backend.OriginURL,
 				Type:                 &configModel.Backend.Type,
+				Geofencing:           &geofencing,
 			},
 		},
 		Regions:          &regions,

stackit/internal/services/cdn/distribution/resource_test.go

@@ -17,10 +17,18 @@ func TestToCreatePayload(t *testing.T) {
 		"testHeader1": types.StringValue("testHeaderValue1"),
 	}
 	originRequestHeaders := types.MapValueMust(types.StringType, headers)
+	geofencingCountries := types.ListValueMust(types.StringType, []attr.Value{
+		types.StringValue("DE"),
+		types.StringValue("FR"),
+	})
+	geofencing := types.MapValueMust(geofencingTypes.ElemType, map[string]attr.Value{
+		"https://de.mycoolapp.com": geofencingCountries,
+	})
 	backend := types.ObjectValueMust(backendTypes, map[string]attr.Value{
 		"type":                   types.StringValue("http"),
 		"origin_url":             types.StringValue("https://www.mycoolapp.com"),
 		"origin_request_headers": originRequestHeaders,
+		"geofencing":             geofencing,
 	})
 	regions := []attr.Value{types.StringValue("EU"), types.StringValue("US")}
 	regionsFixture := types.ListValueMust(types.StringType, regions)
@@ -61,6 +69,9 @@ func TestToCreatePayload(t *testing.T) {
 				OriginUrl:        cdn.PtrString("https://www.mycoolapp.com"),
 				Regions:          &[]cdn.Region{"EU", "US"},
 				BlockedCountries: &[]string{"XX", "YY", "ZZ"},
+				Geofencing: &map[string][]string{
+					"https://de.mycoolapp.com": {"DE", "FR"},
+				},
 			},
 			IsValid: true,
 		},
@@ -82,6 +93,9 @@ func TestToCreatePayload(t *testing.T) {
 				Regions:          &[]cdn.Region{"EU", "US"},
 				Optimizer:        cdn.NewOptimizer(true),
 				BlockedCountries: &[]string{"XX", "YY", "ZZ"},
+				Geofencing: &map[string][]string{
+					"https://de.mycoolapp.com": {"DE", "FR"},
+				},
 			},
 			IsValid: true,
 		},
@@ -126,10 +140,18 @@ func TestConvertConfig(t *testing.T) {
 		"testHeader1": types.StringValue("testHeaderValue1"),
 	}
 	originRequestHeaders := types.MapValueMust(types.StringType, headers)
+	geofencingCountries := types.ListValueMust(types.StringType, []attr.Value{
+		types.StringValue("DE"),
+		types.StringValue("FR"),
+	})
+	geofencing := types.MapValueMust(geofencingTypes.ElemType, map[string]attr.Value{
+		"https://de.mycoolapp.com": geofencingCountries,
+	})
 	backend := types.ObjectValueMust(backendTypes, map[string]attr.Value{
 		"type":                   types.StringValue("http"),
 		"origin_url":             types.StringValue("https://www.mycoolapp.com"),
 		"origin_request_headers": originRequestHeaders,
+		"geofencing":             geofencing,
 	})
 	regions := []attr.Value{types.StringValue("EU"), types.StringValue("US")}
 	regionsFixture := types.ListValueMust(types.StringType, regions)
@@ -169,6 +191,9 @@ func TestConvertConfig(t *testing.T) {
 						},
 						OriginUrl: cdn.PtrString("https://www.mycoolapp.com"),
 						Type:      cdn.PtrString("http"),
+						Geofencing: &map[string][]string{
+							"https://de.mycoolapp.com": {"DE", "FR"},
+						},
 					},
 				},
 				Regions:          &[]cdn.Region{"EU", "US"},
@@ -194,6 +219,9 @@ func TestConvertConfig(t *testing.T) {
 						},
 						OriginUrl: cdn.PtrString("https://www.mycoolapp.com"),
 						Type:      cdn.PtrString("http"),
+						Geofencing: &map[string][]string{
+							"https://de.mycoolapp.com": {"DE", "FR"},
+						},
 					},
 				},
 				Regions:          &[]cdn.Region{"EU", "US"},
@@ -246,11 +274,17 @@ func TestMapFields(t *testing.T) {
 		"type":                   types.StringValue("http"),
 		"origin_url":             types.StringValue("https://www.mycoolapp.com"),
 		"origin_request_headers": originRequestHeaders,
+		"geofencing":             types.MapNull(geofencingTypes.ElemType),
 	})
 	regions := []attr.Value{types.StringValue("EU"), types.StringValue("US")}
 	regionsFixture := types.ListValueMust(types.StringType, regions)
 	blockedCountries := []attr.Value{types.StringValue("XX"), types.StringValue("YY"), types.StringValue("ZZ")}
 	blockedCountriesFixture := types.ListValueMust(types.StringType, blockedCountries)
+	geofencingCountries := types.ListValueMust(types.StringType, []attr.Value{types.StringValue("DE"), types.StringValue("BR")})
+	geofencing := types.MapValueMust(geofencingTypes.ElemType, map[string]attr.Value{
+		"test/": geofencingCountries,
+	})
+	geofencingInput := map[string][]string{"test/": {"DE", "BR"}}
 	optimizer := types.ObjectValueMust(optimizerTypes, map[string]attr.Value{
 		"enabled": types.BoolValue(true),
 	})
@@ -347,6 +381,26 @@ func TestMapFields(t *testing.T) {
 			}),
 			IsValid: true,
 		},
+		"happy_path_with_geofencing": {
+			Expected: expectedModel(func(m *Model) {
+				backendWithGeofencing := types.ObjectValueMust(backendTypes, map[string]attr.Value{
+					"type":                   types.StringValue("http"),
+					"origin_url":             types.StringValue("https://www.mycoolapp.com"),
+					"origin_request_headers": originRequestHeaders,
+					"geofencing":             geofencing,
+				})
+				m.Config = types.ObjectValueMust(configTypes, map[string]attr.Value{
+					"backend":           backendWithGeofencing,
+					"regions":           regionsFixture,
+					"optimizer":         types.ObjectNull(optimizerTypes),
+					"blocked_countries": blockedCountriesFixture,
+				})
+			}),
+			Input: distributionFixture(func(d *cdn.Distribution) {
+				d.Config.Backend.HttpBackend.Geofencing = &geofencingInput
+			}),
+			IsValid: true,
+		},
 		"happy_path_status_error": {
 			Expected: expectedModel(func(m *Model) {
 				m.Status = types.StringValue("ERROR")