feat(cdn): add geoblocking (#906)

relates to STACKITCDN-841

Author: ChristianHamm

docs/data-sources/cdn_distribution.md

@@ -43,6 +43,10 @@ data "stackit_cdn_distribution" "example" {
 <a id="nestedatt--config"></a>
 ### Nested Schema for `config`
 
+Optional:
+
+- `blocked_countries` (List of String) The configured countries where distribution of content is blocked
+
 Read-Only:
 
 - `backend` (Attributes) The configured backend for the distribution (see [below for nested schema](#nestedatt--config--backend))

docs/guides/stackit_cdn_with_custom_domain.md

@@ -21,7 +21,8 @@ This guide outlines the process of creating a STACKIT CDN distribution and confi
           type       = "http"
           origin_url = "mybackend.onstackit.cloud"
         }
-        regions = ["EU", "US", "ASIA", "AF", "SA"]
+        regions           = ["EU", "US", "ASIA", "AF", "SA"]
+        blocked_countries = ["DE", "AT", "CH"]
       }
     }
     

docs/resources/cdn_distribution.md

@@ -23,7 +23,9 @@ resource "stackit_cdn_distribution" "example_distribution" {
       type       = "http"
       origin_url = "mybackend.onstackit.cloud"
     }
-    regions = ["EU", "US", "ASIA", "AF", "SA"]
+    regions           = ["EU", "US", "ASIA", "AF", "SA"]
+    blocked_countries = ["DE", "AT", "CH"]
+
     optimizer = {
       enabled = true
     }
@@ -59,6 +61,7 @@ Required:
 
 Optional:
 
+- `blocked_countries` (List of String) The configured countries where distribution of content is blocked
 - `optimizer` (Attributes) Configuration for the Image Optimizer. This is a paid feature that automatically optimizes images to reduce their file size for faster delivery, leading to improved website performance and a better user experience. (see [below for nested schema](#nestedatt--config--optimizer))
 
 <a id="nestedatt--config--backend"></a>

examples/resources/stackit_cdn_distribution/resource.tf

@@ -5,7 +5,9 @@ resource "stackit_cdn_distribution" "example_distribution" {
       type       = "http"
       origin_url = "mybackend.onstackit.cloud"
     }
-    regions = ["EU", "US", "ASIA", "AF", "SA"]
+    regions           = ["EU", "US", "ASIA", "AF", "SA"]
+    blocked_countries = ["DE", "AT", "CH"]
+
     optimizer = {
       enabled = true
     }

stackit/internal/services/cdn/cdn_acc_test.go

@@ -24,6 +24,7 @@ var instanceResource = map[string]string{
 	"config_backend_origin_url": "https://test-backend-1.cdn-dev.runs.onstackit.cloud",
 	"config_regions":            "\"EU\", \"US\"",
 	"config_regions_updated":    "\"EU\", \"US\", \"ASIA\"",
+	"blocked_countries":         "\"CU\", \"AQ\"", // Do NOT use DE or AT here, because the request might be blocked by bunny at the time of creation - don't lock yourself out
 	"custom_domain_prefix":      uuid.NewString(), // we use a different domain prefix each test run due to inconsistent upstream release of domains, which might impair consecutive test runs
 }
 
@@ -38,7 +39,9 @@ func configResources(regions string) string {
 							type = "http"
 							origin_url = "%s"
 						}
-						regions = [%s]
+						regions           = [%s]
+						blocked_countries = [%s]
+            
 						optimizer = {
 							enabled = true
 						}
@@ -60,7 +63,9 @@ func configResources(regions string) string {
 					type       = "CNAME"
 					records    = ["${stackit_cdn_distribution.distribution.domains[0].name}."]
 				}
-		`, testutil.CdnProviderConfig(), testutil.ProjectId, instanceResource["config_backend_origin_url"], regions, testutil.ProjectId, testutil.ProjectId, instanceResource["custom_domain_prefix"])
+		`, testutil.CdnProviderConfig(), testutil.ProjectId, instanceResource["config_backend_origin_url"],
+		regions, instanceResource["blocked_countries"], testutil.ProjectId,
+		testutil.ProjectId, instanceResource["custom_domain_prefix"])
 }
 
 func configCustomDomainResources(regions string) string {
@@ -111,6 +116,9 @@ func TestAccCDNDistributionResource(t *testing.T) {
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.regions.#", "2"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.regions.0", "EU"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.regions.1", "US"),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.blocked_countries.#", "2"),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.blocked_countries.0", "CU"),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.blocked_countries.1", "AQ"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.optimizer.enabled", "true"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "project_id", testutil.ProjectId),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "status", "ACTIVE"),
@@ -191,6 +199,9 @@ func TestAccCDNDistributionResource(t *testing.T) {
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.regions.#", "2"),
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.regions.0", "EU"),
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.regions.1", "US"),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.blocked_countries.#", "2"),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.blocked_countries.0", "CU"),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.blocked_countries.1", "AQ"),
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "config.optimizer.enabled", "true"),
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "project_id", testutil.ProjectId),
 					resource.TestCheckResourceAttr("data.stackit_cdn_distribution.distribution", "status", "ACTIVE"),
@@ -217,6 +228,9 @@ func TestAccCDNDistributionResource(t *testing.T) {
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.regions.0", "EU"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.regions.1", "US"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.regions.2", "ASIA"),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.blocked_countries.#", "2"),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.blocked_countries.0", "CU"),
+					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.blocked_countries.1", "AQ"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "config.optimizer.enabled", "true"),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "project_id", testutil.ProjectId),
 					resource.TestCheckResourceAttr("stackit_cdn_distribution.distribution", "status", "ACTIVE"),

stackit/internal/services/cdn/distribution/datasource.go

@@ -149,6 +149,11 @@ func (r *distributionDataSource) Schema(_ context.Context, _ datasource.SchemaRe
 						Description: schemaDescriptions["config_regions"],
 						ElementType: types.StringType,
 					},
+					"blocked_countries": schema.ListAttribute{
+						Optional:    true,
+						Description: schemaDescriptions["config_blocked_countries"],
+						ElementType: types.StringType,
+					},
 					"optimizer": schema.SingleNestedAttribute{
 						Description: schemaDescriptions["config_optimizer"],
 						Computed:    true,

stackit/internal/services/cdn/distribution/resource.go

@@ -57,6 +57,7 @@ var schemaDescriptions = map[string]string{
 	"config_optimizer":                      "Configuration for the Image Optimizer. This is a paid feature that automatically optimizes images to reduce their file size for faster delivery, leading to improved website performance and a better user experience.",
 	"config_backend_origin_url":             "The configured backend type for the distribution",
 	"config_backend_origin_request_headers": "The configured origin request headers for the backend",
+	"config_blocked_countries":              "The configured countries where distribution of content is blocked",
 	"domain_name":                           "The name of the domain",
 	"domain_status":                         "The status of the domain",
 	"domain_type":                           "The type of the domain. Each distribution has one domain of type \"managed\", and domains of type \"custom\" may be additionally created by the user",
@@ -76,22 +77,26 @@ type Model struct {
 }
 
 type distributionConfig struct {
-	Backend   backend      `tfsdk:"backend"`   // The backend associated with the distribution
-	Regions   *[]string    `tfsdk:"regions"`   // The regions in which data will be cached
-	Optimizer types.Object `tfsdk:"optimizer"` // The optimizer configuration
+	Backend          backend      `tfsdk:"backend"`           // The backend associated with the distribution
+	Regions          *[]string    `tfsdk:"regions"`           // The regions in which data will be cached
+	BlockedCountries *[]string    `tfsdk:"blocked_countries"` // The countries for which content will be blocked
+	Optimizer        types.Object `tfsdk:"optimizer"`         // The optimizer configuration
 }
+
 type optimizerConfig struct {
 	Enabled types.Bool `tfsdk:"enabled"`
 }
+
 type backend struct {
 	Type                 string             `tfsdk:"type"`                   // The type of the backend. Currently, only "http" backend is supported
 	OriginURL            string             `tfsdk:"origin_url"`             // The origin URL of the backend
 	OriginRequestHeaders *map[string]string `tfsdk:"origin_request_headers"` // Request headers that should be added by the CDN distribution to incoming requests
 }
 
 var configTypes = map[string]attr.Type{
-	"backend": types.ObjectType{AttrTypes: backendTypes},
-	"regions": types.ListType{ElemType: types.StringType},
+	"backend":           types.ObjectType{AttrTypes: backendTypes},
+	"regions":           types.ListType{ElemType: types.StringType},
+	"blocked_countries": types.ListType{ElemType: types.StringType},
 	"optimizer": types.ObjectType{
 		AttrTypes: optimizerTypes,
 	},
@@ -258,6 +263,11 @@ func (r *distributionResource) Schema(_ context.Context, _ resource.SchemaReques
 						Description: schemaDescriptions["config_regions"],
 						ElementType: types.StringType,
 					},
+					"blocked_countries": schema.ListAttribute{
+						Optional:    true,
+						Description: schemaDescriptions["config_blocked_countries"],
+						ElementType: types.StringType,
+					},
 				},
 			},
 		},
@@ -378,6 +388,26 @@ func (r *distributionResource) Update(ctx context.Context, req resource.UpdateRe
 		regions = append(regions, *regionEnum)
 	}
 
+	// blockedCountries
+	// Use a pointer to a slice to distinguish between an empty list (unblock all) and nil (no change).
+	var blockedCountries *[]string
+	if configModel.BlockedCountries != nil {
+		// Use a temporary slice
+		tempBlockedCountries := []string{}
+
+		for _, blockedCountry := range *configModel.BlockedCountries {
+			validatedBlockedCountry, err := validateCountryCode(blockedCountry)
+			if err != nil {
+				core.LogAndAddError(ctx, &resp.Diagnostics, "Update CDN distribution", fmt.Sprintf("Blocked countries: %v", err))
+				return
+			}
+			tempBlockedCountries = append(tempBlockedCountries, validatedBlockedCountry)
+		}
+
+		// Point to the populated slice
+		blockedCountries = &tempBlockedCountries
+	}
+
 	configPatch := &cdn.ConfigPatch{
 		Backend: &cdn.ConfigPatchBackend{
 			HttpBackendPatch: &cdn.HttpBackendPatch{
@@ -386,7 +416,8 @@ func (r *distributionResource) Update(ctx context.Context, req resource.UpdateRe
 				Type:                 &configModel.Backend.Type,
 			},
 		},
-		Regions: &regions,
+		Regions:          &regions,
+		BlockedCountries: blockedCountries,
 	}
 
 	if !utils.IsUndefined(configModel.Optimizer) {
@@ -411,7 +442,9 @@ func (r *distributionResource) Update(ctx context.Context, req resource.UpdateRe
 	}).Execute()
 	if err != nil {
 		core.LogAndAddError(ctx, &resp.Diagnostics, "Update CDN distribution", fmt.Sprintf("Patch distribution: %v", err))
+		return
 	}
+
 	waitResp, err := wait.UpdateDistributionWaitHandler(ctx, r.client, projectId, distributionId).WaitWithContext(ctx)
 	if err != nil {
 		core.LogAndAddError(ctx, &resp.Diagnostics, "Update CDN distribution", fmt.Sprintf("Waiting for update: %v", err))
@@ -423,6 +456,7 @@ func (r *distributionResource) Update(ctx context.Context, req resource.UpdateRe
 		core.LogAndAddError(ctx, &resp.Diagnostics, "Update CDN distribution", fmt.Sprintf("Processing API payload: %v", err))
 		return
 	}
+
 	diags = resp.State.Set(ctx, model)
 	resp.Diagnostics.Append(diags...)
 	if resp.Diagnostics.HasError() {
@@ -501,6 +535,7 @@ func mapFields(distribution *cdn.Distribution, model *Model) error {
 	model.CreatedAt = types.StringValue(distribution.CreatedAt.String())
 	model.UpdatedAt = types.StringValue(distribution.UpdatedAt.String())
 
+	// distributionErrors
 	distributionErrors := []attr.Value{}
 	if distribution.Errors != nil {
 		for _, e := range *distribution.Errors {
@@ -513,6 +548,7 @@ func mapFields(distribution *cdn.Distribution, model *Model) error {
 	}
 	model.Errors = modelErrors
 
+	// regions
 	regions := []attr.Value{}
 	for _, r := range *distribution.Config.Regions {
 		regions = append(regions, types.StringValue(string(r)))
@@ -521,6 +557,21 @@ func mapFields(distribution *cdn.Distribution, model *Model) error {
 	if diags.HasError() {
 		return core.DiagsToError(diags)
 	}
+
+	// blockedCountries
+	var blockedCountries []attr.Value
+	if distribution.Config != nil && distribution.Config.BlockedCountries != nil {
+		for _, c := range *distribution.Config.BlockedCountries {
+			blockedCountries = append(blockedCountries, types.StringValue(string(c)))
+		}
+	}
+
+	modelBlockedCountries, diags := types.ListValue(types.StringType, blockedCountries)
+	if diags.HasError() {
+		return core.DiagsToError(diags)
+	}
+
+	// originRequestHeaders
 	originRequestHeaders := types.MapNull(types.StringType)
 	if origHeaders := distribution.Config.Backend.HttpBackend.OriginRequestHeaders; origHeaders != nil && len(*origHeaders) > 0 {
 		headers := map[string]attr.Value{}
@@ -557,9 +608,10 @@ func mapFields(distribution *cdn.Distribution, model *Model) error {
 		}
 	}
 	cfg, diags := types.ObjectValue(configTypes, map[string]attr.Value{
-		"backend":   backend,
-		"regions":   modelRegions,
-		"optimizer": optimizerVal,
+		"backend":           backend,
+		"regions":           modelRegions,
+		"blocked_countries": modelBlockedCountries,
+		"optimizer":         optimizerVal,
 	})
 	if diags.HasError() {
 		return core.DiagsToError(diags)
@@ -624,6 +676,7 @@ func toCreatePayload(ctx context.Context, model *Model) (*cdn.CreateDistribution
 		IntentId:             cdn.PtrString(uuid.NewString()),
 		OriginUrl:            cfg.Backend.HttpBackend.OriginUrl,
 		Regions:              cfg.Regions,
+		BlockedCountries:     cfg.BlockedCountries,
 		OriginRequestHeaders: cfg.Backend.HttpBackend.OriginRequestHeaders,
 		Optimizer:            optimizer,
 	}
@@ -646,6 +699,8 @@ func convertConfig(ctx context.Context, model *Model) (*cdn.Config, error) {
 	if diags.HasError() {
 		return nil, core.DiagsToError(diags)
 	}
+
+	// regions
 	regions := []cdn.Region{}
 	for _, r := range *configModel.Regions {
 		regionEnum, err := cdn.NewRegionFromValue(r)
@@ -655,6 +710,19 @@ func convertConfig(ctx context.Context, model *Model) (*cdn.Config, error) {
 		regions = append(regions, *regionEnum)
 	}
 
+	// blockedCountries
+	var blockedCountries []string
+	if configModel.BlockedCountries != nil {
+		for _, blockedCountry := range *configModel.BlockedCountries {
+			validatedBlockedCountry, err := validateCountryCode(blockedCountry)
+			if err != nil {
+				return nil, err
+			}
+			blockedCountries = append(blockedCountries, validatedBlockedCountry)
+		}
+	}
+
+	// originRequestHeaders
 	originRequestHeaders := map[string]string{}
 	if configModel.Backend.OriginRequestHeaders != nil {
 		for k, v := range *configModel.Backend.OriginRequestHeaders {
@@ -670,7 +738,8 @@ func convertConfig(ctx context.Context, model *Model) (*cdn.Config, error) {
 				Type:                 &configModel.Backend.Type,
 			},
 		},
-		Regions: &regions,
+		Regions:          &regions,
+		BlockedCountries: &blockedCountries,
 	}
 
 	if !utils.IsUndefined(configModel.Optimizer) {
@@ -687,3 +756,25 @@ func convertConfig(ctx context.Context, model *Model) (*cdn.Config, error) {
 
 	return cdnConfig, nil
 }
+
+// validateCountryCode checks for a valid country user input. This is just a quick check
+// since the API already does a more thorough check.
+func validateCountryCode(country string) (string, error) {
+	if len(country) != 2 {
+		return "", errors.New("country code must be exactly 2 characters long")
+	}
+
+	upperCountry := strings.ToUpper(country)
+
+	// Check if both characters are alphabetical letters within the ASCII range A-Z.
+	// Yes, we could use the unicode package, but we are only targeting ASCII letters specifically, so
+	// let's omit this dependency.
+	char1 := upperCountry[0]
+	char2 := upperCountry[1]
+
+	if !((char1 >= 'A' && char1 <= 'Z') && (char2 >= 'A' && char2 <= 'Z')) {
+		return "", fmt.Errorf("country code '%s' must consist of two alphabetical letters (A-Z or a-z)", country)
+	}
+
+	return upperCountry, nil
+}