Merge pull request #10 from Flaconi/PLT-861-rate-limiting

PLT-861 added ratelimit phase

.github/CODEOWNERS

@@ -1 +1 @@
-* @Flaconi/devops
+* @Flaconi/devops @Flaconi/platform

README.md

@@ -90,16 +90,14 @@ list(object({
     expression = string
     action     = string
     action_parameters = optional(object({
-      # phase: http_request_origin, action: route
-      host_header = optional(string)
-      origin = optional(object({
-        host = optional(string)
-        port = optional(number)
-      }), null)
-
       # phase: http_config_settings, action: set_config
       polish = optional(string)
 
+      # phase: http_log_custom_fields, action: log_custom_field
+      cookie_fields   = optional(list(string))
+      request_fields  = optional(list(string))
+      response_fields = optional(list(string))
+
       # phase: http_request_dynamic_redirect, action: redirect
       from_value = optional(object({
         preserve_query_string = optional(bool)
@@ -114,11 +112,6 @@ list(object({
       products = optional(list(string))
       ruleset  = optional(string)
 
-      # phase: http_log_custom_fields, action: log_custom_field
-      cookie_fields   = optional(list(string))
-      request_fields  = optional(list(string))
-      response_fields = optional(list(string))
-
       # phase: http_request_firewall_managed, action: block, challenge, js_challenge, log, managed_challenge, skip
       id      = optional(string)
       version = optional(string)
@@ -138,12 +131,30 @@ list(object({
         })), [])
       }), null)
 
+      # phase: http_request_origin, action: route
+      host_header = optional(string)
+      origin = optional(object({
+        host = optional(string)
+        port = optional(number)
+      }), null)
+
       # phase: http_request_transform
       uri = optional(object({
         path  = optional(string)
         query = optional(string)
       }))
     }), null)
+    # phase: http_ratelimit, action: block, challenge, js_challenge, log, managed_challenge
+    ratelimit = optional(object({
+      characteristics            = optional(list(string))
+      counting_expression        = optional(string)
+      mitigation_timeout         = optional(number)
+      period                     = optional(number)
+      requests_per_period        = optional(number)
+      requests_to_origin         = optional(bool)
+      score_per_period           = optional(number)
+      score_response_header_name = optional(string)
+    }), null)
     description = optional(string)
     enabled     = optional(bool, true)
     logging = optional(object({

main.tf

@@ -13,19 +13,14 @@ resource "cloudflare_ruleset" "this" {
       dynamic "action_parameters" {
         for_each = rules.value.action_parameters[*]
         content {
-          # http_request_origin
-          host_header = action_parameters.value.host_header
-          dynamic "origin" {
-            for_each = rules.value.action_parameters.origin[*]
-            content {
-              host = origin.value.host
-              port = origin.value.port
-            }
-          }
-
           # http_config_settings
           polish = action_parameters.value.polish
 
+          # http_log_custom_fields
+          cookie_fields   = action_parameters.value.cookie_fields
+          request_fields  = action_parameters.value.request_fields
+          response_fields = action_parameters.value.response_fields
+
           # http_request_dynamic_redirect
           dynamic "from_value" {
             for_each = rules.value.action_parameters.from_value[*]
@@ -43,11 +38,6 @@ resource "cloudflare_ruleset" "this" {
           ruleset  = action_parameters.value.ruleset
           products = action_parameters.value.products
 
-          # http_log_custom_fields
-          cookie_fields   = action_parameters.value.cookie_fields
-          request_fields  = action_parameters.value.request_fields
-          response_fields = action_parameters.value.response_fields
-
           # http_request_firewall_managed
           id      = action_parameters.value.id
           version = action_parameters.value.version
@@ -77,6 +67,16 @@ resource "cloudflare_ruleset" "this" {
             }
           }
 
+          # http_request_origin
+          host_header = action_parameters.value.host_header
+          dynamic "origin" {
+            for_each = rules.value.action_parameters.origin[*]
+            content {
+              host = origin.value.host
+              port = origin.value.port
+            }
+          }
+
           # http_request_transform
           dynamic "uri" {
             for_each = rules.value.action_parameters.uri[*]
@@ -98,9 +98,26 @@ resource "cloudflare_ruleset" "this" {
           }
         }
       }
+
+      # http_ratelimit
+      dynamic "ratelimit" {
+        for_each = rules.value.ratelimit[*]
+        content {
+          characteristics            = ratelimit.value.characteristics
+          counting_expression        = ratelimit.value.counting_expression
+          mitigation_timeout         = ratelimit.value.mitigation_timeout
+          period                     = ratelimit.value.period
+          requests_per_period        = ratelimit.value.requests_per_period
+          requests_to_origin         = ratelimit.value.requests_to_origin
+          score_per_period           = ratelimit.value.score_per_period
+          score_response_header_name = ratelimit.value.score_response_header_name
+        }
+      }
+
       description = rules.value.description
       enabled     = rules.value.enabled
       expression  = rules.value.expression
+
       dynamic "logging" {
         for_each = rules.value.logging[*]
         content {

variables.tf

@@ -34,8 +34,8 @@ variable "phase" {
   # https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset#phase
   # https://developers.cloudflare.com/ruleset-engine/reference/phases-list/
   validation {
-    condition     = can(contains(["http_config_settings", "http_log_custom_fields", "http_request_dynamic_redirect", "http_request_firewall_custom", "http_request_firewall_managed", "http_request_origin"], var.phase))
-    error_message = "Only the following phase types are allowed: http_config_settings, http_log_custom_fields, http_request_dynamic_redirect, http_request_firewall_custom, http_request_firewall_managed, http_request_origin."
+    condition     = contains(["http_config_settings", "http_log_custom_fields", "http_ratelimit", "http_request_dynamic_redirect", "http_request_firewall_custom", "http_request_firewall_managed", "http_request_origin", "http_request_transform"], var.phase)
+    error_message = "Only the following phase types are allowed: http_config_settings, http_log_custom_fields, http_ratelimit, http_request_dynamic_redirect, http_request_firewall_custom, http_request_firewall_managed, http_request_origin, http_request_transform."
   }
 }
 
@@ -51,16 +51,14 @@ variable "rules" {
     expression = string
     action     = string
     action_parameters = optional(object({
-      # phase: http_request_origin, action: route
-      host_header = optional(string)
-      origin = optional(object({
-        host = optional(string)
-        port = optional(number)
-      }), null)
-
       # phase: http_config_settings, action: set_config
       polish = optional(string)
 
+      # phase: http_log_custom_fields, action: log_custom_field
+      cookie_fields   = optional(list(string))
+      request_fields  = optional(list(string))
+      response_fields = optional(list(string))
+
       # phase: http_request_dynamic_redirect, action: redirect
       from_value = optional(object({
         preserve_query_string = optional(bool)
@@ -75,11 +73,6 @@ variable "rules" {
       products = optional(list(string))
       ruleset  = optional(string)
 
-      # phase: http_log_custom_fields, action: log_custom_field
-      cookie_fields   = optional(list(string))
-      request_fields  = optional(list(string))
-      response_fields = optional(list(string))
-
       # phase: http_request_firewall_managed, action: block, challenge, js_challenge, log, managed_challenge, skip
       id      = optional(string)
       version = optional(string)
@@ -99,12 +92,30 @@ variable "rules" {
         })), [])
       }), null)
 
+      # phase: http_request_origin, action: route
+      host_header = optional(string)
+      origin = optional(object({
+        host = optional(string)
+        port = optional(number)
+      }), null)
+
       # phase: http_request_transform
       uri = optional(object({
         path  = optional(string)
         query = optional(string)
       }))
     }), null)
+    # phase: http_ratelimit, action: block, challenge, js_challenge, log, managed_challenge
+    ratelimit = optional(object({
+      characteristics            = optional(list(string))
+      counting_expression        = optional(string)
+      mitigation_timeout         = optional(number)
+      period                     = optional(number)
+      requests_per_period        = optional(number)
+      requests_to_origin         = optional(bool)
+      score_per_period           = optional(number)
+      score_response_header_name = optional(string)
+    }), null)
     description = optional(string)
     enabled     = optional(bool, true)
     logging = optional(object({