feat(cdn): Add support for configuring WAF

[matheuspolitano]

Description

https://jira.schwarz/browse/STACKITCDN-723

I want to add support for the waf configuration block in the CDN distribution resource,so that users can programmatically manage security tiers, paranoia levels, and granular rule overrides (Enabled/Disabled/Log-only) via Terraform.

Checklist

• Issue was linked above
• Code format was applied: make fmt
• Examples were added / adjusted (see examples/ directory)
• Docs are up-to-date: make generate-docs (will be checked by CI)
• Unit tests got implemented or updated
• Acceptance tests got implemented or updated (see e.g. here)
• Unit tests are passing: make test (will be checked by CI)
• No linter issues: make lint (will be checked by CI)

[matheuspolitano]

@Fyusel @marceljk Kindly prioritize the review of PR #1333, as the current pull request builds upon those changes.

[marceljk]

@Fyusel @marceljk Kindly prioritize the review of PR #1333, as the current pull request builds upon those changes.

#1333 is merged now. Please rebase this PR

[marceljk]

Why do you need the state here? Is it needed to set WAFMODE_DISABLED or can configPatch.Waf set to null to remove it?

Nevertheless, I think you can check here also configPlanModel.Waf.IsNull() instead of !utils.IsUndefined(configStateModel.Waf) and would have the same outcome but without the need accessing the state

[matheuspolitano]

We are no longer persisting states once the WAF is removed, it is only disabled and change the type to free a pushed the API

[marceljk]

But for this you don't need the state. You can just set WafConfigPatch always to mode=disabled and type=free, when in the terraform config nothing related to Waf is defined.

Then you can remove the added stateModel and revert all renamings from Model -> PlanModel. I would actually prefer to avoid here, handling the state and config model, because this can lead in the future to issue when someone mixes them. And this resource is already really big.

[marceljk]

Suggested change

	func SortedStringsToListValue(items []string) basetypes.ListValue {
	if len(items) == 0 {
	func SortedStringsToListValue(items []string) basetypes.ListValue {
	if items == nil {
	return types.ListNull(types.StringType)
	}
	if len(items) == 0 {

I would return here a null list in case the string slice is also null. null list != empty list
This will also need some adjustment to the tests

[marceljk]

We have in our SDK also a slice with all the enum. Use it here instead of referencing each enum by hand

Suggested change

	Validators: []validator.String{stringvalidator.OneOf(string(cdnSdk.WAFMODE_DISABLED), string(cdnSdk.WAFMODE_ENABLED), string(cdnSdk.WAFMODE_LOG_ONLY))},
	Validators: []validator.String{stringvalidator.OneOf(sdkUtils.EnumSliceToStringSlice(cdnSdk.AllowedWafModeEnumValues)...)},

[marceljk]

same here

[marceljk]

same here

[marceljk]

But for this you don't need the state. You can just set WafConfigPatch always to mode=disabled and type=free, when in the terraform config nothing related to Waf is defined.

Then you can remove the added stateModel and revert all renamings from Model -> PlanModel. I would actually prefer to avoid here, handling the state and config model, because this can lead in the future to issue when someone mixes them. And this resource is already really big.