Static Website on STACKIT CDN with S3 Backend
A reference implementation showing how to deploy a static website using STACKIT CDN with STACKIT Object Storage as the origin.
Architecture
flowchart LR
U(User) -->|HTTPS request| Edge(CDN Edge)
Edge --> B(Bucket)
Edge -->|cached response| U
subgraph WAF
Edge
end
Prerequisites
- Terraform >= 1.5
- A STACKIT project
- A STACKIT service account with sufficient permissions
- A STACKIT service account JSON key file
Setup
Copy terraform.tfvars.example to terraform.tfvars and fill in your values, then run:
terraform init
terraform apply
After apply, visit the output domain:
bucket_name = "firm-dassie"
cdn_distribution_id = "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx"
cdn_managed_domain = "https://xxxxxxx.cdn.onstackit.cloud"
cdn_status = "ACTIVE"
Configuration
Variables
| Variable | Description | Default |
|---|---|---|
| stackit_project_id | STACKIT project ID | — |
| stackit_service_account_key_path | Path to SA key JSON | — |
| stackit_region | STACKIT region | eu01 |
| cdn_enabled_regions | CDN regions: EU, US, ASIA, AF, SA | ["EU"] |
| cdn_blocked_countries | ISO 3166-1 alpha-2 codes to block | [] |
Verify WAF
WAF
The example enables the WAF in ENABLED mode with @builtin/crs/request rules, restricting accepted methods to GET and HEAD.
URL=$(terraform output -raw cdn_managed_domain)
# GET request: allowed (200); -o /dev/null -D - sends a real GET and prints only the response headers
curl -s -o /dev/null -D - "${URL}/"
# POST request: blocked by WAF (403)
curl -sI -X POST "${URL}/"
# HEAD request: allowed (200)
curl -sI "${URL}/"
If the WAF blocks the POST request correctly, you'll see a 403 Forbidden response. If you see 200 OK, the WAF is either not yet active or misconfigured.
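The manual check above can be scripted so that it fails loudly when the WAF is inactive or misconfigured, for example as a post-apply step. This is an added example, not part of the repository; the function names `http_status` and `check_waf` and the `WAF_URL` variable are hypothetical, and the default expectations are the three status codes stated above.

```shell
#!/bin/sh
# Added example: scripted form of the manual WAF method check.

# http_status METHOD URL -> prints the HTTP status code (000 if no response).
http_status() {
    if [ "$1" = "HEAD" ]; then
        # --head issues a real HEAD request and does not wait for a body.
        curl -s -o /dev/null --head -w '%{http_code}' --max-time 10 "$2"
    else
        curl -s -o /dev/null -X "$1" -w '%{http_code}' --max-time 10 "$2"
    fi
}

# check_waf URL [METHOD:STATUS ...]
# Returns 0 when every method yields its expected status, 1 otherwise.
check_waf() {
    url=$1; shift
    # Defaults: GET and HEAD allowed (200), POST blocked by the WAF (403).
    [ $# -gt 0 ] || set -- GET:200 HEAD:200 POST:403
    failed=0
    for pair in "$@"; do
        method=${pair%%:*}
        want=${pair##*:}
        got=$(http_status "$method" "$url") || got=${got:-000}
        if [ "$got" = "$want" ]; then
            echo "ok    $method -> $got"
        else
            # A 200 on POST means the WAF is not yet active or is misconfigured.
            echo "FAIL  $method -> $got (expected $want)"
            failed=1
        fi
    done
    return "$failed"
}

# Runs only when a URL is supplied, e.g.
#   WAF_URL=$(terraform output -raw cdn_managed_domain) sh check-waf.sh
if [ -n "${WAF_URL:-}" ]; then
    check_waf "${WAF_URL}/"
fi
```

Further `METHOD:STATUS` pairs can be passed after the URL to cover other methods once you have confirmed how the distribution answers them.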
Cleanup
terraform destroy