Summary: Managing edge security configuration manually doesn't scale. Terraform brings Infrastructure-as-Code (IaC) to edge platforms—enabling version-controlled, reproducible, and auditable security and acceleration configurations. This guide shows how to manage your entire edge infrastructure with Terraform.
The manual management problem:
You're managing edge security through a web console:
What could go wrong?
The solution: Terraform—managing your entire edge security configuration as code, with version control, code review, automated deployment, and instant rollback.
| Capability | Manual Console | Terraform IaC |
|---|---|---|
| Version history | ❌ | ✅ (Git) |
| Code review | ❌ | ✅ (Pull requests) |
| Rollback | ❌ | ✅ (terraform apply previous version) |
| Reproducibility | ❌ | ✅ (Same config = same result) |
| Audit trail | Limited | ✅ (Git log + Terraform state) |
| Multi-environment | Manual copy | ✅ (Variables per environment) |
| Automation | ❌ | ✅ (CI/CD pipelines) |
| Documentation | Separate docs | ✅ (Code IS documentation) |
Use Terraform when:
You don't need Terraform when:
```bash
# Install Terraform
brew install terraform   # macOS
# or download from https://terraform.io/downloads

# Verify installation
terraform version
# Terraform v1.7.0+
```
```hcl
# main.tf
terraform {
  required_providers {
    tencentcloud = {
      source  = "tencentcloudstack/tencentcloud"
      version = ">= 1.81.0"
    }
  }
}

provider "tencentcloud" {
  secret_id  = var.secret_id
  secret_key = var.secret_key
  region     = "ap-guangzhou"
}

# Variables (never hardcode secrets!)
# Supply these via TF_VAR_secret_id / TF_VAR_secret_key or a secret manager,
# never in a committed .tf or .tfvars file.
variable "secret_id" {
  type      = string
  sensitive = true
}

variable "secret_key" {
  type      = string
  sensitive = true
}
```
```hcl
# zone.tf
resource "tencentcloud_teo_zone" "main" {
  zone_name = "example.com"
  plan_type = "sta" # Standard plan

  tags = {
    environment = "production"
    team        = "platform"
    managed_by  = "terraform"
  }
}

# Output zone ID for other resources
output "zone_id" {
  value = tencentcloud_teo_zone.main.id
}
```
```hcl
# dns.tf
resource "tencentcloud_teo_dns_record" "www" {
  zone_id = tencentcloud_teo_zone.main.id
  type    = "CNAME"
  name    = "www"
  content = "origin.example.com"
  mode    = "proxied" # Enable edge acceleration
  ttl     = 300
}

resource "tencentcloud_teo_dns_record" "api" {
  zone_id = tencentcloud_teo_zone.main.id
  type    = "CNAME"
  name    = "api"
  content = "api-origin.example.com"
  mode    = "proxied"
  ttl     = 300
}

resource "tencentcloud_teo_dns_record" "cdn" {
  zone_id = tencentcloud_teo_zone.main.id
  type    = "CNAME"
  name    = "cdn"
  content = "cdn-origin.example.com"
  mode    = "proxied"
  ttl     = 300
}
```
```hcl
# security.tf
# WAF Configuration
resource "tencentcloud_teo_security_policy" "waf" {
  zone_id = tencentcloud_teo_zone.main.id
  entity  = "example.com"

  config {
    waf_config {
      switch = "on"
      level  = "strict" # strict, normal, loose
      mode   = "block"  # block, observe
    }

    rate_limit_config {
      switch = "on"

      # Tight limit on the login endpoint (credential stuffing / brute force)
      user_rules {
        rule_name = "login-rate-limit"
        threshold = 10
        period    = 60 # seconds
        action    = "block"
        conditions {
          match_from    = "url"
          match_param   = ""
          operator      = "equal"
          match_content = "/api/login"
        }
      }

      # Looser limit across the rest of the API, challenge instead of block
      user_rules {
        rule_name = "api-rate-limit"
        threshold = 100
        period    = 60
        action    = "challenge"
        conditions {
          match_from    = "url"
          match_param   = ""
          operator      = "prefix"
          match_content = "/api/"
        }
      }
    }

    bot_config {
      switch = "on"

      bot_managed_rule {
        action       = "drop"
        rule_id      = 1001 # Known bad bots
        trans_manage = "drop"
      }

      intelligence_rule {
        switch = "on"
        items {
          label  = "search_engine"
          action = "allow"
        }
        items {
          label  = "automation"
          action = "challenge"
        }
      }
    }

    ddos_config {
      switch = "on"
    }
  }
}
```
```hcl
# cache.tf
resource "tencentcloud_teo_rule_engine" "cache_rules" {
  zone_id   = tencentcloud_teo_zone.main.id
  rule_name = "static-content-cache"
  status    = "enable"

  rules {
    # Cache static assets for 7 days
    conditions {
      match_from    = "url"
      operator      = "regex"
      match_content = "\\.(jpg|jpeg|png|gif|css|js|woff2|svg|ico)$"
    }
    actions {
      normal_action {
        action = "CacheConfig"
        parameters {
          name   = "CacheTime"
          values = ["604800"] # 7 days in seconds
        }
      }
    }
  }
}

resource "tencentcloud_teo_rule_engine" "dynamic_cache" {
  zone_id   = tencentcloud_teo_zone.main.id
  rule_name = "dynamic-content-cache"
  status    = "enable"

  rules {
    # Cache product pages for 60 seconds
    conditions {
      match_from    = "url"
      operator      = "prefix"
      match_content = "/products/"
    }
    actions {
      normal_action {
        action = "CacheConfig"
        parameters {
          name   = "CacheTime"
          values = ["60"] # 60 seconds
        }
      }
    }
  }
}
```
```bash
# Initialize Terraform
terraform init

# Plan changes (review before applying)
terraform plan -var-file="production.tfvars"

# Apply changes
terraform apply -var-file="production.tfvars"

# Verify deployment
terraform show
```
```yaml
# .github/workflows/edge-deploy.yml
name: Edge Security Deployment

on:
  push:
    branches: [main]
    paths: ['terraform/**']
  pull_request:
    branches: [main]
    paths: ['terraform/**']

jobs:
  # Pull requests only get a plan, so reviewers see the diff before anything ships
  plan:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
        working-directory: terraform
      - run: terraform plan -var-file="production.tfvars" -no-color
        working-directory: terraform
        env:
          TF_VAR_secret_id: ${{ secrets.TENCENT_SECRET_ID }}
          TF_VAR_secret_key: ${{ secrets.TENCENT_SECRET_KEY }}

  # Only a push to main (i.e. a merged, reviewed PR) applies
  apply:
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
        working-directory: terraform
      - run: terraform apply -auto-approve -var-file="production.tfvars"
        working-directory: terraform
        env:
          TF_VAR_secret_id: ${{ secrets.TENCENT_SECRET_ID }}
          TF_VAR_secret_key: ${{ secrets.TENCENT_SECRET_KEY }}
```
Developer → Git Push → Pull Request → Code Review → Merge → Terraform Apply
Every security change goes through code review before deployment. No more accidental misconfigurations.
```hcl
# environments/production.tfvars
# Note: zone_name, plan_type, waf_level, rate_limit and bot_action must be
# declared with variable blocks; the files shown earlier only declare
# secret_id and secret_key.
zone_name  = "example.com"
plan_type  = "sta"
waf_level  = "strict"
rate_limit = 100
bot_action = "block"
```

```hcl
# environments/staging.tfvars
zone_name  = "staging.example.com"
plan_type  = "per"
waf_level  = "normal"
rate_limit = 1000      # Higher limit for testing
bot_action = "observe" # Monitor only in staging
```
```bash
# Deploy to staging
terraform apply -var-file="environments/staging.tfvars"

# Deploy to production
terraform apply -var-file="environments/production.tfvars"
```
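The tfvars files above set `waf_level`, `rate_limit` and `bot_action`, but the configuration shown earlier only declares `secret_id` and `secret_key`. The following `variables.tf` is an added example, not from the original guide: it declares those variables with validation so that a typo in a tfvars file fails at `terraform plan` instead of reaching the edge. The allowed values are assumed from the comments in `security.tf`; the resources would then use `var.waf_level`, `var.rate_limit` and `var.bot_action` in place of the literals.

```hcl
# variables.tf (added example; names match the tfvars files above)
variable "zone_name" {
  type        = string
  description = "Zone managed in this environment, e.g. example.com"
}

variable "plan_type" {
  type    = string
  default = "sta"
}

variable "waf_level" {
  type        = string
  description = "WAF sensitivity; allowed values assumed from security.tf"
  validation {
    # Fail fast on anything that is not a known level.
    condition     = contains(["strict", "normal", "loose"], var.waf_level)
    error_message = "waf_level must be one of: strict, normal, loose."
  }
}

variable "rate_limit" {
  type        = number
  description = "Requests per 60 s before the api-rate-limit rule fires"
  validation {
    # Reject non-positive thresholds and implausibly large ones.
    condition     = var.rate_limit >= 1 && var.rate_limit <= 100000
    error_message = "rate_limit must be between 1 and 100000."
  }
}

variable "bot_action" {
  type        = string
  description = "Bot handling mode; allowed values assumed: block or observe"
  validation {
    condition     = contains(["block", "observe"], var.bot_action)
    error_message = "bot_action must be block or observe."
  }
}
```

With these in place, `terraform plan -var-file="environments/staging.tfvars"` rejects a value like `waf_level = "stirct"` before any API call is made.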
SaaS platform managing 50 domains:
Before (Manual Console):
After (Terraform IaC):
Rollback (git revert)
Results:
Mistake 1: Hardcoding Secrets in Terraform Files
Never put API keys in .tf files. Use environment variables or secret managers.
Mistake 2: Not Using State Locking
Concurrent terraform apply can corrupt state. Use remote state with locking (S3 + DynamoDB or Terraform Cloud).
Mistake 3: Applying Without Plan Review
Always run terraform plan and review changes before terraform apply.
Mistake 4: Not Testing in Staging First
Apply changes to staging environment first. Verify before production deployment.
Mistake 5: Not Versioning State Files
Use remote state storage (not local). State files contain sensitive information.
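A remote backend that addresses Mistakes 2 and 5 together, as an added example that is not part of the original guide: state is stored encrypted in S3 and every `apply` takes a DynamoDB lock, so two concurrent runs cannot corrupt it. The bucket, table and region names are placeholders.

```hcl
# backend.tf (added example; bucket, table and region are placeholders)
terraform {
  required_version = ">= 1.7.0"

  backend "s3" {
    bucket         = "example-edge-tfstate"           # placeholder; enable bucket versioning for history
    key            = "edgeone/production.tfstate"     # one key per environment
    region         = "us-east-1"                      # placeholder
    encrypt        = true                             # state holds zone IDs and outputs; encrypt at rest
    dynamodb_table = "example-terraform-state-lock"   # placeholder; table with a string hash key "LockID"
  }
}
```

After adding this file, run `terraform init -migrate-state` once to move any existing local state into the bucket, and delete the local `terraform.tfstate` afterwards so it is never committed.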
Manual configuration doesn't scale. Terraform brings version control, code review, and automation to your edge security.
Get Started in 3 Steps:
| Plan | Best For | Specifications | Original Price | Promo Price |
|---|---|---|---|---|
| Free | Personal Developers, MVP Teams | Basic protection & static acceleration | —— | $0/month |
| Personal | Early-Stage Businesses | 50GB + 3M requests, CDN + Security | $4.2/month | $0.9/month |
| Basic | Growing Businesses | 500GB + 20M requests, OWASP TOP 10 | $57/month | $32/month |
| Standard | Enterprise Businesses | 3TB + 50M requests, WAF + Bot Management | $590/month | $299/month |
Stop clicking through consoles. Terraform + edge CDN = version-controlled, code-reviewed, automated security at scale. Try it free today.