Updating the basic settings of a resource

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

1. View the description of the CLI command to update a resource:

   yc cdn resource update --help
   

2. Get a list of all resources in the default folder:

   yc cdn resource list --format yaml
   

   Result:

   id: s0me1dkfjq********
   folder_id: s0mef01der7p********
   cname: testexample.com
   created_at: "2022-01-19T09:23:57.921365Z"
   updated_at: "2022-01-19T10:55:30.305141Z"
   active: true
   options:
     edge_cache_settings:
       enabled: true
       default value: "345600"
     cache_http_headers:
       enabled: true
       value:
       - content-type
       - content-length
       - connection
       - server
       - date
       - test
     stale:
       enabled: true
       value:
       - error
       - updating
     allowed_http_methods:
       value:
       - GET
       - POST
       - HEAD
       - OPTIONS
   origin_group_id: "89783"
   origin_group_name: My origins group
   origin_protocol: HTTP
   ssl_certificate:
     type: DONT_USE
     status: READY
   

3. Edit the resource settings:

   yc cdn resource update <resource_ID> \
     <flag> <new_value>
   

   To configure a TLS certificate for a CDN resource, use these parameters:

   • --dont-use-ssl-cert: Do not use a certificate. The resource will be available only over HTTP.

   • --cert-manager-ssl-cert-id: Certificate ID. The resource will be available over HTTP and HTTPS.

     Certificates from Yandex Certificate Manager are supported. You can issue a new Let's Encrypt® certificate or upload one of your own.

     The certificate must be located in the same folder as your CDN resource.

   To enable request redirects on a CDN resource, use these parameters:

   • --rewrite-body: Rewrite rule, e.g., --rewrite-body '/(.*) /new-folder/$1'.

     A rewrite rule must contain two space-separated directives: the original path you need to replace, and the edited path, which replaces the original path.

     You can use regular expressions in the rule.

     For more information, see Rewrite rule.

   • --rewrite-flag: Flag. The possible values are:

     • break: Terminates the processing of the current set of directives.
     • last: Terminates the processing of the current set of directives and starts searching for a new CDN server that matches the new URI.
     • redirect: Returns a temporary redirect with the 302 status code to the user. This flag is used if the replacement string does not start with http://, https://, or $scheme.
     • permanent: Returns a permanent redirect with the 301 status code to the user.

   To disable request redirects on a CDN resource, use the --clear-rewrite parameter.

   If you want to restrict access to resource content with secure tokens, use the following parameters:

   • --secure-key: Secret key, a string of 6 to 32 characters.
   • --enable-ip-url-signing: Optional parameter that restricts access to the CDN resource by IP address. The trusted IP address itself is provided outside the CDN resource and specified as a parameter when generating an MD5 hash for a pre-signed URL. If the parameter is not set, file access will be allowed from any IP address.

   See also Setting up access via a secure token.

   If you want to restrict access to resource content using an IP address access policy, use the following parameters:

   • --acl-excepted-values: IP address for which access to the content will be allowed or denied. For the address, specify the subnet prefix in CIDR notation, e.g., 192.168.3.2/32 or 2a03:d000:2980:7::8/128.

     You can only provide one IP address in the --acl-excepted-values parameter. To provide multiple addresses, set the --acl-excepted-values parameter for each address.

   • --policy-type: Policy type. The possible values are as follows:

     • allow: ALLOW policy. Access to the resource content will be allowed for any IP addresses other than those specified in the --acl-excepted-values parameter.
     • deny: DENY policy. Access to the resource content will be denied for any IP addresses other than those specified in the --acl-excepted-values parameter.

   To disable the IP-based access policy, use the --clear-ip-address-acl parameter.

   To add or remove labels, use the --add-labels, --remove-labels, and --remove-all-labels parameters.

   For more information about the yc cdn resource update command, see the CLI reference.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

To update the parameters of a CDN resource created using Terraform:

1. Open the Terraform configuration file and edit the fragment with the resource description:

   resource "yandex_cdn_resource" "my_resource" {
       cname               = "<domain_name>"
       active              = true
       origin_protocol     = "https"
       origin_group_id     = <origin_group_ID>
       secondary_hostnames = ["<additional_domain_name_1>", "additional_domain_name_2"]
       ssl_certificate {
         type = "certificate_manager"
         certificate_manager_id = "<certificate_ID>"
       }
       options {
         redirect_http_to_https = true
         secure_key = "<secret_key>"
         enable_ip_url_signing = true
         ip_address_acl {
           excepted_values = ["<IP_address_1>", "<IP_address_2>", ..., "<IP_address_n>"]
           policy_type = "<policy_type>"
         }
       }
   }
   

   Where:

   • cname: Primary domain name used for content distribution. This is a required parameter.

   • active: Optional flag for content availability to end users, wheretrue means the CDN content is available to clients, and false means that the content not available. The default value is true.

   • origin_protocol: Optional origin protocol. The default value is http.

   • origin_group_id: Origin group ID. This is a required parameter. Use the ID from the description of the origin group in the yandex_cdn_origin_group resource.

   • secondary_hostnames: Optional additional domain names.

   • ssl_certificate: Optional SSL certificate parameters:

     • type: Certificate type. The possible values are:

       • not_used: Certificate is not used. This is a default value.

       • certificate_manager: Custom certificate. Specify the certificate ID in the certificate_manager_id parameter.

         Certificates from Yandex Certificate Manager are supported. You can issue a new Let's Encrypt® certificate or upload one of your own.

         The certificate must be located in the same folder as your CDN resource.

     • certificate_manager_id: Custom certificate ID in Certificate Manager.

   • options: Optional additional parameters of the CDN resource:

     • redirect_http_to_https: Parameter to redirect clients from HTTP to HTTPS, true or false. This parameter is available if an SSL certificate is used.

     • secure_key: Secret key, that is a string of 6 to 32 characters, which is required to restrict access to a resource using secure tokens.

     • enable_ip_url_signing: Optional parameter that enables restricting access to a CDN resource by IP address using secure tokens. The trusted IP address itself is provided outside the CDN resource and specified as a parameter when generating an MD5 hash for a pre-signed URL. If the parameter is not set, file access will be allowed from any IP address.

     • ip_address_acl: IP-based access policy parameters:

       • ip_address_acl: List of IP addresses for which access to the resource content will be allowed or denied. Separate IP addresses by commas. For each address, specify the subnet prefix in CIDR notation, e.g., 192.168.3.2/32 or 2a03:d000:2980:7::8/128.

       • policy_type: Policy type. The possible values are as follows:

         • allow: ALLOW policy. Access to the resource content will be allowed for any IP addresses other than those specified in the ip_address_acl.excepted_values parameter.
         • deny: DENY policy. Access to the resource content will be denied for any IP addresses other than those specified in the ip_address_acl.excepted_values parameter.

     Note

     Deleting the secure_key and ip_address_acl parameters in the configuration file will not automatically disable them. You can delete secure_key and ip_address_acl using the CLI or API.

   For more information about the yandex_cdn_resource properties in Terraform, see the provider documentation.

2. In the command line, go to the directory with the Terraform configuration file.

3. Check the configuration using this command:

   terraform validate
   

   If the configuration is correct, you will get this message:

   Success! The configuration is valid.
   

4. Run this command:

   terraform plan
   

   You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

5. Apply the changes:

   terraform apply
   

6. Type yes and press Enter to confirm the changes.

   You can check the CDN resource update in the management console or using this CLI command:

   yc cdn resource list
   

Use the update REST API method for the Resource resource or the ResourceService/Update gRPC API call.

You can restrict access to the resource with secure tokens and an IP-based access policy.