feat: add tencentcloud waf deployer

2025-06-08 13:39:53 +00:00 · 2025-02-17 12:52:51 +08:00 · 2025-02-17 12:52:51 +08:00 · a40b078e9c
commit a40b078e9c
parent 61b7165bac
19 changed files with 386 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -123,7 +123,7 @@ make local.run
 | Webhook 回调                            | 可部署到 Webhook                                                         |
 | [Kubernetes](https://kubernetes.io/)    | 可部署到 Kubernetes Secret                                               |
 | [阿里云](https://www.aliyun.com/)       | 可部署到阿里云 OSS、CDN、DCDN、ESA、SLB（CLB/ALB/NLB）、WAF、Live 等服务 |
-| [腾讯云](https://cloud.tencent.com/)    | 可部署到腾讯云 COS、CDN、ECDN、EdgeOne、CLB、CSS 等服务                  |
+| [腾讯云](https://cloud.tencent.com/)    | 可部署到腾讯云 COS、CDN、ECDN、EdgeOne、CLB、WAF、CSS 等服务             |
 | [百度智能云](https://cloud.baidu.com/)  | 可部署到百度智能云 CDN 等服务                                            |
 | [华为云](https://www.huaweicloud.com/)  | 可部署到华为云 CDN、ELB、WAF 等服务                                      |
 | [火山引擎](https://www.volcengine.com/) | 可部署到火山引擎 TOS、CDN、DCDN、CLB、ImageX、Live 等服务                |
--- a/README_EN.md
+++ b/README_EN.md
@ -122,7 +122,7 @@ The following hosting providers are supported:
 | Webhook                                         | Supports deployment to Webhook                                                   |
 | [Kubernetes](https://kubernetes.io/)            | Supports deployment to Kubernetes Secret                                         |
 | [Alibaba Cloud](https://www.alibabacloud.com/)  | Supports deployment to Alibaba Cloud OSS, CDN, DCDN, SLB(CLB/ALB/NLB), WAF, Live |
-| [Tencent Cloud](https://www.tencentcloud.com/)  | Supports deployment to Tencent Cloud COS, CDN, ECDN, EdgeOne, CLB, CSS           |
+| [Tencent Cloud](https://www.tencentcloud.com/)  | Supports deployment to Tencent Cloud COS, CDN, ECDN, EdgeOne, CLB, WAF, CSS      |
 | [Baidu AI Cloud](https://intl.cloud.baidu.com/) | Supports deployment to Baidu AI CLoud CDN                                        |
 | [Huawei Cloud](https://www.huaweicloud.com/)    | Supports deployment to Huawei Cloud CDN, ELB, WAF                                |
 | [Volcengine](https://www.volcengine.com/)       | Supports deployment to Volcengine TOS, CDN, DCDN, CLB, ImageX, Live              |
--- a/go.mod
+++ b/go.mod
@ -34,7 +34,7 @@ require (
 	github.com/qiniu/go-sdk/v7 v7.25.2
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cdn v1.0.1096
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/clb v1.0.1096
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1096
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1099
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/live v1.0.1096
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl v1.0.1096
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1096
@ -95,6 +95,7 @@ require (
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/technoweenie/multipartstreamer v1.0.1 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.1099 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.mongodb.org/mongo-driver v1.17.2 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -829,6 +829,8 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/clb v1.0.1096/go.mod h1
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1084/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1096 h1:DMokC7T0UF8wMfT1kD+mX3M+hc2C06gmFvQ9gsfRPmI=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1096/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1099 h1:4fQ53ORk6Eayw1H2kg43PoBnUuhGR6WRG6rtec/i3oI=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1099/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1084 h1:kwctN0WQYt8/iKP+iRCTCwdzEMIXsXklbRIib5rjeQ8=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1084/go.mod h1:qE67ApiBzeRvzeDsV+GxyIDbVIDemsKpHXllQATz/Vw=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/live v1.0.1096 h1:h9FP40Ycg45egJlZcjbLyc4IUeFoq+wSpR43sHMALtM=
@ -837,6 +839,8 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl v1.0.1096 h1:7ZmPus
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl v1.0.1096/go.mod h1:aMpGcDskqqhXtfMaeo2egO61tgh/zt07L1ohSPwmjWk=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1096 h1:N62IFKL1ZRNQ7WPLNn8x9eYnwM4lOUIVY3buW6kbGtg=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1096/go.mod h1:4PZRRpZp+jvYBUbUajsoZREnk7sJXMnPAiGB4IX8IkM=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.1099 h1:kD+8RKF0uJCr7VaurAUA11NNAoln0HaagMCgQV6EnUw=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.1099/go.mod h1:ellbjD8eHKHS4ixscLdiPJI8QoFIk0YNEgaDjxXMECM=
 github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w=
 github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho=
 github.com/tjfoc/gmsm v1.4.1/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE=
--- a/internal/deployer/providers.go
+++ b/internal/deployer/providers.go
@ -38,6 +38,7 @@ import (
 	pTencentCloudECDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-ecdn"
 	pTencentCloudEO "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-eo"
 	pTencentCloudSSLDeploy "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-ssl-deploy"
+	pTencentCloudWAF "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-waf"
 	pUCloudUCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/ucloud-ucdn"
 	pUCloudUS3 "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/ucloud-us3"
 	pVolcEngineCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/volcengine-cdn"
@ -432,7 +433,7 @@ func createDeployer(options *deployerOptions) (deployer.Deployer, logger.Logger,
 			return deployer, logger, err
 		}

-	case domain.DeployProviderTypeTencentCloudCDN, domain.DeployProviderTypeTencentCloudCLB, domain.DeployProviderTypeTencentCloudCOS, domain.DeployProviderTypeTencentCloudCSS, domain.DeployProviderTypeTencentCloudECDN, domain.DeployProviderTypeTencentCloudEO, domain.DeployProviderTypeTencentCloudSSLDeploy:
+	case domain.DeployProviderTypeTencentCloudCDN, domain.DeployProviderTypeTencentCloudCLB, domain.DeployProviderTypeTencentCloudCOS, domain.DeployProviderTypeTencentCloudCSS, domain.DeployProviderTypeTencentCloudECDN, domain.DeployProviderTypeTencentCloudEO, domain.DeployProviderTypeTencentCloudSSLDeploy, domain.DeployProviderTypeTencentCloudWAF:
 		{
 			access := domain.AccessConfigForTencentCloud{}
 			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
@ -505,6 +506,16 @@ func createDeployer(options *deployerOptions) (deployer.Deployer, logger.Logger,
 				}, logger)
 				return deployer, logger, err

+			case domain.DeployProviderTypeTencentCloudWAF:
+				deployer, err := pTencentCloudWAF.NewWithLogger(&pTencentCloudWAF.TencentCloudWAFDeployerConfig{
+					SecretId:   access.SecretId,
+					SecretKey:  access.SecretKey,
+					Domain:     maps.GetValueAsString(options.ProviderDeployConfig, "domain"),
+					DomainId:   maps.GetValueAsString(options.ProviderDeployConfig, "domainId"),
+					InstanceId: maps.GetValueAsString(options.ProviderDeployConfig, "instanceId"),
+				}, logger)
+				return deployer, logger, err
+
 			default:
 				break
 			}
--- a/internal/domain/provider.go
+++ b/internal/domain/provider.go
@ -127,6 +127,7 @@ const (
 	DeployProviderTypeTencentCloudECDN      = DeployProviderType("tencentcloud-ecdn")
 	DeployProviderTypeTencentCloudEO        = DeployProviderType("tencentcloud-eo")
 	DeployProviderTypeTencentCloudSSLDeploy = DeployProviderType("tencentcloud-ssldeploy")
+	DeployProviderTypeTencentCloudWAF       = DeployProviderType("tencentcloud-waf")
 	DeployProviderTypeUCloudUCDN            = DeployProviderType("ucloud-ucdn")
 	DeployProviderTypeUCloudUS3             = DeployProviderType("ucloud-us3")
 	DeployProviderTypeVolcEngineCDN         = DeployProviderType("volcengine-cdn")
--- a/internal/pkg/core/deployer/providers/tencentcloud-cos/tencentcloud_cos.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-cos/tencentcloud_cos.go
@ -1,4 +1,4 @@
-package tencentcloudcdn
+package tencentcloudcos

 import (
 	"context"
--- a/internal/pkg/core/deployer/providers/tencentcloud-cos/tencentcloud_cos_test.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-cos/tencentcloud_cos_test.go
@ -1,4 +1,4 @@
-package tencentcloudcdn_test
+package tencentcloudcos_test

 import (
 	"context"
--- a/internal/pkg/core/deployer/providers/tencentcloud-eo/tencentcloud_eo.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-eo/tencentcloud_eo.go
@ -1,4 +1,4 @@
-package tencentcloudeteo
+package tencentcloudeo

 import (
 	"context"
--- a/internal/pkg/core/deployer/providers/tencentcloud-eo/tencentcloud_eo_test.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-eo/tencentcloud_eo_test.go
@ -1,4 +1,4 @@
-package tencentcloudeteo_test
+package tencentcloudeo_test

 import (
 	"context"
--- a/internal/pkg/core/deployer/providers/tencentcloud-waf/tencentcloud_waf.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-waf/tencentcloud_waf.go
@ -0,0 +1,134 @@
+package tencentcloudwaf
+
+import (
+	"context"
+	"errors"
+
+	xerrors "github.com/pkg/errors"
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
+	tcWaf "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf/v20180125"
+
+	"github.com/usual2970/certimate/internal/pkg/core/deployer"
+	"github.com/usual2970/certimate/internal/pkg/core/logger"
+	"github.com/usual2970/certimate/internal/pkg/core/uploader"
+	uploaderp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/tencentcloud-ssl"
+)
+
+type TencentCloudWAFDeployerConfig struct {
+	// 腾讯云 SecretId。
+	SecretId string `json:"secretId"`
+	// 腾讯云 SecretKey。
+	SecretKey string `json:"secretKey"`
+	// 腾讯云地域。
+	Region string `json:"region"`
+	// 防护域名（不支持泛域名）。
+	Domain string `json:"domain"`
+	// 防护域名 ID。
+	DomainId string `json:"domainId"`
+	// 防护域名所属实例 ID。
+	InstanceId string `json:"instanceId"`
+}
+
+type TencentCloudWAFDeployer struct {
+	config      *TencentCloudWAFDeployerConfig
+	logger      logger.Logger
+	sdkClient   *tcWaf.Client
+	sslUploader uploader.Uploader
+}
+
+var _ deployer.Deployer = (*TencentCloudWAFDeployer)(nil)
+
+func New(config *TencentCloudWAFDeployerConfig) (*TencentCloudWAFDeployer, error) {
+	return NewWithLogger(config, logger.NewNilLogger())
+}
+
+func NewWithLogger(config *TencentCloudWAFDeployerConfig, logger logger.Logger) (*TencentCloudWAFDeployer, error) {
+	if config == nil {
+		return nil, errors.New("config is nil")
+	}
+
+	if logger == nil {
+		return nil, errors.New("logger is nil")
+	}
+
+	client, err := createSdkClient(config.SecretId, config.SecretKey, config.Region)
+	if err != nil {
+		return nil, xerrors.Wrap(err, "failed to create sdk clients")
+	}
+
+	uploader, err := uploaderp.New(&uploaderp.TencentCloudSSLUploaderConfig{
+		SecretId:  config.SecretId,
+		SecretKey: config.SecretKey,
+	})
+	if err != nil {
+		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
+	}
+
+	return &TencentCloudWAFDeployer{
+		logger:      logger,
+		config:      config,
+		sdkClient:   client,
+		sslUploader: uploader,
+	}, nil
+}
+
+func (d *TencentCloudWAFDeployer) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
+	if d.config.Domain == "" {
+		return nil, errors.New("config `domain` is required")
+	}
+	if d.config.DomainId == "" {
+		return nil, errors.New("config `domainId` is required")
+	}
+	if d.config.InstanceId == "" {
+		return nil, errors.New("config `instanceId` is required")
+	}
+
+	// 上传证书到 SSL
+	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
+	if err != nil {
+		return nil, xerrors.Wrap(err, "failed to upload certificate file")
+	} else {
+		d.logger.Logt("certificate file uploaded", upres)
+	}
+
+	// 查询单个 SaaS 型 WAF 域名详情
+	// REF: https://cloud.tencent.com/document/api/627/82938
+	describeDomainDetailsSaasReq := tcWaf.NewDescribeDomainDetailsSaasRequest()
+	describeDomainDetailsSaasReq.Domain = common.StringPtr(d.config.Domain)
+	describeDomainDetailsSaasReq.DomainId = common.StringPtr(d.config.DomainId)
+	describeDomainDetailsSaasReq.InstanceId = common.StringPtr(d.config.InstanceId)
+	describeDomainDetailsSaasResp, err := d.sdkClient.DescribeDomainDetailsSaas(describeDomainDetailsSaasReq)
+	if err != nil {
+		return nil, xerrors.Wrap(err, "failed to execute sdk request 'waf.DescribeDomainDetailsSaas'")
+	} else {
+		d.logger.Logt("已查询到 SaaS 型 WAF 域名详情", describeDomainDetailsSaasResp.Response)
+	}
+
+	// 编辑 SaaS 型 WAF 域名
+	// REF: https://cloud.tencent.com/document/api/627/94309
+	modifySpartaProtectionReq := tcWaf.NewModifySpartaProtectionRequest()
+	modifySpartaProtectionReq.Domain = common.StringPtr(d.config.Domain)
+	modifySpartaProtectionReq.DomainId = common.StringPtr(d.config.DomainId)
+	modifySpartaProtectionReq.InstanceID = common.StringPtr(d.config.InstanceId)
+	modifySpartaProtectionReq.CertType = common.Int64Ptr(2)
+	modifySpartaProtectionReq.SSLId = common.StringPtr(upres.CertId)
+	modifySpartaProtectionResp, err := d.sdkClient.ModifySpartaProtection(modifySpartaProtectionReq)
+	if err != nil {
+		return nil, xerrors.Wrap(err, "failed to execute sdk request 'waf.ModifySpartaProtection'")
+	} else {
+		d.logger.Logt("已编辑 SaaS 型 WAF 域名", modifySpartaProtectionResp.Response)
+	}
+
+	return &deployer.DeployResult{}, nil
+}
+
+func createSdkClient(secretId, secretKey, region string) (*tcWaf.Client, error) {
+	credential := common.NewCredential(secretId, secretKey)
+	client, err := tcWaf.NewClient(credential, region, profile.NewClientProfile())
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
--- a/internal/pkg/core/deployer/providers/tencentcloud-waf/tencentcloud_waf_test.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-waf/tencentcloud_waf_test.go
@ -0,0 +1,89 @@
+package tencentcloudwaf_test
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"os"
+	"strings"
+	"testing"
+
+	provider "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-waf"
+)
+
+var (
+	fInputCertPath string
+	fInputKeyPath  string
+	fSecretId      string
+	fSecretKey     string
+	fRegion        string
+	fDomain        string
+	fDomainId      string
+	fInstanceId    string
+)
+
+func init() {
+	argsPrefix := "CERTIMATE_DEPLOYER_TENCENTCLOUDWAF_"
+
+	flag.StringVar(&fInputCertPath, argsPrefix+"INPUTCERTPATH", "", "")
+	flag.StringVar(&fInputKeyPath, argsPrefix+"INPUTKEYPATH", "", "")
+	flag.StringVar(&fSecretId, argsPrefix+"SECRETID", "", "")
+	flag.StringVar(&fSecretKey, argsPrefix+"SECRETKEY", "", "")
+	flag.StringVar(&fRegion, argsPrefix+"REGION", "", "")
+	flag.StringVar(&fDomain, argsPrefix+"DOMAIN", "", "")
+	flag.StringVar(&fDomainId, argsPrefix+"DOMAINID", "", "")
+	flag.StringVar(&fInstanceId, argsPrefix+"INSTANCEID", "", "")
+}
+
+/*
+Shell command to run this test:
+
+	go test -v ./tencentcloud_waf_test.go -args \
+	--CERTIMATE_DEPLOYER_TENCENTCLOUDWAF_INPUTCERTPATH="/path/to/your-input-cert.pem" \
+	--CERTIMATE_DEPLOYER_TENCENTCLOUDWAF_INPUTKEYPATH="/path/to/your-input-key.pem" \
+	--CERTIMATE_DEPLOYER_TENCENTCLOUDWAF_SECRETID="your-secret-id" \
+	--CERTIMATE_DEPLOYER_TENCENTCLOUDWAF_SECRETKEY="your-secret-key" \
+	--CERTIMATE_DEPLOYER_TENCENTCLOUDWAF_REGION="ap-guangzhou" \
+	--CERTIMATE_DEPLOYER_TENCENTCLOUDWAF_DOMAIN="example.com" \
+	--CERTIMATE_DEPLOYER_TENCENTCLOUDWAF_DOMAINID="your-domain-id" \
+	--CERTIMATE_DEPLOYER_TENCENTCLOUDWAF_INSTANCEID="your-instance-id"
+*/
+func TestDeploy(t *testing.T) {
+	flag.Parse()
+
+	t.Run("Deploy", func(t *testing.T) {
+		t.Log(strings.Join([]string{
+			"args:",
+			fmt.Sprintf("INPUTCERTPATH: %v", fInputCertPath),
+			fmt.Sprintf("INPUTKEYPATH: %v", fInputKeyPath),
+			fmt.Sprintf("SECRETID: %v", fSecretId),
+			fmt.Sprintf("SECRETKEY: %v", fSecretKey),
+			fmt.Sprintf("REGION: %v", fRegion),
+			fmt.Sprintf("DOMAIN: %v", fDomain),
+			fmt.Sprintf("INSTANCEID: %v", fInstanceId),
+		}, "\n"))
+
+		deployer, err := provider.New(&provider.TencentCloudWAFDeployerConfig{
+			SecretId:   fSecretId,
+			SecretKey:  fSecretKey,
+			Region:     fRegion,
+			Domain:     fDomain,
+			DomainId:   fDomainId,
+			InstanceId: fInstanceId,
+		})
+		if err != nil {
+			t.Errorf("err: %+v", err)
+			return
+		}
+
+		fInputCertData, _ := os.ReadFile(fInputCertPath)
+		fInputKeyData, _ := os.ReadFile(fInputKeyPath)
+		res, err := deployer.Deploy(context.Background(), string(fInputCertData), string(fInputKeyData))
+		if err != nil {
+			t.Errorf("err: %+v", err)
+			return
+		}
+
+		t.Logf("ok: %v", res)
+	})
+}
--- a/ui/src/components/workflow/node/DeployNodeConfigForm.tsx
+++ b/ui/src/components/workflow/node/DeployNodeConfigForm.tsx
@ -47,6 +47,7 @@ import DeployNodeConfigFormTencentCloudCSSConfig from "./DeployNodeConfigFormTen
 import DeployNodeConfigFormTencentCloudECDNConfig from "./DeployNodeConfigFormTencentCloudECDNConfig.tsx";
 import DeployNodeConfigFormTencentCloudEOConfig from "./DeployNodeConfigFormTencentCloudEOConfig.tsx";
 import DeployNodeConfigFormTencentCloudSSLDeployConfig from "./DeployNodeConfigFormTencentCloudSSLDeployConfig";
+import DeployNodeConfigFormTencentCloudWAFConfig from "./DeployNodeConfigFormTencentCloudWAFConfig";
 import DeployNodeConfigFormUCloudUCDNConfig from "./DeployNodeConfigFormUCloudUCDNConfig.tsx";
 import DeployNodeConfigFormUCloudUS3Config from "./DeployNodeConfigFormUCloudUS3Config.tsx";
 import DeployNodeConfigFormVolcEngineCDNConfig from "./DeployNodeConfigFormVolcEngineCDNConfig.tsx";
@ -192,6 +193,8 @@ const DeployNodeConfigForm = forwardRef<DeployNodeConfigFormInstance, DeployNode
          return <DeployNodeConfigFormTencentCloudEOConfig {...nestedFormProps} />;
        case DEPLOY_PROVIDERS.TENCENTCLOUD_SSL_DEPLOY:
          return <DeployNodeConfigFormTencentCloudSSLDeployConfig {...nestedFormProps} />;
+        case DEPLOY_PROVIDERS.TENCENTCLOUD_WAF:
+          return <DeployNodeConfigFormTencentCloudWAFConfig {...nestedFormProps} />;
        case DEPLOY_PROVIDERS.UCLOUD_UCDN:
          return <DeployNodeConfigFormUCloudUCDNConfig {...nestedFormProps} />;
        case DEPLOY_PROVIDERS.UCLOUD_US3:
--- a/ui/src/components/workflow/node/DeployNodeConfigFormTencentCloudWAFConfig.tsx
+++ b/ui/src/components/workflow/node/DeployNodeConfigFormTencentCloudWAFConfig.tsx
@ -0,0 +1,107 @@
+import { useTranslation } from "react-i18next";
+import { Form, type FormInstance, Input } from "antd";
+import { createSchemaFieldRule } from "antd-zod";
+import { z } from "zod";
+
+import { validDomainName } from "@/utils/validators";
+
+type DeployNodeConfigFormTencentCloudWAFConfigFieldValues = Nullish<{
+  region: string;
+  domain: string;
+  domainId: string;
+  instanceId: string;
+}>;
+
+export type DeployNodeConfigFormTencentCloudWAFConfigProps = {
+  form: FormInstance;
+  formName: string;
+  disabled?: boolean;
+  initialValues?: DeployNodeConfigFormTencentCloudWAFConfigFieldValues;
+  onValuesChange?: (values: DeployNodeConfigFormTencentCloudWAFConfigFieldValues) => void;
+};
+
+const initFormModel = (): DeployNodeConfigFormTencentCloudWAFConfigFieldValues => {
+  return {};
+};
+
+const DeployNodeConfigFormTencentCloudWAFConfig = ({
+  form: formInst,
+  formName,
+  disabled,
+  initialValues,
+  onValuesChange,
+}: DeployNodeConfigFormTencentCloudWAFConfigProps) => {
+  const { t } = useTranslation();
+
+  const formSchema = z.object({
+    region: z
+      .string({ message: t("workflow_node.deploy.form.tencentcloud_waf_region.placeholder") })
+      .nonempty(t("workflow_node.deploy.form.tencentcloud_waf_region.placeholder"))
+      .trim(),
+    domain: z
+      .string({ message: t("workflow_node.deploy.form.tencentcloud_waf_domain.placeholder") })
+      .refine((v) => validDomainName(v), t("common.errmsg.domain_invalid")),
+    domainId: z
+      .string({ message: t("workflow_node.deploy.form.tencentcloud_waf_domain_id.placeholder") })
+      .nonempty(t("workflow_node.deploy.form.tencentcloud_waf_domain_id.placeholder"))
+      .trim(),
+    instanceId: z
+      .string({ message: t("workflow_node.deploy.form.tencentcloud_waf_instance_id.placeholder") })
+      .nonempty(t("workflow_node.deploy.form.tencentcloud_waf_instance_id.placeholder"))
+      .trim(),
+  });
+  const formRule = createSchemaFieldRule(formSchema);
+
+  const handleFormChange = (_: unknown, values: z.infer<typeof formSchema>) => {
+    onValuesChange?.(values);
+  };
+
+  return (
+    <Form
+      form={formInst}
+      disabled={disabled}
+      initialValues={initialValues ?? initFormModel()}
+      layout="vertical"
+      name={formName}
+      onValuesChange={handleFormChange}
+    >
+      <Form.Item
+        name="region"
+        label={t("workflow_node.deploy.form.tencentcloud_waf_region.label")}
+        rules={[formRule]}
+        tooltip={<span dangerouslySetInnerHTML={{ __html: t("workflow_node.deploy.form.tencentcloud_waf_region.tooltip") }}></span>}
+      >
+        <Input placeholder={t("workflow_node.deploy.form.tencentcloud_waf_region.placeholder")} />
+      </Form.Item>
+
+      <Form.Item
+        name="domain"
+        label={t("workflow_node.deploy.form.tencentcloud_waf_domain.label")}
+        rules={[formRule]}
+        tooltip={<span dangerouslySetInnerHTML={{ __html: t("workflow_node.deploy.form.tencentcloud_waf_domain.tooltip") }}></span>}
+      >
+        <Input placeholder={t("workflow_node.deploy.form.tencentcloud_waf_domain.placeholder")} />
+      </Form.Item>
+
+      <Form.Item
+        name="domainId"
+        label={t("workflow_node.deploy.form.tencentcloud_waf_domain_id.label")}
+        rules={[formRule]}
+        tooltip={<span dangerouslySetInnerHTML={{ __html: t("workflow_node.deploy.form.tencentcloud_waf_domain_id.tooltip") }}></span>}
+      >
+        <Input placeholder={t("workflow_node.deploy.form.tencentcloud_waf_domain_id.placeholder")} />
+      </Form.Item>
+
+      <Form.Item
+        name="instanceId"
+        label={t("workflow_node.deploy.form.tencentcloud_waf_instance_id.label")}
+        rules={[formRule]}
+        tooltip={<span dangerouslySetInnerHTML={{ __html: t("workflow_node.deploy.form.tencentcloud_waf_instance_id.tooltip") }}></span>}
+      >
+        <Input placeholder={t("workflow_node.deploy.form.tencentcloud_waf_instance_id.placeholder")} />
+      </Form.Item>
+    </Form>
+  );
+};
+
+export default DeployNodeConfigFormTencentCloudWAFConfig;
--- a/ui/src/domain/provider.ts
+++ b/ui/src/domain/provider.ts
@ -208,6 +208,7 @@ export const DEPLOY_PROVIDERS = Object.freeze({
  TENCENTCLOUD_ECDN: `${ACCESS_PROVIDERS.TENCENTCLOUD}-ecdn`,
  TENCENTCLOUD_EO: `${ACCESS_PROVIDERS.TENCENTCLOUD}-eo`,
  TENCENTCLOUD_SSL_DEPLOY: `${ACCESS_PROVIDERS.TENCENTCLOUD}-ssldeploy`,
+  TENCENTCLOUD_WAF: `${ACCESS_PROVIDERS.TENCENTCLOUD}-waf`,
  UCLOUD_UCDN: `${ACCESS_PROVIDERS.UCLOUD}-ucdn`,
  UCLOUD_US3: `${ACCESS_PROVIDERS.UCLOUD}-us3`,
  VOLCENGINE_CDN: `${ACCESS_PROVIDERS.VOLCENGINE}-cdn`,
@ -267,6 +268,7 @@ export const deployProvidersMap: Map<DeployProvider["type"] | string, DeployProv
    [DEPLOY_PROVIDERS.TENCENTCLOUD_ECDN, "provider.tencentcloud.ecdn", DEPLOY_CATEGORIES.CDN],
    [DEPLOY_PROVIDERS.TENCENTCLOUD_EO, "provider.tencentcloud.eo", DEPLOY_CATEGORIES.CDN],
    [DEPLOY_PROVIDERS.TENCENTCLOUD_CLB, "provider.tencentcloud.clb", DEPLOY_CATEGORIES.LOADBALANCE],
+    [DEPLOY_PROVIDERS.TENCENTCLOUD_WAF, "provider.tencentcloud.waf", DEPLOY_CATEGORIES.FIREWALL],
    [DEPLOY_PROVIDERS.TENCENTCLOUD_CSS, "provider.tencentcloud.css", DEPLOY_CATEGORIES.LIVE],
    [DEPLOY_PROVIDERS.TENCENTCLOUD_SSL_DEPLOY, "provider.tencentcloud.ssl_deploy", DEPLOY_CATEGORIES.OTHER],
    [DEPLOY_PROVIDERS.HUAWEICLOUD_CDN, "provider.huaweicloud.cdn", DEPLOY_CATEGORIES.CDN],
--- a/ui/src/i18n/locales/en/nls.provider.json
+++ b/ui/src/i18n/locales/en/nls.provider.json
@ -73,6 +73,7 @@
  "provider.tencentcloud.ecdn": "Tencent Cloud - ECDN (Enterprise Content Delivery Network)",
  "provider.tencentcloud.eo": "Tencent Cloud - EdgeOne",
  "provider.tencentcloud.ssl_deploy": "Tencent Cloud - via SSL Certificate Service Deployment Job",
+  "provider.tencentcloud.waf": "Tencent Cloud - WAF (Web Application Firewall)",
  "provider.ucloud": "UCloud",
  "provider.ucloud.ucdn": "UCloud - UCDN (UCloud Content Delivery Network)",
  "provider.ucloud.us3": "UCloud - US3 (UCloud Object-based Storage)",
--- a/ui/src/i18n/locales/en/nls.workflow.nodes.json
+++ b/ui/src/i18n/locales/en/nls.workflow.nodes.json
@ -388,6 +388,18 @@
  "workflow_node.deploy.form.tencentcloud_ssl_deploy_resource_ids.tooltip": "For more information, see <a href=\"https://cloud.tencent.com.cn/document/product/400/91667\" target=\"_blank\">https://cloud.tencent.com.cn/document/product/400/91667</a>",
  "workflow_node.deploy.form.tencentcloud_ssl_deploy_resource_ids.multiple_input_modal.title": "Change Tencent Cloud resource IDs",
  "workflow_node.deploy.form.tencentcloud_ssl_deploy_resource_ids.multiple_input_modal.placeholder": "Please enter Tencent Cloud resouce ID",
+  "workflow_node.deploy.form.tencentcloud_waf_region.label": "Tencent Cloud WAF region",
+  "workflow_node.deploy.form.tencentcloud_waf_region.placeholder": "Please enter Tencent Cloud WAF region (e.g. ap-guangzhou)",
+  "workflow_node.deploy.form.tencentcloud_waf_region.tooltip": "For more information, see <a href=\"https://www.tencentcloud.com/document/product/627/38085\" target=\"_blank\">https://www.tencentcloud.com/document/product/627/38085</a>",
+  "workflow_node.deploy.form.tencentcloud_waf_domain.label": "Tencent Cloud WAF domain",
+  "workflow_node.deploy.form.tencentcloud_waf_domain.placeholder": "Please enter Tencent Cloud WAF domain name",
+  "workflow_node.deploy.form.tencentcloud_waf_domain.tooltip": "For more information, see <a href=\"https://console.tencentcloud.com/waf\" target=\"_blank\">https://console.tencentcloud.com/waf</a>",
+  "workflow_node.deploy.form.tencentcloud_waf_domain_id.label": "Tencent Cloud WAF domain ID",
+  "workflow_node.deploy.form.tencentcloud_waf_domain_id.placeholder": "Please enter Tencent Cloud WAF domain ID",
+  "workflow_node.deploy.form.tencentcloud_waf_domain_id.tooltip": "For more information, see <a href=\"https://console.tencentcloud.com/waf\" target=\"_blank\">https://console.tencentcloud.com/waf</a>",
+  "workflow_node.deploy.form.tencentcloud_waf_instance_id.label": "Tencent Cloud WAF instance ID",
+  "workflow_node.deploy.form.tencentcloud_waf_instance_id.placeholder": "Please enter Tencent Cloud WAF instance ID",
+  "workflow_node.deploy.form.tencentcloud_waf_instance_id.tooltip": "For more information, see <a href=\"https://console.tencentcloud.com/waf\" target=\"_blank\">https://console.tencentcloud.com/waf</a>",
  "workflow_node.deploy.form.ucloud_ucdn_domain_id.label": "UCloud UCDN domain ID",
  "workflow_node.deploy.form.ucloud_ucdn_domain_id.placeholder": "Please enter UCloud UCDN domain ID",
  "workflow_node.deploy.form.ucloud_ucdn_domain_id.tooltip": "For more information, see <a href=\"https://console.ucloud-global.com/ucdn\" target=\"_blank\">https://console.ucloud-global.com/ucdn</a>",
--- a/ui/src/i18n/locales/zh/nls.provider.json
+++ b/ui/src/i18n/locales/zh/nls.provider.json
@ -73,6 +73,7 @@
  "provider.tencentcloud.ecdn": "腾讯云 - 全站加速网络 ECDN",
  "provider.tencentcloud.eo": "腾讯云 - 边缘安全加速平台 EdgeOne",
  "provider.tencentcloud.ssl_deploy": "腾讯云 - 通过 SSL 证书服务创建部署任务",
+  "provider.tencentcloud.waf": "腾讯云 - Web 应用防火墙 WAF",
  "provider.ucloud": "优刻得",
  "provider.ucloud.ucdn": "优刻得 - 内容分发 UCDN",
  "provider.ucloud.us3": "优刻得 - 对象存储 US3",
--- a/ui/src/i18n/locales/zh/nls.workflow.nodes.json
+++ b/ui/src/i18n/locales/zh/nls.workflow.nodes.json
@ -391,6 +391,18 @@
  "workflow_node.deploy.form.tencentcloud_ssl_deploy_resource_ids.tooltip": "这是什么？请参阅 <a href=\"https://cloud.tencent.com.cn/document/product/400/91667\" target=\"_blank\">https://cloud.tencent.com.cn/document/product/400/91667</a><br><br>注意与各产品本身的实例 ID 区分。",
  "workflow_node.deploy.form.tencentcloud_ssl_deploy_resource_ids.multiple_input_modal.title": "修改腾讯云云产品资源 ID",
  "workflow_node.deploy.form.tencentcloud_ssl_deploy_resource_ids.multiple_input_modal.placeholder": "请输入腾讯云云产品资源 ID",
+  "workflow_node.deploy.form.tencentcloud_waf_region.label": "腾讯云 WAF 产品地域",
+  "workflow_node.deploy.form.tencentcloud_waf_region.placeholder": "请输入腾讯云 WAF 产品地域（例如：ap-guangzhou）",
+  "workflow_node.deploy.form.tencentcloud_waf_region.tooltip": "这是什么？请参阅 <a href=\"https://cloud.tencent.com/document/product/627/47525\" target=\"_blank\">https://cloud.tencent.com/document/product/627/47525</a>",
+  "workflow_node.deploy.form.tencentcloud_waf_domain.label": "腾讯云 WAF 防护域名",
+  "workflow_node.deploy.form.tencentcloud_waf_domain.placeholder": "请输入腾讯云 WAF 防护域名",
+  "workflow_node.deploy.form.tencentcloud_waf_domain.tooltip": "这是什么？请参阅 see <a href=\"https://console.cloud.tencent.com/waf\" target=\"_blank\">https://console.cloud.tencent.com/waf</a>",
+  "workflow_node.deploy.form.tencentcloud_waf_domain_id.label": "腾讯云 WAF 域名 ID",
+  "workflow_node.deploy.form.tencentcloud_waf_domain_id.placeholder": "请输入腾讯云 WAF 域名 ID",
+  "workflow_node.deploy.form.tencentcloud_waf_domain_id.tooltip": "这是什么？请参阅 <a href=\"https://console.cloud.tencent.com/waf\" target=\"_blank\">https://console.cloud.tencent.com/waf</a>",
+  "workflow_node.deploy.form.tencentcloud_waf_instance_id.label": "腾讯云 WAF 实例 ID",
+  "workflow_node.deploy.form.tencentcloud_waf_instance_id.placeholder": "请输入腾讯云 WAF 实例 ID",
+  "workflow_node.deploy.form.tencentcloud_waf_instance_id.tooltip": "这是什么？请参阅 <a href=\"https://console.cloud.tencent.com/waf\" target=\"_blank\">https://console.cloud.tencent.com/waf</a>",
  "workflow_node.deploy.form.ucloud_ucdn_domain_id.label": "优刻得 UCDN 域名 ID",
  "workflow_node.deploy.form.ucloud_ucdn_domain_id.placeholder": "请输入优刻得 UCDN 域名 ID",
  "workflow_node.deploy.form.ucloud_ucdn_domain_id.tooltip": "这是什么？请参阅 <a href=\"https://console.ucloud.cn/ucdn\" target=\"_blank\">https://console.ucloud.cn/ucdn</a>",