[Yandex Cloud documentation](../../../index.md) > [Yandex Cloud CDN](../../index.md) > [Step-by-step guides](../index.md) > Resources > Updating basic settings of a resource

# Updating the basic settings of a resource

To update the basic settings of a [resource](../../concepts/resource.md):

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder where your resource is located.

  1. Navigate to **Cloud CDN**.

  1. Click the resource name.

  1. In the top-right corner, click ![image](../../../_assets/console-icons/pencil.svg) **Edit**.

  1. Edit the resource settings.

      {% note warning %}

      You cannot change the primary [domain name used for content distribution](../../concepts/resource.md#hostnames).

      {% endnote %}

      * To add [labels](../../concepts/labels.md):

          * Click **Add label**.
          * Enter a label in `key: value` format.
          * Press **Enter**.

      * To configure a [TLS certificate](../../concepts/clients-to-servers-tls.md) for a CDN resource, in the **Certificate type** field, select one of the options:

          * `Don't use`: Resource will only be available over HTTP.


          * `Use from Certificate Manager`: Select a certificate. The resource will be available over HTTP and HTTPS.

              Certificates from [Yandex Certificate Manager](../../../certificate-manager/index.md) are supported. You can [issue a new Let's Encrypt® certificate](../../../certificate-manager/operations/managed/cert-create.md) or [upload one of your own](../../../certificate-manager/operations/import/cert-create.md).
              
              The certificate must be located in the same [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) as your CDN resource.

          To learn more, see [Configuring TLS certificates for HTTPS connections between clients and the CDN](../../concepts/clients-to-servers-tls.md).

      * To enable [request redirects](../../concepts/http-rewrite.md) on a CDN resource:

          1. Enable **Redirect requests**.
          1. In the **Rewrite rule** field, set a rule, e.g., `/(.*) /new-folder/$1`.

              A rewrite rule must contain two space-separated directives: the original path you need to replace, and the edited path, which replaces the original path.
              
              You can use regular expressions in the rule. 
              
              For more information, see [Rewrite rule](../../concepts/http-rewrite.md#rewrite-rule).

          1. In the **Flag** field, specify the required [flag](../../concepts/http-rewrite.md#flag):

              * `break`: Terminates the processing of the current set of directives.
              * `last`: Terminates the processing of the current set of directives and starts searching for a new CDN server that matches the new URI.
              * `redirect`: Returns a temporary `redirect` with the `302` status code to the user. This flag is used if the replacement string does not start with `http://`, `https://`, or `$scheme`.
              * `permanent`: Returns a permanent `redirect` with the `301` status code to the user.

      * To restrict access to resource content with [secure tokens](../../concepts/secure-tokens.md), enable **Access via secure token**:

          * Specify a **Secret key** that is a string of 6 to 32 characters. You will need a secret key to generate [pre-signed URLs](../../concepts/secure-tokens.md#protected-link).
          
              You can view the secret key you saved in the management console or using the `yc cdn resource list` [CLI](../../../cli/index.md) command.
          * Use the **Limit access by IP address** field to restrict access to content by IP address:
          
             * `Only trusted IP addresses`: Access to files will be allowed only from a specific IP address of the content recipient. The IP address itself is provided outside the CDN resource and specified as a parameter when generating an [MD5](https://en.wikipedia.org/wiki/MD5) hash for a pre-signed URL.
             * `No restrictions`: Access to files will be allowed from any IP address.

          Optionally, to restrict access to resource content using an [IP-based access policy](../../concepts/ip-address-acl.md), enable **IP-based access**:
          
          * Select the type of access policy:
          
              * `Block all except`: ALLOW policy. Access to the resource content will be allowed for any IP addresses other than those specified below.
              * `Allow all except`: DENY policy. Access to the resource content will be denied for any IP addresses other than those specified below.
          
          * In the **List of IP addresses** field, specify the list of IP addresses [excluded](../../concepts/ip-address-acl.md#ip-list) from the above access policy.
          
              You must specify IP addresses with a subnet prefix in [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) separated by commas. For example, `192.168.3.2/32, 192.168.17.0/24`.

          For more information, see [Setting up access via a secure token](enable-secure-token.md).

  1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the description of the CLI command to update a resource:

      ```bash
      yc cdn resource update --help
      ```

  1. Get a list of all resources in the default folder:

      ```bash
      yc cdn resource list --format yaml
      ```

      Result:

      ```text
      id: s0me1dkfjq********
      folder_id: s0mef01der7p********
      cname: testexample.com
      created_at: "2022-01-19T09:23:57.921365Z"
      updated_at: "2022-01-19T10:55:30.305141Z"
      active: true
      options:
        edge_cache_settings:
          enabled: true
          default value: "345600"
        cache_http_headers:
          enabled: true
          value:
          - content-type
          - content-length
          - connection
          - server
          - date
          - test
        stale:
          enabled: true
          value:
          - error
          - updating
        allowed_http_methods:
          value:
          - GET
          - HEAD
          - OPTIONS
      origin_group_id: "89783"
      origin_group_name: My origins group
      origin_protocol: HTTP
      ssl_certificate:
        type: DONT_USE
        status: READY
      ```

  1. Edit the resource settings:

      ```bash
      yc cdn resource update <resource_ID> \
        <flag> <new_value>
      ```

      To configure a [TLS certificate](../../concepts/clients-to-servers-tls.md) for a CDN resource, use these parameters:
      
      * `--dont-use-ssl-cert`: Do not use a certificate. The resource will be available only over HTTP.
      * `--cert-manager-ssl-cert-id`: Certificate ID. The resource will be available over HTTP and HTTPS.
      
        Certificates from [Yandex Certificate Manager](../../../certificate-manager/index.md) are supported. You can [issue a new Let's Encrypt® certificate](../../../certificate-manager/operations/managed/cert-create.md) or [upload one of your own](../../../certificate-manager/operations/import/cert-create.md).
        
        The certificate must be located in the same [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) as your CDN resource.

      To enable [request redirects](../../concepts/http-rewrite.md) on a CDN resource, use these parameters:

      * `--rewrite-body`: Rewrite rule, e.g., `--rewrite-body '/(.*) /new-folder/$1'`.

          A rewrite rule must contain two space-separated directives: the original path you need to replace, and the edited path, which replaces the original path.
          
          You can use regular expressions in the rule. 
          
          For more information, see [Rewrite rule](../../concepts/http-rewrite.md#rewrite-rule).
      * `--rewrite-flag`: [Flag](../../concepts/http-rewrite.md#flag). The possible values are:

          * `break`: Terminates the processing of the current set of directives.
          * `last`: Terminates the processing of the current set of directives and starts searching for a new CDN server that matches the new URI.
          * `redirect`: Returns a temporary `redirect` with the `302` status code to the user. This flag is used if the replacement string does not start with `http://`, `https://`, or `$scheme`.
          * `permanent`: Returns a permanent `redirect` with the `301` status code to the user.

      To disable [request redirects](../../concepts/http-rewrite.md) on a CDN resource, use the `--clear-rewrite` parameter.

      If you want to restrict access to resource content with [secure tokens](../../concepts/secure-tokens.md), use the following parameters:
      
      * `--secure-key`: Secret key, a string of 6 to 32 characters.
      * `--enable-ip-url-signing`: Optional parameter that restricts access to the CDN resource by IP address. The trusted IP address itself is provided outside the CDN resource and specified as a parameter when generating an [MD5](https://en.wikipedia.org/wiki/MD5) hash for a [pre-signed URL](../../concepts/secure-tokens.md#protected-link). If the parameter is not set, file access will be allowed from any IP address.
      
      See also [Setting up access via a secure token](enable-secure-token.md).
      
      If you want to restrict access to resource content using an [IP address access policy](../../concepts/ip-address-acl.md), use the following parameters:
      
      * `--acl-excepted-values`: IP address for which access to the content will be allowed or denied. For the address, specify the subnet prefix in [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation), e.g., `192.168.3.2/32` or `2a03:d000:2980:7::8/128`.
      
          You can only provide one IP address in the `--acl-excepted-values` parameter. To provide multiple addresses, set the `--acl-excepted-values` parameter for each address.
      
      * `--policy-type`: [Policy type](../../concepts/ip-address-acl.md#policy-type). The possible values are as follows:
      
          * `allow`: ALLOW policy. Access to the resource content will be allowed for any IP addresses other than those specified in the `--acl-excepted-values` parameter.
          * `deny`: DENY policy. Access to the resource content will be denied for any IP addresses other than those specified in the `--acl-excepted-values` parameter.

      To disable the IP-based access policy, use the `--clear-ip-address-acl` parameter.

      To add or remove [labels](../../concepts/labels.md), use the `--add-labels`, `--remove-labels`, and `--remove-all-labels` parameters.

      For more information about the `yc cdn resource update` command, see the [CLI reference](../../../cli/cli-ref/cdn/cli-ref/resource/update.md).

- Terraform {#tf}

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  To update the parameters of a CDN resource created using Terraform:

  1. Open the Terraform configuration file and edit the fragment with the resource description:

      ```hcl
      resource "yandex_cdn_resource" "my_resource" {
          cname               = "<domain_name>"
          active              = true
          origin_protocol     = "https"
          origin_group_id     = <origin_group_ID>
          secondary_hostnames = ["<additional_domain_name_1>", "additional_domain_name_2"]
          provider_type       = "<CDN_provider>"
          ssl_certificate {
            type = "certificate_manager"
            certificate_manager_id = "<certificate_ID>"
          }
          options {
            redirect_http_to_https = true
            secure_key             = "<secret_key>"
            enable_ip_url_signing  = true
            ip_address_acl {
              excepted_values = ["<IP_address_1>", "<IP_address_2>", ..., "<IP_address_n>"]
              policy_type     = "<policy_type>"
            }
          }
      }
      ```
      
      Where:
      * `cname`: Primary domain name used for content distribution. This is a required setting.
      * `active`: Flag for content availability to end users, where `true` means the CDN content is available to clients, and `false` means the content not available. The default value is `true`. This is an optional setting.
      * `origin_protocol`: Protocol for origins. The default value is `http`. This is an optional setting.
      * `origin_group_id`: [Origin group](../../concepts/origins.md) ID. This is a required setting. Use the ID from the description of the origin group in the `yandex_cdn_origin_group` resource.
      * `secondary_hostnames`: Additional domain names. This is an optional setting.
      * `provider_type`: CDN provider. This is an optional setting. The only possible value is `ourcdn`, the Yandex Cloud CDN provider.
      * `ssl_certificate`: SSL certificate parameters. This is an optional setting. The possible values are:
      
          * `type`: Certificate type.
      
              * `not_used`: Certificate is not used. This is a default value.
              * `certificate_manager`: Custom certificate. Specify the certificate ID in the `certificate_manager_id` parameter.
      
                Certificates from [Yandex Certificate Manager](../../../certificate-manager/index.md) are supported. You can [issue a new Let's Encrypt® certificate](../../../certificate-manager/operations/managed/cert-create.md) or [upload one of your own](../../../certificate-manager/operations/import/cert-create.md).
                
                The certificate must be located in the same [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) as your CDN resource.
      
          * `certificate_manager_id`: Custom certificate ID in Certificate Manager.
      
      * `options`: Additional parameters of the CDN resource. This is an optional setting. The possible values are:
      
          * `redirect_http_to_https`: Parameter to redirect clients from HTTP to HTTPS, `true` or `false`. This parameter is available if an SSL certificate is used.
          * `secure_key`: Secret key, that is a string of 6 to 32 characters, which is required to restrict access to a resource using [secure tokens](../../concepts/secure-tokens.md).
          * `enable_ip_url_signing`: Optional parameter that enables restricting access to a CDN resource by IP address using [secure tokens](../../concepts/secure-tokens.md). The trusted IP address itself is provided outside the CDN resource and specified as a parameter when generating an [MD5](https://en.wikipedia.org/wiki/MD5) hash for a [pre-signed URL](../../concepts/secure-tokens.md#protected-link). If the parameter is not set, file access will be allowed from any IP address.
      
          * `ip_address_acl`: [IP-based access policy](../../concepts/ip-address-acl.md) parameters:
      
              * `excepted_values`: [List of IP addresses](../../concepts/ip-address-acl.md#ip-list) allowed or denied access to the resource's content. Separate IP addresses by commas. For each address, specify the subnet prefix in [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation), e.g., `192.168.3.2/32` or `2a03:d000:2980:7::8/128`.
              * `policy_type`: [Policy type](../../concepts/ip-address-acl.md#policy-type). The possible values are as follows:
      
                  * `allow`: ALLOW policy. Access to the resource content will be allowed for any IP addresses other than those specified in the `ip_address_acl.excepted_values` parameter.
                  * `deny`: DENY policy. Access to the resource content will be denied for any IP addresses other than those specified in the `ip_address_acl.excepted_values` parameter.
      
          {% note info %}
      
          Deleting the `secure_key` and `ip_address_acl` parameters in the configuration file will not automatically disable them. You can delete `secure_key` and `ip_address_acl` using the [CLI](../../../cli/quickstart.md) or [API](../../../api-design-guide/concepts/general.md).
      
          {% endnote %}
      
      For more information about the `yandex_cdn_resource` properties in Terraform, see the [provider documentation](../../../terraform/resources/cdn_resource.md).

  1. In the command line, go to the directory with the Terraform configuration file.

  1. Check the configuration using this command:
     ```bash
     terraform validate
     ```

     If the configuration is valid, you will get this message:

     ```text
     Success! The configuration is valid.
     ```

  1. Run this command:
     ```bash
     terraform plan
     ```

     You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.

  1. Apply the configuration changes:
     ```bash
     terraform apply
     ```

  1. Type `yes` and press **Enter** to confirm the changes.

     You can check the CDN resource update in the [management console](https://console.yandex.cloud) or using this [CLI](../../../cli/quickstart.md) command:

     ```bash
     yc cdn resource list
     ```

- API {#api}

  Use the [update](../../api-ref/Resource/update.md) REST API method for the [Resource](../../api-ref/Resource/index.md) resource or the [ResourceService/Update](../../api-ref/grpc/Resource/update.md) gRPC API call.

  You can restrict access to the resource with [secure tokens](../../concepts/secure-tokens.md) and an [IP-based access policy](../../concepts/ip-address-acl.md).

{% endlist %}

It may take up to 15 minutes for the new settings of the existing resource to apply to the CDN servers. After that, we recommend [purging the resource cache](purge-cache.md).

## Examples {#examples}

{% list tabs group=instructions %}

- CLI {#cli}

  Change the protocol for origins from HTTP to HTTPS and select a Let's Encrypt® certificate [added](../../../certificate-manager/operations/managed/cert-create.md) to Certificate Manager or an [uploaded](../../../certificate-manager/operations/import/cert-create.md) certificate of your own:

    ```bash
    yc cdn resource update s0me1dkfjq******** \
      --origin-protocol HTTPS \
      --cert-manager-ssl-cert-id <certificate_ID>
    ```

  Result:

    ```text
    id: s0me1dkfjq********

    ...

    cname: testexample.com
    active: true

    ...

    origin_group_id: "89783"
    origin_group_name: My origins group
    origin_protocol: HTTPS
    ssl_certificate:
    type: CM
    status: CREATING
    ```

{% endlist %}