How to shoot yourself in the foot while setting up Bunny CDN

For andreas-jaggi.ch I wanted to try out Bunny CDN.
Everything went very smoothly, and I used Terraform to configure Edge Rules that block all unwanted access.
As andreas-jaggi.ch does not have much content, this resulted in an allowlist of files similar to this:

resource "bunnynet_pullzone_edgerule" "andreas_jaggi_4" {
  pullzone    = bunnynet_pullzone.andreas_jaggi.id
  description = "block not(known good) http://www.andreas-jaggi.ch"
  enabled     = true
  match_type  = "MatchNone"
  actions     = [{ type = "BlockRequest", parameter1 = null, parameter2 = null, parameter3 = null }]

  triggers = [
    {
      match_type = "MatchAny",
      patterns = [
        "http://www.andreas-jaggi.ch/",
        "http://www.andreas-jaggi.ch/favicon.ico",
        "http://www.andreas-jaggi.ch/robots.txt",
        "http://www.andreas-jaggi.ch/security.txt",
      ],
      type = "Url", parameter1 = null, parameter2 = null
    },
  ]
}

After this I set up the www subdomain as a CNAME and added it as an additional hostname to the CDN Pull Zone.
But the process to get a Let's Encrypt certificate for the www subdomain always failed with an error.

This is where I messed up.
Turns out my Edge Rules blocking all unwanted access also blocked the Let's Encrypt validation requests. 🤦

Once I realized this (which took a shamefully long time), I added an entry to the Edge Rules for the .well-known/acme-challenge/ subpath:

resource "bunnynet_pullzone_edgerule" "andreas_jaggi_4" {
  pullzone    = bunnynet_pullzone.andreas_jaggi.id
  description = "block not(known good) https://www.andreas-jaggi.ch"
  enabled     = true
  match_type  = "MatchNone"
  actions     = [{ type = "BlockRequest", parameter1 = null, parameter2 = null, parameter3 = null }]

  triggers = [
    {
      match_type = "MatchAny",
      patterns = [
        "http://www.andreas-jaggi.ch/",
        "http://www.andreas-jaggi.ch/favicon.ico",
        "http://www.andreas-jaggi.ch/robots.txt",
        "http://www.andreas-jaggi.ch/security.txt",
        "http://www.andreas-jaggi.ch/.well-known/acme-challenge/*",
      ],
      type = "Url", parameter1 = null, parameter2 = null
    },
  ]
}

With this in place, the process worked immediately and the www subdomain now also serves encrypted traffic. 🔐
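Because an allowlist rule like the one above silently blocks the ACME HTTP-01 request (plain HTTP to /.well-known/acme-challenge/<token>), it is worth dry-running the rule against that URL before applying it. The following is an added example, not code from the post, from Bunny or from the Terraform provider; its evaluation of "MatchNone" / "MatchAny" and of the "*" wildcard is an assumption approximating the semantics the post relies on, and the challenge token is constructed.

```python
"""Dry-run an allowlist-style Bunny Edge Rule against an ACME HTTP-01 request.

Added example (not from the post, Bunny or the Terraform provider).
Assumed semantics: a rule with match_type "MatchNone" fires (here:
BlockRequest) when none of its triggers match; a Url trigger with
match_type "MatchAny" matches when any pattern matches; '*' is the
only wildcard and matches any run of characters.
"""
import re

ACME_PATH = "/.well-known/acme-challenge/"


def pattern_matches(pattern: str, url: str) -> bool:
    """Match a Url pattern; '*' matches any run of characters, all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None


def _combine(match_type: str, hits: list[bool]) -> bool:
    return {"MatchAny": any(hits), "MatchAll": all(hits),
            "MatchNone": not any(hits)}[match_type]


def rule_fires(rule: dict, url: str) -> bool:
    """True when the rule's action (BlockRequest) would apply to this URL."""
    trigger_hits = [_combine(t["match_type"], [pattern_matches(p, url) for p in t["patterns"]])
                    for t in rule["triggers"]]
    return _combine(rule["match_type"], trigger_hits)


def block_rule(allowed: list[str]) -> dict:
    """Build the post's rule shape: block everything not in the allowlist."""
    return {"match_type": "MatchNone", "action": "BlockRequest",
            "triggers": [{"type": "Url", "match_type": "MatchAny", "patterns": allowed}]}


def acme_validation_blocked(rule: dict, host: str) -> bool:
    """Would an HTTP-01 validation request for `host` hit BlockRequest? (constructed token)"""
    return rule_fires(rule, f"http://{host}{ACME_PATH}constructedTokenAbc123")


# Constructed allowlist mirroring the post; patterns are exact URLs unless they contain '*'.
HOST = "www.andreas-jaggi.ch"
ALLOWED = [f"http://{HOST}/", f"http://{HOST}/favicon.ico",
           f"http://{HOST}/robots.txt", f"http://{HOST}/security.txt"]
BEFORE = block_rule(ALLOWED)                              # the rule that broke issuance
AFTER = block_rule(ALLOWED + [f"http://{HOST}{ACME_PATH}*"])  # the fixed rule

if __name__ == "__main__":
    for name, rule in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: ACME validation blocked = {acme_validation_blocked(rule, HOST)}")
```

Run it whenever the allowlist changes; a "before"-style result on the live rule means the next certificate renewal will fail the same way.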