F5 Distributed Cloud WAAP deployment with Terraform

The F5 Distributed Cloud WAAP solution can be deployed from the F5 Distributed Cloud Console, but also from the API and from Terraform plans.

WAAP means Web Application and API Protection. It includes DDoS, WAF, Bot and API protections.

In this article, we will focus on how to deploy/create:

  • A WAAP policy
  • A distributed load balancer with this WAAP policy assigned targeting a public FQDN

Find the F5 Distributed Cloud Terraform provider

To do so, I will refer to the F5 Distributed Cloud Terraform provider: https://registry.terraform.io/providers/volterraedge/volterra/latest

 

Find Terraform plans samples on Github

You can find Terraform plans on our DevCentral Github repo: https://github.com/f5devcentral/terraform-volterra 

 

Prepare and run the Terraform plan

In this article, we will use this sample: https://github.com/f5devcentral/terraform-volterra/tree/main/HTTP_and_Origin_Pool/LB_EXTERNAL_HTTPS_autocert_new_WAAP 

This plan will create:

  • An Origin Pool
  • A WAAP Policy
  • A HTTPS LB (auto-cert from Let's Encrypt) using the 2 previous objects

Step #1 - configure the variables

Modify the variable.tf file accordingly. You must provide:

  • Your F5 Distributed Cloud API certificate and key
  • Your F5 Distributed Cloud tenant name

variable "api_cert" {
  type    = string
  default = "/PATH/certificate.cert"
}

variable "api_key" {
  type    = string
  default = "/PATH/private_key.key"
}

variable "api_url" {
  type    = string
  default = "https://YOUR_TENANT.console.ves.volterra.io/api"
}
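The three variables above are only useful once a provider block consumes them. The file below is an added example, not code from the DevCentral sample repository: it wires the variables into the volterra provider, drops the file-path defaults so nothing pointing at credential material is committed with the plan, and validates api_url against the tenant URL shape shown above. The provider arguments api_cert, api_key and url are the documented volterra provider settings; the validation regex is an assumption based on the URL pattern used in this article.

```hcl
// provider.tf (added example, not part of the sample plan)
terraform {
  required_providers {
    volterra = {
      // source taken from the registry URL referenced earlier in this article
      source = "volterraedge/volterra"
    }
  }
}

// No defaults: the paths are supplied at run time (see usage note),
// so the plan can be committed without any hint of where the API key lives.
variable "api_cert" {
  type        = string
  description = "Path to the F5 Distributed Cloud API certificate (PEM)"
}

variable "api_key" {
  type        = string
  description = "Path to the private key matching api_cert"
}

variable "api_url" {
  type        = string
  description = "Tenant API endpoint, e.g. https://<tenant>.console.ves.volterra.io/api"

  // Assumed URL shape (from this article): reject plain http:// and a missing /api suffix
  // before the provider ever attempts a connection with the key material.
  validation {
    condition     = can(regex("^https://[A-Za-z0-9.-]+\\.console\\.ves\\.volterra\\.io/api$", var.api_url))
    error_message = "api_url must look like https://<tenant>.console.ves.volterra.io/api."
  }
}

provider "volterra" {
  api_cert = var.api_cert
  api_key  = var.api_key
  url      = var.api_url
}
```

Supply the values through Terraform's TF_VAR_ environment variables (for example export TF_VAR_api_cert=/secure/path/certificate.cert, TF_VAR_api_key and TF_VAR_api_url) or a terraform.tfvars file that is excluded from version control along with the certificate, key and terraform.tfstate files.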

 

Step #2 - configure the plan

Please find below the plan with the 3 sections to create the 3 objects.

You must change the following values:

  • VOLTERRA_NS: the NameSpace where the objects will be created
  • APP_FQDN: Origin Pool FQDN targeting the back-end application
  • WAAP_POLICY_TO_CREATE: Name of the WAAP Policy
  • mypublic.appfqdn.com: HTTPS LB FQDN

 

//==========================================================================
//Definition of the Origin, 1-origin.tf
//Start of the TF file
resource "volterra_origin_pool" "op-ip-internal" {
  name = "op-ip-internal"
  //Name of the namespace where the origin pool must be deployed
  namespace = "VOLTERRA_NS"

  origin_servers {
    public_name {
      dns_name = "APP_FQDN"
    }

    labels = {
    }
  }

  no_tls                 = true
  port                   = "80"
  endpoint_selection     = "LOCALPREFERED"
  loadbalancer_algorithm = "LB_OVERRIDE"
}
//End of the file
//==========================================================================

//Definition of the WAAP Policy
resource "volterra_app_firewall" "waap-tf" {
  name      = "WAAP_POLICY_TO_CREATE"
  namespace = "VOLTERRA_NS"

  // One of the arguments from this list "allow_all_response_codes allowed_response_codes" must be set
  allow_all_response_codes = true
  // One of the arguments from this list "default_anonymization custom_anonymization disable_anonymization" must be set
  default_anonymization = true
  // One of the arguments from this list "use_default_blocking_page blocking_page" must be set
  use_default_blocking_page = true
  // One of the arguments from this list "default_bot_setting bot_protection_setting" must be set
  default_bot_setting = true
  // One of the arguments from this list "default_detection_settings detection_settings" must be set
  default_detection_settings = true
  // One of the arguments from this list "use_loadbalancer_setting blocking monitoring" must be set
  use_loadbalancer_setting = true
  // Blocking mode - optional - if not set, policy is in MONITORING
  blocking = true
}

//==========================================================================
//Definition of the Load-Balancer, 2-https-lb.tf
//Start of the TF file
resource "volterra_http_loadbalancer" "lb-https-tf" {
  //The LB references both objects by name below, so both must exist before it is created
  depends_on = [volterra_origin_pool.op-ip-internal, volterra_app_firewall.waap-tf]
  //Mandatory "Metadata"
  name = "lb-https-tf"
  //Name of the namespace where the load balancer must be deployed
  namespace = "VOLTERRA_NS"
  //End of mandatory "Metadata"
  //Mandatory "Basic configuration" with Auto-Cert
  domains = ["mypublic.appfqdn.com"]
  https_auto_cert {
    add_hsts              = true
    http_redirect         = true
    no_mtls               = true
    enable_path_normalize = true
    tls_config {
      default_security = true
    }
  }
  default_route_pools {
    pool {
      name      = "op-ip-internal"
      namespace = "VOLTERRA_NS"
    }
    weight = 1
  }
  //Mandatory "VIP configuration"
  advertise_on_public_default_vip = true
  //End of mandatory "VIP configuration"
  //Mandatory "Security configuration"
  no_service_policies = true
  no_challenge        = true
  disable_rate_limit  = true
  //WAAP Policy reference, created earlier in this plan - refer to the same name
  app_firewall {
    name      = "WAAP_POLICY_TO_CREATE"
    namespace = "VOLTERRA_NS"
  }
  multi_lb_app      = true
  user_id_client_ip = true
  //End of mandatory "Security configuration"
  //Mandatory "Load Balancing Control"
  source_ip_stickiness = true
  //End of mandatory "Load Balancing Control"
}
//End of the file
//==========================================================================
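Because the load balancer references the WAAP policy by a plain string, nothing in the plan itself fails if the name is mistyped, the placeholder is left in place, or the policy is switched back to monitoring: the application would simply be published without enforcement. The file below is an added example, not part of the sample repository. It sits next to 1-origin.tf and 2-https-lb.tf, uses the resource names from the plan above, and assumes Terraform 1.4 or later for the built-in terraform_data resource. Its preconditions abort terraform plan before anything is created if the LB does not point at the policy created here, if the policy is not in blocking mode, or if the sample placeholders were not replaced.

```hcl
// 3-guardrails.tf (added example; assumes Terraform >= 1.4 for terraform_data)
// A resource that creates nothing, used only to attach plan-time preconditions
// that read attributes of the LB and the WAAP policy defined in the other files.
resource "terraform_data" "waap_guard" {
  lifecycle {
    // 1. The HTTPS LB must reference the WAAP policy created in this plan.
    //    app_firewall is a single nested block, so one() returns it; try() covers
    //    the case where the block was removed entirely.
    precondition {
      condition = try(
        one(volterra_http_loadbalancer.lb-https-tf.app_firewall).name,
        ""
      ) == volterra_app_firewall.waap-tf.name
      error_message = "lb-https-tf does not reference the WAAP policy defined in this plan; the application would be exposed without WAAP."
    }

    // 2. Enforcement mode must be blocking, not monitoring.
    precondition {
      condition     = volterra_app_firewall.waap-tf.blocking == true
      error_message = "The WAAP policy is not in blocking mode (blocking = true is missing)."
    }

    // 3. The sample placeholders from this article must have been replaced.
    precondition {
      condition = (
        volterra_http_loadbalancer.lb-https-tf.namespace != "VOLTERRA_NS" &&
        volterra_app_firewall.waap-tf.namespace != "VOLTERRA_NS" &&
        !contains(volterra_http_loadbalancer.lb-https-tf.domains, "mypublic.appfqdn.com")
      )
      error_message = "Sample placeholders (VOLTERRA_NS, mypublic.appfqdn.com) are still present; replace them before applying."
    }
  }
}
```

Referencing the LB and policy attributes inside the preconditions also gives Terraform the dependency ordering implicitly, so the guard is evaluated after both objects are planned. A failed precondition is a hard error during terraform plan, unlike a check block, which only produces a warning.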

 

Step #3 - apply the Terraform plan

It is time to apply the plan.

terraform init
terraform plan
terraform apply

 

Demo time

Please find below a demo of this deployment with Terraform.

 

Conclusion

In less than 5 minutes, we exposed an application on F5 Distributed Cloud infrastructure and we protected this application thanks to F5 Distributed Cloud WAAP.

Updated Nov 15, 2022
Version 2.0