F5 Distributed Cloud WAAP deployment with Terraform
The F5 Distributed Cloud WAAP solution can be deployed from the F5 Distributed Cloud Console, but also through the API and Terraform plans.
WAAP stands for Web Application and API Protection. It includes DDoS, WAF, Bot and API protections.
In this article, we will focus on how to deploy/create:
- A WAAP policy
- A distributed load balancer with this WAAP policy assigned targeting a public FQDN
Find the F5 Distributed Cloud Terraform provider
To do so, I will use the F5 Distributed Cloud Terraform provider: https://registry.terraform.io/providers/volterraedge/volterra/latest
Find sample Terraform plans on GitHub
You can find Terraform plans in our DevCentral GitHub repo: https://github.com/f5devcentral/terraform-volterra
Prepare and run the Terraform plan
In this article, we will use this sample: https://github.com/f5devcentral/terraform-volterra/tree/main/HTTP_and_Origin_Pool/LB_EXTERNAL_HTTPS_autocert_new_WAAP
This plan will create:
- An Origin Pool
- A WAAP Policy
- An HTTPS LB (auto-cert from Let's Encrypt) using the two previous objects
Step #1 - configure the variables
Modify the variable.tf file accordingly. You must provide:
- Your F5 Distributed Cloud API certificate and key
- Your F5 Distributed Cloud tenant name
variable "api_cert" {
  type    = string
  default = "/PATH/certificate.cert"
}
variable "api_key" {
  type    = string
  default = "/PATH/private_key.key"
}
variable "api_url" {
  type    = string
  default = "https://YOUR_TENANT.console.ves.volterra.io/api"
}
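The sample's variable.tf stops at the three variables; the provider block that consumes them is what actually authenticates every API call. The following is an added example, not code from the article or from the f5devcentral repository, showing how those variables feed the volterra provider. The api_cert, api_key and url provider arguments are the ones documented by the volterraedge/volterra provider; the validation rule on api_url and the absence of default paths are choices made here so that credential file locations are supplied at run time rather than committed with the plan.

```hcl
# Added example (not part of the article's plan): provider wiring for the
# variables declared in variable.tf.
terraform {
  required_providers {
    volterra = {
      source = "volterraedge/volterra"
    }
  }
}

# No defaults for the credential paths: pass them with TF_VAR_api_cert and
# TF_VAR_api_key (or a .tfvars file that is excluded from version control),
# so the plan itself never carries a path to a real private key.
variable "api_cert" {
  type        = string
  description = "Path to the F5 Distributed Cloud API client certificate (PEM)"
}

variable "api_key" {
  type        = string
  description = "Path to the private key matching api_cert (PEM)"
}

variable "api_url" {
  type        = string
  description = "Tenant API endpoint, e.g. https://<tenant>.console.ves.volterra.io/api"

  # Reject anything that is not an HTTPS tenant endpoint, so a typo cannot
  # send the client certificate to an unexpected host.
  validation {
    condition     = can(regex("^https://[^/.]+\\.console\\.ves\\.volterra\\.io/api$", var.api_url))
    error_message = "api_url must be of the form https://<tenant>.console.ves.volterra.io/api"
  }
}

provider "volterra" {
  api_cert = var.api_cert
  api_key  = var.api_key
  url      = var.api_url
}
```

Run it as `TF_VAR_api_cert=/path/to/certificate.cert TF_VAR_api_key=/path/to/private_key.key TF_VAR_api_url=https://YOUR_TENANT.console.ves.volterra.io/api terraform plan`; keep the key file readable only by the user running Terraform.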
Step #2 - configure the plan
Please find below the plan, with three sections creating the three objects.
You must change the following values:
- VOLTERRA_NS: the NameSpace where the objects will be created
- APP_FQDN: Origin Pool FQDN targeting the back end application
- WAAP_POLICY_TO_CREATE: Name of the WAAP Policy
- mypublic.appfqdn.com: HTTPS LB FQDN
//==========================================================================
//Definition of the Origin, 1-origin.tf
//Start of the TF file
resource "volterra_origin_pool" "op-ip-internal" {
  name = "op-ip-internal"
  //Name of the namespace where the origin pool must be deployed
  namespace = "VOLTERRA_NS"
  origin_servers {
    public_name {
      dns_name = "APP_FQDN"
    }
    labels = {
    }
  }
  no_tls                 = true
  port                   = "80"
  endpoint_selection     = "LOCALPREFERED"
  loadbalancer_algorithm = "LB_OVERRIDE"
}
//End of the file
//==========================================================================
//Definition of the WAAP Policy
resource "volterra_app_firewall" "waap-tf" {
  name      = "WAAP_POLICY_TO_CREATE"
  namespace = "VOLTERRA_NS"
  // One of the arguments from this list "allow_all_response_codes allowed_response_codes" must be set
  allow_all_response_codes = true
  // One of the arguments from this list "default_anonymization custom_anonymization disable_anonymization" must be set
  default_anonymization = true
  // One of the arguments from this list "use_default_blocking_page blocking_page" must be set
  use_default_blocking_page = true
  // One of the arguments from this list "default_bot_setting bot_protection_setting" must be set
  default_bot_setting = true
  // One of the arguments from this list "default_detection_settings detection_settings" must be set
  default_detection_settings = true
  // One of the arguments from this list "use_loadbalancer_setting blocking monitoring" must be set
  use_loadbalancer_setting = true
  // Blocking mode - optional - if not set, policy is in MONITORING
  blocking = true
}
//==========================================================================
//Definition of the Load-Balancer, 2-https-lb.tf
//Start of the TF file
resource "volterra_http_loadbalancer" "lb-https-tf" {
  depends_on = [volterra_origin_pool.op-ip-internal]
  //Mandatory "Metadata"
  name = "lb-https-tf"
  //Name of the namespace where the load balancer must be deployed
  namespace = "VOLTERRA_NS"
  //End of mandatory "Metadata"
  //Mandatory "Basic configuration" with Auto-Cert
  domains = ["mypublic.appfqdn.com"]
  https_auto_cert {
    add_hsts              = true
    http_redirect         = true
    no_mtls               = true
    enable_path_normalize = true
    tls_config {
      default_security = true
    }
  }
  default_route_pools {
    pool {
      name      = "op-ip-internal"
      namespace = "VOLTERRA_NS"
    }
    weight = 1
  }
  //Mandatory "VIP configuration"
  advertise_on_public_default_vip = true
  //End of mandatory "VIP configuration"
  //Mandatory "Security configuration"
  no_service_policies = true
  no_challenge        = true
  disable_rate_limit  = true
  //WAAP Policy reference, created earlier in this plan - refer to the same name
  app_firewall {
    name      = "WAAP_POLICY_TO_CREATE"
    namespace = "VOLTERRA_NS"
  }
  multi_lb_app      = true
  user_id_client_ip = true
  //End of mandatory "Security configuration"
  //Mandatory "Load Balancing Control"
  source_ip_stickiness = true
  //End of mandatory "Load Balancing Control"
}
//End of the file
//==========================================================================
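In the plan above the load balancer points at the origin pool and the WAAP policy by repeating their names and namespace as string literals, and ordering is forced with depends_on. The block below is an added example, not the article's plan or the f5devcentral sample, that rewrites the load balancer section to reference the two resources through their exported attributes and to take the namespace and public FQDN from variables, so a renamed pool or policy cannot leave a stale string behind and Terraform derives the create order itself. It assumes the volterra_origin_pool.op-ip-internal and volterra_app_firewall.waap-tf resources from the plan above exist in the same configuration, with their namespace set to the same value passed in var.namespace.

```hcl
# Added example (not from the article): load balancer wired by attribute
# references instead of copied names.
variable "namespace" {
  type        = string
  description = "Namespace holding the origin pool, WAAP policy and load balancer"
}

variable "public_fqdn" {
  type        = string
  description = "Public hostname served by the HTTPS load balancer"
}

resource "volterra_http_loadbalancer" "lb-https-tf" {
  name      = "lb-https-tf"
  namespace = var.namespace

  domains = [var.public_fqdn]

  https_auto_cert {
    add_hsts              = true
    http_redirect         = true
    no_mtls               = true
    enable_path_normalize = true
    tls_config {
      default_security = true
    }
  }

  # Referencing the pool's attributes creates the dependency edge, so no
  # depends_on is needed and a mismatched name is caught at plan time.
  default_route_pools {
    pool {
      name      = volterra_origin_pool.op-ip-internal.name
      namespace = volterra_origin_pool.op-ip-internal.namespace
    }
    weight = 1
  }

  advertise_on_public_default_vip = true

  no_service_policies = true
  no_challenge        = true
  disable_rate_limit  = true

  # Same pattern for the WAAP policy: the reference guarantees the policy
  # attached to the LB is the one this plan created.
  app_firewall {
    name      = volterra_app_firewall.waap-tf.name
    namespace = volterra_app_firewall.waap-tf.namespace
  }

  multi_lb_app         = true
  user_id_client_ip    = true
  source_ip_stickiness = true
}
```

Supply the values with `-var namespace=VOLTERRA_NS -var public_fqdn=mypublic.appfqdn.com` or a .tfvars file; `terraform plan` then shows the load balancer ordered after both referenced resources without any explicit depends_on.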
Step #3 - apply the Terraform plan
It is time to initialize the provider, review the plan, and apply it.
terraform init
terraform plan
terraform apply
Demo time
Please find below a demo of this deployment with Terraform
Conclusion
In less than 5 minutes, we exposed an application on F5 Distributed Cloud infrastructure and we protected this application thanks to F5 Distributed Cloud WAAP.
Nice! Are there also Ansible Collections for F5 XC? Maybe the token part will work with Ansible and the URI module, adding it as a custom header, but I could not find anything about Client SSL Auth with Ansible. EDIT: Found this https://github.com/f5devcentral/xcwaapdemoguide/tree/main/ansible but not a lot of examples, and I see that a token is used, so maybe an SSL cert is still not an option.
Matt_Dierick - can you say, per Nikoolayy1 question above, whether SSL Cert is / is not yet an option?