on 20-Feb-2022 18:00 - edited on 15-Nov-2022 13:11 by JRahm
The F5 Distributed Cloud WAAP solution can be deployed from the F5 Distributed Cloud Console, but also through the API and with Terraform plans.
WAAP stands for Web Application and API Protection. It includes DDoS, WAF, Bot and API protection.
In this article, we will focus on how to deploy/create:
To do so, I will refer to the F5 Distributed Cloud Terraform provider: https://registry.terraform.io/providers/volterraedge/volterra/latest
You can find Terraform plans in our DevCentral GitHub repo: https://github.com/f5devcentral/terraform-volterra
In this article, we will use this sample: https://github.com/f5devcentral/terraform-volterra/tree/main/HTTP_and_Origin_Pool/LB_EXTERNAL_HTTPS_...
This plan will create:
Modify the variable.tf file accordingly. You must provide:
variable "api_cert" {
  type    = string
  default = "/PATH/certificate.cert"
}
variable "api_key" {
  type    = string
  default = "/PATH/private_key.key"
}
variable "api_url" {
  type    = string
  default = "https://YOUR_TENANT.console.ves.volterra.io/api"
}
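The three variables above are only useful once a provider block consumes them, which the article does not show. The following is an added example, not code from the article or from the f5devcentral repository: it assumes the `url`, `api_cert` and `api_key` arguments of the volterraedge/volterra provider, and the `namespace` variable and the `validation` rules are additions of mine so that a bad tenant URL or namespace fails at `terraform plan` instead of as an API error during apply.

```hcl
# Added example: wiring the api_cert / api_key / api_url variables into the
# volterra provider. Not part of the original article or repository.
# Assumptions: provider arguments url, api_cert, api_key (volterraedge/volterra);
# all placeholder values (tenant, namespace) are constructed for illustration.

terraform {
  required_providers {
    volterra = {
      source = "volterraedge/volterra"
      # Pin a version here once you have tested the plan against it.
    }
  }
}

# No defaults for the credential paths: supply them through a gitignored
# terraform.tfvars or TF_VAR_api_cert / TF_VAR_api_key so that real paths and
# keys never end up in version control.
variable "api_cert" {
  type        = string
  description = "Path to the PEM client certificate issued by the F5 Distributed Cloud console"
}

variable "api_key" {
  type        = string
  description = "Path to the PEM private key matching api_cert"
}

variable "api_url" {
  type        = string
  description = "Tenant API endpoint, e.g. https://YOUR_TENANT.console.ves.volterra.io/api"

  # Fail early on a typo in the tenant name or a missing /api suffix.
  validation {
    condition     = can(regex("^https://[a-z0-9-]+\\.console\\.ves\\.volterra\\.io/api$", var.api_url))
    error_message = "api_url must look like https://<tenant>.console.ves.volterra.io/api."
  }
}

# Assumed variable: one place to set the namespace instead of repeating
# "VOLTERRA_NS" in every resource of the plan.
variable "namespace" {
  type        = string
  description = "Namespace in which the origin pool, WAAP policy and load balancer are created"

  validation {
    condition     = can(regex("^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", var.namespace))
    error_message = "namespace must be a lowercase DNS-label style name."
  }
}

# Client-certificate authentication to the tenant API. The provider reads the
# PEM files from disk at plan/apply time; nothing from the key is stored in state.
provider "volterra" {
  url      = var.api_url
  api_cert = var.api_cert
  api_key  = var.api_key
}
```

With this in place, the hard-coded `namespace = "VOLTERRA_NS"` lines of the plan can be replaced by `namespace = var.namespace`, and a wrong tenant URL is rejected by `terraform plan` before any API call is made.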
Please find below the plan, with the 3 sections that create the 3 objects.
You must change some values, such as:
//==========================================================================
// Definition of the Origin, 1-origin.tf
// Start of the TF file
resource "volterra_origin_pool" "op-ip-internal" {
  name = "op-ip-internal"
  // Name of the namespace where the origin pool must be deployed
  namespace = "VOLTERRA_NS"
  origin_servers {
    public_name {
      dns_name = "APP_FQDN"
    }
    labels = {
    }
  }
  no_tls                 = true
  port                   = "80"
  endpoint_selection     = "LOCALPREFERED"
  loadbalancer_algorithm = "LB_OVERRIDE"
}
// End of the file
//==========================================================================
// Definition of the WAAP Policy
resource "volterra_app_firewall" "waap-tf" {
  name      = "WAAP_POLICY_TO_CREATE"
  namespace = "VOLTERRA_NS"
  // One of the arguments from this list "allow_all_response_codes allowed_response_codes" must be set
  allow_all_response_codes = true
  // One of the arguments from this list "default_anonymization custom_anonymization disable_anonymization" must be set
  default_anonymization = true
  // One of the arguments from this list "use_default_blocking_page blocking_page" must be set
  use_default_blocking_page = true
  // One of the arguments from this list "default_bot_setting bot_protection_setting" must be set
  default_bot_setting = true
  // One of the arguments from this list "default_detection_settings detection_settings" must be set
  default_detection_settings = true
  // One of the arguments from this list "use_loadbalancer_setting blocking monitoring" must be set
  use_loadbalancer_setting = true
  // Blocking mode - optional - if not set, the policy is in MONITORING mode
  blocking = true
}
//==========================================================================
// Definition of the Load-Balancer, 2-https-lb.tf
// Start of the TF file
resource "volterra_http_loadbalancer" "lb-https-tf" {
  depends_on = [volterra_origin_pool.op-ip-internal]
  // Mandatory "Metadata"
  name = "lb-https-tf"
  // Name of the namespace where the load balancer must be deployed
  namespace = "VOLTERRA_NS"
  // End of mandatory "Metadata"
  // Mandatory "Basic configuration" with Auto-Cert
  domains = ["mypublic.appfqdn.com"]
  https_auto_cert {
    add_hsts              = true
    http_redirect         = true
    no_mtls               = true
    enable_path_normalize = true
    tls_config {
      default_security = true
    }
  }
  default_route_pools {
    pool {
      name      = "op-ip-internal"
      namespace = "VOLTERRA_NS"
    }
    weight = 1
  }
  // Mandatory "VIP configuration"
  advertise_on_public_default_vip = true
  // End of mandatory "VIP configuration"
  // Mandatory "Security configuration"
  no_service_policies = true
  no_challenge        = true
  disable_rate_limit  = true
  // WAAP Policy reference, created earlier in this plan - refer to the same name
  app_firewall {
    name      = "WAAP_POLICY_TO_CREATE"
    namespace = "VOLTERRA_NS"
  }
  multi_lb_app      = true
  user_id_client_ip = true
  // End of mandatory "Security configuration"
  // Mandatory "Load Balancing Control"
  source_ip_stickiness = true
  // End of mandatory "Load Balancing Control"
}
// End of the file
//==========================================================================
It is time to apply the plan.
terraform init
terraform plan
Please find below a demo of this deployment with Terraform.
In less than 5 minutes, we exposed an application on the F5 Distributed Cloud infrastructure and protected it with F5 Distributed Cloud WAAP.
Nice! Are there also Ansible Collections for F5 XC? Maybe the token part will work with Ansible and the URI module adding it as a custom header but I could not find anything about Client SSL Auth with Ansible. EDIT: Found this https://github.com/f5devcentral/xcwaapdemoguide/tree/main/ansible but not a lot of examples and see that token is used so maybe SSL cert is still not an option.
@Matt_Dierick - can you say, per @Nikoolayy1 question above, whether SSL Cert is / is not yet an option?