Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 1 - Policy Creation)

This is a green field scenario. Here we will use the Terraform resources to create a F5 BIG-IP Advanced WAF Policy and manage its lifecycle.

 

Table of Content

 

 

Workflow for creating a F5 BIG-IP Advanced Web Application Firewall Policy

First, create 3 files:

  • main.tf
  • variables.tf
  • inputs.auto.tfvars

 

variables.tf

variable bigip {}
variable username {}
variable password {}

 

inputs.auto.tfvars

bigip = "10.1.1.9:443"
username = "admin"
password = "yYyYyYy"

 

main.tf

terraform {
  required_providers {
    bigip = {
      source = "F5Networks/bigip"
      version = "1.15"
    }
  }
}

provider "bigip" {
  address  = var.bigip
  username = var.username
  password = var.password
}

resource "bigip_waf_policy" "this" {
  name                 = "scenario1"
  partition            = "Common"
  template_name        = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
  application_language = "utf-8"
  enforcement_mode     = "blocking"
  server_technologies  = ["Apache Tomcat", "MySQL", "Unix/Linux"]
}

 

here is how run it:

 

foo@bar:~$ terraform init
foo@bar:~$ terraform plan -out scenario1.waf
foo@bar:~$ terraform apply "scenario1"

 

 

 

 

Create an API Protection F5 BIG-IP Advanced WAF Policy

Here we are going to create an F5 BIG-IP Advanced WAF Policy protecting a RESTful API importing an OpenAPI Specifications File (both OAS v2.0 and v3.0 are supported).

 

variables.tf

variable bigip {}
variable username {}
variable password {}

 

inputs.auto.tfvars

bigip = "10.1.1.9:443"
username = "admin"
password = "yYyYyYy"

 

main.tf

terraform {
  required_providers {
    bigip = {
      source = "F5Networks/bigip"
      version = "1.15"
    }
  }
}

provider "bigip" {
  address  = var.bigip
  username = var.username
  password = var.password
}


resource "bigip_waf_policy" "this" {
  partition                 = "Common"
  name                      = "scenario1.swagger"
  template_name             = "POLICY_TEMPLATE_API_SECURITY"
  application_language      = "utf-8"
  enforcement_mode          = "blocking"
  server_technologies       = ["MySQL", "Unix/Linux", "MongoDB"]
  open_api_files            = ["https://api.swaggerhub.com/apis/F5EMEASSA/API-Sentence/3.0.1"]
  parameters                = [data.bigip_waf_entity_parameter.P1.json, data.bigip_waf_entity_parameter.P2.json, data.bigip_waf_entity_parameter.P3.json]
  signatures                = [data.bigip_waf_signatures.S1.json, data.bigip_waf_signatures.S2.json]

 

What we do here is the equivalent of the following manual configuration:

How to create an OpenAPI security policy using a Swagger file.

here is how run it:

foo@bar:~$ terraform init
foo@bar:~$ terraform plan -out scenario1.swagger
foo@bar:~$ terraform apply "scenario1"

 

Demo Video

 

 

Resources

Terraform Registry documentation
F5 BIG-IP Terraform Provider
Lab guide

 

Article Series

Manage F5 BIG-IP Advanced WAF Policies with Terraform (Intro)

Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 1 - Policy Creation) 
Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 2 - Policy Import)
Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 3 - Migrate)
Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 4 - Policy Lifecycle management)
Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 5 - Working with Policy Builder)
Manage F5 BIG-IP Advanced WAF Policies with Terraform (Best Practices)
 
Published Sep 23, 2022
Version 1.0
cloud
devops
security
No CommentsBe the first to comment