Manage F5 BIG-IP FAST with Terraform (Part 4 - Manage Canary testing of AWAF policies)
Here we will use F5 BIG-IP Application Services Templates Terraform resources to manage Canary testing of F5 BIG-IP Advanced WAF (F5 BIG-IP AWAF) policies for one application.
The goal is to send HTTP requests that carry a specific HTTP header value to a new version of the F5 BIG-IP Advanced WAF policy, and all other requests to the current version of the F5 BIG-IP Advanced WAF policy. After enough tests and feedback you can decide to adjust the new version of the F5 BIG-IP Advanced WAF policy, or to apply the new version of the F5 BIG-IP Advanced WAF policy to all HTTP requests.
Workflow to manage Canary testing of AWAF policies
First, create 4 files:
- main.tf
- variables.tf
- inputs.auto.tfvars
- providers.tf
variables.tf
variable "bigip" {}
variable "username" {}
variable "password" {}
variable "policyname" {
  type    = string
  default = ""
}
variable "partition" {
  type    = string
  default = "Common"
}
inputs.auto.tfvars
bigip      = "10.1.1.9:443"
username   = "admin"
password   = "A7U+=$vJ"
partition  = "Common"
policyname = "myApp7_ltm_policy"
providers.tf
terraform {
  required_providers {
    bigip = {
      source  = "F5Networks/bigip"
      version = ">= 1.16.0"
    }
  }
}
provider "bigip" {
  address  = var.bigip
  username = var.username
  password = var.password
}
main.tf
# Current (v1) WAF policy: receives every request that does not carry the canary header.
resource "bigip_waf_policy" "app1_waf_v1" {
  provider             = bigip
  description          = "Current version of the WAF Policy"
  name                 = "v1"
  partition            = "Common"
  template_name        = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
  application_language = "utf-8"
  enforcement_mode     = "blocking"
  server_technologies  = ["Apache Tomcat", "MySQL", "Unix/Linux"]
}
# New (v2) WAF policy under test: only canary requests are sent here.
resource "bigip_waf_policy" "app1_waf_v2" {
  provider             = bigip
  description          = "new version of the WAF Policy"
  name                 = "v2"
  partition            = "Common"
  template_name        = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
  application_language = "utf-8"
  enforcement_mode     = "blocking"
  server_technologies  = ["Apache Tomcat", "MySQL", "Unix/Linux", "MongoDB"]
}
# LTM policy that routes requests with header "user_profile: earlyAdopter" to v2, everything else to v1.
module "canary_app1" {
  source = "github.com/f5devcentral/fast-terraform//canary_policy_header?ref=v1.0.0"
  providers = {
    bigip = bigip
  }
  name               = var.policyname
  partition          = var.partition
  header_name        = "user_profile"
  header_value       = "earlyAdopter"
  new_waf_policy     = bigip_waf_policy.app1_waf_v2.name
  current_waf_policy = bigip_waf_policy.app1_waf_v1.name
  depends_on         = [bigip_waf_policy.app1_waf_v1, bigip_waf_policy.app1_waf_v2]
}
resource "bigip_fast_https_app" "this" {
  application = "myApp7"
  tenant      = "scenario7"
  virtual_server {
    ip   = "10.1.10.227"
    port = 443
  }
  tls_server_profile {
    tls_cert_name = "/Common/default.crt"
    tls_key_name  = "/Common/default.key"
  }
  pool_members {
    addresses = ["10.1.10.120", "10.1.10.121", "10.1.10.122"]
    port      = 80
  }
  snat_pool_address     = ["10.1.10.50", "10.1.10.51", "10.1.10.52"]
  # Attach the LTM policy produced by the module (plain reference; a "${...}"-only string is legacy syntax).
  endpoint_ltm_policy   = [module.canary_app1.ltmPolicyName]
  security_log_profiles = ["/Common/Log all requests"]
  # depends_on must reference whole resources or modules, not a module output attribute.
  depends_on = [bigip_waf_policy.app1_waf_v1, bigip_waf_policy.app1_waf_v2, module.canary_app1]
}
We are using a module to create the F5 BIG-IP LTM policy. The LTM policy selects which F5 BIG-IP Advanced WAF policy is applied to each request based on the value of the HTTP header.
Here is how to run it:
$ terraform init -upgrade
$ terraform plan -out scenario7
$ terraform apply "scenario7"
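Once the deployment is applied, the "Log all requests" security log profile attached above is the place to confirm that the canary split actually behaves as the LTM policy intends: requests carrying "user_profile: earlyAdopter" should be evaluated by the v2 policy, all others by v1. The following script is an added example, not code from this article or from the f5devcentral/fast-terraform module. It assumes the log profile ships each request event to a collector as key="value" pairs containing at least policy_name, request_status, ip_client, uri and the raw request (field names and the sample lines are constructed for illustration), and that the header value is compared exactly as configured.

```python
"""Audit a header-based canary split of BIG-IP Advanced WAF policies from request logs.

Added example; assumes a key="value" request-log format (policy_name, request_status,
ip_client, uri, request). Sample events below are constructed, not real BIG-IP output.
"""
import re
from collections import Counter

# Canary contract taken from the module inputs in main.tf.
CANARY_HEADER = "user_profile"
CANARY_VALUE = "earlyAdopter"
NEW_POLICY = "/Common/v2"
CURRENT_POLICY = "/Common/v1"

# One key="value" pair; values may contain backslash-escaped characters such as \r\n.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample events. The last line is a deliberate misrouting (canary header, but v1).
SAMPLE_LOG = r'''
policy_name="/Common/v2" request_status="passed" ip_client="203.0.113.10" uri="/" request="GET / HTTP/1.1\r\nHost: app\r\nuser_profile: earlyAdopter\r\n\r\n"
policy_name="/Common/v1" request_status="passed" ip_client="203.0.113.11" uri="/" request="GET / HTTP/1.1\r\nHost: app\r\n\r\n"
policy_name="/Common/v1" request_status="passed" ip_client="203.0.113.12" uri="/login" request="GET /login HTTP/1.1\r\nHost: app\r\nUser_Profile: regular\r\n\r\n"
policy_name="/Common/v2" request_status="blocked" ip_client="203.0.113.13" uri="/search" request="GET /search HTTP/1.1\r\nHost: app\r\nuser_profile: earlyAdopter\r\n\r\n"
policy_name="/Common/v1" request_status="passed" ip_client="203.0.113.14" uri="/" request="GET / HTTP/1.1\r\nHost: app\r\nuser_profile: earlyAdopter\r\n\r\n"
'''


def parse_event(line):
    """Split one log line into a dict of fields plus a lower-cased header map."""
    fields = dict(KV_RE.findall(line))
    # The raw request keeps literal "\r\n" separators; the first line is the request line.
    lines = fields.get("request", "").split("\\r\\n")
    headers = {}
    for header_line in lines[1:]:
        if not header_line:  # empty line terminates the header block
            break
        name, sep, value = header_line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    fields["headers"] = headers
    return fields


def is_canary_request(event):
    """True when the request carries the exact canary header value."""
    return event["headers"].get(CANARY_HEADER.lower()) == CANARY_VALUE


def expected_policy(event):
    """Policy the LTM policy should have selected for this request."""
    return NEW_POLICY if is_canary_request(event) else CURRENT_POLICY


def audit(log_text):
    """Return (requests per policy, blocked per policy, list of misrouted requests).

    A misrouted entry is (ip_client, uri, expected_policy, actual_policy).
    """
    hits, blocked, mismatches = Counter(), Counter(), []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        policy = event.get("policy_name")
        hits[policy] += 1
        if event.get("request_status") == "blocked":
            blocked[policy] += 1
        want = expected_policy(event)
        if policy != want:
            mismatches.append((event.get("ip_client"), event.get("uri"), want, policy))
    return hits, blocked, mismatches


if __name__ == "__main__":
    hits, blocked, mismatches = audit(SAMPLE_LOG)
    for policy in sorted(hits):
        print(f"{policy}: {hits[policy]} requests, {blocked[policy]} blocked")
    for ip, uri, want, got in mismatches:
        print(f"MISROUTED {ip} {uri}: expected {want}, evaluated by {got}")
```

Two numbers matter when reading the output: the blocked count on v2 tells you whether the new policy (here, with the added MongoDB technology signatures) is producing unexpected blocks for early adopters before it is promoted to all traffic, and any misrouted entry means the LTM policy or its header match is not doing what the module inputs promise, which should be resolved before trusting the canary results.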
Resources
Terraform Registry documentation