Manage F5 BIG-IP FAST with Terraform (Part 4 - Manage Canary testing of AWAF policies)

In this part we use the F5 BIG-IP Application Services Templates (FAST) Terraform resources to manage canary testing of F5 BIG-IP Advanced WAF (AWAF) policies for one application.

The goal is to send HTTP requests that carry a specific HTTP header value to a new version of the AWAF policy, and all other requests to the current version. After enough testing and feedback you can either adjust the new version and iterate, or promote it so that it is applied to all HTTP requests. Because the selection key is a client-supplied header, anyone who learns the header name and value can opt into the new policy; keep the new version in blocking mode (as below) and treat the header value like a secret while the test runs.

Workflow to manage Canary testing of AWAF policies

First, create 4 files:

  • main.tf
  • variables.tf
  • inputs.auto.tfvars
  • providers.tf

 

variables.tf

variable "bigip" {
  type = string
}
variable "username" {
  type = string
}
variable "password" {
  type      = string
  sensitive = true # keeps the value out of plan/apply output (Terraform 0.14+)
}
variable "policyname" {
  type    = string
  default = ""
}
variable "partition" {
  type    = string
  default = "Common"
}

 

inputs.auto.tfvars

bigip      = "10.1.1.9:443"
username   = "admin"
# Lab credential. Keep this file out of version control, or omit the line and
# set TF_VAR_password in the environment instead.
password   = "A7U+=$vJ"
partition  = "Common"
policyname = "myApp7_ltm_policy"

 

providers.tf

terraform {
  required_providers {
    bigip = {
      source = "F5Networks/bigip"
      version = ">= 1.16.0"
    }
  }
}
provider "bigip" {
  address  = var.bigip
  username = var.username
  password = var.password
}

 

main.tf

resource "bigip_waf_policy" "app1_waf_v1" {
  provider             = bigip
  description          = "Current version of the WAF Policy"
  name                 = "v1"
  partition            = var.partition # same partition the LTM policy is created in
  template_name        = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
  application_language = "utf-8"
  enforcement_mode     = "blocking"
  server_technologies  = ["Apache Tomcat", "MySQL", "Unix/Linux"]
}

resource "bigip_waf_policy" "app1_waf_v2" {
  provider             = bigip
  description          = "new version of the WAF Policy"
  name                 = "v2"
  partition            = var.partition
  template_name        = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
  application_language = "utf-8"
  enforcement_mode     = "blocking"
  server_technologies  = ["Apache Tomcat", "MySQL", "Unix/Linux", "MongoDB"]
}

module "canary_app1" {
  source = "github.com/f5devcentral/fast-terraform//canary_policy_header?ref=v1.0.0"
  providers = {
    bigip = bigip
  }
  name               = var.policyname
  partition          = var.partition
  header_name        = "user_profile"
  header_value       = "earlyAdopter"
  new_waf_policy     = bigip_waf_policy.app1_waf_v2.name
  current_waf_policy = bigip_waf_policy.app1_waf_v1.name
  depends_on         = [bigip_waf_policy.app1_waf_v1, bigip_waf_policy.app1_waf_v2]
}

resource "bigip_fast_https_app" "this" {
  application = "myApp7"
  tenant      = "scenario7"
  virtual_server {
    ip   = "10.1.10.227"
    port = 443
  }
  tls_server_profile {
    # default.crt/key is the BIG-IP self-signed pair; use a CA-issued certificate outside the lab
    tls_cert_name = "/Common/default.crt"
    tls_key_name  = "/Common/default.key"
  }
  pool_members {
    addresses = ["10.1.10.120", "10.1.10.121", "10.1.10.122"]
    port      = 80
  }
  snat_pool_address     = ["10.1.10.50", "10.1.10.51", "10.1.10.52"]
  # Terraform 0.12+ syntax: reference the module output directly instead of
  # wrapping it in a "${...}" interpolation string.
  endpoint_ltm_policy   = [module.canary_app1.ltmPolicyName]
  security_log_profiles = ["/Common/Log all requests"]
  # depends_on only accepts whole resources or modules, not attributes such as
  # module.canary_app1.ltmPolicyName (Terraform rejects that reference).
  depends_on            = [bigip_waf_policy.app1_waf_v1, bigip_waf_policy.app1_waf_v2, module.canary_app1]
}

The module creates an F5 BIG-IP LTM policy that selects the AWAF policy per request based on the HTTP header value: requests carrying user_profile: earlyAdopter are inspected by policy v2, all other requests by policy v1. The FAST HTTPS application then attaches that LTM policy to the virtual server through endpoint_ltm_policy. To promote v2 to all traffic, point current_waf_policy at bigip_waf_policy.app1_waf_v2.name as well and apply; to abandon the test, point new_waf_policy back at v1. Either way the change is a normal Terraform plan/apply, so it is reviewable and reversible.

 

Run it with:

$ terraform init -upgrade
$ terraform plan -out scenario7
$ terraform apply "scenario7"
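After the apply, it is worth confirming on the BIG-IP itself that the LTM policy does what the module inputs say: the header rule maps to v2, the catch-all rule maps to v1, and the header rule is ordered first (the first-match strategy never reaches it otherwise). The script below is an added example, not code from the article or from the f5devcentral/fast-terraform module. It assumes the module builds a first-match LTM policy with an http-header condition and ASM actions of that shape, that the rules subcollection looks like the constructed SAMPLE_RULES (modelled on /mgmt/tm/ltm/policy/<policy>/rules?expandSubcollections=true), and that the environment variables BIGIP_HOST, BIGIP_USER, BIGIP_PASSWORD and BIGIP_CA_BUNDLE are set; the rule names are made up.

```python
"""Post-apply check of the canary LTM policy through iControl REST.

Added example (not the article's or the f5devcentral module's code). Rule
names, the env var names and the exact JSON shape are assumptions.
"""
import base64
import json
import os
import ssl
import urllib.request

# Constructed sample mirroring the expanded rules subcollection for the policy
# the article deploys (/Common/myApp7_ltm_policy). Not captured from a device.
SAMPLE_RULES = {
    "items": [
        {"name": "canary", "ordinal": 0,
         "conditionsReference": {"items": [
             {"name": "0", "httpHeader": True, "tmName": "user_profile",
              "equals": True, "values": ["earlyAdopter"], "request": True}]},
         "actionsReference": {"items": [
             {"name": "0", "asm": True, "enable": True,
              "policy": "/Common/v2", "request": True}]}},
        {"name": "catch_all", "ordinal": 1,
         "actionsReference": {"items": [
             {"name": "0", "asm": True, "enable": True,
              "policy": "/Common/v1", "request": True}]}},
    ]
}


def summarize_rules(rules_json):
    """Flatten the rules into (name, header, values, asm_policy) tuples, ordered
    by ordinal, i.e. the order the first-match strategy evaluates them in."""
    summary = []
    for rule in sorted(rules_json.get("items", []), key=lambda r: r.get("ordinal", 0)):
        header, values = None, ()
        for cond in rule.get("conditionsReference", {}).get("items", []):
            if cond.get("httpHeader"):
                header = cond.get("tmName")
                values = tuple(cond.get("values", []))
        asm_policy = None
        for act in rule.get("actionsReference", {}).get("items", []):
            if act.get("asm") and act.get("enable"):
                asm_policy = act.get("policy")
        summary.append((rule["name"], header, values, asm_policy))
    return summary


def check_canary(summary, header_name, header_value, new_policy, current_policy):
    """Return findings (empty list means OK): a rule matching the canary header
    must apply new_policy, a rule without header condition must apply
    current_policy, and the canary rule must come before the catch-all."""
    findings = []
    canary = [r for r in summary if r[1] == header_name and header_value in r[2]]
    catch_all = [r for r in summary if r[1] is None]
    if not canary:
        findings.append(f"no rule matches header {header_name}={header_value}")
    elif canary[0][3] != new_policy:
        findings.append(f"canary rule applies {canary[0][3]}, expected {new_policy}")
    if not catch_all:
        findings.append("no catch-all rule: requests without the header get no AWAF policy")
    elif catch_all[0][3] != current_policy:
        findings.append(f"catch-all rule applies {catch_all[0][3]}, expected {current_policy}")
    if canary and catch_all and summary.index(canary[0]) > summary.index(catch_all[0]):
        findings.append("catch-all rule precedes canary rule; first-match never reaches the header test")
    return findings


def fetch_rules(host, user, password, policy_path, cafile=None):
    """GET the expanded rules subcollection of an LTM policy using Basic auth.
    policy_path is the tmsh full path, e.g. /Common/myApp7_ltm_policy."""
    url = (f"https://{host}/mgmt/tm/ltm/policy/{policy_path.replace('/', '~')}"
           "/rules?expandSubcollections=true")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    # Pass the lab CA (or the self-signed cert) instead of disabling verification.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    host = os.environ.get("BIGIP_HOST")  # e.g. 10.1.1.9:443 as in inputs.auto.tfvars
    if host:
        rules = fetch_rules(host, os.environ["BIGIP_USER"], os.environ["BIGIP_PASSWORD"],
                            "/Common/myApp7_ltm_policy", os.environ.get("BIGIP_CA_BUNDLE"))
    else:
        rules = SAMPLE_RULES  # offline: evaluate the constructed sample instead
    for finding in check_canary(summarize_rules(rules), "user_profile", "earlyAdopter",
                                "/Common/v2", "/Common/v1"):
        print("FINDING:", finding)
```

Without BIGIP_HOST set the script runs against the constructed sample and prints nothing, because the sample is the intended state; against a device it prints one line per deviation, which makes it usable as a post-apply gate in a pipeline.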

 

Resources

Terraform Registry documentation

 

Article Series

Manage F5 BIG-IP FAST with Terraform (Part 4 - Manage Canary testing of AWAF policies)
Published Dec 05, 2022
Version 1.0