Manage F5 BIG-IP FAST with Terraform (Part 3 - Manage multiple AWAF policies based on HTTP criteria)

The goal of this use case is to deploy a new HTTPS application with F5 BIG-IP Advanced Web Application Firewall policy on F5 BIG-IP device using F5 BIG-IP Application Services Templates Terraform resources. Web application firewall policies and pools will be applied based on hostname or uri path.

This configuration can be applied in a public cloud when there is only one public IP and you want to manage different applications and the associated Web Application Firewall policy. The selection can be based on hostname or uri.

 

Table of Content

 

Workflow to manage multiple AWAF policies and pools based on HTTP criteria

First, create 4 files:

  • main.tf
  • variables.tf
  • inputs.auto.tfvars
  • providers.tf

 

variables.tf

variable "bigip" {}
variable "username" {}
variable "password" {}
variable "policyname" {
  type    = string
  default = ""

}
variable "partition" {
  type    = string
  default = "Common"
}

 

inputs.auto.tfvars

bigip = "10.1.1.9:443"
username = "admin"
password = "whatIsYourBigIPPassword?"
partition  = "Common"
policyname = "myApp6_ltm_policy"

 

providers.tf

terraform {
  required_providers {
    bigip = {
      source = "F5Networks/bigip"
      version = ">= 1.16.0"
    }
  }
}
provider "bigip" {
  address  = var.bigip
  username = var.username
  password = var.password
}

 

main.tf

resource "bigip_waf_policy" "app1" {
  provider             = bigip
  description          = "WAF Policy for App1"
  name                 = "app1"
  partition            = var.partition
  template_name        = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
  application_language = "utf-8"
  enforcement_mode     = "blocking"
  server_technologies  = ["Apache Tomcat", "MySQL", "Unix/Linux"]
}

resource "time_sleep" "wait_a" {
  create_duration = "10s"
  depends_on      = [bigip_waf_policy.app1, bigip_waf_policy.app2]
}

resource "time_sleep" "wait_b" {
  create_duration = "10s"
  depends_on      = [bigip_waf_policy.restricted]
}

resource "bigip_waf_policy" "app2" {
  provider             = bigip
  description          = "WAF Policy for App2"
  name                 = "app2"
  partition            = var.partition
  template_name        = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
  application_language = "utf-8"
  enforcement_mode     = "blocking"
  server_technologies  = ["Apache Tomcat", "MySQL", "Unix/Linux", "MongoDB"]
}

resource "bigip_waf_policy" "restricted" {
  provider             = bigip
  description          = "WAF Policy for restricted areas"
  name                 = "restricted"
  partition            = var.partition
  template_name        = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
  application_language = "utf-8"
  enforcement_mode     = "blocking"
  server_technologies  = ["Apache Tomcat", "MySQL", "Unix/Linux", "MongoDB"]
  depends_on           = [time_sleep.wait_a]
}

resource "bigip_waf_policy" "default" {
  provider             = bigip
  description          = "desfault WAF Policy"
  name                 = "default"
  partition            = var.partition
  template_name        = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
  application_language = "utf-8"
  enforcement_mode     = "blocking"
  server_technologies  = ["Apache Tomcat", "MySQL", "Unix/Linux", "MongoDB"]
  depends_on           = [time_sleep.wait_b]
}

resource "bigip_ltm_pool" "pool1" {
  provider            = bigip
  name                = "/${var.partition}/pool1"
  allow_nat           = "yes"
  allow_snat          = "yes"
  load_balancing_mode = "round-robin"
}

resource "bigip_ltm_pool_attachment" "pool1-member" {
  pool = bigip_ltm_pool.pool1.name
  node = "10.1.10.120:80"
}

resource "bigip_ltm_pool" "pool2" {
  provider            = bigip
  name                = "/${var.partition}/pool2"
  allow_nat           = "yes"
  allow_snat          = "yes"
  load_balancing_mode = "round-robin"
}

resource "bigip_ltm_pool_attachment" "pool2-member" {
        pool = bigip_ltm_pool.pool2.name
        node = "10.1.10.121:80"
}

resource "bigip_ltm_pool" "pool_restricted" {
  provider            = bigip
  name                = "/${var.partition}/pool_restricted"
  allow_nat           = "yes"
  allow_snat          = "yes"
  load_balancing_mode = "round-robin"
}

module "consolidated_vips" {
  source = "github.com/f5devcentral/fast-terraform//multiple_waf_policies?ref=v1.0.0"
  providers = {
    bigip = bigip
  }
  name      = var.policyname
  partition = var.partition
  rules = [
    {
      name      = "WWW1_App"
      hostname  = ["www1.f5demo.com", "app1.f5demo.com"]
      policy    = bigip_waf_policy.app1.name
      pool_name = bigip_ltm_pool.pool1.name
    },
    {
      name      = "WWW2_App"
      hostname  = ["www2.f5demo.com"]
      policy    = bigip_waf_policy.app2.name
      pool_name = bigip_ltm_pool.pool2.name
    },
    {
      name      = "restricted"
      path      = ["/restricted", "/admin", "/hr"]
      policy    = bigip_waf_policy.restricted.name
      pool_name = bigip_ltm_pool.pool_restricted.name
  }]
  default_policy = bigip_waf_policy.default.name
  depends_on     = [bigip_waf_policy.app1, bigip_waf_policy.app2, bigip_waf_policy.restricted, bigip_waf_pol
icy.default]
}

resource "bigip_fast_https_app" "this" {
  application = "myApp6"
  tenant      = "scenario6"
  virtual_server {
    ip   = "10.1.10.226"
    port = 443
  }
  tls_server_profile {
    tls_cert_name = "/Common/default.crt"
    tls_key_name  = "/Common/default.key"
  }
  snat_pool_address     = ["10.1.10.50", "10.1.10.51", "10.1.10.52"]
  endpoint_ltm_policy   = ["${module.consolidated_vips.ltmPolicyName}"]
  security_log_profiles = ["/Common/Log all requests"]
  depends_on            = [bigip_waf_policy.app1, bigip_waf_policy.app2, bigip_waf_policy.restricted, bigip_
waf_policy.default, module.consolidated_vips.ltmPolicyName]
}

 

here is how run it:

$ terraform init -upgrade
$ terraform plan -out scenario6
$ terraform apply "scenario6"

 

Demo Video

 

 

Resources

Terraform Registry documentation

 

Article Series

Manage F5 BIG-IP FAST with Terraform (Part 3 - Manage multiple AWAF policies based on HTTP criteria)
Published Nov 28, 2022
Version 1.0
No CommentsBe the first to comment