Last updated on: 2023-09-29 03:24:53.

Advanced WAF Integration with Terraform

Introduction

You can deploy the F5 BIG-IP Advanced Web Application Firewall (Advanced WAF) security policies using the declarative JSON format, which makes them easy to integrate into a CI/CD pipeline. The declarative policies are extracted from a source control system, for example Git, and imported into the BIG-IP. Using the provided declarative policy templates, you can modify the necessary parameters, save the JSON file, and import the updated security policy into your BIG-IP devices. The declarative policy copies the content of the template and applies the adjustments and modifications to it. The templates therefore let you concentrate only on the specific settings that need adapting for the particular application that the policy protects.

Use Terraform to manage the Advanced WAF policy resource, with its adjustments and modifications, on a BIG-IP. The resource outputs an up-to-date WAF policy in JSON format, so you can store it in a registry and/or push it to your BIG-IP.

F5 BIG-IP Advanced WAF Policy structure

The supported declarative policy structure includes three logical sections:

  • The “core” section includes all the basic parameters of the policy (name, description, enforcement mode, and server technologies).
  • The “adjustments” section includes attributes of the policy that override or add to those defined in the template. This section can contain both properties that are particular to the protected application, such as server technologies, URLs, or parameters, and modifications to settings defined by the template, such as enabling Data Guard when the template disables it and specifying the Data Guard attributes. In general, use the adjustments section for defining major features of the policy that differ from the template.
  • The “modifications” section includes actions that modify the declarative policy as it is defined in the adjustments section. In general, use the modifications section for the frequent and granular changes required to tune the policy, such as reducing false positives, patching vulnerabilities, and other similar changes.

When you define an attribute in both the adjustments and modifications sections, the policy is deployed with the value as it appears in the modifications section. When an attribute appears in the modifications section multiple times, the policy is deployed with the value as it appears in the latest definition in the modifications section.
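The precedence rule above (modifications override adjustments, and the latest modification of an attribute wins) is worth checking before a policy is pushed, because a late modification can silently turn a blocking policy transparent. The following is an added example, not code from the page or from the F5 provider; the JSON shape it uses ("core" and "adjustments" as attribute maps, "modifications" as an ordered list of attribute overrides) is a constructed simplification of the declarative format, not the BIG-IP schema.

```python
import json

# Constructed sample in a simplified shape (not the BIG-IP declarative schema):
# "core" and "adjustments" are attribute maps, "modifications" is an ordered
# list of overrides. The adjustments ask for blocking mode with Data Guard on;
# the modifications flip enforcement to transparent and toggle Data Guard twice.
SAMPLE_POLICY = json.dumps({
    "core": {"name": "app1", "enforcement_mode": "blocking",
             "server_technologies": ["MySQL", "Unix/Linux"]},
    "adjustments": {"enforcement_mode": "blocking", "data_guard": True},
    "modifications": [
        {"attribute": "enforcement_mode", "value": "transparent"},
        {"attribute": "data_guard", "value": False},
        {"attribute": "data_guard", "value": True},
    ],
})


def effective_policy(policy_json):
    """Resolve attributes with the stated precedence: core, then adjustments,
    then modifications applied in order, so the latest modification wins."""
    policy = json.loads(policy_json)
    effective = dict(policy.get("core", {}))
    effective.update(policy.get("adjustments", {}))
    for mod in policy.get("modifications", []):
        effective[mod["attribute"]] = mod["value"]
    return effective


def overridden_attributes(policy_json):
    """Map each attribute whose deployed value differs from core+adjustments
    to (requested, deployed), so a reviewer sees what the modifications changed."""
    policy = json.loads(policy_json)
    base = dict(policy.get("core", {}))
    base.update(policy.get("adjustments", {}))
    effective = effective_policy(policy_json)
    return {k: (base.get(k), v) for k, v in effective.items() if base.get(k) != v}


def enforcement_findings(policy_json, expected="blocking"):
    """Return a finding when the deployed enforcement mode is not the expected
    one, e.g. when a modification flipped a blocking policy to transparent."""
    mode = effective_policy(policy_json).get("enforcement_mode")
    if mode != expected:
        return [f"enforcement_mode resolves to {mode!r}, expected {expected!r}"]
    return []


if __name__ == "__main__":
    print(overridden_attributes(SAMPLE_POLICY))
    print(enforcement_findings(SAMPLE_POLICY))
```

Running the check as a CI step before the Terraform apply surfaces the override even though Data Guard, toggled off and back on, resolves to its requested value.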

Prerequisites

Before working with declarative policies, familiarize yourself with the F5 BIG-IP Application Security Manager and general BIG-IP terminology. This information is available in the F5 Knowledge Centers.

To read, modify, or import declarative policies, you must have the following:

  • BIG-IP devices running version 16.1.x or later
  • BIG-IP Administrator role permissions
  • An active Advanced WAF license on the BIG-IP devices
  • Terraform BIG-IP provider v1.15.2 or later

Example Usage

Example usage for JSON file
# Parameter entities: explicit, alpha-numeric parameters placed in staging so
# violations are logged rather than blocked while the policy is being tuned.
data "bigip_waf_entity_parameter" "Param1" {
  name            = "Param1"
  type            = "explicit"
  data_type       = "alpha-numeric"
  perform_staging = true
}

data "bigip_waf_entity_parameter" "Param2" {
  name            = "Param2"
  type            = "explicit"
  data_type       = "alpha-numeric"
  perform_staging = true
}

# URL entities; URL2 relies on the data source defaults for everything but its name.
data "bigip_waf_entity_url" "URL" {
  name     = "URL1"
  protocol = "http"
}

data "bigip_waf_entity_url" "URL2" {
  name = "URL2"
}

# The policy itself: the template supplies the core settings, and the parameter
# and URL data sources render the adjustments as JSON fragments.
resource "bigip_waf_policy" "test-awaf" {
  name                 = "testpolicyravi"
  partition            = "Common"
  template_name        = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
  application_language = "utf-8"
  enforcement_mode     = "blocking"
  server_technologies  = ["MySQL", "Unix/Linux", "MongoDB"]
  parameters           = [data.bigip_waf_entity_parameter.Param1.json, data.bigip_waf_entity_parameter.Param2.json]
  urls                 = [data.bigip_waf_entity_url.URL.json, data.bigip_waf_entity_url.URL2.json]
}

Integration resources and data sources

F5 BIG-IP Advanced WAF Resources (the example above uses bigip_waf_policy)

F5 BIG-IP Advanced WAF Data Sources (the example above uses bigip_waf_entity_parameter and bigip_waf_entity_url)