F5 BIG-IP Advanced WAF Integration with Terraform

Introduction

The F5 BIG-IP Advanced Web Application Firewall (Advanced WAF) security policies can be deployed using the declarative JSON format, which makes them easy to integrate into a CI/CD pipeline. The declarative policies are pulled from a source control system, for example Git, and imported into the BIG-IP. Using the provided declarative policy templates, you modify only the necessary parameters, save the JSON file, and import the updated security policy into your BIG-IP devices. The declarative policy copies the content of the template and layers the adjustments and modifications onto it. The templates therefore let you concentrate only on the specific settings that must be adapted for the particular application the policy protects.

Terraform can be used to manage the Advanced WAF policy resource, together with its adjustments and modifications, on a BIG-IP. It outputs an up-to-date WAF policy in JSON format so you can store it in a registry and/or push it to your BIG-IP.

F5 BIG-IP Advanced WAF Policy structure

The supported declarative policy structure includes three logical sections:

  • The “core” section includes all the building parameters of the policy (name, description, enforcement mode, server technologies, and so on).
  • The “adjustments” section includes attributes of the policy that override or add to those defined in the template. Attributes in this section can be both properties that are particular to the protected application, such as server technologies, URLs, or parameters, and modifications to settings defined by the template, such as enabling Data Guard if it is disabled in the template and specifying its attributes. In general, the adjustments section defines the major features of the policy that differ from the template.
  • The “modifications” section includes actions that modify the declarative policy as it stands after the adjustments section is applied. In general, the modifications section is used for the frequent, granular changes required to tune the policy, such as reducing false positives, patching vulnerabilities, and so on.

When an attribute is defined in both the adjustments and modifications sections, the policy is deployed with the value as it appears in the modifications section. When an attribute appears in the modifications section multiple times, the policy is deployed with the value as it appears in the latest definition in the modifications section.
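The precedence rules above (adjustments override the template, modifications override adjustments, and the last modification of an attribute wins) are easy to get wrong when a policy is assembled in a pipeline. The following added example, which is not code from the page or from F5, models that layering in Python over a constructed sample policy and then runs a small pre-push check on the effective result. The section key names (enforcementMode, performStaging, server-technologies, and the rest) are assumptions for the example, not a statement of the F5 schema.

```python
"""Resolve an effective F5-style declarative WAF policy from its sections.

Added example, not from the page: layers core -> adjustments ->
modifications (in order) and lints the result before it is pushed.
Key names are assumptions; sample data below is constructed.
"""
import copy
import json

# Entity lists are merged per entity (keyed by "name" or the given key);
# every other attribute is simply overwritten by the later section.
ENTITY_LISTS = {
    "parameters": "name",
    "urls": "name",
    "server-technologies": "serverTechnologyName",
}


def _merge_entities(existing, incoming, key):
    """Merge two entity lists: incoming entries update or append by key."""
    by_key = {e[key]: dict(e) for e in existing}
    for entity in incoming:
        by_key.setdefault(entity[key], {}).update(entity)
    return list(by_key.values())


def apply_section(policy, section):
    """Layer one section (the adjustments, or one modification) in place."""
    for attr, value in section.items():
        if attr in ENTITY_LISTS:
            policy[attr] = _merge_entities(
                policy.get(attr, []), value, ENTITY_LISTS[attr])
        else:
            policy[attr] = copy.deepcopy(value)
    return policy


def resolve_policy(core, adjustments, modifications):
    """Return the effective policy; inputs are never mutated.

    Modifications are applied in list order, so when the same attribute
    appears several times the latest definition is the one deployed.
    """
    policy = copy.deepcopy(core)
    apply_section(policy, adjustments)
    for mod in modifications:
        apply_section(policy, mod)
    return policy


def lint_policy(policy):
    """Findings a reviewer wants before the JSON is pushed to a BIG-IP."""
    findings = []
    if policy.get("enforcementMode") != "blocking":
        findings.append("enforcementMode is not 'blocking'")
    for param in policy.get("parameters", []):
        if param.get("performStaging"):
            findings.append(f"parameter {param['name']} is still in staging")
    return findings


# Constructed sample sections (not a real policy).
CORE = {
    "name": "example-policy",
    "template": {"name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"},
    "applicationLanguage": "utf-8",
    "enforcementMode": "transparent",
}
ADJUSTMENTS = {
    "enforcementMode": "blocking",
    "server-technologies": [{"serverTechnologyName": "MySQL"}],
    "parameters": [
        {"name": "Param1", "type": "explicit", "performStaging": True},
        {"name": "Param2", "type": "explicit", "performStaging": True},
    ],
}
MODIFICATIONS = [
    {"enforcementMode": "transparent"},                      # first tuning pass
    {"parameters": [{"name": "Param1", "performStaging": False}]},
    {"enforcementMode": "blocking"},                         # latest wins
]


def effective_sample():
    """Resolve the constructed sample and return (policy, findings)."""
    policy = resolve_policy(CORE, ADJUSTMENTS, MODIFICATIONS)
    return policy, lint_policy(policy)


if __name__ == "__main__":
    policy, findings = effective_sample()
    print(json.dumps(policy, indent=2))
    print("findings:", findings)
```

Running the module prints the resolved policy and one finding: Param2 is still in staging, while Param1 was taken out of staging by the second modification and keeps its type from the adjustments. Dropping the last modification would leave the enforcement mode at "transparent", which is the "modifications override adjustments" rule in action; a check like `lint_policy` is the natural place to fail the pipeline on that.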

Prerequisites

Before working with declarative policies, make sure you are familiar with the F5 BIG-IP Application Security Manager and general BIG-IP terminology. This information can be found in the F5 Knowledge Centers. To read, modify, or import declarative policies, you must have:

  • BIG-IP devices running version 16.1.x or later
  • BIG-IP Administrator role permissions
  • An active Advanced WAF license on the BIG-IP devices
  • F5 BIG-IP Terraform provider v1.15.2 or later

Example Usage

Example usage (the data sources produce the entity JSON that the policy resource consumes):

data "bigip_waf_entity_parameter" "Param1" {
  name            = "Param1"
  type            = "explicit"
  data_type       = "alpha-numeric"
  perform_staging = true
}

data "bigip_waf_entity_parameter" "Param2" {
  name            = "Param2"
  type            = "explicit"
  data_type       = "alpha-numeric"
  perform_staging = true
}

data "bigip_waf_entity_url" "URL" {
  name     = "URL1"
  protocol = "http"
}

data "bigip_waf_entity_url" "URL2" {
  name = "URL2"
}

resource "bigip_waf_policy" "test-awaf" {
  name                 = "testpolicyravi"
  partition            = "Common"
  template_name        = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
  application_language = "utf-8"
  enforcement_mode     = "blocking"
  server_technologies  = ["MySQL", "Unix/Linux", "MongoDB"]
  parameters           = [data.bigip_waf_entity_parameter.Param1.json, data.bigip_waf_entity_parameter.Param2.json]
  urls                 = [data.bigip_waf_entity_url.URL.json, data.bigip_waf_entity_url.URL2.json]
}

Terraform Integration Resources and Data Sources

F5 BIG-IP Advanced WAF Resources:

F5 BIG-IP Advanced WAF Data Sources: