

Merge pull request #21 from F5Networks/awaf_devel_integration
Adding AWAF integrations
RavinderReddyF5 authored Aug 8, 2022
2 parents 3e0fb8a + 5151d2a commit 49bdfe2
Showing 13 changed files with 675 additions and 23 deletions.
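--- a/examples/bigip_aws_3nic_deploy_awaf/DVGATest.tpl
+++ b/examples/bigip_aws_3nic_deploy_awaf/DVGATest.tpl
@@ -0,0 +1,70 @@
+{
+"class": "AS3",
+"action": "deploy",
+"persist": true,
+"declaration": {
+"class": "ADC",
+"schemaVersion": "3.2.0",
+"id": "Test_DVGA_AS3",
+"${tenant_name}": {
+"class": "Tenant",
+"defaultRouteDomain": 0,
+"DVGA": {
+"class": "Application",
+"template": "generic",
+"VS_DVGA": {
+"class": "Service_HTTPS",
+"remark": "Accepts HTTPS/TLS connections on port 443",
+"virtualAddresses": [
+"${vs_server}"
+],
+"virtualPort": 8084,
+"redirect80": false,
+"pool": "dvga_app_mem",
+"securityLogProfiles": [
+{
+"bigip": "/Common/Log all requests"
+}
+],
+"profileTCP": {
+"egress": "wan",
+"ingress": {
+"use": "TCP_Profile"
+}
+},
+"profileHTTP": {
+"use": "custom_http_profile"
+},
+"policyWAF": {
+"bigip": "${policy_ref}"
+},
+"serverTLS": {
+"bigip": "/Common/clientssl"
+}
+},
+"dvga_app_mem": {
+"class": "Pool",
+"monitors": [
+"http"
+],
+"members": [
+{
+"servicePort": ${app_port},
+"serverAddresses": [
+"${app_server}"
+]
+}
+]
+},
+"custom_http_profile": {
+"class": "HTTP_Profile",
+"xForwardedFor": true
+},
+"TCP_Profile": {
+"class": "TCP_Profile",
+"idleTimeout": 60
+}
+}
+}
+}
+}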
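Review bot: The `remark` on `VS_DVGA` says the service accepts connections on port 443, but `virtualPort` is 8084 and `redirect80` is false, so the annotation no longer describes the service it sits on; DVGATest_nopretect.tpl carries the same remark/port mismatch. Suggest `"remark": "Accepts HTTPS/TLS connections on port 8084"` in both templates, or drop the port number from the remark so it cannot drift again. `serverTLS` points at the stock `/Common/clientssl` profile, which on an unconfigured BIG-IP is typically backed by the factory default certificate; a one-line note in the template (or the example README) that this is a lab fixture and that a real client-SSL profile should be substituted outside a test environment would be worth adding.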
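--- a/examples/bigip_aws_3nic_deploy_awaf/DVGATest_nopretect.tpl
+++ b/examples/bigip_aws_3nic_deploy_awaf/DVGATest_nopretect.tpl
@@ -0,0 +1,67 @@
+{
+"class": "AS3",
+"action": "deploy",
+"persist": true,
+"declaration": {
+"class": "ADC",
+"schemaVersion": "3.2.0",
+"id": "Test_DVGA_AS3",
+"${tenant_name}": {
+"class": "Tenant",
+"defaultRouteDomain": 0,
+"DVGA": {
+"class": "Application",
+"template": "generic",
+"VS_DVGA": {
+"class": "Service_HTTPS",
+"remark": "Accepts HTTPS/TLS connections on port 443",
+"virtualAddresses": [
+"${vs_server}"
+],
+"virtualPort": 8084,
+"redirect80": false,
+"pool": "dvga_app_mem",
+"securityLogProfiles": [
+{
+"bigip": "/Common/Log all requests"
+}
+],
+"profileTCP": {
+"egress": "wan",
+"ingress": {
+"use": "TCP_Profile"
+}
+},
+"profileHTTP": {
+"use": "custom_http_profile"
+},
+"serverTLS": {
+"bigip": "/Common/clientssl"
+}
+},
+"dvga_app_mem": {
+"class": "Pool",
+"monitors": [
+"http"
+],
+"members": [
+{
+"servicePort": ${app_port},
+"serverAddresses": [
+"${app_server}"
+]
+}
+]
+},
+"custom_http_profile": {
+"class": "HTTP_Profile",
+"xForwardedFor": true
+},
+"TCP_Profile": {
+"class": "TCP_Profile",
+"idleTimeout": 60
+}
+}
+}
+}
+}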
54 changes: 54 additions & 0 deletions examples/bigip_aws_3nic_deploy_awaf/README.md
@@ -0,0 +1,54 @@
## Deploys F5 BIG-IP AWS Cloud

This Terraform module example deploys 3-NIC BIG-IP in AWS, deployed BIGIP will be having management/external/internal interface associated with user provided subnet and security-group

## Steps to clone and use the module example locally

```shell
git clone https://github.com/f5devcentral/terraform-aws-bigip-module
cd terraform-aws-bigip-module/examples/bigip_aws_3nic_deploy/
```

- Then follow the stated process in Example Usage below

## Example Usage

- Modify `terraform.tfvars` according to the requirement by changing `region` and `AllowedIPs` variables as follows:

```hcl
region = "ap-south-1"
AllowedIPs = ["0.0.0.0/0"]
```
- Next, run the following commands to create and destroy your configuration
```shell
terraform init
terraform plan
terraform apply
terraform destroy
```
#### Optional Input Variables
| Name | Description | Type | Default |
|------|-------------|------|---------|
| prefix | Prefix for resources created by this module | `string` | tf-aws-bigip |
| cidr | aws VPC CIDR | `string` | 10.2.0.0/16 |
| availabilityZones | If you want the VM placed in an Availability Zone, and the AWS region you are deploying to supports it, specify the numbers of the existing Availability Zone you want to use | `List` | ["us-east-1a"] |
#### Output Variables
| Name | Description |
|------|-------------|
| mgmtPublicIP | The actual ip address allocated for the resource |
| mgmtPublicDNS | fqdn to connect to the first vm provisioned |
| mgmtPort | Mgmt Port |
| f5\_username | BIG-IP username |
| bigip\_password | BIG-IP Password (if dynamic_password is choosen it will be random generated password or if aws_secretmanager_auth is choosen it will be aws_secretsmanager_secret_version secret string ) |
| mgmtPublicURL | Complete url including DNS and port|
| private\_addresses | List of BIG-IP private addresses |
| public\_addresses | List of BIG-IP public addresses |
| vpc\_id | VPC Id where BIG-IP Deployed |
**NOTE:** A local json file will get generated which contains the DO declaration
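--- a/examples/bigip_aws_3nic_deploy_awaf/bigip.tf
+++ b/examples/bigip_aws_3nic_deploy_awaf/bigip.tf
@@ -0,0 +1,84 @@
+terraform {
+required_providers {
+bigip = {
+source = "F5Networks/bigip"
+version = "1.15.0"
+}
+}
+}
+
+provider "bigip" {
+address = format("%s:%s", module.bigip.*.mgmtPublicIP[0], module.bigip.*.mgmtPort[0])
+username = module.bigip.*.f5_username[0]
+password = module.bigip.*.bigip_password[0]
+}
+
+resource "bigip_do" "postonboard3nic" {
+count = var.instance_count
+do_json = module.bigip[count.index].onboard_do
+# depends_on = [module.bigip]
+}
+
+resource "time_sleep" "wait_for_onboardbigip" {
+depends_on = [bigip_do.postonboard3nic]
+create_duration = "100s"
+}
+
+data "bigip_waf_entity_url" "URL" {
+name = "/graphql"
+protocol = "http"
+method = "*"
+perform_staging = true
+type = "explicit"
+}
+
+resource "bigip_waf_policy" "testgraphql" {
+application_language = "utf-8"
+name = "testgraphql"
+enforcement_mode = "blocking"
+template_name = "POLICY_TEMPLATE_GRAPHQL"
+type = "security"
+policy_builder {
+learning_mode = "disabled"
+}
+signatures_settings {
+signature_staging = false
+}
+graphql_profile {
+name = "graphql_profile"
+}
+file_types {
+name = "php"
+type = "explicit"
+}
+urls = [data.bigip_waf_entity_url.URL.json]
+signatures = [for k, v in data.bigip_waf_signatures.map : v.json]
+depends_on = [time_sleep.wait_for_onboardbigip]
+# modifications = [local.modifications]
+}
+
+# ## GRAPHQL NO PRETECT
+# ##
+# resource "bigip_as3" "as33" {
+# as3_json = templatefile("DVGATest_nopretect.tpl", {
+# tenant_name = "DVGATest"
+# app_server = format("%s",aws_instance.webserver.private_ip)
+# app_port = 9005
+# vs_server = format("%s",flatten(module.bigip.*.private_addresses[0].public_private.private_ip)[0])
+# policy_ref = format("/%s/%s", bigip_waf_policy.testgraphql.partition, bigip_waf_policy.testgraphql.name)
+# })
+# depends_on = [bigip_waf_policy.testgraphql,time_sleep.wait_for_onboardbigip]
+# }
+
+# GRAPHQL PRETECT
+#
+resource "bigip_as3" "as33" {
+as3_json = templatefile("DVGATest.tpl", {
+tenant_name = "DVGATest"
+app_server = format("%s", aws_instance.webserver.private_ip)
+app_port = 9005
+vs_server = format("%s", flatten(module.bigip.*.private_addresses[0].public_private.private_ip)[0])
+policy_ref = format("/%s/%s", bigip_waf_policy.testgraphql.partition, bigip_waf_policy.testgraphql.name)
+})
+depends_on = [bigip_waf_policy.testgraphql, time_sleep.wait_for_onboardbigip]
+}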
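Review bot: `signatures = [for k, v in data.bigip_waf_signatures.map : v.json]` in `bigip_waf_policy.testgraphql` references a `data "bigip_waf_signatures" "map"` that is not declared in this file; unless it lives in one of the other files of this example, `terraform validate` will reject the reference, and if it does live elsewhere a comment above that line naming the file would make the dependency visible. `time_sleep.wait_for_onboardbigip` pins readiness to a fixed `100s` with no explanation; the value should at least carry a why-comment such as `# DO onboarding is asynchronous; let it settle before the WAF policy is created (TODO: replace with a readiness check)` so the next person does not shorten it blindly. The `# depends_on = [module.bigip]` left commented inside `bigip_do.postonboard3nic` should be removed or explained, since the `module.bigip[count.index].onboard_do` reference already establishes that ordering. The provider block mixes `module.bigip.*.x[0]` splats with the indexed `module.bigip[count.index]` form used two resources later; picking one form for the file would read more consistently.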
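--- a/examples/bigip_aws_3nic_deploy_awaf/init.sh
+++ b/examples/bigip_aws_3nic_deploy_awaf/init.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+sudo rm -rf /var/lib/cloud/*
+sudo apt upgrade -y
+sudo apt update -y
+sudo apt install docker.io -y
+sudo service docker start
+sudo usermod -a -G docker $USER
+sudo docker run --name docker-nginx -dit -p 9004:80 nginx:latest
+sudo docker run --name juice-shop -dit -p 9000:3000 registry.hub.docker.com/bkimminich/juice-shop
+sudo docker run --name web-dvwa -dit -p 9001:80 registry.hub.docker.com/vulnerables/web-dvwa
+sudo docker run --name hackazon -dit -p 9002:80 registry.hub.docker.com/ianwijaya/hackazon
+sudo docker run --name graphql -dit -p 9005:5013 -e WEB_HOST=0.0.0.0 dolevf/dvga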
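Review bot: `sudo apt upgrade -y` runs before `sudo apt update -y`, so the upgrade works from whatever package index the base image shipped with; the two lines should be swapped to `sudo apt update -y` followed by `sudo apt upgrade -y`. The `docker run` lines start intentionally vulnerable applications (juice-shop, web-dvwa, hackazon, dvga) with their ports published on every interface, and nothing in the script records that they are backend fixtures meant to be reached only through the BIG-IP virtual server; a header comment such as `# Backend test targets for the AWAF example: intentionally vulnerable apps, keep them reachable only via the BIG-IP VS` would make that intent explicit for anyone who copies this file. Every image is unpinned (`nginx:latest`, or no tag at all), so reruns are not reproducible and a changed upstream image silently changes the example; pinning by tag or digest is the usual fix. `$USER` is also unlikely to hold the intended login name if this runs as instance user-data, which the `rm -rf /var/lib/cloud/*` line suggests — worth confirming.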
