Introducing Cloud WAF Terraform Support

Liam Mayron

Staff Product Manager, Fastly

Terraform, from HashiCorp, enables DevOps teams to deploy cloud infrastructure as code. Fastly supports Terraform across our product lines, and today we’re excited to share enhancements to our Next-Gen WAF Terraform provider for our Cloud WAF deployment model, which will further streamline operations for our secure DevOps users.

A key capability of the Fastly Next-Gen WAF (powered by Signal Sciences) is the broadest range of deployment options for a WAF – on-premises, at the edge, or in the cloud. We combine this flexibility with a strong commitment to infrastructure as code (IaC) to support modern, automated deployment with solutions like Terraform. With today’s update, we’ve extended our Terraform support to include provisioning new Cloud WAF deployments for new application instances and managing certificates to secure them. This functionality, in addition to our existing Terraform providers for the core functionality of the Fastly Next-Gen WAF and Fastly CDN, enables DevOps teams to seamlessly deploy our cloud-based WAF solution alongside other changes to their environment when using Terraform. This functionality has always been part of our API and web interfaces, and now we have extended it to cover IaC use cases. 

Our cloud-based WAF deployment method is quick to deploy and easy to manage. There are no agents to deploy – we maintain the WAF and run it in our cloud infrastructure. Instead, a simple DNS change is all that’s needed to protect your applications with the Fastly Next-Gen WAF. A single management console streamlines monitoring and maintenance of all WAF instances, even in hybrid environments with a mix of cloud, edge, and agent deployments. 

Deploying a Cloud WAF instance is documented on the Terraform Registry `sigsci_corp_cloudwaf_instance` resource page and can be done with the following HCL:

```hcl
resource "sigsci_corp_cloudwaf_instance" "test_corp_cloudwaf" {
  name                      = "Test CloudWAF"
  description               = "for test"
  region                    = "ap-northeast-1"
  tls_min_version           = "1.2" # minimum TLS version accepted from clients
  use_uploaded_certificates = true  # serve certificates you uploaded yourself

  workspace_configs {
    site_name          = sigsci_site.this.short_name
    instance_location  = "direct"
    listener_protocols = ["https", ]

    routes {
      # IDs of the uploaded certificates to present for the domains below
      certificate_ids = [
        "A01bc234-5678-9de0-a12b-3456c789d12d",
      ]
      connection_pooling  = true
      domains             = ["example.com", ]
      origin              = "https://origin.example.com"
      pass_host_header    = true
      trust_proxy_headers = false
    }
  }
}
```

Additionally, when using your own domain names with cloud-based deployments (as opposed to Fastly subdomains), it is possible to upload your own certificates to be associated with those domains. To upload your own certificates, use the `sigsci_corp_cloudwaf_certificate` resource (defined below). For certificates, in-place updates only support changing the name, so any change to the private key or certificates will result in a new resource being created. See more on this in the Terraform Registry documentation.

```hcl
resource "sigsci_corp_cloudwaf_certificate" "test_corp_cloudwaf_certificate" {
  name             = "Test Cloud WAF Certificate"
  certificate_body = <<CERT
-----BEGIN CERTIFICATE-----
[encoded certificate]
-----END CERTIFICATE-----
CERT
  certificate_chain = <<CHAIN
-----BEGIN CERTIFICATE-----
[encoded certificate chain]
-----END CERTIFICATE-----
CHAIN
  private_key = <<PRIVATEKEY
-----BEGIN PRIVATE KEY-----
[encoded privatekey]
-----END PRIVATE KEY-----
PRIVATEKEY
}
```
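The certificate upload above, rewritten as an added example (not code from the original post or from Fastly) so the private key is not hard-coded in HCL and the instance references the certificate by resource rather than by a literal ID. The variable name, file paths and the use of `create_before_destroy` are assumptions, as is a configured `sigsci` provider with the `sigsci_site.this` resource that the post's own snippet references.

```hcl
# Added example, not from the original post. Variable name and file paths are
# hypothetical; sigsci_site.this is the site referenced by the post's snippet.
variable "cloudwaf_private_key_pem" {
  description = "PEM private key; supply via TF_VAR_cloudwaf_private_key_pem or a secrets manager."
  type        = string
  sensitive   = true # redacted in plan/apply output, but still written to state

  validation {
    condition     = can(regex("-----BEGIN (RSA |EC )?PRIVATE KEY-----", var.cloudwaf_private_key_pem))
    error_message = "The value must be a PEM-encoded private key."
  }
}

resource "sigsci_corp_cloudwaf_certificate" "example" {
  name              = "Example Cloud WAF Certificate"
  certificate_body  = file("${path.module}/certs/example.com.crt")
  certificate_chain = file("${path.module}/certs/example.com.chain.crt")
  private_key       = var.cloudwaf_private_key_pem

  # Changing the key or certificate replaces this resource (per the post).
  # Assumption: the API lets old and new certificates coexist, so the
  # replacement can be created and attached before the old one is destroyed.
  lifecycle {
    create_before_destroy = true
  }
}

resource "sigsci_corp_cloudwaf_instance" "example" {
  name                      = "Example CloudWAF"
  description               = "example"
  region                    = "ap-northeast-1"
  tls_min_version           = "1.2"
  use_uploaded_certificates = true
  workspace_configs {
    site_name          = sigsci_site.this.short_name
    instance_location  = "direct"
    listener_protocols = ["https"]
    routes {
      # Assumption: the certificate resource's id is the value certificate_ids expects.
      certificate_ids     = [sigsci_corp_cloudwaf_certificate.example.id]
      connection_pooling  = true
      domains             = ["example.com"]
      origin              = "https://origin.example.com"
      pass_host_header    = true
      trust_proxy_headers = false
    }
  }
}
```

Terraform stores `private_key` in plaintext in the state file even when the variable is marked sensitive, so keep state in a remote backend with encryption at rest and restricted access.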

Ready to get started? Get the Fastly WAF Terraform provider today. 
