Use Terraform to Manage CloudGuard WAF
The CloudGuard WAF Terraform provider allows configuration of all aspects of CloudGuard WAF using Infrastructure as Code (IaC).
Terraform uses the concept of Providers to provide an open-source feature-rich plugin system. Providers adopt specific conventions programmatically that allow them to express the CRUD lifecycle of individual resources and how to maintain and verify the state of existing deployed resources.
The deployment option for WAF SaaS is currently not available. We are actively working on developing a Terraform provider for our WAF SaaS deployment option and will notify our users once it becomes available.
Terraform Resources
The terraform files and usage examples are available in 2 locations:
The Terraform registry.
The origin GitHub repository for the Terraform registry.
API Keys For Terraform Provider Access
Step 1: Get API Keys
Follow the "Create an API Key" action in the Management API reference guide.
We strongly recommend that you store the credentials in a secured and authenticated location, like HashiCorp's vault or other vault.
Step 2: Use the API Keys in Terraform Provider
The API Keys' credentials can be used by the provider in 3 different methods:
Saved in the environment variables INEXT_CLIENT_ID and INEXT_ACCESS_KEY.
(Less secure) Explicitly set within the terraform file using the client_id and access_key fields in the provider block, as seen in the example tf files in this documentation.
Terraform input variables.
When keys are stored in a vault, make sure to have a protected process to inject the keys from the vault into Terraform Provider, without additional systems being able to access them.
Using the Terraform Provider
A terraform file includes a list of the terraform providers to use. Make sure the following is added to the beginning of each of your terraform files:
Terraform Input Variables for the "inext" provider
Region
According to your tenant's data residency as can be seen in Global Settings->Account Settings.
Ireland
eu
United States
us
API Keys
client_id and access_key - optional variables, as explained above, providing another method of sending the API keys.
Enforce Tool
A unique aspect to using CloudGuard WAF is the "Enforce" action.
Terraform is used to configure the system and create a configuration state that can be changed when required. However, "Enforce" is not a state but a single action that tells CloudGuard WAF to pass the configured security to the agents.
In essence, all changes that are made when running terraform apply
are done under a session of the configured API key. In CloudGuard WAF, each session must be published to be able to enforce your configured policies on your assets. Think of it as committing your changes to be able to make a release.
It is normally performed after every configuration change, but it is not an inherent action to configuration changes. For this reason there is a separate tool provided to processes to enforce the policy configuration.
Enforce Tool Download
The "Enforce" CLI tool is available through our GitHub repository.
This repository includes a CLI utility for this exact use case, which includes 2 commands: publish
and enforce
.
Enforce Tool Usage
There are three options to pass the client ID, access key and region when publishing or enforcing a policy using the CLI:
Option 1: Set the environment variables:
INEXT_REGION
,INEXT_CLIENT_ID
andINEXT_ACCESS_KEY
and runinext <command>
Using this method right afterterraform apply
will use the same environment variables that were already injected in the method of your choosing.Option 2: Set credentials using command line parameters
--client-id
(shorthand-c
) for client ID,--access-key
(shorthand-k
) for the access key, and -r for region.Option 3: Create a yaml file at
~/.inext.yaml
with the following content:Run
inext <command>
and the CLI would use the file ~/.inext.yaml by default, you could also configure a different path for this configuration file using:inext --config <path> enforce
Example Terraform Files
We are providing example Terraform files to both test and use as a baseline for your configurations.
Download
See the links to the Terraform Resources at the top of the page. Each option also includes the example files.
Usage
Make sure you install Terraform according to the instructions in the Terraform website.
Open a command line to the folder where the example file was unzipped.
For the example, set the environment variables using the export command to your API keys. Otherwise, as noted in the API Keys section, create a secure process to transfer the API Keys from a secure location like a vault to the terraform deployment process.
Edit the Terraform files if you wish to adjust the example.
Run:
terraform init
Run
terraform apply
, verify that the resource is planned for creation, enter yes, and press Enter.You can verify the configuration was applied by browsing to Infinity Portal and watching the objects in the Web UI.
Last updated