resolved conflicts
Ishika RAY committed Dec 6, 2024
2 parents 470e978 + cded2a5 commit 96ce14c
Showing 15 changed files with 122 additions and 36 deletions.
11 changes: 6 additions & 5 deletions .github/workflows/waf-k8s-apply.yml
Expand Up @@ -5,6 +5,7 @@ on:
branches:
- deploy-waf-k8s
pull_request:
workflow_dispatch:

jobs:
terraform_infra:
Expand Down Expand Up @@ -77,7 +78,7 @@ jobs:
run: exit 1

- name: Terraform Apply
if: github.ref == 'refs/heads/deploy-waf-k8s' && github.event_name == 'push'
if: github.ref == 'refs/heads/deploy-waf-k8s' && ( github.event_name == 'push' || github.event_name == 'workflow_dispatch')
run: terraform apply -auto-approve -input=false

terraform_eks:
Expand Down Expand Up @@ -151,7 +152,7 @@ jobs:
run: exit 1

- name: Terraform Apply
if: github.ref == 'refs/heads/deploy-waf-k8s' && github.event_name == 'push'
if: github.ref == 'refs/heads/deploy-waf-k8s' && ( github.event_name == 'push' || github.event_name == 'workflow_dispatch')
run: terraform apply -auto-approve -input=false


Expand Down Expand Up @@ -226,7 +227,7 @@ jobs:
run: exit 1

- name: Terraform Apply
if: github.ref == 'refs/heads/deploy-waf-k8s' && github.event_name == 'push'
if: github.ref == 'refs/heads/deploy-waf-k8s' && ( github.event_name == 'push' || github.event_name == 'workflow_dispatch')
run: terraform apply -auto-approve -input=false


Expand Down Expand Up @@ -341,7 +342,7 @@ jobs:
run: exit 1

- name: Terraform Apply
if: github.ref == 'refs/heads/deploy-waf-k8s' && github.event_name == 'push'
if: github.ref == 'refs/heads/deploy-waf-k8s' && ( github.event_name == 'push' || github.event_name == 'workflow_dispatch')
run: terraform apply -auto-approve -input=false


Expand Down Expand Up @@ -417,7 +418,7 @@ jobs:
run: exit 1

- name: Terraform Apply
if: github.ref == 'refs/heads/deploy-waf-k8s' && github.event_name == 'push'
if: github.ref == 'refs/heads/deploy-waf-k8s' && ( github.event_name == 'push' || github.event_name == 'workflow_dispatch')
run: terraform apply -auto-approve -input=false
env:
TF_VAR_site_name: ${{ secrets.TF_VAR_site_name }}
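Review bot: With `workflow_dispatch:` added to the triggers, every `terraform apply -auto-approve -input=false` step now runs on a manual dispatch as well as a push, and the only gate left in the widened `if:` on the five Terraform Apply steps is `github.ref == 'refs/heads/deploy-waf-k8s'`, so anyone who can dispatch the workflow on that branch can apply infrastructure without a reviewed push. If that branch is not protected, a job-level `environment:` with required reviewers on the apply jobs would keep a manual run behind an approval. The same condition is duplicated five times, which invites drift; at minimum tidy the uneven spacing to `(github.event_name == 'push' || github.event_name == 'workflow_dispatch')`. The job bodies continue outside the visible hunks.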
2 changes: 1 addition & 1 deletion .github/workflows/waf-on-ce-aws-apply.yml
Expand Up @@ -301,4 +301,4 @@ jobs:

- name: Terraform Apply
if: github.ref == 'refs/heads/deploy-waf-aws-ce' && github.event_name == 'push'
run: terraform apply -auto-approve -input=false
run: terraform apply -auto-approve -input=false
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -64,8 +64,9 @@ Examples of F5 Distributed Cloud (XC) deployments utilizing Terraform. For more
| [**PRE-REQUISITE:** Intro Course (Introduction and Initial Automation Configuration)](https://trainingf5cloud.teachable.com/p/automation-examples) | [**PRE-REQUISITE:** Initial Configuration for Teachable Courses GIT Repo](https://github.com/f5devcentral/f5-xc-terraform-examples/tree/main/teachable/00-intro) |
| [Multi-Cloud Networking Course (Network Connect)](https://trainingf5cloud.teachable.com/p/automation-examples-mcn-network-connect) | [MCN Network Connect GIT Repo](https://github.com/f5devcentral/f5-xc-terraform-examples/tree/main/teachable/01-mcn-networkconnect) |
| [Multi-Cloud Networking Course (App Connect)](https://trainingf5cloud.teachable.com/p/automation-examples-mcn-app-connect) | [MCN App Delivery Fabric GIT Repo](https://github.com/f5devcentral/f5-xc-terraform-examples/blob/main/workflow-guides/smcn/app-delivery-fabric/README.rst) |
| [F5 Distributed Cloud Web Application Firewall (WAF) on Customer Edge](https://trainingf5cloud.teachable.com/p/waf-on-ce) | [Deploy F5 XC WAF on XC Customer Edge in Azure (SaaS Console, Automation)](https://github.com/f5devcentral/f5-xc-waap-terraform-examples/blob/main/workflow-guides/waf/f5-xc-waf-on-ce/azure/README.rst) |
| [F5 Distributed Cloud Web Application Firewall (WAF) on Customer Edge: Azure](https://trainingf5cloud.teachable.com/p/waf-on-ce) | [Deploy F5 XC WAF on XC Customer Edge in Azure (SaaS Console, Automation)](https://github.com/f5devcentral/f5-xc-waap-terraform-examples/blob/main/workflow-guides/waf/f5-xc-waf-on-ce/azure/README.rst) |
| [F5 Distributed Cloud API Security on Customer Edge](https://trainingf5cloud.teachable.com/p/api_security_on_customer_edge) | [Deploy F5 XC API Security on XC Customer Edges (SaaS Console, Automation)](https://github.com/f5devcentral/f5-xc-waap-terraform-examples/blob/main/workflow-guides/api-security/f5-xc-apisec-on-ce-eks/README.rst) |
| [F5 Distributed Cloud Web Application Firewall (WAF) on Customer Edge: AWS](https://trainingf5cloud.teachable.com/p/web-application-firewall-waf-on-customer-edge-aws) | [Deploy F5 XC WAF on XC Customer Edge in AWS (SaaS Console, Automation)](https://github.com/f5devcentral/f5-xc-waap-terraform-examples/blob/main/workflow-guides/waf/f5-xc-waf-on-ce/aws/README.rst) |


## Getting Started
2 changes: 1 addition & 1 deletion aws/eks-cluster/ce-deployment/data.tf
@@ -1,6 +1,6 @@
data "tfe_outputs" "infra" {
organization = var.tf_cloud_organization
workspace = "${coalesce(var.aws_waf_ce, "infra")}"
workspace = "${coalesce(var.aws_waf_ce, "aws-infra")}"
}
data "tfe_outputs" "eks" {
organization = var.tf_cloud_organization
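Review bot: The fallback in `coalesce(var.aws_waf_ce, ...)` now differs between files: assuming the lower line of each printed pair is the post-merge side, this file falls back to `"aws-infra"` while `aws/eks-cluster/data.tf` and `shared/booksinfo/data.tf` later in this commit fall back to `"infra"`, and `aws/eks-cluster/ce-deployment/variables.tf` sets `default = ""`, which makes the fallback the value that is actually used, so the three `data "tfe_outputs" "infra"` blocks would read different Terraform Cloud workspaces for the same variable. The automation guide changed in this commit tells users to adjust the default "if it's not `infra`", so `workspace = "${coalesce(var.aws_waf_ce, "infra")}"` looks like the intended value here. The `"${...}"` wrapper around a single expression is also redundant in HCL2 — `workspace = coalesce(var.aws_waf_ce, "infra")` reads the same.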
2 changes: 1 addition & 1 deletion aws/eks-cluster/ce-deployment/variables.tf
Expand Up @@ -7,5 +7,5 @@ variable "tf_cloud_organization" {
variable "aws_waf_ce" {
description = "Infra workspace name in terraform cloud."
type = string
default = "aws-infra"
default = ""
}
2 changes: 1 addition & 1 deletion aws/eks-cluster/data.tf
@@ -1,6 +1,6 @@
data "tfe_outputs" "infra" {
organization = var.tf_cloud_organization
workspace = "${coalesce(var.aws_waf_ce, "aws-infra")}"
workspace = "${coalesce(var.aws_waf_ce, "infra")}"
}

data "aws_instances" "my_worker_nodes" {
4 changes: 2 additions & 2 deletions aws/eks-cluster/eks_cluster.tf
@@ -1,4 +1,3 @@

# Create EKS cluster and node groups
resource "aws_eks_cluster" "eks-tf" {

Expand All @@ -25,8 +24,9 @@ resource "aws_eks_node_group" "private-node-group-1-tf" {
node_group_name = format("%s-private-ng-1-%s", local.project_prefix, local.build_suffix)
node_role_arn = aws_iam_role.workernodes.arn
subnet_ids = var.skip_private_subnet_creation ? [for i in aws_subnet.eks-external: i.id] : [for i in aws_subnet.eks-internal: i.id]
disk_size = 30
instance_types = ["t3.xlarge"]

scaling_config {
desired_size = var.desired_size
max_size = var.max_size
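Review bot: `disk_size = 30` and `instance_types = ["t3.xlarge"]` are hard-coded in `aws_eks_node_group.private-node-group-1-tf` right next to a `scaling_config` that already takes `var.desired_size` and `var.max_size`; whichever of the two lines is the addition in this hunk, an input variable with the same default (for example `instance_types = var.instance_types`) would keep node sizing consistent with the rest of the resource and let users change the node type or disk without editing the resource. The resource block starts and ends outside the visible hunk.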
2 changes: 1 addition & 1 deletion shared/booksinfo/data.tf
@@ -1,6 +1,6 @@
data "tfe_outputs" "infra" {
organization = var.tf_cloud_organization
workspace = "${coalesce(var.aws_waf_ce, "aws-infra")}"
workspace = "${coalesce(var.aws_waf_ce, "infra")}"
}
data "tfe_outputs" "eks" {
organization = var.tf_cloud_organization
Binary file not shown.
Expand Up @@ -192,7 +192,7 @@ Workflow File: `mcn-smg-destroy.yaml </.github/workflows/mcn-smg-destroy.yaml>`_

**STEP 7:** Once CE sites are online, to validate the test infra & demo app accessibility, copy the public IP of CE site in `GCP CE Site View mode`.

.. image:: assets/gcp-site-ip.jpg
.. image:: assets/gcp-site-ip-step7.jpg

**STEP 8:** Add this IP in your hosts file mapping to your product page load balancer domain name (or you can create A record in your domain registrar) and you should be able to access the demo application as below

Expand Up @@ -193,7 +193,7 @@ Testing:
Step by step process using automation scripts
#############################################

Coming Soon...
Check this `readme <./automation-demo-guide.rst>`_ for more details on automation.


**Support**
Binary file modified workflow-guides/waf/f5-xc-waf-on-k8s/assets/xc-tfvars.JPG
104 changes: 94 additions & 10 deletions workflow-guides/waf/f5-xc-waf-on-k8s/automation-workflow.rst
Expand Up @@ -23,13 +23,16 @@ Prerequisites
Workflow Steps
-----------------

Create a token
-----------------------
- For deploying WAF on k8s, please copy both yml files in workflow folder to root folder .github/workflows folder. For ex: `waf-k8s-apply.yml <https://github.com/f5devcentral/f5-xc-terraform-examples/blob/main/.github/workflows/waf-k8s-apply.yml>`__

- Login to Distributed Cloud, click on `Multi-Cloud-Connect`, navigate to `Site Management` and then to `Site Tokens` as shown below

.. image:: /workflow-guides/waf/f5-xc-waf-on-k8s/assets/site-token.jpg

- Create a site token with CE site name (`ce-k8s`) and copy the ID
- Create a site token with CE site name and copy the ID & name.
**NOTE: MAKE SURE TOKEN IS NEWLY CREATED OR EXISTING TOKEN NOT BEING USED BY OTHER CE SITES FROM REGISTRATIONS PAGE IN SITE MANAGEMENT DROP-DOWN**


List of Products Used
Expand Down Expand Up @@ -100,8 +103,8 @@ GitHub
- TF_CLOUD_ORGANIZATION: Your Terraform Cloud Organization name
- TF_CE_LATITUDE: Your CE location latitude
- TF_CE_LONGITUDE: Your CE location longitude
- TF_CE_TOKEN: CE token ID generated in Distributed Cloud
- TF_VAR_SITE_NAME: CE site name to be registered
- TF_CE_TOKEN: CE token ID generated from above `Create a token` section
- TF_VAR_SITE_NAME: CE site name to be registered. **NOTE: Make sure this matches with the token name created in `Create a token` section**
- TF_CLOUD_WORKSPACE\_\ *<Workspace Name>*: Create for each
workspace in your workflow per each job

Expand Down Expand Up @@ -163,17 +166,98 @@ f5-xc-waf-on-k8s destroy-waf-k8s

- k8s_pool = "true if backend is residing in k8s"

- serviceName = "k8s service name of backend. Set this to productpage.default."
- serviceName = "k8s service name of backend. If you are using our demo app set this to **productpage.default**."

- serviceport = "k8s service port of backend. For bookinfo demo application you can keep this value as 9080."

- advertise_sites = "set to false if want to advertise on public"

- http_only = "set to true if want to advertise on http protocol"

Check below image for sample data
- advertise_sites = "set to true as we want to advertise this on CE"

- http_only = "set to true as we want to use only http protocol"

**NOTE: Please don't add site_name varible once again here as this variable is already added in action secrets. Keep other fields as false**

Check below file content for sample tfvars data

.. code-block:: language
#XC Global
api_url = "https://tenant.console.ves.volterra.io/api"
xc_tenant = "tenant-id"
xc_namespace = "default"
#XC LB
app_domain = "waf-k8s.<domain>.com"
#XC WAF
xc_waf_blocking = true
xc_data_guard = "false"
# k8 pool and LB inputs
k8s_pool = "true"
serviceName = "productpage.default"
serviceport = "9080"
advertise_sites = "true"
http_only = "true"
eks_ce_site = "true"
user_site = "true"
#Only set to true if infrastructure is vk8s in XC
vk8s = false
xc_project_prefix = ""
xc_delegation = "false"
ip_address_on_site_pool = "false"
#XC Azure CE site creation
az_ce_site = "false"
#XC Service Discovery
xc_service_discovery = "false"
#XC AI/ML Settings for MUD, APIP - NOTE: Only set if using AI/ML settings from the shared namespace
xc_app_type = []
xc_multi_lb = false
#XC API Protection and Discovery
xc_api_disc = false
xc_api_pro = false
xc_api_spec = []
#Enable API schema validation
xc_api_val = false
#Enable API schema validation on all endpoints
xc_api_val_all = false
#Validation properties for request and response validation
xc_api_val_properties = [] #Example ["PROPERTY_QUERY_PARAMETERS", "PROPERTY_PATH_PARAMETERS", "PROPERTY_CONTENT_TYPE", "PROPERTY_COOKIE_PARAMETERS", "PROPERTY_HTTP_HEADERS", "PROPERTY_HTTP_BODY"]
xc_resp_val_properties = [] #Example ["PROPERTY_HTTP_HEADERS", "PROPERTY_CONTENT_TYPE", "PROPERTY_HTTP_BODY", "PROPERTY_RESPONSE_CODE"]
#Validation Mode active for requests and responses (false = skip)
xc_api_val_active = false
xc_resp_val_active = false
#Validation Enforment Type (only one of these should be set to true)
enforcement_block = false
enforcement_report = false
#Allow access to unprotected endpoints
fall_through_mode_allow = false
#Enable API Validation custom rules
xc_api_val_custom = false
#XC Bot Defense
xc_bot_def = false
#XC DDoS
xc_ddos_pro = false
#XC Malicious User Detection
xc_mud = false
# CE configs
gcp_ce_site = "false"
aws_ce_site = "false"
# infra (Needed values: aws-infra, azure-infra, gcp-infra)
aws = "aws-infra"
azure = ""
gcp = ""
.. image:: /workflow-guides/waf/f5-xc-waf-on-k8s/assets/xc-tfvars.JPG
**STEP 4:** Also update default value of ``aws_waf_ce`` variable in ``variables.tf`` file of ``/aws/eks-cluster``, ``/aws/eks-cluster/ce-deployment`` and ``/shared/booksinfo`` folders if it's not ``infra``. Commit and push your build branch to your forked repo, Build will run and can be monitored in the GitHub Actions tab and TF Cloud console

22 changes: 11 additions & 11 deletions xc/terraform.tfvars
@@ -1,7 +1,11 @@
#Global
#Only set to true if infrastructure is vk8s in XC
vk8s = false
<<<<<<< HEAD
xc_project_prefix = ""
=======
xc_project_prefix = "cek8s"
>>>>>>> cded2a5f0506bddb6b104012aa0bf53066bf6e62
#XC Global
api_url = "https://treino.console.ves.volterra.io/api"
Expand All @@ -15,6 +19,12 @@ app_domain = "waf-k8s.f5-hyd-xcdemo.com"
xc_waf_blocking = true
xc_data_guard = "false"
#XC Azure CE site creation
az_ce_site = "false"
#XC Service Discovery
xc_service_discovery = "false"
# k8 pool and LB inputs
k8s_pool = "true"
serviceName = "productpage.default"
Expand All @@ -24,17 +34,6 @@ http_only = "true"
eks_ce_site = "true"
user_site = "true"


xc_delegation = "false"
ip_address_on_site_pool = "false"

#XC Azure CE site creation
az_ce_site = "false"

#XC Service Discovery
xc_service_discovery = "false"

#XC AI/ML Settings for MUD, APIP - NOTE: Only set if using AI/ML settings from the shared namespace
xc_app_type = []
xc_multi_lb = false
Expand Down Expand Up @@ -73,6 +72,7 @@ xc_mud = false
# CE configs
gcp_ce_site = "false"
aws_ce_site = "false"
site_name = "ce-k8s"
# infra (Needed values: aws-infra, azure-infra, gcp-infra)
aws = "aws-infra"
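Review bot: Unresolved merge-conflict markers are committed in the first hunk — `<<<<<<< HEAD`, `=======` and `>>>>>>> cded2a5f0506bddb6b104012aa0bf53066bf6e62` around the two `xc_project_prefix` lines — so Terraform will fail to parse this tfvars file; keep one of `xc_project_prefix = ""` / `xc_project_prefix = "cek8s"` and drop the three marker lines. Separately, the last hunk adds `site_name = "ce-k8s"` while the automation guide changed in this commit tells users not to set `site_name` in tfvars because it comes from the `TF_VAR_site_name` action secret; a value in terraform.tfvars takes precedence over a `TF_VAR_` environment variable, so the secret would be ignored in favour of `ce-k8s`. Either remove the line or update the guide so the two agree.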
