From ca962450a92e504a95cf86c1f2995638fda8bb25 Mon Sep 17 00:00:00 2001 
From: Janibasha Date: Mon, 4 Sep 2023 22:13:02 +0530 Subject: [PATCH] updated work-flow and files --- .../.github}/workflows/waap-k8s-apply.yml | 276 ++++++++- .../.github}/workflows/waap-k8s-destroy.yml | 0 .../f5-xc-waf-on-k8s/k8s-ce/bookinfo-app.tf | 535 ------------------ .../waf/f5-xc-waf-on-k8s/k8s-ce/ce-k8s-lb.tf | 22 - .../waf/f5-xc-waf-on-k8s/k8s-ce/main.tf | 475 ---------------- .../{ => terraform}/booksinfo/data.tf | 0 .../{ => terraform}/booksinfo/locals.tf | 0 .../{ => terraform}/booksinfo/main.tf | 0 .../{ => terraform}/booksinfo/providers.tf | 0 .../{ => terraform}/booksinfo/variables.tf | 2 +- .../{ => terraform}/booksinfo/versions.tf | 9 +- .../terraform/ce-deployment/ce-deploy.tf | 294 ++++++++++ .../terraform/ce-deployment/data.tf | 12 + .../terraform/ce-deployment/locals.tf | 7 + .../terraform/ce-deployment/providers.tf | 10 + .../terraform/ce-deployment/variables.tf | 24 + .../terraform/ce-deployment/versions.tf | 11 + .../terraform/lb-ce/ce-k8s-lb.tf | 16 + .../f5-xc-waf-on-k8s/terraform/lb-ce/data.tf | 13 + .../terraform/lb-ce/locals.tf | 7 + .../terraform/lb-ce/providers.tf | 10 + .../terraform/lb-ce/variables.tf | 10 + .../terraform/lb-ce/versions.tf | 11 + .../terraform/registration/data.tf | 8 + .../terraform/registration/locals.tf | 6 + .../terraform/registration/providers.tf | 3 + .../terraform/registration/registration.tf | 7 + .../terraform/registration/variables.tf | 20 + .../terraform/registration/versions.tf | 9 + .../waf/f5-xc-waf-on-k8s/terraform/xc/data.tf | 4 + .../f5-xc-waf-on-k8s/terraform/xc/locals.tf | 6 + .../f5-xc-waf-on-k8s/terraform/xc/outputs.tf | 9 + .../terraform/xc/providers.tf | 3 + .../terraform/xc/variables.tf | 47 ++ .../f5-xc-waf-on-k8s/terraform/xc/versions.tf | 9 + .../terraform/xc/xc_loadbalancer.tf | 71 +++ .../f5-xc-waf-on-k8s/terraform/xc/xc_waf.tf | 20 + 37 files changed, 919 insertions(+), 1047 deletions(-) rename {.github => workflow-guides/waf/f5-xc-waf-on-k8s/.github}/workflows/waap-k8s-apply.yml 
(52%) rename {.github => workflow-guides/waf/f5-xc-waf-on-k8s/.github}/workflows/waap-k8s-destroy.yml (100%) delete mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/k8s-ce/bookinfo-app.tf delete mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/k8s-ce/ce-k8s-lb.tf delete mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/k8s-ce/main.tf rename workflow-guides/waf/f5-xc-waf-on-k8s/{ => terraform}/booksinfo/data.tf (100%) rename workflow-guides/waf/f5-xc-waf-on-k8s/{ => terraform}/booksinfo/locals.tf (100%) rename workflow-guides/waf/f5-xc-waf-on-k8s/{ => terraform}/booksinfo/main.tf (100%) rename workflow-guides/waf/f5-xc-waf-on-k8s/{ => terraform}/booksinfo/providers.tf (100%) rename workflow-guides/waf/f5-xc-waf-on-k8s/{ => terraform}/booksinfo/variables.tf (61%) rename workflow-guides/waf/f5-xc-waf-on-k8s/{ => terraform}/booksinfo/versions.tf (51%) create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/ce-deployment/ce-deploy.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/ce-deployment/data.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/ce-deployment/locals.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/ce-deployment/providers.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/ce-deployment/variables.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/ce-deployment/versions.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/lb-ce/ce-k8s-lb.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/lb-ce/data.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/lb-ce/locals.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/lb-ce/providers.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/lb-ce/variables.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/lb-ce/versions.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/registration/data.tf 
create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/registration/locals.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/registration/providers.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/registration/registration.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/registration/variables.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/registration/versions.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/xc/data.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/xc/locals.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/xc/outputs.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/xc/providers.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/xc/variables.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/xc/versions.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/xc/xc_loadbalancer.tf create mode 100644 workflow-guides/waf/f5-xc-waf-on-k8s/terraform/xc/xc_waf.tf diff --git a/.github/workflows/waap-k8s-apply.yml b/workflow-guides/waf/f5-xc-waf-on-k8s/.github/workflows/waap-k8s-apply.yml similarity index 52% rename from .github/workflows/waap-k8s-apply.yml rename to workflow-guides/waf/f5-xc-waf-on-k8s/.github/workflows/waap-k8s-apply.yml index d623f5bc8..fd2872003 100644 --- a/.github/workflows/waap-k8s-apply.yml +++ b/workflow-guides/waf/f5-xc-waf-on-k8s/.github/workflows/waap-k8s-apply.yml @@ -1,4 +1,4 @@ -name: "WAAP + K8s Apply" +name: "WAF on K8s Apply" on: push: 
@@ -154,13 +154,14 @@ jobs: if: github.ref == 'refs/heads/deploy-waap-k8s' && github.event_name == 'push' run: terraform apply -auto-approve -input=false + terraform_bookinfo: - name: "Booksinfo WebApp" + name: "Bookinfo" runs-on: ubuntu-latest needs: terraform_eks defaults: run: - working-directory: ./workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo + working-directory: ./workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo steps: - name: Checkout uses: actions/checkout@v3 
@@ -228,14 +229,277 @@ jobs: run: terraform apply -auto-approve -input=false + terraform_ce: + name: "CE Deployment" + runs-on: ubuntu-latest + needs: terraform_bookinfo + defaults: + run: + working-directory: ./workflow-guides/waf/f5-xc-waf-on-k8s/terraform/ce-deployment + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v2 + with: + cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} + + - name: Setup Terraform Backend + id: backend + run: | + cat > configmap.tf << EOF + terraform { + cloud { + organization = "${{ secrets.TF_CLOUD_ORGANIZATION }}" + workspaces { + name = "${{ secrets.TF_CLOUD_WORKSPACE_CE }}" + } + } + } + EOF + + - name: Setup Configmap + id: configmap + run: | + cat > backend.tf << EOF + resource "kubectl_manifest" "configmap" { + yaml_body = <Show Plan + \`\`\`\n + ${process.env.PLAN} + \`\`\` + + *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + - name: Terraform Plan Status + if: steps.plan.outcome == 'failure' + run: exit 1 + + - name: Terraform Apply + if: github.ref == 'refs/heads/deploy-waap-k8s' && github.event_name == 'push' + run: terraform apply -auto-approve -input=false + + + terraform_approve: + name: "Site Registration" + runs-on: ubuntu-latest + needs: terraform_ce + defaults: + run: + working-directory: ./workflow-guides/waf/f5-xc-waf-on-k8s/terraform/registration + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v2 + with: + cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} + + - name: Setup Terraform Backend + id: backend + run: | + cat > backend.tf << EOF + terraform { + cloud { + organization = "${{ secrets.TF_CLOUD_ORGANIZATION }}" + workspaces { + name = "${{ secrets.TF_CLOUD_WORKSPACE_REG }}" + } + } 
+ } + EOF + echo "${{secrets.P12}}" | base64 -d > api.p12 + + - name: Terraform Init + id: init + run: terraform init + + - name: Terraform Validate + id: validate + run: terraform validate -no-color + + - name: Terraform Plan + id: plan + if: github.event_name == 'pull_request' + run: terraform plan -no-color -input=false + continue-on-error: true + + - uses: actions/github-script@v6 + if: github.event_name == 'pull_request' + env: + PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const output = `#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` + #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` + #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` +
Show Plan + \`\`\`\n + ${process.env.PLAN} + \`\`\` +
+ *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + - name: Terraform Plan Status + if: steps.plan.outcome == 'failure' + run: exit 1 + + - name: Terraform Apply + if: github.ref == 'refs/heads/deploy-waap-k8s' && github.event_name == 'push' + run: terraform apply -auto-approve -input=false + + + terraform_celb: + name: "K8s LB Creation" + runs-on: ubuntu-latest + needs: terraform_approve + defaults: + run: + working-directory: ./workflow-guides/waf/f5-xc-waf-on-k8s/lb-ce + steps: + - name: Checkout + uses: actions/checkout@v3 + + # need to add sleep time here for all deployments to come up + - name: Wait + id: wait + run: sleep 900 + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v2 + with: + cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} + + - name: Setup Terraform Backend + id: backend + run: | + cat > backend.tf << EOF + terraform { + cloud { + organization = "${{ secrets.TF_CLOUD_ORGANIZATION }}" + workspaces { + name = "${{ secrets.TF_CLOUD_WORKSPACE_BOOKINFO }}" + } + } + } + EOF + + - name: Terraform Init + id: init + run: terraform init + + - name: Terraform Validate + id: validate + run: terraform validate -no-color + + - name: Terraform Plan + id: plan + if: github.event_name == 'pull_request' + run: terraform plan -no-color -input=false + continue-on-error: true + + - uses: actions/github-script@v6 + if: github.event_name == 'pull_request' + env: + PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const output = `#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` + #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` + #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` +
Show Plan + \`\`\`\n + ${process.env.PLAN} + \`\`\` +
+ *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + - name: Terraform Plan Status + if: steps.plan.outcome == 'failure' + run: exit 1 + + - name: Terraform Apply + if: github.ref == 'refs/heads/deploy-waap-k8s' && github.event_name == 'push' + run: terraform apply -auto-approve -input=false + terraform_xc: name: "F5XC WAAP" runs-on: ubuntu-latest - needs: terraform_bookinfo + needs: terraform_celb defaults: run: - working-directory: ./xc + working-directory: ./workflow-guides/waf/f5-xc-waf-on-k8s/lb-ce/xc steps: - name: Checkout uses: actions/checkout@v3 @@ -302,4 +566,4 @@ jobs: - name: Terraform Apply if: github.ref == 'refs/heads/deploy-waap-k8s' && github.event_name == 'push' - run: terraform apply -auto-approve -input=false + run: terraform apply -auto-approve -input=false \ No newline at end of file diff --git a/.github/workflows/waap-k8s-destroy.yml b/workflow-guides/waf/f5-xc-waf-on-k8s/.github/workflows/waap-k8s-destroy.yml similarity index 100% rename from .github/workflows/waap-k8s-destroy.yml rename to workflow-guides/waf/f5-xc-waf-on-k8s/.github/workflows/waap-k8s-destroy.yml diff --git a/workflow-guides/waf/f5-xc-waf-on-k8s/k8s-ce/bookinfo-app.tf b/workflow-guides/waf/f5-xc-waf-on-k8s/k8s-ce/bookinfo-app.tf deleted file mode 100644 index 34fe36ddf..000000000 --- a/workflow-guides/waf/f5-xc-waf-on-k8s/k8s-ce/bookinfo-app.tf +++ /dev/null 
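Review bot: In the "Site Registration" job's backend step, `echo "${{secrets.P12}}" | base64 -d > api.p12` expands the credential directly into the generated script text and leaves the decoded certificate in the checkout directory with default file permissions. Passing it through the step's `env:` (for example `P12_B64: ${{ secrets.P12 }}`) and writing it with `umask 077; printf '%s' "$P12_B64" | base64 -d > api.p12` keeps the value out of the script body and restricts who can read the file. Separately, the "K8s LB Creation" and "F5XC WAAP" jobs set `working-directory` to `./workflow-guides/waf/f5-xc-waf-on-k8s/lb-ce` and `.../lb-ce/xc`, while the diffstat of this commit creates those modules under `terraform/lb-ce` and `terraform/xc`, so both jobs appear to point at directories that do not exist. The "K8s LB Creation" job also writes `secrets.TF_CLOUD_WORKSPACE_BOOKINFO` into its backend; if the Bookinfo job (its backend step is outside this hunk) uses the same workspace, the two configurations would share one state, so a dedicated workspace secret would be safer.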
@@ -1,535 +0,0 @@ -resource "kubernetes_manifest" "service_details" { - manifest = { - "apiVersion" = "v1" - "kind" = "Service" - "metadata" = { - "labels" = { - "app" = "details" - "service" = "details" - } - "name" = "details" - } - "spec" = { - "ports" = [ - { - "name" = "http" - "port" = 9080 - }, - ] - "selector" = { - "app" = "details" - } - } - } -} - -resource "kubernetes_manifest" "serviceaccount_bookinfo_details" { - manifest = { - "apiVersion" = "v1" - "kind" = "ServiceAccount" - "metadata" = { - "labels" = { - "account" = "details" - } - "name" = "bookinfo-details" - } - } -} - -resource "kubernetes_manifest" "deployment_details_v1" { - manifest = { - "apiVersion" = "apps/v1" - "kind" = "Deployment" - "metadata" = { - "labels" = { - "app" = "details" - "version" = "v1" - } - "name" = "details-v1" - } - "spec" = { - "replicas" = 1 - "selector" = { - "matchLabels" = { - "app" = "details" - "version" = "v1" - } - } - "template" = { - "metadata" = { - "labels" = { - "app" = "details" - "version" = "v1" - } - } - "spec" = { - "containers" = [ - { - "image" = "docker.io/istio/examples-bookinfo-details-v1:1.17.0" - "imagePullPolicy" = "IfNotPresent" - "name" = "details" - "ports" = [ - { - "containerPort" = 9080 - }, - ] - "securityContext" = { - "runAsUser" = 1000 - } - }, - ] - "serviceAccountName" = "bookinfo-details" - } - } - } - } -} - -resource "kubernetes_manifest" "service_ratings" { - manifest = { - "apiVersion" = "v1" - "kind" = "Service" - "metadata" = { - "labels" = { - "app" = "ratings" - "service" = "ratings" - } - "name" = "ratings" - } - "spec" = { - "ports" = [ - { - "name" = "http" - "port" = 9080 - }, - ] - "selector" = { - "app" = "ratings" - } - } - } -} - -resource "kubernetes_manifest" "serviceaccount_bookinfo_ratings" { - manifest = { - "apiVersion" = "v1" - "kind" = "ServiceAccount" - "metadata" = { - "labels" = { - "account" = "ratings" - } - "name" = "bookinfo-ratings" - } - } -} - -resource "kubernetes_manifest" 
"deployment_ratings_v1" { - manifest = { - "apiVersion" = "apps/v1" - "kind" = "Deployment" - "metadata" = { - "labels" = { - "app" = "ratings" - "version" = "v1" - } - "name" = "ratings-v1" - } - "spec" = { - "replicas" = 1 - "selector" = { - "matchLabels" = { - "app" = "ratings" - "version" = "v1" - } - } - "template" = { - "metadata" = { - "labels" = { - "app" = "ratings" - "version" = "v1" - } - } - "spec" = { - "containers" = [ - { - "image" = "docker.io/istio/examples-bookinfo-ratings-v1:1.17.0" - "imagePullPolicy" = "IfNotPresent" - "name" = "ratings" - "ports" = [ - { - "containerPort" = 9080 - }, - ] - "securityContext" = { - "runAsUser" = 1000 - } - }, - ] - "serviceAccountName" = "bookinfo-ratings" - } - } - } - } -} - -resource "kubernetes_manifest" "service_reviews" { - manifest = { - "apiVersion" = "v1" - "kind" = "Service" - "metadata" = { - "labels" = { - "app" = "reviews" - "service" = "reviews" - } - "name" = "reviews" - } - "spec" = { - "ports" = [ - { - "name" = "http" - "port" = 9080 - }, - ] - "selector" = { - "app" = "reviews" - } - } - } -} - -resource "kubernetes_manifest" "serviceaccount_bookinfo_reviews" { - manifest = { - "apiVersion" = "v1" - "kind" = "ServiceAccount" - "metadata" = { - "labels" = { - "account" = "reviews" - } - "name" = "bookinfo-reviews" - } - } -} - -resource "kubernetes_manifest" "deployment_reviews_v1" { - manifest = { - "apiVersion" = "apps/v1" - "kind" = "Deployment" - "metadata" = { - "labels" = { - "app" = "reviews" - "version" = "v1" - } - "name" = "reviews-v1" - } - "spec" = { - "replicas" = 1 - "selector" = { - "matchLabels" = { - "app" = "reviews" - "version" = "v1" - } - } - "template" = { - "metadata" = { - "labels" = { - "app" = "reviews" - "version" = "v1" - } - } - "spec" = { - "containers" = [ - { - "env" = [ - { - "name" = "LOG_DIR" - "value" = "/tmp/logs" - }, - ] - "image" = "docker.io/istio/examples-bookinfo-reviews-v1:1.17.0" - "imagePullPolicy" = "IfNotPresent" - "name" = "reviews" - "ports" = [ 
- { - "containerPort" = 9080 - }, - ] - "securityContext" = { - "runAsUser" = 1000 - } - "volumeMounts" = [ - { - "mountPath" = "/tmp" - "name" = "tmp" - }, - { - "mountPath" = "/opt/ibm/wlp/output" - "name" = "wlp-output" - }, - ] - }, - ] - "serviceAccountName" = "bookinfo-reviews" - "volumes" = [ - { - "emptyDir" = {} - "name" = "wlp-output" - }, - { - "emptyDir" = {} - "name" = "tmp" - }, - ] - } - } - } - } -} - -resource "kubernetes_manifest" "deployment_reviews_v2" { - manifest = { - "apiVersion" = "apps/v1" - "kind" = "Deployment" - "metadata" = { - "labels" = { - "app" = "reviews" - "version" = "v2" - } - "name" = "reviews-v2" - } - "spec" = { - "replicas" = 1 - "selector" = { - "matchLabels" = { - "app" = "reviews" - "version" = "v2" - } - } - "template" = { - "metadata" = { - "labels" = { - "app" = "reviews" - "version" = "v2" - } - } - "spec" = { - "containers" = [ - { - "env" = [ - { - "name" = "LOG_DIR" - "value" = "/tmp/logs" - }, - ] - "image" = "docker.io/istio/examples-bookinfo-reviews-v2:1.17.0" - "imagePullPolicy" = "IfNotPresent" - "name" = "reviews" - "ports" = [ - { - "containerPort" = 9080 - }, - ] - "securityContext" = { - "runAsUser" = 1000 - } - "volumeMounts" = [ - { - "mountPath" = "/tmp" - "name" = "tmp" - }, - { - "mountPath" = "/opt/ibm/wlp/output" - "name" = "wlp-output" - }, - ] - }, - ] - "serviceAccountName" = "bookinfo-reviews" - "volumes" = [ - { - "emptyDir" = {} - "name" = "wlp-output" - }, - { - "emptyDir" = {} - "name" = "tmp" - }, - ] - } - } - } - } -} - -resource "kubernetes_manifest" "deployment_reviews_v3" { - manifest = { - "apiVersion" = "apps/v1" - "kind" = "Deployment" - "metadata" = { - "labels" = { - "app" = "reviews" - "version" = "v3" - } - "name" = "reviews-v3" - } - "spec" = { - "replicas" = 1 - "selector" = { - "matchLabels" = { - "app" = "reviews" - "version" = "v3" - } - } - "template" = { - "metadata" = { - "labels" = { - "app" = "reviews" - "version" = "v3" - } - } - "spec" = { - "containers" = [ - { - 
"env" = [ - { - "name" = "LOG_DIR" - "value" = "/tmp/logs" - }, - ] - "image" = "docker.io/istio/examples-bookinfo-reviews-v3:1.17.0" - "imagePullPolicy" = "IfNotPresent" - "name" = "reviews" - "ports" = [ - { - "containerPort" = 9080 - }, - ] - "securityContext" = { - "runAsUser" = 1000 - } - "volumeMounts" = [ - { - "mountPath" = "/tmp" - "name" = "tmp" - }, - { - "mountPath" = "/opt/ibm/wlp/output" - "name" = "wlp-output" - }, - ] - }, - ] - "serviceAccountName" = "bookinfo-reviews" - "volumes" = [ - { - "emptyDir" = {} - "name" = "wlp-output" - }, - { - "emptyDir" = {} - "name" = "tmp" - }, - ] - } - } - } - } -} - -resource "kubernetes_manifest" "service_productpage" { - manifest = { - "apiVersion" = "v1" - "kind" = "Service" - "metadata" = { - "labels" = { - "app" = "productpage" - "service" = "productpage" - } - "name" = "productpage" - } - "spec" = { - "ports" = [ - { - "name" = "http" - "port" = 9080 - }, - ] - "selector" = { - "app" = "productpage" - } - } - } -} - -resource "kubernetes_manifest" "serviceaccount_bookinfo_productpage" { - manifest = { - "apiVersion" = "v1" - "kind" = "ServiceAccount" - "metadata" = { - "labels" = { - "account" = "productpage" - } - "name" = "bookinfo-productpage" - } - } -} - -resource "kubernetes_manifest" "deployment_productpage_v1" { - manifest = { - "apiVersion" = "apps/v1" - "kind" = "Deployment" - "metadata" = { - "labels" = { - "app" = "productpage" - "version" = "v1" - } - "name" = "productpage-v1" - } - "spec" = { - "replicas" = 1 - "selector" = { - "matchLabels" = { - "app" = "productpage" - "version" = "v1" - } - } - "template" = { - "metadata" = { - "labels" = { - "app" = "productpage" - "version" = "v1" - } - } - "spec" = { - "containers" = [ - { - "image" = "docker.io/istio/examples-bookinfo-productpage-v1:1.17.0" - "imagePullPolicy" = "IfNotPresent" - "name" = "productpage" - "ports" = [ - { - "containerPort" = 9080 - }, - ] - "securityContext" = { - "runAsUser" = 1000 - } - "volumeMounts" = [ - { - 
"mountPath" = "/tmp" - "name" = "tmp" - }, - ] - }, - ] - "serviceAccountName" = "bookinfo-productpage" - "volumes" = [ - { - "emptyDir" = {} - "name" = "tmp" - }, - ] - } - } - } - } -} diff --git a/workflow-guides/waf/f5-xc-waf-on-k8s/k8s-ce/ce-k8s-lb.tf b/workflow-guides/waf/f5-xc-waf-on-k8s/k8s-ce/ce-k8s-lb.tf deleted file mode 100644 index 6d88637f9..000000000 --- a/workflow-guides/waf/f5-xc-waf-on-k8s/k8s-ce/ce-k8s-lb.tf +++ /dev/null @@ -1,22 +0,0 @@ -resource "kubernetes_manifest" "service_ves_system_lb_ver" { - manifest = { - "apiVersion" = "v1" - "kind" = "Service" - "metadata" = { - "name" = "lb-ver" - "namespace" = "ves-system" - } - "spec" = { - "ports" = [ - { - "name" = "http" - "port" = 80 - }, - ] - "selector" = { - "app" = "ver" - } - "type" = "LoadBalancer" - } - } -} diff --git a/workflow-guides/waf/f5-xc-waf-on-k8s/k8s-ce/main.tf b/workflow-guides/waf/f5-xc-waf-on-k8s/k8s-ce/main.tf deleted file mode 100644 index 2a866d0e5..000000000 --- a/workflow-guides/waf/f5-xc-waf-on-k8s/k8s-ce/main.tf +++ /dev/null 
@@ -1,475 +0,0 @@ -resource "kubernetes_manifest" "namespace_ves_system" { - manifest = { - "apiVersion" = "v1" - "kind" = "Namespace" - "metadata" = { - "name" = "ves-system" - } - } -} - -resource "kubernetes_manifest" "serviceaccount_ves_system_volterra_sa" { - manifest = { - "apiVersion" = "v1" - "kind" = "ServiceAccount" - "metadata" = { - "name" = "volterra-sa" - "namespace" = "ves-system" - } - } -} - -resource "kubernetes_manifest" "role_ves_system_volterra_admin_role" { - manifest = { - "apiVersion" = "rbac.authorization.k8s.io/v1" - "kind" = "Role" - "metadata" = { - "name" = "volterra-admin-role" - "namespace" = "ves-system" - } - "rules" = [ - { - "apiGroups" = [ - "*", - ] - "resources" = [ - "*", - ] - "verbs" = [ - "*", - ] - }, - ] - } -} - -resource "kubernetes_manifest" "rolebinding_ves_system_volterra_admin_role_binding" { - manifest = { - "apiVersion" = "rbac.authorization.k8s.io/v1" - "kind" = "RoleBinding" - "metadata" = { - "name" = "volterra-admin-role-binding" - "namespace" = "ves-system" - } - "roleRef" = { - "apiGroup" = "rbac.authorization.k8s.io" - "kind" = "Role" - "name" = "volterra-admin-role" - } - "subjects" = [ - { - "apiGroup" = "" - "kind" = "ServiceAccount" - "name" = "volterra-sa" - "namespace" = "ves-system" - }, - ] - } -} - -resource "kubernetes_manifest" "daemonset_ves_system_volterra_ce_init" { - manifest = { - "apiVersion" = "apps/v1" - "kind" = "DaemonSet" - "metadata" = { - "name" = "volterra-ce-init" - "namespace" = "ves-system" - } - "spec" = { - "selector" = { - "matchLabels" = { - "name" = "volterra-ce-init" - } - } - "template" = { - "metadata" = { - "labels" = { - "name" = "volterra-ce-init" - } - } - "spec" = { - "containers" = [ - { - "image" = "gcr.io/volterraio/volterra-ce-init" - "name" = "volterra-ce-init" - "securityContext" = { - "privileged" = true - } - "volumeMounts" = [ - { - "mountPath" = "/host" - "name" = "hostroot" - }, - ] - }, - ] - "hostNetwork" = true - "hostPID" = true - "serviceAccountName" 
= "volterra-sa" - "volumes" = [ - { - "hostPath" = { - "path" = "/" - } - "name" = "hostroot" - }, - ] - } - } - } - } -} - -resource "kubernetes_manifest" "serviceaccount_ves_system_vpm_sa" { - manifest = { - "apiVersion" = "v1" - "kind" = "ServiceAccount" - "metadata" = { - "name" = "vpm-sa" - "namespace" = "ves-system" - } - } -} - -resource "kubernetes_manifest" "role_ves_system_vpm_role" { - manifest = { - "apiVersion" = "rbac.authorization.k8s.io/v1" - "kind" = "Role" - "metadata" = { - "name" = "vpm-role" - "namespace" = "ves-system" - } - "rules" = [ - { - "apiGroups" = [ - "*", - ] - "resources" = [ - "*", - ] - "verbs" = [ - "*", - ] - }, - ] - } -} - -resource "kubernetes_manifest" "clusterrole_ves_system_vpm_cluster_role" { - manifest = { - "apiVersion" = "rbac.authorization.k8s.io/v1" - "kind" = "ClusterRole" - "metadata" = { - "name" = "vpm-cluster-role" - "namespace" = "ves-system" - } - "rules" = [ - { - "apiGroups" = [ - "", - ] - "resources" = [ - "nodes", - ] - "verbs" = [ - "get", - "list", - ] - }, - ] - } -} - -resource "kubernetes_manifest" "rolebinding_ves_system_vpm_role_binding" { - manifest = { - "apiVersion" = "rbac.authorization.k8s.io/v1" - "kind" = "RoleBinding" - "metadata" = { - "name" = "vpm-role-binding" - "namespace" = "ves-system" - } - "roleRef" = { - "apiGroup" = "rbac.authorization.k8s.io" - "kind" = "Role" - "name" = "vpm-role" - } - "subjects" = [ - { - "apiGroup" = "" - "kind" = "ServiceAccount" - "name" = "vpm-sa" - "namespace" = "ves-system" - }, - ] - } -} - -resource "kubernetes_manifest" "clusterrolebinding_vpm_sa" { - manifest = { - "apiVersion" = "rbac.authorization.k8s.io/v1" - "kind" = "ClusterRoleBinding" - "metadata" = { - "name" = "vpm-sa" - } - "roleRef" = { - "apiGroup" = "rbac.authorization.k8s.io" - "kind" = "ClusterRole" - "name" = "vpm-cluster-role" - } - "subjects" = [ - { - "kind" = "ServiceAccount" - "name" = "vpm-sa" - "namespace" = "ves-system" - }, - ] - } -} - -resource "kubernetes_manifest" 
"clusterrolebinding_ver" { - manifest = { - "apiVersion" = "rbac.authorization.k8s.io/v1" - "kind" = "ClusterRoleBinding" - "metadata" = { - "name" = "ver" - } - "roleRef" = { - "apiGroup" = "rbac.authorization.k8s.io" - "kind" = "ClusterRole" - "name" = "cluster-admin" - } - "subjects" = [ - { - "kind" = "ServiceAccount" - "name" = "ver" - "namespace" = "ves-system" - }, - ] - } -} - -resource "kubernetes_manifest" "configmap_ves_system_vpm_cfg" { - manifest = { - "apiVersion" = "v1" - "data" = { - "config.yaml" = <<-EOT - Vpm: - # CHANGE ME - ClusterName: ce-k8s - ClusterType: ce - Config: /etc/vpm/config.yaml - DisableModules: ["recruiter"] - # CHANGE ME - Latitude: 11.3850 - # CHANGE ME - Longitude: 71.4867 - MauriceEndpoint: https://register.ves.volterra.io - MauricePrivateEndpoint: https://register-tls.ves.volterra.io - PrivateNIC: eth0 - SkipStages: ["osSetup", "etcd", "kubelet", "master", "voucher", "workload", "controlWorkload"] - # CHANGE ME - Token: c91bc500-009a-484b-9ef0-11aa4574e500 - CertifiedHardware: k8s-minikube-voltmesh - EOT - } - "kind" = "ConfigMap" - "metadata" = { - "name" = "vpm-cfg" - "namespace" = "ves-system" - } - } -} - -resource "kubernetes_manifest" "statefulset_ves_system_vp_manager" { - manifest = { - "apiVersion" = "apps/v1" - "kind" = "StatefulSet" - "metadata" = { - "name" = "vp-manager" - "namespace" = "ves-system" - } - "spec" = { - "replicas" = 1 - "selector" = { - "matchLabels" = { - "name" = "vpm" - } - } - "serviceName" = "vp-manager" - "template" = { - "metadata" = { - "labels" = { - "name" = "vpm" - "statefulset" = "vp-manager" - } - } - "spec" = { - "affinity" = { - "podAntiAffinity" = { - "requiredDuringSchedulingIgnoredDuringExecution" = [ - { - "labelSelector" = { - "matchExpressions" = [ - { - "key" = "name" - "operator" = "In" - "values" = [ - "vpm", - ] - }, - ] - } - "topologyKey" = "kubernetes.io/hostname" - }, - ] - } - } - "containers" = [ - { - "image" = "gcr.io/volterraio/vpm" - "imagePullPolicy" = "Always" 
- "name" = "vp-manager" - "securityContext" = { - "privileged" = true - } - "volumeMounts" = [ - { - "mountPath" = "/etc/vpm" - "name" = "etcvpm" - }, - { - "mountPath" = "/var/lib/vpm" - "name" = "varvpm" - }, - { - "mountPath" = "/etc/podinfo" - "name" = "podinfo" - }, - { - "mountPath" = "/data" - "name" = "data" - }, - ] - }, - ] - "initContainers" = [ - { - "command" = [ - "/bin/sh", - "-c", - "cp /tmp/config.yaml /etc/vpm", - ] - "image" = "busybox" - "name" = "vpm-init-config" - "volumeMounts" = [ - { - "mountPath" = "/etc/vpm" - "name" = "etcvpm" - }, - { - "mountPath" = "/tmp/config.yaml" - "name" = "vpmconfigmap" - "subPath" = "config.yaml" - }, - ] - }, - ] - "serviceAccountName" = "vpm-sa" - "terminationGracePeriodSeconds" = 1 - "volumes" = [ - { - "downwardAPI" = { - "items" = [ - { - "fieldRef" = { - "fieldPath" = "metadata.labels" - } - "path" = "labels" - }, - ] - } - "name" = "podinfo" - }, - { - "configMap" = { - "name" = "vpm-cfg" - } - "name" = "vpmconfigmap" - }, - ] - } - } - "volumeClaimTemplates" = [ - { - "metadata" = { - "name" = "etcvpm" - } - "spec" = { - "accessModes" = [ - "ReadWriteOnce", - ] - "resources" = { - "requests" = { - "storage" = "1Gi" - } - } - } - }, - { - "metadata" = { - "name" = "varvpm" - } - "spec" = { - "accessModes" = [ - "ReadWriteOnce", - ] - "resources" = { - "requests" = { - "storage" = "1Gi" - } - } - } - }, - { - "metadata" = { - "name" = "data" - } - "spec" = { - "accessModes" = [ - "ReadWriteOnce", - ] - "resources" = { - "requests" = { - "storage" = "1Gi" - } - } - } - }, - ] - } - } -} - -resource "kubernetes_manifest" "service_ves_system_vpm" { - manifest = { - "apiVersion" = "v1" - "kind" = "Service" - "metadata" = { - "name" = "vpm" - "namespace" = "ves-system" - } - "spec" = { - "ports" = [ - { - "port" = 65003 - "protocol" = "TCP" - "targetPort" = 65003 - }, - ] - "selector" = { - "name" = "vpm" - } - "type" = "NodePort" - } - } -} 
diff --git a/workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo/data.tf b/workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo/data.tf
similarity index 100%
rename from workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo/data.tf
rename to workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo/data.tf
diff --git a/workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo/locals.tf b/workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo/locals.tf
similarity index 100%
rename from workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo/locals.tf
rename to workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo/locals.tf
diff --git a/workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo/main.tf b/workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo/main.tf
similarity index 100%
rename from workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo/main.tf
rename to workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo/main.tf
diff --git a/workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo/providers.tf b/workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo/providers.tf
similarity index 100%
rename from workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo/providers.tf
rename to workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo/providers.tf
diff --git a/workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo/variables.tf b/workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo/variables.tf
similarity index 61%
rename from workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo/variables.tf
rename to workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo/variables.tf
index 5d2883cae..8afcfb230 100644
--- a/workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo/variables.tf
+++ b/workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo/variables.tf
@@ -6,5 +6,5 @@ variable "tf_cloud_organization" { variable "ssh_key" { type = string - description = "Unneeded for arcadia, only present for warning handling with TF cloud variable set" + description = "Only present for warning handling with TF cloud variable set" } \ No newline at end of file diff --git a/workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo/versions.tf b/workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo/versions.tf similarity index 51% rename from workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo/versions.tf rename to workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo/versions.tf index 68d464ebf..49ffe4224 100644 --- a/workflow-guides/waf/f5-xc-waf-on-k8s/booksinfo/versions.tf +++ b/workflow-guides/waf/f5-xc-waf-on-k8s/terraform/booksinfo/versions.tf @@ -2,14 +2,7 @@ terraform { required_version = ">= 0.14.0" required_providers { aws = ">= 4" - kubernetes = { - source = "hashicorp/kubernetes" - version = "2.16.1" - } - helm = { - source = "hashicorp/helm" - version = ">=2.7.0" - } + kubectl = { source = "gavinbunney/kubectl" version = ">= 1.7.0" diff --git a/workflow-guides/waf/f5-xc-waf-on-k8s/terraform/ce-deployment/ce-deploy.tf b/workflow-guides/waf/f5-xc-waf-on-k8s/terraform/ce-deployment/ce-deploy.tf new file mode 100644 index 000000000..c25b44f7c --- /dev/null +++ b/workflow-guides/waf/f5-xc-waf-on-k8s/terraform/ce-deployment/ce-deploy.tf @@ -0,0 +1,294 @@ +resource "kubectl_manifest" "ns" { + yaml_body = <