Skip to content

Commit

Permalink
Merge pull request #69 from knowbase/v2.3.2-1
Browse files Browse the repository at this point in the history
V2.3.2-1 resolve API specification variable issue.
  • Loading branch information
knowbase authored Jul 6, 2023
2 parents 72fdd4b + 66274ea commit 7bcb3a1
Show file tree
Hide file tree
Showing 3 changed files with 90 additions and 85 deletions.
14 changes: 14 additions & 0 deletions xc/terraform.tfvars.examples
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,20 @@ xc_multi_lb = false
xc_api_disc = false
xc_api_pro = false
xc_api_spec = []
#Enable API schema validation
xc_api_val = false
#Enable API schema validation on all endpoints
xc_api_val_all = false
xc_api_val_properties = ["PROPERTY_QUERY_PARAMETERS", "PROPERTY_PATH_PARAMETERS", "PROPERTY_CONTENT_TYPE", "PROPERTY_COOKIE_PARAMETERS", "PROPERTY_HTTP_HEADERS", "PROPERTY_HTTP_BODY"]
#Validation Mode active for endpoint (false = skip)
xc_api_val_active = false
#Validation Enforment Type (only one of these should be set to true)
enforcement_block = false
enforcement_report = false
#Allow access to unprotected endpoints
fall_through_mode_allow = false
#Enable API Validation custom rules
xc_api_val_custom = false

#XC Bot Defense
xc_bot_def = false
Expand Down
37 changes: 19 additions & 18 deletions xc/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ variable "ssh_key" {
#XC
variable "xc_tenant" {
type = string
description = "Your F5 XC tenant name"
description = "Your F5 XC tenant name"
}
variable "api_url" {
type = string
Expand All @@ -32,7 +32,7 @@ variable "xc_waf_blocking" {
}
#XC AI/ML Settings for MUD, APIP - NOTE: Only set if using AI/ML settings from the shared namespace
variable "xc_app_type" {
type = list
type = list(any)
description = "Set Apptype for shared AI/ML"
default = null
}
Expand All @@ -53,7 +53,7 @@ variable "xc_api_pro" {
default = "false"
}
variable "xc_api_spec" {
type = list
type = list(any)
description = "XC object store path to swagger spec ex: https://my.tenant.domain/api/object_store/namespaces/my-ns/stored_objects/swagger/file-name/v1-22-01-12"
default = null
}
Expand All @@ -70,12 +70,7 @@ variable "xc_api_val_all" {
variable "xc_api_val_properties" {
type = list(string)
default = ["PROPERTY_QUERY_PARAMETERS", "PROPERTY_PATH_PARAMETERS", "PROPERTY_CONTENT_TYPE", "PROPERTY_COOKIE_PARAMETERS", "PROPERTY_HTTP_HEADERS", "PROPERTY_HTTP_BODY"]

}
variable "xc_api_val_properties_all" {
type = string
description = "Enable API Validation on all properties"
default = "false"

}
variable "xc_api_val_active" {
type = string
Expand All @@ -91,23 +86,29 @@ variable "enforcement_report" {
type = string
description = "Enable enforcement report"
default = "false"
}
variable "xc_api_val_properties_block" {
type = list(string)
default = ["PROPERTY_QUERY_PARAMETERS", "PROPERTY_PATH_PARAMETERS", "PROPERTY_CONTENT_TYPE", "PROPERTY_COOKIE_PARAMETERS", "PROPERTY_HTTP_HEADERS", "PROPERTY_HTTP_BODY"]

}
variable "fall_through_mode_allow" {
type = string
description = "Enable fall through mode allow"
default = "false"
}
variable "xc_api_val_custom" {
type = string
description = "Enable API Validation custom rules"
default = "false"
}

#XC Bot Defense
variable "xc_bot_def" {
type = string
type = string
description = "Enable XC Bot Defense"
default = "false"
default = "false"
}
#XC DDoS Protection
variable "xc_ddos_pro" {
type = string
type = string
description = "Enable XC DDoS Protection"
default = "false"
default = "false"
}
#XC Malicious User Detection
variable "xc_mud" {
Expand Down
124 changes: 57 additions & 67 deletions xc/xc_loadbalancer.tf
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
# Create XC LB config

resource "volterra_origin_pool" "op" {
name = format("%s-xcop-%s", local.project_prefix, local.build_suffix)
namespace = var.xc_namespace
description = format("Origin pool pointing to origin server %s", local.origin_server)
name = format("%s-xcop-%s", local.project_prefix, local.build_suffix)
namespace = var.xc_namespace
description = format("Origin pool pointing to origin server %s", local.origin_server)
dynamic "origin_servers" {
for_each = local.dns_origin_pool ? [1] : []
content {
Expand All @@ -17,11 +17,11 @@ resource "volterra_origin_pool" "op" {
content {
public_ip {
ip = local.origin_server
}
}
}
}
no_tls = true
port = local.origin_port
no_tls = true
port = local.origin_port
endpoint_selection = "LOCAL_PREFERRED"
loadbalancer_algorithm = "LB_OVERRIDE"
}
Expand All @@ -30,86 +30,86 @@ resource "volterra_http_loadbalancer" "lb_https" {
name = format("%s-xclb-%s", local.project_prefix, local.build_suffix)
namespace = var.xc_namespace
labels = {
"ves.io/app_type" = length(var.xc_app_type) != 0 ? volterra_app_type.app-type[0].name : null
"ves.io/app_type" = length(var.xc_app_type) != 0 ? volterra_app_type.app-type[0].name : null
}
description = format("HTTPS loadbalancer object for %s origin server", local.project_prefix)
domains = [var.app_domain]
description = format("HTTPS loadbalancer object for %s origin server", local.project_prefix)
domains = [var.app_domain]
advertise_on_public_default_vip = true
default_route_pools {
pool {
name = volterra_origin_pool.op.name
namespace = var.xc_namespace
}
weight = 1
pool {
name = volterra_origin_pool.op.name
namespace = var.xc_namespace
}
weight = 1
}
https_auto_cert {
add_hsts = false
http_redirect = true
no_mtls = true
add_hsts = false
http_redirect = true
no_mtls = true
enable_path_normalize = true
tls_config {
default_security = true
}
default_security = true
}
}
app_firewall {
name = volterra_app_firewall.waap-tf.name
name = volterra_app_firewall.waap-tf.name
namespace = var.xc_namespace
}
disable_waf = false
round_robin = true
service_policies_from_namespace = true
multi_lb_app = var.xc_multi_lb ? true : false
user_id_client_ip = true
source_ip_stickiness = true
multi_lb_app = var.xc_multi_lb ? true : false
user_id_client_ip = true
source_ip_stickiness = true

#API Protection Configuration
#API Protection Configuration

dynamic "enable_api_discovery" {
for_each = var.xc_api_disc ? [1] : []
content {
enable_learn_from_redirect_traffic = true
}
}
}
dynamic "api_speficiation" {
dynamic "api_specification" {
for_each = var.xc_api_pro ? [1] : []
content {
api_definition {
name = volterra_api_definition.api-def[0].name
name = volterra_api_definition.api-def[0].name
namespace = volterra_api_definition.api-def[0].namespace
tenant = var.xc_tenant
tenant = var.xc_tenant
}
validation_disabled = var.xc_api_val ? false : true
dynamic "validation_all_spec_endpoints" {
for_each = var.xc_api_val_all ? [1] : []
content {
validation_mode {
dynamic validation_mode_active {
dynamic "validation_mode_active" {
for_each = var.xc_api_val_active ? [1] : []
content {
request_validation_properties = var.xc_api_val_properties
enforcement_block = var.enforcement_block
enforcement_report = var.enforcement_report
}
enforcement_block = var.enforcement_block
enforcement_report = var.enforcement_report
}
}
}
fall_through_mode {
fall_through_mode_allow = var.fall_through_allow ? true : false
dynamic fall_through_mode_custom {
dynamic "fall_through_mode_custom" {
for_each = var.fall_through_mode_allow ? [0] : [1]
content {
open_api_validation_rules {
metadata {
name = format("%s-apip-fall-through-block-%s", local.project_prefix, local.build_suffix)
}
action_block = true
base_path = "/"
base_path = "/"
}
open_api_validation_rules {
metadata {
name = format("%s-apip-fall-through-report-%s", local.project_prefix, local.build_suffix)
}
action_report = true
base_path = "/"
base_path = "/"
}
}
}
Expand All @@ -124,54 +124,44 @@ resource "volterra_http_loadbalancer" "lb_https" {
name = format("%s-apip-val-rule-block-%s", local.project_prefix, local.build_suffix)
}
validation_mode {
dynamic validation_mode_active {
dynamic "validation_mode_active" {
for_each = var.xc_api_val_active ? [1] : []
content {
request_validation_properties = var.xc_api_val_properties
enforcement_block = var.enforcement_block
enforcement_report = var.enforcement_report
enforcement_block = var.enforcement_block
enforcement_report = var.enforcement_report
}
}
}
any_domain = true
base_path = "/"
base_path = "/"
}
fall_through_mode {
fall_through_mode_allow = var.fall_through_allow ? true : false
dynamic fall_through_mode_custom {
dynamic "fall_through_mode_custom" {
for_each = var.fall_through_mode_allow ? [0] : [1]
content {
open_api_validation_rules {
metadata {
name = format("%s-apip-fall-through-block-%s", local.project_prefix, local.build_suffix)
}
action_block = true
base_path = "/"
base_path = "/"
}
open_api_validation_rules {
metadata {
name = format("%s-apip-fall-through-report-%s", local.project_prefix, local.build_suffix)
}
action_report = true
base_path = "/"
base_path = "/"
}
}
}
}
}
}
}
}
}
/*
dynamic "api_definition" {
for_each = var.xc_api_pro ? [1] : []
content {
name = volterra_api_definition.api-def[0].name
namespace = volterra_api_definition.api-def[0].namespace
tenant = var.xc_tenant
}
}
*/

dynamic "api_protection_rules" {
for_each = var.xc_api_pro ? [1] : []
Expand All @@ -184,7 +174,7 @@ resource "volterra_http_loadbalancer" "lb_https" {
deny = true
}
base_path = "/api"
api_group = join("-",["ves-io-api-def", volterra_api_definition.api-def[0].name, "all-operations"])
api_group = join("-", ["ves-io-api-def", volterra_api_definition.api-def[0].name, "all-operations"])
}
api_groups_rules {
metadata {
Expand All @@ -198,7 +188,7 @@ resource "volterra_http_loadbalancer" "lb_https" {
}
}

#BOT Configuration
#BOT Configuration
dynamic "bot_defense" {
for_each = var.xc_bot_def ? [1] : []
content {
Expand All @@ -208,7 +198,7 @@ resource "volterra_http_loadbalancer" "lb_https" {
javascript_location = "AFTER_HEAD"
}
disable_mobile_sdk = true
js_download_path = "/common.js"
js_download_path = "/common.js"
protected_app_endpoints {
metadata {
name = format("%s-bot-rule-%s", local.project_prefix, local.build_suffix)
Expand Down Expand Up @@ -236,11 +226,11 @@ resource "volterra_http_loadbalancer" "lb_https" {
}
}
regional_endpoint = "US"
timeout = 1000
timeout = 1000
}
}

#DDoS Configuration
#DDoS Configuration
dynamic "enable_ddos_detection" {
for_each = var.xc_ddos_pro ? [1] : []
content {
Expand All @@ -255,24 +245,24 @@ resource "volterra_http_loadbalancer" "lb_https" {
}
block = true
ddos_client_source {
country_list = [ "COUNTRY_KP"]
country_list = ["COUNTRY_KP"]
}
}
}
#Common Security Controls

#Common Security Controls

disable_rate_limit = true
enable_malicious_user_detection = var.xc_mud ? true : null
no_challenge = contains(var.xc_app_type, "mud") || var.xc_mud ? false : true
no_challenge = contains(var.xc_app_type, "mud") || var.xc_mud ? false : true

dynamic "policy_based_challenge" {
for_each = var.xc_mud ? [1] : []
content {
default_js_challenge_parameters = true
default_js_challenge_parameters = true
default_captcha_challenge_parameters = true
default_mitigation_settings = true
no_challenge = true
default_mitigation_settings = true
no_challenge = true
rule_list {}
}
}
Expand All @@ -281,8 +271,8 @@ resource "volterra_http_loadbalancer" "lb_https" {
content {
malicious_user_mitigation {
namespace = volterra_malicious_user_mitigation.mud-mitigation[0].namespace
name = volterra_malicious_user_mitigation.mud-mitigation[0].name
}
name = volterra_malicious_user_mitigation.mud-mitigation[0].name
}
}
}
}
Expand Down

0 comments on commit 7bcb3a1

Please sign in to comment.