updates

Author: BrooksCunningham

mtls-terraform-example/README.md

@@ -0,0 +1,7 @@
+# mtls demo
+You'll need to do two steps.
+
+Run `terraform apply`
+Update DNS
+Uncomment the mtls configurations
+Run `terraform apply`

mtls-terraform-example/main.tf

@@ -0,0 +1,232 @@
+# Configure the Fastly Provider
+provider "fastly" {
+  api_key = var.FASTLY_API_KEY
+}
+
+#### Fastly VCL Service - Start
+resource "fastly_service_vcl" "frontend-vcl-service" {
+  name = "mtls demo - ${var.USER_VCL_SERVICE_DOMAIN_NAME}"
+
+  domain {
+    name    = var.USER_VCL_SERVICE_DOMAIN_NAME
+    comment = "mtls demo"
+  }
+  backend {
+    address           = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
+    name              = "vcl_service_origin"
+    port              = 443
+    use_ssl           = true
+    ssl_cert_hostname = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
+    ssl_sni_hostname  = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
+    override_host     = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
+  }
+
+  #### Disable caching, but keep request collapsing https://www.fastly.com/documentation/reference/vcl/variables/backend-response/beresp-cacheable/#effects-on-request-collapsing
+  snippet {
+    name = "Disable caching"
+    content = "set beresp.cacheable = false;"
+    type = "fetch"
+    priority = 9000
+  }
+
+  #### Useful for debugging with response headers
+  # snippet {
+  #   name = "Debug headers"
+  #   content = file("${path.module}/vcl/debug_headers.vcl")
+  #   type = "fetch"
+  #   priority = 120
+  # }
+
+  #### NGWAF Dynamic Snippets - MANAGED BY FASTLY - Start
+  dynamicsnippet {
+    name     = "ngwaf_config_init"
+    type     = "init"
+    priority = 0
+  }
+  dynamicsnippet {
+    name     = "ngwaf_config_miss"
+    type     = "miss"
+    priority = 9000
+  }
+  dynamicsnippet {
+    name     = "ngwaf_config_pass"
+    type     = "pass"
+    priority = 9000
+  }
+  dynamicsnippet {
+    name     = "ngwaf_config_deliver"
+    type     = "deliver"
+    priority = 9000
+  }
+  #### NGWAF Dynamic Snippets - MANAGED BY FASTLY - End
+
+  dictionary {
+    name = "Edge_Security"
+  }
+
+  # logging_honeycomb {
+  #   dataset = "NGWAF_EDGE_DATASET"
+  #   name = "NGWAF_EDGE_LOGS"
+  #   token = var.HONEYCOMB_API_KEY
+  #   format = file("${path.module}/ngwaf_honeycomb_logging_format.json")
+  # }
+
+  # logging_splunk {
+  #   name  = var.SPLUNK_LOGGING_NAME
+  #   token = var.SPLUNK_LOGGING_TOKEN
+  #   url   = var.SPLUNK_LOGGING_URL
+  #   format_version = 2
+  #   format = file("${path.module}/ngwaf_splunk_logging_format.json")
+  #   tls_ca_cert = file("${path.module}/splunk_ca_cert.pem")
+  #   use_tls = true
+  # }
+
+  force_destroy = true
+}
+
+resource "fastly_service_dynamic_snippet_content" "ngwaf_config_init" {
+  for_each = {
+    for d in fastly_service_vcl.frontend-vcl-service.dynamicsnippet : d.name => d if d.name == "ngwaf_config_init"
+  }
+
+  service_id = fastly_service_vcl.frontend-vcl-service.id
+  snippet_id = each.value.snippet_id
+
+  content = "### Fastly managed ngwaf_config_init"
+
+  manage_snippets = false
+}
+
+resource "fastly_service_dynamic_snippet_content" "ngwaf_config_miss" {
+  for_each = {
+    for d in fastly_service_vcl.frontend-vcl-service.dynamicsnippet : d.name => d if d.name == "ngwaf_config_miss"
+  }
+
+  service_id = fastly_service_vcl.frontend-vcl-service.id
+  snippet_id = each.value.snippet_id
+
+  content = "### Fastly managed ngwaf_config_miss"
+
+  manage_snippets = false
+}
+
+resource "fastly_service_dynamic_snippet_content" "ngwaf_config_pass" {
+  for_each = {
+    for d in fastly_service_vcl.frontend-vcl-service.dynamicsnippet : d.name => d if d.name == "ngwaf_config_pass"
+  }
+
+  service_id = fastly_service_vcl.frontend-vcl-service.id
+  snippet_id = each.value.snippet_id
+
+  content = "### Fastly managed ngwaf_config_pass"
+
+  manage_snippets = false
+}
+
+resource "fastly_service_dynamic_snippet_content" "ngwaf_config_deliver" {
+  for_each = {
+    for d in fastly_service_vcl.frontend-vcl-service.dynamicsnippet : d.name => d if d.name == "ngwaf_config_deliver"
+  }
+
+  service_id = fastly_service_vcl.frontend-vcl-service.id
+  snippet_id = each.value.snippet_id
+
+  content = "### Fastly managed ngwaf_config_deliver"
+
+  manage_snippets = false
+}
+
+#### Fastly VCL Service - End
+
+provider "sigsci" {
+  corp           = var.NGWAF_CORP
+  email          = var.NGWAF_EMAIL
+  auth_token     = var.NGWAF_TOKEN
+  fastly_api_key = var.FASTLY_API_KEY
+}
+
+resource "sigsci_edge_deployment" "ngwaf_edge_site_service" {
+  # https://registry.terraform.io/providers/signalsciences/sigsci/latest/docs/resources/edge_deployment
+  site_short_name = var.NGWAF_SITE
+}
+
+resource "sigsci_edge_deployment_service" "ngwaf_edge_service_link" {
+  # https://registry.terraform.io/providers/signalsciences/sigsci/latest/docs/resources/edge_deployment_service
+  site_short_name = var.NGWAF_SITE
+  fastly_sid      = fastly_service_vcl.frontend-vcl-service.id
+
+  activate_version = true
+  percent_enabled  = 100
+
+  depends_on = [
+    sigsci_edge_deployment.ngwaf_edge_site_service,
+    fastly_service_vcl.frontend-vcl-service,
+    fastly_service_dynamic_snippet_content.ngwaf_config_init,
+    fastly_service_dynamic_snippet_content.ngwaf_config_miss,
+    fastly_service_dynamic_snippet_content.ngwaf_config_pass,
+    fastly_service_dynamic_snippet_content.ngwaf_config_deliver,
+  ]
+}
+
+resource "sigsci_edge_deployment_service_backend" "ngwaf_edge_service_backend_sync" {
+  site_short_name = var.NGWAF_SITE
+  fastly_sid      = fastly_service_vcl.frontend-vcl-service.id
+
+  fastly_service_vcl_active_version = fastly_service_vcl.frontend-vcl-service.active_version
+
+  depends_on = [
+    sigsci_edge_deployment_service.ngwaf_edge_service_link,
+  ]
+}
+
+#### Edge deploy and sync - End
+
+output "live_waf_love_output" {
+  value = <<tfmultiline
+  
+  #### Click the URL to go to the Fastly VCL service ####
+  https://cfg.fastly.com/${fastly_service_vcl.frontend-vcl-service.id}
+
+  #### Click the URL to go to the Fastly NGWAF service ####
+  https://dashboard.signalsciences.net/corps/${var.NGWAF_CORP}/sites/${var.NGWAF_SITE}
+  
+  #### Send a test request with curl. ####
+  curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/whydopirates?likeurls=theargs" -d foo=bar
+
+  #### Send an test as traversal with curl. ####
+  curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/myattackreq?i=../../../../etc/passwd" -d foo=bar
+
+  #### Send an test as XSS with curl. ####
+  curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/myattackreq?foo=%3Cscript%3E" -d foo=bar
+
+  #### Troubleshoot the logging configuration if necessary. ####
+  https://docs.fastly.com/en/guides/setting-up-remote-log-streaming#troubleshooting-common-logging-errors
+  curl https://api.fastly.com/service/${fastly_service_vcl.frontend-vcl-service.id}/logging_status -H fastly-key:$FASTLY_API_KEY
+  
+  tfmultiline
+
+  description = "Output hints on what to do next."
+
+  depends_on = [
+    sigsci_edge_deployment_service.ngwaf_edge_service_link
+  ]
+}
+
+
+provider "http" {}
+#### Edge deploy linked data - start
+data "http" "linked_fastly_services" {
+  url = "https://dashboard.signalsciences.net/api/v0/corps/${var.NGWAF_CORP}/sites/${var.NGWAF_SITE}/edgeDeployment"
+
+  request_headers = {
+    x-api-user   = var.NGWAF_EMAIL
+    x-api-token  = var.NGWAF_TOKEN
+    Content-Type = "application/json"
+  }
+  depends_on = [sigsci_edge_deployment_service.ngwaf_edge_service_link]
+}
+#### Edge deploy linked data - end
+
+output "services_linked_to_ngwaf_output" {
+  value = [for item in jsondecode(data.http.linked_fastly_services.response_body)["ServicesAttached"] : item.id]
+}

mtls-terraform-example/mtls-configuration.tf

@@ -0,0 +1,51 @@
+#### mTLS configuration - start
+
+resource "null_resource" "generate_ca" {
+  provisioner "local-exec" {
+    command = <<EOT
+      mkdir -p certs &&
+      openssl genrsa 4096 > certs/ca-key.pem &&
+      openssl req -new -x509 -nodes -days 3650 -key certs/ca-key.pem -subj "/CN=mtl-demo-ca" > certs/ca-cert.pem
+    EOT
+  }
+}
+
+resource "null_resource" "generate_client_cert" {
+  provisioner "local-exec" {
+    command = <<EOT
+      openssl req -newkey rsa:2048 -days 365 -nodes -keyout certs/client-key1.pem -subj "/CN=client1" > certs/client-req.pem &&
+      openssl x509 -req -in certs/client-req.pem -days 365 -CA certs/ca-cert.pem -CAkey certs/ca-key.pem -set_serial 01 > certs/client-cert1.pem
+    EOT
+  }
+
+  depends_on = [null_resource.generate_ca]
+}
+
+resource "fastly_tls_subscription" "certainly_tls" {
+  domains               = [for domain in fastly_service_vcl.frontend-vcl-service.domain : domain.name]
+  certificate_authority = "certainly"
+}
+
+resource "fastly_tls_subscription_validation" "certainly_tls" {
+  subscription_id = fastly_tls_subscription.certainly_tls.id
+}
+
+data "fastly_tls_configuration" "default" {
+  default    = true
+  depends_on = [fastly_tls_subscription_validation.certainly_tls]
+}
+
+data "fastly_tls_activation" "mtls_demo" {
+  # domain     = [for domain in fastly_service_vcl.frontend-vcl-service.domain : domain.name]
+  domain     = tolist(fastly_service_vcl.frontend-vcl-service.domain)[0].name
+}
+
+resource "fastly_tls_mutual_authentication" "mtls_demo" {
+  activation_ids = [data.fastly_tls_activation.mtls_demo.id]
+  name = "mtls demo - mtls-demo.livewaflove.com"
+  cert_bundle    = file("${path.module}/certs/ca-cert.pem")
+  enforced       = false
+}
+
+
+#### mTLS config - end

mtls-terraform-example/providers.tf

@@ -0,0 +1,17 @@
+# Terraform 0.13+ requires providers to be declared in a "required_providers" block
+# https://registry.terraform.io/providers/fastly/fastly/latest/docs
+terraform {
+  required_providers {
+    fastly = {
+      source  = "fastly/fastly"
+      version = ">= 5.11.0"
+    }
+    sigsci = {
+      source  = "signalsciences/sigsci"
+      version = ">= 3.3.0"
+    }
+    http = {
+      source = "hashicorp/http"
+    }
+  }
+}

mtls-terraform-example/variables.tf

@@ -0,0 +1,70 @@
+# Fastly Edge VCL configuration
+variable "FASTLY_API_KEY" {
+    type        = string
+    description = "This is API key for the Fastly VCL edge configuration."
+}
+
+#### VCL Service variables - Start
+variable "USER_VCL_SERVICE_DOMAIN_NAME" {
+  type = string
+  description = "Frontend domain for your service."
+  default = "ngwaf-tf-demo.global.ssl.fastly.net"
+}
+
+variable "USER_VCL_SERVICE_BACKEND_HOSTNAME" {
+  type          = string
+  description   = "hostname used for backend."
+  default       = "http-me.glitch.me"
+}
+
+#### VCL Service variables - End
+
+#### NGWAF variables - Start
+
+variable "NGWAF_CORP" {
+  type          = string
+  description   = "Corp name for NGWAF"
+}
+
+variable "NGWAF_SITE" {
+  type          = string
+  description   = "Site name for NGWAF"
+}
+
+variable "NGWAF_EMAIL" {
+    type        = string
+    description = "Email address associated with the token for the NGWAF API."
+}
+variable "NGWAF_TOKEN" {
+    type        = string
+    description = "Secret token for the NGWAF API."
+    sensitive   = true
+}
+#### NGWAF variables - End
+
+#### External Logging - Start
+variable "HONEYCOMB_API_KEY" {
+  # https://www.honeycomb.io/
+    type        = string
+    description = "Secret token for the Honeycomb API."
+    sensitive   = true
+    default = ""
+}
+
+# Splunk
+variable "SPLUNK_LOGGING_NAME" {
+  type = string
+  default = "SPLUNK_LOGGING"
+}
+
+variable "SPLUNK_LOGGING_TOKEN" {
+  type = string
+  sensitive = true
+  default = ""
+}
+
+variable "SPLUNK_LOGGING_URL" {
+  type = string
+  default = ""
+}
+#### External Logging - END