Quick start with Terraform example code
- Wallarm account in the EU Cloud or US Cloud
- Username and password of the user with the Deploy role added to your company's Wallarm account. To add a new user, please follow the instructions
- AWS account and user with the admin permissions
- Accepted Terms for the WordPress Certified by Bitnami and Automattic and Wallarm Node (AI-based NG-WAF instance) by Wallarm products on AWS Marketplace
- Installed `terraform` CLI tools version 0.12.18 or later
- Installed `jq` CLI tools
- Installed `git` CLI tools
- Installed `aws` CLI tools
- Download Terraform code example.
- Prepare Terraform environment and variables.
- Deploy described stack.
- Test Wallarm node operation.
Terraform code used in this example can be cloned from the open GitHub repository using the following command:
```
git clone -b stable/3.6 --single-branch https://github.com/wallarm/terraform-example.git
```

To clone the example code for a lower node version, please replace `3.6` with the relevant value in the branch name.
Configuration files are located in the `terraform` folder of the repository:

- `variables.tf` is used to define the Terraform variables which describe the managed environment
- `main.tf` holds the Terraform code which performs the actual AWS provisioning
- Set environment variables with credentials for the Wallarm user with the Deploy role:

  ```
  export TF_VAR_deploy_username='DEPLOY_USERNAME'
  export TF_VAR_deploy_password='DEPLOY_PASSWORD'
  ```

  - `DEPLOY_USERNAME` is the email of the user with the Deploy role
  - `DEPLOY_PASSWORD` is the password of the user with the Deploy role
- Set environment variables with your AWS access keys:

  ```
  export AWS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'
  export AWS_SECRET_ACCESS_KEY='YOUR_SECRET_ACCESS_KEY'
  ```

  - `YOUR_ACCESS_KEY_ID` is your access key ID
  - `YOUR_SECRET_ACCESS_KEY` is your secret access key
- (Optional) Specify your public SSH key in the `key_pair` variable in the `variables.tf` file, if you plan to access the employed EC2 instances using SSH.
- (Optional) Specify the `api.wallarm.com` API endpoint in the `wallarm_api_domain` variable in the `variables.tf` file, if you use the EU Cloud. If you use the US Cloud, please leave the existing value.
- (Optional) Set AWS region data in the variables listed below in the `variables.tf` file. The provided example is configured for the AWS region `us-west-1` (North California).
  - `aws_region` (you can find the list of AWS regions here)
  - `az_a`
  - `az_b`
  - `wallarm_node_ami_id` with the AWS EC2 Wallarm filtering node image ID returned by the command below. Please replace `REGION_CODE` with the `aws_region` value:

    ```
    aws ec2 describe-images --filters "Name=name,Values=*wallarm-node-3-6*" --region REGION_CODE | jq -r '.Images[] | "\(.ImageId)"'
    ```
  - `wordpress_ami_id` with the AWS EC2 WordPress image ID returned by the command below. Please replace `REGION_CODE` with the `aws_region` value:

    ```
    aws ec2 describe-images --filters "Name=name,Values=*bitnami-wordpress-5.3.2-3-linux-ubuntu-16.04*" --region REGION_CODE | jq -r '.Images[] | "\(.ImageId)"'
    ```
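The two `describe-images` commands above print every image whose name matches the filter, so in a region with more than one published build you get several IDs and have to pick one by hand. The following script is an added example, not part of the Wallarm terraform-example repository: it runs the same query through the `aws` CLI, selects the newest image by `CreationDate`, and renders a `terraform.tfvars` file for the variables named on this page (`aws_region`, `az_a`, `az_b`, `wallarm_node_ami_id`, `wordpress_ami_id`, optionally `key_pair`). Terraform loads `terraform.tfvars` from the working directory automatically, so `variables.tf` can stay untouched. The `SAMPLE_DESCRIBE_OUTPUT` data, its image IDs and the availability-zone suffixes `a`/`b` are constructed assumptions (AZ letters differ per account); with no arguments the script runs entirely on that sample.

```python
import json
import subprocess
import sys

# Name filters exactly as used in the describe-images commands on this page.
WALLARM_NODE_NAME_FILTER = "*wallarm-node-3-6*"
WORDPRESS_NAME_FILTER = "*bitnami-wordpress-5.3.2-3-linux-ubuntu-16.04*"

# Constructed stand-in for `aws ec2 describe-images` output so the script can
# be exercised offline; the image IDs and dates are made up.
SAMPLE_DESCRIBE_OUTPUT = {
    "Images": [
        {"ImageId": "ami-0000000000000aaaa", "CreationDate": "2020-02-14T10:55:49.000Z"},
        {"ImageId": "ami-0000000000000bbbb", "CreationDate": "2020-03-01T08:00:00.000Z"},
    ]
}


def pick_latest_ami(describe_output):
    """Return the ImageId of the newest image in a describe-images result,
    or None when nothing matched.

    The page's jq one-liner prints every matching ImageId; when a listing
    carries several builds this chooses one deterministically. CreationDate
    is ISO 8601 with a fixed layout, so plain string comparison orders it.
    """
    images = describe_output.get("Images", [])
    if not images:
        return None
    return max(images, key=lambda img: img["CreationDate"])["ImageId"]


def lookup_ami(name_filter, region):
    """Run the same describe-images query as the page and return one ImageId.
    Needs the aws CLI and AWS credentials in the environment."""
    cmd = [
        "aws", "ec2", "describe-images",
        "--filters", f"Name=name,Values={name_filter}",
        "--region", region,
        "--output", "json",
    ]
    result = subprocess.run(cmd, check=True, capture_output=True, text=True)
    ami_id = pick_latest_ami(json.loads(result.stdout))
    if ami_id is None:
        raise LookupError(f"no image matching {name_filter!r} in {region}")
    return ami_id


def render_tfvars(aws_region, az_a, az_b, wallarm_node_ami_id, wordpress_ami_id, key_pair=None):
    """Render a terraform.tfvars body for the variables named on this page.
    Terraform auto-loads terraform.tfvars from the working directory, which
    overrides the defaults in variables.tf without editing that file."""
    values = {
        "aws_region": aws_region,
        "az_a": az_a,
        "az_b": az_b,
        "wallarm_node_ami_id": wallarm_node_ami_id,
        "wordpress_ami_id": wordpress_ami_id,
    }
    if key_pair is not None:
        values["key_pair"] = key_pair
    width = max(len(k) for k in values)
    return "".join(f'{k.ljust(width)} = "{v}"\n' for k, v in values.items())


if __name__ == "__main__":
    # Usage: python make_tfvars.py REGION [AZ_A AZ_B] > terraform.tfvars
    # Without arguments the constructed sample is used instead of the aws CLI.
    if len(sys.argv) > 1:
        region = sys.argv[1]
        # Assumption: zones REGIONa/REGIONb exist; pass them explicitly if not.
        az_a = sys.argv[2] if len(sys.argv) > 3 else region + "a"
        az_b = sys.argv[3] if len(sys.argv) > 3 else region + "b"
        node_ami = lookup_ami(WALLARM_NODE_NAME_FILTER, region)
        wp_ami = lookup_ami(WORDPRESS_NAME_FILTER, region)
    else:
        region, az_a, az_b = "us-west-1", "us-west-1a", "us-west-1b"
        node_ami = wp_ami = pick_latest_ami(SAMPLE_DESCRIBE_OUTPUT)
    sys.stdout.write(render_tfvars(region, az_a, az_b, node_ami, wp_ami))
```

Redirect the output into `terraform-example/terraform/terraform.tfvars` before running `terraform plan`; the generated file contains only the region and AMI values, so the Deploy credentials still come from the `TF_VAR_*` environment variables set above and never land on disk.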
- Go to the `terraform` folder of the cloned repository:

  ```
  cd terraform-example/terraform
  ```
- Deploy the whole stack using the following commands:

  ```
  terraform init
  terraform plan
  terraform apply
  ```
After a successful run, Terraform will print out the DNS name of the deployed NLB instance. For example:

```
Apply complete! Resources: 4 added, 2 changed, 4 destroyed.

Outputs:

waf_nlb_dns_name = [
  "tf-wallarm-demo-asg-nlb-7b32738728e6ea44.elb.us-east-1.amazonaws.com",
]
```
The DNS name can be used to access the freshly installed WordPress service with the Wallarm cluster deployed in front of it.
The Wallarm cluster is configured with a self-signed SSL certificate, so it should be possible to access the same DNS name over HTTPS, but the browser will show a security warning.
You can simulate a web attack by adding `/?id='or+1=1--a-<script>prompt(1)</script>'` to the web request. The request should be blocked by Wallarm with response code 403:
A few minutes after simulating a web attack it should be possible to see two blocked attacks - SQLI and XSS - in Wallarm Console → Events:
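Checking the deployment by hand in a browser does not scale to repeated `terraform apply` runs, so here is an added example (not code from the Wallarm repository) that turns the check above into a script: it sends a benign request and the page's test request to the NLB DNS name and reports whether the node let the first through and answered the second with 403. Two details matter for anyone writing this themselves: `urllib` raises `HTTPError` for a 403, so the status has to be read from the exception, and the demo cluster's self-signed certificate means HTTPS checks must disable verification for this test only. The `offline_opener` and the host name `nlb.example.invalid` are constructed stand-ins so the script can run without a deployed stack.

```python
import ssl
import sys
import urllib.error
import urllib.request

# Test query string from this page; the node is expected to answer 403 to it.
ATTACK_QUERY = "/?id='or+1=1--a-<script>prompt(1)</script>'"


def fetch_status(url, opener=None, verify_tls=True):
    """GET url and return the HTTP status code.

    urllib raises HTTPError for 4xx/5xx, so a 403 from the node arrives as an
    exception; its .code is the status we want to record.
    """
    open_fn = opener or urllib.request.urlopen
    kwargs = {}
    if not verify_tls and url.startswith("https://"):
        # The demo NLB presents a self-signed certificate; skip verification
        # for this smoke test only, never in a production client.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        kwargs["context"] = ctx
    try:
        with open_fn(url, timeout=10, **kwargs) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def smoke_test(dns_name, opener=None, scheme="http", verify_tls=True):
    """Check that a benign request passes and the test request is blocked.

    'blocking' is True only when the test request got 403 and the benign
    request got something other than 403, which rules out a node that is
    simply rejecting everything (for example while it is still starting).
    """
    base = f"{scheme}://{dns_name}"
    baseline = fetch_status(base + "/", opener, verify_tls)
    attack = fetch_status(base + ATTACK_QUERY, opener, verify_tls)
    return {
        "baseline": baseline,
        "attack": attack,
        "blocking": attack == 403 and baseline != 403,
    }


class _FakeResponse:
    """Minimal constructed stand-in for the object urlopen returns."""

    def __init__(self, status):
        self.status = status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def offline_opener(url, timeout=None, **kwargs):
    """Constructed opener that behaves like a correctly working node:
    403 for the test query, 200 for anything else. Used for offline runs."""
    if ATTACK_QUERY in url:
        raise urllib.error.HTTPError(url, 403, "Forbidden", {}, None)
    return _FakeResponse(200)


if __name__ == "__main__":
    # Usage: python smoke_test.py NLB_DNS_NAME [http|https]
    # Without arguments the constructed offline opener is used.
    if len(sys.argv) > 1:
        scheme = sys.argv[2] if len(sys.argv) > 2 else "http"
        result = smoke_test(sys.argv[1], scheme=scheme, verify_tls=False)
    else:
        result = smoke_test("nlb.example.invalid", opener=offline_opener)
    print(result)
    sys.exit(0 if result["blocking"] else 1)
```

Run it with the `waf_nlb_dns_name` value from the Terraform output; the non-zero exit status on failure makes it usable as a post-apply gate in a pipeline. The two requests also produce the SQLi and XSS events that should appear in Wallarm Console a few minutes later, as described above.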
Wallarm node deployment settings are defined in the `wallarm_launch_config` object of the `main.tf` file. To change the settings to your own, please use the directive description available by the link.
To remove the demonstration environment, please use the `terraform destroy` command.
On the first run, the `terraform apply` command fails with the message "Error: Provider produced inconsistent final plan". What to do?

Please try to run `terraform apply` one more time. This should solve the problem.
You can get remote access to the server using the user `admin` and the proper SSH private key.

- Get remote access to the server using the user `admin` and the proper SSH private key.
- Review cloud-init logs:
  - `/var/log/cloud-init.log`
  - `/var/log/cloud-init-output.log`
- Review running processes using the command `ps -ef`.
- Check the NGINX configuration for correctness using the command `nginx -t`.
- Review NGINX error logs in the file `/var/log/nginx/error.log`.