
Specification of the Wallarm cloud-init Script

If following the Infrastructure as Code (IaC) approach, you may need to use the cloud-init script to deploy the Wallarm node to the public cloud. Starting from release 4.0, Wallarm distributes its cloud images with the ready‑to‑use cloud-init.py script that is described in this topic.

Overview of the Wallarm cloud-init script

The Wallarm cloud-init script is available under the /opt/wallarm/usr/share/wallarm-common/cloud-init.py path in the Wallarm AWS cloud image. This script performs both initial and advanced instance configuration in the following main stages:

  • Runs the Wallarm node previously created in the Wallarm Cloud by executing the Wallarm register-node script

  • Configures the instance in accordance with either the proxy or mirror approach specified in the preset variable (if deploying Wallarm using the Terraform module)

  • Fine-tunes the instance in accordance with NGINX snippets

  • Fine-tunes the Wallarm node

  • Performs health checks for the Load Balancer

The cloud-init script runs only once, on instance boot; restarting the instance does not run it again. You will find more details in the AWS documentation on the script concept.

Running the Wallarm cloud-init script

You can run the Wallarm cloud-init script as follows:

  • Launch a cloud instance and use its metadata to describe how the cloud-init.py script is run

  • Create an instance Launch Template with the cloud-init.py script and then create an auto scaling group based on it

An example of running the script to start the Wallarm node as a proxy server for httpbin.org:

#!/bin/bash
set -e

### Keep NGINX from running without Wallarm
### enabled: health checks should not be run
### before the whole setup has finished
###
systemctl stop nginx.service

/opt/wallarm/usr/share/wallarm-common/cloud-init.py \
    -t xxxxx-base64-registration-token-from-wallarm-cloud-xxxxx \
    -p proxy \
    -m monitoring \
    --proxy-pass https://httpbin.org

systemctl restart nginx.service

echo 'Wallarm Node successfully configured!'

To support the Infrastructure as Code (IaC) approach, we have implemented a Terraform module for AWS, which serves as an illustrative example of using the Wallarm cloud-init script.

The Wallarm cloud-init script help data

usage: /opt/wallarm/usr/share/wallarm-common/cloud-init.py [-h] -t TOKEN [-H HOST] [--skip-register] [-p {proxy,mirror,custom}]
                                                      [-m {off,monitoring,safe_blocking,block}] [--proxy-pass PROXY_PASS]
                                                      [--libdetection] [--global-snippet GLOBAL_SNIPPET_FILE]
                                                      [--http-snippet HTTP_SNIPPET_FILE] [--server-snippet SERVER_SNIPPET_FILE]
                                                      [-l LOG_LEVEL]

Runs the Wallarm node with the specified configuration in the PaaS cluster. https://docs.wallarm.com/waf-installation/cloud-
platforms/cloud-init/

optional arguments:
  -h, --help            show this help message and exit
  -t TOKEN, --token TOKEN
                        Wallarm node token copied from the Wallarm Console UI.
  -H HOST, --host HOST  Wallarm API server specific for the Wallarm Cloud being used: https://docs.wallarm.com/about-wallarm-
                        waf/overview/#cloud. By default, api.wallarm.com.
  --skip-register       Skips the stage of local running the node created in the Wallarm Cloud (skips the register-node script
                        execution). This stage is crucial for successful node deployment.
  -p {proxy,mirror,custom}, --preset {proxy,mirror,custom}
                        Wallarm node preset: "proxy" for the node to operate as a proxy server, "mirror" for the node to process
                        mirrored traffic, "custom" for configuration defined via NGINX snippets only.
  -m {off,monitoring,safe_blocking,block}, --mode {off,monitoring,safe_blocking,block}
                        Traffic filtration mode: https://docs.wallarm.com/admin-en/configure-parameters-en/#wallarm_mode.
  --proxy-pass PROXY_PASS
                        Proxied server protocol and address. Required if "proxy" is specified as a preset.
  --libdetection        Whether to use the libdetection library during the traffic analysis: https://docs.wallarm.com/about-wallarm-
                        waf/protecting-against-attacks.md#library-libdetection.
  --global-snippet GLOBAL_SNIPPET_FILE
                        Custom configuration to be added to the NGINX global configuration.
  --http-snippet HTTP_SNIPPET_FILE
                        Custom configuration to be added to the "http" configuration block of NGINX.
  --server-snippet SERVER_SNIPPET_FILE
                        Custom configuration to be added to the "server" configuration block of NGINX.
  -l LOG_LEVEL, --log LOG_LEVEL
                        Level of verbosity.

This script covers a few most popular configurations for AWS, GCP, Azure and other PaaS. If you need a more powerful configuration,
you are welcome to review Wallarm node public documentation: https://docs.wallarm.com.
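
A pre-flight check for the argument rules in the help text above, run before NGINX is stopped so that a bad preset, mode or --proxy-pass fails early with a clear message. This is an added example, not code from Wallarm; check_wallarm_args, deploy_node and the WALLARM_TOKEN environment variable are hypothetical names, and refusing mode "off" and accepting only http/https in --proxy-pass are assumptions of the example.

```bash
#!/bin/bash
# Added example, not Wallarm's code. check_wallarm_args, deploy_node and
# WALLARM_TOKEN are hypothetical names.
CLOUD_INIT=/opt/wallarm/usr/share/wallarm-common/cloud-init.py

# Return 0 only for a preset/mode/proxy-pass combination the help text accepts.
check_wallarm_args() {
    local preset="$1" mode="$2" proxy_pass="${3:-}"
    case "$preset" in
        proxy|mirror|custom) ;;
        *) echo "unknown preset: $preset" >&2; return 1 ;;
    esac
    case "$mode" in
        monitoring|safe_blocking|block) ;;
        # Policy of this example: deploying with filtration off is refused.
        off) echo "mode 'off' refused by policy" >&2; return 1 ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    if [ "$preset" = proxy ]; then
        # --proxy-pass is required for the proxy preset.
        # Assumption: the protocol is http or https.
        case "$proxy_pass" in
            http://?*|https://?*) ;;
            *) echo "preset 'proxy' needs --proxy-pass <protocol>://<address>" >&2
               return 1 ;;
        esac
    fi
    return 0
}

# Validate first, then keep the page's order: stop NGINX, configure, restart.
deploy_node() {
    local preset="$1" mode="$2" proxy_pass="${3:-}"
    # Assumption: the token is supplied in the environment, not written here.
    [ -n "${WALLARM_TOKEN:-}" ] || { echo "WALLARM_TOKEN is empty" >&2; return 1; }
    check_wallarm_args "$preset" "$mode" "$proxy_pass" || return 1
    set -- -t "$WALLARM_TOKEN" -p "$preset" -m "$mode"
    [ -z "$proxy_pass" ] || set -- "$@" --proxy-pass "$proxy_pass"
    systemctl stop nginx.service || return 1
    "$CLOUD_INIT" "$@" || return 1   # on failure NGINX stays stopped
    systemctl restart nginx.service
}

# Nothing runs unless the script is invoked with --apply.
if [ "${1:-}" = "--apply" ]; then
    shift
    deploy_node "$@"
fi
```

Invoked as `--apply proxy monitoring https://httpbin.org`, it reproduces the call from the example above; if cloud-init.py fails, NGINX is left stopped.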