Quick start with Terraform example code
- Quick Start
- Step 1: Downloading Terraform code example
- Step 2: Preparing Terraform environment and variables
- Step 3: Deploying described stack
- Step 4: Testing Wallarm node operation
- On the first run terraform apply command fails with message "Error: Provider produced inconsistent final plan". What to do?
- How to access the created Wallarm node instances?
- It looks like a filtering node is not getting configured properly. How to debug the instance?
- Wallarm account in the EU Cloud or US Cloud
- Username and password of the user with the Deploy role added to your company's Wallarm account. To add a new user, please follow the instructions
- AWS account and user with the admin permissions
- Accepted Terms for the WordPress Certified by Bitnami and Automattic and Wallarm Node (AI‑based NG-WAF instance) by Wallarm products on AWS Marketplace
- terraform CLI tools version 0.12.18 or later
- Download Terraform code example.
- Prepare Terraform environment and variables.
- Deploy described stack.
- Test Wallarm node operation.
Terraform code used in this example can be cloned from the open GitHub repository using the following command:
git clone -b stable/3.6 --single-branch https://github.com/wallarm/terraform-example.git
To clone the example code for a lower node version, please replace 3.6 with the relevant value in the branch name.
Configuration files are located in the terraform folder of the repository:
- variables.tf is used to define the Terraform variables that describe the managed environment
- main.tf holds the Terraform code that performs the actual AWS provisioning
Set environment variables with credentials for the Wallarm user with the Deploy role:
export TF_VAR_deploy_username='DEPLOY_USERNAME'
export TF_VAR_deploy_password='DEPLOY_PASSWORD'
- DEPLOY_USERNAME is the email of the user with the Deploy role
- DEPLOY_PASSWORD is the password of the user with the Deploy role
Set environment variables with your AWS access keys:
export AWS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'
export AWS_SECRET_ACCESS_KEY='YOUR_SECRET_ACCESS_KEY'
- YOUR_ACCESS_KEY_ID is your access key ID
- YOUR_SECRET_ACCESS_KEY is your secret access key
(Optional) Specify your public SSH key in the key_pair variable in the variables.tf file, if you plan to access the deployed EC2 instances using SSH.
(Optional) Specify the api.wallarm.com API endpoint in the wallarm_api_domain variable in the variables.tf file, if you use the EU Cloud. If you use the US Cloud, please leave the existing value.
(Optional) Set AWS region data in the variables listed below in the variables.tf file. The provided example is configured for AWS region
- aws_region (you can find the list of AWS regions here)
- wallarm_node_ami_id with the ID of the AWS EC2 Wallarm filtering node image, returned by the command below. Please replace
aws ec2 describe-images --filters "Name=name,Values=*wallarm-node-3-6*" --region REGION_CODE | jq -r '.Images[] | "\(.ImageId)"'
- wordpress_ami_id with the ID of the AWS EC2 WordPress image, returned by the command below. Please replace
aws ec2 describe-images --filters "Name=name,Values=*bitnami-wordpress-5.3.2-3-linux-ubuntu-16.04*" --region REGION_CODE | jq -r '.Images[] | "\(.ImageId)"'
Go to the terraform folder of the cloned repository.
Deploy the whole stack using the following commands:
terraform init
terraform plan
terraform apply
After a successful run, Terraform will print out a DNS name of the deployed NLB instance. For example:
Apply complete! Resources: 4 added, 2 changed, 4 destroyed.

Outputs:

waf_nlb_dns_name = [
  "tf-wallarm-demo-asg-nlb-7b32738728e6ea44.elb.us-east-1.amazonaws.com",
]
The DNS name can be used to access the freshly installed WordPress service with the Wallarm cluster deployed in front of it.
The Wallarm cluster is configured with a self-signed SSL certificate, so it should be possible to access the same DNS name over HTTPS, but the browser will show a security warning.
You can simulate a web attack by adding /?id='or+1=1--a-<script>prompt(1)</script>' to the web request. The request should be blocked by Wallarm with response code 403.
A few minutes after simulating a web attack, it should be possible to see two blocked attacks, SQLI and XSS, in Wallarm Console → Events.
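A repeatable version of the Step 4 check, as an added example that is not part of the Wallarm repository: it sends one clean request and the probe string from this page over HTTP and HTTPS, and reports whether the node passes the first and answers 403 to the second. The function names and the WAF_HOST variable are hypothetical; set WAF_HOST to the waf_nlb_dns_name output.

```shell
#!/bin/sh
# Added example, not part of the Wallarm repository. Function names and the
# WAF_HOST variable are hypothetical; WAF_HOST is the waf_nlb_dns_name output.

# Probe string exactly as given on this page.
PROBE="/?id='or+1=1--a-<script>prompt(1)</script>'"

# Print the HTTP status code for a URL; curl prints 000 when no response arrives.
# --insecure is used only because the demo node has a self-signed certificate.
http_status() {
  curl --silent --insecure --output /dev/null --max-time 10 \
       --write-out '%{http_code}' "$1" || true
}

# Map (clean request status, probe status) to a verdict.
verdict() {
  case "$1:$2" in
    000:*|*:000|:*|*:) echo unreachable ;;        # no answer for at least one request
    403:403)           echo blocks-everything ;;  # legitimate traffic is rejected too
    [23]??:403)        echo blocking ;;           # expected result
    [23]??:*)          echo not-blocking ;;       # probe was not answered with 403
    *)                 echo unexpected ;;         # e.g. the backend returns 5xx
  esac
}

# Check both listeners; return 0 only if each one passes the clean request
# and answers the probe with 403.
check_node() {
  rc=0
  for scheme in http https; do
    v=$(verdict "$(http_status "$scheme://$1/")" \
                "$(http_status "$scheme://$1$PROBE")")
    echo "$scheme: $v"
    [ "$v" = blocking ] || rc=1
  done
  return "$rc"
}

# Runs only when WAF_HOST is set, e.g. WAF_HOST=<waf_nlb_dns_name> sh check.sh
if [ -n "${WAF_HOST:-}" ]; then check_node "$WAF_HOST"; fi
```

A not-blocking or blocks-everything verdict on either listener makes the script exit non-zero, so it can gate a pipeline step that runs after terraform apply.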
Wallarm node deployment settings are defined in the wallarm_launch_config object of the main.tf file. To change the settings to your own, please use the directive description available at the link.
To remove the demonstration environment, please use the terraform destroy command.
On the first run terraform apply command fails with message "Error: Provider produced inconsistent final plan". What to do?
Please try to run terraform apply one more time. This should solve the problem.
How to access the created Wallarm node instances?
You can get remote access to the server using the user admin and the proper SSH private key.
It looks like a filtering node is not getting configured properly. How to debug the instance?
- Get remote access to the server using the user admin and the proper SSH private key.
- Review cloud-init logs:
- Review running processes using the command
- Check the NGINX configuration for correctness using command
- Review NGINX error logs in the file