This Terraform module provisions an Imperva WAF Gateway Management Server (also known as 'MX') on GCP. The MX is a critical component in the Imperva WAF Gateway architecture, serving as the centralized management interface for configuring Imperva WAF Gateways.
| Name | Version |
|---|---|
| terraform | >= 1.9 |
| google | >= 6.0.0 |

For the GCP prerequisites, please see the documentation.
```hcl
provider "google" {
  project = "my-project"
  region  = "europe-west3"
}

variable "mx_password" {
  type        = string
  description = "The password for the WAF Management Server"
  sensitive   = true
}

module "imperva_mx" {
  source                   = "imperva/wafgateway/mx/google"
  waf_version              = "15.4.0.10"
  mx_password              = var.mx_password
  vpc_network              = "my-vpc-network"
  subnet_name              = "my-subnet"
  timezone                 = "UTC"
  instance_type            = "n2-standard-4"
  zone                     = "europe-west3-a"
  ssh_access_source_ranges = ["10.0.1.0/24", "10.0.2.0/24"]
  ui_access_source_ranges  = ["10.0.0.0/8"]
}
```

This version of the module supports the following WAF Gateway versions:
- 14.7.0.160
- 14.7.0.170
- 14.7.0.180
- 15.3.0.10
- 15.3.0.20
- 15.4.0.10
The waf_version input variable must be set to one of these versions. If you need to use a different version, please open an issue or pull request.
If you are using the Gateway module in conjunction with the MX module, you can reference the MX outputs directly in the Gateway module configuration:
```hcl
module "imperva_gw" {
  source      = "imperva/wafgateway-gw/google"
  waf_version = "15.4.0.10"
  management_server_config = {
    ip          = module.imperva_mx.management_server_ip
    password    = var.mx_password
    vpc_network = "my-vpc-network"
    network_tag = module.imperva_mx.network_tag
  }
  ...
}
```

This allows you to register your WAF Gateway instances to your MX without defining explicit dependencies or hard-coding the MX IP address or network tag.
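As an added example (not part of this README and not the module's own code), the root configuration below composes the MX and Gateway modules as described above and adds Terraform `validation` blocks so that `terraform plan` fails early when `waf_version` is not one of the versions listed for this module release, or when the SSH (port 22) or UI (port 8083) source ranges are malformed or contain the unrestricted `0.0.0.0/0`. The module sources, inputs and outputs are the ones documented on this page; the `locals` block, the root-level `variable` names and the `output` are assumptions introduced here. Referencing `local.*` inside a `validation` block requires Terraform 1.9 or later, which matches the requirements table above.

```hcl
# Added example; the locals, root variables and output are assumptions,
# the module sources/inputs/outputs are those documented in this README.

# Single source of truth for the versions this module release accepts.
locals {
  supported_waf_versions = [
    "14.7.0.160", "14.7.0.170", "14.7.0.180",
    "15.3.0.10", "15.3.0.20", "15.4.0.10",
  ]
}

variable "waf_version" {
  type    = string
  default = "15.4.0.10"
  validation {
    condition     = contains(local.supported_waf_versions, var.waf_version)
    error_message = "waf_version must be one of: ${join(", ", local.supported_waf_versions)}."
  }
}

variable "mx_password" {
  type      = string
  sensitive = true
}

# Admin-only ranges for port 22 and for the UI on port 8083. Every entry
# must parse as an IPv4 CIDR, and 0.0.0.0/0 is rejected explicitly because
# it is a syntactically valid CIDR that would expose the MX to everything
# the firewall rule can reach.
variable "ssh_access_source_ranges" {
  type = list(string)
  validation {
    condition = alltrue([
      for r in var.ssh_access_source_ranges : can(cidrnetmask(r))
    ]) && !contains(var.ssh_access_source_ranges, "0.0.0.0/0")
    error_message = "ssh_access_source_ranges must be IPv4 CIDRs and must not include 0.0.0.0/0."
  }
}

variable "ui_access_source_ranges" {
  type = list(string)
  validation {
    condition = alltrue([
      for r in var.ui_access_source_ranges : can(cidrnetmask(r))
    ]) && !contains(var.ui_access_source_ranges, "0.0.0.0/0")
    error_message = "ui_access_source_ranges must be IPv4 CIDRs and must not include 0.0.0.0/0."
  }
}

module "imperva_mx" {
  source        = "imperva/wafgateway/mx/google"
  waf_version   = var.waf_version
  mx_password   = var.mx_password
  vpc_network   = "my-vpc-network"
  subnet_name   = "my-subnet"
  instance_type = "n2-standard-4"
  zone          = "europe-west3-a"

  # external_ip_address is left unset, so the MX is reachable only through
  # the VPC; project-wide SSH keys are blocked and the instance is protected
  # from accidental deletion.
  block_project_ssh_keys        = true
  enable_termination_protection = true
  ssh_access_source_ranges      = var.ssh_access_source_ranges
  ui_access_source_ranges       = var.ui_access_source_ranges
}

module "imperva_gw" {
  source      = "imperva/wafgateway-gw/google"
  waf_version = var.waf_version # Gateways run the same version as the MX
  management_server_config = {
    ip          = module.imperva_mx.management_server_ip
    password    = var.mx_password
    vpc_network = "my-vpc-network"
    network_tag = module.imperva_mx.network_tag
  }
  # The Gateway module's remaining required inputs are omitted here, as in
  # the snippet above; see that module's documentation.
}

output "management_server_url" {
  description = "UI URL of the deployed MX (internal address)"
  value       = module.imperva_mx.management_server_url
}
```

With this in place, `terraform plan -var='ui_access_source_ranges=["0.0.0.0/0"]'` stops with the validation error instead of creating a firewall rule that opens port 8083 to the world, and a typo in `waf_version` is caught before any GCP resources are touched.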

| Name | Source | Version |
|---|---|---|
| commons | imperva/wafgateway-commons/google | 1.2.1 |

| Name | Type |
|---|---|
| google_compute_firewall.mx_firewall | resource |
| google_compute_instance.mx_instance | resource |
| google_secret_manager_secret.mx_admin_secret | resource |
| google_secret_manager_secret_iam_member.mx_admin_secret_iam_member | resource |
| google_secret_manager_secret_version.mx_admin_secret_version | resource |
| google_service_account.deployment_service_account | resource |
| random_string.resource_prefix | resource |
| time_sleep.await_mx_ftl | resource |
| google_client_config.this | data source |
| google_compute_subnetwork.data_mx_subnet | data source |
| template_cloudinit_config.mx_gcp_deploy | data source |

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| instance_type | The desired machine type for your Management Server instance. | string | n/a | yes |
| mx_password | A password for your Management Server's admin user. | string | n/a | yes |
| subnet_name | The subnet name for your Management Server instance. Must be under the specified VPC network. | string | n/a | yes |
| vpc_network | The name of your target VPC network. | string | n/a | yes |
| waf_version | The Imperva WAF Gateway version to deploy (format: 'x.y.0.z'). | string | n/a | yes |
| zone | The zone in which your Management Server instance will be deployed. Must be under the same region as the specified VPC network. | string | n/a | yes |
| block_project_ssh_keys | When true, project-wide SSH keys cannot be used to access the deployed instances. | bool | false | no |
| deployment_name | A unique prefix for all deployed resources. If not provided, a random prefix will be generated. | string | "" | no |
| enable_termination_protection | When true, the Management Server instance will be protected from accidental deletion. | bool | false | no |
| external_ip_address | An unused external IPv4 address for your Management Server instance. Leave empty if no external IP address is needed. | string | "" | no |
| external_ip_network_tier | The desired network service tier for your Management Server's external IP address. Leave empty if no external IP address is needed. | string | "" | no |
| post_script | An optional bash script or command that will be executed at the end of the Gateway instance startup. | string | "" | no |
| private_ip_address | A custom private IPv4 address for your Management Server instance. The address must be within the subnetwork's range. Leave empty for automatic assignment. | string | "" | no |
| ssh_access_source_ranges | A list of IPv4 ranges in CIDR format that should have access to your Management Server via port 22 (e.g. 10.0.1.0/24). | list(string) | [] | no |
| timezone | The desired timezone for your Management Server instance. | string | "UTC" | no |
| ui_access_source_ranges | A list of IPv4 ranges in CIDR format that should have access to your Management Server via port 8083 (e.g. 10.0.1.0/24). | list(string) | [] | no |

| Name | Description |
|---|---|
| instance_name | The name of the WAF Management Server instance. |
| management_server_external_ip | The external IP address of the WAF Management Server instance. Use this IP to access the Management Server from outside the VPC network. |
| management_server_ip | The internal IP address of the WAF Management Server instance. Use this IP to register Gateways to your Management Server. |
| management_server_url | The URL to access the WAF Management Server user interface. Use this URL to log in with the admin user and the password you provided. |
| network_tag | The network tag assigned to the Management Server instance. Use this tag to allow traffic from Gateways to the Management Server. |