Deploying Next-Gen WAF with the Fastly Terraform Provider

This tutorial guides you through deploying Fastly's Next-Gen Web Application Firewall (Next-Gen WAF) for web and API endpoint security, which allows you to add an edge security service onto our Edge Cloud Platform without needing to make any modifications to your own hosting environment.

You will use the Fastly Terraform provider (fastly/fastly).

Prerequisites

Before deploying the Next-Gen WAF, ensure you have a Fastly API key with service creation and management permissions.

1. Configure Terraform provider

Ensure Terraform is configured with the required providers for Fastly:

providers.tf
Terraform HCL
terraform {
  required_providers {
    fastly = {
      source  = "fastly/fastly"
      version = ">= 8.0.0"
    }
  }
}

2. Define variables

Declare the necessary variables and resources for the Fastly Delivery Service configuration and Next-Gen WAF settings. This includes specifying domain names, backend hostnames, and API keys.

variables.tf
Terraform HCL
variable "FASTLY_API_KEY" {
  type        = string
  description = "This is the API key for the Fastly VCL edge configuration."
  sensitive   = true
}

variable "USER_VCL_SERVICE_DOMAIN_NAME" {
  type        = string
  description = "Frontend domain for your service."
  default     = "ngwaf-tf-demo.global.ssl.fastly.net"
}

variable "USER_VCL_SERVICE_BACKEND_HOSTNAME" {
  type        = string
  description = "hostname used for backend."
  default     = "http-me.fastly.dev"
}

variable "NGWAF_WORKSPACE" {
  type        = string
  description = "Workspace name for NGWAF"
  default     = "ngwaf_workspace_example"
}

variable "NGWAF_WORKSPACE_DESC" {
  type        = string
  description = "Description for NGWAF Workspace"
  default     = "This is a workspace"
}

3. Set values for variables

The values for the declared variables must be available in the environment where Terraform runs, following HashiCorp's guidance for managing variables. The API key is marked sensitive, so supply it through an environment variable or a secrets store rather than committing it to a .tfvars file.

4. Create the Next-Gen WAF workspace

Use the Fastly provider to create the Next-Gen WAF Workspace.

main.tf
Terraform HCL
resource "fastly_ngwaf_workspace" "ngwaf_edge_workspace" {
  name        = var.NGWAF_WORKSPACE
  description = var.NGWAF_WORKSPACE_DESC
  # "log" records attack signals without blocking requests; switch to blocking
  # only after reviewing what the workspace observes in log mode.
  mode = "log"

  # Attack-signal counts per time window before a source is flagged.
  attack_signal_thresholds {
    one_minute  = 100
    ten_minutes = 500
    one_hour    = 1000
    immediate   = true
  }
}

5. Update the Fastly VCL service

You attach the workspace to a service with the product_enablement block and set a traffic_ramp percentage. Use a lower percentage to test the workspace on a fraction of the service's traffic before ramping up.

main.tf
Terraform HCL
resource "fastly_service_vcl" "frontend-vcl-service" {
  name = "Frontend VCL Service - NGWAF edge deploy ${var.USER_VCL_SERVICE_DOMAIN_NAME}"

  product_enablement {
    ngwaf {
      enabled      = true
      workspace_id = fastly_ngwaf_workspace.ngwaf_edge_workspace.id
      # Percentage of traffic inspected by the WAF; lower this to test.
      traffic_ramp = 100
    }
  }

  domain {
    name    = var.USER_VCL_SERVICE_DOMAIN_NAME
    comment = "Frontend VCL Service - NGWAF edge deploy"
  }

  backend {
    address           = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
    name              = "vcl_service_origin"
    port              = 443
    use_ssl           = true
    ssl_cert_hostname = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
    ssl_sni_hostname  = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
    override_host     = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
  }

  # Allows terraform destroy to remove the service even while it is active.
  force_destroy = true
}

6. Apply configuration

Apply the Terraform configuration using the following command:

terraform apply

When the configuration is applied, the Fastly provider does the following:

  1. Clone the existing active configuration.
  2. Create a new workspace with the configured properties.
  3. Enable the ngwaf product with the newly created workspace.
  4. Activate the new version with the workspace attached.
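After the apply, it is worth confirming that the state actually contains the attachment the steps above describe. The checker below is an added example, not part of the Fastly docs or the provider: it reads `terraform show -json` output and reports services with no Next-Gen WAF enabled, workspace ids not managed in this state, partial traffic_ramp coverage, and workspaces still in log mode. It assumes the state JSON layout Terraform documents (values.root_module.resources[].values, with nested HCL blocks rendered as lists); the sample state is constructed.

```python
"""Audit terraform show -json output for the Next-Gen WAF attachment."""
from __future__ import annotations
import json
from typing import Any


def _resources(state: dict[str, Any]) -> list[dict[str, Any]]:
    # Root-module resources only; nested modules are out of scope here.
    return state.get("values", {}).get("root_module", {}).get("resources", [])


def audit_ngwaf(state: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means full blocking coverage."""
    findings: list[str] = []
    workspaces = {r["values"]["id"]: r["values"] for r in _resources(state)
                  if r["type"] == "fastly_ngwaf_workspace"}
    for ws_id, ws in workspaces.items():
        if ws.get("mode") != "block":
            findings.append(f"workspace {ws_id}: mode={ws.get('mode')!r} observes only, does not block")
    for r in _resources(state):
        if r["type"] != "fastly_service_vcl":
            continue
        svc = r["values"]["name"]
        # product_enablement and ngwaf are nested blocks, so each is a list in state JSON.
        ngwaf = [n for pe in r["values"].get("product_enablement", []) for n in pe.get("ngwaf", [])]
        enabled = [n for n in ngwaf if n.get("enabled")]
        if not enabled:
            findings.append(f"service {svc!r}: Next-Gen WAF not enabled")
            continue
        for n in enabled:
            if n.get("workspace_id") not in workspaces:
                findings.append(f"service {svc!r}: workspace_id {n.get('workspace_id')!r} not managed in this state")
            if n.get("traffic_ramp", 0) < 100:
                findings.append(f"service {svc!r}: traffic_ramp={n.get('traffic_ramp')} covers only part of traffic")
    return findings


def audit_from_json(text: str) -> list[str]:
    """Convenience wrapper: pass the raw output of `terraform show -json`."""
    return audit_ngwaf(json.loads(text))


# Constructed sample mirroring the tutorial's resources (not real Terraform output).
SAMPLE_STATE = {"values": {"root_module": {"resources": [
    {"type": "fastly_ngwaf_workspace", "name": "ngwaf_edge_workspace",
     "values": {"id": "ws-example", "name": "ngwaf_workspace_example", "mode": "log"}},
    {"type": "fastly_service_vcl", "name": "frontend-vcl-service",
     "values": {"name": "Frontend VCL Service", "product_enablement": [
         {"ngwaf": [{"enabled": True, "workspace_id": "ws-example", "traffic_ramp": 25}]}]}},
    {"type": "fastly_service_vcl", "name": "legacy",
     "values": {"name": "Legacy service", "product_enablement": []}},
]}}}

if __name__ == "__main__":
    for line in audit_ngwaf(SAMPLE_STATE):
        print(line)
```

Run it against live state with `terraform show -json | python3 audit_ngwaf.py` after replacing the sample with `audit_from_json(sys.stdin.read())`.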

Deployment Types

Deploying Next-Gen WAF edge to a new VCL service

For new implementations, you may use the complete Terraform implementation.

Deploying Next-Gen WAF edge to an existing VCL service

The same approach works for an existing VCL service: adding the product_enablement block with the workspace ID to the service resource attaches the Next-Gen WAF to that service.

Deploying Next-Gen WAF edge to an existing Next-Gen WAF site

If you already have a Next-Gen WAF site that you wish to use with the Next-Gen WAF edge implementation, import the existing workspace into Terraform state with an import block, then attach it to the service as demonstrated above.

import.tf
Terraform HCL
import {
  to = fastly_ngwaf_workspace.ngwaf_edge_workspace
  id = "YOURWORKSPACEID"
}
main.tf
Terraform HCL
# Resource block the import targets. Its values should match the existing
# workspace, otherwise the first plan after import will propose changes to it.
resource "fastly_ngwaf_workspace" "ngwaf_edge_workspace" {
  name        = var.NGWAF_WORKSPACE
  description = var.NGWAF_WORKSPACE_DESC
  mode        = "log"
  attack_signal_thresholds {
    one_minute  = 100
    ten_minutes = 500
    one_hour    = 1000
    immediate   = true
  }
}