--- title: Deploying Next-Gen WAF with the Fastly Terraform Provider summary: null url: >- https://www.fastly.com/documentation/solutions/tutorials/security/next-gen-waf-edge-integration-fastly-provider --- > **IMPORTANT:** This feature is only available to Next-Gen WAF customers with access to the Next-Gen WAF product in the Fastly control panel. If you don't have access to the product in the Fastly control panel, refer to the [Deploying Next-Gen WAF with the Signal Sciences Terraform Provider](https://www.fastly.com/documentation/solutions/tutorials/security/next-gen-waf-edge-integration/) tutorial instead. This tutorial guides you through deploying Fastly's Next-Gen WAF for web and API endpoint security, which allows you to add an edge security service onto our Edge Cloud Platform without needing to make any modifications to your own hosting environment. You will use the following Terraform provider: - [providers/fastly/fastly](https://registry.terraform.io/providers/fastly/fastly/latest/docs) ## Prerequisites Before deploying the Next-Gen WAF, ensure you have the a [Fastly API key](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/using-api-tokens/#creating-api-tokens) with service creation and management permissions; ## 1. Configure Terraform provider Ensure Terraform is configured with the required providers for Fastly: ## 2. Define variables Declare the necessary variables and resources for the Fastly Delivery Service configuration and Next-Gen WAF settings. This includes specifying domain names, backend hostnames, and API keys. ## 3. Set values for variables The values for the declared variables must be available to the environment where Terraform is running following HashiCorp's guidance for [managing variables](https://developer.hashicorp.com/terraform/enterprise/workspaces/variables/managing-variables). ## 4. Create the Next-Gen WAF workspace Use the Fastly provider to create the Next-Gen WAF Workspace. ## 5. Update the Fastly VCL service You add the workspace to a service by using the `product_enablement` block, and setting a `traffic_ramp` percentage. You can use lower percentages if you want to test your workspace. ## 6. Apply configuration Apply the Terraform configuration using the following command: ```term terraform apply ``` When the configuration is applied the Fastly provider will then do the following: 1. Clone the existing active configuration. 2. Create a new workspace with the configured properties. 3. Enable the `ngwaf` product with the newly created workspace. 4. Activate the new version with the workspace attached. ## Deployment Types ### Deploying Next-Gen WAF edge to a new VCL service For new implementations, you may use the complete Terraform implementation. ### Deploying Next-Gen WAF edge to an existing VCL service The above methodology can work for an existing VCL service as well. Adding the `product_enablement` block to the service with the Workspace ID will attach the Next-Gen WAF to the service. ### Deploying Next-Gen WAF edge to an existing Next-Gen WAF site If you already have a Next-Gen WAF site you wish to use with the Next-Gen WAF edge implementation, then you should import the workspace using Terraform. Then attach the service as demonstrated above.