---
title: Deploying Next-Gen WAF with the Signal Sciences Terraform Provider
summary: null
url: >-
  https://www.fastly.com/documentation/solutions/tutorials/next-gen-waf-edge-integration
---

> **IMPORTANT:** This feature is only available to Next-Gen WAF customers who **cannot** access the WAF using the Fastly control panel. If you can access the WAF in the Fastly control panel, refer to the [Deploying Next-Gen WAF with the Fastly Terraform Provider](https://www.fastly.com/documentation/solutions/tutorials/next-gen-waf-edge-integration-fastly-provider/) tutorial instead.

This tutorial guides you through deploying Fastly's Next-Gen Web Application Firewall (Next-Gen WAF) for web and API endpoint security using the [Edge Deployment method](https://docs.fastly.com/signalsciences/install-guides/edge/edge-deployment/), which allows you to add an edge security service onto our Edge Cloud Platform without needing to make any modifications to your own hosting environment.

You will use the following Terraform providers:

- [providers/signalsciences/sigsci](https://registry.terraform.io/providers/signalsciences/sigsci/latest/docs)
- [providers/fastly/fastly](https://registry.terraform.io/providers/fastly/fastly/latest/docs)

# Prerequisites

Before deploying the Next-Gen WAF, ensure you have the following:

- A [Fastly Edge API key](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/using-api-tokens/#creating-api-tokens) with service creation and management permissions;
- A [Next-Gen WAF API key](https://www.fastly.com/documentation/guides/next-gen-waf/developer/using-an-api-with-the-next-gen-waf) with Corp Admin permissions;
- An established Next-Gen WAF corp and [site](https://www.fastly.com/documentation/guides/next-gen-waf/managing-sites).

## 1. Configure Terraform providers

Ensure Terraform 0.13+ is configured with the required providers for Fastly:

## 2. Define variables

Declare the necessary variables and resources for the Fastly Edge VCL configuration, Next-Gen WAF settings, and dynamic snippets. This includes specifying domain names, backend hostnames, and API keys.

## 3. Set values for variables

The values for the declared variables must be available to the environment where Terraform is running, following HashiCorp's guidance for [managing variables](https://developer.hashicorp.com/terraform/enterprise/workspaces/variables/managing-variables).

## 4. Update the Fastly VCL service

Before linking the Next-Gen WAF edge deployment to the VCL service, you must add placeholders for [dynamic snippets](https://www.fastly.com/documentation/guides/full-site-delivery/fastly-vcl/vcl-snippets/using-vcl-snippets) and a [dictionary](https://www.fastly.com/documentation/guides/full-site-delivery/dictionaries) that will be used by the Next-Gen WAF integration. If the configurations are not added by Terraform, then Terraform will attempt to remove or replace the settings needed for the Next-Gen WAF Edge implementation. This behavior exists because the Next-Gen WAF Edge implementation uses the Signal Sciences Terraform provider to make updates that affect the resources defined by the Fastly provider. Populating the dictionary and dynamic snippets with the desired values for the Next-Gen WAF edge deployment is handled by the Signal Sciences Terraform provider.

The dynamic snippets are simply commented VCL and act as a placeholder for the modifications that will occur via the Next-Gen WAF edge deployment. It is worth noting that both the dictionary and dynamic snippets are versionless. This means when modifications are made (even in subsequent service versions), those modifications will persist.

The priorities of the snippets `ngwaf_config_miss` and `ngwaf_config_pass` are intentionally high, to avoid conflicts with any existing VCL logic.

## 5. Integrate the Next-Gen WAF Edge deployment

Use the Signal Sciences provider to create the Next-Gen WAF Edge Service and link it to the Fastly VCL service. This step involves setting up a dictionary and updating dynamic snippets maintained by Fastly.

_NOTE:_ The updated dynamic snippets will not be overwritten by subsequent Terraform updates because of the `manage_snippets = false` setting in the dynamic snippet Terraform configuration. If `manage_snippets` is not set to `false`, then the dynamic snippets will be overwritten and traffic for your service will not be protected by the edge Next-Gen WAF deployment.
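As an added illustration of steps 4 and 5 (not the tutorial's own listing or Fastly's reference code), the configuration below carries one placeholder snippet, `ngwaf_config_miss`, from its declaration on the VCL service through to the edge deployment link; the other snippets follow the same pattern. It assumes the providers from step 1 are already configured, and the resource labels, the variables other than `NGWAF_SITE`, the priority value and the dictionary name `Edge_Security` are assumptions.

```hcl
# Added example, not Fastly's reference code. Labels, variables other than
# NGWAF_SITE, the priority value and the dictionary name are assumptions.
variable "NGWAF_SITE" { type = string }
variable "SERVICE_DOMAIN" { type = string }
variable "ORIGIN_HOSTNAME" { type = string }

resource "fastly_service_vcl" "frontend" {
  name = "ngwaf-edge-${var.SERVICE_DOMAIN}"
  domain {
    name = var.SERVICE_DOMAIN
  }
  backend {
    name              = "origin"
    address           = var.ORIGIN_HOSTNAME
    port              = 443
    use_ssl           = true
    ssl_cert_hostname = var.ORIGIN_HOSTNAME
  }
  # Placeholder declared here; the high priority keeps it clear of existing VCL.
  dynamicsnippet {
    name     = "ngwaf_config_miss"
    type     = "miss"
    priority = 9000
  }
  dictionary {
    name = "Edge_Security"
  }
}

# Commented VCL only; manage_snippets = false keeps later applies from overwriting it.
resource "fastly_service_dynamic_snippet_content" "ngwaf_config_miss" {
  for_each        = { for s in fastly_service_vcl.frontend.dynamicsnippet : s.name => s if s.name == "ngwaf_config_miss" }
  service_id      = fastly_service_vcl.frontend.id
  snippet_id      = each.value.snippet_id
  content         = "# placeholder for ngwaf_config_miss"
  manage_snippets = false
}

resource "sigsci_edge_deployment" "edge" {
  site_short_name = var.NGWAF_SITE
}
# Link the edge security service only after the placeholder exists.
resource "sigsci_edge_deployment_service" "link" {
  site_short_name  = var.NGWAF_SITE
  fastly_sid       = fastly_service_vcl.frontend.id
  activate_version = true
  percent_enabled  = 100
  depends_on       = [sigsci_edge_deployment.edge, fastly_service_dynamic_snippet_content.ngwaf_config_miss]
}
```

With `percent_enabled` below 100, only that share of requests is sent through the WAF, so confirm the value before relying on the deployment for full coverage.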

Additionally, if you don't have [dynamic backends enabled](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/ngwaf-control-panel/maintaining-edge-waf-deployments-using-the-next-gen-waf-control-panel/#checking-whether-dynamic-backends-are-enabled), you need to add the following:

## 6. Apply configuration

Apply the Terraform configuration using the following command.

```term
terraform apply -parallelism=1
```

`-parallelism=1` is required based on guidance from the Signal Sciences Terraform provider. [In case of errors…](https://registry.terraform.io/providers/signalsciences/sigsci/latest/docs/guides/FAQ#in-case-of-errors)

When the configuration is applied, the dynamic snippets will be added in a VCL version. The Signal Sciences provider will then do the following:

1. Clone the existing active configuration.
2. Populate the dynamic snippets and Dictionary with the values needed for the Next-Gen WAF integration.
3. Activate the new version.

> **TIP:** Your local Terraform state for the VCL service won't reflect this newly incremented version of the VCL service. Run <kbd>terraform apply -parallelism=1</kbd> again in order to match the local state to the remote state. This `terraform apply` should not make any changes to the VCL service. After a successful run, you should see outputs like the following:

```text
Outputs:

live_waf_love_output = <
```

You must then update all Terraform resources that depend on the `sigsci_site` resource, by replacing all references to `sigsci_site.ngwaf_edge_site.short_name` with the value `var.NGWAF_SITE`.

## Optional: Identifying Fastly Delivery services linked with Next-Gen WAF edge deployments

Terraform can provide helpful outputs when doing a deployment. The example below shows you how to identify different Delivery services linked to a Next-Gen WAF edge deployment.

# Full reference implementation

The [fastly/ngwaf-terraform-edge-deploy](https://github.com/fastly/security-use-cases/tree/main/ngwaf-terraform-edge-deploy) repository closely follows the recommendations in this tutorial.
