# Use Terraform with Link11 WAAP

Link11 WAAP infrastructure can be managed using Terraform. The provider is [available on GitHub](https://github.com/link11dev/terraform-provider-link11waap), and its [documentation](https://registry.terraform.io/providers/link11dev/link11waap/latest/docs) is in the Terraform Registry.

If you're unfamiliar with L11WAAP (especially the API), the information below is recommended reading. Resources are described below in two ways:

* [According to traffic flow](#resources-according-to-traffic-flow) through the system, to understand the resources' roles.
* [According to internal relationships](#resources-according-to-internal-relationships), to understand dependencies and configuration.

For each resource, a link is provided to an in-depth description of that feature in the UI. Sometimes the UI will provide more configuration options than the resource does, but the links should be helpful in understanding the purpose and use of each resource.

{% hint style="warning" %}
When Link11 WAAP is updated via the provider, **the updates must be published** before they will take effect.

This can be done through the [UI](/console-walkthrough/system/publish-changes.md), [API](https://waap.docs.link11.com/using-the-product/how-do-i.../pages/8c4fZjD3vu6AWariZrzK#put-api-v4.3-tools-publish-config), or the *link11waap\_publish* resource.
{% endhint %}

## Resources according to traffic flow

Consider a request originating at a client, and destined for the origin server. Here are the Terraform resources (shown in bold) that are involved as the request flows through the system.

<figure><img src="/files/93yojsTHY4yGrRcuVLaW" alt=""><figcaption></figcaption></figure>

### Client connection to Link11 WAAP

#### Certificates and Load Balancers

These are necessary for the connection between the client and Link11. More info: [Certificates](/console-walkthrough/sites/ssl/certificates.md) and [Load Balancers](/console-walkthrough/sites/ssl/load-balancers.md).

### Traffic Source Verification

#### Trusted Networks

Link11 WAAP will only accept traffic from the trusted sources listed in [Planet Trusted Networks](/console-walkthrough/sites/proxy-templates.md#trusted-sources). These can be:

* Specific IP addresses, e.g., those of load balancers.
* The traffic sources specified in one or more Global Filters, e.g., a CDN.

#### Mobile Application Group (optional)

Link11 customers who publish native iOS or Android applications for their clients can include the Link11 WAAP Mobile SDK: a unique client certification mechanism for iOS and Android apps.

If the client is using an SDK-enabled app, then a [Mobile Application Group](/console-walkthrough/sites/mobile-application-groups.md) will define the necessary parameters for Link11 WAAP to authenticate the client.

### Policy Mapping and Traffic Routing

#### Server Group

Within Link11 WAAP, the request's destination domain parameters are defined as a [Server Group](/console-walkthrough/sites/server-groups.md).

#### Proxy Template

Link11 WAAP acts as a proxy. The [Proxy Template](/console-walkthrough/sites/proxy-templates.md) defines its characteristics in this role; the Server Group is based upon this template.

#### Security Policy

A [Security Policy](/console-walkthrough/security/security-policies.md) assigns security rulesets (those that will be enforced in the next stage) to destination paths within the Server Group.

It also determines the Edge Functions and Backend Service (see below) that will be used for the request.

### Traffic Processing

#### Global Filters

[Global Filters](/console-walkthrough/security/global-filters.md) analyze incoming requests and attach a variety of tags, according to the request's characteristics. They can also be configured to block certain requests.

As the name implies, Global Filters apply to all requests, regardless of their destination paths.

#### Rate Limits

[Rate Limit Rules](/console-walkthrough/security/rate-limit-rules.md) block traffic sources that send an excessive number of requests within a defined time period.

#### ACL Profile

Depending on a request's tags, an [ACL Profile](/console-walkthrough/security/acl-policies.md) can block it, exempt it from further processing, or perform other actions.

#### Edge Functions (optional)

[Edge Functions](/console-walkthrough/sites/edge-functions.md) are custom Lua code that can be run at various points during traffic processing, to extend Link11 WAAP's capabilities.

### Forward Legitimate Requests

#### Backend Service

Link11 WAAP will pass legitimate traffic through to the server(s) specified in the [Backend Service](/console-walkthrough/sites/backend-services.md).

The Backend Service definition that will be used is specified in the Security Policy.

### Config, Publishing, and Users

These resources are necessary for administering Link11 WAAP.

* [Config](/using-the-product/the-link11-waap-api/internal-data-structures.md#the-fundamental-data-structure-configuration): Most resources include a *config\_id* parameter. A configuration is a complete definition of L11WAAP's behavior for a specific environment; a customer can maintain multiple configurations (e.g., development, staging, and production). The default value for *config\_id* is `prod`.
* [Publishing](/using-the-product/best-practices/publish-your-changes.md): When L11WAAP's configuration is updated, the updates must be published before they will take effect.
* [Users](/console-walkthrough/system/users-management.md): This resource is for administering users of the Link11 WAAP system.
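
The publishing requirement can be checked in CI before `terraform apply`. The following is an added example, not part of the Link11 provider or its documentation: it reads the JSON form of a plan and lists changed `link11waap_*` resources when the same plan does not also create or update a *link11waap\_publish* resource. The resource type names other than `link11waap_publish` are hypothetical, and it assumes that a create or update of the publish resource is what triggers publishing.

```python
import json
import sys

PROVIDER_PREFIX = "link11waap_"      # the provider's resource types share this prefix
PUBLISH_TYPE = "link11waap_publish"  # publish resource named on this page

# Constructed sample shaped like `terraform show -json <planfile>` output.
# "link11waap_example_policy" and "link11waap_example_filter" are hypothetical types.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "link11waap_example_policy.api", "type": "link11waap_example_policy",
         "change": {"actions": ["update"]}},
        {"address": "link11waap_example_filter.cdn", "type": "link11waap_example_filter",
         "change": {"actions": ["no-op"]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"]}},
    ]
}


def unpublished_changes(plan: dict) -> list:
    """Addresses of link11waap_* resources the plan modifies when the same
    plan does not also create or update a link11waap_publish resource."""
    changed, publish_planned = [], False
    for rc in plan.get("resource_changes", []):
        rtype = rc.get("type", "")
        actions = set(rc.get("change", {}).get("actions", []))
        if not rtype.startswith(PROVIDER_PREFIX):
            continue  # other providers are out of scope
        if rtype == PUBLISH_TYPE:
            # Assumption: a create/update of the publish resource triggers a publish.
            publish_planned |= bool(actions & {"create", "update"})
        elif actions & {"create", "update", "delete"}:
            changed.append(rc["address"])
    return [] if publish_planned else sorted(changed)


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json, then pass plan.json as argv[1].
    from_file = len(sys.argv) > 1
    plan = json.load(open(sys.argv[1])) if from_file else SAMPLE_PLAN
    pending = unpublished_changes(plan)
    for address in pending:
        print(f"changed but no publish planned: {address}")
    sys.exit(1 if from_file and pending else 0)  # fail CI only on a real plan
```

A non-empty result means the plan would change WAAP configuration that stays inactive until it is published through the UI, the API, or a later apply.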

## Resources according to internal relationships

This diagram illustrates the relationships among some of the infrastructure resources.

<figure><img src="/files/uiNsn3RqCbtNQUDLvZnM" alt=""><figcaption></figcaption></figure>

The foundational resource is a Server Group, which usually represents a domain. Each Server Group is based upon a Proxy Template, has one or more certificates associated with it, and can incorporate an optional Mobile Application Group.

Each Server Group contains at least one Security Policy, or (more commonly) contains a set of Security Policies defined for different paths within the Server Group.

Each Security Policy associates a destination path with several types of security rulesets and other settings.

{% hint style="info" %}
The current Terraform version does not provide a resource for [Content Filter Profiles](/console-walkthrough/security/content-filter/profiles.md) (which define how requests are filtered according to threat signatures). The system will use a default Profile.
{% endhint %}

## More information

L11WAAP's Terraform provider is primarily a wrapper around the API. If there are questions about resource parameters or other issues, it can be helpful to read the reference guide for the equivalent API operation, which can be found in the [list of API namespaces](/reference-information/api/namespace-reference.md).

