Code comparison between deploying AS3 or FAST API Declarations with Ansible and Terraform
I found it interesting about the different ways to deploy AS3 declarations with Ansible and Terraform and I will provide some examples and a comparison at the end of the Article.
My examples below are based on the links that are in the codeshare article.
1. Ansible and AS3/FAST
With Ansible there are 2 ways to deploy AS3 declarations with the Ansible default URI module as given in the link https://clouddocs.f5.com/training/fas-ansible-workshop-101/3.0-as3-intro.html (the example uses "delegate_to: localhost" but with "connection: local" it is the same and sometimes one or the other is used to solve some bugs from what I have seen) or using the new F5 module 'bigip_as3_deploy'' , as given in link https://clouddocs.f5.com/products/orchestration/ansible/devel/f5_bigip/playbook_tutorial.html , that is much newer and simpler. The two Ansible modules in most cases do the same and support jinja2 templates as shown below but as I mentioned the F5 module is just 4 lines of code, I recommend going with it and only if a bug or a limitation is found then to try the URI module. Another advantige that "bigip_as3_deploy" has is that when a change is pushed to the AS3 (an exta node is added to the declaration or something else) this is seen in the playbook output.
F5 has ansible collection called "bigip_fast_application" that seems to use the f5 FAST iApp templates that are the replacement for the iApp templates for even simpler deployment of AS3 as FAST is a frontend for AS3 but there is not a lot of documentation about it but after playing around, I managed to figure it out 😉 (see example 3)
https://clouddocs.f5.com/products/orchestration/ansible/devel/f5_bigip/modules_2_0/module_index.html
---
- name: LINKLIGHT AS3
hosts: bigip
connection: local
gather_facts: false
collections:
- f5networks.f5_bigip
vars:
pool_members: "{{ groups['webnodes_as3'] }}"
ansible_host: xxxx
ansible_user: xxxx
ansible_httpapi_password: xxxx
ansible_httpapi_port: 443
ansible_network_os: f5networks.f5_bigip.bigip
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
private_ip: 20.20.20.22
Example_1:
tasks:
- name: CREATE AS3 JSON BODY
set_fact:
as3_app_body: "{{ lookup('template', 'as3_template.j2', split_lines=False) }}"
- name: Deploy or Update AS3
bigip_as3_deploy:
content: "{{ lookup('template','tenant_base.j2', split_lines=False) }}"
tags: [ deploy ]
Example_2:
tasks:
- name: CREATE AS3 JSON BODY
set_fact:
as3_app_body: "{{ lookup('template', 'as3_template.j2', split_lines=False) }}"
- name: PUSH AS3
uri:
url: "https://{{ ansible_host }}/mgmt/shared/appsvcs/declare"
method: POST
body: "{{ lookup('template','tenant_base.j2', split_lines=False) }}"
status_code: 200
timeout: 300
body_format: json
force_basic_auth: yes
user: "{{ ansible_user }}"
password: "{{ ansible_httpapi_password }}"
validate_certs: no
Example template as3_template.j2
"web_app": {
"class": "Application",
"template": "http",
"serviceMain": {
"class": "Service_HTTP",
"virtualAddresses": [
"{{private_ip}}"
],
"pool": "app_pool"
},
"app_pool": {
"class": "Pool",
"monitors": [
"http"
],
"members": [
{
"servicePort": 443,
"serverAddresses": [
{% set comma = joiner(",") %}
{% for mem in pool_members %}
{{comma()}} "{{ hostvars[mem]['ansible_host'] }}"
{% endfor %}
]
}
]
}
}
Example template tenant_base.j2
{
"class": "AS3",
"action": "deploy",
"persist": true,
"declaration": {
"class": "ADC",
"schemaVersion": "3.2.0",
"id": "testid",
"label": "test-label",
"remark": "test-remark",
"WorkshopExample":{
"class": "Tenant",
{{ as3_app_body }}
}
}
}
Example_3 and template simple_http.json
- name: Create FAST application
bigip_fast_application:
template: "examples/simple_http"
content: "{{ lookup('template', 'simple_http.json') }}"
state: "create"
{
"tenant_name": "Tenant9",
"application_name": "Application1",
"virtual_port": 443,
"virtual_address": "192.168.1.2",
"server_port": 80,
"server_addresses": ["10.10.10.1"]
}
2. Terraform and AS3/FAST
With Terraform there are again two ways to deploy AS3 declarations and one is to use the AS3 resource "bigip_as3" as seen in the link https://clouddocs.f5.com/products/orchestration/terraform/latest/userguide/as3-integration.html and the other is to use "bigip_fastxxx" resources as seen in the link https://community.f5.com/t5/technical-articles/manage-f5-big-ip-fast-with-terraform-intro/tac-p/309615#M13882 that are based on the F5 fast templates that in the background are again AS3. The "bigip_as3" is a nice option, simalar to Ansible "files" but as we saw in Ansible we can also not only files Jinja2 templates that can use the Ansible variables to make a dynamic configuration. The workaround seems to use "bigip_fastxxx" but this still limits us to 4 predefined FAST templates.
Example1:
variable hostname {
type = string
default = "xxxx"
}
variable username {
type = string
default = "xxxx"
}
variable password {
type = string
default = "xxxx"
}
terraform {
required_providers {
bigip = {
source = "F5Networks/bigip"
}
}
}
provider "bigip" {
address = var.hostname
username = var.username
password = var.password
}
resource "bigip_as3" "as3-example2" {
as3_json = "${file("example1.json")}"
}
resource "bigip_fast_https_app" "this" {
application = "myApp4"
tenant = "scenario4"
virtual_server {
ip = "10.1.10.224"
port = 443
}
tls_server_profile {
tls_cert_name = "/Common/default.crt"
tls_key_name = "/Common/default.key"
}
pool_members {
addresses = ["10.1.10.120", "10.1.10.121", "10.1.10.122"]
port = 80
}
snat_pool_address = ["10.1.10.50", "10.1.10.51", "10.1.10.52"]
load_balancing_mode = "least-connections-member"
monitor {
send_string = "GET / HTTP/1.1\\r\\nHost: example.com\\r\\nConnection: Close\\r\\n\\r\\n"
response = "200 OK"
}
}
Example file example1.file:
{
"class": "AS3",
"action": "deploy",
"persist": true,
"declaration": {
"class": "ADC",
"schemaVersion": "3.0.0",
"id": "example-declaration-01",
"label": "Sample 1",
"remark": "Simple HTTP application with round robin pool",
"Sample_01": {
"class": "Tenant",
"defaultRouteDomain": 0,
"Application_1": {
"class": "Application",
"template": "http",
"serviceMain": {
"class": "Service_HTTP",
"virtualAddresses": [
"10.0.2.10"
],
"pool": "web_pool"
},
"web_pool": {
"class": "Pool",
"monitors": [
"http"
],
"members": [
{
"servicePort": 80,
"serverAddresses": [
"192.0.1.100",
"192.0.1.110"
]
}
]
}
}
}
}
}
Edit:
Now I saw that F5 has made a new terraform resource named "bigip_fast_application" that is the same as the Ansible resource with the same name and it can use any FAST template and the JSON file from the Ansible example to create a FAST iApp Service but still the Jinja2 options for inserting variables in Templates are not possible with Terraform, so it will be more complex to make dynamic files for Terraform to ingest.
Example2:
resource "bigip_fast_application" "foo-app" {
template = "examples/simple_http"
fast_json = "${file("new_fast_app.json")}"
}
3. Ansible and Terraform comparison
Ansible and Terraform are great tools and it depends what you are seeking but Ansible defenetly seems the more versatile one, compared to Terraform with it's jinja2 support for sharing variables with the template files as with example "hostvars[mem]['ansible_host'] ", where the pool member's IP Addresses are taken from the Ansible inventory file. Terraform with it's "FAST" resources that utilize the FAST iApp templates, provides even more simplicy to configuring basic TCP/UDP/HTTP or HTTPS services but the Ansible module bigip_fast_application does the same and it is not limited to just 4 FAST templates (as I mentioned Terraform has released bigip_fast_application, so now it is not limited to just the 4 templates). With it's template support when a new RPM AS3 is released Ansible can use it as for Terraform in some cases a new resource needs to be created by the F5 vendor/provider for it to be available in Terraform.
There are constantly new AS3 definitions and RPM packages and Ansible has the edge in that regard with it's flexible jinja2 templates that can ingest variables! Terraform seems to have a jinja2 provider, so maybe it can auto create file that Terraform can use bit it seems complex and I have not used it or found an article about how it works, so maybe I will do a post in the future about this 😎
I am not saying in no way that Terraform shouldn't be used as when deploying resources in the AWS/Azure or other cloud provider then there Terraform is king! Better have just one tool to deploy your IaC (infrastructure as code) that will deploy the cloud native services and the F5 Virtual Machines and their configuration. If you use standard configurations that Terraform is covering, by all means better have one tool than two tools for Automation. Also terraform is better for discovering the state of already existing resources that have already been deployed as Ansible is weaker in that regard.
The deployment of F5 AWAF/ASM policies seems the next big thing as it can now also be automated, using the declarative model, so maybe I will do a comparison between Ansible and Terraform in the future for Declarative WAF deployments. Still from what I have seen the same principles seem in place, where with Terraform is easier to do it, especially for cloud deployments but Ansible has more flexibility. The cool thing is that the Declarative WAF has an "url" parameter, so the security policy can be pulled from github for example as a source of truth, so Ansible and Terraform can just be used to push the AS3 declaration to the F5 devices that will then pull the needed data from the URL.
"Arcadia_WAF_API_policy": {
"class": "WAF_Policy",
"url": "http://10.1.20.4/root/as3-waf-api/-/raw/master/policy-api.json",
"ignoreChanges": true
},
Till then, this is a nice video and articles about the subject:
https://www.youtube.com/watch?v=Ecua-WRGyJc
https://community.f5.com/t5/technical-articles/advanced-waf-v16-0-declarative-api/ta-p/289251
Edit:
Now Terraform has the option for the F5 ASM/AWAF to inject learning suggestions that the policy builder has made for a Terraform created policy and this is something Ansible still can't do. In the future Ansible could be able to do the same.
You can check:
As a fast note also as of now GTM/DNS configurations can be managed with AS3 😀
https://www.youtube.com/watch?v=OHSBpOtQg_0&t=411s
Please share your opinions as I am glad hear them and get more usefull info for this topic!