F5 Per-App AS3 Part 2 How to see if there are manual changes!
Many times when automating stuff you could miss if there are actual changes that someone has made manually but there is a way to see if that is the case.
Code version:
The code was tested on 17.1.5.3
AS3: 3.55
For more about AS3 and per-app AS3 see my previous code share Part 1 article:
https://community.f5.com/kb/codeshare/f5-per-app-as3-part-1-how-share-tenant-specific-object/345072
First we will send Per-App AS3 declaration as shown below.
{
"id": "per-app-declarationn",
"schemaVersion": "3.55.0",
"controls": {
"class": "Controls",
"logLevel": "debug",
"trace": true,
"traceResponse": true
},
"A2": {
"class": "Application",
"service": {
"class": "Service_HTTP",
"virtualAddresses": [
"10.0.3.10"
],
"pool": "web2_pool"
},
"web2_pool": {
"class": "Pool",
"monitors": [
"http"
],
"members": [{
"servicePort": 80,
"serverAddresses": [
"192.7.21.10",
"192.7.21.11"
]
}]
}
}
}
Then we will change for example virtual server ip from 10.0.3.10 to 10.0.3.11 and we will send the same declaration but with "dryRun" set to true as this will cause AS3 to validate the config but not to execute it and with trace and traceResponse we will get the difference 😎
{
"id": "per-app-declarationn",
"schemaVersion": "3.55.0",
"controls": {
"class": "Controls",
"logLevel": "debug",
"trace": true,
"dryRun": true,
"traceResponse": true
},
"A2": {
"class": "Application",
"service": {
"class": "Service_HTTP",
"virtualAddresses": [
"10.0.3.10"
],
"pool": "web2_pool"
},
"web2_pool": {
"class": "Pool",
"monitors": [
"http"
],
"members": [{
"servicePort": 80,
"serverAddresses": [
"192.7.21.10",
"192.7.21.11"
]
}]
}
}
}
Now we see that the IP has been changed from 10.0.3.10 to 10.0.3.11 and here we go now we have the difference !
This can be added in CI/CD to always first do "dry-run" using the original declaration to see if there are changes before executing the new AS3 declaration that could be for example changing the IP address to 10.0.3.12 but using the official way. Look at the Json reply "diff" section that is seen thanks to trace and traceResponse options and an automation can just check this section and stop the new deployment if the manual changes need to be reviewed first.
For AS3 basic declaration not Per-App actually the "dry-run" is a different. F5 likes changing the naming like Local Traffic policies to Endpoint Policies or naming of TLS profiles between GU/TMSH and AS3 😅
{
"$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/refs/heads/main/schema/3.55.0/as3-schema.json",
"class": "AS3",
"action": "dry-run",
"logLevel": "debug",
"trace": true,
"traceResponse": true,
"persist": true,
"declaration": {
"class": "ADC",
"schemaVersion": "3.55.0",
"id": "BIG-IP-Example-Tenant",
"Example": {
"class": "Tenant",
"Shared": {
"class": "Application",
"template": "shared",
"Example_Response": {
"remark": "Used for F5 response",
"class": "iRule",
"iRule": {
"base64": "d2hlbiBIVFRQX1JFUVVFU1Qgew0KICAgSFRUUDo6cmVzcG9uZCAyMDAgY29udGVudCB7DQogICAgICA8aHRtbD4NCiAgICAgICAgIDxoZWFkPg0KICAgICAgICAgICAgPHRpdGxlPkFwb2xvZ3kgUGFnZTwvdGl0bGU+DQogICAgICAgICA8L2hlYWQ+DQogICAgICAgICA8Ym9keT4NCiAgICAgICAgICAgIFdlIGFyZSBzb3JyeSwgYnV0IHRoZSBzaXRlIHlvdSBhcmUgbG9va2luZyBmb3IgaXMgdGVtcG9yYXJpbHkgb3V0IG9mIHNlcnZpY2U8YnI+DQogICAgICAgICAgICBJZiB5b3UgZmVlbCB5b3UgaGF2ZSByZWFjaGVkIHRoaXMgcGFnZSBpbiBlcnJvciwgcGxlYXNlIHRyeSBhZ2Fpbi4NCiAgICAgICAgIDwvYm9keT4NCiAgICAgIDwvaHRtbD4NCiAgIH0NCn0="
}
}
}
}
}
}
This will not show if someone has manually added a vlan for example as only changes on the apps that were deployed with AS3 will be seen. For those you will get error like the one below when you try to delete the partition.
"" 0107082a:3: All objects must be removed from a partition ""
https://my.f5.com/manage/s/article/K02718312
https://my.f5.com/manage/s/article/K000138638
Github link:
https://github.com/Nikoolayy1/AS3-Per-App-Manual-Changes/tree/main
