How to Use BIG-IQ and Ansible to Build Advanced BIG-IP Automation Workflows
It’s no secret that automation of networking, security, and application development processes offers a laundry list of benefits—reduced deployment time, lowered cost, fewer errors, and more resilient systems, to name a few. One of the most popular tools for building automation workflows is Ansible. Ansible is a powerful, open-source tool that simplifies and automates many common tasks and enables infrastructure as code for creating, deploying, and managing F5 application delivery and security services. This is accomplished through playbooks and roles available on Ansible Galaxy.
Another way to streamline working with BIG-IP is with BIG-IQ Centralized Management. BIG-IQ combines deep, app-centric visibility and dashboarding together with device, configuration, and policy management in a unified, intuitive user interface. From BIG-IQ, you can create new BIG-IP Virtual Editions (VEs), provision them with Declarative Onboarding, create advanced AS3 services, move deployments, upgrade software, and much more.
Together, Ansible and BIG-IQ make automation and management of your BIG-IP environment simple and straightforward, giving networking and F5 specialists, security practitioners, and application owners and developers alike an effective, data-rich, and highly visual way to work.
To make things even easier, the F5 team has developed several community-supported Ansible roles that are designed to inject automation into workflows and make BIG-IQ’s simple app-centric management functionality even better.
This workflow assumes that you already have a BIG-IQ Centralized Management deployment up and running, with a cloud environment and a BIG-IP license pool configured on it (the examples below refer to them as "BIG-IQ AWS US-East" and "byol-pool"). The end result is a fully provisioned BIG-IP deployment that can be managed entirely from BIG-IQ's role-specific GUI: client-to-server visibility, troubleshooting, object-level configuration, and so on. You can get started with these roles and workflows today by checking out F5's repository on Ansible Galaxy. To use the roles and playbooks, download and install them on the local workstation you use for managing F5 deployments, and keep the BIG-IQ and BIG-IP credentials they need in Ansible Vault rather than in the playbooks or templates themselves.
Use the Ansible roles for BIG-IQ below to:
- Create new VEs
- Onboard VEs with DO
- Create and deploy common objects such as SSL certs and WAF policies
- Create AS3 application delivery and security services
- Move deployments across BIG-IPs
For additional how-to-use resources, guidance, and labs for BIG-IQ, check out the video library and the BIG-IQ labs.
Create a BIG-IP VE in AWS
tasks:
  - name: Create a VE in AWS
    include_role:
      name: f5devcentral.bigiq_create_ve
    vars:
      cloud_environment: "BIG-IQ AWS US-East"   # cloud environment already defined on BIG-IQ
      ve_name: "bigipvm01"
    register: status
  # The role leaves ve_ip_address and private_key_filename set for the rest of the play;
  # both are reused by the onboarding, pinning and AS3 steps below.
  - name: Get AWS BIG-IP VE IP address (port 8443)
    debug:
      msg: "{{ ve_ip_address }}"
  - name: Get AWS BIG-IP VE private key filename
    debug:
      msg: "{{ private_key_filename }}"
Onboard the New BIG-IP VE with Declarative Onboarding
tasks:
  - name: Onboard BIG-IP VE with DO
    include_role:
      name: f5devcentral.atc_deploy
    vars:
      atc_service: Device
      atc_method: POST
      atc_declaration: "{{ lookup('template', 'do_bigip_aws.j2') }}"
      atc_delay: 30      # seconds between status polls while the declaration is applied
      atc_retries: 15    # give up after this many polls
    register: atc_DO_status
The template the task renders is below. It licenses the VE from the BIG-IQ license pool, provisions LTM and AVR (AVR is what feeds BIG-IQ's per-application analytics), points NTP at the AWS Time Sync Service address, sets the admin user and hostname, and tells BIG-IQ to reach the new VE on port 8443 using the SSH key returned by the previous role. Two things to check before you run it: the passwords are pulled from a Vault-encrypted variable, `bigip_admin_password` (a variable name chosen here), rather than typed into the file, and `"shell": "bash"` gives the admin user Advanced Shell access, so set it to `"tmsh"` unless you actually need bash on the box.
do_bigip_aws.j2:
{
    "class": "DO",
    "declaration": {
        "schemaVersion": "1.5.0",
        "class": "Device",
        "async": true,
        "Common": {
            "class": "Tenant",
            "myLicense": {
                "class": "License",
                "licenseType": "licensePool",
                "licensePool": "byol-pool",
                "bigIpUsername": "admin",
                "bigIpPassword": "{{ bigip_admin_password }}"
            },
            "myProvision": {
                "class": "Provision",
                "ltm": "nominal",
                "avr": "nominal"
            },
            "myNtp": {
                "class": "NTP",
                "servers": [
                    "169.254.169.123"
                ],
                "timezone": "UTC"
            },
            "admin": {
                "class": "User",
                "shell": "bash",
                "userType": "regular",
                "partitionAccess": {
                    "all-partitions": {
                        "role": "admin"
                    }
                },
                "password": "{{ bigip_admin_password }}"
            },
            "hostname": "bigipvm01.example.com"
        }
    },
    "targetUsername": "admin",
    "targetHost": "{{ ve_ip_address }}",
    "targetPort": 8443,
    "targetSshKey": {
        "path": "{{ private_key_filename }}"
    },
    "bigIqSettings": {
        "conflictPolicy": "USE_BIGIQ",
        "deviceConflictPolicy": "USE_BIGIP",
        "failImportOnConflict": false,
        "versionedConflictPolicy": "KEEP_VERSION",
        "statsConfig": {
            "enabled": true
        }
    }
}
Create SSL Certificate and Key on BIG-IQ
BIG-IQ's REST API is token-based: log in once, then send the returned token in the X-F5-Auth-Token header on every later call. The certificate task below asks BIG-IQ to generate a self-signed certificate and matching key (referenced as mywebapp.crt and mywebapp.key in the pinning step); swap in a CA-issued certificate for anything that is not a lab.
tasks:
  - name: Authenticate to BIG-IQ
    uri:
      url: "https://{{ provider.server }}:{{ provider.server_port }}/mgmt/shared/authn/login"
      method: POST
      headers:
        Content-Type: application/json
      body:
        username: "{{ provider.user }}"
        password: "{{ provider.password }}"
        loginProviderName: "{{ provider.auth_provider | default('tmos') }}"
      body_format: json
      timeout: 60
      status_code: [200, 202]
      validate_certs: "{{ provider.validate_certs }}"   # keep this true outside the lab; trust the BIG-IQ CA instead of disabling checks
    no_log: true   # keep the password and the returned token out of the play output
    register: auth
  - name: Create SSL Certificate and Key on BIG-IQ
    uri:
      url: "https://{{ provider.server }}:{{ provider.server_port }}/mgmt/cm/adc-core/tasks/certificate-management"
      method: POST
      headers:
        Content-Type: application/json
        X-F5-Auth-Token: "{{ auth.json.token.token }}"
      body: |
        {
          "issuer": "Self",
          "itemName": "mywebapp.crt",
          "itemPartition": "Common",
          "durationInDays": 365,
          "country": "US",
          "commonName": "mywebapp.example.com",
          "division": "MyDiv",
          "organization": "MyOrg",
          "locality": "Seattle",
          "state": "WA",
          "subjectAlternativeName": "DNS: mywebapp.example.com",
          "securityType": "normal",
          "keyType": "RSA",
          "keySize": 2048,
          "command": "GENERATE_CERT"
        }
      body_format: json
      timeout: 60
      status_code: [200, 202]
      validate_certs: "{{ provider.validate_certs }}"
    register: json_response
Pin and Deploy SSL Certificates and Key to BIG-IP
tasks:
  - name: Pin and deploy SSL certificate and key to BIG-IP
    include_role:
      name: f5devcentral.bigiq_pinning_deploy_objects
    vars:
      bigiq_task_name: "Deployment through Ansible/API - mywebapp"
      modules:
        - name: ltm
          pins:
            - { type: "sslCertReferences", name: "mywebapp.crt" }
            - { type: "sslKeyReferences", name: "mywebapp.key" }
      device_address: "{{ ve_ip_address }}"
    register: status
Deploy an AS3 Service to BIG-IP
tasks:
  - name: Deploy AS3 application services to BIG-IP
    include_role:
      name: f5devcentral.atc_deploy
    vars:
      atc_service: AS3
      atc_method: POST
      atc_declaration: "{{ lookup('template', 'as3_bigiq_https_app.j2') }}"
      atc_delay: 30
      atc_retries: 15
    register: atc_AS3_status
Because the declaration is sent to BIG-IQ rather than straight to the BIG-IP, `target.address` tells BIG-IQ which managed device to deploy it on. The virtual server terminates TLS with the certificate and key pinned in the previous step and sends traffic to the pool member over plain HTTP. Note that `"0.0.0.0"` in virtualAddresses is a wildcard listener on every address the BIG-IP owns; for production, pin it to the intended virtual address. Pool member addresses must be a JSON array of strings.
as3_bigiq_https_app.j2:
{
    "class": "AS3",
    "action": "deploy",
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.12.0",
        "target": {
            "address": "{{ ve_ip_address }}"
        },
        "myorg": {
            "class": "Tenant",
            "mywebapp": {
                "class": "Application",
                "schemaOverlay": "AS3-F5-HTTPS-offload-lb-existing-cert-template-big-iq-default-v1",
                "template": "https",
                "serviceMain": {
                    "class": "Service_HTTPS",
                    "pool": "Pool",
                    "enable": true,
                    "serverTLS": "TLS_Server",
                    "virtualPort": 443,
                    "profileAnalytics": {
                        "use": "Analytics_Profile"
                    },
                    "virtualAddresses": [
                        "0.0.0.0"
                    ]
                },
                "Pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "adminState": "enable",
                            "servicePort": 80,
                            "serverAddresses": [
                                "10.1.3.23"
                            ]
                        }
                    ]
                },
                "TLS_Server": {
                    "class": "TLS_Server",
                    "certificates": [
                        {
                            "certificate": "Certificate"
                        }
                    ]
                },
                "Certificate": {
                    "class": "Certificate",
                    "privateKey": {
                        "bigip": "/Common/mywebapp.key"
                    },
                    "certificate": {
                        "bigip": "/Common/mywebapp.crt"
                    }
                },
                "Analytics_Profile": {
                    "class": "Analytics_Profile",
                    "collectIp": false,
                    "collectGeo": false,
                    "collectUrl": false,
                    "collectMethod": false,
                    "collectUserAgent": false,
                    "collectOsAndBrowser": false,
                    "collectPageLoadTime": false,
                    "collectResponseCode": true,
                    "collectClientSideStatistics": true
                }
            }
        }
    }
}
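Both templates above go through `lookup('template', ...)` and then straight to BIG-IQ, so a literal password left in the DO file, an unquoted pool address in the AS3 file, or an undefined Jinja variable only surfaces as a failed deployment. The pre-flight check below is an added example (not code from the page or from F5) that a practitioner can run in CI before `atc_deploy`: it parses the raw template, flags secret-bearing keys whose value is a literal rather than a `{{ var }}` expression, renders the placeholders itself, and lints the AS3 declaration for a non-array `serverAddresses`, a wildcard `0.0.0.0` listener and an HTTPS service with no `serverTLS`. The shortened `DO_TEMPLATE` and `AS3_TEMPLATE` strings are constructed for the demo (the DO one keeps a literal `"secret"` on purpose so the check has something to find); the placeholder substitution is a minimal stand-in for Jinja2 so the script needs only the standard library.

```python
"""Pre-flight checks for DO/AS3 templates before they are handed to the atc_deploy role."""
import json
import re

# A Jinja2 expression such as {{ ve_ip_address }}; only the simple variable form is supported here.
JINJA_EXPR = re.compile(r"\{\{\s*([A-Za-z_]\w*)\s*\}\}")
SECRET_KEYS = {"password", "bigIpPassword", "passphrase"}

# Constructed sample templates, shortened from the ones on this page.
DO_TEMPLATE = """{
  "class": "DO",
  "declaration": {
    "class": "Device", "schemaVersion": "1.5.0",
    "Common": {
      "class": "Tenant",
      "myLicense": {"class": "License", "licenseType": "licensePool", "licensePool": "byol-pool",
                    "bigIpUsername": "admin", "bigIpPassword": "secret"},
      "admin": {"class": "User", "userType": "regular", "password": "{{ bigip_admin_password }}"}
    }
  },
  "targetHost": "{{ ve_ip_address }}", "targetPort": 8443
}"""

AS3_TEMPLATE = """{
  "class": "AS3", "action": "deploy",
  "declaration": {
    "class": "ADC", "schemaVersion": "3.12.0",
    "target": {"address": "{{ ve_ip_address }}"},
    "myorg": {"class": "Tenant",
      "mywebapp": {"class": "Application", "template": "https",
        "serviceMain": {"class": "Service_HTTPS", "virtualPort": 443, "pool": "Pool",
                        "serverTLS": "TLS_Server", "virtualAddresses": ["0.0.0.0"]},
        "Pool": {"class": "Pool", "members": [{"servicePort": 80, "serverAddresses": ["10.1.3.23"]}]},
        "TLS_Server": {"class": "TLS_Server", "certificates": [{"certificate": "Certificate"}]},
        "Certificate": {"class": "Certificate", "certificate": {"bigip": "/Common/mywebapp.crt"},
                        "privateKey": {"bigip": "/Common/mywebapp.key"}}}}
  }
}"""


def render(template_text, variables):
    """Substitute {{ var }} placeholders; fail loudly if one is unset so a literal '{{ x }}' never reaches BIG-IQ."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise ValueError(f"template variable '{name}' is not defined")
        return str(variables[name])
    return JINJA_EXPR.sub(sub, template_text)


def dict_nodes(node, path=()):
    """Yield (path, dict) for every object in a parsed JSON document, depth first."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from dict_nodes(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from dict_nodes(value, path + (str(i),))


def literal_secrets(doc):
    """Paths of secret-bearing keys whose value is a literal instead of a Jinja expression."""
    hits = []
    for path, obj in dict_nodes(doc):
        for key, value in obj.items():
            if key in SECRET_KEYS and isinstance(value, str) and not JINJA_EXPR.fullmatch(value.strip()):
                hits.append("/".join(path + (key,)))
    return hits


def lint_as3(decl):
    """Structural findings for a rendered AS3 declaration."""
    findings = []
    for path, obj in dict_nodes(decl):
        where = "/".join(path) or "<root>"
        cls = obj.get("class")
        if cls == "Pool":
            for i, member in enumerate(obj.get("members", [])):
                addrs = member.get("serverAddresses")
                if not (isinstance(addrs, list) and all(isinstance(a, str) for a in addrs)):
                    findings.append(f"{where}/members/{i}: serverAddresses must be a list of address strings")
        if cls == "Service_HTTPS":
            if "0.0.0.0" in obj.get("virtualAddresses", []):
                findings.append(f"{where}: 0.0.0.0 is a wildcard listener; pin the virtual address for production")
            if "serverTLS" not in obj:
                findings.append(f"{where}: Service_HTTPS without serverTLS cannot terminate TLS")
    return findings


def preflight(template_text, variables):
    """All findings for one template; an empty list means it is safe to hand to atc_deploy."""
    try:
        raw = json.loads(template_text)   # valid JSON as written, since every {{ }} sits inside a string
    except json.JSONDecodeError as err:
        return [f"template is not valid JSON: {err.msg} at line {err.lineno}"]
    findings = [f"literal secret at {p}" for p in literal_secrets(raw)]
    try:
        rendered = json.loads(render(template_text, variables))
    except ValueError as err:
        return findings + [str(err)]
    if rendered.get("class") == "AS3":
        findings += lint_as3(rendered)
    return findings


if __name__ == "__main__":
    play_vars = {"ve_ip_address": "10.0.0.5", "bigip_admin_password": "from-vault"}
    for name, text in (("do_bigip_aws.j2", DO_TEMPLATE), ("as3_bigiq_https_app.j2", AS3_TEMPLATE)):
        for finding in preflight(text, play_vars) or ["ok"]:
            print(f"{name}: {finding}")
```

Run it against the real template files by reading them from disk in place of the embedded strings; a non-empty result is a reason to stop the play before the declaration is posted.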
Move an AS3 Service Within BIG-IQ Dashboard
tasks:
  - name: Move an AS3 application service in BIG-IQ dashboard
    include_role:
      name: f5devcentral.bigiq_move_app_dashboard
    vars:
      apps:
        - name: myWebApp            # application name shown on the BIG-IQ dashboard
          pins:
            - name: "myorg_mywebapp"   # AS3 tenant_application deployed above
    register: status