Integrate BIG-IP policy management into CI/CD pipeline using Terraform and GitHub Actions

AS3 (Application Services 3) is a part of F5 Automation Toolchain which provides a flexible, low overhead mechanism for managing configurations on a BIG-IP device. In this blog, I will show you how to integrate your security and network policy management into your CICD pipelines using AS3, Terraform, GitHub Actions.

With Terraform and GitHub Actions, you can enable continuous integration and deployment practices to automate, test and deploy BIG-IP configurations as part of a pipeline.

Environment Setup

In the rest of this blog, we will go over how to create a sample workflow using GitHub Actions and Terraform. This workflow will be used to deploy an AS3 template which contains WAF (ASM) policy that will protect the backend application from any attacks.

Prerequisite

·     BIG-IP device with AS3 rpm installed and ASM enabled.

·     Backend application instance

·     GitHub account

·     AWS account

·     Local instance of Terraform installed and running (I am using Terraform version 0.14.7)

·     Terraform Cloud account

 

Setting up local CLI for Terraform Cloud

Sign in into Terraform cloud at https://www.terraform.io/

Click on Create a New workspace, select CLI (Command Line Interface) Driven Workspace and assign your workspace a name – e.g., ‘bigip-ci’

Leave the browser window and go to your terminal to clone the ‘f5devcentral/bigip-ci.git’ repository.

 

git clone https://github.com/f5devcentral/bigip-ci.git
cd bigip-ci
terraform login

 

When prompted, say ‘YES’ to proceed. This will open a new browser window where you will be asked to Create API token as shown. Give a name for your token and click ‘create API token’.

Copy the token you created and paste it into your terminal window. Your terminal will be waiting for input as shown.

Token for app.terraform.io:
Enter a value: <your token>

Set up GitHub environment to access AWS and Terraform Cloud

Go to https://github.com/<yourusername>/bigip-ci/settings/secrets/actions and create the secrets as shown below, also update the TF_API_TOKEN which you have created before

 

Enter all the secrets as shown above in your GitHub repo - AWS Secrets Key and Key ID, also update ASW_SESSION_TOKEN if you are using it.

Add your infrastructure details in Terraform cloud

On the Terraform Cloud, under the Workspace bigip-ci update the terraform variables listed below.

BIG-IP variables - address, port, username, password.  Variable deployWAF is the AS3 configuration file that has a WAF policy referenced. You can customize this to meet your requirements.

 

Before proceeding, review the main.tf and deployWAF.json and customize it as per your deployment.

cat main.tf 
terraform {
 required_providers {
  bigip = {
   source = "F5Networks/bigip"
   version = "1.4.0"
  }
 }
 backend "remote" {
  organization = "SCStest"
  workspaces {
   name = "bigip-ci"
  }
 }
}
provider "aws" {
 region = "us-west-2"
}
provider "bigip" {
 address = "https://${var.address}:${var.port}"
 username = var.username
 password = var.password
}

# deploy application using as3
resource "bigip_as3" "DeployApp" {
 as3_json = file(var.deployWAF)
}

 

Testing the CI workflow

Our environment is now setup such that the Actions workflow gets trigged when there is a PULL REQUEST to the MASTER branch. Let’s test it out by committing a minor change. On the terminal execute:

# check you are pointing to which branch
git status
#  checkout to the dev branch
git checkout dev. 
# add the changed files to gitHub, this will be your main.tf and deployWAF.json 
git add .
git commit -m "deployWAF"
# push the files to  dev branch
git push

 

Create a pull request, merge to master to trigger the Actions Workflow

 

 

Merge the pull request:

 

Click on the ‘Actions’ tab in your GitHub repo to see the trigged workflow as shown below:

 

 

When you click on the workflow, you can see the summary of jobs that are executed. A green check means the run was successful.

 

The GitHub Actions Workflow

The above merge of the Pull Request executed the sample workflow at .github/workflow/bigip-ci.yml. As shown below, the workflow has various ‘event definitions’ and ‘jobs’. In this case the event is on pull_request, and the jobs are terraform runs. The jobs listed in this workflow are: Setup Terraform, Terraform Init, Terraform Plan and Terraform Apply.

name: "bigip_waf"

on:
  push:
    branches:
      - master
  pull_request:

jobs:
  terraform:
    name: "Terraform"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1
        with:
          # terraform_version: 0.13.0:
          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}

      - name: Terraform Init
        id: init
        run: terraform init

      - name: Terraform Plan
        id: plan
        if: github.event_name == 'pull_request'
        run: terraform plan -no-color
        continue-on-error: true

      - uses: actions/github-script@0.9.0
        if: github.event_name == 'pull_request'
        env:
          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`

            <details><summary>Show Plan</summary>

            \`\`\`${process.env.PLAN}\`\`\`

            </details>

            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;

              
            github.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })

      - name: Terraform Plan Status
        if: steps.plan.outcome == 'failure'
        run: exit 1

      - name: Terraform Apply
        if: github.ref == 'refs/heads/master' && github.event_name == 'push'
        run: terraform apply -auto-approve

 

Conclusion:

BIG-IP policy management can be very easily included into your CI/CD pipelines. You can use any tools such as Jenkins, GitHub actions etc. I showed how to use GitHub Actions workflow and Terraform cloud for my setup. You can use this in your environment using the same workflow, and by changing the terraform file depending upon your BIG-IP configurations. Using similar concepts, you can test BIG-IP configurations in every state of the application delivery lifecycle – development, staging as well as in production. I hope this is helpful. Please share your thoughts and comments below.