Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 3 - Migrate)
The goal of this article is to show how you can migrate an F5 BIG-IP Advanced WAF Policy from one F5 BIG-IP to another.
Table of Contents
- Table of Contents
- Introduction
- Workflow
- File creation
- Run terraform commands
- Demo Video
- Resources
- Article Series
Introduction
You can meet this scenario in multiple use cases:
- migrating from one F5 BIG-IP to another (platform refresh)
- re-hosting (aka Lift & Shift) in a cloud migration project
- back-and-forth importing / exporting of F5 BIG-IP Advanced WAF Policies between environments (dev / test / QA / production)
TL;DR: it is just an import (see Part 2), applied to a different instance.
Workflow
File creation
Create 4 files:
- main.tf
- variables.tf
- inputs.auto.tfvars
- outputs.tf
variables.tf
variable "previous_bigip" {}
variable "new_bigip" {}
variable "username" {}
variable "password" {
  sensitive = true # keeps the credential out of plan and apply output (Terraform 0.14+)
}
inputs.auto.tfvars
previous_bigip = "10.1.1.8:443"
new_bigip = "10.1.1.9:443"
username = "admin"
password = "whatIsYourBigIPPassword?"
main.tf
terraform {
  required_providers {
    bigip = {
      source  = "F5Networks/bigip"
      version = "1.15"
    }
  }
}

provider "bigip" {
  alias    = "old"
  address  = var.previous_bigip
  username = var.username
  password = var.password
}

provider "bigip" {
  alias    = "new"
  address  = var.new_bigip
  username = var.username
  password = var.password
}

resource "bigip_waf_policy" "current" {
  provider      = bigip.old
  partition     = "Common"
  name          = "scenario3"
  template_name = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
}
Note: the template name can be set to anything here; when the policy is imported, the value is overwritten with the one read from the device.
Here we defined two F5 BIG-IPs: "old" and "new". The "old" F5 BIG-IP holds the existing F5 BIG-IP Advanced WAF Policy; the "new" one is our target.
Run terraform commands
As in (Part 2) Import and Manage an existing F5 BIG-IP Advanced WAF Policy, we need the policy ID.
Now run the following commands, so we can:
- initialize the Terraform project
- import the current F5 BIG-IP Advanced WAF Policy from the "old" F5 BIG-IP into our state
- create the F5 BIG-IP Advanced WAF Policy resource for the "new" F5 BIG-IP, pointing at the imported state
- configure the lifecycle of our F5 BIG-IP Advanced WAF Policy
foo@bar:~$ terraform init
foo@bar:~$ terraform import bigip_waf_policy.current YiEQ4l1Fw1U9UnB2-mTKWA
At this point we can write the JSON policy either to a local file or to a remote repo, so we can use it as the policy_import_json baseline for the new F5 BIG-IP.
foo@bar:~$ terraform show -json | jq '.values.root_module.resources[].values.policy_export_json | fromjson' > currentWAFPolicy.json
resource "bigip_waf_policy" "migrated" {
  provider             = bigip.new
  application_language = "utf-8"
  partition            = "Common"
  name                 = "scenario3"
  policy_id            = "YiEQ4l1Fw1U9UnB2-mTKWA"
  template_name        = "POLICY_TEMPLATE_COMPREHENSIVE"
  type                 = "security"
  policy_import_json   = file("${path.module}/currentWAFPolicy.json")
}
At this point you can remove the current bigip_waf_policy resource from the configuration. Removing the block while it is still in the state makes Terraform plan a destroy of the policy on the "old" device, so if you want to stop managing it without deleting it, drop it from the state first (terraform state rm bigip_waf_policy.current).
If you keep both the old and the new devices and plan to keep making changes on the old device, just reference it implicitly instead:
resource "bigip_waf_policy" "migrated" {
  provider             = bigip.new
  application_language = "utf-8"
  partition            = "Common"
  name                 = "scenario3"
  policy_id            = "YiEQ4l1Fw1U9UnB2-mTKWA"
  template_name        = "POLICY_TEMPLATE_COMPREHENSIVE"
  type                 = "security"
  policy_import_json   = bigip_waf_policy.current.policy_export_json
}
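The jq pipeline above relies on `resources[]` matching a single resource, which is true right after the import but no longer once the "migrated" resource is in the state: the wildcard then emits two documents into currentWAFPolicy.json. The following is an added example, not code from the article or from the F5 provider. It reads `terraform show -json` output, selects the export of one resource by its address, sanity-checks that the export names the policy you expect before it becomes the baseline for the new device, and, once both resources exist, lists where the old and new exports differ so the migration can be verified. The `terraform show -json` shape and the export's top-level `policy` object are modelled on the command in the article; the sample document, the `createdDatetime` field used as an example of a device-stamped value, and the script name are constructed assumptions.

```python
"""Added helper around `terraform show -json` for the WAF policy migration.

Not part of the article or the F5 Terraform provider. Usage (assumed file name):
    terraform show -json | python3 extract_waf_policy.py bigip_waf_policy.current > currentWAFPolicy.json
"""
import json
import sys
from typing import Any


def _policy(name: str, **extra: Any) -> str:
    """Build a constructed stand-in for policy_export_json (a JSON string)."""
    body = {"name": name, "fullPath": f"/Common/{name}",
            "enforcementMode": "blocking",
            "template": {"name": "POLICY_TEMPLATE_COMPREHENSIVE"}}
    body.update(extra)
    return json.dumps({"policy": body})


# Constructed sample of `terraform show -json` once both resources exist.
# Only the fields read below are modelled; the policy_id is the one from the article.
# `createdDatetime` is an assumed name for a field the device stamps on export.
SAMPLE_SHOW_JSON = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"resources": [
        {"address": "bigip_waf_policy.current", "type": "bigip_waf_policy",
         "name": "current",
         "values": {"name": "scenario3", "partition": "Common",
                    "policy_id": "YiEQ4l1Fw1U9UnB2-mTKWA",
                    "policy_export_json": _policy("scenario3", createdDatetime="2022-01-01T10:00:00Z")}},
        {"address": "bigip_waf_policy.migrated", "type": "bigip_waf_policy",
         "name": "migrated",
         "values": {"name": "scenario3", "partition": "Common",
                    "policy_id": "YiEQ4l1Fw1U9UnB2-mTKWA",
                    "policy_export_json": _policy("scenario3", createdDatetime="2022-02-01T10:00:00Z")}},
    ]}},
})


def export_policy(show_json: str, address: str) -> dict:
    """Return the decoded policy_export_json of exactly one resource.

    Selecting by address rather than `resources[]` keeps the output a single
    JSON document even after a second bigip_waf_policy resource is in the state.
    """
    doc = json.loads(show_json)
    resources = doc.get("values", {}).get("root_module", {}).get("resources", [])
    matches = [r for r in resources if r.get("address") == address]
    if len(matches) != 1:
        raise ValueError(f"expected one resource at {address}, found {len(matches)}")
    values = matches[0]["values"]
    policy = json.loads(values["policy_export_json"])  # the `fromjson` step of the jq pipeline
    body = policy.get("policy")
    if not isinstance(body, dict):
        raise ValueError("export has no top-level 'policy' object")
    # Before this export becomes the baseline for the new device, make sure it
    # really describes the policy the resource claims to manage.
    if body.get("name") != values.get("name"):
        raise ValueError(f"export names {body.get('name')!r}, resource is {values.get('name')!r}")
    return policy


def policy_diff(old: Any, new: Any, ignore_keys: frozenset = frozenset(), path: str = "") -> list:
    """Recursively list the JSON paths at which two decoded exports differ.

    Keys named in ignore_keys are skipped at any depth. Which fields the device
    stamps itself (timestamps, device-local ids) is not enumerated in the
    article, so treat the set you pass as an assumption to confirm against a
    real export.
    """
    if isinstance(old, dict) and isinstance(new, dict):
        diffs = []
        for key in sorted(set(old) | set(new)):
            if key in ignore_keys:
                continue
            child = f"{path}.{key}" if path else key
            if key not in old or key not in new:
                diffs.append(child)
            else:
                diffs.extend(policy_diff(old[key], new[key], ignore_keys, child))
        return diffs
    if isinstance(old, list) and isinstance(new, list):
        if len(old) != len(new):
            return [f"{path}[len {len(old)} != {len(new)}]"]
        diffs = []
        for i, (a, b) in enumerate(zip(old, new)):
            diffs.extend(policy_diff(a, b, ignore_keys, f"{path}[{i}]"))
        return diffs
    return [] if old == new else [path]


if __name__ == "__main__":
    address = sys.argv[1] if len(sys.argv) > 1 else "bigip_waf_policy.current"
    json.dump(export_policy(sys.stdin.read(), address), sys.stdout, indent=2)
```

After `terraform apply` on the "new" device, a second `terraform show -json` fed through `export_policy` for both addresses and then `policy_diff` gives a concrete list of fields that did not carry over, which is the check worth running before the old device is decommissioned.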
Demo Video
Nice!
- buulamAdmin
This is a great solution!