Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 3 - Migrate)

The goal of this article is to show how to migrate an F5 BIG-IP Advanced WAF Policy from one F5 BIG-IP to another.

Introduction

You will meet this scenario in several use cases:

  • migrating from one F5 BIG-IP to another (platform refresh)
  • re-hosting (aka lift and shift) in a cloud migration project
  • moving F5 BIG-IP Advanced WAF Policies back and forth between environments (dev / test / QA / production)

TL;DR: this is just an import (see Part 2) applied to a different instance, with the exported policy JSON used to seed the target device.

Workflow

File creation

Create 4 files:

  • main.tf
  • variables.tf
  • inputs.auto.tfvars
  • outputs.tf

variables.tf

variable "previous_bigip" { type = string }
variable "new_bigip" { type = string }
variable "username" { type = string }
variable "password" {
  type      = string
  sensitive = true # Terraform >= 0.14; keeps the value out of plan/apply output
}

inputs.auto.tfvars

previous_bigip = "10.1.1.8:443"
new_bigip = "10.1.1.9:443"
username = "admin"
password = "whatIsYourBigIPPassword?"

Note: a real password does not belong in a file that ends up in a repository. Leave password out of inputs.auto.tfvars and pass it through the TF_VAR_password environment variable (or a secrets manager) instead; the variable is the same, only the source changes. The terraform.tfstate file will still contain the provider configuration and the exported policy, so protect the state (remote backend, encryption, restricted access) as you would the credentials themselves.

main.tf

terraform {
  required_providers {
    bigip = {
      source = "F5Networks/bigip"
      version = "1.15"
    }
  }
}

provider "bigip" {
  alias    = "old"
  address  = var.previous_bigip
  username = var.username
  password = var.password
}

provider "bigip" {
  alias    = "new"
  address  = var.new_bigip
  username = var.username
  password = var.password
}


resource "bigip_waf_policy" "current" {
  provider             = bigip.old
  partition            = "Common"
  name                 = "scenario3"
  template_name        = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
}

Note: the template name can be set to anything at this point; the import overwrites it with the value read from the "old" F5 BIG-IP.

Here we define two F5 BIG-IPs: "old" and "new". The "old" F5 BIG-IP holds the existing F5 BIG-IP Advanced WAF Policy; the "new" one is our target.

Run terraform commands

As in Part 2 (Import and Manage an existing F5 BIG-IP Advanced WAF Policy), we need the policy ID of the policy on the "old" F5 BIG-IP.

Now run the following commands, so we can:

  1. Initialize the terraform project
  2. Import the current F5 BIG-IP Advanced WAF policy from the "old" F5 BIG-IP into our state
  3. Create the F5 BIG-IP Advanced WAF Policy resource for the "new" F5 BIG-IP, pointing to the imported state
  4. Configure the lifecycle of our F5 BIG-IP Advanced WAF Policy

foo@bar:~$ terraform init
foo@bar:~$ terraform import bigip_waf_policy.current YiEQ4l1Fw1U9UnB2-mTKWA

At this point we can write the exported JSON policy to a local file (or push it to a remote repo) and use it as the policy_import_json baseline for the new F5 BIG-IP. Select the resource by its address rather than taking every resource in the state: once the "migrated" resource exists, a bare resources[] filter returns two policies and the file becomes invalid JSON.

foo@bar:~$ terraform show -json | jq '.values.root_module.resources[] | select(.address == "bigip_waf_policy.current") | .values.policy_export_json | fromjson' > currentWAFPolicy.json
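The same extraction done in Python, as an added example that is not code from the article or from the F5 provider: it selects the resource by its Terraform address (so a second bigip_waf_policy resource in the state does not break it), decodes policy_export_json, which is stored as a JSON string inside the state, and checks that the decoded document is the policy we imported before it becomes the baseline. The terraform show -json document and the policy body embedded below are constructed samples; the declarative-policy field names (policy.name, policy.template.name, policy.applicationLanguage, policy.enforcementMode) are assumptions about the export format.

```python
"""Extract the imported WAF policy from `terraform show -json` output.

Added example for the article; not part of the F5 Terraform provider.
Usage: terraform show -json | python3 extract_policy.py -
Without "-" it runs against the constructed sample below.
"""
import json
import sys
from pathlib import Path

# Constructed stand-in for `terraform show -json` after the import.
# The second resource shows why selecting by address matters: a naive
# `resources[]` filter would emit both entries (the second one empty).
SAMPLE_SHOW_JSON = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"resources": [
        {"address": "bigip_waf_policy.current", "type": "bigip_waf_policy",
         "name": "current", "values": {
             "name": "scenario3", "partition": "Common",
             "policy_id": "YiEQ4l1Fw1U9UnB2-mTKWA",
             # policy_export_json is a JSON string inside the state (hence dumps)
             "policy_export_json": json.dumps({"policy": {      # assumed format
                 "name": "scenario3", "applicationLanguage": "utf-8",
                 "enforcementMode": "blocking",
                 "template": {"name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"}}})}},
        {"address": "bigip_waf_policy.migrated", "type": "bigip_waf_policy",
         "name": "migrated", "values": {
             "name": "scenario3", "partition": "Common",
             "policy_export_json": None}},
    ]}},
})


def find_resource(show_json: str, address: str) -> dict:
    """Return the `values` map of the resource with the given Terraform address."""
    doc = json.loads(show_json)
    for res in doc["values"]["root_module"]["resources"]:
        if res["address"] == address:
            return res["values"]
    raise KeyError(f"{address} is not in the state")


def extract_policy(show_json: str, address: str = "bigip_waf_policy.current") -> dict:
    """Decode policy_export_json (jq's `fromjson`) and sanity-check the result."""
    values = find_resource(show_json, address)
    raw = values.get("policy_export_json")
    if not raw:
        raise ValueError(f"{address} has no policy_export_json; was it imported?")
    policy_doc = json.loads(raw)
    policy = policy_doc.get("policy")
    if not isinstance(policy, dict) or "name" not in policy:
        raise ValueError("export does not look like a declarative WAF policy")
    # Refuse to write a baseline for a different policy than the resource names.
    if policy["name"] != values["name"]:
        raise ValueError(f"policy {policy['name']!r} != resource name {values['name']!r}")
    return policy_doc


def has_export(show_json: str, address: str) -> bool:
    """True when the resource carries a decodable export for the named policy."""
    try:
        extract_policy(show_json, address)
        return True
    except (KeyError, ValueError):
        return False


def render_baseline(show_json: str, address: str = "bigip_waf_policy.current") -> str:
    """Pretty-printed, key-sorted JSON: stable diffs when the file lives in git."""
    return json.dumps(extract_policy(show_json, address), indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    src = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_SHOW_JSON
    out = Path("currentWAFPolicy.json")   # the file main.tf reads with file()
    out.write_text(render_baseline(src))
    print(f"wrote {out}")
```

Sorting the keys is deliberate: the same policy exported twice then produces an identical file, so a diff in the repo means the policy on the "old" device actually changed, not that the export was reordered.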

Then declare the policy on the "new" F5 BIG-IP, seeded from that file:

resource "bigip_waf_policy" "migrated" {
  provider             = bigip.new
  application_language = "utf-8"
  partition            = "Common"
  name                 = "scenario3"
  policy_id            = "YiEQ4l1Fw1U9UnB2-mTKWA"
  template_name        = "POLICY_TEMPLATE_COMPREHENSIVE"
  type                 = "security"
  policy_import_json   = file("${path.module}/currentWAFPolicy.json")
}

At this point you can remove the bigip_waf_policy.current resource from the configuration. Remove it from the Terraform state first (terraform state rm bigip_waf_policy.current): if you only delete the resource block, the next terraform apply will destroy the policy on the "old" F5 BIG-IP.

If you keep both devices and plan to keep making changes on the old one, reference the export of the "current" resource directly instead of the file. This creates an implicit dependency between the two resources: every terraform plan refreshes the export from the "old" F5 BIG-IP, and any difference is applied to the "new" one.

resource "bigip_waf_policy" "migrated" {
  provider             = bigip.new
  application_language = "utf-8"
  partition            = "Common"
  name                 = "scenario3"
  policy_id            = "YiEQ4l1Fw1U9UnB2-mTKWA"
  template_name        = "POLICY_TEMPLATE_COMPREHENSIVE"
  type                 = "security"
  policy_import_json   = bigip_waf_policy.current.policy_export_json
}

 

Published Sep 23, 2022
Version 1.0