Manage F5 BIG-IP FAST with Terraform (Intro)

In this article, i will present a suite of use cases using the F5 BIG-IP Application Services Templates (FAST) Terraform resources introduced on the F5 BIG-IP Terraform Provider on version 1.16.

• Introduction
• Requirements
• Best Practices
• Description
• What is Terraform?
• F5 BIG-IP Application Service Templates
• F5 BIG-IP Application Service Templates resources
• Resources
• Article Series

Introduction

Requirements

• It requires F5 BIG-IP FAST latest version (1.22) because we use the F5 BIG-IP Application Service Templates.
• Terraform version +0.11 (see minimal requirements)
• F5 BIG-IP AS3 installed on F5 BIG-IP device F5 BIG-IP AS3
• F5 BIG-IP FAST installed on F5 BIG-IP device F5 BIG-IP FAST

Best Practices

Increasing the memory allocation for AS3 and increasing the timeout for REST API is recommended F5 BIG-IP AS3 Best Practices You can apply the following steps and/or adapt it to your environment:

• tmsh modify sys db provision.extramb value 512
• tmsh modify sys db restjavad.useextramb value true
• tmsh save sys config
• tmsh modify sys db icrd.timeout value 180
• tmsh modify sys db restjavad.timeout value 180
• tmsh modify sys db restnoded.timeout value 180
• tmsh modify sys db icrd.timeout value 180
• tmsh save sys config
• tmsh restart sys service restjavad
• tmsh restart sys service restnoded

Description

The current version is 1.16 and it gives the capability to :

• Create an UDP application
• Create a TCP application
• Create a HTTP application
• Create a HTTPS application
• Create multiple applications in the same tenant
• Create an application using existing items on F5 BIG-IP device
• Manage multiple AWAF policies and pools based on HTTP criteria
• Manage Canary testing of AWAF policies

What is Terraform?

 

“HashiCorp Terraform is an infrastructure as code tool that lets you define both cloud and on-prem resources in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. »

https://www.terraform.io/intro

"… but wait! Terraform is not a Configuration Management tool. I should use Ansible for that!”

True.

Terraform is not a config management tool and I would say: “use whatever you feel comfortable and happy working with”… but keep also that in mind:

• We keep a record of the state created in the past and can easily track security changes who did what and when.
• If your underlying infrastructure is Public Cloud, you may already use Terraform for any other cloud services. You may want to reduce automation tool sprawl, to keep a consistent end-to-end state and reduce the learning and adoption curves.

 

F5 BIG-IP Application Service Templates

 

F5 BIG-IP Application Services Templates (FAST) provides a way to streamline deployment of applications on F5 BIG-IP using templatized AS3 declarations. FAST enables users to deploy templated AS3-based configurations via a declarative API (with AS3 as the first use-case), as well as via a self-generated forms-based GUI. 

The FAST Extension provides a toolset for templating and managing AS3 Applications on BIG-IP.

FAST is:

• A flexible and powerful templating system
• An effective way to deploy applications on the BIG-IP system using AS3
• Seamless integration and insertion into CI/CD pipelines

The documentation of F5 BIG-IP Application Services Templates (FAST) is located here.

 

F5 BIG-IP Application Service Templates resources

The F5 BIG-IP Terraform resources leverage our F5 BIG-IP Application Service Templates.

• The bigip_fast_udp_app resource will create and manage FAST UDP applications on BIG-IP from provided JSON declaration.
• The bigip_fast_tcp_app resource will create and manage FAST TCP applications on BIG-IP from provided JSON declaration.
• The bigip_fast_http_app resource will create and manage FAST HTTP applications on BIG-IP.
• the bigip_fast_https_app resource will create and manage FAST HTTPS applications on BIG-IP.

F5 BIG-IP Application Service Templates resources allows to create a new item in the virtual server configuration like a pool or a monitor but also to reuse existing items.

 

Here an example of bigip_fast_https_app resources:

resource "bigip_fast_https_app" "this" {
  application               = "myApp4"
  tenant                    = "scenario4"
  virtual_server            {
    ip                        = "10.1.10.224"
    port                      = 443
  }
  tls_server_profile {
    tls_cert_name             = "/Common/app4.crt"
    tls_key_name              = "/Common/app4.key"
  }
  pool_members  {
    addresses                 = ["10.1.10.120", "10.1.10.121", "10.1.10.122"]
    port                      = 80
  }
  snat_pool_address = ["10.1.10.50", "10.1.10.51", "10.1.10.52"]
  load_balancing_mode       = "least-connections-member"
  monitor       {
    send_string               = "GET / HTTP/1.1\\r\\nHost: example.com\\r\\nConnection: Close\\r\\n\\r\\n"
    response                  = "200 OK"
  }
  depends_on          = [bigip_ssl_certificate.app4crt, bigip_ssl_key.app4key]
}

 

Resources

Terraform Registry documentation