Manage F5 BIG-IP FAST with Terraform (Intro)

In this article, I will present a suite of use cases using the F5 BIG-IP Application Services Templates (FAST) Terraform resources introduced in version 1.16 of the F5 BIG-IP Terraform Provider.

Introduction

Requirements

Best Practices

Increasing the memory allocation for AS3 and increasing the timeout for the REST API is recommended (see F5 BIG-IP AS3 Best Practices). You can apply the following steps and/or adapt them to your environment:
  • tmsh modify sys db provision.extramb value 512
  • tmsh modify sys db restjavad.useextramb value true
  • tmsh save sys config
  • tmsh modify sys db icrd.timeout value 180
  • tmsh modify sys db restjavad.timeout value 180
  • tmsh modify sys db restnoded.timeout value 180
  • tmsh modify sys db icrd.timeout value 180
  • tmsh save sys config
  • tmsh restart sys service restjavad
  • tmsh restart sys service restnoded

Description

The current version is 1.16 and it gives you the capability to:
  • Create a UDP application
  • Create a TCP application
  • Create an HTTP application
  • Create an HTTPS application
  • Create multiple applications in the same tenant
  • Create an application using existing items on F5 BIG-IP device
  • Manage multiple AWAF policies and pools based on HTTP criteria
  • Manage Canary testing of AWAF policies

What is Terraform?

 

"HashiCorp Terraform is an infrastructure as code tool that lets you define both cloud and on-prem resources in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle."

https://www.terraform.io/intro

"… but wait! Terraform is not a Configuration Management tool. I should use Ansible for that!"

True.

Terraform is not a config management tool and I would say: "use whatever you feel comfortable and happy working with"… but also keep this in mind:

  • We keep a record of the state created in the past and can easily track security changes: who did what and when.
  • If your underlying infrastructure is Public Cloud, you may already use Terraform for any other cloud services. You may want to reduce automation tool sprawl, to keep a consistent end-to-end state and reduce the learning and adoption curves.

 

F5 BIG-IP Application Service Templates

 

F5 BIG-IP Application Services Templates (FAST) provides a way to streamline deployment of applications on F5 BIG-IP using templatized AS3 declarations. FAST enables users to deploy templated AS3-based configurations via a declarative API (with AS3 as the first use-case), as well as via a self-generated forms-based GUI. 

The FAST Extension provides a toolset for templating and managing AS3 Applications on BIG-IP.

FAST is:

  • A flexible and powerful templating system
  • An effective way to deploy applications on the BIG-IP system using AS3
  • Seamless integration and insertion into CI/CD pipelines

The documentation of F5 BIG-IP Application Services Templates (FAST) is located here.

 

F5 BIG-IP Application Service Templates resources

The F5 BIG-IP Terraform resources leverage our F5 BIG-IP Application Service Templates.

  • The bigip_fast_udp_app resource will create and manage FAST UDP applications on BIG-IP from provided JSON declaration.
  • The bigip_fast_tcp_app resource will create and manage FAST TCP applications on BIG-IP from provided JSON declaration.
  • The bigip_fast_http_app resource will create and manage FAST HTTP applications on BIG-IP.
  • The bigip_fast_https_app resource will create and manage FAST HTTPS applications on BIG-IP.

The F5 BIG-IP Application Service Templates resources let you create new items in the virtual server configuration, such as a pool or a monitor, and also reuse existing items.

 

Here is an example of a bigip_fast_https_app resource:
resource "bigip_fast_https_app" "this" {
  application = "myApp4"
  tenant      = "scenario4"

  # Client-facing listener
  virtual_server {
    ip   = "10.1.10.224"
    port = 443
  }

  # Certificate and key used to terminate TLS on the virtual server
  tls_server_profile {
    tls_cert_name = "/Common/app4.crt"
    tls_key_name  = "/Common/app4.key"
  }

  pool_members {
    addresses = ["10.1.10.120", "10.1.10.121", "10.1.10.122"]
    port      = 80
  }

  snat_pool_address   = ["10.1.10.50", "10.1.10.51", "10.1.10.52"]
  load_balancing_mode = "least-connections-member"

  # Health monitor; the doubled backslashes pass the literal text \r\n to BIG-IP
  monitor {
    send_string = "GET / HTTP/1.1\\r\\nHost: example.com\\r\\nConnection: Close\\r\\n\\r\\n"
    response    = "200 OK"
  }

  # The certificate and key must exist on the BIG-IP before the application is created
  depends_on = [bigip_ssl_certificate.app4crt, bigip_ssl_key.app4key]
}

 

Resources

Terraform Registry documentation

 

Article Series

Manage F5 BIG-IP FAST with Terraform (Intro)

Published Nov 28, 2022
Version 1.0