Using F5's Terraform modules in an air-gapped environment

Introduction

IT industry research, such as Accelerate, shows that improving a company's ability to deliver software is critical to its overall success. The following key practices and design principles are cornerstones of that improvement.

  • Version control of code and configuration
  • Automation of Deployment
  • Automation of Testing and Test Data Management
  • "Shifting Left" on Security
  • Loosely Coupled Architectures
  • Pro-active Notification


F5 has published Terraform modules on GitHub.com to help customers adopt deployment automation practices, focused on streamlining instantiation of BIG-IPs on AWS, Azure, and Google. Using these modules allows F5 customers to leverage their embedded knowledge and expertise.


But we have limited access to public resources

Not all customer Terraform automation hosts running the CLI or enterprise products are able to access public internet resources like GitHub.com and the Terraform Registry. The following steps describe how to create and maintain a private air-gapped copy of F5's modules for these secured customer environments.


Creating your air-gapped copy of the modules you need

This example uses a personal GitHub account as an analog for air-gapped targets. So, we can't use the fork feature of github.com to create the copy.

For this approach, we're assuming a workstation that has access to both the source repository host and the target repository host. So, not truly fully air-gapped. We'll show a workflow using git bundle in the future.


  1. Retrieve the remote URL for one of the modules at F5's devcentral GitHub account

  2. Export the remote URL for the source repository

export MODULEGITHUBURL="git@github.com:f5devcentral/terraform-aws-bigip-module.git"

  3. Create a repository on the target air-gapped host

Follow the appropriate directions for the air-gapped hosted Git (BitBucket, GitLab, GitHub Enterprise, etc.), and retrieve the remote URL for this repository.

  4. Export the remote URL for the air-gapped repository

Note: The air-gapped repository is still empty at this point.

Note: The example uses github.com; your real-world use will be your internal git host.

export MODULEAIRGAPURL="git@github.com:myteamsaccount/localmodulerepo.git"

  5. Clone the module source repository

This example uses F5's module for AWS.

git clone "$MODULEGITHUBURL"

  6. Add the target repository as an additional remote

Again, we're using F5's AWS module as an example. We're using the remote URL exported as MODULEAIRGAPURL to create the additional git repository remote.

cd terraform-aws-bigip-module
git remote add airgap "$MODULEAIRGAPURL"

  7. Pass the latest to the air-gapped repository

Note: In the example below we're pushing the main branch. In some older repositories, the primary repository branch may still be named master.

Note: Pushing the tags into the airgap repository is critical to version management of the modules.

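# get the latest from the origin repository, including its tags
git fetch --tags origin
# fast-forward the local main branch to what was just fetched
git merge --ff-only origin/main
# push any changes to the airgap repository
git push airgap main
# push all repository tags to the airgap repository
git push --tags airgap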
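
One way to confirm that the push left the air-gapped copy with the same tags, pointing at the same objects, as the origin. This is an added example, not code from F5's repositories; the function name compare_tag_refs and the sample object ids are constructed for illustration, and the inputs are saved git ls-remote --tags listings for the origin and airgap remotes.

```shell
#!/bin/sh
# Added example. Inputs are files holding `git ls-remote --tags <remote>` output,
# one "<object-id><TAB>refs/tags/<name>" line per tag.

# Prints one line per discrepancy and returns non-zero if the air-gapped copy is
# missing a tag, has a tag on a different object, or has a tag the origin lacks.
compare_tag_refs() {
    report=$(awk '
        $2 ~ /\^[{][}]$/ { next }   # ignore peeled entries of annotated tags
        src == "o" { origin[$2] = $1; next }
        { airgap[$2] = $1 }
        END {
            for (r in origin) {
                if (!(r in airgap)) { print "MISSING " r }
                else if (airgap[r] != origin[r]) { print "MISMATCH " r }
            }
            for (r in airgap) if (!(r in origin)) { print "EXTRA " r }
        }' src=o "$1" src=a "$2" | sort)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample data (object ids are made up): v0.9.4 points at a different
# object in the air-gapped copy and v0.9.5 has not been pushed yet.
demo_tag_check() {
    tmp=$(mktemp -d) || return 2
    printf '%s\trefs/tags/%s\n' \
        1111111111111111111111111111111111111111 v0.9.3 \
        2222222222222222222222222222222222222222 v0.9.4 \
        3333333333333333333333333333333333333333 v0.9.5 > "$tmp/origin.txt"
    printf '%s\trefs/tags/%s\n' \
        1111111111111111111111111111111111111111 v0.9.3 \
        aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa v0.9.4 > "$tmp/airgap.txt"
    status=0
    compare_tag_refs "$tmp/origin.txt" "$tmp/airgap.txt" || status=$?
    rm -rf "$tmp"
    return $status
}

# Real use, with the remotes named as on this page:
#   git ls-remote --tags origin > origin.txt
#   git ls-remote --tags airgap > airgap.txt
#   compare_tag_refs origin.txt airgap.txt
demo_tag_check || true
```

A MISMATCH line means a tag name resolves to different content on the two hosts, which is worth investigating before any module consumer pins to that tag.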

Using your air-gapped copy of the modules

  1. Identify the module version to use

This lists all of the tags available in the repository.

git tag

e.g.

0.9.2
v0.9
v0.9.1
v0.9.3
v0.9.4
v0.9.5

  2. Review new versions for environment acceptance

At this point, your organization should perform any acceptance testing of the new tags prior to using them in production environments.

  3. Source reference in Terraform module using git

Unlike using the Terraform Registry, when using git as your module source the version reference is included in the source URL. The source reference is the prefix git:: followed by the remote URL of the airgap repository, followed by ?ref= and finally the tag identified above.

Note: We are referencing the airgap repository, NOT the origin repository.

Note: It is highly recommended to include the version reference in the URL. If the reference is not included in the URL, the latest commit to the default branch will be used at apply time. This means that the results of an apply will be non-deterministic, causing unexpected results, possibly service disruptions.

module "bigip" {
 source = "git::https://github.com/myteamsaccount/localmodulerepo.git?ref=v0.9.3"
 ...
}

Check out Terraform for more detailed configuration requirements
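
The two notes above can be checked mechanically before a plan is run. The script below is an added example, not part of F5's modules or of Terraform: it flags git module sources that point anywhere other than the air-gapped host or that omit ?ref=. The function name check_module_sources and the AIRGAP_PREFIX value are assumptions; registry and local-path sources are not examined.

```shell
#!/bin/sh
# Added example. AIRGAP_PREFIX is an assumption: the git:: URL prefix of your
# internal host (here the placeholder account used on this page).
AIRGAP_PREFIX=${AIRGAP_PREFIX:-git::https://github.com/myteamsaccount/}

# Scans Terraform files for git module sources. Prints "FILE:LINE: PROBLEM source"
# for each source that is off the air-gapped host or lacks a ?ref= pin, and
# returns non-zero if any were found.
check_module_sources() {
    findings=$(awk -v prefix="$AIRGAP_PREFIX" '
        /^[ \t]*source[ \t]*=[ \t]*"/ {
            src = $0
            sub(/^[^"]*"/, "", src); sub(/".*$/, "", src)
            if (src !~ /^git::/) next
            if (index(src, prefix) != 1) {
                print FILENAME ":" FNR ": NOT-AIRGAP " src
            } else if (src !~ /[?&]ref=[^&]+/) {
                print FILENAME ":" FNR ": UNPINNED " src
            }
        }' "$@")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample configuration: one pinned source, one floating source,
# and one that still references the origin repository.
demo_source_check() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/main.tf" <<'EOF'
module "pinned" {
  source = "git::https://github.com/myteamsaccount/localmodulerepo.git?ref=v0.9.3"
}
module "floating" {
  source = "git::https://github.com/myteamsaccount/localmodulerepo.git"
}
module "upstream" {
  source = "git::https://github.com/f5devcentral/terraform-aws-bigip-module.git?ref=v0.9.3"
}
EOF
    status=0
    (cd "$tmp" && check_module_sources main.tf) || status=$?
    rm -rf "$tmp"
    return $status
}

demo_source_check || true
```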


Source reference in Terraform module using a private Terraform registry

If you have an instance of Terraform Enterprise, it's possible to connect the private git repository created above to the [private module registry](https://www.terraform.io/docs/enterprise/admin/module-sharing.html) available in Terraform Enterprise.

module "bigip" {
 source = "privateregistry/modulereference"
 version = "v0.9.3"
 ...
}


Maintaining your air-gapped copy of the modules

  1. On-going maintenance of private repository

Once the repository is established, perform the following actions whenever you want to retrieve the latest versions of the F5 modules. If you have a registry enabled on Terraform Enterprise, it should update automatically when the private repository is updated.

# get the latest from the origin repository, including its tags
git fetch --tags origin
# fast-forward the local main branch to what was just fetched
git merge --ff-only origin/main
# push any changes to the airgap repository
git push airgap main
# push all repository tags to the airgap repository
git push --tags airgap

  2. Review new versions for environment acceptance

When your private repository is updated, do not forget to perform any acceptance testing you need to validate compliance and compatibility with your environment's expectations.

Other references

Installing and running iControl extensions in isolated GCP VPCs

Deploy BIG-IP on GCP with GDM without Internet access

Updated Jun 06, 2023
Version 2.0