Introduction

The purpose of this article is to give a brief overview of the F5 Python SDK. The F5 Python SDK provides a programmatic interface to BIG-IP and its modules. We will cover the basic concepts and definitions of F5 Networks BIG-IP iControl REST interface and how they relate to the SDK in its current state (LTM / core, etc.). We will also demonstrate some calls and then show the current state of AFM in the SDK. As the AFM is not yet developed, we will show one way to build a framework that makes taking the restful JSON endpoints and programmatically iterating to pull additional endpoints.

Concepts

The SDK is an Object model based SDK for the F5 Networks BIG-IP iControl REST interface. The structure of the SDK calls maps to iControl REST:

  http://192.168.1.1/mgmt/tm/ltm/pool/~Common~mypool/members/~Common~m1:80

                  |----|--|---|----|--------------|-------|-------------|

                  |root|OC|OC |Coll| Resource     | SC    |SubColl Resrc|

Organizing Collection:  

An organizing collection is a superset of other collections.  These are not configurable; rather, they contain other submodules which either contain configurable objects (Collection) or are configurable objects (Resource). For example, the ltm or net module listing would be an organizing collection, whereas ltm/pool or net/vlan would be collections. To retrieve either type, you use the get_collection method as shown below, with abbreviated output.

Example:

•   f5.bigip.tm maps to tmsh
•   f5.bigip.tm.sys maps to ‘System’
•   f5.bigip.tm.ltm module maps to ‘Local Traffic’

Collection:  

A collection is similar to an organizing collection in that it is not a configurable object. Unlike an organizing collection, however, a collection only contains references to objects (or resources) of the same type. In the SDK, collection objects are usually plural, while Resource objects are singular. When the Resource object’s corresponding URI is already plural, we append the name of the collection with _s.

Example:

Example: Use f5.bigip.resource.Collection.get_collection() to get a list of the objects in the f5.bigip.tm.ltm.pool collection.

Resource:

A resource is a fully configurable object for which the CURDLE methods are supported. 

 Methods 

Subcollection:

A subcollection is a Collection that’s attached to a higher-level Resource object. Subcollections are almost exactly the same as collections; the exception is that they can only be accessed via the resource they’re attached to (the ‘parent’ resource).

Example:

A pool resource has a members_s subcollection attached to it; you must create or load the ‘parent’ resource (pool) before you can access the subcollection (members_s).

  >>> from f5.bigip import ManagementRoot

  >>> mgmt = ManagementRoot('192.168.1.1', 'myuser', 'mypass')

  >>> pool = mgmt.tm.ltm.pools.pool.load(partition='Common', name='p1')

  >>> members = pool.members_s.get_collection()

Subcollection Resource:

 A subcollection resource is essentially the same as a resource. As with collections and subcollections, the only difference between the two is that you must access the subcollection resource via the subcollection attached to the main resource. 

Example

To build on the subcollection example: pool is the resource, members_s is the subcollection, and members (the actual pool member) is the subcollection resource.

  >>> from f5.bigip import ManagementRoot

  >>> mgmt = ManagementRoot('192.168.1.1', 'myuser', 'mypass')

  >>> pool = mgmt.tm.ltm.pools.pool.load(partition='Common', name='p1')

  >>> member = pool.members_s.members.load(partition='Common', name='n1:80')

REST URIs:

You can directly infer REST URIs from the python expressions, and vice versa.

Examples

• Expression:     mgmt = ManagementRoot('<ip_address>', '<username>', '<password>')
• URI Returned:   [https://%3cip_address%3e/mgmt/]https://<ip_address>/mgmt/
• Expression:     cm = mgmt.cm('<ip_address>', '<username>', '<password>')
• URI Returned:   [https://%3cip_address%3e/mgmt/cm]https://<ip_address>/mgmt/cm
• Expression:     tm = mgmt.tm('<ip_address>', '<username>', '<password>')
• URI Returned:   [https://%3cip_address%3e/mgmt/tm]https://<ip_address>/mgmt/tm
• Expression:     ltm = mgmt.tm.ltm('<ip_address>', '<username>', '<password>')
• URI Returned:   [https://%3cip_address%3e/mgmt/tm/ltm/]https://<ip_address>/mgmt/tm/ltm/
• Expression:     pools1 = mgmt.tm.ltm.pools
• URI Returned:   [https://%3cip_address%3e/mgmt/tm/ltm/pool]https://<ip_address>/mgmt/tm/ltm/pool
• Expression:     pool_a = pools1.create(partition="Common", name="foo")
• URI Returned:   [https://%3cip_address%3e/mgmt/tm/ltm/pool/~Common~foo]https://<ip_address>/mgmt/tm/ltm/pool/~Common~foo

Test the SDK:

Create a Virtual Environment

Here are the steps to set up a Python virtual environment:

1. Install Python. You can download the installer from the official website.
2. Install pip. Python3 usually comes with pip preinstalled. However, if you get an error, you can install it using the following command: 

   python get-pip.py

   .
3. Install virtualenv. You can install it using the following command: 

   pip install virtualenv

   .
4. Create a virtual environment. You can create a virtual environment by specifying the target directory (absolute or relative to the current directory) which is to contain the virtual environment. The create method will either create the environment in the specified directory, or raise an appropriate exception. You can create a virtual environment using the following command: 

   python3 -m venv f5venv

   .
5. Activate the virtual environment by running

   source f5venv/bin/activate

6. Install f5-sdk into the virtual environmet by running

   pip install f5-sdk

    
7. Run the sample script provided below. 

AFM Code Sample

from f5.bigip import ManagementRoot
import requests
import logging
import json
import sys

class objectview(object):
    def __init__(self, d):
        self.__dict__ = d

def bigip():
    return {
        "bigip": "10.155.255.16",
        "rest_url": "https://admin:admin@",
        "rest_user": "admin",
        "rest_pwd": "admin",
        "partition": "Common"
    }

def afm_rest_api():
    policy_name = "restApiDemo"
    rule_name = "restApiDemoRule"
    return {
        "create_policy": "/mgmt/tm/security/firewall/policy",
        "add_rule": "/mgmt/tm/security/firewall/policy/~Common~"+policy_name+"/rules",
        "get_rules": "/mgmt/tm/security/firewall/policy/~Common~"+policy_name+"/rules",
        "change_rule": "/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules/"+rule_name,
        "delete_rule": "/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules/"+rule_name,
        "global_context": "/mgmt/tm/security/firewall/globalRules/",
        "global_rules": "/mgmt/tm/security/firewall/globalRules",
        "delete_policy": "/mgmt/tm/security/firewall/policy/~Common~"+policy_name
    }

def create_firewall_pollcy():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    payload = '''{"name": "restApiDemo"}'''
    logger.info(bip.rest_url + bip.bigip + api.create_policy) 
    resp = requests.post(bip.rest_url + bip.bigip + api.create_policy, headers={'accept': 'application/json','content-type': 'application/json'}, auth=(
         bip.rest_user, bip.rest_pwd), data=payload, verify=False)
    logger.info(resp.text)

def add_rule():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    headers = {'accept': 'application/json','content-type': 'application/json'}
    payload = '''{"name":"restApiDemoRule", "action":"reject", "place-before":"first"}'''
    logger.info(bip.rest_url + bip.bigip + api.add_rule) 
    resp = requests.post(bip.rest_url + bip.bigip + api.add_rule, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), data=payload, verify=False)
    logger.info(resp.text)

def display_rules():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    headers = {'accept': 'application/json','content-type': 'application/json'}
    logger.info(bip.rest_url + bip.bigip + api.add_rule) 
    resp = requests.get(bip.rest_url + bip.bigip + api.get_rules, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), verify=False)
    logger.info(resp.text)

def change_rule():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    headers = {'accept': 'application/json','content-type': 'application/json'}
    payload = '''{"action":"accept"}'''
    logger.info(bip.rest_url + bip.bigip + api.change_rule) 
    resp = requests.patch(bip.rest_url + bip.bigip + api.change_rule, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), data=payload, verify=False)
    logger.info(resp.text)

def delete_rule():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    headers = {'accept': 'application/json','content-type': 'application/json'}
    logger.info(bip.rest_url + bip.bigip + api.delete_rule) 
    resp = requests.delete(bip.rest_url + bip.bigip + api.change_rule, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), verify=False)
    logger.info(resp.text)

def global_context():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    headers = {'accept': 'application/json','content-type': 'application/json'}
    payload = '''{"enforcedPolicy":"restApiDemo"}'''
    logger.info(bip.rest_url + bip.bigip + api.change_rule) 
    resp = requests.patch(bip.rest_url + bip.bigip + api.global_context, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), data=payload, verify=False)
    logger.info(resp.text)

def global_rules():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    headers = {'accept': 'application/json','content-type': 'application/json'}
    logger.info(bip.rest_url + bip.bigip + api.change_rule) 
    resp = requests.get(bip.rest_url + bip.bigip + api.global_rules, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), verify=False)
    logger.info(resp.text)

def delete_policy():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    headers = {'accept': 'application/json','content-type': 'application/json'}
    payload = '''{"enforcedPolicy":""}'''
    logger.info(bip.rest_url + bip.bigip + api.change_rule) 
    resp = requests.patch(bip.rest_url + bip.bigip + api.global_rules, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), data=payload, verify=False)
    resp = requests.delete(bip.rest_url + bip.bigip + api.delete_policy, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), verify=False)
    logger.info(resp.text)

if __name__ == "__main__":
    logger = logging.getLogger(__name__)
    logger.setLevel(logging.INFO)
    formatter = logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s")
    handler = logging.StreamHandler(sys.stdout)
    handler.setFormatter(formatter)
    logger.addHandler(handler)
    command= " ".join( sys.argv[1:] )
    if command == "":
        logger.info("""Examples:"
        python afm_rest_api.py "create_firewall_pollcy()"
        python afm_rest_api.py "add_rule()"
        python afm_rest_api.py "display_rules()"
        python afm_rest_api.py "change_rule()"
        python afm_rest_api.py "delete_rule()"        
        python afm_rest_api.py "global_context()"
        python afm_rest_api.py "global_rules()"
        python afm_rest_api.py "delete_policy()""")        
    else:
        logger.info(command)
        eval(command)