on - edited on by
JimmyPackets
Introduction
IT Industry research, such as Accelerate, shows improving a company's ability to deliver software is critical to their overall success. The following key practices and design principles are cornerstones to that improvement.
- Version control of code and configuration
- Automation of Deployment
- Automation of Testing and Test Data Management
- "Shifting Left" on Security
- Loosely Coupled Architectures
- Pro-active Notification
F5 has published Terraform modules on GitHub.com to help customers adopt deployment automation practices, focused on streamlining instantiation of BIG-IPs on AWS, Azure, and Google. Using these modules allows F5 customers to leverage their embedded knowledge and expertise.
But we have limited access to public resources
Not all customer Terraform automation hosts running the CLI or enterprise products are able to access public internet resources like GitHub.com and the Terraform Registry. The following steps describe how to create and maintain a private air-gapped copy of F5's modules for these secured customer environments.
Creating your air-gapped copy of the modules you need
This example uses a personal GitHub account as an analog for air-gapped targets. So, we can't use the fork feature of github.com to create the copy.
For this approach, we're assuming a workstation that has access to both the source repository host and the target repository host. So, not truly fully air-gapped. We'll show a workflow using
git bundle- Retrieve remote URL for one of the modules at F5's devcentral GitHub account
- Export the remote URL for the source repository
export MODULEGITHUBURL="git@github.com:f5devcentral/terraform-aws-bigip-module.git"
- Create a repository on target air-gapped host
- Follow the appropriate directions for the air-gapped hosted Git (BitBucket, GitLab, GitHub Enterprise, etc.). And, retrieve the remote url for this repository.
- Export the remote URL for the air-gapped repository
Note: The air-gapped repository is still empty at this point.
Note: The example is using github.com, your real-world use will be using your internal git host
export MODULEAIRGAPURL="git@github.com:myteamsaccount/localmodulerepo.git"
- Clone the module source repository
- This example uses F5's module for Azure
git clone $MODULEGITHUBURL
- Add the target repository as an additional remote
Again, we're using F5's AWS module as an example. We're using the remote url exported as
MODULEAIRGAPURLcd terraform-aws-bigip-module git remote add airgap $MODULEAIRGAPURL
- Pass the latest to the air-gapped repository
Note: In the example below we're pushing the
mainmasterNote: Pushing the tags into the airgap repository is critical to version management of the modules.
# get the latest from the origin repository git fetch origin # push any changes to the airgap repository git push airgap main # push all repository tags to the airgap repository git push --tags airgap
Using your air-gapped copy of the modules
- Identify the module version to use
This lists all of the tags available in the repository.
git tag
e.g.
0.9.2 v0.9 v0.9.1 v0.9.3 v0.9.4 v0.9.5
- Review new versions for environment acceptance
At this point, your organization should perform any acceptance testing of the new tags prior to using them in production environments.
- Source reference in Terraform module using git
- Unlike using the Terraform Registry, when using git as your module resource the version reference is included in the source URL. The source reference is the prefix
followed by the remote URL of the airgap repository, followed bygit::
, finally followed by the tag identified in the previous step.?ref=
Note: We are referencing the airgap repository, NOT the origin repository.
Note: It is highly recommended to include the version reference in the URL. If the reference is not included in the URL, the latest commit to the default branch will be used at apply time. This means that the results of an apply will be non-deterministic, causing unexpected results, possibly service disruptions.
module "bigip" {
source = "git::https://github.com/myteamsaccount/localmodulerepo.git?ref=v0.9.3"
...
}
Check out Terraform for more detailed configuration requirements
Source reference in Terraform module using a private Terraform registry
If you have an instance of Terraform Enterprise it's possible to connect the private git repository created above to the [private module registry(https://www.terraform.io/docs/enterprise/admin/module-sharing.html)] available in Terraform Enterprise.
module "bigip" {
source = "privateregistry/modulereference"
version = "v0.9.3"
...
}
Maintaining your air-gapped copy of the modules
- On-going maintenance of private repository
- Once the repository is established, perform the following actions whenever you want to retrieve the latest versions of the F5 modules. If you have a registry enabled on Terraform Enterprise, it should update automatically when the private repository is updated.
# get the latest from the origin repository git fetch origin # push any changes to the airgap repository git push airgap main # push all repository tags to the airgap repository git push --tags airgap
- Review new versions for environment acceptance
- When your private repository is updated, do not forget to perform any acceptance testing you need to validate compliance and compatibility with your environment's expectations.
Other references
Installing and running iControl extensions in isolated GCP VPCs