Forum Discussion

crowe
May 09, 2021

Allow dev team to change iRule status remotely using f5-control or postman

We currently have an f5-control static web page that allows our dev team to check pool member status as well as place the site into maintenance mode. During our promotional sales, we have an iRule in place to redirect traffic to a different pool when the site connections exceed a specific number. The iRule has a simple 0/1 for on/off, as shown below: when it is "set GK_active 1" it will intercept traffic and redirect; when it is "set GK_active 0" it will not.

"when HTTP_REQUEST {
 set GK_active 0"

I would like to be able to give a couple of members of the dev team access to change the state of this iRule, but I'm not sure of the best method without allowing them to log in with full access to the F5 via GUI or tmsh. It would be nice if there was a way to accomplish this using a script via Postman or by adding it as an option in the f5-control static web page.

The web page was set up prior to me joining the team. I haven't found any option to show and allow iRules there, only pool members and statuses of virtual servers.

Would love to get some feedback or some ideas to do this. We do not currently have BIG-IQ for management either; we are only managing directly from the F5s.

Thank you in advance!!!!

3 Replies

  • Hi,

    Not sure if this is a full/useful answer, but here are my two cents: instead of letting them change the iRule, how about you put that variable in a DataGroup and let them change that instead? Purely from a risk perspective, that should reduce the chance of anyone breaking anything in the iRule by accident. You can then do a "class search" lookup to check the value of the variable.

    Possibly better still, you can put the variable in an external data group which may be accessed by a more generic function. You can then possibly also give those users more restrictive access to the system, though it will likely still be too much access.

    Unfortunately, if you want to have their access locked down to only specific objects in specific roles, you indeed would have to go to BIG-IQ.

    • Rob_Stonham

      AlexBCT,

      Could the datagroup be placed in its own partition (/Dev-Access) and the iRule reference the datagroup there? E.g. /Dev-Access/maintenance_datagroup. My understanding is that iRules can access resources in other partitions, so this should work.

      The dev team could then just be given permissions to manage the /Dev-Access partition, and the iRule attached to the live server could be safely left in /Common (or another partition).

      Rob

  • Thanks so much! I hadn’t thought about trying to accomplish it using the data group. I will do some testing with the data groups in our lower environment.
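
The data-group approach suggested in the replies, sketched as an iRule. This is an added example, not code from any poster in the thread. It assumes a string data group at /Dev-Access/maintenance_datagroup with a single record keyed "GK_active" whose value is "0" or "1", and a hypothetical pool name gk_overflow_pool standing in for the redirect target.

```tcl
# Added example, not the original poster's production iRule.
# Assumptions: string data group /Dev-Access/maintenance_datagroup with one
# record, key "GK_active", value "0" or "1"; gk_overflow_pool is hypothetical.
when HTTP_REQUEST {
    # Fail safe: the switch stays off unless the record is exactly "1".
    set GK_active 0

    if { [class exists /Dev-Access/maintenance_datagroup] } {
        # class lookup returns the record's value, or "" if the key is absent.
        set gk_value [class lookup "GK_active" /Dev-Access/maintenance_datagroup]

        if { $gk_value eq "1" } {
            set GK_active 1
        } elseif { $gk_value ne "0" } {
            # The dev team controls this record, so anything other than
            # "0" or "1" is treated as off and logged for the F5 admins.
            # This logs on every request while the value is wrong.
            log local0.warning "GK switch: unexpected value '$gk_value', treating as 0"
        }
    } else {
        log local0.warning "GK switch: /Dev-Access/maintenance_datagroup not found, treating as 0"
    }

    if { $GK_active } {
        # The existing connection-count check and redirect logic goes here.
        pool gk_overflow_pool
    }
}
```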