AS3
54 Topics

AS3 Limitations
Below are some limitations of AS3 as a means of Automation.

Config deployment is locked down by Automation, no manual intervention possible for below use cases
- incidents
- new requirements/features need to wait for automation to be updated
- Automation failures cause deployment to be stalled until automation is fixed
- Operational issues, maybe require out-of-band changes outside of AS3
- Source of truth must be reconciled periodically with F5 device to check for config drift
- 2 layers of failures during config deployment, one is Automation and second is source of truth, therefore involves more troubleshooting effort
- Reliance on an External Source of Truth management, non-native to F5 and not supported by F5
- AS3 is less mature compared to iControl Rest, iControl Rest was introduced in TMOS 11.x

100 Views, 2 likes, 3 Comments

Declaration for loading Cert/PrivKey in Common

Dear F5 enthusiasts,

I want to add a certificate and a private key to my F5 through an AS3 declaration under System > Certificate Management. The certificate must be placed under the /Common partition only, and no path is necessary. The declaration I created looks as follows:

```json
{
  "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json",
  "class": "AS3",
  "action": "deploy",
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.45.0",
    "id": "import-cert",
    "label": "Certificate Import",
    "Common": {
      "class": "Tenant",
      "myCertName": {
        "class": "Certificate",
        "certificate": {
          "base64": "<base64 encoded certificate>"
        },
        "privateKey": {
          "base64": "<base64 encoded private key>"
        }
      }
    }
  }
}
```

But when I POST this declaration to my F5 server I get the following message back:

```json
{
  "code": 422,
  "errors": [
    "/Common: should NOT have additional properties"
  ],
  "message": "declaration is invalid",
  "host": "localhost",
  "tenant": [
    "Common:"
  ],
  "declarationId": "import-cert"
}
```

I tried to find answers but couldn't find anything and I would appreciate help.

Thanks in advance,
Kr Xavier

Solved, 76 Views, 0 likes, 3 Comments

Best Practice to Store AS3 State/Source of Truth ?

What is the best option to store AS3 state? I have seen organisations using the below:

- Terraform state files
- As repos on GitHub/Bitbucket
- NoSQL Databases
- S3 Storage on Amazon

Which one of the above is scalable and best suited to store AS3 state files?

83 Views, 0 likes, 3 Comments

Unable to set 'Session Ticket' attribute in TLS_Server object using AS3

I am currently in the process of migrating our F5 config towards AS3. However, I am currently running into an issue while converting the 'Session Ticket' attribute of our clientssl profiles (TLS_Server in AS3).

While the AS3 Schema reference allows to provide a sessionTickets attribute for TLS_CLIENT objects, there is no such option for TLS_Server objects that I am able to find.

Does anybody know how to set this attribute for SERVER_TLS objects in AS3? Is it just not possible? Is there a different option I need to use with AS3?

Thanks in advance

18 Views, 0 likes, 0 Comments

F5 Per applications AS3 Declarations via Terraform

F5 Per applications AS3 Declarations via Terraform.

Good evening all,

I would like to put together a proof of concept surrounding using Terraform (the client's preferred automation platform) to populate and manage AS3 declarations. I am attempting to follow the following F5 docs page in my lab, and it is not working as I would have expected.

https://clouddocs.f5.com/products/orchestration/terraform/latest/BIG-IP/per-app-as3.html#example2

I have two separate files, as is suggested in the article. One with two applications (app1-2.json) that acts as the baseline for the first push, then a second file (app3.json) with a third application that I would like to ADD to the existing AS3 declaration, leaving my F5 with 3 total applications.

I have one file, main.tf, that looks like the following:

```hcl
resource "bigip_as3" "as3-example" {
  as3_json      = file("app1-2.json")
  tenant_filter = var.tenant
  tenant_name   = "Tenant"
}
```

I use that main.tf file to push the original app1-2 file to produce the initial declaration with two applications. Then, I edit that file to look like:

```hcl
resource "bigip_as3" "as3-example" {
  # as3_json = data.template_file.init.rendered
  as3_json      = file("app3.json")
  tenant_filter = var.tenant
  tenant_name   = "Tenant"
}
```

Since per-application declarations are enabled, I assumed editing this file and applying it would push the third application and leave the other two intact. That is not the case. When I push this edited main.tf file, it edits the existing declaration, deleting app1 and app2 and creating app3.

Can anyone shed some light on how we are supposed to use Terraform in per application deployments? I feel like I have to be missing something silly.

83 Views, 0 likes, 3 Comments

F5 - AS3 - BIGIQ / BIGIP SchemaVersion Misunderstanding

Dear community,

I was wondering about the AS3 version currently used in order to deploy my AS3 on my BIG-IP target through BIG-IQ. BIG-IQ should install this current AS3 version on F5 BIG-IP target when deploying AS3 declaration.

Checking on my BIG-IQ, 3.44.0:

```
curl -sk -H "Content-Type: application/json" -H "X-F5-Auth-Token: $TOKEN" -X GET "https://$BIGIQ/mgmt/shared/appsvcs/info"
{"version":"3.44.0","release":"3","schemaCurrent":"3.44.0","schemaMinimum":"3.0.0"}
```

Checking on my F5 BIG-IP, v 3.44.0:

```
# pwd
/var/config/rest/iapps/f5-appsvcs
# cat version
3.44.0-3
```

My current AS3 declaration (I'm manually forcing schemaVersion) through BIG-IQ:

```
{
  "class": "AS3",
  "action": "patch",
  "schemaVersion": "3.44.0",
  "patchBody": [
    {
      "class": "ADC",
      "schemaVersion": "3.44.0",
      "target": {
        "address": "X.X.X.X"
      },
      "op": "add",
      "path": "/Automation/APP_TEST_1.2.12.140_446",
      "value": {
        "class": "Application",
        "remark": "REFERENCE : NULL_REFERENCE_20241109215237",
        "schemaOverlay": "AS3-F5-HTTPS-PASSTHROUGH-lb-template-big-iq",
        .... etc
}
```

Application Deployment logs from my BIG-IQ:

At the bottom: "schemaVersion": "3.12.0"

I don't understand why it's using this older schemaVersion, it should use the current 3.44.0. Is there any policy on BIG-IQ that can enforce this weird behavior?

```json
{
  "id": "autogen_a4c95a0f-13e3-4078-92c3-3a8e6ea6f10c",
  "class": "ADC",
  "controls": {
    "class": "Controls",
    "userAgent": "BIG-IQ/8.3 Configured by API"
  },
  "Automation": {
    "class": "Tenant",
    "APP_TEST_1.2.12.140_446": {
      "class": "Application",
      "remark": "REFERENCE : NULL_REFERENCE_20241109215237",
      "template": "tcp",
      "serviceMain": {
        "pool": "/Automation/APP_TEST_1.2.12.140_446/HTTPS_443_pool",
        "class": "Service_TCP",
        "enable": true,
        "profileTCP": {
          "use": "/Automation/APP_TEST_1.2.12.140_446/HTTPS_443_tcp_profile"
        },
        "virtualPort": 446,
        "virtualAddresses": [
          "1.2.12.140"
        ],
        "persistenceMethods": [
          "source-address"
        ],
        "profileAnalyticsTcp": {
          "use": "/Automation/APP_TEST_1.2.12.140_446/Analytics_TCP_Profile"
        }
      },
      "HTTPS_443_pool": {
        "class": "Pool",
        "members": [
          {
            "adminState": "enable",
            "shareNodes": true,
            "servicePort": 443,
            "serverAddresses": [
              "1.2.12.13"
            ]
          }
        ],
        "monitors": [
          {
            "use": "/Automation/APP_TEST_1.2.12.140_446/HTTPS_443_monitor"
          }
        ],
        "loadBalancingMode": "least-connections-member"
      },
      "HTTPS_443_monitor": {
        "send": "GET /\r\n",
        "class": "Monitor",
        "receive": "none",
        "targetPort": 443,
        "monitorType": "http",
        "adaptiveWindow": 180,
        "adaptiveLimitMilliseconds": 1000,
        "adaptiveDivergencePercentage": 100
      },
      "Analytics_TCP_Profile": {
        "class": "Analytics_TCP_Profile",
        "collectCity": false,
        "collectRegion": true,
        "collectCountry": true,
        "collectNexthop": false,
        "collectPostCode": false,
        "collectContinent": true,
        "collectRemoteHostIp": false,
        "collectedByClientSide": true,
        "collectedByServerSide": true,
        "collectRemoteHostSubnet": true
      },
      "HTTPS_443_tcp_profile": {
        "class": "TCP_Profile",
        "synMaxRetrans": 3,
        "finWaitTimeout": 5
      }
    }
  },
  "updateMode": "selective",
  "schemaVersion": "3.12.0"
}
```

Thanks in advance for your help!

47 Views, 0 likes, 0 Comments

AS3 no new LTS Version?

The AS3 Support Cycle Document states that end of support for the latest LTS Version 3.46.2 is 31-Oct-2024 and that the next LTS release is on 30-Sep-2024. However, the Release 3.53.0 from 30-Sep-2024 is not present in the AS3 Documentation.

So my question now is if there will be another minor Version like 3.46.1 which then will be the LTS Variant? And if so, when will it be released?

Solved, 43 Views, 0 likes, 1 Comment

Creating External Monitors via AS3

I am trying to create an external monitor via AS3 using a script that exists as part of a GitLab project.

See: https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#monitor-external

F5 provides an example here. Excerpt:

```json
"mNewExternalMonitorFile": {
  "class": "Monitor",
  "monitorType": "external",
  "interval": 5,
  "upInterval": 0,
  "timeUntilUp": 0,
  "timeout": 16,
  "expand": false,
  "script": {
    "url": "https://example.com/monitor.sh"
  },
  "environmentVariables": {
    "USER": "example"
  }
}
```

I am able to do this exact thing with the url portion replaced with a local resource. However, I need to be able to provide authentication/authorization details to the resource. There are other resources in AS3 that use the property Resource_URL. Unfortunately I can't use this because of the way Monitor_External is configured.

Alternatively, is there a way for me to point to the local BigIP "/shared" directory and pull the script from there?

34 Views, 0 likes, 0 Comments