29 July 2020
Manage F5 BIG-IPs in Azure with Terraform Cloud
by Mark J Menger
Introduction
IT Industry research, such as Accelerate, shows improving a company’s ability to deliver software is critical to their overall success. The following key practices and design principles are cornerstones to that improvement.
- Version control of code and configuration
- Automation of Deployment
- Automation of Testing and Test Data Management
- “Shifting Left” on Security
- Loosely Coupled Architectures
- Pro-active Notification
What’s the point
The demonstration resources described below show how tools like Git, HashiCorp Terraform, HashiCorp Sentinel, Chef Inspec and F5’s Automation Toolchain can be used to introduce some of the practices listed above to F5 BIG-IPs and the IT services they help deliver. By following along with the README in the demonstration repository and the video walk-throughs listed below, you should be able to run this demonstration and explore the implications for your own environments.
Caveats
- The particular source control approach shown in this demonstration is one of many. Before using this approach to support your Infrastructure as Code and Configuration Management assets and workflows, you should learn about different patterns of source code management and determine what best fits your team’s needs.
- In addition, these repositories use simplifying demonstration shortcuts for password, key, and network security. Production-ready enterprise designs and workflows should be used in place of these shortcuts.
DO NOT ASSUME THAT THE CODE AND CONFIGURATION IN THESE REPOSITORIES IS PRODUCTION-READY
- A variety of tools are used in this demonstration. In most cases they are not exclusively required and can be replaced with other similar tools.
Setting up your demonstration automation host
Before running the demonstration code, you’ll need to set up the IDE host and the Azure account. Instructions for those steps may be found here
Video walk-throughs
- Fork the repository and open it in Visual Studio Code(1m36s)
Once the tools are installed, you can create your own copy of the repository and open it in your IDE. In the videos, Visual Studio Code is used as the IDE. In order to follow along, you’ll need to create your own repository in order to set up the Terraform Cloud configuration and make your own adjustments to build configuration (e.g. the number of application servers deployed)
- Set up a Terraform Cloud workspace(1m38s)
Before running the Terraform Cloud workflow, a Terraform Cloud workspace is required. This video steps you through manually configuring the workspace and linking it to your cloned repository.
- Programmatically set up Terraform Cloud workspaces for production, test, and development(10m40s)
Setting up the workspaces programmatically has the benefits of rapid consistent results and executable knowledge in the form of scripts and configuration files. In this video we step you through programmatically building workspaces for production, test, and development environments using this repository. We also programmatically configure simple source-controlled compliance Sentinal policies.
- Initial build of production, test, and development(7m59s)
Everything should be ready for the first build of your production, test, and development environments. In this video, we step you through manually triggering Terraform Cloud builds. In addition, we’ll see the impact of Sentinel policies in use, how to override policies that have been triggered, and the audit trail that results.
- Automated testing of production(4m18s)
Once your environment builds have completed, it’s critical to validate that they are fit for use. In this video, we step you through a simple set of tests that validate the readiness of the F5 BIG-IPs built by the Terraform Cloud workflow. These tests are not comprehensive, but demonstrate the benefits of an executable “definition of done.” The source of an updated version of the Inspec tests used in the demonstration is here.
- Manual inspection of production(2m45s)
In this video, we walk through the BIG-IPs that were built in the production environment. We inspect the virtual servers and their associated pools, noting the number of application servers that were built and joined to the pool. We leave it as an exercise for the reader (or possibly an updated video) to look for the WAF deployed with the virtual server. The WAF is retrieved from source control here.
In addition, you can experiment with changing the version of the WAF in the AS3 template in the stanza shown below. Legitimate versions are 0.1.0, 0.1.1, 0.2.0, and 0.2.1. If you choose to do this, follow the same workflow shown in the next video.
"ASM_Policy": {
"class": "WAF_Policy",
"url": "https://github.com/mjmenger/waf-policy/raw/0.1.1/asm_policy.xml",
"ignoreChanges": false
}
- Programmatically add application servers and include them in the BIG-IP virtual server(8m6s)
In this video, we explore the use-case of expanding the pool in the previously built production environment, using a simple change in source control. We’ll see the Terraform Cloud workflow automatically trigger a new build based on a merge commit to your cloned repository. New application servers will be built and automatically added to the pool by F5’s Service Discovery iApp.
What’s next?
If you’ve followed along through the all of the use-cases in the demonstration repository, you’ve see the following:
- Source-controlled build of an application environment
- Managed changes with logging of authoring and approvals
- Automated scaling of application resources and BIG-IP configuration
- Automated updates to BIG-IP WAF policies
If you want to realize the benefits of these practices for your IT service delivery, please reach out to your F5 account team.
tags: big-ip - automation - hashicorp - terraform - devops