Resource Bundling & L4-7 Policies

This template implements a generic mechanism that allows various system resources to be ‘bundled’ within the template and/or loaded dynamically from a URL. This mechanism allows users to deploy the following types of resources:

  • Packaged within template:

    • iRules
    • ASM (Web Application Firewall) Policies
    • APM (Identity & Access Management) Policies

  • Dynamically loaded from URL:

    • iRules
    • ASM Policies
    • APM Policies
    • SSL/TLS Objects:

      • Certificates
      • Keys
      • Certificate Chain/Bundle

The two methods detailed below are NOT mutually exclusive and may be used together without issue.

Bundling

Bundling resources with the template allows a user to create packaged templates for specific use cases. Because resources are packaged as part of the template, this mechanism is appropriate for environments that properly version control the template itself and do not need the ability to load resources dynamically at runtime.

For a step-by-step walkthrough of this process, please refer to Building a Custom Template. The following steps are required to use this functionality:

  1. Download the source tree for the iApp

  2. Install required packages on the build system

  3. Place resources in the appropriate location under the bundled directory

  4. Build the template using the command

    python build.py -nd -a <optional name>
    
  5. Upload the resulting template to the BIG-IP system

Bundled items will now be available to select for deployment via the vs__BundledItems table.

Rows in this table are specified using a <type>:<name> format. Examples are:

  • irule:my_irule
    
  • asm:my_asm_policy
    
  • apm:my_apm_policy
    

With the exception of APM policies, multiple resources of each type can be deployed with each deployment by adding rows to the table.

Dynamic Loading from URL

Dynamic loading of resources allows for a more flexible approach to automated deployment in Continuous Integration/Continuous Deployment environments. This mechanism allows URLs to be specified for resources that are then loaded at runtime from the BIG-IP system. To accomplish this, the vs__BundledItems table is used with a special syntax that specifies the URL of the resource to load:

Syntax                     Description
irule:url=<url>            An iRule resource. The file MUST exist on the remote server.
irule:urloptional=<url>    An OPTIONAL iRule resource. The deployment will continue even if the resource does not exist on the remote server.
asm:url=<url>              An ASM Policy resource. The file MUST exist on the remote server.
apm:url=<url>              An APM Policy resource. The file MUST exist on the remote server. Only one APM resource is supported.

Note

This feature requires network connectivity from the BIG-IP system to the server hosting the remote resources.

Variable substitution is available within the URL string to allow runtime specification of URL components. The variables currently supported are:

Variable       Description
%APP_NAME%     The name of the iApp deployment
%APP_PATH%     The path of the iApp deployment
%PARTITION%    The name of the BIG-IP partition used for deployment
%VS_NAME%      The value of the vs__Name field
%VS_DESCR%     The value of the vs__Description field
%EXT1%         The value of the extensions__Field1 field
%EXT2%         The value of the extensions__Field2 field
%EXT3%         The value of the extensions__Field3 field

For example, if the name of our iApp deployment was my_http_app, providing:

irule:url=https://git.company.com/infra/adc/%APP_NAME%/default_irule.irule

would result in a URL of:

https://git.company.com/infra/adc/my_http_app/default_irule.irule

The same constraints mentioned in Item Bundling apply when loading multiple resources via URLs.
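
Because fields such as vs__Description and extensions__Field1 are substituted into the URL at runtime, it is worth resolving and checking every vs__BundledItems row before a deployment is submitted. The following pre-deployment lint is an added example, not part of the template or of F5's code, and it does not reproduce how the iApp itself performs substitution. The names lint_rows, expand and allowed_hosts are assumptions, as is the policy of requiring https and an allow-listed host.

```python
import re
from urllib.parse import urlsplit

# Variable names and row syntax are taken from the two tables on this page.
SUPPORTED_VARS = set("APP_NAME APP_PATH PARTITION VS_NAME VS_DESCR EXT1 EXT2 EXT3".split())
ROW_RE = re.compile(r"^(irule|asm|apm):(?:(url|urloptional)=(\S+)|([^=\s]+))$")

def expand(url, values):
    """Replace %VAR% tokens; an unknown or unset variable is an error."""
    def sub(match):
        name = match.group(1)
        if name not in SUPPORTED_VARS or name not in values:
            raise ValueError(f"unsupported or unset variable %{name}%")
        return values[name]
    return re.sub(r"%([A-Z][A-Z0-9_]*)%", sub, url)

def lint_rows(rows, values, allowed_hosts):
    """Return (resolved, findings) for a list of vs__BundledItems rows."""
    resolved, findings = [], []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            findings.append(f"{row}: not <type>:<name> or <type>:url=<url>")
            continue
        rtype, mode, url, name = m.groups()
        if mode is None:  # bundled item: nothing is fetched at runtime
            resolved.append((rtype, name))
            continue
        problems = []
        if mode == "urloptional" and rtype != "irule":
            problems.append("urloptional is only documented for irule")
        try:
            final = expand(url, values)
            parts = urlsplit(final)
            checks = [(parts.scheme != "https", "not fetched over https"),
                      (parts.hostname not in allowed_hosts, "host is not allow-listed"),
                      (".." in parts.path.split("/"), "'..' in the expanded path")]
            problems += [msg for bad, msg in checks if bad]
        except ValueError as exc:
            problems.append(str(exc))
        findings += [f"{row}: {p}" for p in problems]
        if not problems:
            resolved.append((rtype, final))
    if sum(r.startswith("apm:") for r in rows) > 1:
        findings.append("more than one APM resource (only one is supported)")
    return resolved, findings

if __name__ == "__main__":  # constructed sample: the page's own URL example
    row = "irule:url=https://git.company.com/infra/adc/%APP_NAME%/default_irule.irule"
    print(lint_rows([row], {"APP_NAME": "my_http_app"}, {"git.company.com"}))
```

Running the lint in the CI job that generates the deployment keeps a row that resolves to an unexpected host or path from ever reaching the BIG-IP system.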

Referencing Bundled Policies

In the case of ASM and APM policies, the mechanism used by the postdeploy_bundler only CREATES the resources on the system. To utilize the resource you must cross-reference it in the appropriate presentation layer fields.

APM Policy

To use a policy deployed via the bundler you must specify the value use-bundled in the vs__ProfileAccess field. The postdeploy_bundler will then associate the APM policy with the Virtual Server automatically.

An example is provided in IAM/APM Policy Deployment.

ASM Policies

To use an ASM policy deployed via the bundler you must create an L7 policy that references the resource name as a target. The format for the name is bundled:<resource name> and it must be specified as a value for a Parameter in the L7 Policy Action table. An example of this can be found in WAF/ASM Policy Deployment.
