Resource Bundling & L4-7 Policies¶
This template implements a generic mechanism that allows various system resources to be ‘bundled’ within the template and/or loading dynamically from a URL. This mechanism allows users to deploy the following types of resources:
Packaged within template:
- iRules
- ASM (Web Application Firewall) Policies
- APM (Identity & Access Management) Policies
Dynamically loaded from URL:
ASM Policies
APM Policies
SSL/TLS Objects:
- Certificates
- Keys
- Certificate Chain/Bundle
The two methods detailed below are NOT mutually exclusive and may be used together without issue.
Bundling
Bundling resources with the template allows a user to create packaged templates for specific use cases. Because resources are packaged as part of the template this mechanism is appropriate for environments that properly version control the template itself and do not need the ability to load resources dynamically at runtime.
For a step-by-step walk through on this process please refer to Building a Custom Template. The following steps are required to use this functionality:
Download the source tree for the iApp
Install required packages on the build system
Place resources in the appropriate location under the bundled directory
Build the template using the command
python build.py -nd -a <optional name>
Upload the resulting template to the BIG-IP system
Bundled items will now be available to select for deployment via the vs__BundledItems table.
Row in this table are specified using a
<type>:<name>
format. Examples are:
irule:my_irule
asm:my_asm_policy
apm:my_apm_policy
With the exception of APM policies multiple resources of each type can be deployed with each deployment by adding rows to the table.
Dynamic Loading from URL
Dynamic loading of resources allows for a more flexible approach to automated deployment in Continuous Integration/Continuous Deployment environments. This mechanism allows URLs to be specified for resources that are then loaded at runtime from the BIG-IP system. To accomplish this the vs__BundledItems table is used with a special syntax that specifies the URL of the resource to load:
Synt ax | Description |
---|---|
i
rule :url =<ur l> |
An iRule resource. The file MUST exist on the remote server |
i
rule :url opti onal =<ur l> |
An OPTIONAL iRule resource. The deployment will continue even if the resource does not exist on the remote server |
a
sm:u rl=< url> |
An ASM Policy resource. The file MUST exist on the remote server |
a
pm:u rl=< url> |
An APM Policy resource. The file MUST exist on the remote server. Only one APM resource is supported. |
Note
This feature requires network connectivity from the BIG-IP system to the server hosting the remote resources.
Variable substitution is available within the URL string to allow runtime specification of URL components. The variables currently supported are:
Vari able | Description |
---|---|
%APP _NAM E% | The name of the iApp deployment |
%APP _PAT H% | The path of the iApp deployment |
%PAR TITI ON% | The name of the BIG-IP partition used for deployment |
%VS_ NAME % | The value of the vs__Name field |
%VS_ DESC R% | The value of the vs__Description field |
%EXT 1% | The value of the extensions__Field1 field |
%EXT 2% | The value of the extensions__Field2 field |
%EXT 3% | The value of the extensions__Field3 field |
For example, if the name of our iApp deployment was
my_http_app
providing:
irule:url=https://git.company.com/infra/adc/%APP_NAME%/default_irule.irule
Would result in a URL of:
https://git.company.com/infra/adc/my_http_app/default_irule.irule
The same constraints mentioned in Item Bundling apply when loading multiple resources via URLs
Referencing Bundled Policies
In the case of ASM and APM policies, the mechanism used by the postdeploy_bundler only CREATES the resources on the system. To utilize the resource you must cross-reference it in the appropriate presentation layer fields.
APM Policy
To use a policy deployed via the bundler you must specify the value
use-bundled
in the vs__ProfileAccess field. The postdeploy_bundler will then associate the APM policy with the Virtual Server automatically.
An example is provided in IAM/APM Policy Deployment
ASM Policies
To use an ASM policy deployed via the bundler you must create a L7 policy that references the resource name as a target. The format for the name is
bundled:<resource name>
and it must be specified as a value for a Parameter in the L7 Policy Action table. An example of this can be found in WAF/ASM Policy Deployment
The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.