Deploy Configuration to Access Devices

Overview

Access groups help synchronize Access policies across multiple devices. The devices that need a common set of Access policies must be added to the Access group in order to have a synchronized configuration. This document describes the necessary APIs and steps needed to deploy an Access group configuration to devices in an Access group.

Prerequisites

To deploy an Access group configuration for devices in an Access group, the following prerequisites must be met.

  • The BIG-IQ system is operational, has completed the setup, and has all the system level configurations in place.
  • An Access group is created with zero or more devices.
  • Users have the necessary RBAC permissions to the “Access Deployer” & “Local Traffic and Network Deployer” roles in order to deploy the configuration to the devices.

Required Information

In addition to the prerequisites, the user must provide the following information for adding the device to an Access group.

  • An Access group Name.
  • The BIG-IP device reference for devices in the BIG-IQ system.

Actions

Using the BIG-IQ API, the user can perform the following actions to collect the necessary information and reimport the device-specific configuration for one or more devices in an Access group.

  • List of Access BIG-IP devices.
  • Deploy an Access group configuration to devices in an Access group by initiating and monitoring the “Access Deploy Configuration” task.

List Access BIG-IP devices

To list existing BIG-IP devices discovered in the BIG-IQ system, users must use the “Access All BIG-IP Devices” API. This API lists all BIG-IP devices where Access configurations are imported. Any device that has the “properties/cm-access-allBigIpDevices/cm:access:access-group-name” : “<access_group_name>” belongs to the <access_group_name> Access group.

GET  https://<management_ip>/mgmt/shared/resolver/device-groups/cm-access-allBigIpDevices/devices

Response

{
        "items": [
                {
                        "address": "<device_ip_address>",
                        "build": "0.0.1843",
                        "deviceUri": "https://<device_ip_address>:<device_https_port_default_443>",
                        "edition": "Final",
                        "groupName": "cm-access-allBigIpDevices",
                        "hostname": "<device_host_name>",
                        "httpsPort": <device_https_port_default_443>,
                        "isClustered": false,
                        "isLicenseExpired": false,
                        "isVirtual": true,
                        "machineId": "77dab84d-4fab-498a-83d2-7c839b095229",
                        "managementAddress": "<device_management_ip>",
                        "mcpDeviceName": "/Common/<device_name>",
                        "product": "BIG-IP",
                        "properties": {
                                "discovered": true,
                                "imported": true,
                                "supportsIncrementalDiscovery": true,
                                "lastDiscoveredDateTime": "2018-02-08T13:55:01.789Z",
                                "lastUserDiscoveredDateTime": "2018-02-08T13:34:42.780Z",
                                "cm:access:access-group-name": "<access_group_name>",
                                "cm:access:swg-provisioned": true,
                                "cm:access:access-group-device-link": "https://localhost/mgmt/shared/resolver/device-groups/<device_group_name>/devices/77dab84d-4fab-498a-83d2-7c839b095229",
                                "cm:access:import-version": "13.1.0",
                                "cm:access:access-group-link": "https://localhost/mgmt/shared/resolver/device-groups/<access_group_name>",
                                "importedDateTime": "2018-02-08T13:35:05.069Z",
                                "importStatus": "FINISHED",
                                "discoveryStatus": "FINISHED"
                        },
                        "restFrameworkVersion": "13.1.0-0.0.1843",
                        "selfLink": "https://localhost/mgmt/shared/resolver/device-groups/cm-access-allBigIpDevices/devices/77dab84d-4fab-498a-83d2-7c839b095229",
                        "slots": [
                        ],
                        "state": "ACTIVE",
                        "trustDomainGuid": "ca44652e-43c4-4f46-8b97005056b0a86c",
                        "uuid": "77dab84d-4fab-498a-83d2-7c839b095229",
                        "version": "13.1.0"
                }
        ],
        "kind": "shared:resolver:device-groups:devicegroupdevicecollectionstate",
        "selfLink": "https://localhost/mgmt/shared/resolver/device-groups/cm-access-allBigIpDevices/devices"
}

Initiate and monitor the “Access Deploy Configuration” task to deploy an Access group configuration to devices in an Access group

Set the following flags in the request body:

  1. Set the skipDistribution flag to false. If this flag is set to true, the deploy task pauses at the EVALUATE step, and the task must be restarted.
  2. Set disableUnusedObjectRemoval to true. If this flag is false, any objects not used in a device are removed from the device.
  3. Set subDeploy to true to deploy Access-used LTM objects such as pool, snat pool, virtual server, and server ssl profiles.

POST  https://<management_ip>/mgmt/cm/access/tasks/super-deploy
{
        "name" : "deploy_access_group_configuration_to_devices",
        "deviceReferences": [{"link":"https://localhost/mgmt/shared/resolver/device-groups/cm-access-allBigIpDevices/devices/77dab84d-4fab-498a-83d2-7c839b095229"}],
        "skipDistribution": false,
        "subDeploy": true,
        "disableUnusedObjectRemoval": true,
        "deviceGroupReference": {"link":"https://localhost/mgmt/shared/resolver/device-groups/<access_group_name>"}
}

Response

{
        "subDeploy": true,
        "disableUnusedObjectRemoval": true,
        "skipDistribution": false,
        "deviceReferences": [
                {
                        "link": "https://localhost/mgmt/shared/resolver/device-groups/cm-access-allBigIpDevices/devices/77dab84d-4fab-498a-83d2-7c839b095229"
                }
        ],
        "deviceGroupReference": {
                "link": "https://localhost/mgmt/shared/resolver/device-groups/<access_group_name>"
        },
        "id": "0073c9b8-c711-4968-a958-f422f7120402",
        "status": "STARTED",
        "name": "deploy_access_group_configuration_to_devices",
        "userReference": {
                "link": "https://localhost/mgmt/shared/authz/users/admin"
        },
        "identityReferences": [
                {
                        "link": "https://localhost/mgmt/shared/authz/users/admin"
                }
        ],
        "ownerMachineId": "30f43266-b545-4ac8-b64e-d524d2e13730",
        "taskWorkerGeneration": 1,
        "generation": 1,
        "lastUpdateMicros": 1518121703245530,
        "kind": "cm:access:tasks:super-deploy:superdeployconfigtaskstate",
        "selfLink": "https://localhost/mgmt/cm/access/tasks/super-deploy/0073c9b8-c711-4968-a958-f422f7120402"
}

Poll for the status of the task until it changes to FINISHED or FAILED.

GET  https://<management_ip>/mgmt/cm/access/tasks/super-deploy/<task_id>

Response

{
        "currentStep": "WAIT_FOR_EVALUATE_MAIN",
        "deployTaskReference": {
                "link": "https://localhost/mgmt/cm/access/tasks/deploy-configuration/99703190-1fee-42f2-a798-de9adaddbf40"
        },
        "deviceGroupReference": {
                "link": "https://localhost/mgmt/shared/resolver/device-groups/<access_group_name>"
        },
        "deviceReferences": [
                {
                        "link": "https://localhost/mgmt/shared/resolver/device-groups/cm-access-allBigIpDevices/devices/77dab84d-4fab-498a-83d2-7c839b095229"
                }
        ],
        "disableUnusedObjectRemoval": true,
        "id": "0073c9b8-c711-4968-a958-f422f7120402",
        "identityReferences": [
                {
                        "link": "https://localhost/mgmt/shared/authz/users/admin"
                }
        ],
        "kind": "cm:access:tasks:super-deploy:superdeployconfigtaskstate",
        "mainModule": {
                "module": "access",
                "status": "STARTED"
        },
        "name": "deploy_access_group_configuration_to_devices",
        "ownerMachineId": "30f43266-b545-4ac8-b64e-d524d2e13730",
        "selfLink": "https://localhost/mgmt/cm/access/tasks/super-deploy/0073c9b8-c711-4968-a958-f422f7120402",
        "skipDistribution": false,
        "startDateTime": "2018-02-08T12:28:23.279-0800",
        "status": "STARTED",
        "subDeploy": true,
        "subModule": {
                "module": "adc_core"
        },
        "userReference": {
                "link": "https://localhost/mgmt/shared/authz/users/admin"
        },
        "username": "admin"
}

GET  https://<management_ip>/mgmt/cm/access/tasks/super-deploy/<task_id>

Response

{
        "currentStep": "DONE",
        "deployDeviceErrors": [],
        "deployTaskReference": {
                "link": "https://localhost/mgmt/cm/access/tasks/deploy-configuration/99703190-1fee-42f2-a798-de9adaddbf40"
        },
        "deviceGroupReference": {
                "link": "https://localhost/mgmt/shared/resolver/device-groups/<access_group_name>"
        },
        "deviceReferences": [
                {
                        "link": "https://localhost/mgmt/shared/resolver/device-groups/cm-access-allBigIpDevices/devices/77dab84d-4fab-498a-83d2-7c839b095229"
                }
        ],
        "disableUnusedObjectRemoval": true,
        "endDateTime": "2018-02-08T12:29:38.305-0800",
        "generation": 17,
        "id": "0073c9b8-c711-4968-a958-f422f7120402",
        "identityReferences": [
                {
                        "link": "https://localhost/mgmt/shared/authz/users/admin"
                }
        ],
        "kind": "cm:access:tasks:super-deploy:superdeployconfigtaskstate",
        "lastUpdateMicros": 1518121778356473,
        "mainModule": {
                "module": "access",
                "status": "FINISHED",
                "startTime": "2018-02-08T20:29:16.076Z",
                "endTime": "2018-02-08T20:29:37.299Z"
        },
        "name": "deploy_access_group_configuration_to_devices",
        "ownerMachineId": "30f43266-b545-4ac8-b64e-d524d2e13730",
        "selfLink": "https://localhost/mgmt/cm/access/tasks/super-deploy/0073c9b8-c711-4968-a958-f422f7120402",
        "skipDistribution": false,
        "startDateTime": "2018-02-08T12:28:23.279-0800",
        "status": "FINISHED",
        "subDeploy": true,
        "subDeployTaskReference": {
                "link": "https://localhost/mgmt/cm/adc-core/tasks/deploy-configuration/3a66e610-b60f-444f-b651-b74b6ae4ee25"
        },
        "subModule": {
                "module": "adc_core",
                "status": "FINISHED",
                "startTime": "2018-02-08T20:29:11.436Z",
                "endTime": "2018-02-08T20:29:14.734Z"
        },
        "subObjectsTaskReference": {
                "link": "https://localhost/mgmt/cm/access/tasks/resolve-cross-module-references/3f38c488-4402-4ec9-9838-77df308c3bef"
        },
        "userReference": {
                "link": "https://localhost/mgmt/shared/authz/users/admin"
        },
        "username": "admin"
}

Result

By using the BIG-IQ API to perform the above tasks, users can write a script for deploying an Access group configuration to devices in an Access group.
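
The sequence above (list devices, filter by Access group, start the super-deploy task, poll to FINISHED or FAILED) as an added example that is not part of the original documentation. The `request(method, path, body)` callable is an assumed authenticated HTTPS client supplied by the caller, and `fake_bigiq`, `group_a`, `group_b` and `other-device` are constructed stand-ins so the script runs offline.

```python
import time

ALL_DEVICES = "/mgmt/shared/resolver/device-groups/cm-access-allBigIpDevices/devices"
SUPER_DEPLOY = "/mgmt/cm/access/tasks/super-deploy"
GROUPS = "https://localhost/mgmt/shared/resolver/device-groups/"

def devices_in_group(items, group):
    """selfLinks of devices whose properties name the given Access group."""
    return [d["selfLink"] for d in items
            if d.get("properties", {}).get("cm:access:access-group-name") == group]

def build_payload(name, group, links):
    if not links:  # refuse to start a deploy that targets nothing
        raise ValueError(f"no devices found in Access group {group!r}")
    return {"name": name,
            "deviceReferences": [{"link": link} for link in links],
            "skipDistribution": False,           # true would pause at EVALUATE
            "subDeploy": True,                   # also deploy Access-used LTM objects
            "disableUnusedObjectRemoval": True,  # false would remove unused objects
            "deviceGroupReference": {"link": GROUPS + group}}

def deploy(request, name, group, interval=5.0, timeout=600.0):
    """request(method, path, body=None) -> dict is an assumed authenticated client."""
    links = devices_in_group(request("GET", ALL_DEVICES)["items"], group)
    task = request("POST", SUPER_DEPLOY, build_payload(name, group, links))
    deadline = time.monotonic() + timeout
    while task["status"] not in ("FINISHED", "FAILED"):
        if time.monotonic() > deadline:
            raise TimeoutError(f"task {task['id']} still {task['status']}")
        time.sleep(interval)
        task = request("GET", f"{SUPER_DEPLOY}/{task['id']}")
    if task["status"] == "FAILED" or task.get("deployDeviceErrors"):
        raise RuntimeError(f"deploy failed: {task.get('deployDeviceErrors')}")
    return task

def fake_bigiq(final="FINISHED"):
    """Constructed in-memory stand-in for BIG-IQ so the example runs offline."""
    dev = lambda uid, grp: {"selfLink": f"https://localhost{ALL_DEVICES}/{uid}",
                            "properties": {"cm:access:access-group-name": grp}}
    items = [dev("77dab84d-4fab-498a-83d2-7c839b095229", "group_a"), dev("other-device", "group_b")]
    statuses, sent = iter(["STARTED", final]), []
    def request(method, path, body=None):
        sent.append((method, path, body))
        if path == ALL_DEVICES:
            return {"items": items}
        if method == "POST":
            return {**body, "id": "0073c9b8-c711-4968-a958-f422f7120402", "status": "STARTED"}
        return {"id": path.rsplit("/", 1)[1], "status": next(statuses)}
    return request, sent
```

Filtering on the group name before posting keeps the deploy scoped to the intended devices, and the timeout stops the poll loop from running indefinitely if the task never reaches a terminal state.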