AWS¶
This Terraform module deploys N-NIC F5 BIG-IP in AWS cloud. You can deploy multiple instances of BIG-IP with the module count feature.
Prerequisites¶
The templates below are tested on Terraform v0.13.0 and v0.14.0:
- provider registry.terraform.io/hashicorp/aws v3.8.0
- provider registry.terraform.io/hashicorp/random v2.3.0
- provider registry.terraform.io/hashicorp/template v2.1.2
- provider registry.terraform.io/hashicorp/null v2.1.2
BIG-IP version | Terraform v0.13 | Terraform v0.14 |
---|---|---|
BIG-IP 16.x | X | X |
BIG-IP 15.x | X | X |
BIG-IP 14.x | X | X |
BIG-IP 13.x | X | X |
Password Management¶
By default, the BIG-IP module dynamically generates passwords.
cat terraform-aws-bigip-module/variables.tf
variable aws_secretmanager_auth {
description = "Whether to use key vault to pass authentication"
type = bool
default = false
}
Outputs:
bigip_password = [
"xxxxxxxxxxxxxxxxxx",
]
To use AWS secret manager password, you must enable the variable aws_secretmanager_auth
to true
and supply the secret name to variable aws_secretmanager_secret_id
.
cat terraform-aws-bigip-module/variables.tf
variable aws_secretmanager_auth {
description = "Whether to use key vault to pass authentication"
type = bool
default = true
}
variable aws_secretmanager_secret_id {
description = "AWS Secret Manager Secret ID that stores the BIG-IP password"
type = string
default = "tf-aws-bigip-bigip-secret-9759"
}
Outputs:
bigip_password = [
"xxxxxxxxxxxxxxx",
]
Example Usage¶
There should be one-to-one mapping between subnet_ids and securitygroup_ids. For example if you have two or more external subnet_ids, you must give the same number of external securitygroup_ids to the module.
Users can have dynamic or static private IP allocation. If the primary/secondary private IP value is null, it will be dynamic or else static private IP allocation. With Static private IP allocation, you can assign primary and secondary private IPs for external interfaces, whereas the primary private IP is for management and internal interfaces.
If you are using static private IP allocation, you cannot use module count because the same private IPs will be allocated to multiple BIG-IP instances based on the module count.
With Dynamic Private IP Allocation, you must pass null value to primary/secondary private IP declaration and module count will be supported.
Note
Sometimes the given static primary and secondary private IPs may get exchanged. This limitation is present in AWS.
#
#Example of 1-NIC Deployment Module usage
#
module bigip {
count = var.instance_count
source = "../../"
prefix = "bigip-aws-1nic"
ec2_key_name = aws_key_pair.generated_key.key_name
mgmt_subnet_ids = [{ "subnet_id" = "subnet_id_mgmt", "public_ip" = true, "private_ip_primary" = ""}]
mgmt_securitygroup_ids = ["securitygroup_id_mgmt"]
}
#
#Example of 2-NIC Deployment Module usage
#
module bigip {
count = var.instance_count
source = "../../"
prefix = "bigip-aws-2nic"
ec2_key_name = aws_key_pair.generated_key.key_name
mgmt_subnet_ids = [{ "subnet_id" = "subnet_id_mgmt", "public_ip" = true, "private_ip_primary" = ""}]
mgmt_securitygroup_ids = ["securitygroup_id_mgmt"]
external_subnet_ids = [{ "subnet_id" = "subnet_id_external", "public_ip" = true, "private_ip_primary" = "", "private_ip_secondary" = ""}]
external_securitygroup_ids = ["securitygroup_id_external"]
}
#
#Example of 3-NIC Deployment Module usage
#
module bigip {
count = var.instance_count
source = "../../"
prefix = "bigip-aws-3nic"
ec2_key_name = aws_key_pair.generated_key.key_name
mgmt_subnet_ids = [{ "subnet_id" = "subnet_id_mgmt", "public_ip" = true, "private_ip_primary" = ""}]
mgmt_securitygroup_ids = ["securitygroup_id_mgmt"]
external_subnet_ids = [{ "subnet_id" = "subnet_id_external", "public_ip" = true, "private_ip_primary" = "", "private_ip_secondary" = ""}]
external_securitygroup_ids = ["securitygroup_id_external"]
internal_subnet_ids = [{"subnet_id" = "subnet_id_internal", "public_ip"=false, "private_ip_primary" = ""}]
internal_securitygroup_ids = ["securitygropu_id_internal"]
}
#
#Example of 4-NIC Deployment Module usage with two external public interfaces, one management and internal interface. There should be one-to-one mapping between subnet_ids and securitygroup_ids).
#
module bigip {
count = var.instance_count
source = "../../"
prefix = "bigip-aws-4nic"
ec2_key_name = aws_key_pair.generated_key.key_name
mgmt_subnet_ids = [{ "subnet_id" = "subnet_id_mgmt", "public_ip" = true }]
mgmt_securitygroup_ids = ["securitygroup_id_mgmt"]
external_subnet_ids = [{ "subnet_id" = "subnet_id_external", "public_ip" = true },{"subnet_id" = "subnet_id_external2", "public_ip" = true }]
external_securitygroup_ids = ["securitygroup_id_external","securitygroup_id_external"]
internal_subnet_ids = [{"subnet_id" = "subnet_id_internal", "public_ip"=false }]
internal_securitygroup_ids = ["securitygropu_id_internal"]
}
Similarly, you can have N-NIC deployments based on user-provided subnet_ids and securitygroup_ids. With module count, you can deploy multiple BIG-IP instances in the AWS cloud (with the default value of 1).
Example of 3-NIC Deployment with static private ip allocation
module bigip {
source = "../../"
count = var.instance_count
prefix = format("%s-3nic", var.prefix)
ec2_key_name = aws_key_pair.generated_key.key_name
aws_secretmanager_secret_id = aws_secretsmanager_secret.bigip.id
mgmt_subnet_ids = [{ "subnet_id" = aws_subnet.mgmt.id, "public_ip" = true, "private_ip_primary" = "10.0.1.4"}]
mgmt_securitygroup_ids = [module.mgmt-network-security-group.this_security_group_id]
external_securitygroup_ids = [module.external-network-security-group-public.this_security_group_id]
internal_securitygroup_ids = [module.internal-network-security-group-public.this_security_group_id]
external_subnet_ids = [{ "subnet_id" = aws_subnet.external-public.id, "public_ip" = true, "private_ip_primary" = "10.0.2.4", "private_ip_secondary" = "10.0.2.5"}]
internal_subnet_ids = [{ "subnet_id" = aws_subnet.internal.id, "public_ip" = false, "private_ip_primary" = "10.0.3.4"}]
}
InSpec Tool¶
The BIG-IP Automation Toolchain InSpec Profile is used for testing the readiness of Automation Tool Chain (ATC) components. After module deployment, you can use the InSpec tool to verify BIG-IP connectivity with ATC components.
This InSpec profile evaluates the following:
- Basic connectivity to a BIG-IP management endpoint:
bigip-connectivity
- Availability of the Declarative Onboarding (DO) service:
bigip-declarative-onboarding
- Version reported by the Declarative Onboarding (DO) service:
bigip-declarative-onboarding-version
- Availability of the Application Services (AS3) service:
bigip-application-services
- Version reported by the Application Services (AS3) service:
bigip-application-services-version
- Availability of the Telemetry Streaming (TS) service:
bigip-telemetry-streaming
- Version reported by the Telemetry Streaming (TS) service:
bigip-telemetry-streaming-version
- Availability of the Cloud Failover Extension (CFE) service:
bigip-cloud-failover-extension
- Version reported by the Cloud Failover Extension (CFE) service:
bigip-cloud-failover-extension-version
To run InSpec tests, you can either run the inspec exec command or execute runtests.sh in any one of example NIC folders which will run below the inspec command. For example:
inspec exec inspec/bigip-ready --input bigip_address=$BIGIP_MGMT_IP bigip_port=$BIGIP_MGMT_PORT user=$BIGIP_USER password=$BIGIP_PASSWORD do_version=$DO_VERSION as3_version=$AS3_VERSION ts_version=$TS_VERSION fast_version=$FAST_VERSION cfe_version=$CFE_VERSION
Required and Optional Input Variables¶
Required variables must be set in the module block when using this module. Optional variables have default values and do not need to be set to use this module. You may set these variables to override their default values.
Note
For each external interface there will be one primary, secondary private IP will be assigned.
Output Variables¶
Parameter | Description/Notes |
---|---|
mgmtPublicIP | The actual IP address allocated for the resource. |
mgmtPublicDNS | FQDN to connect to the first VM provisioned. |
mgmtPort | The Mgmt Port. |
f5_username | BIG-IP username. |
bigip_password | The BIG-IP Password. If dynamic_password is selected, then it will be a randomly generated password. If aws_secretmanager_auth is selected, then it will be an aws_secretsmanager_secret_version secret string. |
private_addresses | List of BIG-IP private addresses. |
public_addresses | List of BIG-IP public addresses. |
Note
A local json file that contains the DO declaration will be generated.