Commit 42a16f8f authored by Michael Kennedy's avatar Michael Kennedy 🎱

initial sgw

parent e6586c76
+177 −0
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.13.0",
    "id": "123abc",
    "label": "Sample 1",
    "remark": "HTTPS with predictive-node pool",
    "Sample_01": {
      "class": "Tenant",
      "A1": {
        "class": "Application",
        "template": "https",
        "serviceMain": {
          "class": "Service_HTTPS",
          "virtualPort": 8443,
          "virtualAddresses": [
	      "0.0.0.0"
	  ],
          "securityLogProfiles": [
              {
                "bigip": "/Common/Log all requests"
              },
              {
                "use": "telemetry_security_log_profile"
              }
          ],
          "snat": "auto",
          "pool": "web_pool",
          "policyWAF": {
            "use": "My_ASM_Policy"
          },
          "serverTLS": "webtls",
          "profileTrafficLog": {
          "use": "telemetry_traffic_log_profile"
          }
        },
        "My_ASM_Policy": {
          "class": "WAF_Policy",
          "url": "https://raw.githubusercontent.com/garyluf5/f5tools/master/asm-policies/asm-policy-linux-medium.xml",
          "ignoreChanges": true
        },
        "web_pool": {
          "class": "Pool",
	  "monitors": [
            "tcp"
          ],
          "members": [
	    {
              "servicePort": 80,
	      "serverAddresses": [
	          "${backendvm_ip}"
	      ]
	    }
	  ]
        },
        "telemetry": {
          "class": "Pool",
          "members": [
            {
              "enable": true,
              "serverAddresses": [
                "255.255.255.254"
              ],
              "servicePort": 6514
            }
          ],
          "monitors": [
            {
              "bigip": "/Common/tcp"
            }
          ]
        },
        "telemetry_local_pool": {
          "class": "Pool",
          "monitors": [{
            "bigip": "/Common/tcp"
          }],
          "members": [
            {
              "servicePort": 6514,
              "serverAddresses": [
                "255.255.255.254"
              ]
            }
          ]
        },
        "telemetry_local_rule": {
        	"remark": "Only required when TS is a local listener",
        	"class": "iRule",
        	"iRule": "when CLIENT_ACCEPTED {\n  node 127.0.0.1 6514\n}"
        },
        "telemetry_local": {
        	"remark": "Only required when TS is a local listener",
          "class": "Service_TCP",
          "virtualAddresses": [
            "255.255.255.254"
          ],
          "virtualPort": 6514,
          "iRules": [
          "telemetry_local_rule"
          ]
        },
        "telemetry_hsl": {
          "class": "Log_Destination",
          "type": "remote-high-speed-log",
          "protocol": "tcp",
          "pool": {
            "use": "telemetry"
          }
        },
        "telemetry_formatted": {
          "class": "Log_Destination",
          "type": "splunk",
          "forwardTo": {
            "use": "telemetry_hsl"
          }
        },
        "telemetry_publisher": {
          "class": "Log_Publisher",
          "destinations": [
            {
              "use": "telemetry_formatted"
            }
          ]
        },
        "telemetry_traffic_log_profile": {
          "class": "Traffic_Log_Profile",
          "requestSettings": {
            "requestEnabled": true,
            "requestProtocol": "mds-tcp",   
            "requestPool": {
            	"use": "telemetry_local_pool"
            },
            "requestTemplate": "event_source=\"request_logging\",hostname=\"$BIGIP_HOSTNAME\",client_ip=\"$CLIENT_IP\",server_ip=\"$SERVER_IP\",http_method=\"$HTTP_METHOD\",http_uri=\"$HTTP_URI\",virtual_name=\"$VIRTUAL_NAME\",event_timestamp=\"$DATE_HTTP\""
          }
        },
        "telemetry_security_log_profile": {
          "class": "Security_Log_Profile",
          "application": {
            "localStorage": false,
            "remoteStorage": "splunk",
            "protocol": "tcp",
            "servers": [
              {
                "address": "255.255.255.254",
                "port": "6514"
              }
            ],
            "storageFilter": {
            "requestType": "all"
            }
          }
        },
        "webtls": {
          "class": "TLS_Server",
          "certificates": [{
            "certificate": "webcert"
          }]
        },
        "webcert": {
          "class": "Certificate",
          "remark": "in practice we recommend using a passphrase",
          "certificate": "-----BEGIN CERTIFICATE-----\nMIICnDCCAgWgAwIBAgIJAJ5n2b0OCEjwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQwEgYDVQQKDAtmNV9OZXR3b3JrczEbMBkGA1UEAwwSc2FtcGxlLmV4YW1wbGUubmV0MB4XDTE3MTEyNjE5NTAyNFoXDTE4MDIyNTE5NTAyNFowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC2Y1X05ldHdvcmtzMRswGQYDVQQDDBJzYW1wbGUuZXhhbXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALEsuXmSXVQpYjrZPW+WiTBjn491mwZYT7Q92V1HlSBtM6WdWlK1aZN5sovfKtOX7Yrm8xa+e4o/zJ2QYLyyv5O+t2EGN/4qUEjEAPY9mwJdfzRQy6Hyzm84J0QkTuUJ/EjNuPji3D0QJRALUTzu1UqqDCEtiN9OGyXEkh7uvb7BAgMBAAGjUDBOMB0GA1UdDgQWBBSVHPNrGWrjWyZvckQxFYWO59FRFjAfBgNVHSMEGDAWgBSVHPNrGWrjWyZvckQxFYWO59FRFjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAJeJ9SEckEwPhkXOm+IuqfbUS/RcziifBCTmVyE+Fa/j9pKSYTgiEBNdbJeBEa+gPMlQtbV7Y2dy8TKx/8axVBHiXC5geDML7caxOrAyHYBpnx690xJTh5OIORBBM/a/NvaR+P3CoVebr/NPRh9oRNxnntnqvqD7SW0U3ZPe3tJc\n-----END CERTIFICATE-----",
          "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
          "passphrase": {
            "ciphertext": "ZjVmNQ==",
            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
          }
        }
      }
    }
  }
}
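Review bot: The `webcert` object at the end of the declaration commits a PEM `privateKey` inline, and its `passphrase.protected` header is the JOSE header for `{"alg":"dir","enc":"none"}`, so the `ciphertext` value is only base64-encoded — anyone with read access to the repository recovers the key material, sample certificate or not. Keep the key out of the declaration: install the certificate on the device and point at it with AS3's `bigip` pointer form (`"certificate": { "bigip": "/Common/<cert-name>" }`, if the schema accepts it for this property), or inject it at deploy time from the Secrets Manager store the Terraform section already creates. The `url` in `My_ASM_Policy` downloads the WAF policy from the `master` branch of a third-party repository on every deploy, so the enforced policy can change without any change to this file; pin it to a commit SHA (`.../<commit-sha>/asm-policies/...`) or vendor the XML. Minor: `"port": "6514"` under `telemetry_security_log_profile.application.servers` is a string while every other port in the file is a number — use `"port": 6514` if the schema allows, and drop the trailing whitespace after `"requestProtocol": "mds-tcp",`.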
+119 −0

#
# Create random password for BIG-IP
#
resource "random_password" "password" {
  length           = 16
  special          = true
  override_special = "_%@"
}

#
# Create Secret Store and Store BIG-IP Password
#
resource "aws_secretsmanager_secret" "bigip" {
  name = format("%s-bigip-secret-%s", var.prefix, random_id.id.hex)
}
resource "aws_secretsmanager_secret_version" "bigip-pwd" {
  secret_id     = aws_secretsmanager_secret.bigip.id
  secret_string = random_password.password.result
}


#
# Create the BIG-IP appliances
#
module "bigip" {
  # source  = "f5devcentral/bigip/aws"
  # version = "0.1.2"
  source = "github.com/f5devcentral/terraform-aws-bigip?ref=multiple-public-ips"

  prefix = format(
    "%s-bigip-3-nic_with_new_vpc-%s",
    var.prefix,
    random_id.id.hex
  )
  aws_secretmanager_secret_id     = aws_secretsmanager_secret.bigip.id
  f5_ami_search_name              = "F5 BIGIP-15.* PAYG-Best 200Mbps*"
  f5_instance_count               = length(var.azs)
  ec2_key_name                    = var.ec2_key_name
  ec2_instance_type               = "c4.xlarge"
  DO_URL                          = "https://github.com/F5Networks/f5-declarative-onboarding/releases/download/v1.8.0/f5-declarative-onboarding-1.8.0-2.noarch.rpm"
  
  mgmt_subnet_security_group_ids  = [
    module.bigip_sg.this_security_group_id,
    module.bigip_mgmt_sg.this_security_group_id
  ]


  public_subnet_security_group_ids = [
    module.bigip_sg.this_security_group_id,
    module.bigip_mgmt_sg.this_security_group_id
  ]

  private_subnet_security_group_ids = [
    module.bigip_sg.this_security_group_id,
    module.bigip_mgmt_sg.this_security_group_id
  ]


  vpc_public_subnet_ids  = module.vpc.public_subnets
  vpc_private_subnet_ids = module.vpc.private_subnets
  vpc_mgmt_subnet_ids    = module.vpc.database_subnets
  }


#
# Create a security group for BIG-IP
#
module "bigip_sg" {
  source = "terraform-aws-modules/security-group/aws"

  name        = format("%s-bigip-%s", var.prefix, random_id.id.hex)
  description = "Security group for BIG-IP Demo"
  vpc_id      = module.vpc.vpc_id

  ingress_cidr_blocks = [var.allowed_app_cidr]
  ingress_rules       = ["http-80-tcp", "https-443-tcp"]

  ingress_with_source_security_group_id = [
    {
      rule                     = "all-all"
      source_security_group_id = module.bigip_sg.this_security_group_id
    }
  ]

  # Allow ec2 instances outbound Internet connectivity
  egress_cidr_blocks = ["0.0.0.0/0"]
  egress_rules       = ["all-all"]
}

#
# Create a security group for BIG-IP Management
#
module "bigip_mgmt_sg" {
  source = "terraform-aws-modules/security-group/aws"

  name        = format("%s-bigip-mgmt-%s", var.prefix, random_id.id.hex)
  description = "Security group for BIG-IP Demo"
  vpc_id      = module.vpc.vpc_id

  ingress_cidr_blocks = [var.allowed_mgmt_cidr]
  ingress_rules       = ["https-443-tcp", "https-8443-tcp", "ssh-tcp"]

  ingress_with_source_security_group_id = [
    {
      rule                     = "all-all"
      source_security_group_id = module.bigip_mgmt_sg.this_security_group_id
    }
  ]

  # Allow ec2 instances outbound Internet connectivity
  egress_cidr_blocks = ["0.0.0.0/0"]
  egress_rules       = ["all-all"]
}

data "aws_network_interface" "bar" {
  count = length(module.bigip.public_nic_ids)
  id = module.bigip.public_nic_ids[count.index]
}
 No newline at end of file
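Review bot: Every BIG-IP interface receives both security groups — `mgmt_subnet_security_group_ids`, `public_subnet_security_group_ids` and `private_subnet_security_group_ids` all list `bigip_sg` and `bigip_mgmt_sg` — so, assuming the module attaches them per subnet as the names suggest, `ssh-tcp`/`https-8443-tcp` from `var.allowed_mgmt_cidr` become reachable on the data-plane NICs and `http-80-tcp` from `var.allowed_app_cidr` on the management NIC. Attach each group only where it belongs, e.g. `mgmt_subnet_security_group_ids = [module.bigip_mgmt_sg.this_security_group_id]` and `public_subnet_security_group_ids = [module.bigip_sg.this_security_group_id]` (same for private), keeping the self-referencing `all-all` rule for intra-group traffic. The module `source` is pinned to a branch (`?ref=multiple-public-ips`) rather than a tag or commit, so later pushes to that branch silently change what `terraform init` pulls; pin to an immutable ref. `data "aws_network_interface" "bar"` is a placeholder name that several resources in the next file index into — a name such as `bigip_public_nic` would say what it holds.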
+0 −0

Empty file added.

+0 −0

Empty file added.

+137 −0


data "aws_ami" "latest-ubuntu" {
  most_recent = true
  owners      = ["099720109477"] # Canonical

  filter {
    name = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}


module "jumphost" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 2.0"

  name           = format("%s-demo-jumphost-%s", var.prefix, random_id.id.hex)
  instance_count = length(var.azs)

  ami                         = data.aws_ami.latest-ubuntu.id
  associate_public_ip_address = true
  instance_type               = "t2.xlarge"
  key_name                    = var.ec2_key_name
  monitoring                  = false
  vpc_security_group_ids      = [module.jumphost_sg.this_security_group_id]
  subnet_ids                  = module.vpc.public_subnets

  # this box needs to know the ip address of the bigip and the juicebox host
  # it also needs to know the bigip username and password to use

  tags = {
    Terraform   = "true"
    Environment = "dev"
    Application = var.prefix
  }
}

#
# Create a security group for the jumphost
#
module "jumphost_sg" {
  source = "terraform-aws-modules/security-group/aws"

  name        = format("%s-jumphost-%s", var.prefix, random_id.id.hex)
  description = "Security group for BIG-IP Demo"
  vpc_id      = module.vpc.vpc_id

  ingress_cidr_blocks = [var.allowed_mgmt_cidr]
  ingress_rules       = ["https-443-tcp", "ssh-tcp"]
  ingress_with_cidr_blocks = [
    {
      from_port   = 3300
      to_port     = 3300
      protocol    = "tcp"
      description = "Juiceshop ports"
      cidr_blocks = var.allowed_mgmt_cidr
    },
     {
      from_port   = 3000
      to_port     = 3000
      protocol    = "tcp"
      description = "Juiceshop ports"
      cidr_blocks = var.allowed_mgmt_cidr
    },
  ]

  # Allow ec2 instances outbound Internet connectivity
  egress_cidr_blocks = ["0.0.0.0/0"]
  egress_rules       = ["all-all"]
}
#
# Create and place the inventory.yml file for the ansible demo
#
resource "null_resource" "transfer" {
  count = length(var.azs)
  provisioner "file" {
    content     = templatefile(
      "${path.module}/hostvars_template.yml",
          {
            bigip_host_ip          = join(",",element(module.bigip.mgmt_addresses,count.index))#bigip_host_ip          = module.bigip.mgmt_public_ips[count.index]  the ip address that the bigip has on the management subnet
            bigip_host_dns         = module.bigip.mgmt_public_dns[count.index] # the DNS name of the bigip on the public subnet
            bigip_domain           = "${var.region}.compute.internal"
            bigip_username         = "admin"
            bigip_password         = random_password.password.result
            ec2_key_name           = var.ec2_key_name
            ec2_username           = "ubuntu"
            log_pool               = cidrhost(cidrsubnet(var.cidr,8,count.index + var.internal_subnet_offset),250)
            bigip_external_self_ip = element(flatten(data.aws_network_interface.bar[count.index].private_ips),0) # the ip address that the bigip has on the public subnet
            bigip_internal_self_ip = join(",",element(module.bigip.private_addresses,count.index)) # the ip address that the bigip has on the private subnet
            juiceshop_virtual_ip   = element(flatten(data.aws_network_interface.bar[count.index].private_ips),1)
            grafana_virtual_ip     = element(flatten(data.aws_network_interface.bar[count.index].private_ips),2)
            appserver_gateway_ip   = cidrhost(cidrsubnet(var.cidr,8,count.index + var.internal_subnet_offset),1)
            appserver_guest_ip     = module.dockerhost.private_ip[count.index]
            appserver_host_ip      = module.jumphost.private_ip[count.index]   # the ip address that the jumphost has on the public subnet
            bigip_dns_server       = "8.8.8.8"
          }
    )

    destination = "~/inventory.yml"

    connection {
      type        = "ssh"
      user        = "ubuntu"
      private_key = file(var.ec2_key_file)
      host        = module.jumphost.public_ip[count.index]
    }  
  }
}



resource "aws_eip" "juiceshop" {
  count                     = length(var.azs)
  vpc                       = true
  network_interface         = "${data.aws_network_interface.bar[count.index].id}"
  associate_with_private_ip = element(flatten(data.aws_network_interface.bar[count.index].private_ips),1)
  tags = {
    Name = format("%s-juiceshop-eip-%s%s", var.prefix, random_id.id.hex,count.index)
  }
}

resource "aws_eip" "grafana" {
  count                     = length(var.azs)
  vpc                       = true
  network_interface         = "${data.aws_network_interface.bar[count.index].id}"
  associate_with_private_ip = element(flatten(data.aws_network_interface.bar[count.index].private_ips),2)
  tags = {
    Name = format("%s-grafana-eip-%s%s", var.prefix, random_id.id.hex,count.index)
  }

}
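Review bot: `null_resource.transfer` has no `triggers` block, so after the first apply the `file` provisioner never runs again even when the values rendered into `inventory.yml` change (a replaced jumphost, a new BIG-IP management address, a regenerated password); add e.g. `triggers = { host = module.jumphost.public_ip[count.index], bigip = join(",", element(module.bigip.mgmt_addresses, count.index)) }`. The rendered inventory carries `bigip_password = random_password.password.result` in clear text into the `ubuntu` home directory with whatever default permissions the provisioner leaves, although the same secret is already stored in `aws_secretsmanager_secret.bigip`; at minimum tighten the file mode in a follow-up `remote-exec`, or better, let the jumphost fetch the secret through an instance role at run time instead of baking it into the file. The `bigip_host_ip` line fuses a commented-out alternative (`#bigip_host_ip = module.bigip.mgmt_public_ips[count.index] ...`) onto the live expression; move it to its own line or delete it. `bigip_dns_server = "8.8.8.8"` hard-codes an external resolver; making it a variable (defaulting to the VPC resolver) keeps the demo usable in environments that block outbound DNS.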