
Commit cde813f

automate ATC in VMSS instance onboarding
1 parent 9a9cd3d commit cde813f


10 files changed

+860
-38
lines changed


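--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,5 @@ terraform/az-aks-cluster/terraform.tfstate
 terraform/az-aks-cluster/.terraform.tfstate.lock.info
 terraform/az-aks-cluster/terraform.tfstate.backup
 terraform/az-auto-scaleset/terraform.tfstate.backup
+terraform/az-auto-scaleset/files/as3.json
+terraform/az-auto-scaleset/files/runtime-init.yaml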
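Review bot: The two new ignore entries do not cover the files this commit's `local_file` resources actually write — `files/ScScADC-F5VM01_F5-do.json`, `files/ScScADC-F5VM02_F5-do.json`, `files/ScScADC-F5VM01_F5-ts.json` and `files/ScScADC-F5VM_F5-vm_onboard.sh` (the `.tf` declaring them has no file header on this page, so its placement in `az-auto-scaleset` is inferred from the `files/` path). The DO declarations are rendered from vars that include `admin_pass` and `regkey`, and the TS declaration from `law_primkey`, so if those resources sit in this module their output is one `git add` away from the repository. Consider replacing the two entries with `terraform/az-auto-scaleset/files/*.json` and `terraform/az-auto-scaleset/files/*.sh`, or ignoring the whole `files/` directory.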

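--- a/f5BigIp/ts.json
+++ b/f5BigIp/ts.json
@@ -36,7 +36,7 @@
 "My_Consumer": {
 "class": "Telemetry_Consumer",
 "type": "Generic_HTTP",
-"host": "20.220.251.246",
+"host": "52.156.22.174",
 "protocol": "http",
 "port": 7080,
 "path": "/",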
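Review bot: `"host"` is still a bare public IP and the consumer sends with `"protocol": "http"`, so every log and metric event leaves the BIG-IP in cleartext to an address that has to be hand-edited each time the collector moves, which is exactly what this commit does. If the collector can terminate TLS, set `"protocol": "https"` (with a trusted certificate rather than relying on `allowSelfSignedCert`); otherwise at least move the host into a template variable the way the new `f5_ts.tmpl.json` data source in this commit parameterizes `law_id`. The `My_Consumer` object starts and ends outside this hunk.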
Lines changed: 77 additions & 0 deletions
@@ -0,0 +1,77 @@
1+
# VM01 DO Declaration from template
2+
data "template_file" "ScScADC-F5VM01_F5-do_json" {
3+
template = "${file("${path.module}/templates/f5_do.tmpl.json")}"
4+
vars = {
5+
regkey = "LBZRD-MGMGU-ZKROE-DAONR-XINJLCK"
6+
host1 = "ScScADC-F5VM01-F5"
7+
host2 = "ScScADC-F5VM02-F5"
8+
domainname = "csd.local"
9+
local_host = "ScScADC-F5VM01-F5"
10+
local_selfip1 = azurerm_network_interface.ScScADC-F5VM01_F5-nic2.private_ip_addresses[0]
11+
local_selfip2 = azurerm_network_interface.ScScADC-F5VM01_F5-nic3.private_ip_addresses[0]
12+
remote_selfip = azurerm_network_interface.ScScADC-F5VM01_F5-nic1.private_ip_addresses[0]
13+
dns_server1 = "8.8.8.8"
14+
dns_server2 = "168.63.129.16"
15+
ntp_server = "ntp.cira.ca"
16+
gateway = "${cidrhost(azurerm_subnet.ScPcCNR-VDC_Core-External_F5-snet.address_prefix, 1)}" //"100.96.184.1"
17+
int_gateway = "${cidrhost(azurerm_subnet.ScPcCNR-VDC_Core-Transit_F5-snet.address_prefix, 1)}" //"100.96.185.1"
18+
int_cidr = "10.101.0.0/16"
19+
paz_cidr = "192.168.0.0/16"
20+
sandbox_cidr = "172.168.0.0/16"
21+
timezone = "UTC"
22+
banner_color = "red"
23+
admin_user = "azops"
24+
admin_pass = "Canada12345"
25+
}
26+
}
27+
28+
29+
# VM02 DO Declaration from template
30+
data "template_file" "ScScADC-F5VM02_F5-do_json" {
31+
template = "${file("${path.module}/templates/f5_do.tmpl.json")}"
32+
vars = {
33+
regkey = "DIYMH-YZMUX-HMDWG-UKVXZ-EIQDGIA"
34+
host1 = "ScScADC-F5VM01-F5"
35+
host2 = "ScScADC-F5VM02-F5"
36+
domainname = "csd.local"
37+
local_host = "ScScADC-F5VM02-F5"
38+
local_selfip1 = azurerm_network_interface.ScScADC-F5VM02_F5-nic2.private_ip_addresses[0]
39+
local_selfip2 = azurerm_network_interface.ScScADC-F5VM02_F5-nic3.private_ip_addresses[0]
40+
remote_selfip = azurerm_network_interface.ScScADC-F5VM01_F5-nic1.private_ip_addresses[0]
41+
dns_server1 = "8.8.8.8"
42+
dns_server2 = "168.63.129.16"
43+
ntp_server = "ntp.cira.ca"
44+
gateway = "${cidrhost(azurerm_subnet.ScPcCNR-VDC_Core-External_F5-snet.address_prefix, 1)}" //"100.96.184.1"
45+
int_gateway = "${cidrhost(azurerm_subnet.ScPcCNR-VDC_Core-Transit_F5-snet.address_prefix, 1)}" //"100.96.185.1"
46+
int_cidr = "10.101.0.0/16"
47+
paz_cidr = "192.168.0.0/16"
48+
sandbox_cidr = "172.168.0.0/16"
49+
timezone = "UTC"
50+
banner_color = "red"
51+
admin_user = "azops"
52+
admin_pass = "Canada12345"
53+
}
54+
}
55+
56+
# TS Declaration from template
57+
data "template_file" "ScScADC-F5VM01_F5-ts_json" {
58+
template = "${file("${path.module}/templates/f5_ts.tmpl.json")}"
59+
depends_on = [azurerm_log_analytics_workspace.ScPcCSDF5law]
60+
vars = {
61+
law_id = "${azurerm_log_analytics_workspace.ScPcCSDF5law.workspace_id}"
62+
law_primkey = "${azurerm_log_analytics_workspace.ScPcCSDF5law.primary_shared_key}"
63+
location = "canadaCentral"
64+
}
65+
}
66+
67+
68+
69+
# AS3 TS Declaration from template
70+
data "template_file" "ScScADC-F5VM01_F5-as3_ts_json" {
71+
template = "${file("${path.module}/templates/f5_as3_ts.tmpl.json")}"
72+
vars = {
73+
webssh_vs_addr = azurerm_subnet.ScPcCNR-VDC_Core-External_F5-snet.address_prefix
74+
}
75+
}
76+
77+
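Review bot: `admin_pass = "Canada12345"` (lines 24 and 52 of the new file) and the two `regkey` license strings are committed as literals, and `law_primkey` pulls the Log Analytics primary shared key into the same `vars` map, so all of them end up in the rendered declarations and in the Terraform state in clear text. Declare them as inputs — `variable "admin_pass"` with `type = string` and `sensitive = true`, then `admin_pass = var.admin_pass` (same for the regkeys) — and treat the values already in history as disclosed. In the VM01 declaration `remote_selfip` reads `azurerm_network_interface.ScScADC-F5VM01_F5-nic1`, i.e. VM01's own NIC, while VM02's `remote_selfip` also points at VM01; that looks like a copy-paste slip and VM01's peer is presumably `ScScADC-F5VM02_F5-nic1`, worth confirming before the DO declaration is applied. The `template_file` data source is deprecated in favour of the `templatefile()` function, which would also remove the need to duplicate the 25-line vars map per VM. This section's file name is not shown on the page.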
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
2+
# Render VM Onboard script (for debugging purposes)
3+
resource "local_file" "ScScADC-F5VM_F5-vm_onboard_file" {
4+
content = data.template_file.ScScADC-F5VM_F5-vm_onboard.rendered
5+
filename = "${path.module}/files/ScScADC-F5VM_F5-vm_onboard.sh"
6+
}
7+
8+
# Render AS3 TS declaration
9+
resource "local_file" "ScScADC-F5VM01_F5-as3_ts_json_file" {
10+
content = data.template_file.ScScADC-F5VM01_F5-as3_ts_json.rendered
11+
filename = "${path.module}/files/ScScADC-F5VM01_F5-as3_ts.json"
12+
}
13+
14+
# Render TS declaration
15+
resource "local_file" "ScScADC-F5VM01_F5-ts_json_file" {
16+
content = data.template_file.ScScADC-F5VM01_F5-ts_json.rendered
17+
filename = "${path.module}/files/ScScADC-F5VM01_F5-ts.json"
18+
}
19+
20+
# Render DO declaration
21+
resource "local_file" "ScScADC-F5VM02_F5-do_json_file" {
22+
content = data.template_file.ScScADC-F5VM02_F5-do_json.rendered
23+
filename = "${path.module}/files/ScScADC-F5VM02_F5-do.json"
24+
}
25+
26+
# Render DO declaration
27+
resource "local_file" "ScScADC-F5VM01_F5-do_json_file" {
28+
content = data.template_file.ScScADC-F5VM01_F5-do_json.rendered
29+
filename = "${path.module}/files/ScScADC-F5VM01_F5-do.json"
30+
}
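Review bot: These resources write the rendered DO declarations (which carry `admin_pass` and `regkey`) and the TS declaration (which carries the Log Analytics shared key) into `files/` under the module with `local_file`'s default `file_permission` of `"0777"`, and the comment on the first resource describes the output as a debugging aid. If the files are needed at all, set `file_permission = "0600"` on each, prefer `local_sensitive_file` (local provider 2.2 and later) so the content is redacted from plan output, and make sure `files/*.json` and `files/*.sh` are ignored — the `.gitignore` hunk in this commit lists only `as3.json` and `runtime-init.yaml`. The file name of this section is not shown on the page, so its placement in `az-auto-scaleset` is inferred from the `${path.module}/files/` paths.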

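--- a/terraform/az-auto-scaleset/bigip.tf
+++ b/terraform/az-auto-scaleset/bigip.tf
@@ -46,7 +46,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "f5vmss" {
 location = data.azurerm_resource_group.main.location
 resource_group_name = data.azurerm_resource_group.main.name
 sku = var.instance_type
-instances = 2
+instances = var.instances
 admin_username = var.f5_username
 admin_password = var.f5_password
 disable_password_authentication = false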

terraform/az-auto-scaleset/templates/files/README.md

Whitespace-only changes.
Lines changed: 254 additions & 0 deletions
@@ -0,0 +1,254 @@
1+
{
2+
"class": "ADC",
3+
"schemaVersion": "3.16.0",
4+
"remark": "Configure BIG-IP Common/Shared objects",
5+
"Common": {
6+
"Shared": {
7+
"class": "Application",
8+
"template": "shared",
9+
"maintenance_rule": {
10+
"remark": "Default Maintenance iRule",
11+
"class": "iRule",
12+
"iRule": "when HTTP_REQUEST {\n HTTP::respond 200 content \"<html><head><title>Maintenance</title></head><body><strong>This site is in maintenance now.</strong></body></html>\"\n}"
13+
},
14+
"wildcardAddress": {
15+
"class": "Service_Address",
16+
"virtualAddress": "0.0.0.0"
17+
},
18+
"lb_healthProbe_rule": {
19+
"remark": "Respond to LB healthProbe",
20+
"class": "iRule",
21+
"iRule": "when CLIENT_ACCEPTED {\n TCP::close\n}"
22+
},
23+
"lb_healthProbe_vs": {
24+
"class": "Service_TCP",
25+
"remark": "LB Health Probe VS",
26+
"virtualPort": 666,
27+
"virtualAddresses": [
28+
{ "use": "wildcardAddress" }
29+
],
30+
"iRules": [
31+
"lb_healthProbe_rule"
32+
]
33+
},
34+
"telemetry_local_rule": {
35+
"remark": "Only required when TS is a local listener",
36+
"class": "iRule",
37+
"iRule": "when CLIENT_ACCEPTED {\n node 127.0.0.1 6514\n}"
38+
},
39+
"telemetry_local": {
40+
"remark": "Only required when TS is a local listener",
41+
"class": "Service_TCP",
42+
"virtualAddresses": [
43+
"255.255.255.254"
44+
],
45+
"virtualPort": 6514,
46+
"iRules": [
47+
"telemetry_local_rule"
48+
]
49+
},
50+
"telemetry": {
51+
"class": "Pool",
52+
"members": [
53+
{
54+
"enable": true,
55+
"serverAddresses": [
56+
"255.255.255.254"
57+
],
58+
"servicePort": 6514
59+
}
60+
],
61+
"monitors": [
62+
{
63+
"bigip": "/Common/tcp"
64+
}
65+
]
66+
},
67+
"telemetry_hsl": {
68+
"class": "Log_Destination",
69+
"type": "remote-high-speed-log",
70+
"protocol": "tcp",
71+
"pool": {
72+
"use": "telemetry"
73+
}
74+
},
75+
"telemetry_formatted": {
76+
"class": "Log_Destination",
77+
"type": "splunk",
78+
"forwardTo": {
79+
"use": "telemetry_hsl"
80+
}
81+
},
82+
"telemetry_publisher": {
83+
"class": "Log_Publisher",
84+
"destinations": [
85+
{
86+
"use": "telemetry_formatted"
87+
}
88+
]
89+
},
90+
"telemetry_traffic_log_profile": {
91+
"class": "Traffic_Log_Profile",
92+
"responseSettings": {
93+
"responseEnabled": true,
94+
"responseProtocol": "mds-tcp",
95+
"responsePool": {
96+
"use": "telemetry"
97+
},
98+
"requestTemplate": "event_source=\"request_logging\",hostname=\"$BIGIP_HOSTNAME\",client_ip=\"$CLIENT_IP\",server_ip=\"$SERVER_IP\",http_method=\"$HTTP_METHOD\",http_uri=\"$HTTP_URI\",virtual_name=\"$VIRTUAL_NAME\",event_timestamp=\"$DATE_HTTP\"",
99+
"responseTemplate": "event_source=\"response_logging\",hostname=\"$BIGIP_HOSTNAME\",client_ip=\"$CLIENT_IP\",server_ip=\"$SERVER_IP\",http_method=\"$HTTP_METHOD\",http_uri=\"$HTTP_URI\",response_msec=\"$RESPONSE_MSEC\",response_size=\"RESPONSE_SIZE\",virtual_name=\"$VIRTUAL_NAME\",event_timestamp=\"$DATE_HTTP\""
100+
}
101+
},
102+
"telemetry_security_log_profile": {
103+
"class": "Security_Log_Profile",
104+
"application": {
105+
"localStorage": false,
106+
"remoteStorage": "splunk",
107+
"protocol": "tcp",
108+
"servers": [
109+
{
110+
"address": "255.255.255.254",
111+
"port": "6514"
112+
}
113+
],
114+
"storageFilter": {
115+
"requestType": "illegal-including-staged-signatures"
116+
}
117+
},
118+
"network": {
119+
"publisher": {
120+
"use": "telemetry_publisher"
121+
},
122+
"storageFormat": {
123+
"fields": [
124+
"action",
125+
"dest-ip",
126+
"dest-port",
127+
"src-ip",
128+
"src-port"
129+
]
130+
},
131+
"logRuleMatchAccepts": true,
132+
"logRuleMatchRejects": true,
133+
"logRuleMatchDrops": true,
134+
"logIpErrors": true,
135+
"logTcpErrors": true,
136+
"logTcpEvents": true
137+
}
138+
}
139+
}
140+
},
141+
"INET": {
142+
"class": "Tenant",
143+
"IpFwding": {
144+
"class": "Application",
145+
"template": "generic",
146+
"IpFwdingSvc": {
147+
"class": "Service_Forwarding",
148+
"remark": "IP Forwarding Virtual Server",
149+
"virtualAddresses": [
150+
{ "use": "/Common/Shared/wildcardAddress" }
151+
],
152+
"virtualPort": 0,
153+
"forwardingType": "ip",
154+
"layer4": "tcp",
155+
"profileL4": "basic",
156+
"allowVlans": [
157+
{ "bigip": "/Common/internal" }
158+
]
159+
}
160+
}
161+
},
162+
"SRA": {
163+
"class": "Tenant",
164+
"Webtop": {
165+
"class": "Application",
166+
"template": "https",
167+
"serviceMain": {
168+
"class": "Service_HTTPS",
169+
"redirect80": false,
170+
"virtualAddresses": [
171+
{ "use": "/Common/Shared/wildcardAddress" }
172+
],
173+
"virtualPort": 10443,
174+
"snat": "none",
175+
"profileTCP": {
176+
"bigip": "/Common/f5-tcp-progressive"
177+
},
178+
"profileHTTP": {
179+
"use": "webtop_http"
180+
},
181+
"clientTLS": {
182+
"bigip": "/Common/serverssl-insecure-compatible"
183+
},
184+
"serverTLS": "webtop_clientssl",
185+
"policyWAF": {
186+
"use": "Ingress_WAF_Policy"
187+
},
188+
"profileTrafficLog": {
189+
"use": "/Common/Shared/telemetry_traffic_log_profile"
190+
},
191+
"securityLogProfiles": [
192+
{
193+
"bigip": "/Common/Log all requests"
194+
},
195+
{
196+
"use": "/Common/Shared/telemetry_security_log_profile"
197+
}
198+
],
199+
"allowVlans": [
200+
{ "bigip": "/Common/external" }
201+
]
202+
},
203+
"webtop_http": {
204+
"class": "HTTP_Profile",
205+
"hstsInsert": true,
206+
"hstsPreload": true
207+
},
208+
"Ingress_WAF_Policy": {
209+
"class": "WAF_Policy",
210+
"url": "https://raw.githubusercontent.com/f5devcentral/f5-asm-policy-templates/master/generic_ready_template/Passive_Deployment_Policy_13_1.xml",
211+
"ignoreChanges": true
212+
},
213+
"webtop_clientssl": {
214+
"certificates": [
215+
{
216+
"certificate": "Wildcard_certificate"
217+
}
218+
],
219+
"ciphers": "DEFAULT",
220+
"requireSNI": false,
221+
"class": "TLS_Server"
222+
},
223+
"Wildcard_certificate": {
224+
"class": "Certificate",
225+
"remark": "in practice we recommend using a passphrase",
226+
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDtTCCAp2gAwIBAgIBAzANBgkqhkiG9w0BAQsFADBGMQswCQYDVQQGEwJVUzET\nMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UECgwJTXlDb21wYW55MQ4wDAYDVQQD\nDAVsYWJDQTAeFw0xOTA0MjUyMzM3NDVaFw0yOTA0MjIyMzM3NDVaMF8xCzAJBgNV\nBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRQwEgYDVQQKEwtGNSBOZXR3b3JrczEO\nMAwGA1UECxMFU2FsZXMxGDAWBgNVBAMTD3dlYnRvcC5mNXNlLmNvbTCCASIwDQYJ\nKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO6mWzsOY0UuRzSiVU65gmlSit4d7tW4\nE/kWYY3LT/dxG2V/kzHhO70amNCTDVv5oAKkToLYCdJNWWxEI+EgUigDtg/v4E1R\nH0KEQdGC6RHnYK8kOmWWm9Pminh1P1o03QiJ41zj5KcyFYJq4pFRctN5iPs0+F/Y\n5JBDbPcnuk3OuRLxI67tPwqAQQurXcvGzCYF1y1zxlHxxWyUbuTdCo3GeO2Vo3bN\nMSTSj9hmxc8QEXif1qA/KDnLtY+IemptJT5aC0WZRwp2lncKOpSLcMcdQAprxHYA\n6LLkztNqVwCXQFjA7zfVRXV63JGhjV+oR4O8yemLffUVydihXzcsruMCAwEAAaOB\nlDCBkTAJBgNVHRMEAjAAMB0GA1UdDgQWBBRjzhMuUopHVdDvj9xvCskIPacvQzAf\nBgNVHSMEGDAWgBQMgRSSF2oS8RCZJADBj3YSv90EsTAOBgNVHQ8BAf8EBAMCBeAw\nNAYDVR0lAQH/BCowKAYIKwYBBQUHAwIGCCsGAQUFBwMBBggrBgEFBQcDAwYIKwYB\nBQUHAwQwDQYJKoZIhvcNAQELBQADggEBAKxtUE9tImn6MF0E2RNYeaTkIyCozjPw\nARofuW4eE5VKoZyq8JCbzUG44yT8gCSAj24LYuM7mk9CceHpu4pSyLHuptP1W8ZT\nzpy4BPHaeFoJZCgBW8KkOdlW/4WRTmbfG3YaxPClOj7f5P4Tkw2XaftPJqQWZnCx\npEBU8e5AVOSmV1/vkhEi5FjV1aCXEm2DH9TJQtxABKGCaNtwnS701mmJH0HWlDSm\nMyBI/jTOO2XMoWGEzL9pIMiPPGZZbGWUIfvfhsgBFnJoSUa9ijteR5CLhX7DIfAl\njuMTHgWmsN80SOIEUaLYNfeFQxkgL0uVc8nzc3JGN+78h+Ktg4piRCM=\n-----END CERTIFICATE-----",
227+
"privateKey": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDupls7DmNFLkc0\nolVOuYJpUoreHe7VuBP5FmGNy0/3cRtlf5Mx4Tu9GpjQkw1b+aACpE6C2AnSTVls\nRCPhIFIoA7YP7+BNUR9ChEHRgukR52CvJDpllpvT5op4dT9aNN0IieNc4+SnMhWC\nauKRUXLTeYj7NPhf2OSQQ2z3J7pNzrkS8SOu7T8KgEELq13LxswmBdctc8ZR8cVs\nlG7k3QqNxnjtlaN2zTEk0o/YZsXPEBF4n9agPyg5y7WPiHpqbSU+WgtFmUcKdpZ3\nCjqUi3DHHUAKa8R2AOiy5M7TalcAl0BYwO831UV1etyRoY1fqEeDvMnpi331FcnY\noV83LK7jAgMBAAECggEAE06WFuMFGPWzgQiZCjNr34V0AqA9UEECLKao4cXPBF+8\nLavyhpiIMrZSIp2i+Qvq7AvK5j8AHGlxkJa6qF3rB521PvjTFq43bzQv9vk2TeKA\nKesuZkWW+b+u+CvUIkIgl65AHKW7O+OLZe+rwMHsHju430nbxjVP2HP7/srSAbVN\nt3yyXPmI4VSB2P8NzkYCzr/B46LcS/2OBno9iwjQwDspQNJhpUmxPsFfG0OS0WWh\nqLgpUvG8GEPkCv8fRjjrqh9iJ3kZOpmv5nQ1OE0ypwYoPhJDiJAAZiXRtPImoM06\n2M6CbvtdunRuVvVNBYgu75jRgunZycQJP48tWWcWsQKBgQD7/X1WKBIqJRZcDYTf\n8pHFDzZxhDOpYX31vddk7A3xv9XvqQVCu6hkbFvMu5b80AOeYlo2SCvaA97sS7Bp\nbafoT6ZCwBztEBjk9v+X0LOSg847c/ik3+M9Nsnpv9N0qdjGtPgm8Kb15PaiHYAH\nT6kLkvYCFS5G17B2sVoOoWg7fQKBgQDycoX2+FPMPFqUesZ3BlAcZM8sVFTg1VL6\nRGesJLrT/3ueOUiCWjjcJlPodBNg2Y8N3hQV0CdwGxR14nKoVw0vpv+r/iJp1F7s\nsGqjtMIw6fHdqPdX2GIvraIxU+j8p94R1ACii3aztqcluJ1S8CsNmUxgUoMJKtO/\ntvNB4Pjh3wKBgELz/kpXCUSDaCZ7PRPXup12RkvxCVz212Xk1AcvpSDXjLtJ2Gj7\nvWk5VUbXjO2NQ3jgvwFvOZ+Kqb90+OF6TkOubgmMS+M9BLBJZG3s+Nl0BebMEIOW\nLSWFmi5uVnvH6R4a1VhbVrE87b7zQaIvq0W0/YJeKFaQVoWi57+9aRltAoGBANV/\n5FjH9YM04s8+Dudht8pJO+ddnCEhuiCJfIIrFhr6MHH1H9UqfkffuKRLE4WGEGO1\n3RoYY6JlNm9ZKn7zqbj85ske0k8/pRfpgv8Gfrt0SHlaAfZppo016k5mBhX3/abV\nenmpNq6reiXNnT0cIc2n4YoxHxNDk5SQF0c8Re8hAoGATtdkvUp4f6A4v9ppdJZs\npz7M6/NbKGJH9F3GZseSKTBKgtndiBugrfePOrcdC+4O0i33lvWDOs70kREC4wCG\nXMt36aS9Z384Pl7Z7FhiVQrTF2ZuRP/6v1r3iJDHixmJYQzjBO2Zh1D7Sf39BxOv\n2h0dFcPMKaZcLsXTFH1qS0I=\n-----END PRIVATE KEY-----"
228+
}
229+
},
230+
"WebSSHProxy": {
231+
"class": "Application",
232+
"template": "http",
233+
"serviceMain": {
234+
"class": "Service_HTTP",
235+
"virtualPort": 10022,
236+
"snat": "none",
237+
"profileTCP": {
238+
"bigip": "/Common/f5-tcp-progressive"
239+
},
240+
"virtualAddresses": [
241+
"${webssh_vs_addr}"
242+
],
243+
"iRules": [
244+
{
245+
"bigip": "/Common/WebSSH2_plugin/webssh2_node"
246+
}
247+
],
248+
"allowVlans": [
249+
{ "bigip": "/Common/external" }
250+
]
251+
}
252+
}
253+
}
254+
}
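Review bot: `Wildcard_certificate` (lines 223–227 of the new file) embeds a full `privateKey` in the template, so the key now lives in the repository and in every rendered `files/*.json`; the "in practice we recommend using a passphrase" remark suggests it is the F5 sample material, but it should become a `{"bigip": "/Common/<key-installed-out-of-band>"}` reference before this declaration is applied anywhere real. `WebSSHProxy.serviceMain` is a `Service_HTTP` on port 10022 on the external VLAN with no `serverTLS`, so the browser-side SSH session — including whatever the user types into it — crosses the network in cleartext; mirror `Webtop` and use `Service_HTTPS` with a `serverTLS`. In `telemetry_traffic_log_profile.responseTemplate`, `response_size=\"RESPONSE_SIZE\"` is missing the `$`, so each response event logs the literal string instead of the size — change it to `response_size=\"$RESPONSE_SIZE\"`. Minor: `telemetry_security_log_profile.application.servers[0].port` is the string `"6514"` while the same port is a number everywhere else in the file, and `Webtop`'s `clientTLS` uses `/Common/serverssl-insecure-compatible`, which does not validate the backend certificate — fine for a lab, worth a `"remark"` otherwise. The file name of this section is not shown on the page.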
