Manage BIG-IPs in Azure using Terraform Cloud

Introduction

In this article I’ll outline a suite of demonstration resources designed to help you and your IT team explore the possibilities of applying DevOps practices in your own environments. The demonstration resources described below show how tools like Git, HashiCorp Terraform, HashiCorp Sentinel, Chef Inspec and F5's Automation Toolchain can be used to introduce some of the practices listed above to F5 BIG-IPs and the IT services they help deliver. By following along with the README in the demonstration repository and the video walk-throughs listed below, you should be able to run this demonstration on your own.

Software Delivery Key Practices

IT Industry research, such as Accelerate, shows improving a company's ability to deliver software has a significant positive benefit to their overall success. The following practices and design principles are cornerstones to that improvement.

• Version control of code and configuration
• Automation of Deployment
• Automation of Testing and Test Data Management
• "Shifting Left" on Security
• Loosely Coupled Architectures
• Pro-active Notification

Caveats

• These repositories use simplifying demonstration shortcuts for password, key, and network security. Production-ready enterprise designs and workflows should be used in place of these shortcuts.
• DO NOT ASSUME THAT THE CODE AND CONFIGURATION IN THESE REPOSITORIES IS PRODUCTION-READY
• The particular source control approach shown in this demonstration is one of many. Before using this approach to support your Infrastructure as Code and Configuration Management assets and workflows, you should learn about different patterns of source code management and determine what best fits your team's needs.
• A variety of tools are used in this demonstration. In most cases they are not exclusively required and can be replaced with other similar tools.
• The demonstration uses a licensed version of Terraform Cloud in order to demonstrate the capabilities of HashiCorp Sentinel. If you are using the free version of Terraform Cloud you won't be able to try the policy compliance use-cases, and the rest of the demonstration code should work as expected.

Setting up your demonstration automation host

Before running the demonstration code, you'll need to set up the IDE host and the Azure account. Instructions for those steps are here

Video walk-throughs

• Fork the repository and open it in Visual Studio Code (1m36s)

• Set up a Terraform Cloud workspace (1m38s)

• Programmatically set up Terraform Cloud workspaces for production, test, and development (10m40s)

• Initial build of production, test, and development (7m59s)

Everything should be ready for the first build of your production, test, and development environments. In this video, we step you through manually triggering Terraform Cloud builds. In addition, we'll see the impact of Sentinel policies in use, how to override policies that have been triggered, and the audit trail that results.

• Automated testing of production (4m18s)

Once your environment builds have completed, it's critical to validate that they are fit for use. In this video, we step you through a simple set of tests that validate the readiness of the F5 BIG-IPs built by the Terraform Cloud workflow. These tests are not comprehensive, but demonstrate the benefits of an executable "definition of done." The source of an updated version of the Inspec tests used in the demonstration is here.

• Manual inspection of production (2m45s)

In this video, we walk through the BIG-IPs that were built in the production environment. We inspect the virtual servers and their associated pools, noting the number of application servers that were built and joined to the pool.

• Programmatically add application servers and include them in the BIG-IP virtual server (8m6s)

In this video, we explore the use-case of expanding the pool in the previously built production environment, using a simple change in source control. We'll see the Terraform Cloud workflow automatically trigger a new build based on a merge commit to your cloned repository. New application servers will be built and automatically added to the pool by F5's Service Discovery iApp.

• Update WAF from a source control repository (no video walk-through)

We leave it as an exercise for the reader (or possibly an updated video) to look for the WAF deployed with the virtual server. The WAF is retrieved from source control here.

In addition, you can experiment with changing the version of the WAF in the AS3 template in the stanza shown below. Usable values for versions are 0.1.0, 0.1.1, 0.2.0, and 0.2.1. If you choose to do this, follow the same workflow shown in the previous video about scaling the number of application servers.

"ASM_Policy": {
    "class": "WAF_Policy",
    "url": "https://github.com/mjmenger/waf-policy/raw/0.1.1/asm_policy.xml",
    "ignoreChanges": false
}

What's next?

If you've followed along through the all of the use-cases in the demonstration repository, you have seen the following:

• Source-controlled build of an application environment, including BIG-IPs, virtual servers, pools, and WAF policies.
• Managed changes with logging of authoring and approvals.
• Automated scaling of application resources and BIG-IP configuration.
• Automated updates to BIG-IP WAF policies.

If you want to realize the benefits of these practices for your IT service delivery, please reach out to your F5 account team.