Deploy F5 HTTPS VIPs using Terraform and HashiCorp Vault PKI Secrets engine

Diagram

Components

Let's build our lab

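# Start a dev-mode Vault (in-memory, already unsealed, root token "root").
# It stays in the foreground, so run it in its own terminal and the rest of
# these commands in another one.
vault server -dev -dev-root-token-id root

export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=root

# Root CA: enable the PKI engine, allow leases up to 10 years, generate an
# internal root and keep only its certificate on disk (the key never leaves Vault).
vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki
vault write -field=certificate pki/root/generate/internal \
  common_name="example.com" \
  ttl=87600h > CA_cert.crt

# Configure the CA and CRL URL. These URLs are embedded in every certificate
# issued below; with VAULT_ADDR=127.0.0.1 the BIG-IP and its clients cannot
# reach them, so use an address they can resolve (the one later given as
# vaultaddress in terraform.tfvars) when this is more than a local demo.
vault write pki/config/urls \
  issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
  crl_distribution_points="$VAULT_ADDR/v1/pki/crl"

# Intermediate CA at pki_int: generate a CSR, sign it with the root, and
# install the signed certificate back into the intermediate mount.
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int
vault write -format=json pki_int/intermediate/generate/internal \
  common_name="example.com Intermediate Authority" \
  | jq -r '.data.csr' > pki_intermediate.csr
vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \
  format=pem_bundle ttl="43800h" \
  | jq -r '.data.certificate' > intermediate.cert.pem
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem

# Role that Terraform will request leaf certificates from. Only example.com and
# its subdomains may be issued, with a 10 minute default and 30 minute maximum
# lifetime. Values use plain ASCII quotes (curly quotes are passed to Vault
# literally) and the parameter is "ttl" -- "ttls" is not a role field and would
# be ignored.
vault write pki_int/roles/example-dot-com \
  allowed_domains="example.com" \
  allow_subdomains=true \
  ttl="10m" \
  max_ttl="30m"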
# Provider requirements, pinned to exact versions so a lab rebuild is repeatable.
# NOTE(review): the local_file resource further down uses the hashicorp/local
# provider, which is only resolved implicitly here; consider declaring and
# pinning it alongside these two.
terraform {
  required_providers {
    bigip = {
      source  = "F5Networks/bigip"
      version = "1.13.1"
    }
    vault = {
      source  = "hashicorp/vault"
      version = "3.5.0"
    }
  }
}
# Vault connection used to request leaf certificates from the pki_int mount.
# The token is a credential: declare var.vault_token with `sensitive = true`,
# and prefer leaving `token` unset so the provider picks up VAULT_TOKEN from
# the environment rather than storing it in a tfvars file.
provider "vault" {
  address = var.vaultaddress
  token   = var.vault_token
}
# BIG-IP management connection used to push the AS3 declaration.
# var.bigippass should be declared `sensitive = true`; use a dedicated account
# with only the rights the AS3 deployment needs rather than the admin user.
provider "bigip" {
  address  = var.bigipmgmt
  username = var.bigipmgmtuser
  password = var.bigippass
}
# Deploy one HTTPS VIP. pki_name must match the Vault role created during setup
# (pki_int/roles/example-dot-com), and common_name must be issuable by that
# role (example.com with subdomains allowed).
module "app" {
  source       = "./app"
  tenant       = "local-demo"
  vip_address  = "10.99.99.10"
  common_name  = "test.example.com"
  pki_name     = "example-dot-com"
  pool_members = ["10.10.0.1", "10.10.0.2"]
}
# Leaf certificate for the VIP, issued by the intermediate CA through the role
# named in var.pki_name. Lifetime comes from the role (ttl="10m" above).
# NOTE(review): the certificate, private_key and ca_chain attributes read in
# the locals block are stored in Terraform state in plaintext -- protect the
# state backend like any other secret store. With a 10 minute TTL the cert
# expires almost immediately; confirm how this resource's renewal settings
# behave before relying on it outside a demo.
resource "vault_pki_secret_backend_cert" "app" {
  backend     = "pki_int"
  name        = var.pki_name
  common_name = var.common_name
}
# Push the rendered AS3 declaration (tenant, VIP, pool and TLS material) to the BIG-IP.
# local.as3_json embeds the VIP's private key; it travels over the management API
# and may also appear in plan/apply output -- verify whether the provider treats
# as3_json as sensitive and wrap the value with sensitive() if it does not.
resource "bigip_as3" "app_services" {
  as3_json = local.as3_json
}
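# Keep a copy of the rendered declaration on disk for inspection.
# The content includes the VIP's private key, so restrict the file mode:
# local_file otherwise creates the file with its default mode of 0777.
# If the local provider version in use offers local_sensitive_file, that
# resource also keeps the content out of plan output.
resource "local_file" "as3" {
  content         = local.as3_json
  filename        = "${path.module}/as3-bigip.json"
  file_permission = "0600"
}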
locals {
  # Render the AS3 declaration from the template. Each value is JSON-encoded so
  # it can be dropped into the template as a literal; CERT, KEY and CA_CHAIN
  # come straight from the Vault-issued certificate.
  as3_json = templatefile("./as3templates/https.tpl", {
    TENANT         = var.tenant
    VIP_ADDRESS    = var.vip_address
    MY_POOLMEMBERS = jsonencode(var.pool_members)
    CERT           = jsonencode(vault_pki_secret_backend_cert.app.certificate)
    # KEY is the unencrypted private key: the rendered JSON must be handled as a secret.
    KEY            = jsonencode(vault_pki_secret_backend_cert.app.private_key)
    # ca_chain is a list on this resource, so this encodes to a JSON array --
    # confirm the template expects an array rather than a single PEM string.
    CA_CHAIN       = jsonencode(vault_pki_secret_backend_cert.app.ca_chain)
  })
}
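# Non-secret connection settings for the lab.
bigipmgmt     = "192.168.86.46"
bigipmgmtuser = "admin"
vaultaddress  = "http://192.168.86.69:8200"

# The BIG-IP password and the Vault token are credentials and do not belong in
# a tfvars file, which tends to end up in version control and in write-ups.
# Supply them from the environment instead:
#   export TF_VAR_bigippass='<bigip password>'     # placeholder
#   export TF_VAR_vault_token='<vault token>'      # placeholder
# or keep them in a separate var-file that is excluded from version control.
# (Values set in terraform.tfvars take precedence over TF_VAR_ variables, so
# these assignments stay commented out.)
# bigippass   = "<bigip password>"
# vault_token = "<vault token>"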

End Results:

--

--
