Terraform BIGIP AS3 with Vault PKI Engine
I have been working with F5 BIGIPs for over 15 years and I’ve built many best practices around deploying secure web application. So it only makes sense that publish my first terraform module that builds a production setup with f5 bigip using AS3 and HashiCorp Vault PKI Engine.
Objective: Automate the deployment of F5 VIPS with the Power of HashiCorp Vault PKI Engine.
The module allows developers or network engineers to deploy a best practice AS3 VIP based on specific input about the application.
Terraform Module
You can download the terraform bigip app module from here https://registry.terraform.io/modules/sebbycorp/app/bigip/latest
I build the following module for customers to consume and deploy f5 vips using AS3 with Vault PKI Engine.
Requirements:
- HashiCorp Vault setup with a PKI Engine.. click on the link to set
- Require information to build your F5 VIP configuration.
F5App Requirements:
For every F5 deployment the networking team always needs provide the following information:
- Name of the VIP/tenant
- AS3 Template (HTTPS, HTTP, TCP..etc)
- HashiCorp PKI backend its going to use (this is where the certs get generated)
- Virtual IP Address (VIP)
- Pool member Port
- Monitor it wants to use
- Load Balancing Method (default is round-robin)
- Pool members
Example Code
Here is an example of my main.tf that uses the terraform module.
terraform {
required_providers {
bigip = {
source = "F5Networks/bigip"
version = "1.15.1"
}
}
}provider "bigip" {
address = "192.168.86.68"
username = "admin"
password = "W3lcome098!"
}provider "vault" {
address = "http://192.168.86.69:8200"
token = "hvs.Wj7FJddddrHGZGkrUB4x"
}module "webfrontapp" {
source = "sebbycorp/app/bigip"
version = "1.0.4"
tenant = "tf-as3-test"
common_name = "tf-as3-test.maniak.academy"
as3tmpl = "shttps"
vault_pki_backend = "pki_int"
vip_address = "10.99.100.3"
pki_name = "example-dot-com"
pool_members_port = "443"
monitor = "https"
load_balancing_mode = "least-connections-member"
pool_members = ["10.11.5.1", "10.11.5.2", "10.11.5.3"]
}
BIGIP F5 deployed with AS3
“Application Services 3 Extension (referred to as AS3 Extension or more often simply AS3) is a flexible, low-overhead mechanism for managing application-specific configurations on a BIG-IP system. AS3 uses a declarative model, meaning you provide a JSON declaration rather than a set of imperative commands. The declaration represents the configuration which AS3 is responsible for creating on a BIG-IP system. AS3 is well-defined according to the rules of JSON Schema, and declarations validate according to JSON Schema. AS3 accepts declaration updates via REST (push), reference (pull), or CLI (flat file editing)” — from here
HashiCorp Vault
“Vault is an identity-based secrets and encryption management system. A secret is anything that you want to tightly control access to, such as API encryption keys, passwords, or certificates. Vault provides encryption services that are gated by authentication and authorization methods. Using Vault’s UI, CLI, or HTTP API, access to secrets and other sensitive data can be securely stored and managed, tightly controlled (restricted), and auditable. “ — from here
Vault PKI Secret Engine
“The PKI secrets engine generates dynamic X.509 certificates. With this secrets engine, services can get certificates without going through the usual manual process of generating a private key and CSR, submitting to a CA, and waiting for a verification and signing process to complete. Vault’s built-in authentication and authorization mechanisms provide the verification functionality.” — from here