F5 blueprint (#1787)

---------

Co-authored-by: Luca Prete <lucaprete@google.com>
Luca Prete 2023-11-22 19:48:13 +01:00 committed by GitHub
parent 2997bdeee5
commit 642f65b841
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 1940 additions and 0 deletions

View File

@ -20,4 +20,10 @@ The blueprints in this folder show how to automate installation of specific thir
<a href="./phpipam/" title="phpIPAM bootstrap example"><img src="./phpipam/images/phpipam.png" align="left" width="320px"></a> <p style="margin-left: 340px">This [example](./phpipam/) shows how to quickly bootstrap a serverless phpIPAM instance on GCP using Cloud Run. This comes with typical enterprise features like Shared VPC, Cloud Armor with IAP and, possibly, private exposure via Internal Application Load Balancer. Indeed, the script supports deploying the application either publicly via Global Application Load Balancer with restricted access based on IPs (Cloud Armor) and identities (Identity Aware Proxy) or privately via Internal Application Load Balancer.</p>
<br clear="left">
### F5 BigIP
<a href="./f5-bigip/" title="F5 BigIP"><img src="./phpipam/diagram.png" align="left" width="320px"></a> <p style="margin-left: 340px">These examples show how to deploy both private and public active/active F5 BigIP-VE load balancers in GCP.</p>
<br clear="left">
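
Review bot: the new F5 BigIP entry reuses `<img src="./phpipam/diagram.png">`, so the index shows the phpIPAM diagram next to the F5 description; point the image at the F5 blueprint's own diagram (the one the `f5-bigip` README added in this commit references as `./f5-bigip-ha-active/diagram.png`).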

View File

@ -0,0 +1,11 @@
# Third Party Solutions
The blueprints in this folder show how to deploy both private and public active/active F5 BigIP-VE load balancers in GCP.
## Blueprints
### F5 BigIP
<a href="./f5-bigip-ha-active/" title="F5 BigIP HA active-active"><img src="./f5-bigip-ha-active/diagram.png" align="left" width="320px"></a> <p style="margin-left: 340px">This example shows how to deploy both private and public active/active F5 BigIP-VE load balancers in GCP. It deploys external and/or internal GCP network passthrough load balancers in front of the F5 VMs in order to load balance the ingress traffic between them and it supports both IPv4 and IPv6.</p>
<br clear="left">
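
Review bot: the top-level heading of this new README is still `# Third Party Solutions`, copied from the parent folder, while the text below it only covers F5 BigIP; rename it (for example to "F5 BigIP") so the two index pages can be told apart.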

View File

@ -0,0 +1,325 @@
# F5 BigIP-VE HA active-active blueprint
This blueprint allows to create external active/active private and/or public F5 BigIP-VE load balancers.
## Design notes
- The blueprint supports by default two VPCs: a `dataplane` network and a `management` network.
- We don't use the `F5 Cloud Failover Extension (CFE)`. This would imply an active/passive architecture, it would limit the number of instances to two, it would use static routes and it would require F5 VMs service accounts to have roles set, so they can configure routes.
- We deploy instead as many active instances users need and we make them reachable through passthrough GCP load balancers.
- The blueprint allows to expose the F5 instances both externally and internally, using internal and external passthrough load balancers. You can also choose to expose the same F5 instances both externally and internally at the same time.
- The blueprint supports dual-stack (IPv4/IPv6).
- We deliberately use the original F5-BigIP `startup-script.tpl` file. We haven't changed it and we pass to it the same variables, so it should be easier to swap it with custom scripts.
## Examples
<!-- BEGIN TOC -->
- [Design notes](#design-notes)
- [Examples](#examples)
- [Single instance](#single-instance)
- [Active/active instances](#activeactive-instances)
- [Change the shared instances configuration](#change-the-shared-instances-configuration)
- [Public load F5 load balancers](#public-load-f5-load-balancers)
- [Multiple forwarding rules and dual-stack (IPv4/IPv6)](#multiple-forwarding-rules-and-dual-stack-ipv4ipv6)
- [Use the GCP secret manager](#use-the-gcp-secret-manager)
- [Variables](#variables)
- [Outputs](#outputs)
<!-- END TOC -->
### Single instance
By default, the blueprint deploys one or more instances in a region. These instances are behind an internal network passthrough (L3_DEFAULT) load balancer.
```hcl
module "f5-lb" {
source = "./fabric/blueprints/third-party-solutions/f5-bigip/f5-bigip-ha-active"
project_id = "my-project"
prefix = "test"
region = "europe-west1"
instance_dedicated_configs = {
a = {
license_key = "AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE"
network_config = {
alias_ip_range_address = "192.168.1.0/24"
alias_ip_range_name = "ip-range-a"
}
}
}
vpc_config = {
dataplane = {
network = "projects/my-project/global/networks/dataplane"
subnetwork = "projects/my-project/regions/europe-west1/subnetworks/dataplane"
}
management = {
network = "projects/my-project/global/networks/management"
subnetwork = "projects/my-project/regions/europe-west1/subnetworks/management"
}
}
}
# tftest modules=6 resources=8 inventory=single-instance.yaml
```
### Active/active instances
To add more than one instance, add items to the `instance_dedicated_configs` variable. Keys specify the the zones where the instances are deployed.
```hcl
module "f5-lb" {
source = "./fabric/blueprints/third-party-solutions/f5-bigip/f5-bigip-ha-active"
project_id = "my-project"
prefix = "test"
region = "europe-west1"
instance_dedicated_configs = {
a = {
license_key = "AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE"
network_config = {
alias_ip_range_address = "192.168.1.0/24"
alias_ip_range_name = "ip-range-a"
}
}
b = {
license_key = "XXXXX-YYYYY-WWWWW-ZZZZZ-PPPPPP"
network_config = {
alias_ip_range_address = "192.168.2.0/24"
alias_ip_range_name = "ip-range-b"
}
}
}
vpc_config = {
dataplane = {
network = "projects/my-project/global/networks/dataplane"
subnetwork = "projects/my-project/regions/europe-west1/subnetworks/dataplane"
}
management = {
network = "projects/my-project/global/networks/management"
subnetwork = "projects/my-project/regions/europe-west1/subnetworks/management"
}
}
}
# tftest modules=7 resources=12 inventory=active-active-instances.yaml
```
### Change the shared instances configuration
You can change one or more properties used by the shared instances, leveraging the `instance_shared_config` variable.
```hcl
module "f5-lb" {
source = "./fabric/blueprints/third-party-solutions/f5-bigip/f5-bigip-ha-active"
project_id = "my-project"
prefix = "test"
region = "europe-west1"
instance_dedicated_configs = {
a = {
license_key = "AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE"
network_config = {
alias_ip_range_address = "192.168.1.0/24"
alias_ip_range_name = "ip-range-a"
}
}
b = {
license_key = "XXXXX-YYYYY-WWWWW-ZZZZZ-PPPPPP"
network_config = {
alias_ip_range_address = "192.168.2.0/24"
alias_ip_range_name = "ip-range-b"
}
}
}
instance_shared_config = {
boot_disk = {
size = 150
}
instance_type = "n2-standard-8"
tags = ["f5-lbs"]
username = "f5admin"
}
vpc_config = {
dataplane = {
network = "projects/my-project/global/networks/dataplane"
subnetwork = "projects/my-project/regions/europe-west1/subnetworks/dataplane"
}
management = {
network = "projects/my-project/global/networks/management"
subnetwork = "projects/my-project/regions/europe-west1/subnetworks/management"
}
}
}
# tftest modules=7 resources=12 inventory=shared-config.yaml
```
### Public load F5 load balancers
You can configure the blueprint so it deploys external network passthrough load balancers, so you can expose on Internet your F5 load balancer(s).
```hcl
module "f5-lb" {
source = "./fabric/blueprints/third-party-solutions/f5-bigip/f5-bigip-ha-active"
project_id = "my-project"
prefix = "test"
region = "europe-west1"
instance_dedicated_configs = {
a = {
license_key = "AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE"
network_config = {
alias_ip_range_address = "192.168.1.0/24"
alias_ip_range_name = "ip-range-a"
}
}
b = {
license_key = "XXXXX-YYYYY-WWWWW-ZZZZZ-PPPPPP"
network_config = {
alias_ip_range_address = "192.168.2.0/24"
alias_ip_range_name = "ip-range-b"
}
}
}
forwarding_rules_config = {
"ext-ipv4" = {
external = true
}
}
vpc_config = {
dataplane = {
network = "projects/my-project/global/networks/dataplane"
subnetwork = "projects/my-project/regions/europe-west1/subnetworks/dataplane"
}
management = {
network = "projects/my-project/global/networks/management"
subnetwork = "projects/my-project/regions/europe-west1/subnetworks/management"
}
}
}
# tftest modules=7 resources=12 inventory=public-load-balancers.yaml
```
### Multiple forwarding rules and dual-stack (IPv4/IPv6)
You can configure the blueprint in order to expose both internal and external load balancers.
Each load balancer can have multiple forwarding rules, eventually both IPv4 and IPv6.
```hcl
module "f5-lb" {
source = "./fabric/blueprints/third-party-solutions/f5-bigip/f5-bigip-ha-active"
project_id = "my-project"
prefix = "test"
region = "europe-west1"
instance_dedicated_configs = {
a = {
license_key = "AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE"
network_config = {
alias_ip_range_address = "192.168.1.0/24"
alias_ip_range_name = "ip-range-a"
}
}
b = {
license_key = "XXXXX-YYYYY-WWWWW-ZZZZZ-PPPPPP"
network_config = {
alias_ip_range_address = "192.168.2.0/24"
alias_ip_range_name = "ip-range-b"
}
}
}
forwarding_rules_config = {
"ext-ipv4" = {
external = true
}
"ext-ipv6" = {
external = true
ip_version = "IPV6"
subnetwork = "projects/my-project/regions/europe-west1/subnetworks/ipv6_external"
}
"int-ipv4" = {}
"int-ipv6" = {
ip_version = "IPV6"
}
}
vpc_config = {
dataplane = {
network = "projects/my-project/global/networks/dataplane"
subnetwork = "projects/my-project/regions/europe-west1/subnetworks/dataplane"
}
management = {
network = "projects/my-project/global/networks/management"
subnetwork = "projects/my-project/regions/europe-west1/subnetworks/management"
}
}
}
# tftest modules=8 resources=20 inventory=multiple-fw-rules.yaml
```
### Use the GCP secret manager
By default, this blueprint (and the `startup-script.tpl`) stores the F5 admin password in plain-text as a metadata of the F5 VMs. Most of administrators change this password in F5 soon after the boot.
The example shows how to leverage instead the GCP secret manager.
```hcl
module "f5-lb" {
source = "./fabric/blueprints/third-party-solutions/f5-bigip/f5-bigip-ha-active"
project_id = "my-project"
prefix = "test"
region = "europe-west1"
instance_shared_config = {
secret = {
is_gcp = true
value = "f5_secret_name" # needs to be defined in the same project
}
}
instance_dedicated_configs = {
a = {
license_key = "AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE"
network_config = {
alias_ip_range_address = "192.168.1.0/24"
alias_ip_range_name = "ip-range-a"
}
}
}
vpc_config = {
dataplane = {
network = "projects/my-project/global/networks/dataplane"
subnetwork = "projects/my-project/regions/europe-west1/subnetworks/dataplane"
}
management = {
network = "projects/my-project/global/networks/management"
subnetwork = "projects/my-project/regions/europe-west1/subnetworks/management"
}
}
}
# tftest modules=6 resources=8 inventory=secret-manager.yaml
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [instance_dedicated_configs](variables.tf#L43) | The F5 VMs configuration. The map keys are the zones where the VMs are deployed. | <code title="map&#40;object&#40;&#123;&#10; network_config &#61; object&#40;&#123;&#10; alias_ip_range_address &#61; string&#10; alias_ip_range_name &#61; string&#10; dataplane_address &#61; optional&#40;string&#41;&#10; management_address &#61; optional&#40;string&#41;&#10; &#125;&#41;&#10; license_key &#61; optional&#40;string, &#34;AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE&#34;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | ✓ | |
| [prefix](variables.tf#L78) | The name prefix used for resources. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L83) | The project id where we deploy the resources. | <code>string</code> | ✓ | |
| [region](variables.tf#L88) | The region where we deploy the F5 IPs. | <code>string</code> | ✓ | |
| [vpc_config](variables.tf#L93) | The dataplane and mgmt network and subnetwork self links. | <code title="object&#40;&#123;&#10; dataplane &#61; object&#40;&#123;&#10; network &#61; string&#10; subnetwork &#61; string&#10; &#125;&#41;&#10; management &#61; object&#40;&#123;&#10; network &#61; string&#10; subnetwork &#61; string&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [forwarding_rules_config](variables.tf#L17) | The optional configurations of the GCP load balancers forwarding rules. | <code title="map&#40;object&#40;&#123;&#10; address &#61; optional&#40;string&#41;&#10; external &#61; optional&#40;bool, false&#41;&#10; global_access &#61; optional&#40;bool, true&#41;&#10; ip_version &#61; optional&#40;string, &#34;IPV4&#34;&#41;&#10; protocol &#61; optional&#40;string, &#34;L3_DEFAULT&#34;&#41;&#10; subnetwork &#61; optional&#40;string&#41; &#35; used for IPv6 NLBs&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; l4 &#61; &#123;&#125;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [health_check_config](variables.tf#L32) | The optional health check configuration. The variable types are enforced by the underlying module. | <code>map&#40;any&#41;</code> | | <code title="&#123;&#10; tcp &#61; &#123;&#10; port &#61; 65535&#10; port_specification &#61; &#34;USE_FIXED_PORT&#34;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [instance_shared_config](variables.tf#L56) | The F5 VMs shared configurations. | <code title="object&#40;&#123;&#10; boot_disk &#61; optional&#40;object&#40;&#123;&#10; image &#61; optional&#40;string, &#34;projects&#47;f5-7626-networks-public&#47;global&#47;images&#47;f5-bigip-15-1-2-1-0-0-10-byol-ltm-2boot-loc-210115160742&#34;&#41;&#10; size &#61; optional&#40;number, 100&#41;&#10; type &#61; optional&#40;string, &#34;pd-ssd&#34;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; enable_ipv6 &#61; optional&#40;bool, false&#41; &#35; needs to be true to receive traffic from IPv6 forwarding rules&#10; instance_type &#61; optional&#40;string, &#34;n2-standard-4&#34;&#41;&#10; secret &#61; optional&#40;object&#40;&#123;&#10; is_gcp &#61; optional&#40;bool, false&#41;&#10; value &#61; optional&#40;string, &#34;mysecret&#34;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; service_account &#61; optional&#40;string&#41;&#10; ssh_public_key &#61; optional&#40;string, &#34;my_key.pub&#34;&#41;&#10; tags &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; username &#61; optional&#40;string, &#34;admin&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| [f5_management_ips](outputs.tf#L17) | The F5 management interfaces IP addresses. | |
| [forwarding_rules_configs](outputs.tf#L25) | The GCP forwarding rules configurations. | |
<!-- END TFDOC -->
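
Review bot: the "Use the GCP secret manager" example sets `secret = { is_gcp = true, value = "f5_secret_name" }` but leaves `service_account` unset and never states what the VM identity needs in order to read that secret; add the required permission on the secret (Secret Manager Secret Accessor for the instances' service account) to the text and show `service_account` in the example. In the same README, the dual-stack example declares `ip_version = "IPV6"` forwarding rules without `enable_ipv6 = true` in `instance_shared_config`, although the Variables table says that flag "needs to be true to receive traffic from IPv6 forwarding rules".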

Binary file not shown.

File diff suppressed because one or more lines are too long

View File

@ -0,0 +1,104 @@
/**
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
ilb_forwarding_rules_config = {
for k, v in var.forwarding_rules_config
: k => {
address = try(module.lb-addresses.internal_addresses["${var.prefix}-ilb-${k}"].address)
global_access = v.global_access
ip_version = v.ip_version
protocol = v.protocol
} if v.external == false
}
nlb_forwarding_rules_config = {
for k, v in var.forwarding_rules_config
: k => {
address = try(module.lb-addresses.external_addresses["${var.prefix}-nlb-${k}"].address)
ip_version = v.ip_version
protocol = v.protocol
subnetwork = v.subnetwork
} if v.external == true
}
}
module "lb-addresses" {
source = "../../../../modules/net-address"
project_id = var.project_id
external_addresses = {
for k, v in var.forwarding_rules_config
: k => {
address = v.address
ipv6 = v.ip_version == "IPV6" ? { endpoint_type = "NETLB" } : null
name = "${var.prefix}-nlb-${k}"
region = var.region
subnetwork = var.vpc_config["dataplane"]["subnetwork"]
} if v.external == true
}
internal_addresses = {
for k, v in var.forwarding_rules_config
: k => {
address = v.address
ipv6 = v.ip_version == "IPV6" ? {} : null
name = "${var.prefix}-ilb-${k}"
region = var.region
subnetwork = var.vpc_config["dataplane"]["subnetwork"]
} if v.external == false
}
}
module "passthrough-ilb" {
count = (
length(local.ilb_forwarding_rules_config) > 0
? 1
: 0
)
source = "../../../../modules/net-lb-int"
project_id = var.project_id
region = var.region
name = "${var.prefix}-ilb"
forwarding_rules_config = local.ilb_forwarding_rules_config
health_check_config = var.health_check_config
backends = [
for k, _ in var.instance_dedicated_configs
: { group = module.bigip-vms[k].group.self_link }
]
vpc_config = {
network = var.vpc_config["dataplane"]["network"]
subnetwork = var.vpc_config["dataplane"]["subnetwork"]
}
}
module "passthrough-nlb" {
count = (
length(local.nlb_forwarding_rules_config) > 0
? 1
: 0
)
source = "../../../../modules/net-lb-ext"
project_id = var.project_id
region = var.region
name = "${var.prefix}-nlb"
forwarding_rules_config = local.nlb_forwarding_rules_config
health_check_config = var.health_check_config
backends = [
for k, _ in var.instance_dedicated_configs
: { group = module.bigip-vms[k].group.self_link }
]
}
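
Review bot: in both `ilb_forwarding_rules_config` and `nlb_forwarding_rules_config` the `address = try(module.lb-addresses...address)` call passes a single expression, so `try` has no fallback and a failed lookup still aborts the plan; either give it a fallback such as `null` or drop the wrapper so the intent is clear. Also worth checking: `external_addresses` always reserves from `var.vpc_config["dataplane"]["subnetwork"]`, while the matching NLB forwarding rule receives `v.subnetwork`; if the IPv6 address is meant to come from the rule's own subnetwork, the reservation should use `v.subnetwork` when it is set.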

View File

@ -0,0 +1,139 @@
/**
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
_f5_urls = {
as3 = "https://github.com/F5Networks/f5-appsvcs-extension/releases/download/v3.46.0/f5-appsvcs-3.46.0-5.noarch.rpm"
cfe = "https://github.com/F5Networks/f5-cloud-failover-extension/releases/download/v1.15.0/f5-cloud-failover-1.15.0-0.noarch.rpm"
do = "https://github.com/F5Networks/f5-declarative-onboarding/releases/download/v1.39.0/f5-declarative-onboarding-1.39.0-4.noarch.rpm"
fast = "https://github.com/F5Networks/f5-appsvcs-templates/releases/download/v1.25.0/f5-appsvcs-templates-1.25.0-1.noarch.rpm"
init = "https://cdn.f5.com/product/cloudsolutions/f5-bigip-runtime-init/v1.6.2/dist/f5-bigip-runtime-init-1.6.2-1.gz.run"
ts = "https://github.com/F5Networks/f5-telemetry-streaming/releases/download/v1.33.0/f5-telemetry-1.33.0-1.noarch.rpm"
}
_f5_urls_split = {
for k, v in local._f5_urls
: k => split("/", v)
}
_f5_vers = {
as3 = split("-", local._f5_urls_split.as3[length(local._f5_urls_split.as3) - 1])[2]
cfe = split("-", local._f5_urls_split.cfe[length(local._f5_urls_split.cfe) - 1])[3]
do = split("-", local._f5_urls_split.do[length(local._f5_urls_split.do) - 1])[3]
fast = format("v%s", split("-", local._f5_urls_split.fast[length(local._f5_urls_split.fast) - 1])[3])
ts = format("v%s", split("-", local._f5_urls_split.ts[length(local._f5_urls_split.ts) - 1])[2])
}
f5_config = merge(
{ NIC_COUNT = true },
{ for k, v in local._f5_urls : upper("${k}_url") => v },
{ for k, v in local._f5_vers : upper("${k}_ver") => v },
)
}
module "vm-addresses-dp" {
source = "../../../../modules/net-address"
project_id = var.project_id
internal_addresses = {
for k, v in var.instance_dedicated_configs : k => {
address = try(v.network_config.dataplane_address, null)
name = "${var.prefix}-${k}-dp"
region = var.region
subnetwork = var.vpc_config.dataplane.subnetwork
}
}
}
module "vm-addresses-mgmt" {
source = "../../../../modules/net-address"
project_id = var.project_id
internal_addresses = {
for k, v in var.instance_dedicated_configs
: k => {
address = try(v.network_config.management_address, null)
name = "${var.prefix}-${k}-mgmt"
region = var.region
subnetwork = var.vpc_config.management.subnetwork
}
}
}
module "bigip-vms" {
for_each = var.instance_dedicated_configs
source = "../../../../modules/compute-vm"
project_id = var.project_id
zone = "${var.region}-${each.key}"
name = "${var.prefix}-lb-${each.key}"
instance_type = var.instance_shared_config.instance_type
can_ip_forward = true
tags = var.instance_shared_config.tags
boot_disk = {
initialize_params = var.instance_shared_config.boot_disk
}
group = {
named_ports = {}
}
metadata = {
startup-script = replace(templatefile("${path.module}/startup-script.tpl",
merge(local.f5_config, {
onboard_log = "/var/log/startup-script.log",
libs_dir = "/config/cloud/gcp/node_modules",
bigip_username = var.instance_shared_config.username,
gcp_secret_manager_authentication = var.instance_shared_config.secret.is_gcp,
bigip_password = var.instance_shared_config.secret.value,
license_key = each.value.license_key,
ssh_keypair = try(file(var.instance_shared_config.ssh_public_key), ""),
})), "/\r/", "")
}
network_interfaces = [
{
network = var.vpc_config.dataplane.network
subnetwork = var.vpc_config.dataplane.subnetwork
stack_type = (
var.instance_shared_config.enable_ipv6
? "IPV4_IPV6"
: "IPV4_ONLY"
)
addresses = {
internal = module.vm-addresses-dp.internal_addresses["${var.prefix}-${each.key}-dp"].address
}
alias_ips = {
"${each.value.network_config.alias_ip_range_name}" = each.value.network_config.alias_ip_range_address
}
},
{
network = var.vpc_config.management.network
subnetwork = var.vpc_config.management.subnetwork
stack_type = (
var.instance_shared_config.enable_ipv6
? "IPV4_IPV6"
: "IPV4_ONLY"
)
addresses = {
internal = module.vm-addresses-mgmt.internal_addresses["${var.prefix}-${each.key}-mgmt"].address
}
}
]
service_account = {
email = var.instance_shared_config.service_account
scopes = [
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/userinfo.email"
]
}
}
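
Review bot: the `service_account` block at the end of `bigip-vms` grants the `cloud-platform` scope while `email` comes from the optional `instance_shared_config.service_account`, so the F5 VMs can call any API that identity's IAM roles allow; document that a dedicated account limited to reading the admin secret is expected, and state which identity the VMs run as when the setting is left unset. Separately, `ssh_keypair = try(file(var.instance_shared_config.ssh_public_key), "")` silently turns a missing key file into an empty key that is then templated into the admin user's `keys` list; fail the plan on a missing file or make the key explicitly optional.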

View File

@ -0,0 +1,46 @@
/**
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "f5_management_ips" {
description = "The F5 management interfaces IP addresses."
value = {
for k, v in module.bigip-vms
: v.id => v.internal_ips[1]
}
}
output "forwarding_rules_configs" {
description = "The GCP forwarding rules configurations."
value = {
external = {
for _, v in try(module.passthrough-nlb[0].forwarding_rules, {})
: v.name => {
address = v.ip_address
ip_version = v.ip_version
protocol = v.ip_protocol
}
},
internal = {
for _, v in try(module.passthrough-ilb[0].forwarding_rules, {})
: v.name => {
address = v.ip_address
global_access = v.allow_global_access
ip_version = v.ip_version
protocol = v.ip_protocol
}
}
}
}
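
Review bot: `f5_management_ips` picks the management address by position with `v.internal_ips[1]`, which silently depends on the management NIC staying second in the `network_interfaces` list of `bigip-vms`; read the address from `module.vm-addresses-mgmt.internal_addresses` instead, or add a comment tying the index to the NIC order.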

View File

@ -0,0 +1,276 @@
# Copyright 2014-2019 F5 Networks Inc.
#
# This file usees code from the following third-party project:
# * [terraform-gcp-bigip-module] - [https://github.com/F5Networks/terraform-gcp-bigip-module]
#
# The code from this project is licensed under the Apache 2.0 license.
#!/bin/bash
# Setup console and startup-script logging
LOG_FILE=/var/log/cloud/startup-script.log
mkdir -p /var/log/cloud
[[ -f $LOG_FILE ]] || /usr/bin/touch $LOG_FILE
npipe=/tmp/$$.tmp
trap "rm -f $npipe" EXIT
mknod $npipe p
tee <$npipe -a $LOG_FILE /dev/ttyS0 &
exec 1>&-
exec 1>$npipe
exec 2>&1
# Run Immediately Before MCPD starts
/usr/bin/setdb provision.extramb 1024
/usr/bin/setdb restjavad.useextramb true
# skip startup script if already complete
if [[ -f /config/startup_finished ]]; then
echo "Onboarding complete, skip startup script"
exit
fi
mkdir -p /config/cloud /var/config/rest/downloads /var/lib/cloud/icontrollx_installs
# Create runtime configuration on first boot
if [[ ! -f /config/nicswap_finished ]]; then
cat << 'EOF' > /config/cloud/runtime-init-conf.yaml
---
controls:
extensionInstallDelayInMs: 60000
runtime_parameters:
- name: USER_NAME
type: static
value: ${bigip_username}
- name: SSH_KEYS
type: static
value: "${ssh_keypair}"
- name: HOST_NAME
type: metadata
metadataProvider:
environment: gcp
type: compute
field: name
EOF
if ${gcp_secret_manager_authentication}; then
cat << 'EOF' >> /config/cloud/runtime-init-conf.yaml
- name: ADMIN_PASS
type: secret
secretProvider:
environment: gcp
type: SecretsManager
version: latest
secretId: ${bigip_password}
pre_onboard_enabled: []
EOF
else
cat << 'EOF' >> /config/cloud/runtime-init-conf.yaml
- name: ADMIN_PASS
type: static
value: ${bigip_password}
pre_onboard_enabled: []
EOF
fi
cat /config/cloud/runtime-init-conf.yaml > /config/cloud/runtime-init-conf-backup.yaml
cat << 'EOF' >> /config/cloud/runtime-init-conf.yaml
extension_packages:
install_operations:
- extensionType: do
extensionVersion: ${DO_VER}
extensionUrl: ${DO_URL}
- extensionType: as3
extensionVersion: ${AS3_VER}
extensionUrl: ${AS3_URL}
- extensionType: ts
extensionVersion: ${TS_VER}
extensionUrl: ${TS_URL}
- extensionType: cf
extensionVersion: ${CFE_VER}
extensionUrl: ${CFE_URL}
- extensionType: fast
extensionVersion: ${FAST_VER}
extensionUrl: ${FAST_URL}
extension_services:
service_operations:
- extensionType: do
type: inline
value:
schemaVersion: 1.0.0
class: Device
async: true
Common:
class: Tenant
hostname: '{{{HOST_NAME}}}.com'
My_License:
class: License
licenseType: regKey
regKey: ${license_key}
myNtp:
class: NTP
servers:
- 169.254.169.254
timezone: UTC
myDns:
class: DNS
nameServers:
- 169.254.169.254
myProvisioning:
class: Provision
ltm: nominal
admin:
class: User
partitionAccess:
all-partitions:
role: admin
password: '{{{ADMIN_PASS}}}'
shell: bash
keys:
- '{{{SSH_KEYS}}}'
userType: regular
'{{{USER_NAME}}}':
class: User
partitionAccess:
all-partitions:
role: admin
password: '{{{ADMIN_PASS}}}'
shell: bash
keys:
- '{{{SSH_KEYS}}}'
userType: regular
post_onboard_enabled: []
EOF
cat << 'EOF' >> /config/cloud/runtime-init-conf-backup.yaml
extension_services:
service_operations:
- extensionType: do
type: inline
value:
schemaVersion: 1.0.0
class: Device
async: true
Common:
class: Tenant
hostname: '{{{HOST_NAME}}}.com'
myNtp:
class: NTP
servers:
- 169.254.169.254
timezone: UTC
myDns:
class: DNS
nameServers:
- 169.254.169.254
myProvisioning:
class: Provision
ltm: nominal
admin:
class: User
partitionAccess:
all-partitions:
role: admin
password: '{{{ADMIN_PASS}}}'
shell: bash
keys:
- '{{{SSH_KEYS}}}'
userType: regular
'{{{USER_NAME}}}':
class: User
partitionAccess:
all-partitions:
role: admin
password: '{{{ADMIN_PASS}}}'
shell: bash
keys:
- '{{{SSH_KEYS}}}'
userType: regular
post_onboard_enabled: []
EOF
fi
# Create nic_swap script when multi nic on first boot
COMPUTE_BASE_URL="http://metadata.google.internal/computeMetadata/v1"
if [[ ${NIC_COUNT} && ! -f /config/nicswap_finished ]]; then
cat << 'EOF' >> /config/cloud/nic_swap.sh
#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready
echo "before nic swapping"
tmsh list sys db provision.1nicautoconfig
tmsh list sys db provision.managementeth
echo "after nic swapping"
bigstart stop tmm
tmsh modify sys db provision.managementeth value eth1
tmsh modify sys db provision.1nicautoconfig value disable
bigstart start tmm
wait_bigip_ready
echo "---Mgmt interface setting---"
tmsh list sys db provision.managementeth
tmsh list sys db provision.1nicautoconfig
sed -i "s/iface0=eth0/iface0=eth1/g" /etc/ts/common/image.cfg
echo "Done changing interface"
echo "Set TMM networks"
MGMTADDRESS=$(curl -s -f --retry 10 -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/ip)
MGMTMASK=$(curl -s -f --retry 10 -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/subnetmask)
MGMTGATEWAY=$(curl -s -f --retry 10 -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway)
MGMTMTU=$(curl -s -f --retry 10 -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/mtu)
MGMTNETWORK=$(/bin/ipcalc -n $MGMTADDRESS $MGMTMASK | cut -d= -f2)
echo $MGMTADDRESS
echo $MGMTMASK
echo $MGMTGATEWAY
echo $MGMTMTU
echo $MGMTNETWORK
tmsh modify sys global-settings gui-setup disabled
tmsh modify sys global-settings mgmt-dhcp disabled
tmsh delete sys management-route all
tmsh delete sys management-ip all
tmsh create sys management-ip $${MGMTADDRESS}/32
tmsh create sys management-route mgmt_gw network $${MGMTGATEWAY}/32 type interface mtu $${MGMTMTU}
tmsh create sys management-route mgmt_net network $${MGMTNETWORK}/$${MGMTMASK} gateway $${MGMTGATEWAY} mtu $${MGMTMTU}
tmsh create sys management-route default gateway $${MGMTGATEWAY} mtu $${MGMTMTU}
tmsh modify sys global-settings remote-host add { metadata.google.internal { hostname metadata.google.internal addr 169.254.169.254 } }
tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options delete { ntp-servers }
echo "Setting DNS resolver to Cloud DNS"
tmsh modify sys dns name-servers add { 169.254.169.254 }
tmsh save /sys config
/usr/bin/touch /config/nicswap_finished
reboot
EOF
fi
# Create run_runtime_init.sh script on first boot
if [[ ! -f /config/nicswap_finished ]]; then
cat << 'EOF' >> /config/cloud/run_runtime_init.sh
#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready
for i in {1..30}; do
curl -fv --retry 1 --connect-timeout 5 -L ${INIT_URL} -o "/var/config/rest/downloads/f5-bigip-runtime-init.gz.run" && break || sleep 10
done
bash /var/config/rest/downloads/f5-bigip-runtime-init.gz.run -- '--cloud gcp' 2>&1
/usr/local/bin/f5-bigip-runtime-init --config-file /config/cloud/runtime-init-conf.yaml 2>&1
sleep 5
/usr/local/bin/f5-bigip-runtime-init --config-file /config/cloud/runtime-init-conf-backup.yaml 2>&1
sleep 5
/usr/local/bin/f5-bigip-runtime-init --config-file /config/cloud/runtime-init-conf-backup.yaml 2>&1
/usr/bin/touch /config/startup_finished
EOF
fi
# Run scripts based on number of nics
if ${NIC_COUNT}; then
if [[ -f /config/nicswap_finished ]]; then
echo "Running run_runtime_init.sh"
chmod +x /config/cloud/run_runtime_init.sh
nohup /config/cloud/run_runtime_init.sh &
else
chmod +x /config/cloud/nic_swap.sh
nohup /config/cloud/nic_swap.sh &
fi
else
echo "Running run_runtime_init.sh"
chmod +x /config/cloud/run_runtime_init.sh
nohup /config/cloud/run_runtime_init.sh &
fi
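
Review bot: `run_runtime_init.sh` fetches `${INIT_URL}` with curl and hands the file straight to `bash` with no checksum or signature check, and the `for i in {1..30}` loop falls through to that `bash` call even when every attempt failed; carry a pinned SHA-256 next to the URL, verify it before executing, and exit if the download did not succeed. The extension RPMs under `install_operations` likewise carry only a version and a URL. In the runtime parameters, `value: ${bigip_username}` and the static `value: ${bigip_password}` are written unquoted into YAML, so a password containing `: ` or ` #` is misparsed; quote them the way `SSH_KEYS` already is.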

View File

@ -0,0 +1,105 @@
/**
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "forwarding_rules_config" {
type = map(object({
address = optional(string)
external = optional(bool, false)
global_access = optional(bool, true)
ip_version = optional(string, "IPV4")
protocol = optional(string, "L3_DEFAULT")
subnetwork = optional(string) # used for IPv6 NLBs
}))
description = "The optional configurations of the GCP load balancers forwarding rules."
default = {
l4 = {}
}
}
variable "health_check_config" {
description = "The optional health check configuration. The variable types are enforced by the underlying module."
type = map(any)
default = {
tcp = {
port = 65535
port_specification = "USE_FIXED_PORT"
}
}
}
variable "instance_dedicated_configs" {
description = "The F5 VMs configuration. The map keys are the zones where the VMs are deployed."
type = map(object({
network_config = object({
alias_ip_range_address = string
alias_ip_range_name = string
dataplane_address = optional(string)
management_address = optional(string)
})
license_key = optional(string, "AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE")
}))
}
variable "instance_shared_config" {
description = "The F5 VMs shared configurations."
type = object({
boot_disk = optional(object({
image = optional(string, "projects/f5-7626-networks-public/global/images/f5-bigip-15-1-2-1-0-0-10-byol-ltm-2boot-loc-210115160742")
size = optional(number, 100)
type = optional(string, "pd-ssd")
}), {})
enable_ipv6 = optional(bool, false) # needs to be true to receive traffic from IPv6 forwarding rules
instance_type = optional(string, "n2-standard-4")
secret = optional(object({
is_gcp = optional(bool, false)
value = optional(string, "mysecret")
}), {})
service_account = optional(string)
ssh_public_key = optional(string, "my_key.pub")
tags = optional(list(string), [])
username = optional(string, "admin")
})
default = {}
}
variable "prefix" {
type = string
description = "The name prefix used for resources."
}
variable "project_id" {
type = string
description = "The project id where we deploy the resources."
}
variable "region" {
type = string
description = "The region where we deploy the F5 IPs."
}
variable "vpc_config" {
description = "The dataplane and mgmt network and subnetwork self links."
type = object({
dataplane = object({
network = string
subnetwork = string
})
management = object({
network = string
subnetwork = string
})
})
}
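Review bot: `instance_shared_config.secret.value` defaults to "mysecret" (next to `username` defaulting to "admin"), so a caller who omits `secret` deploys with a value that is published in the repository. Drop the default on `value` so the plan fails when it is missing, and mark the variable as sensitive. The same applies to the placeholder defaults for `license_key` ("AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE") and `ssh_public_key` ("my_key.pub"): a missing input is hidden until the instance boots, so make them required or add a `validation` block that rejects the placeholder.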

View File

@ -0,0 +1,154 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.f5-lb.module.bigip-vms["a"].google_compute_instance.default[0]:
boot_disk:
- initialize_params:
- image: projects/f5-7626-networks-public/global/images/f5-bigip-15-1-2-1-0-0-10-byol-ltm-2boot-loc-210115160742
size: 100
type: pd-ssd
can_ip_forward: true
description: Managed by the compute-vm Terraform module.
machine_type: n2-standard-4
name: test-lb-a
network_interface:
- access_config: []
alias_ip_range:
- ip_cidr_range: 192.168.1.0/24
subnetwork_range_name: ip-range-a
ipv6_access_config: []
network: projects/my-project/global/networks/dataplane
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network: projects/my-project/global/networks/management
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management
project: my-project
tags: null
zone: europe-west1-a
module.f5-lb.module.bigip-vms["a"].google_compute_instance_group.unmanaged[0]:
description: Managed by the compute-vm Terraform module.
name: test-lb-a
network: projects/my-project/global/networks/dataplane
project: my-project
zone: europe-west1-a
module.f5-lb.module.lb-addresses.google_compute_address.internal["l4"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-ilb-l4
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.bigip-vms["b"].google_compute_instance.default[0]:
advanced_machine_features: []
allow_stopping_for_update: true
attached_disk: []
boot_disk:
- initialize_params:
- image: projects/f5-7626-networks-public/global/images/f5-bigip-15-1-2-1-0-0-10-byol-ltm-2boot-loc-210115160742
size: 100
type: pd-ssd
can_ip_forward: true
description: Managed by the compute-vm Terraform module.
machine_type: n2-standard-4
name: test-lb-b
network_interface:
- access_config: []
alias_ip_range:
- ip_cidr_range: 192.168.2.0/24
subnetwork_range_name: ip-range-b
ipv6_access_config: []
network: projects/my-project/global/networks/dataplane
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network: projects/my-project/global/networks/management
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management
project: my-project
service_account:
- scopes:
- https://www.googleapis.com/auth/cloud-platform
- https://www.googleapis.com/auth/userinfo.email
tags: null
zone: europe-west1-b
module.f5-lb.module.bigip-vms["b"].google_compute_instance_group.unmanaged[0]:
description: Managed by the compute-vm Terraform module.
name: test-lb-b
named_port: []
network: projects/my-project/global/networks/dataplane
project: my-project
zone: europe-west1-b
module.f5-lb.module.passthrough-ilb[0].google_compute_forwarding_rule.forwarding_rules["l4"]:
all_ports: true
allow_global_access: true
allow_psc_global_access: null
ip_protocol: L3_DEFAULT
ip_version: IPV4
load_balancing_scheme: INTERNAL
name: test-ilb-l4
network: projects/my-project/global/networks/dataplane
ports: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.passthrough-ilb[0].google_compute_health_check.default[0]:
check_interval_sec: 5
description: Terraform managed.
healthy_threshold: 2
name: test-ilb
project: my-project
tcp_health_check:
- port: 65535
port_name: null
port_specification: USE_FIXED_PORT
proxy_header: NONE
timeout_sec: 5
unhealthy_threshold: 2
module.f5-lb.module.passthrough-ilb[0].google_compute_region_backend_service.default:
description: Terraform managed.
load_balancing_scheme: INTERNAL
name: test-ilb
network: projects/my-project/global/networks/dataplane
project: my-project
protocol: UNSPECIFIED
region: europe-west1
module.f5-lb.module.vm-addresses-dp.google_compute_address.internal["a"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-a-dp
network: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.vm-addresses-mgmt.google_compute_address.internal["a"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-a-mgmt
network: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management
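Review bot: the assertions for `bigip-vms["a"]` and `bigip-vms["b"]` are not symmetric: only "b" pins `service_account.scopes`, `allow_stopping_for_update` and `attached_disk`, and `vm-addresses-dp` and `vm-addresses-mgmt` are checked for key "a" only, so a regression that affects a single instance could pass. Assert the same attributes for both keys. The pinned scope is `https://www.googleapis.com/auth/cloud-platform`, which leaves IAM on the instance service account as the only limit on what the VM can call; the description of `service_account` in the variables file should say that a dedicated, minimally privileged account is expected.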

View File

@ -0,0 +1,241 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.f5-lb.module.bigip-vms["a"].google_compute_instance.default[0]:
boot_disk:
- initialize_params:
- image: projects/f5-7626-networks-public/global/images/f5-bigip-15-1-2-1-0-0-10-byol-ltm-2boot-loc-210115160742
size: 100
type: pd-ssd
can_ip_forward: true
description: Managed by the compute-vm Terraform module.
machine_type: n2-standard-4
name: test-lb-a
network_interface:
- access_config: []
alias_ip_range:
- ip_cidr_range: 192.168.1.0/24
subnetwork_range_name: ip-range-a
ipv6_access_config: []
network: projects/my-project/global/networks/dataplane
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network: projects/my-project/global/networks/management
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management
project: my-project
tags: null
zone: europe-west1-a
module.f5-lb.module.bigip-vms["a"].google_compute_instance_group.unmanaged[0]:
description: Managed by the compute-vm Terraform module.
name: test-lb-a
network: projects/my-project/global/networks/dataplane
project: my-project
zone: europe-west1-a
module.f5-lb.module.bigip-vms["b"].google_compute_instance.default[0]:
advanced_machine_features: []
allow_stopping_for_update: true
attached_disk: []
boot_disk:
- initialize_params:
- image: projects/f5-7626-networks-public/global/images/f5-bigip-15-1-2-1-0-0-10-byol-ltm-2boot-loc-210115160742
size: 100
type: pd-ssd
can_ip_forward: true
description: Managed by the compute-vm Terraform module.
machine_type: n2-standard-4
name: test-lb-b
network_interface:
- access_config: []
alias_ip_range:
- ip_cidr_range: 192.168.2.0/24
subnetwork_range_name: ip-range-b
ipv6_access_config: []
network: projects/my-project/global/networks/dataplane
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network: projects/my-project/global/networks/management
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management
project: my-project
service_account:
- scopes:
- https://www.googleapis.com/auth/cloud-platform
- https://www.googleapis.com/auth/userinfo.email
tags: null
zone: europe-west1-b
module.f5-lb.module.bigip-vms["b"].google_compute_instance_group.unmanaged[0]:
description: Managed by the compute-vm Terraform module.
name: test-lb-b
named_port: []
network: projects/my-project/global/networks/dataplane
project: my-project
zone: europe-west1-b
module.f5-lb.module.lb-addresses.google_compute_address.external["ext-ipv4"]:
address_type: EXTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-nlb-ext-ipv4
project: my-project
region: europe-west1
module.f5-lb.module.lb-addresses.google_compute_address.external["ext-ipv6"]:
address_type: EXTERNAL
description: Terraform managed.
ip_version: IPV6
ipv6_endpoint_type: NETLB
name: test-nlb-ext-ipv6
project: my-project
region: europe-west1
module.f5-lb.module.lb-addresses.google_compute_address.internal["int-ipv4"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-ilb-int-ipv4
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.lb-addresses.google_compute_address.internal["int-ipv6"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: IPV6
ipv6_endpoint_type: null
name: test-ilb-int-ipv6
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.passthrough-ilb[0].google_compute_forwarding_rule.forwarding_rules["int-ipv4"]:
all_ports: true
allow_global_access: true
ip_protocol: L3_DEFAULT
ip_version: IPV4
load_balancing_scheme: INTERNAL
name: test-ilb-int-ipv4
network: projects/my-project/global/networks/dataplane
ports: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.passthrough-ilb[0].google_compute_forwarding_rule.forwarding_rules["int-ipv6"]:
all_ports: true
allow_global_access: true
ip_protocol: L3_DEFAULT
ip_version: IPV6
load_balancing_scheme: INTERNAL
name: test-ilb-int-ipv6
network: projects/my-project/global/networks/dataplane
ports: null
project: my-project
region: europe-west1
source_ip_ranges: null
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.passthrough-ilb[0].google_compute_health_check.default[0]:
check_interval_sec: 5
description: Terraform managed.
healthy_threshold: 2
name: test-ilb
project: my-project
tcp_health_check:
- port: 65535
port_name: null
port_specification: USE_FIXED_PORT
proxy_header: NONE
timeout_sec: 5
unhealthy_threshold: 2
module.f5-lb.module.passthrough-ilb[0].google_compute_region_backend_service.default:
connection_draining_timeout_sec: 0
description: Terraform managed.
load_balancing_scheme: INTERNAL
name: test-ilb
network: projects/my-project/global/networks/dataplane
outlier_detection: []
project: my-project
protocol: UNSPECIFIED
region: europe-west1
module.f5-lb.module.passthrough-nlb[0].google_compute_forwarding_rule.forwarding_rules["ext-ipv4"]:
all_ports: true
allow_global_access: null
ip_protocol: L3_DEFAULT
ip_version: IPV4
load_balancing_scheme: EXTERNAL
name: test-nlb-ext-ipv4
project: my-project
region: europe-west1
module.f5-lb.module.passthrough-nlb[0].google_compute_forwarding_rule.forwarding_rules["ext-ipv6"]:
all_ports: true
allow_global_access: null
ip_protocol: L3_DEFAULT
ip_version: IPV6
load_balancing_scheme: EXTERNAL
name: test-nlb-ext-ipv6
ports: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/ipv6_external
module.f5-lb.module.passthrough-nlb[0].google_compute_region_backend_service.default:
connection_draining_timeout_sec: 0
description: Terraform managed.
load_balancing_scheme: EXTERNAL
locality_lb_policy: null
name: test-nlb
project: my-project
protocol: UNSPECIFIED
region: europe-west1
module.f5-lb.module.passthrough-nlb[0].google_compute_region_health_check.default[0]:
check_interval_sec: 5
description: Terraform managed.
grpc_health_check: []
healthy_threshold: 2
http2_health_check: []
http_health_check: []
https_health_check: []
name: test-nlb
project: my-project
region: europe-west1
ssl_health_check: []
tcp_health_check:
- port: 65535
port_name: null
port_specification: USE_FIXED_PORT
proxy_header: NONE
timeout_sec: 5
unhealthy_threshold: 2
module.f5-lb.module.vm-addresses-dp.google_compute_address.internal["a"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-a-dp
network: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.vm-addresses-mgmt.google_compute_address.internal["a"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-a-mgmt
network: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management
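Review bot: this inventory plans IPv6 forwarding rules (`int-ipv6`, `ext-ipv6`) while both instances still show `stack_type: IPV4_ONLY` and an empty `ipv6_access_config` on every interface. The comment on `enable_ipv6` in the variables file says it "needs to be true to receive traffic from IPv6 forwarding rules", so the fixture pins a combination that, by that comment, does not receive the IPv6 traffic. If `enable_ipv6` changes the planned instances, set it to true in this test case and assert the result here; if it only changes the F5 configuration, say so in the variable description, and consider a validation that rejects IPv6 forwarding rules when it is false.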

View File

@ -0,0 +1,152 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.f5-lb.module.bigip-vms["a"].google_compute_instance.default[0]:
boot_disk:
- initialize_params:
- image: projects/f5-7626-networks-public/global/images/f5-bigip-15-1-2-1-0-0-10-byol-ltm-2boot-loc-210115160742
size: 100
type: pd-ssd
can_ip_forward: true
description: Managed by the compute-vm Terraform module.
machine_type: n2-standard-4
name: test-lb-a
network_interface:
- access_config: []
alias_ip_range:
- ip_cidr_range: 192.168.1.0/24
subnetwork_range_name: ip-range-a
ipv6_access_config: []
network: projects/my-project/global/networks/dataplane
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network: projects/my-project/global/networks/management
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management
project: my-project
tags: null
zone: europe-west1-a
module.f5-lb.module.bigip-vms["a"].google_compute_instance_group.unmanaged[0]:
description: Managed by the compute-vm Terraform module.
name: test-lb-a
network: projects/my-project/global/networks/dataplane
project: my-project
zone: europe-west1-a
module.f5-lb.module.lb-addresses.google_compute_address.external["ext-ipv4"]:
address_type: EXTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-nlb-ext-ipv4
project: my-project
region: europe-west1
module.f5-lb.module.bigip-vms["b"].google_compute_instance.default[0]:
advanced_machine_features: []
allow_stopping_for_update: true
attached_disk: []
boot_disk:
- initialize_params:
- image: projects/f5-7626-networks-public/global/images/f5-bigip-15-1-2-1-0-0-10-byol-ltm-2boot-loc-210115160742
size: 100
type: pd-ssd
can_ip_forward: true
description: Managed by the compute-vm Terraform module.
machine_type: n2-standard-4
name: test-lb-b
network_interface:
- access_config: []
alias_ip_range:
- ip_cidr_range: 192.168.2.0/24
subnetwork_range_name: ip-range-b
ipv6_access_config: []
network: projects/my-project/global/networks/dataplane
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network: projects/my-project/global/networks/management
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management
project: my-project
service_account:
- scopes:
- https://www.googleapis.com/auth/cloud-platform
- https://www.googleapis.com/auth/userinfo.email
tags: null
zone: europe-west1-b
module.f5-lb.module.bigip-vms["b"].google_compute_instance_group.unmanaged[0]:
description: Managed by the compute-vm Terraform module.
name: test-lb-b
named_port: []
network: projects/my-project/global/networks/dataplane
project: my-project
zone: europe-west1-b
module.f5-lb.module.passthrough-nlb[0].google_compute_forwarding_rule.forwarding_rules["ext-ipv4"]:
all_ports: true
allow_global_access: null
allow_psc_global_access: null
description: null
ip_protocol: L3_DEFAULT
ip_version: IPV4
load_balancing_scheme: EXTERNAL
name: test-nlb-ext-ipv4
ports: null
project: my-project
region: europe-west1
module.f5-lb.module.passthrough-nlb[0].google_compute_region_health_check.default[0]:
check_interval_sec: 5
description: Terraform managed.
healthy_threshold: 2
name: test-nlb
project: my-project
region: europe-west1
tcp_health_check:
- port: 65535
port_name: null
port_specification: USE_FIXED_PORT
proxy_header: NONE
timeout_sec: 5
unhealthy_threshold: 2
module.f5-lb.module.passthrough-nlb[0].google_compute_region_backend_service.default:
description: Terraform managed.
load_balancing_scheme: EXTERNAL
name: test-nlb
project: my-project
protocol: UNSPECIFIED
region: europe-west1
module.f5-lb.module.vm-addresses-dp.google_compute_address.internal["a"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-a-dp
network: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.vm-addresses-mgmt.google_compute_address.internal["a"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-a-mgmt
network: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management
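Review bot: the external forwarding rule `ext-ipv4` is asserted with `all_ports: true`, `ports: null` and `ip_protocol: L3_DEFAULT`, the instances carry `tags: null`, and no firewall resource appears anywhere in the inventory, so as far as this plan shows, ingress filtering for an internet-facing passthrough rule is left to whatever the caller's VPC already has. State that requirement in the blueprint's documentation, and consider running this case with `tags` set so that firewall rules can target the F5 instances.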

View File

@ -0,0 +1,112 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.f5-lb.module.bigip-vms["a"].google_compute_instance.default[0]:
boot_disk:
- initialize_params:
- image: projects/f5-7626-networks-public/global/images/f5-bigip-15-1-2-1-0-0-10-byol-ltm-2boot-loc-210115160742
size: 100
type: pd-ssd
can_ip_forward: true
description: Managed by the compute-vm Terraform module.
machine_type: n2-standard-4
name: test-lb-a
network_interface:
- access_config: []
alias_ip_range:
- ip_cidr_range: 192.168.1.0/24
subnetwork_range_name: ip-range-a
ipv6_access_config: []
network: projects/my-project/global/networks/dataplane
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network: projects/my-project/global/networks/management
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management
project: my-project
tags: null
zone: europe-west1-a
module.f5-lb.module.bigip-vms["a"].google_compute_instance_group.unmanaged[0]:
description: Managed by the compute-vm Terraform module.
name: test-lb-a
network: projects/my-project/global/networks/dataplane
project: my-project
zone: europe-west1-a
module.f5-lb.module.lb-addresses.google_compute_address.internal["l4"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-ilb-l4
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.passthrough-ilb[0].google_compute_forwarding_rule.forwarding_rules["l4"]:
all_ports: true
allow_global_access: true
allow_psc_global_access: null
ip_protocol: L3_DEFAULT
ip_version: IPV4
load_balancing_scheme: INTERNAL
name: test-ilb-l4
network: projects/my-project/global/networks/dataplane
ports: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.passthrough-ilb[0].google_compute_health_check.default[0]:
check_interval_sec: 5
description: Terraform managed.
healthy_threshold: 2
name: test-ilb
project: my-project
tcp_health_check:
- port: 65535
port_name: null
port_specification: USE_FIXED_PORT
proxy_header: NONE
timeout_sec: 5
unhealthy_threshold: 2
module.f5-lb.module.passthrough-ilb[0].google_compute_region_backend_service.default:
description: Terraform managed.
load_balancing_scheme: INTERNAL
name: test-ilb
network: projects/my-project/global/networks/dataplane
project: my-project
protocol: UNSPECIFIED
region: europe-west1
module.f5-lb.module.vm-addresses-dp.google_compute_address.internal["a"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-a-dp
network: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.vm-addresses-mgmt.google_compute_address.internal["a"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-a-mgmt
network: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management

View File

@ -0,0 +1,156 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.f5-lb.module.bigip-vms["a"].google_compute_instance.default[0]:
boot_disk:
- initialize_params:
- image: projects/f5-7626-networks-public/global/images/f5-bigip-15-1-2-1-0-0-10-byol-ltm-2boot-loc-210115160742
size: 150
type: pd-ssd
can_ip_forward: true
description: Managed by the compute-vm Terraform module.
machine_type: n2-standard-8
name: test-lb-a
network_interface:
- access_config: []
alias_ip_range:
- ip_cidr_range: 192.168.1.0/24
subnetwork_range_name: ip-range-a
ipv6_access_config: []
network: projects/my-project/global/networks/dataplane
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network: projects/my-project/global/networks/management
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management
project: my-project
tags:
- f5-lbs
zone: europe-west1-a
module.f5-lb.module.bigip-vms["a"].google_compute_instance_group.unmanaged[0]:
description: Managed by the compute-vm Terraform module.
name: test-lb-a
network: projects/my-project/global/networks/dataplane
project: my-project
zone: europe-west1-a
module.f5-lb.module.lb-addresses.google_compute_address.internal["l4"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-ilb-l4
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.bigip-vms["b"].google_compute_instance.default[0]:
advanced_machine_features: []
allow_stopping_for_update: true
attached_disk: []
boot_disk:
- initialize_params:
- image: projects/f5-7626-networks-public/global/images/f5-bigip-15-1-2-1-0-0-10-byol-ltm-2boot-loc-210115160742
size: 150
type: pd-ssd
can_ip_forward: true
description: Managed by the compute-vm Terraform module.
machine_type: n2-standard-8
name: test-lb-b
network_interface:
- access_config: []
alias_ip_range:
- ip_cidr_range: 192.168.2.0/24
subnetwork_range_name: ip-range-b
ipv6_access_config: []
network: projects/my-project/global/networks/dataplane
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network: projects/my-project/global/networks/management
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management
project: my-project
service_account:
- scopes:
- https://www.googleapis.com/auth/cloud-platform
- https://www.googleapis.com/auth/userinfo.email
tags:
- f5-lbs
zone: europe-west1-b
module.f5-lb.module.bigip-vms["b"].google_compute_instance_group.unmanaged[0]:
description: Managed by the compute-vm Terraform module.
name: test-lb-b
named_port: []
network: projects/my-project/global/networks/dataplane
project: my-project
zone: europe-west1-b
module.f5-lb.module.passthrough-ilb[0].google_compute_forwarding_rule.forwarding_rules["l4"]:
all_ports: true
allow_global_access: true
allow_psc_global_access: null
ip_protocol: L3_DEFAULT
ip_version: IPV4
load_balancing_scheme: INTERNAL
name: test-ilb-l4
network: projects/my-project/global/networks/dataplane
ports: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.passthrough-ilb[0].google_compute_health_check.default[0]:
check_interval_sec: 5
description: Terraform managed.
healthy_threshold: 2
name: test-ilb
project: my-project
tcp_health_check:
- port: 65535
port_name: null
port_specification: USE_FIXED_PORT
proxy_header: NONE
timeout_sec: 5
unhealthy_threshold: 2
module.f5-lb.module.passthrough-ilb[0].google_compute_region_backend_service.default:
description: Terraform managed.
load_balancing_scheme: INTERNAL
name: test-ilb
network: projects/my-project/global/networks/dataplane
project: my-project
protocol: UNSPECIFIED
region: europe-west1
module.f5-lb.module.vm-addresses-dp.google_compute_address.internal["a"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-a-dp
network: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.vm-addresses-mgmt.google_compute_address.internal["a"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-a-mgmt
network: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management

View File

@ -0,0 +1,112 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.f5-lb.module.bigip-vms["a"].google_compute_instance.default[0]:
boot_disk:
- initialize_params:
- image: projects/f5-7626-networks-public/global/images/f5-bigip-15-1-2-1-0-0-10-byol-ltm-2boot-loc-210115160742
size: 100
type: pd-ssd
can_ip_forward: true
description: Managed by the compute-vm Terraform module.
machine_type: n2-standard-4
name: test-lb-a
network_interface:
- access_config: []
alias_ip_range:
- ip_cidr_range: 192.168.1.0/24
subnetwork_range_name: ip-range-a
ipv6_access_config: []
network: projects/my-project/global/networks/dataplane
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
- access_config: []
alias_ip_range: []
ipv6_access_config: []
network: projects/my-project/global/networks/management
stack_type: IPV4_ONLY
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management
project: my-project
tags: null
zone: europe-west1-a
module.f5-lb.module.bigip-vms["a"].google_compute_instance_group.unmanaged[0]:
description: Managed by the compute-vm Terraform module.
name: test-lb-a
network: projects/my-project/global/networks/dataplane
project: my-project
zone: europe-west1-a
module.f5-lb.module.lb-addresses.google_compute_address.internal["l4"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-ilb-l4
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.passthrough-ilb[0].google_compute_forwarding_rule.forwarding_rules["l4"]:
all_ports: true
allow_global_access: true
allow_psc_global_access: null
ip_protocol: L3_DEFAULT
ip_version: IPV4
load_balancing_scheme: INTERNAL
name: test-ilb-l4
network: projects/my-project/global/networks/dataplane
ports: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.passthrough-ilb[0].google_compute_health_check.default[0]:
check_interval_sec: 5
description: Terraform managed.
healthy_threshold: 2
name: test-ilb
project: my-project
tcp_health_check:
- port: 65535
port_name: null
port_specification: USE_FIXED_PORT
proxy_header: NONE
timeout_sec: 5
unhealthy_threshold: 2
module.f5-lb.module.passthrough-ilb[0].google_compute_region_backend_service.default:
description: Terraform managed.
load_balancing_scheme: INTERNAL
name: test-ilb
network: projects/my-project/global/networks/dataplane
project: my-project
protocol: UNSPECIFIED
region: europe-west1
module.f5-lb.module.vm-addresses-dp.google_compute_address.internal["a"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-a-dp
network: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/dataplane
module.f5-lb.module.vm-addresses-mgmt.google_compute_address.internal["a"]:
address_type: INTERNAL
description: Terraform managed.
ip_version: null
ipv6_endpoint_type: null
name: test-a-mgmt
network: null
project: my-project
region: europe-west1
subnetwork: projects/my-project/regions/europe-west1/subnetworks/management
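Review bot: this 112-line inventory matches the earlier single-instance internal inventory in this commit line for line: same resources, same values, same hunk size. If the two files back different test cases, at least one of them asserts nothing that distinguishes its input; add the attribute that case is meant to exercise, or point both cases at one file.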