terraform-provider-bigip

Ability to add Route domains and Tenants

Open Otimun opened this issue 3 years ago • 9 comments

Is your feature request related to a problem? Please describe.

When creating new VE devices using Terraform, I need to resort to Declarative Onboarding to create new Route domains, then I need to run AS3 to create multiple tenants, before I can use these tenants in my vlan configuration. Having to use Declarative Onboarding and AS3 to make adjustments in my vlans is a big hassle, especially because the outcome of running DO on a live system has an unsure outcome.

Describe the solution you'd like

Being able to use Terraform to create a routing domain and a tenant so that I can make use of them during the VLAN creation.

Describe alternatives you've considered

I have a semi-working solution using Declarative Onboarding and AS3, but it is far from being clear in the code.

Otimun avatar May 17 '22 21:05 Otimun

@Otimun Please share the manifests used with DO and AS3 to validate this issue. Recommend using AS3 and DO. However we want to verify the issue.

trinaths avatar Jul 06 '22 16:07 trinaths

Hi @trinaths thank you for your response. To create the number of route domains using DO, I use a template:

{
%{~ for idx, routedomain in routedomains ~}
        "${routedomain}" : {
            "class" : "RouteDomain",
            "id" : ${format("%d",idx + 1)},
            "vlans" : []
        },
%{~ endfor ~}
}

and create the number of routedomains using the following code:

do_routedomains_template = replace(templatefile("${path.module}/do_routedomain.tftpl", { routedomains = var.partition_names }), "},}", "}}")

Then I merge this template with the actual DO configuration before pushing it to the F5.

The main issue here is the problem that you normally use DO only once (at provisioning) and adding extra routedomains later on if a new partition needs to be generated needs to be either done manually or using a custom script. Hence the feature request.

The creation of the partition/tenant is tightly linked with this same situation. AS3 works similarly. I use the following template to create the partitions using AS3:

{
%{~ for idx, partition in partitions ~}
    "${partition}" : {
        "class" : "Tenant",
        "defaultRouteDomain" : ${format("%d",idx + 1)},
        "initial" : {
            "class" : "Application",
            "VS-initial" : {
                "class" : "Service_HTTP",
                "virtualAddresses" : [
                    "1.2.3.4"
                ]
            }
        }
    },
%{~ endfor ~}
}

and in locals I use this code to generate the partitions before merging it with a simple empty AS3 file:

as3_partitions_template = replace(templatefile("${path.module}/as3_partitions.tftpl", { partitions = var.partition_names }), "},}", "}}")

I need to do this before the actual AS3 call with the configuration of the virtual servers because my vlan creation depends on the partition configuration. Being able to separate Route domains and Tenants/Partitions from AS3 and DO would therefore greatly enhance the flexibility of the code, giving the opportunity to add new partitions with a new routedomain and its network interfaces.

Otimun avatar Jul 07 '22 19:07 Otimun
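The two templates above interpolate partition names into JSON as raw text and rely on replace() to remove the trailing comma. The following is an added example, not code from the thread or from the provider project: it builds the same two fragments as Terraform objects and serialises them with jsonencode, so names are escaped and the output is always valid JSON. The local and output names and the name pattern in the validation block are assumptions.

```hcl
variable "partition_names" {
  type        = list(string)
  description = "Partition/tenant names; list position + 1 becomes the route domain ID."

  validation {
    # Assumed naming pattern: reject anything that is not a plain object name.
    condition     = alltrue([for n in var.partition_names : can(regex("^[A-Za-z][A-Za-z0-9_.-]*$", n))])
    error_message = "Partition names must start with a letter and contain only letters, digits, '_', '.' or '-'."
  }
}

locals {
  # DO fragment: one RouteDomain per partition, same shape as do_routedomain.tftpl.
  do_routedomains = {
    for idx, name in var.partition_names : name => {
      class = "RouteDomain"
      id    = idx + 1
      vlans = []
    }
  }

  # AS3 fragment: one Tenant per partition, same shape as as3_partitions.tftpl.
  as3_partitions = {
    for idx, name in var.partition_names : name => {
      class              = "Tenant"
      defaultRouteDomain = idx + 1
      initial = {
        class = "Application"
        "VS-initial" = {
          class            = "Service_HTTP"
          virtualAddresses = ["1.2.3.4"]
        }
      }
    }
  }

  # jsonencode escapes every string and never emits a trailing comma,
  # so no replace("},}", "}}") post-processing is needed.
  do_routedomains_json = jsonencode(local.do_routedomains)
  as3_partitions_json  = jsonencode(local.as3_partitions)
}

output "do_routedomains_json" { value = local.do_routedomains_json }
output "as3_partitions_json" { value = local.as3_partitions_json }
```

A duplicate name in the list makes the for expression fail at plan time instead of producing two objects with the same key.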

Are there any plans to extend the terraform provider to support routedomain creation ?

pr0c4 avatar Mar 28 '23 18:03 pr0c4

Hi @pr0c4,

Have you tried using DO? https://clouddocs.f5.com/products/extensions/f5-declarative-onboarding/latest/schema-reference.html#routedomain

pgouband avatar Mar 29 '23 07:03 pgouband

hello @pgouband,

Can I use DO for a brownfield? TF provider vs AS3/DO is more appealing because I can automate new stuff next to existing stuff.

I was thinking the logic of pool member attachment can be used for the vlan attachment to the route domain.

pr0c4 avatar May 12 '23 11:05 pr0c4

Hi @pr0c4,

I was able to add a vlan and a route domain using Terraform (DO resource) on a BIG-IP device with a configuration, but to keep the current configuration (vlans, self IP, ...), the current config needs to be added in the DO declaration.

pgouband avatar May 22 '23 13:05 pgouband

Thanks for the reply @pgouband. Can I just push a partial declaration of vlans and self-IPs, or would I need to add all my F5 config in the DO declaration? (AAA/SNMP/Syslog/HA....)

pr0c4 avatar May 23 '23 07:05 pr0c4

Hi @pr0c4,

Partial declaration works. I tested quickly and HA is still working. After applying the config, a sync will be asked by the device as the configuration has changed.

Also, if you try to push a declaration without the IP (and all the config needed - vlan for example) used for HA, an error message will appear:

Error: error while reading the response body :map[class:Result code:202 errors:[010713b1:3: Cannot delete IP (10.1.10.132) because it is used by the system state-mirroring (Primary Mirror Address) setting.] message:invalid config - rolling back status:ROLLING_BACK]

I suggest you test in a lab environment before testing in production.

pgouband avatar May 24 '23 08:05 pgouband

Hello,

Sorry for the late reply, I did not have time to work on this a lot.

I tried partial declarations on big-ip v15 with do 1.41.0 and it did not work; once I pasted some vlan and selfip it deleted the rest of the config (lab, so fine :) ). This means we could try for new deployments.

Unfortunately it seems I can't add vlans to the RD list (like described here).

pr0c4 avatar Jan 04 '24 15:01 pr0c4