terraform-provider-bigip icon indicating copy to clipboard operation
terraform-provider-bigip copied to clipboard

Published 20 hours ago verified publisher icon F5Networks

Add F5 Cluster configuration (configsync, failoveraddresses, trust)

Open Otimun opened this issue 3 years ago • 3 comments

Unable to use current terraform configuration to build a cluster. Have been trying to use the documented resources:

bigip_cm_device bigip_cm_devicegroup

There seem to be a number of things missing for the cluster to be constructed:

  • Ability to configure configsync on current cm_device (resource cm_device is only able to be used to create a new device)
  • Ability to configurer failoveraddresses (on current cm device)
  • Ability to initiate trust between cluster members

Is your feature request related to a problem? Please describe.

I am trying to move the cluster building away from Declarative Onboarding since this is a little sketchy at times. Steps undertaken to see if current terraform provider is able to achieve building a cluster:

first trying to create resources with at least the configsync_ip

resource "bigip_cm_device" "cm_device" {
  count              = var.init_ha_group
  name              = "${var.hostname}.${var.domain}"
  configsync_ip = var.sync_ip_address
  depends_on   = [bigip_net_selfip.sync_selfIP]
}

failed because cannot create new device object with same name as already exists: ╷ │ Error: HTTP 409 :: {"code":409,"message":"01020066:3: The requested system device () already exists in partition Common.","errorStack":[],"apiError":3} │ │ with module.clustering_2.bigip_cm_device.cm_device, │ on ../../../modules/f5_clustering/clustering.tf line 17, in resource "bigip_cm_device" "cm_device": │ 17: resource "bigip_cm_device" "cm_device" { │

Importing the cm_device and then trying to make the adjustments:

terraform import module.clustering_1.bigip_cm_device.cm_device <name host1>
terraform import module.clustering_2.bigip_cm_device.cm_device <name host2>
terraform apply

failed because a modify was not possible on device: │ Error: HTTP 403 :: {"code":403,"message":"Operation is not supported on component /cm/device.","errorStack":[],"apiError":1} │ │ with module.clustering_1.bigip_cm_device.cm_device, │ on ../../../modules/f5_clustering/clustering.tf line 17, in resource "bigip_cm_device" "cm_device": │ 17: resource "bigip_cm_device" "cm_device" {

When adding the other device with the command and creating the HA_Group:

resource "bigip_cm_device" "cm_device" {
  count             = var.init_ha_group
  name          = "${var.hostname_peer}.${var.domain}"
  configsync_ip = var.sync_peer_ip_address
  depends_on    = [bigip_net_selfip.sync_selfIP]
}

resource "bigip_cm_devicegroup" "HA_Group" {
  count             = var.init_ha_group
  name              = "HA_Group"
  auto_sync         = "enabled"
  network_failover  = "enabled"
  full_load_on_sync = "false"
  save_on_auto_sync = "false"
  type              = "sync-failover"
  device {
    name = "${var.hostname}.${var.domain}"
  }
  device {
    name = "${var.hostname_peer}.${var.domain}"
  }
  depends_on = [
    bigip_cm_device.cm_device
  ]
}

The configuration was succesfull, but the new device did not actually represent the other f5.

From the above it is clear that the current terraform resources are not adequate to build a F5 cluster. Hence this is a feature request to be able to do so with aditional resources.

Describe the solution you'd like

Implementation and documentation of steps to create a cluster using Terraform. The solution most probably will need the following working parts:

  • Configure configsync
  • Configure failover Addresses
  • Configure mirroring ip addresses
  • Build trust
  • HA group seems to be working correctly, but seems to be missing the ASM sync options.
  • It also seems that the cm device resource needs to be updated in a way to be able to work with the current configuration.

Describe alternatives you've considered

This is currently working with Declarative Onboarding using the following code: "configsync": { "class": "ConfigSync", "configsyncIp": "/Common/${SYNC_SELF}/address" }, "failoverAddress": { "class": "FailoverUnicast", "addressPorts": [ { "address": "/Common/${SYNC_SELF}/address", "port": 1026 }, { "address": "${MGMT_IP}", "port": 1026 } ] }, "trust": { "class": "DeviceTrust", "localUsername": "admin", "localPassword": "${ADMIN_PASSWORD}", "remoteHost": "${MGMT_IP_OTHER}", "remoteUsername": "admin", "remotePassword": "${ADMIN_PASSWORD}" }, "HA_Group": { "class": "DeviceGroup", "type": "sync-failover", "members": [ "${MGMT_IP_OTHER}", "${MGMT_IP}" ], "owner": "${MGMT_IP_OTHER}", "autoSync": true, "saveOnAutoSync": false, "networkFailover": true, "fullLoadOnSync": false, "asmSync": "${ASM_SYNC}" }

Otimun avatar Jun 06 '22 18:06 Otimun

@Otimun Suggest use DO and share your feedback.

trinaths avatar Jul 06 '22 16:07 trinaths

Hi @trinaths, thanks for your response. This configuration does work in DO, but to keep Declarative Onboarding as a module working for all devices (both standalone and cluster devices) I've removed it from the funcionality there.

Instead I found another workaround using bigip_command resources:

resource "bigip_command" "ha_configuration" {
  commands = [
    "modify cm device ${var.hostname}.${var.domain} configsync-ip ${var.sync_ip_address}",
    "modify cm device ${var.hostname}.${var.domain} unicast-address { { ip ${var.sync_ip_address} port 1026 } { ip management-ip port 1026 } }",
  ]
  depends_on = [bigip_net_selfip.sync_selfIP]
}

resource "bigip_command" "delete_ha" {
  commands = [
    "modify cm device  ${var.hostname}.${var.domain} configsync-ip none",
    "modify cm device ${var.hostname}.${var.domain} unicast-address none"
  ]
  when       = "destroy"
  depends_on = [bigip_net_selfip.sync_selfIP]
}

resource "bigip_command" "trust_configuration" {
  count = var.create_ha
  commands = [
    "modify cm trust-domain add-device { device-ip ${var.ip_address_peer} device-name ${var.hostname_peer}.${var.domain} username ${var.username} password ${var.password} }"
  ]
  depends_on = [bigip_command.ha_configuration]
}

resource "bigip_command" "delete_trust" {
  commands = [
    "modify cm trust-domain remove-device ${var.hostname_peer}.${var.domain}"
  ]
  when = "destroy"
}

resource "bigip_cm_devicegroup" "HA_Group" {
  count             = var.create_ha
  name              = "HA_Group"
  auto_sync         = "enabled"
  network_failover  = "enabled"
  full_load_on_sync = "false"
  save_on_auto_sync = "false"
  type              = "sync-failover"
  device {
    name = "${var.hostname}.${var.domain}"
  }
  device {
    name = "${var.hostname_peer}.${var.domain}"
  }
  depends_on = [
    bigip_command.trust_configuration
  ]
}

resource "bigip_command" "initial_config_sync" {
  count = var.create_ha
  commands = [
    "run cm config-sync to-group ${bigip_cm_devicegroup.HA_Group[0].name}"
  ]
  depends_on = [bigip_cm_devicegroup.HA_Group]
}

Still it would be very nice to be able to use normal terraform resources to create clusters rather than making use of bigip_command resources.

Otimun avatar Jul 07 '22 19:07 Otimun

+1 on this request, would be nice to avoid using DO altogether thanks @Otimun for sharing, was building this on my own

pr0c4 avatar Jul 24 '22 13:07 pr0c4