BIG-IP - Terraform Provider
Overview
This example uses Terraform to create a private key and a throwaway, self-signed SSL certificate. These resources are in the tls.tf file. This certificate is then loaded onto the BIG-IP and a clientSSL profile is created on the BIG-IP using this certificate. The resources using the BIG-IP provider are in the bigip_config.tf file.
How to use this example
Prerequisites
You will need a running BIG-IP, and you will need to know the admin username and password.
Instructions
1. Change directory to this directory, i.e.,
   cd [directory_with_.tf_files]
2. Run
   terraform init
   to download the required providers.
3. Run
   terraform apply
   and you will be prompted for the username, password, and the mgmt IP address of the running BIG-IP that you are targeting. After entering these and typing yes at the prompt, Terraform will create a certificate, load that certificate into BIG-IP, and create an SSL profile.
Advanced
After trying this example with a self-signed certificate, you should use your own SSL certificate, which you should store securely in a vault. The key can be provided to the BIG-IP provider bigip_ssl_key resource in PEM format.
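One way to do this, as an added example that is not part of the original F5 example: read the certificate and key from HashiCorp Vault and pass them to the BIG-IP resources, replacing tls.tf and bigip_config.tf while keeping variables.tf and providers.tf. The Vault path, the field names cert_pem and key_pem, the KV version 1 mount, and the resource names are assumptions; the Vault provider is assumed to read VAULT_ADDR and VAULT_TOKEN from the environment.

```hcl
# Added example (not from the original page).
# Assumption: a KV version 1 secret at the hypothetical path below holds
# two fields, "cert_pem" and "key_pem", both PEM encoded.

# Address and token come from the VAULT_ADDR and VAULT_TOKEN environment
# variables, so no credentials appear in the .tf files.
provider "vault" {}

data "vault_generic_secret" "tls" {
  path = "secret/bigip/example-com" # hypothetical path
}

resource "bigip_ssl_certificate" "prod-cert" {
  name      = "prodcert.crt"
  content   = data.vault_generic_secret.tls.data["cert_pem"]
  partition = "Common"
}

resource "bigip_ssl_key" "prod-key" {
  name      = "prodkey.key"
  content   = data.vault_generic_secret.tls.data["key_pem"] # private key in PEM format
  partition = "Common"
}

resource "bigip_ltm_profile_client_ssl" "prodClientSSLProfile" {
  # The profile refers to the certificate and key by name only, so the
  # ordering has to be stated explicitly, as in bigip_config.tf.
  depends_on = [
    bigip_ssl_key.prod-key,
    bigip_ssl_certificate.prod-cert
  ]
  name          = "/Common/prodClientSSLProfile"
  defaults_from = "/Common/clientssl"
  ciphers       = "DEFAULT"
  cert          = "/Common/prodcert.crt"
  key           = "/Common/prodkey.key"
}
```

Values read this way, like the key generated in tls.tf, are still written to the Terraform state, so the state backend needs the same protection as the vault.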
Overview of files
Unless you want an advanced configuration, these files do not need to be edited. The descriptions below only explain what each file does.
variables.tf
This file defines the variables that you will be prompted for when you run the terraform apply command.

    # Variables for BIG-IP
    variable "bigip_user" {}
    variable "bigip_password" {
      sensitive = true
    }
    variable "bigip_mgmt_ip" {}

providers.tf
This file configures the BIG-IP provider based on the inputs to the prompts in your terraform apply command.

    provider "bigip" {
      address  = "https://${var.bigip_mgmt_ip}"
      username = var.bigip_user
      password = var.bigip_password
    }
    terraform {
      required_providers {
        bigip = {
          source  = "f5networks/bigip"
          version = "~> 1.5"
        }
      }
    }

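tls.tf
This file simply creates a temporary, throwaway SSL certificate for use in this demo.

    # Private key for the throwaway certificate
    resource "tls_private_key" "myprivatekey" {
      algorithm = "RSA"
    }
    # Self-signed certificate, valid for 12 hours
    resource "tls_self_signed_cert" "mycertificate" {
      # Accepted by hashicorp/tls provider versions before 4.0. From 4.0 on
      # the algorithm is inferred from private_key_pem and this argument is
      # read-only, so remove this line with those versions.
      key_algorithm   = "RSA"
      private_key_pem = tls_private_key.myprivatekey.private_key_pem
      subject {
        common_name  = "example.com"
        organization = "ACME Examples, Inc"
      }
      validity_period_hours = 12
      allowed_uses = [
        "key_encipherment",
        "digital_signature",
        "server_auth",
      ]
    }
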
bigip_config.tf
This file contains the resources that configure the BIG-IP, including the installation of the SSL certificate created, and the creation of the SSL profile.

    resource "bigip_ssl_certificate" "test-cert" {
      name      = "servercert.crt"
      content   = tls_self_signed_cert.mycertificate.cert_pem
      partition = "Common"
    }
    resource "bigip_ssl_key" "test-key" {
      name      = "serverkey.key"
      content   = tls_private_key.myprivatekey.private_key_pem
      partition = "Common"
    }
    resource "bigip_ltm_profile_client_ssl" "myClientSSLProfile" {
      depends_on = [
        bigip_ssl_key.test-key,
        bigip_ssl_certificate.test-cert
      ]
      name          = "/Common/myClientSSLProfile"
      defaults_from = "/Common/clientssl"
      #authenticate = "always"
      ciphers       = "DEFAULT"
      cert          = "/Common/servercert.crt"
      key           = "/Common/serverkey.key"
    }