F5Networks / terraform-aws-bigip-module

Terraform module for Deploying BIG-IP in AWS
Apache License 2.0

EIP tagging ability needed for CFE #35

Open JeffGiroux opened 1 year ago

JeffGiroux commented 1 year ago

The EIPs created by the BIG-IP module need the ability to be tagged. This would allow a user to meet the Cloud Failover prerequisites for AWS, which require proper NIC tagging and EIP tagging. Currently a workaround is required: use data objects to retrieve the EIP IDs based on the public IP outputs. The user requires the ability to tag the EIPs during BIG-IP module deployment.

Similar to use case in https://github.com/F5Networks/terraform-aws-bigip-module/issues/22

Workaround

Specifically, the secondary IP of the NIC which is associated with the EIP is the value of the tag. The following two tags are required on each EIP.

# Public VIP info: look up the EIPs the module created, keyed by the
# public IP the module outputs for the secondary address of the external NIC
data "aws_eip" "bigip_vip" {
  public_ip = module.bigip.public_addresses["external_secondary_public"][0]
}
data "aws_eip" "bigip2_vip" {
  public_ip = module.bigip2.public_addresses["external_secondary_public"][0]
}

# tagging: the two tags CFE expects on each EIP (shown here for bigip2 only)
resource "aws_ec2_tag" "bigip2_vip_label" {
  resource_id = data.aws_eip.bigip2_vip.id
  key         = "f5_cloud_failover_label"
  value       = var.f5_cloud_failover_label
}
# comma-separated list of the secondary private IPs of the external NIC on each BIG-IP
resource "aws_ec2_tag" "bigip2_vip_ips" {
  resource_id = data.aws_eip.bigip2_vip.id
  key         = "f5_cloud_failover_vips"
  value       = "${element(flatten(module.bigip.private_addresses["public_private"]["private_ips"][0]), 1)},${element(flatten(module.bigip2.private_addresses["public_private"]["private_ips"][0]), 1)}"
}

This is an ugly workaround but it just shows the tags needed. The failover VIPs tag requires the IPs of the secondary NICs as tag values for CFE to function. My workaround is above. If we had the ability to apply EIP tags, that would help.
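
The two EIP tags described above are easy to get subtly wrong (a VIP listed that is a NIC's primary rather than secondary address, an EIP associated to the wrong private IP, a label that differs between the two devices), and Terraform will happily apply them. The following is an added offline check, not code from the issue, the module or F5; it walks data in the shape of the EC2 DescribeAddresses and DescribeNetworkInterfaces responses and reports every deviation from what the issue says CFE needs: both tags present on every EIP, the label identical on all of them, every VIP a secondary private IP of a cluster NIC, and the EIP itself associated to one of those VIPs. The interface IDs, addresses and label value are constructed for the example; the key names are the ones from the workaround above.

```python
"""Offline check of the f5_cloud_failover_label / f5_cloud_failover_vips EIP tags.

Added example (not the module's code). The sample data below is constructed in the
shape of boto3's ec2.describe_addresses()["Addresses"] and
ec2.describe_network_interfaces()["NetworkInterfaces"], with only the fields the
check reads; IDs and addresses are hypothetical.
"""
from ipaddress import ip_address

LABEL_KEY = "f5_cloud_failover_label"
VIPS_KEY = "f5_cloud_failover_vips"

# Constructed: external NIC of each BIG-IP, one primary + one secondary private IP.
SAMPLE_INTERFACES = [
    {"NetworkInterfaceId": "eni-aaaa1111", "PrivateIpAddresses": [
        {"PrivateIpAddress": "10.0.1.10", "Primary": True},
        {"PrivateIpAddress": "10.0.1.11", "Primary": False}]},
    {"NetworkInterfaceId": "eni-bbbb2222", "PrivateIpAddresses": [
        {"PrivateIpAddress": "10.0.1.20", "Primary": True},
        {"PrivateIpAddress": "10.0.1.21", "Primary": False}]},
]

# Constructed: correctly tagged EIPs, each associated to a NIC's secondary IP.
SAMPLE_ADDRESSES_OK = [
    {"AllocationId": "eipalloc-0001", "PublicIp": "203.0.113.10",
     "NetworkInterfaceId": "eni-aaaa1111", "PrivateIpAddress": "10.0.1.11",
     "Tags": [{"Key": LABEL_KEY, "Value": "bigip-cluster-a"},
              {"Key": VIPS_KEY, "Value": "10.0.1.11,10.0.1.21"}]},
    {"AllocationId": "eipalloc-0002", "PublicIp": "203.0.113.11",
     "NetworkInterfaceId": "eni-bbbb2222", "PrivateIpAddress": "10.0.1.21",
     "Tags": [{"Key": LABEL_KEY, "Value": "bigip-cluster-a"},
              {"Key": VIPS_KEY, "Value": "10.0.1.11,10.0.1.21"}]},
]

# Constructed failure case: second EIP lacks the vips tag and is associated to
# the NIC's primary address instead of its secondary.
SAMPLE_ADDRESSES_BAD = [
    SAMPLE_ADDRESSES_OK[0],
    {"AllocationId": "eipalloc-0002", "PublicIp": "203.0.113.11",
     "NetworkInterfaceId": "eni-bbbb2222", "PrivateIpAddress": "10.0.1.20",
     "Tags": [{"Key": LABEL_KEY, "Value": "bigip-cluster-a"}]},
]


def secondary_ips_by_eni(interfaces):
    """Map NIC id -> set of its secondary (non-primary) private IPs."""
    return {
        eni["NetworkInterfaceId"]: {
            p["PrivateIpAddress"]
            for p in eni.get("PrivateIpAddresses", [])
            if not p.get("Primary", False)
        }
        for eni in interfaces
    }


def build_vips_tag_value(interfaces):
    """Comma-joined secondary IPs of every NIC, the value the workaround computes."""
    ips = []
    for eni in interfaces:
        ips.extend(sorted(secondary_ips_by_eni([eni])[eni["NetworkInterfaceId"]]))
    return ",".join(ips)


def check_cfe_eip_tags(addresses, interfaces, expected_label):
    """Return a list of findings (empty list means the EIP tagging looks right)."""
    findings = []
    secondaries = secondary_ips_by_eni(interfaces)
    all_secondaries = set().union(*secondaries.values())
    for addr in addresses:
        aid = addr.get("AllocationId", "?")
        tags = {t["Key"]: t["Value"] for t in addr.get("Tags", [])}
        label = tags.get(LABEL_KEY)
        if label is None:
            findings.append(f"{aid}: missing tag {LABEL_KEY}")
        elif label != expected_label:
            findings.append(f"{aid}: {LABEL_KEY}={label!r}, expected {expected_label!r}")
        vips_raw = tags.get(VIPS_KEY)
        vips = []
        if vips_raw is None:
            findings.append(f"{aid}: missing tag {VIPS_KEY}")
        else:
            vips = [v.strip() for v in vips_raw.split(",") if v.strip()]
        for vip in vips:
            try:
                ip_address(vip)
            except ValueError:
                findings.append(f"{aid}: {VIPS_KEY} entry {vip!r} is not an IP address")
                continue
            if vip not in all_secondaries:
                findings.append(f"{aid}: VIP {vip} is not a secondary private IP of any cluster NIC")
        eni, assoc_ip = addr.get("NetworkInterfaceId"), addr.get("PrivateIpAddress")
        if eni is None or assoc_ip is None:
            findings.append(f"{aid}: EIP is not associated with a NIC")
        elif assoc_ip not in secondaries.get(eni, set()):
            findings.append(f"{aid}: associated private IP {assoc_ip} is not a secondary IP of {eni}")
        elif assoc_ip not in vips:
            findings.append(f"{aid}: associated private IP {assoc_ip} is not listed in {VIPS_KEY}")
    return findings


if __name__ == "__main__":
    for name, data in (("ok", SAMPLE_ADDRESSES_OK), ("bad", SAMPLE_ADDRESSES_BAD)):
        print(name, check_cfe_eip_tags(data, SAMPLE_INTERFACES, "bigip-cluster-a") or "no findings")
```

Against a real account, replace the two sample lists with the `Addresses` and `NetworkInterfaces` lists returned by boto3 (filtered to the BIG-IP cluster's NICs) and run the check after `terraform apply`; an empty findings list is what you want before enabling CFE.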

RavinderReddyF5 commented 1 year ago

Hi @JeffGiroux, we have already made changes to tag the external EIP, based on the variable externalnic_failover_tags

https://github.com/F5Networks/terraform-aws-bigip-module/blob/main/main.tf#L63-L68

JeffGiroux commented 1 year ago

Per CFE requirements, the NIC and EIP have different tags. The way the fix has been implemented will mean adding all NIC and EIP tags into the new tag variable. That is fine for me… but will those additional NIC mapping tags cause a problem with the EIP? And will the additional EIP VIP IP address tag cause a conflict with the NIC?