RavinderReddyF5
commented
4 years ago 
Hi @onurbrc , You can Assign a policy to Virtual Server using Terraform as below, actually there are Multiple Issues like
-
Not able to Create Policy Rule
-
Not able Publish Policy which is causing policy addition to Virtual Server Not happening
After resolving those issues i am able to configure policy and assign it to Virtual server as below.
Terraform Configuration:
root@terraformclient:~/Go_Workspace/src/github.com/terraform-providers/terraform-provider-bigip# cat ltmpolicy.tf
provider "bigip" {
address = "xxx.xxx.xxx.xxx"
username = "admin"
password = "F5site02"
}
resource "bigip_ltm_pool" "wild-pool" {
name = "/Common/test-pool"
load_balancing_mode = "round-robin"
allow_snat = "yes"
allow_nat = "yes"
}
resource "bigip_ltm_node" "ltm-node" {
name = "/Common/webservice"
address = "172.17.240.182%2"
connection_limit = "0"
dynamic_ratio = "1"
monitor = "default"
rate_limit = "disabled"
}
resource "bigip_ltm_pool_attachment" "attach-node" {
pool = "${bigip_ltm_pool.wild-pool.name}"
node ="${bigip_ltm_node.ltm-node.name}:0"
}
resource "bigip_ltm_policy" "http_to_https_redirect" {
name = "http_to_https_redirect"
strategy = "/Common/first-match"
requires = ["http"]
published_copy = "Drafts/http_to_https_redirect"
controls = ["forwarding"]
rule {
name = "http_to_https_redirect_rule"
action {
tm_name = "http_to_https_redirect"
redirect = true
location = "tcl:https://[HTTP::host][HTTP::uri]"
http_reply = true
}
}
}
resource "bigip_ltm_virtual_server" "test_vs3" {
name = "/Common/test_vs2"
destination = "172.17.240.53"
source ="0.0.0.0/0"
port = 0
ip_protocol="tcp"
profiles = ["/Common/http","/Common/tcp"]
policies = ["${bigip_ltm_policy.http_to_https_redirect.name}"]
}Terraform init:
root@terraformclient:~/Go_Workspace/src/github.com/terraform-providers/terraform-provider-bigip# terraform init
Initializing the backend...
Initializing provider plugins...
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.Terraform Apply:
root@terraformclient:~/Go_Workspace/src/github.com/terraform-providers/terraform-provider-bigip# terraform apply
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# bigip_ltm_node.ltm-node will be created
+ resource "bigip_ltm_node" "ltm-node" {
+ address = "172.17.240.182%2"
+ connection_limit = 0
+ dynamic_ratio = 1
+ id = (known after apply)
+ monitor = "default"
+ name = "/Common/webservice"
+ rate_limit = "disabled"
+ state = (known after apply)
}
# bigip_ltm_policy.http_to_https_redirect will be created
+ resource "bigip_ltm_policy" "http_to_https_redirect" {
+ controls = [
+ "forwarding",
]
+ id = (known after apply)
+ name = "http_to_https_redirect"
+ published_copy = "Drafts/http_to_https_redirect"
+ requires = [
+ "http",
]
+ strategy = "/Common/first-match"
+ rule {
+ name = "http_to_https_redirect_rule"
+ action {
+ app_service = (known after apply)
+ application = (known after apply)
+ asm = (known after apply)
+ avr = (known after apply)
+ cache = (known after apply)
+ carp = (known after apply)
+ category = (known after apply)
+ classify = (known after apply)
+ clone_pool = (known after apply)
+ code = (known after apply)
+ compress = (known after apply)
+ content = (known after apply)
+ cookie_hash = (known after apply)
+ cookie_insert = (known after apply)
+ cookie_passive = (known after apply)
+ cookie_rewrite = (known after apply)
+ decompress = (known after apply)
+ defer = (known after apply)
+ destination_address = (known after apply)
+ disable = (known after apply)
+ domain = (known after apply)
+ enable = (known after apply)
+ expiry = (known after apply)
+ expiry_secs = (known after apply)
+ expression = (known after apply)
+ extension = (known after apply)
+ facility = (known after apply)
+ forward = (known after apply)
+ from_profile = (known after apply)
+ hash = (known after apply)
+ host = (known after apply)
+ http = (known after apply)
+ http_basic_auth = (known after apply)
+ http_cookie = (known after apply)
+ http_header = (known after apply)
+ http_referer = (known after apply)
+ http_reply = true
+ http_set_cookie = (known after apply)
+ http_uri = (known after apply)
+ ifile = (known after apply)
+ insert = (known after apply)
+ internal_virtual = (known after apply)
+ ip_address = (known after apply)
+ key = (known after apply)
+ l7dos = (known after apply)
+ length = (known after apply)
+ location = "tcl:https://[HTTP::host][HTTP::uri]"
+ log = (known after apply)
+ ltm_policy = (known after apply)
+ member = (known after apply)
+ message = (known after apply)
+ netmask = (known after apply)
+ nexthop = (known after apply)
+ node = (known after apply)
+ offset = (known after apply)
+ path = (known after apply)
+ pem = (known after apply)
+ persist = (known after apply)
+ pin = (known after apply)
+ policy = (known after apply)
+ pool = (known after apply)
+ port = (known after apply)
+ priority = (known after apply)
+ profile = (known after apply)
+ protocol = (known after apply)
+ query_string = (known after apply)
+ rateclass = (known after apply)
+ redirect = true
+ remove = (known after apply)
+ replace = (known after apply)
+ request = (known after apply)
+ request_adapt = (known after apply)
+ reset = (known after apply)
+ response = (known after apply)
+ response_adapt = (known after apply)
+ scheme = (known after apply)
+ script = (known after apply)
+ select = (known after apply)
+ server_ssl = (known after apply)
+ set_variable = (known after apply)
+ snat = (known after apply)
+ snatpool = (known after apply)
+ source_address = (known after apply)
+ ssl_client_hello = (known after apply)
+ ssl_server_handshake = (known after apply)
+ ssl_server_hello = (known after apply)
+ ssl_session_id = (known after apply)
+ status = (known after apply)
+ tcl = (known after apply)
+ tcp_nagle = (known after apply)
+ text = (known after apply)
+ timeout = (known after apply)
+ tm_name = "http_to_https_redirect"
+ uie = (known after apply)
+ universal = (known after apply)
+ value = (known after apply)
+ virtual = (known after apply)
+ vlan = (known after apply)
+ vlan_id = (known after apply)
+ wam = (known after apply)
+ write = (known after apply)
}
}
}
# bigip_ltm_pool.wild-pool will be created
+ resource "bigip_ltm_pool" "wild-pool" {
+ allow_nat = "yes"
+ allow_snat = "yes"
+ id = (known after apply)
+ load_balancing_mode = "round-robin"
+ monitors = (known after apply)
+ name = "/Common/test-pool"
+ reselect_tries = (known after apply)
+ service_down_action = (known after apply)
+ slow_ramp_time = (known after apply)
}
# bigip_ltm_pool_attachment.attach-node will be created
+ resource "bigip_ltm_pool_attachment" "attach-node" {
+ id = (known after apply)
+ node = "/Common/webservice:0"
+ pool = "/Common/test-pool"
}
# bigip_ltm_virtual_server.test_vs3 will be created
+ resource "bigip_ltm_virtual_server" "test_vs3" {
+ client_profiles = (known after apply)
+ destination = "172.17.240.53"
+ fallback_persistence_profile = (known after apply)
+ id = (known after apply)
+ ip_protocol = "tcp"
+ mask = "255.255.255.255"
+ name = "/Common/test_vs2"
+ persistence_profiles = (known after apply)
+ policies = [
+ "http_to_https_redirect",
]
+ port = 0
+ profiles = [
+ "/Common/http",
+ "/Common/tcp",
]
+ server_profiles = (known after apply)
+ snatpool = (known after apply)
+ source = "0.0.0.0/0"
+ source_address_translation = (known after apply)
+ translate_address = (known after apply)
+ translate_port = (known after apply)
+ vlans_enabled = (known after apply)
}
Plan: 5 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
bigip_ltm_pool.wild-pool: Creating...
bigip_ltm_node.ltm-node: Creating...
bigip_ltm_policy.http_to_https_redirect: Creating...
bigip_ltm_node.ltm-node: Creation complete after 0s [id=/Common/webservice]
bigip_ltm_pool.wild-pool: Creation complete after 0s [id=/Common/test-pool]
bigip_ltm_pool_attachment.attach-node: Creating...
bigip_ltm_pool_attachment.attach-node: Creation complete after 0s [id=/Common/test-pool-/Common/webservice:0]
bigip_ltm_policy.http_to_https_redirect: Creation complete after 0s [id=http_to_https_redirect]
bigip_ltm_virtual_server.test_vs3: Creating...
bigip_ltm_virtual_server.test_vs3: Creation complete after 1s [id=/Common/test_vs2]
Apply complete! Resources: 5 added, 0 changed, 0 destroyed.
Terraform Update:
root@terraformclient:~/Go_Workspace/src/github.com/terraform-providers/terraform-provider-bigip# terraform apply
bigip_ltm_node.ltm-node: Refreshing state... [id=/Common/webservice]
bigip_ltm_pool.wild-pool: Refreshing state... [id=/Common/test-pool]
bigip_ltm_policy.http_to_https_redirect: Refreshing state... [id=http_to_https_redirect]
bigip_ltm_pool_attachment.attach-node: Refreshing state... [id=/Common/test-pool-/Common/webservice:0]
bigip_ltm_virtual_server.test_vs3: Refreshing state... [id=/Common/test_vs2]
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Terraform Destroy:
root@terraformclient:~/Go_Workspace/src/github.com/terraform-providers/terraform-provider-bigip# terraform destroy
bigip_ltm_pool.wild-pool: Refreshing state... [id=/Common/test-pool]
bigip_ltm_node.ltm-node: Refreshing state... [id=/Common/webservice]
bigip_ltm_policy.http_to_https_redirect: Refreshing state... [id=http_to_https_redirect]
bigip_ltm_pool_attachment.attach-node: Refreshing state... [id=/Common/test-pool-/Common/webservice:0]
bigip_ltm_virtual_server.test_vs3: Refreshing state... [id=/Common/test_vs2]
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
- destroy
Terraform will perform the following actions:
# bigip_ltm_node.ltm-node will be destroyed
- resource "bigip_ltm_node" "ltm-node" {
- address = "172.17.240.182%2" -> null
- connection_limit = 0 -> null
- dynamic_ratio = 1 -> null
- id = "/Common/webservice" -> null
- monitor = "default" -> null
- name = "/Common/webservice" -> null
- rate_limit = "disabled" -> null
- state = "unchecked" -> null
}
# bigip_ltm_policy.http_to_https_redirect will be destroyed
- resource "bigip_ltm_policy" "http_to_https_redirect" {
- controls = [
- "forwarding",
] -> null
- id = "http_to_https_redirect" -> null
- name = "http_to_https_redirect" -> null
- published_copy = "Drafts/http_to_https_redirect" -> null
- requires = [
- "http",
] -> null
- strategy = "/Common/first-match" -> null
- rule {
- name = "http_to_https_redirect_rule" -> null
- action {
- asm = false -> null
- avr = false -> null
- cache = false -> null
- carp = false -> null
- classify = false -> null
- code = 0 -> null
- compress = false -> null
- cookie_hash = false -> null
- cookie_insert = false -> null
- cookie_passive = false -> null
- cookie_rewrite = false -> null
- decompress = false -> null
- defer = false -> null
- destination_address = false -> null
- disable = false -> null
- enable = false -> null
- expiry_secs = 0 -> null
- forward = false -> null
- hash = false -> null
- http = false -> null
- http_basic_auth = false -> null
- http_cookie = false -> null
- http_header = false -> null
- http_host = false -> null
- http_referer = false -> null
- http_reply = true -> null
- http_set_cookie = false -> null
- http_uri = false -> null
- insert = false -> null
- l7dos = false -> null
- length = 0 -> null
- location = "tcl:https://[HTTP::host][HTTP::uri]" -> null
- log = false -> null
- ltm_policy = false -> null
- offset = 0 -> null
- pem = false -> null
- persist = false -> null
- pin = false -> null
- port = 0 -> null
- redirect = true -> null
- remove = false -> null
- replace = false -> null
- request = false -> null
- request_adapt = false -> null
- reset = false -> null
- response = false -> null
- response_adapt = false -> null
- select = false -> null
- server_ssl = false -> null
- set_variable = false -> null
- source_address = false -> null
- ssl_client_hello = false -> null
- ssl_server_handshake = false -> null
- ssl_server_hello = false -> null
- ssl_session_id = false -> null
- status = 0 -> null
- tcl = false -> null
- tcp_nagle = false -> null
- timeout = 0 -> null
- tm_name = "http_to_https_redirect" -> null
- uie = false -> null
- universal = false -> null
- vlan_id = 0 -> null
- wam = false -> null
- write = false -> null
}
}
}
# bigip_ltm_pool.wild-pool will be destroyed
- resource "bigip_ltm_pool" "wild-pool" {
- allow_nat = "yes" -> null
- allow_snat = "yes" -> null
- id = "/Common/test-pool" -> null
- load_balancing_mode = "round-robin" -> null
- monitors = [
- "",
] -> null
- name = "/Common/test-pool" -> null
- reselect_tries = 0 -> null
- service_down_action = "none" -> null
- slow_ramp_time = 0 -> null
}
# bigip_ltm_pool_attachment.attach-node will be destroyed
- resource "bigip_ltm_pool_attachment" "attach-node" {
- id = "/Common/test-pool-/Common/webservice:0" -> null
- node = "/Common/webservice:0" -> null
- pool = "/Common/test-pool" -> null
}
# bigip_ltm_virtual_server.test_vs3 will be destroyed
- resource "bigip_ltm_virtual_server" "test_vs3" {
- client_profiles = [] -> null
- destination = "172.17.240.53" -> null
- id = "/Common/test_vs2" -> null
- ip_protocol = "tcp" -> null
- irules = [] -> null
- mask = "255.255.255.255" -> null
- name = "/Common/test_vs2" -> null
- persistence_profiles = [] -> null
- policies = [
- "http_to_https_redirect",
] -> null
- port = 0 -> null
- profiles = [
- "/Common/http",
- "/Common/tcp",
] -> null
- server_profiles = [] -> null
- source = "0.0.0.0/0" -> null
- source_address_translation = "none" -> null
- translate_address = "enabled" -> null
- translate_port = "enabled" -> null
- vlans = [] -> null
- vlans_enabled = false -> null
}
Plan: 0 to add, 0 to change, 5 to destroy.
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
bigip_ltm_pool_attachment.attach-node: Destroying... [id=/Common/test-pool-/Common/webservice:0]
bigip_ltm_virtual_server.test_vs3: Destroying... [id=/Common/test_vs2]
bigip_ltm_pool_attachment.attach-node: Destruction complete after 0s
bigip_ltm_pool.wild-pool: Destroying... [id=/Common/test-pool]
bigip_ltm_node.ltm-node: Destroying... [id=/Common/webservice]
bigip_ltm_virtual_server.test_vs3: Destruction complete after 0s
bigip_ltm_policy.http_to_https_redirect: Destroying... [id=http_to_https_redirect]
bigip_ltm_pool.wild-pool: Destruction complete after 0s
bigip_ltm_node.ltm-node: Destruction complete after 0s
bigip_ltm_policy.http_to_https_redirect: Destruction complete after 0s
Destroy complete! Resources: 5 destroyed.
ISSUE TYPE
COMPONENT NAME
TERRAFORM VERSION
BIGIP VERSION
SUMMARY
Hi !
It would be nice being able to add http requests redirection to https for virtual servers listening on 80 which traffic must be on https ports instead. The CLI example as follow :
TMSH EXAMPLE
EXPECTED RESULTS
QUESTIONS
Considering that bigip_ltm_policy resource already exists, how can I assign a policy to a given bigip_ltm_virtual_server resource ?
Thank you in advance.