Ability to add Route domains and Tenants

[Otimun]

Is your feature request related to a problem? Please describe.

When creating new VE devices using Terraform, I need to resort to Declarative Onboarding to create new Route domains, then I need to run AS3 to create multiple tenants, before I can use these tenants in my vlan configuration. Having to use Declarative Onboarding and AS3 to make adjustments in my vlans is a big hassle, especially because the outcome of running DO on a live system has an unsure outcome.

Describe the solution you'd like

Being able to use Terraform to create a routing domain and a tenant so that I can make use of them during the VLAN creation.

Describe alternatives you've considered

I have a semi working solution using Declarative Onboarding and AS3, but it is far from being clear in the code.

[trinaths]

@Otimun Please share the manifests used with DO and AS3 to validate this issue. Recommend using AS3 and DO. However we want to verify the issue.

[Otimun]

Hi @trinaths thank you for your response. To create the number of route domains using DO, I use a template:

{
%{~ for idx, routedomain in routedomains ~}
        "${routedomain}" : {
            "class" : "RouteDomain",
            "id" : ${format("%d",idx + 1)},
            "vlans" : []
        },
%{~ endfor ~}
}

and create the number of routedomains using the following code:
do_routedomains_template = replace(templatefile("${path.module}/do_routedomain.tftpl", { routedomains = var.partition_names }), "},}", "}}")

Then I merge this template with the actual DO configuration before pushing it to the F5.

The main issue here is the problem that yo normally use DO only once (at provisioning) and adding extra routedomains later on if a new partition needs to be generated needs to be either done manually or using a custom script. Hence the feature request.

The creation of the partition/tenant is tightly linked with this same situation. AS3 works similar. I use the following template to create the partitions using AS3:

{
%{~ for idx, partition in partitions ~} 
    "${partition}" : {
        "class" : "Tenant",
        "defaultRouteDomain" : ${format("%d",idx + 1)},
        "initial" : {
            "class" : "Application",
            "VS-initial" : {
           "class" : "Service_HTTP",
              "virtualAddresses" : [
                "1.2.3.4"
                ]
            }
        }
    },
%{~ endfor ~}
}

and in locals I use this code to generate the partitions before merging it with a simple empty AS3 file:
as3_partitions_template = replace(templatefile("${path.module}/as3_partitions.tftpl", { partitions = var.partition_names }), "},}", "}}")

I need to do this before the actual AS3 call with the configuration of the virtual servers because my vlan creation depends on the partition configuration. Being able to separate Route domains and Tenants/Partitions from AS3 and DO would therefor greatly enhance the flexibility of the code. Giving the oportunity to add new partitions with a new routedomain and its network interfaces.

[pr0c4]

Are there any plans to extend the terraform provider to support routedomain creation ?

[pgouband]

Hi @pr0c4,

Have you tried using DO?
https://clouddocs.f5.com/products/extensions/f5-declarative-onboarding/latest/schema-reference.html#routedomain

[pr0c4]

hello @pgouband,

Can I use DO for a brownfield ?
TF provider vs AS3/DO is more appealing because i can automate new stuff next to existing stuff.

I was thinking the logic of pool member attachment can be used for the vlan attachment to the route domain.

[pgouband]

Hi @pr0c4,

I was able to add a vlan and a route domain using Terraform (DO resource) on a BIG-IP device with a configuration but to keep the current configuration (vlans, self IP, ...), current config needs to be added in the DO declaration.

[pr0c4]

Thanks for the reply @pgouband. Can I just push a partial declaration of vlans and self-IPs or I would need to add all my F5 config in the DO declaration ? (AAA/SNMP/Syslog/HA....)

[pgouband]

Hi @pr0c4,

Partial declaration works. I tested quickly and HA is still working.
After applying the config, a sync will be asked by the device as the configuration has changed.

also if you try to push a declaration without the IP (and all the config needed - vlan for example) used for HA, an error message will appear:

Error: error while reading the response body :map[class:Result code:202 errors:[010713b1:3: Cannot delete IP (10.1.10.132) because it is used by the system state-mirroring (Primary Mirror Address) setting.] message:invalid config - rolling back status:ROLLING_BACK]

I suggest you test in a lab environment before testing in production

[pr0c4]

Hello,

Sorry for the late reply, I did not have time to work on this a lot.

I tried partial declarations on big-ip v15 with do 1.41.0 and it did not work, once i pasted some vlan and selfip it deleted the rest of the config( lab, so fine :) ) This means we could try for new deployments.

Unfortunately it seems i can't add vlans to the RD list (like described here.