Merge pull request #31 from codygreen/master

Milestone 0.1.2

Author: mjmenger

.gitignore

@@ -9,4 +9,9 @@
 *.tfvars
 
 # Terraform crash log
-**/crash.log
+**/crash.log
+
+# Go Tests
+**/vendor
+**/Gopkg.toml
+**/Gopkg.lock

.travis.yml

@@ -0,0 +1,23 @@
+language: go
+sudo: false
+
+go:
+- master
+
+branches:
+  only:
+    - master
+
+env:
+  - TF_INPUT=false TF_IN_AUTOMATION=true
+
+# Install terraform
+before_install:
+  - curl -sLo /tmp/terraform.zip https://releases.hashicorp.com/terraform/0.12.9/terraform_0.12.9_linux_amd64.zip
+  - unzip /tmp/terraform.zip -d /tmp
+  - mkdir -p ~/bin
+  - mv /tmp/terraform ~/bin
+  - export PATH="~/bin:$PATH"
+
+script: 
+  - go test -v -count=1 -timeout 30m ./...

README.md

@@ -1,37 +1,79 @@
 # AWS BIG-IP Terraform Module 
-Terraform module to deploy an F5 BIG-IP in AWS.  This module currently supports 1 and 3 nic deployments using the AWS Marketplace PAYG (pay-as-you-go) license.
+Terraform module to deploy an F5 BIG-IP in AWS.  This module currently supports 1 and 3 nic deployments and defaults to using the AWS Marketplace PAYG (pay-as-you-go) 200Mbps BEST license.  If you would like to use a bring your own license (BYOL) AMI the set the *f5_ami_search_name* variable accordingly.
 
 **NOTE:** You will need to accept the AWS Marketplace offer for your selected BIG-IP AMI.  
 **NOTE:** This code is provided for demonstration purposes and is not intended to be used for production deployments. 
 
+## Password Policy (New in 0.1.2)
+For security reasons the module no longer generates a random password that is stored in the Terraform state file. Instead, a password must be created in the AWS Secrets Manager and the Secret name must be supplied to the module.  For demonstration purposes, the examples show how to do this using an randomly generated password.
+
+## Dependencies
+This module requires that the user has created a password and stored it in the AWS Secret Manager before calling the module. For information on how to do this please refer to the [AWS Secret Manager docs](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html).
+
 ## Terraform Version
 This modules supports Terraform 0.12 and higher
 
-## Example 1-NIC Deployment
+## Examples
+We have provided some common deployment examples below.  However, if you would like to see full end-to-end examples with the creation of all required objects check out the [examples](https://github.com/f5devcentral/terraform-aws-bigip/tree/master/examples) folder in the [GitHub repository](https://github.com/f5devcentral/terraform-aws-bigip/).
+
+### Example 1-NIC Deployment PAYG
+```hcl
+module bigip {
+  source = "f5devcentral/bigip/aws"
+  version = "0.1.2"
+
+  prefix            = "bigip"
+  f5_instance_count = 1
+  ec2_key_name      = "my-key"
+  aws_secretmanager_secret_id = "my_bigip_password"
+  mgmt_subnet_security_group_ids = [sg-01234567890abcdef]
+  vpc_mgmt_subnet_ids = [subnet-01234567890abcdef]
+}
+```
+### Example 1-NIC Deployment BYOL
 ```hcl
 module bigip {
   source = "f5devcentral/bigip/aws"
+  version = "0.1.2"
 
   prefix            = "bigip"
   f5_instance_count = 1
   ec2_key_name      = "my-key"
+  aws_secretmanager_secret_id = "my_bigip_password"
   mgmt_subnet_security_group_ids = [sg-01234567890abcdef]
   vpc_mgmt_subnet_ids = [subnet-01234567890abcdef]
+  f5_ami_search_name = "F5 Networks BIGIP-14.0.1*BYOL*All Modules 1 Boot*"
 }
 ```
-## Example 3-NIC Deployment
+
+### Example 3-NIC Deployment PAYG
 ```hcl
 module bigip {
   source = "f5devcentral/bigip/aws"
+  version = "0.1.2"
 
   prefix            = "bigip"
   f5_instance_count = 1
   ec2_key_name      = "my-key"
+  aws_secretmanager_secret_id = "my_bigip_password"
   mgmt_subnet_security_group_ids = [sg-01234567890abcdef]
   public_subnet_security_group_ids = [sg-01234567890ghijkl]
   private_subnet_security_group_ids = [sg-01234567890mnopqr]
   vpc_mgmt_subnet_ids = [subnet-01234567890abcdef]
-  vpc_private_subnet_ids = [subnet-01234567890ghijkl]
-  vpc_mgmt_subnet_ids    = [subnet-01234567890mnopqr]
+  vpc_public_subnet_ids = [subnet-01234567890ghijkl]
+  vpc_private_subnet_ids    = [subnet-01234567890mnopqr]
 }
+```
+
+## Finding AWS Machine Images (AMI)
+If there is a specific F5 BIG-IP AMI you would like to use you can update the f5_ami_search_name variable to reflect the AMI name or name pattern you are looking for.
+
+Example to find F5 AMIs for PAYG 200Mbps BEST licensing:
+```bash
+aws ec2 describe-images --owners 679593333241 --filters "Name=name, Values=F5 Networks BIGIP-14.0.1-0.0.14* PAYG - Best 200Mbps*"
+```
+
+Example to find F5 AMIs for BYOL 200Mbps BEST licensing:
+```bash
+aws ec2 describe-images --owners 679593333241 --filters "Name=name, Values=F5 Networks BIGIP-14.0.1*BYOL*All Modules 1 Boot*"
 ```

examples/1_nic_with_new_vpc/README.md

@@ -1,5 +1,7 @@
 # New VPC with a 1-nic BIG-IP in each AZ
-This examples deploys a new VPC and builds a 1-nic BIG-IP in each availability zones
+This examples deploys a new VPC with subnets across 2 availability zones.  It also builds a 1-nic BIG-IP in each availability zone.
+
+**Note:** This example creates a random, temporary password for the BIG-IP which is stored in the Terraform state file.  This is not a good practice for production environments.  Ideally, you would use a random password generated by the AWS Secrets Manager.
 
 ## Usage
 To run this example run the following commands:

examples/1_nic_with_new_vpc/main.tf

@@ -1,5 +1,7 @@
 provider "aws" {
   region = local.region
+  # access_key = var.AccessKeyID
+  # secret_key = var.SecretAccessKey
 }
 
 #
@@ -9,6 +11,26 @@ resource "random_id" "id" {
   byte_length = 2
 }
 
+#
+# Create random password for BIG-IP
+#
+resource "random_password" "password" {
+  length           = 16
+  special          = true
+  override_special = "_%@"
+}
+
+#
+# Create Secret Store and Store BIG-IP Password
+#
+resource "aws_secretsmanager_secret" "bigip" {
+  name = format("%s-bigip-secret-%s", var.prefix, random_id.id.hex)
+}
+resource "aws_secretsmanager_secret_version" "bigip-pwd" {
+  secret_id     = aws_secretsmanager_secret.bigip.id
+  secret_string = random_password.password.result
+}
+
 #
 # Create the VPC 
 #
@@ -97,8 +119,9 @@ module bigip {
     local.prefix,
     random_id.id.hex
   )
-  f5_instance_count = length(local.azs)
-  ec2_key_name      = var.ec2_key_name
+  f5_instance_count           = length(local.azs)
+  ec2_key_name                = var.ec2_key_name
+  aws_secretmanager_secret_id = aws_secretsmanager_secret.bigip.id
   mgmt_subnet_security_group_ids = [
     module.web_server_sg.this_security_group_id,
     module.web_server_secure_sg.this_security_group_id,

examples/1_nic_with_new_vpc/outputs.tf

@@ -19,5 +19,11 @@ output "bigip_mgmt_port" {
 }
 # BIG-IP Password
 output "password" {
-  value = module.bigip.password
+  value     = random_password.password
+  sensitive = true
+}
+
+# BIG-IP Password Secret name
+output "aws_secretmanager_secret_name" {
+  value = aws_secretsmanager_secret.bigip.name
 }

examples/1_nic_with_new_vpc/variables.tf

@@ -6,3 +6,13 @@ variable "ec2_key_name" {
   description = "AWS EC2 Key name for SSH access"
   type        = string
 }
+
+# variable "AccessKeyID" {}
+
+# variable "SecretAccessKey" {}
+
+variable "prefix" {
+  description = "Prefix for resources created by this module"
+  type        = string
+  default     = "terraform-aws-bigip-1nic"
+}

examples/3_nic_with_new_vpc/README.md

@@ -0,0 +1,17 @@
+# New VPC with a 3-nic BIG-IP in each AZ
+This examples deploys a new VPC with subnets across 2 availability zones.  It also builds a 3-nic BIG-IP in each availability zone.
+
+**Note:** This example creates a random, temporary password for the BIG-IP which is stored in the Terraform state file.  This is not a good practice for production environments.  Ideally, you would use a random password generated by the AWS Secrets Manager.
+
+## Usage
+To run this example run the following commands:
+```bash
+terraform init
+terraform plan
+terraform apply --auto-approve 
+```
+
+**Note:** this examples deploys resources that will cost money.  Please run the following command to destroy your environment when finished:
+```bash
+terraform destroy --auto-approve
+```

examples/3_nic_with_new_vpc/main.tf

@@ -9,6 +9,26 @@ resource "random_id" "id" {
   byte_length = 2
 }
 
+#
+# Create random password for BIG-IP
+#
+resource "random_password" "password" {
+  length           = 16
+  special          = true
+  override_special = "_%@"
+}
+
+#
+# Create Secret Store and Store BIG-IP Password
+#
+resource "aws_secretsmanager_secret" "bigip" {
+  name = format("%s-bigip-secret-%s", var.prefix, random_id.id.hex)
+}
+resource "aws_secretsmanager_secret_version" "bigip-pwd" {
+  secret_id     = aws_secretsmanager_secret.bigip.id
+  secret_string = random_password.password.result
+}
+
 #
 # Create the VPC 
 #
@@ -98,8 +118,10 @@ module bigip {
     local.prefix,
     random_id.id.hex
   )
-  f5_instance_count = length(local.azs)
-  ec2_key_name      = var.ec2_key_name
+  f5_instance_count           = length(local.azs)
+  ec2_instance_type           = "m5.large"
+  ec2_key_name                = var.ec2_key_name
+  aws_secretmanager_secret_id = aws_secretsmanager_secret.bigip.id
   mgmt_subnet_security_group_ids = [
     module.web_server_secure_sg.this_security_group_id,
     module.ssh_secure_sg.this_security_group_id

examples/3_nic_with_new_vpc/outputs.tf

@@ -19,5 +19,11 @@ output "bigip_mgmt_port" {
 }
 # BIG-IP Password
 output "password" {
-  value = module.bigip.password
+  value     = random_password.password
+  sensitive = true
+}
+
+# BIG-IP Password Secret name
+output "aws_secretmanager_secret_name" {
+  value = aws_secretsmanager_secret.bigip.name
 }