Module puppetlabs/f5
Module description
Puppet Labs F5 module
Warning: this project is currently work in progress, pending sections are planned features.
Overview
The F5 module was written against F5 VE version 10.1.0.3341. F5 has released version 11 with several API changes, but has not yet released any hardware or software running version 11. This provider uses several version 10.1 APIs, so it is not expected to work with older F5 devices.
Thanks to the following contributor/testers for this module (outside of PuppetLabs employees):
- Bernard Nauwelaerts
- Brenton Leanhardt (brenton)
- Bret McMillan (bretm-rh)
- Matthew Carpenter
- Moshe Hyzon
- Scott Henson (shenson)
Installation and Usage
Since we cannot install a puppet agent directly on F5, it is managed through an intermediate proxy system running puppet agent, similar to Cisco devices. Requirements for the proxy system:
- Puppet 2.7.+
- F5 iControl gem
The following puppet manifest will deploy the f5 gem on the f5_proxy system and deploy the appropriate config:
node f5_proxy_system {
  include f5
  # Writes the device configuration (credentials and url) for this F5
  f5::config { "f5.puppetlabs.lan":
    username => 'admin',
    password => 'admin',
    url => 'f5.puppetlabs.lan',
    target => '/etc/puppetlabs/puppet/device/f5.puppetlabs.lan.conf'
  }
  # Run puppet device once an hour, at a per-host pseudo-random minute
  cron { "bigip":
    command => 'puppet device --deviceconfig /etc/puppetlabs/puppet/device/f5.puppetlabs.lan.conf',
    minute => fqdn_rand(60),
  }
}
- Create F5 Device configuration file in $confdir/device.conf (typically /etc/puppet/device.conf or /etc/puppetlabs/puppet/device.conf):
  [certname]
  type f5
  url https://username:password@address/
- F5 Partition support is added as part of device.conf (url.path of “” or “/” is interpreted as Common partition):
  url https://username:password@address/partition
- Create the corresponding node configuration on the puppet master site.pp:
  node f5.puppetlabs.lan {
    f5_rule { 'demo':
      ensure => 'present',
      definition => 'when HTTP_REQUEST {}',
    }
  }
- Execute puppet device command *:
  $ puppet device
- Currently to simplify testing we allow usage of custom puppet fact to query/configure f5 resources against a specific system *:
  $ FACTER_url=https://admin:admin@f5.puppetlabs.lan/ puppet resource f5_rule
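An added example, not part of the module: a Ruby check of a device.conf in the format shown above. It reports file modes that let other local users read the embedded credentials, non-https URLs and placeholder passwords, and resolves the partition from the URL path. The helper names and the placeholder-password list are assumptions made for this example.

```ruby
require 'uri'
require 'tempfile'

# Passwords treated as placeholders (constructed list for this example).
PLACEHOLDER_PASSWORDS = %w[admin password default changeme].freeze

# Parse device.conf text into { certname => { 'type' => ..., 'url' => ... } }.
def parse_device_conf(text)
  devices = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = devices[m[1]] = {}
    elsif current && (m = line.match(/\A(\S+)\s+(.+)\z/))
      current[m[1]] = m[2]
    end
  end
  devices
end

# Partition selected by the url path; "" or "/" means Common (per the README).
def partition_for(url)
  path = URI.parse(url).path.to_s.gsub(%r{\A/+|/+\z}, '')
  path.empty? ? 'Common' : path
end

# Return a list of findings for one device.conf file.
def audit_device_conf(path)
  findings = []
  mode = File.stat(path).mode & 0o777
  if (mode & 0o077) != 0
    findings << format('%s: mode %04o exposes the embedded credentials to other local users', path, mode)
  end
  parse_device_conf(File.read(path)).each do |certname, dev|
    next unless dev['type'] == 'f5'
    uri = URI.parse(dev['url'].to_s)
    findings << "#{certname}: url scheme is #{uri.scheme.inspect}, expected https" unless uri.scheme == 'https'
    if uri.password.nil?
      findings << "#{certname}: url carries no password"
    elsif uri.password == uri.user || PLACEHOLDER_PASSWORDS.include?(uri.password)
      findings << "#{certname}: placeholder password for user #{uri.user.inspect}"
    end
  end
  findings
end

# Constructed sample: the README's admin/admin URL in a world-readable file.
def demo_findings
  Tempfile.create('device.conf') do |f|
    f.write("[f5.puppetlabs.lan]\ntype f5\nurl https://admin:admin@f5.puppetlabs.lan/\n")
    f.flush
    File.chmod(0o644, f.path)
    audit_device_conf(f.path)
  end
end

puts demo_findings if __FILE__ == $PROGRAM_NAME
```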
Known Limitations
- puppet agent on the proxy system will only enforce the system catalog, and it will not enforce the network device catalog. Network devices should be scheduled via cron to run puppet device command with the appropriate flags.
- puppet device will run against all devices specified in device.conf. If they should not be applied simultaneously, maintain separate conf files for each f5 device and specify --deviceconfig.
- puppet resource attribute hash values will be squashed unless the following commit 23d5aeb or feature #9879 is included in puppet on the proxy server.
- Because pluginsync only supports custom facts/functions (#7316), all puppet commands need the appropriate RUBYLIB path (including puppet master):
  export RUBYLIB=/etc/puppet/modules/f5/lib/:$RUBYLIB
For more information see: http://www.puppetlabs.com/blog/puppet-network-device-management/
F5 Facts
Similar to Puppet 2.7 cisco devices, the F5 facts are not collected via facter, so please review $vardir/yaml/facts for F5 system information.
--- !ruby/object:Puppet::Node::Facts
expiration: 2011-08-19 10:26:54.779410 -07:00
name: bigip
values:
  clientversion: 2.7.2
  environment: production
  clientcert: bigip
  !ruby/sym _timestamp: 2011-08-19 09:56:55.077534 -07:00
  !ruby/sym annunciator_board_part_revision: ""
  !ruby/sym annunciator_board_serial: ""
  !ruby/sym chassis_serial: b500b9b79397
  !ruby/sym disk_free_/: 82 MB
  !ruby/sym disk_free_/config: 369 MB
  !ruby/sym disk_free_/shared: 1835 MB
  !ruby/sym disk_free_/usr: 301 MB
  !ruby/sym disk_free_/var/log: 1829 MB
  !ruby/sym disk_free_/var: 2219 MB
  !ruby/sym disk_size_/: 201 MB
  !ruby/sym disk_size_/config: 398 MB
  !ruby/sym disk_size_/shared: 2015 MB
  !ruby/sym disk_size_/usr: 1007 MB
  !ruby/sym disk_size_/var/log: 2015 MB
  !ruby/sym disk_size_/var: 2421 MB
  !ruby/sym domain: puppetlabs.lan
  !ruby/sym fqdn: f5.puppetlabs.lan
  !ruby/sym group_id: DefaultGroup
  !ruby/sym hardware_cache_size: 3072 KB
  !ruby/sym hardware_cores: "1"
  !ruby/sym hardware_cpu_mhz: "2654.616"
  !ruby/sym hardware_cpus: &id002 cpus
  !ruby/sym hardware_cpus_model: *id001
  !ruby/sym hardware_cpus_slot: "0"
  !ruby/sym hardwaremodel: i686
  !ruby/sym host_board_part_revision: ""
  !ruby/sym host_board_serial: ""
  !ruby/sym hostname: f5
  !ruby/sym macaddress: 00:0C:29:B7:93:97
  !ruby/sym marketing_name: Z99
  !ruby/sym model: &id001 Intel(R) Core(TM)2 Duo CPU P8800 @ 2.66GHz
  !ruby/sym name: *id002
  !ruby/sym os_release: 2.6.18-164.2.1.el5.1.0.f5app
  !ruby/sym os_version: "#1 SMP Sat Feb 6 00:16:40 PST 2010"
  !ruby/sym platform: Z99
  !ruby/sym product_category: Z99
  !ruby/sym pva_version: ""
  !ruby/sym slot: "0"
  !ruby/sym switch_board_part_revision: ""
  !ruby/sym switch_board_serial: ""
  !ruby/sym system_id: 568E1D2F-1974-0D1B-F952-4691FBEAE92D
  !ruby/sym system_name: Linux
  !ruby/sym timezone: PDT
  !ruby/sym uptime: 1 days
  !ruby/sym uptime_days: "1"
  !ruby/sym uptime_hours: "30"
  !ruby/sym uptime_seconds: "108141"
  !ruby/sym version: BIG-IP_v10.1.0
Appendix
Sample Puppet F5 manifests and usage notes where applicable. F5 API documentation: http://devcentral.f5.com/wiki/iControl.APIReference.ashx
f5_(key|certificate) content attribute accepts the certificate in PEM format:
-----BEGIN CERTIFICATE-----
MIICbDCCAdWgAwIBAgIBATANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDDApyYWlk
...
-----END CERTIFICATE-----
The certificate content can be embedded via file or template function:
f5_key { 'ca-key':
  ensure => 'present',
  content => file('/etc/puppet/ssl/ca_key.pem'),
  mode => 'MANAGEMENT_MODE_DEFAULT',
}
f5_certificate { 'ca-bundle':
  ensure => 'present',
  content => file('/etc/puppet/ssl/ca_bundle.pem'),
  mode => 'MANAGEMENT_MODE_DEFAULT',
}
Certificate comparison is performed via SHA-1 fingerprint, which is also logged in place of the actual certificate content:
notice: /Stage[main]//F5_certificate[ca-bundle]/content: content changed 'sha1(0197e53f31798d43eac830b8561887dae22fd5c2)' to 'sha1(39c2e7fa576e98431bbab66ca0cb14e01cb8bfe4)'
The f5_file resource is intended for f5_external_class to manage datagroup files. Performance in v10 is slow because the file must be downloaded to calculate its checksum. Content should be the string content of the file; internally the type converts it into an md5 checksum (in the example below the content comparison value is ‘md5(b8353824beaf868010d823cf128ecc97)’). f5_files are processed in 64KB chunks per F5 recommendation: http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/144/iControl-101–06–File-Transfer-APIs.aspx.
f5_file { '/config/addr.class':
  ensure => 'present',
  content => 'host 192.168.1.1,
host 192.168.1.2 := "host 2",
network 192.168.2.0/24,
network 192.168.3.0/24 := "network 2",',
}
f5_monitor { 'my_https':
  ensure => 'present',
  manual_resume_state => 'STATE_ENABLED',
  template_destination => ['ATYPE_STAR_ADDRESS_STAR_PORT', '*:*'],
  template_integer_property => { 'ITYPE_INTERVAL' => '5',
                                 'ITYPE_PROBE_INTERVAL' => '0',
                                 'ITYPE_PROBE_NUM_PROBES' => '0',
                                 'ITYPE_PROBE_NUM_SUCCESSES' => '0',
                                 'ITYPE_PROBE_TIMEOUT' => '0',
                                 'ITYPE_TIMEOUT' => '16',
                                 'ITYPE_TIME_UNTIL_UP' => '0',
                                 'ITYPE_UNSET' => '0',
                                 'ITYPE_UP_INTERVAL' => '0' },
  template_state => 'STATE_ENABLED',
  template_string_property => { 'STYPE_CIPHER_LIST' => 'DEFAULT:+SHA:+3DES:+kEDH',
                                'STYPE_CLIENT_CERTIFICATE' => '',
                                'STYPE_CLIENT_KEY' => '',
                                'STYPE_PASSWORD' => '',
                                'STYPE_RECEIVE' => '',
                                'STYPE_SEND' => 'GET /',
                                'STYPE_SSL_OPTIONS' => 'enabled',
                                'STYPE_USERNAME' => '' },
  template_transparent_mode => 'false',
  template_type => 'TTYPE_HTTPS',
}
f5_node { '192.168.1.1':
  ensure => 'present',
  connection_limit => '10',
  dynamic_ratio => '1',
  ratio => '1',
  screen_name => 'demo_node',
  session_enabled_state => 'STATE_ENABLED',
}
F5_pool resource notes:
- The member attribute is not order dependent; monitor_association is order dependent.
- The member attribute may contain addresses of the form A.B.C.D%ID, such as 192.168.1.1%0, where ID indicates the route domain (0 is common).
See F5 documentation: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos_management_guide101/tmos_route_domains.html
f5_pool { 'webserver':
  ensure => 'present',
  action_on_service_down => 'SERVICE_DOWN_ACTION_NONE',
  allow_nat_state => 'STATE_ENABLED',
  allow_snat_state => 'STATE_ENABLED',
  client_ip_tos => '65535',
  client_link_qos => '65535',
  gateway_failsafe_unit_id => '0',
  lb_method => 'LB_METHOD_ROUND_ROBIN',
  member => { '192.168.1.1:80' => { 'ratio' => '1',
                                    'dynamic_ratio' => '1',
                                    'priority' => '2',
                                    'connection_limit' => '0' },
              '192.168.1.2:80' => { 'ratio' => '1',
                                    'dynamic_ratio' => '1',
                                    'priority' => '1',
                                    'connection_limit' => '0' } },
  minimum_active_member => '0',
  minimum_up_member => '0',
  minimum_up_member_action => 'HA_ACTION_FAILOVER',
  minimum_up_member_enabled_state => 'STATE_DISABLED',
  monitor_association => { 'monitor_templates' => ['http', 'demo'],
                           'quorum' => '0',
                           'type' => 'MONITOR_RULE_TYPE_AND_LIST' },
  server_ip_tos => '65535',
  server_link_qos => '65535',
  simple_timeout => '0',
  slow_ramp_time => '10',
}
f5_rule { 'demo':
  ensure => 'present',
  definition => 'when HTTP_REQUEST {}',
}
f5_snat { 'nat':
  ensure => 'present',
  connection_mirror_state => 'STATE_DISABLED',
  original_address => ['0.0.0.0', '0.0.0.0'],
  source_port_behavior => 'SOURCE_PORT_PRESERVE',
  translation_target => ['SNAT_TYPE_TRANSLATION_ADDRESS', '10.10.10.10'],
  vlan => { 'state' => 'STATE_DISABLED',
            'vlans' => ['default'] },
}
f5_snatpool { 'nat_pool':
  ensure => 'present',
  member => ['1.1.1.1', '1.1.1.2'],
}
f5_snattranslationaddress { '1.1.1.1':
  ensure => 'present',
  arp_state => 'STATE_ENABLED',
  connection_limit => '0',
  enabled_state => 'STATE_ENABLED',
  ip_timeout => '4294967295',
  tcp_timeout => '4294967295',
  udp_timeout => '4294967295',
  unit_id => '1',
}
F5_virtualserver does not atomically change rules (F5 API limitation), so to reorder rule priority please use iRule priority, which can be modified in f5_rule. See: http://devcentral.f5.com/wiki/iRules.priority.ashx
f5_virtualserver { 'www':
  ensure => 'present',
  cmp_enable_mode => 'RESOURCE_TYPE_CMP_ENABLE_ALL',
  cmp_enabled_state => 'STATE_ENABLED',
  connection_limit => '5000000',
  connection_mirror_state => 'STATE_DISABLED',
  destination => '192.168.1.1:90',
  enabled_state => 'STATE_DISABLED',
  gtm_score => '0',
  protocol => 'PROTOCOL_TCP',
  profile => { 'http' => 'PROFILE_CONTEXT_TYPE_ALL',
               'oneconnect' => 'PROFILE_CONTEXT_TYPE_ALL' },
  rule => [ 'demo', 'demo2' ],
  snat_pool => 'alpha',
  snat_type => 'SNAT_TYPE_SNATPOOL',
  source_port_behavior => 'SOURCE_PORT_PRESERVE',
  translate_address_state => 'STATE_ENABLED',
  translate_port_state => 'STATE_ENABLED',
  type => 'RESOURCE_TYPE_POOL',
  vlan => { 'state' => 'STATE_DISABLED',
            'vlans' => ['default'] },
  wildmask => '255.255.255.255',
}
F5 datagroup consists of f5_string_class and f5_external_class. f5_external_class will autorequire the f5_file resources that match its file_name (fully qualified file path).
f5_string_class { 'default_accept_language':
  ensure => 'present',
  members => {'en' => '', 'ja' => '', 'zh-cn' => '', 'zh-tw' => ''},
}
f5_external_class { 'addr':
  ensure => 'present',
  data_separator => ':=',
  file_format => 'FILE_FORMAT_CSV',
  file_mode => 'FILE_MODE_TYPE_READ_WRITE',
  file_name => '/config/addr.class',
  type => 'CLASS_TYPE_ADDRESS',
}
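An added example, not part of the module: a Ruby pre-flight check for the address datagroup content passed to f5_file above. It parses host/network entries with the ':=' data_separator and rejects malformed addresses before they reach the device. The function names and the validation rules (no prefix on host entries, no host bits set on network entries) are assumptions of this example, not documented F5 behaviour.

```ruby
require 'ipaddr'

Entry = Struct.new(:kind, :address, :value)

# The f5_file content from the appendix example above.
ADDR_CLASS_SAMPLE = <<~CLASS
  host 192.168.1.1,
  host 192.168.1.2 := "host 2",
  network 192.168.2.0/24,
  network 192.168.3.0/24 := "network 2",
CLASS

# Return an error string for a bad address, or nil when it is acceptable.
def address_problem(kind, address)
  ip, prefix = address.split('/', 2)
  parsed = IPAddr.new(ip)
  if kind == 'host'
    return "host #{address} must not carry a prefix length" if prefix
  else
    return "network #{address} needs a prefix length" unless prefix
    network = IPAddr.new(address) # masks the address down to the network
    unless network == parsed
      return "network #{address} has host bits set (did you mean #{network}/#{prefix}?)"
    end
  end
  nil
rescue IPAddr::Error => e
  "#{address}: #{e.message}"
end

# Parse datagroup content into [entries, errors]; separator is the
# f5_external_class data_separator (':=' in the appendix example).
def parse_address_class(content, separator = ':=')
  sep = Regexp.escape(separator)
  line_re = /\A(host|network)\s+([^\s,]+)(?:\s*#{sep}\s*"([^"]*)")?\s*,?\z/
  entries = []
  errors = []
  content.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty?
    m = line_re.match(line)
    unless m
      errors << "line #{lineno}: unrecognised entry #{line.inspect}"
      next
    end
    kind, address, value = m.captures
    problem = address_problem(kind, address)
    if problem
      errors << "line #{lineno}: #{problem}"
    else
      entries << Entry.new(kind, address, value)
    end
  end
  [entries, errors]
end

if __FILE__ == $PROGRAM_NAME
  entries, errors = parse_address_class(ADDR_CLASS_SAMPLE)
  puts "#{entries.length} entries, #{errors.length} errors"
end
```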
Development
The following section applies to developers of this module only.
Testing
You will need to install the ‘f5-icontrol’ gem for most of the tests to work. This file is available in the ‘files’ section of this module.
gem install --no-ri files/f5-icontrol-10.2.0.2.gem
Release notes for version 0.3.0
PuppetLabs F5 version 0.3.0:
- Add F5 file type/provider support.
- Add F5 profilepersistence type/provider support.
- Add F5 datagroup string_class, external_class support.
- Add spec tests for most f5 types.
- Fix bug with f5 key/certificates where key/cert are bundled in same PEM.
- Fix bug with f5 cert bundles.
- Fix some facts value that were inaccessible.
- Fix F5_profileclientssl initializing f5 device during compilation.
- Update f5::config define type and template to support partition.
- Updated type documentation to match iControl API documentation.
Types
f5_certificate
Description
Manage F5 certificate.
Parameters
- name
The certificate name.
- real_content
Stores actual certificate PEM-formatted content.
- mode
The certificate management mode. An enumerated type that will describe what mode of key/cert management to use. Values can match
/^MANAGEMENT_MODE_(DEFAULT|WEBSERVER|EM|IQUERY|IQUERY_BIG3D)$/.
Properties
- ensure
F5 certificate resource state. Valid values are
present,absent.
- content
The certificate content in PEM format (sha1 fingerprint).
Providers
- f5_certificate
Manages f5 certificates
Default for
feature==posix.
f5_external_class
Description
Manages F5 External classes (datagroups)
Parameters
- name
The external class name.
Properties
- ensure
F5 External Class resource state. Valid values are
present,absent.
- file_format
The file format for the specified classes. This should only be called for external classes, since it does not make sense for non-external classes. Values can match
/^FILE_FORMAT_(UNKNOWN|CSV)$/.
- file_mode
The file modes for the specified classes. This should only be called for external classes, since it does not make sense for non-external classes. Values can match
/^FILE_MODE_(UNKNOWN|TYPE_READ|TYPE_READ_WRITE)$/.
- file_name
The file names for the specified classes. This should only be called for external classes, since it does not make sense for non-external classes.
- data_separator
The data separators for the specified classes. Values can match
/^[[:punct:][:space:]]+$/.
- type
The class types for the specified classes. Values can match
/^CLASS_TYPE_(UNDEFINED|ADDRESS|STRING|VALUE)$/.
Providers
- f5_external_class
Manages f5 String classes (datagroups)
Default for
feature==posix.
f5_file
Description
Manages F5 file.
Parameters
- path
The path to file on F5 device, must be absolute file path.
- real_content
The file’s real content.
Properties
- ensure
F5 file resource state. Valid values are
present,absent.
- content
The file content.
Providers
- f5_file
Manages f5 String classes (datagroups)
Default for
feature==posix.
f5_key
Description
Manage F5 key.
Parameters
- name
The key name.
- real_content
Stores actual key PEM-formatted content.
- mode
The key management mode. An enumerated type that will describe what mode of key/cert management to use. Values can match
/^MANAGEMENT_MODE_(DEFAULT|WEBSERVER|EM|IQUERY|IQUERY_BIG3D)$/.
Properties
- ensure
F5 key resource state. Valid values are
present,absent.
- content
The certificate key in PEM format (sha1 fingerprint).
Providers
- f5_key
Manages f5 cert
Default for
feature==posix.
f5_monitor
Description
Manage F5 monitor.
Parameters
- name
The monitor name.
- is_directly_usable
Determines if the specified monitor templates can be used directly, or a user-defined monitor based on each monitor must be created first before it can be used.
- is_read_only
Determines if the specified monitor templates are read-only. The user can only modify properties for read/write monitor templates.
- parent_template
The parent monitor templates from which the specified monitor templates are derived. A user-defined monitor template will get its defaults from its parent monitor template.
Properties
- ensure
F5 monitor resource state. Valid values are
present,absent.
- manual_resume_state
The monitor templates’ manual resume states. When enabled and a monitor has marked an object down, that object will not be marked up by the monitor, i.e. the object will be manually marked up. Values can match
/^STATE_(DISABLED|ENABLED)$/.
- template_destination
The destination IP:port values for the specified templates. NOTE: This should only be done when the monitor templates in ‘template_names’ have NOT been associated to any node addresses or pool members.
- template_integer_property
The integer property values of the specified monitor templates.
- template_state
The monitor templates’ enabled/disabled states. This will enable/disable all instances that use the specified templates. This serves as a quick and convenient method to enable/disable all instances, but if you want only to enable/disable a specific instance, use set_instance_enabled. Values can match
/^STATE_(DISABLED|ENABLED)$/.
- template_string_property
The string property values of the specified monitor templates.
- template_type
The template types of the specified monitor templates. Values can match
/^TTYPE_(UNSET|ICMP|TCP|TCP_ECHO|EXTERNAL|HTTP|HTTPS|NNTP|FTP|POP3|SMTP|MSSQL|GATEWAY|IMAP|RADIUS|LDAP|WMI|SNMP_DCA(|_BASE)|REAL_SERVER|UDP|NONE|ORACLE|SOAP|GATEWAY_ICMP|SIP|TCP_HALF_OPEN|SCRIPTED|WAP|RPC|SMB|SASP|MODULE_SCORE|FIREPASS|INBAND|RADIUS_ACCOUNTING|DIAMETER|VIRTUAL_LOCATION|MYSQL|POSTGRESQL)$/.
- template_transparent_mode
The monitor template transparent mode. Valid values are
true,false.
Providers
- f5_monitor
Manages f5 monitor
Default for
feature==posix.
f5_node
Description
Manage F5 node.
Parameters
- name
The node name. v9.0 API uses IP addresses, v11.0 API uses names. Values can match
/^[[:alpha:][:digit:]\.]+$/.
Properties
- ensure
F5 node resource state. Valid values are
present,absent.
- connection_limit
The connection limits for the specified node addresses. Values can match
/^\d+$/.
- dynamic_ratio
The dynamic ratios of the node addresses. Values can match
/^\d+$/.
- ratio
The ratios for the specified node addresses. Values can match
/^\d+$/.
- screen_name
The screen names for the specified node addresses.
- session_enabled_state
The states that allow new sessions to be established for the specified node addresses. Values can match
/^STATE_(DISABLED|ENABLED)$/.
Providers
- f5_node
Manages f5 node
Default for
feature==posix.
f5_pool
Description
Manage F5 pool.
Parameters
- name
The pool name.
- membership
Properties
- ensure
F5 pool resource state. Valid values are
present,absent.
- action_on_service_down
The action to take when the node goes down for the specified pools. Values can match
/^SERVICE_DOWN_ACTION_(NONE|RESET|DROP|RESELECT)$/.
- allow_nat_state
The states indicating whether NATs are allowed for the specified pool. Values can match
/^STATE_(DISABLED|ENABLED)$/.
- allow_snat_state
The states indicating whether SNATs are allowed for the specified pools. Values can match
/^STATE_(DISABLED|ENABLED)$/.
- client_ip_tos
The IP ToS values for client traffic for the specified pools. Values can match
/^\d+$/.
- client_link_qos
The link QoS values for client traffic for the specified pools. Values can match
/^\d+$/.
- gateway_failsafe_device
The gateway failsafe devices for the specified pools. (v11.0)
- gateway_failsafe_unit_id
The gateway failsafe unit IDs for the specified pools. (v9.0) Values can match
/^\d+$/.
- lb_method
The load balancing methods for the specified pools. Values can match
/^LB_METHOD_(ROUND_ROBIN|RATIO_MEMBER|LEAST_CONNECTION_MEMBER|OBSERVED_MEMBER|PREDICTIVE_MEMBER|RATIO_NODE_ADDRESS|LEAST_CONNECTION_NODE_ADDRESS|FASTEST_NODE_ADDRESS|OBSERVED_NODE_ADDRESS|PREDICTIVE_NODE_ADDESS|DYNAMIC_RATIO|FASTEST_APP_RESPONSE|LEAST_SESSIONS|DYNAMIC_RATIO_MEMBER|L3_ADDR|UNKNOWN|WEIGHTED_LEAST_CONNECTION_MEMBER|WEIGHTED_LEAST_CONNECTION_NODE_ADDRESS|RATIO_SESSION|RATIO_LEAST_CONNECTION_MEMBER|RATIO_LEAST_CONNECTION_NODE_ADDRESS)$/.
- member
The list of pool members.
- minimum_active_member
The minimum active member counts for the specified pools. Values can match
/^\d+$/.
- minimum_up_member
The minimum member counts that are required to be UP for the specified pools. Values can match
/^\d+$/.
- minimum_up_member_action
The actions to be taken if the minimum number of members required to be UP for the specified pools is not met.
- minimum_up_member_enabled_state
The states indicating that the feature that requires a minimum number of members to be UP is enabled/disabled for the specified pools.
- monitor_association
The monitor associations for the specified pools, i.e. the monitor rules used by the pools. The pool monitor association should be specified as a hash consisting of the following keys: { 'monitor_templates' => [], 'quorum' => '0', 'type' => 'MONITOR_RULE_TYPE_AND_LIST' }
- server_ip_tos
The IP ToS values for server traffic for the specified pools. Values can match
/^\d+$/.
- server_link_qos
The link QoS values for server traffic for the specified pools. Values can match
/^\d+$/.
- simple_timeout
The simple timeouts for the specified pools. Values can match
/^\d+$/.
- slow_ramp_time
The ramp-up time (in seconds) to gradually ramp up the load on newly added or freshly detected UP pool members. Values can match
/^\d+$/.
Providers
- f5_pool
Manages f5 pool
Default for
feature==posix.
f5_profileclientssl
Description
Manage F5 Client SSL profiles.
Parameters
- name
The Client SSL profile name.
Properties
- ensure
Add or delete Client SSL profile. Valid values are
present,absent.
- certificate_file
The certificate filenames to be used by BIG-IP acting as an SSL server.
- key_file
The key filenames to be used by BIG-IP acting as an SSL server. If a full path is not specified, the file name is relative to /config/ssl/ssl.key.
- ca_file
The CA to use to validate client certificates
- client_certificate_ca_file
The CA to use to validate client certificates
- peer_certification_mode
The peer certification modes for the specified client SSL profiles.
Providers
- f5_profileclientssl
Manages f5 device clientssl profile
Default for
feature==posix.
f5_profilepersistence
Description
Manage F5 persistence profiles.
Parameters
- name
The persistence profile name.
Properties
- ensure
F5 profilepersistence resource state. Valid values are
present,absent.
- across_pool_state
The states to indicate whether persistence entries added under this profile are available across pools. (v9.0)
- across_service_state
The states to indicate whether persistence entries added under this profile are available across services. (v9.0)
- across_virtual_state
The states to indicate whether persistence entries added under this profile are available across virtuals. (v9.0)
- cookie_expiration
The cookie expiration in seconds for the specified Persistence profiles. Applicable when persistence mode is PERSISTENCE_MODE_COOKIE. (v9.0)
- cookie_hash_length
The cookie hash lengths for the specified profiles. Applicable when persistence mode is PERSISTENCE_MODE_COOKIE, and cookie persistence method is COOKIE_PERSISTENCE_METHOD_HASH. (v9.0)
- cookie_hash_offset
The cookie hash offsets for the specified profiles. Applicable when persistence mode is PERSISTENCE_MODE_COOKIE, and cookie persistence method is COOKIE_PERSISTENCE_METHOD_HASH. (v9.0)
- cookie_name
The cookie names for the specified Persistence profiles. Applicable when persistence mode is PERSISTENCE_MODE_COOKIE. (v9.0)
- cookie_persistence_method
The cookie persistence methods to be used when in cookie persistence mode. Applicable when persistence mode is PERSISTENCE_MODE_COOKIE. (v9.0)
- default_profile
The names of the default profiles from which the specified profiles will derive default values for its attributes. (v9.0)
- description
The descriptions for a set of persistence profiles. (v11.0)
- ending_hash_pattern
The pattern marking the end of the section of payload data whose hashed value is used for the persistence value for a set of persistence profiles. This only returns useful values if the persistence mode is PERSISTENCE_MODE_HASH and the hash method is PERSISTENCE_HASH_CARP. (v10.1)
- hash_length
The length of payload data whose hashed value is used for the persistence value for a set of persistence profiles. This only returns useful values if the persistence mode is PERSISTENCE_MODE_HASH and the hash method is PERSISTENCE_HASH_CARP. (v10.1)
- hash_method
The hash method used to generate the persistence values for a set of persistence profiles. This only returns useful values if the persistence mode is PERSISTENCE_MODE_HASH. (v10.1)
- hash_more_data_state
The enabled state whether to perform another hash operation after the current hash operation completes for a set of persistence profiles. This only returns useful values if the persistence mode is PERSISTENCE_MODE_HASH and the hash method is PERSISTENCE_HASH_CARP. (v10.1)
- hash_offset
The offset to the start of the payload data whose hashed value is used as the persistence value for a set of persistence profiles. This only returns useful values if the persistence mode is PERSISTENCE_MODE_HASH and the hash method is PERSISTENCE_HASH_CARP. (v10.1)
- map_proxy_address
The proxy map address used when map proxies state is enabled on source address persistence mode. (v11.0)
- map_proxy_class
The proxy map IP address class/datagroup name used when map known proxies state is enabled on source address persistence mode. (v11.0)
- map_proxy_state
The states to indicate whether to map known proxies when the persistence mode is source address affinity. (v9.0)
- mask
The masks used in either simple or sticky persistence mode. (v9.0)
- maximum_hash_buffer_size
The maximum size of the buffer used to hold the section of the payload data whose hashed value is used for the persistence value for a set of persistence values. This only returns useful values if the persistence mode is PERSISTENCE_MODE_HASH and the hash method is PERSISTENCE_HASH_CARP. (v10.1)
- mirror_state
The mirror states for the specified Persistence profiles. (v9.0)
- msrdp_without_session_directory_state
The states to indicate whether MS terminal services have been configured without a session directory for the specified Persistence profiles. (v9.0)
- override_connection_limit_state
The state indicating, when enabled, that the pool member connection limits are not enforced for persisted clients. (v11.0)
- persistence_mode
The persistence modes for the specified Persistence profiles. (v9.0)
- rule
The UIE rules for the specified Persistence profiles. Applicable when persistence mode is PERSISTENCE_MODE_UIE. (v9.0)
- sip_info
The sip_info headers for the specified Persistence profiles. Applicable when persistence mode is PERSISTENCE_MODE_SIP. (v9.4.2)
- starting_hash_pattern
The pattern marking the start of the section of payload data whose hashed value is used for the persistence value for a set of persistence profiles. This only returns useful values if the persistence mode is PERSISTENCE_MODE_HASH and the hash method is PERSISTENCE_HASH_CARP. (v10.1)
- timeout
The timeout for the specified Persistence profiles. The number of seconds to timeout a persistence entry. (v9.0)
Providers
- f5_profilepersistence
Manages f5 profilepersistence
Default for
feature==posix.
f5_rule
Description
Manage F5 rule.
Parameters
- name
The rule name.
Properties
- ensure
F5 rule resource state. Valid values are
present,absent.
- definition
The rule definition.
Providers
- f5_rule
Manages f5 pool
Default for
feature==posix.
f5_snat
Description
Manage F5 snat.
Parameters
- name
The snat name.
Properties
- ensure
F5 snat resource state. Valid values are
present,absent.
- connection_mirror_state
The connection mirror states for the specified SNATs. Values can match
/^STATE_(DISABLED|ENABLED)$/.
- original_address
The list of original client addresses used to filter the traffic to the SNATs.
- source_port_behavior
The source port behavior for the specified SNATs. Values can match
/^SOURCE_PORT_(PRESERVE|PRESERVE_STRICT|CHANGE)$/.
- translation_target
The translation targets for the specified SNATs. If the target type is SNAT_TYPE_AUTOMAP, then the translation object should be empty.
- vlan
The list of VLANs on which access to the specified SNATs is disabled/enabled.
Providers
- f5_snat
Manages f5 snat
Default for
feature==posix.
f5_snatpool
Description
Manage F5 snatpool.
Parameters
- name
The snatpool name.
- membership
Properties
- ensure
F5 snatpool resource state. Valid values are
present,absent.
- member
The list of members belonging to the specified SNAT pools.
Providers
- f5_snatpool
Manages f5 snatpool
Default for
feature==posix.
f5_snattranslationaddress
Description
Manage F5 snat translation address.
Parameters
- name
The snat translation address name.
Properties
- ensure
F5 snattranslationaddress resource state. Valid values are
present,absent.
- arp_state
The ARP states for the specified translation SNAT address. Values can match
/^STATE_(DISABLED|ENABLED)$/.
- connection_limit
The connection limits of the specified original SNAT translation address. Values can match
/^\d+$/.
- enabled_state
The state of a SNAT translation address. Values can match
/^STATE_(DISABLED|ENABLED)$/.
- ip_timeout
The IP idle timeouts of the specified SNAT translation address. Values can match
/^\d+$/.
- tcp_timeout
The TCP idle timeouts of the specified SNAT translation address. Values can match
/^\d+$/.
- udp_timeout
The UDP idle timeouts of the specified SNAT translation addresses. Values can match
/^\d+$/.
- unit_id
The unit IDs for the specified translation SNAT address. Values can match
/^\d+$/.
Providers
- f5_snattranslationaddress
Manages f5 snattranslationaddress
Default for
feature==posix.
f5_string_class
Description
Manages F5 String classes (datagroups)
Parameters
- name
The string class name.
Properties
- ensure
F5 String Class resource state. Valid values are
present,absent.
- members
The string class members.
Providers
- f5_string_class
Manages f5 String classes (datagroups)
Default for
feature==posix.
f5_virtualserver
Description
Manage F5 virtualserver.
Parameters
- name
The virtual server name.
Properties
- ensure
Add or delete virtualserver. Valid values are
present,absent.
- clone_pool
The virtual server clone pool.
- cmp_enabled_state
The virtual server cmp enable state. Values can match
/^STATE_(DISABLED|ENABLED)$/.
- connection_limit
The virtual server connection limit. Values can match
/^\d+$/.
- connection_mirror_state
The virtual server connection mirror state. Values can match
/^STATE_(DISABLED|ENABLED)$/.
- default_pool_name
The virtual server default pool name.
- destination
The virtual server destination virtual address and port.
- enabled_state
The virtual server state.
- fallback_persistence_profile
The virtual server fallback persistent profile.
- gtm_score
The virtual server gtm score.
- last_hop_pool
The virtual server last hop pool.
- nat64_state
The virtual server nat64 state. Values can match
/^STATE_(DISABLED|ENABLED)$/.
- protocol
The virtual server protocol. Values can match
/^PROTOCOL_(ANY|IPV6|ROUTING|NONE|FRAGMENT|DSTOPTS|TCP|UDP|ICMP|ICMPV6|OSPF|SCTP)$/.
- rate_class
The virtual server rate class.
- persistence_profile
The virtual server persistence profiles.
- profile
The virtual server profiles.
- rule
The virtual server rules. The rule order isn’t enforced since the F5 API does not provide the ability to reorder rules; use iRule priority to dictate rule processing order.
- snat_type
The virtual server snat type. Values can match
/^SNAT_TYPE_(NONE|TRANSLATION_ADDRESS|SNATPOOL|AUTOMAP)$/.
- snat_pool
Virtual server snat_pool.
- source_port_behavior
The virtual server source port behavior. Values can match
/^SOURCE_PORT_(PRESERVE|PRESERVE_STRICT|CHANGE)$/.
- translate_address_state
The virtual server translate address state. Values can match
/^STATE_(DISABLED|ENABLED)$/.
- translate_port_state
The virtual server translate port state. Values can match
/^STATE_(DISABLED|ENABLED)$/.
- type
The virtual server type. Values can match
/^RESOURCE_TYPE_(POOL|IP_FORWARDING|L2_FORWARDING|REJECT|FAST_L4|FAST_HTTP|STATELESS)$/.
- vlan
The virtual server vlan.
- wildmask
The virtual server wildmask.
Providers
- f5_virtualserver
Manages f5 device
Default for
feature==posix.