{
"AWSTemplateFormatVersion": "2010-09-09",
"Conditions": {
"noCustomImageId": {
"Fn::Equals": [
"OPTIONAL",
{
"Ref": "customImageId"
}
]
},
"noSkuKeyword1": {
"Fn::Equals": [
"OPTIONAL",
{
"Ref": "bigIqLicenseSkuKeyword1"
}
]
},
"noUnitOfMeasure": {
"Fn::Equals": [
"OPTIONAL",
{
"Ref": "bigIqLicenseUnitOfMeasure"
}
]
},
"optin": {
"Fn::Equals": [
"Yes",
{
"Ref": "allowUsageAnalytics"
}
]
}
},
"Description": "Template v4.1.4: AWS CloudFormation Template for creating a Same-AZ cluster of 3NIC BIG-IPs in an existing VPC **WARNING** This template creates Amazon EC2 Instances. You will be billed for the AWS resources used if you create a stack from this template.",
"Mappings": {
"BigipRegionMap": {
"ap-northeast-1": {
"AllOneBootLocation": "ami-113f42fc",
"AllTwoBootLocations": "ami-dc3f4231",
"LTMOneBootLocation": "ami-893d4064",
"LTMTwoBootLocations": "ami-15cdbff8"
},
"ap-northeast-2": {
"AllOneBootLocation": "ami-04eb9812dfb6c904a",
"AllTwoBootLocations": "ami-0951d036eadafbbf8",
"LTMOneBootLocation": "ami-095ed980984e47567",
"LTMTwoBootLocations": "ami-08e74bef43b50496f"
},
"ap-south-1": {
"AllOneBootLocation": "ami-08fc42da3ff3a2d67",
"AllTwoBootLocations": "ami-0ff0591a2d8bae0fe",
"LTMOneBootLocation": "ami-06a5e9d07a87628e2",
"LTMTwoBootLocations": "ami-04cedf27cf408c6fd"
},
"ap-southeast-1": {
"AllOneBootLocation": "ami-36e5a6dc",
"AllTwoBootLocations": "ami-28e6a5c2",
"LTMOneBootLocation": "ami-5ae6a5b0",
"LTMTwoBootLocations": "ami-23e5a6c9"
},
"ap-southeast-2": {
"AllOneBootLocation": "ami-e15bfa83",
"AllTwoBootLocations": "ami-64208106",
"LTMOneBootLocation": "ami-7e23821c",
"LTMTwoBootLocations": "ami-47238225"
},
"ca-central-1": {
"AllOneBootLocation": "ami-2151dc45",
"AllTwoBootLocations": "ami-7153de15",
"LTMOneBootLocation": "ami-0953de6d",
"LTMTwoBootLocations": "ami-0b53de6f"
},
"eu-central-1": {
"AllOneBootLocation": "ami-a2989449",
"AllTwoBootLocations": "ami-6d999586",
"LTMOneBootLocation": "ami-4c9995a7",
"LTMTwoBootLocations": "ami-a098944b"
},
"eu-west-1": {
"AllOneBootLocation": "ami-5317f6be",
"AllTwoBootLocations": "ami-e919f804",
"LTMOneBootLocation": "ami-f20dec1f",
"LTMTwoBootLocations": "ami-ff16f712"
},
"eu-west-2": {
"AllOneBootLocation": "ami-10b14477",
"AllTwoBootLocations": "ami-07b14460",
"LTMOneBootLocation": "ami-f4b44193",
"LTMTwoBootLocations": "ami-f1b44196"
},
"eu-west-3": {
"AllOneBootLocation": "ami-0146d8cbed1025718",
"AllTwoBootLocations": "ami-059c37dcf60b81393",
"LTMOneBootLocation": "ami-0fa9facfb67630f1f",
"LTMTwoBootLocations": "ami-02202cb0faa252f9e"
},
"sa-east-1": {
"AllOneBootLocation": "ami-00b63cf358955934b",
"AllTwoBootLocations": "ami-0fd5a3951f725ef2e",
"LTMOneBootLocation": "ami-03ef0413d10698b8f",
"LTMTwoBootLocations": "ami-07fd80ef7f2003570"
},
"us-east-1": {
"AllOneBootLocation": "ami-58c3d327",
"AllTwoBootLocations": "ami-39c8d846",
"LTMOneBootLocation": "ami-8acedef5",
"LTMTwoBootLocations": "ami-8ecfdff1"
},
"us-east-2": {
"AllOneBootLocation": "ami-2b4e4b4e",
"AllTwoBootLocations": "ami-334d4856",
"LTMOneBootLocation": "ami-a84d48cd",
"LTMTwoBootLocations": "ami-294e4b4c"
},
"us-gov-west-1": {
"AllOneBootLocation": "ami-72059813",
"AllTwoBootLocations": "ami-557ce134",
"LTMOneBootLocation": "ami-0d14896c",
"LTMTwoBootLocations": "ami-04059865"
},
"us-west-1": {
"AllOneBootLocation": "ami-a24ea2c1",
"AllTwoBootLocations": "ami-a04ea2c3",
"LTMOneBootLocation": "ami-aa4ea2c9",
"LTMTwoBootLocations": "ami-144ea277"
},
"us-west-2": {
"AllOneBootLocation": "ami-414e6b39",
"AllTwoBootLocations": "ami-8f5f7af7",
"LTMOneBootLocation": "ami-2355705b",
"LTMTwoBootLocations": "ami-245a7f5c"
}
}
},
"Metadata": {
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {
"default": "NETWORKING CONFIGURATION"
},
"Parameters": [
"Vpc",
"managementSubnetAz1",
"managementSubnetAz2",
"subnet1Az1",
"subnet1Az2",
"subnet2Az1",
"subnet2Az2",
"availabilityZone1",
"availabilityZone2",
"numberOfAdditionalNics",
"additionalNicLocation"
]
},
{
"Label": {
"default": "INSTANCE CONFIGURATION"
},
"Parameters": [
"imageName",
"customImageId",
"instanceType",
"applicationInstanceType",
"licenseKey1",
"licenseKey2",
"managementGuiPort",
"sshKey",
"restrictedSrcAddress",
"restrictedSrcAddressApp",
"ntpServer",
"timezone"
]
},
{
"Label": {
"default": "TAGS"
},
"Parameters": [
"application",
"environment",
"group",
"owner",
"costcenter"
]
},
{
"Label": {
"default": "BIG-IQ LICENSING CONFIGURATION"
},
"Parameters": [
"bigIqAddress",
"bigIqUsername",
"bigIqPasswordS3Arn",
"bigIqLicensePoolName",
"bigIqLicenseUnitOfMeasure",
"bigIqLicenseSkuKeyword1"
]
},
{
"Label": {
"default": "TEMPLATE ANALYTICS"
},
"Parameters": [
"allowUsageAnalytics"
]
},
{
"Label": {
"default": "VIRTUAL SERVICE CONFIGURATION"
},
"Parameters": [
"declarationUrl"
]
}
],
"ParameterLabels": {
"Vpc": {
"default": "VPC"
},
"additionalNicLocation": {
"default": "Additional NIC Location"
},
"allowUsageAnalytics": {
"default": "Send Anonymous Statistics to F5"
},
"application": {
"default": "Application"
},
"applicationInstanceType": {
"default": "Application Instance Type"
},
"availabilityZone1": {
"default": "Availability Zone 1"
},
"availabilityZone2": {
"default": "Availability Zone 2"
},
"bigIqAddress": {
"default": "BIG-IQ address (private)"
},
"bigIqLicensePoolName": {
"default": "BIG-IQ License Pool Name"
},
"bigIqLicenseSkuKeyword1": {
"default": "BIG-IQ SKU Keyword 1"
},
"bigIqLicenseUnitOfMeasure": {
"default": "BIG-IQ Unit Of Measure"
},
"bigIqPasswordS3Arn": {
"default": "S3 ARN of the BIG-IQ Password File"
},
"bigIqUsername": {
"default": "BIG-IQ user with Licensing Privileges"
},
"costcenter": {
"default": "Cost Center"
},
"customImageId": {
"default": "Custom Image Id"
},
"declarationUrl": {
"default": "AS3 Declaration URL"
},
"environment": {
"default": "Environment"
},
"group": {
"default": "Group"
},
"imageName": {
"default": "BIG-IP Image Name"
},
"instanceType": {
"default": "AWS Instance Size"
},
"licenseKey1": {
"default": "License Key 1"
},
"licenseKey2": {
"default": "License Key 2"
},
"managementGuiPort": {
"default": "BIG-IP Management Port"
},
"managementSubnetAz1": {
"default": "Management Subnet AZ1"
},
"managementSubnetAz2": {
"default": "Management Subnet AZ2"
},
"ntpServer": {
"default": "NTP Server"
},
"numberOfAdditionalNics": {
"default": "Number Of Additional NICs"
},
"owner": {
"default": "Owner"
},
"restrictedSrcAddress": {
"default": "Source Address(es) for Management Access"
},
"restrictedSrcAddressApp": {
"default": "Source Address(es) for Web Application Access (80/443)"
},
"sshKey": {
"default": "SSH Key"
},
"subnet1Az1": {
"default": "Subnet1 in AZ1"
},
"subnet1Az2": {
"default": "Subnet1 in AZ2"
},
"subnet2Az1": {
"default": "Subnet2 in AZ1"
},
"subnet2Az2": {
"default": "Subnet2 in AZ2"
},
"timezone": {
"default": "Timezone (Olson)"
}
}
},
"Version": "4.1.4"
},
"Outputs": {
"Bigip1ExternalInterfacePrivateIp": {
"Description": "Internally routable IP of the public interface on BIG-IP",
"Value": {
"Fn::GetAtt": [
"Bigip1subnet1Az1Interface",
"PrimaryPrivateIpAddress"
]
}
},
"Bigip1InstanceId": {
"Description": "Instance Id of BIG-IP in Amazon",
"Value": {
"Ref": "Bigip1Instance"
}
},
"Bigip1InternalInterface": {
"Description": "Internal interface ID on BIG-IP",
"Value": {
"Ref": "Bigip1InternalInterface"
}
},
"Bigip1InternalInterfacePrivateIp": {
"Description": "Internally routable IP of internal interface on BIG-IP",
"Value": {
"Fn::GetAtt": [
"Bigip1InternalInterface",
"PrimaryPrivateIpAddress"
]
}
},
"Bigip1subnet1Az1Interface": {
"Description": "External interface Id on BIG-IP",
"Value": {
"Ref": "Bigip1subnet1Az1Interface"
}
},
"Bigip2ExternalInterfacePrivateIp": {
"Description": "Internally routable IP of the public interface on BIG-IP",
"Value": {
"Fn::GetAtt": [
"Bigip2subnet1Az1Interface",
"PrimaryPrivateIpAddress"
]
}
},
"Bigip2InstanceId": {
"Description": "Instance Id of BIG-IP in Amazon",
"Value": {
"Ref": "Bigip2Instance"
}
},
"Bigip2InternalInterface": {
"Description": "Internal interface ID on BIG-IP",
"Value": {
"Ref": "Bigip2InternalInterface"
}
},
"Bigip2InternalInterfacePrivateIp": {
"Description": "Internally routable IP of internal interface on BIG-IP",
"Value": {
"Fn::GetAtt": [
"Bigip2InternalInterface",
"PrimaryPrivateIpAddress"
]
}
},
"Bigip2subnet1Az1Interface": {
"Description": "External interface Id on BIG-IP",
"Value": {
"Ref": "Bigip2subnet1Az1Interface"
}
},
"availabilityZone1": {
"Description": "Availability Zone",
"Value": {
"Fn::GetAtt": [
"Bigip1Instance",
"AvailabilityZone"
]
}
},
"availabilityZone2": {
"Description": "Availability Zone",
"Value": {
"Fn::GetAtt": [
"Bigip2Instance",
"AvailabilityZone"
]
}
},
"bigipExternalSecurityGroup": {
"Description": "Public or External Security Group",
"Value": {
"Ref": "bigipExternalSecurityGroup"
}
},
"bigipInternalSecurityGroup": {
"Description": "Private or Internal Security Group",
"Value": {
"Ref": "bigipInternalSecurityGroup"
}
},
"bigipManagementSecurityGroup": {
"Description": "Management Security Group",
"Value": {
"Ref": "bigipManagementSecurityGroup"
}
}
},
"Parameters": {
"Vpc": {
"ConstraintDescription": "This must be an existing VPC within the working region.",
"Type": "AWS::EC2::VPC::Id"
},
"allowUsageAnalytics": {
"AllowedValues": [
"Yes",
"No"
],
"Default": "Yes",
"Description": "This deployment can send anonymous statistics to F5 to help us determine how to improve our solutions. If you select **No** statistics are not sent.",
"Type": "String"
},
"application": {
"Default": "f5app",
"Description": "Name of the Application Tag",
"Type": "String"
},
"bigIqAddress": {
"ConstraintDescription": "Verify the private IP address of the BIG-IQ device that contains the pool of licenses",
"Description": "Private IP address of the BIG-IQ device that contains the pool of BIG-IP licenses",
"MaxLength": "255",
"MinLength": "1",
"Type": "String"
},
"bigIqLicensePoolName": {
"ConstraintDescription": "Verify the Name of BIG-IQ License Pool",
"Description": "Name of the pool on BIG-IQ that contains the BIG-IP licenses",
"MaxLength": "255",
"MinLength": "1",
"Type": "String"
},
"bigIqLicenseSkuKeyword1": {
"ConstraintDescription": "Verify the BIG-IQ license filter to use for sku keyword 1",
"Default": "OPTIONAL",
"Description": "The BIG-IQ license filter (based on SKU keyword) you want to use for licensing the BIG-IPs from the BIG-IQ, for example LTM, BR, BT, ASM or LTMASM. Note: This is only required when licensing with an ELA/subscription (utility) pool on the BIG-IQ, if not using this pool type leave the default of OPTIONAL.",
"MaxLength": "255",
"MinLength": "1",
"Type": "String"
},
"bigIqLicenseUnitOfMeasure": {
"ConstraintDescription": "Verify the BIG-IQ License Unit Of Measure",
"Default": "OPTIONAL",
"Description": "The BIG-IQ license unit of measure to use during BIG-IP licensing via BIG-IQ, for example yearly, monthly, daily or hourly. Note: This is only required when licensing with an ELA/subscription (utility) pool on the BIG-IQ, if not using this pool type leave the default of OPTIONAL.",
"MaxLength": "255",
"MinLength": "1",
"Type": "String"
},
"bigIqPasswordS3Arn": {
"ConstraintDescription": "Verify the S3 ARN of BIG-IQ Password file",
"Description": "S3 ARN of the BIG-IQ Password file. e.g. arn:aws:s3:::bucket_name/full_path_to_file for public regions. For GovCloud (US) region, start with arn:aws-us-gov:s3. For China region, start with arn:aws-cn:s3.",
"MaxLength": "255",
"MinLength": "1",
"Type": "String"
},
"bigIqUsername": {
"ConstraintDescription": "Verify the BIG-IQ user with privileges to license BIG-IP. Can be Admin, Device Manager, or Licensing Manager",
"Description": "BIG-IQ user with privileges to license BIG-IP. Must be 'Admin', 'Device Manager', or 'Licensing Manager'",
"MaxLength": "255",
"MinLength": "1",
"Type": "String"
},
"costcenter": {
"Default": "f5costcenter",
"Description": "Name of the Cost Center Tag",
"Type": "String"
},
"customImageId": {
"ConstraintDescription": "Must be a valid AMI Id",
"Default": "OPTIONAL",
"Description": "If you would like to deploy using a custom BIG-IP image, provide the AMI Id. **Note**: Unless specifically required, leave the default of **OPTIONAL**",
"MaxLength": 255,
"MinLength": 1,
"Type": "String"
},
"declarationUrl": {
"AllowedPattern": "^(http:\\/\\/|https:\\/\\/)?[a-z0-9]+([\\-\\.]{1}[a-z0-9]+)*\\.[a-z]{2,5}(:[0-9]{1,5})?(\\/.*)?$|^none$",
"Default": "none",
"Description": "URL for the AS3 declaration JSON file to be deployed. Leave as **none** to deploy without a service configuration.",
"Type": "String"
},
"environment": {
"Default": "f5env",
"Description": "Name of the Environment Tag",
"Type": "String"
},
"group": {
"Default": "f5group",
"Description": "Name of the Group Tag",
"Type": "String"
},
"imageName": {
"AllowedValues": [
"AllTwoBootLocations",
"LTMTwoBootLocations"
],
"ConstraintDescription": "Must be a valid F5 BIG-IP VE image type",
"Default": "AllTwoBootLocations",
"Description": "Image names starting with All have all BIG-IP modules available. Image names starting with LTM have only the LTM module available. Use Two Boot Locations if you expect to upgrade the BIG-IP VE in the future (the Two Boot Location options are only applicable to BIG-IP v13.1.1 or later).",
"Type": "String"
},
"instanceType": {
"AllowedValues": [
"m5.xlarge",
"m5.4xlarge",
"m5.large",
"m5.12xlarge",
"m4.xlarge",
"m4.large",
"m4.4xlarge",
"m4.2xlarge",
"m4.16xlarge",
"m4.10xlarge",
"m3.xlarge",
"m3.medium",
"m3.large",
"m3.2xlarge",
"cc2.8xlarge",
"c5.xlarge",
"c5.large",
"c5.4xlarge",
"c5.9xlarge",
"c4.xlarge",
"c4.8xlarge",
"c4.4xlarge",
"c4.2xlarge",
"c3.xlarge",
"c3.8xlarge",
"c3.4xlarge",
"c3.2xlarge"
],
"ConstraintDescription": "Must be a valid EC2 instance type for BIG-IP",
"Default": "m5.xlarge",
"Description": "Size of the F5 BIG-IP Virtual Instance",
"Type": "String"
},
"managementSubnetAz1": {
"ConstraintDescription": "The subnet ID must be within an existing VPC",
"Description": "Management Subnet ID",
"Type": "AWS::EC2::Subnet::Id"
},
"ntpServer": {
"Default": "0.pool.ntp.org",
"Description": "NTP server for this implementation",
"Type": "String"
},
"owner": {
"Default": "f5owner",
"Description": "Name of the Owner Tag",
"Type": "String"
},
"restrictedSrcAddress": {
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "Must be a valid IP CIDR range of the form x.x.x.x/x.",
"Description": " The IP address range used to SSH and access managment GUI on the EC2 instances",
"MaxLength": "18",
"MinLength": "9",
"Type": "String"
},
"restrictedSrcAddressApp": {
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "Must be a valid IP CIDR range of the form x.x.x.x/x.",
"Description": " The IP address range that can be used to access web traffic (80/443) to the EC2 instances",
"MaxLength": "18",
"MinLength": "9",
"Type": "String"
},
"sshKey": {
"Description": "EC2 KeyPair to enable SSH access to the BIG-IP instance",
"Type": "AWS::EC2::KeyPair::KeyName"
},
"subnet1Az1": {
"ConstraintDescription": "The subnet ID must be within an existing VPC",
"Description": "Public or External subnet",
"Type": "AWS::EC2::Subnet::Id"
},
"subnet2Az1": {
"ConstraintDescription": "The subnet ID must be within an existing VPC",
"Description": "Private or Internal subnet ID",
"Type": "AWS::EC2::Subnet::Id"
},
"timezone": {
"Default": "UTC",
"Description": "Olson timezone string from /usr/share/zoneinfo",
"Type": "String"
}
},
"Resources": {
"Bigip1Instance": {
"Metadata": {
"AWS::CloudFormation::Init": {
"config": {
"commands": {
"000-disable-1nicautoconfig": {
"command": "/usr/bin/setdb provision.1nicautoconfig disable"
},
"010-install-libs": {
"command": {
"Fn::Join": [
" ",
[
"mkdir -p /var/log/cloud/aws;",
"nohup /config/installCloudLibs.sh",
"&>> /var/log/cloud/aws/install.log < /dev/null &"
]
]
}
},
"020-generate-password": {
"command": {
"Fn::Join": [
"",
[
"nohup /config/waitThenRun.sh",
" f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/runScript.js",
" --signal PASSWORD_CREATED",
" --file f5-rest-node",
" --cl-args '/config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/generatePassword --file /config/cloud/aws/.adminPassword --encrypt'",
" --log-level silly",
" -o /var/log/cloud/aws/generatePassword.log",
" &>> /var/log/cloud/aws/install.log < /dev/null",
" &"
]
]
}
},
"030-create-admin-user": {
"command": {
"Fn::Join": [
"",
[
"nohup /config/waitThenRun.sh",
" f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/runScript.js",
" --wait-for PASSWORD_CREATED",
" --signal ADMIN_CREATED",
" --file /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/createUser.sh",
" --cl-args '--user admin",
" --password-file /config/cloud/aws/.adminPassword",
" --password-encrypted",
"'",
" --log-level silly",
" -o /var/log/cloud/aws/createUser.log",
" &>> /var/log/cloud/aws/install.log < /dev/null",
" &"
]
]
}
},
"040-network-config": {
"command": {
"Fn::Join": [
"",
[
"GATEWAY_MAC=`ifconfig eth1 | egrep HWaddr | awk '{print tolower($5)}'`; ",
"GATEWAY_CIDR_BLOCK=`curl -s -f --retry 20 http://169.254.169.254/latest/meta-data/network/interfaces/macs/${GATEWAY_MAC}/subnet-ipv4-cidr-block`; ",
"GATEWAY_NET=${GATEWAY_CIDR_BLOCK%/*}; ",
"GATEWAY_PREFIX=${GATEWAY_CIDR_BLOCK#*/}; ",
"GATEWAY=`echo ${GATEWAY_NET} | awk -F. '{ print $1\".\"$2\".\"$3\".\"$4+1 }'`; ",
"GATEWAY_MAC2=`ifconfig eth2 | egrep HWaddr | awk '{print tolower($5)}'`\n",
"GATEWAY_CIDR_BLOCK2=`curl -s -f --retry 20 http://169.254.169.254/latest/meta-data/network/interfaces/macs/${GATEWAY_MAC2}/subnet-ipv4-cidr-block`; ",
"GATEWAY_PREFIX2=${GATEWAY_CIDR_BLOCK2#*/}; ",
"nohup /config/waitThenRun.sh ",
"f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/network.js ",
"--host localhost ",
"--user admin ",
"--password-url file:///config/cloud/aws/.adminPassword ",
"--password-encrypted ",
"-o /var/log/cloud/aws/network.log ",
"--log-level silly ",
"--wait-for ADMIN_CREATED ",
"--signal NETWORK_CONFIG_DONE ",
"--vlan name:external,nic:1.1 ",
"--default-gw ${GATEWAY} ",
"--self-ip name:external-self,address:",
{
"Fn::GetAtt": [
"Bigip1subnet1Az1Interface",
"PrimaryPrivateIpAddress"
]
},
"/${GATEWAY_PREFIX},vlan:external,allow:none ",
"--vlan name:internal,nic:1.2 ",
"--self-ip 'name:internal-self,address:",
{
"Fn::GetAtt": [
"Bigip1InternalInterface",
"PrimaryPrivateIpAddress"
]
},
"/'${GATEWAY_PREFIX2}',vlan:internal,allow:tcp:4353 udp:1026' ",
"&>> /var/log/cloud/aws/install.log < /dev/null &"
]
]
}
},
"050-onboard-BIG-IP": {
"command": {
"Fn::If": [
"optin",
{
"Fn::Join": [
" ",
[
"REGION=\"",
{
"Ref": "AWS::Region"
},
"\";",
"DEPLOYMENTID=`echo \"",
{
"Ref": "AWS::StackId"
},
"\"|sha512sum|cut -d \" \" -f 1`;",
"CUSTOMERID=`echo \"",
{
"Ref": "AWS::AccountId"
},
"\"|sha512sum|cut -d \" \" -f 1`;",
"NAME_SERVER=`/config/cloud/aws/getNameServer.sh eth1`;",
"nohup /config/waitThenRun.sh",
"f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js",
"--install-ilx-package file:///config/cloud/f5-appsvcs-3.5.1-5.noarch.rpm",
"--wait-for NETWORK_CONFIG_DONE",
"--signal ONBOARD_DONE",
"-o /var/log/cloud/aws/onboard.log",
"--log-level silly",
"--no-reboot",
"--host localhost",
"--user admin",
"--password-url file:///config/cloud/aws/.adminPassword",
"--password-encrypted",
"--hostname `curl -s -f --retry 20 http://169.254.169.254/latest/meta-data/hostname`",
"--ntp ",
{
"Ref": "ntpServer"
},
"--tz ",
{
"Ref": "timezone"
},
"--dns ${NAME_SERVER}",
"--module ltm:nominal",
"--license-pool --cloud aws",
"--big-iq-host",
{
"Ref": "bigIqAddress"
},
"--big-iq-user",
{
"Ref": "bigIqUsername"
},
"--license-pool-name",
{
"Ref": "bigIqLicensePoolName"
},
"--big-iq-password-uri",
{
"Ref": "bigIqPasswordS3Arn"
},
"--unit-of-measure",
{
"Fn::If": [
"noUnitOfMeasure",
{
"Ref": "AWS::NoValue"
},
{
"Ref": "bigIqLicenseUnitOfMeasure"
}
]
},
"--sku-keyword-1",
{
"Fn::If": [
"noSkuKeyword1",
{
"Ref": "AWS::NoValue"
},
{
"Ref": "bigIqLicenseSkuKeyword1"
}
]
},
"--metrics \"cloudName:aws,region:${REGION},bigipVersion:13.1.1-0.0.4,customerId:${CUSTOMERID},deploymentId:${DEPLOYMENTID},templateName:f5-prod-stack-same-az-cluster-bigiq-3nic-bigip.template,templateVersion:4.1.4,licenseType:bigiq\"",
"--ping",
"&>> /var/log/cloud/aws/install.log < /dev/null &"
]
]
},
{
"Fn::Join": [
" ",
[
"NAME_SERVER=`/config/cloud/aws/getNameServer.sh eth1`;",
"nohup /config/waitThenRun.sh",
"f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js",
"--install-ilx-package file:///config/cloud/f5-appsvcs-3.5.1-5.noarch.rpm",
"--wait-for NETWORK_CONFIG_DONE",
"--signal ONBOARD_DONE",
"-o /var/log/cloud/aws/onboard.log",
"--log-level silly",
"--no-reboot",
"--host localhost",
"--user admin",
"--password-url file:///config/cloud/aws/.adminPassword",
"--password-encrypted",
"--hostname `curl -s -f --retry 20 http://169.254.169.254/latest/meta-data/hostname`",
"--ntp ",
{
"Ref": "ntpServer"
},
"--tz ",
{
"Ref": "timezone"
},
"--dns ${NAME_SERVER}",
"--module ltm:nominal",
"--license-pool --cloud aws",
"--big-iq-host",
{
"Ref": "bigIqAddress"
},
"--big-iq-user",
{
"Ref": "bigIqUsername"
},
"--license-pool-name",
{
"Ref": "bigIqLicensePoolName"
},
"--big-iq-password-uri",
{
"Ref": "bigIqPasswordS3Arn"
},
"--unit-of-measure",
{
"Fn::If": [
"noUnitOfMeasure",
{
"Ref": "AWS::NoValue"
},
{
"Ref": "bigIqLicenseUnitOfMeasure"
}
]
},
"--sku-keyword-1",
{
"Fn::If": [
"noSkuKeyword1",
{
"Ref": "AWS::NoValue"
},
{
"Ref": "bigIqLicenseSkuKeyword1"
}
]
},
"--ping",
"&>> /var/log/cloud/aws/install.log < /dev/null &"
]
]
}
]
}
},
"060-custom-config": {
"command": {
"Fn::Join": [
" ",
[
"nohup /config/waitThenRun.sh",
"f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/runScript.js",
"--file /config/cloud/aws/custom-config.sh",
"--cwd /config/cloud/aws",
"-o /var/log/cloud/aws/custom-config.log",
"--log-level silly",
"--wait-for ONBOARD_DONE",
"--signal CUSTOM_CONFIG_DONE",
"&>> /var/log/cloud/aws/install.log < /dev/null &"
]
]
}
},
"065-cluster": {
"command": {
"Fn::Join": [
" ",
[
"HOSTNAME=`curl -s -f --retry 20 http://169.254.169.254/latest/meta-data/hostname`;",
"nohup /config/waitThenRun.sh",
"f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/cluster.js",
"--wait-for CUSTOM_CONFIG_DONE",
"--signal CLUSTER_DONE",
"-o /var/log/cloud/aws/cluster.log",
"--log-level silly",
"--host localhost",
"--user admin",
"--password-url file:///config/cloud/aws/.adminPassword",
"--password-encrypted",
"--cloud aws",
"--provider-options 's3Bucket:",
{
"Ref": "S3Bucket"
},
"'",
"--master",
"--config-sync-ip",
{
"Fn::GetAtt": [
"Bigip1InternalInterface",
"PrimaryPrivateIpAddress"
]
},
"--create-group",
"--device-group across_az_failover_group",
"--sync-type sync-failover",
"--network-failover",
"--device ${HOSTNAME}",
"--auto-sync",
"&>> /var/log/cloud/aws/install.log < /dev/null &"
]
]
}
},
"070-rm-password": {
"command": {
"Fn::Join": [
" ",
[
"nohup /config/waitThenRun.sh",
"f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/runScript.js",
"--file /config/cloud/aws/rm-password.sh",
"-o /var/log/cloud/aws/rm-password.log",
"--log-level silly",
"--wait-for CLUSTER_DONE",
"--signal PASSWORD_REMOVED",
"&>> /var/log/cloud/aws/install.log < /dev/null &"
]
]
}
}
},
"files": {
"/config/cloud/aws/custom-config.sh": {
"content": {
"Fn::Join": [
"",
[
"#!/bin/bash\n",
"EXTIP='",
{
"Fn::GetAtt": [
"Bigip1subnet1Az1Interface",
"PrimaryPrivateIpAddress"
]
},
"'\n",
"EXTPRIVIP='",
{
"Fn::Select": [
"0",
{
"Fn::GetAtt": [
"Bigip1subnet1Az1Interface",
"SecondaryPrivateIpAddresses"
]
}
]
},
"'\n",
"HOSTNAME=`curl -s -f --retry 20 http://169.254.169.254/latest/meta-data/hostname`\n",
"INTIP='",
{
"Fn::GetAtt": [
"Bigip1InternalInterface",
"PrimaryPrivateIpAddress"
]
},
"'\n",
"PEER_EXTPRIVIP='",
{
"Fn::Select": [
"0",
{
"Fn::GetAtt": [
"Bigip2subnet1Az1Interface",
"SecondaryPrivateIpAddresses"
]
}
]
},
"'\n",
"PROGNAME=$(basename $0)\n",
"function error_exit {\n",
"echo \"${PROGNAME}: ${1:-\\\"Unknown Error\\\"}\" 1>&2\n",
"exit 1\n",
"}\n",
"declare -a tmsh=()\n",
"echo 'starting custom-config.sh'\n",
"tmsh+=(\n",
"\"tmsh modify sys db dhclient.mgmt { value disable }\"\n",
"\"tmsh modify cm device ${HOSTNAME} unicast-address { { effective-ip ${INTIP} effective-port 1026 ip ${INTIP} } }\"\n",
"\"tmsh load sys application template /config/cloud/aws/f5.service_discovery.tmpl\"\n",
"\"tmsh load sys application template /config/cloud/aws/f5.cloud_logger.v1.0.0.tmpl\"\n",
"\"tmsh save /sys config\")\n",
"for CMD in \"${tmsh[@]}\"\n",
"do\n",
" \"/config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/waitForMcp.sh\"\n",
" if $CMD;then\n",
" echo \"command $CMD successfully executed.\"\n",
" else\n",
" error_exit \"$LINENO: An error has occurred while executing $CMD. Aborting!\"\n",
" fi\n",
"done\n",
"date\n",
"### START CUSTOM CONFIGURTION\n",
"source /config/cloud/aws/onboard_config_vars\n",
"deployed=\"no\"\n",
"url_regex=\"(http:\\/\\/|https:\\/\\/)?[a-z0-9]+([\\-\\.]{1}[a-z0-9]+)*\\.[a-z]{2,5}(:[0-9]{1,5})?(\\/.*)?$\"\n",
"file_loc=\"/config/cloud/custom_config\"\n",
"if [[ $declarationUrl =~ $url_regex ]]; then\n",
" response_code=$(/usr/bin/curl -sk -w \"%{http_code}\" $declarationUrl -o $file_loc)\n",
" if [[ $response_code == 200 ]]; then\n",
" echo \"Custom config download complete; checking for valid JSON.\"\n",
" cat $file_loc | jq .class\n",
" if [[ $? == 0 ]]; then\n",
" response_code=$(/usr/bin/curl -skvvu ${adminUsername}:$passwd -w \"%{http_code}\" -X POST -H \"Content-Type: application/json\" https://localhost:${managementGuiPort}/mgmt/shared/appsvcs/declare -d @$file_loc -o /dev/null)\n",
" if [[ $response_code == 200 || $response_code == 502 ]]; then\n",
" echo \"Deployment of custom application succeeded.\"\n",
" deployed=\"yes\"\n",
" else\n",
" echo \"Failed to deploy custom application; continuing...\"\n",
" fi\n",
" else\n",
" echo \"Custom config was not valid JSON, continuing...\"\n",
" fi\n",
" else\n",
" echo \"Failed to download custom config; continuing...\"\n",
" fi\n",
"else\n",
" echo \"Custom config was not a URL, continuing...\"\n",
"fi\n",
"### END CUSTOM CONFIGURATION"
]
]
},
"group": "root",
"mode": "000755",
"owner": "root"
},
"/config/cloud/aws/f5.cloud_logger.v1.0.0.tmpl": {
"group": "root",
"mode": "000755",
"owner": "root",
"source": "https://raw.githubusercontent.com/F5Networks/f5-cloud-iapps/v2.3.2/f5-cloud-logger/f5.cloud_logger.v1.0.0.tmpl"
},
"/config/cloud/aws/f5.service_discovery.tmpl": {
"group": "root",
"mode": "000755",
"owner": "root",
"source": "https://raw.githubusercontent.com/F5Networks/f5-cloud-iapps/v2.3.2/f5-service-discovery/f5.service_discovery.tmpl"
},
"/config/cloud/aws/getNameServer.sh": {
"content": {
"Fn::Join": [
"\n",
[
"INTERFACE=$1",
"INTERFACE_MAC=`ifconfig ${INTERFACE} | egrep HWaddr | awk '{print tolower($5)}'`",
"VPC_CIDR_BLOCK=`curl -s -f --retry 20 http://169.254.169.254/latest/meta-data/network/interfaces/macs/${INTERFACE_MAC}/vpc-ipv4-cidr-block`",
"VPC_NET=${VPC_CIDR_BLOCK%/*}",
"NAME_SERVER=`echo ${VPC_NET} | awk -F. '{ printf \"%d.%d.%d.%d\", $1, $2, $3, $4+2 }'`",
"echo $NAME_SERVER"
]
]
},
"group": "root",
"mode": "000755",
"owner": "root"
},
"/config/cloud/aws/onboard_config_vars": {
"content": {
"Fn::Join": [
"",
[
"",
"#!/bin/bash\n",
"# Generated from 4.1.4\n",
"hostname=`curl http://169.254.169.254/latest/meta-data/hostname`\n",
"region='",
{
"Ref": "AWS::Region"
},
"'\n",
"adminUsername='admin'\n",
"managementGuiPort='443'\n",
"timezone='",
{
"Ref": "timezone"
},
"'\n",
"ntpServer='",
{
"Ref": "ntpServer"
},
"'\n",
"declarationUrl='",
{
"Ref": "declarationUrl"
},
"'\n",
"passwd=$(f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/decryptDataFromFile.js --data-file /config/cloud/aws/.adminPassword)\n"
]
]
},
"group": "root",
"mode": "000755",
"owner": "root"
},
"/config/cloud/aws/rm-password.sh": {
"content": {
"Fn::Join": [
"",
[
"#!/bin/bash\n",
"PROGNAME=$(basename $0)\n",
"function error_exit {\n",
"echo \"${PROGNAME}: ${1:-\"Unknown Error\"}\" 1>&2\n",
"exit 1\n",
"}\n",
"date\n",
"echo 'starting rm-password.sh'\n",
"declare -a tmsh=()\n",
"tmsh+=(\"rm /config/cloud/aws/.adminPassword\")\n",
"for CMD in \"${tmsh[@]}\"\n",
"do\n",
" if $CMD;then\n",
" echo \"command $CMD successfully executed.\"\n",
" else\n",
" error_exit \"$LINENO: An error has occurred while executing $CMD. Aborting!\"\n",
" fi\n",
"done\n",
"date\n"
]
]
},
"group": "root",
"mode": "000755",
"owner": "root"
},
"/config/cloud/f5-appsvcs-3.5.1-5.noarch.rpm": {
"group": "root",
"mode": "000755",
"owner": "root",
"source": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/v3.6.0/dist/lts/f5-appsvcs-3.5.1-5.noarch.rpm"
},
"/config/cloud/f5-cloud-libs-aws.tar.gz": {
"group": "root",
"mode": "000755",
"owner": "root",
"source": "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs-aws/v2.4.0/dist/f5-cloud-libs-aws.tar.gz"
},
"/config/cloud/f5-cloud-libs.tar.gz": {
"group": "root",
"mode": "000755",
"owner": "root",
"source": "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/v4.8.1/dist/f5-cloud-libs.tar.gz"
},
"/config/installCloudLibs.sh": {
"content": {
"Fn::Join": [
"\n",
[
"#!/bin/bash",
"echo about to execute",
"checks=0",
"while [ $checks -lt 120 ]; do echo checking mcpd",
" tmsh -a show sys mcp-state field-fmt | grep -q running",
" if [ $? == 0 ]; then",
" echo mcpd ready",
" break",
" fi",
" echo mcpd not ready yet",
" let checks=checks+1",
" sleep 10",
"done",
"echo loading verifyHash script",
"if ! tmsh load sys config merge file /config/verifyHash; then",
" echo cannot validate signature of /config/verifyHash",
" exit",
"fi",
"echo loaded verifyHash",
"declare -a filesToVerify=(\"/config/cloud/f5-cloud-libs.tar.gz\" \"/config/cloud/f5-cloud-libs-aws.tar.gz\" \"/config/cloud/f5-appsvcs-3.5.1-5.noarch.rpm\" \"/config/cloud/aws/f5.service_discovery.tmpl\" \"/config/cloud/aws/f5.cloud_logger.v1.0.0.tmpl\")",
"for fileToVerify in \"${filesToVerify[@]}\"",
"do",
" echo verifying \"$fileToVerify\"",
" if ! tmsh run cli script verifyHash \"$fileToVerify\"; then",
" echo \"$fileToVerify\" is not valid",
" exit 1",
" fi",
" echo verified \"$fileToVerify\"",
"done",
"mkdir -p /config/cloud/aws/node_modules/@f5devcentral",
"echo expanding f5-cloud-libs.tar.gz",
"tar xvfz /config/cloud/f5-cloud-libs.tar.gz -C /config/cloud/aws/node_modules/@f5devcentral",
"echo installing dependencies",
"tar xvfz /config/cloud/f5-cloud-libs-aws.tar.gz -C /config/cloud/aws/node_modules/@f5devcentral",
"echo cloud libs install complete",
"touch /config/cloud/cloudLibsReady"
]
]
},
"group": "root",
"mode": "000755",
"owner": "root"
},
"/config/verifyHash": {
"content": "cli script /Common/verifyHash {\nproc script::run {} {\n if {[catch {\n set hashes(f5-cloud-libs.tar.gz) 18f1d7db0fe52eceb72aa2f2b56152926c126d153f0f65953441fea79a756c3c5ff847da2ed7b70c153da5490ffd54e3f93eaab33e8d6df46619a525b26e3505\n set hashes(f5-cloud-libs-aws.tar.gz) 076c969cbfff12efacce0879820262b7787c98645f1105667cc4927d4acfe2466ed64c777b6d35957f6df7ae266937dde42fef4c8b1f870020a366f7f910ffb5\n set hashes(f5-cloud-libs-azure.tar.gz) 57fae388e8aa028d24a2d3fa2c029776925011a72edb320da47ccd4fb8dc762321c371312f692b7b8f1c84e8261c280f6887ba2e0f841b50547e6e6abc8043ba\n set hashes(f5-cloud-libs-gce.tar.gz) 1677835e69967fd9882ead03cbdd24b426627133b8db9e41f6de5a26fef99c2d7b695978ac189f00f61c0737e6dbb638d42dea43a867ef4c01d9507d0ee1fb2f\n set hashes(f5-cloud-libs-openstack.tar.gz) 5c83fe6a93a6fceb5a2e8437b5ed8cc9faf4c1621bfc9e6a0779f6c2137b45eab8ae0e7ed745c8cf821b9371245ca29749ca0b7e5663949d77496b8728f4b0f9\n set hashes(f5-cloud-libs-consul.tar.gz) 2c6face582064600553f442a67a58bc7c19533923fac72a88edef0a90a845a5b9c45b5ba340184292a27a3319d8b8118364d16ea17f6225d31f7c2e997be9775\n set hashes(asm-policy-linux.tar.gz) 63b5c2a51ca09c43bd89af3773bbab87c71a6e7f6ad9410b229b4e0a1c483d46f1a9fff39d9944041b02ee9260724027414de592e99f4c2475415323e18a72e0\n set hashes(f5.http.v1.2.0rc4.tmpl) 47c19a83ebfc7bd1e9e9c35f3424945ef8694aa437eedd17b6a387788d4db1396fefe445199b497064d76967b0d50238154190ca0bd73941298fc257df4dc034\n set hashes(f5.http.v1.2.0rc6.tmpl) 811b14bffaab5ed0365f0106bb5ce5e4ec22385655ea3ac04de2a39bd9944f51e3714619dae7ca43662c956b5212228858f0592672a2579d4a87769186e2cbfe\n set hashes(f5.http.v1.2.0rc7.tmpl) 21f413342e9a7a281a0f0e1301e745aa86af21a697d2e6fdc21dd279734936631e92f34bf1c2d2504c201f56ccd75c5c13baa2fe7653213689ec3c9e27dff77d\n set hashes(f5.aws_advanced_ha.v1.3.0rc1.tmpl) 9e55149c010c1d395abdae3c3d2cb83ec13d31ed39424695e88680cf3ed5a013d626b326711d3d40ef2df46b72d414b4cb8e4f445ea0738dcbd25c4c843ac39d\n set hashes(f5.aws_advanced_ha.v1.4.0rc1.tmpl) 
de068455257412a949f1eadccaee8506347e04fd69bfb645001b76f200127668e4a06be2bbb94e10fefc215cfc3665b07945e6d733cbe1a4fa1b88e881590396\n set hashes(f5.aws_advanced_ha.v1.4.0rc2.tmpl) 6ab0bffc426df7d31913f9a474b1a07860435e366b07d77b32064acfb2952c1f207beaed77013a15e44d80d74f3253e7cf9fbbe12a90ec7128de6facd097d68f\n set hashes(f5.aws_advanced_ha.v1.4.0rc3.tmpl) 2f2339b4bc3a23c9cfd42aae2a6de39ba0658366f25985de2ea53410a745f0f18eedc491b20f4a8dba8db48970096e2efdca7b8efffa1a83a78e5aadf218b134\n set hashes(f5.aws_advanced_ha.v1.4.0rc4.tmpl) 2418ac8b1f1884c5c096cbac6a94d4059aaaf05927a6a4508fd1f25b8cc6077498839fbdda8176d2cf2d274a27e6a1dae2a1e3a0a9991bc65fc74fc0d02ce963\n set hashes(asm-policy.tar.gz) 2d39ec60d006d05d8a1567a1d8aae722419e8b062ad77d6d9a31652971e5e67bc4043d81671ba2a8b12dd229ea46d205144f75374ed4cae58cefa8f9ab6533e6\n set hashes(deploy_waf.sh) 1a3a3c6274ab08a7dc2cb73aedc8d2b2a23cd9e0eb06a2e1534b3632f250f1d897056f219d5b35d3eed1207026e89989f754840fd92969c515ae4d829214fb74\n set hashes(f5.policy_creator.tmpl) 06539e08d115efafe55aa507ecb4e443e83bdb1f5825a9514954ef6ca56d240ed00c7b5d67bd8f67b815ee9dd46451984701d058c89dae2434c89715d375a620\n set hashes(f5.service_discovery.tmpl) 4811a95372d1dbdbb4f62f8bcc48d4bc919fa492cda012c81e3a2fe63d7966cc36ba8677ed049a814a930473234f300d3f8bced2b0db63176d52ac99640ce81b\n set hashes(f5.cloud_logger.v1.0.0.tmpl) 64a0ed3b5e32a037ba4e71d460385fe8b5e1aecc27dc0e8514b511863952e419a89f4a2a43326abb543bba9bc34376afa114ceda950d2c3bd08dab735ff5ad20\n set hashes(f5-appsvcs-3.5.1-5.noarch.rpm) ba71c6e1c52d0c7077cdb25a58709b8fb7c37b34418a8338bbf67668339676d208c1a4fef4e5470c152aac84020b4ccb8074ce387de24be339711256c0fa78c8\n\n set file_path [lindex $tmsh::argv 1]\n set file_name [file tail $file_path]\n\n if {![info exists hashes($file_name)]} {\n tmsh::log err \"No hash found for $file_name\"\n exit 1\n }\n\n set expected_hash $hashes($file_name)\n set computed_hash [lindex [exec /usr/bin/openssl dgst -r -sha512 $file_path] 0]\n if { $expected_hash eq 
$computed_hash } {\n exit 0\n }\n tmsh::log err \"Hash does not match for $file_path\"\n exit 1\n }]} {\n tmsh::log err {Unexpected error in verifyHash}\n exit 1\n }\n }\n script-signature Nbpb2UCK1Rcn2WrsZvPhOlXQ7N6CMLcFtjCm+VnfPVYiAONJvsqEOAv8ohgg7yiTV95sL7uwNUwAfxBwzJ1oSXSHBz4/VSMEopvH0+GmdrvHzHFmWT9VOJYm+OMzd/xngMfFZesFrtWcJ9BwhnBcmqVfEv1ueGOPYbXvbz2NuyT8CTNqy4MizzWYhouYqTX8OeTk1ts+nCd+D6fm31xKhUgChx1bw5H6VnuTntbe2kWw5R+KW+Jk2J45EEk4/5rrzYqH9uJhVNegPEPf0QckniILC5WBUPtvOqKoAHxpLgJntnEVzMDnWQdqYoOvtgAKHzYFDFlWZrcsGq7/ywE4vQ==\n signing-key /Common/f5-irule\n}",
"group": "root",
"mode": "000755",
"owner": "root"
},
"/config/waitThenRun.sh": {
"content": {
"Fn::Join": [
"\n",
[
"#!/bin/bash",
"while true; do echo \"waiting for cloud libs install to complete\"",
" if [ -f /config/cloud/cloudLibsReady ]; then",
" break",
" else",
" sleep 10",
" fi",
"done",
"\"$@\""
]
]
},
"group": "root",
"mode": "000755",
"owner": "root"
}
}
}
}
},
"Properties": {
"BlockDeviceMappings": [
{
"DeviceName": "/dev/xvda",
"Ebs": {
"DeleteOnTermination": "true",
"VolumeType": "gp2"
}
},
{
"DeviceName": "/dev/xvdb",
"NoDevice": {}
}
],
"IamInstanceProfile": {
"Ref": "bigipServiceDiscoveryProfile"
},
"ImageId": {
"Fn::If": [
"noCustomImageId",
{
"Fn::FindInMap": [
"BigipRegionMap",
{
"Ref": "AWS::Region"
},
{
"Ref": "imageName"
}
]
},
{
"Ref": "customImageId"
}
]
},
"InstanceType": {
"Ref": "instanceType"
},
"KeyName": {
"Ref": "sshKey"
},
"NetworkInterfaces": [
{
"Description": "Management Interface",
"DeviceIndex": "0",
"NetworkInterfaceId": {
"Ref": "Bigip1ManagementInterface"
}
},
{
"Description": "Public or External Interface",
"DeviceIndex": "1",
"NetworkInterfaceId": {
"Ref": "Bigip1subnet1Az1Interface"
}
},
{
"Description": "Private or Internal Interface",
"DeviceIndex": "2",
"NetworkInterfaceId": {
"Ref": "Bigip1InternalInterface"
}
}
],
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "application"
}
},
{
"Key": "Costcenter",
"Value": {
"Ref": "costcenter"
}
},
{
"Key": "Environment",
"Value": {
"Ref": "environment"
}
},
{
"Key": "Group",
"Value": {
"Ref": "group"
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"Big-IP1: ",
{
"Ref": "AWS::StackName"
}
]
]
}
},
{
"Key": "Owner",
"Value": {
"Ref": "owner"
}
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#!/bin/bash\n",
"/opt/aws/apitools/cfn-init-1.4-0.amzn1/bin/cfn-init -v -s ",
{
"Ref": "AWS::StackId"
},
" -r ",
"Bigip1Instance",
" --region ",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
}
},
"Type": "AWS::EC2::Instance"
},
"Bigip1InternalInterface": {
"Properties": {
"Description": "Internal Interface for the BIG-IP",
"GroupSet": [
{
"Ref": "bigipInternalSecurityGroup"
}
],
"SubnetId": {
"Ref": "subnet2Az1"
}
},
"Type": "AWS::EC2::NetworkInterface"
},
"Bigip1ManagementInterface": {
"Properties": {
"Description": "Management Interface for the BIG-IP",
"GroupSet": [
{
"Ref": "bigipManagementSecurityGroup"
}
],
"SubnetId": {
"Ref": "managementSubnetAz1"
}
},
"Type": "AWS::EC2::NetworkInterface"
},
"Bigip1subnet1Az1Interface": {
"Properties": {
"Description": "Public External Interface for the BIG-IP",
"GroupSet": [
{
"Ref": "bigipExternalSecurityGroup"
}
],
"SecondaryPrivateIpAddressCount": "1",
"SubnetId": {
"Ref": "subnet1Az1"
}
},
"Type": "AWS::EC2::NetworkInterface"
},
"Bigip2Instance": {
"DependsOn": "Bigip1Instance",
"Metadata": {
"AWS::CloudFormation::Init": {
"config": {
"commands": {
"000-disable-1nicautoconfig": {
"command": "/usr/bin/setdb provision.1nicautoconfig disable"
},
"010-install-libs": {
"command": {
"Fn::Join": [
" ",
[
"mkdir -p /var/log/cloud/aws;",
"nohup /config/installCloudLibs.sh",
"&>> /var/log/cloud/aws/install.log < /dev/null &"
]
]
}
},
"020-generate-password": {
"command": {
"Fn::Join": [
"",
[
"nohup /config/waitThenRun.sh",
" f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/runScript.js",
" --signal PASSWORD_CREATED",
" --file f5-rest-node",
" --cl-args '/config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/generatePassword --file /config/cloud/aws/.adminPassword --encrypt'",
" --log-level silly",
" -o /var/log/cloud/aws/generatePassword.log",
" &>> /var/log/cloud/aws/install.log < /dev/null",
" &"
]
]
}
},
"030-create-admin-user": {
"command": {
"Fn::Join": [
"",
[
"nohup /config/waitThenRun.sh",
" f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/runScript.js",
" --wait-for PASSWORD_CREATED",
" --signal ADMIN_CREATED",
" --file /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/createUser.sh",
" --cl-args '--user admin",
" --password-file /config/cloud/aws/.adminPassword",
" --password-encrypted",
"'",
" --log-level silly",
" -o /var/log/cloud/aws/createUser.log",
" &>> /var/log/cloud/aws/install.log < /dev/null",
" &"
]
]
}
},
"040-network-config": {
"command": {
"Fn::Join": [
"",
[
"GATEWAY_MAC=`ifconfig eth1 | egrep HWaddr | awk '{print tolower($5)}'`; ",
"GATEWAY_CIDR_BLOCK=`curl -s -f --retry 20 http://169.254.169.254/latest/meta-data/network/interfaces/macs/${GATEWAY_MAC}/subnet-ipv4-cidr-block`; ",
"GATEWAY_NET=${GATEWAY_CIDR_BLOCK%/*}; ",
"GATEWAY_PREFIX=${GATEWAY_CIDR_BLOCK#*/}; ",
"GATEWAY=`echo ${GATEWAY_NET} | awk -F. '{ print $1\".\"$2\".\"$3\".\"$4+1 }'`; ",
"GATEWAY_MAC2=`ifconfig eth2 | egrep HWaddr | awk '{print tolower($5)}'`\n",
"GATEWAY_CIDR_BLOCK2=`curl -s -f --retry 20 http://169.254.169.254/latest/meta-data/network/interfaces/macs/${GATEWAY_MAC2}/subnet-ipv4-cidr-block`; ",
"GATEWAY_PREFIX2=${GATEWAY_CIDR_BLOCK2#*/}; ",
"nohup /config/waitThenRun.sh ",
"f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/network.js ",
"--host localhost ",
"--user admin ",
"--password-url file:///config/cloud/aws/.adminPassword ",
"--password-encrypted ",
"-o /var/log/cloud/aws/network.log ",
"--log-level silly ",
"--wait-for ADMIN_CREATED ",
"--signal NETWORK_CONFIG_DONE ",
"--vlan name:external,nic:1.1 ",
"--default-gw ${GATEWAY} ",
"--self-ip name:external-self,address:",
{
"Fn::GetAtt": [
"Bigip2subnet1Az1Interface",
"PrimaryPrivateIpAddress"
]
},
"/${GATEWAY_PREFIX},vlan:external,allow:none ",
"--vlan name:internal,nic:1.2 ",
"--self-ip 'name:internal-self,address:",
{
"Fn::GetAtt": [
"Bigip2InternalInterface",
"PrimaryPrivateIpAddress"
]
},
"/'${GATEWAY_PREFIX2}',vlan:internal,allow:tcp:4353 udp:1026' ",
"&>> /var/log/cloud/aws/install.log < /dev/null &"
]
]
}
},
"050-onboard-BIG-IP": {
"command": {
"Fn::If": [
"optin",
{
"Fn::Join": [
" ",
[
"REGION=\"",
{
"Ref": "AWS::Region"
},
"\";",
"DEPLOYMENTID=`echo \"",
{
"Ref": "AWS::StackId"
},
"\"|sha512sum|cut -d \" \" -f 1`;",
"CUSTOMERID=`echo \"",
{
"Ref": "AWS::AccountId"
},
"\"|sha512sum|cut -d \" \" -f 1`;",
"NAME_SERVER=`/config/cloud/aws/getNameServer.sh eth1`;",
"nohup /config/waitThenRun.sh",
"f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js",
"--install-ilx-package file:///config/cloud/f5-appsvcs-3.5.1-5.noarch.rpm",
"--wait-for NETWORK_CONFIG_DONE",
"--signal ONBOARD_DONE",
"-o /var/log/cloud/aws/onboard.log",
"--log-level silly",
"--no-reboot",
"--host localhost",
"--user admin",
"--password-url file:///config/cloud/aws/.adminPassword",
"--password-encrypted",
"--hostname `curl -s -f --retry 20 http://169.254.169.254/latest/meta-data/hostname`",
"--ntp ",
{
"Ref": "ntpServer"
},
"--tz ",
{
"Ref": "timezone"
},
"--dns ${NAME_SERVER}",
"--module ltm:nominal",
"--license-pool --cloud aws",
"--big-iq-host",
{
"Ref": "bigIqAddress"
},
"--big-iq-user",
{
"Ref": "bigIqUsername"
},
"--license-pool-name",
{
"Ref": "bigIqLicensePoolName"
},
"--big-iq-password-uri",
{
"Ref": "bigIqPasswordS3Arn"
},
"--unit-of-measure",
{
"Fn::If": [
"noUnitOfMeasure",
{
"Ref": "AWS::NoValue"
},
{
"Ref": "bigIqLicenseUnitOfMeasure"
}
]
},
"--sku-keyword-1",
{
"Fn::If": [
"noSkuKeyword1",
{
"Ref": "AWS::NoValue"
},
{
"Ref": "bigIqLicenseSkuKeyword1"
}
]
},
"--metrics \"cloudName:aws,region:${REGION},bigipVersion:13.1.1-0.0.4,customerId:${CUSTOMERID},deploymentId:${DEPLOYMENTID},templateName:f5-prod-stack-same-az-cluster-bigiq-3nic-bigip.template,templateVersion:4.1.4,licenseType:bigiq\"",
"--ping",
"&>> /var/log/cloud/aws/install.log < /dev/null &"
]
]
},
{
"Fn::Join": [
" ",
[
"NAME_SERVER=`/config/cloud/aws/getNameServer.sh eth1`;",
"nohup /config/waitThenRun.sh",
"f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js",
"--install-ilx-package file:///config/cloud/f5-appsvcs-3.5.1-5.noarch.rpm",
"--wait-for NETWORK_CONFIG_DONE",
"--signal ONBOARD_DONE",
"-o /var/log/cloud/aws/onboard.log",
"--log-level silly",
"--no-reboot",
"--host localhost",
"--user admin",
"--password-url file:///config/cloud/aws/.adminPassword",
"--password-encrypted",
"--hostname `curl -s -f --retry 20 http://169.254.169.254/latest/meta-data/hostname`",
"--ntp ",
{
"Ref": "ntpServer"
},
"--tz ",
{
"Ref": "timezone"
},
"--dns ${NAME_SERVER}",
"--module ltm:nominal",
"--license-pool --cloud aws",
"--big-iq-host",
{
"Ref": "bigIqAddress"
},
"--big-iq-user",
{
"Ref": "bigIqUsername"
},
"--license-pool-name",
{
"Ref": "bigIqLicensePoolName"
},
"--big-iq-password-uri",
{
"Ref": "bigIqPasswordS3Arn"
},
"--unit-of-measure",
{
"Fn::If": [
"noUnitOfMeasure",
{
"Ref": "AWS::NoValue"
},
{
"Ref": "bigIqLicenseUnitOfMeasure"
}
]
},
"--sku-keyword-1",
{
"Fn::If": [
"noSkuKeyword1",
{
"Ref": "AWS::NoValue"
},
{
"Ref": "bigIqLicenseSkuKeyword1"
}
]
},
"--ping",
"&>> /var/log/cloud/aws/install.log < /dev/null &"
]
]
}
]
}
},
"060-custom-config": {
"command": {
"Fn::Join": [
" ",
[
"nohup /config/waitThenRun.sh",
"f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/runScript.js",
"--file /config/cloud/aws/custom-config.sh",
"--cwd /config/cloud/aws",
"-o /var/log/cloud/aws/custom-config.log",
"--log-level silly",
"--wait-for ONBOARD_DONE",
"--signal CUSTOM_CONFIG_DONE",
"&>> /var/log/cloud/aws/install.log < /dev/null &"
]
]
}
},
"065-cluster": {
"command": {
"Fn::Join": [
" ",
[
"nohup /config/waitThenRun.sh",
"f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/cluster.js",
"--wait-for CUSTOM_CONFIG_DONE",
"--signal CLUSTER_DONE",
"-o /var/log/cloud/aws/cluster.log",
"--log-level silly",
"--host localhost",
"--user admin",
"--password-url file:///config/cloud/aws/.adminPassword",
"--password-encrypted",
"--cloud aws",
"--provider-options 's3Bucket:",
{
"Ref": "S3Bucket"
},
"'",
"--config-sync-ip",
{
"Fn::GetAtt": [
"Bigip2InternalInterface",
"PrimaryPrivateIpAddress"
]
},
"--join-group",
"--device-group across_az_failover_group",
"--remote-host ",
{
"Fn::GetAtt": [
"Bigip1ManagementInterface",
"PrimaryPrivateIpAddress"
]
},
"&>> /var/log/cloud/aws/install.log < /dev/null &"
]
]
}
},
"070-rm-password": {
"command": {
"Fn::Join": [
" ",
[
"nohup /config/waitThenRun.sh",
"f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/runScript.js",
"--file /config/cloud/aws/rm-password.sh",
"-o /var/log/cloud/aws/rm-password.log",
"--log-level silly",
"--wait-for CLUSTER_DONE",
"--signal PASSWORD_REMOVED",
"&>> /var/log/cloud/aws/install.log < /dev/null &"
]
]
}
}
},
"files": {
"/config/cloud/aws/custom-config.sh": {
"content": {
"Fn::Join": [
"",
[
"#!/bin/bash\n",
"EXTIP='",
{
"Fn::GetAtt": [
"Bigip2subnet1Az1Interface",
"PrimaryPrivateIpAddress"
]
},
"'\n",
"EXTPRIVIP='",
{
"Fn::Select": [
"0",
{
"Fn::GetAtt": [
"Bigip2subnet1Az1Interface",
"SecondaryPrivateIpAddresses"
]
}
]
},
"'\n",
"HOSTNAME=`curl -s -f --retry 20 http://169.254.169.254/latest/meta-data/hostname`\n",
"INTIP='",
{
"Fn::GetAtt": [
"Bigip2InternalInterface",
"PrimaryPrivateIpAddress"
]
},
"'\n",
"PROGNAME=$(basename $0)\n",
"function error_exit {\n",
"echo \"${PROGNAME}: ${1:-\\\"Unknown Error\\\"}\" 1>&2\n",
"exit 1\n",
"}\n",
"declare -a tmsh=()\n",
"echo 'starting custom-config.sh'\n",
"tmsh+=(\n",
"\"tmsh modify sys db dhclient.mgmt { value disable }\"\n",
"\"tmsh modify cm device ${HOSTNAME} unicast-address { { effective-ip ${INTIP} effective-port 1026 ip ${INTIP} } }\"\n",
"\"tmsh save /sys config\")\n",
"for CMD in \"${tmsh[@]}\"\n",
"do\n",
" \"/config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/waitForMcp.sh\"\n",
" if $CMD;then\n",
" echo \"command $CMD successfully executed.\"\n",
" else\n",
" error_exit \"$LINENO: An error has occurred while executing $CMD. Aborting!\"\n",
" fi\n",
"done\n",
"date\n"
]
]
},
"group": "root",
"mode": "000755",
"owner": "root"
},
"/config/cloud/aws/f5.cloud_logger.v1.0.0.tmpl": {
"group": "root",
"mode": "000755",
"owner": "root",
"source": "https://raw.githubusercontent.com/F5Networks/f5-cloud-iapps/v2.3.2/f5-cloud-logger/f5.cloud_logger.v1.0.0.tmpl"
},
"/config/cloud/aws/f5.service_discovery.tmpl": {
"group": "root",
"mode": "000755",
"owner": "root",
"source": "https://raw.githubusercontent.com/F5Networks/f5-cloud-iapps/v2.3.2/f5-service-discovery/f5.service_discovery.tmpl"
},
"/config/cloud/aws/getNameServer.sh": {
"content": {
"Fn::Join": [
"\n",
[
"INTERFACE=$1",
"INTERFACE_MAC=`ifconfig ${INTERFACE} | egrep HWaddr | awk '{print tolower($5)}'`",
"VPC_CIDR_BLOCK=`curl -s -f --retry 20 http://169.254.169.254/latest/meta-data/network/interfaces/macs/${INTERFACE_MAC}/vpc-ipv4-cidr-block`",
"VPC_NET=${VPC_CIDR_BLOCK%/*}",
"NAME_SERVER=`echo ${VPC_NET} | awk -F. '{ printf \"%d.%d.%d.%d\", $1, $2, $3, $4+2 }'`",
"echo $NAME_SERVER"
]
]
},
"group": "root",
"mode": "000755",
"owner": "root"
},
"/config/cloud/aws/onboard_config_vars": {
"content": {
"Fn::Join": [
"",
[
"",
"#!/bin/bash\n",
"# Generated from 4.1.4\n",
"hostname=`curl http://169.254.169.254/latest/meta-data/hostname`\n",
"region='",
{
"Ref": "AWS::Region"
},
"'\n",
"adminUsername='admin'\n",
"managementGuiPort='443'\n",
"timezone='",
{
"Ref": "timezone"
},
"'\n",
"ntpServer='",
{
"Ref": "ntpServer"
},
"'\n",
"declarationUrl='",
{
"Ref": "declarationUrl"
},
"'\n",
"passwd=$(f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/decryptDataFromFile.js --data-file /config/cloud/aws/.adminPassword)\n"
]
]
},
"group": "root",
"mode": "000755",
"owner": "root"
},
"/config/cloud/aws/rm-password.sh": {
"content": {
"Fn::Join": [
"",
[
"#!/bin/bash\n",
"PROGNAME=$(basename $0)\n",
"function error_exit {\n",
"echo \"${PROGNAME}: ${1:-\"Unknown Error\"}\" 1>&2\n",
"exit 1\n",
"}\n",
"date\n",
"echo 'starting rm-password.sh'\n",
"declare -a tmsh=()\n",
"tmsh+=(\"rm /config/cloud/aws/.adminPassword\")\n",
"for CMD in \"${tmsh[@]}\"\n",
"do\n",
" if $CMD;then\n",
" echo \"command $CMD successfully executed.\"\n",
" else\n",
" error_exit \"$LINENO: An error has occurred while executing $CMD. Aborting!\"\n",
" fi\n",
"done\n",
"date\n"
]
]
},
"group": "root",
"mode": "000755",
"owner": "root"
},
"/config/cloud/f5-appsvcs-3.5.1-5.noarch.rpm": {
"group": "root",
"mode": "000755",
"owner": "root",
"source": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/v3.6.0/dist/lts/f5-appsvcs-3.5.1-5.noarch.rpm"
},
"/config/cloud/f5-cloud-libs-aws.tar.gz": {
"group": "root",
"mode": "000755",
"owner": "root",
"source": "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs-aws/v2.4.0/dist/f5-cloud-libs-aws.tar.gz"
},
"/config/cloud/f5-cloud-libs.tar.gz": {
"group": "root",
"mode": "000755",
"owner": "root",
"source": "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/v4.8.1/dist/f5-cloud-libs.tar.gz"
},
"/config/installCloudLibs.sh": {
"content": {
"Fn::Join": [
"\n",
[
"#!/bin/bash",
"echo about to execute",
"checks=0",
"while [ $checks -lt 120 ]; do echo checking mcpd",
" tmsh -a show sys mcp-state field-fmt | grep -q running",
" if [ $? == 0 ]; then",
" echo mcpd ready",
" break",
" fi",
" echo mcpd not ready yet",
" let checks=checks+1",
" sleep 10",
"done",
"echo loading verifyHash script",
"if ! tmsh load sys config merge file /config/verifyHash; then",
" echo cannot validate signature of /config/verifyHash",
" exit",
"fi",
"echo loaded verifyHash",
"declare -a filesToVerify=(\"/config/cloud/f5-cloud-libs.tar.gz\" \"/config/cloud/f5-cloud-libs-aws.tar.gz\" \"/config/cloud/f5-appsvcs-3.5.1-5.noarch.rpm\" \"/config/cloud/aws/f5.service_discovery.tmpl\" \"/config/cloud/aws/f5.cloud_logger.v1.0.0.tmpl\")",
"for fileToVerify in \"${filesToVerify[@]}\"",
"do",
" echo verifying \"$fileToVerify\"",
" if ! tmsh run cli script verifyHash \"$fileToVerify\"; then",
" echo \"$fileToVerify\" is not valid",
" exit 1",
" fi",
" echo verified \"$fileToVerify\"",
"done",
"mkdir -p /config/cloud/aws/node_modules/@f5devcentral",
"echo expanding f5-cloud-libs.tar.gz",
"tar xvfz /config/cloud/f5-cloud-libs.tar.gz -C /config/cloud/aws/node_modules/@f5devcentral",
"echo installing dependencies",
"tar xvfz /config/cloud/f5-cloud-libs-aws.tar.gz -C /config/cloud/aws/node_modules/@f5devcentral",
"echo cloud libs install complete",
"touch /config/cloud/cloudLibsReady"
]
]
},
"group": "root",
"mode": "000755",
"owner": "root"
},
"/config/verifyHash": {
"content": "cli script /Common/verifyHash {\nproc script::run {} {\n if {[catch {\n set hashes(f5-cloud-libs.tar.gz) 18f1d7db0fe52eceb72aa2f2b56152926c126d153f0f65953441fea79a756c3c5ff847da2ed7b70c153da5490ffd54e3f93eaab33e8d6df46619a525b26e3505\n set hashes(f5-cloud-libs-aws.tar.gz) 076c969cbfff12efacce0879820262b7787c98645f1105667cc4927d4acfe2466ed64c777b6d35957f6df7ae266937dde42fef4c8b1f870020a366f7f910ffb5\n set hashes(f5-cloud-libs-azure.tar.gz) 57fae388e8aa028d24a2d3fa2c029776925011a72edb320da47ccd4fb8dc762321c371312f692b7b8f1c84e8261c280f6887ba2e0f841b50547e6e6abc8043ba\n set hashes(f5-cloud-libs-gce.tar.gz) 1677835e69967fd9882ead03cbdd24b426627133b8db9e41f6de5a26fef99c2d7b695978ac189f00f61c0737e6dbb638d42dea43a867ef4c01d9507d0ee1fb2f\n set hashes(f5-cloud-libs-openstack.tar.gz) 5c83fe6a93a6fceb5a2e8437b5ed8cc9faf4c1621bfc9e6a0779f6c2137b45eab8ae0e7ed745c8cf821b9371245ca29749ca0b7e5663949d77496b8728f4b0f9\n set hashes(f5-cloud-libs-consul.tar.gz) 2c6face582064600553f442a67a58bc7c19533923fac72a88edef0a90a845a5b9c45b5ba340184292a27a3319d8b8118364d16ea17f6225d31f7c2e997be9775\n set hashes(asm-policy-linux.tar.gz) 63b5c2a51ca09c43bd89af3773bbab87c71a6e7f6ad9410b229b4e0a1c483d46f1a9fff39d9944041b02ee9260724027414de592e99f4c2475415323e18a72e0\n set hashes(f5.http.v1.2.0rc4.tmpl) 47c19a83ebfc7bd1e9e9c35f3424945ef8694aa437eedd17b6a387788d4db1396fefe445199b497064d76967b0d50238154190ca0bd73941298fc257df4dc034\n set hashes(f5.http.v1.2.0rc6.tmpl) 811b14bffaab5ed0365f0106bb5ce5e4ec22385655ea3ac04de2a39bd9944f51e3714619dae7ca43662c956b5212228858f0592672a2579d4a87769186e2cbfe\n set hashes(f5.http.v1.2.0rc7.tmpl) 21f413342e9a7a281a0f0e1301e745aa86af21a697d2e6fdc21dd279734936631e92f34bf1c2d2504c201f56ccd75c5c13baa2fe7653213689ec3c9e27dff77d\n set hashes(f5.aws_advanced_ha.v1.3.0rc1.tmpl) 9e55149c010c1d395abdae3c3d2cb83ec13d31ed39424695e88680cf3ed5a013d626b326711d3d40ef2df46b72d414b4cb8e4f445ea0738dcbd25c4c843ac39d\n set hashes(f5.aws_advanced_ha.v1.4.0rc1.tmpl) 
de068455257412a949f1eadccaee8506347e04fd69bfb645001b76f200127668e4a06be2bbb94e10fefc215cfc3665b07945e6d733cbe1a4fa1b88e881590396\n set hashes(f5.aws_advanced_ha.v1.4.0rc2.tmpl) 6ab0bffc426df7d31913f9a474b1a07860435e366b07d77b32064acfb2952c1f207beaed77013a15e44d80d74f3253e7cf9fbbe12a90ec7128de6facd097d68f\n set hashes(f5.aws_advanced_ha.v1.4.0rc3.tmpl) 2f2339b4bc3a23c9cfd42aae2a6de39ba0658366f25985de2ea53410a745f0f18eedc491b20f4a8dba8db48970096e2efdca7b8efffa1a83a78e5aadf218b134\n set hashes(f5.aws_advanced_ha.v1.4.0rc4.tmpl) 2418ac8b1f1884c5c096cbac6a94d4059aaaf05927a6a4508fd1f25b8cc6077498839fbdda8176d2cf2d274a27e6a1dae2a1e3a0a9991bc65fc74fc0d02ce963\n set hashes(asm-policy.tar.gz) 2d39ec60d006d05d8a1567a1d8aae722419e8b062ad77d6d9a31652971e5e67bc4043d81671ba2a8b12dd229ea46d205144f75374ed4cae58cefa8f9ab6533e6\n set hashes(deploy_waf.sh) 1a3a3c6274ab08a7dc2cb73aedc8d2b2a23cd9e0eb06a2e1534b3632f250f1d897056f219d5b35d3eed1207026e89989f754840fd92969c515ae4d829214fb74\n set hashes(f5.policy_creator.tmpl) 06539e08d115efafe55aa507ecb4e443e83bdb1f5825a9514954ef6ca56d240ed00c7b5d67bd8f67b815ee9dd46451984701d058c89dae2434c89715d375a620\n set hashes(f5.service_discovery.tmpl) 4811a95372d1dbdbb4f62f8bcc48d4bc919fa492cda012c81e3a2fe63d7966cc36ba8677ed049a814a930473234f300d3f8bced2b0db63176d52ac99640ce81b\n set hashes(f5.cloud_logger.v1.0.0.tmpl) 64a0ed3b5e32a037ba4e71d460385fe8b5e1aecc27dc0e8514b511863952e419a89f4a2a43326abb543bba9bc34376afa114ceda950d2c3bd08dab735ff5ad20\n set hashes(f5-appsvcs-3.5.1-5.noarch.rpm) ba71c6e1c52d0c7077cdb25a58709b8fb7c37b34418a8338bbf67668339676d208c1a4fef4e5470c152aac84020b4ccb8074ce387de24be339711256c0fa78c8\n\n set file_path [lindex $tmsh::argv 1]\n set file_name [file tail $file_path]\n\n if {![info exists hashes($file_name)]} {\n tmsh::log err \"No hash found for $file_name\"\n exit 1\n }\n\n set expected_hash $hashes($file_name)\n set computed_hash [lindex [exec /usr/bin/openssl dgst -r -sha512 $file_path] 0]\n if { $expected_hash eq 
$computed_hash } {\n exit 0\n }\n tmsh::log err \"Hash does not match for $file_path\"\n exit 1\n }]} {\n tmsh::log err {Unexpected error in verifyHash}\n exit 1\n }\n }\n script-signature Nbpb2UCK1Rcn2WrsZvPhOlXQ7N6CMLcFtjCm+VnfPVYiAONJvsqEOAv8ohgg7yiTV95sL7uwNUwAfxBwzJ1oSXSHBz4/VSMEopvH0+GmdrvHzHFmWT9VOJYm+OMzd/xngMfFZesFrtWcJ9BwhnBcmqVfEv1ueGOPYbXvbz2NuyT8CTNqy4MizzWYhouYqTX8OeTk1ts+nCd+D6fm31xKhUgChx1bw5H6VnuTntbe2kWw5R+KW+Jk2J45EEk4/5rrzYqH9uJhVNegPEPf0QckniILC5WBUPtvOqKoAHxpLgJntnEVzMDnWQdqYoOvtgAKHzYFDFlWZrcsGq7/ywE4vQ==\n signing-key /Common/f5-irule\n}",
"group": "root",
"mode": "000755",
"owner": "root"
},
"/config/waitThenRun.sh": {
"content": {
"Fn::Join": [
"\n",
[
"#!/bin/bash",
"while true; do echo \"waiting for cloud libs install to complete\"",
" if [ -f /config/cloud/cloudLibsReady ]; then",
" break",
" else",
" sleep 10",
" fi",
"done",
"\"$@\""
]
]
},
"group": "root",
"mode": "000755",
"owner": "root"
}
}
}
}
},
"Properties": {
"BlockDeviceMappings": [
{
"DeviceName": "/dev/xvda",
"Ebs": {
"DeleteOnTermination": "true",
"VolumeType": "gp2"
}
},
{
"DeviceName": "/dev/xvdb",
"NoDevice": {}
}
],
"IamInstanceProfile": {
"Ref": "bigipServiceDiscoveryProfile"
},
"ImageId": {
"Fn::If": [
"noCustomImageId",
{
"Fn::FindInMap": [
"BigipRegionMap",
{
"Ref": "AWS::Region"
},
{
"Ref": "imageName"
}
]
},
{
"Ref": "customImageId"
}
]
},
"InstanceType": {
"Ref": "instanceType"
},
"KeyName": {
"Ref": "sshKey"
},
"NetworkInterfaces": [
{
"Description": "Management Interface",
"DeviceIndex": "0",
"NetworkInterfaceId": {
"Ref": "Bigip2ManagementInterface"
}
},
{
"Description": "Public or External Interface",
"DeviceIndex": "1",
"NetworkInterfaceId": {
"Ref": "Bigip2subnet1Az1Interface"
}
},
{
"Description": "Private or Internal Interface",
"DeviceIndex": "2",
"NetworkInterfaceId": {
"Ref": "Bigip2InternalInterface"
}
}
],
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "application"
}
},
{
"Key": "Costcenter",
"Value": {
"Ref": "costcenter"
}
},
{
"Key": "Environment",
"Value": {
"Ref": "environment"
}
},
{
"Key": "Group",
"Value": {
"Ref": "group"
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"Big-IP2: ",
{
"Ref": "AWS::StackName"
}
]
]
}
},
{
"Key": "Owner",
"Value": {
"Ref": "owner"
}
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#!/bin/bash\n",
"/opt/aws/apitools/cfn-init-1.4-0.amzn1/bin/cfn-init -v -s ",
{
"Ref": "AWS::StackId"
},
" -r ",
"Bigip2Instance",
" --region ",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
}
},
"Type": "AWS::EC2::Instance"
},
"Bigip2InternalInterface": {
"Properties": {
"Description": "Internal Interface for the BIG-IP",
"GroupSet": [
{
"Ref": "bigipInternalSecurityGroup"
}
],
"SubnetId": {
"Ref": "subnet2Az1"
}
},
"Type": "AWS::EC2::NetworkInterface"
},
"Bigip2ManagementInterface": {
"Properties": {
"Description": "Management Interface for the BIG-IP",
"GroupSet": [
{
"Ref": "bigipManagementSecurityGroup"
}
],
"SubnetId": {
"Ref": "managementSubnetAz1"
}
},
"Type": "AWS::EC2::NetworkInterface"
},
"Bigip2subnet1Az1Interface": {
"Properties": {
"Description": "Public External Interface for the BIG-IP",
"GroupSet": [
{
"Ref": "bigipExternalSecurityGroup"
}
],
"SecondaryPrivateIpAddressCount": "1",
"SubnetId": {
"Ref": "subnet1Az1"
}
},
"Type": "AWS::EC2::NetworkInterface"
},
"S3Bucket": {
"Properties": {
"AccessControl": "BucketOwnerFullControl"
},
"Type": "AWS::S3::Bucket"
},
"bigipExternalSecurityGroup": {
"Properties": {
"GroupDescription": "Public or external interface rules",
"SecurityGroupIngress": [
{
"CidrIp": {
"Ref": "restrictedSrcAddressApp"
},
"FromPort": "80",
"IpProtocol": "tcp",
"ToPort": "80"
},
{
"CidrIp": {
"Ref": "restrictedSrcAddressApp"
},
"FromPort": "443",
"IpProtocol": "tcp",
"ToPort": "443"
}
],
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "application"
}
},
{
"Key": "Costcenter",
"Value": {
"Ref": "costcenter"
}
},
{
"Key": "Environment",
"Value": {
"Ref": "environment"
}
},
{
"Key": "Group",
"Value": {
"Ref": "group"
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"Bigip External Security Group:",
{
"Ref": "AWS::StackName"
}
]
]
}
},
{
"Key": "Owner",
"Value": {
"Ref": "owner"
}
}
],
"VpcId": {
"Ref": "Vpc"
}
},
"Type": "AWS::EC2::SecurityGroup"
},
"bigipInternalSecurityGroup": {
"Properties": {
"GroupDescription": "Allow All from Intra-VPC only",
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "application"
}
},
{
"Key": "Costcenter",
"Value": {
"Ref": "costcenter"
}
},
{
"Key": "Environment",
"Value": {
"Ref": "environment"
}
},
{
"Key": "Group",
"Value": {
"Ref": "group"
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"Bigip Internal Security Group:",
{
"Ref": "AWS::StackName"
}
]
]
}
},
{
"Key": "Owner",
"Value": {
"Ref": "owner"
}
}
],
"VpcId": {
"Ref": "Vpc"
}
},
"Type": "AWS::EC2::SecurityGroup"
},
"bigipManagementSecurityGroup": {
"Properties": {
"GroupDescription": "BIG-IP management interface policy",
"SecurityGroupIngress": [
{
"CidrIp": {
"Ref": "restrictedSrcAddress"
},
"FromPort": "22",
"IpProtocol": "tcp",
"ToPort": "22"
},
{
"CidrIp": {
"Ref": "restrictedSrcAddress"
},
"FromPort": "443",
"IpProtocol": "tcp",
"ToPort": "443"
}
],
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "application"
}
},
{
"Key": "Costcenter",
"Value": {
"Ref": "costcenter"
}
},
{
"Key": "Environment",
"Value": {
"Ref": "environment"
}
},
{
"Key": "Group",
"Value": {
"Ref": "group"
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"Bigip Management Security Group:",
{
"Ref": "AWS::StackName"
}
]
]
}
},
{
"Key": "Owner",
"Value": {
"Ref": "owner"
}
}
],
"VpcId": {
"Ref": "Vpc"
}
},
"Type": "AWS::EC2::SecurityGroup"
},
"bigipSecurityGroupIngressBigiqLic": {
"Properties": {
"CidrIp": {
"Fn::Join": [
"",
[
{
"Ref": "bigIqAddress"
},
"/32"
]
]
},
"FromPort": "443",
"GroupId": {
"Ref": "bigipManagementSecurityGroup"
},
"IpProtocol": "tcp",
"ToPort": "443"
},
"Type": "AWS::EC2::SecurityGroupIngress"
},
"bigipSecurityGroupIngressConfigSync": {
"Properties": {
"FromPort": "4353",
"GroupId": {
"Ref": "bigipInternalSecurityGroup"
},
"IpProtocol": "tcp",
"SourceSecurityGroupId": {
"Ref": "bigipInternalSecurityGroup"
},
"ToPort": "4353"
},
"Type": "AWS::EC2::SecurityGroupIngress"
},
"bigipSecurityGroupIngressHa": {
"Properties": {
"FromPort": "1026",
"GroupId": {
"Ref": "bigipInternalSecurityGroup"
},
"IpProtocol": "udp",
"SourceSecurityGroupId": {
"Ref": "bigipInternalSecurityGroup"
},
"ToPort": "1026"
},
"Type": "AWS::EC2::SecurityGroupIngress"
},
"bigipSecurityGroupIngressManagmentSame": {
"Properties": {
"FromPort": "443",
"GroupId": {
"Ref": "bigipManagementSecurityGroup"
},
"IpProtocol": "tcp",
"SourceSecurityGroupId": {
"Ref": "bigipManagementSecurityGroup"
},
"ToPort": "443"
},
"Type": "AWS::EC2::SecurityGroupIngress"
},
"bigipServiceDiscoveryAccessRole": {
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
}
}
],
"Version": "2012-10-17"
},
"Path": "/",
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeAddresses",
"ec2:AssociateAddress",
"ec2:DisassociateAddress",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeRouteTables",
"ec2:ReplaceRoute",
"ec2:assignprivateipaddresses",
"sts:AssumeRole"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": {
"Ref": "bigIqPasswordS3Arn"
}
},
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:*:s3:::",
{
"Ref": "S3Bucket"
}
]
]
}
},
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:*:s3:::",
{
"Ref": "S3Bucket"
},
"/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "BigipServiceDiscoveryPolicy"
}
]
},
"Type": "AWS::IAM::Role"
},
"bigipServiceDiscoveryProfile": {
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "bigipServiceDiscoveryAccessRole"
}
]
},
"Type": "AWS::IAM::InstanceProfile"
}
}
}