A comprehensive demonstration Ansible-based solution to quickly build and deploy an application in a public cloud using F5 and NGINX technology
- F5 BIG-IP 14.1.0.3-0.0.6 (or greater) with LTM and ASM modules licensed
- RedHat Ansible 2.8
- Chef Inspec 4.7+
This demo assumes an environment built using http://github.com/mjmenger/terraform-aws-bigip-setup. Connect to the jumphost using the information and credentials provided by the environment build.
The jumphost must be able to connect to your specified BIG-IP. Run the following from within the jumphost to validate configuration and connectivity.
inspec exec demo-setup --input bigip_host=[hostname of bigip] bigip_mgmt_port=[mgmt port of bigip]
- Both the BIG-IP and the Ubuntu server require outbound connectivity to github.com and npmjs.com
- Before connecting to your jumphost, place the private key on the jumphost with the following command (the first path is the key used to authenticate, the second is the file being copied; the key should be readable only by the ubuntu user once it lands on the jumphost)
scp -i <path to privatekeyfile> <path to privatekeyfile> ubuntu@<ubuntuserver>:~/privatekeyfile
- ssh into your jumphost with the following command
ssh -i <path to privatekeyfile> ubuntu@<ubuntuserver>
- prepare the jumphost to run the Ansible playbook with the following commands
git clone https://github.com/aknot242/ansible-uber-demo.git
cp ~/inventory.yml ~/ansible-uber-demo/ansible/inventory.yml
cd ansible-uber-demo
./install-ubuntu-dependencies.sh # This will install the linux dependencies required to run Docker and Ansible.
- run the Ansible playbook with the following command
./deploy.sh
- If you would like to generate traffic to the Juice Shop site, use the following command from the jumphost. The first argument is the destination Virtual Server configured for Juice Shop. The second argument is the number of times the traffic generation script should run.
./run-load.sh http://10.1.10.20 10
- To attack the Juice Shop site scanning for security vulnerabilities, use this example command from the jumphost. The first argument is the destination Virtual Server configured for Juice Shop.
./run-attack.sh http://10.1.10.20
The F5 Automation Toolchain packages used in this project are Application Services 3, Declarative Onboarding and Telemetry Streaming. The default variables in the Ansible playbook are configured to use specific tagged releases for each of these packages. The default values can be seen here. You can also instruct Ansible to fetch the latest release, regardless of tag, using the <package name>_use_latest variable for each package. Pinning to a tagged release is the reproducible choice; fetching the latest release means the code installed on the BIG-IP changes between runs without any change to this repository.
The following is a high-level flow of the steps taken when preparing for and executing this playbook (* denotes steps that are not currently implemented for you):
- Git pull Ansible playbooks *
- Build Ubuntu host *
- Install Ubuntu dependencies
- Build BIG-IPs
  - Install Declarative Onboarding (DO)
  - Install Application Services 3 (AS3)
  - Install Telemetry Streaming (TS)
- Build containers
  - Grafana
    - API call to install GeoLocation map plugin
    - API call to add datasources
    - API call to import JSON dashboard
  - Graphite & StatsD
  - ElasticSearch
    - API call to build the index
    - API call to set the query size and field size
    - API call to set field settings
  - Grafana
- Configure AS3 TS common log entities
- Configure AS3 Juice Shop VS
- Send TS declaration to BIG-IP
- Demo!
  - Send automated requests to the Juice Shop application
  - Execute OWASP ZAP to discover and exploit vulnerabilities in the Juice Shop application
  - Show the working Juice Shop web site
  - Show the Grafana dashboard
The following are the actual steps needed to execute the demo:
- Boot up images
- SSH into the BIG-IP and run the following (this sets a new admin password interactively, so the default password is never left in place)
tmsh
modify auth user admin prompt-for-password
save sys config
quit
- SSH into the Ubuntu server and run the following
git clone https://github.com/aknot242/ansible-uber-demo.git
cd ansible-uber-demo
- Set the BIG-IP admin password in the host vars file (this file then holds a privileged credential: keep it out of version control, or encrypt it with ansible-vault):
nano ansible/host_vars/10.1.1.4.yml
- Run
./install-ubuntu-dependencies.sh
- Run
./deploy.sh
- Run load script:
./run-load.sh http://10.1.10.20 10
- Run attack script:
./run-attack.sh http://10.1.10.20
Variables can be overridden in a number of locations in the playbooks. Primarily, the variables are set in the inventory.yml file. To learn about variable precedence in Ansible, see the user guide.
Variable Name | Description | Required |
---|---|---|
ansible_connection | Connection type used when connecting to the Ubuntu host. | * |
ansible_user | User name with which to log in to the Ubuntu server via SSH. | * |
ansible_become | Determines whether privilege escalation is used while issuing Ansible tasks on the Ubuntu server. | * |
app_server_address | The address assigned to the Juice Shop and Grafana Virtual Server pool members. If the add_ubuntu_interface variable is set to true, this address is also assigned to the eth1 interface of the Ubuntu server. | * |
Variable Name | Description | Required |
---|---|---|
ansible_connection | Instructs Ansible to suppress the use of SSH when connecting to this host. More info here. | * |
app_server_gateway | The gateway address used when creating the additional interface on the Ubuntu server. | |
add_ubuntu_interface | Boolean to add an optional network interface (eth1) to the Ubuntu server using the Netplan role. | |
Variable Name | Description | Required |
---|---|---|
bigip_provider | BIG-IP management connection information. Documented here. | * |
bigip_validate_certs | Determines whether the TLS certificate is validated when connecting to the BIG-IP's management API for the scope of the Ansible plays. Setting this to false disables verification and lets anyone on the management network interpose on the admin session; only do so for a lab BIG-IP that still presents its self-signed default certificate. | * |
bigip_domain | Used when building the FQDN portion of the BIG-IP host name and as the DNS search suffix. | * |
bigip_hostname | Fully qualified host name of the BIG-IP. | * |
bigip_ntp_server | A comma-separated, double-quoted list of NTP servers that the BIG-IP should use. | * |
bigip_ntp_timezone | The name of the NTP timezone. See the TZ database name column on this page for examples. | * |
bigip_dns_server | A quoted IP address of your DNS server. | * |
bigip_dns_search | The DNS search domain. | * |
bigip_external_self_ip | The BIG-IP's self IP address on the external interface. | * |
bigip_internal_self_ip | The BIG-IP's self IP address on the internal interface. | * |
juiceshop_virtual_address | The IP address of the Juice Shop Virtual Server that will be created. | * |
grafana_virtual_address | The IP address of the Grafana Virtual Server that will be created. | * |
log_pool | The IP address of the Virtual Server and logging pool that the LTM Request Policy and ASM logs will target. Use an address on the internal network, since it does not need to be reachable publicly. | * |
bigip_license | The license key for the BIG-IP. If not specified, the BIG-IP will not be licensed when the playbook runs. | |
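To show how the variables in the three tables fit together, the following is an added example inventory.yml; it is not the project's own file (that one is produced by the environment build and copied into place in the setup steps). The group names `ubuntu` and `bigips`, the `vault_bigip_password` variable, the `bigip_provider` keys (`server`, `server_port`, `user`, `password`, `validate_certs`, the connection dictionary used by the F5 Ansible modules) and every address other than 10.1.1.4 (the Ubuntu host from the host_vars step) and 10.1.10.20 (the Juice Shop Virtual Server from the load and attack commands) are assumptions.

```yaml
# Added example inventory.yml for this demo; not the project's own file.
# Group names, vault_bigip_password and all addresses except 10.1.1.4 and
# 10.1.10.20 are assumptions; the quoting of the NTP and DNS values follows
# the variable table above.
all:
  children:
    ubuntu:
      hosts:
        10.1.1.4:
          ansible_connection: ssh
          ansible_user: ubuntu
          ansible_become: true
          # Pool member address for the Juice Shop and Grafana virtual servers;
          # with add_ubuntu_interface it is also placed on eth1 by the Netplan role.
          app_server_address: 10.1.20.10
          app_server_gateway: 10.1.20.1
          add_ubuntu_interface: true
    bigips:
      hosts:
        bigip1.example.com:
          # The F5 modules call the management REST API from the control node,
          # so no SSH session is opened to the BIG-IP itself.
          ansible_connection: local
          bigip_validate_certs: true
          bigip_provider:
            server: 10.1.1.245
            server_port: 443
            user: admin
            # The admin password is the one set with "modify auth user admin
            # prompt-for-password"; keep it in an ansible-vault encrypted file
            # (for example host_vars/bigip1.example.com.yml), never in clear text here.
            password: "{{ vault_bigip_password }}"
            validate_certs: "{{ bigip_validate_certs }}"
          bigip_domain: example.com
          bigip_hostname: bigip1.example.com
          bigip_ntp_server: '"0.pool.ntp.org", "1.pool.ntp.org"'
          bigip_ntp_timezone: UTC
          bigip_dns_server: '"10.1.1.2"'
          bigip_dns_search: example.com
          bigip_external_self_ip: 10.1.10.245
          bigip_internal_self_ip: 10.1.20.245
          juiceshop_virtual_address: 10.1.10.20
          grafana_virtual_address: 10.1.10.21
          # Logging target on the internal network; it never needs to be
          # reachable from outside.
          log_pool: 10.1.20.250
          # bigip_license: XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX   # omit to leave the BIG-IP unlicensed
```

Encrypt the file holding `vault_bigip_password` with `ansible-vault encrypt <file>` and supply the vault password to ansible-playbook (for example with `--ask-vault-pass`; check how deploy.sh invokes ansible-playbook to see where to add it). Keeping `bigip_validate_certs` at true and pointing `log_pool` at the internal self IP's network are the two settings in this file that matter most for the BIG-IP's exposure.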
- Thanks to mrlesmithjr for his Netplan Ansible Role