diff --git a/README.md b/README.md
index 532dc61..b4743e6 100644
--- a/README.md
+++ b/README.md
@@ -1,337 +1,183 @@
-# Deploying the Secure Azure Cloud Architecture BIG-IP VE - ConfigSync Cluster (Active/Active): 3 NIC
-
-[](https://f5cloudsolutions.herokuapp.com)
-
-## Contents
-
-- [CHANGELOG](CHANGELOG.md)
-- [Introduction](#introduction)
-- [What is SCCA](#what-is-secure-cloud-computing-architecture)
-- [What is Included](#what-is-included-in-this-template)
-- [Prerequisites](#prerequisites)
-- [Important Configuration Notes](#important-configuration-notes)
-- [Security](#security)
-- [Getting Help](#help)
-- [Installation](#installation)
-- [Configuration Example](#configuration-example)
-- [Service Discovery](#service-discovery)
+# F5 & Azure Secure Cloud Computing Architecture
+
+
+
+- [F5 & Azure Secure Cloud Computing Architecture](#f5--azure-secure-cloud-computing-architecture)
+ - [Introduction](#introduction)
+ - [Prerequisites](#prerequisites)
+ - [Important configuration notes](#important-configuration-notes)
+ - [Variables](#variables)
+ - [Requirements](#requirements)
+ - [Providers](#providers)
+ - [Inputs](#inputs)
+ - [Outputs](#outputs)
+ - [Deployment](#deployment)
+ - [Docker](#docker)
+ - [Destruction](#destruction)
+ - [Docker](#docker-1)
+ - [Development](#development)
+
+
## Introduction
-This README will provide a baseline introduction into the Secure Cloud Computing Architecture (SCCA), Infrastructure as Code (IaC), and summarize a portion of the guidance to comply with the guidance provided. Links will be provided for more in-depth explanations.
-
-## What is Secure Cloud Computing Architecture (SCCA)
+Moving to the Cloud can be tough. The Department of Defense (DoD) has requirements to protect the Defense Information System Networks (DISN) and DoD Information Networks (DoDIN), even for workloads residing in a Cloud Service Provider (CSP). Per the SCCA Functional Requirements Document, the purpose of SCCA is to provide a barrier of protection between the DISN and commercial cloud services used by the DoD.
-Moving to the Cloud can be tough. The Department of Defense (DoD) still has requirements to protect the Defense Information System Networks (DISN) and DoD Information Networks (DoDIN), even when living in a Cloud Service Provider (CSP). Per the SCCA Functional Requirements Document, the purpose of SCCA is to provide a barrier of protection between the DISN and commercial cloud services used by the DoD.
+“It specifically addresses attacks originating from mission applications that reside within the Cloud Service Environment (CSE) upon both the DISN infrastructure and neighboring tenants in a multi-tenant environment. It provides a consistent CSP independent level of security that enables the use of commercially available Cloud Service Offerings (CSO) for hosting DoD mission applications operating at all DoD Information System Impact Levels (i.e. 2, 4, 5, & 6).” * [https://iasecontent.disa.mil/stigs/pdf/SCCA_FRD_v2-9.pdf](https://iasecontent.disa.mil/stigs/pdf/SCCA_FRD_v2-9.pdf)
-“It specifically addresses attacks originating from mission applications that reside within the Cloud Service Environment (CSE) upon both the DISN infrastructure and neighboring tenants in a multi-tenant environment. It provides a consistent CSP independent level of security that enables the use of commercially available Cloud Service Offerings (CSO) for hosting DoD mission applications operating at all DoD Information System Impact Levels (i.e. 2, 4, 5, & 6).” [https://iasecontent.disa.mil/stigs/pdf/SCCA_FRD_v2-9.pdf](https://iasecontent.disa.mil/stigs/pdf/SCCA_FRD_v2-9.pdf)
+This solution uses Terraform to launch a Single Tiered or Three Tier deployment of three NIC cloud-focused BIG-IP VE cluster(s) (Active/Standby) in Microsoft Azure. This is the standard cloud design where the BIG-IP VE instance is running with three interfaces, where both management and data plane traffic is segregated.
-## What is included in this template
+The BIG-IP VEs have the following features / modules enabled:
-The BIG-IP VE cluster is deployed with Local Traffic Manager (LTM), Application Security Manager (ASM), Advanced Firewall Manager (AFM), Protocol Security (APS), and IP Intelligence (IPI) features enabled by default.
+- [Local / Global Availability](https://f5.com/products/big-ip/local-traffic-manager-ltm)
-- Note that the PAYG version does not deploy IPS nor IPI feature sets. A paremeter has been created to allow modified module provisioning, but this can cause the default AS3 provided to fail to deploy.
+- [Firewall](https://www.f5.com/products/security/advanced-firewall-manager)
+ - Firewall with Intrusion Protection and IP Intelligence only available with BYOL deployments today.
-**Networking Stack Type:** This solution deploys into a new networking stack, which is created along with the solution.
+- [Web Application Firewall](https://www.f5.com/products/security/advanced-waf)
## Prerequisites
- **Important**: When you configure the admin password for the BIG-IP VE in the template, you cannot use the character **#**. Additionally, there are a number of other special characters that you should avoid using for F5 product user accounts. See [K2873](https://support.f5.com/csp/article/K2873) for details.
-- **Licensing**: If using a BYOL license ensure that you have an **unused** VE Best with IPI and IPS addons. The system will not provision with this template without the proper license.
-
-## Important configuration notes **Read All**
-
-- All F5 ARM templates include Application Services 3 Extension (AS3) v3.16.0 on the BIG-IP VE. As of release 4.1.2, all supported templates give the option of including the URL of an AS3 declaration, which you can use to specify the BIG-IP configuration you want on your newly created BIG-IP VE(s). In templates such as autoscale, where an F5-recommended configuration is deployed by default, specifying an AS3 declaration URL will override the default configuration with your declaration. See the [AS3 documentation](https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.16.0/) for details on how to use AS3.
-- There are new options for BIG-IP license bundles, including Per App VE LTM, Advanced WAF, and Per App VE Advanced WAF. See the [the version matrix](https://github.com/F5Networks/f5-azure-arm-templates/blob/master/azure-bigip-version-matrix.md) for details and applicable templates.
-- You have the option of using a password or SSH public key for authentication. If you choose to use an SSH public key and want access to the BIG-IP web-based Configuration utility, you must first SSH into the jumphost, then the BIG-IP VE using the SSH key you provided in the template. You can then create a user account with admin-level permissions on the BIG-IP VE to allow access if necessary.
-- See the important note about [optionally changing the BIG-IP Management port](#changing-the-big-ip-configuration-utility-gui-port).
-- This template supports service discovery. See the [Service Discovery section](#service-discovery) for details.
-- This template can send non-identifiable statistical information to F5 Networks to help us improve our templates. See [Sending statistical information to F5](#sending-statistical-information-to-f5).
-- This template can be used to create the BIG-IP(s) using a local VHD or Microsoft.Compute image, please see the **customImage** parameter description for more details.
-- In order to pass traffic from your clients to the servers, after launching the template, you must create virtual server(s) on the BIG-IP VE. See [Creating a virtual server](#creating-virtual-servers-on-the-big-ip-ve).
-- F5 ARM templates now capture all deployment logs to the BIG-IP VE in **/var/log/cloud/azure**. Depending on which template you are using, this includes deployment logs (stdout/stderr), f5-cloud-libs execution logs, recurring solution logs (failover, metrics, and so on), and more.
-- Supported F5 ARM templates do not reconfigure existing Azure resources, such as network security groups. Depending on your configuration, you may need to configure these resources to allow the BIG-IP VE(s) to receive traffic for your application. Similarly, templates that deploy Azure load balancer(s) do not configure load balancing rules or probes on those resources to forward external traffic to the BIG-IP(s). You must create these resources after the deployment has succeeded.
-- See the **[Configuration Example](#configuration-example)** section for a configuration diagram and description for this solution.
-- This template has some optional post-deployment configuration. See the [Post-Deployment Configuration section](#post-deployment-configuration) for details.
-- **NEW:** Beginning with release 5.3.0.0, the BIG-IP image names have changed (previous options were Good, Better, and Best). Now you choose a BIG-IP VE image based on whether you need [LTM](https://www.f5.com/products/big-ip-services/local-traffic-manager) only (name starts with **LTM**) or All modules (image name starts with **All**) available (including [WAF](https://www.f5.com/products/security/advanced-waf), [AFM](https://www.f5.com/products/security/advanced-firewall-manager), etc.), and if you need 1 or 2 boot locations. Use 2 boot locations if you expect to upgrade the BIG-IP VE in the future. If you do not need room to upgrade (if you intend to create a new instance when a new version of BIG-IP VE is released), use an image with 1 boot location. See this [Matrix](https://clouddocs.f5.com/cloud/public/v1/matrix.html#microsoft-azure) for recommended Azure instance types. See the Supported BIG-IP Versions table for the available options for different BIG-IP versions.
-- **IMPORTANT:** If you customize the Management subnet, the ARM and the AS3 will need to be customized appropriately. The linux jumpbox automatically adds 50 to the start IP, and Windows Jumpbox adds 51. It is recommended that you fork the repo, edit the AS3, and point your ARM config to the new location. Or Deploy as is and change configuration after everything is up and running.
-
-## Security
-
-This ARM template downloads helper code to configure the BIG-IP system. If you want to verify the integrity of the template, you can open the template and ensure the following lines are present. See [Security Detail](#security-details) for the exact code.
-In the *variables* section:
-
-- In the *verifyHash* variable: **script-signature** and then a hashed signature.
-- In the *installCloudLibs* variable: **tmsh load sys config merge file /config/verifyHash**.
-- In the *installCloudLibs* variable: ensure this includes **tmsh run cli script verifyHash /config/cloud/f5-cloud-libs.tar.gz**.
-
-Additionally, F5 provides checksums for all of our supported templates. For instructions and the checksums to compare against, see [checksums-for-f5-supported-cft-and-arm-templates-on-github](https://devcentral.f5.com/codeshare/checksums-for-f5-supported-cft-and-arm-templates-on-github-1014).
-
-## Supported BIG-IP versions
-
-The following is a map that shows the available options for the template parameter **bigIpVersion** as it corresponds to the BIG-IP version itself. Only the latest version of BIG-IP VE is posted in the Azure Marketplace. For older versions, see downloads.f5.com.
-
-14.1.20000 is currently the default version.
-
-15.0.10000 is available as an option for customers that need HPVE or Accelerated Networking.
-
-## Supported instance types and hypervisors
-
-- For a list of supported Azure instance types for this solution, see the [Azure instances for BIG-IP VE](http://clouddocs.f5.com/cloud/public/v1/azure/Azure_singleNIC.html#azure-instances-for-big-ip-ve).
-
-- For a list of versions of the BIG-IP Virtual Edition (VE) and F5 licenses that are supported on specific hypervisors and Microsoft Azure, see [supported-hypervisor-matrix](https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ve-supported-hypervisor-matrix.html).
-
-### Community Help
-
-We encourage you to use our [Slack channel](https://f5cloudsolutions.herokuapp.com) for discussion and assistance on F5 ARM templates. There are F5 employees who are members of this community who typically monitor the channel Monday-Friday 9-5 PST and will offer best-effort assistance. This slack channel community support should **not** be considered a substitute for F5 Technical Support for supported templates. See the [Slack Channel Statement](https://github.com/F5Networks/f5-azure-arm-templates/blob/master/slack-channel-statement.md) for guidelines on using this channel.
-
-## Installation
-
-You have three options for deploying this solution:
-
-- Using the Azure deploy buttons
-
-### SACAv2 Azure Government deploy buttons
-
-Use the appropriate button below to deploy:
-
-- **1 Tier** This deploys the 3-NIC 1 Tier use-case.
- - **BYOL** (bring your own license): This allows you to use an existing BIG-IP license.
-
- [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ff5devcentral%2Ff5-azure-saca%2Fmaster%2FSACAv2%2F3NIC_1Tier_HA%2Fbyol%2FazureDeploy.json)
-
- - **PAYG** (Pay as you Go): This allows you to use marketplace licensing.
-
- [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ff5devcentral%2Ff5-azure-saca%2Fmaster%2FSACAv2%2F3NIC_1Tier_HA%2Fpayg%2FazureDeploy.json)
-
- - **BIG-IQ** (BIG-IQ Licensed): This allows you to use BIG-IQ licensing.
-
- [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ff5devcentral%2Ff5-azure-saca%2Fmaster%2FSACAv2%2F3NIC_1Tier_HA%2Fbigiq%2FazureDeploy.json)
-
-- **3 Tier** This deploys the standard F5 "Firewall Sandwich" use-case, with an IPS tier.
- - **BYOL** (bring your own license): This allows you to use an existing BIG-IP license.
-
- [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ff5devcentral%2Ff5-azure-saca%2Fmaster%2FSACAv2%2F3NIC_3Tier_HA%2Fbyol%2FazureDeploy.json)
-
- - **PAYG** (Pay as you Go): This allows you to use marketplace licensing.
-
- [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ff5devcentral%2Ff5-azure-saca%2Fmaster%2FSACAv2%2F3NIC_3Tier_HA%2Fpayg%2FazureDeploy.json)
-
- - **BIG-IQ** (BIG-IQ Licensed): This allows you to use BIG-IQ licensing.
-
- [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ff5devcentral%2Ff5-azure-saca%2Fmaster%2FSACAv2%2F3NIC_3Tier_HA%2Fbigiq%2FazureDeploy.json)
-
-### SACAv2 Azure Commercial deploy buttons
-
-Use the appropriate button below to deploy:
-
-- **1 Tier** This deploys the 3-NIC 1 Tier use-case.
- - **BYOL** (bring your own license): This allows you to use an existing BIG-IP license.
-
- [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ff5devcentral%2Ff5-azure-saca%2Fmaster%2FSACAv2%2F3NIC_1Tier_HA%2Fbyol%2FazureDeploy.json)
-
- - **PAYG** (Pay as you Go): This allows you to use marketplace licensing.
-
- [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ff5devcentral%2Ff5-azure-saca%2Fmaster%2FSACAv2%2F3NIC_1Tier_HA%2Fpayg%2FazureDeploy.json)
-
- - **BIG-IQ** (BIG-IQ Licensed): This allows you to use BIG-IQ licensing.
-
- [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ff5devcentral%2Ff5-azure-saca%2Fmaster%2FSACAv2%2F3NIC_1Tier_HA%2Fbigiq%2FazureDeploy.json)
-
-- **3 Tier** This deploys the standard F5 "Firewall Sandwich" use-case, with an IPS tier.
- - **BYOL** (bring your own license): This allows you to use an existing BIG-IP license.
-
- [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ff5devcentral%2Ff5-azure-saca%2Fmaster%2FSACAv2%2F3NIC_3Tier_HA%2Fbyol%2FazureDeploy.json)
-
- - **PAYG** (Pay as you Go): This allows you to use marketplace licensing.
-
- [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ff5devcentral%2Ff5-azure-saca%2Fmaster%2FSACAv2%2F3NIC_3Tier_HA%2Fpayg%2FazureDeploy.json)
-
- - **BIG-IQ** (BIG-IQ Licensed): This allows you to use BIG-IQ licensing.
-
- [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ff5devcentral%2Ff5-azure-saca%2Fmaster%2FSACAv2%2F3NIC_3Tier_HA%2Fbigiq%2FazureDeploy.json)
-
-### Template parameters
-
-| Parameter | Required | Description |
-| --- | --- | --- |
-| adminUsername | Yes | User name for the Virtual Machine. |
-| authenticationType | Yes | Type of authentication to use on the Virtual Machine, password based authentication or key based authentication. |
-| adminPasswordOrKey | Yes | Password or SSH public key to login to the Virtual Machine. Note: There are a number of special characters that you should avoid using for F5 product user accounts. See [K2873](https://support.f5.com/csp/article/K2873) for details. Note: If using key-based authentication, this should be the public key as a string, typically starting with **---- BEGIN SSH2 PUBLIC KEY ----** and ending with **---- END SSH2 PUBLIC KEY ----**. |
-| WindowsAdminPassword | Yes | Password to login to the Windows Virtual Machine. |
-| declarationUrl | Yes | URL for the AS3 [https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.5.1/](https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.5.1/) declaration JSON file to be deployed. Leave as **NOT_SPECIFIED** to deploy without a service configuration. |
-| dnsLabel | Yes | Unique DNS Name for the Public IP address used to access the Virtual Machine. |
-| instanceName | Yes | Name of the Virtual Machine. |
-| instanceType | Yes | Instance size of the Virtual Machine. |
-| licenseKey1 | Yes | The license token for the F5 BIG-IP VE (BYOL). |
-| licenseKey2 | Yes | The license token for the F5 BIG-IP VE (BYOL). This field is required when deploying two or more devices. |
-| ntpServer | Yes | Leave the default NTP server the BIG-IP uses, or replace the default NTP server with the one you want to use. |
-| numberOfExternalIps | Yes | The number of public/private IP addresses you want to deploy for the application traffic (external) NIC on the BIG-IP VE to be used for virtual servers. |
-| restrictedSrcAddress | Yes | This field restricts management access to a specific network or address. Enter an IP address or address range in CIDR notation, or asterisk for all sources |
-| timeZone | Yes | If you would like to change the time zone the BIG-IP uses, enter the time zone you want to use. This is based on the tz database found in /usr/share/zoneinfo (see the full list [here](https://github.com/F5Networks/f5-azure-arm-templates/blob/master/azure-timezone-list.md)). Example values: UTC, US/Pacific, US/Eastern, Europe/London or Asia/Singapore. |
-| vnetAddressPrefix | Yes | The start of the CIDR block the BIG-IP VEs use when creating the Vnet and subnets. You MUST type just the first two octets of the /16 virtual network that will be created, for example '10.0', '10.100', 192.168'. |
-
-### Programmatic deployments
+- This template requires a service principal, one will be created in the provided script at ./prepare/setupAzureGovVars_local.sh.
+ - **Important** For gov cloud deployments its important to run this script to prepare your environment, whether local or Azure Cloud CLI based. There are extra env variables that ned to be passed by TF to Gov Cloud Regions.
+- This deployment will be using the Terraform Azurerm provider to build out all the neccessary Azure objects. Therefore, Azure CLI is required. for installation, please follow this [Microsoft link](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-apt?view=azure-cli-latest)
+- If this is the first time to deploy the F5 image, the subscription used in this deployment needs to be enabled to programatically deploy. For more information, please refer to [Configure Programatic Deployment](https://azure.microsoft.com/en-us/blog/working-with-marketplace-images-on-azure-resource-manager/)
+- You need to set your region and log in to azure ahead of time, the scripts will map your authenitcation credentials and create a service principle, so you will not need to hardcode any credentials in the files.
+
+## Important configuration notes
+
+- All variables are configured in variables.tf
+- **MOST** STIG / SRG configurations settings have been addressed in the Declarative Onboarding and Application Services templates used in this example.
+- An Example application is optionally deployed with this template. The example appliation includes several apps running in docker on the host:
+ - Juiceshop on port 3000
+ - F5 Demo app by Eric Chen on ports 80 and 443
+ - rsyslogd with PimpMyLogs on port 808
+ - **Note** Juiceshop and PimpMyLogs URLS are part of the terraform output when deployed.
+- All Configuration should happen at the root level; auto.tfvars or variables.tf.
+
+## Variables
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | ~> 0.13 |
+| azurerm | ~> 2.30.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| azurerm | ~> 2.30.0 |
+
+## Inputs
+
+| Name | Description | Type | Default |
+|------|-------------|------|---------|
+| projectPrefix | REQUIRED: Prefix to prepend to all objects created, minus Windows Jumpbox | `string` | `"bedfe9a3"` |
+| adminUserName | REQUIRED: Admin Username for All systems | `string` | `"xadmin"` |
+| adminPassword | REQUIRED: Admin Password for all systems | `string` | `"pleaseUseVault123!!"` |
+| location | REQUIRED: Azure Region: usgovvirginia, usgovarizona, etc | `string` | `"usgovvirginia"` |
+| region | Azure Region: US Gov Virginia, US Gov Arizona, etc | `string` | `"US Gov Virginia"` |
+| deploymentType | REQUIRED: This determines the type of deployment; one tier versus three tier: one\_tier, three\_tier | `string` | `"one_tier"` |
+| deployDemoApp | OPTIONAL: Deploy Demo Application with Stack. Recommended to show functionality. Options: deploy, anything else. | `string` | `"deploy"` |
+| sshPublicKey | OPTIONAL: ssh public key for instances | `string` | `""` |
+| sshPublicKeyPath | OPTIONAL: ssh public key path for instances | `string` | `"/mykey.pub"` |
+| cidr | REQUIRED: VNET Network CIDR | `string` | `"10.90.0.0/16"` |
+| subnets | REQUIRED: Subnet CIDRs | `map(string)` | { |
+| f5\_mgmt | F5 BIG-IP Management IPs. These must be in the management subnet. | `map(string)` | { |
+| f5\_t1\_ext | Tier 1 BIG-IP External IPs. These must be in the external subnet. | `map(string)` | { |
+| f5\_t1\_int | Tier 1 BIG-IP Internal IPs. These must be in the internal subnet. | `map(string)` | { |
+| f5\_t3\_ext | Tier 3 BIG-IP External IPs. These must be in the waf external subnet. | `map(string)` | { |
+| f5\_t3\_int | Tier 3 BIG-IP Internal IPs. These must be in the waf internal subnet. | `map(string)` | { |
+| internalILBIPs | REQUIRED: Used by One and Three Tier. Azure internal load balancer ips, these are used for ingress and egress. | `map(string)` | `{}` |
+| ilb01ip | REQUIRED: Used by One and Three Tier. Azure internal load balancer ip, this is used as egress, must be in internal subnet. | `string` | `"10.90.2.10"` |
+| ilb02ip | REQUIRED: Used by Three Tier only. Azure waf external load balancer ip, this is used as egress, must be in waf\_ext subnet. | `string` | `"10.90.6.10"` |
+| ilb03ip | REQUIRED: Used by Three Tier only. Azure waf external load balancer ip, this is used as ingress, must be in waf\_ext subnet. | `string` | `"10.90.6.13"` |
+| ilb04ip | REQUIRED: Used by Three Tier only. Azure waf external load balancer ip, this is used as ingress, must be in inspect\_external subnet. | `string` | `"10.90.4.13"` |
+| app01ip | OPTIONAL: Example Application used by all use-cases to demonstrate functionality of deploymeny, must reside in the application subnet. | `string` | `"10.90.10.101"` |
+| ips01ext | Example IPS private ips | `string` | `"10.90.4.4"` |
+| ips01int | n/a | `string` | `"10.90.5.4"` |
+| ips01mgmt | n/a | `string` | `"10.90.0.8"` |
+| winjumpip | REQUIRED: Used by all use-cases for RDP/Windows Jumpbox, must reside in VDMS subnet. | `string` | `"10.90.3.98"` |
+| linuxjumpip | REQUIRED: Used by all use-cases for SSH/Linux Jumpbox, must reside in VDMS subnet. | `string` | `"10.90.3.99"` |
+| instanceType | BIGIP Instance Type, DS5\_v2 is a solid baseline for BEST | `string` | `"Standard_DS5_v2"` |
+| jumpinstanceType | Be careful which instance type selected, jump boxes currently use Premium\_LRS managed disks | `string` | `"Standard_B2s"` |
+| appInstanceType | Demo Application Instance Size | `string` | `"Standard_DS3_v2"` |
+| image\_name | REQUIRED: BIG-IP Image Name. 'az vm image list --output table --publisher f5-networks --location [region] --offer f5-big-ip --all' Default f5-bigip-virtual-edition-1g-best-hourly is PAYG Image. For BYOL use f5-big-all-2slot-byol | `string` | `"f5-bigip-virtual-edition-1g-best-hourly"` |
+| product | REQUIRED: BYOL = f5-big-ip-byol, PAYG = f5-big-ip-best | `string` | `"f5-big-ip-best"` |
+| bigip\_version | REQUIRED: BIG-IP Version, 14.1.2 for Compliance. Options: 12.1.502000, 13.1.304000, 14.1.206000, 15.0.104000, latest. Note: verify available versions before using as images can change. | `string` | `"14.1.202000"` |
+| licenses | BIGIP Setup Licenses are only needed when using BYOL images | `map(string)` | { |
+| hosts | n/a | `map(string)` | { |
+| dns\_server | REQUIRED: Default is set to Azure DNS. | `string` | `"168.63.129.16"` |
+| asm\_policy | REQUIRED: ASM Policy. Examples: https://github.com/f5devcentral/f5-asm-policy-templates. Default: OWASP Ready Autotuning | `string` | `"https://raw.githubusercontent.com/f5devcentral/f5-asm-policy-templates/master/owasp_ready_template/owasp-auto-tune-v1.1.xml"` |
+| ntp\_server | n/a | `string` | `"time.nist.gov"` |
+| timezone | n/a | `string` | `"UTC"` |
+| onboard\_log | n/a | `string` | `"/var/log/startup-script.log"` |
+| tags | Environment tags for objects | `map(string)` | { |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| DemoApplication\_443 | Public IP for applications. Https for example app, RDP for Windows Jumpbox, SSH for Linux Jumpbox |
+| rSyslogdHttp\_8080 | Public IP for applications. Https for example app, RDP for Windows Jumpbox, SSH for Linux Jumpbox |
+| tier\_one | One Tier Outputs: VM IDs, VM Mgmt IPs, VM External Private IPs |
+| tier\_three | Three Tier Outputs: VM IDs, VM Mgmt IPs, VM External Private IPs |
+
+
+
+## Deployment
+
+For deployment you can do the traditional terraform commands or use the provided scripts.
-As an alternative to deploying through the Azure Portal (GUI) each solution provides example scripts to deploy the ARM template. The example commands can be found below along with the name of the script file, which exists in the current directory.
-
-#### PowerShell Script Example
-
-```powershell
-## Example Command: .\Deploy_via_PS.ps1 -adminUsername azureuser -authenticationType password -adminPasswordOrKey -dnsLabel -instanceName bigip -instanceType Standard_DS3_v2 -imageName AllTwoBootLocations -bigIpVersion 13.1.100000 -licenseKey1 -licenseKey2 -numberOfExternalIps 1 -vnetAddressPrefix 10.0 -enableNetworkFailover Yes -internalLoadBalancerType Per-protocol -internalLoadBalancerProbePort 3456 -declarationUrl NOT_SPECIFIED -ntpServer 0.pool.ntp.org -timeZone UTC -customImage OPTIONAL -allowUsageAnalytics Yes -resourceGroupName
+```bash
+terraform init
+terraform plan
+terraform apply
```
-=======
-
-#### Azure CLI (1.0) Script Example
+OR
```bash
-## Example Command: ./deploy_via_bash.sh --adminUsername azureuser --authenticationType password --adminPasswordOrKey --dnsLabel --instanceName bigip --instanceType Standard_DS3_v2 --imageName AllTwoBootLocations --bigIpVersion 13.1.100000 --licenseKey1 --licenseKey2 --numberOfExternalIps 1 --vnetAddressPrefix 10.0 --enableNetworkFailover Yes --internalLoadBalancerType Per-protocol --internalLoadBalancerProbePort 3456 --declarationUrl NOT_SPECIFIED --ntpServer 0.pool.ntp.org --timeZone UTC --customImage OPTIONAL --allowUsageAnalytics Yes --resourceGroupName --azureLoginUser --azureLoginPassword
+./demo.sh
```
-## Configuration Example
-
-The following is an example configuration diagram for this solution deployment. In this scenario, all access to the BIG-IP VE cluster (Active/Active) is through an ALB.
-
-
-
-## Post-Deployment Configuration
-
-Use this section for optional configuration changes after you have deployed the template.
-
-### Public IP addresses
-
-This ARM template supports using up to 1 public IP addresses. After you initially deployed the template, you can add desired number of Public IP addresses via the Azure Portal.
-
-### Service Discovery
-
-Once you launch your BIG-IP instance using the ARM template, you can use the Service Discovery iApp template on the BIG-IP VE to automatically update pool members based on auto-scaled cloud application hosts. In the iApp template, you enter information about your cloud environment, including the tag key and tag value for the pool members you want to include, and then the BIG-IP VE programmatically discovers (or removes) members using those tags. See our [Service Discovery video](https://www.youtube.com/watch?v=ig_pQ_tqvsI) to see this feature in action.
-
-#### Tagging
-
-In Microsoft Azure, you have three options for tagging objects that the Service Discovery iApp uses. Note that you select public or private IP addresses within the iApp.
-
-- *Tag a VM resource*
-# Chris Houseknecht,
-#
-# This file is part of Ansible
-#
-# Ansible is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# Ansible is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Ansible. If not, see F5 Cloud Logging and Analytics iApp
-
-This template creates a set of configuration objects to enable logging and analytics to external solutions
- }
- implementation {
- ## Define some proc(s) for use in implementation
- proc tmsh_exe { command } {
- puts $command
- exec /usr/bin/tmsh -c $command
- }
- proc format_jsonlist { input } {
- regsub -all "\"|\\\]|\\\[|\n" $input "" input
- regsub -all "," $input " " input
- return $input
- }
- proc format_poolmembers {input} {
- set poolmembers ""
- set dataset [split [format_jsonlist $input] " "]
- foreach item $dataset {
- set member [split $item ":"]
- # Check to see if this is an IP or FQDN
- if {[regexp {^((([2][5][0-5]|([2][0-4]|[1][0-9]|[0-9])?[0-9])\.){3})([2][5][0-5]|([2][0-4]|[1][0-9]|[0-9])?[0-9])$} [lindex $member 0]]} {
- append poolmembers "mbr-$item \{ address [lindex $member 0] \}"
- } else {
- # Must be FQDN - let tmsh do validation
- append poolmembers "mbr-$item \{ fqdn \{ autopopulate enabled name [lindex $member 0] \} \}"
- }
- }
- return $poolmembers
- }
- proc format_req_logging {input} {
- # Format the input as key/value pairs in the same format as "Splunk" on the BIG-IP
- set req_template EVENT_SOURCE=\\\"request_logging\\\",BIGIP_HOSTNAME=\\\"\$BIGIP_HOSTNAME\\\"
- foreach item $input {
- append req_template ,${item}=\\\"\$${item}\\\"
- }
- return $req_template
- }
-
- package require iapp 1.3.0
- iapp::template start
-
- ######## Start iRules Declaration ########
- ######## Format iRule ########
- set format_ir {
-proc format_msg msg {
- set mgmt_hostname
- set mgmt_port
- set date [clock format [clock seconds] -format "%a, %d %b %Y %H:%M:%S GMT"]
- # If ASM strip up to ASM:unit from start
- if {[set asm [string first "ASM:unit" $msg]] >= 0}{
- set msg [string range $msg $asm [string length $msg]]
- set msg "\"${msg}"
- regsub -all "=\"" $msg "\":\"" msg
- regsub -all "\"," $msg "\",\"" msg
-
- # extract all the info we need to send
- if {[string first "support_id" $msg] >= 0} {
- set supportid [findstr $msg "support_id" 13 "\""]
- } else {
- set supportid "N/A"
- }
- # set remediation link if support ID exists
- set remediation_link "https://[expr { $supportid ne "N/A" ? "" : "N/A" }]"
-
- set final_msg "\[\{\"time\":\"$date\",\"host\":\"$static::tcl_platform(machine)\",\"logSource\":\"ASM\",\"bigipVersion\":\"$static::tcl_platform(osVersion)\",\"remediationLink\":\"$remediation_link\",$msg\}\]"
- } else {
- # Attempt to format message as JSON and send along
- set msg "\"${msg}"
- regsub -all "=\"" $msg "\":\"" msg
- regsub -all "\"," $msg "\",\"" msg
- set final_msg "\[\{\"time\":\"$date\",\"host\":\"$static::tcl_platform(machine)\",\"logSource\":\"BIGIP\",\"bigipVersion\":\"$static::tcl_platform(osVersion)\",$msg\}\]"
- }
-
- return $final_msg
-}
-proc configure_auth {final_msg key secret date host region} {
- # Handle Creation of Authentication Token
-
- return $signed_string
-}
-proc logger {msg level} {
- # Generic logger with level to determine what to log
- # If level is higher than what is set by user then log, otherwise not
- # Levels are 0=debug, 1=info, 2=error
- set loglevel
- if {$level < $loglevel} { return }
- # Syslog facility is limited to 1024 characters, anything longer is truncated in the logs
- # Loop through and log each chunk of the msg
- set max_chars 900
- set remaining $msg
- set count 1
- if {[string length $remaining] < $max_chars}{
- # no need to chunk if total msg is less than max_chars
- log local0.info "$msg"
- return
- }
- while {[string length $remaining] > $max_chars}{
- # Get the current chunk to log
- set current [string range $remaining 0 [expr { $max_chars - 1}]]
- log local0.info "chunk ${count}=${current}"
- # Get the next chunk to log
- set remaining [string range $remaining $max_chars end]
- incr count
- }
- if {[string length $remaining]}{
- log local0.info "chunk ${count}=${remaining}"
- }
- return
-}
-when RULE_INIT {
- # SOL14544 workaround
- upvar #0 tcl_platform static::tcl_platform
-}
-
-when CLIENT_ACCEPTED {
- # Base variables
- set ctx(log_type)
- # Construct full path to API endpoint
- set ctx(customer_id) ""
- set ctx(host) ""
- set ctx(full_path) ""
- # Need to put this somewhere less visible
- set ctx(key) ""
- set ctx(secret) ""
- set ctx(region) ""
- # Collect and process in CLIENT_DATA
- set buf "\n"
- TCP::collect
-}
-
-when CLIENT_DATA {
- if {[string length $buf] == 0} { set buf "\n" }
- append buf [TCP::payload]
-
- TCP::payload replace 0 [TCP::payload length] ""
- TCP::collect
- # Note: do NOT call TCP::release here, because that will reset
- # the TCP connection since we don't have a pool. If we just
- # keep calling TCP:::collect we can go on indefinitely
- while {[set dex [string first "\n" $buf]] >= 0 } {
- if {[set d2x [string first "\n" $buf [expr {$dex + 1}]]] < 0} {
- #unsure buf contains a complete message yet
- break
- }
- # Open HSL connection since we have a msg to send
- set hslpool [HSL::open -proto TCP -pool ""]
- #pull first complete msg from buf
- set rawmsg [string range $buf [expr {$dex +1 }] [expr {$d2x - 1}]]
- # remove this msg from buf
- set buf [string range $buf [expr {$d2x +1 }] end]
-
- set final_msg [call format_msg $rawmsg]
- set date
- # Handle Auth Token
- set auth_token [call configure_auth $final_msg $ctx(key) $ctx(secret) $date $ctx(host) $ctx(region)]
- # Compile full HTTP Post
- set fullPOST ""
-
- call logger "Full HTTP Post: $fullPOST" 0
- # Send message to Send VS
- catch {HSL::send $hslpool $fullPOST}
- }
- # any trailing partial message stays in buffer until next packet
- # arrives or incoming TCP connection is closed
-}
-
-when CLIENT_CLOSED {
- # deal with final message in buffer
- if {[set dex [string first "\n" $buf]] >= 1} {
- # Open HSL connection since we have a msg to send
- set hslpool [HSL::open -proto TCP -pool ""]
-
- set final_msg [call format_msg $buf]
- # Handle Auth
- set auth_token [call configure_auth $final_msg $ctx(key) $ctx(secret) $date $ctx(host) $ctx(region)]
- # Compile full HTTP Post
- set date [clock format [clock seconds] -format "%a, %d %b %Y %H:%M:%S GMT"]
- set fullPOST ""
-
- call logger "Full HTTP Post: $fullPOST" 0
- # Send message to Send VS
- catch {HSL::send $hslpool $fullPOST}
- }
-}
- }
-
- ######## Send iRule ########
- set send_ir {
-when HTTP_REQUEST {
- call ::logger "Request: [HTTP::uri]" 1
- foreach header [HTTP::header names] {
- call ::logger "Header $header: [HTTP::header value $header]" 0
- }
-}
-when HTTP_RESPONSE {
- set status [HTTP::status]
- set content_length [HTTP::header Content-Length]
- if { $content_length > 0 }{
- HTTP::collect $content_length
- }
- call ::logger "Response: $status" 1
- foreach header [HTTP::header names] {
- call ::logger "Header $header: [HTTP::header value $header]" 0
- }
-}
-when HTTP_RESPONSE_DATA {
- set payload [HTTP::payload]
- HTTP::respond $status content $payload
- call ::logger "Payload Data $content_length: $payload" 0
-
-}
- }
- ######## End iRules Declaration ########
-
- set app $tmsh::app_name
- set dynamic_mgmt_port [tmsh::get_field_value [lindex [tmsh::get_config "sys httpd ssl-port"] 0] "ssl-port"]
- set is_v13_0 [iapp::tmos_version >= 13.0]
- set path [tmsh::pwd]
-
-
- # Keys: $analytics_solution
- array set key_arr {
- azure_oms { $::analytics_config__shared_key }
- aws_cw { $::analytics_config__access_key }
- * { not_required }
- }
- array set secret_arr {
- azure_oms { not_required }
- aws_cw { $::analytics_config__secret_key }
- * { not_required }
- }
-
- # Generic Variables
- set analytics_solution [expr { [info exists ::analytics_config__analytics_solution] ? "$::analytics_config__analytics_solution" : "azure_oms" }]
- set fqdn_suffix [expr { [iapp::is ::basic__advanced yes] && [iapp::is ::analytics_config__azure_env azureusgov] ? "us" : "com" }]
- set asm_log_choice [expr { [info exists ::logging_config__asm_log_choice] && [iapp::is ::logging_config__asm_log_choice yes] }]
- set dos_logs [expr { $asm_log_choice && [info exists ::logging_config__dos_logs] && [iapp::is ::logging_config__dos_logs yes] }]
- set apm_log_choice [expr { [info exists ::logging_config__apm_log_choice] && [iapp::is ::logging_config__apm_log_choice yes] }]
- set afm_log_choice [expr { [info exists ::logging_config__afm_log_choice] && [iapp::is ::logging_config__afm_log_choice yes] }]
- set ltm_req_log_choice [expr { [info exists ::logging_config__ltm_req_log_choice] && [iapp::is ::logging_config__ltm_req_log_choice yes] }]
- set mgmt_hostname [expr { [iapp::is ::internal_config__hostname custom] ? "$::internal_config__mgmt_hostname" : {$static::tcl_platform(machine)} }]
- set mgmt_port [expr { [iapp::is ::internal_config__port custom] ? "$::internal_config__mgmt_port" : "$dynamic_mgmt_port" }]
- set key [iapp::substa key_arr($analytics_solution)]
- set secret [iapp::substa secret_arr($analytics_solution)]
- set format_vs_port [expr { [iapp::is ::basic__advanced yes] && [info exists ::internal_config__format_vs_port] ? $::internal_config__format_vs_port : "1001" }]
- set send_vs_port [expr { [iapp::is ::basic__advanced yes] && [info exists ::internal_config__send_vs_port] ? $::internal_config__send_vs_port : "41001" }]
- set log_level [expr { [iapp::is ::basic__advanced yes] && [info exists ::internal_config__irule_log_level] ? "$::internal_config__irule_log_level" : "2" }]
- set remediation_link [expr { $is_v13_0 ? {${mgmt_hostname}:${mgmt_port}/dms/policy/requests_ng.php?popup\=1&supportId\=${supportid}} : {${mgmt_hostname}:${mgmt_port}/dms/policy/win_open_proxy_request.php?id\=&support_id\=${supportid}} }]
- # Azure OMS Variables
- set workspace [expr { [info exists ::analytics_config__workspace] ? "$::analytics_config__workspace" : "not_required" }]
- set log_type [expr { [info exists ::analytics_config__log_type] ? "$::analytics_config__log_type" : "F5CustomLogs" }]
- # AWS CloudWatch Variables
- set aws_region [expr { [info exists ::analytics_config__aws_region] ? "$::analytics_config__aws_region" : "not_required" }]
- set log_group_name [expr { [info exists ::analytics_config__log_group_name] ? "$::analytics_config__log_group_name" : "ASMLogs" }]
- set log_stream_name [expr { [info exists ::analytics_config__log_stream_name] ? "$::analytics_config__log_stream_name" : "ASMStream01" }]
-
- # create SSL cert for logging virtual server SSL
- catch { tmsh_exe "create sys crypto key ${app}_send_vs_cert gen-certificate common-name Cloud_Analytics_Logging country US lifetime 3650" }
-
- ## Account for uniqueness in the iRule(s) based on which analytics solution it is using
- # Keys: $analytics_solution
- array set host_arr {
- azure_oms { ${workspace}.ods.opinsights.azure.${fqdn_suffix} }
- aws_cw { logs.${aws_region}.amazonaws.com }
- * { not_required }
- }
- # Keys: $analytics_solution
- array set path_arr {
- azure_oms {/api/logs?api-version=2016-04-01}
- aws_cw {/}
- * {/}
- }
- # Keys: $analytics_solution
- array set post_arr {
- azure_oms {POST ${ctx(full_path)} HTTP/1.1\nHost: ${ctx(host)}\nContent-Length: [string length $final_msg]\nContent-Type: application/json\nx-ms-date: $date\nLog-Type: ${ctx(log_type)}\nAuthorization: SharedKey ${ctx(customer_id)}:$auth_token\n\n${final_msg}}
- aws_cw {POST ${ctx(full_path)} HTTP/1.1\nHost: ${ctx(host)}\nConnection: keep-alive\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-amz-json-1.1\nAuthorization: ${auth_token}\nX-Amz-Date: $date\nX-Amz-Target: Logs_20140328.PutLogEvents\nContent-Length: [string length $final_msg]\n\n${final_msg}}
- * {POST /}
- }
- # Keys: $analytics_solution
- array set extra_fmt_arr {
- aws_cw {set epoch_date [expr [clock seconds] * 1000]
- set log_group_name ""
- set log_stream_name ""
- # Account for this being JSON inside of JSON
- regsub -all "\"" $final_msg "\\\"" final_msg
- regsub -all "\\n" $final_msg "" final_msg
- regsub -all "\\r" $final_msg "" final_msg
- ## Handle Sequence Token
- # Check if token is available before using
- set seq_token ""
- set t 50
- #call logger "Seq Token Status: [table lookup seq_token_status]" 0
- for {set i 0} { $i < $t } {incr i} {
- if { [table lookup seq_token_status] == "busy" } {
- # Keep trying after delay
- after 10
- } else {
- # Sequence token is available, grab it and break from loop
- table set seq_token_status "busy"
- set seq_token [table lookup seq_token]
- break
- }
- }
- if { $seq_token equals "" } {
- set seq_token null
- } else {
- set seq_token \"$seq_token\"
- }
- set final_msg "\{\"sequenceToken\":${seq_token},\"logGroupName\":\"${log_group_name}\",\"logStreamName\":\"${log_stream_name}\",\"logEvents\":\[\{\"timestamp\":${epoch_date},\"message\":\"${final_msg}\"\}\]\}"}
- azure_oms {# Return final_msg
- }
- * {# Return final_msg
- }
- }
- # Keys: $analytics_solution
- array set auth_proc_arr {
- azure_oms {set str_to_sign "POST\n[string length $final_msg]\napplication/json\nx-ms-date:$date\n/api/logs"
- set decoded_key [b64decode $key]
- set token [CRYPTO::sign -alg hmac-sha256 -key $decoded_key $str_to_sign]
- set signed_string [b64encode ${token}]}
- aws_cw {set date_stamp [clock format [clock seconds] -format "%Y%m%d"]
- set signed_headers "content-type;host;x-amz-date;x-amz-target"
- set req_headers "content-type:application/x-amz-json-1.1\nhost:${host}\nx-amz-date:${date}\nx-amz-target:Logs_20140328.PutLogEvents\n"
- binary scan [CRYPTO::hash -alg sha256 $final_msg] H* payload_hash
- set request "POST\n/\n\n${req_headers}\n${signed_headers}\n${payload_hash}"
- set algorithm "AWS4-HMAC-SHA256"
- set service "logs"
- set cred_scope "${date_stamp}/${region}/${service}/aws4_request"
- binary scan [CRYPTO::hash -alg sha256 $request] H* request_hash
- set str_to_sign "${algorithm}\n${date}\n${cred_scope}\n${request_hash}"
-
- set kDate [CRYPTO::sign -alg hmac-sha256 -key AWS4${secret} $date_stamp]
- set kRegion [CRYPTO::sign -alg hmac-sha256 -key $kDate $region]
- set kService [CRYPTO::sign -alg hmac-sha256 -key $kRegion $service]
- set kSigning [CRYPTO::sign -alg hmac-sha256 -key $kService aws4_request]
- binary scan [CRYPTO::sign -alg hmac-sha256 -key $kSigning $str_to_sign] H* auth_token
- set signed_string "${algorithm} Credential=${key}/${cred_scope}, SignedHeaders=${signed_headers}, Signature=${auth_token}"}
- * {set signed_string ""}
- }
- # Keys: $analytics_solution
- array set seq_table_arr {
- azure_oms {# Event end
- }
- aws_cw {
- # Handle AWS Sequence Token
- if {[set seq_token_loc [string first \"nextSequenceToken\":\" $payload]] >= 0}{
- set seq_token [string range $payload [expr $seq_token_loc + 21] [expr [string first \" $payload [expr $seq_token_loc + 21]] -1]]
- } elseif {[set seq_token_loc [string first \"expectedSequenceToken\":\" $payload]] >= 0}{
- set seq_token [string range $payload [expr $seq_token_loc + 25] [expr [string first \",\" $payload $seq_token_loc] -1]]
- } else {
- set seq_token ""
- }
- table set seq_token $seq_token indefinite
- table set seq_token_status "free"
- }
- * {# Event end
- }
- }
- # Keys: $analytics_solution
- array set date_arr {
- azure_oms {[clock format [clock seconds] -format "%a, %d %b %Y %H:%M:%S GMT"]}
- aws_cw {[clock format [clock seconds] -format "%Y%m%dT%H%M%SZ"]}
- * {[clock format [clock seconds] -format "%a, %d %b %Y %H:%M:%S GMT"]}
- }
-
- ## Create iRules
- set map " $mgmt_hostname
- $mgmt_port
- ${app}_send_vs_pool
- [iapp::substa host_arr($analytics_solution)]
- \{$path_arr($analytics_solution)\}
- \{$post_arr($analytics_solution)\}
- $workspace
- $key
- $secret
- $log_type
- $log_level
- ${app}_format_ir
- \{$extra_fmt_arr($analytics_solution)\}
- \{$date_arr($analytics_solution)\}
- $aws_region
- \{$auth_proc_arr($analytics_solution)\}
- \{$seq_table_arr($analytics_solution)\}
- $log_group_name
- $log_stream_name
- \{$remediation_link\}
- "
-
- set extra_map " $log_group_name
- $log_stream_name
- "
- iapp::conf create ltm rule ${app}_format_ir \{ [string map $extra_map [string map $map $format_ir]] \}
- iapp::conf create ltm rule ${app}_send_ir \{ [string map $extra_map [string map $map $send_ir]] \}
-
- # TCP profile with a short idle time-out to force the last event message out of the Format VS iRule buffer
- iapp::conf create ltm profile tcp ${app}_logging_tcp \{ defaults-from tcp idle-timeout 15 \}
- # Create Server SSL profile for Send VS
- iapp::conf create ltm profile server-ssl ${app}_send_sssl \{ cert ${app}_send_vs_cert.crt defaults-from serverssl-insecure-compatible key ${app}_send_vs_cert.key \}
-
- # Point to send iRule virtual server via this pool
- iapp::conf create ltm pool ${app}_send_vs_pool \{ members replace-all-with \{ 255.255.255.254:${send_vs_port} \{ address 255.255.255.254 \} \} monitor tcp \}
- # create analytics solution pool
- # Keys: $analytics_solution
- array set pool_arr {
- azure_oms { [iapp::conf create ltm pool ${app}_logging_offbox \{ members replace-all-with \{ [format_poolmembers [string map {" " ""} [iapp::substa host_arr($analytics_solution)]:443]] \} monitor tcp \}] }
- aws_cw { [iapp::conf create ltm pool ${app}_logging_offbox \{ members replace-all-with \{ [format_poolmembers [string map {" " ""} [iapp::substa host_arr($analytics_solution)]:443]] \} monitor tcp \}] }
- * {}
- }
-
- # Create Format and Send VS
- iapp::conf create ltm virtual ${app}_format_vs \{ destination 255.255.255.254:${format_vs_port} ip-protocol tcp mask 255.255.255.255 source 0.0.0.0/0 profiles replace-all-with \{ ${app}_logging_tcp \} rules \{${app}_format_ir \}\}
- iapp::conf create ltm virtual ${app}_send_vs \{ destination 255.255.255.254:${send_vs_port} ip-protocol tcp mask 255.255.255.255 pool [iapp::substa pool_arr($analytics_solution)] profiles replace-all-with \{ http \{\} oneconnect \{\} ${app}_send_sssl \{ context serverside \} tcp \{ \} \} source 0.0.0.0/0 source-address-translation \{ type automap \} rules \{ ${app}_send_ir \}\}
-
-
- # Logging publisher(s) and pool(s) required for some log sources
- if { $dos_logs || $apm_log_choice || $ltm_req_log_choice || $afm_log_choice } {
- iapp::conf create ltm pool ${app}_format_pool \{ members replace-all-with \{ 255.255.255.254:${format_vs_port} \{ address 255.255.255.254 \} \} monitor tcp \}
-
- iapp::conf create sys log-config destination remote-high-speed-log ${path}/${app}_dest_logger \{ pool-name ${path}/${app}_format_pool \}
- iapp::conf create sys log-config destination splunk ${path}/${app}_fmt_logger \{ forward-to ${path}/${app}_dest_logger \}
- iapp::conf create sys log-config publisher /Common/${app}_publisher \{ destinations replace-all-with \{ ${path}/${app}_fmt_logger \{ \} \} \}
- }
-
- ## ASM/AFM can share the same remote logging profile, as such simply check what was selected
- ## in the iApp and append to a single security logging profile.
- # ASM logging profile
- # Keys: $::logging_config__asm_log_level
- array set asm_log_req_arr {
- log_illegal { illegal }
- log_illegal_plus_staged { illegal-including-staged-signatures }
- log_all { all }
- }
- # Keys: $asm_log_choice
- array set asm_log_arr {
- 1 { application replace-all-with \{ ${app}_remote_logging \{ local-storage disabled filter replace-all-with \{ protocol \{ values replace-all-with \{ all \} \} request-type \{ values replace-all-with \{ [iapp::substa asm_log_req_arr($::logging_config__asm_log_level)] \} \} search-all \{ \} \} maximum-entry-length 10k remote-storage splunk servers replace-all-with \{ 255.255.255.254:${format_vs_port} \{ \} \} \} \} }
- * { }
- }
- # Keys: $dos_logs
- array set dos_log_arr {
- 1 { dos-application replace-all-with \{ ${app}_remote_l7dos_logging \{ local-publisher none remote-publisher /Common/${app}_publisher \} \} }
- * { }
- }
- # AFM logging profile
- # Keys: $afm_log_choice
- array set afm_log_arr {
- 1 { network replace-all-with \{ ${app}_remote_logging \{ publisher /Common/${app}_publisher filter \{ log-acl-match-drop [expr {[lsearch $::logging_config__afm_log_level "match_drop"] != -1 ? "enabled" : "disabled" }] log-acl-match-reject [expr {[lsearch $::logging_config__afm_log_level "match_reject"] != -1 ? "enabled" : "disabled" }] log-acl-match-accept [expr {[lsearch $::logging_config__afm_log_level "match_accept"] != -1 ? "enabled" : "disabled" }] \} \} \} }
- * { }
- }
-
- # Create Security (ASM/AFM) logging profile
- if { $asm_log_choice || $afm_log_choice } {
- iapp::conf create security log profile ${app}_remote_logging [iapp::substa asm_log_arr($asm_log_choice)] [iapp::substa dos_log_arr($dos_logs)] [iapp::substa dos_log_arr($dos_logs)] [iapp::substa afm_log_arr($afm_log_choice)]
- }
- # Create APM logging profile
- if { $apm_log_choice } {
- set apm_lg_lvl $::logging_config__apm_log_level
- # Add some additional logging options available in v13.x and above
- if { $is_v13_0 } {
- set apm_opt_items "endpoint-management-system $apm_lg_lvl paa $apm_lg_lvl vdi $apm_lg_lvl"
- } else {
- set apm_opt_items ""
- }
- iapp::conf create apm log-setting ${app}_remote_logging access replace-all-with \{ access \{ log-level \{ access-control $apm_lg_lvl access-per-request $apm_lg_lvl apm-acl $apm_lg_lvl eca $apm_lg_lvl oauth $apm_lg_lvl sso $apm_lg_lvl swg $apm_lg_lvl $apm_opt_items \} publisher /Common/${app}_publisher \} \} url-filters replace-all-with \{ urlf \{ filter \{ log-allowed-url false log-blocked-url true log-confimed-url true \} publisher /Common/${app}_publisher \} \}
- }
- # Create LTM request logging profile
- if { $ltm_req_log_choice } {
- # Format what is sent as key/value pairs in the same format as "Splunk" on the BIG-IP is sent
- # that way it will be processed in the same manner
- # The list of request logging parameters are available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/3.html
- set ltm_req_log_template [format_req_logging $::logging_config__ltm_req_log_options]
- iapp::conf create ltm profile request-log ${app}_remote_logging defaults-from request-log request-log-pool ${path}/${app}_format_pool request-log-protocol mds-tcp request-log-template $ltm_req_log_template request-logging enabled
- }
-
- iapp::template stop
- }
- macro {
- }
- presentation {
- include "/Common/f5.apl_common"
-section intro {
- # APL choice values may be set even if the optional
- # clause is not true. This trick is useful for setting
- # values that APL otherwise would not have access to.
- # Here, system provisioning values are recalled, and later
- # used to customize messages displayed within the template.
- optional ( "HIDE" == "THIS" ) {
- choice asm_provisioned tcl {
- return [expr {[iapp::get_provisioned asm] ? "yes" : "no"}]
- }
- choice apm_provisioned tcl {
- return [expr {[iapp::get_provisioned apm] ? "yes" : "no"}]
- }
- choice afm_provisioned tcl {
- return [expr {[iapp::get_provisioned afm] ? "yes" : "no"}]
- }
- choice is_admin tcl {
- return [expr { [iapp::get_user -is_admin] ? "yes" : "no"}]
- }
- choice is_v13_0 tcl {
- return [expr {[iapp::tmos_version >= 13.0] ? "yes" : "no"}]
- }
- }
- message hello "This iApp will configure logging for BIG-IP modules to be sent to a specific set of cloud analytics solutions. The solution will create logging profiles which can be attached to the appropriate objects (VS, APM policy, etc.) required which will result in logs being sent to the selected cloud analaytics solution. Note: Please be aware that this may (depending on level of logging required) affect performance of the BIG-IP as a result of the processing happening to construct and send the log messages over HTTP to the cloud analytics solution."
- }
-section basic {
- choice advanced display "xxlarge" default "no" {
- "Basic - Use F5's recommended settings" => "no" ,
- "Advanced - Configure advanced options" => "yes"
- }
- choice help display "xxlarge" default "hide" {
- "Yes, show inline help" => "show" ,
- "No, do not show inline help" => "hide"
- }
- optional ( help == "show" ) {
- message help_max "Inline help is available to provide contextual descriptions to aid in the completion of this configuration. Select to show or hide the inline help in this template. Important notes and warnings are always visible, no matter which selection you make here. "
- }
-}
-section analytics_config {
- choice analytics_solution display "xlarge" default "azure_oms" {
- "Azure (OMS)" => "azure_oms" ,
- "AWS (CloudWatch)" => "aws_cw"
- }
- optional ( analytics_solution == "azure_oms" ) {
- optional ( basic.advanced == "yes" ) {
- choice azure_env display "xlarge" default "azure" {
- "Azure" => "azure",
- "Azure US Government" => "azureusgov"
- }
- optional ( basic.help == "show" ) {
- message azure_env_help "Select which Azure environment you are deploying into."
- }
- }
- string workspace display "xxlarge" required
- optional ( basic.help == "show" ) {
- message workspace_help "Enter the Azure OMS workspace ID."
- }
- password shared_key display "xxlarge" required
- optional ( basic.help == "show" ) {
- message shared_key_help "Enter the primary or secondary shared key for the OMS workspace."
- }
- string log_type display "large" default "F5CustomLog" required
- message log_type_value_help "The log type cannot contain special characters or numeric characters."
- optional ( basic.help == "show" ) {
- message log_type_help "The log type inputted here is used as the log type when submitting to Azure OMS, you can then search for logs based on the log type name plus '_CL', for example: F5CustomLog_CL"
- }
- }
- optional ( analytics_solution == "aws_cw" ) {
- choice aws_region display "large" default "us-west-1" {"us-west-1", "us-west-2", "us-east-1", "us-east-2", "ca-central-1", "ap-south-1", "ap-northeast-1", "ap-northeast-2", "ap-southeast-1", "ap-southeast-2", "eu-central-1", "eu-west-1", "eu-west-2", "sa-east-1"}
- optional ( basic.help == "show" ) {
- message aws_region_help "Select the AWS CloudWatch region to log to."
- }
- string log_group_name display "xlarge" required
- string log_stream_name display "xlarge" required
- string access_key display "xxlarge" required
- password secret_key display "xxlarge" required
- }
-}
-section logging_config {
- optional ( intro.asm_provisioned == "yes" ) {
- choice asm_log_choice display "xlarge" default "yes" {
- "Enable ASM logging" => "yes" ,
- "Don't enable ASM logging" => "no"
- }
- optional ( basic.help == "show" ) {
- message asm_log_choice_help "Select whether you would like to enable ASM logging, you will need to attach the Security log profile created by this iApp to the virtual servers required (Security Tab)."
- }
- optional ( asm_log_choice == "yes" ) {
- choice asm_log_level display "xlarge" default "log_illegal" {
- "Log illegal requests only (recommended)" => "log_illegal",
- "Log illegal requests and staged signatures" => "log_illegal_plus_staged",
- "Log all requests (verbose)" => "log_all"
- }
- optional ( basic.help == "show" ) {
- message asm_log_level_help "Select what level of ASM logging you prefer, logging illegal requests only will result in the least number of log messages."
- }
- choice dos_logs display "xlarge" default "yes" {
- "Include DOS protection logging" => "yes",
- "Don't include DOS protection logging" => "no"
- }
- optional ( basic.help == "show" ) {
- message dos_logs_help "Select whether you would like to include DOS logging within the ASM logging profile."
- }
- }
- }
- optional ( intro.apm_provisioned == "yes" ) {
- choice apm_log_choice display "xlarge" default "yes" {
- "Enable APM logging" => "yes" ,
- "Don't enable APM logging" => "no"
- }
- optional ( basic.help == "show" ) {
- message apm_log_choice_help "Select whether you would like to enable APM logging, you will need to attach the APM log profile created by this iApp to the required APM policies."
- }
- optional ( apm_log_choice == "yes" ) {
- choice apm_log_level display "xlarge" default "crit" {
- "Emergency" => "emerg",
- "Alert" => "alert",
- "Critical" => "crit",
- "Error" => "err",
- "Warning" => "warn",
- "Notice" => "notice",
- "Informational" => "info",
- "Debug" => "debug"
- }
- optional ( basic.help == "show" ) {
- message apm_log_level_help "Select what level of APM logging you prefer, this will be applied to all policy options in the APM logging profile. Note: Choosing a higher criticality level will result in fewer log messages."
- }
- }
- }
- optional ( intro.afm_provisioned == "yes" ) {
- choice afm_log_choice display "xlarge" default "yes" {
- "Enable AFM logging" => "yes" ,
- "Don't enable AFM logging" => "no"
- }
- optional ( basic.help == "show" ) {
- message afm_log_choice_help "Select whether you would like to enable AFM logging, you will need to attach the Security log profile created by this iApp to the virtual servers required (Security Tab)."
- }
- optional ( afm_log_choice == "yes" ) {
- multichoice afm_log_level display "xlarge" default { "match_drop", "match_reject" } {
- "Dropped Connections" => "match_drop",
- "Rejected Connections" => "match_reject",
- "Accepted Connections" => "match_accept"
- }
- optional ( basic.help == "show" ) {
- message afm_log_level_help "Select what level of AFM logging you prefer, logging dropped and rejected requests only is recommended and will result in the least number of log messages."
- }
- }
- }
- choice ltm_req_log_choice display "xlarge" default "no" {
- "Enable LTM request logging" => "yes" ,
- "Don't enable LTM request logging" => "no"
- }
- optional ( basic.help == "show" ) {
- message ltm_req_log_choice_help "Select whether you would like to enable LTM request logging, you will need to attach the LTM request log profile created by this iApp to the virtual servers desired."
- }
- optional ( ltm_req_log_choice == "yes" ) {
- multichoice ltm_req_log_options display "xlarge" default { "CLIENT_IP", "SERVER_IP", "HTTP_METHOD", "HTTP_URI", "VIRTUAL_NAME" } {
- "CLIENT_IP" => "CLIENT_IP",
- "CLIENT_PORT" => "CLIENT_PORT",
- "SERVER_IP" => "SERVER_IP",
- "HTTP_METHOD" => "HTTP_METHOD",
- "HTTP_URI" => "HTTP_URI",
- "HTTP_QUERY" => "HTTP_QUERY",
- "HTTP_VERSION" => "HTTP_VERSION",
- "VIRTUAL_IP" => "VIRTUAL_IP",
- "VIRTUAL_PORT" => "VIRTUAL_PORT",
- "VIRTUAL_NAME" => "VIRTUAL_NAME",
- "VIRTUAL_POOL_NAME" => "VIRTUAL_POOL_NAME"
- }
- optional ( basic.help == "show" ) {
- message ltm_req_log_options_help "Select which request parameters to send in the log message. The complete list and descriptions can be found here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/3.html"
- }
- }
-}
-section internal_config {
- choice hostname display "xxlarge" default "yes" {
- "Use dynamic BIG-IP management hostname" => "yes" ,
- "Use custom BIG-IP management hostname" => "custom"
- }
- optional ( hostname == "custom" ) {
- string mgmt_hostname display "xxlarge" default "bigip.f5.com" required
- }
- choice port display "xxlarge" default "yes" {
- "Use dynamic BIG-IP management port" => "yes" ,
- "Use custom BIG-IP management port" => "custom"
- }
- optional ( port == "custom" ) {
- string mgmt_port display "small" validator "PortNumber" default "443" required
- }
- optional ( basic.advanced == "yes" ) {
- string format_vs_port display "small" validator "PortNumber" default "1001" required
- string send_vs_port display "small" validator "PortNumber" default "41001" required
- choice irule_log_level display "xlarge" default "2" {
- "Log debug messages" => "0" ,
- "Log info messages" => "1" ,
- "Log only errors" => "2"
- }
- }
-}
-text {
- intro "F5 cloud logging and analytics solution"
- intro.hello "Introduction"
-
- basic "Template Options"
- basic.advanced "Which configuration mode do you want to use?"
- basic.help "Do you want to see inline help?"
- basic.help_max "Help"
-
- analytics_config "Analytics Provider"
- analytics_config.analytics_solution "Which analytics solution are you using?"
- analytics_config.azure_env "Which Azure environment are you deploying into?"
- analytics_config.azure_env_help "Note:"
- analytics_config.workspace "What is the Azure OMS workspace ID?"
- analytics_config.workspace_help "Note:"
- analytics_config.shared_key "What is the shared access key (primary or secondary) for the Azure OMS workspace?"
- analytics_config.shared_key_help "Note:"
- analytics_config.log_type "What would you like the log type to be called?"
- analytics_config.log_type_value_help "Note:"
- analytics_config.log_type_help "Note:"
- analytics_config.aws_region "Which AWS region of the CloudWatch Logs provider would you like to send logs?"
- analytics_config.aws_region_help "Note:"
- analytics_config.log_group_name "What is the AWS CloudWatch Logs group name?"
- analytics_config.log_stream_name "What is the AWS CloudWatch Logs group's stream name?"
- analytics_config.access_key "What is the access key you would like to use for the API calls?"
- analytics_config.secret_key "What is the secret key you would like to use for the API calls?"
-
- logging_config "Log Selection"
- logging_config.asm_log_choice "Would you like to enable ASM logging?"
- logging_config.asm_log_choice_help "Note:"
- logging_config.asm_log_level "What ASM requests would you like to log?"
- logging_config.asm_log_level_help "Note:"
- logging_config.dos_logs "Would you like to include ASM DOS logging?"
- logging_config.dos_logs_help "Note:"
- logging_config.apm_log_choice "Would you like to enable APM logging?"
- logging_config.apm_log_choice_help "Note:"
- logging_config.apm_log_level "What level of APM logging do you prefer?"
- logging_config.apm_log_level_help "Note:"
- logging_config.afm_log_choice "Would you like to enable AFM logging?"
- logging_config.afm_log_choice_help "Note:"
- logging_config.afm_log_level "What AFM requests would you like to log?"
- logging_config.afm_log_level_help "Note:"
- logging_config.ltm_req_log_choice "Would you like to enable LTM Request logging?"
- logging_config.ltm_req_log_choice_help "Note:"
- logging_config.ltm_req_log_options "What Request parameters would you like to send in the log?"
- logging_config.ltm_req_log_options_help "Note:"
-
- internal_config "Solution Configuration"
- internal_config.hostname "Would you like to use the dynamic BIG-IP managment hostname?"
- internal_config.mgmt_hostname "What is the mgmt FQDN or IP you would like to use?"
- internal_config.port "Would you like to use the dynamic BIG-IP managment port?"
- internal_config.mgmt_port "What is the mgmt port you would like to use ?"
- internal_config.format_vs_port "What would you like the format VS port to be?"
- internal_config.send_vs_port "What would you like the send (HTTP Post) VS port to be?"
- internal_config.irule_log_level "What level of internal logging would you like this solution to use (debug/info during testing)?"
-}
- }
- role-acl { admin manager resource-admin }
- run-as none
- }
- }
- description none
- ignore-verification false
- requires-bigip-version-max none
- requires-bigip-version-min 12.1
- requires-modules none
- signing-key none
- tmpl-checksum none
- tmpl-signature none
-}
diff --git a/SACAv1/roles/f5-azure-scca-external-setup/handlers/main.yml b/SACAv1/roles/f5-azure-scca-external-setup/handlers/main.yml
deleted file mode 100644
index 4b9477a..0000000
--- a/SACAv1/roles/f5-azure-scca-external-setup/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# handlers file for f5-azure-scca-external-setup
\ No newline at end of file
diff --git a/SACAv1/roles/f5-azure-scca-external-setup/meta/main.yml b/SACAv1/roles/f5-azure-scca-external-setup/meta/main.yml
deleted file mode 100644
index 7223799..0000000
--- a/SACAv1/roles/f5-azure-scca-external-setup/meta/main.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-galaxy_info:
- author: your name
- description: your description
- company: your company (optional)
-
- # If the issue tracker for your role is not on github, uncomment the
- # next line and provide a value
- # issue_tracker_url: http://example.com/issue/tracker
-
- # Some suggested licenses:
- # - BSD (default)
- # - MIT
- # - GPLv2
- # - GPLv3
- # - Apache
- # - CC-BY
- license: license (GPLv2, CC-BY, etc)
-
- min_ansible_version: 1.2
-
- # If this a Container Enabled role, provide the minimum Ansible Container version.
- # min_ansible_container_version:
-
- # Optionally specify the branch Galaxy will use when accessing the GitHub
- # repo for this role. During role install, if no tags are available,
- # Galaxy will use this branch. During import Galaxy will access files on
- # this branch. If Travis integration is configured, only notifications for this
- # branch will be accepted. Otherwise, in all cases, the repo's default branch
- # (usually master) will be used.
- #github_branch:
-
- #
- # platforms is a list of platforms, and each platform has a name and a list of versions.
- #
- # platforms:
- # - name: Fedora
- # versions:
- # - all
- # - 25
- # - name: SomePlatform
- # versions:
- # - all
- # - 1.0
- # - 7
- # - 99.99
-
- galaxy_tags: []
- # List tags for your role here, one per line. A tag is a keyword that describes
- # and categorizes the role. Users find roles by searching for tags. Be sure to
- # remove the '[]' above, if you add tags to this list.
- #
- # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
- # Maximum 20 tags per role.
-
-dependencies: []
- # List your role dependencies here, one per line. Be sure to remove the '[]' above,
- # if you add dependencies to this list.
\ No newline at end of file
diff --git a/SACAv1/roles/f5-azure-scca-external-setup/tasks/main.yml b/SACAv1/roles/f5-azure-scca-external-setup/tasks/main.yml
deleted file mode 100644
index ea8d326..0000000
--- a/SACAv1/roles/f5-azure-scca-external-setup/tasks/main.yml
+++ /dev/null
@@ -1,152 +0,0 @@
----
-# tasks file for f5-azure-scca-external-setup
-- name: Provision modules
- bigip_provision:
- server: "{{item.server}}"
- user: "{{f5_username}}"
- password: "{{f5_password}}"
- module: "{{item.module}}"
- level: "{{item.level}}"
- with_items:
- "{{setup.modules}}"
-
-- name: Add iApp
- bigip_iapp_template:
- content: "{{ lookup('file','f5.cloud_logger.v1.0.0.tmpl') }}"
- server: "{{item.server}}"
- user: "{{f5_username}}"
- password: "{{f5_password}}"
- state: present
- with_items:
- "{{setup.oms}}"
-
-- name: Add iApp Service
- bigip_iapp_service:
- name: "OMS"
- template: "f5.cloud_logger.v1.0.0"
- parameters: "{{ lookup('template','f5.cloud_logger.params.json') }}"
- server: "{{item.server}}"
- user: "{{f5_username}}"
- password: "{{f5_password}}"
- state: present
- with_items:
- "{{setup.oms}}"
-
-
-- name: Add Routes
- bigip_static_route:
- destination: "{{item.destination}}"
- gateway_address: "{{item.gateway_address}}"
- name: "{{item.name}}"
- server: "{{item.server}}"
- user: "{{f5_username}}"
- password: "{{f5_password}}"
- with_items:
- "{{setup.routes}}"
-
-- name: Add iRules
- bigip_irule:
- content: "{{item.content}}"
- module: "ltm"
- name: "{{item.name}}"
- password: "{{f5_password}}"
- server: "{{item.server}}"
- state: "present"
- user: "{{f5_username}}"
- delegate_to: localhost
- with_items:
- "{{setup.irules}}"
-
-- name: Add Pools
- bigip_pool:
- name: "{{item.name}}"
- server: "{{item.server}}"
- user: "{{f5_username}}"
- password: "{{f5_password}}"
- with_items:
- "{{setup.pools}}"
-
-- name: Add Pool Members
- bigip_pool_member:
- name: "{{item.name}}"
- server: "{{item.server}}"
- user: "{{f5_username}}"
- password: "{{f5_password}}"
- pool: "{{item.pool}}"
- host: "{{item.host}}"
- port: "{{item.port}}"
- name: "{{item.name}}"
- with_items:
- "{{setup.pool_members}}"
-
-- name: Check commands
- bigip_command:
- server: "{{item.server}}"
- user: "{{f5_username}}"
- password: "{{f5_password}}"
- commands:
- - "{{item.check}}"
- with_items:
- "{{setup.commands}}"
- register: result
-- name: Run commands
- bigip_command:
- server: "{{item.item.server}}"
- user: "{{f5_username}}"
- password: "{{f5_password}}"
- commands:
- - "{{item.item.command}}"
- with_items:
- "{{result.results}}"
- when:
- - '"was not found" in item.stdout|first'
-
-
-- name: Check virtuals
- bigip_command:
- server: "{{item.server}}"
- user: "{{f5_username}}"
- password: "{{f5_password}}"
- commands:
- - tmsh show ltm virtual {{item.name}}
- with_items:
- "{{setup.virtuals}}"
- register: result
-
-- name: Create Virtuals
- bigip_command:
- server: "{{item.item.server}}"
- user: "{{f5_username}}"
- password: "{{f5_password}}"
- commands:
- - tmsh {{item.item.command}}
- with_items:
- "{{result.results}}"
- when:
- - '"was not found" in item.stdout|first'
-
-- name: Check Route tags f5_ha
- command: az network route-table show --resource-group "{{item.resource_group}}" --name "{{item.name}}" --query tags.f5_ha
- with_items:
- "{{setup.route_tables}}"
- register: result
-
-- name: Update Route tags f5_ha
- command: az network route-table update --resource-group "{{item.item.resource_group}}" --name "{{item.item.name}}" --set tags.f5_ha={{item.item.f5_ha}}
- with_items:
- "{{result.results}}"
- when:
- - 'item.item.f5_ha != item.stdout[1:-1]'
-
-- name: Check Route tags f5_tg
- command: az network route-table show --resource-group "{{item.resource_group}}" --name "{{item.name}}" --query tags.f5_tg
- with_items:
- "{{setup.route_tables}}"
- register: result
-
-- name: Update Route tags f5_tg
- command: az network route-table update --resource-group "{{item.item.resource_group}}" --name "{{item.item.name}}" --set tags.f5_tg={{item.item.f5_tg}}
- with_items:
- "{{result.results}}"
- when:
- - 'item.item.f5_tg != item.stdout[1:-1]'
diff --git a/SACAv1/roles/f5-azure-scca-external-setup/templates/f5.cloud_logger.params.json b/SACAv1/roles/f5-azure-scca-external-setup/templates/f5.cloud_logger.params.json
deleted file mode 100644
index 4afdfc9..0000000
--- a/SACAv1/roles/f5-azure-scca-external-setup/templates/f5.cloud_logger.params.json
+++ /dev/null
@@ -1,93 +0,0 @@
-{
- "kind": "tm:sys:application:service:servicestate",
- "name": "OMS",
- "partition": "Common",
- "inheritedDevicegroup": "true",
- "inheritedTrafficGroup": "true",
- "strictUpdates": "enabled",
- "template": "/Common/f5.cloud_logger.v1.0.0",
- "trafficGroup": "none",
- "lists": [
- {
- "name": "logging_config__afm_log_level",
- "encrypted": "no",
- "value": [
- "match_drop",
- "match_reject",
- "match_accept"
- ]
- }
- ],
- "variables": [
- {
- "name": "analytics_config__analytics_solution",
- "encrypted": "no",
- "value": "azure_oms"
- },
- {
- "name": "analytics_config__azure_env",
- "encrypted": "no",
- "value": "azureusgov"
- },
- {
- "name": "analytics_config__log_type",
- "encrypted": "no",
- "value": "F5CustomLog"
- },
- {
- "name": "analytics_config__shared_key",
- "encrypted": "yes",
- "value": "{{item.key}}"
- },
- {
- "name": "analytics_config__workspace",
- "encrypted": "no",
- "value": "{{item.customer_id}}"
- },
- {
- "name": "basic__advanced",
- "encrypted": "no",
- "value": "yes"
- },
- {
- "name": "basic__help",
- "encrypted": "no",
- "value": "show"
- },
- {
- "name": "internal_config__format_vs_port",
- "encrypted": "no",
- "value": "1001"
- },
- {
- "name": "internal_config__hostname",
- "encrypted": "no",
- "value": "yes"
- },
- {
- "name": "internal_config__irule_log_level",
- "encrypted": "no",
- "value": "2"
- },
- {
- "name": "internal_config__port",
- "encrypted": "no",
- "value": "yes"
- },
- {
- "name": "internal_config__send_vs_port",
- "encrypted": "no",
- "value": "41001"
- },
- {
- "name": "logging_config__afm_log_choice",
- "encrypted": "no",
- "value": "yes"
- },
- {
- "name": "logging_config__ltm_req_log_choice",
- "encrypted": "no",
- "value": "no"
- }
- ]
-}
diff --git a/SACAv1/roles/f5-azure-scca-external-setup/tests/inventory b/SACAv1/roles/f5-azure-scca-external-setup/tests/inventory
deleted file mode 100644
index 878877b..0000000
--- a/SACAv1/roles/f5-azure-scca-external-setup/tests/inventory
+++ /dev/null
@@ -1,2 +0,0 @@
-localhost
-
diff --git a/SACAv1/roles/f5-azure-scca-external-setup/tests/test.yml b/SACAv1/roles/f5-azure-scca-external-setup/tests/test.yml
deleted file mode 100644
index d0792bf..0000000
--- a/SACAv1/roles/f5-azure-scca-external-setup/tests/test.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- hosts: localhost
- remote_user: root
- roles:
- - f5-azure-scca-external-setup
\ No newline at end of file
diff --git a/SACAv1/roles/f5-azure-scca-external-setup/vars/main.yml b/SACAv1/roles/f5-azure-scca-external-setup/vars/main.yml
deleted file mode 100644
index 06310ef..0000000
--- a/SACAv1/roles/f5-azure-scca-external-setup/vars/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-# vars file for f5-azure-scca-external-setup
-resource_group: "{{ansible_env.AZURE_RESOURCE_GROUP}}_F5_External"
-location: "{{ansible_env.location}}"
-f5_username: "{{ansible_env.f5_username}}"
-f5_password: "{{ansible_env.f5_password}}"
diff --git a/SACAv1/roles/f5-azure-scca-external/README.md b/SACAv1/roles/f5-azure-scca-external/README.md
deleted file mode 100644
index 225dd44..0000000
--- a/SACAv1/roles/f5-azure-scca-external/README.md
+++ /dev/null
@@ -1,38 +0,0 @@
-Role Name
-=========
-
-A brief description of the role goes here.
-
-Requirements
-------------
-
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
-
-Role Variables
---------------
-
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
-
-Dependencies
-------------
-
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
-
-Example Playbook
-----------------
-
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
- - hosts: servers
- roles:
- - { role: username.rolename, x: 42 }
-
-License
--------
-
-BSD
-
-Author Information
-------------------
-
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/SACAv1/roles/f5-azure-scca-external/defaults/main.yml b/SACAv1/roles/f5-azure-scca-external/defaults/main.yml
deleted file mode 100644
index 38242f7..0000000
--- a/SACAv1/roles/f5-azure-scca-external/defaults/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# defaults file for f5-azure-scca-external
\ No newline at end of file
diff --git a/SACAv1/roles/f5-azure-scca-external/files/azuredeploy.json b/SACAv1/roles/f5-azure-scca-external/files/azuredeploy.json
deleted file mode 100644
index dbd9bb8..0000000
--- a/SACAv1/roles/f5-azure-scca-external/files/azuredeploy.json
+++ /dev/null
@@ -1,1225 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
- "contentVersion": "4.4.0.0",
- "parameters": {
- "adminUsername": {
- "defaultValue": "azureuser",
- "metadata": {
- "description": "User name for the Virtual Machine."
- },
- "type": "string"
- },
- "adminPassword": {
- "metadata": {
- "description": "Password to login to the Virtual Machine."
- },
- "type": "securestring"
- },
- "dnsLabel": {
- "defaultValue": "REQUIRED",
- "metadata": {
- "description": "Unique DNS Name for the Public IP address used to access the Virtual Machine."
- },
- "type": "string"
- },
- "instanceName": {
- "defaultValue": "bigip",
- "metadata": {
- "description": "Name of the Virtual Machine."
- },
- "type": "string"
- },
- "instanceType": {
- "allowedValues": [
- "Standard_A3",
- "Standard_A4",
- "Standard_A5",
- "Standard_A6",
- "Standard_A7",
- "Standard_D3",
- "Standard_D4",
- "Standard_D11",
- "Standard_D12",
- "Standard_D13",
- "Standard_D14",
- "Standard_DS3",
- "Standard_DS4",
- "Standard_DS11",
- "Standard_DS12",
- "Standard_DS13",
- "Standard_DS14",
- "Standard_D3_v2",
- "Standard_D4_v2",
- "Standard_D5_v2",
- "Standard_D11_v2",
- "Standard_D12_v2",
- "Standard_D13_v2",
- "Standard_D14_v2",
- "Standard_D15_v2",
- "Standard_DS3_v2",
- "Standard_DS4_v2",
- "Standard_DS5_v2",
- "Standard_DS11_v2",
- "Standard_DS12_v2",
- "Standard_DS13_v2",
- "Standard_DS14_v2",
- "Standard_DS15_v2",
- "Standard_F4",
- "Standard_F8",
- "Standard_F4S",
- "Standard_F8S",
- "Standard_F16S",
- "Standard_G3",
- "Standard_G4",
- "Standard_G5",
- "Standard_GS3",
- "Standard_GS4",
- "Standard_GS5"
- ],
- "defaultValue": "Standard_DS3_v2",
- "metadata": {
- "description": "Azure instance size of the Virtual Machine."
- },
- "type": "string"
- },
- "imageName": {
- "allowedValues": [
- "Good",
- "Better",
- "Best"
- ],
- "defaultValue": "Good",
- "metadata": {
- "description": "F5 SKU (IMAGE) to you want to deploy. Note: The disk size of the VM will be determined based on the option you select."
- },
- "type": "string"
- },
- "bigIpVersion": {
- "allowedValues": [
- "13.1.007001",
- "13.0.0300",
- "12.1.2200",
- "latest"
- ],
- "defaultValue": "13.1.007001",
- "metadata": {
- "description": "F5 BIG-IP version you want to use."
- },
- "type": "string"
- },
- "licenseKey1": {
- "defaultValue": "REQUIRED",
- "metadata": {
- "description": "The license token for the F5 BIG-IP VE (BYOL)."
- },
- "type": "string"
- },
- "licenseKey2": {
- "defaultValue": "REQUIRED",
- "metadata": {
- "description": "The license token for the F5 BIG-IP VE (BYOL). This field is required when deploying two or more devices."
- },
- "type": "string"
- },
- "numberOfExternalIps": {
- "allowedValues": [
- 0,
- 1,
- 2,
- 3,
- 4,
- 5,
- 6,
- 7,
- 8,
- 9,
- 10,
- 11,
- 12,
- 13,
- 14,
- 15,
- 16,
- 17,
- 18,
- 19,
- 20
- ],
- "defaultValue": 1,
- "metadata": {
- "description": "The number of public/private IP addresses you want to deploy for the application traffic (external) NIC on the BIG-IP VE to be used for virtual servers."
- },
- "type": "int"
- },
- "vnetName": {
- "metadata": {
- "description": "The name of the existing virtual network to which you want to connect the BIG-IP VEs."
- },
- "type": "string"
- },
- "vnetResourceGroupName": {
- "metadata": {
- "description": "The name of the resource group that contains the Virtual Network where the BIG-IP VE will be placed."
- },
- "type": "string"
- },
- "mgmtSubnetName": {
- "metadata": {
- "description": "Name of the existing MGMT subnet - with external access to the Internet."
- },
- "type": "string"
- },
- "mgmtIpAddressRangeStart": {
- "metadata": {
- "description": "The static private IP address you want to assign to the management self IP of the first BIG-IP. The next contiguous address will be used for the second BIG-IP device."
- },
- "type": "string"
- },
- "externalSubnetName": {
- "metadata": {
- "description": "Name of the existing external subnet - with external access to Internet."
- },
- "type": "string"
- },
- "externalIpSelfAddressRangeStart": {
- "metadata": {
- "description": "The static private IP address you want to assign to the external self IP (primary) of the first BIG-IP VE. The next contiguous address will be used for the second BIG-IP device."
- },
- "type": "string"
- },
- "externalIpAddressRangeStart": {
- "metadata": {
- "description": "The static private IP address (secondary) you would like to assign to the first shared Azure public IP. An additional private IP address will be assigned for each public IP address you specified in numberOfExternalIps. For example, inputting 10.100.1.50 here and choosing 2 in numberOfExternalIps would result in 10.100.1.50 and 10.100.1.51 being configured as static private IP addresses for external virtual servers."
- },
- "type": "string"
- },
- "internalSubnetName": {
- "metadata": {
- "description": "Name of the existing internal subnet."
- },
- "type": "string"
- },
- "internalIpAddressRangeStart": {
- "metadata": {
- "description": "The static private IP address you would like to assign to the internal self IP of the first BIG-IP VE. The next contiguous address will be used for the second BIG-IP device."
- },
- "type": "string"
- },
- "tenantId": {
- "metadata": {
- "description": "Your Azure service principal application tenant ID."
- },
- "type": "string"
- },
- "clientId": {
- "metadata": {
- "description": "Your Azure service principal application client ID."
- },
- "type": "string"
- },
- "servicePrincipalSecret": {
- "metadata": {
- "description": "Your Azure service principal application secret."
- },
- "type": "securestring"
- },
- "managedRoutes": {
- "defaultValue": "NOT_SPECIFIED",
- "metadata": {
- "description": "A comma-delimited list of route destinations to be managed by this cluster. For example: 0.0.0.0/0,192.168.1.0/24. Specifying a comma-delimited list of managedRoutes and a routeTableTag in the template defines the UDRs to be updated. To have the UDRs managed by BIG-IP, you will now also need to create an Azure tag with key **f5_tg** and value **traffic-group-1**, or the name of a different traffic group you have configured on the BIG-IP VE. All UDRs with destinations matching managedRoutes and configured in Azure Route Tables tagged with 'f5_ha:' will use the active BIG-IP VE as the next hop for those routes."
- },
- "type": "string"
- },
- "routeTableTag": {
- "defaultValue": "NOT_SPECIFIED",
- "metadata": {
- "description": "Azure tag value to identify the route tables to be managed by this cluster. For example tag value: myRoute. Example Azure tag: f5_ha:myRoute."
- },
- "type": "string"
- },
- "ntpServer": {
- "defaultValue": "0.pool.ntp.org",
- "metadata": {
- "description": "Leave the default NTP server the BIG-IP uses, or replace the default NTP server with the one you want to use."
- },
- "type": "string"
- },
- "timeZone": {
- "defaultValue": "UTC",
- "metadata": {
- "description": "If you would like to change the time zone the BIG-IP uses, enter the time zone you want to use. This is based on the tz database found in /usr/share/zoneinfo. Example values: UTC, US/Pacific, US/Eastern, Europe/London or Asia/Singapore."
- },
- "type": "string"
- },
- "restrictedSrcAddress": {
- "defaultValue": "*",
- "metadata": {
- "description": "This field restricts management access to a specific network or address. Enter an IP address or address range in CIDR notation, or asterisk for all sources"
- },
- "type": "string"
- },
- "tagValues": {
- "defaultValue": {
- "application": "APP",
- "cost": "COST",
- "environment": "ENV",
- "group": "GROUP",
- "owner": "OWNER"
- },
- "metadata": {
- "description": "Default key/value resource tags will be added to the resources in this deployment, if you would like the values to be unique adjust them as needed for each key."
- },
- "type": "object"
- },
- "allowUsageAnalytics": {
- "allowedValues": [
- "Yes",
- "No"
- ],
- "defaultValue": "No",
- "metadata": {
- "description": "This deployment can send anonymous statistics to F5 to help us determine how to improve our solutions. If you select **No** statistics are not sent."
- },
- "type": "string"
- }
- },
- "variables": {
- "bigIpNicPortMap": {
- "1": {
- "Port": "[parameters('bigIpVersion')]"
- },
- "2": {
- "Port": "443"
- },
- "3": {
- "Port": "443"
- },
- "4": {
- "Port": "443"
- },
- "5": {
- "Port": "443"
- },
- "6": {
- "Port": "443"
- }
- },
- "bigIpVersionPortMap": {
- "12.1.2200": {
- "Port": 443
- },
- "13.0.0300": {
- "Port": 8443
- },
- "13.1.007001": {
- "Port": 8443
- },
- "443": {
- "Port": 443
- },
- "latest": {
- "Port": 8443
- }
- },
- "apiVersion": "2015-06-15",
- "computeApiVersion": "2017-12-01",
- "networkApiVersion": "2017-11-01",
- "storageApiVersion": "2017-10-01",
- "location": "[resourceGroup().location]",
- "subscriptionID": "[subscription().subscriptionId]",
- "resourceGroupName": "[resourceGroup().name]",
- "singleQuote": "'",
- "f5CloudLibsTag": "v3.6.2",
- "f5CloudLibsAzureTag": "v1.5.0",
- "f5NetworksTag": "v4.4.0.0",
- "f5CloudIappsTag": "v1.2.1",
- "verifyHash": "[concat(variables('singleQuote'), 'cli script /Common/verifyHash {\nproc script::run {} {\n if {[catch {\n set hashes(f5-cloud-libs.tar.gz) 4cf5edb76d2e8dd0493f4892ff3679a58c8c79b1c02e550b55150d9002228c24c6d841095f1edd33fb49c5aaea518771252b4fb6d423a8a4ba8d94a0baf0f77a\n set hashes(f5-cloud-libs-aws.tar.gz) 1a4ba191e997b2cfaaee0104deccc0414a6c4cc221aedc65fbdec8e47a72f1d5258b047d6487a205fa043fdbd6c8fcb1b978cac36788e493e94a4542f90bd92b\n set hashes(f5-cloud-libs-azure.tar.gz) 5c256d017d0a57f5c96c2cb43f4d8b76297ae0b91e7a11c6d74e5c14268232f6a458bf0c16033b992040be076e934392c69f32fc8beffe070b5d84924ec7b947\n set hashes(f5-cloud-libs-gce.tar.gz) 6ef33cc94c806b1e4e9e25ebb96a20eb1fe5975a83b2cd82b0d6ccbc8374be113ac74121d697f3bfc26bf49a55e948200f731607ce9aa9d23cd2e81299a653c1\n set hashes(f5-cloud-libs-openstack.tar.gz) fb6d63771bf0c8d9cae9271553372f7fb50ce2e7a653bb3fb8b7d57330a18d72fa620e844b579fe79c8908a3873b2d33ee41803f23ea6c5dc9f7d7e943e68c3a\n set hashes(asm-policy-linux.tar.gz) 63b5c2a51ca09c43bd89af3773bbab87c71a6e7f6ad9410b229b4e0a1c483d46f1a9fff39d9944041b02ee9260724027414de592e99f4c2475415323e18a72e0\n set hashes(f5.http.v1.2.0rc4.tmpl) 47c19a83ebfc7bd1e9e9c35f3424945ef8694aa437eedd17b6a387788d4db1396fefe445199b497064d76967b0d50238154190ca0bd73941298fc257df4dc034\n set hashes(f5.http.v1.2.0rc6.tmpl) 811b14bffaab5ed0365f0106bb5ce5e4ec22385655ea3ac04de2a39bd9944f51e3714619dae7ca43662c956b5212228858f0592672a2579d4a87769186e2cbfe\n set hashes(f5.http.v1.2.0rc7.tmpl) 21f413342e9a7a281a0f0e1301e745aa86af21a697d2e6fdc21dd279734936631e92f34bf1c2d2504c201f56ccd75c5c13baa2fe7653213689ec3c9e27dff77d\n set hashes(f5.aws_advanced_ha.v1.3.0rc1.tmpl) 9e55149c010c1d395abdae3c3d2cb83ec13d31ed39424695e88680cf3ed5a013d626b326711d3d40ef2df46b72d414b4cb8e4f445ea0738dcbd25c4c843ac39d\n set hashes(f5.aws_advanced_ha.v1.4.0rc1.tmpl) de068455257412a949f1eadccaee8506347e04fd69bfb645001b76f200127668e4a06be2bbb94e10fefc215cfc3665b07945e6d733cbe1a4fa1b88e881590396\n set hashes(f5.aws_advanced_ha.v1.4.0rc2.tmpl) 6ab0bffc426df7d31913f9a474b1a07860435e366b07d77b32064acfb2952c1f207beaed77013a15e44d80d74f3253e7cf9fbbe12a90ec7128de6facd097d68f\n set hashes(asm-policy.tar.gz) 2d39ec60d006d05d8a1567a1d8aae722419e8b062ad77d6d9a31652971e5e67bc4043d81671ba2a8b12dd229ea46d205144f75374ed4cae58cefa8f9ab6533e6\n set hashes(deploy_waf.sh) eebaf8593a29fa6e28bb65942d2b795edca0da08b357aa06277b0f4d2f25fe416da6438373f9955bdb231fa1de1a7c8d0ba7c224fa1f09bd852006070d887812\n set hashes(f5.policy_creator.tmpl) 06539e08d115efafe55aa507ecb4e443e83bdb1f5825a9514954ef6ca56d240ed00c7b5d67bd8f67b815ee9dd46451984701d058c89dae2434c89715d375a620\n set hashes(f5.service_discovery.tmpl) acc7c482a1eb8787a371091f969801b422cb92830b46460a3313b6a8e1cda0759f8013380e0c46d5214a351a248c029ec3ff04220aaef3e42a66badf9804041f\n\n set file_path [lindex $tmsh::argv 1]\n set file_name [file tail $file_path]\n\n if {![info exists hashes($file_name)]} {\n tmsh::log err \"No hash found for $file_name\"\n exit 1\n }\n\n set expected_hash $hashes($file_name)\n set computed_hash [lindex [exec /usr/bin/openssl dgst -r -sha512 $file_path] 0]\n if { $expected_hash eq $computed_hash } {\n exit 0\n }\n tmsh::log err \"Hash does not match for $file_path\"\n exit 1\n }]} {\n tmsh::log err {Unexpected error in verifyHash}\n exit 1\n }\n }\n script-signature Kir5DhV/uRo0SwVRgPGrnNnAJBgHZ3XYraih5T90VbRZii5vPt0q3codJUdgoWiByQGpFREsa5Gy+v0+yYDAdYBzyZlThwRe+6RjWYfxP2+cKAC28wByJ0x6En1UD9kscj7ILUON5yv771izvIrxJ7x4Fd4RHcqB5++hWLvOLxXMiyJAYh2aUSOgdc+kx4lCHS6IU0aXtUxAQYpq510k4eS4UZJrfE7GPmpYkpRDJivR8UUyUWtuj0CAt3pWQEijKnC5zHhH6q5ikvQFn05PugcZO7RzOaA/a2gZw609wYAkXODMA6L49l+IKB31Y+/5ROB1w9/wf/H5RiP/kXC5/A==\n signing-key /Common/f5-irule\n}', variables('singleQuote'))]",
- "installCloudLibs": "[concat(variables('singleQuote'), '#!/bin/bash\necho about to execute\nchecks=0\nwhile [ $checks -lt 120 ]; do echo checking mcpd\n/usr/bin/tmsh -a show sys mcp-state field-fmt | grep -q running\nif [ $? == 0 ]; then\necho mcpd ready\nbreak\nfi\necho mcpd not ready yet\nlet checks=checks+1\nsleep 1\ndone\necho loading verifyHash script\n/usr/bin/tmsh load sys config merge file /config/verifyHash\nif [ $? != 0 ]; then\necho cannot validate signature of /config/verifyHash\nexit 1\nfi\necho loaded verifyHash\n\nconfig_loc=\"/config/cloud/\"\nhashed_file_list=\"${config_loc}f5-cloud-libs.tar.gz f5.service_discovery.tmpl ${config_loc}f5-cloud-libs-azure.tar.gz\"\nfor file in $hashed_file_list; do\necho \"verifying $file\"\n/usr/bin/tmsh run cli script verifyHash $file\nif [ $? != 0 ]; then\necho \"$file is not valid\"\nexit 1\nfi\necho \"verified $file\"\ndone\necho \"expanding $hashed_file_list\"\ntar xfz /config/cloud/f5-cloud-libs.tar.gz -C /config/cloud/azure/node_modules\ntar xfz /config/cloud/f5-cloud-libs-azure.tar.gz -C /config/cloud/azure/node_modules/f5-cloud-libs/node_modules\ntouch /config/cloud/cloudLibsReady', variables('singleQuote'))]",
- "dnsLabel": "[toLower(parameters('dnsLabel'))]",
- "imageNameToLower": "[toLower(parameters('imageName'))]",
- "skuToUse": "f5-big-all-2slot-byol",
- "offerToUse": "f5-big-ip-byol",
- "bigIpNicPortValue": "[variables('bigIpNicPortMap')['3'].Port]",
- "bigIpMgmtPort": "[variables('bigIpVersionPortMap')[variables('bigIpNicPortValue')].Port]",
- "instanceName": "[toLower(parameters('instanceName'))]",
- "availabilitySetName": "[concat(variables('dnsLabel'), '-avset')]",
- "virtualNetworkName": "[parameters('vnetName')]",
- "vnetId": "[resourceId(parameters('vnetResourceGroupName'),'Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]",
- "publicIPAddressType": "Static",
- "mgmtPublicIPAddressName": "[concat(variables('dnsLabel'), '-mgmt-pip')]",
- "mgmtPublicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('mgmtPublicIPAddressName'))]",
- "mgmtNsgID": "[resourceId('Microsoft.Network/networkSecurityGroups/',concat(variables('dnsLabel'),'-mgmt-nsg'))]",
- "mgmtNicName": "[concat(variables('dnsLabel'), '-mgmt')]",
- "mgmtNicID": "[resourceId('Microsoft.Network/NetworkInterfaces', variables('mgmtNicName'))]",
- "mgmtSubnetName": "[parameters('mgmtSubnetName')]",
- "mgmtSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('mgmtSubnetName'))]",
- "mgmtSubnetPrivateAddressPrefixArray": "[split(parameters('mgmtIpAddressRangeStart'), '.')]",
- "mgmtSubnetPrivateAddressPrefix": "[concat(variables('mgmtSubnetPrivateAddressPrefixArray')[0], '.', variables('mgmtSubnetPrivateAddressPrefixArray')[1], '.', variables('mgmtSubnetPrivateAddressPrefixArray')[2], '.')]",
- "mgmtSubnetPrivateAddressSuffixInt": "[int(variables('mgmtSubnetPrivateAddressPrefixArray')[3])]",
- "mgmtSubnetPrivateAddressSuffix": "[add(variables('mgmtSubnetPrivateAddressSuffixInt'), 1)]",
- "mgmtSubnetPrivateAddress": "[parameters('mgmtIpAddressRangeStart')]",
- "mgmtSubnetPrivateAddress1": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), variables('mgmtSubnetPrivateAddressSuffix'))]",
- "extSelfPublicIpAddressNamePrefix": "[concat(variables('dnsLabel'), '-self-pip')]",
- "extSelfPublicIpAddressIdPrefix": "[resourceId('Microsoft.Network/publicIPAddresses', variables('extSelfPublicIpAddressNamePrefix'))]",
- "extpublicIPAddressNamePrefix": "[concat(variables('dnsLabel'), '-ext-pip')]",
- "extPublicIPAddressIdPrefix": "[resourceId('Microsoft.Network/publicIPAddresses', variables('extPublicIPAddressNamePrefix'))]",
- "extNsgID": "[resourceId('Microsoft.Network/networkSecurityGroups/',concat(variables('dnsLabel'),'-ext-nsg'))]",
- "extNicName": "[concat(variables('dnsLabel'), '-ext')]",
- "extSubnetName": "[parameters('externalSubnetName')]",
- "extSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('extsubnetName'))]",
- "extSubnetSelfPrivateAddressPrefixArray": "[split(parameters('externalIpSelfAddressRangeStart'), '.')]",
- "extSubnetSelfPrivateAddressPrefix": "[concat(variables('extSubnetSelfPrivateAddressPrefixArray')[0], '.', variables('extSubnetSelfPrivateAddressPrefixArray')[1], '.', variables('extSubnetSelfPrivateAddressPrefixArray')[2], '.')]",
- "extSubnetSelfPrivateAddressSuffixInt": "[int(variables('extSubnetSelfPrivateAddressPrefixArray')[3])]",
- "extSubnetSelfPrivateAddressSuffix": "[add(variables('extSubnetSelfPrivateAddressSuffixInt'), 1)]",
- "extSubnetPrivateAddress": "[parameters('externalIpSelfAddressRangeStart')]",
- "extSubnetPrivateAddress1": "[concat(variables('extSubnetSelfPrivateAddressPrefix'), variables('extSubnetSelfPrivateAddressSuffix'))]",
- "extSubnetPrivateAddressPrefixArray": "[split(parameters('externalIpAddressRangeStart'), '.')]",
- "extSubnetPrivateAddressPrefix": "[concat(variables('extSubnetPrivateAddressPrefixArray')[0], '.', variables('extSubnetPrivateAddressPrefixArray')[1], '.', variables('extSubnetPrivateAddressPrefixArray')[2], '.')]",
- "extSubnetPrivateAddressSuffixInt": "[int(variables('extSubnetPrivateAddressPrefixArray')[3])]",
- "extSubnetPrivateAddressSuffix0": "[add(variables('extSubnetPrivateAddressSuffixInt'), 1)]",
- "extSubnetPrivateAddressSuffix1": "[add(variables('extSubnetPrivateAddressSuffixInt'), 2)]",
- "intNicName": "[concat(variables('dnsLabel'), '-int')]",
- "intSubnetName": "[parameters('internalSubnetName')]",
- "intSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('intsubnetName'))]",
- "intSubnetPrivateAddress": "[parameters('internalIpAddressRangeStart')]",
- "intSubnetPrivateAddress1": "[concat(variables('intSubnetPrivateAddressPrefix'), variables('intSubnetPrivateAddressSuffix'))]",
- "intSubnetPrivateAddressPrefixArray": "[split(parameters('internalIpAddressRangeStart'), '.')]",
- "intSubnetPrivateAddressPrefix": "[concat(variables('intSubnetPrivateAddressPrefixArray')[0], '.', variables('intSubnetPrivateAddressPrefixArray')[1], '.', variables('intSubnetPrivateAddressPrefixArray')[2], '.')]",
- "intSubnetPrivateAddressSuffixInt": "[int(variables('intSubnetPrivateAddressPrefixArray')[3])]",
- "intSubnetPrivateAddressSuffix": "[add(variables('intSubnetPrivateAddressSuffixInt'), 1)]",
- "extSubnetRef": "[concat('/subscriptions/', variables('subscriptionID'), '/resourceGroups/', parameters('vnetResourceGroupName'), '/providers/Microsoft.Network/virtualNetworks/', parameters('vnetName'), '/subnets/', parameters('externalSubnetName'))]",
- "intSubnetRef": "[concat('/subscriptions/', variables('subscriptionID'), '/resourceGroups/', parameters('vnetResourceGroupName'), '/providers/Microsoft.Network/virtualNetworks/', parameters('vnetName'), '/subnets/', parameters('internalSubnetName'))]",
- "numberOfExternalIps": "[parameters('numberOfExternalIps')]",
- "mgmtRouteGw": "`tmsh list sys management-route default gateway | grep gateway | sed 's/gateway //;s/ //g'`",
- "routeCmdArray": {
- "12.1.2200": "[concat('tmsh create sys management-route waagent_route network 168.63.129.16/32 gateway ', variables('mgmtRouteGw'), '; tmsh save sys config')]",
- "13.0.0300": "route",
- "13.1.007001": "route",
- "latest": "route"
- },
- "failoverCmdArray": {
- "12.1.2200": "echo \"Failover db variable not required.\"",
- "13.0.0300": "echo \"Failover db variable not required.\"",
- "13.1.007001": "tmsh modify sys db failover.selinuxallowscripts value enable",
- "latest": "tmsh modify sys db failover.selinuxallowscripts value enable"
- },
- "instanceTypeMap": {
- "Standard_A3": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_A4": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_A5": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_A6": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_A7": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D11": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D11_v2": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D12": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D12_v2": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D13": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D13_v2": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D14": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D14_v2": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D15_v2": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D2": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D2_v2": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D3": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D3_v2": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D4": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D4_v2": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_D5_v2": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_DS1": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS11": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS11_v2": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS12": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS12_v2": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS13": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS13_v2": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS14": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS14_v2": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS15_v2": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS1_v2": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS2": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS2_v2": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS3": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS3_v2": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS4": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS4_v2": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_DS5_v2": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_F2": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_F4": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_G1": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_G2": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_G3": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_G4": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_G5": {
- "storageAccountTier": "Standard",
- "storageAccountType": "Standard_LRS"
- },
- "Standard_GS1": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_GS2": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_GS3": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_GS4": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- },
- "Standard_GS5": {
- "storageAccountTier": "Premium",
- "storageAccountType": "Premium_LRS"
- }
- },
- "tagValues": "[parameters('tagValues')]",
- "pipTagValues": {
- "copy": [
- {
- "count": 20,
- "input": {
- "f5_extSubnetId": "[variables('extSubnetId')]",
- "f5_privateIp": "[concat(split(parameters('externalIpAddressRangeStart'), '.')[0], '.', split(parameters('externalIpAddressRangeStart'), '.')[1], '.', split(parameters('externalIpAddressRangeStart'), '.')[2], '.', add(int(split(parameters('externalIpAddressRangeStart'), '.')[3]), copyIndex('values')))]",
- "f5_tg": "traffic-group-1"
- },
- "name": "values"
- }
- ]
- },
- "newStorageAccountName0": "[concat(uniqueString(variables('dnsLabel'), resourceGroup().id, deployment().name), 'stor0')]",
- "newStorageAccountName1": "[concat(uniqueString(variables('dnsLabel'), resourceGroup().id, deployment().name), 'stor1')]",
- "storageAccountType": "[variables('instanceTypeMap')[parameters('instanceType')].storageAccountType]",
- "storageAccountTier": "[variables('instanceTypeMap')[parameters('instanceType')].storageAccountTier]",
- "newDataStorageAccountName": "[concat(uniqueString(variables('dnsLabel'), resourceGroup().id, deployment().name), 'data000')]",
- "dataStorageAccountType": "Standard_LRS",
- "deploymentId": "[concat(variables('subscriptionId'), resourceGroup().id, deployment().name, variables('dnsLabel'))]",
- "allowUsageAnalytics": {
- "No": {
- "hashCmd": "echo AllowUsageAnalytics:No",
- "metricsCmd": ""
- },
- "Yes": {
- "hashCmd": "[concat('custId=`echo \"', variables('subscriptionId'), '\"|sha512sum|cut -d \" \" -f 1`; deployId=`echo \"', variables('deploymentId'), '\"|sha512sum|cut -d \" \" -f 1`')]",
- "metricsCmd": "[concat(' --metrics customerId:${custId},deploymentId:${deployId},templateName:ha-avset-existing_stack-chen,templateVersion:4.4.0.0,region:', variables('location'), ',bigIpVersion:', parameters('bigIpVersion') ,',licenseType:BYOL,cloudLibsVersion:', variables('f5CloudLibsTag'), ',cloudName:azure')]"
- }
- },
- "customConfig": "### START (INPUT) CUSTOM CONFIGURATION HERE\nlocation=$(curl --interface mgmt -H metadata:true \"http://169.254.169.254/metadata/instance?api-version=2017-08-01\" --stderr /dev/null |jq .compute.location)\n#location=\"\"usgovvirginia\"\"\necho $location | grep -i -E \"(gov|dod)\" > /dev/null;\n#echo $?\nif [ $? == 0 ]\n then\n curl https://raw.githubusercontent.com/chen23/f5-cloud-libs-azure/chen-azureusgovernment-1.5/scripts/failoverProvider.js > /config/cloud/azure/node_modules/f5-cloud-libs/node_modules/f5-cloud-libs-azure/scripts/failoverProvider.js\n else\n curl https://raw.githubusercontent.com/chen23/f5-cloud-libs-azure/chen-1.5/scripts/failoverProvider.js > /config/cloud/azure/node_modules/f5-cloud-libs/node_modules/f5-cloud-libs-azure/scripts/failoverProvider.js\nfi\n\nf5-rest-node /config/cloud/azure/node_modules/f5-cloud-libs/node_modules/f5-cloud-libs-azure/scripts/failoverProvider.js\n",
- "installCustomConfig": "[concat(variables('singleQuote'), '#!/bin/bash\n', variables('customConfig'), variables('singleQuote'))]"
- },
- "resources": [
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[not(equals(variables('numberOfExternalIps'),0))]",
- "copy": {
- "count": "[if(not(equals(variables('numberOfExternalIps'), 0)), variables('numberOfExternalIps'), 1)]",
- "name": "extpipcopy"
- },
- "location": "[variables('location')]",
- "name": "[concat(variables('extPublicIPAddressNamePrefix'), copyIndex())]",
- "properties": {
- "dnsSettings": {
- "domainNameLabel": "[concat(variables('dnsLabel'), copyIndex(0))]"
- },
- "idleTimeoutInMinutes": 30,
- "publicIPAllocationMethod": "[variables('publicIPAddressType')]"
- },
- "tags": "[if(empty(variables('tagValues')), union(json('{}'), variables('pipTagValues').values[copyIndex()]), union(variables('tagValues'), variables('pipTagValues').values[copyIndex()]))]",
- "type": "Microsoft.Network/publicIPAddresses"
- },
- {
- "apiVersion": "[variables('apiVersion')]",
- "dependsOn": [
- "[variables('mgmtNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '0')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgId')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('apiVersion')]",
- "dependsOn": [
- "[variables('mgmtNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '1')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgId')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('apiVersion')]",
- "dependsOn": [
- "[variables('extNsgID')]",
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '0')]",
- "properties": {
- "enableIPForwarding": true,
- "copy": [
- {
- "count": "[add(variables('numberOfExternalIps'), 1)]",
- "input": {
- "name": "[if(equals(copyIndex('ipConfigurations'), 0), concat(variables('instanceName'), '-self-ipconfig'), concat(variables('resourceGroupName'), '-ext-ipconfig', sub(copyIndex('ipConfigurations'), 1)))]",
- "properties": {
- "primary": "[if(equals(copyIndex('ipConfigurations', 1), 1), 'True', 'False')]",
- "privateIPAddress": "[if(equals(copyIndex('ipConfigurations', 1), 1), variables('extSubnetPrivateAddress'), concat(variables('extSubnetPrivateAddressPrefix'), add(variables('extSubnetPrivateAddressSuffixInt'), sub(copyIndex('ipConfigurations', 1), 1))))]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- },
- "name": "ipConfigurations"
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('apiVersion')]",
- "dependsOn": [
- "[variables('extNsgID')]",
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '1')]",
- "properties": {
- "enableIPForwarding": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('apiVersion')]",
- "dependsOn": [
- "[variables('extNsgID')]",
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '0')]",
- "properties": {
- "enableIPForwarding": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-int-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('intSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('apiVersion')]",
- "dependsOn": [
- "[variables('extNsgID')]",
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '1')]",
- "properties": {
- "enableIPForwarding": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-int-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('intSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('apiVersion')]",
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-mgmt-nsg')]",
- "properties": {
- "securityRules": [
- {
- "name": "mgmt_allow_https",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "[variables('bigIpMgmtPort')]",
- "direction": "Inbound",
- "priority": 101,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- },
- {
- "name": "ssh_allow_22",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "22",
- "direction": "Inbound",
- "priority": 102,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkSecurityGroups"
- },
- {
- "apiVersion": "[variables('apiVersion')]",
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-ext-nsg')]",
- "properties": {
- "securityRules": [
- {
- "name": "allow_http",
- "properties": {
- "protocol": "Tcp",
- "sourcePortRange": "*",
- "destinationPortRange": "80",
- "sourceAddressPrefix": "*",
- "destinationAddressPrefix": "*",
- "access": "Allow",
- "priority": 1000,
- "direction": "Inbound"
- }
- },
- {
- "name": "allow_https",
- "properties": {
- "protocol": "Tcp",
- "sourcePortRange": "*",
- "destinationPortRange": "443",
- "sourceAddressPrefix": "*",
- "destinationAddressPrefix": "*",
- "access": "Allow",
- "priority": 1001,
- "direction": "Inbound"
- }
- },
- {
- "name": "allow_rdp",
- "properties": {
- "protocol": "Tcp",
- "sourcePortRange": "*",
- "destinationPortRange": "3389",
- "sourceAddressPrefix": "*",
- "destinationAddressPrefix": "*",
- "access": "Allow",
- "priority": 1002,
- "direction": "Inbound"
- }
- },
- {
- "name": "allow_ssh",
- "properties": {
- "protocol": "Tcp",
- "sourcePortRange": "*",
- "destinationPortRange": "22",
- "sourceAddressPrefix": "*",
- "destinationAddressPrefix": "*",
- "access": "Allow",
- "priority": 1003,
- "direction": "Inbound"
- }
- },
- {
- "name": "allow_moressh",
- "properties": {
- "protocol": "Tcp",
- "sourcePortRange": "*",
- "destinationPortRange": "2200-2299",
- "sourceAddressPrefix": "*",
- "destinationAddressPrefix": "*",
- "access": "Allow",
- "priority": 1004,
- "direction": "Inbound"
- }
- },
- {
- "name": "allow_morehttp",
- "properties": {
- "protocol": "Tcp",
- "sourcePortRange": "*",
- "destinationPortRange": "8000-9000",
- "sourceAddressPrefix": "*",
- "destinationAddressPrefix": "*",
- "access": "Allow",
- "priority": 1005,
- "direction": "Inbound"
- }
- }
- ]
- },
- "tags": {
- "application": "[parameters('tagValues').application]",
- "costCenter": "[parameters('tagValues').cost]",
- "environment": "[parameters('tagValues').environment]",
- "group": "[parameters('tagValues').group]",
- "owner": "[parameters('tagValues').owner]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkSecurityGroups"
- },
- {
- "apiVersion": "[variables('apiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName')]",
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('storageApiVersion')]",
- "kind": "Storage",
- "location": "[variables('location')]",
- "name": "[variables('newStorageAccountName0')]",
- "sku": {
- "name": "[variables('storageAccountType')]",
- "tier": "[variables('storageAccountTier')]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Storage/storageAccounts"
- },
- {
- "apiVersion": "[variables('storageApiVersion')]",
- "kind": "Storage",
- "location": "[variables('location')]",
- "name": "[variables('newDataStorageAccountName')]",
- "sku": {
- "name": "[variables('dataStorageAccountType')]",
- "tier": "Standard"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Storage/storageAccounts"
- },
- {
- "apiVersion": "[variables('storageApiVersion')]",
- "kind": "Storage",
- "location": "[variables('location')]",
- "name": "[variables('newStorageAccountName1')]",
- "sku": {
- "name": "[variables('storageAccountType')]",
- "tier": "[variables('storageAccountTier')]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Storage/storageAccounts"
- },
- {
- "apiVersion": "[variables('apiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '0')]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName'))]",
- "[concat('Microsoft.Storage/storageAccounts/', variables('newStorageAccountName0'))]",
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '0')]",
- "plan": {
- "name": "[variables('skuToUse')]",
- "product": "[variables('offerToUse')]",
- "publisher": "f5-networks"
- },
- "properties": {
- "availabilitySet": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]"
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '0'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": {
- "adminPassword": "[parameters('adminPassword')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('instanceName')]"
- },
- "storageProfile": {
- "imageReference": {
- "offer": "[variables('offerToUse')]",
- "publisher": "f5-networks",
- "sku": "[variables('skuToUse')]",
- "version": "[parameters('bigIpVersion')]"
- },
- "osDisk": {
- "caching": "ReadWrite",
- "createOption": "FromImage",
- "name": "osdisk",
- "vhd": {
- "uri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('newStorageAccountName0')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob, 'vhds/', variables('instanceName'),'0.vhd')]"
- }
- }
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('apiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '1')]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName'))]",
- "[concat('Microsoft.Storage/storageAccounts/', variables('newStorageAccountName1'))]",
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '1')]",
- "plan": {
- "name": "[variables('skuToUse')]",
- "product": "[variables('offerToUse')]",
- "publisher": "f5-networks"
- },
- "properties": {
- "availabilitySet": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]"
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '1'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": {
- "adminPassword": "[parameters('adminPassword')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('instanceName')]"
- },
- "storageProfile": {
- "imageReference": {
- "offer": "[variables('offerToUse')]",
- "publisher": "f5-networks",
- "sku": "[variables('skuToUse')]",
- "version": "[parameters('bigIpVersion')]"
- },
- "osDisk": {
- "caching": "ReadWrite",
- "createOption": "FromImage",
- "name": "osdisk",
- "vhd": {
- "uri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('newStorageAccountName1')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob, 'vhds/', variables('instanceName'),'1.vhd')]"
- }
- }
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabel'), '-', variables('instanceName'), '0')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '0/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('mkdir -p /config/cloud/azure/node_modules && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/log/cloud/azure; function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; }; TMP_DIR=/mnt/creds; TMP_CREDENTIALS_FILE=$TMP_DIR/.passwd; BIG_IP_CREDENTIALS_FILE=/config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; /usr/bin/install -b -m 400 /dev/null $BIG_IP_CREDENTIALS_FILE; /usr/bin/install -b -m 400 /dev/null /config/cloud/.azCredentials; /usr/bin/install -b -m 755 /dev/null /config/cloud/managedRoutes; /usr/bin/install -b -m 755 /dev/null /config/cloud/routeTableTag; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash'), ' > /config/verifyHash; echo -e ', variables('installCloudLibs'), ' > /config/installCloudLibs.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; echo ', variables('singleQuote'), '{\"clientId\": \"', parameters('clientId'), '\", \"tenantId\": \"', parameters('tenantId'), '\", \"secret\": \"', parameters('servicePrincipalSecret'), '\", \"subscriptionId\": \"', variables('subscriptionID'), '\", \"resourceGroupName\": \"', variables('resourceGroupName'), '\", \"uniqueLabel\": \"', variables('dnsLabel'), '\"}', variables('singleQuote'), ' > /config/cloud/.azCredentials; echo -e ', parameters('managedRoutes'), ' > /config/cloud/managedRoutes; echo -e ', parameters('routeTableTag'), ' > /config/cloud/routeTableTag; unset IFS; bash /config/installCloudLibs.sh; . /config/cloud/azure/node_modules/f5-cloud-libs/scripts/util.sh; create_temp_dir $TMP_DIR; echo ', variables('singleQuote'), parameters('adminPassword'), variables('singleQuote'), '|sha512sum|cut -d \" \" -f 1|tr -d \"\n\" > $TMP_CREDENTIALS_FILE; bash /config/cloud/azure/node_modules/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file $TMP_CREDENTIALS_FILE; f5-rest-node /config/cloud/azure/node_modules/f5-cloud-libs/scripts/encryptDataToFile.js --data-file $TMP_CREDENTIALS_FILE --out-file $BIG_IP_CREDENTIALS_FILE; wipe_temp_dir $TMP_DIR;', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node /config/cloud/azure/node_modules/f5-cloud-libs/scripts/onboard.js --output /var/log/cloud/azure/onboard.log --log-level debug --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '0.', resourceGroup().location, '.cloudapp.azure.com'), ' --license ', parameters('licenseKey1'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, ' --module ltm:nominal --module afm:none; /usr/bin/f5-rest-node /config/cloud/azure/node_modules/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', concat(take(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, add(lastIndexOf(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '.'), 1)), add(int(take(split(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '.')[3], indexOf(split(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '.')[3], '/'))), 1)), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress'), skip(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, indexOf(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '/')), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress'), skip(reference(variables('intSubnetRef'), variables('networkApiVersion')).addressPrefix, indexOf(reference(variables('intSubnetRef'), variables('networkApiVersion')).addressPrefix, '/')), ',vlan:internal --log-level debug; echo ', variables('singleQuote'), '/usr/bin/f5-rest-node --use-strict /config/cloud/azure/node_modules/f5-cloud-libs/node_modules/f5-cloud-libs-azure/scripts/failoverProvider.js', variables('singleQuote'), ' >> /config/failover/tgactive; echo ', variables('singleQuote'), '/usr/bin/f5-rest-node --use-strict /config/cloud/azure/node_modules/f5-cloud-libs/node_modules/f5-cloud-libs-azure/scripts/failoverProvider.js', variables('singleQuote'), ' >> /config/failover/tgrefresh; tmsh modify cm device ', concat(variables('instanceName'), '0.', resourceGroup().location, '.cloudapp.azure.com'), ' unicast-address { { ip ', variables('intSubnetPrivateAddress'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress'), '; ', variables('failoverCmdArray')[parameters('bigIpVersion')], '; /usr/bin/f5-rest-node /config/cloud/azure/node_modules/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level debug --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress'), ' --create-group --device-group Sync --sync-type sync-failover --device ', concat(variables('instanceName'), '0.', resourceGroup().location, '.cloudapp.azure.com'), ' --network-failover --auto-sync --save-on-auto-sync', '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; ', variables('routeCmdArray')[parameters('bigIpVersion')], '; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi')]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/', variables('f5CloudLibsTag'), '/dist/f5-cloud-libs.tar.gz')]",
- "[concat('https://raw.githubusercontent.com/F5Networks/f5-cloud-iapps/', variables('f5CloudIappsTag'), '/f5-service-discovery/f5.service_discovery.tmpl')]",
- "[concat('https://raw.githubusercontent.com/F5Networks/f5-cloud-libs-azure/', variables('f5CloudLibsAzureTag'), '/dist/f5-cloud-libs-azure.tar.gz')]"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabel'), '-', variables('instanceName'), '1')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '1/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('mkdir -p /config/cloud/azure/node_modules && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/log/cloud/azure; function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; }; TMP_DIR=/mnt/creds; TMP_CREDENTIALS_FILE=$TMP_DIR/.passwd; BIG_IP_CREDENTIALS_FILE=/config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; /usr/bin/install -b -m 400 /dev/null $BIG_IP_CREDENTIALS_FILE; /usr/bin/install -b -m 400 /dev/null /config/cloud/.azCredentials; /usr/bin/install -b -m 755 /dev/null /config/cloud/managedRoutes; /usr/bin/install -b -m 755 /dev/null /config/cloud/routeTableTag; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash'), ' > /config/verifyHash; echo -e ', variables('installCloudLibs'), ' > /config/installCloudLibs.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; echo ', variables('singleQuote'), '{\"clientId\": \"', parameters('clientId'), '\", \"tenantId\": \"', parameters('tenantId'), '\", \"secret\": \"', parameters('servicePrincipalSecret'), '\", \"subscriptionId\": \"', variables('subscriptionID'), '\", \"resourceGroupName\": \"', variables('resourceGroupName'), '\", \"uniqueLabel\": \"', variables('dnsLabel'), '\"}', variables('singleQuote'), ' > /config/cloud/.azCredentials; echo -e ', parameters('managedRoutes'), ' > /config/cloud/managedRoutes; echo -e ', parameters('routeTableTag'), ' > /config/cloud/routeTableTag; unset IFS; bash /config/installCloudLibs.sh; . /config/cloud/azure/node_modules/f5-cloud-libs/scripts/util.sh; create_temp_dir $TMP_DIR; echo ', variables('singleQuote'), parameters('adminPassword'), variables('singleQuote'), '|sha512sum|cut -d \" \" -f 1|tr -d \"\n\" > $TMP_CREDENTIALS_FILE; bash /config/cloud/azure/node_modules/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file $TMP_CREDENTIALS_FILE; f5-rest-node /config/cloud/azure/node_modules/f5-cloud-libs/scripts/encryptDataToFile.js --data-file $TMP_CREDENTIALS_FILE --out-file $BIG_IP_CREDENTIALS_FILE; wipe_temp_dir $TMP_DIR;', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node /config/cloud/azure/node_modules/f5-cloud-libs/scripts/onboard.js --output /var/log/cloud/azure/onboard.log --log-level debug --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '1.', resourceGroup().location, '.cloudapp.azure.com'), ' --license ', parameters('licenseKey2'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, ' --module ltm:nominal --module afm:none; /usr/bin/f5-rest-node /config/cloud/azure/node_modules/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', concat(take(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, add(lastIndexOf(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '.'), 1)), add(int(take(split(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '.')[3], indexOf(split(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '.')[3], '/'))), 1)), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress1'), skip(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, indexOf(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '/')), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress1'), skip(reference(variables('intSubnetRef'), variables('networkApiVersion')).addressPrefix, indexOf(reference(variables('intSubnetRef'), variables('networkApiVersion')).addressPrefix, '/')), ',vlan:internal --log-level debug; echo ', variables('singleQuote'), '/usr/bin/f5-rest-node --use-strict /config/cloud/azure/node_modules/f5-cloud-libs/node_modules/f5-cloud-libs-azure/scripts/failoverProvider.js', variables('singleQuote'), ' >> /config/failover/tgactive; echo ', variables('singleQuote'), '/usr/bin/f5-rest-node --use-strict /config/cloud/azure/node_modules/f5-cloud-libs/node_modules/f5-cloud-libs-azure/scripts/failoverProvider.js', variables('singleQuote'), ' >> /config/failover/tgrefresh; tmsh modify cm device ', concat(variables('instanceName'), '1.', resourceGroup().location, '.cloudapp.azure.com'), ' unicast-address { { ip ', variables('intSubnetPrivateAddress1'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress1'), '; ', variables('failoverCmdArray')[parameters('bigIpVersion')], '; /usr/bin/f5-rest-node /config/cloud/azure/node_modules/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level debug --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress1'), ' --join-group --device-group Sync --sync --remote-host ', variables('mgmtSubnetPrivateAddress'), ' --remote-user svc_user --remote-password-url file:///config/cloud/.passwd', '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; ', variables('routeCmdArray')[parameters('bigIpVersion')], '; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi')]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/', variables('f5CloudLibsTag'), '/dist/f5-cloud-libs.tar.gz')]",
- "[concat('https://raw.githubusercontent.com/F5Networks/f5-cloud-iapps/', variables('f5CloudIappsTag'), '/f5-service-discovery/f5.service_discovery.tmpl')]",
- "[concat('https://raw.githubusercontent.com/F5Networks/f5-cloud-libs-azure/', variables('f5CloudLibsAzureTag'), '/dist/f5-cloud-libs-azure.tar.gz')]"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- }
- ],
- "outputs": {
- }
-}
diff --git a/SACAv1/roles/f5-azure-scca-external/handlers/main.yml b/SACAv1/roles/f5-azure-scca-external/handlers/main.yml
deleted file mode 100644
index 065fadc..0000000
--- a/SACAv1/roles/f5-azure-scca-external/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# handlers file for f5-azure-scca-external
\ No newline at end of file
diff --git a/SACAv1/roles/f5-azure-scca-external/meta/main.yml b/SACAv1/roles/f5-azure-scca-external/meta/main.yml
deleted file mode 100644
index 7223799..0000000
--- a/SACAv1/roles/f5-azure-scca-external/meta/main.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-galaxy_info:
- author: your name
- description: your description
- company: your company (optional)
-
- # If the issue tracker for your role is not on github, uncomment the
- # next line and provide a value
- # issue_tracker_url: http://example.com/issue/tracker
-
- # Some suggested licenses:
- # - BSD (default)
- # - MIT
- # - GPLv2
- # - GPLv3
- # - Apache
- # - CC-BY
- license: license (GPLv2, CC-BY, etc)
-
- min_ansible_version: 1.2
-
- # If this a Container Enabled role, provide the minimum Ansible Container version.
- # min_ansible_container_version:
-
- # Optionally specify the branch Galaxy will use when accessing the GitHub
- # repo for this role. During role install, if no tags are available,
- # Galaxy will use this branch. During import Galaxy will access files on
- # this branch. If Travis integration is configured, only notifications for this
- # branch will be accepted. Otherwise, in all cases, the repo's default branch
- # (usually master) will be used.
- #github_branch:
-
- #
- # platforms is a list of platforms, and each platform has a name and a list of versions.
- #
- # platforms:
- # - name: Fedora
- # versions:
- # - all
- # - 25
- # - name: SomePlatform
- # versions:
- # - all
- # - 1.0
- # - 7
- # - 99.99
-
- galaxy_tags: []
- # List tags for your role here, one per line. A tag is a keyword that describes
- # and categorizes the role. Users find roles by searching for tags. Be sure to
- # remove the '[]' above, if you add tags to this list.
- #
- # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
- # Maximum 20 tags per role.
-
-dependencies: []
- # List your role dependencies here, one per line. Be sure to remove the '[]' above,
- # if you add dependencies to this list.
\ No newline at end of file
diff --git a/SACAv1/roles/f5-azure-scca-external/tasks/main.yml b/SACAv1/roles/f5-azure-scca-external/tasks/main.yml
deleted file mode 100644
index 2876146..0000000
--- a/SACAv1/roles/f5-azure-scca-external/tasks/main.yml
+++ /dev/null
@@ -1,46 +0,0 @@
----
-# tasks file for f5-azure-scca-external
-- name: Check if resource group exists
- azure_rm_resourcegroup_facts:
- name: "{{resource_group}}"
- register: output
-#- name: Debug External Parameters
-# debug:
-# msg: "{{parameters}}"
-# when: not output.ansible_facts.azure_resourcegroups
-- name: Deploy External Environnment
- azure_rm_deployment:
- state: present
- location: "{{ location }}"
- resource_group_name: "{{resource_group}}"
- template: "{{ lookup('file','azuredeploy.json') }}"
- wait_for_deployment_completion: no
-
- parameters:
- "{{parameters}}"
- register: output
- when: not output.ansible_facts.azure_resourcegroups
-
-# - name: Create a public ip address
-# azure_rm_publicipaddress:
-# resource_group: "{{resource_group}}"
-# name: f5-alb-ext-pip0
-# allocation_method: Static
-
-# - name: Create a public ip address #2
-# azure_rm_publicipaddress:
-# resource_group: "{{resource_group}}"
-# name: f5-alb-ext-pip1
-# allocation_method: Static
-
-# - name: Deploy ALB
-# azure_rm_loadbalancer:
-# name: f5-ext-alb
-# location: "{{ location }}"
-# resource_group: "{{resource_group}}"
-# probe_protocol: Http
-# probe_port: 80
-# probe_request_path: /
-# load_distribution: Default
-# idle_timeout: 4
-# public_ip_address: f5-alb-ext-pip0
diff --git a/SACAv1/roles/f5-azure-scca-external/tests/inventory b/SACAv1/roles/f5-azure-scca-external/tests/inventory
deleted file mode 100644
index 878877b..0000000
--- a/SACAv1/roles/f5-azure-scca-external/tests/inventory
+++ /dev/null
@@ -1,2 +0,0 @@
-localhost
-
diff --git a/SACAv1/roles/f5-azure-scca-external/tests/test.yml b/SACAv1/roles/f5-azure-scca-external/tests/test.yml
deleted file mode 100644
index 0a48f78..0000000
--- a/SACAv1/roles/f5-azure-scca-external/tests/test.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- hosts: localhost
- remote_user: root
- roles:
- - f5-azure-scca-external
\ No newline at end of file
diff --git a/SACAv1/roles/f5-azure-scca-external/vars/main.yml b/SACAv1/roles/f5-azure-scca-external/vars/main.yml
deleted file mode 100644
index 6dca4b4..0000000
--- a/SACAv1/roles/f5-azure-scca-external/vars/main.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-# vars file for f5-azure-scca-external
-resource_group: "{{ansible_env.AZURE_RESOURCE_GROUP}}_F5_External"
-location: "{{ansible_env.location}}"
-f5_username: "{{ansible_env.f5_username}}"
-f5_password: "{{ansible_env.f5_password}}"
-# parameters:
-# adminPassword:
-# value: "{{ansible_env.f5_username}}"
-# adminUsername:
-# value: "{{ansible_env.f5_password}}"
-# allowUsageAnalytics:
-# value: 'Yes'
-# bigIpVersion:
-# value: 13.0.0300
-# clientId:
-# value: "{{ansible_env.AZURE_CLIENT_ID}}"
-# dnsLabel:
-# value: f5xxxext
-# externalIpAddressRangeStart:
-# value: 192.168.2.6
-# externalIpSelfAddressRangeStart:
-# value: 192.168.2.4
-# externalSubnetName:
-# value: 'F5_Ext_Untrusted_Subnet'
-# imageName:
-# value: Best
-# instanceName:
-# value: f5xxxext
-# internalIpAddressRangeStart:
-# value: 192.168.3.4
-# internalSubnetName:
-# value: 'F5_Ext_Trusted_Subnet'
-# licenseKey1:
-# value: LicenseKey1
-# licenseKey2:
-# value: LicenseKey2
-# managedRoutes:
-# value: 0.0.0.0/0
-# mgmtIpAddressRangeStart:
-# value: 172.16.0.8
-# mgmtSubnetName:
-# value: 'Management_Subnet'
-# ntpServer:
-# value: 0.pool.ntp.org
-# restrictedSrcAddress:
-# value: '*'
-# routeTableTag:
-# value: f5xxxextRouteTag
-# servicePrincipalSecret:
-# value: "{{ansible_env.AZURE_SECRET}}"
-# tenantId:
-# value: "{{ansible_env.AZURE_TENANT}}"
diff --git a/SACAv1/roles/f5-azure-scca-internal-setup/README.md b/SACAv1/roles/f5-azure-scca-internal-setup/README.md
deleted file mode 100644
index 225dd44..0000000
--- a/SACAv1/roles/f5-azure-scca-internal-setup/README.md
+++ /dev/null
@@ -1,38 +0,0 @@
-Role Name
-=========
-
-A brief description of the role goes here.
-
-Requirements
-------------
-
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
-
-Role Variables
---------------
-
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
-
-Dependencies
-------------
-
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
-
-Example Playbook
-----------------
-
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
- - hosts: servers
- roles:
- - { role: username.rolename, x: 42 }
-
-License
--------
-
-BSD
-
-Author Information
-------------------
-
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/SACAv1/roles/f5-azure-scca-internal-setup/defaults/main.yml b/SACAv1/roles/f5-azure-scca-internal-setup/defaults/main.yml
deleted file mode 100644
index fbf36a1..0000000
--- a/SACAv1/roles/f5-azure-scca-internal-setup/defaults/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# defaults file for f5-azure-scca-internal-setup
\ No newline at end of file
diff --git a/SACAv1/roles/f5-azure-scca-internal-setup/files/basic-asm-apache.xml b/SACAv1/roles/f5-azure-scca-internal-setup/files/basic-asm-apache.xml
deleted file mode 100644
index 85cdfc8..0000000
--- a/SACAv1/roles/f5-azure-scca-internal-setup/files/basic-asm-apache.xml
+++ /dev/null
@@ -1,15216 +0,0 @@
-
-
- Security
-
- 2018-01-03T15:04:12Z
- chen
- /Common/basic-asm-apache
- Policy Server Technology Unix/Linux [add]: Server Technology was set to Unix/Linux. { audit: policy = /Common/basic-asm-apache, username = chen, client IP = 172.16.0.5 }
-
- utf-8
- Rapid Deployment Policy
- false
- false
- false
-
- as parameters
- true
- Disabled
- 7
-
-
- false
-
-
- 0
-
-
- 0
-
- false
-
- false
- false
- enforcing
- 0
-
- 400
- 401
- 404
- 407
- 417
- 503
-
- 100
- 500
- 2000
- false
- false
- false
- false
- false
- false
- true
- true
- 500
- 50
- 25
- 1800
- true
- 500
- 400
- 200
- 1800
- true
- true
- 3
- 600
- 2
- 600
- 1800
- true
- 120
- true
- false
- false
- true
- true
- 5
- 600
- true
- 300
- 30
- 120
- 30
- true
-
-
- blocking
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
- true
- true
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
- true
- true
- true
- enabled
-
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- true
- true
- true
- enabled
-
-
- true
- true
- true
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
-
- false
- false
- false
- enabled
-
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- disabled
- enabled
- enabled
- enabled
- disabled
- disabled
- enabled
- enabled
- enabled
- disabled
- enabled
- enabled
- enabled
- disabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- enabled
- 3
- 20
- 500
-
- default
- HTTP/1.1 200 OK
-Cache-Control: no-cache
-Pragma: no-cache
-Connection: close
- <html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: <%TS.request.ID()%><br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>
- redirect
-
-
- soap fault
- HTTP/1.1 200 OK
-Cache-Control: no-cache
-Pragma: no-cache
-Content-type: text/xml
-Connection: close
- <?xml version='1.0' encoding='utf-8'?><soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>The requested operation was rejected. Please consult with your administrator.Your support ID is: <%TS.request.ID()%></faultstring><detail/></soap:Fault></soap:Body></soap:Envelope>
- redirect
-
-
- default
- HTTP/1.1 200 OK
-Cache-Control: no-cache
-Pragma: no-cache
-Connection: close
- <html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: <%TS.request.ID()%><br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>
- alert_popup
- The requested URL was rejected. Please consult with your administrator. Your support ID is: <%TS.request.ID()%>
-
-
- default
- HTTP/1.1 200 OK
-Cache-Control: no-cache
-Pragma: no-cache
-Connection: close
- <html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: <%TS.request.ID()%><br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>
- alert_popup
- The requested URL was rejected. Please consult with your administrator. Your support ID is: <%TS.request.ID()%>
-
-
- erase cookies
- HTTP/1.1 200 OK
-Cache-Control: no-cache
-Pragma: no-cache
-Connection: close
- <html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: <%TS.request.ID()%><br><br><a href='javascript:history.back();'>[Go Back]</a><%TS.script.erase_cookies%></body></html>
- redirect
-
-
- disabled
-
-
-
- false
- 900
- true
-
- 5
- 5
- 20
- false
- false
- false
-
-
- 7
- 7
- 30
- false
- false
- false
-
-
- 15
- 15
- 60
- false
- false
- false
-
-
- 5
- 5
- 20
- false
- false
- false
-
- 600
- 600
- 600
- true
- false
- false
- 4
-
-
-
-
-
-
-
- Default GWT Profile
- true
- false
- true
- false
- 10000
- 100
- 1
-
-
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- disallow
- allow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- allow
- disallow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- allow
- disallow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
-
-
-
-
- Default JSON Profile
- true
- false
- true
- false
- true
- 10000
- 100
- 10
- 1000
- 1
-
-
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- allow
- disallow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- allow
- disallow
- disallow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- disallow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
-
-
-
-
- Default XML Profile
- false
- false
- false
- false
- true
- false
- false
- false
- true
- false
- false
- 1024000
- 65536
- 256
- 1024
- 32
- 1024
- 16
- 64
- 1
- 1
- 1
- 1
- 1
- 256
- 1
- 1
-
-
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- disallow
- disallow
- allow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- allow
- disallow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- allow
- disallow
- disallow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- disallow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
-
-
-
-
- Default Plain Text Profile
- false
- false
- true
- 10000
- 100
- 0
-
-
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- disallow
- disallow
- allow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
-
-
-
-
- 1
- Never
- 1024
- 8196
- 4096
- 4096
- false
- false
- 2018-01-03T15:04:09Z
- true
- true
- true
- true
-
-
-
-
- 1
- Never
- false
- false
- false
- false
- advanced
- true
- false
- false
- 2018-01-03T15:04:09Z
-
- false
- Never
-
- false
- false
- unmodified
- allow
- false
- 1800
- unmodified
- unmodified
- unmodified
- unmodified
- true
- true
-
- *
- *
- 0
- apply_value_signatures
- false
-
-
- Content-Type
- *form*
- 1
- http
- false
-
-
- Default
- Content-Type
- *xml*
- 3
- xml
- false
-
-
- Default
- Content-Type
- *json*
- 2
- json
- false
-
-
-
- 2
- Never
- false
- false
- false
- false
- advanced
- true
- false
- false
- 2018-01-03T15:04:09Z
-
- false
- Never
-
- false
- false
- unmodified
- allow
- false
- 1800
- unmodified
- unmodified
- unmodified
- unmodified
- true
- true
-
- *
- *
- 0
- apply_value_signatures
- false
-
-
- Content-Type
- *form*
- 1
- http
- false
-
-
- Default
- Content-Type
- *xml*
- 3
- xml
- false
-
-
- Default
- Content-Type
- *json*
- 2
- json
- false
-
-
-
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- disallow
- disallow
- allow
- disallow
- allow
- disallow
- disallow
- allow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- disallow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
-
-
-
-
- 1
- When Violation Detected
- advanced
- true
- false
- 2018-01-03T15:04:09Z
- false
- false
- unmodified
- true
- remove
- true
- true
- true
- 10000
- 10000
- 100
- Default
- Default
- true
- false
- false
- false
-
-
- 2
- When Violation Detected
- advanced
- true
- false
- 2018-01-03T15:04:09Z
- false
- false
- unmodified
- true
- remove
- true
- true
- true
- 10000
- 10000
- 100
- Default
- Default
- true
- false
- false
- false
-
-
-
-
- Never
- false
- true
- ignore
- 0
- 0
- 10
- false
- false
- 2018-01-03T15:04:05Z
-
- false
-
- false
- false
- false
- false
- false
- true
- false
-
-
- 1
- Never
- false
- true
- user input
- 0
- 0
- 0
- false
- false
- 2018-01-03T15:04:09Z
-
- true
-
- false
- true
- true
- true
- false
- true
- false
-
-
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- allow
- disallow
- allow
- disallow
- disallow
- disallow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- allow
- disallow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- allow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
-
-
-
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- allow
- disallow
- allow
- allow
- allow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- disallow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
-
-
-
-
- password
-
-
-
- 0
-
- default
- HTTP/1.1 200 OK
-Cache-Control: no-cache
-Pragma: no-cache
-Connection: close
- <html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: <%TS.request.ID()%><br><br><a href='javascript:history.back();'>[Go Back]</a></body></html>
- redirect
-
-
-
-
-
- GET
- basic
-
-
- POST
- basic
-
-
- GET
- basic
-
-
-
-
- 1
- When Violation Detected
- true
- allow
- false
- false
- true
- false
-
-
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- allow
- allow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- disallow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
- allow
-
-
-
-
- true
- true
- true
-
-
-
- 1
- 1
- User-defined
- 1
- 0
- 0
- Apache/NCSA HTTP Server Server Technology Signatures
- 1
- 0
-
- 0
-
-
- Apache/NCSA HTTP Server
-
-
- true
- true
- true
-
-
-
- 1
- 1
- User-defined
- 1
- 0
- 0
- Unix/Linux Server Technology Signatures
- 1
- 0
-
- 0
-
-
- Unix/Linux
-
-
- true
- true
- true
-
- true
- true
- 2016-09-15 16:48:06
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
- true
- true
-
-
-
- false
- true
- true
- false
- true
- false
- false
- enforce_all_except_url_list
-
-
- Disabled
- false
-
-
- true
- 10
- 1200
- 604800
-
-
- true
- 1
- 0
- 604800
-
-
-
-
- 20
- 3600
- 604800
-
-
- 1
- 0
- 604800
-
-
-
- 15000
- 86400
- 50
-
- list
- false
- true
- 1xx
- 2xx
- 3xx
-
-
- When Violation Detected
- 100
- true
- 10
- true
-
-
- Never
- 100
-
-
- Never
- false
- 10000
-
- 10
- false
- false
- false
-
- global
- false
- 10
- false
-
-
- Never
- When Violation Detected
- 10000
- 100
- true
- 500
- 2
- false
- false
- true
- bmp
- gif
- ico
- jpeg
- jpg
- pcx
- pdf
- png
- swf
- wav
-
-
- true
-
-
- Never
- 100
-
-
- true
-
-
- false
-
-
-
- disallow
-
-
-
- false
-
- false
- false
-
-
- false
- false
-
-
- false
- false
-
-
- false
- false
-
-
- false
- false
-
-
- false
- false
-
-
- false
- false
-
-
- false
- false
-
-
- false
- false
-
-
- false
- false
-
-
- false
- false
-
-
- false
- false
-
-
-
- false
- APM Usernames and Session ID
-
-
- 1
- false
- true
- false
- true
- false
- false
- false
- true
-
-
- 0
- false
- true
- false
- true
- false
- false
- false
- true
-
-
- 0
- false
- false
- false
- false
- false
- false
- false
- true
-
-
- 0
- false
- true
- false
- false
- true
- false
- true
- true
-
-
- 1
- false
- Never
-
-
- false
-
-
- 0
- 5
- 600
- 60
- false
- true
- true
- 500
- 100
- 20
- 500
- 20
- false
- false
- true
- true
- false
- 0
- false
-
-
-
- Unix/Linux
-
-
- Apache/NCSA HTTP Server
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/SACAv1/roles/f5-azure-scca-internal-setup/files/f5.cloud_logger.v1.0.0.tmpl b/SACAv1/roles/f5-azure-scca-internal-setup/files/f5.cloud_logger.v1.0.0.tmpl
deleted file mode 100644
index b95148f..0000000
--- a/SACAv1/roles/f5-azure-scca-internal-setup/files/f5.cloud_logger.v1.0.0.tmpl
+++ /dev/null
@@ -1,753 +0,0 @@
-sys application template f5.cloud_logger.v1.0.0 {
- actions {
- definition {
- html-help {
- F5 Cloud Logging and Analytics iApp
-
-This template creates a set of configuration objects to enable logging and analytics to external solutions
- }
- implementation {
- ## Define some proc(s) for use in implementation
- proc tmsh_exe { command } {
- puts $command
- exec /usr/bin/tmsh -c $command
- }
- proc format_jsonlist { input } {
- regsub -all "\"|\\\]|\\\[|\n" $input "" input
- regsub -all "," $input " " input
- return $input
- }
- proc format_poolmembers {input} {
- set poolmembers ""
- set dataset [split [format_jsonlist $input] " "]
- foreach item $dataset {
- set member [split $item ":"]
- # Check to see if this is an IP or FQDN
- if {[regexp {^((([2][5][0-5]|([2][0-4]|[1][0-9]|[0-9])?[0-9])\.){3})([2][5][0-5]|([2][0-4]|[1][0-9]|[0-9])?[0-9])$} [lindex $member 0]]} {
- append poolmembers "mbr-$item \{ address [lindex $member 0] \}"
- } else {
- # Must be FQDN - let tmsh do validation
- append poolmembers "mbr-$item \{ fqdn \{ autopopulate enabled name [lindex $member 0] \} \}"
- }
- }
- return $poolmembers
- }
- proc format_req_logging {input} {
- # Format the input as key/value pairs in the same format as "Splunk" on the BIG-IP
- set req_template EVENT_SOURCE=\\\"request_logging\\\",BIGIP_HOSTNAME=\\\"\$BIGIP_HOSTNAME\\\"
- foreach item $input {
- append req_template ,${item}=\\\"\$${item}\\\"
- }
- return $req_template
- }
-
- package require iapp 1.3.0
- iapp::template start
-
- ######## Start iRules Declaration ########
- ######## Format iRule ########
- set format_ir {
-proc format_msg msg {
- set mgmt_hostname
- set mgmt_port
- set date [clock format [clock seconds] -format "%a, %d %b %Y %H:%M:%S GMT"]
- # If ASM strip up to ASM:unit from start
- if {[set asm [string first "ASM:unit" $msg]] >= 0}{
- set msg [string range $msg $asm [string length $msg]]
- set msg "\"${msg}"
- regsub -all "=\"" $msg "\":\"" msg
- regsub -all "\"," $msg "\",\"" msg
-
- # extract all the info we need to send
- if {[string first "support_id" $msg] >= 0} {
- set supportid [findstr $msg "support_id" 13 "\""]
- } else {
- set supportid "N/A"
- }
- # set remediation link if support ID exists
- set remediation_link "https://[expr { $supportid ne "N/A" ? "" : "N/A" }]"
-
- set final_msg "\[\{\"time\":\"$date\",\"host\":\"$static::tcl_platform(machine)\",\"logSource\":\"ASM\",\"bigipVersion\":\"$static::tcl_platform(osVersion)\",\"remediationLink\":\"$remediation_link\",$msg\}\]"
- } else {
- # Attempt to format message as JSON and send along
- set msg "\"${msg}"
- regsub -all "=\"" $msg "\":\"" msg
- regsub -all "\"," $msg "\",\"" msg
- set final_msg "\[\{\"time\":\"$date\",\"host\":\"$static::tcl_platform(machine)\",\"logSource\":\"BIGIP\",\"bigipVersion\":\"$static::tcl_platform(osVersion)\",$msg\}\]"
- }
-
- return $final_msg
-}
-proc configure_auth {final_msg key secret date host region} {
- # Handle Creation of Authentication Token
-
- return $signed_string
-}
-proc logger {msg level} {
- # Generic logger with level to determine what to log
- # If level is higher than what is set by user then log, otherwise not
- # Levels are 0=debug, 1=info, 2=error
- set loglevel
- if {$level < $loglevel} { return }
- # Syslog facility is limited to 1024 characters, anything longer is truncated in the logs
- # Loop through and log each chunk of the msg
- set max_chars 900
- set remaining $msg
- set count 1
- if {[string length $remaining] < $max_chars}{
- # no need to chunk if total msg is less than max_chars
- log local0.info "$msg"
- return
- }
- while {[string length $remaining] > $max_chars}{
- # Get the current chunk to log
- set current [string range $remaining 0 [expr { $max_chars - 1}]]
- log local0.info "chunk ${count}=${current}"
- # Get the next chunk to log
- set remaining [string range $remaining $max_chars end]
- incr count
- }
- if {[string length $remaining]}{
- log local0.info "chunk ${count}=${remaining}"
- }
- return
-}
-when RULE_INIT {
- # SOL14544 workaround
- upvar #0 tcl_platform static::tcl_platform
-}
-
-when CLIENT_ACCEPTED {
- # Base variables
- set ctx(log_type)
- # Construct full path to API endpoint
- set ctx(customer_id) ""
- set ctx(host) ""
- set ctx(full_path) ""
- # Need to put this somewhere less visible
- set ctx(key) ""
- set ctx(secret) ""
- set ctx(region) ""
- # Collect and process in CLIENT_DATA
- set buf "\n"
- TCP::collect
-}
-
-when CLIENT_DATA {
- if {[string length $buf] == 0} { set buf "\n" }
- append buf [TCP::payload]
-
- TCP::payload replace 0 [TCP::payload length] ""
- TCP::collect
- # Note: do NOT call TCP::release here, because that will reset
- # the TCP connection since we don't have a pool. If we just
- # keep calling TCP:::collect we can go on indefinitely
- while {[set dex [string first "\n" $buf]] >= 0 } {
- if {[set d2x [string first "\n" $buf [expr {$dex + 1}]]] < 0} {
- #unsure buf contains a complete message yet
- break
- }
- # Open HSL connection since we have a msg to send
- set hslpool [HSL::open -proto TCP -pool ""]
- #pull first complete msg from buf
- set rawmsg [string range $buf [expr {$dex +1 }] [expr {$d2x - 1}]]
- # remove this msg from buf
- set buf [string range $buf [expr {$d2x +1 }] end]
-
- set final_msg [call format_msg $rawmsg]
- set date
- # Handle Auth Token
- set auth_token [call configure_auth $final_msg $ctx(key) $ctx(secret) $date $ctx(host) $ctx(region)]
- # Compile full HTTP Post
- set fullPOST ""
-
- call logger "Full HTTP Post: $fullPOST" 0
- # Send message to Send VS
- catch {HSL::send $hslpool $fullPOST}
- }
- # any trailing partial message stays in buffer until next packet
- # arrives or incoming TCP connection is closed
-}
-
-when CLIENT_CLOSED {
- # deal with final message in buffer
- if {[set dex [string first "\n" $buf]] >= 1} {
- # Open HSL connection since we have a msg to send
- set hslpool [HSL::open -proto TCP -pool ""]
-
- set final_msg [call format_msg $buf]
- # Handle Auth
- set auth_token [call configure_auth $final_msg $ctx(key) $ctx(secret) $date $ctx(host) $ctx(region)]
- # Compile full HTTP Post
- set date [clock format [clock seconds] -format "%a, %d %b %Y %H:%M:%S GMT"]
- set fullPOST ""
-
- call logger "Full HTTP Post: $fullPOST" 0
- # Send message to Send VS
- catch {HSL::send $hslpool $fullPOST}
- }
-}
- }
-
- ######## Send iRule ########
- set send_ir {
-when HTTP_REQUEST {
- call ::logger "Request: [HTTP::uri]" 1
- foreach header [HTTP::header names] {
- call ::logger "Header $header: [HTTP::header value $header]" 0
- }
-}
-when HTTP_RESPONSE {
- set status [HTTP::status]
- set content_length [HTTP::header Content-Length]
- if { $content_length > 0 }{
- HTTP::collect $content_length
- }
- call ::logger "Response: $status" 1
- foreach header [HTTP::header names] {
- call ::logger "Header $header: [HTTP::header value $header]" 0
- }
-}
-when HTTP_RESPONSE_DATA {
- set payload [HTTP::payload]
- HTTP::respond $status content $payload
- call ::logger "Payload Data $content_length: $payload" 0
-
-}
- }
- ######## End iRules Declaration ########
-
- set app $tmsh::app_name
- set dynamic_mgmt_port [tmsh::get_field_value [lindex [tmsh::get_config "sys httpd ssl-port"] 0] "ssl-port"]
- set is_v13_0 [iapp::tmos_version >= 13.0]
- set path [tmsh::pwd]
-
-
- # Keys: $analytics_solution
- array set key_arr {
- azure_oms { $::analytics_config__shared_key }
- aws_cw { $::analytics_config__access_key }
- * { not_required }
- }
- array set secret_arr {
- azure_oms { not_required }
- aws_cw { $::analytics_config__secret_key }
- * { not_required }
- }
-
- # Generic Variables
- set analytics_solution [expr { [info exists ::analytics_config__analytics_solution] ? "$::analytics_config__analytics_solution" : "azure_oms" }]
- set fqdn_suffix [expr { [iapp::is ::basic__advanced yes] && [iapp::is ::analytics_config__azure_env azureusgov] ? "us" : "com" }]
- set asm_log_choice [expr { [info exists ::logging_config__asm_log_choice] && [iapp::is ::logging_config__asm_log_choice yes] }]
- set dos_logs [expr { $asm_log_choice && [info exists ::logging_config__dos_logs] && [iapp::is ::logging_config__dos_logs yes] }]
- set apm_log_choice [expr { [info exists ::logging_config__apm_log_choice] && [iapp::is ::logging_config__apm_log_choice yes] }]
- set afm_log_choice [expr { [info exists ::logging_config__afm_log_choice] && [iapp::is ::logging_config__afm_log_choice yes] }]
- set ltm_req_log_choice [expr { [info exists ::logging_config__ltm_req_log_choice] && [iapp::is ::logging_config__ltm_req_log_choice yes] }]
- set mgmt_hostname [expr { [iapp::is ::internal_config__hostname custom] ? "$::internal_config__mgmt_hostname" : {$static::tcl_platform(machine)} }]
- set mgmt_port [expr { [iapp::is ::internal_config__port custom] ? "$::internal_config__mgmt_port" : "$dynamic_mgmt_port" }]
- set key [iapp::substa key_arr($analytics_solution)]
- set secret [iapp::substa secret_arr($analytics_solution)]
- set format_vs_port [expr { [iapp::is ::basic__advanced yes] && [info exists ::internal_config__format_vs_port] ? $::internal_config__format_vs_port : "1001" }]
- set send_vs_port [expr { [iapp::is ::basic__advanced yes] && [info exists ::internal_config__send_vs_port] ? $::internal_config__send_vs_port : "41001" }]
- set log_level [expr { [iapp::is ::basic__advanced yes] && [info exists ::internal_config__irule_log_level] ? "$::internal_config__irule_log_level" : "2" }]
- set remediation_link [expr { $is_v13_0 ? {${mgmt_hostname}:${mgmt_port}/dms/policy/requests_ng.php?popup\=1&supportId\=${supportid}} : {${mgmt_hostname}:${mgmt_port}/dms/policy/win_open_proxy_request.php?id\=&support_id\=${supportid}} }]
- # Azure OMS Variables
- set workspace [expr { [info exists ::analytics_config__workspace] ? "$::analytics_config__workspace" : "not_required" }]
- set log_type [expr { [info exists ::analytics_config__log_type] ? "$::analytics_config__log_type" : "F5CustomLogs" }]
- # AWS CloudWatch Variables
- set aws_region [expr { [info exists ::analytics_config__aws_region] ? "$::analytics_config__aws_region" : "not_required" }]
- set log_group_name [expr { [info exists ::analytics_config__log_group_name] ? "$::analytics_config__log_group_name" : "ASMLogs" }]
- set log_stream_name [expr { [info exists ::analytics_config__log_stream_name] ? "$::analytics_config__log_stream_name" : "ASMStream01" }]
-
- # create SSL cert for logging virtual server SSL
- catch { tmsh_exe "create sys crypto key ${app}_send_vs_cert gen-certificate common-name Cloud_Analytics_Logging country US lifetime 3650" }
-
- ## Account for uniqueness in the iRule(s) based on which analytics solution it is using
- # Keys: $analytics_solution
- array set host_arr {
- azure_oms { ${workspace}.ods.opinsights.azure.${fqdn_suffix} }
- aws_cw { logs.${aws_region}.amazonaws.com }
- * { not_required }
- }
- # Keys: $analytics_solution
- array set path_arr {
- azure_oms {/api/logs?api-version=2016-04-01}
- aws_cw {/}
- * {/}
- }
- # Keys: $analytics_solution
- array set post_arr {
- azure_oms {POST ${ctx(full_path)} HTTP/1.1\nHost: ${ctx(host)}\nContent-Length: [string length $final_msg]\nContent-Type: application/json\nx-ms-date: $date\nLog-Type: ${ctx(log_type)}\nAuthorization: SharedKey ${ctx(customer_id)}:$auth_token\n\n${final_msg}}
- aws_cw {POST ${ctx(full_path)} HTTP/1.1\nHost: ${ctx(host)}\nConnection: keep-alive\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-amz-json-1.1\nAuthorization: ${auth_token}\nX-Amz-Date: $date\nX-Amz-Target: Logs_20140328.PutLogEvents\nContent-Length: [string length $final_msg]\n\n${final_msg}}
- * {POST /}
- }
- # Keys: $analytics_solution
- array set extra_fmt_arr {
- aws_cw {set epoch_date [expr [clock seconds] * 1000]
- set log_group_name ""
- set log_stream_name ""
- # Account for this being JSON inside of JSON
- regsub -all "\"" $final_msg "\\\"" final_msg
- regsub -all "\\n" $final_msg "" final_msg
- regsub -all "\\r" $final_msg "" final_msg
- ## Handle Sequence Token
- # Check if token is available before using
- set seq_token ""
- set t 50
- #call logger "Seq Token Status: [table lookup seq_token_status]" 0
- for {set i 0} { $i < $t } {incr i} {
- if { [table lookup seq_token_status] == "busy" } {
- # Keep trying after delay
- after 10
- } else {
- # Sequence token is available, grab it and break from loop
- table set seq_token_status "busy"
- set seq_token [table lookup seq_token]
- break
- }
- }
- if { $seq_token equals "" } {
- set seq_token null
- } else {
- set seq_token \"$seq_token\"
- }
- set final_msg "\{\"sequenceToken\":${seq_token},\"logGroupName\":\"${log_group_name}\",\"logStreamName\":\"${log_stream_name}\",\"logEvents\":\[\{\"timestamp\":${epoch_date},\"message\":\"${final_msg}\"\}\]\}"}
- azure_oms {# Return final_msg
- }
- * {# Return final_msg
- }
- }
- # Keys: $analytics_solution
- array set auth_proc_arr {
- azure_oms {set str_to_sign "POST\n[string length $final_msg]\napplication/json\nx-ms-date:$date\n/api/logs"
- set decoded_key [b64decode $key]
- set token [CRYPTO::sign -alg hmac-sha256 -key $decoded_key $str_to_sign]
- set signed_string [b64encode ${token}]}
- aws_cw {set date_stamp [clock format [clock seconds] -format "%Y%m%d"]
- set signed_headers "content-type;host;x-amz-date;x-amz-target"
- set req_headers "content-type:application/x-amz-json-1.1\nhost:${host}\nx-amz-date:${date}\nx-amz-target:Logs_20140328.PutLogEvents\n"
- binary scan [CRYPTO::hash -alg sha256 $final_msg] H* payload_hash
- set request "POST\n/\n\n${req_headers}\n${signed_headers}\n${payload_hash}"
- set algorithm "AWS4-HMAC-SHA256"
- set service "logs"
- set cred_scope "${date_stamp}/${region}/${service}/aws4_request"
- binary scan [CRYPTO::hash -alg sha256 $request] H* request_hash
- set str_to_sign "${algorithm}\n${date}\n${cred_scope}\n${request_hash}"
-
- set kDate [CRYPTO::sign -alg hmac-sha256 -key AWS4${secret} $date_stamp]
- set kRegion [CRYPTO::sign -alg hmac-sha256 -key $kDate $region]
- set kService [CRYPTO::sign -alg hmac-sha256 -key $kRegion $service]
- set kSigning [CRYPTO::sign -alg hmac-sha256 -key $kService aws4_request]
- binary scan [CRYPTO::sign -alg hmac-sha256 -key $kSigning $str_to_sign] H* auth_token
- set signed_string "${algorithm} Credential=${key}/${cred_scope}, SignedHeaders=${signed_headers}, Signature=${auth_token}"}
- * {set signed_string ""}
- }
- # Keys: $analytics_solution
- array set seq_table_arr {
- azure_oms {# Event end
- }
- aws_cw {
- # Handle AWS Sequence Token
- if {[set seq_token_loc [string first \"nextSequenceToken\":\" $payload]] >= 0}{
- set seq_token [string range $payload [expr $seq_token_loc + 21] [expr [string first \" $payload [expr $seq_token_loc + 21]] -1]]
- } elseif {[set seq_token_loc [string first \"expectedSequenceToken\":\" $payload]] >= 0}{
- set seq_token [string range $payload [expr $seq_token_loc + 25] [expr [string first \",\" $payload $seq_token_loc] -1]]
- } else {
- set seq_token ""
- }
- table set seq_token $seq_token indefinite
- table set seq_token_status "free"
- }
- * {# Event end
- }
- }
- # Keys: $analytics_solution
- array set date_arr {
- azure_oms {[clock format [clock seconds] -format "%a, %d %b %Y %H:%M:%S GMT"]}
- aws_cw {[clock format [clock seconds] -format "%Y%m%dT%H%M%SZ"]}
- * {[clock format [clock seconds] -format "%a, %d %b %Y %H:%M:%S GMT"]}
- }
-
- ## Create iRules
- set map " $mgmt_hostname
- $mgmt_port
- ${app}_send_vs_pool
- [iapp::substa host_arr($analytics_solution)]
- \{$path_arr($analytics_solution)\}
- \{$post_arr($analytics_solution)\}
- $workspace
- $key
- $secret
- $log_type
- $log_level
- ${app}_format_ir
- \{$extra_fmt_arr($analytics_solution)\}
- \{$date_arr($analytics_solution)\}
- $aws_region
- \{$auth_proc_arr($analytics_solution)\}
- \{$seq_table_arr($analytics_solution)\}
- $log_group_name
- $log_stream_name
- \{$remediation_link\}
- "
-
- set extra_map " $log_group_name
- $log_stream_name
- "
- iapp::conf create ltm rule ${app}_format_ir \{ [string map $extra_map [string map $map $format_ir]] \}
- iapp::conf create ltm rule ${app}_send_ir \{ [string map $extra_map [string map $map $send_ir]] \}
-
- # TCP profile with a short idle time-out to force the last event message out of the Format VS iRule buffer
- iapp::conf create ltm profile tcp ${app}_logging_tcp \{ defaults-from tcp idle-timeout 15 \}
- # Create Server SSL profile for Send VS
- iapp::conf create ltm profile server-ssl ${app}_send_sssl \{ cert ${app}_send_vs_cert.crt defaults-from serverssl-insecure-compatible key ${app}_send_vs_cert.key \}
-
- # Point to send iRule virtual server via this pool
- iapp::conf create ltm pool ${app}_send_vs_pool \{ members replace-all-with \{ 255.255.255.254:${send_vs_port} \{ address 255.255.255.254 \} \} monitor tcp \}
- # create analytics solution pool
- # Keys: $analytics_solution
- array set pool_arr {
- azure_oms { [iapp::conf create ltm pool ${app}_logging_offbox \{ members replace-all-with \{ [format_poolmembers [string map {" " ""} [iapp::substa host_arr($analytics_solution)]:443]] \} monitor tcp \}] }
- aws_cw { [iapp::conf create ltm pool ${app}_logging_offbox \{ members replace-all-with \{ [format_poolmembers [string map {" " ""} [iapp::substa host_arr($analytics_solution)]:443]] \} monitor tcp \}] }
- * {}
- }
-
- # Create Format and Send VS
- iapp::conf create ltm virtual ${app}_format_vs \{ destination 255.255.255.254:${format_vs_port} ip-protocol tcp mask 255.255.255.255 source 0.0.0.0/0 profiles replace-all-with \{ ${app}_logging_tcp \} rules \{${app}_format_ir \}\}
- iapp::conf create ltm virtual ${app}_send_vs \{ destination 255.255.255.254:${send_vs_port} ip-protocol tcp mask 255.255.255.255 pool [iapp::substa pool_arr($analytics_solution)] profiles replace-all-with \{ http \{\} oneconnect \{\} ${app}_send_sssl \{ context serverside \} tcp \{ \} \} source 0.0.0.0/0 source-address-translation \{ type automap \} rules \{ ${app}_send_ir \}\}
-
-
- # Logging publisher(s) and pool(s) required for some log sources
- if { $dos_logs || $apm_log_choice || $ltm_req_log_choice || $afm_log_choice } {
- iapp::conf create ltm pool ${app}_format_pool \{ members replace-all-with \{ 255.255.255.254:${format_vs_port} \{ address 255.255.255.254 \} \} monitor tcp \}
-
- iapp::conf create sys log-config destination remote-high-speed-log ${path}/${app}_dest_logger \{ pool-name ${path}/${app}_format_pool \}
- iapp::conf create sys log-config destination splunk ${path}/${app}_fmt_logger \{ forward-to ${path}/${app}_dest_logger \}
- iapp::conf create sys log-config publisher /Common/${app}_publisher \{ destinations replace-all-with \{ ${path}/${app}_fmt_logger \{ \} \} \}
- }
-
- ## ASM/AFM can share the same remote logging profile, as such simply check what was selected
- ## in the iApp and append to a single security logging profile.
- # ASM logging profile
- # Keys: $::logging_config__asm_log_level
- array set asm_log_req_arr {
- log_illegal { illegal }
- log_illegal_plus_staged { illegal-including-staged-signatures }
- log_all { all }
- }
- # Keys: $asm_log_choice
- array set asm_log_arr {
- 1 { application replace-all-with \{ ${app}_remote_logging \{ local-storage disabled filter replace-all-with \{ protocol \{ values replace-all-with \{ all \} \} request-type \{ values replace-all-with \{ [iapp::substa asm_log_req_arr($::logging_config__asm_log_level)] \} \} search-all \{ \} \} maximum-entry-length 10k remote-storage splunk servers replace-all-with \{ 255.255.255.254:${format_vs_port} \{ \} \} \} \} }
- * { }
- }
- # Keys: $dos_logs
- array set dos_log_arr {
- 1 { dos-application replace-all-with \{ ${app}_remote_l7dos_logging \{ local-publisher none remote-publisher /Common/${app}_publisher \} \} }
- * { }
- }
- # AFM logging profile
- # Keys: $afm_log_choice
- array set afm_log_arr {
- 1 { network replace-all-with \{ ${app}_remote_logging \{ publisher /Common/${app}_publisher filter \{ log-acl-match-drop [expr {[lsearch $::logging_config__afm_log_level "match_drop"] != -1 ? "enabled" : "disabled" }] log-acl-match-reject [expr {[lsearch $::logging_config__afm_log_level "match_reject"] != -1 ? "enabled" : "disabled" }] log-acl-match-accept [expr {[lsearch $::logging_config__afm_log_level "match_accept"] != -1 ? "enabled" : "disabled" }] \} \} \} }
- * { }
- }
-
- # Create Security (ASM/AFM) logging profile
- if { $asm_log_choice || $afm_log_choice } {
- iapp::conf create security log profile ${app}_remote_logging [iapp::substa asm_log_arr($asm_log_choice)] [iapp::substa dos_log_arr($dos_logs)] [iapp::substa dos_log_arr($dos_logs)] [iapp::substa afm_log_arr($afm_log_choice)]
- }
- # Create APM logging profile
- if { $apm_log_choice } {
- set apm_lg_lvl $::logging_config__apm_log_level
- # Add some additional logging options available in v13.x and above
- if { $is_v13_0 } {
- set apm_opt_items "endpoint-management-system $apm_lg_lvl paa $apm_lg_lvl vdi $apm_lg_lvl"
- } else {
- set apm_opt_items ""
- }
- iapp::conf create apm log-setting ${app}_remote_logging access replace-all-with \{ access \{ log-level \{ access-control $apm_lg_lvl access-per-request $apm_lg_lvl apm-acl $apm_lg_lvl eca $apm_lg_lvl oauth $apm_lg_lvl sso $apm_lg_lvl swg $apm_lg_lvl $apm_opt_items \} publisher /Common/${app}_publisher \} \} url-filters replace-all-with \{ urlf \{ filter \{ log-allowed-url false log-blocked-url true log-confimed-url true \} publisher /Common/${app}_publisher \} \}
- }
- # Create LTM request logging profile
- if { $ltm_req_log_choice } {
- # Format what is sent as key/value pairs in the same format as "Splunk" on the BIG-IP is sent
- # that way it will be processed in the same manner
- # The list of request logging parameters are available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/3.html
- set ltm_req_log_template [format_req_logging $::logging_config__ltm_req_log_options]
- iapp::conf create ltm profile request-log ${app}_remote_logging defaults-from request-log request-log-pool ${path}/${app}_format_pool request-log-protocol mds-tcp request-log-template $ltm_req_log_template request-logging enabled
- }
-
- iapp::template stop
- }
- macro {
- }
- presentation {
- include "/Common/f5.apl_common"
-section intro {
- # APL choice values may be set even if the optional
- # clause is not true. This trick is useful for setting
- # values that APL otherwise would not have access to.
- # Here, system provisioning values are recalled, and later
- # used to customize messages displayed within the template.
- optional ( "HIDE" == "THIS" ) {
- choice asm_provisioned tcl {
- return [expr {[iapp::get_provisioned asm] ? "yes" : "no"}]
- }
- choice apm_provisioned tcl {
- return [expr {[iapp::get_provisioned apm] ? "yes" : "no"}]
- }
- choice afm_provisioned tcl {
- return [expr {[iapp::get_provisioned afm] ? "yes" : "no"}]
- }
- choice is_admin tcl {
- return [expr { [iapp::get_user -is_admin] ? "yes" : "no"}]
- }
- choice is_v13_0 tcl {
- return [expr {[iapp::tmos_version >= 13.0] ? "yes" : "no"}]
- }
- }
- message hello "This iApp will configure logging for BIG-IP modules to be sent to a specific set of cloud analytics solutions. The solution will create logging profiles which can be attached to the appropriate objects (VS, APM policy, etc.) required which will result in logs being sent to the selected cloud analaytics solution. Note: Please be aware that this may (depending on level of logging required) affect performance of the BIG-IP as a result of the processing happening to construct and send the log messages over HTTP to the cloud analytics solution."
- }
-section basic {
- choice advanced display "xxlarge" default "no" {
- "Basic - Use F5's recommended settings" => "no" ,
- "Advanced - Configure advanced options" => "yes"
- }
- choice help display "xxlarge" default "hide" {
- "Yes, show inline help" => "show" ,
- "No, do not show inline help" => "hide"
- }
- optional ( help == "show" ) {
- message help_max "Inline help is available to provide contextual descriptions to aid in the completion of this configuration. Select to show or hide the inline help in this template. Important notes and warnings are always visible, no matter which selection you make here. "
- }
-}
-section analytics_config {
- choice analytics_solution display "xlarge" default "azure_oms" {
- "Azure (OMS)" => "azure_oms" ,
- "AWS (CloudWatch)" => "aws_cw"
- }
- optional ( analytics_solution == "azure_oms" ) {
- optional ( basic.advanced == "yes" ) {
- choice azure_env display "xlarge" default "azure" {
- "Azure" => "azure",
- "Azure US Government" => "azureusgov"
- }
- optional ( basic.help == "show" ) {
- message azure_env_help "Select which Azure environment you are deploying into."
- }
- }
- string workspace display "xxlarge" required
- optional ( basic.help == "show" ) {
- message workspace_help "Enter the Azure OMS workspace ID."
- }
- password shared_key display "xxlarge" required
- optional ( basic.help == "show" ) {
- message shared_key_help "Enter the primary or secondary shared key for the OMS workspace."
- }
- string log_type display "large" default "F5CustomLog" required
- message log_type_value_help "The log type cannot contain special characters or numeric characters."
- optional ( basic.help == "show" ) {
- message log_type_help "The log type inputted here is used as the log type when submitting to Azure OMS, you can then search for logs based on the log type name plus '_CL', for example: F5CustomLog_CL"
- }
- }
- optional ( analytics_solution == "aws_cw" ) {
- choice aws_region display "large" default "us-west-1" {"us-west-1", "us-west-2", "us-east-1", "us-east-2", "ca-central-1", "ap-south-1", "ap-northeast-1", "ap-northeast-2", "ap-southeast-1", "ap-southeast-2", "eu-central-1", "eu-west-1", "eu-west-2", "sa-east-1"}
- optional ( basic.help == "show" ) {
- message aws_region_help "Select the AWS CloudWatch region to log to."
- }
- string log_group_name display "xlarge" required
- string log_stream_name display "xlarge" required
- string access_key display "xxlarge" required
- password secret_key display "xxlarge" required
- }
-}
-section logging_config {
- optional ( intro.asm_provisioned == "yes" ) {
- choice asm_log_choice display "xlarge" default "yes" {
- "Enable ASM logging" => "yes" ,
- "Don't enable ASM logging" => "no"
- }
- optional ( basic.help == "show" ) {
- message asm_log_choice_help "Select whether you would like to enable ASM logging, you will need to attach the Security log profile created by this iApp to the virtual servers required (Security Tab)."
- }
- optional ( asm_log_choice == "yes" ) {
- choice asm_log_level display "xlarge" default "log_illegal" {
- "Log illegal requests only (recommended)" => "log_illegal",
- "Log illegal requests and staged signatures" => "log_illegal_plus_staged",
- "Log all requests (verbose)" => "log_all"
- }
- optional ( basic.help == "show" ) {
- message asm_log_level_help "Select what level of ASM logging you prefer, logging illegal requests only will result in the least number of log messages."
- }
- choice dos_logs display "xlarge" default "yes" {
- "Include DOS protection logging" => "yes",
- "Don't include DOS protection logging" => "no"
- }
- optional ( basic.help == "show" ) {
- message dos_logs_help "Select whether you would like to include DOS logging within the ASM logging profile."
- }
- }
- }
- optional ( intro.apm_provisioned == "yes" ) {
- choice apm_log_choice display "xlarge" default "yes" {
- "Enable APM logging" => "yes" ,
- "Don't enable APM logging" => "no"
- }
- optional ( basic.help == "show" ) {
- message apm_log_choice_help "Select whether you would like to enable APM logging, you will need to attach the APM log profile created by this iApp to the required APM policies."
- }
- optional ( apm_log_choice == "yes" ) {
- choice apm_log_level display "xlarge" default "crit" {
- "Emergency" => "emerg",
- "Alert" => "alert",
- "Critical" => "crit",
- "Error" => "err",
- "Warning" => "warn",
- "Notice" => "notice",
- "Informational" => "info",
- "Debug" => "debug"
- }
- optional ( basic.help == "show" ) {
- message apm_log_level_help "Select what level of APM logging you prefer, this will be applied to all policy options in the APM logging profile. Note: Choosing a higher criticality level will result in fewer log messages."
- }
- }
- }
- optional ( intro.afm_provisioned == "yes" ) {
- choice afm_log_choice display "xlarge" default "yes" {
- "Enable AFM logging" => "yes" ,
- "Don't enable AFM logging" => "no"
- }
- optional ( basic.help == "show" ) {
- message afm_log_choice_help "Select whether you would like to enable AFM logging, you will need to attach the Security log profile created by this iApp to the virtual servers required (Security Tab)."
- }
- optional ( afm_log_choice == "yes" ) {
- multichoice afm_log_level display "xlarge" default { "match_drop", "match_reject" } {
- "Dropped Connections" => "match_drop",
- "Rejected Connections" => "match_reject",
- "Accepted Connections" => "match_accept"
- }
- optional ( basic.help == "show" ) {
- message afm_log_level_help "Select what level of AFM logging you prefer, logging dropped and rejected requests only is recommended and will result in the least number of log messages."
- }
- }
- }
- choice ltm_req_log_choice display "xlarge" default "no" {
- "Enable LTM request logging" => "yes" ,
- "Don't enable LTM request logging" => "no"
- }
- optional ( basic.help == "show" ) {
- message ltm_req_log_choice_help "Select whether you would like to enable LTM request logging, you will need to attach the LTM request log profile created by this iApp to the virtual servers desired."
- }
- optional ( ltm_req_log_choice == "yes" ) {
- multichoice ltm_req_log_options display "xlarge" default { "CLIENT_IP", "SERVER_IP", "HTTP_METHOD", "HTTP_URI", "VIRTUAL_NAME" } {
- "CLIENT_IP" => "CLIENT_IP",
- "CLIENT_PORT" => "CLIENT_PORT",
- "SERVER_IP" => "SERVER_IP",
- "HTTP_METHOD" => "HTTP_METHOD",
- "HTTP_URI" => "HTTP_URI",
- "HTTP_QUERY" => "HTTP_QUERY",
- "HTTP_VERSION" => "HTTP_VERSION",
- "VIRTUAL_IP" => "VIRTUAL_IP",
- "VIRTUAL_PORT" => "VIRTUAL_PORT",
- "VIRTUAL_NAME" => "VIRTUAL_NAME",
- "VIRTUAL_POOL_NAME" => "VIRTUAL_POOL_NAME"
- }
- optional ( basic.help == "show" ) {
- message ltm_req_log_options_help "Select which request parameters to send in the log message. The complete list and descriptions can be found here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/3.html"
- }
- }
-}
-section internal_config {
- choice hostname display "xxlarge" default "yes" {
- "Use dynamic BIG-IP management hostname" => "yes" ,
- "Use custom BIG-IP management hostname" => "custom"
- }
- optional ( hostname == "custom" ) {
- string mgmt_hostname display "xxlarge" default "bigip.f5.com" required
- }
- choice port display "xxlarge" default "yes" {
- "Use dynamic BIG-IP management port" => "yes" ,
- "Use custom BIG-IP management port" => "custom"
- }
- optional ( port == "custom" ) {
- string mgmt_port display "small" validator "PortNumber" default "443" required
- }
- optional ( basic.advanced == "yes" ) {
- string format_vs_port display "small" validator "PortNumber" default "1001" required
- string send_vs_port display "small" validator "PortNumber" default "41001" required
- choice irule_log_level display "xlarge" default "2" {
- "Log debug messages" => "0" ,
- "Log info messages" => "1" ,
- "Log only errors" => "2"
- }
- }
-}
-text {
- intro "F5 cloud logging and analytics solution"
- intro.hello "Introduction"
-
- basic "Template Options"
- basic.advanced "Which configuration mode do you want to use?"
- basic.help "Do you want to see inline help?"
- basic.help_max "Help"
-
- analytics_config "Analytics Provider"
- analytics_config.analytics_solution "Which analytics solution are you using?"
- analytics_config.azure_env "Which Azure environment are you deploying into?"
- analytics_config.azure_env_help "Note:"
- analytics_config.workspace "What is the Azure OMS workspace ID?"
- analytics_config.workspace_help "Note:"
- analytics_config.shared_key "What is the shared access key (primary or secondary) for the Azure OMS workspace?"
- analytics_config.shared_key_help "Note:"
- analytics_config.log_type "What would you like the log type to be called?"
- analytics_config.log_type_value_help "Note:"
- analytics_config.log_type_help "Note:"
- analytics_config.aws_region "Which AWS region of the CloudWatch Logs provider would you like to send logs?"
- analytics_config.aws_region_help "Note:"
- analytics_config.log_group_name "What is the AWS CloudWatch Logs group name?"
- analytics_config.log_stream_name "What is the AWS CloudWatch Logs group's stream name?"
- analytics_config.access_key "What is the access key you would like to use for the API calls?"
- analytics_config.secret_key "What is the secret key you would like to use for the API calls?"
-
- logging_config "Log Selection"
- logging_config.asm_log_choice "Would you like to enable ASM logging?"
- logging_config.asm_log_choice_help "Note:"
- logging_config.asm_log_level "What ASM requests would you like to log?"
- logging_config.asm_log_level_help "Note:"
- logging_config.dos_logs "Would you like to include ASM DOS logging?"
- logging_config.dos_logs_help "Note:"
- logging_config.apm_log_choice "Would you like to enable APM logging?"
- logging_config.apm_log_choice_help "Note:"
- logging_config.apm_log_level "What level of APM logging do you prefer?"
- logging_config.apm_log_level_help "Note:"
- logging_config.afm_log_choice "Would you like to enable AFM logging?"
- logging_config.afm_log_choice_help "Note:"
- logging_config.afm_log_level "What AFM requests would you like to log?"
- logging_config.afm_log_level_help "Note:"
- logging_config.ltm_req_log_choice "Would you like to enable LTM Request logging?"
- logging_config.ltm_req_log_choice_help "Note:"
- logging_config.ltm_req_log_options "What Request parameters would you like to send in the log?"
- logging_config.ltm_req_log_options_help "Note:"
-
- internal_config "Solution Configuration"
- internal_config.hostname "Would you like to use the dynamic BIG-IP managment hostname?"
- internal_config.mgmt_hostname "What is the mgmt FQDN or IP you would like to use?"
- internal_config.port "Would you like to use the dynamic BIG-IP managment port?"
- internal_config.mgmt_port "What is the mgmt port you would like to use ?"
- internal_config.format_vs_port "What would you like the format VS port to be?"
- internal_config.send_vs_port "What would you like the send (HTTP Post) VS port to be?"
- internal_config.irule_log_level "What level of internal logging would you like this solution to use (debug/info during testing)?"
-}
- }
- role-acl { admin manager resource-admin }
- run-as none
- }
- }
- description none
- ignore-verification false
- requires-bigip-version-max none
- requires-bigip-version-min 12.1
- requires-modules none
- signing-key none
- tmpl-checksum none
- tmpl-signature none
-}
diff --git a/SACAv1/roles/f5-azure-scca-internal-setup/files/f5.http.v1.2.0rc7.tmpl b/SACAv1/roles/f5-azure-scca-internal-setup/files/f5.http.v1.2.0rc7.tmpl
deleted file mode 100644
index b0f66f6..0000000
--- a/SACAv1/roles/f5-azure-scca-internal-setup/files/f5.http.v1.2.0rc7.tmpl
+++ /dev/null
@@ -1,4278 +0,0 @@
-# Copyright 2016. F5 Networks, Inc. See End User License Agreement (EULA) for
-# license terms. Notwithstanding anything to the contrary in the EULA, Licensee
-# may copy and modify this software product for its internal business purposes.
-# Further, Licensee may upload, publish and distribute the modified version of
-# the software product on devcentral.f5.com.
-
-cli script f5.iapp.1.5.2.cli {
-
-# Initialization proc for all templates.
-# Parameters "start" and "stop" or "end".
-proc iapp_template { action } {
- switch $action {
- start {
- catch { tmsh::modify sys scriptd log-level debug }
- set ::clock_clicks [clock clicks]
- puts "\nStarting iApp $tmsh::app_template_name [clock format \
- [clock seconds] -format {%m/%d/%Y %T}]\n"
- tmsh::log info "Starting iApp template $tmsh::app_template_name"
- }
- stop -
- end {
- if { [info exists ::substa_debug] } {
- puts $::substa_debug
- }
- puts "\nEnding iApp $tmsh::app_template_name [clock format \
- [clock seconds] -format {%m/%d/%Y %T}]\nRun time [expr \
- { ([clock clicks] - $::clock_clicks) / 1000 }] msec\n"
- tmsh::log info "Ending iApp template $tmsh::app_template_name"
- }
- }
- set ::HTTP_CONTENT_TYPES { application/(css\|css-stylesheet\|doc\|excel\|javascript\|json\|lotus123\|mdb\|mpp\|msaccess\|msexcel\|ms-excel\|mspowerpoint\|ms-powerpoint\|msproject\|msword\|ms-word\|photoshop\|postscript\|powerpoint\|ps\|psd\|quarkexpress\|rtf\|txt\|visio\|vnd\\.excel\|vnd\\.msaccess\|vnd\\.ms-access\|vnd\\.msexcel\|vnd\\.ms-excel\|vnd\\.mspowerpoint\|vnd\\.ms-powerpoint\|vnd\\.ms-pps\|vnd\\.ms-project\|vnd\\.msword\|vnd\\.ms-word\|vnd\\.ms-works\|vnd\\.ms-works-db\|vnd\\.powerpoint\|vnd\\.visio\|vnd\\.wap\\.cmlscriptc\|vnd\\.wap\\.wmlc\|vnd\\.wap\\.xhtml\\+xml\|vnd\\.word\|vsd\|winword\|wks\|word\|x-excel\|xhtml\\+xml\|x-java-jnlp-file\|x-javascript\|x-json\|x-lotus123\|xls\|x-mdb\|xml\|x-mscardfile\|x-msclip\|x-msexcel\|x-ms-excel\|x-mspowerpoint\|x-msproject\|x-ms-project\|x-msword\|x-msworks-db\|x-msworks-wps\|x-photoshop\|x-postscript\|x-powerpoint\|x-ps\|x-quark-express\|x-rtf\|x-vermeer-rpc\|x-visio\|x-vsd\|x-wks\|x-word\|x-xls\|x-xml) image/(photoshop\|psd\|x-photoshop\|x-vsd) text/(css\|html\|javascript\|json\|plain\|postscript\|richtext\|rtf\|vnd\\.wap\\.wml\|vnd\\.wap\\.wmlscript\|wap\|wml\|x-component\|xml\|x-vcalendar\|x-vcard) }
-}
-
-proc iapp_is { args } {
- set up_var [lindex $args 0]
- upvar $up_var var
- if { [info exists var] } {
- foreach val [lrange $args 1 end] {
- if { [subst $var] eq $val } {
- return 1
- }
- }
- }
- return 0
-}
-
-proc iapp_substa { args } {
- upvar substa_in argx \
- substa_out rval
- set argx $args
-
- # check the explicit value first.
- # multiple layers of variable substitution requires multiple subst.
- # error occurs here if any of the substituted variables do not exist
- # valid wildcard (*) array entries will fail here first.
- uplevel {
- append ::substa_debug "\n$substa_in"
- if { [info exists [set substa_in]] } {
- set substa_out [subst $$substa_in]
- set substa_out [subst $substa_out]
- } else {
- # since explicit value did not exist, try a wildcard value.
- # substitute "*" as the array key and repeat.
- set substa_tmp [split $substa_in "()"]
- set substa_in "[lindex $substa_tmp 0](*)"
- append ::substa_debug "*"
- if { [info exists [set substa_in]] } {
- set substa_out [subst $$substa_in]
- set substa_out [subst $substa_out]
- } else {
- error "substa \"$substa_in\" array value not found"
- }
- }
- }
- return $rval
-}
-
-proc iapp_conf { args } {
-
- # Return value $object_name is set to the first word in $arg that
- # contains an underscore, since the position of the object name in
- # tmsh syntax is not consistent.
- set args [join $args]
- set object_name [lindex $args [lsearch -glob $args "*_*"]]
-
- # Global array ::tmsh_history persists between calls to iapp_conf
- # in order to suppress duplicate commands.
- if { ![info exists ::tmsh_history($args)] } {
- set ::tmsh_history($args) 1
- iapp_debug $args
- switch -exact -- [string range $args 0 5] {
- create { tmsh::create [string range $args 7 end] }
- modify { tmsh::modify [string range $args 7 end] }
- delete { tmsh::delete [string range $args 7 end] }
- default { error "iapp_conf illegal parameter" }
- }
- }
- return $object_name
-}
-
-proc iapp_make_safe_password { password } {
- return [string map { \' \\\' \" \\\" \{ \\\{ \} \\\} \; \\\; \| \\\| \# \\\# \ \\\ \\ \\\\ } $password]
-}
-
-proc iapp_pull { loc items_list } {
- upvar $items_list items
- if { [set item [lindex $items $loc]] != "" } {
- set items [lreplace $items $loc $loc]
- }
- return $item
-}
-
-proc iapp_process_flags { flags_array args_list } {
- upvar $flags_array flags
- upvar $args_list args
-
- if { [set dubdash [lsearch $args "--"]] != -1 } {
- set args [lreplace $args $dubdash $dubdash];
- } else {
- set dubdash end
- }
-
- foreach flag [array names flags] {
- while { [set ptr [lsearch [lrange $args 0 $dubdash] $flag]] != -1 } {
- set args [lreplace $args $ptr $ptr];
-
- # we want to run the code in the flags_array at the calling
- # proc's level so that the variables that it sets up are
- # available there.
- set access_var [format "$%s(%s)" $flags_array $flag]
- set command [subst -nocommands { set ptr $ptr ; subst $access_var }]
-
- uplevel 1 $command
- }
- }
- return $args
-}
-
-proc iapp_tmos_version { args } {
- set cversion [tmsh::version]
- if { $cversion eq "" } {
- tmsh::log err "unable to determine TMOS version"
- error "unable to determine TMOS version"
- }
-
- # if no op+version was specified, just return the version
- if { $args eq "" } { return $cversion }
- if { [llength $args] > 2 } {
- error "Too many arguments"
- }
-
- set op [lindex $args 0]; # operator
- set NOTFOUND -1
- # constrain to valid operators - adding more is fine as long as
- # they are supported by [expr] (and makes sense)
- if { [lsearch -exact { < > <= >= == != } $op] == $NOTFOUND } {
- tmsh::log err "illegal operator: $op"
- error "illegal operator: $op"
- }
-
- set tversion [lindex $args 1]; # target version
- # one or two decimal digits, optionally followed by 0-2 complete groups of
- # dots followed by one or two decimal digits with nothing before or after
- set regex {^\d{1,2}(\.\d{1,2}){0,2}$}
- if { ! [regexp -- $regex $tversion] } {
- tmsh::log err "cannot parse version from: $tversion"
- error "cannot parse version from: $tversion"
- }
-
- # p=>prefix, c=>current, t=>target
- foreach p { c t } {
- # extract major/minor/point components
- scan [set [set p]version] "%d.%d.%d" [set p]mjr [set p]mnr [set p]pnt
- # ensure that these are each set to at least 0
- foreach level { mjr mnr pnt } {
- if { ! [info exists [set p]${level}] } { set [set p]${level} 0 }
- }
- # turn them into one big number that we can compare
- # leave room in-between just to be safe
- set [set p]num [expr {
- [set [set p]mjr]*1000000 +
- [set [set p]mnr]*10000 +
- [set [set p]pnt]*100
- }]
- }
- # a simple numeric comparison is all that is needed at this point
- return [eval expr $cnum $op $tnum ]
-}
-
-proc iapp_safe_display { args } {
- # strings sent to APL must be truncated to 65535 bytes, see BZ435592
- if { [string length [set [set args]]] > 65535 } {
- set last_newline [string last "\n" [set [set args]] 65500]
- return "[string range [set [set args]] 0 $last_newline]Error: Too many items for display"
- } else {
- return [set [set args]]
- }
-}
-
-proc iapp_get_items { args } {
-
- # Set default values.
- set error_msg "iapp_get_items $args:"
- set do_binary 0
- set nocomplain 0
- set items ""
- set join_char "\n"
- set recursive "recursive"
- set com_dir "/Common"
- set loc_dir "[tmsh::pwd]"
-
- # Set up flag-related work.
- array set flags {
- -exists { [set do_binary 1] }
- -nocomplain { [set nocomplain 1] }
- -list { [set join_char " "] }
- -norecursive { [set recursive ""] }
- -local { [set com_dir ""] }
- -dir { [set loc_dir [iapp_pull $ptr args]] }
- -filter { [set filter_field [iapp_pull $ptr args]] \
- [set filter_op [iapp_pull $ptr args]] \
- [set filter_value [iapp_pull $ptr args]] }
- }
- iapp_process_flags flags args
-
- # Get system object names in all requested directories.
- set save_dir [tmsh::pwd]
- foreach dir [lsort -unique "$com_dir $loc_dir"] {
- tmsh::cd $dir
- set tmsh_rval [catch {
- foreach obj [tmsh::get_config $args $recursive] {
-
- if { [info exists filter_field] } {
- if { $filter_field eq "NAME" } {
- set val [tmsh::get_name $obj]
- } else {
- # If get_field_value throws error, assume "none" value
- if { [catch {
- set val [tmsh::get_field_value $obj $filter_field]
- # strip quotes per BZ442531
- set val [string map {\" ""} $val]
- }]} { set val none }
- }
- # Non-Tcl operators =~ and !~ added for extra flexibility
- if { $filter_op eq "=~" } {
- set filter "\[regexp \"$filter_value\" \"$val\"\]"
- } elseif { $filter_op eq "!~" } {
- set filter "!\[regexp \"$filter_value\" \"$val\"\]"
- } else {
- set filter "\\\"$val\\\" $filter_op \\\"$filter_value\\\""
- }
- # If filter fails, skip to next object
- if { ![eval expr $filter] } {
- continue
- }
- }
- # string map catches /Common added by ltm profile ntlm,
- # which is unlike all other ltm profile return values.
- lappend items $dir/[string map {/Common/ ""} [tmsh::get_name $obj]]
- }
- } err ]
- }
- tmsh::cd $save_dir
-
- # array keys: $do_binary,$tmsh_rval,$nocomplain. Do not insert whitespace.
- array set rval {
- 0,0,0 {[join $items $join_char]}
- 0,0,1 {[join $items $join_char]}
- 0,1,0 {[error "$error_msg $err"]}
- 0,1,1 {}
- 1,0,0 {[llength $items]}
- 1,0,1 {[llength $items]}
- 1,1,0 {0}
- 1,1,1 {0}
- }
-
- return [subst $rval($do_binary,$tmsh_rval,$nocomplain)]
-}
-
-proc iapp_get_provisioned { args } {
-
- array set lnum {
- none 0
- minimum 1
- nominal 2
- dedicated 3
- }
-
- # Set defaults.
- set required minimum
- set do_binary 1
-
- # Set up flag-related work.
- array set flags {
- -is { [set required [iapp_pull $ptr args]] }
- -level { [set do_binary 0] }
- }
- iapp_process_flags flags args
- if { [llength $args] > 1 } {
- error "Too many arguments"
- }
-
- # If checking for AM provisioning on TMOS < 11.4,
- # check for WAM provisioning instead.
- if { $args eq "am" && [iapp_tmos_version < 11.4] } {
- set args "wam"
- }
-
- # Get the provisioning level. If blank, assume none.
- # Proc only checks 1 module at a time, so only 1 object is returned.
- if { [catch {
- set obj [tmsh::get_config sys provision $args]
- set level [tmsh::get_field_value [lindex $obj 0] level]
- }]} { set level none }
-
- if { $do_binary } {
- return [expr { $lnum($level) >= $lnum($required) }]
- } else {
- return $level
- }
-}
-
-proc iapp_get_user { args } {
-
- # Set defaults.
- set do_role 0
- set do_binary 0
-
- # Set up flag-related work.
- array set flags {
- -is_admin { [set do_binary 1] }
- }
- iapp_process_flags flags args
- if { [llength $args] > 1 } {
- error "Too many arguments"
- }
-
- # Show user auth was introduced in v11.6
- set user "unknown"
- catch {
- set user [tmsh::show auth user field-fmt]
- } err
- if { $do_binary } {
- return [expr { $user == "unknown"
- || [string first "role " $user] == -1
- || [string first "role admin" $user] != -1
- || [string first "role resource-admin" $user] != -1 }]
- } else {
- return $user
- }
-}
-
-proc iapp_destination { args } {
- # Set defaults. Flag actions may overwrite defaults later.
- set route_domain 0
- set do_mask 0
- set port 0
-
- # Set up flag-based actions.
- array set flags {
- -route_domain { [set route_domain [iapp_pull $ptr args]] }
- -mask { [set do_mask 1] }
- -length { [set cidr_bits [iapp_pull $ptr args]] }
- }
-
- if { [llength [set non_switches [iapp_process_flags flags args]]] > 2 } {
- error "Too many arguments"
- }
- if { [llength $non_switches] == 2 } { set port [lindex $non_switches 1] }
- set addr [lindex $non_switches 0]
-
-
- # Detect a CIDR mask and pull it off the addr string
- if { [set loc [string first "/" $addr end-4]] != -1 } {
- set cidr_bits [string range $addr [expr {$loc + 1}] end]
- set addr [string range $addr 0 [expr {$loc - 1}]]
- }
-
- # Pull the route-domain off the addr string, but only use it as the
- # route domain if it wasn't overridden by -route_domain flag.
- if { [string first "%" $addr] != -1 } {
- if { $route_domain == 0 } {
- # route-domain is still default, so use value from addr string
- set route_domain [lindex [split $addr "%"] 1]
- }
- set addr [lindex [split $addr "%"] 0]
- }
-
- if { $do_mask } {
-
- # Define the delta between ipv4 and ipv6.
- # length: ipv4 mask is 32 bits, ipv6 is 128 bits.
- # group: ipv4 is grouped in octets, ipv6 as 16 bit words.
- # format: ipv4 is decimal notation, ipv6 is hex.
- # format1 also has the delimiter, format2 does not.
- array set v {
- 0,length 32
- 0,group 8
- 0,format1 d.
- 0,format2 d
- 1,length 128
- 1,group 16
- 1,format1 .4x:
- 1,format2 .4x
- }
- set is_ipv6 [string match "*:*:*" $addr]
-
- # Soften result of an illegal -length parameter.
- if { ![info exists cidr_bits] || $cidr_bits > $v($is_ipv6,length) } {
- set cidr_bits $v($is_ipv6,length)
- } elseif { $cidr_bits < 0 } {
- set cidr_bits 0
- }
-
- # Loop on the full length of the mask: 32 bits for ipv4, 128 for ipv6
- for { set octet 0; set i 0 } { $i < $v($is_ipv6,length) } { incr i } {
-
- # Take a break at intervals to save the grouping and add delimiter.
- # Interval is 8 bits for ipv4 and 16 bits for ipv6.
- if { $i && ![expr {$i % $v($is_ipv6,group)}] } {
-
- # Add the grouping and delimiter to the mask, then reset.
- append mask [format %$v($is_ipv6,format1) $octet]
- set octet 0
- }
- # Shift the prior bits left by multiplying by 2.
- # Then add the current bit, which is 1 if part of the mask, 0 if not.
- # Current bit is part of the mask if $i < number of bits in the mask.
- set octet [expr { 2 * $octet + ($i < $cidr_bits) }]
- }
- # Add the final grouping, then return the finished mask.
- set ret_val [format $mask%$v($is_ipv6,format2) $octet]
-
- } else {
-
- # calculate a destination
- # the route domain might be a name and we need a number.
- if { ![string is integer $route_domain] } {
- set route_domains [tmsh::get_config "/ net route-domain $route_domain"]
- if { [llength $route_domains] != 1 } {
- error "no such route domain: $route_domain"
- }
- # since we have already determined that the list is 1 long,
- # this explicit reference to element 0 is safe
- set route_domain [tmsh::get_field_value [lindex $route_domains 0] "id"]
- }
-
- set route_domain [expr { $route_domain == 0 ? "" : "%$route_domain" }]
-
- # 0 and * represent wildcard port assignments in the GUI,
- # but TMSH requires the string 'any' to specify a wildcard.
- if { $port == 0 || $port == "*" } {
- set port any
- }
-
- # Build the final destination. Use ":" for node names even if ipv6.
- set is_ipv6_literal [string match "*:*:*" $addr]
- set addr_delimiter [expr { $is_ipv6_literal ? "." : ":" }]
- set ret_val ${addr}${route_domain}${addr_delimiter}${port}
- }
- return $ret_val
-}
-
-proc iapp_pool_members { args } {
-
- # Set defaults.
- array set fields {
- address addr
- port port
- port-secure port_secure
- connection-limit connection_limit
- priority-group priority
- ratio ratio
- }
- set route_domain ""
- set port_override -1
- set aaa_domain 0
- set aaa_priority -1
- set app_service ""
- # Set up flag-related work.
- array set flags {
- -fields { [array set fields [iapp_pull $ptr args]] }
- -route_domain { [set route_domain [iapp_pull $ptr args]] }
- -port { [set port_override [iapp_pull $ptr args]] }
- -aaa_domain { [set aaa_domain 1] }
- -aaa_pool { [set aaa_priority 0] }
- -noapp { [set app_service " app-service none"] }
- }
- iapp_process_flags flags args
-
- # Identify the non-address/non-port fields. These go inside braces in tmsh.
- set nonport_fields [lsearch -all -not -inline -regexp \
- [array names fields] {address|port|port-secure}]
-
- set members ""
- foreach row [join $args] {
-
- # Skip invalid table rows.
- if { [llength [join $row]] %2 == 1 } {
- continue
- }
-
- # Import APL table into an array for processing.
- array unset columns
- array set columns [join $row]
- set addr $columns($fields(address))
-
- # Identify the port number, either from table columns or by -port flag.
- if { $port_override != -1 } {
- set port $port_override
- } elseif { [info exists columns($fields(port))] } {
- set port $columns($fields(port))
- } elseif { [info exists columns($fields(port-secure))] } {
- set port $columns($fields(port-secure))
- } else {
- set port 80
- }
-
- # If specified, strip entered route domain and append the flag value.
- if { $route_domain != "" } {
- set addr [lindex [split $addr "%"] 0]
- set addr "$addr%$route_domain"
- }
-
- # If -aaa_domain, use domain controller format, otherwise use pool format
- if { $aaa_domain } {
- append members " $columns($fields(host)) \{ ip $addr $app_service \}"
- } else {
- append members " [iapp_destination $addr $port] \{"
-
- # Transfer non-port fields from the table to the tmsh string.
- foreach name $nonport_fields {
- if { [info exists columns($fields($name))] } {
- append members " $name $columns($fields($name))"
- }
- }
-
- # If -aaa_pool, add priority field with incrementing value.
- # This is required by APM.
- if { $aaa_priority >= 0 } {
- append members " priority-group [incr aaa_priority]$app_service"
- }
- append members " \}"
- }
- }
-
- return "[expr { $aaa_domain ? "" : "members " }][expr { $members eq "" \
- ? "none" : "replace-all-with \{ $members \}" }]"
-}
-
-proc iapp_debug { args } {
-
- # Passwords should be obscured in all logs. Fields shown here are handled
- # in this proc, but the global variable may be overwritten if alternate
- # fields should be obscured.
- if { ![info exists ::SENSITIVES] } {
- set ::SENSITIVES {
- account-password
- admin-encrypted-password
- bind-pw
- PASSWORD
- password
- passwd
- proxy-ca-passphrase
- secret
- }
- }
-
- # look for any of the sensitive words, and replace the word that follows it
- set regex "(\\m([join $::SENSITIVES |])\\M)\\s+\[^\\s\]*"
- regsub -all $regex [join $args] {\1 -OBSCURED-} args
- regsub -all "().*()" $args {\1-OBSCURED-\2} args
-
- set lev [tmsh::get_field_value [lindex [tmsh::get_config sys scriptd \
- log-level] 0] log-level]
- if { $lev eq {debug} } {
- puts $args
- }
-}
-
-# The apm_config proc provides a tmsh pre-processor for APM
-# configuration, which in most cases will drastically reduce
-# implementation code. To configure APM with this proc, pass
-# it an array of object names and associated meta-tag substitutions.
-# Each object must be categorized as a profile, a resource, or
-# a policy-item. APM agents and customization-groups are derived
-# from these 3 categories as needed.
-#
-# apm_config's return value is a list of the APM profiles defined
-# in the argument and instantiated by the proc. This allows the
-# procedure call to be embedded directly into a virtual server
-# definition.
-#
-# These universal meta-tags may be placed anywhere in the array:
-# - The object name, eg. apm_access
-#
The app name, including folder, eg. /Common/my_app.app/my_app
-#
-# Profile objects require the following meta-tags:
-# The tmsh object type, eg. "apm profile access"
-# The body of the object, eg.:
-# "access-policy
-# defaults-from /Common/access
-# eps-group _eps
-# errormap-group _errormap
-# general-ui-group _general_ui"
-#
-# apm_config will automatically create default customization-groups
-# for the "-group" lines specified in access profile definitions.
-# In the above example, there is no need to additionally specify a
-# customization-group for errormap and general-ui.
-#
-# is a catch-all for other APM types, eg:
-# apm_sso {
-# {apm sso kerberos}
-# "account-name
-# account-password
-# realm " }
-#
-# In the example above, and are
-# apm_config meta-tags, while , , and must
-# be substituted before calling apm_config, eg. if these tags are
-# defined in $pre_proc_map, they may be substituted with:
-# array set apm_map [string map [subst $pre_proc_map] [array get apm_map]]
-#
-# Resource objects require the following meta-tags:
-# The apm resource object type, eg. "webtop"
-# The body of the object, eg.:
-# "customization-group -
-# minimize-to-tray false
-# webtop-type full"
-#
-# In the above example, a customization-group is specified. Any
-# customization-group is assumed to be blank unless further defined by the
-#
meta-tag, eg. {type webtop}
-#
-# Policy-item objects are defined by the following meta-tags:
-# default "resource-assign"
-# default "customization-group - "
-#
default "agents { - _ag { type
}}"
-# default "- "
-#
default "1"
-# default "action"
-# defaults to a set of expressions/next-items where specified
-# default "fallback"
-# default "Successful"
-# default "successful"
-#
-# apm_config generates the APM agent and customization-group definitions
-# as required for each policy-item, but specific objects may be defined
-# by using the and meta-tags.
-# To suppress the formation of an APM agent, specify {}.
-
-proc iapp_apm_config { args } {
-
- set app_service ""
- array set flags {
- -noapp { [set app_service "app-service none\n "] }
- }
- iapp_process_flags flags args
-
- upvar [lindex $args 0] map_array
-
- # Pull $prefix from the array
- set prefix $map_array(prefix)
- unset map_array(prefix)
-
- # Stencils for creating apm objects
- set access_form \
- " apm policy access-policy - {\n \
- $app_service caption general\n \
- start-item
\n \
- default-ending \n \
- items replace-all-with {\n }\n}"
-
- set profile_form " - {\n \
- $app_service
\n}"
-
- set resource_form " apm resource - {\n \
- $app_service
\n}"
-
- set agent_form " apm policy agent - _ag {\n \
- $app_service
\n}"
-
- set group_form " apm policy customization-group - {\
- $app_service
}"
-
- set agent_group_form " apm policy customization-group - _ag {\
- $app_service
}"
-
- set policy_item_form " apm policy policy-item - {
- $app_service
caption
- color
-
- \n}"
-
- # 1st round apm string map
- set default_map_1 {
- {}
- "customization-group - _ag"
-
"agents replace-all-with {
- - _ag { type
}}\n "
- -
-
{1}
- "item-type action"
- "rules
- {[expr {[string first $map_array($item)] != -1 ? "{
- caption
- expression
- next-item ${prefix}_
- }":""}][expr {[string first $map_array($item)] != -1 ? "{
- caption
- expression
- next-item ${prefix}_
- }":""}]{
- caption
- next-item ${prefix}_
- }}"
- }
-
- # 2nd round apm string map
- set default_map_2 {
- - [expr { $item eq {default} ? "$prefix" : "${prefix}_$item" }]
-
$prefix
- [string map {/ :} $prefix]
- ""
- "resource-assign"
- "successful"
- "Successful"
- "fallback"
- }
-
- # Build APM access profile and access-policy from the access_form.
- # Tags and are picked up from
- # $map_array items. - and
are picked up from
- # $default_map_2.
- foreach item [lsort [array names map_array]] {
-
- # Pick up the tag. There should be just 1.
- set access_form [string map $map_array($item) $access_form]
-
- # Filter out items that do not belong in the access-policy.
- # Anything with an ITEM_xxx tag belongs
- if { [string first }\n"
- set access_items [string map $map_array($item) $access_items]
- set access_items [string map [subst $default_map_1] $access_items]
- }
-
- # Build APM resources, policy-items, agents, and customization-groups from
- # the policy_item_form and resource_form.
- foreach item [lsort [array names map_array]] {
-
- # Each item starts as a profile, a resource, or a policy-item.
- # Profiles are free-form, so other apm objects can use the profile form.
- # In most cases, a policy-item spawns an agent.
- # Any definition specifying a customization-group will spawn that group.
- if { [string first "" $map_array($item)] != -1 } {
-
- # Collect profile names for attachment to the virtual server
- if { [string first "apm profile " $map_array($item)] != -1 } {
- lappend profiles [expr { $item eq {default}
- ? "$prefix" : "${prefix}_$item" }]
- # When an access profile is found, built a policy of the same name
- if { [string first "apm profile access" $map_array($item)] != -1 } {
- set def [string map " {$access_items}" $access_form]
- append cmds "[string map [subst $default_map_2] $def]\n"
- }
- }
- set def $profile_form
- } elseif { [string first "" $map_array($item)] != -1 } {
- set def $resource_form
- } else {
- set def $policy_item_form
- if { [string first " {}" $map_array($item)] == -1 } {
- append def $agent_form
- }
- }
-
- # Apply 1st pass of string maps
- set def [string map $map_array($item) $def]
- set def [string map [subst $default_map_1] $def]
-
- # If a customization-group is specified, add its definition
- if { [string first "customization-group" $def] != -1 } {
- if { [string first "apm policy agent" $def] != -1 } {
- append def $agent_group_form
- } elseif { [string first "apm profile access" $def] == -1 } {
- append def $group_form
- }
- }
-
- # Apply 2nd pass of string maps
- set def [string map $map_array($item) $def]
- append cmds [string map [subst $default_map_2] $def]
- }
-
- # Divide and execute tmsh commands
- set tag ""
- set tag_length [string length $tag]
- set last [expr { [string first $tag $cmds] + $tag_length }]
- while { [set pos [string first $tag $cmds $last]] != -1 } {
- incr pos -1
- iapp_conf create [string range $cmds $last $pos]
- set last [expr { $pos + $tag_length + 1 }]
- }
- iapp_conf create [string range $cmds $last end]
- return $profiles
-}
-
-proc iapp_upgrade_template { upgrade_var upgrade_trans } {
- upvar $upgrade_var upgrade_var_arr
- upvar $upgrade_trans upgrade_trans_arr
-
- # create the new variables from the old
- foreach { var } [array names upgrade_var_arr] {
-
- # substitute old variable name for abbreviation "##"
- regsub -all {##} $upgrade_var_arr($var) \$$var map_cmd
-
- # run the mapping command from inside the array
- if { [catch { subst $map_cmd } err] } {
- if { [string first "no such variable" $err] == -1 } {
- puts "ERROR $err"
- }
- }
- }
-
- # move variables over and apply translations
- set var_mods ""
- set var_adds ""
- foreach var [array names vx] {
-
- # if the APL variable name is in the translation array,
- # then use the custom translation built for that variable.
- if { [info exists upgrade_trans_arr($var)] } {
- array set sub_arr [subst $upgrade_trans_arr($var)]
- if { [info exists sub_arr($vx($var))] } {
- set vx($var) $sub_arr($vx($var))
- }
- array unset sub_arr
- # else, if the APL variable value is in the translation array,
- # then use the generic translation of that value.
- } elseif { [info exists upgrade_trans_arr($vx($var))] } {
- set vx($var) [subst $upgrade_trans_arr($vx($var))]
- }
-
- # add to tmsh command string
- if { [info exists ::$var] } {
- append var_mods "\n $var \{ value \"$vx($var)\" \} "
- } else {
- append var_adds "\n $var \{ value \"$vx($var)\" \} "
- }
- }
-
- # move tables over
- set tbl_mods ""
- set tbl_adds ""
- foreach tbl [array names tx] {
-
- # convert table from APL format to TMSH format
- if { ![llength $tx($tbl)] } {
- set tbl_def "column-names none"
- } else {
- set rows_def ""
- foreach apl_row $tx($tbl) {
- array set row_arr [join $apl_row]
- append rows_def "\n \{ row \{ "
- foreach apl_col [array names row_arr] {
- append rows_def "$row_arr($apl_col) "
- }
- append rows_def "\}\}"
- }
- set tbl_def \
- "\n column-names \{ [array names row_arr] \} rows \{ $rows_def \}"
- array unset row_arr
- }
-
- # add to tmsh command string
- if { [info exists ::$tbl] } {
- append tbl_mods "\n $tbl \{ $tbl_def \} "
- } else {
- append tbl_adds "\n $tbl \{ $tbl_def \} "
- }
- }
-
- # construct the "tmsh modify" command
- set cmd "sys application service $tmsh::app_name "
- if { [llength $var_mods] } {
- append cmd "\nvariables modify { $var_mods }"
- }
- if { [llength $var_adds] } {
- append cmd "\nvariables add { $var_adds }"
- }
- if { [llength $tbl_mods] } {
- append cmd "\ntables modify { $tbl_mods }"
- }
- if { [llength $tbl_adds] } {
- append cmd "\ntables add { $tbl_adds }"
- }
-
- # Execute with debug output. This conversion takes place within the
- # existing ASO, so tmsh modify is used instead of tmsh create.
- iapp_debug "TEMPLATE UPGRADE"
- iapp_conf modify $cmd
- return
-}
-
-proc iapp_downgrade_template { pivot_var upgrade_var downgrade_table } {
- upvar $downgrade_table downgrade_tbl_arr
-
- # The ASO variable "offload_history" is used to recover the legacy
- # choice a user made about SSL offload. It should be present in all cases.
- # This conditional only handles the case where a user has deliberately
- # deleted it by manipulating the ASO directly from tmsh.
- if { ![info exists ::offload_history] } {
- set ::offload_history "No"
- }
-
- # BIG-IP erases table contents when the APL optional hides the table.
- # Since the prior data is not available, this downgrade must back-convert
- # existing table data. Unlike tables, variables remain intact from the
- # legacy ASO.
- set tbl_def ""
- foreach tbl [array names downgrade_tbl_arr] {
- # Check for existence of each table in the current context.
- # If not, skip to next.
- if { ![info exists [set tbl]] } {
- continue
- }
- # Check for existence of each table in the legacy context.
- # If not, add an empty table so "tmsh tables modify" does not fail.
- if { ![info exists ::$downgrade_tbl_arr($tbl)] } {
- iapp_conf modify sys app ser $tmsh::app_name tables add \{ $downgrade_tbl_arr($tbl) \}
- }
- append tbl_def "$downgrade_tbl_arr($tbl) \{ "
- if { [llength [subst $$tbl]] } {
- set rows_def ""
- foreach apl_row [subst $$tbl] {
- array set row_arr [join $apl_row]
- append rows_def "\n \{ row \{ "
- foreach apl_col [array names row_arr] {
- append rows_def "$row_arr($apl_col) "
- }
- append rows_def "\}\}"
- }
- append tbl_def \
- "column-names \{ [array names row_arr] \} rows \{ $rows_def \}"
- array unset row_arr
- } else {
- append tbl_def "rows none"
- }
- append tbl_def " \} "
- }
- regsub -all "\n" $tbl_def {} tbl_def
- set cmd "sys app ser $tmsh::app_name \
- variables modify \{ \
- $pivot_var \{ value $::offload_history \} \
- $upgrade_var \{ value No \} \
- \} \
- tables modify \{ $tbl_def \}"
- iapp_debug "TEMPLATE DOWNGRADE"
- iapp_conf modify $cmd
- return
-}
-
-proc iapp_get_ca_certs { args } {
- # Procedure formats and returns ca-bundle 509 certificates from ca-bundle.bak
- # (copy of tmos supplied ca-bundle.crt)
- # Returns backup files when using -files flag
- # Returns specified restore file certificates when using -restore -return flags
- # Returns specified restore file table certificates when using -restore -tablename
- # Returns selected certificates
- #
- # Set defaults. Flag actions may overwrite defaults later.
- set rest_files 0
- set do_restore 0
- set restore_return 0
- set restore_table_name 0
- set do_certs 0
- set user_get [iapp_get_user]
- set username [string range $user_get [expr {[string last user $user_get] +5 }] end-3 ]
- # Set up flag-based actions.
- array set flags {
- -files { [set rest_files 1] }
- -return { [set do_restore 1] [set restore_return 1] }
- -tablename { [set do_restore 1] [set restore_table_name 1] }
- -certs { [set do_certs 1] }
- }
- iapp_process_flags flags args
- set fn_ca_bundle "[lindex $args 0]"
- set cert_choices "[lindex $args 1]"
- set duplicate " "
- if { $rest_files eq 0 || $do_restore } {
- set fh_ca_bundle [open $fn_ca_bundle r]
- set ca_bundle_data [read $fh_ca_bundle]
- close $fh_ca_bundle
- set ca_bundle_split [split [string map "{-----END CERTIFICATE-----} \001" $ca_bundle_data] "\001"]
- set final ""
- # Grab Subject Name and Serial number from each certificate
- foreach subject $ca_bundle_split {
- if {$subject eq {}} {
- continue
- }
- set a [string first Subject: $subject]
- set b [string first \n $subject $a]
- set ab [string range $subject $a $b]
- set c [expr {[string first O= $ab] +2}]
- if { $c < 2 }{
- set c [expr {[string first CN= $ab] +2}]
- }
- set d [expr {[string first , $ab $c] -1}]
- # Deal with case were comma is not present after subject name
- if { $d < 0 }{
- set dc [string range $ab $c end-1]
- # Deal with case were text is not able to be located using common name, just grab the first 30 characters
- } elseif { $d > 2000 }{
- set dc [string range $ab $c 47]
- } else {
- set dc [string range $ab $c $d]
- }
- set f [expr {[string first Number: $subject] +7}]
- set g [expr {[string first Signature $subject $f] -1}]
- set fg [string range $subject $f $g]
- # Remove spaces and new line characters from serial number
- set fg_nospace [string map {" " "" "\n" "" ":" ""} $fg]
- set first_5 [string map {"(" ""} [string range $fg_nospace 0 4]]
- # -cert flag returns list of selected root certificates
- if { $do_certs }{
- foreach selection $cert_choices {
- if { $first_5 eq $selection }{
- # setup to remove duplicate root certificates - tmos supplied ca-bundle can have duplicates
- set i 0
- set duplicate_split [split [string map "{ } \001" $duplicate] "\001"]
- foreach dup $duplicate_split {
- if { $dup eq $first_5 }{
- incr i
- }
- }
- # add certificate if not a duplicate
- if { $i < 1 }{
- append final "${subject}-----END CERTIFICATE-----\n"
- puts [tmsh::log notice "User:'${username}' Modified CA-Bundle, adding the following Root CA:(SN) ${fg_nospace} Name:${dc}"]
- append duplicate "$first_5 "
- }
- }
- }
- } elseif { $dc !="" || $fg_nospace !="" || $restore_table_name eq 1 }{
- if { $restore_return eq 0 && $restore_table_name eq 0 }{
- append final "${dc},SN:${fg_nospace}\t${first_5}\n"
- } elseif { $restore_table_name eq 1 }{
- set table_cert [string first ### $subject]
- if { $table_cert > -1 && $table_cert < 500 } {
- set ending "$subject-----END CERTIFICATE-----"
- set table_certificate [string range $ending [string first -----BEGIN $ending] [ expr { [string first -----END $ending] +24 }]]
- append final "{ row { \"[string map {"\n" " "} $table_certificate]\" \"[string range $subject 4 [expr { [string first \n $subject 1] -1 }]]\" } }"
- }
-
- } else {
- set table_cert [string first ### $subject]
- if { $table_cert < 0 || $table_cert > 500 } {
- append final "${first_5} "
- }
- }
- }
- }
- if { $do_restore && $restore_table_name eq 0 }{
- set final [string map {"(" ""} $final]
- }
- return $final
- }
- if { $rest_files }{
- # Pull TMOS ca-bundle file into list
- catch { set fn_bak_ca_bundle [exec ls -t /config/ssl/ssl.crt/] } err
- if { $::errorCode != "" } {
- puts "Error during file lookup in ssl certificate directory: ${err}"
- error "Error during file lookup in ssl certificate directory: ${err}"
- }
- foreach bak [join "$fn_bak_ca_bundle"] {
- set full_path "/config/ssl/ssl.crt/$bak"
- if { [iapp_is full_path $fn_ca_bundle] }{
- set fn_bak_exists 1
- break
- } else {
- set fn_bak_exists 0
- }
- }
- if { $fn_bak_exists }{
- puts "Backup of factory TMOS ca-bundle /config/ssl/ssl.crt/ca-bundle.crt, at:${fn_ca_bundle}, already exists. No need to backup"
- } elseif { $fn_bak_exists eq 0 }{
- puts "Backing up factory TMOS ca-bundle /config/ssl/ssl.crt/ca-bundle.crt, to ${fn_ca_bundle}."
- catch { exec cp /config/ssl/ssl.crt/ca-bundle.crt ${fn_ca_bundle} } err
- if { $::errorCode != "" } {
- puts "Error creating backup file:${fn_ca_bundle}: ${err}"
- error "Error creating backup file:${fn_ca_bundle}: ${err}"
- }
- }
- set restore_list [lsearch -all -inline $fn_bak_ca_bundle *_bak*]
- set restore_final ""
- foreach res $restore_list {
- append restore_final "${res}\t${res}\n"
- }
- if { $restore_final == "" }{
- return "No restore files found"
- } else {
- return $restore_final
- }
- }
-}
-}
-
-
-
-sys application template f5.http.v1.2.0rc7 {
- actions {
- definition {
- html-help {
-web iApp Template
-
-This template creates a complete configuration optimized for managing web traffic.
-
- All of the help for this iApp template is found inline. Select Yes, show inline help from the inline help question.
- For a complete walkthrough of this web iApp, as well as detailed information and help, see http://www.f5.com/pdf/deployment-guides/iapp-http-dg.pdf
- Check System :: Resource Provisioning to ensure that LTM (Local Traffic Manager) is provisioned.
- Set up VLANs and Self IP addresses on the networks you use for client-side and server-side traffic.
- If configuring SSL Offload on the BIG-IP system, before running the iApp, import the proper SSL certificate(s) that corresponds to the DNS names used by the clients.
- If you plan to use the iApp to deploy any of the optional modules, the modules must be fully licensed and provisioned before running the iApp.
-
- }
- implementation {
-tmsh::include f5.iapp.1.5.2.cli
-iapp_template start
-
-set DEFAULT_ANSWER /#default#
-set DO_NOT_USE_ANSWER /#do_not_use#
-set CREATE_NEW_ANSWER /#create_new#
-
-proc v11_4_main {} {
- tmsh::include f5.iapp.1.5.2.cli
-
- # set defaults for non-UI deployments, e.g. REST, in order of appearance
- array set basic_vars {
- ::ssl_encryption_questions__version {2010}
- ::ifd__deploy_ifd {yes}
- ::net__v13_tcp {yes}
- ::net__client_mode {wan}
- ::net__server_mode {lan}
- ::apm__use_apm {no}
- ::apm__profile {/#create_new#}
- ::apm__auth {ntlm}
- ::apm__aaa_profile {/#create_new#}
- ::apm__credentials {no}
- ::apm__ad_monitor {ad_icmp}
- ::apm__policy {/#do_not_use#}
- ::ssl__cert {/Common/default.crt}
- ::ssl__key {/Common/default.key}
- ::asm__use_asm {/#do_not_use#}
- ::asm__asm_template {POLICY_TEMPLATE_RAPID_DEPLOYMENT}
- ::asm__security_logging {}
- ::asm__language {utf-8}
- ::afm__policy {/#do_not_use#}
- ::afm__restrict_by_addr {/#do_not_use#}
- ::afm__restrict_by_reputation {accept}
- ::afm__staging_policy {/#do_not_use#}
- ::afm__security_logging {/#do_not_use#}
- ::pool__port {80}
- ::pool__port_secure {443}
- ::pool__pool_to_use {/#create_new#}
- ::pool__pool_to_use_wom {/#do_not_use#}
- ::pool__use_icall {No}
- ::pool__encrypted {Yes}
- ::pool__fqdn_to_use {Yes}
- ::pool__uri_to_use {/SitePages/Home.aspx}
- ::pool__sp_port {No}
- ::pool__interval_to_use {60}
- ::pool__profiles {}
- ::client__http_compression {/#create_new#}
- ::monitor__monitor {/#create_new#}
- ::monitor__uri {/}
- ::monitor__response {}
- ::stats__analytics {/#do_not_use#}
- ::stats__tcp_analytics {/#do_not_use#}
- ::stats__request_logging {/#do_not_use#}
- }
-
- array set advanced_vars {
- ::net__vlan_mode {all}
- ::net__snat_type {automap}
- ::net__snatpool {/#create_new#}
- ::apm__ad_port_ssl {636}
- ::apm__ad_port_not_ssl {389}
- ::ssl__mode_apm {client_ssl}
- ::ssl__client_ssl_profile {/#create_new#}
- ::ssl__use_chain_cert {/#do_not_use#}
- ::ssl__server_ssl_profile {/#create_new#}
- ::afm__dos_security_profile {/#do_not_use#}
- ::afm__protocol_security_profile {/#do_not_use#}
- ::pool__mask {255.255.255.255}
- ::pool__mirror {disabled}
- ::pool__redirect_port {80}
- ::pool__http {/#create_new#}
- ::pool__persist {/#cookie#}
- ::pool__pass_thru_persist {/#source#}
- ::pool__discourage_persist {/#do_not_use#}
- ::pool__pass_thru_discourage_persist {/#do_not_use#}
- ::pool__fallback_persist {/#do_not_use#}
- ::pool__lb_method {round-robin}
- ::pool__min_active_members {0}
- ::client__standard_caching_with_wa {/#create_new#}
- ::client__standard_caching_without_wa {/#create_new#}
- ::client__x_wa_info_header {none}
- ::client__enable_perf_monitor {no}
- ::client__data_retention_period {30}
- ::client__policy {/Common/Generic Policy - Enhanced}
- ::client__tcp_lan_opt {/#create_new#}
- ::client__tcp_wan_opt {/#create_new#}
- ::client__isession_profile {/Common/isession}
- ::server__oneconnect {/#create_new#}
- ::server__ntlm {/#create_new#}
- ::server__discourage_ntlm {/#do_not_use#}
- ::server__tcp_lan_opt {/#create_new#}
- ::server__tcp_wan_opt {/#create_new#}
- ::server__tcp_queue_length {0}
- ::server__tcp_queue_timeout {0}
- ::server__slow_ramp_setvalue {300}
- ::monitor__frequency {30}
- ::monitor__post_body {}
- ::monitor__user {}
- ::monitor__passwd {}
- ::local_traffic__policies {}
- }
-
- # leftover from 11.3, the "ssl_encryption_questions" APL section remains for backwards compatibility
- set advanced [expr { [iapp_is ::ssl_encryption_questions__advanced yes] \
- || [iapp_is ::ssl_encryption_questions__legacy_advanced yes]}]
-
- foreach x [array names advanced_vars] {
- # force advanced config mode for any REST deployment that uses an advanced mode variable
- if { [info exists [set x]] } {
- # undefined ::ssl_encryption_questions__advanced implies a REST deployment
- if { ![info exists ::ssl_encryption_questions__advanced] } {
- set advanced 1
- }
- } else {
- set [set x] $advanced_vars($x)
- }
- }
-
- foreach x [array names basic_vars] {
- if { ![info exists [set x]] } {
- set [set x] $basic_vars($x)
- }
- }
-
- set app $tmsh::app_name
- set is_v11_4 [expr {[iapp_tmos_version >= 11.4]}]
- set is_v11_5 [expr {[iapp_tmos_version >= 11.5]}]
- set is_v11_6 [expr {[iapp_tmos_version >= 11.6]}]
- set is_v12_1 [expr {[iapp_tmos_version >= 12.1]}]
- set v13_tcp [expr {[iapp_tmos_version >= 13.0] && [iapp_is ::net__v13_tcp yes]}]
- set lb_lcm_licensed [expr {[string first ltm_lb_least_conn [tmsh::show sys license detail]] != -1}]
- set cookie_licensed [expr {[string first ltm_persist_cookie [tmsh::show sys license detail]] != -1}]
- set is_admin [iapp_get_user -is_admin]
- set use_apm [expr {[iapp_get_provisioned apm] && [iapp_is ::apm__use_apm yes]}]
-
- # API-only variable for Azure WAF. Independently redirects to a port other than the https virtual port
- set redirect_to_port [expr { [info exists ::pool__redirect_to_port] ? "$::pool__redirect_to_port" : "$::pool__port_secure" }]
-
- # CLIENT-SIDE VLAN SELECTION
- set select_vlans [iapp_is ::net__vlan_mode enabled disabled]
-
- # array keys: $advanced,$select_vlans
- array set vlan_arr {
- 1,1 { vlans-$::net__vlan_mode vlans replace-all-with \{ $::net__client_vlan \} }
- * { vlans-disabled vlans none }
- }
-
- # SNATPOOL PARAMETERS
- set do_snat [expr { [iapp_is ::net__same_subnet yes] \
- || ![iapp_is ::net__route_to_bigip yes] || !$advanced}]
- set do_automap [expr { [iapp_is ::net__snat_type automap] || !$advanced}]
- set new_snatpool [iapp_is ::net__snatpool $::CREATE_NEW_ANSWER]
-
- # array keys: $do_snat,$do_automap,$new_snatpool
- array set snatpool_arr {
- 1,1,1 { snat automap }
- 1,1,0 { snat automap }
- 1,0,1 { snatpool [iapp_conf create ltm snatpool ${app}_snatpool \
- members replace-all-with \{ [string map \
- {"addr " "" \{ "" \} ""} $::net__snatpool_members] \} ]}
- 1,0,0 { snatpool $::net__snatpool }
- * { snat none }
- }
-
- # CLIENT TCP OPTIMIZATION PROFILE
- # In order to show the correct recommendation per the chosen topology,
- # the presentation of client tcp optimization has a split presentation.
- # Only one of tcp_lan_opt or tcp_wan_opt contains the user's selection.
- # This statement identifies whether the user has selected the recommended
- # option from this split presentation.
-
- # array keys: $::net__client_mode,$::net__server_mode,$v13_tcp
- array set best_tcp_profile {
- lan,lan,0 tcp-lan-optimized
- lan,wan,0 tcp-lan-optimized
- wan,lan,0 tcp-wan-optimized
- wan,wan,0 tcp-wan-optimized
- lan,lan,1 f5-tcp-lan
- lan,wan,1 f5-tcp-lan
- wan,lan,1 f5-tcp-wan
- wan,wan,1 f5-tcp-wan
- lan,tunnel,0 wom-tcp-lan-optimized
- lan,tunnel,1 wom-tcp-lan-optimized
- * wom-tcp-wan-optimized
- }
-
- set new_client_tcp [expr { !$advanced || ( \
- [iapp_is ::net__client_mode lan] ? \
- [iapp_is ::client__tcp_lan_opt $::CREATE_NEW_ANSWER] : \
- [iapp_is ::client__tcp_wan_opt $::CREATE_NEW_ANSWER] )}]
-
- # array keys: $new_client_tcp,$::net__client_mode
- array set client_tcp_arr {
- 0,lan $::client__tcp_lan_opt
- 0,wan $::client__tcp_wan_opt
- 0,tunnel $::client__tcp_wan_opt
- * { [iapp_conf create ltm profile tcp ${app}_[iapp_substa \
- best_tcp_profile($::net__client_mode,$::net__server_mode,$v13_tcp)] \
- defaults-from [iapp_substa \
- best_tcp_profile($::net__client_mode,$::net__server_mode,$v13_tcp)] \
- ]}
- }
-
-
- # SERVER TCP OPTIMIZATION PROFILE
- # See above comments regarding the client tcp optimization array.
- set new_server_tcp [expr { !$advanced || ( \
- [iapp_is ::net__server_mode lan] ? \
- [iapp_is ::server__tcp_lan_opt $::CREATE_NEW_ANSWER] : \
- [iapp_is ::server__tcp_wan_opt $::CREATE_NEW_ANSWER] )}]
-
- # array keys: $new_server_tcp,$::net__server_mode
- array set server_tcp_arr {
- 0,lan $::server__tcp_lan_opt
- 0,wan $::server__tcp_wan_opt
- 0,tunnel $::server__tcp_wan_opt
- * { [iapp_conf create ltm profile tcp ${app}_[iapp_substa \
- best_tcp_profile($::net__server_mode,$::net__client_mode,$v13_tcp)] \
- defaults-from [iapp_substa \
- best_tcp_profile($::net__server_mode,$::net__client_mode,$v13_tcp)] \
- ]}
- }
-
- # CLIENT SSL
- set do_client_ssl [expr { $use_apm || [iapp_is ::ssl__mode client_ssl client_ssl_server_ssl] }]
- set ssl_pass_thru [expr { !$use_apm && [iapp_is ::ssl__mode pass_thru] }]
-
- set new_client_ssl [expr { !$advanced || [iapp_is \
- ::ssl__client_ssl_profile $::CREATE_NEW_ANSWER] }]
- set do_chain_cert [expr { $advanced && \
- ![iapp_is ::ssl__use_chain_cert $::DO_NOT_USE_ANSWER] }]
- set cssl_cmd \
- "ltm profile client-ssl ${app}_client-ssl defaults-from clientssl"
-
- # array keys: $do_client_ssl,$new_client_ssl,$do_chain_cert
- array set client_ssl_arr {
- 1,1,1 { [iapp_conf create $cssl_cmd key $::ssl__key cert $::ssl__cert \
- chain $::ssl__use_chain_cert] \{ context clientside \} }
- 1,1,0 { [iapp_conf create $cssl_cmd key $::ssl__key cert $::ssl__cert \
- chain none] \{ context clientside \} }
- 1,0,1 { $::ssl__client_ssl_profile \{ context clientside \} }
- 1,0,0 { $::ssl__client_ssl_profile \{ context clientside \} }
- * {}
- }
-
- # SERVER SSL PROFILE
- set do_server_ssl [expr { (!$use_apm && [iapp_is ::ssl__mode server_ssl client_ssl_server_ssl]) || ($use_apm && [iapp_is ::ssl__mode_apm client_ssl_server_ssl]) }]
-
- set default_server [expr { !$advanced || \
- [iapp_is ::ssl__server_ssl_profile $::DEFAULT_ANSWER] }]
-
- # array keys: $do_server_ssl,$default_server
- array set server_ssl_arr {
- 1,1 { [iapp_conf create ltm profile server-ssl ${app}_server-ssl \
- defaults-from serverssl] \{ context serverside \} }
- 1,0 { $::ssl__server_ssl_profile \{ context serverside \} }
- * {}
- }
-
- set apm_profiles ""
-
- # APM
- if { $use_apm } {
- set apm_profiles "$::apm__apm_profile /Common/websso /Common/rba"
- }
-
- # HTTP PROFILE
- set new_http [expr { !$advanced || \
- [iapp_is ::pool__http $::CREATE_NEW_ANSWER] }]
- set xff_cmd [expr { (!$advanced || [iapp_is ::pool__xff yes]) \
- ? "insert-xforwarded-for enabled" \
- : "insert-xforwarded-for disabled" }]
-
- # array keys: $ssl_pass_thru,$new_http,$do_client_ssl
- array set http_arr {
- 0,0,0 { $::pool__http }
- 0,0,1 { $::pool__http }
- 0,1,0 { [iapp_conf create ltm profile http ${app}_http \
- defaults-from http \
- redirect-rewrite none $xff_cmd] }
- 0,1,1 { [iapp_conf create ltm profile http ${app}_http \
- defaults-from http \
- redirect-rewrite matching $xff_cmd] }
- * { }
- }
-
- # COMPRESSION PROFILE
- set do_compress [expr { !$ssl_pass_thru && \
- ![iapp_is ::client__http_compression $::DO_NOT_USE_ANSWER] }]
- set new_compress [iapp_is ::client__http_compression $::CREATE_NEW_ANSWER]
-
- # array keys: $do_compress,$new_compress
- array set compress_arr {
- 1,1 { [iapp_conf create ltm profile http-compression \
- ${app}_wan-optimized-compression \
- defaults-from wan-optimized-compression \
- content-type-include replace-all-with \{ $::HTTP_CONTENT_TYPES \} \
- ] }
- 1,0 { $::client__http_compression }
- * {}
- }
-
- # AAM APPLICATION
- # The purpose of the embedded string map is to remove the table column names
- set perf_monitor [iapp_is ::client__enable_perf_monitor yes]
- set wam_cmd "wam application ${app}_aam hosts replace-all-with \{ \
- [string map {"name " ""} [join [join [expr { [info exists \
- ::pool__hosts] ? "$::pool__hosts" : ""}]]]] \}"
-
- # array keys: $advanced,$perf_monitor,$ssl_pass_thru
- # "do_configure_wa" need not be keyed here since this is called from
- # caching_arr, which is already keyed on "do_configure_wa".
- array set wam_arr {
- 1,1,0 { [iapp_conf create $wam_cmd policy \"$::client__policy\" \
- info-header $::client__x_wa_info_header \
- perf-monitor enabled \
- perf-monitor-data-retention-period \
- $::client__data_retention_period] }
- 1,0,0 { [iapp_conf create $wam_cmd policy \"$::client__policy\" \
- info-header $::client__x_wa_info_header \
- perf-monitor disabled \
- perf-monitor-data-retention-period 0] }
- 0,1,0 { [iapp_conf create $wam_cmd \
- policy \"/Common/Generic Policy - Enhanced\" \
- info-header none \
- perf-monitor enabled \
- perf-monitor-data-retention-period \
- $::client__data_retention_period] }
- 0,0,0 { [iapp_conf create $wam_cmd \
- policy \"/Common/Generic Policy - Enhanced\" \
- info-header none \
- perf-monitor disabled \
- perf-monitor-data-retention-period 0] }
- * {}
- }
-
- # CACHING PROFILE
- set do_configure_wa [expr { !$ssl_pass_thru && [iapp_get_provisioned am] && \
- [iapp_is ::client__use_wa yes] }]
- set do_caching [expr { !$ssl_pass_thru && ($do_configure_wa || \
- ![iapp_is ::client__standard_caching_without_wa $::DO_NOT_USE_ANSWER])}]
- set new_caching [expr { !$advanced || \
- ($do_configure_wa && \
- [iapp_is ::client__standard_caching_with_wa $::CREATE_NEW_ANSWER]) || \
- (!$do_configure_wa && \
- [iapp_is ::client__standard_caching_without_wa $::CREATE_NEW_ANSWER])}]
-
- # array keys: $do_caching,$new_caching,$do_configure_wa
- array set caching_arr {
- 1,1,1 { [iapp_conf create ltm profile web-acceleration \
- ${app}_optimized-acceleration \
- defaults-from optimized-acceleration \
- applications replace-all-with \{ [iapp_substa \
- wam_arr($advanced,$perf_monitor,$ssl_pass_thru)] \}] }
- 1,1,0 { [iapp_conf create ltm profile web-acceleration \
- ${app}_optimized-caching defaults-from optimized-caching \
- applications none cache-size 10 \
- cache-object-max-size 2000000] }
- 1,0,1 $::client__standard_caching_with_wa
- 1,0,0 $::client__standard_caching_without_wa
- * {}
- }
-
- # ONECONNECT PROFILE
- set do_oneconnect [expr { !$ssl_pass_thru && (!$advanced || \
- ![iapp_is ::server__oneconnect $::DO_NOT_USE_ANSWER])}]
- set new_oneconnect [expr { !$advanced || \
- [iapp_is ::server__oneconnect $::CREATE_NEW_ANSWER] }]
- set one_cmd "ltm profile one-connect ${app}_oneconnect \
- defaults-from oneconnect source-mask"
-
- # array keys: $do_oneconnect,$new_oneconnect,$do_snat
- array set oneconnect_arr {
- 1,1,1 { [iapp_conf create $one_cmd 255.255.255.255] }
- 1,1,0 { [iapp_conf create $one_cmd 0.0.0.0] }
- 1,0,1 $::server__oneconnect
- 1,0,0 $::server__oneconnect
- * {}
- }
-
- # NTLM PROFILE
- # array keys: $do_oneconnect,$discourage_ntlm,$advanced
- set discourage_ntlm 1
- array set ntlm_arr {
- 1,1,1 $::server__ntlm
- * /#do_not_use#
- }
-
- # Note: app-service is forced. See BZ448758.
- # array keys: $is_admin,$ntlm_arr($do_oneconnect,$discourage_ntlm,$advanced)
- array set ntlm_cmd {
- 0,/#create_new# { [error "Non-admin user cannot create an NTLM profile"] }
- 1,/#create_new# { [iapp_conf create ltm profile \
- ntlm [tmsh::pwd]/${app}_ntlm \
- defaults-from ntlm \
- app-service $app] }
- 0,/#do_not_use# { }
- 1,/#do_not_use# { }
- * { [iapp_substa ntlm_arr($do_oneconnect,$discourage_ntlm,$advanced)] }
-}
- # PERSISTENCE
- set discourage_persist [iapp_is ::ssl_encryption_questions__version 2013]
-
- # array keys: $discourage_persist,$advanced,$ssl_pass_thru,$cookie_licensed
- array set persist_arr {
- 0,0,0,0 /#source#
- 0,0,0,1 /#cookie#
- 0,0,1,0 /#source#
- 0,0,1,1 /#source#
- 0,1,0,0 $::pool__persist
- 0,1,0,1 $::pool__persist
- 0,1,1,0 $::pool__pass_thru_persist
- 0,1,1,1 $::pool__pass_thru_persist
- 1,1,0,0 $::pool__discourage_persist
- 1,1,0,1 $::pool__discourage_persist
- 1,1,1,0 $::pool__pass_thru_discourage_persist
- 1,1,1,1 $::pool__pass_thru_discourage_persist
- * /#do_not_use#
- }
-
- # array key: $persist_result
- array set persist_cmd {
- /#cookie# { replace-all-with \{ [iapp_conf create $cookie_cmd] \} }
- /#source# { replace-all-with \{ [iapp_conf create $source_cmd] \} }
- /#do_not_use# { none }
- * { replace-all-with \{ $persist_result \} }
- }
-
- # array keys: $advanced,$persist_result
- array set fallback_persist_arr {
- 0,/#cookie# /#source#
- 0,/#source# /#do_not_use#
- 0,/#do_not_use# /#do_not_use#
- 1,/#do_not_use# /#do_not_use#
- 1,/#source# /#do_not_use#
- * $::pool__fallback_persist
- }
-
- # array key: $fallback_persist_result
- array set fallback_persist_cmd {
- /#source# { [iapp_conf create $source_cmd] }
- /#do_not_use# { none }
- * { $fallback_persist_result }
- }
-
- set cm_sync_status_details [lindex [tmsh::get_status cm sync-status] 0]
- set cm_sync_status [tmsh::get_field_value $cm_sync_status_details status]
- set mirror_action [expr { $cm_sync_status ne "Standalone" && [iapp_is \
- ::pool__mirror enabled] ? "enabled" : "disabled" }]
- set source_cmd "ltm persistence source-addr \
- ${app}_source-addr-persistence mirror $mirror_action"
- set cookie_cmd "ltm persistence cookie ${app}_cookie-persistence "
- set persist_result [iapp_substa persist_arr($discourage_persist,$advanced,$ssl_pass_thru,$cookie_licensed)]
- set fallback_persist_result [iapp_substa fallback_persist_arr($advanced,$persist_result)]
-
- # ISESSION
- set do_isession [expr { [iapp_is ::net__server_mode tunnel]
- && [iapp_get_provisioned am] }]
- set new_isession [iapp_is ::client__isession_profile $::CREATE_NEW_ANSWER]
-
- # array keys: $do_isession,$advanced,$new_isession
- array set isession_arr {
- 1,1,1 { [iapp_conf create wom profile isession ${app}_isession \
- data-encryption $::client__isession__encryption \
- compression $::client__isession__compression \
- deduplication $::client__isession__deduplication] \
- \{ context serverside \} }
- 1,1,0 { $::client__isession_profile \{ context serverside \} }
- 1,0,1 { /Common/isession \{ context serverside \} }
- 1,0,0 { /Common/isession \{ context serverside \} }
- * {}
- }
-
- # IRULES
- set stats_irule {
-when HTTP_REQUEST {
- set reqtime [clock clicks]
-}
-when HTTP_RESPONSE {
- ISTATS::set "sys.application.service string app-rtt" [expr {[clock clicks] - $reqtime}]
- ISTATS::set "sys.application.service string tcp-rtt" [TCP::rtt]
-}
- }
-
- set irule_names [expr { !$ssl_pass_thru && [iapp_is ::rtt_stats enabled] \
- ? [iapp_conf create ltm rule ${app}_stats_irule \
- [string map " [tmsh::pwd]/$app" $stats_irule]] : "" }]
-
- append irule_names [expr { $advanced && [info exists ::irules__irules] \
- ? " $::irules__irules" : "" }]
-
- # array key: [llength $irule_names]
- array set irule_arr {
- 0 { rules none }
- * { rules \{ $irule_names \} }
- }
-
- if { $do_client_ssl || $ssl_pass_thru } {
- set redirect_rule [string map [list _PORT $redirect_to_port] {
-when HTTP_REQUEST {
- HTTP::redirect https://[getfield [HTTP::host] : 1]:_PORT[HTTP::uri]
-}}]
- }
-
- # array keys: $redirect_to_port
- array set redirect_irule {
- 443 { _sys_https_redirect }
- * { [iapp_conf create ltm rule ${app}_https_redirect $redirect_rule] }
- }
-
- # ASM and LTM POLICIES
- set do_asm [expr { [iapp_get_provisioned asm] && \
- !$ssl_pass_thru && ![iapp_is ::asm__use_asm "/#do_not_use#"] }]
- # keep check for /#do_not_use# for upgrade compatibility with 13.0
- set asm_security_logging [expr { $do_asm && $is_v11_4 &&
- ![iapp_is ::asm__security_logging ""] && ![iapp_is ::asm__security_logging "#/do_not_use#"]
- ? "\"[join $::asm__security_logging "\" \""]\"" : "" }]
- set create_asm_policy [expr { [iapp_is ::asm__use_asm "yes"] || [iapp_is ::asm__use_asm $::CREATE_NEW_ANSWER] }]
- set ltm_policies [expr { $advanced ? $::local_traffic__policies : "" }]
-
- # array key: $is_v11_4, $do_asm, $create_asm_policy
- array set local_traffic_policies {
- 1,1,1 { policies replace-all-with { \
- [iapp_conf create ltm policy ${app}_policy \
- requires replace-all-with \{ http \} \
- controls replace-all-with \{ asm \} \
- strategy first-match \
- rules replace-all-with \{ \
- default \{ \
- ordinal 1 \
- actions replace-all-with \{ \
- 1 \{ asm enable policy \
- [iapp_conf create asm policy \
- ${app}_policy \
- active \
- encoding $::asm__language \
- policy-template \
- ${::asm__asm_template}_[expr \
- { $do_client_ssl ? "HTTPS" : "HTTP" }]] \
- \} \
- \} \
- \} \
- \} [expr {$is_v12_1 ? "legacy" : "" }]] $ltm_policies } }
- 1,1,0 { policies replace-all-with { $::asm__use_asm $ltm_policies } }
- 1,0,1 { policies [expr { $ltm_policies ne "" ? "replace-all-with { $ltm_policies }" : "none" }] }
- 1,0,0 { policies [expr { $ltm_policies ne "" ? "replace-all-with { $ltm_policies }" : "none" }] }
- 0,1,1 { http-class \{ \
- [iapp_conf create asm httpclass-asm ${app}_httpclass \
- language $::asm__language \
- predefined-policy ${::asm__asm_template}_[expr \
- { $do_client_ssl ? "HTTPS" : "HTTP" }] \
- active-policy-name ${app}_asm_policy]
- [iapp_conf create ltm profile httpclass ${app}_httpclass \
- defaults-from httpclass \
- asm enabled \
- web-accelerator [expr {$do_configure_wa ? "enabled":"disabled" }]]\}}
- * { }
- }
-
- # FIREWALL (AFM) POLICY
- # beware: syntactically correct AFM commands fail when AFM is not provisioned
-
- set afm_allowed [expr { $is_v11_4 && $is_admin && [iapp_get_provisioned afm] }]
-
- set do_firewall [expr { $afm_allowed && ![iapp_is ::afm__policy $::DO_NOT_USE_ANSWER] }]
- set new_firewall [iapp_is ::afm__policy $::DEFAULT_ANSWER]
- set do_ip_intel [expr { $do_firewall && [iapp_is ::afm__restrict_by_reputation "warn" "reject" "select"] }]
- set new_ip_intel [iapp_is ::afm__restrict_by_reputation "warn" "reject"]
-
- set staging_policy [expr { $do_firewall && \
- ![iapp_is ::afm__staging_policy $::DO_NOT_USE_ANSWER] \
- ? "$::afm__staging_policy" : "none" }]
-
- set afm_security_logging [expr { $do_firewall && \
- ![iapp_is ::afm__security_logging $::DO_NOT_USE_ANSWER] \
- ? "\"$::afm__security_logging\"" : "" }]
- set security_logging [expr { $is_admin \
- ? "security-log-profiles replace-all-with \{ $asm_security_logging $afm_security_logging \}" : "" }]
-
- set do_dos_security [expr { $afm_allowed && $advanced && \
- ![iapp_is ::afm__dos_security_profile $::DO_NOT_USE_ANSWER] }]
- set do_protocol_security [expr { $afm_allowed && $advanced && !$ssl_pass_thru && \
- ![iapp_is ::afm__protocol_security_profile $::DO_NOT_USE_ANSWER] }]
-
- # array key: $afm_allowed,$do_firewall,$new_firewall
- array set firewall_arr {
- 1,1,1 { fw-enforced-policy \
- [iapp_conf create security firewall policy ${app}_firewall \
- rules replace-all-with \{ \
- acceptPackets \{ \
- action accept \
- log no \
- ip-protocol tcp \
- status enabled \
- source \{ [iapp_substa afm_restrict($::afm__restrict_by_addr)] \}\} \
- dropPackets \{ \
- action drop \
- log yes \
- ip-protocol tcp \
- status enabled \
- source \{ addresses replace-all-with \{ any/any \}\} \
- \}\}] \
- fw-staged-policy [subst $staging_policy] }
- 1,1,0 { fw-enforced-policy $::afm__policy \
- fw-staged-policy [subst $staging_policy] }
- 1,0,1 { fw-enforced-policy none \
- fw-staged-policy none }
- 1,0,0 { fw-enforced-policy none \
- fw-staged-policy none }
- * { }
- }
-
- # array key: $::afm__restrict_by_addr
- array set afm_restrict {
- /#create_new# {addresses replace-all-with \{ $::afm__allowed_addr \}}
- /#do_not_use# {addresses replace-all-with \{ any/any \}}
- * {address-lists replace-all-with \{ $::afm__restrict_by_addr \}}
- }
-
- # ip-intelligence was a profile in 11.4, is a policy in 11.5
- # array keys:
- # $afm_allowed,$do_ip_intel,$new_ip_intel,$is_v11_5,policy/profile
- array set ip_intelligence_arr {
- 1,1,1,0,profile { [iapp_conf create security ip-intelligence \
- profile ${app}_ip_intelligence \
- defaults-from ip-intelligence \
- botnets $::afm__restrict_by_reputation \
- denial-of-service $::afm__restrict_by_reputation \
- infected-sources $::afm__restrict_by_reputation \
- phishing $::afm__restrict_by_reputation \
- proxy $::afm__restrict_by_reputation \
- scanners $::afm__restrict_by_reputation \
- spam-sources $::afm__restrict_by_reputation \
- web-attacks $::afm__restrict_by_reputation \
- windows-exploits $::afm__restrict_by_reputation] }
- 1,0,0,1,policy { ip-intelligence-policy none }
- 1,0,1,1,policy { ip-intelligence-policy none }
- 1,1,0,1,policy { ip-intelligence-policy $::afm__ip_intelligence_policy }
- 1,1,1,1,policy { \
- ip-intelligence-policy [iapp_conf create security ip-intelligence \
- policy ${app}_ip_intelligence \
- default-action $action($::afm__restrict_by_reputation) \
- blacklist-categories replace-all-with \{ \
- botnets \{ action use-policy-setting \} \
- cloud_provider_networks \{ action use-policy-setting \} \
- denial_of_service \{ action use-policy-setting \} \
- illegal_websites \{ action use-policy-setting \} \
- infected_sources \{ action use-policy-setting \} \
- phishing \{ action use-policy-setting \} \
- proxy \{ action use-policy-setting \} \
- scanners \{ action use-policy-setting \} \
- spam_sources \{ action use-policy-setting \} \
- web_attacks \{ action use-policy-setting \} \
- windows_exploits \{ action use-policy-setting \}\}] }
- * { }
- }
-
- # array key: $::afm__restrict_by_reputation
- array set action {
- accept { accept default-log-blacklist-hit-only no }
- reject { drop default-log-blacklist-hit-only yes }
- warn { accept default-log-blacklist-hit-only yes }
- }
-
- # ANALYTICS (AVR) PROFILE
- set do_analytics [expr { $advanced && [iapp_get_provisioned avr] \
- && !$ssl_pass_thru && ![iapp_is ::stats__analytics $::DO_NOT_USE_ANSWER] }]
- set new_analytics [iapp_is ::stats__analytics $::CREATE_NEW_ANSWER]
-
- # array keys: $do_analytics,$new_analytics
- array set analytics_arr {
- 1,1 { [iapp_conf create ltm profile analytics ${app}_analytics \
- defaults-from analytics] }
- 1,0 $::stats__analytics
- * {}
- }
-
- # TCP-ANALYTICS (AVR) PROFILE
- set do_tcp_analytics [expr { $advanced && [iapp_get_provisioned avr] \
- && !$ssl_pass_thru && ![iapp_is ::stats__tcp_analytics $::DO_NOT_USE_ANSWER] }]
- set new_tcp_analytics [iapp_is ::stats__tcp_analytics $::CREATE_NEW_ANSWER]
-
- # array keys: $do_tcp_analytics,$new_tcp_analytics
- array set tcp_analytics_arr {
- 1,1 { [iapp_conf create ltm profile tcp-analytics ${app}_tcp_analytics \
- defaults-from tcp-analytics] }
- 1,0 $::stats__tcp_analytics
- * {}
- }
-
- # REQUEST LOGGING
- set do_logging [expr { $advanced && !$ssl_pass_thru && \
- ![iapp_is ::stats__request_logging $::DO_NOT_USE_ANSWER] }]
-
- # array keys: $do_logging
- array set logging_arr {
- 1 { $::stats__request_logging }
- 0 {}
- }
-
- # MONITOR SEND STRING
- # only the first FQDN in the hosts table is used for monitoring
- set hostname [lindex [join [join [expr { [info exists ::pool__hosts] \
- ? "$::pool__hosts" : "" }]]] 1]
- set http10 [expr {$advanced && [iapp_is ::monitor__http_version http10]}]
- set http_post [expr {$advanced && [iapp_is ::monitor__http_method POST]}]
- set ntlm_creds [iapp_is ::monitor__credentials ntlm]
-
- # array keys: $http10,$http_post,$ntlm_creds
- array set send_string_arr {
- 1,1,1 { 'POST $::monitor__uri HTTP/1.0\\r\\nContent-Length: [string length $::monitor__post_body]\\r\\nConnection: Keep-Alive\\r\\n\\r\\n$::monitor__post_body' }
- 1,1,0 { 'POST $::monitor__uri HTTP/1.0\\r\\nContent-Length: [string length $::monitor__post_body]\\r\\n\\r\\n$::monitor__post_body' }
- 1,0,1 { 'GET $::monitor__uri HTTP/1.0\\r\\nConnection: Keep-Alive\\r\\n\\r\\n' }
- 1,0,0 { 'GET $::monitor__uri HTTP/1.0\\r\\n\\r\\n' }
- 0,1,1 { 'POST $::monitor__uri HTTP/1.1\\r\\nHost: $hostname\\r\\nContent-Length: [string length $::monitor__post_body]\\r\\n$::monitor__post_body' }
- 0,1,0 { 'POST $::monitor__uri HTTP/1.1\\r\\nHost: $hostname\\r\\nContent-Length: [string length $::monitor__post_body]\\r\\nConnection: Close\\r\\n\\r\\n$::monitor__post_body' }
- 0,0,1 { 'GET $::monitor__uri HTTP/1.1\\r\\nHost: $hostname\\r\\n' }
- * { 'GET $::monitor__uri HTTP/1.1\\r\\nHost: $hostname\\r\\nConnection: Close\\r\\n\\r\\n'}
- }
-
- # MONITOR
- set new_pool [expr {( $::net__server_mode ne "tunnel" && \
- [iapp_is ::pool__pool_to_use $::CREATE_NEW_ANSWER] ) || \
- ( $::net__server_mode eq "tunnel" && \
- [iapp_is ::pool__pool_to_use_wom $::CREATE_NEW_ANSWER] )}]
- set new_monitor [iapp_is ::monitor__monitor $::CREATE_NEW_ANSWER]
- set http_or_https [expr { $do_server_ssl || $ssl_pass_thru ?{https}:{http} }]
- # Check for NTLM, then uppercase the username if it is NTLM
- if { [iapp_is ::monitor__credentials "ntlm"] } {
- set user_index [string first \\ $::monitor__user]
- set monitor_username [string toupper $::monitor__user 0 $user_index]
- } elseif { [iapp_is ::monitor__credentials "basic"] } {
- set monitor_username $::monitor__user
- }
- # array keys: $new_pool,$new_monitor,$advanced
- array set monitor_arr {
- 1,1,1 { monitor [iapp_conf create ltm monitor $http_or_https \
- ${app}_${http_or_https}_monitor \
- defaults-from $http_or_https \
- interval $::monitor__frequency \
- timeout [expr { $::monitor__frequency * 3 + 1 } ] \
- [expr { [iapp_is ::monitor__credentials "basic"] || \
- [iapp_is ::monitor__credentials "ntlm"] ? \
- "username $monitor_username \
- password [iapp_make_safe_password $::monitor__passwd]" : "" }] \
- send [iapp_substa send_string_arr($http10,$http_post,$ntlm_creds)]\
- recv '$::monitor__response'] }
- 1,1,0 { monitor [iapp_conf create ltm monitor $http_or_https \
- ${app}_${http_or_https}_monitor \
- defaults-from $http_or_https \
- interval 30 \
- timeout 91 \
- send [iapp_substa send_string_arr($http10,$http_post,$ntlm_creds)]\
- recv '$::monitor__response'] }
- 1,0,1 { monitor $::monitor__monitor }
- 1,0,0 { monitor $::monitor__monitor }
- * { monitor none }
- }
-
- # GENERAL POOL PARAMETERS 1
- set do_slow_ramp [iapp_is ::server__use_slow_ramp yes]
- set do_pga [iapp_is ::pool__use_pga yes]
-
- # array keys: $advanced,$do_slow_ramp,$do_pga
- array set pool_ramp_pga_arr {
- 1,1,1 { slow-ramp-time $::server__slow_ramp_setvalue \
- min-active-members $::pool__min_active_members }
- 1,1,0 { slow-ramp-time $::server__slow_ramp_setvalue \
- min-active-members 0 }
- 1,0,1 { slow-ramp-time 10 \
- min-active-members $::pool__min_active_members }
- 1,0,0 { slow-ramp-time 10 min-active-members 0 }
- * { slow-ramp-time 300 min-active-members 0 }
- }
-
- # GENERAL POOL PARAMETERS 2
- set tcp_queuing [iapp_is ::server__tcp_req_queueing yes]
-
- # array keys: $advanced,$lb_lcm_licensed,$tcp_queuing
- array set pool_lb_queue_arr {
- 1,1,1 { load-balancing-mode $::pool__lb_method \
- queue-on-connection-limit enabled \
- queue-depth-limit $::server__tcp_queue_length \
- queue-time-limit $::server__tcp_queue_timeout }
- 1,0,1 { load-balancing-mode $::pool__lb_method \
- queue-on-connection-limit enabled \
- queue-depth-limit $::server__tcp_queue_length \
- queue-time-limit $::server__tcp_queue_timeout }
- 1,1,0 { load-balancing-mode $::pool__lb_method \
- queue-on-connection-limit disabled }
- 1,0,0 { load-balancing-mode $::pool__lb_method \
- queue-on-connection-limit disabled }
- 0,0,1 { load-balancing-mode round-robin \
- queue-on-connection-limit disabled }
- 0,0,0 { load-balancing-mode round-robin \
- queue-on-connection-limit disabled }
- * { load-balancing-mode least-connections-member \
- queue-on-connection-limit disabled }
- }
-
- # POOL
- set no_pool [expr {( $::net__server_mode ne "tunnel" && \
- [iapp_is ::pool__pool_to_use $::DO_NOT_USE_ANSWER] ) || \
- ( $::net__server_mode eq "tunnel" && \
- [iapp_is ::pool__pool_to_use_wom $::DO_NOT_USE_ANSWER] )}]
-
- # array keys: $new_pool,$no_pool
- array set pool_arr {
- 1,0 { [iapp_conf create ltm pool ${app}_pool \
- [iapp_substa pool_ramp_pga_arr($advanced,$do_slow_ramp,$do_pga)] \
- [iapp_substa pool_lb_queue_arr($advanced,$lb_lcm_licensed,$tcp_queuing)] \
- [iapp_substa monitor_arr($new_pool,$new_monitor,$advanced)] \
- [iapp_pool_members $::pool__members]] \
- translate-address enabled }
- 0,0 { [expr { $::net__server_mode ne "tunnel" ? \
- $::pool__pool_to_use : $::pool__pool_to_use_wom }] \
- translate-address enabled }
- * { none translate-address [expr { $do_isession ? "disabled" : "enabled" }] }
- }
-
- # VIRTUAL SERVERS
- set secure_client [expr { $do_client_ssl || $ssl_pass_thru }]
- set do_redirect [expr { [iapp_is ::pool__redirect_to_https yes] || \
- !$advanced}]
- set mask [expr { $advanced && $::pool__mask ne "" \
- ? $::pool__mask : [iapp_destination -mask $::pool__addr] }]
-
- # array keys: $secure_client,$do_redirect
- array set vs_arr {
- 1,1 { [iapp_conf create ltm virtual ${app}_vs \
- destination [iapp_destination $::pool__addr $::pool__port_secure] \
- mask $mask \
- $vs_params \
- ip-protocol tcp \
- mirror $mirror_action \
- profiles replace-all-with \{ $vs_profiles \} [expr { $is_v11_6 ? "per-flow-request-access-policy [expr { $use_apm && $::apm__apm_policy != "/#do_not_use#" ? "$::apm__apm_policy" : "none" }]" : "" }]] \
- \
- [iapp_conf create ltm virtual ${app}_redir_vs \
- destination [iapp_destination $::pool__addr $::pool__redirect_port] \
- mask $mask \
- $redir_vs_params \
- ip-protocol tcp \
- mirror $mirror_action \
- profiles replace-all-with \{ $tcp_profiles http \} \
- rules \{ [iapp_substa redirect_irule($redirect_to_port)] \}]}
- 1,0 { [iapp_conf create ltm virtual ${app}_vs \
- destination [iapp_destination $::pool__addr $::pool__port_secure] \
- mask $mask \
- $vs_params \
- ip-protocol tcp \
- mirror $mirror_action \
- profiles replace-all-with \{ $vs_profiles \} [expr { $is_v11_6 ? "per-flow-request-access-policy [expr { $use_apm && $::apm__apm_policy != "/#do_not_use#" ? "$::apm__apm_policy" : "none" }]" : "" }]] }
- * { [iapp_conf create ltm virtual ${app}_vs \
- destination [iapp_destination $::pool__addr $::pool__port] \
- mask $mask \
- $vs_params \
- ip-protocol tcp \
- mirror $mirror_action \
- profiles replace-all-with \{ $vs_profiles \} [expr { $is_v11_6 ? "per-flow-request-access-policy [expr { $use_apm && $::apm__apm_policy != "/#do_not_use#" ? "$::apm__apm_policy" : "none" }]" : "" }]] }
- }
-
- # MAIN
- # Array contents (including TCL code) are evaluated during the
- # assignments below. TMSH parameters and profile names are collected
- # for use in subsequent calls including the creation of the virtual
- # server(s). Many parameters are shared between the redirect virtual
- # server and the main virtual server. This builds the redirect
- # parameters first, then re-uses them when constructing the main
- # virtual parameter list.
- set redir_vs_params \
- "[iapp_substa vlan_arr($advanced,$select_vlans)] \
- [iapp_substa snatpool_arr($do_snat,$do_automap,$new_snatpool)] \
- [iapp_substa firewall_arr($afm_allowed,$do_firewall,$new_firewall)] \
- [iapp_substa \
- ip_intelligence_arr($afm_allowed,$do_ip_intel,$new_ip_intel,$is_v11_5,policy)]"
-
- set vs_params "$redir_vs_params $security_logging \
- persist [iapp_substa persist_cmd($persist_result)] \
- fallback-persistence [iapp_substa fallback_persist_cmd($fallback_persist_result)] \
- pool [set pool_name [iapp_substa pool_arr($new_pool,$no_pool)]] \
- [iapp_substa irule_arr([llength $irule_names])] \
- [iapp_substa local_traffic_policies($is_v11_4,$do_asm,$create_asm_policy)]"
-
- # TMSH syntax dictates that a profile may only be mentioned once.
- # If the same profile is used in 2 contexts, then specify "context all".
- set client_tcp [iapp_substa \
- client_tcp_arr($new_client_tcp,$::net__client_mode)]
- set server_tcp [iapp_substa \
- server_tcp_arr($new_server_tcp,$::net__server_mode)]
-
- if { $client_tcp eq $server_tcp } {
- set tcp_profiles "$client_tcp \{ context all \} "
- } else {
- set tcp_profiles "$client_tcp \{ context clientside \} \
- $server_tcp \{ context serverside \} "
- }
-
- # Order is important to the "context clientside" and "context serverside"
- # parameters, so those parameters without context must come after those
- # with context. For example, HTTP must come after TCP and SSL.
- set http_name [iapp_substa http_arr($ssl_pass_thru,$new_http,$do_client_ssl)]
-
- set vs_profiles "[iapp_substa \
- client_ssl_arr($do_client_ssl,$new_client_ssl,$do_chain_cert)] \
- [iapp_substa server_ssl_arr($do_server_ssl,$default_server)] \
- [iapp_substa isession_arr($do_isession,$advanced,$new_isession)] \
- $tcp_profiles $http_name \
- [iapp_substa ip_intelligence_arr($afm_allowed,$do_ip_intel,$new_ip_intel,$is_v11_5,profile)] \
- [expr { $do_dos_security ? "$::afm__dos_security_profile" : "" }] \
- [expr { $do_protocol_security ? "$::afm__protocol_security_profile" : "" }] \
- [iapp_substa compress_arr($do_compress,$new_compress)] \
- [iapp_substa \
- caching_arr($do_caching,$new_caching,$do_configure_wa)] \
- [iapp_substa \
- oneconnect_arr($do_oneconnect,$new_oneconnect,$do_snat)] \
- [iapp_substa ntlm_cmd($is_admin,[iapp_substa ntlm_arr($do_oneconnect,$discourage_ntlm,$advanced)])] \
- [iapp_substa analytics_arr($do_analytics,$new_analytics)] \
- [iapp_substa tcp_analytics_arr($do_tcp_analytics,$new_tcp_analytics)] \
- [expr { $do_asm && $is_v11_4 ? "websecurity " : "" }] \
- [iapp_substa logging_arr($do_logging)] \
- $apm_profiles $::pool__profiles"
-
- set vs_name [iapp_substa vs_arr($secure_client,$do_redirect)]
-
- if { [iapp_is ::app_stats enabled] } {
- # START EMBEDDED ICALL SCRIPT
- set icall_script_tmpl {
-
- set app APP
- set folder FOLDER
- tmsh::cd $folder
-
- set aso "sys.application.service ${folder}/$app"
- set virtual_path "ltm virtual VS"
- set http_path "ltm profile http HTTP"
- set pool_path "ltm pool POOL"
-
- # these lists represent strings taken from "show ... field-fmt"
- set http_stats { get-reqs number-reqs post-reqs resp-5xx-cnt }
- set virtual_stats {
- clientside.bits-in clientside.bits-out clientside.cur-conns
- clientside.max-conns clientside.pkts-in clientside.pkts-out
- clientside.tot-conns status.availability-state status.enabled-state
- status.status-reason
- }
- set pool_stats {
- active-member-cnt serverside.bits-in serverside.bits-out
- serverside.cur-conns serverside.max-conns serverside.pkts-in
- serverside.pkts-out serverside.tot-conns
- }
-
- if { [catch {
- # loop over each type of object we want to look at, building the name
- # of the path and the stats for it as needed
- foreach type { HTYPE virtual PTYPE } {
- # making this its own variable made the Tcl validator stop throwing
- # a warning - though it _should_ be fine to move it inline w/its use
- set path [set ${type}_path]
- set objs [tmsh::get_status $path raw]
- if { [llength $objs] == 0 } {
- puts "no object found for: $type"
- continue
- }
- set obj [lindex $objs 0]
- foreach stat [set ${type}_stats] {
- set value [tmsh::get_field_value $obj $stat]
- # associate the iStat with the app service
- istats::set "$aso string $stat" $value
- }
- }
-
- # Set an additional iStat for the size of the pool, updated on
- # each iCall iteration in case the size of an external pool changes.
- # Check first that the pool is configured with at least one member.
- set pool_size 0
- if { "POOL" ne "none" && [string first "members" [tmsh::list $pool_path]] != -1 } {
- set pools [tmsh::get_config $pool_path]
- if { [llength $pools] == 1 } {
- set pool [lindex $pools 0]
- set pool_size [llength [tmsh::get_field_value $pool members]]
- }
- }
- istats::set "$aso string total-member-cnt" $pool_size
- } err] } {
- istats::set "$aso string app_stats.publish" "Failure in iCall script ${folder}/publish_stats while collecting application statistics: $err"
- } else {
- istats::set "$aso string app_stats.publish" "Published"
- }
- }; # END EMBEDDED ICALL SCRIPT
-
- # used to fill in variables within iCall script
- set script_map [list APP $tmsh::app_name \
- FOLDER [tmsh::pwd] \
- VS [lindex $vs_name 0] \
- HTTP [lindex $http_name 0] \
- POOL [lindex $pool_name 0] \
- HTYPE [expr { $ssl_pass_thru ? {} : {http} }] \
- PTYPE [expr { $no_pool ? {} : {pool} }]]
-
- set icall_script_src [string map $script_map $icall_script_tmpl]
- iapp_conf create sys icall script publish_stats \
- definition \{ $icall_script_src \}
- iapp_conf create sys icall handler periodic publish_stats \
- interval 60 script publish_stats
- set aso "sys.application.service ${app}.app/$app"
- catch { exec istats set "$aso string app_stats.publish" "Starting" } err
- }
-}
-
-# This array customizes the assignment of old variables to the vx and tx arrays,
-# which are used to construct the new variables in tmsh. Since the old variable
-# name is almost always used during this assignment, "##" may be used as an
-# abbreviation. The assignment of ssl_encryption_questions__legacy_advanced
-# is long, but it merely sets the new template context to "basic" or "advanced"
-# based on the complexity of the user's application.
-array set upgrade_var_arr {
- ::ssl_encryption_questions__offload_ssl { \
- [set vx(offload_history) ##] \
- [set vx(ssl_encryption_questions__offload_ssl) "legacy"] \
- [set vx(ssl_encryption_questions__legacy_advanced) [expr { \
- ( ![iapp_get_provisioned avr] || \
- [iapp_is ::analytics__add_analytics {No}] ) && \
- [iapp_is ::basic__snat {No}] && \
- [iapp_is ::basic__need_snatpool {No}] && \
- [iapp_is ::basic__using_ntlm {No}] && \
- [iapp_is ::server_pools__tcp_request_queuing_enable_question \
- {No}] && \
- ( [iapp_is ::server_pools__create_new_monitor {Use Monitor...}] || \
- ( [string equal -length 3 $::server_pools__monitor_send {GET}] && \
- [iapp_is ::server_pools__monitor_http_version {Version 1.0}] )) \
- ?no:yes}]]}
- ::ssl_encryption_questions__offload_ssl_1 {[set vx(ssl__mode) ##]}
- ::ssl_encryption_questions__offload_ssl_2 {[set vx(ssl__mode) ##]}
- ::ssl_encryption_questions__cert {[set vx(ssl__cert) ##]}
- ::ssl_encryption_questions__key {[set vx(ssl__key) ##]}
- ::analytics__add_analytics {[set vx(stats__analytics) \
- [expr { ## eq {No} ? {No} : \
- [expr { $::analytics__create_new_analytics eq {Yes} ? {Yes} : \
- $::analytics__analytics_profile }] }] ]}
- ::basic__addr {[set vx(pool__addr) ##]}
- ::basic__port {[set vx(pool__port) ##]}
- ::basic__secure_port {[set vx(pool__port_secure) ##]}
- ::basic__create_redir {[set vx(pool__redirect_to_https) ##]}
- ::basic__redir_port {[set vx(pool__redirect_port) ##]}
- ::basic__snat {[set vx(net__same_subnet) ##]}
- ::basic__need_snatpool {[set vx(net__snat_type) ##]\
- [set vx(net__snatpool) ##]}
- ::basic__snatpool_members {[set tx(net__snatpool_members) ##]}
- ::basic__using_ntlm {[set vx(server__ntlm) ##]}
- ::server_pools__create_new_pool {[set vx(pool__pool_to_use) ##]}
- ::server_pools__lb_method_choice {[set vx(pool__lb_method) ##]}
- ::server_pools__tcp_request_queuing_enable_question \
- {[set vx(server__tcp_req_queueing) ##]}
- ::server_pools__tcp_request_queue_length \
- {[set vx(server__tcp_queue_length) ##]}
- ::server_pools__tcp_request_queue_timeout \
- {[set vx(server__tcp_queue_timeout) ##]}
- ::server_pools__create_new_monitor {[set vx(monitor__monitor) \
- [expr { ## eq {Use Monitor...} ?$::server_pools__reuse_monitor_name:## }]]}
- ::server_pools__servers {[set tx(pool__members) ##]}
- ::server_pools__monitor_interval {[set vx(monitor__frequency) ##]}
- ::server_pools__monitor_send {[set vx(monitor__http_method) [lindex ## 0]]\
- [set vx(monitor__uri) [lrange ## 1 end]]}
- ::server_pools__monitor_http_version {[set vx(monitor__http_version) ##]}
- ::server_pools__monitor_dns_name { \
- [set tx(pool__hosts) [subst {{ name ## }}] ]}
- ::server_pools__monitor_recv {[set vx(monitor__response) ##]}
- ::optimizations__lan_or_wan {[set vx(net__client_mode) ##]\
- [set vx(client__tcp_lan_opt) ##]\
- [set vx(client__tcp_wan_opt) ##]\
- [set vx(client__http_compression) ##]}
- ::optimizations__use_wa { \
- [expr { [iapp_get_provisioned am] \
- && ![iapp_get_provisioned asm] \
- ? [set vx(client__use_wa) ##] : { }}]\
- [set vx(client__standard_caching_with_wa) ##]\
- [set vx(client__standard_caching_without_wa) ##]}
- ::optimizations__x_wa_info_header {[set vx(client__x_wa_info_header) ##]}
- ::optimizations__perf_monitor {[set vx(client__enable_perf_monitor) ##]}
- ::optimizations__policy {[set vx(client__policy) ##]}
- ::optimizations__use_asm {[expr { [iapp_get_provisioned asm] && \
- ![iapp_get_provisioned am] \
- ? [set vx(asm__use_asm) ##] : { }}]}
- ::optimizations__use_wa_or_asm { \
- [set vx(client__use_wa) \
- [expr { [iapp_get_provisioned am] && [iapp_get_provisioned asm]\
- && [iapp_is ::optimizations__use_wa_or_asm "Use WAM"] ?yes:no }]]\
- [set vx(client__standard_caching_with_wa) \
- [expr { [iapp_get_provisioned am] && [iapp_get_provisioned asm]\
- && [iapp_is ::optimizations__use_wa_or_asm "Use WAM"] ?yes:no }]]\
- [set vx(client__standard_caching_without_wa) \
- [expr { [iapp_get_provisioned am] && [iapp_get_provisioned asm]\
- && [iapp_is ::optimizations__use_wa_or_asm "Use WAM"] ?yes:no }]]\
- [set vx(asm__use_asm) \
- [expr { [iapp_get_provisioned am] && [iapp_get_provisioned asm]\
- && [iapp_is ::optimizations__use_wa_or_asm "Use ASM"] ?yes:no }]]}
- ::optimizations__language {[set vx(asm__language) ##]}
-}
-
-# Two types of translation are supported in this array. If the key is literal,
-# then the translation is applied to all ASO variables. If the key is a variable
-# name, then the translation is applied only to that variable.
-
-array set upgrade_trans_arr [subst {
- {Create New Pool} $CREATE_NEW_ANSWER
- {Create New Monitor} $CREATE_NEW_ANSWER
- {Use Default Profile} $::DEFAULT_ANSWER
- Yes yes
- No no
- enabled yes
- disabled no
- {Version 1.0} http10
- {Version 1.1} http11
- LAN lan
- WAN wan
- offload_history {
- Yes Yes
- No No
- }
- net__snat_type {
- Yes snatpool
- No automap
- }
- net__need_snatpool {
- Yes $CREATE_NEW_ANSWER
- No no
- }
- ssl__mode {
- Yes client_ssl
- No no_ssl
- }
- server__ntlm {
- Yes /Common/ntlm
- No $DO_NOT_USE_ANSWER
- }
- monitor__response {
- none { }
- }
- stats__analytics {
- Yes $CREATE_NEW_ANSWER
- No $DO_NOT_USE_ANSWER
- }
-}]
-
-array set downgrade_tbl_arr {
- ::pool__members server_pools__servers
- ::pool__hosts optimizations__hosts
- ::net__snatpool_members basic__snatpool_members
-}
-
-# ABOUT LEGACY MODE, UPGRADE, AND DOWNGRADE
-#
-# The variable ::ssl_encryption_questions__offload_ssl is inherited from the
-# v11.3 F5.HTTP template and is used to determine whether a template originated
-# in a prior release. The purpose is to maintain the user's original selections
-# while making the legacy option unavailable for new applications.
-#
-# Values of ::ssl_encryption_questions__offload_ssl:
-# - does not exist => template in v11.4 mode
-# - "Yes" or "No" => template in v11.3 mode
-# - "legacy" => template created v11.3, now in v11.4 mode
-#
-# The variable ssl_encryption_questions__advanced allows the user to select
-# the complexity of the options presented in the template. If the template
-# was originally created pre v11.3, then a different choice variable is used
-# which provides the additional option of returning to the legacy mode.
-#
-# Values of ::ssl_encryption_questions__advanced:
-# - "yes" => v11.4 advanced configuration mode
-# - "no" => v11.4 basic configuration mode
-#
-# Values of ::ssl_encryption_questions__legacy_advanced:
-# - "yes" => v11.4 advanced configuration mode
-# - "no" => v11.4 basic configuration mode
-# - "legacy" => v11.4 user chooses to return to v11.3 view.
-# This option is not available to virgin v11.4 applications.
-#
-# When a user upgrades this template from v11.3 to v11.4 mode, the value
-# of ::ssl_encryption_questions__offload_ssl is stored in ::offload_history.
-# This value is recovered if the user later opts to return to v11.3 mode.
-
-set do_v11_3 [expr { [iapp_is ssl_encryption_questions__offload_ssl Yes] \
- || [iapp_is ssl_encryption_questions__offload_ssl No] }]
-set upgrade [iapp_is ssl_encryption_questions__upgrade Yes]
-set downgrade [iapp_is ssl_encryption_questions__legacy_advanced legacy]
-
-# array keys: $do_v11_3,$upgrade,$downgrade
-array set main {
- 0,0,0 { [v11_4_main] }
- 0,1,0 { [v11_4_main] }
- 0,1,1 { [iapp_downgrade_template ssl_encryption_questions__offload_ssl \
- ssl_encryption_questions__upgrade downgrade_tbl_arr] }
- 0,0,1 { [iapp_downgrade_template ssl_encryption_questions__offload_ssl \
- ssl_encryption_questions__upgrade downgrade_tbl_arr] }
- 1,1,0 { [iapp_upgrade_template upgrade_var_arr upgrade_trans_arr] }
- 1,1,1 { [iapp_upgrade_template upgrade_var_arr upgrade_trans_arr] }
- * { [package require iapp_legacy 1.0.0] \
- [tmsh::include "f5.app_utils"] \
- [iapp_legacy::http::configure_http_deployment "POLICY_TEMPLATE_RAPID_DEPLOYMENT"] }
-}
-
-iapp_substa main($do_v11_3,$upgrade,$downgrade)
-iapp_template stop
-
- }
- presentation {
-
-include "/Common/f5.apl_common"
-
-section intro {
- message early_release "This template has not yet been fully tested at F5, and therefore has limited support. When testing is complete, it will move from the RELEASE CANDIDATE directory to parent directory of the iApp template package."
-
- # APL choice values may be set even if the optional
- # clause is not true. This trick is useful for setting
- # values that APL otherwise would not have access to.
- # Here, system provisioning values are recalled, and later
- # used to customize messages displayed within the template.
- optional ( "HIDE" == "THIS" ) {
- choice am_provisioned tcl {
-
- return [expr {[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_provisioned am] ? "yes" : "no"}]
- }
- choice apm_provisioned tcl {
-
- return [expr {[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_provisioned apm] ? "yes" : "no"}]
- }
- choice asm_provisioned tcl {
-
- return [expr {[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_provisioned asm] ? "yes" : "no"}]
- }
- choice asm_policy tcl {
-
- return [expr {[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain -filter controls =~ asm ltm policy] ne "" ? "yes" : "no"}]
- }
- choice afm_allowed tcl {
-
- return [expr { [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_provisioned afm] ? "yes" : "no"}]
- }
- choice analytics_provisioned tcl {
-
- return [expr {[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_provisioned avr] ? "yes" : "no"}]
- }
- choice is_admin tcl {
-
- return [expr { [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_user -is_admin] ? "yes" : "no"}]
- }
- choice is_v11_4 tcl {
-
- return [expr {[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_tmos_version >= 11.4] ? "yes" : "no"}]
- }
- choice is_v11_6 tcl {
-
- return [expr {[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_tmos_version >= 11.6] ? "yes" : "no"}]
- }
- choice is_v13_0 tcl {
-
- return [expr {[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_tmos_version >= 13.0] ? "yes" : "no"}]
- }
- }
-
- message hello "Configure security, high availability, and acceleration for web applications. This template supports basic web services. For detailed information and configuration assistance, see http://www.f5.com/pdf/deployment-guides/iapp-http-dg.pdf."
- message check_for_updates "Check for new versions of this template on the AskF5 Knowledge Base website (http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13422.html)."
-
- optional ( am_provisioned == "no" ) {
- message am_not_provisioned "This system is not currently provisioned to run the BIG-IP Application Acceleration Manager (AAM). Provisioning AAM provides acceleration and optimization for your web applications."
- }
- optional ( analytics_provisioned == "no" ) {
- message analytics_not_provisioned "The system is not currently provisioned to run the BIG-IP Application Visibility Reporting Module (AVR). Activating this module provides rich application statistics and reporting for your deployment."
- }
- optional ( asm_provisioned == "no" ) {
- message asm_not_provisioned "This system is not currently provisioned to run the BIG-IP Application Security Module (ASM). Provisioning ASM can help to secure your web applications."
- }
- }
-
- section ssl_encryption_questions {
-
- # If this variable is present, then the user is re-parenting from
- # a v11.3 or earlier template. This condition causes the system
- # to display the old template along with an offer to upgrade.
- optional ( "HIDE" == "THIS" ) {
- choice offload_ssl default "no_legacy" { "Yes" , "No" , "legacy" , "no_legacy" }
- }
-
- # For v11.3 applications
- optional ( offload_ssl == "Yes" || offload_ssl == "No" ) {
- message deprecated "This template has been deprecated. It is highly recommended that you upgrade this deployment to the current template version. To upgrade, choose Yes below. Note that this process will temporarily take your application offline."
-
- choice upgrade default "No" display "small" { "Yes" => "Yes" , "No" => "No" }
-
- message gap_1 ""
- message gap_2 ""
- message section_head ""
- }
- optional ( offload_ssl == "Yes" ) {
- choice offload_ssl_1 default "Yes" { "Yes" => "Yes" , "No" => "No" }
- }
- optional ( offload_ssl == "No" ) {
- choice offload_ssl_2 default "No" { "Yes" => "Yes" , "No" => "No" }
- }
- optional ((ssl_encryption_questions.offload_ssl == "Yes"
- && ssl_encryption_questions.offload_ssl_1 == "Yes" )
- || (ssl_encryption_questions.offload_ssl == "No"
- && ssl_encryption_questions.offload_ssl_2 == "Yes" )) {
-
- choice cert default "/Common/default.crt" display "xxlarge" tcl {
-
- set ::choices [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -norecursive -filter NAME !~ ca-bundle.crt|f5-irule.crt sys file ssl-cert]
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
-
- choice key default "/Common/default.key" display "xxlarge" tcl {
-
- set ::choices [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -norecursive sys file ssl-key]
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- }
-
- # For v11.4 applications
- optional ( offload_ssl == "legacy" || offload_ssl == "no_legacy" ) {
-
- choice help display "xxlarge" default "hide" {
-
- "Yes, show inline help" => "max" ,
- "No, do not show inline help" => "hide"
- }
- optional ( help == "max" ) {
- message help_max "Inline help is available to provide contextual descriptions to aid in the completion of this configuration. Select to show or hide the inline help in this template. Important notes and warnings are always visible, no matter which selection you make here. "
- }
- optional ( offload_ssl == "legacy" ) {
- choice legacy_advanced display "xxlarge" default "no" {
-
- "Basic - Use F5's recommended settings" => "no" ,
- "Advanced - Configure advanced options" => "yes" ,
- "Legacy - Return to the deprecated template" => "legacy"
-
- }
- optional ( legacy_advanced == "legacy" ) {
- message legacy_warning "Downgrading to the legacy template will temporarily take your application offline and return all non-table entries to their pre-upgrade values. Any changes made after the upgrade will be lost. To complete the downgrade, click Finished, then Reconfigure, then Finished."
- }
- }
- optional ( offload_ssl == "no_legacy" ) {
- choice advanced display "xxlarge" default "no" {
- "Basic - Use F5's recommended settings" => "no" ,
- "Advanced - Configure advanced options" => "yes"
- }
- optional ( help == "max" ) {
- message conf_mode_max "This template supports basic and advanced configurations modes. Basic mode exposes the most commonly used settings, and automatically configures the rest of the options based on F5's recommended settings. Advanced mode allows you to review and change all settings. If you are unsure, select Basic."
- }
-
- }
- }
- }
-
- # For post-v11.4 applications
- optional ( ssl_encryption_questions.offload_ssl == "legacy"
- || ssl_encryption_questions.offload_ssl == "no_legacy" ) {
-
- section net {
- optional ( intro.is_v13_0 == "yes" ) {
- choice v13_tcp display "xxlarge" default "warn" {
- "Please select one" => "warn" ,
- "No, use the older profiles" => "no" ,
- "Yes, use the new profiles (recommended)" => "yes"
- }
- optional ( v13_tcp == "warn" ) {
- message v13_tcp_warning_1
- message v13_tcp_warning_2 "USING THE NEW TCP PROFILES MAY SIGNIFICANTLY IMPROVE PERFORMANCE"
- message v13_tcp_warning_3
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message v13_tcp_max "F5 has released new TCP profiles with significantly improved performance. Choose 'Yes' to use these faster profiles. Choose 'No' to use the profiles that were included in previous BIG-IP releases."
- }
- }
-
- choice client_mode display "xxlarge" default "wan" tcl {
-
-
- set rval "Local area network (LAN)\tlan\nWide area network (WAN)\twan\n"
- if { [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_provisioned am] } {
- append rval "WAN through another BIG-IP system\ttunnel\n"
- }
-
- return $rval
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message client_mode_max "Select the type of network that connects the clients to the BIG-IP system. This is used to determine the client-side TCP optimizations the system uses (in the case of WAN or LAN), or if the system will use an iSession tunnel (in the case of WAN through another BIG-IP system)."
- }
- optional ( client_mode == "tunnel" ) {
- message tunnel_max1 "Selecting 'WAN Network through another BIG-IP system' enables this iApp to create a secure and optimized iSession tunnel between this BIG-IP system and the remote BIG-IP system. Note that iSession tunnels are a shared BIG-IP system resource. And once configured, the settings in the iSession profile may overrule certain iApp encryption settings in order to avoid conflicts with the iSession tunnel encryption settings."
- message tunnel_max2 "To use this feature, you must have Local Endpoint and Listener objects created on both BIG-IP systems. See the deployment guide or BIG-IP documentation for information on creating these objects."
- }
-
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- choice vlan_mode display "xxlarge" default "enabled" {
- "Enable traffic on all VLANs and Tunnels" => "all" ,
- "Yes, enable traffic only on the VLANs I specify" => "enabled" ,
- "Yes, disable traffic only on the VLANs I specify" => "disabled"
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message vlan_max "You can optionally configure the BIG-IP system to accept or deny client traffic from specific VLANs you have configured. If you leave the default, the BIG-IP system accepts traffic from all VLANs configured on the system. If you select to enable or disable traffic on specific VLANs, you must specify the VLANs in the next question. The VLAN objects must already be configured on this BIG-IP system before you can select them."
- }
- optional ( vlan_mode != "all" ) {
- multichoice client_vlan default tcl {
-
- set ::choices [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items net vlan]
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- } tcl {
-
- set ::choices [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items net vlan]
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( vlan_mode == "disabled" ) {
- message disabled_vlan_max "By default, all VLANs on the box are in the Selected list. Because you selected to disable client traffic from specific VLANs, if you do not move any of the VLANs to the Options list, traffic will be denied from ALL VLANs, and this configuration will not pass any traffic."
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message client_vlan_max "Because you selected you want to enable or disable traffic on specific VLANs in the previous question, use this section to specify the VLANs. By default, all VLANs on the BIG-IP system appear in the Selected box. Click any applicable VLANs and then use the Move buttons (<<) and (>>) to adjust list membership. The Selected box lists the VLANs and tunnels that are specifically enabled or disabled."
- }
- }
- }
-
- choice server_mode display "xxlarge" default "lan" tcl {
-
-
- set rval "Local area network (LAN)\tlan\nWide area network (WAN)\twan\n"
- if { [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_provisioned am] } {
- append rval "WAN through another BIG-IP system\ttunnel\n"
- }
- return $rval
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message server_mode_max "Select the type of network that connects the servers to the BIG-IP system. This is used to determine the server-side TCP optimizations the system uses (in the case of WAN or LAN), or if the system will use an iSession tunnel (in the case of WAN through another BIG-IP system)."
- }
- optional ( server_mode == "tunnel" ) {
- message tunnel_max3 "Selecting 'WAN Network through another BIG-IP system' enables this iApp to create a secure and optimized iSession tunnel between this BIG-IP system and the remote BIG-IP system. Note that iSession tunnels are a shared BIG-IP system resource. And once configured, the settings in the iSession profile may overrule certain iApp encryption settings in order to avoid conflicts with the iSession tunnel encryption settings."
- message tunnel_max4 "To use this feature, you must have Local Endpoint and Listener objects created on both BIG-IP systems. See the deployment guide or BIG-IP documentation for information on creating these objects."
- }
-
- optional ( ssl_encryption_questions.legacy_advanced != "no"
- || ssl_encryption_questions.advanced == "yes" ) {
- choice same_subnet display "xxlarge" default "no" {
- "BIG-IP virtual server IP and web servers are on different subnets" => "no" ,
- "BIG-IP virtual server IP and web servers are on the same subnet" => "yes"
- }
-
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message subnet_1_max "It is important to ensure that responses to client requests made using the BIG-IP virtual server address are returned through the BIG-IP system. If the client receives a response directly from the web server, the connection is dropped. The way the BIG-IP system handles this depends on your network topology."
- message subnet_2_max "For environments in which the virtual server IP address is on a subnet different from the web servers, select BIG-IP virtual server IP and the web servers are on different subnets."
- message subnet_3_max "For environments in which the virtual server IP address provided is on the same subnet as the web servers in the associated pool, select BIG-IP virtual server IP and the web servers are on the same subnet. This enables Secure Network Address Translation (SNAT Auto Map). This configuration results in the BIG-IP system replacing the client IP address of an incoming connection with its self IP address (using floating addresses when available), ensuring the server response returns through the BIG-IP system."
- }
-
- optional ( same_subnet == "no" ) {
- choice route_to_bigip display "xxlarge" default "no" {
- "Servers have a route to clients through the BIG-IP system" => "yes" ,
- "Servers do not have a route to clients through the BIG-IP system" => "no"
- }
-
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message def_rt_1_max "For environments in which the virtual server IP is on a subnet different from the web servers, information regarding the IP setting of the web servers is required to ensure the correct BIG-IP system configuration."
- message def_rt_2_max "If the web servers use the BIG-IP system as their default gateway, select Web servers have a route for clients through the BIG-IP system. In this scenario, no configuration is needed to support your environment to ensure correct server response handling."
- message def_rt_3_max "If the web servers do not have a route through the BIG-IP system, select Web servers do not have a route for clients through the BIG-IP system. This enables Secure Network Address Translation (SNAT Auto Map). This configuration results in the BIG-IP system replacing the client IP address of an incoming connection with its self IP address (using floating addresses when available) ensuring the server response returns through the BIG-IP system. "
- }
- }
-
- optional ( same_subnet == "yes"
- || ( same_subnet == "no"
- && route_to_bigip == "no" )) {
- choice snat_type display "xxlarge" default "automap" {
- "Fewer than 64,000 concurrent connections" => "automap" ,
- "More than 64,000 concurrent connections" => "snatpool"
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message snat_max "For environments with fewer than 64,000 concurrent connections per server, the BIG-IP system enables SNAT Auto Map, which uses a unique IP:port combination for each client request it sends to the web server. For environments with more than 64,000 concurrent connections per web server, the BIG-IP system enables a SNAT pool, and additional IP addresses are reserved to ensure the system has enough unique combinations. If the system exhausts all combinations, new client connections are refused until one is available."
- }
- optional ( snat_type == "snatpool" ) {
- choice snatpool display "xxlarge" default "/#create_new#" tcl {
-
- set ::choices "Create a new SNAT pool\t/#create_new#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm snatpool]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message snatpool_max "Choose whether you want the iApp template to create a new SNAT Pool for this implementation. If you have already created a custom SNAT Pool, you can select it from the list."
- }
-
-
- optional ( snatpool == "/#create_new#" ) {
- table snatpool_members {
- string addr required validator "IpAddress"
- display "xlarge"
- }
-
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message snatpool_members_max "Type the IP addresses you want to use for the SNAT Pool. These addresses should be available IP addresses, not the self IP address(es) of the BIG-IP system."
- }
- }
-
- }
-
- }
- }
- }
-
- optional ( intro.apm_provisioned == "yes" ) {
- section apm {
- choice use_apm display "xxlarge" default "no" {
- "Yes, provide secure authentication using APM" => "yes" ,
- "No, do not provide secure authentication using APM" => "no"
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message use_apm_help "If you have fully licensed and provisioned the BIG-IP Access Policy Manager, you have the option of using it to provide proxy authentication and secure remote access for web."
- }
- optional ( use_apm == "yes" ) {
- choice apm_profile display "xxlarge" tcl {
-
- set ::choices "[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain apm profile access]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message apm_profile_help "In order to use BIG-IP APM in this template, you must have manually created an APM Access Profile for your application. Select the Access Profile you created from the list, or exit the template and create an Access Profile manually. See Access Policy > Access Profiles > Access Profiles List to create a profile. For specific instructions, see the Help tab or the product documentation."
- }
- optional ( intro.is_v11_6 == "yes" ) {
- choice apm_policy display "xxlarge" default "/#do_not_use#" tcl {
-
- set ::choices "[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain -filter type eq per-rq-policy apm policy]\nDo not use a per-request Access Policy\t/#do_not_use#"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message apm_policy_help ""
- }
- }
- }
- }
- }
-
- section ssl {
-
- optional ( apm.use_apm == "no" ) {
- choice mode display "xxlarge" default "no_ssl" {
- "Terminate SSL from clients, plaintext to servers (SSL offload)" => "client_ssl" ,
- "Terminate SSL from clients, re-encrypt to servers (SSL bridging)"
- => "client_ssl_server_ssl" ,
- "Encrypted traffic is forwarded without decryption (SSL pass-through)"
- => "pass_thru" ,
- "Plaintext to and from clients, encrypt to servers" => "server_ssl" ,
- "Plaintext to and from both clients and servers" => "no_ssl"
- }
- }
- optional ( apm.use_apm == "yes" ) {
- choice mode_apm display "xxlarge" default "client_ssl" {
- "Encrypt to clients, plaintext to servers (SSL Offload)" => "client_ssl" ,
- "Terminate SSL from clients, re-encrypt to servers (SSL Bridging)"
- => "client_ssl_server_ssl"
- }
- }
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message mode_1_max "SSL is a cryptographic protocol used to secure client to server communications. Select how you want the BIG-IP system to handle encrypted traffic. For encryption between client and BIG-IP system:"
- message mode_2_max "If your application requires encryption and session persistence (which ensures requests from a single user are always distributed to the server on which they started) , we recommend you configure the BIG-IP system for terminating SSL for client requests. This allows the system to more accurately persist connections based on granular protocol or application-specific variables."
- message mode_3_max "If security requirements do not allow the BIG-IP system to decrypt client connections, select to re-encrypt to the web servers. With this selection the system will use SSL ID or Client/Server IP to enforce session persistence. Because these parameters are less granular, using them may result in inconsistent distribution of client requests."
- message mode_7_max "If you do not want the BIG-IP system to do anything with encrypted traffic and simply send it to the web servers, select SSL pass-through. This differs from SSL re-encryption because the system is not decrypting and re-encrypting the traffic, only sending the traffic through without modification. "
- message mode_4_max "Encryption between BIG-IP system and web servers:"
- message mode_5_max "Encryption and decryption of SSL is computationally intensive and consumes server CPU resources. In environments that do not require encryption between the BIG-IP system and the web servers, select SSL Offload to terminate the SSL session from the client at the BIG-IP system and provide clear text communication from the BIG-IP system to the web servers."
- message mode_6_max "For environments that require encryption between the BIG-IP system and the web servers, select SSL re-encryption to terminate the SSL session from the client at the BIG-IP system and re-encrypt it for communication between the BIG-IP system and the web servers."
- }
-
- optional ( mode == "client_ssl" || mode == "client_ssl_server_ssl" || apm.use_apm == "yes" ) {
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- choice client_ssl_profile display "xxlarge"
- default "/#create_new#" tcl {
-
- set ::choices "Create a new Client SSL profile\t/#create_new#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm profile client-ssl]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message client_ssl_profile_max "If you have already created an Client SSL profile that includes the appropriate certificate and key, you can select it from the list. Otherwise, the iApp creates a new Client SSL profile. "
- }
- }
- optional (( ssl_encryption_questions.legacy_advanced == "no"
- && ssl_encryption_questions.advanced == "no" )
- || client_ssl_profile == "/#create_new#" ) {
- choice cert default "/Common/default.crt" display "xxlarge" tcl {
-
- set ::choices [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -norecursive -filter NAME !~ ca-bundle.crt|f5-irule.crt sys file ssl-cert]
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message cert_max "To establish encrypted communication, a client and server negotiate security parameters that are used for the session. As part of this handshake, a certificate is provided by the server to the client to identify itself. The client can then validate the certificate with an authority for authenticity before sending data. When the BIG-IP system is decrypting communication between the client and server, an SSL certificate and key pair for each fully-qualified DNS name related to this application instance must be configured on the system."
- message cert1_max "Select the SSL certificate you imported for this deployment. Importing certificates and keys is not a part of this template, see System > File Management > SSL Certificate List. To select any new certificates and keys you import, you need to restart or reconfigure this template."
- }
- choice key default "/Common/default.key" display "xxlarge" tcl {
-
- set ::choices [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -norecursive -filter security-type ne "password" sys file ssl-key]
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message key_max "Select the associated SSL key you imported."
- }
- optional ( cert == "/Common/default.crt"
- || key == "/Common/default.key" ) {
- message ssl_warn_1 "The BIG-IP system's default certificate and key are not secure. For proper security, acquire a certificate and key from a trusted certificate authority, and then import it onto the BIG-IP system."
-
- }
- optional ( ssl_encryption_questions.legacy_advanced == "no"
- && ssl_encryption_questions.advanced == "no" ) {
- message ssl_warn_2 "If your key is password-protected, you must build a Client SSL profile outside the iApp, and then identify it in Advanced configuration mode."
- }
-
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- message ssl_warn_3 "If your key is password-protected, you must manually create a Client SSL profile outside the iApp, and then select it from the list above."
- choice use_chain_cert display "xxlarge"
- default "/#do_not_use#" tcl {
-
- set ::choices "Do not use an intermediate certificate\t/#do_not_use#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -norecursive sys file ssl-cert]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message use_chain_cert_1_max "Intermediate certificates, also called intermediate certificate chains or chain certificates, are used to help systems which depend on SSL certificates for peer identification. These certificates are intended to create a chain of trust between the CA that signed the certificate and the CA that is already trusted by the recipient of the certificate. This allows the recipient to verify the validity of the certificates presented, even when the signing CA is unknown."
- message use_chain_cert_2_max "Intermediate certificates must be created or imported onto this BIG-IP system prior to running this iApp. See http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13302.html for help on creating an intermediate certificate chain."
- }
- }
- }
- }
-
-
- optional (( apm.use_apm == "no" &&
- ( ssl.mode == "server_ssl" || ssl.mode == "client_ssl_server_ssl" ))
- || (apm.use_apm == "yes" && ssl.mode_apm == "client_ssl_server_ssl")) {
- choice server_ssl_profile display "xxlarge" default "/#default#" tcl {
-
- set ::choices "Create a new Server SSL profile based on serverssl (recommended)\t/#default#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm profile server-ssl]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message server_ssl_profile_max "If you have already created an Server SSL profile on this BIG-IP system, you can select it from the list. Otherwise, the iApp creates a new Server SSL profile."
- }
- }
- }
-
- optional ( intro.asm_provisioned == "yes" && ( ssl.mode != "pass_thru" )) {
- section asm {
- choice use_asm default "/#do_not_use#" display "xxlarge" tcl {
-
-
- set ::choices "No, do not use Application Security Manager\t/#do_not_use#\nYes, use ASM and create a new ASM policy\t/#create_new#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain -filter controls =~ asm ltm policy]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message asm_1_max "Choose whether you want to use BIG-IP ASM to help secure your web deployment. The BIG-IP Application Security Manager (ASM) module is an advanced web application firewall that significantly reduces and mitigates the risk of loss or damage to data, intellectual property, and web applications."
- }
- optional ( asm.use_asm == "/#create_new#" ) {
- choice asm_template default "POLICY_TEMPLATE_RAPID_DEPLOYMENT" display "xxlarge" tcl {
- set ::choices "POLICY_TEMPLATE_RAPID_DEPLOYMENT (recommended)\tPOLICY_TEMPLATE_RAPID_DEPLOYMENT\n"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message asm_2_max "Select the template you want the system to use to build the policy. Note that if you choose to use ASM, the iApp template sets the policy enforcement mode to transparent. In this mode, violations are logged but not blocked. Before changing the mode to blocking, review the log results and adjust the policy for your deployment if necessary."
- }
- }
-
- optional ( use_asm != "/#do_not_use#" ) {
-
- optional ( intro.is_admin == "yes" ) {
- multichoice security_logging display "xxlarge" tcl {
-
- # Menu should display all log profiles with "network none".
- # tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items will not filter security log profiles,
- # so the filter has been written inline here.
- set ::choices ""
- if { [catch {
- set profile_list [tmsh::list security log profile all-properties recursive]
- } err] } {
- set profile_list " "
- }
- array set profiles [string map {"security log profile" ""} $profile_list]
- foreach name [array names profiles] {
- array set subprofile $profiles($name)
- if { ([info exists subprofile(application)] && $subprofile(application) != "none") ||
- ([info exists subprofile(dos-application)] && $subprofile(dos-application) != "none") } {
- append ::choices "$name\n"
- }
- }
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message security_logging_max "The logging profile enables you to log detailed information about BIG-IP ASM events and store those logs on the BIG-IP system or a remote logging server (syslog or Splunk). If you want to use a logging profile, we recommend creating one outside this template. Only logging profiles with Application Security enabled appear in the list."
- }
- }
-
- language_choice language
- optional ( ssl_encryption_questions.help == "max" ) {
- message language_max "If using an language encoding other than utf-8, select it from the list."
- }
- }
- }
- }
-
- optional ( intro.afm_allowed == "yes" && intro.is_admin == "yes" && intro.is_v11_4 == "yes" ) {
- section afm {
- choice policy default "/#do_not_use#" display "xxlarge" tcl {
-
- set ::choices "Yes, use network firewall and IP Intelligence\t/#default#\nNo, do not use network firewall or IP Intelligence\t/#do_not_use#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain security firewall policy]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message policy_max "BIG-IP Advanced Firewall Manager (AFM) is a high-performance, stateful, full-proxy network firewall designed to guard data centers against incoming threats that enter the network on the most widely deployed protocols. BIG-IP AFM must be fully licensed and provisioned to use this functionality. If you have already created an AFM Network Firewall Policy on this BIG-IP system for this implementation, you can select it from the list."
- }
- optional ( policy == "/#default#" ) {
-
- choice restrict_by_addr default "/#do_not_use#" display "xxlarge" tcl {
-
- set ::choices "No, do not forbid client addresses (allow all)\t/#do_not_use#\nYes, forbid specific client addresses\t/#create_new#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain security firewall address-list]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message restrict_max "You can use the BIG-IP AFM to restrict access to your application by either IP address or network address. If enabled, the system will only allow access to the virtual server from the address(es) you specify."
- }
- optional ( restrict_by_addr == "/#create_new#" ) {
- string allowed_addr display "xxlarge" required
- optional ( ssl_encryption_questions.help == "max" ) {
- message allowed_addr_max "Specify the IP or network address that should have access to the application. You can use a single IP address, a list of IP addresses separated by spaces, a range of IP addresses separated by a dash (for example 192.0.2.10-192.0.2.100), a single network address, such as 192.0.2.200/24, or any combination of these."
- }
- }
- }
- optional ( policy != "/#do_not_use#" ) {
- choice restrict_by_reputation default "accept" display "xxlarge" tcl {
-
- set choices "Accept all connections and log nothing\taccept\nReject connections from IP addresses with poor reputations\treject\nAccept all connections but log those from suspicious networks\twarn"
- if { [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_tmos_version >= 11.5] } {
- append choices "\nSelect an IP Intelligence policy\tselect"
- }
- return $choices
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message restrict_by_reputation_max "The BIG-IP AFM uses an IP intelligence database to categorize IP addresses coming into the system. Select the way you want the system to handle possibly malicious networks with a poor reputation score."
- }
- optional ( ssl_encryption_questions.help == "max" && restrict_by_reputation != "accept" ) {
- message restrict_by_reputation_log "By default, IP Intelligence events are logged to Security > Event Logs > Network > IP Intelligence. For the best performance, F5 recommends creating a remote logging profile to log IP Intelligence events. "
- }
- optional ( restrict_by_reputation == "select" ) {
- choice ip_intelligence_policy display "xxlarge" tcl {
-
- set ::choices "[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain security ip-intelligence policy]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message ip_intelligence_policy_max "Select the custom IP intelligence policy you created for this implementation."
- }
- }
- message restrict_by_reputation_warn "You must have an active IP Intelligence license for IP reputation-based access control to function correctly. "
-
- choice staging_policy default "/#do_not_use#" display "xxlarge" tcl {
-
- set ::choices "Do not apply a staging policy\t/#do_not_use#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain security firewall policy]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- message staging_policy1_max "A policy in Staging mode does not block any traffic, and only logs what would be blocked if the policy were placed into production."
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message staging_policy_max "A staged policy allows you to evaluate the effect a policy has on traffic by analyzing the system logs, without actually modifying traffic based on the firewall rules. You must already have a policy on the system in order to select it from the list. For specific information on creating a staging policy, see the AFM documentation."
- }
- choice security_logging default "/#do_not_use#" display "xxlarge" tcl {
-
- # Menu should display all log profiles with "network none".
- # tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items will not filter security log profiles,
- # so the filter has been written inline here.
- set ::choices "Do not use a logging profile\t/#do_not_use#\n"
- if { [catch {
- set profile_list [tmsh::list security log profile all-properties recursive]
- } err] } {
- set profile_list " "
- }
- array set profiles \
- [string map {"security log profile" ""} $profile_list]
- foreach name [array names profiles] {
- array set subprofile $profiles($name)
- if { [info exists subprofile(network)] && \
- $subprofile(network) != "none" } {
- append ::choices "$name\n"
- }
- }
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message security_logging_max "The logging profile enables you to log detailed information about BIG-IP system Network Firewall events and store those logs on the BIG-IP system or a remote logging server (syslog or Splunk). If you want to use a logging profile, we recommend creating one outside this template. Only logging profiles with Network Firewall enabled appear in the list. "
- message security_logging1_max "If you are also using BIG-IP ASM, and the logging profile you created has both Application Security and Network Firewall enabled in the same profile, you must also select that profile here. See the BIG-IP AFM documentation for specific information on Logging profiles."
- }
- }
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- choice dos_security_profile default "/#do_not_use#" display "xxlarge" tcl {
-
- set ::choices "Do not use a DoS profile\t/#do_not_use#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain security dos profile]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message dos_security_profile_max "The Denial-of-Service (DoS) profile can enable Layer 7 application DoS protection of HTTP traffic and Layer 7 DoS protection for SIP and DNS traffic. The iApp template does not create a DoS profile, if you want to use this functionality, you must create a custom DoS Profile outside the template."
- }
- optional ( ssl.mode != "pass_thru" ) {
- choice protocol_security_profile default "/#do_not_use#" display "xxlarge" tcl {
-
- set ::choices "Do not use an HTTP protocol security profile\t/#do_not_use#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain security http profile]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message protocol_security_profile_max "The HTTP protocol security profile consists of many different security checks for the various components of HTTP traffic. The iApp template does not create a HTTP Security profile, if you want to use this functionality, you must create a custom HTTP Security profile outside the template."
- }
- }
- }
- }
- section pool {
- string addr display "xxlarge" required validator "IpAddress"
- optional ( ssl_encryption_questions.help == "max" ) {
- message addr_max "This IP address, combined with the port you specify below, becomes the BIG-IP virtual server address and port, which clients use to access the application. The system intercepts requests to this IP:Port and distributes them to the web servers."
- }
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- string mask display "xxlarge" validator "IpAddress"
- optional ( ssl_encryption_questions.help == "max" ) {
- message mask_max "If you specified a network address for the virtual server (allowing the virtual server to handle multiple IP addresses), you must enter the full network mask that represents the address range. If you specified a single address for the virtual server, you may leave this field blank."
- }
- }
-
- optional ( ssl.mode != "client_ssl" && ssl.mode != "pass_thru"
- && ssl.mode != "client_ssl_server_ssl" && apm.use_apm == "no" ) {
- string port display "medium" validator "PortNumber"
- default "80" required
- }
- optional ( ssl.mode == "client_ssl" || ssl.mode == "pass_thru"
- || ssl.mode == "client_ssl_server_ssl" || apm.use_apm == "yes" ) {
- string port_secure display "medium" validator "PortNumber"
- default "443" required
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message port_max "Specify the service port you want to use for the virtual server. The default value displayed here is based your answer to the question asking how the system should handle SSL traffic."
- }
-
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- optional ( "HIDE" == "THIS" ) {
- choice is_ha tcl {
- set sync_status [lindex [tmsh::get_status cm sync-status] 0]
- set status [tmsh::get_field_value $sync_status status]
- return $status
- }
- }
-
- optional ( is_ha != "Standalone" ) {
- choice mirror display "xxlarge" default "disabled" {
- "Do not enable connection/persistence mirroring" => "disabled" ,
- "Enable connection/persistence mirroring" => "enabled"
- }
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message mirror_max "Connection and persistence mirroring allows you to configure the BIG-IP system to duplicate connection and persistence information to the standby unit of a redundant pair. This setting provides higher reliability, but might affect system performance. For more information, see http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13478.html"
- }
- }
- }
-
- table hosts {
- string name required validator "FQDN" display "xlarge"
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message fqdn_max "Clients can use the FQDN (Fully Qualified Domain Name) you enter here to access the web servers. For each FQDN, your DNS administrator must configure a DNS entry that resolves to the IP address you entered for the BIG-IP virtual server."
- }
-
- optional (( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" )
- && ( ssl.mode == "client_ssl"
- || ssl.mode == "client_ssl_server_ssl"
- || ssl.mode == "pass_thru" || apm.use_apm == "yes" )) {
-
- choice redirect_to_https display "xxlarge" default "yes" {
- "Redirect HTTP to HTTPS" => "yes" ,
- "Do not redirect HTTP to HTTPS" => "no"
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message redirect_max "It is common for users to mistakenly attempt insecure access (HTTP) to a secure application (HTTPS). The BIG-IP system can automatically redirect these connections to use an encrypted connection."
- }
- optional ( redirect_to_https == "yes" ) {
- string redirect_port display "medium"
- validator "PortNumber" default "80"
- optional ( ssl_encryption_questions.help == "max" ) {
- message redirect_port_max "Specify the port from which you want users redirected. The most common port for HTTP is 80."
- }
- }
- }
-
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
-
- optional ( ssl.mode != "pass_thru" || apm.use_apm == "yes" ) {
- choice http display "xxlarge" default "/#create_new#" tcl {
-
- set ::choices "Create a new HTTP profile (recommended)\t/#create_new#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm profile http]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message http_max "The HTTP profile contains settings that tell the BIG-IP system how to handle the HTTP protocol. If you have created a custom HTTP profile for this application, you can select it from the list."
- }
-
- optional ( http == "/#create_new#" ) {
- choice xff display "xxlarge" default "yes" {
- "Insert X-Forwarded-For HTTP header" => "yes" ,
- "Do not insert X-Forwarded-For HTTP header" => "no"
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message xff_max "If you choose to insert the X-Forwarded-For header, the BIG-IP system inserts the original client IP address in the HTTP header for logging purposes. Additional configuration may be required on the web server to log the value of the X-Forwarded-For header."
- }
- }
- }
-
- optional ( ssl.mode != "pass_thru" ) {
- choice persist display "xxlarge" default "/#cookie#" tcl {
-
- if { [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -exists -local -norecursive ltm persistence cookie /Common/cookie] } {
- set ::choices "Use cookie persistence (recommended)\t/#cookie#\nUse source address persistence\t/#source#\nDo not use persistence\t/#do_not_use#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm persistence cookie]"
- } else {
- set ::choices "Use source address persistence\t/#source#\nDo not use persistence\t/#do_not_use#"
- }
- append ::choices "\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm persistence source-addr]\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm persistence ssl]\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm persistence universal]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- }
- optional ( ssl.mode == "pass_thru" ) {
- choice pass_thru_persist display "xxlarge" default "/#source#" tcl {
-
- set ::choices "Use source address persistence\t/#source#\nDo not use persistence\t/#do_not_use#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm persistence source-addr]\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm persistence ssl]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- }
- optional (( ssl.mode != "pass_thru" && persist != "/#do_not_use#" && persist != "/#source#" ) ||
- ( ssl.mode == "pass_thru" && pass_thru_persist != "/#do_not_use#" && pass_thru_persist != "/#source#" )) {
- choice fallback_persist display "xxlarge" default "/#source#" tcl {
-
- set ::choices "Use source address fallback-persistence\t/#source#\nDo not use fallback-persistence\t/#do_not_use#"
- append ::choices "\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm persistence source-addr]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- }
-
- optional ( ssl_encryption_questions.help == "max" && ssl.mode != "pass_thru" ) {
- message persist_max "With persistence, the BIG-IP system tracks and stores session data, such as the specific pool member that serviced a client request. The F5 recommended method is Cookie persistence, which inserts a cookie in the HTTP header of a client request after an initial load balancing decision is made. The BIG-IP system uses this cookie to direct all subsequent requests from a given client to the same web server in the configured pool. An alternative method is source address persistence, where the source address of the client is used for persistence. You can also choose not to use persistence, or to select a custom persistence profile you have already created. "
- }
- optional ( ssl_encryption_questions.help == "max" && ssl.mode == "pass_thru" ) {
- message pass_thru_persist_max "With persistence, the BIG-IP system tracks and stores session data, such as the specific pool member that serviced a client request. For SSL pass-through, the F5 recommended method is source address persistence, where the source address of the client is used for persistence. You can also choose not to use persistence, or to select a custom persistence profile you have already created."
- }
- }
-
- optional ( net.server_mode != "tunnel" ) {
- choice pool_to_use display "xxlarge" default "/#create_new#" tcl {
-
- set ::choices "Create a new pool\t/#create_new#\nDo not use a pool\t/#do_not_use#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm pool]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- }
- optional ( net.server_mode == "tunnel" ) {
- choice pool_to_use_wom display "xxlarge" default "/#do_not_use#" tcl {
-
- set ::choices "Create a new pool\t/#create_new#\nDo not use a pool\t/#do_not_use#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm pool]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- }
-
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message pool_max "A load balancing pool is a logical set of devices, such as web servers, grouped together to receive and process traffic. When clients attempt to access the application via the BIG-IP virtual server, the BIG-IP system distributes requests to any of the servers that are members of that pool."
- }
-
- optional (( net.server_mode != "tunnel" && pool_to_use == "/#create_new#" )
- || ( net.server_mode == "tunnel" && pool_to_use_wom == "/#create_new#" )) {
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- lb_method lb_method
- optional ( ssl_encryption_questions.help == "max" ) {
- message lb_method_max "A load balancing method is an algorithm that the BIG-IP system uses to select a pool member for processing a request. F5 recommends the Least Connections load balancing method, where new connections are routed to the node that has the least number of current connections. This is ideal for environments in which pool members have similar performance and capacity capabilities."
- }
-
- choice use_pga default "no" display "xxlarge" {
- "Do not use Priority Group Activation (recommended)" => "no" ,
- "Use Priority Group Activation" => "yes"
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message pga_max "Priority Group Activation allows you to segment your servers into priority groups. With Priority Group Activation, the BIG-IP system load balances traffic according to the priority number you assign to the pool members. A higher number indicates higher priority. Traffic is only sent to the servers with the highest priority, unless the number of available servers in that priority group falls below the value you specify as the minimum. The BIG-IP system then sends traffic to the group of servers with the next highest priority, and so on. See the BIG-IP documentation for more details."
- }
- optional ( use_pga == "yes" ) {
- string min_active_members display "medium" default "0"
- required validator "NonNegativeNumber"
- optional ( ssl_encryption_questions.help == "max" ) {
- message min_active_members_max "Specify the minimum number of servers which must be available before the system sends traffic to servers with a lower priority."
- }
- }
- }
-
- table members {
- editchoice addr display "large" tcl {
-
- set ::choices [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm node]
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
-
- optional ( ssl.mode == "client_ssl"
- || ssl.mode == "no_ssl" ) {
- string port display "small" required default "80"
- validator "PortNumber"
- }
- optional ( ssl.mode == "server_ssl"
- || ssl.mode == "client_ssl_server_ssl"
- || ssl.mode == "pass_thru" ) {
- string port_secure display "small" required
- default "443" validator "PortNumber"
- }
-
-
- string connection_limit display "small" required
- default "0" validator "NonNegativeNumber"
- optional ( lb_method == "ratio-member"
- || lb_method == "ratio-node"
- || lb_method == "ratio-session"
- || lb_method == "ratio-least-connections-member"
- || lb_method == "ratio-least-connections-node"
- || lb_method == "dynamic-ratio-member"
- || lb_method == "dynamic-ratio-node" ) {
- string ratio default "1" validator "NonNegativeNumber"
- display "small"
- }
-
- optional (( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" )
- && use_pga == "yes" ) {
- string priority default "0" required
- validator "NonNegativeNumber" display "small"
- }
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message members_max "Specify the IP address(es) of your web servers. If you have existing nodes on this BIG-IP system, you can select them from the list, otherwise type the addresses. Click Add to include additional servers."
- }
- }
- }
-
- optional (( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" )
- || ( ssl.mode != "pass_thru" || apm.use_apm == "yes" )) {
- section client {
- optional ( ssl.mode != "pass_thru" || apm.use_apm == "yes" ) {
- optional ( intro.am_provisioned == "yes" ) {
- # If the template user decides to use AAM, the Web
- # Acceleration question in the Virtual Server ( basic )
- # section are modified to disallow "Do not use" as an option.
- choice use_wa default "yes" display "xxlarge" {
- "Yes, use BIG-IP AAM (recommended)" => "yes" ,
- "No, do not use BIG-IP AAM" => "no"
- }
-
- optional ( ssl_encryption_questions.help == "max" && intro.am_provisioned == "yes" ) {
- message standard_caching_with_wa_max "You can use the BIG-IP Application Acceleration Manager (AAM, formerly WebAccelerator) to accelerate your application traffic."
- }
- }
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- # If the template user elects to use AAM in the
- # preceding section, the user must *not* be presented with
- # an option for "Do not use a Web Acceleration profile" here.
-
- optional ( intro.am_provisioned == "yes"
- && use_wa == "yes" ) {
-
- choice standard_caching_with_wa display "xxlarge"
- default "/#create_new#" tcl {
-
- set ::choices "Create a profile based on optimized-acceleration (recommended)\t/#create_new#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -filter applications ne none ltm profile web-acceleration]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( standard_caching_with_wa != "/#create_new#" &&
- ssl_encryption_questions.help == "max" ) {
- message standard_caching_with_wa_not_default_max "You have selected a BIG-IP AAM enabled Web Acceleration profile with an AAM application already attached, so an AAM application will not be created by this template. If you would rather have this template produce the AAM application, then choose 'Use F5's recommended Web Acceleration profile' above."
- }
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message about_custom_caching_max_1 "Caching is the local storage of data for re-use. Once an item is cached on the BIG-IP system, subsequent requests for the same data are served from local storage. This can improve client request response times and improve server scalability by reducing load associated with processing subsequent requests."
- }
- optional ( ssl_encryption_questions.help == "max" && use_wa == "yes") {
- message about_custom_caching_max_2 "If you want to select a custom Web Acceleration profile for caching you have already created, it must have an AAM application enabled, otherwise it does not appear in the list of caching profiles. If you want access to all Web Acceleration profiles on the box, then you must choose No to the use BIG-IP AAM question. Use a custom Web Acceleration profile only if you need to define specific URIs that should or should not be cached. "
- }
- }
-
- optional ( intro.am_provisioned == "no" || use_wa != "yes" ) {
- choice standard_caching_without_wa display "xxlarge" default "/#create_new#" tcl {
-
- set prof_list [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -filter applications eq none -list ltm profile web-acceleration]
- set purge_item [lsearch $prof_list "/Common/optimized-acceleration"]
- if { $purge_item != -1 } {
- set prof_list [lreplace $prof_list $purge_item $purge_item]
- }
- set ::choices "Create a profile based on optimized-caching (recommended)\t/#create_new#\nDo not use caching\t/#do_not_use#\n[join $prof_list \n]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message about_custom_caching_max_1a "Caching is the local storage of data for re-use. Once an item is cached on the BIG-IP system, subsequent requests for the same data are served from local storage. This can improve client request response times and improve server scalability by reducing load associated with processing subsequent requests."
- message about_custom_caching_max_3 "Use a custom Web Acceleration profile only if you need to define specific URIs that should or should not be cached."
- }
- }
- }
-
- optional ( intro.am_provisioned == "yes" && ( ssl.mode != "pass_thru" || apm.use_apm == "yes" )) {
- optional ( use_wa == "yes" && (
- ( ssl_encryption_questions.legacy_advanced == "no"
- && ssl_encryption_questions.advanced == "no" )
- || ( ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" )
- && standard_caching_with_wa == "/#create_new#" )) ) {
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- choice x_wa_info_header default "none" display "xxlarge" {
- "Do not insert the header (recommended)" => "none" ,
- "Insert the Standard header" => "standard" ,
- "Insert the Debug header" => "debug"
- }
-
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message x_wa_info_max "By default, the AAM X-WA-info header is not included in the response from the BIG-IP system. This header is useful for debugging AAM behavior. If you choose to enable this header, you have two options, Standard and Debug. In Standard mode, the BIG-IP system inserts an HTTP header that includes numeric codes which indicate if and how each object was cached. In Debug mode, the BIG-IP system includes additional information which may help for extended troubleshooting."
- }
-
- choice enable_perf_monitor display "xxlarge" default "no" {
- "Do not enable the legacy performance monitor (recommended)" => "no" ,
- "Enable the legacy performance monitor" => "yes"
- }
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message enable_perf_monitor_max "Enabling the legacy AAM performance monitor can adversely affect system performance. This monitor is primarily used for legacy AAM performance monitoring and debugging purposes. The BIG-IP Dashboard provides performance graphs and statistics related to AAM."
- }
-
- optional ( enable_perf_monitor == "yes" ) {
- string data_retention_period default "30" required
- validator "NonNegativeNumber" display "medium"
- }
-
- optional ( use_wa == "yes" ) {
- choice policy display "xxlarge"
- default "/Common/Generic Policy - Enhanced" tcl {
-
- set ::choices "/Common/Generic Policy - Complete\n/Common/Generic Policy - Enhanced\n/Common/Generic Policy - Extension Based\n/Common/Generic Policy - Fundamental\n[string map {"\"" ""} [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain -norecursive -filter predefined == no wam policy predefined]]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- }
-
-
- optional ( ssl_encryption_questions.help == "max" ) {
- optional ( policy == "/Common/Generic Policy - Complete" ) {
- message policy_complete_about_max "In this predefined acceleration policy, HTML pages are cached and Intelligent Browser Referencing is enabled."
- }
-
- optional ( policy == "/Common/Generic Policy - Enhanced" ) {
- message policy_enhanced_about_max "In this predefined acceleration policy, HTML pages are cached and Intelligent Browser Referencing is enabled for includes."
- }
-
- optional ( policy == "/Common/Generic Policy - Extension Based" ) {
- message policy_extension_about_max "This predefined acceleration policy is ideal for High Performance policy for Ecommerce applications that use File Extensions instead of mime-types. This application policy is ideal if response-based matching is not required."
- }
-
- optional ( policy == "/Common/Generic Policy - Fundamental" ) {
- message policy_fundamental_about_max "In this predefined acceleration policy, HTML pages are always proxied and Intelligent Browser Referencing is disabled."
- }
-
- }
- }
- }
- }
-
- choice http_compression display "xxlarge" default "/#create_new#" tcl {
-
- set ::choices "Create a profile based on wan-optimized-compression (recommended)\t/#create_new#\nDo not compress HTTP responses\t/#do_not_use#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm profile http-compression]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message comp_max "Compression improves performance and end user experience for Web applications that suffer from WAN latency and throughput bottlenecks. Compression reduces the amount of traffic sent to the client to complete a transaction. "
- message comp1_max "To select a profile from the list, it must already be present on the BIG-IP system. Creating a custom profile is not a part of this template; see Local Traffic >> Profiles : Services : HTTP Compression to create an HTTP Compression profile. To select any new profiles you create, you need to restart or reconfigure this template."
- }
- }
-
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- optional ( net.client_mode == "lan" ) {
- choice tcp_lan_opt display "xxlarge" default "/#create_new#" tcl {
-
- set ::choices "Create a profile for LAN optimization (recommended)\t/#create_new#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm profile tcp]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( tcp_lan_opt == "/#create_new#" && intro.is_v13_0 == "yes" ) {
- optional ( net.v13_tcp == "yes" ) {
- message tcp_lan_note "The iApp will build a client-side TCP profile based on f5-tcp-lan."
- }
- optional ( net.v13_tcp != "yes" ) {
- message legacy_tcp_lan_note "The iApp will build a client-side TCP profile based on tcp-lan-optimized."
- }
- }
- }
-
- optional ( net.client_mode != "lan" ) {
- choice tcp_wan_opt display "xxlarge" default "/#create_new#" tcl {
-
- set ::choices "Create a profile for WAN optimization (recommended)\t/#create_new#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm profile tcp]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( tcp_wan_opt == "/#create_new#" && intro.is_v13_0 == "yes" ) {
- optional ( net.v13_tcp == "yes" ) {
- message tcp_wan_note "The iApp will build a client-side TCP profile based on f5-tcp-wan."
- }
- optional ( net.v13_tcp != "yes" ) {
- message legacy_tcp_wan_note "The iApp will build a client-side TCP profile based on tcp-wan-optimized."
- }
- }
- }
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message tcp_max "The client-side TCP profile optimizes the communication between the BIG-IP system and the client by controlling the behavior of the traffic which results in higher transfer rates, improved connection reliability and increased bandwidth efficiency."
- }
- optional ( net.server_mode == "tunnel"
- && intro.am_provisioned == "yes" ) {
- choice isession_profile display "xxlarge" default "/Common/isession" tcl {
-
- set ::choices "New iSession profile\t/#create_new#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain wom profile isession]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message isession_profile_max "The iSession profile contains the settings for the secure and optimized tunnel between this BIG-IP system and the remote BIG-IP system. Remember that iSession tunnels are a shared BIG-IP system resource. And once configured, the settings in the iSession profile may overrule certain iApp encryption settings in order to avoid conflicts with the iSession tunnel encryption settings. F5 recommends using the default 'isession' profile, unless you have already created one on this system. The iApp can also create a new iSession profile."
- }
- optional ( isession_profile == "/#create_new#" ) {
- row isession {
- choice encryption default "disabled" display "small"
- { "Yes" => "enabled" , "No" => "disabled" }
- choice compression default "enabled" display "small"
- { "Yes" => "enabled" , "No" => "disabled" }
- choice deduplication default "enabled" display "small"
- { "Yes" => "enabled" , "No" => "disabled" }
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message isession_max "The three major options of the iSession profile are WAN encryption, Adaptive Compression, and Deduplication. WAN encryption specifies whether the traffic on the outbound connection is encrypted. Adaptive Compression selects and adjusts the optimal compression algorithm for the current traffic, based on link speed. Deduplication specifies whether the system optimizes traffic using symmetric data deduplication (locating byte patterns that were previously sent over the WAN, and replacing them with references)."
- }
- }
- }
- }
- }
- }
-
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- section server {
- optional ( ssl.mode != "pass_thru" || apm.use_apm == "yes" ) {
- choice oneconnect display "xxlarge" default "/#create_new#" tcl {
-
- set ::choices "Create a profile based on the oneconnect parent (recommended)\t/#create_new#\nDo not use OneConnect\t/#do_not_use#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm profile one-connect]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message oc_max "OneConnect (connection pooling or multiplexing) improves server scalability by reducing load associated with concurrent connections and connection rate to web servers. When enabled, the BIG-IP system maintains one connection to each web server which is used to send requests from multiple clients."
- }
-
- optional ( oneconnect != "/#do_not_use#" ) {
- choice ntlm display "xxlarge" default "/#do_not_use#" tcl {
-
- set ::choices "Create an NTLM profile\t/#create_new#\nDo not use NTLM (recommended)\t/#do_not_use#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm profile ntlm]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message ntlm_max "In environments that use the NTLM security protocol with OneConnect, an NTLM profile is also required. This profile ensures a connection between the BIG-IP system and an application server is established and reused on a per-user basis, eliminating the possibility that user data is incorrectly accessible."
- }
- }
-
- }
-
- optional ( net.server_mode == "lan" ) {
- choice tcp_lan_opt display "xxlarge" default "/#create_new#" tcl {
-
- set ::choices "Create a profile for LAN optimization (recommended)\t/#create_new#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm profile tcp]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( tcp_lan_opt == "/#create_new#" && intro.is_v13_0 == "yes" ) {
- optional ( net.v13_tcp == "yes" ) {
- message tcp_lan_note "The iApp will build a server-side TCP profile based on f5-tcp-lan."
- }
- optional ( net.v13_tcp != "yes" ) {
- message legacy_tcp_lan_note "The iApp will build a server-side TCP profile based on tcp-lan-optimized."
- }
- }
- }
-
- optional ( net.server_mode != "lan" ) {
- choice tcp_wan_opt display "xxlarge" default "/#create_new#" tcl {
-
- set ::choices "Create a profile for WAN optimization (recommended)\t/#create_new#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm profile tcp]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( tcp_wan_opt == "/#create_new#" && intro.is_v13_0 == "yes" ) {
- optional ( net.v13_tcp == "yes" ) {
- message tcp_wan_note "The iApp will build a server-side TCP profile based on f5-tcp-wan."
- }
- optional ( net.v13_tcp != "yes" ) {
- message legacy_tcp_wan_note "The iApp will build a server-side TCP profile based on tcp-wan-optimized."
- }
- }
- }
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message tcp_max "The server-side TCP profile optimizes the communication between the BIG-IP system and the server by controlling the behavior of the traffic which results in higher transfer rates, improved connection reliability and increased bandwidth efficiency."
- }
-
- choice tcp_req_queueing display "xxlarge" default "no" {
- "Yes, enable TCP request queuing" => "yes" ,
- "No, do not enable TCP request queuing (recommended) " => "no"
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message tcp_request_queue_2_max "TCP request queuing provides the ability to queue connection requests that exceed the capacity of connections for a pool, pool member, or node, as determined by the connection limit. If you enable TCP request queuing, you must specify a queue length and timeout for queued requests based on server capability, load, and need for shared resources."
- }
- optional ( tcp_req_queueing == "yes" ) {
- message tcp_request_queue_1_max "Improper use or misconfiguration of TCP Request Queuing/Connection Limits can result in unwanted application behavior and poor performance of your BIG-IP system. For this reason we recommended you verify these settings impact prior to deployment in a production environment. You MUST add a Connection Limit to your pool members for TCP Request Queuing."
- string tcp_queue_length display "medium"
- validator "NonNegativeNumber" required
- optional ( ssl_encryption_questions.help == "max" ) {
- message tcp_queue_length_max "Specify a number for the length of the queue. You should not use a value of '0', which indicates an unlimited queue length, and is only constrained by available memory."
- }
- string tcp_queue_timeout display "medium"
- validator "NonNegativeNumber" required
- optional ( ssl_encryption_questions.help == "max" ) {
- message tcp_queue_timeout_max "Specify a number of milliseconds that requests should remain in the queue before timing out."
- }
- }
-
- optional ( pool.pool_to_use == "/#create_new#" ) {
- choice use_slow_ramp default "yes" display "xxlarge" {
- "Yes, use Slow Ramp (recommended) " => "yes" ,
- "No, do not use Slow Ramp" => "no"
- }
- optional ( use_slow_ramp == "yes" ) {
- optional ( ssl_encryption_questions.help == "max" ) {
- message slow_ramp_max "With Slow Ramp, the BIG-IP system gradually adds connections to a newly-enabled or newly-added HTTP server over a time period you specify, rather than sending a full proportion of the traffic immediately. Slow Ramp is essential when using load balancing methods like Least Connections, as the BIG-IP system would otherwise send all new connections to a new server immediately, potentially overwhelming that server. The time period you select for Slow Ramp is highly dependent on the speed of your server hardware and the behavior of your web services."
- }
-
- string slow_ramp_setvalue display "medium"
- default "300" required validator "NonNegativeNumber"
- optional ( ssl_encryption_questions.help == "max" ) {
- message slow_ramp_setvalue_max "Specify the duration (in seconds) for Slow Ramp time (the amount of time the system sends less traffic to a newly-enabled pool member). The default setting of 300 seconds (5 minutes) is very conservative in most cases. "
- }
- }
- }
- }
- }
-
- optional (( net.server_mode != "tunnel" && pool.pool_to_use == "/#create_new#" )
- || ( net.server_mode == "tunnel" && pool.pool_to_use_wom == "/#create_new#" )) {
- section monitor {
-
- choice monitor display "xxlarge" default "/#create_new#" tcl {
-
- set ::choices "Create a new health monitor\t/#create_new#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm monitor http]\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm monitor https]\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -filter NAME != "external" ltm monitor external]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message monitor_max "Monitors are used to determine the health of the application on each web server. If an application instance does not respond or responds incorrectly, the system will cease to send client requests to that web server. The system will continue to monitor the instance and will begin sending requests once the application responds correctly."
- }
-
- optional ( monitor == "/#create_new#" ) {
-
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- string frequency display "medium" required default "30"
- optional ( ssl_encryption_questions.help == "max" ) {
- message freq_max "This is the duration, in seconds, of a single monitor cycle. At this interval, the system checks the health of the application instance on each web server configured in the web server pool."
- }
- choice http_method display "xxlarge" default "GET"
- { "GET" , "POST" }
- optional ( ssl_encryption_questions.help == "max" ) {
- message method_max "The HTTP request type determines which HTTP method the monitor sends to the web server. GET is the most common request type for web applications."
- }
- }
-
- string uri display "xxlarge" required default "/"
- optional ( ssl_encryption_questions.help == "max" ) {
- message uri_max "The HTTP URI is used to specify the resource on the web server for a given request. This parameter can be customized to request a specific part of an application, which can indicate the health of the application on a granular level."
- }
-
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- choice http_version display "xxlarge" default "http11" {
- "HTTP/1.0" => "http10" ,
- "HTTP/1.1" => "http11"
- }
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message version_max "The HTTP version can be customized so it matches what a typical client would be using, in order to detect failures in the most meaningful way. HTTP/1.0 and HTTP/1.1 are the most common. HTTP/1.0 is more simple, while HTTP/1.1 offers more features."
- }
-
-
- optional ( http_method == "POST" ) {
- string post_body display "xxlarge" required
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message body_max "POST requests require an HTTP POST body to send to the web server."
- }
- }
- }
- string response display "xxlarge"
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message response_max "When the HTTP response arrives for a monitor request, its contents are searched for the value specified here. If it is not found, the monitoring attempt fails."
- }
-
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- choice credentials display "xxlarge" default "none" {
- "No, allow anonymous access" => "none" ,
- "Yes, require credentials for Basic authentication" => "basic" ,
- "Yes, require credentials for NTLM authentication" => "ntlm"
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message credentials_max "You can configure system to attempt to authenticate to the web implementation as a part of the health monitor. If you choose to require credentials, we recommend you create a user account specifically for this health monitor which has no other privileges, and has a password set to never expire."
- }
- optional ( credentials != "none" ) {
- string user required display "xxlarge"
- optional ( credentials == "basic" ) {
- message basic_cred_note "You must include your domain in front of the user name."
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message user_max "Specify the user name for the account you want to use as a part of the health monitor."
- }
- password passwd required display "xxlarge"
- optional ( ssl_encryption_questions.help == "max" ) {
- message passwd_max "Specify the associated password. The password for this account should be set to never expire, otherwise servers could be improperly marked as unavailable when the password expires."
- }
- }
- }
- }
- }
- }
-
- optional ( ssl_encryption_questions.legacy_advanced == "yes"
- || ssl_encryption_questions.advanced == "yes" ) {
- section local_traffic {
- message note "You cannot apply multiple policy rules referencing the same controls. Before applying one or more policies, ensure there are no policy rules with conflicting controls assigned. Note that improper use or misconfiguration of LTM policies can cause undesired results. We recommend verifying the impact of an LTM policy prior to deployment in a production environment."
- multichoice policies display "xlarge" tcl {
-
- set ::choices [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm policy]
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- optional ( ssl_encryption_questions.help == "max" ) {
- message policies_max "Local Traffic Policies comprise a prioritized list of rules that match defined conditions and run specific actions, which the BIG-IP system uses to direct traffic accordingly. You must have a manually created a local traffic policy to select it here. See the manual: BIG-IP Local Traffic Management: Getting Started with Policies (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/local-traffic-policies-getting-started-12-1-0.html)."
- }
- }
-
- section irules {
- message note "Improper use or misconfiguration of an iRule can result in unwanted application behavior and poor performance of your BIG-IP system. For this reason we recommended you verify the impact of an iRule prior to deployment in a production environment."
- optional ( ssl_encryption_questions.help == "max" ) {
- message irule_2_max "The BIG-IP system supports a scripting language to allow an administrator to instruct the system to intercept, inspect, transform, direct and track inbound or outbound application traffic. An iRule contains the set of instructions the system uses to process data flowing through it, either in the header or payload of a packet."
- message irule_3_max "Correct event priority is critical when assigning multiple iRules. For more information about iRule event priority, see https://devcentral.f5.com/wiki/iRules.priority.ashx"
- }
-
- multichoice irules display "xlarge" tcl {
-
- set ::choices [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -filter NAME !~ "^_sys" ltm rule]
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- }
-
- optional ( ssl.mode != "pass_thru" || apm.use_apm == "yes" ) {
- section stats {
- optional ( intro.analytics_provisioned == "yes" ) {
- choice analytics display "xxlarge" default "/#do_not_use#" tcl {
-
- set ::choices "Do not use an analytics profile\t/#do_not_use#\nCreate a profile based on analytics\t/#create_new#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain ltm profile analytics]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- choice tcp_analytics display "xxlarge" default "/#do_not_use#" tcl {
-
- set ::choices "Do not use a tcp-analytics profile\t/#do_not_use#\nCreate a profile based on tcp-analytics\t/#create_new#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain ltm profile tcp-analytics]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- message avr_1_max "Enabling Analytics may affect overall system performance. If you choose to enable Analytics, we recommend gathering statistics for a set time period, such as one week, and then re-entering this template and disabling Analytics while you process the data."
- optional ( ssl_encryption_questions.help == "max" ) {
- message avr_2_max "The Application Visibility Reporting (AVR) module allows you to view statistics specific to your web application. "
- message avr_3_max "While this template includes a default Analytics profile, for full functionality and flexibility, we recommend you create a custom Analytics profile for this application service. Creating a custom profile is not a part of this template; see Local Traffic >> Profiles : Analytics. Once you have created an Analytics profile, you can select it from the list below. To select any new profiles you create, you need to restart or reconfigure this template."
- }
- }
-
- choice request_logging display "xxlarge" default "/#do_not_use#" tcl {
-
- set ::choices "Do not enable HTTP request logging\t/#do_not_use#\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm profile request-log]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
-
- optional ( ssl_encryption_questions.help == "max" ) {
- message req_log_max "HTTP request logging enables customizable log messages to be sent to a syslog server for each HTTP request processed by this application. Successful usage of this feature requires creation and association of a request logging profile. Creating a request logging profile is not a part of this template. See Local Traffic>>Profiles: Other: Request Logging. To select any new profiles you create, you need to restart or reconfigure this template. The performance impact of using this feature should be thoroughly tested in a staging environment prior to enabling it on a production deployment."
- }
- }
- }
- }
-
- optional ( ssl_encryption_questions.help == "max" ) {
- section extra {
- message dns "You must configure a DNS entry for each fully qualified host name that the clients use to access the web servers. Each DNS record must resolve to the IP address you configured for the BIG-IP virtual server defined in the High Availability section."
- message web_servers "Depending on your web service and application software, you may have to perform additional steps on your web application to enable SSL Offloading. If you are performing SSL offload on the BIG-IP system, you may need to configure your web servers not to expect SSL to avoid redirect loops and needless redirects. Also, the web server software may need to be configured to handle any HTTP/1.1 Host headers you specified during monitor creation."
- optional (( ssl.mode == "client_ssl"
- || ssl.mode == "client_ssl_server_ssl" || apm.use_apm == "yes" )
- && ( ssl.cert == "/Common/default.crt"
- || ssl.cert == "/Common/ca-bundle.crt"
- || ssl.cert == "/Common/f5-irule.crt"
- || ssl.key == "/Common/default.key" )) {
- message critical "You have selected a default BIG-IP certificate and/or key. This application service configuration is incomplete and will not be secure until you import and assign a trusted certificate and key that are valid for all fully qualified domain names used to access the application. See Local Traffic >> SSL Certificate List for importing certificates and keys. To select any new certificates and keys you import, you need to restart or reconfigure this template."
- }
- }
- }
-}
-
-optional ( ssl_encryption_questions.offload_ssl == "Yes"
- || ssl_encryption_questions.offload_ssl == "No" ) {
- optional ( intro.analytics_provisioned == "yes" ) {
- section analytics {
- choice add_analytics default "No" display "small" { "Yes" => "Yes" , "No" => "No" }
- optional ( add_analytics == "Yes" ) {
- message about_analytics_profiles "For full functionality and flexibility, we recommend that you create a custom Analytics profile for each iApp under Local Traffic > Profiles > Analytics. Once you have created an Analytics profile, you will be able to select it from the list below."
- choice create_new_analytics default "Select a Custom Profile" display "xlarge" {
- "Select a Custom Profile" => "Select a Custom Profile" ,
- "Use Default Profile" => "Use Default Profile"
- }
- optional ( create_new_analytics == "Select a Custom Profile" ) {
- choice analytics_profile display "xlarge" tcl {
-
- set ::choices [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain ltm profile analytics]
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- }
- }
- }
- }
-
- section basic {
- string addr required validator "IpAddress"
- optional ((ssl_encryption_questions.offload_ssl == "Yes"
- && ssl_encryption_questions.offload_ssl_1 == "No" )
- || (ssl_encryption_questions.offload_ssl == "No"
- && ssl_encryption_questions.offload_ssl_2 == "No" )) {
- string port default "80" required validator "PortNumber" display "small"
- }
- optional ((ssl_encryption_questions.offload_ssl == "Yes"
- && ssl_encryption_questions.offload_ssl_1 == "Yes" )
- || (ssl_encryption_questions.offload_ssl == "No"
- && ssl_encryption_questions.offload_ssl_2 == "Yes" )) {
- string secure_port default "443" required validator "PortNumber" display "small"
-
- choice create_redir default "Yes" display "small" { "Yes" => "Yes" , "No" => "No" }
- optional ( create_redir == "Yes" ) {
- string redir_port default "80" required validator "PortNumber" display "small"
- }
- }
-
- choice snat default "No" display "small" { "Yes" => "Yes" , "No" => "No" }
- optional ( snat == "No" ) {
- choice need_snatpool default "No" display "small" { "Yes" => "Yes" , "No" => "No" }
- optional ( need_snatpool == "Yes" ) {
- table snatpool_members {
- string addr required validator "IpAddress"
- }
- }
- }
-choice using_ntlm default "No" display "small" { "Yes" => "Yes" , "No" => "No" }
- }
-
- section server_pools {
- choice create_new_pool default "Create New Pool" display "large" {
- "Create New Pool" => "Create New Pool" ,
- "Use Pool..." => "Use Pool..."
- }
- optional ( create_new_pool == "Create New Pool" ) {
- lb_method lb_method_choice
- table servers {
- string addr required validator "IpAddress"
- string port default "80" required validator "PortNumber"
- display "small"
- string connection_limit default "0" required
- validator "NonNegativeNumber" display "small"
- optional ( lb_method_choice == "ratio-member" ||
- lb_method_choice == "ratio-node" ||
- lb_method_choice == "ratio-session" ||
- lb_method_choice == "ratio-least-connections-member" ||
- lb_method_choice == "ratio-least-connections-node" ||
- lb_method_choice == "dynamic-ratio-member" ||
- lb_method_choice == "dynamic-ratio-node" ) {
- string ratio default "1" validator "NonNegativeNumber"
- display "small"
- }
- }
-
- choice tcp_request_queuing_enable_question default "No" display "small" { "Yes" => "Yes" , "No" => "No" }
- optional ( tcp_request_queuing_enable_question == "Yes" ) {
- message note "TCP request queuing requires you to have a Connection Limit on your pool members."
-
- string tcp_request_queue_length required
- validator "NonNegativeNumber" display "small"
- string tcp_request_queue_timeout required
- validator "NonNegativeNumber" display "small"
- }
-
- choice create_new_monitor default "Create New Monitor" display "xlarge" {
- "Create New Monitor" => "Create New Monitor" ,
- "Use Monitor..." => "Use Monitor..."
- }
- optional ( create_new_monitor == "Create New Monitor" ) {
- string monitor_interval default "30" required
- validator "NonNegativeNumber" display "small"
-
- string monitor_send default "GET /" required display "xlarge"
-
- choice monitor_http_version default "Version 1.0" { "Version 1.0" , "Version 1.1" }
- optional ( monitor_http_version == "Version 1.1" ) {
- string monitor_dns_name required validator "FQDN"
- display "large"
- }
-
- string monitor_recv display "xlarge"
- }
-
- optional ( create_new_monitor == "Use Monitor..." ) {
- choice reuse_monitor_name display "xlarge" tcl {
-
- set ::choices "[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm monitor http]\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm monitor https]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- }
- }
-
- optional ( create_new_pool == "Use Pool..." ) {
- choice reuse_pool_name display "xlarge" tcl {
-
- set ::choices [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items ltm pool]
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- }
- }
-
- section optimizations {
- choice lan_or_wan default "WAN" {
- "WAN" => "WAN" ,
- "LAN" => "LAN"
- }
-
- optional ( intro.am_provisioned == "yes" ) {
- choice use_wa default "No" display "small" { "Yes" => "Yes" , "No" => "No" }
- optional ( use_wa == "Yes" ) {
- table hosts {
- string host required validator "FQDN" display "xlarge"
- }
-
- choice x_wa_info_header default "none" {
- "None" => "none" ,
- "Standard" => "standard" ,
- "Debug" => "debug"
- }
- choice perf_monitor default "disabled" {
- "Enabled" => "enabled" ,
- "Disabled" => "disabled"
- }
- optional ( perf_monitor == "enabled" ) {
- string data_retention_period default "30" required
- validator "NonNegativeNumber"
- }
-
- choice policy display "xlarge"
- default "/Common/Generic Policy - Enhanced" tcl {
-
- set ::choices "/Common/Generic Policy - Complete\n/Common/Generic Policy - Enhanced\n/Common/Generic Policy - Extension Based\n/Common/Generic Policy - Fundamental\n[tmsh::run_proc f5.iapp.1.5.2.cli:iapp_get_items -nocomplain -norecursive -filter predefined == no wam policy predefined]"
- return [tmsh::run_proc f5.iapp.1.5.2.cli:iapp_safe_display ::choices]
- }
- }
- }
-
- }
-}
-
-text {
- intro "Welcome to the iApp template for web applications"
- intro.early_release "EARLY RELEASE"
- intro.hello "Introduction"
-
- intro.check_for_updates "Check for Updates"
-
- intro.am_not_provisioned "Additional features available"
-
- intro.analytics_not_provisioned "Additional features available"
-
- ssl_encryption_questions "Template Options"
-
- ssl_encryption_questions.help "Do you want to see inline help?"
-
- ssl_encryption_questions.help_max ""
-
- ssl_encryption_questions.legacy_advanced "Which configuration mode do you want to use?"
-
- ssl_encryption_questions.legacy_warning "NOTE"
-
- ssl_encryption_questions.advanced "Which configuration mode do you want to use?"
-
- ssl_encryption_questions.conf_mode_max ""
-
- net "Network"
- net.v13_tcp "Do you want to use the latest TCP profiles?"
- net.v13_tcp_warning_1 "" "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
- net.v13_tcp_warning_2 "IMPORTANT"
- net.v13_tcp_warning_3 "" "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
- net.v13_tcp_max ""
- net.client_mode "What type of network connects clients to the BIG-IP system?"
- net.client_mode_max ""
- net.vlan_mode "Do you want to restrict client traffic to specific VLANs?"
-
- net.vlan_max ""
-
- net.client_vlan "On which VLANs should traffic be enabled or disabled?"
-
- net.client_vlan_max ""
-
- net.disabled_vlan_max "WARNING"
-
- net.server_mode "What type of network connects servers to the BIG-IP system?"
- net.server_mode_max ""
-
- net.tunnel_max1 "NOTE"
-
- net.tunnel_max2 "IMPORTANT"
-
- net.tunnel_max3 "NOTE"
-
- net.tunnel_max4 "IMPORTANT"
-
- net.same_subnet "Where will the virtual servers be in relation to the web servers?"
-
- net.subnet_1_max ""
-
- net.subnet_2_max ""
-
- net.subnet_3_max ""
-
-
- net.route_to_bigip "How have you configured routing on your web servers?"
-
- net.def_rt_1_max ""
-
- net.def_rt_2_max ""
-
- net.def_rt_3_max ""
-
- net.snat_type "How many connections do you expect to each web server?"
-
- net.snat_max ""
-
- net.snatpool "Create a new SNAT pool or use an existing one?"
- net.snatpool_max ""
-
- net.snatpool_members "What are the IP addresses you want to use for the SNAT pool?"
-
- net.snatpool_members.addr "IP"
-
- net.snatpool_members_max ""
-
-
- ssl "SSL Encryption"
-
- ssl.mode "How should the BIG-IP system handle SSL traffic?"
-
- ssl.mode_1_max ""
-
- ssl.mode_2_max ""
-
- ssl.mode_3_max ""
-
- ssl.mode_4_max ""
-
- ssl.mode_5_max ""
-
- ssl.mode_6_max ""
-
- ssl.mode_7_max ""
-
- ssl.cert "Which SSL certificate do you want to use?"
- ssl.cert_max ""
- ssl.cert1_max ""
-
- ssl.key "Which SSL private key do you want to use?"
- ssl.key_max ""
-
- ssl.use_chain_cert "Which intermediate certificate do you want to use?"
- ssl.use_chain_cert_1_max ""
-
- ssl.use_chain_cert_2_max ""
-
- ssl.ssl_warn_1 "WARNING:"
- ssl.ssl_warn_2 "NOTE:"
- ssl.ssl_warn_3 "NOTE:"
-
- ssl.client_ssl_profile "Which Client SSL profile do you want to use?"
- ssl.client_ssl_profile_max ""
-
- ssl.server_ssl_profile "Which Server SSL profile do you want to use?"
- ssl.server_ssl_profile_max ""
-
- intro.asm_not_provisioned "Additional features available"
- asm "Application Security Manager (BIG-IP ASM)"
- asm.use_asm "Do you want to deploy BIG-IP Application Security Manager?"
- asm.asm_template "Which ASM template should be used to build the policy?"
- asm.asm_1_max ""
- asm.asm_2_max ""
- asm.language "Which language encoding is used for ASM?"
- asm.language_max ""
- asm.security_logging "Which logging profiles would you like to use?"
- asm.security_logging_max ""
-
- apm "Access Policy Manager (BIG-IP APM)"
- apm.use_apm "Provide secure authentication with BIG-IP APM?"
- apm.use_apm_help ""
-
- apm.apm_profile "Which Access Profile do you want to use?"
- apm.apm_profile_help ""
- apm.apm_policy "Which Per-Request Access Policy do you want to use?"
- apm.apm_policy_help ""
- ssl.mode_apm "How should the BIG-IP system handle SSL traffic?"
-
- afm "Advanced Firewall Manager (BIG-IP AFM)"
- afm.policy "Do you want to use AFM network firewall and IP Intelligence to protect your application?"
- afm.policy_max ""
- afm.restrict_by_addr "Do you want to forbid access to your application from specific networks or IP addresses?"
- afm.restrict_max ""
- afm.allowed_addr "What IP or network addresses should be allowed to access your application?"
- afm.allowed_addr_max ""
- afm.restrict_by_reputation "How should the system control connections from networks suspected of malicious activity?"
- afm.restrict_by_reputation_max ""
- afm.restrict_by_reputation_log ""
- afm.restrict_by_reputation_warn "IMPORTANT"
- afm.ip_intelligence_policy "Which IP Intelligence policy do you want to use?"
- afm.ip_intelligence_policy_max ""
- afm.staging_policy "Would you like to stage a policy for testing purposes?"
- afm.staging_policy_max ""
- afm.staging_policy1_max "CRITICAL"
- afm.security_logging "Which logging profile would you like to use?"
- afm.security_logging_max ""
- afm.security_logging1_max ""
- afm.dos_security_profile "Which Denial-of-Service profile do you want to use?"
- afm.dos_security_profile_max ""
- afm.protocol_security_profile "Which HTTP protocol security profile do you want to use?"
- afm.protocol_security_profile_max ""
-
- pool "Virtual Server and Pools"
- pool.addr "What IP address do you want to use for the virtual server?"
- pool.addr_max ""
- pool.mask "If using a network virtual address, what is the IP mask?"
- pool.mask_max ""
- pool.port "What port do you want to use for the virtual server?"
- pool.port_max ""
- pool.mirror "Do you want to enable connection and persistence mirroring?"
- pool.port_secure "What port do you want to use for the virtual server?"
- pool.hosts "What FQDNs will clients use to access the servers?"
- pool.hosts.name "Host"
-
- pool.redirect_to_https "Do you want to redirect inbound HTTP traffic to HTTPS?"
-
- pool.mirror_max ""
-
- pool.redirect_port "From which port should HTTP traffic be redirected?"
-
- pool.redirect_max ""
-
- pool.redirect_port_max ""
-
-
- pool.fqdn_max ""
-
- pool.http "Which HTTP profile do you want to use?"
- pool.http_max ""
-
- pool.xff "Should the BIG-IP system insert the X-Forwarded-For header?"
-
- pool.xff_max ""
-
- pool.persist "Which persistence profile do you want to use?"
- pool.pass_thru_persist "Which persistence profile do you want to use?"
-
- pool.pass_thru_persist_max ""
-
- pool.persist_max ""
-
- pool.fallback_persist "Would you like to add a fallback-persistence profile?"
-
- pool.pool_to_use "Do you want to create a new pool or use an existing one?"
- pool.pool_to_use_wom "Do you want to create a new pool or use an existing one?"
- pool.pool_max ""
-
- pool.members "Which web servers should be included in this pool?"
- pool.members_max ""
- pool.members.addr "Node/IP address"
- pool.members.port "Port"
- pool.members.port_secure "Port"
- pool.members.connection_limit "Connection limit"
- pool.members.ratio "Ratio"
- pool.members.priority "Priority"
- pool.lb_method "Which load balancing method do you want to use?"
- pool.lb_method_max ""
-
- pool.use_pga "Do you want to give priority to specific groups of servers?"
-
- pool.pga_max ""
-
- pool.min_active_members "What is the minimum number of active members in a group?"
- pool.min_active_members_max ""
-
- client "Delivery Optimization"
- client.use_wa "Use the BIG-IP Application Acceleration Manager?"
- client.x_wa_info_header "Do you want to insert the X-WA-Info header?"
- client.x_wa_info_max ""
- client.enable_perf_monitor "Do you want to use the legacy AAM performance monitor?"
- client.enable_perf_monitor_max ""
- client.data_retention_period "For how many days should the BIG-IP system retain the data?"
- client.policy "Which acceleration policy do you want to use?"
- client.policy_complete_about_max ""
- client.policy_enhanced_about_max ""
- client.policy_extension_about_max ""
- client.policy_fundamental_about_max ""
-
- client.http_compression "Which compression profile do you want to use?"
- client.standard_caching_with_wa "Which Web Acceleration profile do you want to use for caching?"
- client.standard_caching_with_wa_max ""
- client.standard_caching_with_wa_not_default_max ""
- client.standard_caching_without_wa "Which Web Acceleration profile do you want to use for caching?"
- client.about_custom_caching_max_1 ""
- client.about_custom_caching_max_1a ""
-
- client.about_custom_caching_max_2 ""
- client.about_custom_caching_max_3 ""
-
- client.tcp_lan_opt "How do you want to optimize client-side connections?"
- client.tcp_wan_opt "How do you want to optimize client-side connections?"
- client.tcp_lan_note ""
- client.tcp_wan_note ""
- client.legacy_tcp_lan_note ""
- client.legacy_tcp_wan_note ""
- client.comp_max ""
- client.comp1_max ""
-
- client.tcp_max ""
-
- client.isession_profile "Create a new iSession tunnel profile or use an existing one?"
- client.isession_profile_max ""
-
- client.isession "Which iSession features do you want to use?"
- client.isession_max ""
-
- client.isession.encryption "WAN encryption"
- client.isession.compression "Adaptive Compression"
- client.isession.deduplication "Deduplication"
-
- server "Server Offload"
- server.oneconnect "Which OneConnect profile do you want to use?"
- server.oc_max ""
-
- server.ntlm "Which NTLM profile do you want to use?"
- server.ntlm_max ""
-
- server.tcp_lan_opt "How do you want to optimize server-side connections?"
- server.tcp_wan_opt "How do you want to optimize server-side connections?"
- server.tcp_lan_note ""
- server.tcp_wan_note ""
- server.legacy_tcp_lan_note ""
- server.legacy_tcp_wan_note ""
- server.tcp_max ""
-
- server.tcp_req_queueing "Should the BIG-IP system queue TCP requests?"
-
- server.tcp_queue_length "What is the maximum number of TCP requests for the queue?"
-
- server.tcp_queue_length_max ""
-
- server.tcp_queue_timeout "How many milliseconds should requests stay in the queue?"
-
- server.tcp_queue_timeout_max ""
-
- server.tcp_request_queue_1_max "WARNING"
-
- server.tcp_request_queue_2_max ""
-
- server.use_slow_ramp "Use a Slow Ramp time for newly added servers?"
-
- server.slow_ramp_max ""
-
- server.slow_ramp_setvalue "How many seconds should Slow Ramp time last?"
- server.slow_ramp_setvalue_max ""
-
- monitor "Application Health"
- monitor.monitor_max ""
-
- monitor.monitor "Create a new health monitor or use an existing one?"
- monitor.http_method "What type of HTTP request should be sent to the servers?"
- monitor.uri "What HTTP URI should be sent to the servers?"
-
- monitor.http_version "Which HTTP version do your servers expect clients to use?"
- monitor.version_max ""
-
- monitor.frequency "How many seconds should pass between health checks?"
- monitor.freq_max ""
-
- monitor.response "What is the expected response to the HTTP request?"
- monitor.method_max ""
-
- monitor.uri_max ""
-
-
- monitor.post_body "What HTTP POST body do you want to use for this monitor?"
- monitor.body_max ""
- monitor.response_max ""
- monitor.credentials "Should the health monitor require credentials?"
- monitor.credentials_max ""
- monitor.basic_cred_note "NOTE"
- monitor.user "What user name should the monitor use?"
- monitor.user_max ""
- monitor.passwd "What is the associated password?"
- monitor.passwd_max ""
-
- local_traffic "Local Traffic Policies"
- local_traffic.note "WARNING:"
- local_traffic.policies "Do you want to add any custom LTM policies to this configuration?"
- local_traffic.policies_max ""
-
- irules "iRules"
- irules.irules "Do you want to add any custom iRules to this configuration?"
- irules.note "WARNING:"
- irules.irule_2_max ""
-
- irules.irule_3_max ""
-
- stats "Statistics and Logging"
- stats.analytics "Do you want to enable Analytics for application statistics?"
- stats.tcp_analytics "Do you want to enable TCP-Analytics for application statistics?"
- stats.request_logging "Which HTTP request logging profile do you want to use?"
- stats.avr_1_max "IMPORTANT"
- stats.avr_2_max ""
- stats.avr_3_max ""
-
-
- stats.req_log_max ""
-
- extra "Additional Steps"
- extra.dns "DNS"
- extra.web_servers "Web servers"
- extra.critical "Default SSL certificate and key"
-
-
- ssl_encryption_questions.deprecated "PLEASE UPGRADE"
- ssl_encryption_questions.upgrade "Do you want to upgrade this template?"
-
- ssl_encryption_questions.gap_1 " "
- ssl_encryption_questions.gap_2 " "
- ssl_encryption_questions.section_head "SSL Encryption Questions"
- ssl_encryption_questions.offload_ssl_1 "Do you want the BIG-IP system to offload SSL processing from the web servers?"
-
- ssl_encryption_questions.offload_ssl_2 "Do you want the BIG-IP system to offload SSL processing from the web servers?"
-
- ssl_encryption_questions.cert "Which certificate do you want the BIG-IP system to use to authenticate the server? (You may need to import a certificate before deploying this Template.)"
- ssl_encryption_questions.key "Which key do you want the BIG-IP system to use for encryption? (You may need to import a key before deploying this Template.)"
-
- analytics "Analytics"
- analytics.add_analytics "Do you want to enable Analytics so that you can view application statistics? (This may affect system performance.)"
-
- analytics.about_analytics_profiles "About creating your own Analytics profiles:"
- analytics.create_new_analytics "Do you want to use a default Analytics profile or select a custom profile?"
- analytics.analytics_profile "Which Analytics profile do you want to use?"
-
- basic "Virtual Server Questions"
- basic.addr "What IP address do you want to use for this virtual server?"
- basic.port "What port do you want to use for this virtual server?"
- basic.secure_port "What port do you want to use for this virtual server?"
- basic.create_redir "Do you want to redirect traffic that comes in as HTTP to HTTPS?"
-
- basic.redir_port "What port do you want to use for the redirect virtual server?"
- basic.snat "Do the web servers have a route back to application clients via this BIG-IP system?"
-
- basic.need_snatpool "Will you have more than 64,000 connections at one time? If so, you will need to enter at least one IP address for each 64,000 connections. "
-
- basic.snatpool_members "Enter IP addresses that can be used for a SNAT pool. Enter one IP address for each 64,000 connections "
- basic.snatpool_members.addr "Address: "
-
- basic.using_ntlm "Are the web servers configured to use NTLM authentication?"
-
-
-
- server_pools "HTTP Server Pool, Load Balancing, and Service Monitor Questions"
- server_pools.create_new_pool "Do you want to create a new pool or use an existing one?"
- server_pools.lb_method_choice "Which load balancing method do you want to use?"
- server_pools.servers "Which servers do you want this virtual server to reference? (The virtual server will not be available until at least one server is added.)"
- server_pools.servers.addr "Address"
- server_pools.servers.port "Port"
- server_pools.servers.ratio "Ratio"
- server_pools.servers.connection_limit "Connection Limit"
- server_pools.tcp_request_queuing_enable_question "Do you want the BIG-IP system to queue TCP requests?"
-
- server_pools.note "NOTE:"
- server_pools.tcp_request_queue_length "Specify the TCP request queue length. Choose 0 for unlimited."
- server_pools.tcp_request_queue_timeout "Specify a timeout for TCP request queuing in milliseconds. Choose 0 for unlimited."
- server_pools.reuse_pool_name "Choose a pool from the list of available pools."
- server_pools.create_new_monitor "Do you want to create a new health monitor or use an existing one?"
- server_pools.monitor_interval "How often (in seconds) do you want the BIG-IP system to check on the health of each web server? "
- server_pools.monitor_send "What HTTP request should be sent to check the health of each web server?"
-
- server_pools.monitor_http_version "What HTTP version do your web servers expect clients to use?"
-
-
- server_pools.monitor_dns_name "What fully qualified DNS name are HTTP 1.1 clients expected to use to access the web servers?"
- server_pools.monitor_recv "What string can the BIG-IP system expect to see within the health check response for the server to be considered healthy?"
- server_pools.reuse_monitor_name "Choose a monitor from the list of available monitors."
-
-
- optimizations "Protocol Optimization Questions"
- optimizations.lan_or_wan "Will clients be connecting to this virtual server primarily over a LAN or a WAN?"
-
- optimizations.use_wa "Do you want to use the BIG-IP AAM module to accelerate your traffic?"
-
- optimizations.hosts "What fully qualified DNS names will your end users use to access the web Virtual Server (e.g., site.f5.com)."
- optimizations.hosts.host "Host"
- optimizations.policy "Select the AAM policy to use."
- optimizations.x_wa_info_header "Do you want to insert the X-WA-Info Header?"
- optimizations.perf_monitor "Do you want to enable the AAM performance monitor?"
- optimizations.data_retention_period "How many days to you want to keep AAM performance data?"
-
-}
- }
- role-acl { admin manager resource-admin }
- run-as none
- }
- }
- requires-bigip-version-max none
- requires-bigip-version-min 11.5.0
- requires-modules { }
-}
diff --git a/SACAv1/roles/f5-azure-scca-internal-setup/files/f5.policy_creator.tmpl b/SACAv1/roles/f5-azure-scca-internal-setup/files/f5.policy_creator.tmpl
deleted file mode 100644
index f696f0e..0000000
--- a/SACAv1/roles/f5-azure-scca-internal-setup/files/f5.policy_creator.tmpl
+++ /dev/null
@@ -1,279 +0,0 @@
-sys application template /Common/f5.policy_creator {
- actions {
- definition {
- html-help {
- Deployment Helper iApp Template
-
-This template creates a set of configuration objects to be consumed
- }
- implementation {
-##################################################################################################################################################################################################
-## Example call to REST API to instantiate this iApp, there is no presentation so passing in specific ##
-## variables which are called at the start of the template ##
-## ##
-## curl -sku admin:admin-X POST -H "Content-Type: application/json" https://localhost/mgmt/tm/sys/application/service/ -d \ ##
-## '{"name":"'"$appname"'","partition":"Common","strictUpdates":"disabled","template":"/Common/f5.deploy_helper","trafficGroup":"none","lists":[],\ ##
-## "variables":[{"name":"variables__deployment","encrypted":"no","value":"'"$deployment"'"},{"name":"variables__type","encrypted":"no","value":"'"$type"'"},\ ##
-## {"name":"variables__level","encrypted":"no","value":"'"$level"'"},{"name":"variables__asm_policy_location","encrypted":"no","value":"'"$asm_policy_location"'"},\ ##
-## {"name":"variables__custom_asm_policy","encrypted":"no","value":"'"$custom_asm_policy"'"},{"name":"variables__l7dos_level","encrypted":"no","value":"'"$l7dos_level"'"}]}' | jq . ##
-## {"name":"variables__do_asm","encrypted":"no","value":"'"$do_asm"'"},{"name":"variables__do_l7dos","encrypted":"no","value":"'"$do_l7dos"'"},\ ##
-## {"name":"variables__do_uri_rewrite","encrypted":"no","value":"'"$do_uri_rewrite"'"} ##
-## ##
-##################################################################################################################################################################################################
-
- package require iapp 1.1.3
-
- proc tmsh_exe {command} {
- #this proc gives us the ability to do commands outside the context of the iApp
- exec /usr/bin/tmsh -c $command
- }
-
- proc deploy_asm {deployment type level asm_policy_location custom_asm_policy} {
- set asm_level "$level"
- if { $custom_asm_policy != "none" && [regexp -- {^(https?://[a-z0-9\-]+\.[a-z0-9\-\.]+(?:/|(?:/[a-zA-Z0-9!#\$%&'\*\+,\-\.:;=\?@\[\]_~]+)*))$} $custom_asm_policy match url] } {
- puts "Deploying... Custom URL Acceptable: $custom_asm_policy"
- set custom 1
- set asm_level "$custom_asm_policy"
- } else {
- puts "Deploying... Standard ASM policy from ${asm_policy_location}/asm-policy.tar.gz"
- exec /bin/tar xf ${asm_policy_location}/asm-policy.tar.gz -C $asm_policy_location
- set custom 0
- }
-
- foreach unique_level $asm_level {
- switch $unique_level {
- low { set blocking_mode "enabled" ; set asm_name $deployment-$type-$unique_level ; set asm_url "${asm_policy_location}/asm-policy-${type}-${unique_level}.xml" }
- medium { set blocking_mode "enabled" ; set asm_name $deployment-$type-$unique_level ; set asm_url "${asm_policy_location}/asm-policy-${type}-${unique_level}.xml" }
- high { set blocking_mode "enabled" ; set asm_name $deployment-$type-$unique_level ; set asm_url "${asm_policy_location}/asm-policy-${type}-${unique_level}.xml" }
- off { set blocking_mode "disabled" ; set asm_name $deployment-$type-$unique_level ; set asm_url "${asm_policy_location}/asm-policy-${type}-${unique_level}.xml" }
- default { set blocking_mode "enabled" ; set asm_name "$deployment-custom-asm-policy" ; set asm_url $custom_asm_policy }
- }
-
- if { $unique_level == "none" } { continue }
-
- #Download ASM asm_policy and load it
- puts "Deploying... Downloading ASM Policy: $asm_url"
-
- if { $custom } {
- if { [catch { exec /usr/bin/curl -s -k $asm_url --retry 3 -o /tmp/${asm_name}.xml } err] } {
- error "Unable to download ASM policy - URL: $asm_url Error: $err"
- }
- } else {
- if { [catch { exec cp $asm_url /tmp/${asm_name}.xml } err] } {
- error "Unable to copy ASM policy - location: $asm_url Error: $err"
- }
- }
-
- puts "Deploying... Creating ASM Policy: /Common/${asm_name}-security_policy Level: $unique_level"
-
- tmsh_exe "load asm policy /Common/${asm_name}-security_policy overwrite file /tmp/${asm_name}.xml"
-
- #Set asm asm_policy to active and blocking
- tmsh_exe "modify asm policy /Common/${asm_name}-security_policy active blocking-mode $blocking_mode"
- }
- }
-
- iapp::template start
- set ::L7DOS_FAIL {"You have entered an invalid answer for the question. Please, try again.What code is in the image\? %DOSL7.captcha.solution%What code is in the image\? %DOSL7.captcha.solution% /home/$USER/f5-azure-saca/sp.json < /home/$USER/f5-azure-saca/keys.txt < env.sh
-
-chown -R $USER /home/$USER/f5-azure-saca
diff --git a/SACAv1/scripts/MissionOwner.sh b/SACAv1/scripts/MissionOwner.sh
deleted file mode 100755
index 57dedce..0000000
--- a/SACAv1/scripts/MissionOwner.sh
+++ /dev/null
@@ -1,138 +0,0 @@
-#!/bin/bash
-# Change Values in these Variables to match your environment!!!!!
-IL5MissionOwnerRGName="${AZURE_RESOURCE_GROUP}_IL5-1"
-location=$location
-SCCAinfrastructureRGname="$AZURE_RESOURCE_GROUP"
-SCCAinfrastructureVNetName='VDSS_VNet'
-F5_Ext_Trust_RouteTableName='F5_Ext_Trust_RouteTable'
-IPS_Trust_RouteTableName='IPS_Trust_RouteTable'
-Internal_Subnets_RouteTableName='Internal_Subnets_RouteTable'
-IPSUntrustedIP='192.168.2.5'
-#F5IntUntrustedIP='192.168.4.5'
-F5IntUntrustedIP=$(az network route-table route show -g $SCCAinfrastructureRGname --route-table-name $IPS_Trust_RouteTableName --name RouteToManagement --query "nextHopIpAddress"|sed s/\"//g)
-#F5IntTrustedIP='192.168.5.5'
-F5IntTrustedIP=$(az network route-table route show -g $SCCAinfrastructureRGname --route-table-name $Internal_Subnets_RouteTableName --name RouteToInternet --query "nextHopIpAddress"|sed s/\"//g)
-IL5MissionOwnerVNetName='IL5MissionOwner1VNet'
-IL5MissionOwnerVNetPrefix='10.0.0.0/22'
-IL5MissionOwnerSubnet1Name='ProductionSubnet'
-IL5MissionOwnerSubnet1Prefix='10.0.0.0/24'
-RouteToIL5MissionOwnerName='ToIL5MissionOwner'
-
-# These Variables will be used in the deployment tasks below... Don't change!!!
-SCCAvnet=$(az network vnet show -g $SCCAinfrastructureRGname -n $SCCAinfrastructureVNetName --query id|sed s/\"//g)
-F5extTrustRouteTable=$(az network route-table show -g $SCCAinfrastructureRGname -n $F5_Ext_Trust_RouteTableName --query id|sed s/\"//g)
-IPSTrustRouteTable=$(az network route-table show -g $SCCAinfrastructureRGname -n $IPS_Trust_RouteTableName --query id|sed s/\"//g)
-InternalSubnetsRouteTable=$(az network route-table show -g $SCCAinfrastructureRGname -n $Internal_Subnets_RouteTableName --query id|sed s/\"//g)
-
-case $1 in
-
- create) echo "Creating"
- # Create the MissionOwner resource group.
- az group create --location $location -n $IL5MissionOwnerRGName
-
- # Create IL5 VNet.
- az network vnet create -l $location -g $IL5MissionOwnerRGName -n $IL5MissionOwnerVNetName --address-prefixes $IL5MissionOwnerVNetPrefix
-
- #Set IL5 VNet Variable
- IL5vNet=$(az network vnet show -g $IL5MissionOwnerRGName -n $IL5MissionOwnerVNetName --query id|sed s/\"//g)
-
- #Create Subnet in IL5 VNet and assign Internal_Subnets_RouteTable
- echo "Create Subnet in IL5 VNet and assign Internal_Subnets_RouteTable"
- az network vnet subnet create -n $IL5MissionOwnerSubnet1Name --address-prefix $IL5MissionOwnerSubnet1Prefix -g $IL5MissionOwnerRGName --vnet-name $IL5MissionOwnerVNetName --route-table $InternalSubnetsRouteTable
-
- # Peer VNet1 to VNet2.
- echo "Peer VNet1 to VNet2."
- az network vnet peering create -n VDSStoIL5MissionOwner \
- --remote-vnet-id $IL5vNet \
- --resource-group $SCCAinfrastructureRGname \
- --vnet-name $SCCAinfrastructureVNetName \
- --allow-vnet-access
-
- # Peer VNet2 to VNet1.
- echo "Peer VNet2 to VNet1."
- az network vnet peering create -n IL5MissionOwnerToVDSS \
- --remote-vnet-id $SCCAvnet \
- --resource-group $IL5MissionOwnerRGName \
- --vnet-name $IL5MissionOwnerVNetName \
- --allow-vnet-access \
- --allow-forwarded-traffic
-
-
- #Add IL5MO Route to F5_Ext_Trust_RouteTable
- echo "Add IL5MO Route to F5_Ext_Trust_RouteTable"
- az network route-table route create --address-prefix $IL5MissionOwnerVNetPrefix \
- --name $RouteToIL5MissionOwnerName \
- --next-hop-type VirtualAppliance \
- --next-hop-ip-address $IPSUntrustedIP \
- --resource-group $SCCAinfrastructureRGname \
- --route-table-name $F5_Ext_Trust_RouteTableName
-
- #Add IL5MO Route to IPS_Trust_RouteTable
- echo "Add IL5MO Route to IPS_Trust_RouteTable"
- az network route-table route create --address-prefix $IL5MissionOwnerVNetPrefix \
- --name $RouteToIL5MissionOwnerName \
- --next-hop-type VirtualAppliance \
- --next-hop-ip-address $F5IntUntrustedIP \
- --resource-group $SCCAinfrastructureRGname \
- --route-table-name $IPS_Trust_RouteTableName
- #Add IL5MO Route to Internal_Subnets_RouteTable
- echo "Add IL5MO Route to Internal_Subnets_RouteTable"
- az network route-table route create --address-prefix $IL5MissionOwnerVNetPrefix \
- --name $RouteToIL5MissionOwnerName \
- --next-hop-type VirtualAppliance \
- --next-hop-ip-address $F5IntTrustedIP \
- --resource-group $SCCAinfrastructureRGname \
- --route-table-name $Internal_Subnets_RouteTableName
- az network public-ip create -g ${SCCAinfrastructureRGname} -n f5-ext-pip2 --allocation-method static
- az network lb frontend-ip create --name loadBalancerFrontEnd3 --lb-name f5-ext-alb -g ${SCCAinfrastructureRGname} --public-ip-address f5-ext-pip2
-
- az network lb rule create --backend-port 80 --frontend-port 80 --lb-name f5-ext-alb -g ${SCCAinfrastructureRGname} --name mo_http_vs --protocol Tcp --backend-pool-name LoadBalancerBackEnd --floating-ip true --frontend-ip-name loadBalancerFrontEnd3 --probe-name is_alive
-
- az network lb rule create --backend-port 443 --frontend-port 443 --lb-name f5-ext-alb -g ${SCCAinfrastructureRGname} --name mo_https_vs --protocol Tcp --backend-pool-name LoadBalancerBackEnd --floating-ip true --frontend-ip-name loadBalancerFrontEnd3 --probe-name is_alive
-
-
- ;;
- delete) echo "Deleting"
- #Delete IL5MO Route to F5_Ext_Trust_RouteTable
- echo "Delete IL5MO Route to F5_Ext_Trust_RouteTable"
- az network route-table route delete \
- --name $RouteToIL5MissionOwnerName \
- --resource-group $SCCAinfrastructureRGname \
- --route-table-name $F5_Ext_Trust_RouteTableName
-
- #Delete IL5MO Route to IPS_Trust_RouteTable
- echo "Delete IL5MO Route to IPS_Trust_RouteTable"
- az network route-table route delete \
- --name $RouteToIL5MissionOwnerName \
- --resource-group $SCCAinfrastructureRGname \
- --route-table-name $IPS_Trust_RouteTableName
- #Delete IL5MO Route to Internal_Subnets_RouteTable
- echo "Delete IL5MO Route to Internal_Subnets_RouteTable"
- az network route-table route delete \
- --name $RouteToIL5MissionOwnerName \
- --resource-group $SCCAinfrastructureRGname \
- --route-table-name $Internal_Subnets_RouteTableName
- # Delete VNet peering
- echo "Delete VNet Peering"
- az network vnet peering delete -n VDSStoIL5MissionOwner \
- --resource-group $SCCAinfrastructureRGname \
- --vnet-name $SCCAinfrastructureVNetName
-
- echo "delete rules"
- az network lb rule delete --lb-name f5-ext-alb -g ${SCCAinfrastructureRGname} --name mo_http_vs
- az network lb rule delete --lb-name f5-ext-alb -g ${SCCAinfrastructureRGname} --name mo_https_vs
- echo "delete frontend"
- az network lb frontend-ip delete --name loadBalancerFrontEnd3 --lb-name f5-ext-alb -g ${SCCAinfrastructureRGname}
- # Delete pip
- echo "delete pip"
- az network public-ip delete -g ${SCCAinfrastructureRGname} -n f5-ext-pip2
- # Delete Resource Group
- echo "delete group"
- az group delete --y --name $IL5MissionOwnerRGName --no-wait
-
- ;;
- *) echo "Invalid option"
- ;;
- esac
-exit
-
diff --git a/SACAv1/scripts/create-vm.sh b/SACAv1/scripts/create-vm.sh
deleted file mode 100644
index f97ef0f..0000000
--- a/SACAv1/scripts/create-vm.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-az vm create --image rhel --resource-group ${AZURE_RESOURCE_GROUP}_IL5-1 --name il5-mo-vm-1 --admin-username $f5_username --admin-password `base64 --decode .password.txt` --authentication-type password --vnet-name IL5MissionOwner1VNet --subnet ProductionSubnet --public-ip-address "" --nsg "" --private-ip-address 10.0.0.4
-
diff --git a/SACAv1/scripts/external.sh b/SACAv1/scripts/external.sh
deleted file mode 100644
index f946f69..0000000
--- a/SACAv1/scripts/external.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-# Create pools and configure vips for SCCA poc external pair
-
-SSL_VIS_POOL_NAME=ssl_visible_http_pool_3
-SSL_VIS_VIP_NAME=ssl_visible_http_pool_3
-HTTP_POOL_NAME=http_pool_3
-HTTP_VIP_NAME=http_pool_3
-
-# Populate iApp through tmsh
-# $1 create/delete
-# $2 = SSL VISIBLE VIP
-# $3 = SSL VISIBLE pool member IP (assumes port 80)
-# $4 = HTTP VIP
-# $5 = HTTP pool member IP (assumes port 80)
-
-if [ $# -lt 1 ]
-then
- echo "Usage : $0 [create]|[delete] "
- exit
-fi
-
-case $1 in
-
-create) tmsh create ltm pool $SSL_VIS_POOL_NAME { members add { $3:http { address $3 } } }
-
- tmsh create ltm virtual $SSL_VIS_VIP_NAME { destination $2:443 fw-enforced-policy log_all_afm ip-protocol tcp mask 255.255.255.255 pool $SSL_VIS_POOL_NAME profiles add { clientssl { context clientside } http { } tcp { } } security-log-profiles add { local-afm-log } source 0.0.0.0/0 translate-address enabled translate-port enabled }
-
- tmsh create ltm pool $HTTP_POOL_NAME { members add { $5:http { address $5 } } }
-
- tmsh create ltm virtual $HTTP_VIP_NAME { destination $4:http fw-enforced-policy log_all_afm ip-protocol tcp mask 255.255.255.255 pool $HTTP_POOL_NAME profiles add { http { } tcp { } } security-log-profiles add { local-afm-log } source 0.0.0.0/0 translate-address enabled translate-port enabled }
- ;;
-delete) tmsh delete ltm virtual $SSL_VIS_VIP_NAME
- tmsh delete ltm pool $SSL_VIS_POOL_NAME
- tmsh delete ltm virtual $HTTP_VIP_NAME
- tmsh delete ltm pool $HTTP_POOL_NAME
- ;;
-*) echo "Invalid option"
- ;;
-esac
diff --git a/SACAv1/scripts/internal.sh b/SACAv1/scripts/internal.sh
deleted file mode 100644
index a9e6b21..0000000
--- a/SACAv1/scripts/internal.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-# Create pool and configure iApp for SCCA poc on the internal pair
-
-APP_NAME=http_protected_3
-POOL_NAME=https_pool_3
-APP_HOSTNAME=www.f5demo.com
-
-# Populate iApp through tmsh
-# $1 create/delete
-# $2 = VIP
-# $3 = https pool member IP (assumes port 443)
-
-if [ $# -lt 1 ]
-then
- echo "Usage : $0 [create]|[delete] "
- exit
-fi
-
-case $1 in
-
-create) tmsh create ltm pool $POOL_NAME { members add { $3:http { address $3 } } }
-
- tmsh create sys application service $APP_NAME { device-group Sync lists add { asm__security_logging { value { \"Log all requests\" } } } tables add { basic__snatpool_members { } net__snatpool_members { } optimizations__hosts { } pool__hosts { column-names { name } rows { { row { $APP_HOSTNAME } } } } pool__members { } server_pools__servers { } } template f5.http.v1.2.0rc7 traffic-group none variables add { afm__policy { value /Common/log_all_afm } afm__restrict_by_reputation { value accept } afm__security_logging { value local-afm-log } afm__staging_policy { value \"/#do_not_use#\" } apm__use_apm { value no } asm__language { value utf-8 } asm__use_asm { value /Common/waf-basic-ltm_policy } client__http_compression { value \"/#do_not_use#\" } net__client_mode { value wan } net__server_mode { value lan } net__v13_tcp { value warn } pool__addr { value $2 } pool__pool_to_use { value /Common/$POOL_NAME } pool__port { value 80 } ssl__mode { value server_ssl } ssl__server_ssl_profile { value \"/#default#\" } ssl_encryption_questions__advanced { value no } ssl_encryption_questions__help { value hide } } }
- ;;
-delete) tmsh delete sys application service $APP_NAME.app/$APP_NAME
- tmsh delete ltm pool $POOL_NAME
- ;;
-*) echo "Invalid option"
- ;;
-esac
diff --git a/SACAv1/setup.yaml b/SACAv1/setup.yaml
deleted file mode 100644
index 12c5f1c..0000000
--- a/SACAv1/setup.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-- hosts: localhost
- tasks:
- - name: Get External variables
- command: python grab_vars.py --action external_setup
- register: ext_vars
- # - name: debug output
- # debug:
- # msg: "{{ext_vars.stdout|from_json }}"
- - name: Setup External F5
- import_role:
- name: f5-azure-scca-external-setup
- vars:
- resource_group: "{{ansible_env.AZURE_RESOURCE_GROUP}}_F5_External"
- location: "{{ansible_env.location}}"
- setup:
- "{{ext_vars.stdout|from_json }}"
-
- - name: Get Internal variables
- command: python grab_vars.py --action internal_setup
- register: int_vars
- # - name: debug output
- # debug:
- # msg: "{{int_vars.stdout|from_json }}"
- - name: Setup Internal F5
- import_role:
- name: f5-azure-scca-internal-setup
- vars:
- resource_group: "{{ansible_env.AZURE_RESOURCE_GROUP}}_F5_Internal"
- location: "{{ansible_env.location}}"
- setup:
- "{{int_vars.stdout|from_json }}"
-
diff --git a/SACAv1/update-vip-udr.yaml b/SACAv1/update-vip-udr.yaml
deleted file mode 100644
index 352430b..0000000
--- a/SACAv1/update-vip-udr.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-- name: Test the inventory script
- hosts: azure
- vars:
- f5_username: "{{ansible_env.f5_username}}"
- f5_password: "{{ansible_env.f5_password}}"
- connection: local
- gather_facts: yes
- tasks:
-# - debug: msg="{{ansible_host}}"
- - name: check failover status
- bigip_command:
- server: "{{ ansible_host }}"
- user: "{{f5_username}}"
- password: "{{f5_password}}"
- commands:
- - show /sys failover
- register: failover
- delegate_to: localhost
-# - debug: msg="{{failover.stdout}}"
-# when:
-# - '"active" in failover.stdout|first'
- - name: Save the running configuration of the BIG-IP
- bigip_config:
- save: yes
- server: "{{ ansible_host }}"
- user: "{{ f5_username }}"
- password: "{{ f5_password }}"
- delegate_to: localhost
- - name: trigger failover
- bigip_command:
- server: "{{ ansible_host }}"
- user: "{{f5_username}}"
- password: "{{f5_password}}"
- commands:
- - run /sys failover standby traffic-group traffic-group-1
- when:
- - '"active" in failover.stdout|first'
- delegate_to: localhost
-# - debug: msg="{{ inventory_hostname }} has powerstate {{ powerstate }}"
-# - shell: "f5-rest-node /config/cloud/azure/node_modules/f5-cloud-libs/node_modules/f5-cloud-libs-azure/scripts/failoverProvider.js"
diff --git a/SACAv2/3NIC_1Tier_HA/bigiq/azureDeploy.json b/SACAv2/3NIC_1Tier_HA/bigiq/azureDeploy.json
deleted file mode 100644
index 784428e..0000000
--- a/SACAv2/3NIC_1Tier_HA/bigiq/azureDeploy.json
+++ /dev/null
@@ -1,1671 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
- "contentVersion": "7.2.0.0",
- "parameters": {
- "governmentCloudRegion": {
- "defaultValue": true,
- "metadata": {
- "description": "Type of cloud this template will deploy into, ensure to select false for commercial."
- },
- "type": "bool"
- },
- "adminUsername": {
- "defaultValue": "xadmin",
- "metadata": {
- "description": "User name for the Virtual Machine."
- },
- "type": "string"
- },
- "authenticationType": {
- "allowedValues": [
- "password",
- "sshPublicKey"
- ],
- "defaultValue": "password",
- "metadata": {
- "description": "Type of authentication to use on the Virtual Machine, password based authentication or key based authentication."
- },
- "type": "string"
- },
- "adminPasswordOrKey": {
- "metadata": {
- "description": "Password or SSH public key to login to the Virtual Machine. Note: There are a number of special characters that you should avoid using for F5 product user accounts. See [K2873](https://support.f5.com/csp/article/K2873) for details. Note: If using key-based authentication, this should be the public key as a string, typically starting with **---- BEGIN SSH2 PUBLIC KEY ----** and ending with **---- END SSH2 PUBLIC KEY ----**."
- },
- "type": "securestring"
- },
- "WindowsAdminPassword": {
- "metadata": {
- "description": "Password for the Windows Virtual Machine."
- },
- "type": "securestring"
- },
- "dnsLabel": {
- "defaultValue": "f5dns01",
- "metadata": {
- "description": "Unique DNS Name for the Public IP address used to access the Virtual Machine."
- },
- "type": "string"
- },
- "instanceName": {
- "defaultValue": "bigip",
- "metadata": {
- "description": "Name of the Virtual Machine."
- },
- "type": "string"
- },
- "numberOfExternalIps": {
- "allowedValues": [
- 0,
- 1,
- 2,
- 3,
- 4,
- 5,
- 6,
- 7,
- 8,
- 9,
- 10,
- 11,
- 12,
- 13,
- 14,
- 15,
- 16,
- 17,
- 18,
- 19,
- 20
- ],
- "defaultValue": 1,
- "metadata": {
- "description": "The number of public/private IP addresses you want to deploy for the application traffic (external) NIC on the BIG-IP VE to be used for virtual servers."
- },
- "type": "int"
- },
- "enableNetworkFailover": {
- "allowedValues": [
- "No",
- "Yes"
- ],
- "defaultValue": "Yes",
- "metadata": {
- "description": "Enabling failover creates a traditional active/standby deployment with traffic groups and mirroring. When failover is disabled, all devices are active; use traffic group none."
- },
- "type": "string"
- },
- "internalLoadBalancerType": {
- "allowedValues": [
- "Per-protocol",
- "All-protocol",
- "DO_NOT_USE"
- ],
- "defaultValue": "Per-protocol",
- "metadata": {
- "description": "Specify a the type of internal Azure load balancer to deploy. Note: As of the initial release of this template, the all-protocol Azure load balancer is in public preview. Please ensure that this feature is enabled before selecting **All-protocol**."
- },
- "type": "string"
- },
- "internalLoadBalancerProbePort": {
- "defaultValue": "3456",
- "metadata": {
- "description": "Specify a TCP port for the internal load balancer to monitor. If you specified DO_NOT_USE for internal load balancer type, this setting has no effect."
- },
- "type": "string"
- },
- "instanceType": {
- "allowedValues": [
- "Standard_A3",
- "Standard_A4",
- "Standard_A5",
- "Standard_A6",
- "Standard_A7",
- "Standard_D3",
- "Standard_D4",
- "Standard_D11",
- "Standard_D12",
- "Standard_D13",
- "Standard_D14",
- "Standard_DS3",
- "Standard_DS4",
- "Standard_DS11",
- "Standard_DS12",
- "Standard_DS13",
- "Standard_DS14",
- "Standard_D3_v2",
- "Standard_D4_v2",
- "Standard_D5_v2",
- "Standard_D11_v2",
- "Standard_D12_v2",
- "Standard_D13_v2",
- "Standard_D14_v2",
- "Standard_D15_v2",
- "Standard_DS3_v2",
- "Standard_DS4_v2",
- "Standard_DS5_v2",
- "Standard_DS11_v2",
- "Standard_DS12_v2",
- "Standard_DS13_v2",
- "Standard_DS14_v2",
- "Standard_DS15_v2",
- "Standard_F4",
- "Standard_F8",
- "Standard_F4S",
- "Standard_F8S",
- "Standard_F16S",
- "Standard_G3",
- "Standard_G4",
- "Standard_G5",
- "Standard_GS3",
- "Standard_GS4",
- "Standard_GS5"
- ],
- "defaultValue": "Standard_DS4_v2",
- "metadata": {
- "description": "Instance size of the Virtual Machine."
- },
- "type": "string"
- },
- "imageName": {
- "allowedValues": [
- "LTMTwoBootLocations",
- "AllTwoBootLocations"
- ],
- "defaultValue": "AllTwoBootLocations",
- "metadata": {
- "description": "F5 SKU (image) you want to deploy. Note: The disk size of the VM will be determined based on the option you select. **Important**: If intending to provision multiple modules, ensure the appropriate value is selected, such as ****AllTwoBootLocations or AllOneBootLocation****."
- },
- "type": "string"
- },
- "bigIqAddress": {
- "metadata": {
- "description": "The IP address (or hostname) for the BIG-IQ to be used when licensing the BIG-IP. Note: The BIG-IP will make a REST call to the BIG-IQ (already existing) to let it know a BIG-IP needs to be licensed. It will then license the BIG-IP using the provided BIG-IQ credentials and license pool."
- },
- "type": "string"
- },
- "bigIqUsername": {
- "metadata": {
- "description": "The BIG-IQ username to use during BIG-IP licensing via BIG-IQ."
- },
- "type": "string"
- },
- "bigIqPassword": {
- "metadata": {
- "description": "The BIG-IQ password to use during BIG-IP licensing via BIG-IQ."
- },
- "type": "securestring"
- },
- "bigIqLicensePoolName": {
- "metadata": {
- "description": "The BIG-IQ license pool to use during BIG-IP licensing via BIG-IQ."
- },
- "type": "string"
- },
- "bigIqLicenseSkuKeyword1": {
- "defaultValue": "OPTIONAL",
- "metadata": {
- "description": "The BIG-IQ license filter (based on SKU keyword) you want to use for licensing the BIG-IPs from the BIG-IQ, for example **F5-BIG-MSP-LTM-25M**, **F5-BIG-MSP-BR-200M**, **F5-BIG-MSP-BT-1G** or **F5-BIG-MSP-ASM-1G**. ***Important***: This is only required when licensing with an ELA/subscription (utility) pool on the BIG-IQ, if not using this pool type leave the default of **OPTIONAL**."
- },
- "type": "string"
- },
- "bigIqLicenseUnitOfMeasure": {
- "defaultValue": "OPTIONAL",
- "metadata": {
- "description": "The BIG-IQ license unit of measure to use during BIG-IP licensing via BIG-IQ, for example **yearly**, **monthly**, **daily** or **hourly**. ***Important***: This is only required when licensing with an ELA/subscription (utility) pool on the BIG-IQ, if not using this pool type leave the default of **OPTIONAL**."
- },
- "type": "string"
- },
- "bigIpVersion": {
- "allowedValues": [
- "15.0.100000",
- "14.1.200000",
- "latest"
- ],
- "defaultValue": "14.1.200000",
- "metadata": {
- "description": "F5 BIG-IP version you want to use."
- },
- "type": "string"
- },
- "bigIpModules": {
- "defaultValue": "ltm:nominal,asm:nominal,afm:nominal",
- "metadata": {
- "description": "Comma separated list of modules and levels to provision, for example, ltm:nominal,asm:nominal"
- },
- "type": "string"
- },"STIGDevice": {
- "defaultValue": true,
- "metadata": {
- "description": "This setting will determine whether STIGS/SRGS will be applied at Onboarding."
- },
- "type": "bool"
- },
-"NorthTrustedAddressStartIP": {
- "defaultValue": "192.168.3.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "NorthTrustedAddressSubnet": {
- "defaultValue": "192.168.3.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the North Trusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "NorthUntrustedAddressStartIP": {
- "defaultValue": "192.168.2.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "NorthUntrustedAddressSubnet": {
- "defaultValue": "192.168.2.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the North Untrusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "VDMSAddressSubnet": {
- "defaultValue": "192.168.4.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the VDSS Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "declarationUrl": {
- "defaultValue": "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/dist/arm/3.16.0/sccaBaseline.json",
- "metadata": {
- "description": "URL for the AS3 (https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.16.0/) declaration JSON file to be deployed. Leave as **NOT_SPECIFIED** to deploy without a service configuration."
- },
- "type": "string"
- },
- "ntpServer": {
- "defaultValue": "0.pool.ntp.org",
- "metadata": {
- "description": "Leave the default NTP server the BIG-IP uses, or replace the default NTP server with the one you want to use."
- },
- "type": "string"
- },
- "timeZone": {
- "defaultValue": "UTC",
- "metadata": {
- "description": "If you would like to change the time zone the BIG-IP uses, enter the time zone you want to use. This is based on the tz database found in /usr/share/zoneinfo (see the full list [here](https://github.com/F5Networks/f5-azure-arm-templates/blob/master/azure-timezone-list.md)). Example values: UTC, US/Pacific, US/Eastern, Europe/London or Asia/Singapore."
- },
- "type": "string"
- },
- "customImage": {
- "defaultValue": "OPTIONAL",
- "metadata": {
- "description": "If you would like to deploy using a local BIG-IP image, provide either the full URL to the VHD in Azure storage **or** the full resource ID to an existing Microsoft.Compute image resource. **Note**: Unless specifically required, leave the default of **OPTIONAL**."
- },
- "type": "string"
- },
- "restrictedSrcAddress": {
- "defaultValue": "*",
- "metadata": {
- "description": "This field restricts management access to a specific network or address. Enter an IP address or address range in CIDR notation, or asterisk for all sources"
- },
- "type": "string"
- },
- "tagValues": {
- "defaultValue": {
- "application": "APP",
- "cost": "COST",
- "environment": "ENV",
- "group": "GROUP",
- "owner": "OWNER"
- },
- "metadata": {
- "description": "Default key/value resource tags will be added to the resources in this deployment, if you would like the values to be unique adjust them as needed for each key."
- },
- "type": "object"
- },
- "allowUsageAnalytics": {
- "allowedValues": [
- "Yes",
- "No"
- ],
- "defaultValue": "Yes",
- "metadata": {
- "description": "This deployment can send anonymous statistics to F5 to help us determine how to improve our solutions. If you select **No** statistics are not sent."
- },
- "type": "string"
- }
- },
- "variables": {
- "cloudRegion": {
- "false": ".cloudapp.azure.com",
- "true": ".cloudapp.usgovcloudapi.net"
- },
- "cloudPath": "[if(parameters('governmentCloudRegion'), variables('cloudRegion').true, variables('cloudRegion').false)]",
- "bigIpNicPortMap": {
- "1": {
- "Port": "[parameters('bigIpVersion')]"
- },
- "2": {
- "Port": "443"
- },
- "3": {
- "Port": "443"
- },
- "4": {
- "Port": "443"
- },
- "5": {
- "Port": "443"
- },
- "6": {
- "Port": "443"
- }
- },
- "bigIpVersionPortMap": {
- "443": {
- "Port": 443
- },
- "15.0.100000": {
- "Port": 8443
- },
- "14.1.200000": {
- "Port": 8443
- },
- "latest": {
- "Port": 8443
- }
- },
- "computeApiVersion": "2017-12-01",
- "networkApiVersion": "2017-11-01",
- "storageApiVersion": "2017-10-01",
- "dnsLabelPrefix": "[toLower(parameters('dnsLabel'))]",
- "customImage": "[replace(parameters('customImage'), 'OPTIONAL', '')]",
- "useCustomImage": "[not(empty(variables('customImage')))]",
- "isAcceleratedNetworkingSupported": "[if(not(contains(parameters('bigIpVersion'), '14.1.200000')), bool('true'), bool('false'))]",
- "createNewCustomImage": "[contains(variables('customImage'), 'https://')]",
- "newCustomImageName": "[concat(variables('dnsLabel'), 'image')]",
- "storageProfileArray": {
- "customImage": {
- "imageReference": {
- "id": "[if(variables('createNewCustomImage'), resourceId('Microsoft.Compute/images', variables('newCustomImageName')), variables('customImage'))]"
- }
- },
- "platformImage": {
- "imageReference": "[variables('imageReference')]",
- "osDisk": {
- "createOption": "FromImage"
- }
- }
- },
- "premiumInstanceArray": [
- "Standard_DS2",
- "Standard_DS3",
- "Standard_DS4",
- "Standard_DS11",
- "Standard_DS12",
- "Standard_DS13",
- "Standard_DS14",
- "Standard_DS2_v2",
- "Standard_DS3_v2",
- "Standard_DS4_v2",
- "Standard_DS5_v2",
- "Standard_DS11_v2",
- "Standard_DS12_v2",
- "Standard_DS13_v2",
- "Standard_DS14_v2",
- "Standard_DS15_v2",
- "Standard_F2S",
- "Standard_F4S",
- "Standard_F8S",
- "Standard_F16S",
- "Standard_GS2",
- "Standard_GS3",
- "Standard_GS4",
- "Standard_GS5"
- ],
- "location": "[resourceGroup().location]",
- "adminPasswordOrKey": "[replace(parameters('adminPasswordOrKey'),'\\n', '\n')]",
- "linuxConfiguration": {
- "disablePasswordAuthentication": true,
- "ssh": {
- "publicKeys": [
- {
- "keyData": "[variables('adminPasswordOrKey')]",
- "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]"
- }
- ]
- }
- },
- "subscriptionID": "[subscription().subscriptionId]",
- "resourceGroupName": "[resourceGroup().name]",
- "singleQuote": "'",
- "f5CloudLibsTag": "v4.13.5",
- "f5CloudIappsLoggerTag": "v1.0.0",
- "f5CloudIappsSdTag": "v2.3.2",
- "f5AS3Build": "f5-appsvcs-3.16.0-6.noarch.rpm",
-
- "verifyHash64": "Y2xpIHNjcmlwdCAvQ29tbW9uL3ZlcmlmeUhhc2ggewpwcm9jIHNjcmlwdDo6cnVuIHt9IHsKICAgICAgICBpZiB7W2NhdGNoIHsKICAgICAgICAgICAgc2V0IGhhc2hlcyhhc20tcG9saWN5LWxpbnV4LnRhci5neikgNjNiNWMyYTUxY2EwOWM0M2JkODlhZjM3NzNiYmFiODdjNzFhNmU3ZjZhZDk0MTBiMjI5YjRlMGExYzQ4M2Q0NmYxYTlmZmYzOWQ5OTQ0MDQxYjAyZWU5MjYwNzI0MDI3NDE0ZGU1OTJlOTlmNGMyNDc1NDE1MzIzZTE4YTcyZTAKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5odHRwLnYxLjIuMHJjNC50bXBsKSA0N2MxOWE4M2ViZmM3YmQxZTllOWMzNWYzNDI0OTQ1ZWY4Njk0YWE0MzdlZWRkMTdiNmEzODc3ODhkNGRiMTM5NmZlZmU0NDUxOTliNDk3MDY0ZDc2OTY3YjBkNTAyMzgxNTQxOTBjYTBiZDczOTQxMjk4ZmMyNTdkZjRkYzAzNAogICAgICAgICAgICBzZXQgaGFzaGVzKGY1Lmh0dHAudjEuMi4wcmM2LnRtcGwpIDgxMWIxNGJmZmFhYjVlZDAzNjVmMDEwNmJiNWNlNWU0ZWMyMjM4NTY1NWVhM2FjMDRkZTJhMzliZDk5NDRmNTFlMzcxNDYxOWRhZTdjYTQzNjYyYzk1NmI1MjEyMjI4ODU4ZjA1OTI2NzJhMjU3OWQ0YTg3NzY5MTg2ZTJjYmZlCiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuaHR0cC52MS4yLjByYzcudG1wbCkgMjFmNDEzMzQyZTlhN2EyODFhMGYwZTEzMDFlNzQ1YWE4NmFmMjFhNjk3ZDJlNmZkYzIxZGQyNzk3MzQ5MzY2MzFlOTJmMzRiZjFjMmQyNTA0YzIwMWY1NmNjZDc1YzVjMTNiYWEyZmU3NjUzMjEzNjg5ZWMzYzllMjdkZmY3N2QKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5hd3NfYWR2YW5jZWRfaGEudjEuMy4wcmMxLnRtcGwpIDllNTUxNDljMDEwYzFkMzk1YWJkYWUzYzNkMmNiODNlYzEzZDMxZWQzOTQyNDY5NWU4ODY4MGNmM2VkNWEwMTNkNjI2YjMyNjcxMWQzZDQwZWYyZGY0NmI3MmQ0MTRiNGNiOGU0ZjQ0NWVhMDczOGRjYmQyNWM0Yzg0M2FjMzlkCiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuYXdzX2FkdmFuY2VkX2hhLnYxLjQuMHJjMS50bXBsKSBkZTA2ODQ1NTI1NzQxMmE5NDlmMWVhZGNjYWVlODUwNjM0N2UwNGZkNjliZmI2NDUwMDFiNzZmMjAwMTI3NjY4ZTRhMDZiZTJiYmI5NGUxMGZlZmMyMTVjZmMzNjY1YjA3OTQ1ZTZkNzMzY2JlMWE0ZmExYjg4ZTg4MTU5MDM5NgogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LmF3c19hZHZhbmNlZF9oYS52MS40LjByYzIudG1wbCkgNmFiMGJmZmM0MjZkZjdkMzE5MTNmOWE0NzRiMWEwNzg2MDQzNWUzNjZiMDdkNzdiMzIwNjRhY2ZiMjk1MmMxZjIwN2JlYWVkNzcwMTNhMTVlNDRkODBkNzRmMzI1M2U3Y2Y5ZmJiZTEyYTkwZWM3MTI4ZGU2ZmFjZDA5N2Q2OGYKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5hd3NfYWR2YW5jZWRfaGEudjEuNC4wcmMzLnRtcGwpIDJmMjMzOWI0YmMzYTIzYzljZmQ0MmFhZTJhNmRlMzliYTA2NTgzNjZmMjU5ODVkZTJlYTUzNDEwYTc0NWYwZjE4ZWVkYzQ5MWIyMGY0YThkYmE4ZGI0ODk3MDA5NmUyZWZkY2E3YjhlZmZmYTFhODNhNzhlNWFhZGYyMThiMTM0CiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuYXdzX2FkdmFuY2VkX2hhLnYxLjQuMHJjNC50bXBsKSAyNDE4YWM4YjFmMTg4NGM1YzA5NmNiYWM2YTk0ZDQwNTlhYWFmMDU5MjdhNmE0NTA4ZmQxZjI1YjhjYzYwNzc0OTg4MzlmYmRkYTgxNzZkMmNmMmQyNzRhMjdlNmExZGFlMmExZTNhMGE5OTkxYmM2NWZjNzRmYzBkMDJjZTk2MwogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LmF3c19hZHZhbmNlZF9oYS52MS40LjByYzUudG1wbCkgNWU1ODIxODdhZTFhNjMyM2UwOTVkNDFlZGRkNDExNTFkNmJkMzhlYjgzYzYzNDQxMGQ0NTI3YTNkMGUyNDZhOGZjNjI2ODVhYjA4NDlkZTJhZGU2MmIwMjc1ZjUxMjY0ZDJkZWFjY2JjMTZiNzczNDE3Zjg0N2E0YTFlYTliYzQKICAgICAgICAgICAgc2V0IGhhc2hlcyhhc20tcG9saWN5LnRhci5neikgMmQzOWVjNjBkMDA2ZDA1ZDhhMTU2N2ExZDhhYWU3MjI0MTllOGIwNjJhZDc3ZDZkOWEzMTY1Mjk3MWU1ZTY3YmM0MDQzZDgxNjcxYmEyYThiMTJkZDIyOWVhNDZkMjA1MTQ0Zjc1Mzc0ZWQ0Y2FlNThjZWZhOGY5YWI2NTMzZTYKICAgICAgICAgICAgc2V0IGhhc2hlcyhkZXBsb3lfd2FmLnNoKSAxYTNhM2M2Mjc0YWIwOGE3ZGMyY2I3M2FlZGM4ZDJiMmEyM2NkOWUwZWIwNmEyZTE1MzRiMzYzMmYyNTBmMWQ4OTcwNTZmMjE5ZDViMzVkM2VlZDEyMDcwMjZlODk5ODlmNzU0ODQwZmQ5Mjk2OWM1MTVhZTRkODI5MjE0ZmI3NAogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LnBvbGljeV9jcmVhdG9yLnRtcGwpIDA2NTM5ZTA4ZDExNWVmYWZlNTVhYTUwN2VjYjRlNDQzZTgzYmRiMWY1ODI1YTk1MTQ5NTRlZjZjYTU2ZDI0MGVkMDBjN2I1ZDY3YmQ4ZjY3YjgxNWVlOWRkNDY0NTE5ODQ3MDFkMDU4Yzg5ZGFlMjQzNGM4OTcxNWQzNzVhNjIwCgogICAgICAgICAgICBzZXQgZmlsZV9wYXRoIFtsaW5kZXggJHRtc2g6OmFyZ3YgMV0KICAgICAgICAgICAgc2V0IGZpbGVfbmFtZSBbZmlsZSB0YWlsICRmaWxlX3BhdGhdCgogICAgICAgICAgICBpZiB7IVtpbmZvIGV4aXN0cyBoYXNoZXMoJGZpbGVfbmFtZSldfSB7CiAgICAgICAgICAgICAgICB0bXNoOjpsb2cgZXJyICJObyBoYXNoIGZvdW5kIGZvciAkZmlsZV9uYW1lIgogICAgICAgICAgICAgICAgZXhpdCAxCiAgICAgICAgICAgIH0KCiAgICAgICAgICAgIHNldCBleHBlY3RlZF9oYXNoICRoYXNoZXMoJGZpbGVfbmFtZSkKICAgICAgICAgICAgc2V0IGNvbXB1dGVkX2hhc2ggW2xpbmRleCBbZXhlYyAvdXNyL2Jpbi9vcGVuc3NsIGRnc3QgLXIgLXNoYTUxMiAkZmlsZV9wYXRoXSAwXQogICAgICAgICAgICBpZiB7ICRleHBlY3RlZF9oYXNoIGVxICRjb21wdXRlZF9oYXNoIH0gewogICAgICAgICAgICAgICAgZXhpdCAwCiAgICAgICAgICAgIH0KICAgICAgICAgICAgdG1zaDo6bG9nIGVyciAiSGFzaCBkb2VzIG5vdCBtYXRjaCBmb3IgJGZpbGVfcGF0aCIKICAgICAgICAgICAgZXhpdCAxCiAgICAgICAgfV19IHsKICAgICAgICAgICAgdG1zaDo6bG9nIGVyciB7VW5leHBlY3RlZCBlcnJvciBpbiB2ZXJpZnlIYXNofQogICAgICAgICAgICBleGl0IDEKICAgICAgICB9CiAgICB9Cn0=",
-
- "installCloudLibs64": "IyEvYmluL2Jhc2gKZWNobyAgYWJvdXQgdG8gZXhlY3V0ZQpjaGVja3M9MAp3aGlsZSBbICRjaGVja3MgLWx0IDEyMCBdOyBkbyBlY2hvIGNoZWNraW5nIG1jcGQKICAgIHRtc2ggLWEgc2hvdyBzeXMgbWNwLXN0YXRlIGZpZWxkLWZtdCB8IGdyZXAgLXEgcnVubmluZwogICBpZiBbICQ/ID09IDAgXTsgdGhlbgogICAgICAgZWNobyBtY3BkIHJlYWR5CiAgICAgICBicmVhawogICBmaQogICBlY2hvIG1jcGQgbm90IHJlYWR5IHlldAogICBsZXQgY2hlY2tzPWNoZWNrcysxCiAgIHNsZWVwIDEwCmRvbmUgCgplY2hvICBleHBhbmRpbmcgZjUtY2xvdWQtbGlicy50YXIuZ3oKdGFyIHh2ZnogL2NvbmZpZy9jbG91ZC9mNS1jbG91ZC1saWJzLnRhci5neiAtQyAvY29uZmlnL2Nsb3VkL2F6dXJlL25vZGVfbW9kdWxlcy9AZjVkZXZjZW50cmFsCmVjaG8gIGNsb3VkIGxpYnMgaW5zdGFsbCBjb21wbGV0ZQp0b3VjaCAvY29uZmlnL2Nsb3VkL2Nsb3VkTGlic1JlYWR5",
-
-"routeTableName": "BasicUDR",
- "routeCmd": "route",
- "stigCmdArray": {
- "true": "bash ./bigipstig.sh;",
- "false": ""
- },
- "cmdConfigStig": "[if(parameters('STIGDevice'), variables('stigCmdArray').true, variables('stigCmdArray').false)]",
-
- "createFWLogArray": {
- "true": "tmsh create security log profile local-afm-log { network replace-all-with { local-afm-log { publisher local-db-publisher filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled } } } };",
- "false": ""
- },
- "cmdcreateFWLog": "[if(contains(parameters('bigIpModules'), 'afm'), variables('createFWLogArray').true, variables('createFWLogArray').false)]",
-
- "createFWPolicyArray": {
- "true": "tmsh create security firewall policy log_all_afm rules add { allow_all { action accept log yes place-before first } deny_all { action reject log yes place-after allow_all } };",
- "false": ""
- },
- "cmdcreateFWPolicy": "[if(contains(parameters('bigIpModules'), 'afm'), variables('createFWPolicyArray').true, variables('createFWPolicyArray').false)]",
-
- "installDODRootCA": "unzip Certificates_PKCS7_v5.5_DoD.zip; openssl pkcs7 -print_certs -in ./Certificates_PKCS7_v5.5_DoD/Certificates_PKCS7_v5.5_DoD.pem.p7b -out DoD_Root_CA.cer; tmsh install sys crypto cert DODRoots from-local-file DoD_Root_CA.cer;",
-
- "firewallConfig": "[concat(variables('cmdcreateFWLog'), variables('cmdcreateFWPolicy'))]",
- "sacaConfig": "[variables('cmdConfigStig')]",
- "dnsLabel": "[toLower(parameters('dnsLabel'))]",
-
- "skuToUse": "[concat('f5-', variables('imageNameSub'),'-byol')]",
- "offerToUse": "[concat('f5-big-ip-', variables('imageNameArray').offerPostfix[variables('imageNameSub')])]",
-
- "jbimageOffer": "UbuntuServer",
- "jbimagePublisher": "Canonical",
- "jblinuxConfiguration": {
- "disablePasswordAuthentication": true,
- "ssh": {
- "publicKeys": [
- {
- "keyData": "[parameters('adminPasswordOrKey')]",
- "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]"
- }
- ]
- }
- },
- "jbubuntuOSVersion": "18.04-LTS",
- "jbvmName": "[concat(variables('dnsLabelPrefix'), '-linux-jump')]",
- "jbvmSize": "Standard_A1",
- "WinvmName": "Bastion-Win-JB",
- "windowsOSVersion": "2019-Datacenter",
-
- "availabilitySetName": "[concat(variables('dnsLabelPrefix'), '-avset')]",
- "availabilitySet2Name": "[concat(variables('dnsLabelPrefix'), '-avset2')]",
- "availabilitySet3Name": "[concat(variables('dnsLabelPrefix'), '-avset3')]",
- "imagePlan": {
- "name": "[variables('skuToUse')]",
- "product": "[variables('offerToUse')]",
- "publisher": "f5-networks"
- },
- "imageReference": {
- "offer": "[variables('offerToUse')]",
- "publisher": "f5-networks",
- "sku": "[variables('skuToUse')]",
- "version": "[parameters('bigIpVersion')]"
- },
- "bigIpNicPortValue": "[variables('bigIpNicPortMap')['3'].Port]",
- "bigIpMgmtPort": "[variables('bigIpVersionPortMap')[variables('bigIpNicPortValue')].Port]",
- "instanceName": "[toLower(parameters('instanceName'))]",
- "internalLoadBalancerName": "[concat(variables('dnsLabel'),'-int-ilb')]",
- "intLbId": "[resourceId('Microsoft.Network/loadBalancers',variables('internalLoadBalancerName'))]",
- "failoverCmdArray": {
- "No": {
- "first": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '0.', variables('location'), variables('cloudPath')), ' unicast-address none')]",
- "second": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '1.', variables('location'), variables('cloudPath')), ' unicast-address none')]"
- },
- "Yes": {
- "first": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '0.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnetPrivateAddress'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress'))]",
- "second": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '1.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnetPrivateAddress1'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress1'))]"
- }
- },
- "vdmsSubnetName": "VDMS",
- "publicIPAddressType": "Static",
- "virtualNetworkName": "[concat(variables('dnsLabelPrefix'), '-scca-vnet')]",
-
- "vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]",
-
- "ManagementAddressStartIP": "192.168.1.4",
- "ManagementAddressSubnet": "192.168.1.0/24",
- "mgmtSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('mgmtSubnetName'))]",
- "mgmtSubnetName": "management",
- "mgmtSubnetPrivateAddress": "[variables('ManagementAddressStartIP')]",
- "mgmtSubnetPrivateAddress1": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 5))]",
- "mgmtSubnetPrivateAddress2": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 50))]",
- "mgmtSubnetPrivateAddress3": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 51))]",
- "mgmtSubnetPrivateAddressPrefix": "[substring(variables('ManagementAddressStartIP'), 0, lastindexOf(variables('ManagementAddressStartIP'), '.'))]",
- "mgmtSubnetStartDirty": "[substring(variables('ManagementAddressStartIP'), lastIndexOf(variables('ManagementAddressStartIP'), '.'), sub(length(variables('ManagementAddressStartIP')), lastIndexOf(variables('ManagementAddressStartIP'), '.') ))]",
- "mgmtSubnetStartInt": "[replace(variables('mgmtSubnetStartDirty'), '.','')]",
-
- "mgmtPublicIPAddressName": "[concat(variables('dnsLabel'), '-mgmt-pip')]",
- "mgmtPublicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('mgmtPublicIPAddressName'))]",
-
- "mgmtNsgID": "[resourceId('Microsoft.Network/networkSecurityGroups/',concat(variables('dnsLabel'),'-mgmt-nsg'))]",
- "mgmtNicName": "[concat(variables('dnsLabel'), '-mgmt')]",
-
- "commandArgs": "[concat('-o ', parameters('declarationUrl'), ' -u svc_user')]",
- "appScript": "IyEvYmluL2Jhc2gKZnVuY3Rpb24gcGFzc3dkKCkgewogIGVjaG8gfCBmNS1yZXN0LW5vZGUgL2NvbmZpZy9jbG91ZC9henVyZS9ub2RlX21vZHVsZXMvQGY1ZGV2Y2VudHJhbC9mNS1jbG91ZC1saWJzL3NjcmlwdHMvZGVjcnlwdERhdGFGcm9tRmlsZS5qcyAtLWRhdGEtZmlsZSAvY29uZmlnL2Nsb3VkLy5wYXNzd2QgfCBhd2sgJ3twcmludCAkMX0nCn0KCndoaWxlIGdldG9wdHMgbzp1OiBvcHRpb24KZG8gY2FzZSAiJG9wdGlvbiIgIGluCiAgICAgICAgbykgZGVjbGFyYXRpb25Vcmw9JE9QVEFSRzs7CiAgICAgICAgdSkgdXNlcj0kT1BUQVJHOzsKICAgIGVzYWMKZG9uZQoKZGVwbG95ZWQ9Im5vIgpmaWxlX2xvYz0iL2NvbmZpZy9jbG91ZC9jdXN0b21fY29uZmlnIgpkZmxfbWdtdF9wb3J0PWB0bXNoIGxpc3Qgc3lzIGh0dHBkIHNzbC1wb3J0IHwgZ3JlcCBzc2wtcG9ydCB8IHNlZCAncy9zc2wtcG9ydCAvLztzLyAvL2cnYAp1cmxfcmVnZXg9IihodHRwOlwvXC98aHR0cHM6XC9cLyk/W2EtejAtOV0rKFtcLVwuXXsxfVthLXowLTldKykqXC5bYS16XXsyLDV9KDpbMC05XXsxLDV9KT8oXC8uKik/JCIKCmlmIFtbICRkZWNsYXJhdGlvblVybCA9fiAkdXJsX3JlZ2V4IF1dOyB0aGVuCiAgICByZXNwb25zZV9jb2RlPSQoL3Vzci9iaW4vY3VybCAtLWludGVyZmFjZSBtZ210IC1zayAtdyAiJXtodHRwX2NvZGV9IiAkZGVjbGFyYXRpb25VcmwgLW8gJGZpbGVfbG9jKQogICAgaWYgW1sgJHJlc3BvbnNlX2NvZGUgPT0gMjAwIF1dOyB0aGVuCiAgICAgICAgIGVjaG8gIkN1c3RvbSBjb25maWcgZG93bmxvYWQgY29tcGxldGU7IGNoZWNraW5nIGZvciB2YWxpZCBKU09OLiIKICAgICAgICAgY2F0ICRmaWxlX2xvYyB8IGpxIC5jbGFzcwogICAgICAgICBpZiBbWyAkPyA9PSAwIF1dOyB0aGVuCiAgICAgICAgICAgICByZXNwb25zZV9jb2RlPSQoL3Vzci9iaW4vY3VybCAtc2t2dnUgJHVzZXI6JChwYXNzd2QpIC13ICIle2h0dHBfY29kZX0iIC1YIFBPU1QgLUggIkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vanNvbiIgLUggJ0V4cGVjdDonIC1kICJAJGZpbGVfbG9jIiBodHRwczovL2xvY2FsaG9zdDokZGZsX21nbXRfcG9ydC9tZ210L3NoYXJlZC9hcHBzdmNzL2RlY2xhcmUgLW8gL2Rldi9udWxsKQoKICAgICAgICAgICAgIGlmIFtbICRyZXNwb25zZV9jb2RlID09IDIwMCB8fCAkcmVzcG9uc2VfY29kZSA9PSAyMDcgfHwgJHJlc3BvbnNlX2NvZGUgPT0gNTAyIF1dOyB0aGVuCiAgICAgICAgICAgICAgICAgIGVjaG8gIkRlcGxveW1lbnQgb2YgYXBwbGljYXRpb24gc3VjY2VlZGVkLiAkcmVzcG9uc2VfY29kZSIKICAgICAgICAgICAgICAgICAgZGVwbG95ZWQ9InllcyIKICAgICAgICAgICAgIGVsc2UKICAgICAgICAgICAgICAgICBlY2hvICJGYWlsZWQgdG8gZGVwbG95IGFwcGxpY2F0aW9uOyBjb250aW51aW5nIHdpdGggcmVzcG9uc2UgY29kZSAnIiRyZXNwb25zZV9jb2RlIiciCiAgICAgICAgICAgICBmaQogICAgICAgICBlbHNlCiAgICAgICAgICAgICBlY2hvICJDdXN0b20gY29uZmlnIHdhcyBub3QgdmFsaWQgSlNPTiwgY29udGludWluZyIKICAgICAgICAgZmkKICAgIGVsc2UKICAgICAgICBlY2hvICJGYWlsZWQgdG8gZG93bmxvYWQgY3VzdG9tIGNvbmZpZzsgY29udGludWluZyB3aXRoIHJlc3BvbnNlIGNvZGUgJyIkcmVzcG9uc2VfY29kZSInIgogICAgZmkKZWxzZQogICAgIGVjaG8gIkN1c3RvbSBjb25maWcgd2FzIG5vdCBhIFVSTCwgY29udGludWluZy4iCmZpCgppZiBbWyAkZGVwbG95ZWQgPT0gIm5vIiAmJiAkZGVjbGFyYXRpb25VcmwgPT0gIk5PVF9TUEVDSUZJRUQiIF1dOyB0aGVuCiAgICBlY2hvICJBcHBsaWNhdGlvbiBkZXBsb3ltZW50IGZhaWxlZCBvciBjdXN0b20gVVJMIHdhcyBub3Qgc3BlY2lmaWVkLiIKZmkKCmVjaG8gIkRlcGxveW1lbnQgY29tcGxldGUuIgpleGl0",
-
- "extNicName": "[concat(variables('dnsLabelPrefix'), '-ext')]",
- "extNsgID": "[resourceId('Microsoft.Network/networkSecurityGroups/',concat(variables('dnsLabelPrefix'),'-ext-nsg'))]",
- "extPublicIPAddressIdPrefix": "[resourceId('Microsoft.Network/publicIPAddresses', variables('extPublicIPAddressNamePrefix'))]",
- "extSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('extsubnetName'))]",
- "extSubnetName": "external",
- "extSubnetPrivateAddress": "[parameters('NorthUntrustedAddressStartIP')]",
- "extSubnetPrivateAddress1": "[concat(variables('extSubnetPrivateAddressPrefix'), '.',add(int(variables('extSubnetStartInt')), 1))]",
-
- "extSubnetPrivateAddressPrefix": "[substring(parameters('NorthUntrustedAddressStartIP'), 0, lastindexOf(parameters('NorthUntrustedAddressStartIP'), '.'))]",
- "extSubnetStartDirty": "[substring(parameters('NorthUntrustedAddressStartIP'), lastIndexOf(parameters('NorthUntrustedAddressStartIP'), '.'), sub(length(parameters('NorthUntrustedAddressStartIP')), lastIndexOf(parameters('NorthUntrustedAddressStartIP'), '.')))]",
- "extSubnetStartInt": "[replace(variables('extSubnetStartDirty'), '.','')]",
- "externalLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-ext-alb')]",
- "extpublicIPAddressNamePrefix": "[concat(variables('dnsLabelPrefix'), '-ext-pip')]",
- "extLbId": "[resourceId('Microsoft.Network/loadBalancers',variables('externalLoadBalancerName'))]",
-
- "intNicName": "[concat(variables('dnsLabelPrefix'), '-int')]",
- "intSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('intsubnetName'))]",
- "intSubnetName": "internal",
- "intSubnetPrivateAddress": "[parameters('NorthTrustedAddressStartIP')]",
- "intSubnetPrivateAddress1": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 1))]",
- "intSubnetPrivateAddress2": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 10))]",
- "intSubnetPrivateAddress3": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 11))]",
- "intSubnetPrivateAddressPrefix": "[substring(parameters('NorthTrustedAddressStartIP'), 0, lastindexOf(parameters('NorthTrustedAddressStartIP'), '.'))]",
- "intSubnetStartDirty": "[substring(parameters('NorthTrustedAddressStartIP'), lastIndexOf(parameters('NorthTrustedAddressStartIP'), '.'), sub(length(parameters('NorthTrustedAddressStartIP')), lastIndexOf(parameters('NorthTrustedAddressStartIP'), '.') ))]",
- "intSubnetStartInt": "[replace(variables('intSubnetStartDirty'), '.', '')]",
-
- "internalLoadBalancerAddress": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 65))]",
-
- "availabilitySetId": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets',variables('availabilitySetName'))]"
- },
-
- "tmmRouteGw": "[concat(variables('intSubnetPrivateAddressPrefix'), '.1')]",
-
- "numberOfExternalIps": "[parameters('numberOfExternalIps')]",
- "backEndAddressPoolArray": [
- {
- "id": "[concat(variables('extLbId'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- },
- {
- "id": "[concat(variables('intLbId'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- }
- ],
- "imageNameSub": "[variables('imageNameArray')[parameters('bigIpVersion')][parameters('imageName')]]",
- "imageNameArray": {
- "15.0.100000": {
- "AllOneBootLocation": "big-all-1slot",
- "AllTwoBootLocations": "big-all-2slot",
- "LTMOneBootLocation": "big-ltm-1slot",
- "LTMTwoBootLocations": "big-ltm-2slot"
- },
- "14.1.200000": {
- "AllOneBootLocation": "big-all-1slot",
- "AllTwoBootLocations": "big-all-2slot",
- "LTMOneBootLocation": "big-ltm-1slot",
- "LTMTwoBootLocations": "big-ltm-2slot"
- },
- "latest": {
- "AllOneBootLocation": "big-all-2slot",
- "AllTwoBootLocations": "big-all-2slot",
- "LTMOneBootLocation": "big-ltm-2slot",
- "LTMTwoBootLocations": "big-ltm-2slot"
- },
- "offerPostfix": {
- "big-all-1slot": "byol",
- "big-all-2slot": "byol",
- "big-ltm-1slot": "byol",
- "big-ltm-2slot": "byol",
- "bigip-virtual-edition-best": "best",
- "bigip-virtual-edition-good": "good"
- }
- },
-
- "tagValues": "[parameters('tagValues')]",
- "failovertagValues": {
- "f5_cloud_failover_label": "mydeployment",
- "f5_cloud_failover_nic_map": "external"
- },
- "newDataStorageAccountName": "[concat(uniqueString(variables('dnsLabel'), resourceGroup().id, deployment().name), 'data000')]",
- "dataStorageAccountType": "Standard_LRS",
- "deploymentId": "[concat(variables('subscriptionId'), resourceGroup().id, deployment().name, variables('dnsLabel'))]",
- "customConfig": "### START (INPUT) CUSTOM CONFIGURATION HERE\n",
- "allowUsageAnalytics": {
- "No": {
- "hashCmd": "echo AllowUsageAnalytics:No",
- "metricsCmd": ""
- },
- "Yes": {
- "hashCmd": "[concat('custId=`echo \"', variables('subscriptionId'), '\"|sha512sum|cut -d \" \" -f 1`; deployId=`echo \"', variables('deploymentId'), '\"|sha512sum|cut -d \" \" -f 1`')]",
- "metricsCmd": "[concat(' --metrics customerId:${custId},deploymentId:${deployId},templateName:failover_3nic-new-stack-saca-bigiq,templateVersion:7.2.0.0,region:', variables('location'), ',bigIpVersion:', parameters('bigIpVersion') ,',licenseType:bigiq,cloudLibsVersion:', variables('f5CloudLibsTag'), ',cloudName:azure')]"
- }
- },
- "osProfiles": {
- "password": {
- "adminPassword": "[variables('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('instanceName')]",
- "linuxConfiguration": "[json('null')]"
- },
- "sshPublicKey": {
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('instanceName')]",
- "linuxConfiguration": "[variables('linuxConfiguration')]"
- }
- },
- "installCustomConfig": "[concat(variables('singleQuote'), '#!/bin/bash\n', variables('customConfig'), variables('singleQuote'))]"
- },
- "resources": [
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[not(equals(variables('numberOfExternalIps'),0))]",
- "copy": {
- "count": "[if(not(equals(variables('numberOfExternalIps'), 0)), variables('numberOfExternalIps'), 1)]",
- "name": "extpipcopy"
- },
- "location": "[variables('location')]",
- "name": "[concat(variables('extPublicIPAddressNamePrefix'), copyIndex())]",
- "properties": {
- "dnsSettings": {
- "domainNameLabel": "[concat(variables('dnsLabel'), copyIndex(0))]"
- },
- "idleTimeoutInMinutes": 30,
- "publicIPAllocationMethod": "[variables('publicIPAddressType')]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/publicIPAddresses"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('routeTableName')]",
- "properties": {
- "routes": [
- {
- "name": "Default",
- "properties": {
- "addressPrefix": "0.0.0.0/0",
- "nextHopIpAddress": "[variables('internalLoadBalancerAddress')]",
- "nextHopType": "VirtualAppliance"
- }
- }
- ]
- },
- "type": "Microsoft.Network/routeTables"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('routeTableName')]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('virtualNetworkName')]",
- "properties": {
- "addressSpace": {
- "addressPrefixes": [
- "[parameters('NorthUntrustedAddressSubnet')]",
- "[parameters('NorthTrustedAddressSubnet')]",
- "[variables('ManagementAddressSubnet')]",
- "[parameters('VDMSAddressSubnet')]"
- ]
- },
- "subnets": [
- {
- "name": "[variables('mgmtSubnetName')]",
- "properties": {
- "addressPrefix": "[variables('ManagementAddressSubnet')]"
- }
- },
- {
- "name": "[variables('extSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('NorthUntrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('intSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('NorthTrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('vdmsSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('VDMSAddressSubnet')]",
- "routeTable": {
- "id": "[resourceId('Microsoft.Network/routeTables', variables('routeTableName'))]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/virtualNetworks"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('mgmtNsgID')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('externalLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '0')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- {
- "id": "[concat(variables('extLbId'), '/backendAddressPools/', 'loadBalancerMgmtBackEnd')]"
- }
- ],
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('mgmtNsgID')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('externalLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '1')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- {
- "id": "[concat(variables('extLbId'), '/backendAddressPools/', 'loadBalancerMgmtBackEnd')]"
- }
- ],
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('mgmtNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '2')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('mgmtNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '3')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig0')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('extLbId')]",
- "[variables('vnetId')]",
- "extpipcopy",
- "[variables('extNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '0')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig0')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(variables('numberOfExternalIps'), 0), take(variables('backEndAddressPoolArray'), 0), take(variables('backEndAddressPoolArray'), 1))]",
- "primary": false,
- "privateIPAllocationMethod": "Static",
- "privateIPAddress": "[concat(variables('extSubnetPrivateAddressPrefix'), '.', 10)]",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgID'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), union(variables('tagValues'),variables('failovertagValues')))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('extLbId')]",
- "[variables('vnetId')]",
- "extpipcopy",
- "[variables('extNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '1')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig1')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(variables('numberOfExternalIps'), 0), take(variables('backEndAddressPoolArray'), 0), take(variables('backEndAddressPoolArray'), 1))]",
- "primary": false,
- "privateIPAllocationMethod": "Static",
- "privateIPAddress": "[concat(variables('extSubnetPrivateAddressPrefix'), '.', 11)]",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgID'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), union(variables('tagValues'),variables('failovertagValues')))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('intLbId')]",
- "[variables('vnetId')]",
- "extpipcopy",
- "[variables('extNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '0')]",
- "properties": {
- "enableIPForwarding": true,
- "primary": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabel'), '-int-ipconfig-secondary')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('internalLoadBalancerType'), 'DO_NOT_USE'), take(variables('backEndAddressPoolArray'), 0), skip(variables('backEndAddressPoolArray'), 1))]",
- "privateIPAddress": "[variables('intSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('intLbId')]",
- "[variables('vnetId')]",
- "extpipcopy",
- "[variables('extNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '1')]",
- "properties": {
- "enableIPForwarding": true,
- "primary": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabel'), '-int-ipconfig-secondary')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('internalLoadBalancerType'), 'DO_NOT_USE'), take(variables('backEndAddressPoolArray'), 0), skip(variables('backEndAddressPoolArray'), 1))]",
- "privateIPAddress": "[variables('intSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-mgmt-nsg')]",
- "properties": {
- "securityRules": [
- {
- "name": "https_allow_443",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "[variables('bigIpMgmtPort')]",
- "direction": "Outbound",
- "priority": 101,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkSecurityGroups"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-ext-nsg')]",
- "properties": {
- "securityRules": [
- {
- "name": "ssh_allow_22",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "22",
- "direction": "Inbound",
- "priority": 102,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- },
- {
- "name": "rdp_allow_3389",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "3389",
- "direction": "Inbound",
- "priority": 103,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkSecurityGroups"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[not(equals(variables('numberOfExternalIps'),0))]",
- "dependsOn": [
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[variables('externalLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- },
- {
- "name": "loadBalancerMgmtBackEnd"
- }
- ],
- "copy": [
- {
- "count": "[if(not(equals(variables('numberOfExternalIps'), 0)), variables('numberOfExternalIps'), 1)]",
- "input": {
- "name": "[concat('loadBalancerFrontEnd', copyIndex('frontendIPConfigurations', 1))]",
- "properties": {
- "publicIPAddress": {
- "id": "[concat(variables('extPublicIPAddressIdPrefix'), sub(copyIndex('frontendIPConfigurations', 1), 1))]"
- }
- }
- },
- "name": "frontendIPConfigurations"
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "backendPort": 3389,
- "enableFloatingIP": false,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 3389,
- "idleTimeoutInMinutes": 4,
- "loadDistribution": "Default",
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/probes/rdp_alive')]"
- },
- "protocol": "Tcp"
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "backendPort": 22,
- "enableFloatingIP": false,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 22,
- "idleTimeoutInMinutes": 4,
- "loadDistribution": "Default",
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/probes/ssh_alive')]"
- },
- "protocol": "Tcp"
- }
- },
- {
- "Name": "management_outbound",
- "properties": {
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/backendAddressPools/loadBalancerMgmtBackEnd')]"
- },
- "backendPort": 8443,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 8443,
- "idleTimeoutInMinutes": 15,
- "probe": {
- "id": "[concat(variables('extLbId'),'/probes/https_alive')]"
- },
- "protocol": "Tcp"
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 2,
- "port": 22,
- "protocol": "Tcp"
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 2,
- "port": 3389,
- "protocol": "Tcp"
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 2,
- "port": 80,
- "protocol": "Http",
- "requestPath": "/"
- }
- },
- {
- "name": "https_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 3,
- "port": 443,
- "protocol": "Tcp"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "sku": {
- "name": "Standard"
- },
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[not(equals(parameters('internalLoadBalancerType'),'DO_NOT_USE'))]",
- "dependsOn": [
- "[variables('extNsgID')]",
- "extpipcopy",
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('internalLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "LoadBalancerBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "LoadBalancerFrontEnd",
- "properties": {
- "privateIPAddress": "[variables('internalLoadBalancerAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "[if(equals(parameters('internalLoadBalancerType'),'Per-protocol'), concat('lbRule-', parameters('internalLoadBalancerProbePort')), 'allProtocolLbRule')]",
- "properties": {
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('internalLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "backendPort": "[if(equals(parameters('internalLoadBalancerType'),'Per-protocol'), parameters('internalLoadBalancerProbePort'), 0)]",
- "enableFloatingIP": false,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('internalLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": "[if(equals(parameters('internalLoadBalancerType'),'Per-protocol'), parameters('internalLoadBalancerProbePort'), 0)]",
- "idleTimeoutInMinutes": 15,
- "loadDistribution": "Default",
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('internalLoadBalancerName')), '/probes/tcp-probe-', parameters('internalLoadBalancerProbePort'))]"
- },
- "protocol": "[if(equals(parameters('internalLoadBalancerType'),'Per-protocol'), 'Tcp', 'All')]"
- }
- }
- ],
- "probes": [
- {
- "name": "[concat('tcp-probe-', parameters('internalLoadBalancerProbePort'))]",
- "properties": {
- "intervalInSeconds": 5,
- "numberOfProbes": 2,
- "port": "[parameters('internalLoadBalancerProbePort')]",
- "protocol": "Tcp"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "sku": {
- "name": "Standard"
- },
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName')]",
- "sku": {
- "name": "Aligned"
- },
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },{
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySet2Name')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySet3Name')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('storageApiVersion')]",
- "kind": "Storage",
- "location": "[variables('location')]",
- "name": "[variables('newDataStorageAccountName')]",
- "properties": {
- "supportsHttpsTrafficOnly": true
- },
- "sku": {
- "name": "[variables('dataStorageAccountType')]",
- "tier": "Standard"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Storage/storageAccounts"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "condition": "[and(variables('useCustomImage'), variables('createNewCustomImage'))]",
- "location": "[variables('location')]",
- "name": "[variables('newCustomImageName')]",
- "properties": {
- "storageProfile": {
- "osDisk": {
- "blobUri": "[variables('customImage')]",
- "osState": "Generalized",
- "osType": "Linux",
- "storageAccountType": "[if(contains(variables('premiumInstanceArray'), parameters('instanceType')), 'Premium_LRS', 'Standard_LRS')]"
- }
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/images"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName'))]",
- "[variables('newCustomImageName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '0')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '0')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '0'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')]]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName'))]",
- "[variables('newCustomImageName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '1')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '1')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '1'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')]]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "2018-10-01",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '2'))]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('jbvmName')]",
- "properties": {
- "availabilitySet": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySet2Name'))]"
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[variables('jbvmSize')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '2'))]"
- }
- ]
- },
- "osProfile": {
- "adminPassword": "[parameters('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('jbvmName')]",
- "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), json('null'), variables('jblinuxConfiguration'))]"
- },
- "storageProfile": {
- "dataDisks": [
- {
- "createOption": "Empty",
- "diskSizeGB": 1023,
- "lun": 0
- }
- ],
- "imageReference": {
- "offer": "[variables('jbimageOffer')]",
- "publisher": "[variables('jbimagePublisher')]",
- "sku": "[variables('jbubuntuOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- }
- }
- },
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "2018-10-01",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '3'))]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('WinvmName')]",
- "properties": {
- "availabilitySet": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySet3Name'))]"
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "Standard_A2"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '3'))]"
- }
- ]
- },
- "osProfile": {
- "adminPassword": "[parameters('WindowsAdminPassword')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('WinvmName')]"
- },
- "storageProfile": {
- "dataDisks": [
- {
- "createOption": "Empty",
- "diskSizeGB": 1023,
- "lun": 0
- }
- ],
- "imageReference": {
- "offer": "WindowsServer",
- "publisher": "MicrosoftWindowsServer",
- "sku": "[variables('windowsOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- }
- }
- },
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabel'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabel'), '-', variables('instanceName'), '1')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '0/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; /usr/bin/install -m 400 /dev/null /config/cloud/.bigIqPasswd; encrypt_secret ', variables('singleQuote'), parameters('bigIqPassword'), variables('singleQuote'), ' \"/config/cloud/.bigIqPasswd\"; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '0.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --license-pool --big-iq-host ', parameters('bigIqAddress'), ' --big-iq-user ', parameters('bigIqUsername'), ' --big-iq-password-uri file:///config/cloud/.bigIqPasswd --big-iq-password-encrypted --license-pool-name ', parameters('bigIqLicensePoolName'), ' $(format_args sku-keyword-1:', parameters('bigIqLicenseSkuKeyWord1'), ',unit-of-measure:', parameters('bigIqLicenseUnitOfMeasure'), ') --big-ip-mgmt-address ', variables('mgmtSubnetPrivateAddress'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[parameters('enableNetworkFailover')].first, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress'), ' --create-group --device-group Sync --sync-type sync-failover --device ', concat(variables('instanceName'), '0.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --network-failover --auto-sync --save-on-auto-sync;', variables('firewallConfig'), ' bash /config/cloud/deploy_app.sh ', variables('commandArgs'), '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; rm -f /config/cloud/.bigIqPasswd; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('installDODRootCA'), variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/Certificates_PKCS7_v5.5_DoD.zip",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh",
- "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/working/asm/15.1/sccaBaselineASMPolicy.xml"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabel'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabel'), '-', variables('instanceName'), '1')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '1/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; /usr/bin/install -m 400 /dev/null /config/cloud/.bigIqPasswd; encrypt_secret ', variables('singleQuote'), parameters('bigIqPassword'), variables('singleQuote'), ' \"/config/cloud/.bigIqPasswd\"; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '1.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --license-pool --big-iq-host ', parameters('bigIqAddress'), ' --big-iq-user ', parameters('bigIqUsername'), ' --big-iq-password-uri file:///config/cloud/.bigIqPasswd --big-iq-password-encrypted --license-pool-name ', parameters('bigIqLicensePoolName'), ' $(format_args sku-keyword-1:', parameters('bigIqLicenseSkuKeyWord1'), ',unit-of-measure:', parameters('bigIqLicenseUnitOfMeasure'), ') --big-ip-mgmt-address ', variables('mgmtSubnetPrivateAddress'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress1'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress1'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[parameters('enableNetworkFailover')].second, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress1'), ' --join-group --device-group Sync --sync --remote-host ', variables('mgmtSubnetPrivateAddress'), ' --remote-user svc_user --remote-password-url file:///config/cloud/.passwd', '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; rm -f /config/cloud/.bigIqPasswd; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- }
- ],
- "outputs": {
- }
-}
diff --git a/SACAv2/3NIC_1Tier_HA/byol/azureDeploy.json b/SACAv2/3NIC_1Tier_HA/byol/azureDeploy.json
deleted file mode 100644
index f95008a..0000000
--- a/SACAv2/3NIC_1Tier_HA/byol/azureDeploy.json
+++ /dev/null
@@ -1,1662 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "7.2.0.0",
- "outputs": {
- "RDP-URL": {
- "type": "string",
- "value": "[concat('rdp://',reference(concat(variables('extPublicIPAddressNamePrefix'), '0')).dnsSettings.fqdn)]"
- },
- "SSH-URL": {
- "type": "string",
- "value": "[concat('ssh://', parameters('adminUsername'), '@', reference(concat(variables('extPublicIPAddressNamePrefix'), '0')).dnsSettings.fqdn)]"
- }
- },
- "parameters": {
- "governmentCloudRegion": {
- "defaultValue": true,
- "metadata": {
- "description": "Type of cloud this template will deploy into, ensure to select false for commercial."
- },
- "type": "bool"
- },
- "adminUsername": {
- "defaultValue": "xadmin",
- "metadata": {
- "description": "User name for the Virtual Machine."
- },
- "type": "string"
- },
- "authenticationType": {
- "allowedValues": [
- "password",
- "sshPublicKey"
- ],
- "defaultValue": "password",
- "metadata": {
- "description": "Type of authentication to use on the Virtual Machine, password based authentication or key based authentication."
- },
- "type": "string"
- },
- "adminPasswordOrKey": {
- "metadata": {
- "description": "Password or SSH public key to login to the Virtual Machine. Note: There are a number of special characters that you should avoid using for F5 product user accounts. See [K2873](https://support.f5.com/csp/article/K2873) for details. Note: If using key-based authentication, this should be the public key as a string, typically starting with **---- BEGIN SSH2 PUBLIC KEY ----** and ending with **---- END SSH2 PUBLIC KEY ----**."
- },
- "type": "securestring"
- },
- "WindowsAdminPassword": {
- "metadata": {
- "description": "Password for the Windows Virtual Machine."
- },
- "type": "securestring"
- },
- "dnsLabel": {
- "defaultValue": "f5dns01",
- "metadata": {
- "description": "Unique DNS Name for the Public IP address used to access the Virtual Machine."
- },
- "type": "string"
- },
- "instanceName": {
- "defaultValue": "bigip",
- "metadata": {
- "description": "Name of the Virtual Machine."
- },
- "type": "string"
- },
- "numberOfExternalIps": {
- "allowedValues": [
- 0,
- 1,
- 2,
- 3,
- 4,
- 5,
- 6,
- 7,
- 8,
- 9,
- 10,
- 11,
- 12,
- 13,
- 14,
- 15,
- 16,
- 17,
- 18,
- 19,
- 20
- ],
- "defaultValue": 1,
- "metadata": {
- "description": "The number of public/private IP addresses you want to deploy for the application traffic (external) NIC on the BIG-IP VE to be used for virtual servers."
- },
- "type": "int"
- },
- "enableNetworkFailover": {
- "allowedValues": [
- "No",
- "Yes"
- ],
- "defaultValue": "Yes",
- "metadata": {
- "description": "Enabling failover creates a traditional active/standby deployment with traffic groups and mirroring. When failover is disabled, all devices are active; use traffic group none."
- },
- "type": "string"
- },
- "internalLoadBalancerType": {
- "allowedValues": [
- "Per-protocol",
- "All-protocol",
- "DO_NOT_USE"
- ],
- "defaultValue": "Per-protocol",
- "metadata": {
- "description": "Specify a the type of internal Azure load balancer to deploy. Note: As of the initial release of this template, the all-protocol Azure load balancer is in public preview. Please ensure that this feature is enabled before selecting **All-protocol**."
- },
- "type": "string"
- },
- "internalLoadBalancerProbePort": {
- "defaultValue": "3456",
- "metadata": {
- "description": "Specify a TCP port for the internal load balancer to monitor. If you specified DO_NOT_USE for internal load balancer type, this setting has no effect."
- },
- "type": "string"
- },
- "instanceType": {
- "allowedValues": [
- "Standard_A3",
- "Standard_A4",
- "Standard_A5",
- "Standard_A6",
- "Standard_A7",
- "Standard_D3",
- "Standard_D4",
- "Standard_D11",
- "Standard_D12",
- "Standard_D13",
- "Standard_D14",
- "Standard_DS3",
- "Standard_DS4",
- "Standard_DS11",
- "Standard_DS12",
- "Standard_DS13",
- "Standard_DS14",
- "Standard_D3_v2",
- "Standard_D4_v2",
- "Standard_D5_v2",
- "Standard_D11_v2",
- "Standard_D12_v2",
- "Standard_D13_v2",
- "Standard_D14_v2",
- "Standard_D15_v2",
- "Standard_DS3_v2",
- "Standard_DS4_v2",
- "Standard_DS5_v2",
- "Standard_DS11_v2",
- "Standard_DS12_v2",
- "Standard_DS13_v2",
- "Standard_DS14_v2",
- "Standard_DS15_v2",
- "Standard_F4",
- "Standard_F8",
- "Standard_F4S",
- "Standard_F8S",
- "Standard_F16S",
- "Standard_G3",
- "Standard_G4",
- "Standard_G5",
- "Standard_GS3",
- "Standard_GS4",
- "Standard_GS5"
- ],
- "defaultValue": "Standard_DS4_v2",
- "metadata": {
- "description": "Instance size of the Virtual Machine."
- },
- "type": "string"
- },
- "imageName": {
- "allowedValues": [
- "LTMTwoBootLocations",
- "AllTwoBootLocations"
- ],
- "defaultValue": "AllTwoBootLocations",
- "metadata": {
- "description": "F5 SKU (image) you want to deploy. Note: The disk size of the VM will be determined based on the option you select. **Important**: If intending to provision multiple modules, ensure the appropriate value is selected, such as ****AllTwoBootLocations or AllOneBootLocation****."
- },
- "type": "string"
- },
- "bigIpVersion": {
- "allowedValues": [
- "15.0.100000",
- "14.1.200000",
- "latest"
- ],
- "defaultValue": "14.1.200000",
- "metadata": {
- "description": "F5 BIG-IP version you want to use."
- },
- "type": "string"
- },
- "bigIpModules": {
- "defaultValue": "ltm:nominal,asm:nominal,afm:nominal",
- "metadata": {
- "description": "Comma separated list of modules and levels to provision, for example, ltm:nominal,asm:nominal"
- },
- "type": "string"
- },
- "licenseKey1": {
- "defaultValue": "",
- "metadata": {
- "description": "The license token for the F5 BIG-IP VE (BYOL)."
- },
- "type": "string"
- },
- "licenseKey2": {
- "defaultValue": "",
- "metadata": {
- "description": "The license token for the F5 BIG-IP VE (BYOL). This field is required when deploying two or more devices."
- },
- "type": "string"
- },
- "STIGDevice": {
- "defaultValue": true,
- "metadata": {
- "description": "This setting will determine whether STIGS/SRGS will be applied at Onboarding."
- },
- "type": "bool"
- },
- "NorthTrustedAddressStartIP": {
- "defaultValue": "192.168.3.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "NorthTrustedAddressSubnet": {
- "defaultValue": "192.168.3.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the North Trusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "NorthUntrustedAddressStartIP": {
- "defaultValue": "192.168.2.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "NorthUntrustedAddressSubnet": {
- "defaultValue": "192.168.2.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the North Untrusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "VDMSAddressSubnet": {
- "defaultValue": "192.168.4.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the VDSS Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "declarationUrl": {
- "defaultValue": "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/dist/arm/3.16.0/byolsccaBaseline.json",
- "metadata": {
- "description": "URL for the AS3 (https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.16.0/) declaration JSON file to be deployed. Leave as **NOT_SPECIFIED** to deploy without a service configuration."
- },
- "type": "string"
- },
- "ntpServer": {
- "defaultValue": "0.pool.ntp.org",
- "metadata": {
- "description": "Leave the default NTP server the BIG-IP uses, or replace the default NTP server with the one you want to use."
- },
- "type": "string"
- },
- "timeZone": {
- "defaultValue": "UTC",
- "metadata": {
- "description": "If you would like to change the time zone the BIG-IP uses, enter the time zone you want to use. This is based on the tz database found in /usr/share/zoneinfo (see the full list [here](https://github.com/F5Networks/f5-azure-arm-templates/blob/master/azure-timezone-list.md)). Example values: UTC, US/Pacific, US/Eastern, Europe/London or Asia/Singapore."
- },
- "type": "string"
- },
- "customImage": {
- "defaultValue": "OPTIONAL",
- "metadata": {
- "description": "If you would like to deploy using a local BIG-IP image, provide either the full URL to the VHD in Azure storage **or** the full resource ID to an existing Microsoft.Compute image resource. **Note**: Unless specifically required, leave the default of **OPTIONAL**."
- },
- "type": "string"
- },
- "restrictedSrcAddress": {
- "defaultValue": "*",
- "metadata": {
- "description": "This field restricts management access to a specific network or address. Enter an IP address or address range in CIDR notation, or asterisk for all sources"
- },
- "type": "string"
- },
- "tagValues": {
- "defaultValue": {
- "application": "APP",
- "cost": "COST",
- "environment": "ENV",
- "group": "GROUP",
- "owner": "OWNER"
- },
- "metadata": {
- "description": "Default key/value resource tags will be added to the resources in this deployment, if you would like the values to be unique adjust them as needed for each key."
- },
- "type": "object"
- },
- "allowUsageAnalytics": {
- "allowedValues": [
- "Yes",
- "No"
- ],
- "defaultValue": "Yes",
- "metadata": {
- "description": "This deployment can send anonymous statistics to F5 to help us determine how to improve our solutions. If you select **No** statistics are not sent."
- },
- "type": "string"
- }
- },
- "variables": {
- "cloudRegion": {
- "false": ".cloudapp.azure.com",
- "true": ".cloudapp.usgovcloudapi.net"
- },
- "cloudPath": "[if(parameters('governmentCloudRegion'), variables('cloudRegion').true, variables('cloudRegion').false)]",
- "bigIpNicPortMap": {
- "1": {
- "Port": "[parameters('bigIpVersion')]"
- },
- "2": {
- "Port": "443"
- },
- "3": {
- "Port": "443"
- },
- "4": {
- "Port": "443"
- },
- "5": {
- "Port": "443"
- },
- "6": {
- "Port": "443"
- }
- },
- "bigIpVersionPortMap": {
- "443": {
- "Port": 443
- },
- "15.0.100000": {
- "Port": 443
- },
- "14.1.200000": {
- "Port": 443
- },
- "latest": {
- "Port": 443
- }
- },
- "computeApiVersion": "2017-12-01",
- "networkApiVersion": "2017-11-01",
- "storageApiVersion": "2017-10-01",
-
- "f5CloudLibsTag": "v4.13.5",
- "f5CloudIappsLoggerTag": "v1.0.0",
- "f5CloudIappsSdTag": "v2.3.2",
-
- "f5AS3Build": "f5-appsvcs-3.16.0-6.noarch.rpm",
-
- "vdmsSubnetName": "VDMS",
-
- "dnsLabelPrefix": "[toLower(parameters('dnsLabel'))]",
- "customImage": "[replace(parameters('customImage'), 'OPTIONAL', '')]",
- "useCustomImage": "[not(empty(variables('customImage')))]",
- "isAcceleratedNetworkingSupported": "[if(not(contains(parameters('bigIpVersion'), '14.1.200000')), bool('true'), bool('false'))]",
- "createNewCustomImage": "[contains(variables('customImage'), 'https://')]",
- "newCustomImageName": "[concat(variables('dnsLabelPrefix'), 'image')]",
- "storageProfileArray": {
- "customImage": {
- "imageReference": {
- "id": "[if(variables('createNewCustomImage'), resourceId('Microsoft.Compute/images', variables('newCustomImageName')), variables('customImage'))]"
- }
- },
- "platformImage": {
- "imageReference": "[variables('imageReference')]",
- "osDisk": {
- "createOption": "FromImage"
- }
- }
- },
- "premiumInstanceArray": [
- "Standard_DS2",
- "Standard_DS3",
- "Standard_DS4",
- "Standard_DS11",
- "Standard_DS12",
- "Standard_DS13",
- "Standard_DS14",
- "Standard_DS2_v2",
- "Standard_DS3_v2",
- "Standard_DS4_v2",
- "Standard_DS5_v2",
- "Standard_DS11_v2",
- "Standard_DS12_v2",
- "Standard_DS13_v2",
- "Standard_DS14_v2",
- "Standard_DS15_v2",
- "Standard_F2S",
- "Standard_F4S",
- "Standard_F8S",
- "Standard_F16S",
- "Standard_GS2",
- "Standard_GS3",
- "Standard_GS4",
- "Standard_GS5"
- ],
- "location": "[resourceGroup().location]",
- "adminPasswordOrKey": "[replace(parameters('adminPasswordOrKey'),'\\n', '\n')]",
- "linuxConfiguration": {
- "disablePasswordAuthentication": true,
- "ssh": {
- "publicKeys": [
- {
- "keyData": "[variables('adminPasswordOrKey')]",
- "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]"
- }
- ]
- }
- },
- "subscriptionID": "[subscription().subscriptionId]",
- "resourceGroupName": "[resourceGroup().name]",
- "singleQuote": "'",
-
- "verifyHash64": "Y2xpIHNjcmlwdCAvQ29tbW9uL3ZlcmlmeUhhc2ggewpwcm9jIHNjcmlwdDo6cnVuIHt9IHsKICAgICAgICBpZiB7W2NhdGNoIHsKICAgICAgICAgICAgc2V0IGhhc2hlcyhhc20tcG9saWN5LWxpbnV4LnRhci5neikgNjNiNWMyYTUxY2EwOWM0M2JkODlhZjM3NzNiYmFiODdjNzFhNmU3ZjZhZDk0MTBiMjI5YjRlMGExYzQ4M2Q0NmYxYTlmZmYzOWQ5OTQ0MDQxYjAyZWU5MjYwNzI0MDI3NDE0ZGU1OTJlOTlmNGMyNDc1NDE1MzIzZTE4YTcyZTAKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5odHRwLnYxLjIuMHJjNC50bXBsKSA0N2MxOWE4M2ViZmM3YmQxZTllOWMzNWYzNDI0OTQ1ZWY4Njk0YWE0MzdlZWRkMTdiNmEzODc3ODhkNGRiMTM5NmZlZmU0NDUxOTliNDk3MDY0ZDc2OTY3YjBkNTAyMzgxNTQxOTBjYTBiZDczOTQxMjk4ZmMyNTdkZjRkYzAzNAogICAgICAgICAgICBzZXQgaGFzaGVzKGY1Lmh0dHAudjEuMi4wcmM2LnRtcGwpIDgxMWIxNGJmZmFhYjVlZDAzNjVmMDEwNmJiNWNlNWU0ZWMyMjM4NTY1NWVhM2FjMDRkZTJhMzliZDk5NDRmNTFlMzcxNDYxOWRhZTdjYTQzNjYyYzk1NmI1MjEyMjI4ODU4ZjA1OTI2NzJhMjU3OWQ0YTg3NzY5MTg2ZTJjYmZlCiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuaHR0cC52MS4yLjByYzcudG1wbCkgMjFmNDEzMzQyZTlhN2EyODFhMGYwZTEzMDFlNzQ1YWE4NmFmMjFhNjk3ZDJlNmZkYzIxZGQyNzk3MzQ5MzY2MzFlOTJmMzRiZjFjMmQyNTA0YzIwMWY1NmNjZDc1YzVjMTNiYWEyZmU3NjUzMjEzNjg5ZWMzYzllMjdkZmY3N2QKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5hd3NfYWR2YW5jZWRfaGEudjEuMy4wcmMxLnRtcGwpIDllNTUxNDljMDEwYzFkMzk1YWJkYWUzYzNkMmNiODNlYzEzZDMxZWQzOTQyNDY5NWU4ODY4MGNmM2VkNWEwMTNkNjI2YjMyNjcxMWQzZDQwZWYyZGY0NmI3MmQ0MTRiNGNiOGU0ZjQ0NWVhMDczOGRjYmQyNWM0Yzg0M2FjMzlkCiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuYXdzX2FkdmFuY2VkX2hhLnYxLjQuMHJjMS50bXBsKSBkZTA2ODQ1NTI1NzQxMmE5NDlmMWVhZGNjYWVlODUwNjM0N2UwNGZkNjliZmI2NDUwMDFiNzZmMjAwMTI3NjY4ZTRhMDZiZTJiYmI5NGUxMGZlZmMyMTVjZmMzNjY1YjA3OTQ1ZTZkNzMzY2JlMWE0ZmExYjg4ZTg4MTU5MDM5NgogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LmF3c19hZHZhbmNlZF9oYS52MS40LjByYzIudG1wbCkgNmFiMGJmZmM0MjZkZjdkMzE5MTNmOWE0NzRiMWEwNzg2MDQzNWUzNjZiMDdkNzdiMzIwNjRhY2ZiMjk1MmMxZjIwN2JlYWVkNzcwMTNhMTVlNDRkODBkNzRmMzI1M2U3Y2Y5ZmJiZTEyYTkwZWM3MTI4ZGU2ZmFjZDA5N2Q2OGYKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5hd3NfYWR2YW5jZWRfaGEudjEuNC4wcmMzLnRtcGwpIDJmMjMzOWI0YmMzYTIzYzljZmQ0MmFhZTJhNmRlMzliYTA2NTgzNjZmMjU5ODVkZTJlYTUzNDEwYTc0NWYwZjE4ZWVkYzQ5MWIyMGY0YThkYmE4ZGI0ODk3MDA5NmUyZWZkY2E3YjhlZmZmYTFhODNhNzhlNWFhZGYyMThiMTM0CiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuYXdzX2FkdmFuY2VkX2hhLnYxLjQuMHJjNC50bXBsKSAyNDE4YWM4YjFmMTg4NGM1YzA5NmNiYWM2YTk0ZDQwNTlhYWFmMDU5MjdhNmE0NTA4ZmQxZjI1YjhjYzYwNzc0OTg4MzlmYmRkYTgxNzZkMmNmMmQyNzRhMjdlNmExZGFlMmExZTNhMGE5OTkxYmM2NWZjNzRmYzBkMDJjZTk2MwogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LmF3c19hZHZhbmNlZF9oYS52MS40LjByYzUudG1wbCkgNWU1ODIxODdhZTFhNjMyM2UwOTVkNDFlZGRkNDExNTFkNmJkMzhlYjgzYzYzNDQxMGQ0NTI3YTNkMGUyNDZhOGZjNjI2ODVhYjA4NDlkZTJhZGU2MmIwMjc1ZjUxMjY0ZDJkZWFjY2JjMTZiNzczNDE3Zjg0N2E0YTFlYTliYzQKICAgICAgICAgICAgc2V0IGhhc2hlcyhhc20tcG9saWN5LnRhci5neikgMmQzOWVjNjBkMDA2ZDA1ZDhhMTU2N2ExZDhhYWU3MjI0MTllOGIwNjJhZDc3ZDZkOWEzMTY1Mjk3MWU1ZTY3YmM0MDQzZDgxNjcxYmEyYThiMTJkZDIyOWVhNDZkMjA1MTQ0Zjc1Mzc0ZWQ0Y2FlNThjZWZhOGY5YWI2NTMzZTYKICAgICAgICAgICAgc2V0IGhhc2hlcyhkZXBsb3lfd2FmLnNoKSAxYTNhM2M2Mjc0YWIwOGE3ZGMyY2I3M2FlZGM4ZDJiMmEyM2NkOWUwZWIwNmEyZTE1MzRiMzYzMmYyNTBmMWQ4OTcwNTZmMjE5ZDViMzVkM2VlZDEyMDcwMjZlODk5ODlmNzU0ODQwZmQ5Mjk2OWM1MTVhZTRkODI5MjE0ZmI3NAogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LnBvbGljeV9jcmVhdG9yLnRtcGwpIDA2NTM5ZTA4ZDExNWVmYWZlNTVhYTUwN2VjYjRlNDQzZTgzYmRiMWY1ODI1YTk1MTQ5NTRlZjZjYTU2ZDI0MGVkMDBjN2I1ZDY3YmQ4ZjY3YjgxNWVlOWRkNDY0NTE5ODQ3MDFkMDU4Yzg5ZGFlMjQzNGM4OTcxNWQzNzVhNjIwCgogICAgICAgICAgICBzZXQgZmlsZV9wYXRoIFtsaW5kZXggJHRtc2g6OmFyZ3YgMV0KICAgICAgICAgICAgc2V0IGZpbGVfbmFtZSBbZmlsZSB0YWlsICRmaWxlX3BhdGhdCgogICAgICAgICAgICBpZiB7IVtpbmZvIGV4aXN0cyBoYXNoZXMoJGZpbGVfbmFtZSldfSB7CiAgICAgICAgICAgICAgICB0bXNoOjpsb2cgZXJyICJObyBoYXNoIGZvdW5kIGZvciAkZmlsZV9uYW1lIgogICAgICAgICAgICAgICAgZXhpdCAxCiAgICAgICAgICAgIH0KCiAgICAgICAgICAgIHNldCBleHBlY3RlZF9oYXNoICRoYXNoZXMoJGZpbGVfbmFtZSkKICAgICAgICAgICAgc2V0IGNvbXB1dGVkX2hhc2ggW2xpbmRleCBbZXhlYyAvdXNyL2Jpbi9vcGVuc3NsIGRnc3QgLXIgLXNoYTUxMiAkZmlsZV9wYXRoXSAwXQogICAgICAgICAgICBpZiB7ICRleHBlY3RlZF9oYXNoIGVxICRjb21wdXRlZF9oYXNoIH0gewogICAgICAgICAgICAgICAgZXhpdCAwCiAgICAgICAgICAgIH0KICAgICAgICAgICAgdG1zaDo6bG9nIGVyciAiSGFzaCBkb2VzIG5vdCBtYXRjaCBmb3IgJGZpbGVfcGF0aCIKICAgICAgICAgICAgZXhpdCAxCiAgICAgICAgfV19IHsKICAgICAgICAgICAgdG1zaDo6bG9nIGVyciB7VW5leHBlY3RlZCBlcnJvciBpbiB2ZXJpZnlIYXNofQogICAgICAgICAgICBleGl0IDEKICAgICAgICB9CiAgICB9Cn0=",
-
- "installCloudLibs64": "IyEvYmluL2Jhc2gKZWNobyAgYWJvdXQgdG8gZXhlY3V0ZQpjaGVja3M9MAp3aGlsZSBbICRjaGVja3MgLWx0IDEyMCBdOyBkbyBlY2hvIGNoZWNraW5nIG1jcGQKICAgIHRtc2ggLWEgc2hvdyBzeXMgbWNwLXN0YXRlIGZpZWxkLWZtdCB8IGdyZXAgLXEgcnVubmluZwogICBpZiBbICQ/ID09IDAgXTsgdGhlbgogICAgICAgZWNobyBtY3BkIHJlYWR5CiAgICAgICBicmVhawogICBmaQogICBlY2hvIG1jcGQgbm90IHJlYWR5IHlldAogICBsZXQgY2hlY2tzPWNoZWNrcysxCiAgIHNsZWVwIDEwCmRvbmUgCgplY2hvICBleHBhbmRpbmcgZjUtY2xvdWQtbGlicy50YXIuZ3oKdGFyIHh2ZnogL2NvbmZpZy9jbG91ZC9mNS1jbG91ZC1saWJzLnRhci5neiAtQyAvY29uZmlnL2Nsb3VkL2F6dXJlL25vZGVfbW9kdWxlcy9AZjVkZXZjZW50cmFsCmVjaG8gIGNsb3VkIGxpYnMgaW5zdGFsbCBjb21wbGV0ZQp0b3VjaCAvY29uZmlnL2Nsb3VkL2Nsb3VkTGlic1JlYWR5",
-
- "routeCmd": "route",
- "stigCmdArray": {
- "true": "bash ./bigipstig.sh;",
- "false": ""
- },
- "cmdConfigStig": "[if(parameters('STIGDevice'), variables('stigCmdArray').true, variables('stigCmdArray').false)]",
-
- "createFWLogArray": {
- "true": "tmsh create security log profile local-afm-log { network replace-all-with { local-afm-log { publisher local-db-publisher filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled } } } };",
- "false": ""
- },
- "cmdcreateFWLog": "[if(contains(parameters('bigIpModules'), 'afm'), variables('createFWLogArray').true, variables('createFWLogArray').false)]",
-
- "createFWPolicyArray": {
- "true": "tmsh create security firewall policy log_all_afm rules add { allow_all { action accept log yes place-before first } deny_all { action reject log yes place-after allow_all } };",
- "false": ""
- },
- "cmdcreateFWPolicy": "[if(contains(parameters('bigIpModules'), 'afm'), variables('createFWPolicyArray').true, variables('createFWPolicyArray').false)]",
-
- "installDODRootCA": "unzip Certificates_PKCS7_v5.5_DoD.zip; openssl pkcs7 -print_certs -in ./Certificates_PKCS7_v5.5_DoD/Certificates_PKCS7_v5.5_DoD.pem.p7b -out DoD_Root_CA.cer; tmsh install sys crypto cert DODRoots from-local-file DoD_Root_CA.cer;",
-
- "firewallConfig": "[concat(variables('cmdcreateFWLog'), variables('cmdcreateFWPolicy'))]",
- "sacaConfig": "[variables('cmdConfigStig')]",
-
- "customConfig": "### START (INPUT) CUSTOM CONFIGURATION HERE\n",
-
- "dnsLabel": "[toLower(variables('dnsLabelPrefix'))]",
-
- "skuToUse": "[concat('f5-', variables('imageNameSub'),'-byol')]",
- "offerToUse": "[concat('f5-big-ip-', variables('imageNameArray').offerPostfix[variables('imageNameSub')])]",
- "imagePlan": {
- "name": "[variables('skuToUse')]",
- "product": "[variables('offerToUse')]",
- "publisher": "f5-networks"
- },
- "imageReference": {
- "offer": "[variables('offerToUse')]",
- "publisher": "f5-networks",
- "sku": "[variables('skuToUse')]",
- "version": "[parameters('bigIpVersion')]"
- },
- "bigIpNicPortValue": "[variables('bigIpNicPortMap')['3'].Port]",
- "bigIpMgmtPort": "[variables('bigIpVersionPortMap')[variables('bigIpNicPortValue')].Port]",
- "instanceName": "[toLower(parameters('instanceName'))]",
- "internalLoadBalancerName": "[concat(variables('dnsLabel'),'-int-ilb')]",
- "intLbId": "[resourceId('Microsoft.Network/loadBalancers',variables('internalLoadBalancerName'))]",
-
- "failoverCmdArray": {
- "No": {
- "first": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '0.', variables('location'), variables('cloudPath')), ' unicast-address none')]",
- "second": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '1.', variables('location'), variables('cloudPath')), ' unicast-address none')]"
- },
- "Yes": {
- "first": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '0.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnetPrivateAddress'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress'))]",
- "second": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '1.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnetPrivateAddress1'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress1'))]"
- }
- },
- "virtualNetworkName": "[concat(variables('dnsLabelPrefix'), '-scca-vnet')]",
-
- "vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]",
-
- "ManagementAddressStartIP": "192.168.1.4",
- "ManagementAddressSubnet": "192.168.1.0/24",
- "mgmtSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('mgmtSubnetName'))]",
- "mgmtSubnetName": "management",
- "mgmtSubnetPrivateAddress": "[variables('ManagementAddressStartIP')]",
- "mgmtSubnetPrivateAddress1": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 5))]",
- "mgmtSubnetPrivateAddress2": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 50))]",
- "mgmtSubnetPrivateAddress3": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 51))]",
- "mgmtSubnetPrivateAddressPrefix": "[substring(variables('ManagementAddressStartIP'), 0, lastindexOf(variables('ManagementAddressStartIP'), '.'))]",
- "mgmtSubnetStartDirty": "[substring(variables('ManagementAddressStartIP'), lastIndexOf(variables('ManagementAddressStartIP'), '.'), sub(length(variables('ManagementAddressStartIP')), lastIndexOf(variables('ManagementAddressStartIP'), '.') ))]",
- "mgmtSubnetStartInt": "[replace(variables('mgmtSubnetStartDirty'), '.','')]",
-
- "commandArgs": "[concat('-o ', parameters('declarationUrl'), ' -u svc_user')]",
- "appScript": "IyEvYmluL2Jhc2gKZnVuY3Rpb24gcGFzc3dkKCkgewogIGVjaG8gfCBmNS1yZXN0LW5vZGUgL2NvbmZpZy9jbG91ZC9henVyZS9ub2RlX21vZHVsZXMvQGY1ZGV2Y2VudHJhbC9mNS1jbG91ZC1saWJzL3NjcmlwdHMvZGVjcnlwdERhdGFGcm9tRmlsZS5qcyAtLWRhdGEtZmlsZSAvY29uZmlnL2Nsb3VkLy5wYXNzd2QgfCBhd2sgJ3twcmludCAkMX0nCn0KCndoaWxlIGdldG9wdHMgbzp1OiBvcHRpb24KZG8gY2FzZSAiJG9wdGlvbiIgIGluCiAgICAgICAgbykgZGVjbGFyYXRpb25Vcmw9JE9QVEFSRzs7CiAgICAgICAgdSkgdXNlcj0kT1BUQVJHOzsKICAgIGVzYWMKZG9uZQoKZGVwbG95ZWQ9Im5vIgpmaWxlX2xvYz0iL2NvbmZpZy9jbG91ZC9jdXN0b21fY29uZmlnIgpkZmxfbWdtdF9wb3J0PWB0bXNoIGxpc3Qgc3lzIGh0dHBkIHNzbC1wb3J0IHwgZ3JlcCBzc2wtcG9ydCB8IHNlZCAncy9zc2wtcG9ydCAvLztzLyAvL2cnYAp1cmxfcmVnZXg9IihodHRwOlwvXC98aHR0cHM6XC9cLyk/W2EtejAtOV0rKFtcLVwuXXsxfVthLXowLTldKykqXC5bYS16XXsyLDV9KDpbMC05XXsxLDV9KT8oXC8uKik/JCIKCmlmIFtbICRkZWNsYXJhdGlvblVybCA9fiAkdXJsX3JlZ2V4IF1dOyB0aGVuCiAgICByZXNwb25zZV9jb2RlPSQoL3Vzci9iaW4vY3VybCAtLWludGVyZmFjZSBtZ210IC1zayAtdyAiJXtodHRwX2NvZGV9IiAkZGVjbGFyYXRpb25VcmwgLW8gJGZpbGVfbG9jKQogICAgaWYgW1sgJHJlc3BvbnNlX2NvZGUgPT0gMjAwIF1dOyB0aGVuCiAgICAgICAgIGVjaG8gIkN1c3RvbSBjb25maWcgZG93bmxvYWQgY29tcGxldGU7IGNoZWNraW5nIGZvciB2YWxpZCBKU09OLiIKICAgICAgICAgY2F0ICRmaWxlX2xvYyB8IGpxIC5jbGFzcwogICAgICAgICBpZiBbWyAkPyA9PSAwIF1dOyB0aGVuCiAgICAgICAgICAgICByZXNwb25zZV9jb2RlPSQoL3Vzci9iaW4vY3VybCAtc2t2dnUgJHVzZXI6JChwYXNzd2QpIC13ICIle2h0dHBfY29kZX0iIC1YIFBPU1QgLUggIkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vanNvbiIgLUggJ0V4cGVjdDonIC1kICJAJGZpbGVfbG9jIiBodHRwczovL2xvY2FsaG9zdDokZGZsX21nbXRfcG9ydC9tZ210L3NoYXJlZC9hcHBzdmNzL2RlY2xhcmUgLW8gL2Rldi9udWxsKQoKICAgICAgICAgICAgIGlmIFtbICRyZXNwb25zZV9jb2RlID09IDIwMCB8fCAkcmVzcG9uc2VfY29kZSA9PSAyMDcgfHwgJHJlc3BvbnNlX2NvZGUgPT0gNTAyIF1dOyB0aGVuCiAgICAgICAgICAgICAgICAgIGVjaG8gIkRlcGxveW1lbnQgb2YgYXBwbGljYXRpb24gc3VjY2VlZGVkLiAkcmVzcG9uc2VfY29kZSIKICAgICAgICAgICAgICAgICAgZGVwbG95ZWQ9InllcyIKICAgICAgICAgICAgIGVsc2UKICAgICAgICAgICAgICAgICBlY2hvICJGYWlsZWQgdG8gZGVwbG95IGFwcGxpY2F0aW9uOyBjb250aW51aW5nIHdpdGggcmVzcG9uc2UgY29kZSAnIiRyZXNwb25zZV9jb2RlIiciCiAgICAgICAgICAgICBmaQogICAgICAgICBlbHNlCiAgICAgICAgICAgICBlY2hvICJDdXN0b20gY29uZmlnIHdhcyBub3QgdmFsaWQgSlNPTiwgY29udGludWluZyIKICAgICAgICAgZmkKICAgIGVsc2UKICAgICAgICBlY2hvICJGYWlsZWQgdG8gZG93bmxvYWQgY3VzdG9tIGNvbmZpZzsgY29udGludWluZyB3aXRoIHJlc3BvbnNlIGNvZGUgJyIkcmVzcG9uc2VfY29kZSInIgogICAgZmkKZWxzZQogICAgIGVjaG8gIkN1c3RvbSBjb25maWcgd2FzIG5vdCBhIFVSTCwgY29udGludWluZy4iCmZpCgppZiBbWyAkZGVwbG95ZWQgPT0gIm5vIiAmJiAkZGVjbGFyYXRpb25VcmwgPT0gIk5PVF9TUEVDSUZJRUQiIF1dOyB0aGVuCiAgICBlY2hvICJBcHBsaWNhdGlvbiBkZXBsb3ltZW50IGZhaWxlZCBvciBjdXN0b20gVVJMIHdhcyBub3Qgc3BlY2lmaWVkLiIKZmkKCmVjaG8gIkRlcGxveW1lbnQgY29tcGxldGUuIgpleGl0",
-
- "routeTableName": "BasicUDR",
-
- "extNicName": "[concat(variables('dnsLabelPrefix'), '-ext')]",
- "extNsgID": "[resourceId('Microsoft.Network/networkSecurityGroups/',concat(variables('dnsLabelPrefix'),'-ext-nsg'))]",
- "extPublicIPAddressIdPrefix": "[resourceId('Microsoft.Network/publicIPAddresses', variables('extPublicIPAddressNamePrefix'))]",
- "extSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('extsubnetName'))]",
- "extSubnetName": "external",
- "extSubnetPrivateAddress": "[parameters('NorthUntrustedAddressStartIP')]",
- "extSubnetPrivateAddress1": "[concat(variables('extSubnetPrivateAddressPrefix'), '.',add(int(variables('extSubnetStartInt')), 1))]",
- "extSubnetPrivateAddressPrefix": "[substring(parameters('NorthUntrustedAddressStartIP'), 0, lastindexOf(parameters('NorthUntrustedAddressStartIP'), '.'))]",
- "extSubnetStartDirty": "[substring(parameters('NorthUntrustedAddressStartIP'), lastIndexOf(parameters('NorthUntrustedAddressStartIP'), '.'), sub(length(parameters('NorthUntrustedAddressStartIP')), lastIndexOf(parameters('NorthUntrustedAddressStartIP'), '.')))]",
- "extSubnetStartInt": "[replace(variables('extSubnetStartDirty'), '.','')]",
- "externalLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-ext-alb')]",
- "extpublicIPAddressNamePrefix": "[concat(variables('dnsLabelPrefix'), '-ext-pip')]",
- "extLbId": "[resourceId('Microsoft.Network/loadBalancers',variables('externalLoadBalancerName'))]",
-
- "intNicName": "[concat(variables('dnsLabelPrefix'), '-int')]",
- "intSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('intsubnetName'))]",
- "intSubnetName": "internal",
- "intSubnetPrivateAddress": "[parameters('NorthTrustedAddressStartIP')]",
- "intSubnetPrivateAddress1": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 1))]",
- "intSubnetPrivateAddress2": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 10))]",
- "intSubnetPrivateAddress3": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 11))]",
- "intSubnetPrivateAddressPrefix": "[substring(parameters('NorthTrustedAddressStartIP'), 0, lastindexOf(parameters('NorthTrustedAddressStartIP'), '.'))]",
- "intSubnetStartDirty": "[substring(parameters('NorthTrustedAddressStartIP'), lastIndexOf(parameters('NorthTrustedAddressStartIP'), '.'), sub(length(parameters('NorthTrustedAddressStartIP')), lastIndexOf(parameters('NorthTrustedAddressStartIP'), '.') ))]",
- "intSubnetStartInt": "[replace(variables('intSubnetStartDirty'), '.', '')]",
- "internalLoadBalancerAddress": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 65))]",
-
- "jbimageOffer": "UbuntuServer",
- "jbimagePublisher": "Canonical",
- "jblinuxConfiguration": {
- "disablePasswordAuthentication": true,
- "ssh": {
- "publicKeys": [
- {
- "keyData": "[parameters('adminPasswordOrKey')]",
- "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]"
- }
- ]
- }
- },
- "jbubuntuOSVersion": "18.04-LTS",
- "jbvmName": "[concat(variables('dnsLabelPrefix'), '-linux-jump')]",
- "jbvmSize": "Standard_A1",
- "WinvmName": "Bastion-Win-JB",
- "windowsOSVersion": "2019-Datacenter",
-
- "availabilitySetName": "[concat(variables('dnsLabelPrefix'), '-avset')]",
- "availabilitySet2Name": "[concat(variables('dnsLabelPrefix'), '-avset2')]",
- "availabilitySet3Name": "[concat(variables('dnsLabelPrefix'), '-avset3')]",
-
- "availabilitySetId": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets',variables('availabilitySetName'))]"
- },
-
- "tmmRouteGw": "[concat(variables('intSubnetPrivateAddressPrefix'), '.1')]",
-
- "numberOfExternalIps": "[parameters('numberOfExternalIps')]",
- "backEndAddressPoolArray": [
- {
- "id": "[concat(variables('extLbId'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- },
- {
- "id": "[concat(variables('intLbId'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- }
- ],
- "imageNameSub": "[variables('imageNameArray')[parameters('bigIpVersion')][parameters('imageName')]]",
- "imageNameArray": {
- "15.0.100000": {
- "AllOneBootLocation": "big-all-1slot",
- "AllTwoBootLocations": "big-all-2slot",
- "LTMOneBootLocation": "big-ltm-1slot",
- "LTMTwoBootLocations": "big-ltm-2slot"
- },
- "14.1.200000": {
- "AllOneBootLocation": "big-all-1slot",
- "AllTwoBootLocations": "big-all-2slot",
- "LTMOneBootLocation": "big-ltm-1slot",
- "LTMTwoBootLocations": "big-ltm-2slot"
- },
- "latest": {
- "AllOneBootLocation": "big-all-2slot",
- "AllTwoBootLocations": "big-all-2slot",
- "LTMOneBootLocation": "big-ltm-2slot",
- "LTMTwoBootLocations": "big-ltm-2slot"
- },
- "offerPostfix": {
- "big-all-1slot": "byol",
- "big-all-2slot": "byol",
- "big-ltm-1slot": "byol",
- "big-ltm-2slot": "byol",
- "bigip-virtual-edition-best": "best",
- "bigip-virtual-edition-good": "good"
- }
- },
-
- "publicIPAddressType": "Static",
-
- "mgmtNsgID": "[resourceId('Microsoft.Network/networkSecurityGroups/',concat(variables('dnsLabel'),'-mgmt-nsg'))]",
- "mgmtNicName": "[concat(variables('dnsLabel'), '-mgmt')]",
-
- "tagValues": "[parameters('tagValues')]",
- "failovertagValues": {
- "f5_cloud_failover_label": "scca",
- "f5_cloud_failover_nic_map": "external"
- },
- "newDataStorageAccountName": "[concat(uniqueString(variables('dnsLabel'), resourceGroup().id, deployment().name), 'data000')]",
- "dataStorageAccountType": "Standard_LRS",
- "deploymentId": "[concat(variables('subscriptionId'), resourceGroup().id, deployment().name, variables('dnsLabel'))]",
-
- "allowUsageAnalytics": {
- "No": {
- "hashCmd": "echo AllowUsageAnalytics:No",
- "metricsCmd": ""
- },
- "Yes": {
- "hashCmd": "[concat('custId=`echo \"', variables('subscriptionId'), '\"|sha512sum|cut -d \" \" -f 1`; deployId=`echo \"', variables('deploymentId'), '\"|sha512sum|cut -d \" \" -f 1`')]",
- "metricsCmd": "[concat(' --metrics customerId:${custId},deploymentId:${deployId},templateName:failover_3nic-new-stack-saca-byol,templateVersion:7.2.0.0,region:', variables('location'), ',bigIpVersion:', parameters('bigIpVersion') ,',licenseType:byol,cloudLibsVersion:', variables('f5CloudLibsTag'), ',cloudName:azure')]"
- }
- },
- "osProfiles": {
- "password": {
- "adminPassword": "[variables('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('instanceName')]",
- "linuxConfiguration": "[json('null')]"
- },
- "sshPublicKey": {
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('instanceName')]",
- "linuxConfiguration": "[variables('linuxConfiguration')]"
- }
- },
- "installCustomConfig": "[concat(variables('singleQuote'), '#!/bin/bash\n', variables('customConfig'), variables('singleQuote'))]"
- },
- "resources": [
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[not(equals(variables('numberOfExternalIps'),0))]",
- "copy": {
- "count": "[if(not(equals(variables('numberOfExternalIps'), 0)), variables('numberOfExternalIps'), 1)]",
- "name": "extpipcopy"
- },
- "location": "[variables('location')]",
- "name": "[concat(variables('extPublicIPAddressNamePrefix'), copyIndex())]",
- "properties": {
- "dnsSettings": {
- "domainNameLabel": "[concat(variables('dnsLabel'), copyIndex(0))]"
- },
- "idleTimeoutInMinutes": 30,
- "publicIPAllocationMethod": "[variables('publicIPAddressType')]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/publicIPAddresses"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('routeTableName')]",
- "properties": {
- "routes": [
- {
- "name": "Default",
- "properties": {
- "addressPrefix": "0.0.0.0/0",
- "nextHopIpAddress": "[variables('internalLoadBalancerAddress')]",
- "nextHopType": "VirtualAppliance"
- }
- }
- ]
- },
- "type": "Microsoft.Network/routeTables"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('routeTableName')]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('virtualNetworkName')]",
- "properties": {
- "addressSpace": {
- "addressPrefixes": [
- "[parameters('NorthUntrustedAddressSubnet')]",
- "[parameters('NorthTrustedAddressSubnet')]",
- "[variables('ManagementAddressSubnet')]",
- "[parameters('VDMSAddressSubnet')]"
- ]
- },
- "subnets": [
- {
- "name": "[variables('mgmtSubnetName')]",
- "properties": {
- "addressPrefix": "[variables('ManagementAddressSubnet')]"
- }
- },
- {
- "name": "[variables('extSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('NorthUntrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('intSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('NorthTrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('vdmsSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('VDMSAddressSubnet')]",
- "routeTable": {
- "id": "[resourceId('Microsoft.Network/routeTables', variables('routeTableName'))]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/virtualNetworks"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('mgmtNsgID')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('externalLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '0')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- {
- "id": "[concat(variables('extLbId'), '/backendAddressPools/', 'loadBalancerMgmtBackEnd')]"
- }
- ],
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('mgmtNsgID')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('externalLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '1')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- {
- "id": "[concat(variables('extLbId'), '/backendAddressPools/', 'loadBalancerMgmtBackEnd')]"
- }
- ],
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('mgmtNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '2')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('mgmtNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '3')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig0')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "extpipcopy",
- "[variables('extLbId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '0')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig0')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(variables('numberOfExternalIps'), 0), take(variables('backEndAddressPoolArray'), 0), take(variables('backEndAddressPoolArray'), 1))]",
- "primary": false,
- "privateIPAddress": "[concat(variables('extSubnetPrivateAddressPrefix'), '.',10)]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), union(variables('tagValues'),variables('failovertagValues')))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "extpipcopy",
- "[variables('extLbId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '1')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig1')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(variables('numberOfExternalIps'), 0), take(variables('backEndAddressPoolArray'), 0), take(variables('backEndAddressPoolArray'), 1))]",
- "primary": false,
- "privateIPAddress": "[concat(variables('extSubnetPrivateAddressPrefix'), '.', 11)]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), union(variables('tagValues'),variables('failovertagValues')))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('intLbId')]",
- "[variables('vnetId')]",
- "extpipcopy",
- "[variables('extNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '0')]",
- "properties": {
- "enableIPForwarding": true,
- "primary": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabel'), '-int-ipconfig-secondary')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('internalLoadBalancerType'), 'DO_NOT_USE'), take(variables('backEndAddressPoolArray'), 0), skip(variables('backEndAddressPoolArray'), 1))]",
- "privateIPAddress": "[variables('intSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('intLbId')]",
- "[variables('vnetId')]",
- "extpipcopy",
- "[variables('extNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '1')]",
- "properties": {
- "enableIPForwarding": true,
- "primary": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabel'), '-int-ipconfig-secondary')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('internalLoadBalancerType'), 'DO_NOT_USE'), take(variables('backEndAddressPoolArray'), 0), skip(variables('backEndAddressPoolArray'), 1))]",
- "privateIPAddress": "[variables('intSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-nsg')]",
- "properties": {
- "securityRules": [
- {
- "name": "https_allow_443",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "[variables('bigIpMgmtPort')]",
- "direction": "Outbound",
- "priority": 101,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkSecurityGroups"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-ext-nsg')]",
- "properties": {
- "securityRules": [
- {
- "name": "ssh_allow_22",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "22",
- "direction": "Inbound",
- "priority": 102,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- },
- {
- "name": "rdp_allow_3389",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "3389",
- "direction": "Inbound",
- "priority": 103,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkSecurityGroups"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[not(equals(variables('numberOfExternalIps'),0))]",
- "dependsOn": [
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[variables('externalLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- },
- {
- "name": "loadBalancerMgmtBackEnd"
- }
- ],
- "copy": [
- {
- "count": "[if(not(equals(variables('numberOfExternalIps'), 0)), variables('numberOfExternalIps'), 1)]",
- "input": {
- "name": "[concat('loadBalancerFrontEnd', copyIndex('frontendIPConfigurations', 1))]",
- "properties": {
- "publicIPAddress": {
- "id": "[concat(variables('extPublicIPAddressIdPrefix'), sub(copyIndex('frontendIPConfigurations', 1), 1))]"
- }
- }
- },
- "name": "frontendIPConfigurations"
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "backendPort": 3389,
- "enableFloatingIP": false,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 3389,
- "idleTimeoutInMinutes": 4,
- "loadDistribution": "Default",
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/probes/rdp_alive')]"
- },
- "protocol": "Tcp"
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "backendPort": 22,
- "enableFloatingIP": false,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 22,
- "idleTimeoutInMinutes": 4,
- "loadDistribution": "Default",
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/probes/ssh_alive')]"
- },
- "protocol": "Tcp"
- }
- },
- {
- "Name": "management_outbound",
- "properties": {
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/backendAddressPools/loadBalancerMgmtBackEnd')]"
- },
- "backendPort": 8443,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 8443,
- "idleTimeoutInMinutes": 15,
- "probe": {
- "id": "[concat(variables('extLbId'),'/probes/https_alive')]"
- },
- "protocol": "Tcp"
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 2,
- "port": 22,
- "protocol": "Tcp"
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 2,
- "port": 3389,
- "protocol": "Tcp"
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 2,
- "port": 80,
- "protocol": "Http",
- "requestPath": "/"
- }
- },
- {
- "name": "https_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 3,
- "port": 443,
- "protocol": "Tcp"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "sku": {
- "name": "Standard"
- },
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[not(equals(parameters('internalLoadBalancerType'),'DO_NOT_USE'))]",
- "dependsOn": [
- "[variables('extNsgID')]",
- "extpipcopy",
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('internalLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "LoadBalancerBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "LoadBalancerFrontEnd",
- "properties": {
- "privateIPAddress": "[variables('internalLoadBalancerAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "[if(equals(parameters('internalLoadBalancerType'),'Per-protocol'), concat('lbRule-', parameters('internalLoadBalancerProbePort')), 'allProtocolLbRule')]",
- "properties": {
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('internalLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "backendPort": "[if(equals(parameters('internalLoadBalancerType'),'Per-protocol'), parameters('internalLoadBalancerProbePort'), 0)]",
- "enableFloatingIP": false,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('internalLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": "[if(equals(parameters('internalLoadBalancerType'),'Per-protocol'), parameters('internalLoadBalancerProbePort'), 0)]",
- "idleTimeoutInMinutes": 15,
- "loadDistribution": "Default",
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('internalLoadBalancerName')), '/probes/tcp-probe-', parameters('internalLoadBalancerProbePort'))]"
- },
- "protocol": "[if(equals(parameters('internalLoadBalancerType'),'Per-protocol'), 'Tcp', 'All')]"
- }
- }
- ],
- "probes": [
- {
- "name": "[concat('tcp-probe-', parameters('internalLoadBalancerProbePort'))]",
- "properties": {
- "intervalInSeconds": 5,
- "numberOfProbes": 2,
- "port": "[parameters('internalLoadBalancerProbePort')]",
- "protocol": "Tcp"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "sku": {
- "name": "Standard"
- },
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName')]",
- "sku": {
- "name": "Aligned"
- },
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySet2Name')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySet3Name')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('storageApiVersion')]",
- "kind": "Storage",
- "location": "[variables('location')]",
- "name": "[variables('newDataStorageAccountName')]",
- "properties": {
- "supportsHttpsTrafficOnly": true
- },
- "sku": {
- "name": "[variables('dataStorageAccountType')]",
- "tier": "Standard"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Storage/storageAccounts"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "condition": "[and(variables('useCustomImage'), variables('createNewCustomImage'))]",
- "location": "[variables('location')]",
- "name": "[variables('newCustomImageName')]",
- "properties": {
- "storageProfile": {
- "osDisk": {
- "blobUri": "[variables('customImage')]",
- "osState": "Generalized",
- "osType": "Linux",
- "storageAccountType": "[if(contains(variables('premiumInstanceArray'), parameters('instanceType')), 'Premium_LRS', 'Standard_LRS')]"
- }
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/images"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName'))]",
- "[variables('newCustomImageName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '0')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '0')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '0'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')]]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName'))]",
- "[variables('newCustomImageName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '1')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '1')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '1'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')]]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "2018-10-01",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '2'))]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('jbvmName')]",
- "properties": {
- "availabilitySet": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySet2Name'))]"
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[variables('jbvmSize')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '2'))]"
- }
- ]
- },
- "osProfile": {
- "adminPassword": "[parameters('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('jbvmName')]",
- "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), json('null'), variables('jblinuxConfiguration'))]"
- },
- "storageProfile": {
- "dataDisks": [
- {
- "createOption": "Empty",
- "diskSizeGB": 1023,
- "lun": 0
- }
- ],
- "imageReference": {
- "offer": "[variables('jbimageOffer')]",
- "publisher": "[variables('jbimagePublisher')]",
- "sku": "[variables('jbubuntuOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- }
- }
- },
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "2018-10-01",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '3'))]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('WinvmName')]",
- "properties": {
- "availabilitySet": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySet3Name'))]"
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "Standard_A2"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '3'))]"
- }
- ]
- },
- "osProfile": {
- "adminPassword": "[parameters('WindowsAdminPassword')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('WinvmName')]"
- },
- "storageProfile": {
- "dataDisks": [
- {
- "createOption": "Empty",
- "diskSizeGB": 1023,
- "lun": 0
- }
- ],
- "imageReference": {
- "offer": "WindowsServer",
- "publisher": "MicrosoftWindowsServer",
- "sku": "[variables('windowsOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- }
- }
- },
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabel'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabel'), '-', variables('instanceName'), '1')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '0/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '0.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --license ', parameters('licenseKey1'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[parameters('enableNetworkFailover')].first, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress'), ' --create-group --device-group Sync --sync-type sync-failover --device ', concat(variables('instanceName'), '0.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --network-failover --auto-sync --save-on-auto-sync;', variables('firewallConfig'), ' bash /config/cloud/deploy_app.sh ', variables('commandArgs'), '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('installDODRootCA'), variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/Certificates_PKCS7_v5.5_DoD.zip",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh",
- "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/working/asm/15.1/sccaBaselineASMPolicy.xml"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabel'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabel'), '-', variables('instanceName'), '1')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '1/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '1.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --license ', parameters('licenseKey2'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress1'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress1'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[parameters('enableNetworkFailover')].second, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress1'), ' --join-group --device-group Sync --sync --remote-host ', variables('mgmtSubnetPrivateAddress'), ' --remote-user svc_user --remote-password-url file:///config/cloud/.passwd', '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- }
- ]
-}
diff --git a/SACAv2/3NIC_1Tier_HA/payg/azureDeploy.json b/SACAv2/3NIC_1Tier_HA/payg/azureDeploy.json
deleted file mode 100644
index 812a32c..0000000
--- a/SACAv2/3NIC_1Tier_HA/payg/azureDeploy.json
+++ /dev/null
@@ -1,1706 +0,0 @@
-{
- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "7.2.0.0",
- "parameters": {
- "governmentCloudRegion": {
- "defaultValue": true,
- "metadata": {
- "description": "Type of cloud this template will deploy into, ensure to select false for commercial."
- },
- "type": "bool"
- },
- "adminUsername": {
- "defaultValue": "xadmin",
- "metadata": {
- "description": "User name for the Virtual Machine."
- },
- "type": "string"
- },
- "authenticationType": {
- "allowedValues": [
- "password",
- "sshPublicKey"
- ],
- "defaultValue": "password",
- "metadata": {
- "description": "Type of authentication to use on the Virtual Machine, password based authentication or key based authentication."
- },
- "type": "string"
- },
- "adminPasswordOrKey": {
- "metadata": {
- "description": "Password or SSH public key to login to the Virtual Machine. Note: There are a number of special characters that you should avoid using for F5 product user accounts. See [K2873](https://support.f5.com/csp/article/K2873) for details. Note: If using key-based authentication, this should be the public key as a string, typically starting with **---- BEGIN SSH2 PUBLIC KEY ----** and ending with **---- END SSH2 PUBLIC KEY ----**."
- },
- "type": "securestring"
- },
- "WindowsAdminPassword": {
- "metadata": {
- "description": "Password for the Windows Virtual Machine."
- },
- "type": "securestring"
- },
- "dnsLabel": {
- "defaultValue": "f5dns01",
- "metadata": {
- "description": "Unique DNS Name for the Public IP address used to access the Virtual Machine."
- },
- "type": "string"
- },
- "instanceName": {
- "defaultValue": "bigip",
- "metadata": {
- "description": "Name of the Virtual Machine."
- },
- "type": "string"
- },
- "numberOfExternalIps": {
- "allowedValues": [
- 0,
- 1,
- 2,
- 3,
- 4,
- 5,
- 6,
- 7,
- 8,
- 9,
- 10,
- 11,
- 12,
- 13,
- 14,
- 15,
- 16,
- 17,
- 18,
- 19,
- 20
- ],
- "defaultValue": 1,
- "metadata": {
- "description": "The number of public/private IP addresses you want to deploy for the application traffic (external) NIC on the BIG-IP VE to be used for virtual servers."
- },
- "type": "int"
- },
- "enableNetworkFailover": {
- "allowedValues": [
- "No",
- "Yes"
- ],
- "defaultValue": "Yes",
- "metadata": {
- "description": "Enabling failover creates a traditional active/standby deployment with traffic groups and mirroring. When failover is disabled, all devices are active; use traffic group none."
- },
- "type": "string"
- },
- "internalLoadBalancerType": {
- "allowedValues": [
- "Per-protocol",
- "All-protocol",
- "DO_NOT_USE"
- ],
- "defaultValue": "Per-protocol",
- "metadata": {
- "description": "Specify a the type of internal Azure load balancer to deploy. Note: As of the initial release of this template, the all-protocol Azure load balancer is in public preview. Please ensure that this feature is enabled before selecting **All-protocol**."
- },
- "type": "string"
- },
- "internalLoadBalancerProbePort": {
- "defaultValue": "3456",
- "metadata": {
- "description": "Specify a TCP port for the internal load balancer to monitor. If you specified DO_NOT_USE for internal load balancer type, this setting has no effect."
- },
- "type": "string"
- },
- "instanceType": {
- "allowedValues": [
- "Standard_A3",
- "Standard_A4",
- "Standard_A5",
- "Standard_A6",
- "Standard_A7",
- "Standard_D3",
- "Standard_D4",
- "Standard_D11",
- "Standard_D12",
- "Standard_D13",
- "Standard_D14",
- "Standard_DS3",
- "Standard_DS4",
- "Standard_DS11",
- "Standard_DS12",
- "Standard_DS13",
- "Standard_DS14",
- "Standard_D3_v2",
- "Standard_D4_v2",
- "Standard_D5_v2",
- "Standard_D11_v2",
- "Standard_D12_v2",
- "Standard_D13_v2",
- "Standard_D14_v2",
- "Standard_D15_v2",
- "Standard_DS3_v2",
- "Standard_DS4_v2",
- "Standard_DS5_v2",
- "Standard_DS11_v2",
- "Standard_DS12_v2",
- "Standard_DS13_v2",
- "Standard_DS14_v2",
- "Standard_DS15_v2",
- "Standard_F4",
- "Standard_F8",
- "Standard_F4S",
- "Standard_F8S",
- "Standard_F16S",
- "Standard_G3",
- "Standard_G4",
- "Standard_G5",
- "Standard_GS3",
- "Standard_GS4",
- "Standard_GS5"
- ],
- "defaultValue": "Standard_DS4_v2",
- "metadata": {
- "description": "Instance size of the Virtual Machine."
- },
- "type": "string"
- },
- "imageName": {
- "allowedValues": [
- "Best25Mbps",
- "Best200Mbps",
- "Best1Gbps",
- "Best10Gbps",
- "Better25Mbps",
- "Better200Mbps",
- "Better1Gbps",
- "Better10Gbps",
- "Good25Mbps",
- "Good200Mbps",
- "Good1Gbps",
- "Good10Gbps",
- "AdvancedWaf25Mbps",
- "AdvancedWaf200Mbps",
- "AdvancedWaf1Gbps"
- ],
- "defaultValue": "Best1Gbps",
- "metadata": {
- "description": "F5 SKU (image) you want to deploy. Note: The disk size of the VM will be determined based on the option you select. **Important**: 10Gbps SKUs are supported only with BIGIP VE v15 or later. If intending to provision multiple modules, ensure the appropriate value is selected, such as **Best** instead of **Good**."
- },
- "type": "string"
- },
- "bigIpVersion": {
- "allowedValues": [
- "15.0.100000",
- "14.1.200000",
- "latest"
- ],
- "defaultValue": "14.1.200000",
- "metadata": {
- "description": "F5 BIG-IP version you want to use."
- },
- "type": "string"
- },
- "bigIpModules": {
- "defaultValue": "ltm:nominal,asm:nominal,afm:nominal",
- "metadata": {
- "description": "Comma separated list of modules and levels to provision, for example, ltm:nominal,asm:nominal"
- },
- "type": "string"
- },
- "STIGDevice": {
- "defaultValue": true,
- "metadata": {
- "description": "This setting will determine whether STIGS/SRGS will be applied at Onboarding."
- },
- "type": "bool"
- },
- "NorthTrustedAddressStartIP": {
- "defaultValue": "192.168.3.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "NorthTrustedAddressSubnet": {
- "defaultValue": "192.168.3.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the North Trusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "NorthUntrustedAddressStartIP": {
- "defaultValue": "192.168.2.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "NorthUntrustedAddressSubnet": {
- "defaultValue": "192.168.2.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the North Untrusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "VDMSAddressSubnet": {
- "defaultValue": "192.168.4.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the VDSS Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "declarationUrl": {
- "defaultValue": "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/dist/arm/3.16.0/paygsccaBaseline.json",
- "metadata": {
- "description": "URL for the AS3 (https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.16.0/) declaration JSON file to be deployed. Leave as **NOT_SPECIFIED** to deploy without a service configuration."
- },
- "type": "string"
- },
- "ntpServer": {
- "defaultValue": "0.pool.ntp.org",
- "metadata": {
- "description": "Leave the default NTP server the BIG-IP uses, or replace the default NTP server with the one you want to use."
- },
- "type": "string"
- },
- "timeZone": {
- "defaultValue": "UTC",
- "metadata": {
- "description": "If you would like to change the time zone the BIG-IP uses, enter the time zone you want to use. This is based on the tz database found in /usr/share/zoneinfo (see the full list [here](https://github.com/F5Networks/f5-azure-arm-templates/blob/master/azure-timezone-list.md)). Example values: UTC, US/Pacific, US/Eastern, Europe/London or Asia/Singapore."
- },
- "type": "string"
- },
- "customImage": {
- "defaultValue": "OPTIONAL",
- "metadata": {
- "description": "If you would like to deploy using a local BIG-IP image, provide either the full URL to the VHD in Azure storage **or** the full resource ID to an existing Microsoft.Compute image resource. **Note**: Unless specifically required, leave the default of **OPTIONAL**."
- },
- "type": "string"
- },
- "restrictedSrcAddress": {
- "defaultValue": "*",
- "metadata": {
- "description": "This field restricts management access to a specific network or address. Enter an IP address or address range in CIDR notation, or asterisk for all sources"
- },
- "type": "string"
- },
- "tagValues": {
- "defaultValue": {
- "application": "APP",
- "cost": "COST",
- "environment": "ENV",
- "group": "GROUP",
- "owner": "OWNER"
- },
- "metadata": {
- "description": "Default key/value resource tags will be added to the resources in this deployment, if you would like the values to be unique adjust them as needed for each key."
- },
- "type": "object"
- },
- "allowUsageAnalytics": {
- "allowedValues": [
- "Yes",
- "No"
- ],
- "defaultValue": "Yes",
- "metadata": {
- "description": "This deployment can send anonymous statistics to F5 to help us determine how to improve our solutions. If you select **No** statistics are not sent."
- },
- "type": "string"
- }
- },
- "variables": {
- "cloudRegion": {
- "false": ".cloudapp.azure.com",
- "true": ".cloudapp.usgovcloudapi.net"
- },
- "cloudPath": "[if(parameters('governmentCloudRegion'), variables('cloudRegion').true, variables('cloudRegion').false)]",
- "bigIpNicPortMap": {
- "1": {
- "Port": "[parameters('bigIpVersion')]"
- },
- "2": {
- "Port": "443"
- },
- "3": {
- "Port": "443"
- },
- "4": {
- "Port": "443"
- },
- "5": {
- "Port": "443"
- },
- "6": {
- "Port": "443"
- }
- },
- "bigIpVersionPortMap": {
- "443": {
- "Port": 443
- },
- "15.0.100000": {
- "Port": 8443
- },
- "14.1.200000": {
- "Port": 8443
- },
- "latest": {
- "Port": 8443
- }
- },
- "computeApiVersion": "2017-12-01",
- "networkApiVersion": "2017-11-01",
- "storageApiVersion": "2017-10-01",
- "customImage": "[replace(parameters('customImage'), 'OPTIONAL', '')]",
- "useCustomImage": "[not(empty(variables('customImage')))]",
- "isAcceleratedNetworkingSupported": "[if(not(contains(parameters('bigIpVersion'), '14.1.200000')), bool('true'), bool('false'))]",
- "createNewCustomImage": "[contains(variables('customImage'), 'https://')]",
- "newCustomImageName": "[concat(variables('dnsLabel'), 'image')]",
- "storageProfileArray": {
- "customImage": {
- "imageReference": {
- "id": "[if(variables('createNewCustomImage'), resourceId('Microsoft.Compute/images', variables('newCustomImageName')), variables('customImage'))]"
- }
- },
- "platformImage": {
- "imageReference": "[variables('imageReference')]",
- "osDisk": {
- "createOption": "FromImage"
- }
- }
- },
- "premiumInstanceArray": [
- "Standard_DS2",
- "Standard_DS3",
- "Standard_DS4",
- "Standard_DS11",
- "Standard_DS12",
- "Standard_DS13",
- "Standard_DS14",
- "Standard_DS2_v2",
- "Standard_DS3_v2",
- "Standard_DS4_v2",
- "Standard_DS5_v2",
- "Standard_DS11_v2",
- "Standard_DS12_v2",
- "Standard_DS13_v2",
- "Standard_DS14_v2",
- "Standard_DS15_v2",
- "Standard_F2S",
- "Standard_F4S",
- "Standard_F8S",
- "Standard_F16S",
- "Standard_GS2",
- "Standard_GS3",
- "Standard_GS4",
- "Standard_GS5"
- ],
- "location": "[resourceGroup().location]",
- "adminPasswordOrKey": "[replace(parameters('adminPasswordOrKey'),'\\n', '\n')]",
- "linuxConfiguration": {
- "disablePasswordAuthentication": true,
- "ssh": {
- "publicKeys": [
- {
- "keyData": "[variables('adminPasswordOrKey')]",
- "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]"
- }
- ]
- }
- },
- "subscriptionID": "[subscription().subscriptionId]",
- "resourceGroupName": "[resourceGroup().name]",
- "singleQuote": "'",
-
- "f5CloudLibsTag": "v4.13.5",
- "f5CloudIappsLoggerTag": "v1.0.0",
- "f5CloudIappsSdTag": "v2.3.2",
- "f5AS3Build": "f5-appsvcs-3.16.0-6.noarch.rpm",
-
- "verifyHash64": "Y2xpIHNjcmlwdCAvQ29tbW9uL3ZlcmlmeUhhc2ggewpwcm9jIHNjcmlwdDo6cnVuIHt9IHsKICAgICAgICBpZiB7W2NhdGNoIHsKICAgICAgICAgICAgc2V0IGhhc2hlcyhhc20tcG9saWN5LWxpbnV4LnRhci5neikgNjNiNWMyYTUxY2EwOWM0M2JkODlhZjM3NzNiYmFiODdjNzFhNmU3ZjZhZDk0MTBiMjI5YjRlMGExYzQ4M2Q0NmYxYTlmZmYzOWQ5OTQ0MDQxYjAyZWU5MjYwNzI0MDI3NDE0ZGU1OTJlOTlmNGMyNDc1NDE1MzIzZTE4YTcyZTAKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5odHRwLnYxLjIuMHJjNC50bXBsKSA0N2MxOWE4M2ViZmM3YmQxZTllOWMzNWYzNDI0OTQ1ZWY4Njk0YWE0MzdlZWRkMTdiNmEzODc3ODhkNGRiMTM5NmZlZmU0NDUxOTliNDk3MDY0ZDc2OTY3YjBkNTAyMzgxNTQxOTBjYTBiZDczOTQxMjk4ZmMyNTdkZjRkYzAzNAogICAgICAgICAgICBzZXQgaGFzaGVzKGY1Lmh0dHAudjEuMi4wcmM2LnRtcGwpIDgxMWIxNGJmZmFhYjVlZDAzNjVmMDEwNmJiNWNlNWU0ZWMyMjM4NTY1NWVhM2FjMDRkZTJhMzliZDk5NDRmNTFlMzcxNDYxOWRhZTdjYTQzNjYyYzk1NmI1MjEyMjI4ODU4ZjA1OTI2NzJhMjU3OWQ0YTg3NzY5MTg2ZTJjYmZlCiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuaHR0cC52MS4yLjByYzcudG1wbCkgMjFmNDEzMzQyZTlhN2EyODFhMGYwZTEzMDFlNzQ1YWE4NmFmMjFhNjk3ZDJlNmZkYzIxZGQyNzk3MzQ5MzY2MzFlOTJmMzRiZjFjMmQyNTA0YzIwMWY1NmNjZDc1YzVjMTNiYWEyZmU3NjUzMjEzNjg5ZWMzYzllMjdkZmY3N2QKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5hd3NfYWR2YW5jZWRfaGEudjEuMy4wcmMxLnRtcGwpIDllNTUxNDljMDEwYzFkMzk1YWJkYWUzYzNkMmNiODNlYzEzZDMxZWQzOTQyNDY5NWU4ODY4MGNmM2VkNWEwMTNkNjI2YjMyNjcxMWQzZDQwZWYyZGY0NmI3MmQ0MTRiNGNiOGU0ZjQ0NWVhMDczOGRjYmQyNWM0Yzg0M2FjMzlkCiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuYXdzX2FkdmFuY2VkX2hhLnYxLjQuMHJjMS50bXBsKSBkZTA2ODQ1NTI1NzQxMmE5NDlmMWVhZGNjYWVlODUwNjM0N2UwNGZkNjliZmI2NDUwMDFiNzZmMjAwMTI3NjY4ZTRhMDZiZTJiYmI5NGUxMGZlZmMyMTVjZmMzNjY1YjA3OTQ1ZTZkNzMzY2JlMWE0ZmExYjg4ZTg4MTU5MDM5NgogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LmF3c19hZHZhbmNlZF9oYS52MS40LjByYzIudG1wbCkgNmFiMGJmZmM0MjZkZjdkMzE5MTNmOWE0NzRiMWEwNzg2MDQzNWUzNjZiMDdkNzdiMzIwNjRhY2ZiMjk1MmMxZjIwN2JlYWVkNzcwMTNhMTVlNDRkODBkNzRmMzI1M2U3Y2Y5ZmJiZTEyYTkwZWM3MTI4ZGU2ZmFjZDA5N2Q2OGYKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5hd3NfYWR2YW5jZWRfaGEudjEuNC4wcmMzLnRtcGwpIDJmMjMzOWI0YmMzYTIzYzljZmQ0MmFhZTJhNmRlMzliYTA2NTgzNjZmMjU5ODVkZTJlYTUzNDEwYTc0NWYwZjE4ZWVkYzQ5MWIyMGY0YThkYmE4ZGI0ODk3MDA5NmUyZWZkY2E3YjhlZmZmYTFhODNhNzhlNWFhZGYyMThiMTM0CiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuYXdzX2FkdmFuY2VkX2hhLnYxLjQuMHJjNC50bXBsKSAyNDE4YWM4YjFmMTg4NGM1YzA5NmNiYWM2YTk0ZDQwNTlhYWFmMDU5MjdhNmE0NTA4ZmQxZjI1YjhjYzYwNzc0OTg4MzlmYmRkYTgxNzZkMmNmMmQyNzRhMjdlNmExZGFlMmExZTNhMGE5OTkxYmM2NWZjNzRmYzBkMDJjZTk2MwogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LmF3c19hZHZhbmNlZF9oYS52MS40LjByYzUudG1wbCkgNWU1ODIxODdhZTFhNjMyM2UwOTVkNDFlZGRkNDExNTFkNmJkMzhlYjgzYzYzNDQxMGQ0NTI3YTNkMGUyNDZhOGZjNjI2ODVhYjA4NDlkZTJhZGU2MmIwMjc1ZjUxMjY0ZDJkZWFjY2JjMTZiNzczNDE3Zjg0N2E0YTFlYTliYzQKICAgICAgICAgICAgc2V0IGhhc2hlcyhhc20tcG9saWN5LnRhci5neikgMmQzOWVjNjBkMDA2ZDA1ZDhhMTU2N2ExZDhhYWU3MjI0MTllOGIwNjJhZDc3ZDZkOWEzMTY1Mjk3MWU1ZTY3YmM0MDQzZDgxNjcxYmEyYThiMTJkZDIyOWVhNDZkMjA1MTQ0Zjc1Mzc0ZWQ0Y2FlNThjZWZhOGY5YWI2NTMzZTYKICAgICAgICAgICAgc2V0IGhhc2hlcyhkZXBsb3lfd2FmLnNoKSAxYTNhM2M2Mjc0YWIwOGE3ZGMyY2I3M2FlZGM4ZDJiMmEyM2NkOWUwZWIwNmEyZTE1MzRiMzYzMmYyNTBmMWQ4OTcwNTZmMjE5ZDViMzVkM2VlZDEyMDcwMjZlODk5ODlmNzU0ODQwZmQ5Mjk2OWM1MTVhZTRkODI5MjE0ZmI3NAogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LnBvbGljeV9jcmVhdG9yLnRtcGwpIDA2NTM5ZTA4ZDExNWVmYWZlNTVhYTUwN2VjYjRlNDQzZTgzYmRiMWY1ODI1YTk1MTQ5NTRlZjZjYTU2ZDI0MGVkMDBjN2I1ZDY3YmQ4ZjY3YjgxNWVlOWRkNDY0NTE5ODQ3MDFkMDU4Yzg5ZGFlMjQzNGM4OTcxNWQzNzVhNjIwCgogICAgICAgICAgICBzZXQgZmlsZV9wYXRoIFtsaW5kZXggJHRtc2g6OmFyZ3YgMV0KICAgICAgICAgICAgc2V0IGZpbGVfbmFtZSBbZmlsZSB0YWlsICRmaWxlX3BhdGhdCgogICAgICAgICAgICBpZiB7IVtpbmZvIGV4aXN0cyBoYXNoZXMoJGZpbGVfbmFtZSldfSB7CiAgICAgICAgICAgICAgICB0bXNoOjpsb2cgZXJyICJObyBoYXNoIGZvdW5kIGZvciAkZmlsZV9uYW1lIgogICAgICAgICAgICAgICAgZXhpdCAxCiAgICAgICAgICAgIH0KCiAgICAgICAgICAgIHNldCBleHBlY3RlZF9oYXNoICRoYXNoZXMoJGZpbGVfbmFtZSkKICAgICAgICAgICAgc2V0IGNvbXB1dGVkX2hhc2ggW2xpbmRleCBbZXhlYyAvdXNyL2Jpbi9vcGVuc3NsIGRnc3QgLXIgLXNoYTUxMiAkZmlsZV9wYXRoXSAwXQogICAgICAgICAgICBpZiB7ICRleHBlY3RlZF9oYXNoIGVxICRjb21wdXRlZF9oYXNoIH0gewogICAgICAgICAgICAgICAgZXhpdCAwCiAgICAgICAgICAgIH0KICAgICAgICAgICAgdG1zaDo6bG9nIGVyciAiSGFzaCBkb2VzIG5vdCBtYXRjaCBmb3IgJGZpbGVfcGF0aCIKICAgICAgICAgICAgZXhpdCAxCiAgICAgICAgfV19IHsKICAgICAgICAgICAgdG1zaDo6bG9nIGVyciB7VW5leHBlY3RlZCBlcnJvciBpbiB2ZXJpZnlIYXNofQogICAgICAgICAgICBleGl0IDEKICAgICAgICB9CiAgICB9Cn0=",
-
- "installCloudLibs64": "IyEvYmluL2Jhc2gKZWNobyAgYWJvdXQgdG8gZXhlY3V0ZQpjaGVja3M9MAp3aGlsZSBbICRjaGVja3MgLWx0IDEyMCBdOyBkbyBlY2hvIGNoZWNraW5nIG1jcGQKICAgIHRtc2ggLWEgc2hvdyBzeXMgbWNwLXN0YXRlIGZpZWxkLWZtdCB8IGdyZXAgLXEgcnVubmluZwogICBpZiBbICQ/ID09IDAgXTsgdGhlbgogICAgICAgZWNobyBtY3BkIHJlYWR5CiAgICAgICBicmVhawogICBmaQogICBlY2hvIG1jcGQgbm90IHJlYWR5IHlldAogICBsZXQgY2hlY2tzPWNoZWNrcysxCiAgIHNsZWVwIDEwCmRvbmUgCgplY2hvICBleHBhbmRpbmcgZjUtY2xvdWQtbGlicy50YXIuZ3oKdGFyIHh2ZnogL2NvbmZpZy9jbG91ZC9mNS1jbG91ZC1saWJzLnRhci5neiAtQyAvY29uZmlnL2Nsb3VkL2F6dXJlL25vZGVfbW9kdWxlcy9AZjVkZXZjZW50cmFsCmVjaG8gIGNsb3VkIGxpYnMgaW5zdGFsbCBjb21wbGV0ZQp0b3VjaCAvY29uZmlnL2Nsb3VkL2Nsb3VkTGlic1JlYWR5",
-
- "routeCmd": "route",
- "stigCmdArray": {
- "true": "bash ./bigipstig.sh;",
- "false": ""
- },
- "cmdConfigStig": "[if(parameters('STIGDevice'), variables('stigCmdArray').true, variables('stigCmdArray').false)]",
-
- "createFWLogArray": {
- "true": "tmsh create security log profile local-afm-log { network replace-all-with { local-afm-log { publisher local-db-publisher filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled } } } };",
- "false": ""
- },
- "cmdcreateFWLog": "[if(contains(parameters('bigIpModules'), 'afm'), variables('createFWLogArray').true, variables('createFWLogArray').false)]",
-
- "createFWPolicyArray": {
- "true": "tmsh create security firewall policy log_all_afm rules add { allow_all { action accept log yes place-before first } deny_all { action reject log yes place-after allow_all } };",
- "false": ""
- },
- "cmdcreateFWPolicy": "[if(contains(parameters('bigIpModules'), 'afm'), variables('createFWPolicyArray').true, variables('createFWPolicyArray').false)]",
-
- "installDODRootCA": "unzip Certificates_PKCS7_v5.5_DoD.zip; openssl pkcs7 -print_certs -in ./Certificates_PKCS7_v5.5_DoD/Certificates_PKCS7_v5.5_DoD.pem.p7b -out DoD_Root_CA.cer; tmsh install sys crypto cert DODRoots from-local-file DoD_Root_CA.cer;",
-
- "firewallConfig": "[concat(variables('cmdcreateFWLog'), variables('cmdcreateFWPolicy'))]",
- "sacaConfig": "[variables('cmdConfigStig')]",
-
- "dnsLabel": "[toLower(parameters('dnsLabel'))]",
- "vdmsSubnetName": "VDMS",
-
- "dnsLabelPrefix": "[toLower(parameters('dnsLabel'))]",
-
- "imageNameToLower": "[toLower(parameters('imageName'))]",
- "skuToUse": "[variables('paygImageMap')[variables('imageNameToLower')]['sku']]",
- "offerToUse": "[variables('paygImageMap')[variables('imageNameToLower')]['offer']]",
- "imagePlan": {
- "name": "[variables('skuToUse')]",
- "product": "[variables('offerToUse')]",
- "publisher": "f5-networks"
- },
- "imageReference": {
- "offer": "[variables('offerToUse')]",
- "publisher": "f5-networks",
- "sku": "[variables('skuToUse')]",
- "version": "[parameters('bigIpVersion')]"
- },
- "bigIpNicPortValue": "[variables('bigIpNicPortMap')['3'].Port]",
- "bigIpMgmtPort": "[variables('bigIpVersionPortMap')[variables('bigIpNicPortValue')].Port]",
- "instanceName": "[toLower(parameters('instanceName'))]",
- "internalLoadBalancerName": "[concat(variables('dnsLabel'),'-int-ilb')]",
- "intLbId": "[resourceId('Microsoft.Network/loadBalancers',variables('internalLoadBalancerName'))]",
-
- "failoverCmdArray": {
- "No": {
- "first": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '0.', variables('location'), variables('cloudPath')), ' unicast-address none')]",
- "second": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '1.', variables('location'), variables('cloudPath')), ' unicast-address none')]"
- },
- "Yes": {
- "first": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '0.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnetPrivateAddress'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress'))]",
- "second": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '1.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnetPrivateAddress1'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress1'))]"
- }
- },
- "virtualNetworkName": "[concat(variables('dnsLabelPrefix'), '-scca-vnet')]",
-
- "vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]",
-
- "ManagementAddressStartIP": "192.168.1.4",
- "ManagementAddressSubnet": "192.168.1.0/24",
- "mgmtNsgID": "[resourceId('Microsoft.Network/networkSecurityGroups/',concat(variables('dnsLabel'),'-mgmt-nsg'))]",
- "mgmtNicName": "[concat(variables('dnsLabel'), '-mgmt')]",
- "mgmtSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('mgmtSubnetName'))]",
- "mgmtSubnetName": "management",
- "mgmtSubnetPrivateAddress": "[variables('ManagementAddressStartIP')]",
- "mgmtSubnetPrivateAddress1": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 5))]",
- "mgmtSubnetPrivateAddress2": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 50))]",
- "mgmtSubnetPrivateAddress3": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 51))]",
- "mgmtSubnetPrivateAddressPrefix": "[substring(variables('ManagementAddressStartIP'), 0, lastindexOf(variables('ManagementAddressStartIP'), '.'))]",
- "mgmtSubnetStartDirty": "[substring(variables('ManagementAddressStartIP'), lastIndexOf(variables('ManagementAddressStartIP'), '.'), sub(length(variables('ManagementAddressStartIP')), lastIndexOf(variables('ManagementAddressStartIP'), '.') ))]",
- "mgmtSubnetStartInt": "[replace(variables('mgmtSubnetStartDirty'), '.','')]",
-
- "commandArgs": "[concat('-o ', parameters('declarationUrl'), ' -u svc_user')]",
- "appScript": "IyEvYmluL2Jhc2gKZnVuY3Rpb24gcGFzc3dkKCkgewogIGVjaG8gfCBmNS1yZXN0LW5vZGUgL2NvbmZpZy9jbG91ZC9henVyZS9ub2RlX21vZHVsZXMvQGY1ZGV2Y2VudHJhbC9mNS1jbG91ZC1saWJzL3NjcmlwdHMvZGVjcnlwdERhdGFGcm9tRmlsZS5qcyAtLWRhdGEtZmlsZSAvY29uZmlnL2Nsb3VkLy5wYXNzd2QgfCBhd2sgJ3twcmludCAkMX0nCn0KCndoaWxlIGdldG9wdHMgbzp1OiBvcHRpb24KZG8gY2FzZSAiJG9wdGlvbiIgIGluCiAgICAgICAgbykgZGVjbGFyYXRpb25Vcmw9JE9QVEFSRzs7CiAgICAgICAgdSkgdXNlcj0kT1BUQVJHOzsKICAgIGVzYWMKZG9uZQoKZGVwbG95ZWQ9Im5vIgpmaWxlX2xvYz0iL2NvbmZpZy9jbG91ZC9jdXN0b21fY29uZmlnIgpkZmxfbWdtdF9wb3J0PWB0bXNoIGxpc3Qgc3lzIGh0dHBkIHNzbC1wb3J0IHwgZ3JlcCBzc2wtcG9ydCB8IHNlZCAncy9zc2wtcG9ydCAvLztzLyAvL2cnYAp1cmxfcmVnZXg9IihodHRwOlwvXC98aHR0cHM6XC9cLyk/W2EtejAtOV0rKFtcLVwuXXsxfVthLXowLTldKykqXC5bYS16XXsyLDV9KDpbMC05XXsxLDV9KT8oXC8uKik/JCIKCmlmIFtbICRkZWNsYXJhdGlvblVybCA9fiAkdXJsX3JlZ2V4IF1dOyB0aGVuCiAgICByZXNwb25zZV9jb2RlPSQoL3Vzci9iaW4vY3VybCAtLWludGVyZmFjZSBtZ210IC1zayAtdyAiJXtodHRwX2NvZGV9IiAkZGVjbGFyYXRpb25VcmwgLW8gJGZpbGVfbG9jKQogICAgaWYgW1sgJHJlc3BvbnNlX2NvZGUgPT0gMjAwIF1dOyB0aGVuCiAgICAgICAgIGVjaG8gIkN1c3RvbSBjb25maWcgZG93bmxvYWQgY29tcGxldGU7IGNoZWNraW5nIGZvciB2YWxpZCBKU09OLiIKICAgICAgICAgY2F0ICRmaWxlX2xvYyB8IGpxIC5jbGFzcwogICAgICAgICBpZiBbWyAkPyA9PSAwIF1dOyB0aGVuCiAgICAgICAgICAgICByZXNwb25zZV9jb2RlPSQoL3Vzci9iaW4vY3VybCAtc2t2dnUgJHVzZXI6JChwYXNzd2QpIC13ICIle2h0dHBfY29kZX0iIC1YIFBPU1QgLUggIkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vanNvbiIgLUggJ0V4cGVjdDonIC1kICJAJGZpbGVfbG9jIiBodHRwczovL2xvY2FsaG9zdDokZGZsX21nbXRfcG9ydC9tZ210L3NoYXJlZC9hcHBzdmNzL2RlY2xhcmUgLW8gL2Rldi9udWxsKQoKICAgICAgICAgICAgIGlmIFtbICRyZXNwb25zZV9jb2RlID09IDIwMCB8fCAkcmVzcG9uc2VfY29kZSA9PSAyMDcgfHwgJHJlc3BvbnNlX2NvZGUgPT0gNTAyIF1dOyB0aGVuCiAgICAgICAgICAgICAgICAgIGVjaG8gIkRlcGxveW1lbnQgb2YgYXBwbGljYXRpb24gc3VjY2VlZGVkLiAkcmVzcG9uc2VfY29kZSIKICAgICAgICAgICAgICAgICAgZGVwbG95ZWQ9InllcyIKICAgICAgICAgICAgIGVsc2UKICAgICAgICAgICAgICAgICBlY2hvICJGYWlsZWQgdG8gZGVwbG95IGFwcGxpY2F0aW9uOyBjb250aW51aW5nIHdpdGggcmVzcG9uc2UgY29kZSAnIiRyZXNwb25zZV9jb2RlIiciCiAgICAgICAgICAgICBmaQogICAgICAgICBlbHNlCiAgICAgICAgICAgICBlY2hvICJDdXN0b20gY29uZmlnIHdhcyBub3QgdmFsaWQgSlNPTiwgY29udGludWluZyIKICAgICAgICAgZmkKICAgIGVsc2UKICAgICAgICBlY2hvICJGYWlsZWQgdG8gZG93bmxvYWQgY3VzdG9tIGNvbmZpZzsgY29udGludWluZyB3aXRoIHJlc3BvbnNlIGNvZGUgJyIkcmVzcG9uc2VfY29kZSInIgogICAgZmkKZWxzZQogICAgIGVjaG8gIkN1c3RvbSBjb25maWcgd2FzIG5vdCBhIFVSTCwgY29udGludWluZy4iCmZpCgppZiBbWyAkZGVwbG95ZWQgPT0gIm5vIiAmJiAkZGVjbGFyYXRpb25VcmwgPT0gIk5PVF9TUEVDSUZJRUQiIF1dOyB0aGVuCiAgICBlY2hvICJBcHBsaWNhdGlvbiBkZXBsb3ltZW50IGZhaWxlZCBvciBjdXN0b20gVVJMIHdhcyBub3Qgc3BlY2lmaWVkLiIKZmkKCmVjaG8gIkRlcGxveW1lbnQgY29tcGxldGUuIgpleGl0",
-
- "routeTableName": "BasicUDR",
-
- "extNicName": "[concat(variables('dnsLabelPrefix'), '-ext')]",
- "extNsgID": "[resourceId('Microsoft.Network/networkSecurityGroups/',concat(variables('dnsLabelPrefix'),'-ext-nsg'))]",
- "extPublicIPAddressIdPrefix": "[resourceId('Microsoft.Network/publicIPAddresses', variables('extPublicIPAddressNamePrefix'))]",
- "extSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('extsubnetName'))]",
- "extSubnetName": "external",
- "extSubnetPrivateAddress": "[parameters('NorthUntrustedAddressStartIP')]",
- "extSubnetPrivateAddress1": "[concat(variables('extSubnetPrivateAddressPrefix'), '.',add(int(variables('extSubnetStartInt')), 1))]",
- "extSubnetPrivateAddressPrefix": "[substring(parameters('NorthUntrustedAddressStartIP'), 0, lastindexOf(parameters('NorthUntrustedAddressStartIP'), '.'))]",
- "extSubnetStartDirty": "[substring(parameters('NorthUntrustedAddressStartIP'), lastIndexOf(parameters('NorthUntrustedAddressStartIP'), '.'), sub(length(parameters('NorthUntrustedAddressStartIP')), lastIndexOf(parameters('NorthUntrustedAddressStartIP'), '.')))]",
- "extSubnetStartInt": "[replace(variables('extSubnetStartDirty'), '.','')]",
- "externalLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-ext-alb')]",
- "extpublicIPAddressNamePrefix": "[concat(variables('dnsLabelPrefix'), '-ext-pip')]",
- "extLbId": "[resourceId('Microsoft.Network/loadBalancers',variables('externalLoadBalancerName'))]",
-
- "intNicName": "[concat(variables('dnsLabelPrefix'), '-int')]",
- "intSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('intsubnetName'))]",
- "intSubnetName": "internal",
- "intSubnetPrivateAddress": "[parameters('NorthTrustedAddressStartIP')]",
- "intSubnetPrivateAddress1": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 1))]",
- "intSubnetPrivateAddress2": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 10))]",
- "intSubnetPrivateAddress3": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 11))]",
- "intSubnetPrivateAddressPrefix": "[substring(parameters('NorthTrustedAddressStartIP'), 0, lastindexOf(parameters('NorthTrustedAddressStartIP'), '.'))]",
- "intSubnetStartDirty": "[substring(parameters('NorthTrustedAddressStartIP'), lastIndexOf(parameters('NorthTrustedAddressStartIP'), '.'), sub(length(parameters('NorthTrustedAddressStartIP')), lastIndexOf(parameters('NorthTrustedAddressStartIP'), '.') ))]",
- "intSubnetStartInt": "[replace(variables('intSubnetStartDirty'), '.', '')]",
- "internalLoadBalancerAddress": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 65))]",
-
- "jbimageOffer": "UbuntuServer",
- "jbimagePublisher": "Canonical",
- "jblinuxConfiguration": {
- "disablePasswordAuthentication": true,
- "ssh": {
- "publicKeys": [
- {
- "keyData": "[parameters('adminPasswordOrKey')]",
- "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]"
- }
- ]
- }
- },
- "jbubuntuOSVersion": "18.04-LTS",
- "jbvmName": "[concat(parameters('instanceName'), '-linux-jump')]",
- "jbvmSize": "Standard_A1",
- "WinvmName": "Bastion-Win-JB",
- "windowsOSVersion": "2019-Datacenter",
-
- "availabilitySetName": "[concat(variables('dnsLabel'), '-avset')]",
- "availabilitySet2Name": "[concat(variables('dnsLabelPrefix'), '-avset2')]",
- "availabilitySet3Name": "[concat(variables('dnsLabelPrefix'), '-avset3')]",
-
- "availabilitySetId": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets',variables('availabilitySetName'))]"
- },
-
- "tmmRouteGw": "[concat(variables('intSubnetPrivateAddressPrefix'), '.1')]",
-
- "numberOfExternalIps": "[parameters('numberOfExternalIps')]",
- "backEndAddressPoolArray": [
- {
- "id": "[concat(variables('extLbId'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- },
- {
- "id": "[concat(variables('intLbId'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- }
- ],
- "paygImageMap": {
- "advancedwaf1gbps": {
- "offer": "f5-big-ip-advanced-waf",
- "sku": "f5-bigip-virtual-edition-1g-waf-hourly"
- },
- "advancedwaf200mbps": {
- "offer": "f5-big-ip-advanced-waf",
- "sku": "f5-bigip-virtual-edition-200m-waf-hourly"
- },
- "advancedwaf25mbps": {
- "offer": "f5-big-ip-advanced-waf",
- "sku": "f5-bigip-virtual-edition-25m-waf-hourly"
- },
- "best1gbps": {
- "offer": "f5-big-ip-best",
- "sku": "f5-bigip-virtual-edition-1g-best-hourly"
- },
- "best10gbps": {
- "offer": "f5-big-ip-best",
- "sku": "f5-bigip-virtual-edition-10g-best-hourly"
- },
- "best200mbps": {
- "offer": "f5-big-ip-best",
- "sku": "f5-bigip-virtual-edition-200m-best-hourly"
- },
- "best25mbps": {
- "offer": "f5-big-ip-best",
- "sku": "f5-bigip-virtual-edition-25m-best-hourly"
- },
- "better1gbps": {
- "offer": "f5-big-ip-better",
- "sku": "f5-bigip-virtual-edition-1g-better-hourly"
- },
- "better10gbps": {
- "offer": "f5-big-ip-better",
- "sku": "f5-bigip-virtual-edition-10g-better-hourly"
- },
- "better200mbps": {
- "offer": "f5-big-ip-better",
- "sku": "f5-bigip-virtual-edition-200m-better-hourly"
- },
- "better25mbps": {
- "offer": "f5-big-ip-better",
- "sku": "f5-bigip-virtual-edition-25m-better-hourly"
- },
- "good1gbps": {
- "offer": "f5-big-ip-good",
- "sku": "f5-bigip-virtual-edition-1g-good-hourly"
- },
- "good10gbps": {
- "offer": "f5-big-ip-good",
- "sku": "f5-bigip-virtual-edition-10g-good-hourly"
- },
- "good200mbps": {
- "offer": "f5-big-ip-good",
- "sku": "f5-bigip-virtual-edition-200m-good-hourly"
- },
- "good25mbps": {
- "offer": "f5-big-ip-good",
- "sku": "f5-bigip-virtual-edition-25m-good-hourly"
- },
- "perappveadvancedwaf200mbps": {
- "offer": "f5-big-ip-per-app-ve",
- "sku": "f5-big-ip-per-app-ve-awf-200m-hourly"
- },
- "perappveadvancedwaf25mbps": {
- "offer": "f5-big-ip-per-app-ve",
- "sku": "f5-big-ip-per-app-ve-awf-25m-hourly"
- },
- "perappveltm200mbps": {
- "offer": "f5-big-ip-per-app-ve",
- "sku": "f5-big-ip-per-app-ve-ltm-200m-hourly"
- },
- "perappveltm25mbps": {
- "offer": "f5-big-ip-per-app-ve",
- "sku": "f5-big-ip-per-app-ve-ltm-25m-hourly"
- }
- },
-
- "publicIPAddressType": "Static",
-
- "tagValues": "[parameters('tagValues')]",
- "failovertagValues": {
- "f5_cloud_failover_label": "mydeployment",
- "f5_cloud_failover_nic_map": "external"
- },
- "newDataStorageAccountName": "[concat(uniqueString(variables('dnsLabel'), resourceGroup().id, deployment().name), 'data000')]",
- "dataStorageAccountType": "Standard_LRS",
- "deploymentId": "[concat(variables('subscriptionId'), resourceGroup().id, deployment().name, variables('dnsLabel'))]",
- "customConfig": "### START (INPUT) CUSTOM CONFIGURATION HERE\n",
- "allowUsageAnalytics": {
- "No": {
- "hashCmd": "echo AllowUsageAnalytics:No",
- "metricsCmd": ""
- },
- "Yes": {
- "hashCmd": "[concat('custId=`echo \"', variables('subscriptionId'), '\"|sha512sum|cut -d \" \" -f 1`; deployId=`echo \"', variables('deploymentId'), '\"|sha512sum|cut -d \" \" -f 1`')]",
- "metricsCmd": "[concat(' --metrics customerId:${custId},deploymentId:${deployId},templateName:failover_3nic-new-stack-saca-payg,templateVersion:7.2.0.0,region:', variables('location'), ',bigIpVersion:', parameters('bigIpVersion') ,',licenseType:payg,cloudLibsVersion:', variables('f5CloudLibsTag'), ',cloudName:azure')]"
- }
- },
- "osProfiles": {
- "password": {
- "adminPassword": "[variables('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('instanceName')]",
- "linuxConfiguration": "[json('null')]"
- },
- "sshPublicKey": {
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('instanceName')]",
- "linuxConfiguration": "[variables('linuxConfiguration')]"
- }
- },
- "installCustomConfig": "[concat(variables('singleQuote'), '#!/bin/bash\n', variables('customConfig'), variables('singleQuote'))]"
- },
- "resources": [
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[not(equals(variables('numberOfExternalIps'),0))]",
- "copy": {
- "count": "[if(not(equals(variables('numberOfExternalIps'), 0)), variables('numberOfExternalIps'), 1)]",
- "name": "extpipcopy"
- },
- "location": "[variables('location')]",
- "name": "[concat(variables('extPublicIPAddressNamePrefix'), copyIndex())]",
- "properties": {
- "dnsSettings": {
- "domainNameLabel": "[concat(variables('dnsLabel'), copyIndex(0))]"
- },
- "idleTimeoutInMinutes": 30,
- "publicIPAllocationMethod": "[variables('publicIPAddressType')]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/publicIPAddresses"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('routeTableName')]",
- "properties": {
- "routes": [
- {
- "name": "Default",
- "properties": {
- "addressPrefix": "0.0.0.0/0",
- "nextHopIpAddress": "[variables('internalLoadBalancerAddress')]",
- "nextHopType": "VirtualAppliance"
- }
- }
- ]
- },
- "type": "Microsoft.Network/routeTables"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('routeTableName')]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('virtualNetworkName')]",
- "properties": {
- "addressSpace": {
- "addressPrefixes": [
- "[parameters('NorthUntrustedAddressSubnet')]",
- "[parameters('NorthTrustedAddressSubnet')]",
- "[variables('ManagementAddressSubnet')]",
- "[parameters('VDMSAddressSubnet')]"
- ]
- },
- "subnets": [
- {
- "name": "[variables('mgmtSubnetName')]",
- "properties": {
- "addressPrefix": "[variables('ManagementAddressSubnet')]"
- }
- },
- {
- "name": "[variables('extSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('NorthUntrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('intSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('NorthTrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('vdmsSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('VDMSAddressSubnet')]",
- "routeTable": {
- "id": "[resourceId('Microsoft.Network/routeTables', variables('routeTableName'))]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/virtualNetworks"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('mgmtNsgID')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('externalLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '0')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- {
- "id": "[concat(variables('extLbId'), '/backendAddressPools/', 'loadBalancerMgmtBackEnd')]"
- }
- ],
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('mgmtNsgID')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('externalLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '1')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- {
- "id": "[concat(variables('extLbId'), '/backendAddressPools/', 'loadBalancerMgmtBackEnd')]"
- }
- ],
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('mgmtNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '2')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('mgmtNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '3')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig0')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('extLbId')]",
- "[variables('vnetId')]",
- "extpipcopy",
- "[variables('extNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '0')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig0')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(variables('numberOfExternalIps'), 0), take(variables('backEndAddressPoolArray'), 0), take(variables('backEndAddressPoolArray'), 1))]",
- "primary": false,
- "privateIPAllocationMethod": "Static",
- "privateIPAddress": "[concat(variables('extSubnetPrivateAddressPrefix'), '.',10)]",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgID'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), union(variables('tagValues'),variables('failovertagValues')))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('extLbId')]",
- "[variables('vnetId')]",
- "extpipcopy",
- "[variables('extNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '1')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig1')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(variables('numberOfExternalIps'), 0), take(variables('backEndAddressPoolArray'), 0), take(variables('backEndAddressPoolArray'), 1))]",
- "primary": false,
- "privateIPAllocationMethod": "Static",
- "privateIPAddress": "[concat(variables('extSubnetPrivateAddressPrefix'), '.', 11)]",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgID'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), union(variables('tagValues'),variables('failovertagValues')))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('intLbId')]",
- "[variables('vnetId')]",
- "extpipcopy",
- "[variables('extNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '0')]",
- "properties": {
- "enableIPForwarding": true,
- "primary": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabel'), '-int-ipconfig-secondary')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('internalLoadBalancerType'), 'DO_NOT_USE'), take(variables('backEndAddressPoolArray'), 0), skip(variables('backEndAddressPoolArray'), 1))]",
- "privateIPAddress": "[variables('intSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('intLbId')]",
- "[variables('vnetId')]",
- "extpipcopy",
- "[variables('extNsgID')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '1')]",
- "properties": {
- "enableIPForwarding": true,
- "primary": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabel'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabel'), '-int-ipconfig-secondary')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('internalLoadBalancerType'), 'DO_NOT_USE'), take(variables('backEndAddressPoolArray'), 0), skip(variables('backEndAddressPoolArray'), 1))]",
- "privateIPAddress": "[variables('intSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-mgmt-nsg')]",
- "properties": {
- "securityRules": [
- {
- "name": "mgmt_allow_https",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "[variables('bigIpMgmtPort')]",
- "direction": "Inbound",
- "priority": 101,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkSecurityGroups"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-ext-nsg')]",
- "properties": {
- "securityRules": [
- {
- "name": "ssh_allow_22",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "22",
- "direction": "Inbound",
- "priority": 102,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- },
- {
- "name": "rdp_allow_3389",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "3389",
- "direction": "Inbound",
- "priority": 103,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkSecurityGroups"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[not(equals(variables('numberOfExternalIps'),0))]",
- "dependsOn": [
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[variables('externalLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- },
- {
- "name": "loadBalancerMgmtBackEnd"
- }
- ],
- "copy": [
- {
- "count": "[if(not(equals(variables('numberOfExternalIps'), 0)), variables('numberOfExternalIps'), 1)]",
- "input": {
- "name": "[concat('loadBalancerFrontEnd', copyIndex('frontendIPConfigurations', 1))]",
- "properties": {
- "publicIPAddress": {
- "id": "[concat(variables('extPublicIPAddressIdPrefix'), sub(copyIndex('frontendIPConfigurations', 1), 1))]"
- }
- }
- },
- "name": "frontendIPConfigurations"
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "backendPort": 3389,
- "enableFloatingIP": false,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 3389,
- "idleTimeoutInMinutes": 4,
- "loadDistribution": "Default",
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/probes/rdp_alive')]"
- },
- "protocol": "Tcp"
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "backendPort": 22,
- "enableFloatingIP": false,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 22,
- "idleTimeoutInMinutes": 4,
- "loadDistribution": "Default",
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/probes/ssh_alive')]"
- },
- "protocol": "Tcp"
- }
- },
- {
- "Name": "management_outbound",
- "properties": {
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/backendAddressPools/loadBalancerMgmtBackEnd')]"
- },
- "backendPort": 8443,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('externalLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 8443,
- "idleTimeoutInMinutes": 15,
- "probe": {
- "id": "[concat(variables('extLbId'),'/probes/https_alive')]"
- },
- "protocol": "Tcp"
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 2,
- "port": 22,
- "protocol": "Tcp"
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 2,
- "port": 3389,
- "protocol": "Tcp"
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 2,
- "port": 80,
- "protocol": "Http",
- "requestPath": "/"
- }
- },
- {
- "name": "https_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 3,
- "port": 443,
- "protocol": "Tcp"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "sku": {
- "name": "Standard"
- },
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[not(equals(parameters('internalLoadBalancerType'),'DO_NOT_USE'))]",
- "dependsOn": [
- "[variables('extNsgID')]",
- "extpipcopy",
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('internalLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "LoadBalancerBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "LoadBalancerFrontEnd",
- "properties": {
- "privateIPAddress": "[variables('internalLoadBalancerAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "[if(equals(parameters('internalLoadBalancerType'),'Per-protocol'), concat('lbRule-', parameters('internalLoadBalancerProbePort')), 'allProtocolLbRule')]",
- "properties": {
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('internalLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "backendPort": "[if(equals(parameters('internalLoadBalancerType'),'Per-protocol'), parameters('internalLoadBalancerProbePort'), 0)]",
- "enableFloatingIP": false,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('internalLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": "[if(equals(parameters('internalLoadBalancerType'),'Per-protocol'), parameters('internalLoadBalancerProbePort'), 0)]",
- "idleTimeoutInMinutes": 15,
- "loadDistribution": "Default",
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('internalLoadBalancerName')), '/probes/tcp-probe-', parameters('internalLoadBalancerProbePort'))]"
- },
- "protocol": "[if(equals(parameters('internalLoadBalancerType'),'Per-protocol'), 'Tcp', 'All')]"
- }
- }
- ],
- "probes": [
- {
- "name": "[concat('tcp-probe-', parameters('internalLoadBalancerProbePort'))]",
- "properties": {
- "intervalInSeconds": 5,
- "numberOfProbes": 2,
- "port": "[parameters('internalLoadBalancerProbePort')]",
- "protocol": "Tcp"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "sku": {
- "name": "Standard"
- },
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName')]",
- "sku": {
- "name": "Aligned"
- },
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySet2Name')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySet3Name')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('storageApiVersion')]",
- "kind": "Storage",
- "location": "[variables('location')]",
- "name": "[variables('newDataStorageAccountName')]",
- "properties": {
- "supportsHttpsTrafficOnly": true
- },
- "sku": {
- "name": "[variables('dataStorageAccountType')]",
- "tier": "Standard"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Storage/storageAccounts"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "condition": "[and(variables('useCustomImage'), variables('createNewCustomImage'))]",
- "location": "[variables('location')]",
- "name": "[variables('newCustomImageName')]",
- "properties": {
- "storageProfile": {
- "osDisk": {
- "blobUri": "[variables('customImage')]",
- "osState": "Generalized",
- "osType": "Linux",
- "storageAccountType": "[if(contains(variables('premiumInstanceArray'), parameters('instanceType')), 'Premium_LRS', 'Standard_LRS')]"
- }
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/images"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName'))]",
- "[variables('newCustomImageName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '0')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '0')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '0'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')]]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName'))]",
- "[variables('newCustomImageName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '1')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '1')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '1'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')]]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "2018-10-01",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '2'))]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('jbvmName')]",
- "properties": {
- "availabilitySet": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySet2Name'))]"
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[variables('jbvmSize')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '2'))]"
- }
- ]
- },
- "osProfile": {
- "adminPassword": "[parameters('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('jbvmName')]",
- "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), json('null'), variables('jblinuxConfiguration'))]"
- },
- "storageProfile": {
- "dataDisks": [
- {
- "createOption": "Empty",
- "diskSizeGB": 1023,
- "lun": 0
- }
- ],
- "imageReference": {
- "offer": "[variables('jbimageOffer')]",
- "publisher": "[variables('jbimagePublisher')]",
- "sku": "[variables('jbubuntuOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- }
- }
- },
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "2018-10-01",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '3'))]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('WinvmName')]",
- "properties": {
- "availabilitySet": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySet3Name'))]"
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "Standard_A2"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '3'))]"
- }
- ]
- },
- "osProfile": {
- "adminPassword": "[parameters('WindowsAdminPassword')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('WinvmName')]"
- },
- "storageProfile": {
- "dataDisks": [
- {
- "createOption": "Empty",
- "diskSizeGB": 1023,
- "lun": 0
- }
- ],
- "imageReference": {
- "offer": "WindowsServer",
- "publisher": "MicrosoftWindowsServer",
- "sku": "[variables('windowsOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- }
- }
- },
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabel'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabel'), '-', variables('instanceName'), '1')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '0/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '0.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[parameters('enableNetworkFailover')].first, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress'), ' --create-group --device-group Sync --sync-type sync-failover --device ', concat(variables('instanceName'), '0.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --network-failover --auto-sync --save-on-auto-sync;', variables('firewallConfig'), ' bash /config/cloud/deploy_app.sh ', variables('commandArgs'), '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('installDODRootCA'), variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/Certificates_PKCS7_v5.5_DoD.zip",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh",
- "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/working/asm/15.1/sccaBaselineASMPolicy.xml"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabel'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabel'), '-', variables('instanceName'), '1')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabel'), '-', variables('instanceName'), '1/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '1.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress1'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress1'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[parameters('enableNetworkFailover')].second, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress1'), ' --join-group --device-group Sync --sync --remote-host ', variables('mgmtSubnetPrivateAddress'), ' --remote-user svc_user --remote-password-url file:///config/cloud/.passwd', '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- }
- ],
- "outputs": {
- "RDP-URL": {
- "type": "string",
- "value": "[concat('rdp://',reference(concat(variables('extPublicIPAddressNamePrefix'), '0')).dnsSettings.fqdn)]"
- },
- "SSH-URL": {
- "type": "string",
- "value": "[concat('ssh://', parameters('adminUsername'), '@', reference(concat(variables('extPublicIPAddressNamePrefix'), '0')).dnsSettings.fqdn)]"
- }
- }
-}
diff --git a/SACAv2/3NIC_1Tier_HA/payg/deploymentParameters.json b/SACAv2/3NIC_1Tier_HA/payg/deploymentParameters.json
deleted file mode 100644
index 5959313..0000000
--- a/SACAv2/3NIC_1Tier_HA/payg/deploymentParameters.json
+++ /dev/null
@@ -1,92 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "adminUsername": {
- "value": "xadmin"
- },
- "authenticationType": {
- "value": "password"
- },
- "adminPasswordOrKey": {
- "value": "2018F5@Networks!!"
- },
- "windowsAdminPassword": {
- "value": "2018F5@Networks!!"
- },
- "dnsLabel": {
- "value": "f5dns014"
- },
- "instanceName": {
- "value": "bigip4"
- },
- "numberOfExternalIps": {
- "value": 1
- },
- "enableNetworkFailover": {
- "value": "Yes"
- },
- "internalLoadBalancerType": {
- "value": "Per-protocol"
- },
- "internalLoadBalancerProbePort": {
- "value": "3456"
- },
- "instanceType": {
- "value": "Standard_DS3_v2"
- },
- "imageName": {
- "value": "Best1Gbps"
- },
- "bigIpVersion": {
- "value": "14.1.200000"
- },
- "bigIpModules": {
- "value": "ltm:nominal,asm:nominal,afm:nominal"
- },
- "stigDevice": {
- "value": true
- },
- "northTrustedAddressStartIP": {
- "value": "192.168.3.4"
- },
- "northTrustedAddressSubnet": {
- "value": "192.168.3.0/24"
- },
- "northUntrustedAddressStartIP": {
- "value": "192.168.2.4"
- },
- "northUntrustedAddressSubnet": {
- "value": "192.168.2.0/24"
- },
- "vdmsAddressSubnet": {
- "value": "192.168.4.0/24"
- },
- "declarationUrl": {
- "value": "https://raw.githubusercontent.com/Mikej81/f5-azure-saca/2.6.1/SACAv2/AS3/paygsccaBaseline.json"
- },
- "ntpServer": {
- "value": "0.pool.ntp.org"
- },
- "timeZone": {
- "value": "UTC"
- },
- "customImage": {
- "value": "OPTIONAL"
- },
- "restrictedSrcAddress": {
- "value": "*"
- },
- "tagValues": {
- "value": {
- "application": "APP",
- "cost": "COST",
- "environment": "ENV",
- "group": "GROUP",
- "owner": "OWNER"
- }
- },
- "allowUsageAnalytics": {
- "value": "Yes"
- }
- }
\ No newline at end of file
diff --git a/SACAv2/3NIC_1Tier_HA/payg/deploymentTest.script b/SACAv2/3NIC_1Tier_HA/payg/deploymentTest.script
deleted file mode 100644
index 88449ec..0000000
--- a/SACAv2/3NIC_1Tier_HA/payg/deploymentTest.script
+++ /dev/null
@@ -1,2 +0,0 @@
-az group create --name arm_deployment_test --location usgovvirginia
-az group deployment validate --resource-group arm_deployment_test --template-file azureDeploy.json --parameters @deploymentParameters.json
\ No newline at end of file
diff --git a/SACAv2/3NIC_3Tier_HA/bigiq/azureDeploy.json b/SACAv2/3NIC_3Tier_HA/bigiq/azureDeploy.json
deleted file mode 100644
index 961dece..0000000
--- a/SACAv2/3NIC_3Tier_HA/bigiq/azureDeploy.json
+++ /dev/null
@@ -1,2900 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "6.0.2.0",
- "parameters": {
- "governmentCloudRegion": {
- "defaultValue": true,
- "metadata": {
- "description": "Type of cloud this template will deploy into, ensure to select false for commercial."
- },
- "type": "bool"
- },
- "adminUsername": {
- "defaultValue": "xadmin",
- "metadata": {
- "description": "User name for the Virtual Machine."
- },
- "type": "string"
- },
- "authenticationType": {
- "allowedValues": [
- "password",
- "sshPublicKey"
- ],
- "defaultValue": "password",
- "metadata": {
- "description": "Type of authentication to use on the Virtual Machine, password based authentication or key based authentication."
- },
- "type": "string"
- },
- "adminPasswordOrKey": {
- "metadata": {
- "description": "Password or SSH public key to login to the Virtual Machine. Note: There are a number of special characters that you should avoid using for F5 product user accounts. See [K2873](https://support.f5.com/csp/article/K2873) for details. Note: If using key-based authentication, this should be the public key as a string, typically starting with **---- BEGIN SSH2 PUBLIC KEY ----** and ending with **---- END SSH2 PUBLIC KEY ----**."
- },
- "type": "securestring"
- },
- "WindowsAdminPassword": {
- "type": "securestring",
- "metadata": {
- "description": "Password for the Windows Virtual Machine."
- }
- },
- "Tier1bigIpModules": {
- "defaultValue": "ltm:nominal,asm:nominal,afm:nominal",
- "metadata": {
- "description": "Comma separated list of modules and levels to provision, for example, ltm:nominal,asm:nominal"
- },
- "type": "string"
- },
- "Tier1DeclarationUrl": {
- "defaultValue": "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/dist/arm/3.16.0/sccaBaseline.json",
- "metadata": {
- "description": "URL for the AS3 (https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.16.0/) declaration JSON file to be deployed. Leave as **NOT_SPECIFIED** to deploy without a service configuration."
- },
- "type": "string"
- },
- "Tier3bigIpModules": {
- "defaultValue": "ltm:nominal,afm:nominal",
- "metadata": {
- "description": "Comma separated list of modules and levels to provision, for example, ltm:nominal,asm:nominal"
- },
- "type": "string"
- },
- "Tier3DeclarationUrl": {
- "defaultValue": "NOT_SPECIFIED",
- "metadata": {
- "description": "URL for the AS3 (https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.5.1/) declaration JSON file to be deployed. Leave as **NOT_SPECIFIED** to deploy without a service configuration."
- },
- "type": "string"
- },
- "dnsLabelPrefix": {
- "defaultValue": "f5dns",
- "metadata": {
- "description": "Unique DNS HOST Name for the Public IP address used to access the Virtual Machine."
- },
- "type": "string"
- },
- "instanceName": {
- "defaultValue": "bigip",
- "metadata": {
- "description": "Name of the Virtual Machine."
- },
- "maxLength": 7,
- "type": "string"
- },
- "instanceType": {
- "allowedValues": [
- "Standard_D3",
- "Standard_D4",
- "Standard_D11",
- "Standard_D12",
- "Standard_D13",
- "Standard_D14",
- "Standard_DS3",
- "Standard_DS4",
- "Standard_DS11",
- "Standard_DS12",
- "Standard_DS13",
- "Standard_DS14",
- "Standard_D3_v2",
- "Standard_D4_v2",
- "Standard_D5_v2",
- "Standard_D11_v2",
- "Standard_D12_v2",
- "Standard_D13_v2",
- "Standard_D14_v2",
- "Standard_D15_v2",
- "Standard_DS3_v2",
- "Standard_DS4_v2",
- "Standard_DS5_v2",
- "Standard_DS11_v2",
- "Standard_DS12_v2",
- "Standard_DS13_v2",
- "Standard_DS14_v2",
- "Standard_DS15_v2",
- "Standard_F4",
- "Standard_F8",
- "Standard_F4S",
- "Standard_F8S",
- "Standard_F16S",
- "Standard_G3",
- "Standard_G4",
- "Standard_G5",
- "Standard_GS3",
- "Standard_GS4",
- "Standard_GS5"
- ],
- "defaultValue": "Standard_DS4_v2",
- "metadata": {
- "description": "Instance size of the Virtual Machine."
- },
- "type": "string"
- },
- "bigIpVersion": {
- "allowedValues": [
- "15.0.100000",
- "14.1.200000",
- "latest"
- ],
- "defaultValue": "14.1.200000",
- "metadata": {
- "description": "F5 BIG-IP version you want to use."
- },
- "type": "string"
- },
- "imageName": {
- "allowedValues": [
- "LTMTwoBootLocations",
- "AllTwoBootLocations"
- ],
- "defaultValue": "AllTwoBootLocations",
- "metadata": {
- "description": "F5 SKU (image) you want to deploy. Note: The disk size of the VM will be determined based on the option you select. **Important**: If intending to provision multiple modules, ensure the appropriate value is selected, such as ****AllTwoBootLocations or AllOneBootLocation****."
- },
- "type": "string"
- },
-
- "bigIqAddress": {
- "metadata": {
- "description": "The IP address (or hostname) for the BIG-IQ to be used when licensing the BIG-IP. Note: The BIG-IP will make a REST call to the BIG-IQ (already existing) to let it know a BIG-IP needs to be licensed. It will then license the BIG-IP using the provided BIG-IQ credentials and license pool."
- },
- "type": "string"
- },
- "bigIqUsername": {
- "metadata": {
- "description": "The BIG-IQ username to use during BIG-IP licensing via BIG-IQ."
- },
- "type": "string"
- },
- "bigIqPassword": {
- "metadata": {
- "description": "The BIG-IQ password to use during BIG-IP licensing via BIG-IQ."
- },
- "type": "securestring"
- },
- "bigIqLicensePoolName": {
- "metadata": {
- "description": "The BIG-IQ license pool to use during BIG-IP licensing via BIG-IQ."
- },
- "type": "string"
- },
- "bigIqLicenseSkuKeyword1": {
- "defaultValue": "OPTIONAL",
- "metadata": {
- "description": "The BIG-IQ license filter (based on SKU keyword) you want to use for licensing the BIG-IPs from the BIG-IQ, for example **F5-BIG-MSP-LTM-25M**, **F5-BIG-MSP-BR-200M**, **F5-BIG-MSP-BT-1G** or **F5-BIG-MSP-ASM-1G**. ***Important***: This is only required when licensing with an ELA/subscription (utility) pool on the BIG-IQ, if not using this pool type leave the default of **OPTIONAL**."
- },
- "type": "string"
- },
- "bigIqLicenseUnitOfMeasure": {
- "defaultValue": "OPTIONAL",
- "metadata": {
- "description": "The BIG-IQ license unit of measure to use during BIG-IP licensing via BIG-IQ, for example **yearly**, **monthly**, **daily** or **hourly**. ***Important***: This is only required when licensing with an ELA/subscription (utility) pool on the BIG-IQ, if not using this pool type leave the default of **OPTIONAL**."
- },
- "type": "string"
- },
- "STIGDevice": {
- "defaultValue": true,
- "metadata": {
- "description": "This setting will determine whether STIGS/SRGS will be applied at Onboarding."
- },
- "type": "bool"
- },
- "restrictedSrcAddress": {
- "defaultValue": "*",
- "metadata": {
- "description": "This field restricts management access to a specific network or address. Enter an IP address or address range in CIDR notation, or asterisk for all sources"
- },
- "type": "string"
- },
- "NorthboundLoadBalancerType": {
- "allowedValues": [
- "Public-alb",
- "Private-ilb"
- ],
- "defaultValue": "Public-alb",
- "metadata": {
- "description": "Specify a the type of Northbound Azure load balancer to deploy. Note: As of the initial release of this template, it is default to Public-alb"
- },
- "type": "string"
- },
- "NorthUntrustedAddressSubnet": {
- "defaultValue": "192.168.2.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the North Untrusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "NorthUntrustedAddressStartIP": {
- "defaultValue": "192.168.2.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "NorthUntrustedLBPrivateAddress": {
- "defaultValue": "192.168.2.100",
- "metadata": {
- "description": "The static address of the North Bound LB IP to be used for deployment. This is use ONLY IF the NorthboundLoadBalancerType is 'Private-ilb' type. You MUST type the full IP Address '192.168.2.100'."
- },
- "type": "string"
- },
- "NorthTrustedAddressSubnet": {
- "defaultValue": "192.168.3.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the North Trusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "NorthTrustedAddressStartIP": {
- "defaultValue": "192.168.3.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "VDMSAddressSubnet": {
- "defaultValue": "192.168.4.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the VDSS Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "IPSTier": {
- "allowedValues": [
- "Yes",
- "No"
- ],
- "defaultValue": "Yes",
- "metadata": {
- "description": "Specify whether IPS Tier would deploy from this template. If 'Yes', then this is a 3-teirs architecture, otherwise it is 2-tiers architecture"
- },
- "type": "string"
- },
- "IPSUntrustedAddressSubnet": {
- "defaultValue": "192.168.5.0/24",
- "metadata": {
- "description": "The CIDR block the IPS VEs use when creating the Untrusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "IPSUntrustedAddressStartIP": {
- "defaultValue": "192.168.5.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "IPSUntrustedLBPrivateAddress": {
- "defaultValue": "192.168.5.100",
- "metadata": {
- "description": "The static address of the IPS LB IP to be used for deployment. You MUST type the full IP Address '192.168.5.100'."
- },
- "type": "string"
- },
- "IPSTrustedAddressSubnet": {
- "defaultValue": "192.168.6.0/24",
- "metadata": {
- "description": "The CIDR block the IPS VEs use when creating the South Trusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "IPSTrustedAddressStartIP": {
- "defaultValue": "192.168.6.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "SouthUntrustedAddressSubnet": {
- "defaultValue": "192.168.7.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the South Untrusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "SouthUntrustedAddressStartIP": {
- "defaultValue": "192.168.7.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "SouthUntrustedLBPrivateAddress": {
- "defaultValue": "192.168.7.100",
- "metadata": {
- "description": "The static address of the South Bound LB IP to be used for deployment. You MUST type the full IP Address '192.168.7.100'."
- },
- "type": "string"
- },
- "SouthTrustedAddressSubnet": {
- "defaultValue": "192.168.8.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the South Trusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "SouthTrustedAddressStartIP": {
- "defaultValue": "192.168.8.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "ntpServer": {
- "defaultValue": "0.pool.ntp.org",
- "metadata": {
- "description": "Leave the default NTP server the BIG-IP uses, or replace the default NTP server with the one you want to use."
- },
- "type": "string"
- },
- "timeZone": {
- "defaultValue": "UTC",
- "metadata": {
- "description": "If you would like to change the time zone the BIG-IP uses, enter the time zone you want to use. This is based on the tz database found in /usr/share/zoneinfo (see the full list [here](https://github.com/F5Networks/f5-azure-arm-templates/blob/master/azure-timezone-list.md)). Example values: UTC, US/Pacific, US/Eastern, Europe/London or Asia/Singapore."
- },
- "type": "string"
- },
- "allowUsageAnalytics": {
- "allowedValues": [
- "Yes",
- "No"
- ],
- "defaultValue": "Yes",
- "metadata": {
- "description": "This deployment can send anonymous statistics to F5 to help us determine how to improve our solutions. If you select **No** statistics are not sent."
- },
- "type": "string"
- }
- },
- "variables": {
- "cloudRegion": {
- "false": ".cloudapp.azure.com",
- "true": ".cloudapp.usgovcloudapi.net"
- },
- "cloudPath": "[if(parameters('governmentCloudRegion'), variables('cloudRegion').true, variables('cloudRegion').false)]",
- "tagValues": "",
- "adminPasswordOrKey": "[replace(parameters('adminPasswordOrKey'),'\\n', '\n')]",
- "allowUsageAnalytics": {
- "No": {
- "hashCmd": "echo AllowUsageAnalytics:No",
- "metricsCmd": ""
- },
- "Yes": {
- "hashCmd": "[concat('custId=`echo \"', variables('subscriptionId'), '\"|sha512sum|cut -d \" \" -f 1`; deployId=`echo \"', variables('deploymentId'), '\"|sha512sum|cut -d \" \" -f 1`')]",
- "metricsCmd": "[concat(' --metrics customerId:${custId},deploymentId:${deployId},templateName:failover-lb_3nic-new-stack-saca,templateVersion:6.0.2.0,region:', variables('location'), ',bigIpVersion:', parameters('bigIpVersion') ,',licenseType:bigiq,cloudLibsVersion:', variables('f5CloudLibsTag'), ',cloudName:azure')]"
- }
- },
- "appScript": "IyEvYmluL2Jhc2gKZnVuY3Rpb24gcGFzc3dkKCkgewogIGVjaG8gfCBmNS1yZXN0LW5vZGUgL2NvbmZpZy9jbG91ZC9henVyZS9ub2RlX21vZHVsZXMvQGY1ZGV2Y2VudHJhbC9mNS1jbG91ZC1saWJzL3NjcmlwdHMvZGVjcnlwdERhdGFGcm9tRmlsZS5qcyAtLWRhdGEtZmlsZSAvY29uZmlnL2Nsb3VkLy5wYXNzd2QgfCBhd2sgJ3twcmludCAkMX0nCn0KCndoaWxlIGdldG9wdHMgbzp1OiBvcHRpb24KZG8gY2FzZSAiJG9wdGlvbiIgIGluCiAgICAgICAgbykgZGVjbGFyYXRpb25Vcmw9JE9QVEFSRzs7CiAgICAgICAgdSkgdXNlcj0kT1BUQVJHOzsKICAgIGVzYWMKZG9uZQoKZGVwbG95ZWQ9Im5vIgpmaWxlX2xvYz0iL2NvbmZpZy9jbG91ZC9jdXN0b21fY29uZmlnIgpkZmxfbWdtdF9wb3J0PWB0bXNoIGxpc3Qgc3lzIGh0dHBkIHNzbC1wb3J0IHwgZ3JlcCBzc2wtcG9ydCB8IHNlZCAncy9zc2wtcG9ydCAvLztzLyAvL2cnYAp1cmxfcmVnZXg9IihodHRwOlwvXC98aHR0cHM6XC9cLyk/W2EtejAtOV0rKFtcLVwuXXsxfVthLXowLTldKykqXC5bYS16XXsyLDV9KDpbMC05XXsxLDV9KT8oXC8uKik/JCIKCmlmIFtbICRkZWNsYXJhdGlvblVybCA9fiAkdXJsX3JlZ2V4IF1dOyB0aGVuCiAgICByZXNwb25zZV9jb2RlPSQoL3Vzci9iaW4vY3VybCAtLWludGVyZmFjZSBtZ210IC1zayAtdyAiJXtodHRwX2NvZGV9IiAkZGVjbGFyYXRpb25VcmwgLW8gJGZpbGVfbG9jKQogICAgaWYgW1sgJHJlc3BvbnNlX2NvZGUgPT0gMjAwIF1dOyB0aGVuCiAgICAgICAgIGVjaG8gIkN1c3RvbSBjb25maWcgZG93bmxvYWQgY29tcGxldGU7IGNoZWNraW5nIGZvciB2YWxpZCBKU09OLiIKICAgICAgICAgY2F0ICRmaWxlX2xvYyB8IGpxIC5jbGFzcwogICAgICAgICBpZiBbWyAkPyA9PSAwIF1dOyB0aGVuCiAgICAgICAgICAgICByZXNwb25zZV9jb2RlPSQoL3Vzci9iaW4vY3VybCAtc2t2dnUgJHVzZXI6JChwYXNzd2QpIC13ICIle2h0dHBfY29kZX0iIC1YIFBPU1QgLUggIkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vanNvbiIgLUggJ0V4cGVjdDonIC1kICJAJGZpbGVfbG9jIiBodHRwczovL2xvY2FsaG9zdDokZGZsX21nbXRfcG9ydC9tZ210L3NoYXJlZC9hcHBzdmNzL2RlY2xhcmUgLW8gL2Rldi9udWxsKQoKICAgICAgICAgICAgIGlmIFtbICRyZXNwb25zZV9jb2RlID09IDIwMCB8fCAkcmVzcG9uc2VfY29kZSA9PSAyMDcgfHwgJHJlc3BvbnNlX2NvZGUgPT0gNTAyIF1dOyB0aGVuCiAgICAgICAgICAgICAgICAgIGVjaG8gIkRlcGxveW1lbnQgb2YgYXBwbGljYXRpb24gc3VjY2VlZGVkLiAkcmVzcG9uc2VfY29kZSIKICAgICAgICAgICAgICAgICAgZGVwbG95ZWQ9InllcyIKICAgICAgICAgICAgIGVsc2UKICAgICAgICAgICAgICAgICBlY2hvICJGYWlsZWQgdG8gZGVwbG95IGFwcGxpY2F0aW9uOyBjb250aW51aW5nIHdpdGggcmVzcG9uc2UgY29kZSAnIiRyZXNwb25zZV9jb2RlIiciCiAgICAgICAgICAgICBmaQogICAgICAgICBlbHNlCiAgICAgICAgICAgICBlY2hvICJDdXN0b20gY29uZmlnIHdhcyBub3QgdmFsaWQgSlNPTiwgY29udGludWluZyIKICAgICAgICAgZmkKICAgIGVsc2UKICAgICAgICBlY2hvICJGYWlsZWQgdG8gZG93bmxvYWQgY3VzdG9tIGNvbmZpZzsgY29udGludWluZyB3aXRoIHJlc3BvbnNlIGNvZGUgJyIkcmVzcG9uc2VfY29kZSInIgogICAgZmkKZWxzZQogICAgIGVjaG8gIkN1c3RvbSBjb25maWcgd2FzIG5vdCBhIFVSTCwgY29udGludWluZy4iCmZpCgppZiBbWyAkZGVwbG95ZWQgPT0gIm5vIiAmJiAkZGVjbGFyYXRpb25VcmwgPT0gIk5PVF9TUEVDSUZJRUQiIF1dOyB0aGVuCiAgICBlY2hvICJBcHBsaWNhdGlvbiBkZXBsb3ltZW50IGZhaWxlZCBvciBjdXN0b20gVVJMIHdhcyBub3Qgc3BlY2lmaWVkLiIKZmkKCmVjaG8gIkRlcGxveW1lbnQgY29tcGxldGUuIgpleGl0",
- "verifyHash64": "Y2xpIHNjcmlwdCAvQ29tbW9uL3ZlcmlmeUhhc2ggewpwcm9jIHNjcmlwdDo6cnVuIHt9IHsKICAgICAgICBpZiB7W2NhdGNoIHsKICAgICAgICAgICAgc2V0IGhhc2hlcyhhc20tcG9saWN5LWxpbnV4LnRhci5neikgNjNiNWMyYTUxY2EwOWM0M2JkODlhZjM3NzNiYmFiODdjNzFhNmU3ZjZhZDk0MTBiMjI5YjRlMGExYzQ4M2Q0NmYxYTlmZmYzOWQ5OTQ0MDQxYjAyZWU5MjYwNzI0MDI3NDE0ZGU1OTJlOTlmNGMyNDc1NDE1MzIzZTE4YTcyZTAKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5odHRwLnYxLjIuMHJjNC50bXBsKSA0N2MxOWE4M2ViZmM3YmQxZTllOWMzNWYzNDI0OTQ1ZWY4Njk0YWE0MzdlZWRkMTdiNmEzODc3ODhkNGRiMTM5NmZlZmU0NDUxOTliNDk3MDY0ZDc2OTY3YjBkNTAyMzgxNTQxOTBjYTBiZDczOTQxMjk4ZmMyNTdkZjRkYzAzNAogICAgICAgICAgICBzZXQgaGFzaGVzKGY1Lmh0dHAudjEuMi4wcmM2LnRtcGwpIDgxMWIxNGJmZmFhYjVlZDAzNjVmMDEwNmJiNWNlNWU0ZWMyMjM4NTY1NWVhM2FjMDRkZTJhMzliZDk5NDRmNTFlMzcxNDYxOWRhZTdjYTQzNjYyYzk1NmI1MjEyMjI4ODU4ZjA1OTI2NzJhMjU3OWQ0YTg3NzY5MTg2ZTJjYmZlCiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuaHR0cC52MS4yLjByYzcudG1wbCkgMjFmNDEzMzQyZTlhN2EyODFhMGYwZTEzMDFlNzQ1YWE4NmFmMjFhNjk3ZDJlNmZkYzIxZGQyNzk3MzQ5MzY2MzFlOTJmMzRiZjFjMmQyNTA0YzIwMWY1NmNjZDc1YzVjMTNiYWEyZmU3NjUzMjEzNjg5ZWMzYzllMjdkZmY3N2QKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5hd3NfYWR2YW5jZWRfaGEudjEuMy4wcmMxLnRtcGwpIDllNTUxNDljMDEwYzFkMzk1YWJkYWUzYzNkMmNiODNlYzEzZDMxZWQzOTQyNDY5NWU4ODY4MGNmM2VkNWEwMTNkNjI2YjMyNjcxMWQzZDQwZWYyZGY0NmI3MmQ0MTRiNGNiOGU0ZjQ0NWVhMDczOGRjYmQyNWM0Yzg0M2FjMzlkCiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuYXdzX2FkdmFuY2VkX2hhLnYxLjQuMHJjMS50bXBsKSBkZTA2ODQ1NTI1NzQxMmE5NDlmMWVhZGNjYWVlODUwNjM0N2UwNGZkNjliZmI2NDUwMDFiNzZmMjAwMTI3NjY4ZTRhMDZiZTJiYmI5NGUxMGZlZmMyMTVjZmMzNjY1YjA3OTQ1ZTZkNzMzY2JlMWE0ZmExYjg4ZTg4MTU5MDM5NgogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LmF3c19hZHZhbmNlZF9oYS52MS40LjByYzIudG1wbCkgNmFiMGJmZmM0MjZkZjdkMzE5MTNmOWE0NzRiMWEwNzg2MDQzNWUzNjZiMDdkNzdiMzIwNjRhY2ZiMjk1MmMxZjIwN2JlYWVkNzcwMTNhMTVlNDRkODBkNzRmMzI1M2U3Y2Y5ZmJiZTEyYTkwZWM3MTI4ZGU2ZmFjZDA5N2Q2OGYKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5hd3NfYWR2YW5jZWRfaGEudjEuNC4wcmMzLnRtcGwpIDJmMjMzOWI0YmMzYTIzYzljZmQ0MmFhZTJhNmRlMzliYTA2NTgzNjZmMjU5ODVkZTJlYTUzNDEwYTc0NWYwZjE4ZWVkYzQ5MWIyMGY0YThkYmE4ZGI0ODk3MDA5NmUyZWZkY2E3YjhlZmZmYTFhODNhNzhlNWFhZGYyMThiMTM0CiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuYXdzX2FkdmFuY2VkX2hhLnYxLjQuMHJjNC50bXBsKSAyNDE4YWM4YjFmMTg4NGM1YzA5NmNiYWM2YTk0ZDQwNTlhYWFmMDU5MjdhNmE0NTA4ZmQxZjI1YjhjYzYwNzc0OTg4MzlmYmRkYTgxNzZkMmNmMmQyNzRhMjdlNmExZGFlMmExZTNhMGE5OTkxYmM2NWZjNzRmYzBkMDJjZTk2MwogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LmF3c19hZHZhbmNlZF9oYS52MS40LjByYzUudG1wbCkgNWU1ODIxODdhZTFhNjMyM2UwOTVkNDFlZGRkNDExNTFkNmJkMzhlYjgzYzYzNDQxMGQ0NTI3YTNkMGUyNDZhOGZjNjI2ODVhYjA4NDlkZTJhZGU2MmIwMjc1ZjUxMjY0ZDJkZWFjY2JjMTZiNzczNDE3Zjg0N2E0YTFlYTliYzQKICAgICAgICAgICAgc2V0IGhhc2hlcyhhc20tcG9saWN5LnRhci5neikgMmQzOWVjNjBkMDA2ZDA1ZDhhMTU2N2ExZDhhYWU3MjI0MTllOGIwNjJhZDc3ZDZkOWEzMTY1Mjk3MWU1ZTY3YmM0MDQzZDgxNjcxYmEyYThiMTJkZDIyOWVhNDZkMjA1MTQ0Zjc1Mzc0ZWQ0Y2FlNThjZWZhOGY5YWI2NTMzZTYKICAgICAgICAgICAgc2V0IGhhc2hlcyhkZXBsb3lfd2FmLnNoKSAxYTNhM2M2Mjc0YWIwOGE3ZGMyY2I3M2FlZGM4ZDJiMmEyM2NkOWUwZWIwNmEyZTE1MzRiMzYzMmYyNTBmMWQ4OTcwNTZmMjE5ZDViMzVkM2VlZDEyMDcwMjZlODk5ODlmNzU0ODQwZmQ5Mjk2OWM1MTVhZTRkODI5MjE0ZmI3NAogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LnBvbGljeV9jcmVhdG9yLnRtcGwpIDA2NTM5ZTA4ZDExNWVmYWZlNTVhYTUwN2VjYjRlNDQzZTgzYmRiMWY1ODI1YTk1MTQ5NTRlZjZjYTU2ZDI0MGVkMDBjN2I1ZDY3YmQ4ZjY3YjgxNWVlOWRkNDY0NTE5ODQ3MDFkMDU4Yzg5ZGFlMjQzNGM4OTcxNWQzNzVhNjIwCgogICAgICAgICAgICBzZXQgZmlsZV9wYXRoIFtsaW5kZXggJHRtc2g6OmFyZ3YgMV0KICAgICAgICAgICAgc2V0IGZpbGVfbmFtZSBbZmlsZSB0YWlsICRmaWxlX3BhdGhdCgogICAgICAgICAgICBpZiB7IVtpbmZvIGV4aXN0cyBoYXNoZXMoJGZpbGVfbmFtZSldfSB7CiAgICAgICAgICAgICAgICB0bXNoOjpsb2cgZXJyICJObyBoYXNoIGZvdW5kIGZvciAkZmlsZV9uYW1lIgogICAgICAgICAgICAgICAgZXhpdCAxCiAgICAgICAgICAgIH0KCiAgICAgICAgICAgIHNldCBleHBlY3RlZF9oYXNoICRoYXNoZXMoJGZpbGVfbmFtZSkKICAgICAgICAgICAgc2V0IGNvbXB1dGVkX2hhc2ggW2xpbmRleCBbZXhlYyAvdXNyL2Jpbi9vcGVuc3NsIGRnc3QgLXIgLXNoYTUxMiAkZmlsZV9wYXRoXSAwXQogICAgICAgICAgICBpZiB7ICRleHBlY3RlZF9oYXNoIGVxICRjb21wdXRlZF9oYXNoIH0gewogICAgICAgICAgICAgICAgZXhpdCAwCiAgICAgICAgICAgIH0KICAgICAgICAgICAgdG1zaDo6bG9nIGVyciAiSGFzaCBkb2VzIG5vdCBtYXRjaCBmb3IgJGZpbGVfcGF0aCIKICAgICAgICAgICAgZXhpdCAxCiAgICAgICAgfV19IHsKICAgICAgICAgICAgdG1zaDo6bG9nIGVyciB7VW5leHBlY3RlZCBlcnJvciBpbiB2ZXJpZnlIYXNofQogICAgICAgICAgICBleGl0IDEKICAgICAgICB9CiAgICB9Cn0=",
-
- "installCloudLibs64": "IyEvYmluL2Jhc2gKZWNobyAgYWJvdXQgdG8gZXhlY3V0ZQpjaGVja3M9MAp3aGlsZSBbICRjaGVja3MgLWx0IDEyMCBdOyBkbyBlY2hvIGNoZWNraW5nIG1jcGQKICAgIHRtc2ggLWEgc2hvdyBzeXMgbWNwLXN0YXRlIGZpZWxkLWZtdCB8IGdyZXAgLXEgcnVubmluZwogICBpZiBbICQ/ID09IDAgXTsgdGhlbgogICAgICAgZWNobyBtY3BkIHJlYWR5CiAgICAgICBicmVhawogICBmaQogICBlY2hvIG1jcGQgbm90IHJlYWR5IHlldAogICBsZXQgY2hlY2tzPWNoZWNrcysxCiAgIHNsZWVwIDEwCmRvbmUgCgplY2hvICBleHBhbmRpbmcgZjUtY2xvdWQtbGlicy50YXIuZ3oKdGFyIHh2ZnogL2NvbmZpZy9jbG91ZC9mNS1jbG91ZC1saWJzLnRhci5neiAtQyAvY29uZmlnL2Nsb3VkL2F6dXJlL25vZGVfbW9kdWxlcy9AZjVkZXZjZW50cmFsCmVjaG8gIGNsb3VkIGxpYnMgaW5zdGFsbCBjb21wbGV0ZQp0b3VjaCAvY29uZmlnL2Nsb3VkL2Nsb3VkTGlic1JlYWR5",
-
- "availabilitySetName0": "[concat(variables('dnsLabelPrefix'), '-avset0')]",
- "availabilitySetName1": "[concat(variables('dnsLabelPrefix'), '-avset1')]",
- "availabilitySetName2": "[concat(variables('dnsLabelPrefix'), '-avset2')]",
- "availabilitySetName3": "[concat(variables('dnsLabelPrefix'), '-avset3')]",
- "availabilitySetId0": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets',variables('availabilitySetName0'))]"
- },
- "availabilitySetId1": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets',variables('availabilitySetName1'))]"
- },
- "availabilitySetId2": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets',variables('availabilitySetName2'))]"
- },
- "backEndAddressPoolArray": [
- {
- "id": "[concat(variables('nbALBid'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- },
- {
- "id": "[concat(variables('nbILBid'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- }
- ],
- "backEndMgmtPoolArray": [
- {
- "id": "[concat(variables('nbALBid'), '/backendAddressPools/', 'loadBalancerMgmtBackEnd')]"
- },
- {
- "id": "[concat(variables('mgmtALBid'), '/backendAddressPools/', 'loadBalancerMgmtBackEnd')]"
- }
- ],
- "SBBackEndAddressPool": {
- "id": "[concat(variables('sbILBid'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- },
- "IPSBackEndAddressPool": {
- "id": "[concat(variables('IPSILBid'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- },
- "bigIpNicPortMap": {
- "1": {
- "Port": "[parameters('bigIpVersion')]"
- },
- "2": {
- "Port": "443"
- },
- "3": {
- "Port": "443"
- },
- "4": {
- "Port": "443"
- },
- "5": {
- "Port": "443"
- },
- "6": {
- "Port": "443"
- }
- },
- "bigIpNicPortValue": "[variables('bigIpNicPortMap')['3'].Port]",
- "bigIpVersionPortMap": {
- "443": {
- "Port": 443
- },
- "15.0.100000": {
- "Port": 8443
- },
- "14.1.200000": {
- "Port": 8443
- },
- "latest": {
- "Port": 8443
- }
- },
- "bigIpMgmtPort": "[variables('bigIpVersionPortMap')[variables('bigIpNicPortValue')].Port]",
- "commandArgs": "[concat('-o ', parameters('Tier1DeclarationUrl'), ' -u svc_user')]",
- "commandArgs2": "[concat('-o ', parameters('Tier3DeclarationUrl'), ' -u svc_user')]",
- "computeApiVersion": "2017-12-01",
- "createNewCustomImage": "[contains(variables('customImage'), 'https://')]",
- "customConfig": "### START (INPUT) CUSTOM CONFIGURATION HERE\n",
- "customImage": "",
- "dataStorageAccountType": "Standard_LRS",
- "deploymentId": "[concat(variables('subscriptionId'), resourceGroup().id, deployment().name, variables('dnsLabelPrefix'))]",
-
- "dnsLabelPrefix": "[toLower(parameters('dnsLabelPrefix'))]",
- "dnsLabel": "[toLower(variables('dnsLabelPrefix'))]",
-
- "enableNetworkFailover": "Yes",
-
- "f5AS3Build": "f5-appsvcs-3.16.0-6.noarch.rpm",
- "f5CloudIappsLoggerTag": "v1.0.0",
- "f5CloudIappsSdTag": "v2.3.2",
- "f5CloudLibsTag": "v4.9.1",
-
- "failoverCmdArray": {
- "No": {
- "first": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '0.', variables('location'), variables('cloudPath')), ' unicast-address none')]",
- "second": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '1.', variables('location'), variables('cloudPath')), ' unicast-address none')]",
- "third": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '2.', variables('location'), variables('cloudPath')), ' unicast-address none')]",
- "fourth": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '3.', variables('location'), variables('cloudPath')), ' unicast-address none')]"
- },
- "Yes": {
- "first": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '0.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnetPrivateAddress'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress'))]",
- "second": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '1.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnetPrivateAddress1'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress1'))]",
- "third": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '2.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnet2PrivateAddress'), ' port 1026 } } mirror-ip ', variables('intSubnet2PrivateAddress'))]",
- "fourth": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '3.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnet2PrivateAddress1'), ' port 1026 } } mirror-ip ', variables('intSubnet2PrivateAddress1'))]"
- }
- },
-
- "imageNameSub": "[variables('imageNameArray')[parameters('bigIpVersion')][parameters('imageName')]]",
- "imageNameArray": {
- "15.0.100000": {
- "AllOneBootLocation": "big-all-1slot",
- "AllTwoBootLocations": "big-all-2slot",
- "LTMOneBootLocation": "big-ltm-1slot",
- "LTMTwoBootLocations": "big-ltm-2slot"
- },
- "14.1.200000": {
- "AllOneBootLocation": "big-all-1slot",
- "AllTwoBootLocations": "big-all-2slot",
- "LTMOneBootLocation": "big-ltm-1slot",
- "LTMTwoBootLocations": "big-ltm-2slot"
- },
- "latest": {
- "AllOneBootLocation": "big-all-2slot",
- "AllTwoBootLocations": "big-all-2slot",
- "LTMOneBootLocation": "big-ltm-2slot",
- "LTMTwoBootLocations": "big-ltm-2slot"
- },
- "offerPostfix": {
- "big-all-1slot": "byol",
- "big-all-2slot": "byol",
- "big-ltm-1slot": "byol",
- "big-ltm-2slot": "byol",
- "bigip-virtual-edition-best": "best",
- "bigip-virtual-edition-good": "good"
- }
- },
- "imagePlan": {
- "name": "[variables('skuToUse')]",
- "product": "[variables('offerToUse')]",
- "publisher": "f5-networks"
- },
- "imageReference": {
- "offer": "[variables('offerToUse')]",
- "publisher": "f5-networks",
- "sku": "[variables('skuToUse')]",
- "version": "[parameters('bigIpVersion')]"
- },
-
- "installCustomConfig": "[concat(variables('singleQuote'), '#!/bin/bash\n', variables('customConfig'), variables('singleQuote'))]",
- "instanceName": "[toLower(parameters('instanceName'))]",
- "nbALBid": "[resourceId('Microsoft.Network/loadBalancers',variables('NorthboundLoadBalancerName'))]",
- "extNicName": "[concat(variables('dnsLabelPrefix'), '-ext')]",
- "extNsgID": "[resourceId('Microsoft.Network/networkSecurityGroups/',concat(variables('dnsLabelPrefix'),'-ext-nsg'))]",
- "extPublicIPAddressIdPrefix": "[resourceId('Microsoft.Network/publicIPAddresses', variables('extPublicIPAddressNamePrefix'))]",
- "extSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('extsubnetName'))]",
- "extSubnetName": "external",
- "extSubnetPrivateAddressPrefix": "[substring(parameters('NorthUntrustedAddressStartIP'), 0, lastindexOf(parameters('NorthUntrustedAddressStartIP'), '.'))]",
- "extSubnetStartDirty": "[substring(parameters('NorthUntrustedAddressStartIP'), lastIndexOf(parameters('NorthUntrustedAddressStartIP'), '.'), sub(length(parameters('NorthUntrustedAddressStartIP')), lastIndexOf(parameters('NorthUntrustedAddressStartIP'), '.')))]",
- "extSubnetStartInt": "[replace(variables('extSubnetStartDirty'), '.','')]",
- "extSubnetPrivateAddress": "[parameters('NorthUntrustedAddressStartIP')]",
- "extSubnetPrivateAddress1": "[concat(variables('extSubnetPrivateAddressPrefix'), '.',add(int(variables('extSubnetStartInt')), 1))]",
- "NorthboundLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-nb-alb')]",
- "mgmtLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-mgmt-alb')]",
- "extpublicIPAddressNamePrefix": "[concat(variables('dnsLabelPrefix'), '-ext-pip')]",
-
- "nbILBid": "[resourceId('Microsoft.Network/loadBalancers',variables('NorthboundLoadBalancerNameb'))]",
- "intNicName": "[concat(variables('dnsLabelPrefix'), '-int')]",
- "intSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('intsubnetName'))]",
- "intSubnetName": "internal",
- "intSubnetPrivateAddressPrefix": "[substring(parameters('NorthTrustedAddressStartIP'), 0, lastindexOf(parameters('NorthTrustedAddressStartIP'), '.'))]",
- "intSubnetStartDirty": "[substring(parameters('NorthTrustedAddressStartIP'), lastIndexOf(parameters('NorthTrustedAddressStartIP'), '.'), sub(length(parameters('NorthTrustedAddressStartIP')), lastIndexOf(parameters('NorthTrustedAddressStartIP'), '.') ))]",
- "intSubnetStartInt": "[replace(variables('intSubnetStartDirty'), '.', '')]",
- "intSubnetPrivateAddress": "[parameters('NorthTrustedAddressStartIP')]",
- "intSubnetPrivateAddress1": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 1))]",
- "intSubnetPrivateAddress2": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 10))]",
- "intSubnetPrivateAddress3": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 11))]",
-
- "NorthboundLoadBalancerNameb": "[concat(variables('dnsLabelPrefix'),'-nb-ilb')]",
-
- "tmmRouteGw": "[concat(variables('intSubnetPrivateAddressPrefix'), '.1')]",
-
- "mgmtALBid": "[resourceId('Microsoft.Network/loadBalancers',variables('mgmtLoadBalancerName'))]",
- "sbILBid": "[resourceId('Microsoft.Network/loadBalancers',variables('SouthboundLoadBalancerName'))]",
- "SouthboundLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-sb-ilb')]",
- "extSubnet2Name": "external2",
- "extSubnet2PrivateAddressPrefix": "[substring(parameters('SouthUntrustedAddressStartIP'), 0, lastindexOf(parameters('SouthUntrustedAddressStartIP'), '.'))]",
- "ext2SubnetStartDirty": "[substring(parameters('SouthUntrustedAddressStartIP'), lastIndexOf(parameters('SouthUntrustedAddressStartIP'), '.'), sub(length(parameters('SouthUntrustedAddressStartIP')), lastIndexOf(parameters('SouthUntrustedAddressStartIP'), '.')))]",
- "extSubnet2StartInt": "[replace(variables('ext2SubnetStartDirty'), '.','')]",
- "extSubnet2PrivateAddress": "[parameters('SouthUntrustedAddressStartIP')]",
- "extSubnet2PrivateAddress1": "[concat(variables('extSubnet2PrivateAddressPrefix'), '.',add(int(variables('extSubnet2StartInt')), 1))]",
- "extSubnet2Id": "[concat(variables('vnetId'), '/subnets/', variables('extSubnet2Name'))]",
- "intSubnet2Name": "internal2",
- "intSubnet2Id": "[concat(variables('vnetId'), '/subnets/', variables('intSubnet2Name'))]",
- "intSubnet2PrivateAddressPrefix": "[substring(parameters('SouthTrustedAddressStartIP'), 0, lastindexOf(parameters('SouthTrustedAddressStartIP'), '.'))]",
- "intSubnet2StartDirty": "[substring(parameters('SouthTrustedAddressStartIP'), lastIndexOf(parameters('SouthTrustedAddressStartIP'), '.'), sub(length(parameters('SouthTrustedAddressStartIP')), lastIndexOf(parameters('SouthTrustedAddressStartIP'), '.') ))]",
- "intSubnet2StartInt": "[replace(variables('intSubnet2StartDirty'), '.', '')]",
- "intSubnet2PrivateAddress": "[parameters('SouthTrustedAddressStartIP')]",
- "intSubnet2PrivateAddress1": "[concat(variables('intSubnet2PrivateAddressPrefix'), '.', add(int(variables('IntSubnet2StartInt')), 1))]",
- "intSubnet2PrivateAddress2": "[concat(variables('intSubnet2PrivateAddressPrefix'), '.', add(int(variables('IntSubnet2StartInt')), 10))]",
- "intSubnet2PrivateAddress3": "[concat(variables('intSubnet2PrivateAddressPrefix'), '.', add(int(variables('IntSubnet2StartInt')), 11))]",
-
- "tmmRouteGw2": "[concat(variables('intSubnet2PrivateAddressPrefix'), '.1')]",
-
- "IPSILBid": "[resourceId('Microsoft.Network/loadBalancers',variables('IPSLoadBalancerName'))]",
- "IPSLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-ips-ilb')]",
- "IPSFirewallName": "[concat(variables('dnsLabelPrefix'),'-ips-fw')]",
- "IPSExtNicName": "[concat(variables('dnsLabelPrefix'), '-IPSExt')]",
- "IPSExtSubnetName": "ips-external",
- "IPSExtSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('IPSExtSubnetName'))]",
- "IPSExtSubnetPrivateAddressPrefix": "[substring(parameters('IPSUntrustedAddressStartIP'), 0, lastindexOf(parameters('IPSUntrustedAddressStartIP'), '.'))]",
- "IPSExtSubnetStartDirty": "[substring(parameters('IPSUntrustedAddressStartIP'), lastIndexOf(parameters('IPSUntrustedAddressStartIP'), '.'), sub(length(parameters('IPSUntrustedAddressStartIP')), lastIndexOf(parameters('IPSUntrustedAddressStartIP'), '.')))]",
- "IPSExtSubnetStartInt": "[replace(variables('IPSExtSubnetStartDirty'), '.','')]",
- "IPSExtSubnetPrivateAddress": "[parameters('IPSUntrustedAddressStartIP')]",
- "IPSExtSubnetPrivateAddress1": "[concat(variables('IPSExtSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSExtSubnetStartInt')), 1))]",
- "IPSExtSubnetPrivateAddress2": "[concat(variables('IPSExtSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSExtSubnetStartInt')), 10))]",
- "IPSExtSubnetPrivateAddress3": "[concat(variables('IPSExtSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSExtSubnetStartInt')), 11))]",
- "IPSIntNicName": "[concat(variables('dnsLabelPrefix'), '-IPSInt')]",
- "IPSIntSubnetName": "ips-internal",
- "IPSIntSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('IPSIntSubnetName'))]",
- "IPSIntSubnetPrivateAddressPrefix": "[substring(parameters('IPSTrustedAddressStartIP'), 0, lastindexOf(parameters('IPSTrustedAddressStartIP'), '.'))]",
- "IPSIntSubnetStartDirty": "[substring(parameters('IPSTrustedAddressStartIP'), lastIndexOf(parameters('IPSTrustedAddressStartIP'), '.'), sub(length(parameters('IPSTrustedAddressStartIP')), lastIndexOf(parameters('IPSTrustedAddressStartIP'), '.')))]",
- "IPSIntSubnetStartInt": "[replace(variables('IPSIntSubnetStartDirty'), '.','')]",
- "IPSIntSubnetPrivateAddress": "[parameters('IPSTrustedAddressStartIP')]",
- "IPSIntSubnetPrivateAddress1": "[concat(variables('IPSIntSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSIntSubnetStartInt')), 1))]",
- "IPSIntSubnetPrivateAddress2": "[concat(variables('IPSIntSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSIntSubnetStartInt')), 10))]",
- "IPSIntSubnetPrivateAddress3": "[concat(variables('IPSIntSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSIntSubnetStartInt')), 11))]",
-
- "isAcceleratedNetworkingSupported": "[if(not(contains(parameters('bigIpVersion'), '14.1.200000')), bool('true'), bool('false'))]",
-
- "mgmtNsgID": "[resourceId('Microsoft.Network/networkSecurityGroups/',concat(variables('dnsLabel'),'-mgmt-nsg'))]",
-
- "mgmtNicName": "[concat(variables('dnsLabelPrefix'), '-mgmt')]",
- "mgmtSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('mgmtSubnetName'))]",
- "mgmtSubnetName": "management",
- "ManagementAddressSubnet": "192.168.1.0/24",
- "ManagementAddressStartIP": "192.168.1.4",
-
- "mgmtPublicIPAddressIdPrefix": "[resourceId('Microsoft.Network/publicIPAddresses', variables('mgmtPublicIPAddressName'))]",
- "mgmtPublicIPAddressName": "[concat(variables('dnsLabelPrefix'), '-mgmt-pip')]",
-
- "mgmtSubnetPrivateAddress": "[variables('ManagementAddressStartIP')]",
- "mgmtSubnetPrivateAddressPrefix": "[substring(variables('ManagementAddressStartIP'), 0, lastindexOf(variables('ManagementAddressStartIP'), '.'))]",
- "mgmtSubnetStartDirty": "[substring(variables('ManagementAddressStartIP'), lastIndexOf(variables('ManagementAddressStartIP'), '.'), sub(length(variables('ManagementAddressStartIP')), lastIndexOf(variables('ManagementAddressStartIP'), '.') ))]",
- "mgmtSubnetStartInt": "[replace(variables('mgmtSubnetStartDirty'), '.','')]",
-
- "mgmtSubnetPrivateAddress1": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 5))]",
- "mgmtSubnetPrivateAddress2": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 6))]",
- "mgmtSubnetPrivateAddress3": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 7))]",
- "mgmtSubnetPrivateAddress4": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 50))]",
- "mgmtSubnetPrivateAddress5": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 51))]",
- "mgmtSubnetPrivateAddress6": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 61))]",
- "mgmtSubnetPrivateAddress7": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 62))]",
-
- "stigCmdArray": {
- "true": "bash ./bigipstig.sh;",
- "false": ""
- },
- "cmdConfigStig": "[if(parameters('STIGDevice'), variables('stigCmdArray').true, variables('stigCmdArray').false)]",
- "createFWLogArray": {
- "true": "tmsh create security log profile local-afm-log { network replace-all-with { local-afm-log { publisher local-db-publisher filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled } } } };",
- "false": ""
- },
- "cmdcreateFWLog": "[if(contains(parameters('Tier1bigIpModules'), 'afm'), variables('createFWLogArray').true, variables('createFWLogArray').false)]",
- "cmdcreateFWLog2": "[if(contains(parameters('Tier3bigIpModules'), 'afm'), variables('createFWLogArray').true, variables('createFWLogArray').false)]",
- "createFWPolicyArray": {
- "true": "tmsh create security firewall policy log_all_afm rules add { allow_all { action accept log yes place-before first } deny_all { action reject log yes place-after allow_all } };",
- "false": ""
- },
- "cmdcreateFWPolicy": "[if(contains(parameters('Tier1bigIpModules'), 'afm'), variables('createFWPolicyArray').true, variables('createFWPolicyArray').false)]",
- "cmdcreateFWPolicy2": "[if(contains(parameters('Tier1bigIpModules'), 'afm'), variables('createFWPolicyArray').true, variables('createFWPolicyArray').false)]",
- "installDODRootCA": "unzip Certificates_PKCS7_v5.5_DoD.zip; openssl pkcs7 -print_certs -in ./Certificates_PKCS7_v5.5_DoD/Certificates_PKCS7_v5.5_DoD.pem.p7b -out DoD_Root_CA.cer; tmsh install sys crypto cert DODRoots from-local-file DoD_Root_CA.cer;",
- "firewallConfig": "[concat(variables('cmdcreateFWLog'), variables('cmdcreateFWPolicy'))]",
- "firewallConfig2": "[concat(variables('cmdcreateFWLog2'), variables('cmdcreateFWPolicy2'))]",
-
- "sacaConfig": "[variables('cmdConfigStig')]",
-
- "vdmsSubnetName": "VDMS",
- "windowsOSVersion": "2019-Datacenter",
- "WinvmName": "Bastion-Win-JB",
- "jbimageOffer": "UbuntuServer",
- "jbimagePublisher": "Canonical",
- "jblinuxConfiguration": {
- "disablePasswordAuthentication": true,
- "ssh": {
- "publicKeys": [
- {
- "keyData": "[parameters('adminPasswordOrKey')]",
- "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]"
- }
- ]
- }
- },
- "jbubuntuOSVersion": "18.04-LTS",
- "jbvmName": "[concat(parameters('instanceName'), '-linux-jump')]",
- "jbvmSize": "Standard_A1",
- "linuxConfiguration": {
- "disablePasswordAuthentication": true,
- "ssh": {
- "publicKeys": [
- {
- "keyData": "[variables('adminPasswordOrKey')]",
- "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]"
- }
- ]
- }
- },
- "location": "[resourceGroup().location]",
-
- "networkApiVersion": "2017-11-01",
- "newCustomImageName": "[concat(variables('dnsLabelPrefix'), 'image')]",
- "newDataStorageAccountName": "[concat(uniqueString(variables('dnsLabelPrefix'), resourceGroup().id, deployment().name), 'data000')]",
- "numberOfExternalIps": 1,
- "offerToUse": "[concat('f5-big-ip-', variables('imageNameArray').offerPostfix[variables('imageNameSub')])]",
- "osProfiles": {
- "password": {
- "one": {
- "adminPassword": "[variables('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[concat(variables('instanceName'), '0')]",
- "linuxConfiguration": "[json('null')]"
- },
- "two": {
- "adminPassword": "[variables('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[concat(variables('instanceName'), '1')]",
- "linuxConfiguration": "[json('null')]"
- },
- "three": {
- "adminPassword": "[variables('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[concat(variables('instanceName'), '2')]",
- "linuxConfiguration": "[json('null')]"
- },
- "four": {
- "adminPassword": "[variables('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[concat(variables('instanceName'), '3')]",
- "linuxConfiguration": "[json('null')]"
- }
-
- },
- "sshPublicKey": {
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('instanceName')]",
- "linuxConfiguration": "[variables('linuxConfiguration')]"
- }
- },
- "premiumInstanceArray": [
- "Standard_DS2",
- "Standard_DS3",
- "Standard_DS4",
- "Standard_DS11",
- "Standard_DS12",
- "Standard_DS13",
- "Standard_DS14",
- "Standard_DS2_v2",
- "Standard_DS3_v2",
- "Standard_DS4_v2",
- "Standard_DS5_v2",
- "Standard_DS11_v2",
- "Standard_DS12_v2",
- "Standard_DS13_v2",
- "Standard_DS14_v2",
- "Standard_DS15_v2",
- "Standard_F2S",
- "Standard_F4S",
- "Standard_F8S",
- "Standard_F16S",
- "Standard_GS2",
- "Standard_GS3",
- "Standard_GS4",
- "Standard_GS5"
- ],
- "publicIPAddressType": "Static",
- "resourceGroupName": "[resourceGroup().name]",
-
- "routeCmd": "route",
- "singleQuote": "'",
- "skuToUse": "[concat('f5-', variables('imageNameSub'),'-byol')]",
- "storageApiVersion": "2017-10-01",
- "storageProfileArray": {
- "customImage": {
- "imageReference": {
- "id": "[if(variables('createNewCustomImage'), resourceId('Microsoft.Compute/images', variables('newCustomImageName')), variables('customImage'))]"
- }
- },
- "platformImage": {
- "imageReference": "[variables('imageReference')]",
- "osDisk": {
- "createOption": "FromImage"
- }
- }
- },
- "subscriptionID": "[subscription().subscriptionId]",
- "useCustomImage": "[not(empty(variables('customImage')))]",
-
- "virtualNetworkName": "SCCA_VNet",
- "vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]"
- },
- "resources": [
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[not(equals(variables('numberOfExternalIps'),0))]",
- "copy": {
- "count": "[if(not(equals(variables('numberOfExternalIps'), 0)), variables('numberOfExternalIps'), 1)]",
- "name": "extpipcopy"
- },
- "location": "[variables('location')]",
- "name": "[concat(variables('extPublicIPAddressNamePrefix'), copyIndex())]",
- "properties": {
- "idleTimeoutInMinutes": 30,
- "publicIPAllocationMethod": "[variables('publicIPAddressType')]",
- "dnsSettings": {
- "domainNameLabel": "[concat(variables('dnsLabelPrefix'), '-0')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/publicIPAddresses"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('NorthboundLoadBalancerType'),'Private-ilb')]",
- "location": "[variables('location')]",
- "name": "[variables('mgmtPublicIPAddressName')]",
- "properties": {
- "dnsSettings": {
- "domainNameLabel": "[concat(variables('dnsLabelPrefix'), '-1')]"
- },
- "idleTimeoutInMinutes": 30,
- "publicIPAllocationMethod": "[variables('publicIPAddressType')]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/publicIPAddresses"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('virtualNetworkName')]",
- "properties": {
- "addressSpace": {
- "addressPrefixes": [
- "[parameters('NorthUntrustedAddressSubnet')]",
- "[parameters('NorthTrustedAddressSubnet')]",
- "[variables('ManagementAddressSubnet')]",
- "[parameters('SouthUntrustedAddressSubnet')]",
- "[parameters('SouthTrustedAddressSubnet')]",
- "[parameters('IPSUntrustedAddressSubnet')]",
- "[parameters('IPSTrustedAddressSubnet')]",
- "[parameters('VDMSAddressSubnet')]"
- ]
- },
- "subnets": [
- {
- "name": "[variables('mgmtSubnetName')]",
- "properties": {
- "addressPrefix": "[variables('ManagementAddressSubnet')]"
- }
- },
- {
- "name": "[variables('extSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('NorthUntrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('extSubnet2Name')]",
- "properties": {
- "addressPrefix": "[parameters('SouthUntrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('intSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('NorthTrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('intSubnet2Name')]",
- "properties": {
- "addressPrefix": "[parameters('SouthTrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('IPSExtSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('IPSUntrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('IPSIntSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('IPSTrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('vdmsSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('VDMSAddressSubnet')]"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/virtualNetworks"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "[variables('nbALbId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '0')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndMgmtPoolArray'), 1), skip(variables('backEndMgmtPoolArray'), 1))]",
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "[variables('nbALbId')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('mgmtLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '1')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndMgmtPoolArray'), 1), skip(variables('backEndMgmtPoolArray'), 1))]",
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "[variables('nbALbId')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('mgmtLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '2')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndMgmtPoolArray'), 1), skip(variables('backEndMgmtPoolArray'), 1))]",
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "[variables('nbALbId')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('mgmtLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '3')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndMgmtPoolArray'), 1), skip(variables('backEndMgmtPoolArray'), 1))]",
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '4')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress4')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '5')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress5')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '6')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress6')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '7')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress7')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[variables('mgmtNsgID')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "extpipcopy",
- "[variables('nbALbId')]",
- "[variables('nbILbId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '0')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig0')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndAddressPoolArray'), 1), skip(variables('backEndAddressPoolArray'), 1))]",
- "primary": false,
- "privateIPAddress": "[concat(variables('extSubnetPrivateAddressPrefix'), '.',10)]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "extpipcopy",
- "[variables('nbALbId')]",
- "[variables('nbILbId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '1')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig1')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndAddressPoolArray'), 1), skip(variables('backEndAddressPoolArray'), 1))]",
- "primary": false,
- "privateIPAddress": "[concat(variables('extSubnetPrivateAddressPrefix'), '.', 11)]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('sbILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '2')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnet2PrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnet2Id')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig2')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- "[variables('SBBackEndAddressPool')]"
- ],
- "primary": false,
- "privateIPAddress": "[concat(variables('extSubnet2PrivateAddressPrefix'), '.',10)]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnet2Id')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('sbILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '3')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnet2PrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnet2Id')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig3')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- "[variables('SBBackEndAddressPool')]"
- ],
- "primary": false,
- "privateIPAddress": "[concat(variables('extSubnet2PrivateAddressPrefix'), '.',11)]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnet2Id')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '0')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('intSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '1')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('intSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('sbILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '2')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnet2PrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnet2Id')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('intSubnet2PrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnet2Id')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('sbILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '3')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnet2PrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnet2Id')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('intSubnet2PrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnet2Id')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('IPSILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('IPSExtNicName'), '0')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-ext-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('IPSExtSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- "[variables('IPSBackEndAddressPool')]"
- ],
- "privateIPAddress": "[variables('IPSExtSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('IPSILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('IPSExtNicName'), '1')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-ext-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('IPSExtSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- "[variables('IPSBackEndAddressPool')]"
- ],
- "privateIPAddress": "[variables('IPSExtSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('IPSIntNicName'), '0')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('IPSIntSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSIntSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('IPSIntSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSIntSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('IPSIntNicName'), '1')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('IPSIntSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSIntSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('IPSIntSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSIntSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-nsg')]",
- "properties": {
- "securityRules": [
- {
- "name": "https_allow_443",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "[variables('bigIpMgmtPort')]",
- "direction": "Outbound",
- "priority": 101,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkSecurityGroups"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-ext-nsg')]",
- "properties": {
- "securityRules": [
- {
- "name": "ssh_allow_22",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "22",
- "direction": "Inbound",
- "priority": 102,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- },
- {
- "name": "rdp_allow_3389",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "3389",
- "direction": "Inbound",
- "priority": 103,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkSecurityGroups"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('NorthboundLoadBalancerType'),'Public-alb')]",
- "dependsOn": [
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[variables('NorthboundLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- },
- {
- "name": "loadBalancerMgmtBackEnd"
- }
- ],
- "copy": [
- {
- "count": "[if(not(equals(variables('numberOfExternalIps'), 0)), variables('numberOfExternalIps'), 1)]",
- "input": {
- "name": "[concat('loadBalancerFrontEnd', copyIndex('frontendIPConfigurations', 1))]",
- "properties": {
- "publicIPAddress": {
- "id": "[concat(variables('extPublicIPAddressIdPrefix'), sub(copyIndex('frontendIPConfigurations', 1), 1))]"
- }
- }
- },
- "name": "frontendIPConfigurations"
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 3389,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "protocol": "Http",
- "port": 80,
- "requestPath": "/",
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "https_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 3,
- "port": 443,
- "protocol": "Tcp"
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 3389,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/probes/rdp_alive')]"
- }
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 22,
- "backendPort": 22,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/probes/ssh_alive')]"
- }
- }
- },
- {
- "Name": "management_outbound",
- "properties": {
- "backendPort": 8443,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 8443,
- "idleTimeoutInMinutes": 15,
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/backendAddressPools/loadBalancerMgmtBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/probes/https_alive')]"
- },
- "protocol": "Tcp"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('NorthboundLoadBalancerType'),'Private-ilb')]",
- "dependsOn": [
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[variables('NorthboundLoadBalancerNameb')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "loadBalancerFrontEnd",
- "properties": {
- "privateIPAddress": "[parameters('NorthUntrustedLBPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 3389,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "protocol": "Http",
- "port": 80,
- "requestPath": "/",
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 3389,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/probes/rdp_alive')]"
- }
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 22,
- "backendPort": 22,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/probes/ssh_alive')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('SouthboundLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "loadBalancerFrontEnd",
- "properties": {
- "privateIPAddress": "[parameters('SouthUntrustedLBPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnet2Id')]"
- }
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 3389,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "protocol": "Http",
- "port": 80,
- "requestPath": "/",
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 3389,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/probes/rdp_alive')]"
- }
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 22,
- "backendPort": 22,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/probes/ssh_alive')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('IPSLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "loadBalancerFrontEnd",
- "properties": {
- "privateIPAddress": "[parameters('IPSUntrustedLBPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 3389,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "protocol": "Http",
- "port": 80,
- "requestPath": "/",
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "https_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 3,
- "port": 443,
- "protocol": "Tcp"
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 3389,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/probes/rdp_alive')]"
- }
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 22,
- "backendPort": 22,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/probes/ssh_alive')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('NorthboundLoadBalancerType'),'Private-ilb')]",
- "dependsOn": [
- "[concat('Microsoft.Network/publicIPAddresses/', variables('mgmtPublicIPAddressName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('mgmtLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerMgmtBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "loadBalancerFrontEnd",
- "properties": {
- "privateIPAllocationMethod": "Dynamic",
- "publicIPAddress": {
- "id": "[variables('mgmtPublicIPAddressIdPrefix')]"
- },
- "privateIPAddressVersion": "IPv4"
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "for_outbound",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('mgmtLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 1234,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('mgmtLoadBalancerName')), '/backendAddressPools/loadBalancerMgmtBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('mgmtLoadBalancerName')), '/probes/ssh_alive')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName0')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName1')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName2')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName3')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('storageApiVersion')]",
- "kind": "Storage",
- "location": "[variables('location')]",
- "name": "[variables('newDataStorageAccountName')]",
- "properties": {
- "supportsHttpsTrafficOnly": true
- },
- "sku": {
- "name": "[variables('dataStorageAccountType')]",
- "tier": "Standard"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Storage/storageAccounts"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "condition": "[and(variables('useCustomImage'), variables('createNewCustomImage'))]",
- "location": "[variables('location')]",
- "name": "[variables('newCustomImageName')]",
- "properties": {
- "storageProfile": {
- "osDisk": {
- "blobUri": "[variables('customImage')]",
- "osState": "Generalized",
- "osType": "Linux",
- "storageAccountType": "[if(contains(variables('premiumInstanceArray'), parameters('instanceType')), 'Premium_LRS', 'Standard_LRS')]"
- }
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/images"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName0'))]",
- "[variables('newCustomImageName')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '0')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId0')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '0'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')].one]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName0'))]",
- "[variables('newCustomImageName')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '1')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId0')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '1'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')].two]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName1'))]",
- "[variables('newCustomImageName')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '2')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '2')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '2')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId1')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '2'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '2'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '2'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')].three]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName1'))]",
- "[variables('newCustomImageName')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '3')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '3')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '3')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId1')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '3'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '3'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '3'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')].four]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "2018-10-01",
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[concat(variables('IPSFirewallName'), '0')]",
- "location": "[variables('location')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName2'))]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '6')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('IPSExtNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('IPSIntNicName'), '0')]"
- ],
- "properties": {
- "availabilitySet": "[variables('availabilitySetId2')]",
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "osProfile": {
- "computerName": "[concat(variables('IPSFirewallName'), '0')]",
- "adminUsername": "[parameters('adminUsername')]",
- "adminPassword": "[parameters('adminPasswordOrKey')]",
- "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), json('null'), variables('jblinuxConfiguration'))]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "[variables('jbimagePublisher')]",
- "offer": "[variables('jbimageOffer')]",
- "sku": "[variables('jbubuntuOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- },
- "dataDisks": [
- {
- "diskSizeGB": 1023,
- "lun": 0,
- "createOption": "Empty"
- }
- ]
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '6'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('IPSExtNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('IPSIntNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
- }
- }
- }
- },
- {
- "apiVersion": "2018-10-01",
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[concat(variables('IPSFirewallName'), '1')]",
- "location": "[variables('location')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName2'))]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '7')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('IPSExtNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('IPSIntNicName'), '1')]"
- ],
- "properties": {
- "availabilitySet": "[variables('availabilitySetId2')]",
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "osProfile": {
- "computerName": "[concat(variables('IPSFirewallName'), '1')]",
- "adminUsername": "[parameters('adminUsername')]",
- "adminPassword": "[parameters('adminPasswordOrKey')]",
- "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), json('null'), variables('jblinuxConfiguration'))]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "[variables('jbimagePublisher')]",
- "offer": "[variables('jbimageOffer')]",
- "sku": "[variables('jbubuntuOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- },
- "dataDisks": [
- {
- "diskSizeGB": 1023,
- "lun": 0,
- "createOption": "Empty"
- }
- ]
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '7'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('IPSExtNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('IPSIntNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
- }
- }
- }
- },
- {
- "apiVersion": "2018-10-01",
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[variables('jbvmName')]",
- "location": "[variables('location')]",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '4'))]"
- ],
- "properties": {
- "hardwareProfile": {
- "vmSize": "[variables('jbvmSize')]"
- },
- "osProfile": {
- "computerName": "[variables('jbvmName')]",
- "adminUsername": "[parameters('adminUsername')]",
- "adminPassword": "[parameters('adminPasswordOrKey')]",
- "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), json('null'), variables('jblinuxConfiguration'))]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "[variables('jbimagePublisher')]",
- "offer": "[variables('jbimageOffer')]",
- "sku": "[variables('jbubuntuOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- },
- "dataDisks": [
- {
- "diskSizeGB": 1023,
- "lun": 0,
- "createOption": "Empty"
- }
- ]
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '4'))]"
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
- }
- }
- }
- },
- {
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[variables('WinvmName')]",
- "location": "[variables('location')]",
- "apiVersion": "2018-10-01",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '5'))]"
- ],
- "properties": {
- "hardwareProfile": {
- "vmSize": "Standard_A2"
- },
- "osProfile": {
- "computerName": "[variables('WinvmName')]",
- "adminUsername": "[parameters('adminUsername')]",
- "adminPassword": "[parameters('WindowsAdminPassword')]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "MicrosoftWindowsServer",
- "offer": "WindowsServer",
- "sku": "[variables('windowsOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- },
- "dataDisks": [
- {
- "diskSizeGB": 1023,
- "lun": 0,
- "createOption": "Empty"
- }
- ]
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '5'))]"
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))).primaryEndpoints.blob]"
- }
- }
- }
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '0/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; /usr/bin/install -m 400 /dev/null /config/cloud/.bigIqPasswd; encrypt_secret ', variables('singleQuote'), parameters('bigIqPassword'), variables('singleQuote'), ' \"/config/cloud/.bigIqPasswd\"; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '0.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --license-pool --big-iq-host ', parameters('bigIqAddress'), ' --big-iq-user ', parameters('bigIqUsername'), ' --big-iq-password-uri file:///config/cloud/.bigIqPasswd --big-iq-password-encrypted --license-pool-name ', parameters('bigIqLicensePoolName'), ' $(format_args sku-keyword-1:', parameters('bigIqLicenseSkuKeyWord1'), ',unit-of-measure:', parameters('bigIqLicenseUnitOfMeasure'), ') --big-ip-mgmt-address ', variables('mgmtSubnetPrivateAddress'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('Tier1bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[variables('enableNetworkFailover')].first, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress'), ' --create-group --device-group Sync --sync-type sync-failover --device ', concat(variables('instanceName'), '0.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --network-failover --auto-sync --save-on-auto-sync;', variables('firewallConfig'), ' bash /config/cloud/deploy_app.sh ', variables('commandArgs'), '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; rm -f /config/cloud/.bigIqPasswd; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('installDODRootCA'), variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/Certificates_PKCS7_v5.5_DoD.zip",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh",
- "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/working/asm/15.1/sccaBaselineASMPolicy.xml"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '1/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; /usr/bin/install -m 400 /dev/null /config/cloud/.bigIqPasswd; encrypt_secret ', variables('singleQuote'), parameters('bigIqPassword'), variables('singleQuote'), ' \"/config/cloud/.bigIqPasswd\"; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '1.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --license-pool --big-iq-host ', parameters('bigIqAddress'), ' --big-iq-user ', parameters('bigIqUsername'), ' --big-iq-password-uri file:///config/cloud/.bigIqPasswd --big-iq-password-encrypted --license-pool-name ', parameters('bigIqLicensePoolName'), ' $(format_args sku-keyword-1:', parameters('bigIqLicenseSkuKeyWord1'), ',unit-of-measure:', parameters('bigIqLicenseUnitOfMeasure'), ') --big-ip-mgmt-address ', variables('mgmtSubnetPrivateAddress1'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('Tier1bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress1'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress1'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[variables('enableNetworkFailover')].second, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress1'), ' --join-group --device-group Sync --sync --remote-host ', variables('mgmtSubnetPrivateAddress'), ' --remote-user svc_user --remote-password-url file:///config/cloud/.passwd', '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; rm -f /config/cloud/.bigIqPasswd; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '2/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; /usr/bin/install -m 400 /dev/null /config/cloud/.bigIqPasswd; encrypt_secret ', variables('singleQuote'), parameters('bigIqPassword'), variables('singleQuote'), ' \"/config/cloud/.bigIqPasswd\"; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress2'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '2.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --license-pool --big-iq-host ', parameters('bigIqAddress'), ' --big-iq-user ', parameters('bigIqUsername'), ' --big-iq-password-uri file:///config/cloud/.bigIqPasswd --big-iq-password-encrypted --license-pool-name ', parameters('bigIqLicensePoolName'), ' $(format_args sku-keyword-1:', parameters('bigIqLicenseSkuKeyWord1'), ',unit-of-measure:', parameters('bigIqLicenseUnitOfMeasure'), ') --big-ip-mgmt-address ', variables('mgmtSubnetPrivateAddress2'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('Tier3bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress2'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw2'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnet2PrivateAddress'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnet2PrivateAddress'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[variables('enableNetworkFailover')].third, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress2'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnet2PrivateAddress'), ' --create-group --device-group Sync --sync-type sync-failover --device ', concat(variables('instanceName'), '2.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --network-failover --auto-sync --save-on-auto-sync;', variables('firewallConfig2'), ' bash /config/cloud/deploy_app.sh ', variables('commandArgs2'), '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; rm -f /config/cloud/.bigIqPasswd; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('installDODRootCA'), variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/Certificates_PKCS7_v5.5_DoD.zip",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh",
- "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/working/asm/15.1/sccaBaselineASMPolicy.xml"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '3/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; /usr/bin/install -m 400 /dev/null /config/cloud/.bigIqPasswd; encrypt_secret ', variables('singleQuote'), parameters('bigIqPassword'), variables('singleQuote'), ' \"/config/cloud/.bigIqPasswd\"; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress3'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '3.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --license-pool --big-iq-host ', parameters('bigIqAddress'), ' --big-iq-user ', parameters('bigIqUsername'), ' --big-iq-password-uri file:///config/cloud/.bigIqPasswd --big-iq-password-encrypted --license-pool-name ', parameters('bigIqLicensePoolName'), ' $(format_args sku-keyword-1:', parameters('bigIqLicenseSkuKeyWord1'), ',unit-of-measure:', parameters('bigIqLicenseUnitOfMeasure'), ') --big-ip-mgmt-address ', variables('mgmtSubnetPrivateAddress3'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('Tier3bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress3'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw2'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnet2PrivateAddress1'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnet2PrivateAddress1'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[variables('enableNetworkFailover')].fourth, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress3'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnet2PrivateAddress1'), ' --join-group --device-group Sync --sync --remote-host ', variables('mgmtSubnetPrivateAddress2'), ' --remote-user svc_user --remote-password-url file:///config/cloud/.passwd', '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; rm -f /config/cloud/.bigIqPasswd; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- }
- ],
- "outputs": {
- }
-}
\ No newline at end of file
diff --git a/SACAv2/3NIC_3Tier_HA/byol/azureDeploy.json b/SACAv2/3NIC_3Tier_HA/byol/azureDeploy.json
deleted file mode 100644
index 232a028..0000000
--- a/SACAv2/3NIC_3Tier_HA/byol/azureDeploy.json
+++ /dev/null
@@ -1,2895 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "6.0.2.0",
- "parameters": {
- "governmentCloudRegion": {
- "defaultValue": true,
- "metadata": {
- "description": "Type of cloud this template will deploy into, ensure to select false for commercial."
- },
- "type": "bool"
- },
- "adminUsername": {
- "defaultValue": "xadmin",
- "metadata": {
- "description": "User name for the Virtual Machine."
- },
- "type": "string"
- },
- "authenticationType": {
- "allowedValues": [
- "password",
- "sshPublicKey"
- ],
- "defaultValue": "password",
- "metadata": {
- "description": "Type of authentication to use on the Virtual Machine, password based authentication or key based authentication."
- },
- "type": "string"
- },
- "adminPasswordOrKey": {
- "metadata": {
- "description": "Password or SSH public key to login to the Virtual Machine. Note: There are a number of special characters that you should avoid using for F5 product user accounts. See [K2873](https://support.f5.com/csp/article/K2873) for details. Note: If using key-based authentication, this should be the public key as a string, typically starting with **---- BEGIN SSH2 PUBLIC KEY ----** and ending with **---- END SSH2 PUBLIC KEY ----**."
- },
- "type": "securestring"
- },
- "WindowsAdminPassword": {
- "type": "securestring",
- "metadata": {
- "description": "Password for the Windows Virtual Machine."
- }
- },
- "Tier1bigIpModules": {
- "defaultValue": "ltm:nominal,asm:nominal,afm:nominal",
- "metadata": {
- "description": "Comma separated list of modules and levels to provision, for example, ltm:nominal,asm:nominal"
- },
- "type": "string"
- },
- "Tier1DeclarationUrl": {
- "defaultValue": "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/dist/arm/3.16.0/byolsccaBaseline.json",
- "metadata": {
- "description": "URL for the AS3 (https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.16.0/) declaration JSON file to be deployed. Leave as **NOT_SPECIFIED** to deploy without a service configuration."
- },
- "type": "string"
- },
- "Tier3bigIpModules": {
- "defaultValue": "ltm:nominal,afm:nominal",
- "metadata": {
- "description": "Comma separated list of modules and levels to provision, for example, ltm:nominal,asm:nominal"
- },
- "type": "string"
- },
- "Tier3DeclarationUrl": {
- "defaultValue": "NOT_SPECIFIED",
- "metadata": {
- "description": "URL for the AS3 (https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.5.1/) declaration JSON file to be deployed. Leave as **NOT_SPECIFIED** to deploy without a service configuration."
- },
- "type": "string"
- },
- "dnsLabelPrefix": {
- "defaultValue": "f5dns",
- "metadata": {
- "description": "Unique DNS HOST Name for the Public IP address used to access the Virtual Machine."
- },
- "type": "string"
- },
- "instanceName": {
- "defaultValue": "bigip",
- "metadata": {
- "description": "Name of the Virtual Machine."
- },
- "maxLength": 7,
- "type": "string"
- },
- "instanceType": {
- "allowedValues": [
- "Standard_D3",
- "Standard_D4",
- "Standard_D11",
- "Standard_D12",
- "Standard_D13",
- "Standard_D14",
- "Standard_DS3",
- "Standard_DS4",
- "Standard_DS11",
- "Standard_DS12",
- "Standard_DS13",
- "Standard_DS14",
- "Standard_D3_v2",
- "Standard_D4_v2",
- "Standard_D5_v2",
- "Standard_D11_v2",
- "Standard_D12_v2",
- "Standard_D13_v2",
- "Standard_D14_v2",
- "Standard_D15_v2",
- "Standard_DS3_v2",
- "Standard_DS4_v2",
- "Standard_DS5_v2",
- "Standard_DS11_v2",
- "Standard_DS12_v2",
- "Standard_DS13_v2",
- "Standard_DS14_v2",
- "Standard_DS15_v2",
- "Standard_F4",
- "Standard_F8",
- "Standard_F4S",
- "Standard_F8S",
- "Standard_F16S",
- "Standard_G3",
- "Standard_G4",
- "Standard_G5",
- "Standard_GS3",
- "Standard_GS4",
- "Standard_GS5"
- ],
- "defaultValue": "Standard_DS4_v2",
- "metadata": {
- "description": "Instance size of the Virtual Machine."
- },
- "type": "string"
- },
- "bigIpVersion": {
- "allowedValues": [
- "15.0.100000",
- "14.1.200000",
- "latest"
- ],
- "defaultValue": "14.1.200000",
- "metadata": {
- "description": "F5 BIG-IP version you want to use."
- },
- "type": "string"
- },
- "imageName": {
- "allowedValues": [
- "LTMTwoBootLocations",
- "AllTwoBootLocations"
- ],
- "defaultValue": "AllTwoBootLocations",
- "metadata": {
- "description": "F5 SKU (image) you want to deploy. Note: The disk size of the VM will be determined based on the option you select. **Important**: If intending to provision multiple modules, ensure the appropriate value is selected, such as ****AllTwoBootLocations or AllOneBootLocation****."
- },
- "type": "string"
- },
- "licenseKey1": {
- "defaultValue": "",
- "metadata": {
- "description": "The license token for the F5 BIG-IP VE (BYOL)."
- },
- "type": "string"
- },
- "licenseKey2": {
- "defaultValue": "",
- "metadata": {
- "description": "The license token for the F5 BIG-IP VE (BYOL). This field is required when deploying two or more devices."
- },
- "type": "string"
- },
- "licenseKey3": {
- "defaultValue": "",
- "metadata": {
- "description": "The license token for the F5 BIG-IP VE (BYOL)."
- },
- "type": "string"
- },
- "licenseKey4": {
- "defaultValue": "",
- "metadata": {
- "description": "The license token for the F5 BIG-IP VE (BYOL)."
- },
- "type": "string"
- },
- "STIGDevice": {
- "defaultValue": true,
- "metadata": {
- "description": "This setting will determine whether STIGS/SRGS will be applied at Onboarding."
- },
- "type": "bool"
- },
- "restrictedSrcAddress": {
- "defaultValue": "*",
- "metadata": {
- "description": "This field restricts management access to a specific network or address. Enter an IP address or address range in CIDR notation, or asterisk for all sources"
- },
- "type": "string"
- },
- "NorthboundLoadBalancerType": {
- "allowedValues": [
- "Public-alb",
- "Private-ilb"
- ],
- "defaultValue": "Public-alb",
- "metadata": {
- "description": "Specify a the type of Northbound Azure load balancer to deploy. Note: As of the initial release of this template, it is default to Public-alb"
- },
- "type": "string"
- },
- "NorthUntrustedAddressSubnet": {
- "defaultValue": "192.168.2.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the North Untrusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "NorthUntrustedAddressStartIP": {
- "defaultValue": "192.168.2.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "NorthUntrustedLBPrivateAddress": {
- "defaultValue": "192.168.2.100",
- "metadata": {
- "description": "The static address of the North Bound LB IP to be used for deployment. This is use ONLY IF the NorthboundLoadBalancerType is 'Private-ilb' type. You MUST type the full IP Address '192.168.2.100'."
- },
- "type": "string"
- },
- "NorthTrustedAddressSubnet": {
- "defaultValue": "192.168.3.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the North Trusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "NorthTrustedAddressStartIP": {
- "defaultValue": "192.168.3.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "VDMSAddressSubnet": {
- "defaultValue": "192.168.4.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the VDSS Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "IPSTier": {
- "allowedValues": [
- "Yes",
- "No"
- ],
- "defaultValue": "Yes",
- "metadata": {
- "description": "Specify whether IPS Tier would deploy from this template. If 'Yes', then this is a 3-teirs architecture, otherwise it is 2-tiers architecture"
- },
- "type": "string"
- },
- "IPSUntrustedAddressSubnet": {
- "defaultValue": "192.168.5.0/24",
- "metadata": {
- "description": "The CIDR block the IPS VEs use when creating the Untrusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "IPSUntrustedAddressStartIP": {
- "defaultValue": "192.168.5.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "IPSUntrustedLBPrivateAddress": {
- "defaultValue": "192.168.5.100",
- "metadata": {
- "description": "The static address of the IPS LB IP to be used for deployment. You MUST type the full IP Address '192.168.5.100'."
- },
- "type": "string"
- },
- "IPSTrustedAddressSubnet": {
- "defaultValue": "192.168.6.0/24",
- "metadata": {
- "description": "The CIDR block the IPS VEs use when creating the South Trusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "IPSTrustedAddressStartIP": {
- "defaultValue": "192.168.6.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "SouthUntrustedAddressSubnet": {
- "defaultValue": "192.168.7.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the South Untrusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "SouthUntrustedAddressStartIP": {
- "defaultValue": "192.168.7.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "SouthUntrustedLBPrivateAddress": {
- "defaultValue": "192.168.7.100",
- "metadata": {
- "description": "The static address of the South Bound LB IP to be used for deployment. You MUST type the full IP Address '192.168.7.100'."
- },
- "type": "string"
- },
- "SouthTrustedAddressSubnet": {
- "defaultValue": "192.168.8.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the South Trusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "SouthTrustedAddressStartIP": {
- "defaultValue": "192.168.8.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "ntpServer": {
- "defaultValue": "0.pool.ntp.org",
- "metadata": {
- "description": "Leave the default NTP server the BIG-IP uses, or replace the default NTP server with the one you want to use."
- },
- "type": "string"
- },
- "timeZone": {
- "defaultValue": "UTC",
- "metadata": {
- "description": "If you would like to change the time zone the BIG-IP uses, enter the time zone you want to use. This is based on the tz database found in /usr/share/zoneinfo (see the full list [here](https://github.com/F5Networks/f5-azure-arm-templates/blob/master/azure-timezone-list.md)). Example values: UTC, US/Pacific, US/Eastern, Europe/London or Asia/Singapore."
- },
- "type": "string"
- },
- "allowUsageAnalytics": {
- "allowedValues": [
- "Yes",
- "No"
- ],
- "defaultValue": "Yes",
- "metadata": {
- "description": "This deployment can send anonymous statistics to F5 to help us determine how to improve our solutions. If you select **No** statistics are not sent."
- },
- "type": "string"
- },
- "tagValues": {
- "defaultValue": {
- "application": "APP",
- "cost": "COST",
- "environment": "ENV",
- "group": "GROUP",
- "owner": "OWNER"
- },
- "metadata": {
- "description": "Default key/value resource tags will be added to the resources in this deployment, if you would like the values to be unique adjust them as needed for each key."
- },
- "type": "object"
- }
- },
- "variables": {
- "cloudRegion": {
- "false": ".cloudapp.azure.com",
- "true": ".cloudapp.usgovcloudapi.net"
- },
- "cloudPath": "[if(parameters('governmentCloudRegion'), variables('cloudRegion').true, variables('cloudRegion').false)]",
- "tagValues": "[parameters('tagValues')]",
- "adminPasswordOrKey": "[replace(parameters('adminPasswordOrKey'),'\\n', '\n')]",
- "allowUsageAnalytics": {
- "No": {
- "hashCmd": "echo AllowUsageAnalytics:No",
- "metricsCmd": ""
- },
- "Yes": {
- "hashCmd": "[concat('custId=`echo \"', variables('subscriptionId'), '\"|sha512sum|cut -d \" \" -f 1`; deployId=`echo \"', variables('deploymentId'), '\"|sha512sum|cut -d \" \" -f 1`')]",
- "metricsCmd": "[concat(' --metrics customerId:${custId},deploymentId:${deployId},templateName:failover_3nic-new-stack-saca-byol,templateVersion:7.2.0.0,region:', variables('location'), ',bigIpVersion:', parameters('bigIpVersion') ,',licenseType:byol,cloudLibsVersion:', variables('f5CloudLibsTag'), ',cloudName:azure')]"
- }
- },
- "failovertagValues": {
- "f5_cloud_failover_label": "scca",
- "f5_cloud_failover_nic_map": "external"
- },
- "appScript": "IyEvYmluL2Jhc2gKZnVuY3Rpb24gcGFzc3dkKCkgewogIGVjaG8gfCBmNS1yZXN0LW5vZGUgL2NvbmZpZy9jbG91ZC9henVyZS9ub2RlX21vZHVsZXMvQGY1ZGV2Y2VudHJhbC9mNS1jbG91ZC1saWJzL3NjcmlwdHMvZGVjcnlwdERhdGFGcm9tRmlsZS5qcyAtLWRhdGEtZmlsZSAvY29uZmlnL2Nsb3VkLy5wYXNzd2QgfCBhd2sgJ3twcmludCAkMX0nCn0KCndoaWxlIGdldG9wdHMgbzp1OiBvcHRpb24KZG8gY2FzZSAiJG9wdGlvbiIgIGluCiAgICAgICAgbykgZGVjbGFyYXRpb25Vcmw9JE9QVEFSRzs7CiAgICAgICAgdSkgdXNlcj0kT1BUQVJHOzsKICAgIGVzYWMKZG9uZQoKZGVwbG95ZWQ9Im5vIgpmaWxlX2xvYz0iL2NvbmZpZy9jbG91ZC9jdXN0b21fY29uZmlnIgpkZmxfbWdtdF9wb3J0PWB0bXNoIGxpc3Qgc3lzIGh0dHBkIHNzbC1wb3J0IHwgZ3JlcCBzc2wtcG9ydCB8IHNlZCAncy9zc2wtcG9ydCAvLztzLyAvL2cnYAp1cmxfcmVnZXg9IihodHRwOlwvXC98aHR0cHM6XC9cLyk/W2EtejAtOV0rKFtcLVwuXXsxfVthLXowLTldKykqXC5bYS16XXsyLDV9KDpbMC05XXsxLDV9KT8oXC8uKik/JCIKCmlmIFtbICRkZWNsYXJhdGlvblVybCA9fiAkdXJsX3JlZ2V4IF1dOyB0aGVuCiAgICByZXNwb25zZV9jb2RlPSQoL3Vzci9iaW4vY3VybCAtLWludGVyZmFjZSBtZ210IC1zayAtdyAiJXtodHRwX2NvZGV9IiAkZGVjbGFyYXRpb25VcmwgLW8gJGZpbGVfbG9jKQogICAgaWYgW1sgJHJlc3BvbnNlX2NvZGUgPT0gMjAwIF1dOyB0aGVuCiAgICAgICAgIGVjaG8gIkN1c3RvbSBjb25maWcgZG93bmxvYWQgY29tcGxldGU7IGNoZWNraW5nIGZvciB2YWxpZCBKU09OLiIKICAgICAgICAgY2F0ICRmaWxlX2xvYyB8IGpxIC5jbGFzcwogICAgICAgICBpZiBbWyAkPyA9PSAwIF1dOyB0aGVuCiAgICAgICAgICAgICByZXNwb25zZV9jb2RlPSQoL3Vzci9iaW4vY3VybCAtc2t2dnUgJHVzZXI6JChwYXNzd2QpIC13ICIle2h0dHBfY29kZX0iIC1YIFBPU1QgLUggIkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vanNvbiIgLUggJ0V4cGVjdDonIC1kICJAJGZpbGVfbG9jIiBodHRwczovL2xvY2FsaG9zdDokZGZsX21nbXRfcG9ydC9tZ210L3NoYXJlZC9hcHBzdmNzL2RlY2xhcmUgLW8gL2Rldi9udWxsKQoKICAgICAgICAgICAgIGlmIFtbICRyZXNwb25zZV9jb2RlID09IDIwMCB8fCAkcmVzcG9uc2VfY29kZSA9PSAyMDcgfHwgJHJlc3BvbnNlX2NvZGUgPT0gNTAyIF1dOyB0aGVuCiAgICAgICAgICAgICAgICAgIGVjaG8gIkRlcGxveW1lbnQgb2YgYXBwbGljYXRpb24gc3VjY2VlZGVkLiAkcmVzcG9uc2VfY29kZSIKICAgICAgICAgICAgICAgICAgZGVwbG95ZWQ9InllcyIKICAgICAgICAgICAgIGVsc2UKICAgICAgICAgICAgICAgICBlY2hvICJGYWlsZWQgdG8gZGVwbG95IGFwcGxpY2F0aW9uOyBjb250aW51aW5nIHdpdGggcmVzcG9uc2UgY29kZSAnIiRyZXNwb25zZV9jb2RlIiciCiAgICAgICAgICAgICBmaQogICAgICAgICBlbHNlCiAgICAgICAgICAgICBlY2hvICJDdXN0b20gY29uZmlnIHdhcyBub3QgdmFsaWQgSlNPTiwgY29udGludWluZyIKICAgICAgICAgZmkKICAgIGVsc2UKICAgICAgICBlY2hvICJGYWlsZWQgdG8gZG93bmxvYWQgY3VzdG9tIGNvbmZpZzsgY29udGludWluZyB3aXRoIHJlc3BvbnNlIGNvZGUgJyIkcmVzcG9uc2VfY29kZSInIgogICAgZmkKZWxzZQogICAgIGVjaG8gIkN1c3RvbSBjb25maWcgd2FzIG5vdCBhIFVSTCwgY29udGludWluZy4iCmZpCgppZiBbWyAkZGVwbG95ZWQgPT0gIm5vIiAmJiAkZGVjbGFyYXRpb25VcmwgPT0gIk5PVF9TUEVDSUZJRUQiIF1dOyB0aGVuCiAgICBlY2hvICJBcHBsaWNhdGlvbiBkZXBsb3ltZW50IGZhaWxlZCBvciBjdXN0b20gVVJMIHdhcyBub3Qgc3BlY2lmaWVkLiIKZmkKCmVjaG8gIkRlcGxveW1lbnQgY29tcGxldGUuIgpleGl0",
- "availabilitySetName0": "[concat(variables('dnsLabelPrefix'), '-avset0')]",
- "availabilitySetName1": "[concat(variables('dnsLabelPrefix'), '-avset1')]",
- "availabilitySetName2": "[concat(variables('dnsLabelPrefix'), '-avset2')]",
- "availabilitySetName3": "[concat(variables('dnsLabelPrefix'), '-avset3')]",
- "availabilitySetId0": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets',variables('availabilitySetName0'))]"
- },
- "availabilitySetId1": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets',variables('availabilitySetName1'))]"
- },
- "availabilitySetId2": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets',variables('availabilitySetName2'))]"
- },
- "backEndAddressPoolArray": [
- {
- "id": "[concat(variables('nbALBid'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- },
- {
- "id": "[concat(variables('nbILBid'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- }
- ],
- "backEndMgmtPoolArray": [
- {
- "id": "[concat(variables('nbALBid'), '/backendAddressPools/', 'loadBalancerMgmtBackEnd')]"
- },
- {
- "id": "[concat(variables('mgmtALBid'), '/backendAddressPools/', 'loadBalancerMgmtBackEnd')]"
- }
- ],
- "SBBackEndAddressPool": {
- "id": "[concat(variables('sbILBid'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- },
- "IPSBackEndAddressPool": {
- "id": "[concat(variables('IPSILBid'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- },
- "bigIpNicPortMap": {
- "1": {
- "Port": "[parameters('bigIpVersion')]"
- },
- "2": {
- "Port": "443"
- },
- "3": {
- "Port": "443"
- },
- "4": {
- "Port": "443"
- },
- "5": {
- "Port": "443"
- },
- "6": {
- "Port": "443"
- }
- },
- "bigIpNicPortValue": "[variables('bigIpNicPortMap')['3'].Port]",
-
- "bigIpVersionPortMap": {
- "443": {
- "Port": 443
- },
- "15.0.100000": {
- "Port": 8443
- },
- "14.1.200000": {
- "Port": 8443
- },
- "latest": {
- "Port": 8443
- }
- },
-
- "bigIpMgmtPort": "[variables('bigIpVersionPortMap')[variables('bigIpNicPortValue')].Port]",
-
- "commandArgs": "[concat('-o ', parameters('Tier1DeclarationUrl'), ' -u svc_user')]",
- "commandArgs2": "[concat('-o ', parameters('Tier3DeclarationUrl'), ' -u svc_user')]",
- "computeApiVersion": "2017-12-01",
- "createNewCustomImage": "[contains(variables('customImage'), 'https://')]",
- "customConfig": "### START (INPUT) CUSTOM CONFIGURATION HERE\n",
- "customImage": "",
- "dataStorageAccountType": "Standard_LRS",
- "deploymentId": "[concat(variables('subscriptionId'), resourceGroup().id, deployment().name, variables('dnsLabelPrefix'))]",
- "dnsLabelPrefix": "[toLower(parameters('dnsLabelPrefix'))]",
- "enableNetworkFailover": "Yes",
- "f5AS3Build": "f5-appsvcs-3.16.0-6.noarch.rpm",
- "f5CloudIappsLoggerTag": "v1.0.0",
- "f5CloudIappsSdTag": "v2.3.2",
- "f5CloudLibsTag": "v4.9.1",
- "failoverCmdArray": {
- "No": {
- "first": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '0.', variables('location'), variables('cloudPath')), ' unicast-address none')]",
- "second": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '1.', variables('location'), variables('cloudPath')), ' unicast-address none')]",
- "third": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '2.', variables('location'), variables('cloudPath')), ' unicast-address none')]",
- "fourth": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '3.', variables('location'), variables('cloudPath')), ' unicast-address none')]"
- },
- "Yes": {
- "first": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '0.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnetPrivateAddress'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress'))]",
- "second": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '1.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnetPrivateAddress1'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress1'))]",
- "third": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '2.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnet2PrivateAddress'), ' port 1026 } } mirror-ip ', variables('intSubnet2PrivateAddress'))]",
- "fourth": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '3.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnet2PrivateAddress1'), ' port 1026 } } mirror-ip ', variables('intSubnet2PrivateAddress1'))]"
- }
- },
-
- "installCustomConfig": "[concat(variables('singleQuote'), '#!/bin/bash\n', variables('customConfig'), variables('singleQuote'))]",
- "instanceName": "[toLower(parameters('instanceName'))]",
- "nbALBid": "[resourceId('Microsoft.Network/loadBalancers',variables('NorthboundLoadBalancerName'))]",
- "extNicName": "[concat(variables('dnsLabelPrefix'), '-ext')]",
- "extNsgID": "[resourceId('Microsoft.Network/networkSecurityGroups/',concat(variables('dnsLabelPrefix'),'-ext-nsg'))]",
- "extPublicIPAddressIdPrefix": "[resourceId('Microsoft.Network/publicIPAddresses', variables('extPublicIPAddressNamePrefix'))]",
- "extSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('extsubnetName'))]",
- "extSubnetName": "external",
- "extSubnetPrivateAddressPrefix": "[substring(parameters('NorthUntrustedAddressStartIP'), 0, lastindexOf(parameters('NorthUntrustedAddressStartIP'), '.'))]",
- "extSubnetStartDirty": "[substring(parameters('NorthUntrustedAddressStartIP'), lastIndexOf(parameters('NorthUntrustedAddressStartIP'), '.'), sub(length(parameters('NorthUntrustedAddressStartIP')), lastIndexOf(parameters('NorthUntrustedAddressStartIP'), '.')))]",
- "extSubnetStartInt": "[replace(variables('extSubnetStartDirty'), '.','')]",
- "extSubnetPrivateAddress": "[parameters('NorthUntrustedAddressStartIP')]",
- "extSubnetPrivateAddress1": "[concat(variables('extSubnetPrivateAddressPrefix'), '.',add(int(variables('extSubnetStartInt')), 1))]",
- "NorthboundLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-nb-alb')]",
- "mgmtLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-mgmt-alb')]",
- "extpublicIPAddressNamePrefix": "[concat(variables('dnsLabelPrefix'), '-ext-pip')]",
-
- "mgmtPublicIPAddressName": "[concat(variables('dnsLabelPrefix'), '-mgmt-pip')]",
- "mgmtPublicIPAddressIdPrefix": "[resourceId('Microsoft.Network/publicIPAddresses', variables('mgmtPublicIPAddressName'))]",
-
- "nbILBid": "[resourceId('Microsoft.Network/loadBalancers',variables('NorthboundLoadBalancerNameb'))]",
-
- "intNicName": "[concat(variables('dnsLabelPrefix'), '-int')]",
- "intSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('intsubnetName'))]",
- "intSubnetName": "internalNorth",
- "intSubnetPrivateAddressPrefix": "[substring(parameters('NorthTrustedAddressStartIP'), 0, lastindexOf(parameters('NorthTrustedAddressStartIP'), '.'))]",
- "intSubnetStartDirty": "[substring(parameters('NorthTrustedAddressStartIP'), lastIndexOf(parameters('NorthTrustedAddressStartIP'), '.'), sub(length(parameters('NorthTrustedAddressStartIP')), lastIndexOf(parameters('NorthTrustedAddressStartIP'), '.') ))]",
- "intSubnetStartInt": "[replace(variables('intSubnetStartDirty'), '.', '')]",
- "intSubnetPrivateAddress": "[parameters('NorthTrustedAddressStartIP')]",
- "intSubnetPrivateAddress1": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 1))]",
- "intSubnetPrivateAddress2": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 10))]",
- "intSubnetPrivateAddress3": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 11))]",
-
- "intSubnet2Name": "internalSouth",
- "intSubnet2Id": "[concat(variables('vnetId'), '/subnets/', variables('intSubnet2Name'))]",
- "intSubnet2PrivateAddressPrefix": "[substring(parameters('SouthTrustedAddressStartIP'), 0, lastindexOf(parameters('SouthTrustedAddressStartIP'), '.'))]",
- "intSubnet2StartDirty": "[substring(parameters('SouthTrustedAddressStartIP'), lastIndexOf(parameters('SouthTrustedAddressStartIP'), '.'), sub(length(parameters('SouthTrustedAddressStartIP')), lastIndexOf(parameters('SouthTrustedAddressStartIP'), '.') ))]",
- "intSubnet2StartInt": "[replace(variables('intSubnet2StartDirty'), '.', '')]",
- "intSubnet2PrivateAddress": "[parameters('SouthTrustedAddressStartIP')]",
- "intSubnet2PrivateAddress1": "[concat(variables('intSubnet2PrivateAddressPrefix'), '.', add(int(variables('intSubnet2StartInt')), 1))]",
- "intSubnet2PrivateAddress2": "[concat(variables('intSubnet2PrivateAddressPrefix'), '.', add(int(variables('intSubnet2StartInt')), 10))]",
- "intSubnet2PrivateAddress3": "[concat(variables('intSubnet2PrivateAddressPrefix'), '.', add(int(variables('intSubnet2StartInt')), 11))]",
-
- "NorthboundLoadBalancerNameb": "[concat(variables('dnsLabelPrefix'),'-nb-ilb')]",
-
- "tmmRouteGw": "[concat(variables('extSubnetPrivateAddressPrefix'), '.1')]",
-
- "mgmtALBid": "[resourceId('Microsoft.Network/loadBalancers',variables('mgmtLoadBalancerName'))]",
- "sbILBid": "[resourceId('Microsoft.Network/loadBalancers',variables('SouthboundLoadBalancerName'))]",
- "SouthboundLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-sb-ilb')]",
- "extSubnet2Name": "external2",
- "extSubnet2PrivateAddressPrefix": "[substring(parameters('SouthUntrustedAddressStartIP'), 0, lastindexOf(parameters('SouthUntrustedAddressStartIP'), '.'))]",
- "extSubnet2StartDirty": "[substring(parameters('SouthUntrustedAddressStartIP'), lastIndexOf(parameters('SouthUntrustedAddressStartIP'), '.'), sub(length(parameters('SouthUntrustedAddressStartIP')), lastIndexOf(parameters('SouthUntrustedAddressStartIP'), '.')))]",
- "extSubnet2StartInt": "[replace(variables('extSubnet2StartDirty'), '.','')]",
- "extSubnet2PrivateAddress": "[parameters('SouthUntrustedAddressStartIP')]",
- "extSubnet2PrivateAddress1": "[concat(variables('extSubnet2PrivateAddressPrefix'), '.',add(int(variables('extSubnet2StartInt')), 1))]",
- "extSubnet2Id": "[concat(variables('vnetId'), '/subnets/', variables('extSubnet2Name'))]",
-
- "tmmRoute2Gw": "[concat(variables('intSubnet2PrivateAddressPrefix'), '.1')]",
- "IPSILBid": "[resourceId('Microsoft.Network/loadBalancers',variables('IPSLoadBalancerName'))]",
- "IPSLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-ips-ilb')]",
- "IPSFirewallName": "[concat(variables('dnsLabelPrefix'),'-ips-fw')]",
- "IPSExtNicName": "[concat(variables('dnsLabelPrefix'), '-IPSExt')]",
- "IPSExtSubnetName": "ips-external",
- "IPSExtSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('IPSExtSubnetName'))]",
- "IPSExtSubnetPrivateAddressPrefix": "[substring(parameters('IPSUntrustedAddressStartIP'), 0, lastindexOf(parameters('IPSUntrustedAddressStartIP'), '.'))]",
- "IPSExtSubnetStartDirty": "[substring(parameters('IPSUntrustedAddressStartIP'), lastIndexOf(parameters('IPSUntrustedAddressStartIP'), '.'), sub(length(parameters('IPSUntrustedAddressStartIP')), lastIndexOf(parameters('IPSUntrustedAddressStartIP'), '.')))]",
- "IPSExtSubnetStartInt": "[replace(variables('IPSExtSubnetStartDirty'), '.','')]",
- "IPSExtSubnetPrivateAddress": "[parameters('IPSUntrustedAddressStartIP')]",
- "IPSExtSubnetPrivateAddress1": "[concat(variables('IPSExtSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSExtSubnetStartInt')), 1))]",
- "IPSExtSubnetPrivateAddress2": "[concat(variables('IPSExtSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSExtSubnetStartInt')), 10))]",
- "IPSExtSubnetPrivateAddress3": "[concat(variables('IPSExtSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSExtSubnetStartInt')), 11))]",
- "IPSIntNicName": "[concat(variables('dnsLabelPrefix'), '-IPSInt')]",
- "IPSIntSubnetName": "ips-internal",
- "IPSIntSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('IPSIntSubnetName'))]",
- "IPSIntSubnetPrivateAddressPrefix": "[substring(parameters('IPSTrustedAddressStartIP'), 0, lastindexOf(parameters('IPSTrustedAddressStartIP'), '.'))]",
- "IPSIntSubnetStartDirty": "[substring(parameters('IPSTrustedAddressStartIP'), lastIndexOf(parameters('IPSTrustedAddressStartIP'), '.'), sub(length(parameters('IPSTrustedAddressStartIP')), lastIndexOf(parameters('IPSTrustedAddressStartIP'), '.')))]",
- "IPSIntSubnetStartInt": "[replace(variables('IPSIntSubnetStartDirty'), '.','')]",
- "IPSIntSubnetPrivateAddress": "[parameters('IPSTrustedAddressStartIP')]",
- "IPSIntSubnetPrivateAddress1": "[concat(variables('IPSIntSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSIntSubnetStartInt')), 1))]",
- "IPSIntSubnetPrivateAddress2": "[concat(variables('IPSIntSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSIntSubnetStartInt')), 10))]",
- "IPSIntSubnetPrivateAddress3": "[concat(variables('IPSIntSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSIntSubnetStartInt')), 11))]",
-
- "isAcceleratedNetworkingSupported": "[if(not(contains(parameters('bigIpVersion'), '14.1.200000')), bool('true'), bool('false'))]",
-
- "mgmtNicName": "[concat(variables('dnsLabelPrefix'), '-mgmt')]",
- "mgmtSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('mgmtSubnetName'))]",
- "mgmtSubnetName": "management",
- "ManagementAddressSubnet": "192.168.1.0/24",
- "ManagementAddressStartIP": "192.168.1.4",
-
- "mgmtSubnetPrivateAddress": "[variables('ManagementAddressStartIP')]",
- "mgmtSubnetPrivateAddressPrefix": "[substring(variables('ManagementAddressStartIP'), 0, lastindexOf(variables('ManagementAddressStartIP'), '.'))]",
- "mgmtSubnetStartDirty": "[substring(variables('ManagementAddressStartIP'), lastIndexOf(variables('ManagementAddressStartIP'), '.'), sub(length(variables('ManagementAddressStartIP')), lastIndexOf(variables('ManagementAddressStartIP'), '.') ))]",
- "mgmtSubnetStartInt": "[replace(variables('mgmtSubnetStartDirty'), '.','')]",
- "mgmtSubnetPrivateAddress1": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 5))]",
- "mgmtSubnetPrivateAddress2": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 6))]",
- "mgmtSubnetPrivateAddress3": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 7))]",
- "mgmtSubnetPrivateAddress4": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 50))]",
- "mgmtSubnetPrivateAddress5": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 51))]",
- "mgmtSubnetPrivateAddress6": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 61))]",
- "mgmtSubnetPrivateAddress7": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 62))]",
-
- "stigCmdArray": {
- "true": "bash ./bigipstig.sh;",
- "false": ""
- },
- "cmdConfigStig": "[if(parameters('STIGDevice'), variables('stigCmdArray').true, variables('stigCmdArray').false)]",
- "createFWLogArray": {
- "true": "tmsh create security log profile local-afm-log { network replace-all-with { local-afm-log { publisher local-db-publisher filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled } } } };",
- "false": ""
- },
- "cmdcreateFWLog": "[if(contains(parameters('Tier1bigIpModules'), 'afm'), variables('createFWLogArray').true, variables('createFWLogArray').false)]",
- "cmdcreateFWLog2": "[if(contains(parameters('Tier3bigIpModules'), 'afm'), variables('createFWLogArray').true, variables('createFWLogArray').false)]",
- "createFWPolicyArray": {
- "true": "tmsh create security firewall policy log_all_afm rules add { allow_all { action accept log yes place-before first } deny_all { action reject log yes place-after allow_all } };",
- "false": ""
- },
- "cmdcreateFWPolicy": "[if(contains(parameters('Tier1bigIpModules'), 'afm'), variables('createFWPolicyArray').true, variables('createFWPolicyArray').false)]",
- "cmdcreateFWPolicy2": "[if(contains(parameters('Tier1bigIpModules'), 'afm'), variables('createFWPolicyArray').true, variables('createFWPolicyArray').false)]",
- "installDODRootCA": "unzip Certificates_PKCS7_v5.5_DoD.zip; openssl pkcs7 -print_certs -in ./Certificates_PKCS7_v5.5_DoD/Certificates_PKCS7_v5.5_DoD.pem.p7b -out DoD_Root_CA.cer; tmsh install sys crypto cert DODRoots from-local-file DoD_Root_CA.cer;",
- "firewallConfig": "[concat(variables('cmdcreateFWLog'), variables('cmdcreateFWPolicy'))]",
- "firewallConfig2": "[concat(variables('cmdcreateFWLog2'), variables('cmdcreateFWPolicy2'))]",
-
- "sacaConfig": "[variables('cmdConfigStig')]",
-
- "vdmsSubnetName": "VDMS",
- "windowsOSVersion": "2019-Datacenter",
- "WinvmName": "Bastion-Win-JB",
- "jbimageOffer": "UbuntuServer",
- "jbimagePublisher": "Canonical",
- "jblinuxConfiguration": {
- "disablePasswordAuthentication": true,
- "ssh": {
- "publicKeys": [
- {
- "keyData": "[parameters('adminPasswordOrKey')]",
- "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]"
- }
- ]
- }
- },
- "jbubuntuOSVersion": "18.04-LTS",
- "jbvmName": "[concat(variables('dnsLabelPrefix'), '-linux-jump')]",
- "jbvmSize": "Standard_A1",
- "linuxConfiguration": {
- "disablePasswordAuthentication": true,
- "ssh": {
- "publicKeys": [
- {
- "keyData": "[variables('adminPasswordOrKey')]",
- "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]"
- }
- ]
- }
- },
- "location": "[resourceGroup().location]",
-
- "networkApiVersion": "2017-11-01",
- "newCustomImageName": "[concat(variables('dnsLabelPrefix'), 'image')]",
- "newDataStorageAccountName": "[concat(uniqueString(variables('dnsLabelPrefix'), resourceGroup().id, deployment().name), 'data000')]",
- "numberOfExternalIps": 1,
-
- "osProfiles": {
- "password": {
- "one": {
- "adminPassword": "[variables('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[concat(variables('instanceName'), '0')]",
- "linuxConfiguration": "[json('null')]"
- },
- "two": {
- "adminPassword": "[variables('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[concat(variables('instanceName'), '1')]",
- "linuxConfiguration": "[json('null')]"
- },
- "three": {
- "adminPassword": "[variables('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[concat(variables('instanceName'), '2')]",
- "linuxConfiguration": "[json('null')]"
- },
- "four": {
- "adminPassword": "[variables('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[concat(variables('instanceName'), '3')]",
- "linuxConfiguration": "[json('null')]"
- }
-
- },
- "sshPublicKey": {
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('instanceName')]",
- "linuxConfiguration": "[variables('linuxConfiguration')]"
- }
- },
- "premiumInstanceArray": [
- "Standard_DS2",
- "Standard_DS3",
- "Standard_DS4",
- "Standard_DS11",
- "Standard_DS12",
- "Standard_DS13",
- "Standard_DS14",
- "Standard_DS2_v2",
- "Standard_DS3_v2",
- "Standard_DS4_v2",
- "Standard_DS5_v2",
- "Standard_DS11_v2",
- "Standard_DS12_v2",
- "Standard_DS13_v2",
- "Standard_DS14_v2",
- "Standard_DS15_v2",
- "Standard_F2S",
- "Standard_F4S",
- "Standard_F8S",
- "Standard_F16S",
- "Standard_GS2",
- "Standard_GS3",
- "Standard_GS4",
- "Standard_GS5"
- ],
- "publicIPAddressType": "Static",
- "resourceGroupName": "[resourceGroup().name]",
-
- "routeCmd": "route",
- "singleQuote": "'",
-
- "imageNameToLower": "[toLower(parameters('imageName'))]",
-
- "skuToUse": "[concat('f5-', variables('imageNameSub'),'-byol')]",
- "offerToUse": "[concat('f5-big-ip-', variables('imageNameArray').offerPostfix[variables('imageNameSub')])]",
- "imageNameSub": "[variables('imageNameArray')[parameters('bigIpVersion')][parameters('imageName')]]",
- "imageNameArray": {
- "15.0.100000": {
- "AllOneBootLocation": "big-all-1slot",
- "AllTwoBootLocations": "big-all-2slot",
- "LTMOneBootLocation": "big-ltm-1slot",
- "LTMTwoBootLocations": "big-ltm-2slot"
- },
- "14.1.200000": {
- "AllOneBootLocation": "big-all-1slot",
- "AllTwoBootLocations": "big-all-2slot",
- "LTMOneBootLocation": "big-ltm-1slot",
- "LTMTwoBootLocations": "big-ltm-2slot"
- },
- "latest": {
- "AllOneBootLocation": "big-all-2slot",
- "AllTwoBootLocations": "big-all-2slot",
- "LTMOneBootLocation": "big-ltm-2slot",
- "LTMTwoBootLocations": "big-ltm-2slot"
- },
- "offerPostfix": {
- "big-all-1slot": "byol",
- "big-all-2slot": "byol",
- "big-ltm-1slot": "byol",
- "big-ltm-2slot": "byol",
- "bigip-virtual-edition-best": "best",
- "bigip-virtual-edition-good": "good"
- }
- },
- "imagePlan": {
- "name": "[variables('skuToUse')]",
- "product": "[variables('offerToUse')]",
- "publisher": "f5-networks"
- },
- "imageReference": {
- "offer": "[variables('offerToUse')]",
- "publisher": "f5-networks",
- "sku": "[variables('skuToUse')]",
- "version": "[parameters('bigIpVersion')]"
- },
- "storageApiVersion": "2017-10-01",
- "storageProfileArray": {
- "customImage": {
- "imageReference": {
- "id": "[if(variables('createNewCustomImage'), resourceId('Microsoft.Compute/images', variables('newCustomImageName')), variables('customImage'))]"
- }
- },
- "platformImage": {
- "imageReference": "[variables('imageReference')]",
- "osDisk": {
- "createOption": "FromImage"
- }
- }
- },
- "subscriptionID": "[subscription().subscriptionId]",
- "useCustomImage": "[not(empty(variables('customImage')))]",
- "verifyHash64": "Y2xpIHNjcmlwdCAvQ29tbW9uL3ZlcmlmeUhhc2ggewpwcm9jIHNjcmlwdDo6cnVuIHt9IHsKICAgICAgICBpZiB7W2NhdGNoIHsKICAgICAgICAgICAgc2V0IGhhc2hlcyhhc20tcG9saWN5LWxpbnV4LnRhci5neikgNjNiNWMyYTUxY2EwOWM0M2JkODlhZjM3NzNiYmFiODdjNzFhNmU3ZjZhZDk0MTBiMjI5YjRlMGExYzQ4M2Q0NmYxYTlmZmYzOWQ5OTQ0MDQxYjAyZWU5MjYwNzI0MDI3NDE0ZGU1OTJlOTlmNGMyNDc1NDE1MzIzZTE4YTcyZTAKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5odHRwLnYxLjIuMHJjNC50bXBsKSA0N2MxOWE4M2ViZmM3YmQxZTllOWMzNWYzNDI0OTQ1ZWY4Njk0YWE0MzdlZWRkMTdiNmEzODc3ODhkNGRiMTM5NmZlZmU0NDUxOTliNDk3MDY0ZDc2OTY3YjBkNTAyMzgxNTQxOTBjYTBiZDczOTQxMjk4ZmMyNTdkZjRkYzAzNAogICAgICAgICAgICBzZXQgaGFzaGVzKGY1Lmh0dHAudjEuMi4wcmM2LnRtcGwpIDgxMWIxNGJmZmFhYjVlZDAzNjVmMDEwNmJiNWNlNWU0ZWMyMjM4NTY1NWVhM2FjMDRkZTJhMzliZDk5NDRmNTFlMzcxNDYxOWRhZTdjYTQzNjYyYzk1NmI1MjEyMjI4ODU4ZjA1OTI2NzJhMjU3OWQ0YTg3NzY5MTg2ZTJjYmZlCiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuaHR0cC52MS4yLjByYzcudG1wbCkgMjFmNDEzMzQyZTlhN2EyODFhMGYwZTEzMDFlNzQ1YWE4NmFmMjFhNjk3ZDJlNmZkYzIxZGQyNzk3MzQ5MzY2MzFlOTJmMzRiZjFjMmQyNTA0YzIwMWY1NmNjZDc1YzVjMTNiYWEyZmU3NjUzMjEzNjg5ZWMzYzllMjdkZmY3N2QKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5hd3NfYWR2YW5jZWRfaGEudjEuMy4wcmMxLnRtcGwpIDllNTUxNDljMDEwYzFkMzk1YWJkYWUzYzNkMmNiODNlYzEzZDMxZWQzOTQyNDY5NWU4ODY4MGNmM2VkNWEwMTNkNjI2YjMyNjcxMWQzZDQwZWYyZGY0NmI3MmQ0MTRiNGNiOGU0ZjQ0NWVhMDczOGRjYmQyNWM0Yzg0M2FjMzlkCiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuYXdzX2FkdmFuY2VkX2hhLnYxLjQuMHJjMS50bXBsKSBkZTA2ODQ1NTI1NzQxMmE5NDlmMWVhZGNjYWVlODUwNjM0N2UwNGZkNjliZmI2NDUwMDFiNzZmMjAwMTI3NjY4ZTRhMDZiZTJiYmI5NGUxMGZlZmMyMTVjZmMzNjY1YjA3OTQ1ZTZkNzMzY2JlMWE0ZmExYjg4ZTg4MTU5MDM5NgogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LmF3c19hZHZhbmNlZF9oYS52MS40LjByYzIudG1wbCkgNmFiMGJmZmM0MjZkZjdkMzE5MTNmOWE0NzRiMWEwNzg2MDQzNWUzNjZiMDdkNzdiMzIwNjRhY2ZiMjk1MmMxZjIwN2JlYWVkNzcwMTNhMTVlNDRkODBkNzRmMzI1M2U3Y2Y5ZmJiZTEyYTkwZWM3MTI4ZGU2ZmFjZDA5N2Q2OGYKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5hd3NfYWR2YW5jZWRfaGEudjEuNC4wcmMzLnRtcGwpIDJmMjMzOWI0YmMzYTIzYzljZmQ0MmFhZTJhNmRlMzliYTA2NTgzNjZmMjU5ODVkZTJlYTUzNDEwYTc0NWYwZjE4ZWVkYzQ5MWIyMGY0YThkYmE4ZGI0ODk3MDA5NmUyZWZkY2E3YjhlZmZmYTFhODNhNzhlNWFhZGYyMThiMTM0CiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuYXdzX2FkdmFuY2VkX2hhLnYxLjQuMHJjNC50bXBsKSAyNDE4YWM4YjFmMTg4NGM1YzA5NmNiYWM2YTk0ZDQwNTlhYWFmMDU5MjdhNmE0NTA4ZmQxZjI1YjhjYzYwNzc0OTg4MzlmYmRkYTgxNzZkMmNmMmQyNzRhMjdlNmExZGFlMmExZTNhMGE5OTkxYmM2NWZjNzRmYzBkMDJjZTk2MwogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LmF3c19hZHZhbmNlZF9oYS52MS40LjByYzUudG1wbCkgNWU1ODIxODdhZTFhNjMyM2UwOTVkNDFlZGRkNDExNTFkNmJkMzhlYjgzYzYzNDQxMGQ0NTI3YTNkMGUyNDZhOGZjNjI2ODVhYjA4NDlkZTJhZGU2MmIwMjc1ZjUxMjY0ZDJkZWFjY2JjMTZiNzczNDE3Zjg0N2E0YTFlYTliYzQKICAgICAgICAgICAgc2V0IGhhc2hlcyhhc20tcG9saWN5LnRhci5neikgMmQzOWVjNjBkMDA2ZDA1ZDhhMTU2N2ExZDhhYWU3MjI0MTllOGIwNjJhZDc3ZDZkOWEzMTY1Mjk3MWU1ZTY3YmM0MDQzZDgxNjcxYmEyYThiMTJkZDIyOWVhNDZkMjA1MTQ0Zjc1Mzc0ZWQ0Y2FlNThjZWZhOGY5YWI2NTMzZTYKICAgICAgICAgICAgc2V0IGhhc2hlcyhkZXBsb3lfd2FmLnNoKSAxYTNhM2M2Mjc0YWIwOGE3ZGMyY2I3M2FlZGM4ZDJiMmEyM2NkOWUwZWIwNmEyZTE1MzRiMzYzMmYyNTBmMWQ4OTcwNTZmMjE5ZDViMzVkM2VlZDEyMDcwMjZlODk5ODlmNzU0ODQwZmQ5Mjk2OWM1MTVhZTRkODI5MjE0ZmI3NAogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LnBvbGljeV9jcmVhdG9yLnRtcGwpIDA2NTM5ZTA4ZDExNWVmYWZlNTVhYTUwN2VjYjRlNDQzZTgzYmRiMWY1ODI1YTk1MTQ5NTRlZjZjYTU2ZDI0MGVkMDBjN2I1ZDY3YmQ4ZjY3YjgxNWVlOWRkNDY0NTE5ODQ3MDFkMDU4Yzg5ZGFlMjQzNGM4OTcxNWQzNzVhNjIwCgogICAgICAgICAgICBzZXQgZmlsZV9wYXRoIFtsaW5kZXggJHRtc2g6OmFyZ3YgMV0KICAgICAgICAgICAgc2V0IGZpbGVfbmFtZSBbZmlsZSB0YWlsICRmaWxlX3BhdGhdCgogICAgICAgICAgICBpZiB7IVtpbmZvIGV4aXN0cyBoYXNoZXMoJGZpbGVfbmFtZSldfSB7CiAgICAgICAgICAgICAgICB0bXNoOjpsb2cgZXJyICJObyBoYXNoIGZvdW5kIGZvciAkZmlsZV9uYW1lIgogICAgICAgICAgICAgICAgZXhpdCAxCiAgICAgICAgICAgIH0KCiAgICAgICAgICAgIHNldCBleHBlY3RlZF9oYXNoICRoYXNoZXMoJGZpbGVfbmFtZSkKICAgICAgICAgICAgc2V0IGNvbXB1dGVkX2hhc2ggW2xpbmRleCBbZXhlYyAvdXNyL2Jpbi9vcGVuc3NsIGRnc3QgLXIgLXNoYTUxMiAkZmlsZV9wYXRoXSAwXQogICAgICAgICAgICBpZiB7ICRleHBlY3RlZF9oYXNoIGVxICRjb21wdXRlZF9oYXNoIH0gewogICAgICAgICAgICAgICAgZXhpdCAwCiAgICAgICAgICAgIH0KICAgICAgICAgICAgdG1zaDo6bG9nIGVyciAiSGFzaCBkb2VzIG5vdCBtYXRjaCBmb3IgJGZpbGVfcGF0aCIKICAgICAgICAgICAgZXhpdCAxCiAgICAgICAgfV19IHsKICAgICAgICAgICAgdG1zaDo6bG9nIGVyciB7VW5leHBlY3RlZCBlcnJvciBpbiB2ZXJpZnlIYXNofQogICAgICAgICAgICBleGl0IDEKICAgICAgICB9CiAgICB9Cn0=",
- "installCloudLibs64": "IyEvYmluL2Jhc2gKZWNobyAgYWJvdXQgdG8gZXhlY3V0ZQpjaGVja3M9MAp3aGlsZSBbICRjaGVja3MgLWx0IDEyMCBdOyBkbyBlY2hvIGNoZWNraW5nIG1jcGQKICAgIHRtc2ggLWEgc2hvdyBzeXMgbWNwLXN0YXRlIGZpZWxkLWZtdCB8IGdyZXAgLXEgcnVubmluZwogICBpZiBbICQ/ID09IDAgXTsgdGhlbgogICAgICAgZWNobyBtY3BkIHJlYWR5CiAgICAgICBicmVhawogICBmaQogICBlY2hvIG1jcGQgbm90IHJlYWR5IHlldAogICBsZXQgY2hlY2tzPWNoZWNrcysxCiAgIHNsZWVwIDEwCmRvbmUgCgplY2hvICBleHBhbmRpbmcgZjUtY2xvdWQtbGlicy50YXIuZ3oKdGFyIHh2ZnogL2NvbmZpZy9jbG91ZC9mNS1jbG91ZC1saWJzLnRhci5neiAtQyAvY29uZmlnL2Nsb3VkL2F6dXJlL25vZGVfbW9kdWxlcy9AZjVkZXZjZW50cmFsCmVjaG8gIGNsb3VkIGxpYnMgaW5zdGFsbCBjb21wbGV0ZQp0b3VjaCAvY29uZmlnL2Nsb3VkL2Nsb3VkTGlic1JlYWR5",
- "virtualNetworkName": "SCCA_VNet",
- "vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]"
- },
- "resources": [
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[not(equals(variables('numberOfExternalIps'),0))]",
- "copy": {
- "count": "[if(not(equals(variables('numberOfExternalIps'), 0)), variables('numberOfExternalIps'), 1)]",
- "name": "extpipcopy"
- },
- "location": "[variables('location')]",
- "name": "[concat(variables('extPublicIPAddressNamePrefix'), copyIndex())]",
- "properties": {
- "idleTimeoutInMinutes": 30,
- "publicIPAllocationMethod": "[variables('publicIPAddressType')]",
- "dnsSettings": {
- "domainNameLabel": "[concat(variables('dnsLabelPrefix'), '-0')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/publicIPAddresses"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('NorthboundLoadBalancerType'),'Private-ilb')]",
- "location": "[variables('location')]",
- "name": "[variables('mgmtPublicIPAddressName')]",
- "properties": {
- "dnsSettings": {
- "domainNameLabel": "[concat(variables('dnsLabelPrefix'), '-1')]"
- },
- "idleTimeoutInMinutes": 30,
- "publicIPAllocationMethod": "[variables('publicIPAddressType')]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/publicIPAddresses"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('virtualNetworkName')]",
- "properties": {
- "addressSpace": {
- "addressPrefixes": [
- "[parameters('NorthUntrustedAddressSubnet')]",
- "[parameters('NorthTrustedAddressSubnet')]",
- "[variables('ManagementAddressSubnet')]",
- "[parameters('SouthUntrustedAddressSubnet')]",
- "[parameters('SouthTrustedAddressSubnet')]",
- "[parameters('IPSUntrustedAddressSubnet')]",
- "[parameters('IPSTrustedAddressSubnet')]",
- "[parameters('VDMSAddressSubnet')]"
- ]
- },
- "subnets": [
- {
- "name": "[variables('mgmtSubnetName')]",
- "properties": {
- "addressPrefix": "[variables('ManagementAddressSubnet')]"
- }
- },
- {
- "name": "[variables('extSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('NorthUntrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('extSubnet2Name')]",
- "properties": {
- "addressPrefix": "[parameters('SouthUntrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('intSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('NorthTrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('intSubnet2Name')]",
- "properties": {
- "addressPrefix": "[parameters('SouthTrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('IPSExtSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('IPSUntrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('IPSIntSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('IPSTrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('vdmsSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('VDMSAddressSubnet')]"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/virtualNetworks"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "[variables('nbALbId')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('mgmtLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '0')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndMgmtPoolArray'), 1), skip(variables('backEndMgmtPoolArray'), 1))]",
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "[variables('nbALbId')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('mgmtLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '1')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndMgmtPoolArray'), 1), skip(variables('backEndMgmtPoolArray'), 1))]",
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "[variables('nbALbId')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('mgmtLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '2')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndMgmtPoolArray'), 1), skip(variables('backEndMgmtPoolArray'), 1))]",
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "[variables('nbALbId')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('mgmtLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '3')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndMgmtPoolArray'), 1), skip(variables('backEndMgmtPoolArray'), 1))]",
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '4')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress4')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '5')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress5')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '6')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress6')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '7')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress7')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "extpipcopy",
- "[variables('nbALbId')]",
- "[variables('nbILbId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '0')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig0')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndAddressPoolArray'), 1), skip(variables('backEndAddressPoolArray'), 1))]",
- "primary": false,
- "privateIPAddress": "[concat(variables('extSubnetPrivateAddressPrefix'), '.',10)]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), union(variables('tagValues'),variables('failovertagValues')))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "extpipcopy",
- "[variables('nbALbId')]",
- "[variables('nbILbId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '1')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig1')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndAddressPoolArray'), 1), skip(variables('backEndAddressPoolArray'), 1))]",
- "primary": false,
- "privateIPAddress": "[concat(variables('extSubnetPrivateAddressPrefix'), '.', 11)]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), union(variables('tagValues'),variables('failovertagValues')))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('sbILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '2')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnet2PrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnet2Id')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig2')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- "[variables('SBBackEndAddressPool')]"
- ],
- "primary": false,
- "privateIPAddress": "[concat(variables('extSubnet2PrivateAddressPrefix'), '.',10)]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnet2Id')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), union(variables('tagValues'),variables('failovertagValues')))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('sbILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '3')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnet2PrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnet2Id')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig3')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- "[variables('SBBackEndAddressPool')]"
- ],
- "primary": false,
- "privateIPAddress": "[concat(variables('extSubnet2PrivateAddressPrefix'), '.',11)]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnet2Id')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), union(variables('tagValues'),variables('failovertagValues')))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '0')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('intSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '1')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('intSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('sbILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '2')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnet2PrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnet2Id')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('intSubnet2PrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnet2Id')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('sbILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '3')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnet2PrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnet2Id')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('intSubnet2PrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnet2Id')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('IPSILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('IPSExtNicName'), '0')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-ext-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('IPSExtSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- "[variables('IPSBackEndAddressPool')]"
- ],
- "privateIPAddress": "[variables('IPSExtSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('IPSILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('IPSExtNicName'), '1')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-ext-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('IPSExtSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- "[variables('IPSBackEndAddressPool')]"
- ],
- "privateIPAddress": "[variables('IPSExtSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('IPSIntNicName'), '0')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('IPSIntSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSIntSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('IPSIntSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSIntSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('IPSIntNicName'), '1')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('IPSIntSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSIntSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('IPSIntSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSIntSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-ext-nsg')]",
- "properties": {
- "securityRules": [
- {
- "name": "ext_allow_https",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "443",
- "direction": "Inbound",
- "priority": 101,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- },
- {
- "name": "ssh_allow_22",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "22",
- "direction": "Inbound",
- "priority": 102,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- },
- {
- "name": "rdp_allow_3389",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "3389",
- "direction": "Inbound",
- "priority": 103,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkSecurityGroups"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('NorthboundLoadBalancerType'),'Public-alb')]",
- "dependsOn": [
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[variables('NorthboundLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- },
- {
- "name": "loadBalancerMgmtBackEnd"
- }
- ],
- "copy": [
- {
- "count": "[if(not(equals(variables('numberOfExternalIps'), 0)), variables('numberOfExternalIps'), 1)]",
- "input": {
- "name": "[concat('loadBalancerFrontEnd', copyIndex('frontendIPConfigurations', 1))]",
- "properties": {
- "publicIPAddress": {
- "id": "[concat(variables('extPublicIPAddressIdPrefix'), sub(copyIndex('frontendIPConfigurations', 1), 1))]"
- }
- }
- },
- "name": "frontendIPConfigurations"
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 3389,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "protocol": "Http",
- "port": 80,
- "requestPath": "/",
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "https_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 3,
- "port": 443,
- "protocol": "Tcp"
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 3389,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/probes/rdp_alive')]"
- }
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 22,
- "backendPort": 22,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/probes/ssh_alive')]"
- }
- }
- },
- {
- "Name": "management_outbound",
- "properties": {
- "backendPort": 8443,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 8443,
- "idleTimeoutInMinutes": 15,
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/backendAddressPools/loadBalancerMgmtBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/probes/https_alive')]"
- },
- "protocol": "Tcp"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('NorthboundLoadBalancerType'),'Private-ilb')]",
- "dependsOn": [
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[variables('NorthboundLoadBalancerNameb')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "loadBalancerFrontEnd",
- "properties": {
- "privateIPAddress": "[parameters('NorthUntrustedLBPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 3389,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "protocol": "Http",
- "port": 80,
- "requestPath": "/",
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 3389,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/probes/rdp_alive')]"
- }
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 22,
- "backendPort": 22,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/probes/ssh_alive')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('SouthboundLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "loadBalancerFrontEnd",
- "properties": {
- "privateIPAddress": "[parameters('SouthUntrustedLBPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnet2Id')]"
- }
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 3389,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "protocol": "Http",
- "port": 80,
- "requestPath": "/",
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 3389,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/probes/rdp_alive')]"
- }
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 22,
- "backendPort": 22,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/probes/ssh_alive')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('IPSLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "loadBalancerFrontEnd",
- "properties": {
- "privateIPAddress": "[parameters('IPSUntrustedLBPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 3389,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "protocol": "Http",
- "port": 80,
- "requestPath": "/",
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "https_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 3,
- "port": 443,
- "protocol": "Tcp"
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 3389,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/probes/rdp_alive')]"
- }
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 22,
- "backendPort": 22,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/probes/ssh_alive')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('NorthboundLoadBalancerType'),'Private-ilb')]",
- "dependsOn": [
- "[concat('Microsoft.Network/publicIPAddresses/', variables('mgmtPublicIPAddressName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('mgmtLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerMgmtBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "loadBalancerFrontEnd",
- "properties": {
- "privateIPAllocationMethod": "Dynamic",
- "publicIPAddress": {
- "id": "[variables('mgmtPublicIPAddressIdPrefix')]"
- },
- "privateIPAddressVersion": "IPv4"
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "for_outbound",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('mgmtLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 1234,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('mgmtLoadBalancerName')), '/backendAddressPools/loadBalancerMgmtBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('mgmtLoadBalancerName')), '/probes/ssh_alive')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName0')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName1')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName2')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName3')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('storageApiVersion')]",
- "kind": "Storage",
- "location": "[variables('location')]",
- "name": "[variables('newDataStorageAccountName')]",
- "properties": {
- "supportsHttpsTrafficOnly": true
- },
- "sku": {
- "name": "[variables('dataStorageAccountType')]",
- "tier": "Standard"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Storage/storageAccounts"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "condition": "[and(variables('useCustomImage'), variables('createNewCustomImage'))]",
- "location": "[variables('location')]",
- "name": "[variables('newCustomImageName')]",
- "properties": {
- "storageProfile": {
- "osDisk": {
- "blobUri": "[variables('customImage')]",
- "osState": "Generalized",
- "osType": "Linux",
- "storageAccountType": "[if(contains(variables('premiumInstanceArray'), parameters('instanceType')), 'Premium_LRS', 'Standard_LRS')]"
- }
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/images"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName0'))]",
- "[variables('newCustomImageName')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '0')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId0')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '0'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')].one]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName0'))]",
- "[variables('newCustomImageName')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '1')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId0')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '1'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')].two]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName1'))]",
- "[variables('newCustomImageName')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '2')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '2')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '2')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId1')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '2'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '2'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '2'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')].three]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName1'))]",
- "[variables('newCustomImageName')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '3')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '3')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '3')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId1')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '3'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '3'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '3'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')].four]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "2018-10-01",
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[concat(variables('IPSFirewallName'), '0')]",
- "location": "[variables('location')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName2'))]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '6')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('IPSExtNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('IPSIntNicName'), '0')]"
- ],
- "properties": {
- "availabilitySet": "[variables('availabilitySetId2')]",
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "osProfile": {
- "computerName": "[concat(variables('IPSFirewallName'), '0')]",
- "adminUsername": "[parameters('adminUsername')]",
- "adminPassword": "[parameters('adminPasswordOrKey')]",
- "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), json('null'), variables('jblinuxConfiguration'))]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "[variables('jbimagePublisher')]",
- "offer": "[variables('jbimageOffer')]",
- "sku": "[variables('jbubuntuOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- },
- "dataDisks": [
- {
- "diskSizeGB": 1023,
- "lun": 0,
- "createOption": "Empty"
- }
- ]
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '6'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('IPSExtNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('IPSIntNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
- }
- }
- }
- },
- {
- "apiVersion": "2018-10-01",
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[concat(variables('IPSFirewallName'), '1')]",
- "location": "[variables('location')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName2'))]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '7')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('IPSExtNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('IPSIntNicName'), '1')]"
- ],
- "properties": {
- "availabilitySet": "[variables('availabilitySetId2')]",
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "osProfile": {
- "computerName": "[concat(variables('IPSFirewallName'), '1')]",
- "adminUsername": "[parameters('adminUsername')]",
- "adminPassword": "[parameters('adminPasswordOrKey')]",
- "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), json('null'), variables('jblinuxConfiguration'))]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "[variables('jbimagePublisher')]",
- "offer": "[variables('jbimageOffer')]",
- "sku": "[variables('jbubuntuOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- },
- "dataDisks": [
- {
- "diskSizeGB": 1023,
- "lun": 0,
- "createOption": "Empty"
- }
- ]
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '7'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('IPSExtNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('IPSIntNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
- }
- }
- }
- },
- {
- "apiVersion": "2018-10-01",
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[variables('jbvmName')]",
- "location": "[variables('location')]",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '4'))]"
- ],
- "properties": {
- "hardwareProfile": {
- "vmSize": "[variables('jbvmSize')]"
- },
- "osProfile": {
- "computerName": "[variables('jbvmName')]",
- "adminUsername": "[parameters('adminUsername')]",
- "adminPassword": "[parameters('adminPasswordOrKey')]",
- "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), json('null'), variables('jblinuxConfiguration'))]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "[variables('jbimagePublisher')]",
- "offer": "[variables('jbimageOffer')]",
- "sku": "[variables('jbubuntuOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- },
- "dataDisks": [
- {
- "diskSizeGB": 1023,
- "lun": 0,
- "createOption": "Empty"
- }
- ]
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '4'))]"
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
- }
- }
- }
- },
- {
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[variables('WinvmName')]",
- "location": "[variables('location')]",
- "apiVersion": "2018-10-01",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '5'))]"
- ],
- "properties": {
- "hardwareProfile": {
- "vmSize": "Standard_A2"
- },
- "osProfile": {
- "computerName": "[variables('WinvmName')]",
- "adminUsername": "[parameters('adminUsername')]",
- "adminPassword": "[parameters('WindowsAdminPassword')]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "MicrosoftWindowsServer",
- "offer": "WindowsServer",
- "sku": "[variables('windowsOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- },
- "dataDisks": [
- {
- "diskSizeGB": 1023,
- "lun": 0,
- "createOption": "Empty"
- }
- ]
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '5'))]"
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))).primaryEndpoints.blob]"
- }
- }
- }
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '0/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '0.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --license ', parameters('licenseKey1'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('Tier1bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[variables('enableNetworkFailover')].first, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress'), ' --create-group --device-group Sync --sync-type sync-failover --device ', concat(variables('instanceName'), '0.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --network-failover --auto-sync --save-on-auto-sync;', variables('firewallConfig'), ' bash /config/cloud/deploy_app.sh ', variables('commandArgs'), '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('installDODRootCA'), variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/Certificates_PKCS7_v5.5_DoD.zip",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh",
- "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/working/asm/15.1/sccaBaselineASMPolicy.xml"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '1/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '1.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --license ', parameters('licenseKey2'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('Tier1bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress1'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress1'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[variables('enableNetworkFailover')].second, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress1'), ' --join-group --device-group Sync --sync --remote-host ', variables('mgmtSubnetPrivateAddress'), ' --remote-user svc_user --remote-password-url file:///config/cloud/.passwd', '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '2/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress2'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '2.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --license ', parameters('licenseKey3'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('Tier3bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress2'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRoute2Gw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnet2PrivateAddress'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnet2PrivateAddress'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[variables('enableNetworkFailover')].third, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress2'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnet2PrivateAddress'), ' --create-group --device-group Sync --sync-type sync-failover --device ', concat(variables('instanceName'), '2.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --network-failover --auto-sync --save-on-auto-sync;', variables('firewallConfig2'), ' bash /config/cloud/deploy_app.sh ', variables('commandArgs2'), '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('installDODRootCA'), variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/Certificates_PKCS7_v5.5_DoD.zip",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh",
- "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/working/asm/15.1/sccaBaselineASMPolicy.xml"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '3/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted;', variables('allowUsageAnalytics')['No'].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress3'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '3.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --license ', parameters('licenseKey4'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, ' --modules ', parameters('Tier3bigIpModules'), '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress3'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRoute2Gw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnet2PrivateAddress1'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnet2PrivateAddress1'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[variables('enableNetworkFailover')].fourth, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress3'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnet2PrivateAddress1'), ' --join-group --device-group Sync --sync --remote-host ', variables('mgmtSubnetPrivateAddress2'), ' --remote-user svc_user --remote-password-url file:///config/cloud/.passwd', '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- }
- ],
- "outputs": {
- "RDP-URL": {
- "type": "string",
- "value": "[concat('rdp://',reference(concat(variables('extPublicIPAddressNamePrefix'), '0')).dnsSettings.fqdn)]"
- },
- "SSH-URL": {
- "type": "string",
- "value": "[concat('ssh://', parameters('adminUsername'), '@', reference(concat(variables('extPublicIPAddressNamePrefix'), '0')).dnsSettings.fqdn)]"
- }
- }
-}
\ No newline at end of file
diff --git a/SACAv2/3NIC_3Tier_HA/payg/azureDeploy.json b/SACAv2/3NIC_3Tier_HA/payg/azureDeploy.json
deleted file mode 100644
index dce2357..0000000
--- a/SACAv2/3NIC_3Tier_HA/payg/azureDeploy.json
+++ /dev/null
@@ -1,2905 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
- "contentVersion": "6.0.2.0",
- "parameters": {
- "governmentCloudRegion": {
- "defaultValue": true,
- "metadata": {
- "description": "Type of cloud this template will deploy into, ensure to select false for commercial."
- },
- "type": "bool"
- },
- "adminUsername": {
- "defaultValue": "xadmin",
- "metadata": {
- "description": "User name for the Virtual Machine."
- },
- "type": "string"
- },
- "authenticationType": {
- "allowedValues": [
- "password",
- "sshPublicKey"
- ],
- "defaultValue": "password",
- "metadata": {
- "description": "Type of authentication to use on the Virtual Machine, password based authentication or key based authentication."
- },
- "type": "string"
- },
- "adminPasswordOrKey": {
- "metadata": {
- "description": "Password or SSH public key to login to the Virtual Machine. Note: There are a number of special characters that you should avoid using for F5 product user accounts. See [K2873](https://support.f5.com/csp/article/K2873) for details. Note: If using key-based authentication, this should be the public key as a string, typically starting with **---- BEGIN SSH2 PUBLIC KEY ----** and ending with **---- END SSH2 PUBLIC KEY ----**."
- },
- "type": "securestring"
- },
- "WindowsAdminPassword": {
- "type": "securestring",
- "metadata": {
- "description": "Password for the Windows Virtual Machine."
- }
- },
- "Tier1bigIpModules": {
- "defaultValue": "ltm:nominal,asm:nominal,afm:nominal",
- "metadata": {
- "description": "Comma separated list of modules and levels to provision, for example, ltm:nominal,asm:nominal"
- },
- "type": "string"
- },
- "Tier1DeclarationUrl": {
- "defaultValue": "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/working/asm/15.1/sccaBaselineASMPolicy.xml",
- "metadata": {
- "description": "URL for the AS3 (https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.16.0/) declaration JSON file to be deployed. Leave as **NOT_SPECIFIED** to deploy without a service configuration."
- },
- "type": "string"
- },
- "Tier3bigIpModules": {
- "defaultValue": "ltm:nominal,afm:nominal",
- "metadata": {
- "description": "Comma separated list of modules and levels to provision, for example, ltm:nominal,asm:nominal"
- },
- "type": "string"
- },
- "Tier3DeclarationUrl": {
- "defaultValue": "NOT_SPECIFIED",
- "metadata": {
- "description": "URL for the AS3 (https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.5.1/) declaration JSON file to be deployed. Leave as **NOT_SPECIFIED** to deploy without a service configuration."
- },
- "type": "string"
- },
- "dnsLabelPrefix": {
- "defaultValue": "f5dns",
- "metadata": {
- "description": "Unique DNS HOST Name for the Public IP address used to access the Virtual Machine."
- },
- "type": "string"
- },
- "instanceName": {
- "defaultValue": "bigip",
- "metadata": {
- "description": "Name of the Virtual Machine."
- },
- "maxLength": 7,
- "type": "string"
- },
- "instanceType": {
- "allowedValues": [
- "Standard_D3",
- "Standard_D4",
- "Standard_D11",
- "Standard_D12",
- "Standard_D13",
- "Standard_D14",
- "Standard_DS3",
- "Standard_DS4",
- "Standard_DS11",
- "Standard_DS12",
- "Standard_DS13",
- "Standard_DS14",
- "Standard_D3_v2",
- "Standard_D4_v2",
- "Standard_D5_v2",
- "Standard_D11_v2",
- "Standard_D12_v2",
- "Standard_D13_v2",
- "Standard_D14_v2",
- "Standard_D15_v2",
- "Standard_DS3_v2",
- "Standard_DS4_v2",
- "Standard_DS5_v2",
- "Standard_DS11_v2",
- "Standard_DS12_v2",
- "Standard_DS13_v2",
- "Standard_DS14_v2",
- "Standard_DS15_v2",
- "Standard_F4",
- "Standard_F8",
- "Standard_F4S",
- "Standard_F8S",
- "Standard_F16S",
- "Standard_G3",
- "Standard_G4",
- "Standard_G5",
- "Standard_GS3",
- "Standard_GS4",
- "Standard_GS5"
- ],
- "defaultValue": "Standard_DS4_v2",
- "metadata": {
- "description": "Instance size of the Virtual Machine."
- },
- "type": "string"
- },
- "bigIpVersion": {
- "allowedValues": [
- "15.0.100000",
- "14.1.200000",
- "latest"
- ],
- "defaultValue": "14.1.200000",
- "metadata": {
- "description": "F5 BIG-IP version you want to use."
- },
- "type": "string"
- },
- "imageName": {
- "allowedValues": [
- "Best25Mbps",
- "Best200Mbps",
- "Best1Gbps",
- "Best10Gbps",
- "Better25Mbps",
- "Better200Mbps",
- "Better1Gbps",
- "Better10Gbps",
- "Good25Mbps",
- "Good200Mbps",
- "Good1Gbps",
- "Good10Gbps",
- "AdvancedWaf25Mbps",
- "AdvancedWaf200Mbps",
- "AdvancedWaf1Gbps"
- ],
- "defaultValue": "Best1Gbps",
- "metadata": {
- "description": "F5 SKU (image) you want to deploy. Note: The disk size of the VM will be determined based on the option you select. **Important**: 10Gbps SKUs are supported only with BIGIP VE v15 or later. If intending to provision multiple modules, ensure the appropriate value is selected, such as **Best** instead of **Good**."
- },
- "type": "string"
- },
- "STIGDevice": {
- "defaultValue": true,
- "metadata": {
- "description": "This setting will determine whether STIGS/SRGS will be applied at Onboarding."
- },
- "type": "bool"
- },
- "restrictedSrcAddress": {
- "defaultValue": "*",
- "metadata": {
- "description": "This field restricts management access to a specific network or address. Enter an IP address or address range in CIDR notation, or asterisk for all sources"
- },
- "type": "string"
- },
- "NorthboundLoadBalancerType": {
- "allowedValues": [
- "Public-alb",
- "Private-ilb"
- ],
- "defaultValue": "Public-alb",
- "metadata": {
- "description": "Specify a the type of Northbound Azure load balancer to deploy. Note: As of the initial release of this template, it is default to Public-alb"
- },
- "type": "string"
- },
- "NorthUntrustedAddressSubnet": {
- "defaultValue": "192.168.2.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the North Untrusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "NorthUntrustedAddressStartIP": {
- "defaultValue": "192.168.2.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "NorthUntrustedLBPrivateAddress": {
- "defaultValue": "192.168.2.100",
- "metadata": {
- "description": "The static address of the North Bound LB IP to be used for deployment. This is use ONLY IF the NorthboundLoadBalancerType is 'Private-ilb' type. You MUST type the full IP Address '192.168.2.100'."
- },
- "type": "string"
- },
- "NorthTrustedAddressSubnet": {
- "defaultValue": "192.168.3.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the North Trusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "NorthTrustedAddressStartIP": {
- "defaultValue": "192.168.3.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "VDMSAddressSubnet": {
- "defaultValue": "192.168.4.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the VDSS Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "IPSTier": {
- "allowedValues": [
- "Yes",
- "No"
- ],
- "defaultValue": "Yes",
- "metadata": {
- "description": "Specify whether IPS Tier would deploy from this template. If 'Yes', then this is a 3-teirs architecture, otherwise it is 2-tiers architecture"
- },
- "type": "string"
- },
- "IPSUntrustedAddressSubnet": {
- "defaultValue": "192.168.5.0/24",
- "metadata": {
- "description": "The CIDR block the IPS VEs use when creating the Untrusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "IPSUntrustedAddressStartIP": {
- "defaultValue": "192.168.5.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "IPSUntrustedLBPrivateAddress": {
- "defaultValue": "192.168.5.100",
- "metadata": {
- "description": "The static address of the IPS LB IP to be used for deployment. You MUST type the full IP Address '192.168.5.100'."
- },
- "type": "string"
- },
- "IPSTrustedAddressSubnet": {
- "defaultValue": "192.168.6.0/24",
- "metadata": {
- "description": "The CIDR block the IPS VEs use when creating the South Trusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "IPSTrustedAddressStartIP": {
- "defaultValue": "192.168.6.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "SouthUntrustedAddressSubnet": {
- "defaultValue": "192.168.7.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the South Untrusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "SouthUntrustedAddressStartIP": {
- "defaultValue": "192.168.7.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "SouthUntrustedLBPrivateAddress": {
- "defaultValue": "192.168.7.100",
- "metadata": {
- "description": "The static address of the South Bound LB IP to be used for deployment. You MUST type the full IP Address '192.168.7.100'."
- },
- "type": "string"
- },
- "SouthTrustedAddressSubnet": {
- "defaultValue": "192.168.8.0/24",
- "metadata": {
- "description": "The CIDR block the BIG-IP VEs use when creating the South Trusted Subnet. You MUST type the full CIDR address, for example '10.0.0.0/24', '10.100.0.0/16', '192.168.0.0/24'."
- },
- "type": "string"
- },
- "SouthTrustedAddressStartIP": {
- "defaultValue": "192.168.8.4",
- "metadata": {
- "description": "The starting address of the IPs to be used for deployment. You MUST type the full IP Address '10.0.0.10', '10.100.0.40', '192.168.1.5'."
- },
- "type": "string"
- },
- "ntpServer": {
- "defaultValue": "0.pool.ntp.org",
- "metadata": {
- "description": "Leave the default NTP server the BIG-IP uses, or replace the default NTP server with the one you want to use."
- },
- "type": "string"
- },
- "timeZone": {
- "defaultValue": "UTC",
- "metadata": {
- "description": "If you would like to change the time zone the BIG-IP uses, enter the time zone you want to use. This is based on the tz database found in /usr/share/zoneinfo (see the full list [here](https://github.com/F5Networks/f5-azure-arm-templates/blob/master/azure-timezone-list.md)). Example values: UTC, US/Pacific, US/Eastern, Europe/London or Asia/Singapore."
- },
- "type": "string"
- },
- "allowUsageAnalytics": {
- "allowedValues": [
- "Yes",
- "No"
- ],
- "defaultValue": "Yes",
- "metadata": {
- "description": "This deployment can send anonymous statistics to F5 to help us determine how to improve our solutions. If you select **No** statistics are not sent."
- },
- "type": "string"
- },
- "tagValues": {
- "defaultValue": {
- "application": "APP",
- "cost": "COST",
- "environment": "ENV",
- "group": "GROUP",
- "owner": "OWNER"
- },
- "metadata": {
- "description": "Default key/value resource tags will be added to the resources in this deployment, if you would like the values to be unique adjust them as needed for each key."
- },
- "type": "object"
- }
- },
- "variables": {
- "cloudRegion": {
- "false": ".cloudapp.azure.com",
- "true": ".cloudapp.usgovcloudapi.net"
- },
- "cloudPath": "[if(parameters('governmentCloudRegion'), variables('cloudRegion').true, variables('cloudRegion').false)]",
- "tagValues": "[parameters('tagValues')]",
- "adminPasswordOrKey": "[replace(parameters('adminPasswordOrKey'),'\\n', '\n')]",
- "allowUsageAnalytics": {
- "No": {
- "hashCmd": "echo AllowUsageAnalytics:No",
- "metricsCmd": ""
- },
- "Yes": {
- "hashCmd": "[concat('custId=`echo \"', variables('subscriptionId'), '\"|sha512sum|cut -d \" \" -f 1`; deployId=`echo \"', variables('deploymentId'), '\"|sha512sum|cut -d \" \" -f 1`')]",
- "metricsCmd": "[concat(' --metrics customerId:${custId},deploymentId:${deployId},templateName:failover_3nic-new-stack-saca-payg,templateVersion:7.2.0.0,region:', variables('location'), ',bigIpVersion:', parameters('bigIpVersion') ,',licenseType:payg,cloudLibsVersion:', variables('f5CloudLibsTag'), ',cloudName:azure')]"
- }
- },
- "failovertagValues": {
- "f5_cloud_failover_label": "scca",
- "f5_cloud_failover_nic_map": "external"
- },
- "appScript": "IyEvYmluL2Jhc2gKZnVuY3Rpb24gcGFzc3dkKCkgewogIGVjaG8gfCBmNS1yZXN0LW5vZGUgL2NvbmZpZy9jbG91ZC9henVyZS9ub2RlX21vZHVsZXMvQGY1ZGV2Y2VudHJhbC9mNS1jbG91ZC1saWJzL3NjcmlwdHMvZGVjcnlwdERhdGFGcm9tRmlsZS5qcyAtLWRhdGEtZmlsZSAvY29uZmlnL2Nsb3VkLy5wYXNzd2QgfCBhd2sgJ3twcmludCAkMX0nCn0KCndoaWxlIGdldG9wdHMgbzp1OiBvcHRpb24KZG8gY2FzZSAiJG9wdGlvbiIgIGluCiAgICAgICAgbykgZGVjbGFyYXRpb25Vcmw9JE9QVEFSRzs7CiAgICAgICAgdSkgdXNlcj0kT1BUQVJHOzsKICAgIGVzYWMKZG9uZQoKZGVwbG95ZWQ9Im5vIgpmaWxlX2xvYz0iL2NvbmZpZy9jbG91ZC9jdXN0b21fY29uZmlnIgpkZmxfbWdtdF9wb3J0PWB0bXNoIGxpc3Qgc3lzIGh0dHBkIHNzbC1wb3J0IHwgZ3JlcCBzc2wtcG9ydCB8IHNlZCAncy9zc2wtcG9ydCAvLztzLyAvL2cnYAp1cmxfcmVnZXg9IihodHRwOlwvXC98aHR0cHM6XC9cLyk/W2EtejAtOV0rKFtcLVwuXXsxfVthLXowLTldKykqXC5bYS16XXsyLDV9KDpbMC05XXsxLDV9KT8oXC8uKik/JCIKCmlmIFtbICRkZWNsYXJhdGlvblVybCA9fiAkdXJsX3JlZ2V4IF1dOyB0aGVuCiAgICByZXNwb25zZV9jb2RlPSQoL3Vzci9iaW4vY3VybCAtLWludGVyZmFjZSBtZ210IC1zayAtdyAiJXtodHRwX2NvZGV9IiAkZGVjbGFyYXRpb25VcmwgLW8gJGZpbGVfbG9jKQogICAgaWYgW1sgJHJlc3BvbnNlX2NvZGUgPT0gMjAwIF1dOyB0aGVuCiAgICAgICAgIGVjaG8gIkN1c3RvbSBjb25maWcgZG93bmxvYWQgY29tcGxldGU7IGNoZWNraW5nIGZvciB2YWxpZCBKU09OLiIKICAgICAgICAgY2F0ICRmaWxlX2xvYyB8IGpxIC5jbGFzcwogICAgICAgICBpZiBbWyAkPyA9PSAwIF1dOyB0aGVuCiAgICAgICAgICAgICByZXNwb25zZV9jb2RlPSQoL3Vzci9iaW4vY3VybCAtc2t2dnUgJHVzZXI6JChwYXNzd2QpIC13ICIle2h0dHBfY29kZX0iIC1YIFBPU1QgLUggIkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vanNvbiIgLUggJ0V4cGVjdDonIC1kICJAJGZpbGVfbG9jIiBodHRwczovL2xvY2FsaG9zdDokZGZsX21nbXRfcG9ydC9tZ210L3NoYXJlZC9hcHBzdmNzL2RlY2xhcmUgLW8gL2Rldi9udWxsKQoKICAgICAgICAgICAgIGlmIFtbICRyZXNwb25zZV9jb2RlID09IDIwMCB8fCAkcmVzcG9uc2VfY29kZSA9PSAyMDcgfHwgJHJlc3BvbnNlX2NvZGUgPT0gNTAyIF1dOyB0aGVuCiAgICAgICAgICAgICAgICAgIGVjaG8gIkRlcGxveW1lbnQgb2YgYXBwbGljYXRpb24gc3VjY2VlZGVkLiAkcmVzcG9uc2VfY29kZSIKICAgICAgICAgICAgICAgICAgZGVwbG95ZWQ9InllcyIKICAgICAgICAgICAgIGVsc2UKICAgICAgICAgICAgICAgICBlY2hvICJGYWlsZWQgdG8gZGVwbG95IGFwcGxpY2F0aW9uOyBjb250aW51aW5nIHdpdGggcmVzcG9uc2UgY29kZSAnIiRyZXNwb25zZV9jb2RlIiciCiAgICAgICAgICAgICBmaQogICAgICAgICBlbHNlCiAgICAgICAgICAgICBlY2hvICJDdXN0b20gY29uZmlnIHdhcyBub3QgdmFsaWQgSlNPTiwgY29udGludWluZyIKICAgICAgICAgZmkKICAgIGVsc2UKICAgICAgICBlY2hvICJGYWlsZWQgdG8gZG93bmxvYWQgY3VzdG9tIGNvbmZpZzsgY29udGludWluZyB3aXRoIHJlc3BvbnNlIGNvZGUgJyIkcmVzcG9uc2VfY29kZSInIgogICAgZmkKZWxzZQogICAgIGVjaG8gIkN1c3RvbSBjb25maWcgd2FzIG5vdCBhIFVSTCwgY29udGludWluZy4iCmZpCgppZiBbWyAkZGVwbG95ZWQgPT0gIm5vIiAmJiAkZGVjbGFyYXRpb25VcmwgPT0gIk5PVF9TUEVDSUZJRUQiIF1dOyB0aGVuCiAgICBlY2hvICJBcHBsaWNhdGlvbiBkZXBsb3ltZW50IGZhaWxlZCBvciBjdXN0b20gVVJMIHdhcyBub3Qgc3BlY2lmaWVkLiIKZmkKCmVjaG8gIkRlcGxveW1lbnQgY29tcGxldGUuIgpleGl0",
- "availabilitySetName0": "[concat(variables('dnsLabelPrefix'), '-avset0')]",
- "availabilitySetName1": "[concat(variables('dnsLabelPrefix'), '-avset1')]",
- "availabilitySetName2": "[concat(variables('dnsLabelPrefix'), '-avset2')]",
- "availabilitySetName3": "[concat(variables('dnsLabelPrefix'), '-avset3')]",
- "availabilitySetId0": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets',variables('availabilitySetName0'))]"
- },
- "availabilitySetId1": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets',variables('availabilitySetName1'))]"
- },
- "availabilitySetId2": {
- "id": "[resourceId('Microsoft.Compute/availabilitySets',variables('availabilitySetName2'))]"
- },
- "backEndAddressPoolArray": [
- {
- "id": "[concat(variables('nbALBid'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- },
- {
- "id": "[concat(variables('nbILBid'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- }
- ],
- "backEndMgmtPoolArray": [
- {
- "id": "[concat(variables('nbALBid'), '/backendAddressPools/', 'loadBalancerMgmtBackEnd')]"
- },
- {
- "id": "[concat(variables('mgmtALBid'), '/backendAddressPools/', 'loadBalancerMgmtBackEnd')]"
- }
- ],
- "SBBackEndAddressPool": {
- "id": "[concat(variables('sbILBid'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- },
- "IPSBackEndAddressPool": {
- "id": "[concat(variables('IPSILBid'), '/backendAddressPools/', 'loadBalancerBackEnd')]"
- },
- "bigIpNicPortMap": {
- "1": {
- "Port": "[parameters('bigIpVersion')]"
- },
- "2": {
- "Port": "443"
- },
- "3": {
- "Port": "443"
- },
- "4": {
- "Port": "443"
- },
- "5": {
- "Port": "443"
- },
- "6": {
- "Port": "443"
- }
- },
- "bigIpNicPortValue": "[variables('bigIpNicPortMap')['3'].Port]",
- "bigIpVersionPortMap": {
- "443": {
- "Port": 443
- },
- "15.0.100000": {
- "Port": 8443
- },
- "14.1.200000": {
- "Port": 8443
- },
- "latest": {
- "Port": 8443
- }
- },
- "bigIpMgmtPort": "[variables('bigIpVersionPortMap')[variables('bigIpNicPortValue')].Port]",
- "commandArgs": "[concat('-o ', parameters('Tier1DeclarationUrl'), ' -u svc_user')]",
- "commandArgs2": "[concat('-o ', parameters('Tier3DeclarationUrl'), ' -u svc_user')]",
- "computeApiVersion": "2017-12-01",
- "createNewCustomImage": "[contains(variables('customImage'), 'https://')]",
- "customConfig": "### START (INPUT) CUSTOM CONFIGURATION HERE\n",
- "customImage": "",
- "dataStorageAccountType": "Standard_LRS",
- "deploymentId": "[concat(variables('subscriptionId'), resourceGroup().id, deployment().name, variables('dnsLabelPrefix'))]",
- "dnsLabelPrefix": "[toLower(parameters('dnsLabelPrefix'))]",
- "enableNetworkFailover": "Yes",
- "f5AS3Build": "f5-appsvcs-3.16.0-6.noarch.rpm",
- "f5CloudIappsLoggerTag": "v1.0.0",
- "f5CloudIappsSdTag": "v2.3.2",
- "f5CloudLibsTag": "v4.9.1",
- "failoverCmdArray": {
- "No": {
- "first": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '0.', variables('location'), variables('cloudPath')), ' unicast-address none')]",
- "second": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '1.', variables('location'), variables('cloudPath')), ' unicast-address none')]",
- "third": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '2.', variables('location'), variables('cloudPath')), ' unicast-address none')]",
- "fourth": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '3.', variables('location'), variables('cloudPath')), ' unicast-address none')]"
- },
- "Yes": {
- "first": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '0.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnetPrivateAddress'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress'))]",
- "second": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '1.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnetPrivateAddress1'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress1'))]",
- "third": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '2.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnet2PrivateAddress'), ' port 1026 } } mirror-ip ', variables('intSubnet2PrivateAddress'))]",
- "fourth": "[concat('tmsh modify cm device ', concat(variables('instanceName'), '3.', variables('location'), variables('cloudPath')), ' unicast-address { { ip ', variables('intSubnet2PrivateAddress1'), ' port 1026 } } mirror-ip ', variables('intSubnet2PrivateAddress1'))]"
- }
- },
-
- "paygImageMap": {
- "advancedwaf1gbps": {
- "offer": "f5-big-ip-advanced-waf",
- "sku": "f5-bigip-virtual-edition-1g-waf-hourly"
- },
- "advancedwaf200mbps": {
- "offer": "f5-big-ip-advanced-waf",
- "sku": "f5-bigip-virtual-edition-200m-waf-hourly"
- },
- "advancedwaf25mbps": {
- "offer": "f5-big-ip-advanced-waf",
- "sku": "f5-bigip-virtual-edition-25m-waf-hourly"
- },
- "best1gbps": {
- "offer": "f5-big-ip-best",
- "sku": "f5-bigip-virtual-edition-1g-best-hourly"
- },
- "best10gbps": {
- "offer": "f5-big-ip-best",
- "sku": "f5-bigip-virtual-edition-10g-best-hourly"
- },
- "best200mbps": {
- "offer": "f5-big-ip-best",
- "sku": "f5-bigip-virtual-edition-200m-best-hourly"
- },
- "best25mbps": {
- "offer": "f5-big-ip-best",
- "sku": "f5-bigip-virtual-edition-25m-best-hourly"
- },
- "better1gbps": {
- "offer": "f5-big-ip-better",
- "sku": "f5-bigip-virtual-edition-1g-better-hourly"
- },
- "better10gbps": {
- "offer": "f5-big-ip-better",
- "sku": "f5-bigip-virtual-edition-10g-better-hourly"
- },
- "better200mbps": {
- "offer": "f5-big-ip-better",
- "sku": "f5-bigip-virtual-edition-200m-better-hourly"
- },
- "better25mbps": {
- "offer": "f5-big-ip-better",
- "sku": "f5-bigip-virtual-edition-25m-better-hourly"
- },
- "good1gbps": {
- "offer": "f5-big-ip-good",
- "sku": "f5-bigip-virtual-edition-1g-good-hourly"
- },
- "good10gbps": {
- "offer": "f5-big-ip-good",
- "sku": "f5-bigip-virtual-edition-10g-good-hourly"
- },
- "good200mbps": {
- "offer": "f5-big-ip-good",
- "sku": "f5-bigip-virtual-edition-200m-good-hourly"
- },
- "good25mbps": {
- "offer": "f5-big-ip-good",
- "sku": "f5-bigip-virtual-edition-25m-good-hourly"
- },
- "perappveadvancedwaf200mbps": {
- "offer": "f5-big-ip-per-app-ve",
- "sku": "f5-big-ip-per-app-ve-awf-200m-hourly"
- },
- "perappveadvancedwaf25mbps": {
- "offer": "f5-big-ip-per-app-ve",
- "sku": "f5-big-ip-per-app-ve-awf-25m-hourly"
- },
- "perappveltm200mbps": {
- "offer": "f5-big-ip-per-app-ve",
- "sku": "f5-big-ip-per-app-ve-ltm-200m-hourly"
- },
- "perappveltm25mbps": {
- "offer": "f5-big-ip-per-app-ve",
- "sku": "f5-big-ip-per-app-ve-ltm-25m-hourly"
- }
- },
-
- "installCustomConfig": "[concat(variables('singleQuote'), '#!/bin/bash\n', variables('customConfig'), variables('singleQuote'))]",
- "instanceName": "[toLower(parameters('instanceName'))]",
- "nbALBid": "[resourceId('Microsoft.Network/loadBalancers',variables('NorthboundLoadBalancerName'))]",
- "extNicName": "[concat(variables('dnsLabelPrefix'), '-ext')]",
- "extNsgID": "[resourceId('Microsoft.Network/networkSecurityGroups/',concat(variables('dnsLabelPrefix'),'-ext-nsg'))]",
- "extPublicIPAddressIdPrefix": "[resourceId('Microsoft.Network/publicIPAddresses', variables('extPublicIPAddressNamePrefix'))]",
- "extSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('extsubnetName'))]",
- "extSubnetName": "external",
- "extSubnetPrivateAddressPrefix": "[substring(parameters('NorthUntrustedAddressStartIP'), 0, lastindexOf(parameters('NorthUntrustedAddressStartIP'), '.'))]",
- "extSubnetStartDirty": "[substring(parameters('NorthUntrustedAddressStartIP'), lastIndexOf(parameters('NorthUntrustedAddressStartIP'), '.'), sub(length(parameters('NorthUntrustedAddressStartIP')), lastIndexOf(parameters('NorthUntrustedAddressStartIP'), '.')))]",
- "extSubnetStartInt": "[replace(variables('extSubnetStartDirty'), '.','')]",
- "extSubnetPrivateAddress": "[parameters('NorthUntrustedAddressStartIP')]",
- "extSubnetPrivateAddress1": "[concat(variables('extSubnetPrivateAddressPrefix'), '.',add(int(variables('extSubnetStartInt')), 1))]",
- "NorthboundLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-nb-alb')]",
- "mgmtLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-mgmt-alb')]",
- "extpublicIPAddressNamePrefix": "[concat(variables('dnsLabelPrefix'), '-ext-pip')]",
-
- "mgmtPublicIPAddressName": "[concat(variables('dnsLabelPrefix'), '-mgmt-pip')]",
- "mgmtPublicIPAddressIdPrefix": "[resourceId('Microsoft.Network/publicIPAddresses', variables('mgmtPublicIPAddressName'))]",
-
- "nbILBid": "[resourceId('Microsoft.Network/loadBalancers',variables('NorthboundLoadBalancerNameb'))]",
-
- "intNicName": "[concat(variables('dnsLabelPrefix'), '-int')]",
- "intSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('intsubnetName'))]",
- "intSubnetName": "internalNorth",
- "intSubnetPrivateAddressPrefix": "[substring(parameters('NorthTrustedAddressStartIP'), 0, lastindexOf(parameters('NorthTrustedAddressStartIP'), '.'))]",
- "intSubnetStartDirty": "[substring(parameters('NorthTrustedAddressStartIP'), lastIndexOf(parameters('NorthTrustedAddressStartIP'), '.'), sub(length(parameters('NorthTrustedAddressStartIP')), lastIndexOf(parameters('NorthTrustedAddressStartIP'), '.') ))]",
- "intSubnetStartInt": "[replace(variables('intSubnetStartDirty'), '.', '')]",
- "intSubnetPrivateAddress": "[parameters('NorthTrustedAddressStartIP')]",
- "intSubnetPrivateAddress1": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 1))]",
- "intSubnetPrivateAddress2": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 10))]",
- "intSubnetPrivateAddress3": "[concat(variables('intSubnetPrivateAddressPrefix'), '.', add(int(variables('IntSubnetStartInt')), 11))]",
-
- "intSubnet2Name": "internalSouth",
- "intSubnet2Id": "[concat(variables('vnetId'), '/subnets/', variables('intSubnet2Name'))]",
- "intSubnet2PrivateAddressPrefix": "[substring(parameters('SouthTrustedAddressStartIP'), 0, lastindexOf(parameters('SouthTrustedAddressStartIP'), '.'))]",
- "intSubnet2StartDirty": "[substring(parameters('SouthTrustedAddressStartIP'), lastIndexOf(parameters('SouthTrustedAddressStartIP'), '.'), sub(length(parameters('SouthTrustedAddressStartIP')), lastIndexOf(parameters('SouthTrustedAddressStartIP'), '.') ))]",
- "intSubnet2StartInt": "[replace(variables('intSubnet2StartDirty'), '.', '')]",
- "intSubnet2PrivateAddress": "[parameters('SouthTrustedAddressStartIP')]",
- "intSubnet2PrivateAddress1": "[concat(variables('intSubnet2PrivateAddressPrefix'), '.', add(int(variables('intSubnet2StartInt')), 1))]",
- "intSubnet2PrivateAddress2": "[concat(variables('intSubnet2PrivateAddressPrefix'), '.', add(int(variables('intSubnet2StartInt')), 10))]",
- "intSubnet2PrivateAddress3": "[concat(variables('intSubnet2PrivateAddressPrefix'), '.', add(int(variables('intSubnet2StartInt')), 11))]",
-
- "NorthboundLoadBalancerNameb": "[concat(variables('dnsLabelPrefix'),'-nb-ilb')]",
-
- "tmmRouteGw": "[concat(variables('extSubnetPrivateAddressPrefix'), '.1')]",
-
- "mgmtALBid": "[resourceId('Microsoft.Network/loadBalancers',variables('mgmtLoadBalancerName'))]",
- "sbILBid": "[resourceId('Microsoft.Network/loadBalancers',variables('SouthboundLoadBalancerName'))]",
- "SouthboundLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-sb-ilb')]",
- "ext2SubnetName": "external2",
- "ext2SubnetPrivateAddressPrefix": "[substring(parameters('SouthUntrustedAddressStartIP'), 0, lastindexOf(parameters('SouthUntrustedAddressStartIP'), '.'))]",
- "ext2SubnetStartDirty": "[substring(parameters('SouthUntrustedAddressStartIP'), lastIndexOf(parameters('SouthUntrustedAddressStartIP'), '.'), sub(length(parameters('SouthUntrustedAddressStartIP')), lastIndexOf(parameters('SouthUntrustedAddressStartIP'), '.')))]",
- "ext2SubnetStartInt": "[replace(variables('ext2SubnetStartDirty'), '.','')]",
- "ext2SubnetPrivateAddress": "[parameters('SouthUntrustedAddressStartIP')]",
- "ext2SubnetPrivateAddress1": "[concat(variables('ext2SubnetPrivateAddressPrefix'), '.',add(int(variables('ext2SubnetStartInt')), 1))]",
- "ext2SubnetId": "[concat(variables('vnetId'), '/subnets/', variables('ext2subnetName'))]",
-
- "tmmRoute2Gw": "[concat(variables('intSubnet2PrivateAddressPrefix'), '.1')]",
- "IPSILBid": "[resourceId('Microsoft.Network/loadBalancers',variables('IPSLoadBalancerName'))]",
- "IPSLoadBalancerName": "[concat(variables('dnsLabelPrefix'),'-ips-ilb')]",
- "IPSFirewallName": "[concat(variables('dnsLabelPrefix'),'-ips-fw')]",
- "IPSExtNicName": "[concat(variables('dnsLabelPrefix'), '-IPSExt')]",
- "IPSExtSubnetName": "ips-external",
- "IPSExtSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('IPSExtSubnetName'))]",
- "IPSExtSubnetPrivateAddressPrefix": "[substring(parameters('IPSUntrustedAddressStartIP'), 0, lastindexOf(parameters('IPSUntrustedAddressStartIP'), '.'))]",
- "IPSExtSubnetStartDirty": "[substring(parameters('IPSUntrustedAddressStartIP'), lastIndexOf(parameters('IPSUntrustedAddressStartIP'), '.'), sub(length(parameters('IPSUntrustedAddressStartIP')), lastIndexOf(parameters('IPSUntrustedAddressStartIP'), '.')))]",
- "IPSExtSubnetStartInt": "[replace(variables('IPSExtSubnetStartDirty'), '.','')]",
- "IPSExtSubnetPrivateAddress": "[parameters('IPSUntrustedAddressStartIP')]",
- "IPSExtSubnetPrivateAddress1": "[concat(variables('IPSExtSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSExtSubnetStartInt')), 1))]",
- "IPSExtSubnetPrivateAddress2": "[concat(variables('IPSExtSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSExtSubnetStartInt')), 10))]",
- "IPSExtSubnetPrivateAddress3": "[concat(variables('IPSExtSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSExtSubnetStartInt')), 11))]",
- "IPSIntNicName": "[concat(variables('dnsLabelPrefix'), '-IPSInt')]",
- "IPSIntSubnetName": "ips-internal",
- "IPSIntSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('IPSIntSubnetName'))]",
- "IPSIntSubnetPrivateAddressPrefix": "[substring(parameters('IPSTrustedAddressStartIP'), 0, lastindexOf(parameters('IPSTrustedAddressStartIP'), '.'))]",
- "IPSIntSubnetStartDirty": "[substring(parameters('IPSTrustedAddressStartIP'), lastIndexOf(parameters('IPSTrustedAddressStartIP'), '.'), sub(length(parameters('IPSTrustedAddressStartIP')), lastIndexOf(parameters('IPSTrustedAddressStartIP'), '.')))]",
- "IPSIntSubnetStartInt": "[replace(variables('IPSIntSubnetStartDirty'), '.','')]",
- "IPSIntSubnetPrivateAddress": "[parameters('IPSTrustedAddressStartIP')]",
- "IPSIntSubnetPrivateAddress1": "[concat(variables('IPSIntSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSIntSubnetStartInt')), 1))]",
- "IPSIntSubnetPrivateAddress2": "[concat(variables('IPSIntSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSIntSubnetStartInt')), 10))]",
- "IPSIntSubnetPrivateAddress3": "[concat(variables('IPSIntSubnetPrivateAddressPrefix'), '.', add(int(variables('IPSIntSubnetStartInt')), 11))]",
-
- "isAcceleratedNetworkingSupported": "[if(not(contains(parameters('bigIpVersion'), '14.1.200000')), bool('true'), bool('false'))]",
-
- "mgmtNicName": "[concat(variables('dnsLabelPrefix'), '-mgmt')]",
- "mgmtSubnetId": "[concat(variables('vnetId'), '/subnets/', variables('mgmtSubnetName'))]",
- "mgmtSubnetName": "management",
- "ManagementAddressSubnet": "192.168.1.0/24",
- "ManagementAddressStartIP": "192.168.1.4",
-
- "mgmtSubnetPrivateAddress": "[variables('ManagementAddressStartIP')]",
- "mgmtSubnetPrivateAddressPrefix": "[substring(variables('ManagementAddressStartIP'), 0, lastindexOf(variables('ManagementAddressStartIP'), '.'))]",
- "mgmtSubnetStartDirty": "[substring(variables('ManagementAddressStartIP'), lastIndexOf(variables('ManagementAddressStartIP'), '.'), sub(length(variables('ManagementAddressStartIP')), lastIndexOf(variables('ManagementAddressStartIP'), '.') ))]",
- "mgmtSubnetStartInt": "[replace(variables('mgmtSubnetStartDirty'), '.','')]",
- "mgmtSubnetPrivateAddress1": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 5))]",
- "mgmtSubnetPrivateAddress2": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 6))]",
- "mgmtSubnetPrivateAddress3": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 7))]",
- "mgmtSubnetPrivateAddress4": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 50))]",
- "mgmtSubnetPrivateAddress5": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 51))]",
- "mgmtSubnetPrivateAddress6": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 61))]",
- "mgmtSubnetPrivateAddress7": "[concat(variables('mgmtSubnetPrivateAddressPrefix'), '.',add(int(variables('mgmtSubnetStartInt')), 62))]",
-
- "stigCmdArray": {
- "true": "bash ./bigipstig.sh;",
- "false": ""
- },
- "cmdConfigStig": "[if(parameters('STIGDevice'), variables('stigCmdArray').true, variables('stigCmdArray').false)]",
- "createFWLogArray": {
- "true": "tmsh create security log profile local-afm-log { network replace-all-with { local-afm-log { publisher local-db-publisher filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled } } } };",
- "false": ""
- },
- "cmdcreateFWLog": "[if(contains(parameters('Tier1bigIpModules'), 'afm'), variables('createFWLogArray').true, variables('createFWLogArray').false)]",
- "cmdcreateFWLog2": "[if(contains(parameters('Tier3bigIpModules'), 'afm'), variables('createFWLogArray').true, variables('createFWLogArray').false)]",
- "createFWPolicyArray": {
- "true": "tmsh create security firewall policy log_all_afm rules add { allow_all { action accept log yes place-before first } deny_all { action reject log yes place-after allow_all } };",
- "false": ""
- },
- "cmdcreateFWPolicy": "[if(contains(parameters('Tier1bigIpModules'), 'afm'), variables('createFWPolicyArray').true, variables('createFWPolicyArray').false)]",
- "cmdcreateFWPolicy2": "[if(contains(parameters('Tier1bigIpModules'), 'afm'), variables('createFWPolicyArray').true, variables('createFWPolicyArray').false)]",
- "installDODRootCA": "unzip Certificates_PKCS7_v5.5_DoD.zip; openssl pkcs7 -print_certs -in ./Certificates_PKCS7_v5.5_DoD/Certificates_PKCS7_v5.5_DoD.pem.p7b -out DoD_Root_CA.cer; tmsh install sys crypto cert DODRoots from-local-file DoD_Root_CA.cer;",
- "firewallConfig": "[concat(variables('cmdcreateFWLog'), variables('cmdcreateFWPolicy'))]",
- "firewallConfig2": "[concat(variables('cmdcreateFWLog2'), variables('cmdcreateFWPolicy2'))]",
-
- "sacaConfig": "[variables('cmdConfigStig')]",
-
- "vdmsSubnetName": "VDMS",
- "windowsOSVersion": "2019-Datacenter",
- "WinvmName": "Bastion-Win-JB",
- "jbimageOffer": "UbuntuServer",
- "jbimagePublisher": "Canonical",
- "jblinuxConfiguration": {
- "disablePasswordAuthentication": true,
- "ssh": {
- "publicKeys": [
- {
- "keyData": "[parameters('adminPasswordOrKey')]",
- "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]"
- }
- ]
- }
- },
- "jbubuntuOSVersion": "18.04-LTS",
- "jbvmName": "[concat(variables('dnsLabelPrefix'), '-linux-jump')]",
- "jbvmSize": "Standard_A1",
- "linuxConfiguration": {
- "disablePasswordAuthentication": true,
- "ssh": {
- "publicKeys": [
- {
- "keyData": "[variables('adminPasswordOrKey')]",
- "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]"
- }
- ]
- }
- },
- "location": "[resourceGroup().location]",
-
- "networkApiVersion": "2017-11-01",
- "newCustomImageName": "[concat(variables('dnsLabelPrefix'), 'image')]",
- "newDataStorageAccountName": "[concat(uniqueString(variables('dnsLabelPrefix'), resourceGroup().id, deployment().name), 'data000')]",
- "numberOfExternalIps": 1,
-
- "osProfiles": {
- "password": {
- "adminPassword": "[variables('adminPasswordOrKey')]",
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('instanceName')]",
- "linuxConfiguration": "[json('null')]"
- },
- "sshPublicKey": {
- "adminUsername": "[parameters('adminUsername')]",
- "computerName": "[variables('instanceName')]",
- "linuxConfiguration": "[variables('linuxConfiguration')]"
- }
- },
- "premiumInstanceArray": [
- "Standard_DS2",
- "Standard_DS3",
- "Standard_DS4",
- "Standard_DS11",
- "Standard_DS12",
- "Standard_DS13",
- "Standard_DS14",
- "Standard_DS2_v2",
- "Standard_DS3_v2",
- "Standard_DS4_v2",
- "Standard_DS5_v2",
- "Standard_DS11_v2",
- "Standard_DS12_v2",
- "Standard_DS13_v2",
- "Standard_DS14_v2",
- "Standard_DS15_v2",
- "Standard_F2S",
- "Standard_F4S",
- "Standard_F8S",
- "Standard_F16S",
- "Standard_GS2",
- "Standard_GS3",
- "Standard_GS4",
- "Standard_GS5"
- ],
- "publicIPAddressType": "Static",
- "resourceGroupName": "[resourceGroup().name]",
-
- "routeCmd": "route",
- "singleQuote": "'",
-
- "imageNameToLower": "[toLower(parameters('imageName'))]",
- "skuToUse": "[variables('paygImageMap')[variables('imageNameToLower')]['sku']]",
- "offerToUse": "[variables('paygImageMap')[variables('imageNameToLower')]['offer']]",
- "imagePlan": {
- "name": "[variables('skuToUse')]",
- "product": "[variables('offerToUse')]",
- "publisher": "f5-networks"
- },
- "imageReference": {
- "offer": "[variables('offerToUse')]",
- "publisher": "f5-networks",
- "sku": "[variables('skuToUse')]",
- "version": "[parameters('bigIpVersion')]"
- },
- "storageApiVersion": "2017-10-01",
- "storageProfileArray": {
- "customImage": {
- "imageReference": {
- "id": "[if(variables('createNewCustomImage'), resourceId('Microsoft.Compute/images', variables('newCustomImageName')), variables('customImage'))]"
- }
- },
- "platformImage": {
- "imageReference": "[variables('imageReference')]",
- "osDisk": {
- "createOption": "FromImage"
- }
- }
- },
- "subscriptionID": "[subscription().subscriptionId]",
- "useCustomImage": "[not(empty(variables('customImage')))]",
- "verifyHash64": "Y2xpIHNjcmlwdCAvQ29tbW9uL3ZlcmlmeUhhc2ggewpwcm9jIHNjcmlwdDo6cnVuIHt9IHsKICAgICAgICBpZiB7W2NhdGNoIHsKICAgICAgICAgICAgc2V0IGhhc2hlcyhhc20tcG9saWN5LWxpbnV4LnRhci5neikgNjNiNWMyYTUxY2EwOWM0M2JkODlhZjM3NzNiYmFiODdjNzFhNmU3ZjZhZDk0MTBiMjI5YjRlMGExYzQ4M2Q0NmYxYTlmZmYzOWQ5OTQ0MDQxYjAyZWU5MjYwNzI0MDI3NDE0ZGU1OTJlOTlmNGMyNDc1NDE1MzIzZTE4YTcyZTAKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5odHRwLnYxLjIuMHJjNC50bXBsKSA0N2MxOWE4M2ViZmM3YmQxZTllOWMzNWYzNDI0OTQ1ZWY4Njk0YWE0MzdlZWRkMTdiNmEzODc3ODhkNGRiMTM5NmZlZmU0NDUxOTliNDk3MDY0ZDc2OTY3YjBkNTAyMzgxNTQxOTBjYTBiZDczOTQxMjk4ZmMyNTdkZjRkYzAzNAogICAgICAgICAgICBzZXQgaGFzaGVzKGY1Lmh0dHAudjEuMi4wcmM2LnRtcGwpIDgxMWIxNGJmZmFhYjVlZDAzNjVmMDEwNmJiNWNlNWU0ZWMyMjM4NTY1NWVhM2FjMDRkZTJhMzliZDk5NDRmNTFlMzcxNDYxOWRhZTdjYTQzNjYyYzk1NmI1MjEyMjI4ODU4ZjA1OTI2NzJhMjU3OWQ0YTg3NzY5MTg2ZTJjYmZlCiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuaHR0cC52MS4yLjByYzcudG1wbCkgMjFmNDEzMzQyZTlhN2EyODFhMGYwZTEzMDFlNzQ1YWE4NmFmMjFhNjk3ZDJlNmZkYzIxZGQyNzk3MzQ5MzY2MzFlOTJmMzRiZjFjMmQyNTA0YzIwMWY1NmNjZDc1YzVjMTNiYWEyZmU3NjUzMjEzNjg5ZWMzYzllMjdkZmY3N2QKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5hd3NfYWR2YW5jZWRfaGEudjEuMy4wcmMxLnRtcGwpIDllNTUxNDljMDEwYzFkMzk1YWJkYWUzYzNkMmNiODNlYzEzZDMxZWQzOTQyNDY5NWU4ODY4MGNmM2VkNWEwMTNkNjI2YjMyNjcxMWQzZDQwZWYyZGY0NmI3MmQ0MTRiNGNiOGU0ZjQ0NWVhMDczOGRjYmQyNWM0Yzg0M2FjMzlkCiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuYXdzX2FkdmFuY2VkX2hhLnYxLjQuMHJjMS50bXBsKSBkZTA2ODQ1NTI1NzQxMmE5NDlmMWVhZGNjYWVlODUwNjM0N2UwNGZkNjliZmI2NDUwMDFiNzZmMjAwMTI3NjY4ZTRhMDZiZTJiYmI5NGUxMGZlZmMyMTVjZmMzNjY1YjA3OTQ1ZTZkNzMzY2JlMWE0ZmExYjg4ZTg4MTU5MDM5NgogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LmF3c19hZHZhbmNlZF9oYS52MS40LjByYzIudG1wbCkgNmFiMGJmZmM0MjZkZjdkMzE5MTNmOWE0NzRiMWEwNzg2MDQzNWUzNjZiMDdkNzdiMzIwNjRhY2ZiMjk1MmMxZjIwN2JlYWVkNzcwMTNhMTVlNDRkODBkNzRmMzI1M2U3Y2Y5ZmJiZTEyYTkwZWM3MTI4ZGU2ZmFjZDA5N2Q2OGYKICAgICAgICAgICAgc2V0IGhhc2hlcyhmNS5hd3NfYWR2YW5jZWRfaGEudjEuNC4wcmMzLnRtcGwpIDJmMjMzOWI0YmMzYTIzYzljZmQ0MmFhZTJhNmRlMzliYTA2NTgzNjZmMjU5ODVkZTJlYTUzNDEwYTc0NWYwZjE4ZWVkYzQ5MWIyMGY0YThkYmE4ZGI0ODk3MDA5NmUyZWZkY2E3YjhlZmZmYTFhODNhNzhlNWFhZGYyMThiMTM0CiAgICAgICAgICAgIHNldCBoYXNoZXMoZjUuYXdzX2FkdmFuY2VkX2hhLnYxLjQuMHJjNC50bXBsKSAyNDE4YWM4YjFmMTg4NGM1YzA5NmNiYWM2YTk0ZDQwNTlhYWFmMDU5MjdhNmE0NTA4ZmQxZjI1YjhjYzYwNzc0OTg4MzlmYmRkYTgxNzZkMmNmMmQyNzRhMjdlNmExZGFlMmExZTNhMGE5OTkxYmM2NWZjNzRmYzBkMDJjZTk2MwogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LmF3c19hZHZhbmNlZF9oYS52MS40LjByYzUudG1wbCkgNWU1ODIxODdhZTFhNjMyM2UwOTVkNDFlZGRkNDExNTFkNmJkMzhlYjgzYzYzNDQxMGQ0NTI3YTNkMGUyNDZhOGZjNjI2ODVhYjA4NDlkZTJhZGU2MmIwMjc1ZjUxMjY0ZDJkZWFjY2JjMTZiNzczNDE3Zjg0N2E0YTFlYTliYzQKICAgICAgICAgICAgc2V0IGhhc2hlcyhhc20tcG9saWN5LnRhci5neikgMmQzOWVjNjBkMDA2ZDA1ZDhhMTU2N2ExZDhhYWU3MjI0MTllOGIwNjJhZDc3ZDZkOWEzMTY1Mjk3MWU1ZTY3YmM0MDQzZDgxNjcxYmEyYThiMTJkZDIyOWVhNDZkMjA1MTQ0Zjc1Mzc0ZWQ0Y2FlNThjZWZhOGY5YWI2NTMzZTYKICAgICAgICAgICAgc2V0IGhhc2hlcyhkZXBsb3lfd2FmLnNoKSAxYTNhM2M2Mjc0YWIwOGE3ZGMyY2I3M2FlZGM4ZDJiMmEyM2NkOWUwZWIwNmEyZTE1MzRiMzYzMmYyNTBmMWQ4OTcwNTZmMjE5ZDViMzVkM2VlZDEyMDcwMjZlODk5ODlmNzU0ODQwZmQ5Mjk2OWM1MTVhZTRkODI5MjE0ZmI3NAogICAgICAgICAgICBzZXQgaGFzaGVzKGY1LnBvbGljeV9jcmVhdG9yLnRtcGwpIDA2NTM5ZTA4ZDExNWVmYWZlNTVhYTUwN2VjYjRlNDQzZTgzYmRiMWY1ODI1YTk1MTQ5NTRlZjZjYTU2ZDI0MGVkMDBjN2I1ZDY3YmQ4ZjY3YjgxNWVlOWRkNDY0NTE5ODQ3MDFkMDU4Yzg5ZGFlMjQzNGM4OTcxNWQzNzVhNjIwCgogICAgICAgICAgICBzZXQgZmlsZV9wYXRoIFtsaW5kZXggJHRtc2g6OmFyZ3YgMV0KICAgICAgICAgICAgc2V0IGZpbGVfbmFtZSBbZmlsZSB0YWlsICRmaWxlX3BhdGhdCgogICAgICAgICAgICBpZiB7IVtpbmZvIGV4aXN0cyBoYXNoZXMoJGZpbGVfbmFtZSldfSB7CiAgICAgICAgICAgICAgICB0bXNoOjpsb2cgZXJyICJObyBoYXNoIGZvdW5kIGZvciAkZmlsZV9uYW1lIgogICAgICAgICAgICAgICAgZXhpdCAxCiAgICAgICAgICAgIH0KCiAgICAgICAgICAgIHNldCBleHBlY3RlZF9oYXNoICRoYXNoZXMoJGZpbGVfbmFtZSkKICAgICAgICAgICAgc2V0IGNvbXB1dGVkX2hhc2ggW2xpbmRleCBbZXhlYyAvdXNyL2Jpbi9vcGVuc3NsIGRnc3QgLXIgLXNoYTUxMiAkZmlsZV9wYXRoXSAwXQogICAgICAgICAgICBpZiB7ICRleHBlY3RlZF9oYXNoIGVxICRjb21wdXRlZF9oYXNoIH0gewogICAgICAgICAgICAgICAgZXhpdCAwCiAgICAgICAgICAgIH0KICAgICAgICAgICAgdG1zaDo6bG9nIGVyciAiSGFzaCBkb2VzIG5vdCBtYXRjaCBmb3IgJGZpbGVfcGF0aCIKICAgICAgICAgICAgZXhpdCAxCiAgICAgICAgfV19IHsKICAgICAgICAgICAgdG1zaDo6bG9nIGVyciB7VW5leHBlY3RlZCBlcnJvciBpbiB2ZXJpZnlIYXNofQogICAgICAgICAgICBleGl0IDEKICAgICAgICB9CiAgICB9Cn0=",
- "installCloudLibs64": "IyEvYmluL2Jhc2gKZWNobyAgYWJvdXQgdG8gZXhlY3V0ZQpjaGVja3M9MAp3aGlsZSBbICRjaGVja3MgLWx0IDEyMCBdOyBkbyBlY2hvIGNoZWNraW5nIG1jcGQKICAgIHRtc2ggLWEgc2hvdyBzeXMgbWNwLXN0YXRlIGZpZWxkLWZtdCB8IGdyZXAgLXEgcnVubmluZwogICBpZiBbICQ/ID09IDAgXTsgdGhlbgogICAgICAgZWNobyBtY3BkIHJlYWR5CiAgICAgICBicmVhawogICBmaQogICBlY2hvIG1jcGQgbm90IHJlYWR5IHlldAogICBsZXQgY2hlY2tzPWNoZWNrcysxCiAgIHNsZWVwIDEwCmRvbmUgCgplY2hvICBleHBhbmRpbmcgZjUtY2xvdWQtbGlicy50YXIuZ3oKdGFyIHh2ZnogL2NvbmZpZy9jbG91ZC9mNS1jbG91ZC1saWJzLnRhci5neiAtQyAvY29uZmlnL2Nsb3VkL2F6dXJlL25vZGVfbW9kdWxlcy9AZjVkZXZjZW50cmFsCmVjaG8gIGNsb3VkIGxpYnMgaW5zdGFsbCBjb21wbGV0ZQp0b3VjaCAvY29uZmlnL2Nsb3VkL2Nsb3VkTGlic1JlYWR5",
- "virtualNetworkName": "SCCA_VNet",
- "vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]"
- },
- "resources": [
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[not(equals(variables('numberOfExternalIps'),0))]",
- "copy": {
- "count": "[if(not(equals(variables('numberOfExternalIps'), 0)), variables('numberOfExternalIps'), 1)]",
- "name": "extpipcopy"
- },
- "location": "[variables('location')]",
- "name": "[concat(variables('extPublicIPAddressNamePrefix'), copyIndex())]",
- "properties": {
- "idleTimeoutInMinutes": 30,
- "publicIPAllocationMethod": "[variables('publicIPAddressType')]",
- "dnsSettings": {
- "domainNameLabel": "[concat(variables('dnsLabelPrefix'), '-0')]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/publicIPAddresses"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('NorthboundLoadBalancerType'),'Private-ilb')]",
- "location": "[variables('location')]",
- "name": "[variables('mgmtPublicIPAddressName')]",
- "properties": {
- "dnsSettings": {
- "domainNameLabel": "[concat(variables('dnsLabelPrefix'), '-1')]"
- },
- "idleTimeoutInMinutes": 30,
- "publicIPAllocationMethod": "[variables('publicIPAddressType')]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/publicIPAddresses"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('virtualNetworkName')]",
- "properties": {
- "addressSpace": {
- "addressPrefixes": [
- "[parameters('NorthUntrustedAddressSubnet')]",
- "[parameters('NorthTrustedAddressSubnet')]",
- "[variables('ManagementAddressSubnet')]",
- "[parameters('SouthUntrustedAddressSubnet')]",
- "[parameters('SouthTrustedAddressSubnet')]",
- "[parameters('IPSUntrustedAddressSubnet')]",
- "[parameters('IPSTrustedAddressSubnet')]",
- "[parameters('VDMSAddressSubnet')]"
- ]
- },
- "subnets": [
- {
- "name": "[variables('mgmtSubnetName')]",
- "properties": {
- "addressPrefix": "[variables('ManagementAddressSubnet')]"
- }
- },
- {
- "name": "[variables('extSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('NorthUntrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('ext2SubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('SouthUntrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('intSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('NorthTrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('intSubnet2Name')]",
- "properties": {
- "addressPrefix": "[parameters('SouthTrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('IPSExtSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('IPSUntrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('IPSIntSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('IPSTrustedAddressSubnet')]"
- }
- },
- {
- "name": "[variables('vdmsSubnetName')]",
- "properties": {
- "addressPrefix": "[parameters('VDMSAddressSubnet')]"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/virtualNetworks"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "[variables('nbALbId')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('mgmtLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '0')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndMgmtPoolArray'), 1), skip(variables('backEndMgmtPoolArray'), 1))]",
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "[variables('nbALbId')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('mgmtLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '1')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndMgmtPoolArray'), 1), skip(variables('backEndMgmtPoolArray'), 1))]",
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "[variables('nbALbId')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('mgmtLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '2')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndMgmtPoolArray'), 1), skip(variables('backEndMgmtPoolArray'), 1))]",
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "[variables('nbALbId')]",
- "[concat('Microsoft.Network/loadBalancers/', variables('mgmtLoadBalancerName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '3')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndMgmtPoolArray'), 1), skip(variables('backEndMgmtPoolArray'), 1))]",
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '4')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress4')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '5')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress5')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '6')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress6')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('mgmtNicName'), '7')]",
- "properties": {
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-mgmt-ipconfig')]",
- "properties": {
- "privateIPAddress": "[variables('mgmtSubnetPrivateAddress7')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('mgmtSubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "extpipcopy",
- "[variables('nbALbId')]",
- "[variables('nbILbId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '0')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig0')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndAddressPoolArray'), 1), skip(variables('backEndAddressPoolArray'), 1))]",
- "primary": false,
- "privateIPAddress": "[concat(variables('extSubnetPrivateAddressPrefix'), '.',10)]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "extpipcopy",
- "[variables('nbALbId')]",
- "[variables('nbILbId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '1')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('extSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig1')]",
- "properties": {
- "loadBalancerBackendAddressPools": "[if(equals(parameters('NorthboundLoadBalancerType'),'Public-alb'), take(variables('backEndAddressPoolArray'), 1), skip(variables('backEndAddressPoolArray'), 1))]",
- "primary": false,
- "privateIPAddress": "[concat(variables('extSubnetPrivateAddressPrefix'), '.', 11)]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "networkSecurityGroup": {
- "id": "[concat(variables('extNsgId'))]"
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('sbILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '2')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('ext2SubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('ext2SubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig2')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- "[variables('SBBackEndAddressPool')]"
- ],
- "primary": false,
- "privateIPAddress": "[concat(variables('ext2SubnetPrivateAddressPrefix'), '.',10)]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('ext2SubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('sbILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('extNicName'), '3')]",
- "properties": {
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('instanceName'), '-self-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('ext2SubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('ext2SubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('resourceGroupName'), '-ext-ipconfig3')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- "[variables('SBBackEndAddressPool')]"
- ],
- "primary": false,
- "privateIPAddress": "[concat(variables('ext2SubnetPrivateAddressPrefix'), '.',11)]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('ext2SubnetId')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '0')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('intSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('extNsgID')]",
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '1')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('intSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('sbILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '2')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnet2PrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnet2Id')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('intSubnet2PrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnet2Id')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('sbILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('intNicName'), '3')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": "[variables('isAcceleratedNetworkingSupported')]",
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('intSubnet2PrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnet2Id')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('intSubnet2PrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('intSubnet2Id')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('IPSILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('IPSExtNicName'), '0')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-ext-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('IPSExtSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- "[variables('IPSBackEndAddressPool')]"
- ],
- "privateIPAddress": "[variables('IPSExtSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]",
- "[variables('IPSILBid')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('IPSExtNicName'), '1')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-ext-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('IPSExtSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "loadBalancerBackendAddressPools": [
- "[variables('IPSBackEndAddressPool')]"
- ],
- "privateIPAddress": "[variables('IPSExtSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('IPSIntNicName'), '0')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('IPSIntSubnetPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSIntSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('IPSIntSubnetPrivateAddress2')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSIntSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('IPSIntNicName'), '1')]",
- "properties": {
- "enableIPForwarding": true,
- "enableAcceleratedNetworking": true,
- "ipConfigurations": [
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig')]",
- "properties": {
- "primary": true,
- "privateIPAddress": "[variables('IPSIntSubnetPrivateAddress1')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSIntSubnetId')]"
- }
- }
- },
- {
- "name": "[concat(variables('dnsLabelPrefix'), '-int-ipconfig-secondary')]",
- "properties": {
- "privateIPAddress": "[variables('IPSIntSubnetPrivateAddress3')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSIntSubnetId')]"
- }
- }
- }
- ],
- "primary": true
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkInterfaces"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-ext-nsg')]",
- "properties": {
- "securityRules": [
- {
- "name": "ext_allow_https",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "443",
- "direction": "Inbound",
- "priority": 101,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- },
- {
- "name": "ssh_allow_22",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "22",
- "direction": "Inbound",
- "priority": 102,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- },
- {
- "name": "rdp_allow_3389",
- "properties": {
- "access": "Allow",
- "description": "",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "3389",
- "direction": "Inbound",
- "priority": 103,
- "protocol": "Tcp",
- "sourceAddressPrefix": "[parameters('restrictedSrcAddress')]",
- "sourcePortRange": "*"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/networkSecurityGroups"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('NorthboundLoadBalancerType'),'Public-alb')]",
- "dependsOn": [
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[variables('NorthboundLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- },
- {
- "name": "loadBalancerMgmtBackEnd"
- }
- ],
- "copy": [
- {
- "count": "[if(not(equals(variables('numberOfExternalIps'), 0)), variables('numberOfExternalIps'), 1)]",
- "input": {
- "name": "[concat('loadBalancerFrontEnd', copyIndex('frontendIPConfigurations', 1))]",
- "properties": {
- "publicIPAddress": {
- "id": "[concat(variables('extPublicIPAddressIdPrefix'), sub(copyIndex('frontendIPConfigurations', 1), 1))]"
- }
- }
- },
- "name": "frontendIPConfigurations"
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 3389,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "protocol": "Http",
- "port": 80,
- "requestPath": "/",
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "https_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 3,
- "port": 443,
- "protocol": "Tcp"
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 3389,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/probes/rdp_alive')]"
- }
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 22,
- "backendPort": 22,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/probes/ssh_alive')]"
- }
- }
- },
- {
- "Name": "management_outbound",
- "properties": {
- "backendPort": 8443,
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd1')]"
- },
- "frontendPort": 8443,
- "idleTimeoutInMinutes": 15,
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/backendAddressPools/loadBalancerMgmtBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerName')), '/probes/https_alive')]"
- },
- "protocol": "Tcp"
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('NorthboundLoadBalancerType'),'Private-ilb')]",
- "dependsOn": [
- "extpipcopy"
- ],
- "location": "[variables('location')]",
- "name": "[variables('NorthboundLoadBalancerNameb')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "loadBalancerFrontEnd",
- "properties": {
- "privateIPAddress": "[parameters('NorthUntrustedLBPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('extSubnetId')]"
- }
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 3389,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "protocol": "Http",
- "port": 80,
- "requestPath": "/",
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 3389,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/probes/rdp_alive')]"
- }
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 22,
- "backendPort": 22,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('NorthboundLoadBalancerNameb')), '/probes/ssh_alive')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('SouthboundLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "loadBalancerFrontEnd",
- "properties": {
- "privateIPAddress": "[parameters('SouthUntrustedLBPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('ext2SubnetId')]"
- }
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 3389,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "protocol": "Http",
- "port": 80,
- "requestPath": "/",
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 3389,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/probes/rdp_alive')]"
- }
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 22,
- "backendPort": 22,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('SouthboundLoadBalancerName')), '/probes/ssh_alive')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[variables('vnetId')]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('IPSLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "loadBalancerFrontEnd",
- "properties": {
- "privateIPAddress": "[parameters('IPSUntrustedLBPrivateAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('IPSExtSubnetId')]"
- }
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "rdp_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 3389,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "http_alive",
- "properties": {
- "protocol": "Http",
- "port": 80,
- "requestPath": "/",
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- },
- {
- "name": "https_alive",
- "properties": {
- "intervalInSeconds": 15,
- "numberOfProbes": 3,
- "port": 443,
- "protocol": "Tcp"
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "rdp_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 3389,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/probes/rdp_alive')]"
- }
- }
- },
- {
- "name": "ssh_vs",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 22,
- "backendPort": 22,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/backendAddressPools/loadBalancerBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('IPSLoadBalancerName')), '/probes/ssh_alive')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('networkApiVersion')]",
- "sku": {
- "name": "Standard"
- },
- "condition": "[equals(parameters('NorthboundLoadBalancerType'),'Private-ilb')]",
- "dependsOn": [
- "[concat('Microsoft.Network/publicIPAddresses/', variables('mgmtPublicIPAddressName'))]"
- ],
- "location": "[variables('location')]",
- "name": "[variables('mgmtLoadBalancerName')]",
- "properties": {
- "backendAddressPools": [
- {
- "name": "loadBalancerMgmtBackEnd"
- }
- ],
- "frontendIPConfigurations": [
- {
- "name": "loadBalancerFrontEnd",
- "properties": {
- "privateIPAllocationMethod": "Dynamic",
- "publicIPAddress": {
- "id": "[variables('mgmtPublicIPAddressIdPrefix')]"
- },
- "privateIPAddressVersion": "IPv4"
- }
- }
- ],
- "probes": [
- {
- "name": "ssh_alive",
- "properties": {
- "protocol": "Tcp",
- "port": 22,
- "intervalInSeconds": 15,
- "numberOfProbes": 2
- }
- }
- ],
- "loadBalancingRules": [
- {
- "name": "for_outbound",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('mgmtLoadBalancerName')), '/frontendIpConfigurations/loadBalancerFrontEnd')]"
- },
- "frontendPort": 1234,
- "backendPort": 3389,
- "enableFloatingIP": false,
- "idleTimeoutInMinutes": 4,
- "protocol": "Tcp",
- "loadDistribution": "Default",
- "backendAddressPool": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('mgmtLoadBalancerName')), '/backendAddressPools/loadBalancerMgmtBackEnd')]"
- },
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', variables('mgmtLoadBalancerName')), '/probes/ssh_alive')]"
- }
- }
- }
- ]
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Network/loadBalancers"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName0')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName1')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName2')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "location": "[variables('location')]",
- "name": "[variables('availabilitySetName3')]",
- "properties": {
- "PlatformFaultDomainCount": 2,
- "PlatformUpdateDomainCount": 2
- },
- "sku": {
- "name": "Aligned"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/availabilitySets"
- },
- {
- "apiVersion": "[variables('storageApiVersion')]",
- "kind": "Storage",
- "location": "[variables('location')]",
- "name": "[variables('newDataStorageAccountName')]",
- "properties": {
- "supportsHttpsTrafficOnly": true
- },
- "sku": {
- "name": "[variables('dataStorageAccountType')]",
- "tier": "Standard"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Storage/storageAccounts"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "condition": "[and(variables('useCustomImage'), variables('createNewCustomImage'))]",
- "location": "[variables('location')]",
- "name": "[variables('newCustomImageName')]",
- "properties": {
- "storageProfile": {
- "osDisk": {
- "blobUri": "[variables('customImage')]",
- "osState": "Generalized",
- "osType": "Linux",
- "storageAccountType": "[if(contains(variables('premiumInstanceArray'), parameters('instanceType')), 'Premium_LRS', 'Standard_LRS')]"
- }
- }
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/images"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName0'))]",
- "[variables('newCustomImageName')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '0')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId0')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '0'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')]]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName0'))]",
- "[variables('newCustomImageName')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '1')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId0')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '1'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')]]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName1'))]",
- "[variables('newCustomImageName')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '2')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '2')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '2')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId1')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '2'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '2'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '2'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')]]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName1'))]",
- "[variables('newCustomImageName')]",
- "[variables('WinvmName')]",
- "[variables('jbvmName')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '3')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('extNicName'), '3')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('intNicName'), '3')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]",
- "plan": "[if(variables('useCustomImage'), json('null'), variables('imagePlan'))]",
- "properties": {
- "availabilitySet": "[variables('availabilitySetId1')]",
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).primaryEndpoints.blob]"
- }
- },
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '3'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('extNicName'), '3'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('intNicName'), '3'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "osProfile": "[variables('osProfiles')[parameters('authenticationType')]]",
- "storageProfile": "[if(variables('useCustomImage'), variables('storageProfileArray').customImage, variables('storageProfileArray').platformImage)]"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines"
- },
- {
- "apiVersion": "2018-10-01",
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[concat(variables('IPSFirewallName'), '0')]",
- "location": "[variables('location')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName2'))]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '6')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('IPSExtNicName'), '0')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('IPSIntNicName'), '0')]"
- ],
- "properties": {
- "availabilitySet": "[variables('availabilitySetId2')]",
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "osProfile": {
- "computerName": "[concat(variables('IPSFirewallName'), '0')]",
- "adminUsername": "[parameters('adminUsername')]",
- "adminPassword": "[parameters('adminPasswordOrKey')]",
- "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), json('null'), variables('jblinuxConfiguration'))]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "[variables('jbimagePublisher')]",
- "offer": "[variables('jbimageOffer')]",
- "sku": "[variables('jbubuntuOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- },
- "dataDisks": [
- {
- "diskSizeGB": 1023,
- "lun": 0,
- "createOption": "Empty"
- }
- ]
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '6'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('IPSExtNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('IPSIntNicName'), '0'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
- }
- }
- }
- },
- {
- "apiVersion": "2018-10-01",
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[concat(variables('IPSFirewallName'), '1')]",
- "location": "[variables('location')]",
- "condition": "[equals(parameters('IPSTier'),'Yes')]",
- "dependsOn": [
- "[concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[concat('Microsoft.Compute/availabilitySets/', variables('availabilitySetName2'))]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('mgmtNicName'), '7')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('IPSExtNicName'), '1')]",
- "[concat('Microsoft.Network/networkInterfaces/', variables('IPSIntNicName'), '1')]"
- ],
- "properties": {
- "availabilitySet": "[variables('availabilitySetId2')]",
- "hardwareProfile": {
- "vmSize": "[parameters('instanceType')]"
- },
- "osProfile": {
- "computerName": "[concat(variables('IPSFirewallName'), '1')]",
- "adminUsername": "[parameters('adminUsername')]",
- "adminPassword": "[parameters('adminPasswordOrKey')]",
- "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), json('null'), variables('jblinuxConfiguration'))]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "[variables('jbimagePublisher')]",
- "offer": "[variables('jbimageOffer')]",
- "sku": "[variables('jbubuntuOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- },
- "dataDisks": [
- {
- "diskSizeGB": 1023,
- "lun": 0,
- "createOption": "Empty"
- }
- ]
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '7'))]",
- "properties": {
- "primary": true
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('IPSExtNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- },
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('IPSIntNicName'), '1'))]",
- "properties": {
- "primary": false
- }
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
- }
- }
- }
- },
- {
- "apiVersion": "2018-10-01",
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[variables('jbvmName')]",
- "location": "[variables('location')]",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '4'))]"
- ],
- "properties": {
- "hardwareProfile": {
- "vmSize": "[variables('jbvmSize')]"
- },
- "osProfile": {
- "computerName": "[variables('jbvmName')]",
- "adminUsername": "[parameters('adminUsername')]",
- "adminPassword": "[parameters('adminPasswordOrKey')]",
- "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), json('null'), variables('jblinuxConfiguration'))]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "[variables('jbimagePublisher')]",
- "offer": "[variables('jbimageOffer')]",
- "sku": "[variables('jbubuntuOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- },
- "dataDisks": [
- {
- "diskSizeGB": 1023,
- "lun": 0,
- "createOption": "Empty"
- }
- ]
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '4'))]"
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName')), '2016-01-01').primaryEndpoints.blob)]"
- }
- }
- }
- },
- {
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[variables('WinvmName')]",
- "location": "[variables('location')]",
- "apiVersion": "2018-10-01",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))]",
- "[resourceId('Microsoft.Network/networkInterfaces/', concat(variables('mgmtNicName'), '5'))]"
- ],
- "properties": {
- "hardwareProfile": {
- "vmSize": "Standard_A2"
- },
- "osProfile": {
- "computerName": "[variables('WinvmName')]",
- "adminUsername": "[parameters('adminUsername')]",
- "adminPassword": "[parameters('WindowsAdminPassword')]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "MicrosoftWindowsServer",
- "offer": "WindowsServer",
- "sku": "[variables('windowsOSVersion')]",
- "version": "latest"
- },
- "osDisk": {
- "createOption": "FromImage"
- },
- "dataDisks": [
- {
- "diskSizeGB": 1023,
- "lun": 0,
- "createOption": "Empty"
- }
- ]
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('mgmtNicName'), '5'))]"
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('newDataStorageAccountName'))).primaryEndpoints.blob]"
- }
- }
- }
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '0/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '0.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('Tier1bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[variables('enableNetworkFailover')].first, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress'), ' --create-group --device-group Sync --sync-type sync-failover --device ', concat(variables('instanceName'), '0.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --network-failover --auto-sync --save-on-auto-sync;', variables('firewallConfig'), ' bash /config/cloud/deploy_app.sh ', variables('commandArgs'), '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('installDODRootCA'), variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/Certificates_PKCS7_v5.5_DoD.zip",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh",
- "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/working/asm/15.1/sccaBaselineASMPolicy.xml"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '1/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '1.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('Tier1bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRouteGw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress1'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress1'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[variables('enableNetworkFailover')].second, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress1'), ' --join-group --device-group Sync --sync --remote-host ', variables('mgmtSubnetPrivateAddress'), ' --remote-user svc_user --remote-password-url file:///config/cloud/.passwd', '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '2/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress2'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '2.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('Tier3bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress2'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRoute2Gw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('ext2SubnetPrivateAddress'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnet2PrivateAddress'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[variables('enableNetworkFailover')].third, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress2'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnet2PrivateAddress'), ' --create-group --device-group Sync --sync-type sync-failover --device ', concat(variables('instanceName'), '2.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --network-failover --auto-sync --save-on-auto-sync;', variables('firewallConfig2'), ' bash /config/cloud/deploy_app.sh ', variables('commandArgs2'), '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('installDODRootCA'), variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/Certificates_PKCS7_v5.5_DoD.zip",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh",
- "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/working/asm/15.1/sccaBaselineASMPolicy.xml"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- },
- {
- "apiVersion": "[variables('computeApiVersion')]",
- "dependsOn": [
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '0')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '1')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '2')]",
- "[concat('Microsoft.Compute/virtualMachines/', variables('dnsLabelPrefix'), '-', variables('instanceName'), '3')]"
- ],
- "location": "[variables('location')]",
- "name": "[concat(variables('dnsLabelPrefix'), '-', variables('instanceName'), '3/start')]",
- "properties": {
- "autoUpgradeMinorVersion": "true",
- "protectedSettings": {
- "commandToExecute": "[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash64'), ' | base64 -d > /config/verifyHash; echo -e ', variables('installCloudLibs64'), ' | base64 -d > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress3'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '3.', variables('location'), '.cloudapp.usgovcloudapi.net'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('Tier3bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress3'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', variables('tmmRoute2Gw'), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 --self-ip name:self_2nic,address:', variables('ext2SubnetPrivateAddress1'), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnet2PrivateAddress1'), ',vlan:internal --log-level info; ', variables('failoverCmdArray')[variables('enableNetworkFailover')].fourth, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress3'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnet2PrivateAddress1'), ' --join-group --device-group Sync --sync --remote-host ', variables('mgmtSubnetPrivateAddress2'), ' --remote-user svc_user --remote-password-url file:///config/cloud/.passwd', '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi', ';', variables('sacaConfig'))]"
- },
- "publisher": "Microsoft.Azure.Extensions",
- "settings": {
- "fileUris": [
- "[concat('https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/resources/', variables('f5AS3Build'))]",
- "https://raw.githubusercontent.com/F5Networks/f5-cloud-libs/master/dist/f5-cloud-libs.tar.gz",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-service-discovery/', variables('f5CloudIappsSdTag'), '/f5.service_discovery.tmpl')]",
- "[concat('https://cdn.f5.com/product/cloudsolutions/iapps/common/f5-cloud-logger/', variables('f5CloudIappsLoggerTag'), '/f5.cloud_logger.v1.0.0.tmpl')]",
- "https://raw.githubusercontent.com/f5devcentral/f5-azure-saca/master/SACAv2/STIG/bigipstig.sh"
- ]
- },
- "type": "CustomScript",
- "typeHandlerVersion": "2.0"
- },
- "tags": "[if(empty(variables('tagValues')), json('null'), variables('tagValues'))]",
- "type": "Microsoft.Compute/virtualMachines/extensions"
- }
- ],
- "outputs": {
- "RDP-URL": {
- "type": "string",
- "value": "[concat('rdp://',reference(concat(variables('extPublicIPAddressNamePrefix'), '0')).dnsSettings.fqdn)]"
- },
- "SSH-URL": {
- "type": "string",
- "value": "[concat('ssh://', parameters('adminUsername'), '@', reference(concat(variables('extPublicIPAddressNamePrefix'), '0')).dnsSettings.fqdn)]"
- }
- }
-}
\ No newline at end of file
diff --git a/SACAv2/LICENSE b/SACAv2/LICENSE
deleted file mode 100644
index 3ecc6ba..0000000
--- a/SACAv2/LICENSE
+++ /dev/null
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2019 Mikej81
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
\ No newline at end of file
diff --git a/SACAv2/STIG/bigipstig.sh b/SACAv2/STIG/bigipstig.sh
deleted file mode 100644
index 4511464..0000000
--- a/SACAv2/STIG/bigipstig.sh
+++ /dev/null
@@ -1,80 +0,0 @@
-################################################
-## BashSRG - Bash STIG/SRG configuration Script
-## Michael Coleman. M.Coleman@F5.com
-## Modified by r.eastman@f5.com
-
-################################################
-#!/bin/sh
-###change 1
-
-echo
-echo "###############################################"
-echo " BASHSRG - Bash STIG/SRG Configuration Script"
-echo " Michael Coleman. M.Coleman@F5.com. Modified by r.eastman@f5.com"
-
-echo "###############################################"
-tmsh modify sys sshd inactivity-timeout 900
-tmsh modify sys sshd banner enabled
-tmsh modify sys sshd banner-text "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
-tmsh modify sys sshd include '"Protocol 2
-MaxAuthTries 3
-Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes256-cbc
-MACs hmac-sha1,hmac-ripemd160
-LoginGraceTime 60
-MaxStartups 5"'
-tmsh modify sys ntp timezone UTC
-tmsh modify sys global-settings gui-security-banner enabled
-tmsh modify sys global-settings gui-security-banner-text "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
-tmsh modify sys db ui.advisory.enabled value true
-tmsh modify sys db ui.advisory.color value green
-tmsh modify sys db ui.advisory.text value "//UNCLASSIFIED//"
-tmsh modify sys db ui.system.preferences.advancedselection value advanced
-tmsh modify sys db ui.system.preferences.recordsperscreen value 100
-tmsh modify sys db ui.system.preferences.startscreen value network_map
-tmsh modify sys db ui.users.redirectsuperuserstoauthsummary value true
-tmsh modify sys db dns.cache value enable
-tmsh modify sys httpd auth-pam-dashboard-timeout on
-tmsh modify sys httpd max-clients 10
-tmsh modify sys httpd auth-pam-idle-timeout 900
-tmsh modify sys httpd ssl-ciphersuite 'DEFAULT:!aNULL:!eNULL:!EXPORT:!EXP:!ADH:!DES:!RC4:!RSA:!LOW:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE'
-tmsh modify sys httpd ssl-protocol 'all -SSLv2 -SSLv3 -TLSv1'
-tmsh modify sys httpd redirect-http-to-https enabled
-tmsh modify sys software update auto-check disabled
-tmsh modify sys software update auto-phonehome disabled
-tmsh modify sys snmp communities delete { comm-public }
-tmsh modify sys daemon-log-settings tmm os-log-level informational
-tmsh modify sys daemon-log-settings tmm ssl-log-level informational
-tmsh modify sys daemon-log-settings mcpd audit enabled
-tmsh modify sys daemon-log-settings mcpd log-level notice
-tmsh modify auth password-policy expiration-warning 7
-tmsh modify auth password-policy max-duration 90
-tmsh modify auth password-policy max-login-failures 3
-tmsh modify auth password-policy min-duration 1
-tmsh modify auth password-policy minimum-length 8
-tmsh modify auth password-policy password-memory 3
-tmsh modify auth password-policy policy-enforcement enabled
-tmsh modify auth password-policy required-lowercase 2
-tmsh modify auth password-policy required-numeric 2
-tmsh modify auth password-policy required-special 2
-tmsh modify auth password-policy required-uppercase 2
-tmsh modify sys httpd include '"
-# File ETAG CVE
-FileETag MTime Size
-
-# CVE-2020-5902
-
- Redirect 404 /
-
-
- Redirect 404 /
- "'
-tmsh save sys config
-bigstart restart httpd
-#tmsh modify sys dns name-servers add { x.x.x.x x.x.x.x }
-#tmsh modify sys ntp servers add { x.x.x.x x.x.x.x }
-#tmsh modify sys dns search add { demo.local demo.f5demo.local }
-#tmsh modify ltm profile client-ssl clientssl ciphers HIGH:!RSA:!DES:!TLSv1:!TLSv1_1:!SSLv3:!ECDHE-RSA-AES256-CBC-SHA:@STRENGTH
-#tmsh modify ltm profile server-ssl serverssl ciphers HIGH:!RSA:!DES:!TLSv1:!TLSv1_1:!SSLv3:!ECDHE-RSA-AES256-CBC-SHA:@STRENGTH
-#tmsh create sys management-route ntpservers network x.x.x.x/255.255.0.0 gateway x.x.x.x
-#tmsh list sys management-route
-echo "Configuration Complete"
\ No newline at end of file
diff --git a/SACAv2/irules/health_monitor.tcl b/SACAv2/irules/health_monitor.tcl
deleted file mode 100644
index b3c1d6a..0000000
--- a/SACAv2/irules/health_monitor.tcl
+++ /dev/null
@@ -1 +0,0 @@
-when HTTP_REQUEST {\n HTTP::respond 200 content {\n \n \n Health Check \n \n \n System is online.\n \n \n }\n}
diff --git a/SACAv2/resources/Certificates_PKCS7_v5.5_DoD.zip b/SACAv2/resources/Certificates_PKCS7_v5.5_DoD.zip
deleted file mode 100644
index 799aff4..0000000
Binary files a/SACAv2/resources/Certificates_PKCS7_v5.5_DoD.zip and /dev/null differ
diff --git a/SACAv2/resources/f5-appsvcs-3.13.1-1.noarch.rpm b/SACAv2/resources/f5-appsvcs-3.13.1-1.noarch.rpm
deleted file mode 100644
index d1d7a0d..0000000
Binary files a/SACAv2/resources/f5-appsvcs-3.13.1-1.noarch.rpm and /dev/null differ
diff --git a/SACAv2/resources/f5-appsvcs-3.16.0-6.noarch.rpm b/SACAv2/resources/f5-appsvcs-3.16.0-6.noarch.rpm
deleted file mode 100644
index 6780ce8..0000000
Binary files a/SACAv2/resources/f5-appsvcs-3.16.0-6.noarch.rpm and /dev/null differ
diff --git a/SACAv2/resources/f5-cloud-libs-4.15.0.tar.gz b/SACAv2/resources/f5-cloud-libs-4.15.0.tar.gz
deleted file mode 100644
index 5d5721e..0000000
Binary files a/SACAv2/resources/f5-cloud-libs-4.15.0.tar.gz and /dev/null differ
diff --git a/SACAv2/resources/f5-cloud-libs.tar.gz b/SACAv2/resources/f5-cloud-libs.tar.gz
deleted file mode 100644
index d23acd0..0000000
Binary files a/SACAv2/resources/f5-cloud-libs.tar.gz and /dev/null differ
diff --git a/SACAv2/scripts/atc_install.sh b/SACAv2/scripts/atc_install.sh
deleted file mode 100644
index b71bb57..0000000
--- a/SACAv2/scripts/atc_install.sh
+++ /dev/null
@@ -1,163 +0,0 @@
-#!/bin/bash
-# expects
-# https://github.com/F5Networks/f5-declarative-onboarding/raw/master/dist/f5-declarative-onboarding-1.5.0-11.noarch.rpm
-# https://github.com/F5Networks/f5-declarative-onboarding/raw/master/dist/f5-declarative-onboarding-1.5.0-11.noarch.rpm.sha256
-# https://github.com/F5Networks/f5-appsvcs-extension/raw/master/dist/latest/f5-appsvcs-3.12.0-5.noarch.rpm
-# https://github.com/F5Networks/f5-appsvcs-extension/raw/master/dist/latest/f5-appsvcs-3.12.0-5.noarch.rpm.sha256
-# https://github.com/F5Networks/f5-telemetry-streaming/raw/master/dist/f5-telemetry-1.4.0-1.noarch.rpm
-# https://github.com/F5Networks/f5-telemetry-streaming/raw/master/dist/f5-telemetry-1.4.0-1.noarch.rpm.sha256
-#
-# examples
-# rpm latest
-# curl --interface mgmt https://api.github.com/users/F5Networks/repos | grep releases_url
-#
-# rpm
-# curl -s --interface mgmt https://raw.githubusercontent.com/F5Networks/f5-declarative-onboarding/master/dist/f5-declarative-onboarding-1.5.0-11.noarch.rpm -o /shared/vadc/azure/waagent/custom-script/download/0/f5-declarative-onboarding-1.5.0-11.noarch.rpm
-# curl -s --interface mgmt https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/dist/latest/f5-appsvcs-3.12.0-5.noarch.rpm -o /shared/vadc/azure/waagent/custom-script/download/0/f5-appsvcs-3.12.0-5.noarch.rpm
-# curl -s --interface mgmt https://raw.githubusercontent.com/F5Networks/f5-telemetry-streaming/master/dist/f5-telemetry-1.4.0-1.noarch.rpm -o /shared/vadc/azure/waagent/custom-script/download/0/f5-telemetry-1.4.0-1.noarch.rpm
-# hash
-# curl -s --interface mgmt https://raw.githubusercontent.com/F5Networks/f5-declarative-onboarding/master/dist/f5-declarative-onboarding-1.5.0-11.noarch.rpm.sha256 -o /shared/vadc/azure/waagent/custom-script/download/0/f5-declarative-onboarding-1.5.0-11.noarch.rpm.sha256
-# curl -s --interface mgmt https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/dist/latest/f5-appsvcs-3.12.0-5.noarch.rpm.sha256 -o /shared/vadc/azure/waagent/custom-script/download/0/f5-appsvcs-3.12.0-5.noarch.rpm.sha256
-# curl -s --interface mgmt https://raw.githubusercontent.com/F5Networks/f5-telemetry-streaming/master/dist/f5-telemetry-1.4.0-1.noarch.rpm.sha256 -o /shared/vadc/azure/waagent/custom-script/download/0/f5-telemetry-1.4.0-1.noarch.rpm.sha256
-#
-#
-# download latest DO
-files=$(curl -s --interface mgmt https://api.github.com/repos/F5Networks/f5-declarative-onboarding/releases/latest | grep "browser_download_url.*rpm" | cut -d : -f 2,3 | tr -d \")
-for file in $files
-do
- name=$(echo "${file##*/}")
- result=$(/usr/bin/curl -kvv -w "%{http_code}" $file -o /var/config/rest/downloads/$name)
-done
-# download latest As3
-files=$(curl -s --interface mgmt https://api.github.com/repos/F5Networks/f5-appsvcs-extension/releases/latest | grep "browser_download_url.*rpm" | cut -d : -f 2,3 | tr -d \")
-for file in $files
-do
- name=$(echo "${file##*/}")
- result=$(/usr/bin/curl -kvv -w "%{http_code}" $file -o /var/config/rest/downloads/$name)
-done
-# download latest ts
-files=$(curl -s --interface mgmt https://api.github.com/repos/F5Networks/f5-telemetry-streaming/releases/latest | grep "browser_download_url.*rpm" | cut -d : -f 2,3 | tr -d \")
-for file in $files
-do
- name=$(echo "${file##*/}")
- result=$(/usr/bin/curl -kvv -w "%{http_code}" $file -o /var/config/rest/downloads/$name)
-done
-#
-# vars
-#
-dfl_mgmt_port=`tmsh list sys httpd ssl-port | grep ssl-port | sed 's/ssl-port //;s/ //g'`
-host="localhost"
-authUrl="/mgmt/shared/authn/login"
-rpmInstallUrl="/mgmt/shared/iapp/package-management-tasks"
-rpmFileUrl="/var/config/rest/downloads/"
-# do
-doUrl="/mgmt/shared/declarative-onboarding"
-doCheckUrl="/mgmt/shared/declarative-onboarding/available"
-# as3
-as3Url="/mgmt/shared/appsvcs/declare"
-as3CheckUrl="/mgmt/shared/appsvcs/info"
-# ts
-tsUrl="/mgmt/shared/telemetry/declare"
-tsCheckUrl="/mgmt/shared/telemetry/available"
-#copy rpms from downloads to rest downloads
-# /shared/vadc/azure/waagent/custom-script/download/0/ /var/config/rest/downloads/
-# rpms
-cp /shared/vadc/azure/waagent/custom-script/download/0/f5-*.rpm /var/config/rest/downloads/
-# checksums
-cp /shared/vadc/azure/waagent/custom-script/download/0/f5-*.rpm.sha256 /var/config/rest/downloads/
-# validate checksums
-#
-# find ...stuff... -exec sh -c '
-find $rpmFileUrl -name *.rpm -type f -exec sh -c '
- cd /var/config/rest/downloads
- for filename do
- # echo $filename
- FN=$filename
- #echo $FN
- RESULT=$(cat $FN.sha256 | sha256sum --check )
- #echo "result $RESULT"
- case "$RESULT" in
- *OK*)
- # valid checksum
- echo "continue $FN"
- ;;
- *)
- # invalid checksum
- echo "check $FN"
- ;;
- esac
- done' sh {} +
-#
-# functions
-#
-function passwd() {
- echo | f5-rest-node /config/cloud/azure/node_modules/@f5devcentral/f5-cloud-libs/scripts/decryptDataFromFile.js --data-file /config/cloud/.passwd | awk '{print $1}'
-}
-
-function getToken() {
- token=$(/usr/bin/curl -sk -w "%{http_code}" -X POST -H "Content-Type: application/json" -d "{"username":"svc_user","password":"$(passwd)","loginProviderName":"tmos"}" https://$host:$dfl_mgmt_port$authUrl | jq --raw-output '.token.token')
- echo $token
-}
-# test token
-#echo "token: $(getToken)"
-#
-# install each RPM
-#
-rpms=$(find $rpmFileUrl -name "*.rpm" -type f)
-for rpm in $rpms
-do
- filename=$(echo "${rpm##*/}")
- echo "installing $name"
- install=$(/usr/bin/curl -skv -w "%{http_code}" -X POST -H "Content-Type: application/json" -H "X-F5-Auth-Token: $(getToken)" -o /dev/null -d "{"operation":"INSTALL","packageFilePath":"$filename"}" https://$host:$dfl_mgmt_port$rpmInstallUrl)
- echo "status code $install"
- case "$install" in
- 200)
- # valid checksum
- echo "install started $name status: $install "
- ;;
- 401)
- # credentials
- echo "check credentials status: $install"
- ;;
- *)
- # invalid checksum
- echo "failed $name"
- ;;
- esac
-done
-
-# check for status
-# echo status
-#
-
-#
-# check for as3
-#
-# curl -s -o /dev/null -I -w "%{http_code}" http://www.example.org/
-function checkService() {
- status=$(/usr/bin/curl -skv -w "%{http_code}" -H "X-F5-Auth-Token: $(getToken)" -o /dev/null https://$host:$dfl_mgmt_port$1)
- echo $status
-}
-# set status
-doStatus=$(checkService $doCheckUrl)
-as3Status=$(checkService $as3CheckUrl)
-tsStatus=$(checkService $tsCheckUrl)
-
-# report status
-if [[ $doStatus == 200 ]]; then
- echo "do is up. $response_code"
-else
- echo "do is not ready $response_code"
-fi
-
-if [[ $as3Status == 200 ]]; then
- echo "as3 is up. $response_code"
-else
- echo "as3 is not ready $response_code"
-fi
-
-if [[ $tsStatus == 200 ]]; then
- echo "ts is up. $response_code"
-else
- echo "ts is not ready $response_code"
-fi
\ No newline at end of file
diff --git a/SACAv2/scripts/deploy_app.sh b/SACAv2/scripts/deploy_app.sh
deleted file mode 100644
index 434eb88..0000000
--- a/SACAv2/scripts/deploy_app.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-function passwd() {
- echo | f5-rest-node /config/cloud/azure/node_modules/@f5devcentral/f5-cloud-libs/scripts/decryptDataFromFile.js --data-file /config/cloud/.passwd | awk '{print $1}'
-}
-
-while getopts o:u: option
-do case "$option" in
- o) declarationUrl=$OPTARG;;
- u) user=$OPTARG;;
- esac
-done
-
-deployed="no"
-file_loc="/config/cloud/custom_config"
-dfl_mgmt_port=`tmsh list sys httpd ssl-port | grep ssl-port | sed 's/ssl-port //;s/ //g'`
-url_regex="(http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$"
-
-if [[ $declarationUrl =~ $url_regex ]]; then
- response_code=$(/usr/bin/curl --interface mgmt -sk -w "%{http_code}" $declarationUrl -o $file_loc)
- if [[ $response_code == 200 ]]; then
- echo "Custom config download complete; checking for valid JSON."
- cat $file_loc | jq .class
- if [[ $? == 0 ]]; then
- response_code=$(/usr/bin/curl -skvvu $user:$(passwd) -w "%{http_code}" -X POST -H "Content-Type: application/json" -H 'Expect:' -d "@$file_loc" https://localhost:$dfl_mgmt_port/mgmt/shared/appsvcs/declare -o /dev/null)
-
- if [[ $response_code == 200 || $response_code == 207 || $response_code == 502 ]]; then
- echo "Deployment of application succeeded. $response_code"
- deployed="yes"
- else
- echo "Failed to deploy application; continuing with response code '"$response_code"'"
- fi
- else
- echo "Custom config was not valid JSON, continuing"
- fi
- else
- echo "Failed to download custom config; continuing with response code '"$response_code"'"
- fi
-else
- echo "Custom config was not a URL, continuing."
-fi
-
-if [[ $deployed == "no" && $declarationUrl == "NOT_SPECIFIED" ]]; then
- echo "Application deployment failed or custom URL was not specified."
-fi
-
-echo "Deployment complete."
-exit
\ No newline at end of file
diff --git a/SACAv2/scripts/installCloudLibs.sh b/SACAv2/scripts/installCloudLibs.sh
deleted file mode 100644
index 1799f27..0000000
--- a/SACAv2/scripts/installCloudLibs.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-echo about to execute
-checks=0
-while [ $checks -lt 120 ]; do echo checking mcpd
-mcpdServiceState=$(bigstart status mcpd | awk '{print $2}')
-tmshMcpState=$(/usr/bin/tmsh show sys mcp-state field-fmt | grep phase | awk '{print $2}')
-#/usr/bin/tmsh -a show sys mcp-state field-fmt | grep -q running
-if [ "$tmshMcpState" == "running" ]; then
-echo mcpd ready
-break
-fi
-echo mcpd not ready yet service: $mcpdServiceState state: $tmshMcpState
-let checks=checks+1
-sleep 1
-done
-echo loading verifyHash script
-/usr/bin/tmsh load sys config merge file /config/verifyHash
-if [ $? != 0 ]; then
-echo cannot validate signature of /config/verifyHash
-exit 1
-fi
-echo loaded verifyHash
-
-config_loc="/config/cloud/"
-hashed_file_list="${config_loc}f5-cloud-libs.tar.gz f5-appsvcs-3.5.1-5.noarch.rpm f5.service_discovery.tmpl f5.cloud_logger.v1.0.0.tmpl"
-for file in $hashed_file_list; do
-echo "verifying $file"
-/usr/bin/tmsh run cli script verifyHash $file
-if [ $? != 0 ]; then
-echo "$file is not valid"
-exit 1
-fi
-echo "verified $file"
-done
-echo "expanding $hashed_file_list"
-tar xfz /config/cloud/f5-cloud-libs.tar.gz --warning=no-unknown-keyword -C /config/cloud/azure/node_modules/@f5devcentral
-touch /config/cloud/cloudLibsReady
diff --git a/SACAv2/scripts/mcinstallCloudLibs.b64 b/SACAv2/scripts/mcinstallCloudLibs.b64
deleted file mode 100644
index 5d0fdee..0000000
--- a/SACAv2/scripts/mcinstallCloudLibs.b64
+++ /dev/null
@@ -1 +0,0 @@
-IyEvYmluL2Jhc2gKZWNobyAgYWJvdXQgdG8gZXhlY3V0ZQpjaGVja3M9MAp3aGlsZSBbICRjaGVja3MgLWx0IDEyMCBdOyBkbyBlY2hvIGNoZWNraW5nIG1jcGQKICAgIHRtc2ggLWEgc2hvdyBzeXMgbWNwLXN0YXRlIGZpZWxkLWZtdCB8IGdyZXAgLXEgcnVubmluZwogICBpZiBbICQ/ID09IDAgXTsgdGhlbgogICAgICAgZWNobyBtY3BkIHJlYWR5CiAgICAgICBicmVhawogICBmaQogICBlY2hvIG1jcGQgbm90IHJlYWR5IHlldAogICBsZXQgY2hlY2tzPWNoZWNrcysxCiAgIHNsZWVwIDEwCmRvbmUgCgplY2hvICBleHBhbmRpbmcgZjUtY2xvdWQtbGlicy50YXIuZ3oKdGFyIHh2ZnogL2NvbmZpZy9jbG91ZC9mNS1jbG91ZC1saWJzLnRhci5neiAtQyAvY29uZmlnL2Nsb3VkL2F6dXJlL25vZGVfbW9kdWxlcy9AZjVkZXZjZW50cmFsCmVjaG8gIGNsb3VkIGxpYnMgaW5zdGFsbCBjb21wbGV0ZQp0b3VjaCAvY29uZmlnL2Nsb3VkL2Nsb3VkTGlic1JlYWR5
\ No newline at end of file
diff --git a/SACAv2/scripts/mcinstallCloudLibs.sh b/SACAv2/scripts/mcinstallCloudLibs.sh
deleted file mode 100644
index 04ad201..0000000
--- a/SACAv2/scripts/mcinstallCloudLibs.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-echo about to execute
-checks=0
-while [ $checks -lt 120 ]; do echo checking mcpd
- tmsh -a show sys mcp-state field-fmt | grep -q running
- if [ $? == 0 ]; then
- echo mcpd ready
- break
- fi
- echo mcpd not ready yet
- let checks=checks+1
- sleep 10
-done
-
-echo expanding f5-cloud-libs.tar.gz
-tar xvfz /config/cloud/f5-cloud-libs.tar.gz -C /config/cloud/azure/node_modules/@f5devcentral
-echo cloud libs install complete
-touch /config/cloud/cloudLibsReady
\ No newline at end of file
diff --git a/SACAv2/scripts/verifyHash b/SACAv2/scripts/verifyHash
deleted file mode 100644
index 9768523..0000000
--- a/SACAv2/scripts/verifyHash
+++ /dev/null
@@ -1,38 +0,0 @@
-cli script /Common/verifyHash {
-proc script::run {} {
- if {[catch {
- set hashes(asm-policy-linux.tar.gz) 63b5c2a51ca09c43bd89af3773bbab87c71a6e7f6ad9410b229b4e0a1c483d46f1a9fff39d9944041b02ee9260724027414de592e99f4c2475415323e18a72e0
- set hashes(f5.http.v1.2.0rc4.tmpl) 47c19a83ebfc7bd1e9e9c35f3424945ef8694aa437eedd17b6a387788d4db1396fefe445199b497064d76967b0d50238154190ca0bd73941298fc257df4dc034
- set hashes(f5.http.v1.2.0rc6.tmpl) 811b14bffaab5ed0365f0106bb5ce5e4ec22385655ea3ac04de2a39bd9944f51e3714619dae7ca43662c956b5212228858f0592672a2579d4a87769186e2cbfe
- set hashes(f5.http.v1.2.0rc7.tmpl) 21f413342e9a7a281a0f0e1301e745aa86af21a697d2e6fdc21dd279734936631e92f34bf1c2d2504c201f56ccd75c5c13baa2fe7653213689ec3c9e27dff77d
- set hashes(f5.aws_advanced_ha.v1.3.0rc1.tmpl) 9e55149c010c1d395abdae3c3d2cb83ec13d31ed39424695e88680cf3ed5a013d626b326711d3d40ef2df46b72d414b4cb8e4f445ea0738dcbd25c4c843ac39d
- set hashes(f5.aws_advanced_ha.v1.4.0rc1.tmpl) de068455257412a949f1eadccaee8506347e04fd69bfb645001b76f200127668e4a06be2bbb94e10fefc215cfc3665b07945e6d733cbe1a4fa1b88e881590396
- set hashes(f5.aws_advanced_ha.v1.4.0rc2.tmpl) 6ab0bffc426df7d31913f9a474b1a07860435e366b07d77b32064acfb2952c1f207beaed77013a15e44d80d74f3253e7cf9fbbe12a90ec7128de6facd097d68f
- set hashes(f5.aws_advanced_ha.v1.4.0rc3.tmpl) 2f2339b4bc3a23c9cfd42aae2a6de39ba0658366f25985de2ea53410a745f0f18eedc491b20f4a8dba8db48970096e2efdca7b8efffa1a83a78e5aadf218b134
- set hashes(f5.aws_advanced_ha.v1.4.0rc4.tmpl) 2418ac8b1f1884c5c096cbac6a94d4059aaaf05927a6a4508fd1f25b8cc6077498839fbdda8176d2cf2d274a27e6a1dae2a1e3a0a9991bc65fc74fc0d02ce963
- set hashes(f5.aws_advanced_ha.v1.4.0rc5.tmpl) 5e582187ae1a6323e095d41eddd41151d6bd38eb83c634410d4527a3d0e246a8fc62685ab0849de2ade62b0275f51264d2deaccbc16b773417f847a4a1ea9bc4
- set hashes(asm-policy.tar.gz) 2d39ec60d006d05d8a1567a1d8aae722419e8b062ad77d6d9a31652971e5e67bc4043d81671ba2a8b12dd229ea46d205144f75374ed4cae58cefa8f9ab6533e6
- set hashes(deploy_waf.sh) 1a3a3c6274ab08a7dc2cb73aedc8d2b2a23cd9e0eb06a2e1534b3632f250f1d897056f219d5b35d3eed1207026e89989f754840fd92969c515ae4d829214fb74
- set hashes(f5.policy_creator.tmpl) 06539e08d115efafe55aa507ecb4e443e83bdb1f5825a9514954ef6ca56d240ed00c7b5d67bd8f67b815ee9dd46451984701d058c89dae2434c89715d375a620
-
- set file_path [lindex $tmsh::argv 1]
- set file_name [file tail $file_path]
-
- if {![info exists hashes($file_name)]} {
- tmsh::log err "No hash found for $file_name"
- exit 1
- }
-
- set expected_hash $hashes($file_name)
- set computed_hash [lindex [exec /usr/bin/openssl dgst -r -sha512 $file_path] 0]
- if { $expected_hash eq $computed_hash } {
- exit 0
- }
- tmsh::log err "Hash does not match for $file_path"
- exit 1
- }]} {
- tmsh::log err {Unexpected error in verifyHash}
- exit 1
- }
- }
-}
\ No newline at end of file
diff --git a/SACAv2/scripts/windowsExtension.json b/SACAv2/scripts/windowsExtension.json
deleted file mode 100644
index 5d38d9a..0000000
--- a/SACAv2/scripts/windowsExtension.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "apiVersion": "2015-06-15",
- "type": "Microsoft.Compute/virtualMachines/extensions",
- "name": "[concat([variables('WinvmName')], '-Disable-ieESC')]",
- "location": "[resourceGroup().location]",
- "dependsOn": [
- "[variables('WinvmName')]"
- ],
- "tags": {
- "displayName": "[concat([variables('WinvmName')], '-Disable-ieESC')]"
- },
- "properties": {
- "publisher": "Microsoft.Azure.Extensions",
- "type": "CustomScriptExtension",
- "typeHandlerVersion": "1.9",
- "autoUpgradeMinorVersion": true,
- "settings": {
- "fileUris": [
- "https://raw.githubusercontent.com/Mikej81/f5-azure-saca/master/SACAv2/scripts/Disable-ieESC.ps1"
- ]
- },
- "protectedSettings": {
- "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File Disable-ieESC.ps1"
- }
- }
-}
\ No newline at end of file
diff --git a/admin.auto.tfvars.example b/admin.auto.tfvars.example
new file mode 100644
index 0000000..03119d2
--- /dev/null
+++ b/admin.auto.tfvars.example
@@ -0,0 +1,65 @@
+# azure
+# gov
+location = "usgovvirginia"
+region = "USGov Virginia"
+# commercial
+#location = "eastus2"
+#region = "East US 2"
+# project
+projectPrefix = "scca"
+# deployment
+#deploymentType = "three_tier"
+deploymentType = "one_tier"
+# admin
+adminUserName = "xadmin"
+adminPassword = "pleaseUseVault123!!"
+# networks
+subnets = {
+ "management" = "10.90.0.0/24" #f5 management mgmtip
+ "external" = "10.90.1.0/24" #untrusted-virutal-network selip
+ "internal" = "10.90.2.0/24" #trusted-egress-virtual-network
+ "vdms" = "10.90.3.0/24" #management interfaces? or management devices that can access management interfaces?
+ "inspect_ext" = "10.90.4.0/24"
+ "inspect_int" = "10.90.5.0/24"
+ "waf_ext" = "10.90.6.0/24"
+ "waf_int" = "10.90.7.0/24"
+}
+## bigips
+instanceType = "Standard_DS5_v2"
+# big-ip BYOL licenses
+licenses = {
+ "license1" = ""
+ "license2" = ""
+ "license3" = ""
+ "license4" = ""
+}
+# single tier
+# 01
+f5vm01mgmt = "10.90.0.4"
+f5vm01ext = "10.90.1.4"
+f5vm01ext_sec = "10.90.1.11"
+f5vm01int = "10.90.2.4"
+# 02
+f5vm02mgmt = "10.90.0.5"
+f5vm02ext = "10.90.1.5"
+f5vm02ext_sec = "10.90.1.12"
+f5vm02int = "10.90.2.5"
+## three tier
+# 03
+f5vm03mgmt = "10.90.0.6"
+f5vm03ext = "10.90.6.4"
+f5vm03ext_sec = "10.90.6.11"
+f5vm03int = "10.90.7.4"
+# 04
+f5vm04mgmt = "10.90.0.7"
+f5vm04ext = "10.90.6.5"
+f5vm04ext_sec = "10.90.6.12"
+f5vm04int = "10.90.7.5"
+## app
+app01ip = "10.90.2.101"
+## jump boxes
+jumpinstanceType = "Standard_B2s"
+# win jump
+winjumpip = "10.90.3.98"
+# linux jump
+linuxjumpip = "10.90.3.99"
diff --git a/analytics/analytics.tf b/analytics/analytics.tf
new file mode 100644
index 0000000..cd10b13
--- /dev/null
+++ b/analytics/analytics.tf
@@ -0,0 +1,18 @@
+# Create Log Analytic Workspace
+resource "azurerm_log_analytics_workspace" "law" {
+ name = "${var.prefix}-law"
+ sku = "PerNode"
+ retention_in_days = 300
+ resource_group_name = var.resourceGroup.name
+ location = var.location
+}
+
+data "template_file" "ts_json" {
+ template = file("./templates/ts.json")
+
+ vars = {
+ region = var.location
+ law_id = azurerm_log_analytics_workspace.law.workspace_id
+ law_primkey = azurerm_log_analytics_workspace.law.primary_shared_key
+ }
+}
diff --git a/analytics/variables.tf b/analytics/variables.tf
new file mode 100644
index 0000000..ad31567
--- /dev/null
+++ b/analytics/variables.tf
@@ -0,0 +1,18 @@
+
+variable prefix {}
+variable resourceGroup {}
+variable location {}
+variable region {}
+variable securityGroup {
+ default = "none"
+}
+
+variable subnet {
+ default = "none"
+}
+
+variable adminUserName {}
+variable adminPassword {}
+
+# TAGS
+variable tags {}
diff --git a/azure.tf b/azure.tf
new file mode 100644
index 0000000..06f8c9f
--- /dev/null
+++ b/azure.tf
@@ -0,0 +1,319 @@
+# Create a Resource Group for the new Virtual Machines
+resource azurerm_resource_group main {
+ name = "${var.projectPrefix}_rg"
+ location = var.location
+}
+
+
+# Create Availability Set
+resource azurerm_availability_set avset {
+ name = "${var.projectPrefix}-avset"
+ location = azurerm_resource_group.main.location
+ resource_group_name = azurerm_resource_group.main.name
+ platform_fault_domain_count = 2
+ platform_update_domain_count = 2
+ managed = true
+}
+
+# Create Availability Set 2 only for 3 tier tho
+resource azurerm_availability_set avset2 {
+ count = var.deploymentType == "three_tier" ? 1 : 0
+ name = "${var.projectPrefix}-avset-2"
+ location = azurerm_resource_group.main.location
+ resource_group_name = azurerm_resource_group.main.name
+ platform_fault_domain_count = 2
+ platform_update_domain_count = 2
+ managed = true
+}
+
+# Create Azure LB
+resource azurerm_lb lb {
+ name = "${var.projectPrefix}-alb"
+ location = azurerm_resource_group.main.location
+ resource_group_name = azurerm_resource_group.main.name
+ sku = "Standard"
+
+ frontend_ip_configuration {
+ name = "Public-LoadBalancerFrontEnd"
+ public_ip_address_id = azurerm_public_ip.lbpip.id
+ }
+}
+
+resource azurerm_lb_backend_address_pool backend_pool {
+ name = "IngressBackendPool"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.lb.id
+}
+
+resource azurerm_lb_backend_address_pool management_pool {
+ name = "EgressManagementPool"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.lb.id
+}
+
+resource azurerm_lb_backend_address_pool primary_pool {
+ name = "EgressPrimaryPool"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.lb.id
+}
+
+resource azurerm_lb_probe https_probe {
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.lb.id
+ name = "443Probe"
+ protocol = "Tcp"
+ port = 443
+ interval_in_seconds = 5
+ number_of_probes = 2
+}
+
+resource azurerm_lb_probe http_probe {
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.lb.id
+ name = "8080Probe"
+ protocol = "Tcp"
+ port = 8080
+ interval_in_seconds = 5
+ number_of_probes = 2
+}
+
+resource azurerm_lb_probe ssh_probe {
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.lb.id
+ name = "sshProbe"
+ protocol = "Tcp"
+ port = 22
+ interval_in_seconds = 5
+ number_of_probes = 2
+}
+
+resource azurerm_lb_probe rdp_probe {
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.lb.id
+ name = "rdpProbe"
+ protocol = "Tcp"
+ port = 3389
+ interval_in_seconds = 5
+ number_of_probes = 2
+}
+
+resource azurerm_lb_rule https_rule {
+ name = "HTTPS_Rule"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.lb.id
+ protocol = "Tcp"
+ frontend_port = 443
+ backend_port = 443
+ frontend_ip_configuration_name = "Public-LoadBalancerFrontEnd"
+ enable_floating_ip = false
+ disable_outbound_snat = true
+ backend_address_pool_id = azurerm_lb_backend_address_pool.backend_pool.id
+ idle_timeout_in_minutes = 5
+ probe_id = azurerm_lb_probe.https_probe.id
+ depends_on = [azurerm_lb_probe.https_probe]
+}
+
+resource azurerm_lb_rule http_rule {
+ name = "HTTPRule"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.lb.id
+ protocol = "Tcp"
+ frontend_port = 8080
+ backend_port = 8080
+ frontend_ip_configuration_name = "Public-LoadBalancerFrontEnd"
+ enable_floating_ip = false
+ disable_outbound_snat = true
+ backend_address_pool_id = azurerm_lb_backend_address_pool.backend_pool.id
+ idle_timeout_in_minutes = 5
+ probe_id = azurerm_lb_probe.http_probe.id
+ depends_on = [azurerm_lb_probe.http_probe]
+}
+
+resource azurerm_lb_rule ssh_rule {
+ name = "SSH_Rule"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.lb.id
+ protocol = "Tcp"
+ frontend_port = 22
+ backend_port = 22
+ frontend_ip_configuration_name = "Public-LoadBalancerFrontEnd"
+ enable_floating_ip = false
+ disable_outbound_snat = true
+ backend_address_pool_id = azurerm_lb_backend_address_pool.backend_pool.id
+ idle_timeout_in_minutes = 5
+ probe_id = azurerm_lb_probe.ssh_probe.id
+ depends_on = [azurerm_lb_probe.ssh_probe]
+}
+resource azurerm_lb_rule rdp_rule {
+ name = "RDP_Rule"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.lb.id
+ protocol = "Tcp"
+ frontend_port = 3389
+ backend_port = 3389
+ frontend_ip_configuration_name = "Public-LoadBalancerFrontEnd"
+ enable_floating_ip = false
+ disable_outbound_snat = true
+ backend_address_pool_id = azurerm_lb_backend_address_pool.backend_pool.id
+ idle_timeout_in_minutes = 5
+ probe_id = azurerm_lb_probe.rdp_probe.id
+ depends_on = [azurerm_lb_probe.rdp_probe]
+}
+
+resource azurerm_lb_outbound_rule egress_rule {
+ name = "egress_rule"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.lb.id
+ protocol = "All"
+ backend_address_pool_id = azurerm_lb_backend_address_pool.primary_pool.id
+ allocated_outbound_ports = "9136"
+ enable_tcp_reset = true
+ frontend_ip_configuration {
+ name = "Public-LoadBalancerFrontEnd"
+ }
+}
+
+# Create the ILB for South LB and Egress
+resource azurerm_lb internalLoadBalancer {
+ count = var.deploymentType == "three_tier" ? 1 : 0
+ name = "${var.projectPrefix}-internal-loadbalancer"
+ location = var.location
+ resource_group_name = azurerm_resource_group.main.name
+ sku = "Standard"
+
+ frontend_ip_configuration {
+ name = "Internal_LoadBalancerFrontEnd"
+ subnet_id = azurerm_subnet.internal.id
+ private_ip_address = var.ilb01ip
+ private_ip_address_allocation = "Static"
+ private_ip_address_version = "IPv4"
+ }
+
+ frontend_ip_configuration {
+ name = "IDS_LoadBalancerFrontEnd"
+ subnet_id = azurerm_subnet.inspect_external[0].id
+ private_ip_address = var.ilb04ip
+ private_ip_address_allocation = "Static"
+ private_ip_address_version = "IPv4"
+ }
+
+ frontend_ip_configuration {
+ name = "waf_ext_LoadBalancerFrontEnd_Egress"
+ subnet_id = azurerm_subnet.waf_external[0].id
+ private_ip_address = var.ilb02ip
+ private_ip_address_allocation = "Static"
+ private_ip_address_version = "IPv4"
+ }
+
+ frontend_ip_configuration {
+ name = "waf_ext_LoadBalancerFrontEnd_Ingress"
+ subnet_id = azurerm_subnet.waf_external[0].id
+ private_ip_address = var.ilb03ip
+ private_ip_address_allocation = "Static"
+ private_ip_address_version = "IPv4"
+ }
+}
+
+# Create the LB Pool for Internal Egress
+resource azurerm_lb_backend_address_pool internal_backend_pool {
+ count = var.deploymentType == "three_tier" ? 1 : 0
+ name = "internal_egress_pool"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.internalLoadBalancer[0].id
+}
+
+# Create the LB Pool for Inspect Ingress
+resource azurerm_lb_backend_address_pool ips_backend_pool {
+ count = var.deploymentType == "three_tier" ? 1 : 0
+ name = "ips_ingress_pool"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.internalLoadBalancer[0].id
+}
+
+# Create the LB Pool for WAF Ingress
+resource azurerm_lb_backend_address_pool waf_ingress_pool {
+ count = var.deploymentType == "three_tier" ? 1 : 0
+ name = "waf_ingress_pool"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.internalLoadBalancer[0].id
+}
+# Create the LB Pool for WAF Egress
+resource azurerm_lb_backend_address_pool waf_egress_pool {
+ count = var.deploymentType == "three_tier" ? 1 : 0
+ name = "waf_egress_pool"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.internalLoadBalancer[0].id
+}
+
+resource azurerm_lb_probe internal_Tcp_probe {
+ count = var.deploymentType == "three_tier" ? 1 : 0
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.internalLoadBalancer[0].id
+ name = "${var.projectPrefix}-internal-Tcp-probe"
+ protocol = "Tcp"
+ port = 34568
+ interval_in_seconds = 5
+ number_of_probes = 2
+}
+
+resource azurerm_lb_probe waf_probe {
+ count = var.deploymentType == "three_tier" ? 1 : 0
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.internalLoadBalancer[0].id
+ name = "${var.projectPrefix}-waf-Tcp-probe"
+ protocol = "Tcp"
+ port = 8080
+ interval_in_seconds = 5
+ number_of_probes = 2
+}
+
+resource azurerm_lb_rule internal_all_rule {
+ count = var.deploymentType == "three_tier" ? 1 : 0
+ name = "internal-all-protocol-ilb-egress"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.internalLoadBalancer[0].id
+ protocol = "All"
+ frontend_port = 0
+ backend_port = 0
+ load_distribution = "SourceIPProtocol"
+ frontend_ip_configuration_name = "Internal_LoadBalancerFrontEnd"
+ enable_floating_ip = true
+ backend_address_pool_id = azurerm_lb_backend_address_pool.internal_backend_pool[0].id
+ idle_timeout_in_minutes = 5
+ probe_id = azurerm_lb_probe.internal_Tcp_probe[0].id
+ depends_on = [azurerm_lb_probe.internal_Tcp_probe[0]]
+}
+
+resource azurerm_lb_rule waf_ext_all_rule {
+ count = var.deploymentType == "three_tier" ? 1 : 0
+ name = "waf-ext-all-protocol-ilb-egress"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.internalLoadBalancer[0].id
+ protocol = "All"
+ frontend_port = 0
+ backend_port = 0
+ load_distribution = "SourceIPProtocol"
+ frontend_ip_configuration_name = "waf_ext_LoadBalancerFrontEnd_Egress"
+ enable_floating_ip = true
+ backend_address_pool_id = azurerm_lb_backend_address_pool.waf_egress_pool[0].id
+ idle_timeout_in_minutes = 5
+ probe_id = azurerm_lb_probe.internal_Tcp_probe[0].id
+ depends_on = [azurerm_lb_probe.internal_Tcp_probe[0]]
+}
+
+resource azurerm_lb_rule waf_ext_ingress_rule {
+ count = var.deploymentType == "three_tier" ? 1 : 0
+ name = "waf-ext-all-protocol-ilb-ingress"
+ resource_group_name = azurerm_resource_group.main.name
+ loadbalancer_id = azurerm_lb.internalLoadBalancer[0].id
+ protocol = "All"
+ frontend_port = 0
+ backend_port = 0
+ load_distribution = "SourceIPProtocol"
+ frontend_ip_configuration_name = "waf_ext_LoadBalancerFrontEnd_Ingress"
+ enable_floating_ip = true
+ backend_address_pool_id = azurerm_lb_backend_address_pool.waf_ingress_pool[0].id
+ idle_timeout_in_minutes = 5
+ probe_id = azurerm_lb_probe.waf_probe[0].id
+ depends_on = [azurerm_lb_probe.waf_probe[0]]
+}
diff --git a/cleanup.sh b/cleanup.sh
new file mode 100755
index 0000000..1ad826e
--- /dev/null
+++ b/cleanup.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+echo "destroying demo"
+read -r -p "Are you sure? [y/N] " response
+if [[ "$response" =~ ^([yY][eE][sS]|[yY])$ ]]
+then
+ terraform destroy --auto-approve
+ while [ $? -ne 0 ]; do
+ terraform destroy --auto-approve
+ done
+else
+ echo "canceling"
+fi
diff --git a/cloud-libs-notes.sh b/cloud-libs-notes.sh
new file mode 100644
index 0000000..2acc541
--- /dev/null
+++ b/cloud-libs-notes.sh
@@ -0,0 +1,103 @@
+# variables
+"singleQuote": "'",
+"f5CloudLibsTag": "v4.13.5",
+"f5CloudLibsAzureTag": "v2.12.0",
+"f5NetworksTag": "v7.2.0.0",
+"f5CloudIappsLoggerTag": "v1.0.0",
+"f5CloudIappsSdTag": "v2.3.2",
+"f5AS3Build": "f5-appsvcs-3.5.1-5.noarch.rpm",
+"f5AS3Tag": "v3.6.0",
+# verify hash
+"verifyHash": "[concat(variables('singleQuote'), 'cli script /Common/verifyHash {\nproc script::run {} {\n if {[catch {\n set hashes(f5-cloud-libs.tar.gz) 79ed63787ebad177fbd052da1571095884b7d598fec44568f99bb5ae66cd6635f2fdd35c5e4f582c5d42929d68a4e2115c81834920939b0a6da0e3f16da0ac67\n set hashes(f5-cloud-libs-aws.tar.gz) 2b934307477faf772e1558ab3636716981215d6b15f2a184750473911d1d38bfbd6a2dc79614b1d1575dce8f3824ed805daa3d9ca48c7e94c6692f03b9e4ed7a\n set hashes(f5-cloud-libs-azure.tar.gz) f6d10347181a101b974478cc7c0d44c9c8cfd7705a6bccc9d48b2e8af175066f52612b28e9a0faa257675b9a979803952a31d9d0cf2cc5ff18231fbb42e786c9\n set hashes(f5-cloud-libs-gce.tar.gz) a5cfaed1fe33da677b3f10dc1a7ca82f5739ff24e45e91b3a8f7b06d6b2e280e5f1eaf5fe2d33009b2cc67c10f2d906aab26f942d591b68fa8a7fddfd54a0efe\n set hashes(f5-cloud-libs-openstack.tar.gz) 5c83fe6a93a6fceb5a2e8437b5ed8cc9faf4c1621bfc9e6a0779f6c2137b45eab8ae0e7ed745c8cf821b9371245ca29749ca0b7e5663949d77496b8728f4b0f9\n set hashes(f5-cloud-libs-consul.tar.gz) a32aab397073df92cbbba5067e5823e9b5fafca862a258b60b6b40aa0975c3989d1e110f706177b2ffbe4dde65305a260a5856594ce7ad4ef0c47b694ae4a513\n set hashes(asm-policy-linux.tar.gz) 63b5c2a51ca09c43bd89af3773bbab87c71a6e7f6ad9410b229b4e0a1c483d46f1a9fff39d9944041b02ee9260724027414de592e99f4c2475415323e18a72e0\n set hashes(f5.http.v1.2.0rc4.tmpl) 47c19a83ebfc7bd1e9e9c35f3424945ef8694aa437eedd17b6a387788d4db1396fefe445199b497064d76967b0d50238154190ca0bd73941298fc257df4dc034\n set hashes(f5.http.v1.2.0rc6.tmpl) 811b14bffaab5ed0365f0106bb5ce5e4ec22385655ea3ac04de2a39bd9944f51e3714619dae7ca43662c956b5212228858f0592672a2579d4a87769186e2cbfe\n set hashes(f5.http.v1.2.0rc7.tmpl) 21f413342e9a7a281a0f0e1301e745aa86af21a697d2e6fdc21dd279734936631e92f34bf1c2d2504c201f56ccd75c5c13baa2fe7653213689ec3c9e27dff77d\n set hashes(f5.aws_advanced_ha.v1.3.0rc1.tmpl) 9e55149c010c1d395abdae3c3d2cb83ec13d31ed39424695e88680cf3ed5a013d626b326711d3d40ef2df46b72d414b4cb8e4f445ea0738dcbd25c4c843ac39d\n set hashes(f5.aws_advanced_ha.v1.4.0rc1.tmpl) de068455257412a949f1eadccaee8506347e04fd69bfb645001b76f200127668e4a06be2bbb94e10fefc215cfc3665b07945e6d733cbe1a4fa1b88e881590396\n set hashes(f5.aws_advanced_ha.v1.4.0rc2.tmpl) 6ab0bffc426df7d31913f9a474b1a07860435e366b07d77b32064acfb2952c1f207beaed77013a15e44d80d74f3253e7cf9fbbe12a90ec7128de6facd097d68f\n set hashes(f5.aws_advanced_ha.v1.4.0rc3.tmpl) 2f2339b4bc3a23c9cfd42aae2a6de39ba0658366f25985de2ea53410a745f0f18eedc491b20f4a8dba8db48970096e2efdca7b8efffa1a83a78e5aadf218b134\n set hashes(f5.aws_advanced_ha.v1.4.0rc4.tmpl) 2418ac8b1f1884c5c096cbac6a94d4059aaaf05927a6a4508fd1f25b8cc6077498839fbdda8176d2cf2d274a27e6a1dae2a1e3a0a9991bc65fc74fc0d02ce963\n set hashes(f5.aws_advanced_ha.v1.4.0rc5.tmpl) 5e582187ae1a6323e095d41eddd41151d6bd38eb83c634410d4527a3d0e246a8fc62685ab0849de2ade62b0275f51264d2deaccbc16b773417f847a4a1ea9bc4\n set hashes(asm-policy.tar.gz) 2d39ec60d006d05d8a1567a1d8aae722419e8b062ad77d6d9a31652971e5e67bc4043d81671ba2a8b12dd229ea46d205144f75374ed4cae58cefa8f9ab6533e6\n set hashes(deploy_waf.sh) 1a3a3c6274ab08a7dc2cb73aedc8d2b2a23cd9e0eb06a2e1534b3632f250f1d897056f219d5b35d3eed1207026e89989f754840fd92969c515ae4d829214fb74\n set hashes(f5.policy_creator.tmpl) 06539e08d115efafe55aa507ecb4e443e83bdb1f5825a9514954ef6ca56d240ed00c7b5d67bd8f67b815ee9dd46451984701d058c89dae2434c89715d375a620\n set hashes(f5.service_discovery.tmpl) 4811a95372d1dbdbb4f62f8bcc48d4bc919fa492cda012c81e3a2fe63d7966cc36ba8677ed049a814a930473234f300d3f8bced2b0db63176d52ac99640ce81b\n set hashes(f5.cloud_logger.v1.0.0.tmpl) 64a0ed3b5e32a037ba4e71d460385fe8b5e1aecc27dc0e8514b511863952e419a89f4a2a43326abb543bba9bc34376afa114ceda950d2c3bd08dab735ff5ad20\n set hashes(f5-appsvcs-3.5.1-5.noarch.rpm) ba71c6e1c52d0c7077cdb25a58709b8fb7c37b34418a8338bbf67668339676d208c1a4fef4e5470c152aac84020b4ccb8074ce387de24be339711256c0fa78c8\n\n set file_path [lindex $tmsh::argv 1]\n set file_name [file tail $file_path]\n\n if {![info exists hashes($file_name)]} {\n tmsh::log err \"No hash found for $file_name\"\n exit 1\n }\n\n set expected_hash $hashes($file_name)\n set computed_hash [lindex [exec /usr/bin/openssl dgst -r -sha512 $file_path] 0]\n if { $expected_hash eq $computed_hash } {\n exit 0\n }\n tmsh::log err \"Hash does not match for $file_path\"\n exit 1\n }]} {\n tmsh::log err {Unexpected error in verifyHash}\n exit 1\n }\n }\n script-signature SS6PAR2vcK8Oy+Zq/Af8bWS6mj3ipoRgNVkzbnf59wUo/8mTzWFuVTF2H1YSXDRjW8gJmZfIQrOasv01Ayqjzl8IZ5AQ5aBQd2OKTZNCpsoalTX1iar4Ds82YdJ8Z0EuWwy9UByclFYouM4wMmGts5NqDia6W+kAUcTJxOkcxkzuurUXYaVR3Yx6sWZZyNTI3mUqZ84TEZXWjEw1Qi7S6xODmryw2sH5APWpAxQ8Ip6c8JsuBm1B7A24couv9aedeoCbNZdmCPjMfWG1vBDVRqvou0SQd8kbHa+36LbkzNqyXWLamK3HTYJAN9BMUx+syXEc4F/sJgpKeHKGHFowYg==\n signing-key /Common/f5-irule\n}', variables('singleQuote'))]",
+#
+'cli script /Common/verifyHash {\nproc script::run {} {\n if {[catch {\n set hashes(f5-cloud-libs.tar.gz) 79ed63787ebad177fbd052da1571095884b7d598fec44568f99bb5ae66cd6635f2fdd35c5e4f582c5d42929d68a4e2115c81834920939b0a6da0e3f16da0ac67\n set hashes(f5-cloud-libs-aws.tar.gz) 2b934307477faf772e1558ab3636716981215d6b15f2a184750473911d1d38bfbd6a2dc79614b1d1575dce8f3824ed805daa3d9ca48c7e94c6692f03b9e4ed7a\n set hashes(f5-cloud-libs-azure.tar.gz) f6d10347181a101b974478cc7c0d44c9c8cfd7705a6bccc9d48b2e8af175066f52612b28e9a0faa257675b9a979803952a31d9d0cf2cc5ff18231fbb42e786c9\n set hashes(f5-cloud-libs-gce.tar.gz) a5cfaed1fe33da677b3f10dc1a7ca82f5739ff24e45e91b3a8f7b06d6b2e280e5f1eaf5fe2d33009b2cc67c10f2d906aab26f942d591b68fa8a7fddfd54a0efe\n set hashes(f5-cloud-libs-openstack.tar.gz) 5c83fe6a93a6fceb5a2e8437b5ed8cc9faf4c1621bfc9e6a0779f6c2137b45eab8ae0e7ed745c8cf821b9371245ca29749ca0b7e5663949d77496b8728f4b0f9\n set hashes(f5-cloud-libs-consul.tar.gz) a32aab397073df92cbbba5067e5823e9b5fafca862a258b60b6b40aa0975c3989d1e110f706177b2ffbe4dde65305a260a5856594ce7ad4ef0c47b694ae4a513\n set hashes(asm-policy-linux.tar.gz) 63b5c2a51ca09c43bd89af3773bbab87c71a6e7f6ad9410b229b4e0a1c483d46f1a9fff39d9944041b02ee9260724027414de592e99f4c2475415323e18a72e0\n set hashes(f5.http.v1.2.0rc4.tmpl) 47c19a83ebfc7bd1e9e9c35f3424945ef8694aa437eedd17b6a387788d4db1396fefe445199b497064d76967b0d50238154190ca0bd73941298fc257df4dc034\n set hashes(f5.http.v1.2.0rc6.tmpl) 811b14bffaab5ed0365f0106bb5ce5e4ec22385655ea3ac04de2a39bd9944f51e3714619dae7ca43662c956b5212228858f0592672a2579d4a87769186e2cbfe\n set hashes(f5.http.v1.2.0rc7.tmpl) 21f413342e9a7a281a0f0e1301e745aa86af21a697d2e6fdc21dd279734936631e92f34bf1c2d2504c201f56ccd75c5c13baa2fe7653213689ec3c9e27dff77d\n set hashes(f5.aws_advanced_ha.v1.3.0rc1.tmpl) 9e55149c010c1d395abdae3c3d2cb83ec13d31ed39424695e88680cf3ed5a013d626b326711d3d40ef2df46b72d414b4cb8e4f445ea0738dcbd25c4c843ac39d\n set hashes(f5.aws_advanced_ha.v1.4.0rc1.tmpl) de068455257412a949f1eadccaee8506347e04fd69bfb645001b76f200127668e4a06be2bbb94e10fefc215cfc3665b07945e6d733cbe1a4fa1b88e881590396\n set hashes(f5.aws_advanced_ha.v1.4.0rc2.tmpl) 6ab0bffc426df7d31913f9a474b1a07860435e366b07d77b32064acfb2952c1f207beaed77013a15e44d80d74f3253e7cf9fbbe12a90ec7128de6facd097d68f\n set hashes(f5.aws_advanced_ha.v1.4.0rc3.tmpl) 2f2339b4bc3a23c9cfd42aae2a6de39ba0658366f25985de2ea53410a745f0f18eedc491b20f4a8dba8db48970096e2efdca7b8efffa1a83a78e5aadf218b134\n set hashes(f5.aws_advanced_ha.v1.4.0rc4.tmpl) 2418ac8b1f1884c5c096cbac6a94d4059aaaf05927a6a4508fd1f25b8cc6077498839fbdda8176d2cf2d274a27e6a1dae2a1e3a0a9991bc65fc74fc0d02ce963\n set hashes(f5.aws_advanced_ha.v1.4.0rc5.tmpl) 5e582187ae1a6323e095d41eddd41151d6bd38eb83c634410d4527a3d0e246a8fc62685ab0849de2ade62b0275f51264d2deaccbc16b773417f847a4a1ea9bc4\n set hashes(asm-policy.tar.gz) 2d39ec60d006d05d8a1567a1d8aae722419e8b062ad77d6d9a31652971e5e67bc4043d81671ba2a8b12dd229ea46d205144f75374ed4cae58cefa8f9ab6533e6\n set hashes(deploy_waf.sh) 1a3a3c6274ab08a7dc2cb73aedc8d2b2a23cd9e0eb06a2e1534b3632f250f1d897056f219d5b35d3eed1207026e89989f754840fd92969c515ae4d829214fb74\n set hashes(f5.policy_creator.tmpl) 06539e08d115efafe55aa507ecb4e443e83bdb1f5825a9514954ef6ca56d240ed00c7b5d67bd8f67b815ee9dd46451984701d058c89dae2434c89715d375a620\n set hashes(f5.service_discovery.tmpl) 4811a95372d1dbdbb4f62f8bcc48d4bc919fa492cda012c81e3a2fe63d7966cc36ba8677ed049a814a930473234f300d3f8bced2b0db63176d52ac99640ce81b\n set hashes(f5.cloud_logger.v1.0.0.tmpl) 64a0ed3b5e32a037ba4e71d460385fe8b5e1aecc27dc0e8514b511863952e419a89f4a2a43326abb543bba9bc34376afa114ceda950d2c3bd08dab735ff5ad20\n set hashes(f5-appsvcs-3.5.1-5.noarch.rpm) ba71c6e1c52d0c7077cdb25a58709b8fb7c37b34418a8338bbf67668339676d208c1a4fef4e5470c152aac84020b4ccb8074ce387de24be339711256c0fa78c8\n\n set file_path [lindex $tmsh::argv 1]\n set file_name [file tail $file_path]\n\n if {![info exists hashes($file_name)]} {\n tmsh::log err \"No hash found for $file_name\"\n exit 1\n }\n\n set expected_hash $hashes($file_name)\n set computed_hash [lindex [exec /usr/bin/openssl dgst -r -sha512 $file_path] 0]\n if { $expected_hash eq $computed_hash } {\n exit 0\n }\n tmsh::log err \"Hash does not match for $file_path\"\n exit 1\n }]} {\n tmsh::log err {Unexpected error in verifyHash}\n exit 1\n }\n }\n script-signature SS6PAR2vcK8Oy+Zq/Af8bWS6mj3ipoRgNVkzbnf59wUo/8mTzWFuVTF2H1YSXDRjW8gJmZfIQrOasv01Ayqjzl8IZ5AQ5aBQd2OKTZNCpsoalTX1iar4Ds82YdJ8Z0EuWwy9UByclFYouM4wMmGts5NqDia6W+kAUcTJxOkcxkzuurUXYaVR3Yx6sWZZyNTI3mUqZ84TEZXWjEw1Qi7S6xODmryw2sH5APWpAxQ8Ip6c8JsuBm1B7A24couv9aedeoCbNZdmCPjMfWG1vBDVRqvou0SQd8kbHa+36LbkzNqyXWLamK3HTYJAN9BMUx+syXEc4F/sJgpKeHKGHFowYg==\n signing-key /Common/f5-irule\n}'
+cli script /Common/verifyHash {
+proc script::run {} {
+ if {[catch {
+ set hashes(f5-cloud-libs.tar.gz) 79ed63787ebad177fbd052da1571095884b7d598fec44568f99bb5ae66cd6635f2fdd35c5e4f582c5d42929d68a4e2115c81834920939b0a6da0e3f16da0ac67
+ set hashes(f5-cloud-libs-aws.tar.gz) 2b934307477faf772e1558ab3636716981215d6b15f2a184750473911d1d38bfbd6a2dc79614b1d1575dce8f3824ed805daa3d9ca48c7e94c6692f03b9e4ed7a
+ set hashes(f5-cloud-libs-azure.tar.gz) f6d10347181a101b974478cc7c0d44c9c8cfd7705a6bccc9d48b2e8af175066f52612b28e9a0faa257675b9a979803952a31d9d0cf2cc5ff18231fbb42e786c9
+ set hashes(f5-cloud-libs-gce.tar.gz) a5cfaed1fe33da677b3f10dc1a7ca82f5739ff24e45e91b3a8f7b06d6b2e280e5f1eaf5fe2d33009b2cc67c10f2d906aab26f942d591b68fa8a7fddfd54a0efe
+ set hashes(f5-cloud-libs-openstack.tar.gz) 5c83fe6a93a6fceb5a2e8437b5ed8cc9faf4c1621bfc9e6a0779f6c2137b45eab8ae0e7ed745c8cf821b9371245ca29749ca0b7e5663949d77496b8728f4b0f9
+ set hashes(f5-cloud-libs-consul.tar.gz) a32aab397073df92cbbba5067e5823e9b5fafca862a258b60b6b40aa0975c3989d1e110f706177b2ffbe4dde65305a260a5856594ce7ad4ef0c47b694ae4a513
+ set hashes(asm-policy-linux.tar.gz) 63b5c2a51ca09c43bd89af3773bbab87c71a6e7f6ad9410b229b4e0a1c483d46f1a9fff39d9944041b02ee9260724027414de592e99f4c2475415323e18a72e0
+ set hashes(f5.http.v1.2.0rc4.tmpl) 47c19a83ebfc7bd1e9e9c35f3424945ef8694aa437eedd17b6a387788d4db1396fefe445199b497064d76967b0d50238154190ca0bd73941298fc257df4dc034
+ set hashes(f5.http.v1.2.0rc6.tmpl) 811b14bffaab5ed0365f0106bb5ce5e4ec22385655ea3ac04de2a39bd9944f51e3714619dae7ca43662c956b5212228858f0592672a2579d4a87769186e2cbfe
+ set hashes(f5.http.v1.2.0rc7.tmpl) 21f413342e9a7a281a0f0e1301e745aa86af21a697d2e6fdc21dd279734936631e92f34bf1c2d2504c201f56ccd75c5c13baa2fe7653213689ec3c9e27dff77d
+ set hashes(f5.aws_advanced_ha.v1.3.0rc1.tmpl) 9e55149c010c1d395abdae3c3d2cb83ec13d31ed39424695e88680cf3ed5a013d626b326711d3d40ef2df46b72d414b4cb8e4f445ea0738dcbd25c4c843ac39d
+ set hashes(f5.aws_advanced_ha.v1.4.0rc1.tmpl) de068455257412a949f1eadccaee8506347e04fd69bfb645001b76f200127668e4a06be2bbb94e10fefc215cfc3665b07945e6d733cbe1a4fa1b88e881590396
+ set hashes(f5.aws_advanced_ha.v1.4.0rc2.tmpl) 6ab0bffc426df7d31913f9a474b1a07860435e366b07d77b32064acfb2952c1f207beaed77013a15e44d80d74f3253e7cf9fbbe12a90ec7128de6facd097d68f
+ set hashes(f5.aws_advanced_ha.v1.4.0rc3.tmpl) 2f2339b4bc3a23c9cfd42aae2a6de39ba0658366f25985de2ea53410a745f0f18eedc491b20f4a8dba8db48970096e2efdca7b8efffa1a83a78e5aadf218b134
+ set hashes(f5.aws_advanced_ha.v1.4.0rc4.tmpl) 2418ac8b1f1884c5c096cbac6a94d4059aaaf05927a6a4508fd1f25b8cc6077498839fbdda8176d2cf2d274a27e6a1dae2a1e3a0a9991bc65fc74fc0d02ce963
+ set hashes(f5.aws_advanced_ha.v1.4.0rc5.tmpl) 5e582187ae1a6323e095d41eddd41151d6bd38eb83c634410d4527a3d0e246a8fc62685ab0849de2ade62b0275f51264d2deaccbc16b773417f847a4a1ea9bc4
+ set hashes(asm-policy.tar.gz) 2d39ec60d006d05d8a1567a1d8aae722419e8b062ad77d6d9a31652971e5e67bc4043d81671ba2a8b12dd229ea46d205144f75374ed4cae58cefa8f9ab6533e6
+ set hashes(deploy_waf.sh) 1a3a3c6274ab08a7dc2cb73aedc8d2b2a23cd9e0eb06a2e1534b3632f250f1d897056f219d5b35d3eed1207026e89989f754840fd92969c515ae4d829214fb74
+ set hashes(f5.policy_creator.tmpl) 06539e08d115efafe55aa507ecb4e443e83bdb1f5825a9514954ef6ca56d240ed00c7b5d67bd8f67b815ee9dd46451984701d058c89dae2434c89715d375a620
+ set hashes(f5.service_discovery.tmpl) 4811a95372d1dbdbb4f62f8bcc48d4bc919fa492cda012c81e3a2fe63d7966cc36ba8677ed049a814a930473234f300d3f8bced2b0db63176d52ac99640ce81b
+ set hashes(f5.cloud_logger.v1.0.0.tmpl) 64a0ed3b5e32a037ba4e71d460385fe8b5e1aecc27dc0e8514b511863952e419a89f4a2a43326abb543bba9bc34376afa114ceda950d2c3bd08dab735ff5ad20
+ set hashes(f5-appsvcs-3.5.1-5.noarch.rpm) ba71c6e1c52d0c7077cdb25a58709b8fb7c37b34418a8338bbf67668339676d208c1a4fef4e5470c152aac84020b4ccb8074ce387de24be339711256c0fa78c8
+
+ set file_path [lindex $tmsh::argv 1]
+ set file_name [file tail $file_path]
+
+ if {![info exists hashes($file_name)]} {
+ tmsh::log err "No hash found for $file_name"
+ exit 1
+ }
+
+ set expected_hash $hashes($file_name)
+ set computed_hash [lindex [exec /usr/bin/openssl dgst -r -sha512 $file_path] 0]
+ if { $expected_hash eq $computed_hash } {
+ exit 0
+ }
+ tmsh::log err "Hash does not match for $file_path"
+ exit 1
+ }]} {
+ tmsh::log err {Unexpected error in verifyHash}
+ exit 1
+ }
+ }
+ script-signature SS6PAR2vcK8Oy+Zq/Af8bWS6mj3ipoRgNVkzbnf59wUo/8mTzWFuVTF2H1YSXDRjW8gJmZfIQrOasv01Ayqjzl8IZ5AQ5aBQd2OKTZNCpsoalTX1iar4Ds82YdJ8Z0EuWwy9UByclFYouM4wMmGts5NqDia6W+kAUcTJxOkcxkzuurUXYaVR3Yx6sWZZyNTI3mUqZ84TEZXWjEw1Qi7S6xODmryw2sH5APWpAxQ8Ip6c8JsuBm1B7A24couv9aedeoCbNZdmCPjMfWG1vBDVRqvou0SQd8kbHa+36LbkzNqyXWLamK3HTYJAN9BMUx+syXEc4F/sJgpKeHKGHFowYg==
+ signing-key /Common/f5-irule
+}
+
+#
+# install cloud libs
+"installCloudLibs": "[concat(variables('singleQuote'), '#!/bin/bash\necho about to execute\nchecks=0\nwhile [ $checks -lt 120 ]; do echo checking mcpd\n/usr/bin/tmsh -a show sys mcp-state field-fmt | grep -q running\nif [ $? == 0 ]; then\necho mcpd ready\nbreak\nfi\necho mcpd not ready yet\nlet checks=checks+1\nsleep 1\ndone\necho loading verifyHash script\n/usr/bin/tmsh load sys config merge file /config/verifyHash\nif [ $? != 0 ]; then\necho cannot validate signature of /config/verifyHash\nexit 1\nfi\necho loaded verifyHash\n\nconfig_loc=\"/config/cloud/\"\nhashed_file_list=\"${config_loc}f5-cloud-libs.tar.gz f5-appsvcs-3.5.1-5.noarch.rpm f5.service_discovery.tmpl f5.cloud_logger.v1.0.0.tmpl ${config_loc}f5-cloud-libs-azure.tar.gz\"\nfor file in $hashed_file_list; do\necho \"verifying $file\"\n/usr/bin/tmsh run cli script verifyHash $file\nif [ $? != 0 ]; then\necho \"$file is not valid\"\nexit 1\nfi\necho \"verified $file\"\ndone\necho \"expanding $hashed_file_list\"\ntar xfz /config/cloud/f5-cloud-libs.tar.gz --warning=no-unknown-keyword -C /config/cloud/azure/node_modules/@f5devcentral\ntar xfz /config/cloud/f5-cloud-libs-azure.tar.gz --warning=no-unknown-keyword -C /config/cloud/azure/node_modules/@f5devcentral\ntouch /config/cloud/cloudLibsReady', variables('singleQuote'))]",
+#
+'#!/bin/bash\necho about to execute\nchecks=0\nwhile [ $checks -lt 120 ]; do echo checking mcpd\n/usr/bin/tmsh -a show sys mcp-state field-fmt | grep -q running\nif [ $? == 0 ]; then\necho mcpd ready\nbreak\nfi\necho mcpd not ready yet\nlet checks=checks+1\nsleep 1\ndone\necho loading verifyHash script\n/usr/bin/tmsh load sys config merge file /config/verifyHash\nif [ $? != 0 ]; then\necho cannot validate signature of /config/verifyHash\nexit 1\nfi\necho loaded verifyHash\n\nconfig_loc=\"/config/cloud/\"\nhashed_file_list=\"${config_loc}f5-cloud-libs.tar.gz f5-appsvcs-3.5.1-5.noarch.rpm f5.service_discovery.tmpl f5.cloud_logger.v1.0.0.tmpl ${config_loc}f5-cloud-libs-azure.tar.gz\"\nfor file in $hashed_file_list; do\necho \"verifying $file\"\n/usr/bin/tmsh run cli script verifyHash $file\nif [ $? != 0 ]; then\necho \"$file is not valid\"\nexit 1\nfi\necho \"verified $file\"\ndone\necho \"expanding $hashed_file_list\"\ntar xfz /config/cloud/f5-cloud-libs.tar.gz --warning=no-unknown-keyword -C /config/cloud/azure/node_modules/@f5devcentral\ntar xfz /config/cloud/f5-cloud-libs-azure.tar.gz --warning=no-unknown-keyword -C /config/cloud/azure/node_modules/@f5devcentral\ntouch /config/cloud/cloudLibsReady'
+#
+#
+"dnsLabel": "[toLower(parameters('dnsLabel'))]",
+"installCustomConfig": "[concat(variables('singleQuote'), '#!/bin/bash\n', variables('customConfig'), variables('singleQuote'))]"
+ "customConfig": "### START (INPUT) CUSTOM CONFIGURATION HERE\n",
+# parameters
+"managedRoutes": {
+ "defaultValue": "NOT_SPECIFIED",
+ "metadata": {
+ "description": "A comma-delimited list of route destinations to be managed by this cluster. For example: 0.0.0.0/0,192.168.1.0/24. Specifying a comma-delimited list of managedRoutes and creating f5_ha and f5_tg tags on the Azure Route Table defines the UDRs to be updated. To have the UDRs managed by BIG-IP, you will need to create an Azure tag with key **f5_ha** and value **self_2nic**, or the name of a different self IP address configured on the BIG-IP VE. All UDRs with destinations matching managedRoutes and configured in Azure Route Tables tagged with 'f5_ha:' will use the corresponding self IP address on the active BIG-IP VE as the next hop for those routes. You must also associate the route table with a traffic group by creating an Azure tag with key **f5_tg** and value **traffic-group-1**, or the name of a different traffic group configured on the BIG-IP VE."
+ },
+ "type": "string"
+},
+# install script
+#"[concat('function cp_logs() { cd /var/lib/waagent/custom-script/download && cp `ls -r | head -1`/std* /var/log/cloud/azure; cd /var/log/cloud/azure && cat stdout stderr > install.log; }; CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral; mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud; mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads; mkdir -p /var/log/cloud/azure; /usr/bin/install -m 400 /dev/null /config/cloud/.passwd; /usr/bin/install -m 400 /dev/null /config/cloud/.azCredentials; /usr/bin/install -b -m 755 /dev/null /config/verifyHash; /usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh; /usr/bin/install -b -m 755 /dev/null /config/cloud/managedRoutes; IFS=', variables('singleQuote'), '%', variables('singleQuote'), '; echo -e ', variables('verifyHash'), ' > /config/verifyHash; echo -e ', variables('installCloudLibs'), ' > /config/installCloudLibs.sh; echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh; echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh; echo -e ', parameters('managedRoutes'), ' > /config/cloud/managedRoutes; unset IFS; bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), '{\"clientId\": \"', parameters('clientId'), '\", \"tenantId\": \"', parameters('tenantId'), '\", \"secret\": \"', parameters('servicePrincipalSecret'), '\", \"subscriptionId\": \"', variables('subscriptionID'), '\", \"storageAccount\": \"', variables('newDataStorageAccountName'), '\", \"storageKey\": \"', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('newDataStorageAccountName')), variables('storageApiVersion')).keys[0].value, '\", \"resourceGroupName\": \"', variables('resourceGroupName'), '\", \"uniqueLabel\": \"', variables('dnsLabel'), '\", \"location\": \"', variables('location'), '\"}', variables('singleQuote'), ' \"/config/cloud/.azCredentials\" \"\" true; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '1.', variables('location'), '.cloudapp.azure.com'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', concat(take(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, add(lastIndexOf(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '.'), 1)), add(int(take(split(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '.')[3], indexOf(split(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '.')[3], '/'))), 1)), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 ', variables('netCmd'), ' --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress1'), skip(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, indexOf(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '/')), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress1'), skip(reference(variables('intSubnetRef'), variables('networkApiVersion')).addressPrefix, indexOf(reference(variables('intSubnetRef'), variables('networkApiVersion')).addressPrefix, '/')), ',vlan:internal --log-level info; echo \"/usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs-azure/scripts/failoverProvider.js\" >> /config/failover/tgactive; echo \"/usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs-azure/scripts/failoverProvider.js\" >> /config/failover/tgrefresh; tmsh modify cm device ', concat(variables('instanceName'), '1.', variables('location'), '.cloudapp.azure.com'), ' unicast-address { { ip ', variables('intSubnetPrivateAddress1'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress1'), '; ', variables('failoverCmdArray')[parameters('bigIpVersion')], '; /usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress1'), ' --join-group --device-group Sync --sync --remote-host ', variables('mgmtSubnetPrivateAddress'), ' --remote-user svc_user --remote-password-url file:///config/cloud/.passwd', '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; base=', variables('extSubnetPrivateAddressPrefix'), variables('extSubnetPrivateAddressSuffixInt'), '; f3=$(echo $base | cut -d. -f1-3); last=$(echo $base | cut -d. -f4); for i in $(seq 1 ', variables('numberOfExternalIps'), '); do addr=${f3}.${last}; last=$((last+1)); tmsh create ltm virtual-address $addr address $addr; done; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; $(nohup bash /config/failover/tgactive &>/dev/null &); bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi')]"
+CLOUD_LIB_DIR=/config/cloud/azure/node_modules/@f5devcentral;
+mkdir -p $CLOUD_LIB_DIR && cp f5-cloud-libs*.tar.gz* /config/cloud;
+mkdir -p /var/config/rest/downloads && cp ', variables('f5AS3Build'), ' /var/config/rest/downloads;
+mkdir -p /var/log/cloud/azure;
+/usr/bin/install -m 400 /dev/null /config/cloud/.passwd;
+/usr/bin/install -m 400 /dev/null /config/cloud/.azCredentials;
+/usr/bin/install -b -m 755 /dev/null /config/verifyHash;
+/usr/bin/install -b -m 755 /dev/null /config/installCloudLibs.sh;
+/usr/bin/install -b -m 755 /dev/null /config/cloud/managedRoutes;
+IFS=', variables('singleQuote'), '%', variables('singleQuote'), ';
+ echo -e ', variables('verifyHash'), ' > /config/verifyHash;
+ echo -e ', variables('installCloudLibs'), ' > /config/installCloudLibs.sh;
+ echo -e ', variables('appScript'), ' | /usr/bin/base64 -d > /config/cloud/deploy_app.sh; chmod +x /config/cloud/deploy_app.sh;
+ echo -e ', variables('installCustomConfig'), ' >> /config/customConfig.sh;
+ echo -e ', parameters('managedRoutes'), ' > /config/cloud/managedRoutes;
+ unset IFS;
+ bash /config/installCloudLibs.sh; source $CLOUD_LIB_DIR/f5-cloud-libs/scripts/util.sh; encrypt_secret ', variables('singleQuote'), '{\"clientId\": \"', parameters('clientId'), '\", \"tenantId\": \"', parameters('tenantId'), '\", \"secret\": \"', parameters('servicePrincipalSecret'), '\", \"subscriptionId\": \"', variables('subscriptionID'), '\", \"storageAccount\": \"', variables('newDataStorageAccountName'), '\", \"storageKey\": \"', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('newDataStorageAccountName')), variables('storageApiVersion')).keys[0].value, '\", \"resourceGroupName\": \"', variables('resourceGroupName'), '\", \"uniqueLabel\": \"', variables('dnsLabel'), '\", \"location\": \"', variables('location'), '\"}', variables('singleQuote'), ' \"/config/cloud/.azCredentials\" \"\" true; encrypt_secret ', variables('singleQuote'), variables('adminPasswordOrKey'), variables('singleQuote'), ' \"/config/cloud/.passwd\" true; $CLOUD_LIB_DIR/f5-cloud-libs/scripts/createUser.sh --user svc_user --password-file /config/cloud/.passwd --password-encrypted; ', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].hashCmd, ';
+/usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/onboard.js --no-reboot --output /var/log/cloud/azure/onboard.log --signal ONBOARD_DONE --log-level info --cloud azure --install-ilx-package file:///var/config/rest/downloads/', variables('f5AS3Build'), ' --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' --ssl-port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --hostname ', concat(variables('instanceName'), '1.', variables('location'), '.cloudapp.azure.com'), ' --ntp ', parameters('ntpServer'), ' --tz ', parameters('timeZone'), ' --modules ', parameters('bigIpModules'), ' --db tmm.maxremoteloglength:2048', variables('allowUsageAnalytics')[parameters('allowUsageAnalytics')].metricsCmd, ';
+/usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/network.js --output /var/log/cloud/azure/network.log --wait-for ONBOARD_DONE --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --default-gw ', concat(take(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, add(lastIndexOf(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '.'), 1)), add(int(take(split(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '.')[3], indexOf(split(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '.')[3], '/'))), 1)), ' --vlan name:external,nic:1.1 --vlan name:internal,nic:1.2 ', variables('netCmd'), ' --self-ip name:self_2nic,address:', variables('extSubnetPrivateAddress1'), skip(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, indexOf(reference(variables('extSubnetRef'), variables('networkApiVersion')).addressPrefix, '/')), ',vlan:external --self-ip name:self_3nic,address:', variables('intSubnetPrivateAddress1'), skip(reference(variables('intSubnetRef'), variables('networkApiVersion')).addressPrefix, indexOf(reference(variables('intSubnetRef'), variables('networkApiVersion')).addressPrefix, '/')), ',vlan:internal --log-level info; echo \"/usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs-azure/scripts/failoverProvider.js\" >> /config/failover/tgactive; echo \"/usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs-azure/scripts/failoverProvider.js\" >> /config/failover/tgrefresh; tmsh modify cm device ', concat(variables('instanceName'), '1.', variables('location'), '.cloudapp.azure.com'), ' unicast-address { { ip ', variables('intSubnetPrivateAddress1'), ' port 1026 } } mirror-ip ', variables('intSubnetPrivateAddress1'), '; ', variables('failoverCmdArray')[parameters('bigIpVersion')], ';
+/usr/bin/f5-rest-node $CLOUD_LIB_DIR/f5-cloud-libs/scripts/cluster.js --output /var/log/cloud/azure/cluster.log --log-level info --host ', variables('mgmtSubnetPrivateAddress1'), ' --port ', variables('bigIpMgmtPort'), ' -u svc_user --password-url file:///config/cloud/.passwd --password-encrypted --config-sync-ip ', variables('intSubnetPrivateAddress1'), ' --join-group --device-group Sync --sync --remote-host ', variables('mgmtSubnetPrivateAddress'), ' --remote-user svc_user --remote-password-url file:///config/cloud/.passwd', '; if [[ $? == 0 ]]; then tmsh load sys application template f5.service_discovery.tmpl; tmsh load sys application template f5.cloud_logger.v1.0.0.tmpl; base=', variables('extSubnetPrivateAddressPrefix'), variables('extSubnetPrivateAddressSuffixInt'), '; f3=$(echo $base | cut -d. -f1-3); last=$(echo $base | cut -d. -f4); for i in $(seq 1 ', variables('numberOfExternalIps'), '); do addr=${f3}.${last}; last=$((last+1)); tmsh create ltm virtual-address $addr address $addr; done; ', variables('routeCmd'), '; echo -e ', variables('routeCmd'), ' >> /config/startup; $(nohup bash /config/failover/tgactive &>/dev/null &); bash /config/customConfig.sh; $(cp_logs); else $(cp_logs); exit 1; fi', '; if grep -i \"PUT failed\" /var/log/waagent.log -q; then echo \"Killing waagent exthandler, daemon should restart it\"; pkill -f \"python -u /usr/sbin/waagent -run-exthandlers\"; fi')
diff --git a/demo.sh b/demo.sh
new file mode 100755
index 0000000..8ea26e1
--- /dev/null
+++ b/demo.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+start=$SECONDS
+terraform init
+terraform fmt
+terraform validate
+terraform plan
+# apply
+read -p "Press enter to continue"
+terraform apply --auto-approve
+duration=$(( SECONDS - start ))
+echo "Operation took $duration seconds"
diff --git a/demo_app/app.tf b/demo_app/app.tf
new file mode 100644
index 0000000..dab14bb
--- /dev/null
+++ b/demo_app/app.tf
@@ -0,0 +1,69 @@
+# network interface for app vm
+resource azurerm_network_interface app01-nic {
+ name = "${var.prefix}-app01-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnet.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.app01ip
+ primary = true
+ }
+
+ tags = var.tags
+}
+
+resource azurerm_network_interface_security_group_association app-nsg {
+ network_interface_id = azurerm_network_interface.app01-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+# app01-VM
+resource azurerm_virtual_machine app01-vm {
+ count = 1
+ name = "${var.prefix}-app01-vm"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+
+ network_interface_ids = [azurerm_network_interface.app01-nic.id]
+ vm_size = var.instanceType
+
+ storage_os_disk {
+ name = "${var.prefix}-appOsDisk"
+ caching = "ReadWrite"
+ create_option = "FromImage"
+ managed_disk_type = "Premium_LRS"
+ }
+
+ storage_image_reference {
+ publisher = "Canonical"
+ offer = "UbuntuServer"
+ sku = "16.04.0-LTS"
+ version = "latest"
+ }
+
+ os_profile {
+ computer_name = "app01"
+ admin_username = var.adminUserName
+ admin_password = var.adminPassword
+ custom_data = <<-EOF
+ #!/bin/bash
+ apt-get update -y;
+ apt-get install -y docker.io;
+ # demo app
+ docker run -d -p 443:443 -p 80:80 --restart unless-stopped -e F5DEMO_APP=website -e F5DEMO_NODENAME='F5 Azure' -e F5DEMO_COLOR=ffd734 -e F5DEMO_NODENAME_SSL='F5 Azure (SSL)' -e F5DEMO_COLOR_SSL=a0bf37 chen23/f5-demo-app:ssl;
+ # juice shop
+ docker run -d --restart always -p 3000:3000 bkimminich/juice-shop
+ # rsyslogd with PimpMyLogs
+ docker run -d -e SYSLOG_USERNAME=${var.adminUserName} -e SYSLOG_PASSWORD=${var.adminPassword} -p 8080:80 -p 514:514/udp pbertera/syslogserver
+ EOF
+ }
+
+ os_profile_linux_config {
+ disable_password_authentication = false
+ }
+
+ tags = var.tags
+}
diff --git a/demo_app/variables.tf b/demo_app/variables.tf
new file mode 100644
index 0000000..29ebd5e
--- /dev/null
+++ b/demo_app/variables.tf
@@ -0,0 +1,21 @@
+
+variable prefix {}
+variable resourceGroup {}
+variable location {}
+variable region {}
+variable securityGroup {
+ default = "none"
+}
+
+variable subnet {}
+
+variable app01ip {}
+variable adminUserName {}
+variable adminPassword {}
+
+variable instanceType {}
+
+# TAGS
+variable tags {}
+
+variable timezone {}
diff --git a/dockerfile b/dockerfile
new file mode 100644
index 0000000..dee36a4
--- /dev/null
+++ b/dockerfile
@@ -0,0 +1,37 @@
+# Setup build arguments with default versions
+ARG TERRAFORM_VERSION=0.13.4
+ARG AZURE_CLI_VERSION=latest
+
+# Download Terraform binary
+FROM debian:stretch-20190506-slim as terraform
+ENV DEBIAN_FRONTEND="noninteractive"
+ARG TERRAFORM_VERSION
+RUN apt-get update
+RUN apt-get install -y apt-utils
+RUN apt-get install -y curl
+RUN apt-get install -y unzip
+RUN apt-get install -y gnupg
+RUN curl -Os https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS
+RUN curl -Os https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip
+RUN curl -Os https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig
+COPY hashicorp.asc hashicorp.asc
+RUN gpg --import hashicorp.asc
+RUN gpg --verify terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig terraform_${TERRAFORM_VERSION}_SHA256SUMS
+RUN grep terraform_${TERRAFORM_VERSION}_linux_amd64.zip terraform_${TERRAFORM_VERSION}_SHA256SUMS | sha256sum -c -
+RUN unzip -j terraform_${TERRAFORM_VERSION}_linux_amd64.zip
+
+# Build final image
+FROM debian:stretch-20190506-slim
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ ca-certificates \
+ python3=3.5.3-1 \
+ curl \
+ jq \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* \
+ && ln -s /usr/bin/python3 /usr/bin/python \
+ && curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+COPY --from=terraform /terraform /usr/local/bin/terraform
+WORKDIR /workspace
+CMD ["bash"]
diff --git a/docs/Makefile b/docs/Makefile
deleted file mode 100644
index 7a06a91..0000000
--- a/docs/Makefile
+++ /dev/null
@@ -1,20 +0,0 @@
-# Minimal makefile for Sphinx documentation
-#
-
-# You can set these variables from the command line.
-SPHINXOPTS =
-SPHINXBUILD = sphinx-build
-SPHINXPROJ = F5AgilityLabs
-SOURCEDIR = .
-BUILDDIR = _build
-
-# Put it first so that "make" without argument is like "make help".
-help:
- @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
-
-.PHONY: help Makefile
-
-# Catch-all target: route all unknown targets to Sphinx using the new
-# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
-%: Makefile
- @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
\ No newline at end of file
diff --git a/docs/_static/app-registrations-create.png b/docs/_static/app-registrations-create.png
deleted file mode 100644
index 232196c..0000000
Binary files a/docs/_static/app-registrations-create.png and /dev/null differ
diff --git a/docs/_static/app-registrations-detail.png b/docs/_static/app-registrations-detail.png
deleted file mode 100644
index a75a494..0000000
Binary files a/docs/_static/app-registrations-detail.png and /dev/null differ
diff --git a/docs/_static/app-registrations-list.png b/docs/_static/app-registrations-list.png
deleted file mode 100644
index 0e968d9..0000000
Binary files a/docs/_static/app-registrations-list.png and /dev/null differ
diff --git a/docs/_static/app-registrations.png b/docs/_static/app-registrations.png
deleted file mode 100644
index c4f8440..0000000
Binary files a/docs/_static/app-registrations.png and /dev/null differ
diff --git a/docs/_static/asm-simulated-attack-postman.png b/docs/_static/asm-simulated-attack-postman.png
deleted file mode 100644
index c8d5289..0000000
Binary files a/docs/_static/asm-simulated-attack-postman.png and /dev/null differ
diff --git a/docs/_static/asm-simulated-attack.png b/docs/_static/asm-simulated-attack.png
deleted file mode 100644
index 615cbb0..0000000
Binary files a/docs/_static/asm-simulated-attack.png and /dev/null differ
diff --git a/docs/_static/azure-active-directory.png b/docs/_static/azure-active-directory.png
deleted file mode 100644
index d22089e..0000000
Binary files a/docs/_static/azure-active-directory.png and /dev/null differ
diff --git a/docs/_static/azure-alb-menu.png b/docs/_static/azure-alb-menu.png
deleted file mode 100644
index 39a758e..0000000
Binary files a/docs/_static/azure-alb-menu.png and /dev/null differ
diff --git a/docs/_static/azure-alb-rule-detail.png b/docs/_static/azure-alb-rule-detail.png
deleted file mode 100644
index 5c2c353..0000000
Binary files a/docs/_static/azure-alb-rule-detail.png and /dev/null differ
diff --git a/docs/_static/azure-alb-rules.png b/docs/_static/azure-alb-rules.png
deleted file mode 100644
index 43b1751..0000000
Binary files a/docs/_static/azure-alb-rules.png and /dev/null differ
diff --git a/docs/_static/azure-rg-lb-list.png b/docs/_static/azure-rg-lb-list.png
deleted file mode 100644
index 5a2ef95..0000000
Binary files a/docs/_static/azure-rg-lb-list.png and /dev/null differ
diff --git a/docs/_static/back_cover.png b/docs/_static/back_cover.png
deleted file mode 100644
index 1e9aeac..0000000
Binary files a/docs/_static/back_cover.png and /dev/null differ
diff --git a/docs/_static/big-afm-custom-search-port.png b/docs/_static/big-afm-custom-search-port.png
deleted file mode 100644
index d6d146b..0000000
Binary files a/docs/_static/big-afm-custom-search-port.png and /dev/null differ
diff --git a/docs/_static/bigip-afm-custom-search.png b/docs/_static/bigip-afm-custom-search.png
deleted file mode 100644
index c4e0cf5..0000000
Binary files a/docs/_static/bigip-afm-custom-search.png and /dev/null differ
diff --git a/docs/_static/bigip-afm-logs-ip.png b/docs/_static/bigip-afm-logs-ip.png
deleted file mode 100644
index a96e08e..0000000
Binary files a/docs/_static/bigip-afm-logs-ip.png and /dev/null differ
diff --git a/docs/_static/bigip-asm-logs-details.png b/docs/_static/bigip-asm-logs-details.png
deleted file mode 100644
index 6599970..0000000
Binary files a/docs/_static/bigip-asm-logs-details.png and /dev/null differ
diff --git a/docs/_static/bigip-asm-logs-menu.png b/docs/_static/bigip-asm-logs-menu.png
deleted file mode 100644
index 7d83514..0000000
Binary files a/docs/_static/bigip-asm-logs-menu.png and /dev/null differ
diff --git a/docs/_static/bigip-asm-logs-no-requests.png b/docs/_static/bigip-asm-logs-no-requests.png
deleted file mode 100644
index d699867..0000000
Binary files a/docs/_static/bigip-asm-logs-no-requests.png and /dev/null differ
diff --git a/docs/_static/bigip-external-active.png b/docs/_static/bigip-external-active.png
deleted file mode 100644
index 3251122..0000000
Binary files a/docs/_static/bigip-external-active.png and /dev/null differ
diff --git a/docs/_static/bigip-idle-timeout.png b/docs/_static/bigip-idle-timeout.png
deleted file mode 100644
index 7471336..0000000
Binary files a/docs/_static/bigip-idle-timeout.png and /dev/null differ
diff --git a/docs/_static/bigip-logs-firewall-menu.png b/docs/_static/bigip-logs-firewall-menu.png
deleted file mode 100644
index e47d8eb..0000000
Binary files a/docs/_static/bigip-logs-firewall-menu.png and /dev/null differ
diff --git a/docs/_static/bigip-ltm-vs-list.png b/docs/_static/bigip-ltm-vs-list.png
deleted file mode 100644
index e0281d5..0000000
Binary files a/docs/_static/bigip-ltm-vs-list.png and /dev/null differ
diff --git a/docs/_static/bigip-ltm-vs-menu.png b/docs/_static/bigip-ltm-vs-menu.png
deleted file mode 100644
index 2ce043e..0000000
Binary files a/docs/_static/bigip-ltm-vs-menu.png and /dev/null differ
diff --git a/docs/_static/cost-and-billing.png b/docs/_static/cost-and-billing.png
deleted file mode 100644
index eac9c09..0000000
Binary files a/docs/_static/cost-and-billing.png and /dev/null differ
diff --git a/docs/_static/css/custom.css b/docs/_static/css/custom.css
deleted file mode 100644
index 5896d21..0000000
--- a/docs/_static/css/custom.css
+++ /dev/null
@@ -1,65 +0,0 @@
-img {
- margin-bottom: 12px;
-}
-
-table {
- margin-bottom: 12px;
-}
-
-.section ol.loweralpha > li {
- list-style: lower-alpha;
- padding-bottom: 5px;
-}
-
-.section ol.upperalpha > li {
- list-style: upper-alpha;
- padding-bottom: 5px;
-}
-
-.section ol.arabic > li {
- list-style: decimal;
- padding-bottom: 5px;
-}
-
-.section ol.lowerroman > li {
- list-style: lower-roman;
- padding-bottom: 5px;
-}
-
-.section ol.upperroman > li {
- list-style: upper-roman;
- padding-bottom: 5px;
-}
-
-.align-center {
- display: block;
- margin-left: auto;
- margin-right: auto;
-}
-
-.align-right {
- display: block;
- margin-left: auto;
- margin-right: 0;
-}
-
-.red {
- color: rgb(192, 0, 0);
-}
-
-.bred {
- color: rgb(192, 0, 0);
- font-weight: bold;
-}
-
-ul {
- padding-left: 20px;
- padding-top: 5px;
- padding-bottom: 5px;
-}
-
-ul.simple {
- padding-left: 20px;
- padding-top: 5px;
- padding-bottom: 5px;
-}
diff --git a/docs/_static/custom-deployment-complete.png b/docs/_static/custom-deployment-complete.png
deleted file mode 100644
index b70f533..0000000
Binary files a/docs/_static/custom-deployment-complete.png and /dev/null differ
diff --git a/docs/_static/custom-deployment-f5-info.png b/docs/_static/custom-deployment-f5-info.png
deleted file mode 100644
index fb512f6..0000000
Binary files a/docs/_static/custom-deployment-f5-info.png and /dev/null differ
diff --git a/docs/_static/custom-deployment-tandc.png b/docs/_static/custom-deployment-tandc.png
deleted file mode 100644
index 21bf70b..0000000
Binary files a/docs/_static/custom-deployment-tandc.png and /dev/null differ
diff --git a/docs/_static/custom-deployment-user-pass-1.png b/docs/_static/custom-deployment-user-pass-1.png
deleted file mode 100644
index e062f9d..0000000
Binary files a/docs/_static/custom-deployment-user-pass-1.png and /dev/null differ
diff --git a/docs/_static/custom-deployment-user-pass-2.png b/docs/_static/custom-deployment-user-pass-2.png
deleted file mode 100644
index 62aeca5..0000000
Binary files a/docs/_static/custom-deployment-user-pass-2.png and /dev/null differ
diff --git a/docs/_static/custom-deployment.png b/docs/_static/custom-deployment.png
deleted file mode 100644
index 0944d6e..0000000
Binary files a/docs/_static/custom-deployment.png and /dev/null differ
diff --git a/docs/_static/demo-http.png b/docs/_static/demo-http.png
deleted file mode 100644
index 34dedcf..0000000
Binary files a/docs/_static/demo-http.png and /dev/null differ
diff --git a/docs/_static/demo-https.png b/docs/_static/demo-https.png
deleted file mode 100644
index c4e2f6d..0000000
Binary files a/docs/_static/demo-https.png and /dev/null differ
diff --git a/docs/_static/deployed-topology.png b/docs/_static/deployed-topology.png
deleted file mode 100644
index 1f9741a..0000000
Binary files a/docs/_static/deployed-topology.png and /dev/null differ
diff --git a/docs/_static/enable-programattic.png b/docs/_static/enable-programattic.png
deleted file mode 100644
index 39c02fb..0000000
Binary files a/docs/_static/enable-programattic.png and /dev/null differ
diff --git a/docs/_static/expected-resource-groups.png b/docs/_static/expected-resource-groups.png
deleted file mode 100644
index f461024..0000000
Binary files a/docs/_static/expected-resource-groups.png and /dev/null differ
diff --git a/docs/_static/expected-resources.png b/docs/_static/expected-resources.png
deleted file mode 100644
index 208246a..0000000
Binary files a/docs/_static/expected-resources.png and /dev/null differ
diff --git a/docs/_static/f5-azure-scca-ha.png b/docs/_static/f5-azure-scca-ha.png
deleted file mode 100644
index f5d0539..0000000
Binary files a/docs/_static/f5-azure-scca-ha.png and /dev/null differ
diff --git a/docs/_static/f5-azure-scca-integrated.png b/docs/_static/f5-azure-scca-integrated.png
deleted file mode 100644
index 2b0e046..0000000
Binary files a/docs/_static/f5-azure-scca-integrated.png and /dev/null differ
diff --git a/docs/_static/f5-azure-scca-overview.png b/docs/_static/f5-azure-scca-overview.png
deleted file mode 100644
index afbee50..0000000
Binary files a/docs/_static/f5-azure-scca-overview.png and /dev/null differ
diff --git a/docs/_static/f5-azure-scca-security.png b/docs/_static/f5-azure-scca-security.png
deleted file mode 100644
index 6c8adbf..0000000
Binary files a/docs/_static/f5-azure-scca-security.png and /dev/null differ
diff --git a/docs/_static/f5-azure-scca-ssl-visibility.png b/docs/_static/f5-azure-scca-ssl-visibility.png
deleted file mode 100644
index 1539e7e..0000000
Binary files a/docs/_static/f5-azure-scca-ssl-visibility.png and /dev/null differ
diff --git a/docs/_static/front_cover.png b/docs/_static/front_cover.png
deleted file mode 100644
index 7a05163..0000000
Binary files a/docs/_static/front_cover.png and /dev/null differ
diff --git a/docs/_static/iam-add-permissions.png b/docs/_static/iam-add-permissions.png
deleted file mode 100644
index 07ecdc2..0000000
Binary files a/docs/_static/iam-add-permissions.png and /dev/null differ
diff --git a/docs/_static/iam.png b/docs/_static/iam.png
deleted file mode 100644
index aeaf371..0000000
Binary files a/docs/_static/iam.png and /dev/null differ
diff --git a/docs/_static/ie-bigip-login.png b/docs/_static/ie-bigip-login.png
deleted file mode 100644
index 89f8e31..0000000
Binary files a/docs/_static/ie-bigip-login.png and /dev/null differ
diff --git a/docs/_static/ie-bigip-tabs.png b/docs/_static/ie-bigip-tabs.png
deleted file mode 100644
index 8a6dc70..0000000
Binary files a/docs/_static/ie-bigip-tabs.png and /dev/null differ
diff --git a/docs/_static/ie-cert-error.png b/docs/_static/ie-cert-error.png
deleted file mode 100644
index cfbbbd8..0000000
Binary files a/docs/_static/ie-cert-error.png and /dev/null differ
diff --git a/docs/_static/ie-default-settings.png b/docs/_static/ie-default-settings.png
deleted file mode 100644
index 4f0e653..0000000
Binary files a/docs/_static/ie-default-settings.png and /dev/null differ
diff --git a/docs/_static/ie-security-settings-disable.png b/docs/_static/ie-security-settings-disable.png
deleted file mode 100644
index f29db1e..0000000
Binary files a/docs/_static/ie-security-settings-disable.png and /dev/null differ
diff --git a/docs/_static/ie-security-settings.png b/docs/_static/ie-security-settings.png
deleted file mode 100644
index b4909b9..0000000
Binary files a/docs/_static/ie-security-settings.png and /dev/null differ
diff --git a/docs/_static/image001.png b/docs/_static/image001.png
deleted file mode 100644
index 11bd2ce..0000000
Binary files a/docs/_static/image001.png and /dev/null differ
diff --git a/docs/_static/image002.png b/docs/_static/image002.png
deleted file mode 100644
index e9c92ac..0000000
Binary files a/docs/_static/image002.png and /dev/null differ
diff --git a/docs/_static/local-server-menu.png b/docs/_static/local-server-menu.png
deleted file mode 100644
index 9356c8e..0000000
Binary files a/docs/_static/local-server-menu.png and /dev/null differ
diff --git a/docs/_static/marketplace-f5-byol.png b/docs/_static/marketplace-f5-byol.png
deleted file mode 100644
index 23336b5..0000000
Binary files a/docs/_static/marketplace-f5-byol.png and /dev/null differ
diff --git a/docs/_static/marketplace-want-to-deploy.png b/docs/_static/marketplace-want-to-deploy.png
deleted file mode 100644
index 635ded6..0000000
Binary files a/docs/_static/marketplace-want-to-deploy.png and /dev/null differ
diff --git a/docs/_static/marketplace.png b/docs/_static/marketplace.png
deleted file mode 100644
index 9521deb..0000000
Binary files a/docs/_static/marketplace.png and /dev/null differ
diff --git a/docs/_static/public-ip-address-detail.png b/docs/_static/public-ip-address-detail.png
deleted file mode 100644
index 1044f85..0000000
Binary files a/docs/_static/public-ip-address-detail.png and /dev/null differ
diff --git a/docs/_static/rdp-client-login.png b/docs/_static/rdp-client-login.png
deleted file mode 100644
index 0736684..0000000
Binary files a/docs/_static/rdp-client-login.png and /dev/null differ
diff --git a/docs/_static/rdp-client.png b/docs/_static/rdp-client.png
deleted file mode 100644
index 9c50e54..0000000
Binary files a/docs/_static/rdp-client.png and /dev/null differ
diff --git a/docs/_static/rdp-desktop.png b/docs/_static/rdp-desktop.png
deleted file mode 100644
index e50a202..0000000
Binary files a/docs/_static/rdp-desktop.png and /dev/null differ
diff --git a/docs/_static/resource-group-f5-external-pip-detail.png b/docs/_static/resource-group-f5-external-pip-detail.png
deleted file mode 100644
index 8d74c83..0000000
Binary files a/docs/_static/resource-group-f5-external-pip-detail.png and /dev/null differ
diff --git a/docs/_static/resource-group-f5-external-pips.png b/docs/_static/resource-group-f5-external-pips.png
deleted file mode 100644
index 632f37b..0000000
Binary files a/docs/_static/resource-group-f5-external-pips.png and /dev/null differ
diff --git a/docs/_static/resource-group-f5-external.png b/docs/_static/resource-group-f5-external.png
deleted file mode 100644
index fa575c2..0000000
Binary files a/docs/_static/resource-group-f5-external.png and /dev/null differ
diff --git a/docs/_templates/breadcrumb.html b/docs/_templates/breadcrumb.html
deleted file mode 100644
index 74026f7..0000000
--- a/docs/_templates/breadcrumb.html
+++ /dev/null
@@ -1,23 +0,0 @@
-
-
- {%- if master_doc == pagename %}
- F5 Community Training & Labs
- {%- else %}
- {{ project|striptags|e }}
- {%- endif %}
- {%- if parents|length > 0 %}
- {%- for parent in parents %}
- > {{ parents[loop.index0].title|striptags|e }}
- {%- endfor %}
- {%- endif %}
-
-
- {%- if show_source and has_source and sourcename %}
- Source |
- {%- endif %}
- {%- if github_url is defined %}
- Edit on
- {%- endif %}
-
-
-
diff --git a/docs/_templates/header.html b/docs/_templates/header.html
deleted file mode 100644
index e6694b9..0000000
--- a/docs/_templates/header.html
+++ /dev/null
@@ -1,137 +0,0 @@
-
-
-
-
-
-
-
diff --git a/docs/class1/architecture.rst b/docs/class1/architecture.rst
deleted file mode 100644
index 942b9e7..0000000
--- a/docs/class1/architecture.rst
+++ /dev/null
@@ -1,65 +0,0 @@
-F5 Azure SCCA - Architecture
-----------------------------
-
-Overview
-********
-
-The following is a diagram of the traffic flow of the template that was deployed.
-
-.. image:: /_static/f5-azure-scca-overview.png
- :scale: 50%
-
-
-Traffic originates from the Client through a Cloud Access Point. This would be an Express Route connection, but in the previous template the Public Internet can be used for demonstration purposes.
-
-As traffic enters the environment it is first inspected by an External pair of F5 devices. These External devices are responsible for providing edge filtering protection of traffic at L3/L4, address translation of egress traffic, and terminating SSL connections for later inspection by the "IPS" device and F5 Internal devices (WAF). For demonstration purposes a generic Linux server has been deployed to emulate an IPS device.
-
-High Availability
-*****************
-
-The resources are deployed in an Active/Standby pair to provide High Availability.
-
-.. image:: /_static/f5-azure-scca-ha.png
- :scale: 50%
-
-Depending on the protocol and security requirements this can be also done in an Active/Active manner.
-
-In this example template, an Azure Load Balancer is utilized to reduce failover time, but this can be deployed without an Azure Load Balancer.
-
-This example also has a single point of failure with a single IPS device. In a production environment it would be expected to deploy an IPS solution in an HA configuration similar to the F5 Internal devices.
-
-Traffic Visibility
-******************
-
-The F5 External/Internal devices are both configured to collect Network Firewall event logs. For demonstration purposes these are being stored locally, but they can also send logs to external ArcSight, Splunk, IPFIX, Remote Syslog, or Azure OMS logging destinations.
-
-The F5 Internal device is also configured with a Web Application Firewall (WAF) and is capable of logging HTTP traffic. In this example template the Internal devices are configured to capture HTTP request logs locally. Similar to the Network Firewall, the WAF can be configured for external logging destinations.
-
-This architecture also provides the original Client IP to the destination Application through the use of Azure User Defined Routes (UDR). Using UDR, all egress Application traffic is also sent through the F5 devices.
-
-The F5 External devices can also be utilized to terminate SSL connections to provide SSL Visibility to the IPS and F5 Internal devices.
-
-.. image:: /_static/f5-azure-scca-ssl-visibility.png
- :scale: 50%
-
-The F5 Internal devices can re-encrypt SSL connections before the traffic is sent to Management or Mission Owner networks.
-
-Security
-********
-
-The F5 External/Internal devices are tiered to provide mutiple levels of protections.
-
-.. image:: /_static/f5-azure-scca-security.png
- :scale: 50%
-
-The F5 External devices and IPS device are capable of deflecting L3/L4 based attacks; while the F5 Internal device can address L7 based attacks.
-
-Integration
-***********
-
-Behind the scenes this sample environment is employing Azure services.
-
-.. image:: /_static/f5-azure-scca-integrated.png
- :scale: 50%
-
-Availability Sets ensure that the F5 Device pairs are scheduled for maintenance at appropriate times. The Azure SDK is utilized to failover Azure Route Table entries that provides the visiblity of Client IP address and ensures that all egress traffic traverses the F5 devices. The template itself is using Azure Resource Management templates to automate the process of deploying Azure resources. Azure Load Balancer is used to improve failover times and Azure OMS can be used for external logging where available.
diff --git a/docs/class1/class1.rst b/docs/class1/class1.rst
deleted file mode 100644
index 8abda1b..0000000
--- a/docs/class1/class1.rst
+++ /dev/null
@@ -1,25 +0,0 @@
-F5 Azure SACA - Index
-=======================
-
-Welcome
--------
-
-Welcome to the |classbold| guide.
-
-The content contained here provides a Notional SCCA Deployment
-based on: https://iasecontent.disa.mil/stigs/pdf/SCCA_FRD_v2-9.pdf
-
-Source code can be found in the GitHub repository at https://github.com/f5devcentral/f5-azure-scca.
-
-This is `F5 Contributed Software `__
-
-.. toctree::
- :maxdepth: 2
- :numbered:
- :caption: Contents:
- :glob:
-
- overview*
- intro*
- architecture*
- details*
diff --git a/docs/class1/details.rst b/docs/class1/details.rst
deleted file mode 100644
index 6098eb0..0000000
--- a/docs/class1/details.rst
+++ /dev/null
@@ -1,307 +0,0 @@
-SCCA Details
-------------
-
-Topology
-~~~~~~~~
-
-After the template completes deploying there will be the following devices deployed.
-
-* External F5 Devices (x2)
-* IPS Device (Linux host)
-* Internal F5 Devices (x2)
-* Linux Jumpbox
-* Windows Jumpbox
-
-.. image:: /_static/deployed-topology.png
- :scale: 30%
-
-SCCA VDSS
-~~~~~~~~~
-
-As part of VDSS Security Requirements the Jumpbox is separated into its own subnet (SCCA Req. ID 2.1.2.1) access is also limited to SSH/RDP (w/ TLS) (Req. ID 2.1.2.2).
-
-The F5 BIG-IP acts as a reverse proxy (Req. ID 2.1.2.3). Use of the F5 BIG-IP AFM (network firewall) and ASM (web application firewall) modules can be used in relation to limit/inspect/enforce application traffic (SCCA Req. ID 2.1.2.4, 2.1.2.5, 2.1.2.6, 2.1.2.7, 2.1.2.8, 2.1.2.11). Event data capture on F5 BIG-IP can be sent to external log sources (2.1.2.12).
-
-By performing SSL termination of application traffic BIG-IP can support requirements around break and inspect of SSL/TLS traffic (Req. ID 2.1.2.9) and also support sending traffic inline or out-of-band to additional IPS/IDS devices in support of SCCA VDSS requirements.
-
-Verifying a complete deployment
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The template will create
-
-* VDSS VNet
-* VDSS Route Tables
-* VDSS Management Hosts (Windows/Linux)
-* IPS Host (Linux)
-* Azure Load Balancers
-* F5 External Resource Group
-* F5 Internal Resource Group
-
-Verify that you see the expected resource groups (should appear within ~10 minutes of launch). You should see
-
-* [original resource group]
-* [original resource group]_F5_External
-* [original resource group]_F5_Internal
-
-.. image:: /_static/expected-resource-groups.png
- :scale: 30%
-
-Resources
-~~~~~~~~~
-
-Clicking on the [original resource group] name you should see a set of resources including.
-
-* Virtual Network
-* Azure Load Balancers
-* Public IP Addresses
-* Virtual Machines
-
-.. image:: /_static/expected-resources.png
- :scale: 30%
-
-Public IP Addresses
-~~~~~~~~~~~~~~~~~~~
-
-You should see 3 Public IP Addresses. The "linux-VDSSJumpBox-ip" can be used to access the Linux jumpbox via SSH while the automation deployment is launching. Once the deployment completes you will no longer be able to access the environment via this IP Address.
-
-Record the Public IP Addresses for "f5-ext-pip0" and "f5-ext-pip1". Click on the resource and copy down the IP address.
-
-.. image:: /_static/public-ip-address-detail.png
- :scale: 30%
-
-.. note:: Your IP Address will differ than the example screenshot.
-
-Troubleshooting the Deployment
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-If you do not see the "_F5_" resource groups you can log onto the linux jumpbox to check on the status of the deployment or look for errors. SSH to the "linux-VDSSJumpBox-ip" host.
-
-.. code-block:: none
-
- % tail -f /var/log/cloud-init-output.log
- PLAY [localhost] ********************************************************************************************
- ******************************************************************************************************
-
- TASK [Gathering Facts] **************************************************************************************
- ******************************************************************************************************
- ok: [localhost]
-
- TASK [f5-azure-scca : Check if resource group exists] *******************************************************
- ******************************************************************************************************
- ok: [localhost]
-
- TASK [f5-azure-scca : Deploy SCCA Environnment] *************************************************************
- ******************************************************************************************************
- skipping: [localhost]
- ...
-
-
-Demo Sites
-~~~~~~~~~~
-
-Using a web browser try to access the IP Address of "f5-ext-pip1" via HTTPS. i.e. https\://[ip_address].
-
-.. image:: /_static/demo-https.png
- :scale: 50%
-
-.. tip:: You may need to click past certificate errors
-
-Also verify you can connect to http\://[ip address].
-
-.. image:: /_static/demo-http.png
- :scale: 50%
-
-Access Windows Jumpbox
-~~~~~~~~~~~~~~~~~~~~~~
-
-The Windows Jumpbox can be used to access resources in the environment. The following will guide you through connecting to the jumpbox and configuring it to access internal resources.
-
-Using a Windows RDP client create an RDP connection to the Public IP Address "f5-ext-pip0".
-
-.. image:: /_static/rdp-client.png
- :scale: 30%
-
-When prompted select the option to "Use a different account". Specify the username/password entered for the VDMSS jumpbox username/password in the ARM template.
-
-.. image:: /_static/rdp-client-login.png
- :scale: 30%
-
-Once you connect you should see the Server Manager Dashboard.
-
-.. image:: /_static/rdp-desktop.png
- :scale: 30%
-
-Click on "Local Server" in the menu.
-
-.. image:: /_static/local-server-menu.png
- :scale: 50%
-
-Click on "IE Enhanced Security Configuration" -> "On".
-
-.. image:: /_static/ie-security-settings.png
- :scale: 50%
-
-Change the settings to Off (This is not recommended for production, but used for demonstration purposes).
-
-.. image:: /_static/ie-security-settings-disable.png
- :scale: 50%
-
-Open up Internet Explorer and accept default settings.
-
-.. image:: /_static/ie-default-settings.png
- :scale: 50%
-
-Login to F5 BIG-IP Devices
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The F5 BIG-IP Devices are configured to only allow connections from the jumpbox devices.
-
-From the Windows jumpbox:
-
-Browse to "https://172.16.0.11".
-
-Click past certificate warnings (recommended to install CA signed certificates for production use).
-
-.. image:: /_static/ie-cert-error.png
- :scale: 50%
-
-You should see the login for the F5 BIG-IP.
-
-.. image:: /_static/ie-bigip-login.png
- :scale: 50%
-
-Login using the same credentials to access the RDP host.
-
-Repeat for:
-
-* https://172.16.0.12
-* https://172.16.0.13
-* https://172.16.0.14
-
-.. image:: /_static/ie-bigip-tabs.png
- :scale: 50%
-
-Extend Idle Timeout (Optional)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-By default the session will timeout after 20 minutes. To change the timeout to 1 day. Go to "System -> Preferences". Change the value to "86400".
-
-.. image:: /_static/bigip-idle-timeout.png
- :scale: 50%
-
-Active Device
-~~~~~~~~~~~~~
-
-The F5 BIG-IP devices are deployed in an Active/Standby configuration. They can also be deployed in an Active/Active mode, but Active/Standby is used for this environment to ease the process of identifying the device that is processing traffic.
-
-To determine the "Active" device take note of the top left of the page.
-
-.. image:: /_static/bigip-external-active.png
- :scale: 50%
-
-Firewall Logs
-~~~~~~~~~~~~~
-
-The F5 BIG-IP AFM modules provides network firewall capabilities and DDoS protection.
-
-Find the Active device of the External F5 Devices. It will be either:
-
-* https://172.16.0.11
-* https://172.16.0.12
-
-From the menu on the left of the screen access "Security -> Event Logs -> Network -> Firewall"
-
-.. image:: /_static/bigip-logs-firewall-menu.png
- :scale: 75%
-
-An example of filtering the log output is to click on "Custom Search" then click and drag "Port" from the column to the top of the page.
-
-.. image:: /_static/bigip-afm-custom-search.png
- :scale: 75%
-
-Enter the port "3389" and click search
-
-.. image:: /_static/big-afm-custom-search-port.png
- :scale: 100%
-
-Note that you should see your connecting IP address as well as the destination address of the RDP connection. Normally you be unable to log the original destination IP address, but we are using the Azure Load Balancer to make this information visible. We'll take a look at the Azure Load Balancer in the next section.
-
-.. image:: /_static/bigip-afm-logs-ip.png
- :scale: 100%
-
-On the same BIG-IP device browse to "Local Traffic -> Virtual Servers".
-
-.. image:: /_static/bigip-ltm-vs-menu.png
- :scale: 75%
-
-You'll see that the external IP Address is configured on the BIG-IP.
-
-.. image:: /_static/bigip-ltm-vs-list.png
- :scale: 100%
-
-
-Azure Load Balancer - External
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Go back to the Azure Portal and click on the Resource Group and find the Azure Load Balancers (this is the same Resource Group where you found the Public IP Address).
-
-.. image:: /_static/azure-rg-lb-list.png
- :scale: 50%
-
-Click on "f5-ext-alb" and click on "Load balancing rules"
-
-.. image:: /_static/azure-alb-menu.png
- :scale: 50%
-
-Then click on "rdp_vs"
-
-.. image:: /_static/azure-alb-rules.png
- :scale: 50%
-
-Note that "Floating IP (direct server return)" is set to "Enabled"
-
-.. image:: /_static/azure-alb-rule-detail.png
- :scale: 50%
-
-WAF logs
-~~~~~~~~
-
-In addition to providing network firewall capabilities, F5 BIG-IP ASM module provides a web application firewall that can deter L7 attacks. Unlike a traditional firewall; a WAF is capable of providing a mixture of positive/negative security policies as well as intercept and modify response data as needed (DLP / BOT mitigation).
-
-
-Find the Active device of the Internal F5 Devices. It will be either:
-
-* https://172.16.0.13
-* https://172.16.0.14
-
-From the menu on the left of the screen access "Security -> Event Logs -> Application -> Requests"
-
-.. image:: /_static/bigip-asm-logs-menu.png
- :scale: 50%
-
-Initially you will see no data. Click on the "X" next to Illegal Requests to show all results.
-
-.. image:: /_static/bigip-asm-logs-no-requests.png
- :scale: 50%
-
-You can browse through the requests to see more data.
-
-.. image:: /_static/bigip-asm-logs-details.png
- :scale: 50%
-
-Simulated L7 Attack (optional)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The following will simulate an attack that will trigger a WAF policy.
-
-First make a request to https\://[f5-ext-pip1]/txt.
-
-.. image:: /_static/asm-simulated-attack-postman.png
- :scale: 50%
-
-Change the method to "propfind" and submit.
-
-.. image:: /_static/asm-simulated-attack.png
- :scale: 50%
-
-This will trigger a block for an illegal method. This type of attack can be used when an attacker is trying to find insecure webdav file shares.
diff --git a/docs/class1/intro.rst b/docs/class1/intro.rst
deleted file mode 100644
index e34206c..0000000
--- a/docs/class1/intro.rst
+++ /dev/null
@@ -1,274 +0,0 @@
-Deploying F5 Azure SACA ARM Template
-------------------------------------
-
-To complete this guide requires that you have an Azure US Government account.
-
-The guide will go through the steps of launching an Azure ARM template to create a VNet that
-represents a VDSS and VDMS network. It will also create "jumpbox" resources (Windows/Linux) that will be
-used for Management access and F5 devices that will be used to secure ingress and egress traffic.
-
-Connect to Azure Portal
-~~~~~~~~~~~~~~~~~~~~~~~
-
-First login to the Azure Portal at: https://portal.azure.us (US Government) OR https://portal.azure.com (Commercial)
-
-.. note:: This requires a Azure Government Subscription OR Azure Subscription
-
-Enable Programmatic Access to F5 Resources
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Before you launch the template; you will need to enable programmatic deployment for your F5 devices.
-
-Go to Marketplace
-*****************
-
-From the top search field in the Azure Portal search for “marketplace”
-
- .. image:: /_static/marketplace.png
- :scale: 50%
-
-Find F5 BIG-IP
-**************
-
-In the Market place search enter “f5 byol all” and hit the “enter” key.
-
- .. image:: /_static/marketplace-f5-byol.png
- :scale: 50%
-
-Click on "F5 BIG-IP VE – ALL (BYOL, 2 Boot Locations)"
-
-Verify that you have the correct version by looking at the description and you should see "..version: **13.1**..".
-
-At the very bottom of the page click on “Want to deploy programmatically?”
-
- .. figure:: /_static/marketplace-want-to-deploy.png
- :scale: 50%
-
-
-Enable Programmatic Deployment
-******************************
-Click on “Enable” next to the Subscription
-
- .. figure:: /_static/enable-programattic.png
- :scale: 50%
-
-Create a Service Principal
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-A Service Principal will be used to deploy F5 BIG-IP devices and be used by the BIG-IP's to dynamically update Azure User Defined Routes (UDR).
-
-The following steps are how to create a Service Principal via the Azure Portal.
-
-You will need to retrieve the following three pieces of information that will be used later.
-
-#. Application ID (a.k.a. Client ID)
-#. Application Key (a.k.a. Client Secret)
-#. Tenant ID
-
-It is recommended to create a text file (i.e. using Notepad) that contains:
-
-.. code-block:: none
-
- tenant id: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
- client id: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
- secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-
-
-The following will guide you on how to retrieve this information via the Azure Portal OR Azure CLI (choose one method)
-
-Create Service Principal via Azure CLI
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Use this method if you prefer using a command line interface or have access to Cloud Shell (available in Azure Cloud, not available in Microsoft Azure Government).
-
-To access Azure Cloud Shell see: https://docs.microsoft.com/en-us/azure/cloud-shell/overview
-
-First verify the subscription.
-
-.. code-block:: shell
-
- student01@Azure:~$ az account show
- {
- "environmentName": "AzureCloud",
- "id": "XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXX",
- "isDefault": true,
- "name": "my_subscription",
- "state": "Enabled",
- "tenantId": "YYYYY-YYYY-YYYY-YYYY-YYYYYYYYYY",
- "user": { "name": "studnt01@example.com",
- "type": "user"
- }}
-
-If you do not see the correct subscription run to view subscriptions
-
-.. code-block:: shell
-
- student01@Azure:~$ az account list
-
-Then set the default to the correct subscription.
-
-.. code-block:: shell
-
- student01@Azure:~$ az account set -s XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXX
-
-To create your service principal run (replace "student01" with a unique value or "bigip")
-
-.. code-block:: shell
-
- student01@Azure:~$ az ad sp create-for-rbac -n "student01-sp"
- Retrying role assignment creation: 1/36
- {
- "appId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
- "displayName": "student01-sp",
- "name": "http://student01-sp",
- "password": "SSSSSSSS-SSSS-SSSS-SSSS-SSSSSSSSSSSS",
- "tenant": "TTTTTTTT-TTTT-TTTT-TTTT-TTTTTTTTTTTT"
- }
-
-.. tip:: When using Azure Cloud Shell you will need to highlight the text in your browser and "right-click" and select "copy" to copy and paste the text from the browser.
-
-Save the values of "tenant", "password", and "appId" to your text file that you created earlier.
-
-Create Service Principal via Azure Portal
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-If you used the Azure CLI to create your Service Principal you can skip the following.
-
-.. note:: The following is adapted from: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal#create-an-azure-active-directory-application
-
-Click on Azure Active Directory
-*******************************
-
-In the menu on the left click on "Azure Active Directory".
-
- .. figure:: /_static/azure-active-directory.png
- :scale: 50%
-
-Create App Registration
-************************
-
-Next click on "App Registrations"
-
- .. figure:: /_static/app-registrations.png
- :scale: 50%
-
-And click on "New application registration".
-
-Enter a name (i.e. "bigipsp") and a Sign-on URL (i.e. "http://bigipsp").
-
- .. figure:: /_static/app-registrations-create.png
- :scale: 50%
-
-.. note:: If you are using a shared subscription; please use a unique identifier i.e. "student01-bigipsp"
-
-Retrieve App ID
-****************
-
-Next you will need to retrieve the Application ID and authentication key.
-
-
-Under "App Registrations" find the App that you created in the previous step.
-
- .. figure:: /_static/app-registrations-list.png
- :scale: 50%
-
-Copy the Application ID. You will need this value later. This is the first piece of information that you will need.
-
-.. tip:: A "Click to Copy" button will appear when you hover on the right side of the ID
-
-.. figure:: /_static/app-registrations-detail.png
- :scale: 50%
-
-Generate Key
-*************
-
-To the right of the Application ID click on the "Keys" link.
-
-Provide a description (i.e. "bigip key") and duration.
-
-After saving the key be sure to save the "value". This is the secret key and will not be retrievable again. This is the second piece of information that you will need.
-
-Grant Role
-**********
-
-The Service Principal will need to have "Contributor" access to create BIG-IP devices and manage UDR routes. The following steps will guide you in granting this role to your Azure Subscription. You can later opt to limit access to specific Resource Groups.
-
-Under "Cost Management + Billing" find your Azure Subscription.
-
-.. figure:: /_static/cost-and-billing.png
- :scale: 30%
-
-Click on "Access control (IAM)"
-
-.. figure:: /_static/iam.png
- :scale: 50%
-
-Under "Role" select "Contributor".
-
-Under "Select" type the name of the principal that you previously created (i.e. "bigipsp"). Select that principal. Click "Save"
-
-.. figure:: /_static/iam-add-permissions.png
- :scale: 50%
-
-Get Directory ID
-****************
-
-The third piece of information that you will need is the "Tenant ID".
-
-Under Azure Active Directory retrieve the "Directory ID".
-
-.. note:: Please see: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal#get-tenant-id
-
-Launch Deployment
-~~~~~~~~~~~~~~~~~
-
-Custom Deployment
-*****************
-
-Click on the following link:
-
-**Azure Government**
-
-* https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ff5devcentral%2Ff5-azure-saca%2Fmaster%2Froles%2Ff5-azure-scca%2Ffiles%2Fazuredeploy.json
-
-**Azure Cloud**
-
-* https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ff5devcentral%2Ff5-azure-saca%2Fmaster%2Froles%2Ff5-azure-scca%2Ffiles%2Fazuredeploy.json
-
-You should see.
-
-.. figure:: /_static/custom-deployment.png
- :scale: 30%
-
-Username and Password
-*********************
-
-Fill in the required username/password for the VDSS Jump Boxes. These devices will be used for administrative access to the environment.
-
-.. figure:: /_static/custom-deployment-user-pass-1.png
- :scale: 50%
-
-F5 Information
-**************
-Next fill in the three pieces of information that was previously collected for the Service Principal and F5 license keys.
-
-.. figure:: /_static/custom-deployment-f5-info.png
- :scale: 50%
-
-Terms and Conditions
-********************
-
-Accept the Terms and Conditions and click Purchase.
-
-.. figure:: /_static/custom-deployment-tandc.png
- :scale: 50%
-
-Verify Template Complete
-************************
-
-It will take ~40 - ~60 minutes for the template to complete.
-
-Under Resource Groups find the "Deployments" item and verify that you see "Succeeded".
-
-.. figure:: /_static/custom-deployment-complete.png
- :scale: 30%
diff --git a/docs/class1/overview.rst b/docs/class1/overview.rst
deleted file mode 100644
index 041db56..0000000
--- a/docs/class1/overview.rst
+++ /dev/null
@@ -1,35 +0,0 @@
-About F5 Azure SACA
--------------------
-
-The following is a guide of some of the terms that will be used in this document as well as a reference to resources for additional information.
-
-SACA
-~~~~
-
-Secure Azure Computing Architecture for DoD (SACA) is a notional deployment of SCCA.
-
-SCCA
-~~~~
-
-SCCA is an abrievation for Secure Cloud Computing Architecture that is outlined in the following document: https://iasecontent.disa.mil/stigs/pdf/SCCA_FRD_v2-9.pdf
-
-This architecture provides guidance on requirements for securing Cloud Computing Environments based on US DoD experience.
-
-It outlines recommended components including a Cloud Access Point (CAP), Virtual Datacenter Security Stack (VDSS), Virtual Datacenter Managed Service (VDMS), and Trusted Cloud Credential Manager (TCCM).
-
-Azure
-~~~~~
-
-Microsoft Azure is a leading provider of Cloud Computing resources and provides both a US Government and US DoD Cloud Computing Environments.
-
-F5
-~~
-
-F5 Networks provides products and solutions for high availability, security, and performance optimization of Cloud Computing environments.
-
-F5 Azure SCCA
-~~~~~~~~~~~~~
-
-This document will focus on the deployment of virtual resources in support of an SCCA environment. SCCA can be a combination of physical and virtual resources.
-
-The deployed example architecture can be utilized to aid fulfilling requirements around segmentation of traffic, visibility of encrypted traffic, and security of application protocols that are outlined in the SCCA document.
diff --git a/docs/conf.py b/docs/conf.py
deleted file mode 100644
index 6d93a4d..0000000
--- a/docs/conf.py
+++ /dev/null
@@ -1,317 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-#
-# BEGIN CONFIG
-# ------------
-#
-# REQUIRED: Your class/lab name
-classname = "F5 Azure SACA"
-
-# OPTIONAL: The URL to the GitHub Repository for this class
-github_repo = "https://github.com/f5devcentral/f5-azure-saca"
-
-# OPTIONAL: Google Analytics
-# googleanalytics_id = 'UA-85156643-4'
-
-#
-# END CONFIG
-# ----------
-
-import os
-import sys
-import time
-import re
-import pkgutil
-import string
-sys.path.insert(0, os.path.abspath('.'))
-import f5_sphinx_theme
-
-year = time.strftime("%Y")
-eventname = "Agility %s Hands-on Lab Guide" % (year)
-
-rst_prolog = """
-.. |classname| replace:: %s
-.. |classbold| replace:: **%s**
-.. |classitalic| replace:: *%s*
-.. |ltm| replace:: Local Traffic Manager
-.. |adc| replace:: Application Delivery Controller
-.. |gtm| replace:: Global Traffic Manager
-.. |dns| replace:: DNS
-.. |asm| replace:: Application Security Manager
-.. |afm| replace:: Advanced Firewall Manager
-.. |apm| replace:: Access Policy Manager
-.. |pem| replace:: Policy Enforcement Manager
-.. |ipi| replace:: IP Intelligence
-.. |iwf| replace:: iWorkflow
-.. |biq| replace:: BIG-IQ
-.. |bip| replace:: BIG-IP
-.. |aiq| replace:: APP-IQ
-.. |ve| replace:: Virtual Edition
-.. |icr| replace:: iControl REST API
-.. |ics| replace:: iControl SOAP API
-.. |f5| replace:: F5 Networks
-.. |f5i| replace:: F5 Networks, Inc.
-.. |year| replace:: %s
-.. |github_repo| replace:: %s
-""" % (classname,
- classname,
- classname,
- year,
- github_repo)
-
-if 'github_repo' in locals() and len(github_repo) > 0:
- rst_prolog += """
-.. |repoinfo| replace:: The content contained here leverages a full DevOps CI/CD
- pipeline and is sourced from the GitHub repository at %s.
- Bugs and Requests for enhancements can be made by
- opening an Issue within the repository.
-""" % (github_repo)
-else:
- rst_prolog += ".. |repoinfo| replace:: \ \n"
-
-on_rtd = os.environ.get('READTHEDOCS', None) == 'True'
-on_snops = os.environ.get('SNOPS_ISALIVE', None) == 'True'
-
-print "on_rtd = %s" % on_rtd
-print "on_snops = %s" % on_snops
-
-branch_map = {
- "stable":"master",
- "latest":"master"
-}
-
-try:
- if not on_rtd:
- from git import Repo
- repo = Repo("%s/../" % os.getcwd())
- git_branch = repo.active_branch
- git_branch_name = git_branch.name
- else:
- git_branch_name = os.environ.get('READTHEDOCS_VERSION', None)
-except:
- git_branch_name = 'master'
-
-print "guessed git branch: %s" % git_branch_name
-
-if git_branch_name in branch_map:
- git_branch_name = branch_map[git_branch_name]
- print " remapped to git branch: %s" % git_branch_name
-
-# -- General configuration ------------------------------------------------
-
-# If your documentation needs a minimal Sphinx version, state it here.
-#
-# needs_sphinx = '1.0'
-
-# Add any Sphinx extension module names here, as strings. They can be
-# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
-# ones.
-
-extensions = [
- 'sphinx.ext.todo',
- 'sphinx.ext.extlinks',
- 'sphinx.ext.graphviz',
- 'sphinxcontrib.nwdiag',
- 'sphinxcontrib.blockdiag'
- #'sphinx.ext.autosectionlabel'
-]
-
-if 'googleanalytics_id' in locals() and len(googleanalytics_id) > 0:
- extensions += ['sphinxcontrib.googleanalytics']
- googleanalytics_enabled = True
-
-graphviz_output_format = 'svg'
-graphviz_font = 'DejaVu Sans:style=Book'
-graphviz_dot_args = [
- "-Gfontname='%s'" % graphviz_font,
- "-Nfontname='%s'" % graphviz_font,
- "-Efontname='%s'" % graphviz_font
-]
-
-html_context = {
- "github_url":github_repo,
- "github_branch":git_branch_name
-}
-
-diag_fontpath = '/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf'
-diag_html_image_format = 'SVG'
-diag_latex_image_format = 'PNG'
-diag_antialias = False
-
-blockdiag_fontpath = nwdiag_fontpath = diag_fontpath
-blockdiag_html_image_format = nwdiag_html_image_format = diag_html_image_format
-blockdiag_latex_image_format = nwdiag_latex_image_format = diag_latex_image_format
-blockdiag_antialias = nwdiag_antialias = diag_antialias
-
-eggs_loader = pkgutil.find_loader('sphinxcontrib.spelling')
-found = eggs_loader is not None
-
-if found:
- extensions += ['sphinxcontrib.spelling']
- spelling_lang='en_US'
- spelling_word_list_filename='../wordlist'
- spelling_show_suggestions=True
- spelling_ignore_pypi_package_names=False
- spelling_ignore_wiki_words=True
- spelling_ignore_acronyms=True
- spelling_ignore_python_builtins=True
- spelling_ignore_importable_modules=True
- spelling_filters=[]
-
-source_parsers = {
- '.md': 'recommonmark.parser.CommonMarkParser',
-}
-
-# Add any paths that contain templates here, relative to this directory.
-templates_path = ['_templates']
-
-# The suffix(es) of source filenames.
-# You can specify multiple suffix as a list of string:
-#
-source_suffix = ['.rst', '.md']
-
-# The master toctree document.
-master_doc = 'index'
-
-# General information about the project.
-project = classname
-copyright = u'2019, F5 Networks, Inc.'
-author = u'F5 Networks, Inc.'
-
-# The version info for the project you're documenting, acts as replacement for
-# |version| and |release|, also used in various other places throughout the
-# built documents.
-#
-# The short X.Y version.
-version = u''
-# The full version, including alpha/beta/rc tags.
-release = u''
-
-# The language for content autogenerated by Sphinx. Refer to documentation
-# for a list of supported languages.
-#
-# This is also used if you do content translation via gettext catalogs.
-# Usually you set "language" from the command line for these cases.
-language = None
-
-# List of patterns, relative to source directory, that match files and
-# directories to ignore when looking for source files.
-# This patterns also effect to html_static_path and html_extra_path
-exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
-
-# The name of the Pygments (syntax highlighting) style to use.
-pygments_style = 'sphinx'
-
-# If true, `todo` and `todoList` produce output, else they produce nothing.
-todo_emit_warnings = True
-todo_include_todos = True
-
-# -- Options for HTML output ----------------------------------------------
-
-# The theme to use for HTML and HTML Help pages. See the documentation for
-# a list of builtin themes.
-
-html_theme = 'f5_sphinx_theme'
-html_theme_path = f5_sphinx_theme.get_html_theme_path()
-html_sidebars = {'**': ['searchbox.html', 'localtoc.html', 'globaltoc.html','relations.html']}
-html_theme_options = {
- 'site_name': 'Community Training Classes & Labs',
- 'next_prev_link': True
- }
-html_last_updated_fmt = '%Y-%m-%d %I:%M:%S'
-
-def setup(app):
- app.add_stylesheet('css/f5_agility_theme.css')
-
-if on_rtd:
- templates_path = ['_templates']
-
-extlinks = {
- 'issues':( ("%s/issues/%%s" % github_repo), 'issue ' )
-}
-
-# Theme options are theme-specific and customize the look and feel of a theme
-# further. For a list of options available for each theme, see the
-# documentation.
-#
-# html_theme_options = {}
-
-# Add any paths that contain custom static files (such as style sheets) here,
-# relative to this directory. They are copied after the builtin static files,
-# so a file named "default.css" will overwrite the builtin "default.css".
-html_static_path = ['_static']
-
-
-# -- Options for HTMLHelp output ------------------------------------------
-
-cleanname = re.sub('\W+','',classname)
-
-# Output file base name for HTML help builder.
-htmlhelp_basename = cleanname + 'doc'
-
-# -- Options for LaTeX output ---------------------------------------------
-
-front_cover_image = 'front_cover'
-back_cover_image = 'back_cover'
-
-front_cover_image_path = os.path.join('_static', front_cover_image + '.png')
-back_cover_image_path = os.path.join('_static', back_cover_image + '.png')
-
-latex_additional_files = [front_cover_image_path, back_cover_image_path]
-
-template = string.Template(open('preamble.tex').read())
-
-latex_contents = r"""
-\frontcoverpage
-\contentspage
-"""
-
-backcover_latex_contents = r"""
-\backcoverpage
-"""
-
-latex_elements = {
- 'papersize': 'letterpaper',
- 'pointsize': '10pt',
- 'fncychap': r'\usepackage[Bjornstrup]{fncychap}',
- 'preamble': template.substitute(eventname=eventname,
- project=project,
- author=author,
- frontcoverimage=front_cover_image,
- backcoverimage=back_cover_image),
-
- 'tableofcontents': latex_contents,
- 'printindex': backcover_latex_contents
-}
-
-# Grouping the document tree into LaTeX files. List of tuples
-# (source start file, target name, title,
-# author, documentclass [howto, manual, or own class]).
-latex_documents = [
- (master_doc, '%s.tex' % cleanname, u'%s Documentation' % classname,
- u'F5 Networks, Inc.', 'manual', True),
-]
-
-# -- Options for manual page output ---------------------------------------
-
-# One entry per manual page. List of tuples
-# (source start file, name, description, authors, manual section).
-man_pages = [
- (master_doc, cleanname.lower(), u'%s Documentation' % classname,
- [author], 1)
-]
-
-
-# -- Options for Texinfo output -------------------------------------------
-
-# Grouping the document tree into Texinfo files. List of tuples
-# (source start file, target name, title, author,
-# dir menu entry, description, category)
-texinfo_documents = [
- (master_doc, classname, u'%s Documentation' % classname,
- author, classname, classname,
- 'Training'),
-]
-
-
-
diff --git a/docs/index.rst b/docs/index.rst
deleted file mode 100644
index 61b0370..0000000
--- a/docs/index.rst
+++ /dev/null
@@ -1,21 +0,0 @@
-F5 Azure SACA - Index
-=======================
-
-Welcome
--------
-
-Welcome to the |classbold| guide.
-
-The content contained here provides a Notional SCCA Deployment
-based on: https://iasecontent.disa.mil/stigs/pdf/SCCA_FRD_v2-9.pdf
-
-Source code can be found in the GitHub repository at https://github.com/f5devcentral/f5-azure-scca.
-
-This is `F5 Contributed Software `__
-
-.. toctree::
- :maxdepth: 2
- :caption: Contents:
- :glob:
-
- class*/class*
diff --git a/docs/make.bat b/docs/make.bat
deleted file mode 100644
index 191034d..0000000
--- a/docs/make.bat
+++ /dev/null
@@ -1,36 +0,0 @@
-@ECHO OFF
-
-pushd %~dp0
-
-REM Command file for Sphinx documentation
-
-if "%SPHINXBUILD%" == "" (
- set SPHINXBUILD=sphinx-build
-)
-set SOURCEDIR=.
-set BUILDDIR=_build
-set SPHINXPROJ=F5AgilityLabs
-
-if "%1" == "" goto help
-
-%SPHINXBUILD% >NUL 2>NUL
-if errorlevel 9009 (
- echo.
- echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
- echo.installed, then set the SPHINXBUILD environment variable to point
- echo.to the full path of the 'sphinx-build' executable. Alternatively you
- echo.may add the Sphinx directory to PATH.
- echo.
- echo.If you don't have Sphinx installed, grab it from
- echo.http://sphinx-doc.org/
- exit /b 1
-)
-
-%SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS%
-goto end
-
-:help
-%SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS%
-
-:end
-popd
diff --git a/docs/preamble.tex b/docs/preamble.tex
deleted file mode 100644
index 9cd3d85..0000000
--- a/docs/preamble.tex
+++ /dev/null
@@ -1,68 +0,0 @@
-%% LaTeX preamble.
-
-\usepackage{type1cm}
-\usepackage{helvet}
-\usepackage{wallpaper}
-
-% Bypass unicode character not supported errors
-\usepackage[utf8]{inputenc}
-
-\makeatletter
-\def\UTFviii@defined#1{%
- \ifx#1\relax
- ?%
- \else\expandafter
- #1%
- \fi
-}
-\makeatother
-
-\pagestyle{plain}
-\pagenumbering{arabic}
-
-\renewcommand{\familydefault}{\sfdefault}
-
-\definecolor{f5red}{RGB}{235, 28, 35}
-
-\def\frontcoverpage{
- \begin{titlepage}
- \ThisURCornerWallPaper{1.0}{${frontcoverimage}}
- \vspace*{2.5cm}
- \hspace{4.5cm}
- {\color{f5red} \text{\Large ${eventname}}\par}
- \vspace{.5cm}
- \hspace{4.5cm}
- {\color{white} \text{\huge ${project}}\par}
- \vspace{0.5cm}
- \hspace{4.5cm}
- {\color{white} \text{\large ${author}}\par}
- \vfill
- \end{titlepage}
- \newpage
-}
-
-\def\backcoverpage{
- \newpage
- \thispagestyle{empty}
- \phantom{100}
- \ThisURCornerWallPaper{1.0}{${backcoverimage}}
-}
-
-\def\contentspage{
- \tableofcontents
-}
-
-%% Disable standard title (but keep PDF info).
-\renewcommand{\maketitle}{
- \begingroup
- % These \defs are required to deal with multi-line authors; it
- % changes \\ to ', ' (comma-space), making it pass muster for
- % generating document info in the PDF file.
- \def\\{, }
- \def\and{and }
- \pdfinfo{
- /Title (${project})
- /Author (${author})
- }
- \endgroup
-}
diff --git a/firewall.tf b/firewall.tf
new file mode 100644
index 0000000..f83e7b5
--- /dev/null
+++ b/firewall.tf
@@ -0,0 +1,73 @@
+# Create a Network Security Group with some rules
+resource azurerm_network_security_group main {
+ name = "${var.projectPrefix}-nsg"
+ location = azurerm_resource_group.main.location
+ resource_group_name = azurerm_resource_group.main.name
+
+ security_rule {
+ name = "allow_SSH"
+ description = "Allow SSH access"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "22"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ security_rule {
+ name = "allow_HTTP"
+ description = "Allow HTTP access"
+ priority = 110
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "8080"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ security_rule {
+ name = "allow_HTTPS"
+ description = "Allow HTTPS access"
+ priority = 120
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "443"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ security_rule {
+ name = "allow_RDP"
+ description = "Allow RDP access"
+ priority = 130
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ security_rule {
+ name = "allow_APP_HTTPS"
+ description = "Allow HTTPS access"
+ priority = 140
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "8443"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ tags = var.tags
+}
diff --git a/gitleaks.sh b/gitleaks.sh
new file mode 100644
index 0000000..0bf44fa
--- /dev/null
+++ b/gitleaks.sh
@@ -0,0 +1 @@
+docker run --rm --name=gitleaks -v $(pwd):/code/ zricethezav/gitleaks -v --repo-path=/code/
diff --git a/hashicorp.asc b/hashicorp.asc
new file mode 100644
index 0000000..010c927
--- /dev/null
+++ b/hashicorp.asc
@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
+W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
+fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
+3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
+KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
+SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
+cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JATgEEwECACIFAlMORM0CGwMG
+CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFGFLYc0j/xMyWIIAIPhcVqiQ59n
+Jc07gjUX0SWBJAxEG1lKxfzS4Xp+57h2xxTpdotGQ1fZwsihaIqow337YHQI3q0i
+SqV534Ms+j/tU7X8sq11xFJIeEVG8PASRCwmryUwghFKPlHETQ8jJ+Y8+1asRydi
+psP3B/5Mjhqv/uOK+Vy3zAyIpyDOMtIpOVfjSpCplVRdtSTFWBu9Em7j5I2HMn1w
+sJZnJgXKpybpibGiiTtmnFLOwibmprSu04rsnP4ncdC2XRD4wIjoyA+4PKgX3sCO
+klEzKryWYBmLkJOMDdo52LttP3279s7XrkLEE7ia0fXa2c12EQ0f0DQ1tGUvyVEW
+WmJVccm5bq25AQ0EUw5EzQEIANaPUY04/g7AmYkOMjaCZ6iTp9hB5Rsj/4ee/ln9
+wArzRO9+3eejLWh53FoN1rO+su7tiXJA5YAzVy6tuolrqjM8DBztPxdLBbEi4V+j
+2tK0dATdBQBHEh3OJApO2UBtcjaZBT31zrG9K55D+CrcgIVEHAKY8Cb4kLBkb5wM
+skn+DrASKU0BNIV1qRsxfiUdQHZfSqtp004nrql1lbFMLFEuiY8FZrkkQ9qduixo
+mTT6f34/oiY+Jam3zCK7RDN/OjuWheIPGj/Qbx9JuNiwgX6yRj7OE1tjUx6d8g9y
+0H1fmLJbb3WZZbuuGFnK6qrE3bGeY8+AWaJAZ37wpWh1p0cAEQEAAYkBHwQYAQIA
+CQUCUw5EzQIbDAAKCRBRhS2HNI/8TJntCAClU7TOO/X053eKF1jqNW4A1qpxctVc
+z8eTcY8Om5O4f6a/rfxfNFKn9Qyja/OG1xWNobETy7MiMXYjaa8uUx5iFy6kMVaP
+0BXJ59NLZjMARGw6lVTYDTIvzqqqwLxgliSDfSnqUhubGwvykANPO+93BBx89MRG
+unNoYGXtPlhNFrAsB1VR8+EyKLv2HQtGCPSFBhrjuzH3gxGibNDDdFQLxxuJWepJ
+EK1UbTS4ms0NgZ2Uknqn1WRU1Ki7rE4sTy68iZtWpKQXZEJa0IGnuI2sSINGcXCJ
+oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C
+=LYpS
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/images/azure-example-diagram.png b/images/azure-example-diagram.png
deleted file mode 100644
index 80f71b2..0000000
Binary files a/images/azure-example-diagram.png and /dev/null differ
diff --git a/SACAv2/scripts/Disable-ieESC.ps1 b/jumpboxes/DisableInternetExplorer-ESC.ps1
similarity index 65%
rename from SACAv2/scripts/Disable-ieESC.ps1
rename to jumpboxes/DisableInternetExplorer-ESC.ps1
index a26f599..ffae763 100644
--- a/SACAv2/scripts/Disable-ieESC.ps1
+++ b/jumpboxes/DisableInternetExplorer-ESC.ps1
@@ -1,9 +1,8 @@
-function Disable-ieESC {
+function Disable-InternetExplorerESC {
$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
$UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
- Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 -Force
- Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0 -Force
- Stop-Process -Name Explorer -Force
- Write-Host "IE Enhanced Security Configuration (ESC) has been disabled." -ForegroundColor Green
+ Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
+ Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0
+ Stop-Process -Name Explorer
}
-Disable-ieESC
\ No newline at end of file
+Disable-InternetExplorerESC
diff --git a/jumpboxes/linux.tf b/jumpboxes/linux.tf
new file mode 100644
index 0000000..a7295c9
--- /dev/null
+++ b/jumpboxes/linux.tf
@@ -0,0 +1,66 @@
+# linuxJump
+resource azurerm_network_interface linuxJump-ext-nic {
+ name = "${var.prefix}-linuxJump-ext-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+ #network_security_group_id = var.securityGroup.id
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnet.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.linuxjumpip
+ primary = true
+ }
+
+ tags = var.tags
+}
+
+resource "azurerm_network_interface_security_group_association" "linuxJump-ext-nsg" {
+ network_interface_id = azurerm_network_interface.linuxJump-ext-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+resource azurerm_virtual_machine linuxJump {
+ name = "${var.prefix}-linuxJump"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+
+ network_interface_ids = [azurerm_network_interface.linuxJump-ext-nic.id]
+ vm_size = var.instanceType
+
+ storage_os_disk {
+ name = "${var.prefix}-linuxJumpOsDisk"
+ caching = "ReadWrite"
+ create_option = "FromImage"
+ managed_disk_type = "Premium_LRS"
+ }
+
+ storage_image_reference {
+ publisher = "Canonical"
+ offer = "UbuntuServer"
+ sku = "16.04.0-LTS"
+ version = "latest"
+ }
+
+ os_profile {
+ computer_name = "linuxJump"
+ admin_username = var.adminUserName
+ admin_password = var.adminPassword
+ custom_data = <<-EOF
+ #!/bin/bash
+ apt-get update -y;
+ apt-get install -y docker.io;
+ # demo app
+ docker run -d -p 80:80 --net=host --restart unless-stopped -e F5DEMO_APP=website -e F5DEMO_NODENAME='F5 Azure' -e F5DEMO_COLOR=ffd734 -e F5DEMO_NODENAME_SSL='F5 Azure (SSL)' -e F5DEMO_COLOR_SSL=a0bf37 chen23/f5-demo-app:ssl;
+ # juice shop
+ docker run -d --restart always -p 3000:3000 bkimminich/juice-shop
+ EOF
+ }
+
+ os_profile_linux_config {
+ disable_password_authentication = false
+ }
+
+ tags = var.tags
+}
diff --git a/jumpboxes/variables.tf b/jumpboxes/variables.tf
new file mode 100644
index 0000000..fb7c1d7
--- /dev/null
+++ b/jumpboxes/variables.tf
@@ -0,0 +1,29 @@
+# Instance Type
+
+variable instanceType {}
+
+# winjump
+variable winjumpip {}
+
+# linuxjump
+variable linuxjumpip {}
+
+variable timezone { default = "UTC" }
+
+# cloud
+variable location {}
+variable region {}
+variable prefix {}
+variable resourceGroup {}
+variable securityGroup { default = "none" }
+
+# network
+variable subnet {}
+
+# creds
+variable adminUserName {}
+variable adminPassword {}
+variable sshPublicKey {}
+
+# TAGS
+variable tags {}
diff --git a/jumpboxes/windows.tf b/jumpboxes/windows.tf
new file mode 100644
index 0000000..30389ee
--- /dev/null
+++ b/jumpboxes/windows.tf
@@ -0,0 +1,73 @@
+resource azurerm_network_interface winjump-ext-nic {
+ name = "${var.prefix}-winjump-ext-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnet.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.winjumpip
+ primary = true
+ }
+
+ tags = var.tags
+}
+
+resource "azurerm_network_interface_security_group_association" "winjump-ext-nsg" {
+ network_interface_id = azurerm_network_interface.winjump-ext-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+resource azurerm_virtual_machine winJump {
+ name = "${var.prefix}-winJump"
+ resource_group_name = var.resourceGroup.name
+ location = var.resourceGroup.location
+ vm_size = var.instanceType
+ network_interface_ids = [azurerm_network_interface.winjump-ext-nic.id] #Front-End Network
+
+ os_profile_windows_config {
+ provision_vm_agent = true
+ timezone = var.timezone
+ }
+
+ storage_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2016-Datacenter"
+ version = "latest"
+ }
+
+ storage_os_disk {
+ name = "${var.prefix}-winJump-os"
+ caching = "ReadWrite"
+ create_option = "FromImage"
+ os_type = "Windows"
+ }
+
+ os_profile {
+ computer_name = "winJump"
+ admin_username = var.adminUserName
+ admin_password = var.adminPassword
+ custom_data = filebase64("./jumpboxes/DisableInternetExplorer-ESC.ps1")
+ }
+
+ tags = var.tags
+}
+
+resource azurerm_virtual_machine_extension winJump-run-startup-cmd {
+ name = "${var.prefix}-winJump-run-startup-cmd"
+ depends_on = [azurerm_virtual_machine.winJump]
+ virtual_machine_id = azurerm_virtual_machine.winJump.id
+ publisher = "Microsoft.Compute"
+ type = "CustomScriptExtension"
+ type_handler_version = "1.9"
+ auto_upgrade_minor_version = true
+
+ protected_settings = <> ./startup.sh && cat ./startup.sh | base64 -d >> ./startup-script.sh && chmod +x ./startup-script.sh && rm ./startup.sh && bash ./startup-script.sh 1"
+ }
+ SETTINGS
+
+ tags = var.tags
+}
+
+resource azurerm_virtual_machine_extension f5vm02-run-startup-cmd {
+ name = "${var.prefix}-f5vm02-run-startup-cmd"
+ depends_on = [azurerm_virtual_machine.f5vm01, azurerm_virtual_machine.f5vm02, azurerm_network_interface_backend_address_pool_association.mpool_assc_vm01, azurerm_network_interface_backend_address_pool_association.mpool_assc_vm02]
+ virtual_machine_id = azurerm_virtual_machine.f5vm02.id
+ publisher = "Microsoft.Azure.Extensions"
+ type = "CustomScript"
+ type_handler_version = "2.0"
+
+ settings = <> ./startup.sh && cat ./startup.sh | base64 -d >> ./startup-script.sh && chmod +x ./startup-script.sh && rm ./startup.sh && bash ./startup-script.sh 2"
+ }
+ SETTINGS
+
+ tags = var.tags
+}
+
+
+# Debug Template Outputs
+resource local_file vm01_do_file {
+ content = data.template_file.vm01_do_json.rendered
+ filename = "${path.module}/vm01_do_data.json"
+}
+
+resource local_file vm02_do_file {
+ content = data.template_file.vm02_do_json.rendered
+ filename = "${path.module}/vm02_do_data.json"
+}
+
+resource local_file vm_as3_file {
+ content = data.template_file.as3_json.rendered
+ filename = "${path.module}/vm_as3_data.json"
+}
+
+resource local_file onboard_file {
+ content = data.template_file.vm_onboard.rendered
+ filename = "${path.module}/onboard.sh"
+}
diff --git a/one_tier/firewall/ilb.tf b/one_tier/firewall/ilb.tf
new file mode 100644
index 0000000..714a0aa
--- /dev/null
+++ b/one_tier/firewall/ilb.tf
@@ -0,0 +1,61 @@
+# Create the ILB for South LB and Egress
+resource azurerm_lb internalLoadBalancer {
+ name = "${var.prefix}-internalloadbalancer"
+ location = var.location
+ resource_group_name = var.resourceGroup.name
+ sku = "Standard"
+
+ frontend_ip_configuration {
+ name = "internalLoadBalancerFrontEnd"
+ subnet_id = var.subnetInternal.id
+ private_ip_address = var.ilb01ip
+ private_ip_address_allocation = "Static"
+ private_ip_address_version = "IPv4"
+ }
+}
+
+# Create the LB Pool for ILB
+resource azurerm_lb_backend_address_pool internal_backend_pool {
+ name = "InternalBackendPool1"
+ resource_group_name = var.resourceGroup.name
+ loadbalancer_id = azurerm_lb.internalLoadBalancer.id
+}
+
+# attach interfaces to backend pool
+resource azurerm_network_interface_backend_address_pool_association int_bpool_assc_vm01 {
+ network_interface_id = azurerm_network_interface.vm01-int-nic.id
+ ip_configuration_name = "secondary"
+ backend_address_pool_id = azurerm_lb_backend_address_pool.internal_backend_pool.id
+}
+
+resource azurerm_network_interface_backend_address_pool_association int_bpool_assc_vm02 {
+ network_interface_id = azurerm_network_interface.vm02-int-nic.id
+ ip_configuration_name = "secondary"
+ backend_address_pool_id = azurerm_lb_backend_address_pool.internal_backend_pool.id
+}
+
+resource azurerm_lb_probe internal_tcp_probe {
+ resource_group_name = var.resourceGroup.name
+ loadbalancer_id = azurerm_lb.internalLoadBalancer.id
+ name = "${var.prefix}-internal-tcp-probe"
+ protocol = "tcp"
+ port = 34568
+ interval_in_seconds = 5
+ number_of_probes = 2
+}
+
+resource azurerm_lb_rule internal_all_rule {
+ name = "all-protocol-ilb"
+ resource_group_name = var.resourceGroup.name
+ loadbalancer_id = azurerm_lb.internalLoadBalancer.id
+ protocol = "all"
+ frontend_port = 0
+ backend_port = 0
+ load_distribution = "SourceIPProtocol"
+ frontend_ip_configuration_name = "internalLoadBalancerFrontEnd"
+ enable_floating_ip = true
+ backend_address_pool_id = azurerm_lb_backend_address_pool.internal_backend_pool.id
+ idle_timeout_in_minutes = 5
+ probe_id = azurerm_lb_probe.internal_tcp_probe.id
+ depends_on = [azurerm_lb_probe.internal_tcp_probe]
+}
diff --git a/one_tier/firewall/outputs.tf b/one_tier/firewall/outputs.tf
new file mode 100644
index 0000000..0ae24e8
--- /dev/null
+++ b/one_tier/firewall/outputs.tf
@@ -0,0 +1,21 @@
+# data azurerm_public_ip f5vmpip01 {
+# name = azurerm_public_ip.f5vmpip01.name
+# resource_group_name = var.resourceGroup.name
+# depends_on = [azurerm_public_ip.f5vmpip01, azurerm_virtual_machine.f5vm01]
+# }
+# data azurerm_public_ip f5vmpip02 {
+# name = azurerm_public_ip.f5vmpip02.name
+# resource_group_name = var.resourceGroup.name
+# depends_on = [azurerm_public_ip.f5vmpip02, azurerm_virtual_machine.f5vm02]
+# }
+
+
+output f5vm01_id { value = azurerm_virtual_machine.f5vm01.id }
+output f5vm01_mgmt_private_ip { value = azurerm_network_interface.vm01-mgmt-nic.private_ip_address }
+#output f5vm01_mgmt_public_ip { value = data.azurerm_public_ip.f5vmpip01.ip_address }
+output f5vm01_ext_private_ip { value = azurerm_network_interface.vm01-ext-nic.private_ip_address }
+
+output f5vm02_id { value = azurerm_virtual_machine.f5vm02.id }
+output f5vm02_mgmt_private_ip { value = azurerm_network_interface.vm02-mgmt-nic.private_ip_address }
+#output f5vm02_mgmt_public_ip { value = data.azurerm_public_ip.f5vmpip02.ip_address }
+output f5vm02_ext_private_ip { value = azurerm_network_interface.vm02-ext-nic.private_ip_address }
diff --git a/one_tier/firewall/variables.tf b/one_tier/firewall/variables.tf
new file mode 100644
index 0000000..942be11
--- /dev/null
+++ b/one_tier/firewall/variables.tf
@@ -0,0 +1,69 @@
+variable resourceGroup {}
+# admin credentials
+variable adminUserName {}
+variable adminPassword {}
+variable sshPublicKey {}
+# cloud info
+variable location {}
+variable region {}
+variable securityGroup {
+ default = "none"
+}
+variable availabilitySet {}
+variable availabilitySet2 {}
+
+variable subnets {}
+
+variable prefix {}
+# bigip network
+variable subnetMgmt {}
+variable subnetExternal {}
+variable subnetInternal {}
+variable backendPool {}
+variable managementPool {}
+variable primaryPool {}
+
+variable app01ip {}
+
+variable ilb01ip {}
+
+variable f5_mgmt {}
+variable f5_t1_ext {}
+variable f5_t1_int {}
+
+# winjump
+variable winjumpip {}
+
+# linuxjump
+variable linuxjumpip {}
+
+# device
+variable instanceType {}
+
+
+# BIGIP Image
+variable image_name {}
+variable product {}
+variable bigip_version {}
+
+variable cidr {}
+
+# BIGIP Setup
+variable licenses {
+ type = map(string)
+ default = {
+ "license1" = ""
+ "license2" = ""
+ "license3" = ""
+ "license4" = ""
+ }
+}
+variable hosts {}
+variable dns_server {}
+variable ntp_server {}
+variable timezone {}
+variable onboard_log { default = "/var/log/startup-script.log" }
+variable asm_policy {}
+
+# TAGS
+variable tags {}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..924756d
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,68 @@
+## OUTPUTS ###
+
+# output sg_id {
+# value = azurerm_network_security_group.main.id
+# description = "Network Security Group ID"
+# }
+# output sg_name {
+# value = azurerm_network_security_group.main.name
+# description = "Network Security Group Name"
+# }
+
+output DemoApplication_443 {
+ value = "https://${azurerm_public_ip.lbpip.ip_address}"
+ description = "Public IP for applications. Https for example app, RDP for Windows Jumpbox, SSH for Linux Jumpbox"
+}
+output rSyslogdHttp_8080 {
+ value = "http://${azurerm_public_ip.lbpip.ip_address}:8080"
+ description = "Public IP for applications. Https for example app, RDP for Windows Jumpbox, SSH for Linux Jumpbox"
+}
+
+locals {
+ one_tier = var.deploymentType == "one_tier" ? try({
+ #f5vm01_id = try(module.firewall_one[0].f5vm01_id, "none")
+ f5vm01_mgmt_private_ip = try(module.firewall_one[0].f5vm01_mgmt_private_ip, "none")
+ f5vm01_mgmt_public_ip = "https://${try(module.firewall_one[0].f5vm01_mgmt_public_ip, "none")}"
+ f5vm01_ext_private_ip = try(module.firewall_one[0].f5vm01_ext_private_ip, "none")
+ #
+ #f5vm02_id = try(module.firewall_one[0].f5vm02_id, "none")
+ f5vm02_mgmt_private_ip = try(module.firewall_one[0].f5vm02_mgmt_private_ip, "none")
+ f5vm02_mgmt_public_ip = "https://${try(module.firewall_one[0].f5vm02_mgmt_public_ip, "none")}"
+ f5vm02_ext_private_ip = try(module.firewall_one[0].f5vm02_ext_private_ip, "none")
+ }) : { none = "none" }
+ three_tier = var.deploymentType == "three_tier" ? try(
+ {
+ #f5vm01_id = try(module.firewall_three[0].f5vm01_id, "none")
+ f5vm01_mgmt_private_ip = try(module.firewall_three[0].f5vm01_mgmt_private_ip, "none")
+ f5vm01_mgmt_public_ip = "https://${try(module.firewall_three[0].f5vm01_mgmt_public_ip, "none")}"
+ f5vm01_ext_private_ip = try(module.waf_three[0].f5vm01_ext_private_ip, "none")
+ #
+ #f5vm02_id = try(module.firewall_three[0].f5vm02_id, "none")
+ f5vm02_mgmt_private_ip = try(module.firewall_three[0].f5vm02_mgmt_private_ip, "none")
+ f5vm02_mgmt_public_ip = "https://${try(module.firewall_three[0].f5vm02_mgmt_public_ip, "none")}"
+ f5vm02_ext_private_ip = try(module.waf_three[0].f5vm02_ext_private_ip, "none")
+ #
+ #f5vm03_id = try(module.waf_three[0].f5vm03_id, "none")
+ f5vm03_mgmt_private_ip = try(module.waf_three[0].f5vm03_mgmt_private_ip, "none")
+ f5vm03_mgmt_public_ip = "https://${try(module.waf_three[0].f5vm03_mgmt_public_ip, "none")}"
+ f5vm03_ext_private_ip = try(module.waf_three[0].f5vm03_ext_private_ip, "none")
+ #
+ #f5vm04_id = try(module.waf_three[0].f5vm04_id, "none")
+ f5vm04_mgmt_private_ip = try(module.waf_three[0].f5vm04_mgmt_private_ip, "none")
+ f5vm04_mgmt_public_ip = "https://${try(module.waf_three[0].f5vm04_mgmt_public_ip, "none")}"
+ f5vm04_ext_private_ip = try(module.waf_three[0].f5vm04_ext_private_ip, "none")
+
+ #"${try(odule.waf_three[0].f5vm04_mgmt_public_ip , "none")}"
+ }) : { none = "none" }
+}
+
+# single tier
+output tier_one {
+ value = local.one_tier
+ description = "One Tier Outputs: VM IDs, VM Mgmt IPs, VM External Private IPs"
+}
+# three tier
+output tier_three {
+ value = local.three_tier
+ description = "Three Tier Outputs: VM IDs, VM Mgmt IPs, VM External Private IPs"
+}
diff --git a/prepare/setupAzureGovVars_local.sh b/prepare/setupAzureGovVars_local.sh
new file mode 100755
index 0000000..3734ab2
--- /dev/null
+++ b/prepare/setupAzureGovVars_local.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+#Need to check OS / Platform
+osName=`uname -s`
+case $osName in
+ Linux*) export machine="Linux" ;;
+ Darwin*) export machine="Mac" ;;
+ *) export machine="UNKNOWN:$osName" ;;
+esac
+
+echo $machine
+
+if [[ "$machine" == "Mac" ]]; then
+ echo "OSX Detected, need to Install / Update Brew and jq..."
+ #Need to update brew and make sure jq is installed to process json
+ echo "updating & upgrading brew..."
+ brew update || brew update
+ brew upgrade
+
+ if brew ls --versions jq > /dev/null; then
+ # The package is installed
+ echo "jq installed proceeding..."
+ else
+ echo "installing jq..."
+ brew install jq
+ fi
+elif [[ "$machine" == "Linux" ]]; then
+ if [ -f /etc/redhat-release ]; then
+ yum -y update
+ yum -y install jq
+ fi
+ if [ -f /etc/lsb-release ]; then
+ apt-get --assume-yes update
+ apt-get --assume-yes install jq
+ fi
+fi
+
+#Map Subscription
+export ARM_SUBSCRIPTION_ID=`az account show | jq -r '.id'`
+
+#Create ServicePrincipal for ClientID and Secret
+spn=`az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/$ARM_SUBSCRIPTION_ID" --name http://sccaServicePrincipalName`
+
+echo "Setting environment variables for Terraform"
+export ARM_CLIENT_ID=`echo $spn | jq -r '.appId'`
+echo $spn | jq -r '.appId'
+export ARM_CLIENT_SECRET=`echo $spn | jq -r '.password'`
+echo $spn | jq -r '.password'
+export ARM_TENANT_ID=`az account show | jq -r '.tenantId'`
+az account show | jq -r '.tenantId'
+
+# Not needed for public, required for usgovernment, german, china
+#export ARM_ENVIRONMENT=`az account show | jq -r '.environmentName'`
+export ARM_ENVIRONMENT="usgovernment"
diff --git a/prepare/setupAzureGovVars_vault.sh b/prepare/setupAzureGovVars_vault.sh
new file mode 100755
index 0000000..1b58ec5
--- /dev/null
+++ b/prepare/setupAzureGovVars_vault.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Change these variables according to your needs
+ RESOURCE_GROUP_NAME=tfstate
+ STORAGE_ACCOUNT_NAME=tfstate$RANDOM
+ CONTAINER_NAME=tfstate
+ VAULT_NAME=sccaKeyVault$RANDOM
+ SECRET_NAME=sccaSecret
+
+#Map Subscription
+export ARM_SUBSCRIPTION_ID=`az account show | jq -r '.id'`
+
+#Create ServicePrincipal for ClientID and Secret
+ spn=`az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/$ARM_SUBSCRIPTION_ID" --name http://sccaServicePrincipalName`
+
+# Create resource group
+ az group create --name $RESOURCE_GROUP_NAME --location usgovvirginia
+
+# Create storage account
+ az storage account create --resource-group $RESOURCE_GROUP_NAME --name $STORAGE_ACCOUNT_NAME --sku Standard_LRS --encryption-services blob
+
+# Get storage account key
+ ACCOUNT_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query [0].value -o tsv)
+
+# Create blob container
+ az storage container create --name $CONTAINER_NAME --account-name $STORAGE_ACCOUNT_NAME --account-key $ACCOUNT_KEY
+
+# Create Azure KeyVault
+ az keyvault create -g $RESOURCE_GROUP_NAME --name $VAULT_NAME
+
+# Set Azure KeyVault Secret value to storage account key
+ az keyvault secret set --vault-name $VAULT_NAME --name $SECRET_NAME --value $ACCOUNT_KEY
+
+echo "Setting environment variables for Terraform"
+export ARM_SUBSCRIPTION_ID=$ARM_SUBSCRIPTION_ID
+export ARM_CLIENT_ID=`echo $spn | jq -r '.appId'`
+export ARM_CLIENT_SECRET=`echo $spn | jq -r '.password'`
+export ARM_TENANT_ID=`az account show | jq -r '.tenantId'`
+export ARM_ACCESS_KEY=$(az keyvault secret show --name $SECRET_NAME --vault-name $VAULT_NAME --query value -o tsv)
+
+# Not needed for public, required for usgovernment, german, china
+#export ARM_ENVIRONMENT=`az account show | jq -r '.environmentName'`
+export ARM_ENVIRONMENT="usgovernment"
diff --git a/prepare/setupAzureVars.sh b/prepare/setupAzureVars.sh
new file mode 100755
index 0000000..eab80d0
--- /dev/null
+++ b/prepare/setupAzureVars.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+#Need to check OS / Platform
+osName=`uname -s`
+case $osName in
+ Linux*) export machine=Linux;;
+ Darwin*) export machine=Mac;;
+ *) export machine="UNKNOWN:$osName"
+esac
+
+if [ $machine == "Mac" ]; then
+ echo "OSX Detected, need to Install / Update Brew and jq..."
+ #Need to update brew and make sure jq is installed to process json
+ echo "updating & upgrading brew..."
+ brew update || brew update
+ brew upgrade
+
+ if brew ls --versions jq > /dev/null; then
+ # The package is installed
+ echo "jq installed proceeding..."
+ else
+ echo "installing jq..."
+ brew install jq
+ fi
+elif [ $machine == "Linux" ]; then
+ if [ -f /etc/redhat-release ]; then
+ yum -y update
+ yum -y install jq
+ fi
+ if [ -f /etc/lsb-release ]; then
+ apt-get --assume-yes update
+ apt-get --assume-yes install jq
+ fi
+fi
+
+#Create ServicePrincipal for ClientID and Secret
+spn=`az ad sp create-for-rbac --name scaServicePrincipalName`
+
+echo "Setting environment variables for Terraform"
+export ARM_SUBSCRIPTION_ID=`az account show | jq -r '.id'`
+export ARM_CLIENT_ID=`echo $spn | jq -r '.appId'`
+export ARM_CLIENT_SECRET=`echo $spn | jq -r '.password'`
+export ARM_TENANT_ID=`az account show | jq -r '.tenantId'`
+
+# Not needed for public, required for usgovernment, german, china
+export ARM_ENVIRONMENT=`az account show | jq -r '.environmentName'`
diff --git a/providers.tf b/providers.tf
new file mode 100644
index 0000000..2bdfac9
--- /dev/null
+++ b/providers.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 0.13"
+}
+
+provider azurerm {
+ version = "~> 2.30.0"
+ features {}
+}
+
+provider http {}
diff --git a/releases/v1.0.0.zip b/releases/v1.0.0.zip
new file mode 100644
index 0000000..2f72ded
Binary files /dev/null and b/releases/v1.0.0.zip differ
diff --git a/SACAv2/resources/f5-appsvcs-3.5.1-5.noarch.rpm b/releases/v2.6.1.zip
similarity index 56%
rename from SACAv2/resources/f5-appsvcs-3.5.1-5.noarch.rpm
rename to releases/v2.6.1.zip
index 462503b..4c8f4d2 100644
Binary files a/SACAv2/resources/f5-appsvcs-3.5.1-5.noarch.rpm and b/releases/v2.6.1.zip differ
diff --git a/scripts/convertdocx.sh b/scripts/convertdocx.sh
deleted file mode 100755
index fff8ef7..0000000
--- a/scripts/convertdocx.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-
-set -x
-
-
-DOCNAME=${1%.docx}
-echo $1
-echo $DOCNAME
-
-pandoc -f docx $1 -t rst -o $DOCNAME.rst
-mkdir -p tmp media
-cd tmp
-unzip ../$1
-cp -Rf ./word/media/* ../media
-cd ..
-rm -Rf tmp
-
diff --git a/scripts/server b/scripts/server
deleted file mode 100755
index 11b8f85..0000000
--- a/scripts/server
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-if [ $# -eq 0 ]; then
- PORT=8000
-else
- PORT=$1
-fi
-
-if [ -d _build ]; then
- echo "Starting server on TCP/$PORT..."
- echo "Enter to stop the server..."
- cd _build
- for i in `cat ../../server-dependencies`
- do
- ../../containthedocs-wget $i;
- done
- python -mSimpleHTTPServer $PORT
-else
- echo "The _build directory doesn't exist... try running 'script/setup'"
- exit 1
-fi
diff --git a/templates/ips-cloud-init.yaml b/templates/ips-cloud-init.yaml
new file mode 100644
index 0000000..37644a9
--- /dev/null
+++ b/templates/ips-cloud-init.yaml
@@ -0,0 +1,133 @@
+#cloud-config
+
+write_files:
+ - path: /etc/rsyslog.d/10-rsyslog.conf
+ content: |
+ *.* @${log_destination}:514
+ - path: /etc/networkd-dispatcher/routable.d/10-ifup-hooks
+ content: |
+ #!/bin/sh
+ # ifconfig $IFACE 0.0.0.0 up
+ # ip link set $IFACE promisc on
+ sudo iptables -I FORWARD -i eth1 -o eth2 -j NFQUEUE --queue-num=4
+ sudo iptables -I FORWARD -i eth2 -o eth1 -j NFQUEUE --queue-num=4
+ exit 0
+ - path: /etc/networkd-dispatcher/routable.d/50-postup-hooks
+ content: |
+ #!/bin/sh
+ if [ $IFACE != "eth0"]
+ ethtool -K $IFACE gro off lro off
+ fi
+ exit 0
+ - path: /etc/networkd-dispatcher/dormant.d/promisc_bridge
+ content: |
+ #!/bin/sh
+ set -e
+ if [ $IFACE != "eth0"]
+ ip link set eth1 up promisc on
+ ip link set eth2 up promisc on
+ fi
+ exit 0
+ - path: /etc/networkd-dispatcher/off.d/50-ifdown-hooks
+ content: |
+ #!/bin/sh
+ ip link set $IFACE promisc off
+ ifconfig $IFACE down
+ exit 0
+ - path: /lib/systemd/system/snort.service
+ content: |
+ [Unit]
+ Description=Snort NIDS Daemon
+ After=syslog.target network.target
+ [Service]
+ Type=simple
+ ExecStart=/usr/sbin/snort -D -c /etc/snort/snort.conf -Q
+ [Install]
+ WantedBy=multi-user.target
+
+apt:
+ primary:
+ - arches: [default]
+ search_dns: True
+package_upgrade: true
+packages:
+ - build-essential
+ - bridge-utils
+ - libpcap-dev
+ - libpcre3-dev
+ - libdumbnet-dev
+ - bison
+ - flex
+ - zlib1g-dev
+ - liblzma-dev
+ - openssl
+ - libssl-dev
+ - ethtool
+ - autoconf
+ - libtool
+ - libtool-bin
+ - pkg-config
+ - gcc
+ - zlib1g-dev
+ - libluajit-5.1-dev
+ - libnghttp2-dev
+ - libdnet
+ - git
+ - libcrypt-ssleay-perl
+ - liblwp-useragent-determined-perl
+ - libnetfilter-queue-dev
+
+runcmd:
+ - sudo chmod +x /etc/networkd-dispatcher/routable.d/10-ifup-hooks
+ - sudo chmod +x /etc/networkd-dispatcher/routable.d/50-postup-hooks
+ - sudo chmod +x /etc/networkd-dispatcher/dormant.d/promisc_bridge
+ - sudo chmod +x /etc/networkd-dispatcher/off.d/50-ifdown-hooks
+ - sudo echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
+ - sudo apt autoremove -y
+ - sudo mkdir -p /etc/snort/rules
+ - sudo chmod -R 5775 /etc/snort
+ - sudo mkdir /var/log/snort
+ - sudo chmod -R 5775 /var/log/snort
+ - sudo mkdir -p /home/root/snort_src
+ - cd /home/root/snort_src
+ - [wget, "https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz"]
+ - [wget, "https://www.snort.org/downloads/snort/snort-2.9.16.1.tar.gz"]
+ - [wget, "https://www.snort.org/downloads/community/community-rules.tar.gz"]
+ - git clone https://github.com/John-Lin/docker-snort.git
+ - tar -xvzf daq-2.0.7.tar.gz
+ - tar -xvzf snort-2.9.16.1.tar.gz
+ - tar -xvzf community-rules.tar.gz
+ - cd /home/root/snort_src/daq-2.0.7
+ - autoreconf -f -i
+ - ./configure
+ - make
+ - sudo make install
+ - cd /home/root/snort_src/snort-2.9.16.1
+ - autoreconf -f -i
+ - ./configure --enable-sourcefire
+ - make
+ - sudo make install
+ - sudo ldconfig
+ - sudo ln -s /usr/local/bin/snort /usr/sbin/snort
+ - sudo mkdir -p /usr/local/lib/snort_dynamicrules
+ - sudo cp /home/root/snort_src/snort-2.9.16.1/etc/* /etc/snort/
+ - sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
+ - sudo cp /home/root/snort_src/docker-snort/snortrules-snapshot-2972/rules/* /etc/snort/rules
+ - sudo echo "config policy_mode:inline" >> /etc/snort/snort.conf
+ - sudo sed -i 's/..\/rules/\/etc\/snort\/rules/g' /etc/snort/snort.conf
+ - "sudo sed -i 's/# config daq: /config daq: nfq/g' /etc/snort/snort.conf"
+ - "sudo sed -i 's/# config daq_mode: /config daq_mode: inline/g' /etc/snort/snort.conf"
+ - "sudo sed -i 's/# config daq_var: /config daq_var: queue=4/g' /etc/snort/snort.conf"
+ - sudo echo 'alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)' >> /home/root/local.rules
+ - sudo rm -rf /etc/snort/rules/local.rules
+ - sudo cp /home/root/local.rules /etc/snort/rules/local.rules
+ - sudo sysctl -p
+ - sudo route add -net ${wafSubnetPrefix} netmask ${internalMask} gw ${wafGateway}
+ - sudo route add -net ${internalSubnetPrefix} netmask ${wafMask} gw ${internalGateway}
+ - sudo iptables -I FORWARD -i eth1 -o eth2 -j NFQUEUE --queue-num=4
+ - sudo iptables -I FORWARD -i eth2 -o eth1 -j NFQUEUE --queue-num=4
+ - sudo systemctl enable snort
+ - sudo systemctl start snort
+ #- sudo snort -D -c /etc/snort/snort.conf -Q
+
+final_message: "The system is finally up, after $UPTIME seconds"
diff --git a/templates/onboard.tpl b/templates/onboard.tpl
new file mode 100644
index 0000000..ec0ca66
--- /dev/null
+++ b/templates/onboard.tpl
@@ -0,0 +1,694 @@
+#!/bin/bash
+#
+# vars
+#
+# get device id for do
+deviceId=$1
+#
+admin_username='${uname}'
+admin_password='${upassword}'
+CREDS="$admin_username:$admin_password"
+LOG_FILE=${onboard_log}
+# constants
+mgmt_port=`tmsh list sys httpd ssl-port | grep ssl-port | sed 's/ssl-port //;s/ //g'`
+authUrl="/mgmt/shared/authn/login"
+rpmInstallUrl="/mgmt/shared/iapp/package-management-tasks"
+rpmFilePath="/var/config/rest/downloads"
+local_host="http://localhost:8100"
+# do
+doUrl="/mgmt/shared/declarative-onboarding"
+doCheckUrl="/mgmt/shared/declarative-onboarding/info"
+doTaskUrl="/mgmt/shared/declarative-onboarding/task"
+# as3
+as3Url="/mgmt/shared/appsvcs/declare"
+as3CheckUrl="/mgmt/shared/appsvcs/info"
+as3TaskUrl="/mgmt/shared/appsvcs/task/"
+# ts
+tsUrl="/mgmt/shared/telemetry/declare"
+tsCheckUrl="/mgmt/shared/telemetry/info"
+# cloud failover ext
+cfUrl="/mgmt/shared/cloud-failover/declare"
+cfCheckUrl="/mgmt/shared/cloud-failover/info"
+# fast
+fastCheckUrl="/mgmt/shared/fast/info"
+# declaration content
+cat > /config/do1.json < /config/do2.json < /config/as3.json <>$LOG_FILE
+else
+ #if file exists, exit as only want to run once
+ exit
+fi
+
+exec 1>$LOG_FILE 2>&1
+
+startTime=$(date +%s)
+echo "start device ID:$deviceId date: $(date)"
+function timer () {
+ echo "Time Elapsed: $(( ${1} / 3600 ))h $(( (${1} / 60) % 60 ))m $(( ${1} % 60 ))s"
+}
+waitMcpd () {
+checks=0
+while [[ "$checks" -lt 120 ]]; do
+ tmsh -a show sys mcp-state field-fmt | grep -q running
+ if [ $? == 0 ]; then
+ echo "[INFO: mcpd ready]"
+ break
+ fi
+ echo "[WARN: mcpd not ready yet]"
+ let checks=checks+1
+ sleep 10
+done
+}
+waitActive () {
+checks=0
+while [[ "$checks" -lt 30 ]]; do
+ tmsh -a show sys ready | grep -q no
+ if [ $? == 1 ]; then
+ echo "[INFO: system ready]"
+ break
+ fi
+ echo "[WARN: system not ready yet count: $checks]"
+ tmsh -a show sys ready | grep no
+ let checks=checks+1
+ sleep 10
+done
+}
+# CHECK TO SEE NETWORK IS READY
+count=0
+while true
+do
+ STATUS=$(curl -s -k -I example.com | grep HTTP)
+ if [[ $STATUS == *"200"* ]]; then
+ echo "[INFO: internet access check passed]"
+ break
+ elif [ $count -le 6 ]; then
+ echo "Status code: $STATUS Not done yet..."
+ count=$[$count+1]
+ else
+ echo "[WARN: GIVE UP...]"
+ break
+ fi
+ sleep 10
+done
+# download latest atc tools
+toolsList=$(cat -</dev/null 2>&1 <<<"$code"; then
+ echo "Parsed JSON successfully and got something other than false/null count: $taskCount"
+ status=$(curl -s -u $CREDS $local_host$doTaskUrl/$task | jq -r .result.status)
+ sleep 1
+ echo "status: $status code: $code"
+ # 200,202,422,400,404,500,422
+ echo "DO: $task response:$code status:$status"
+ sleep 1
+ #FINISHED,STARTED,RUNNING,ROLLING_BACK,FAILED,ERROR,NULL
+ case $status in
+ FINISHED)
+ # finished
+ echo " $task status: $status "
+ # bigstart start dhclient
+ break 2
+ ;;
+ STARTED)
+ # started
+ echo " $filename status: $status "
+ sleep 30
+ ;;
+ RUNNING)
+ # running
+ echo "DO Status: $status task: $task Not done yet...count:$taskCount"
+ # wait for active-online-state
+ waitMcpd
+ if [[ "$taskCount" -le 5 ]]; then
+ sleep 60
+ fi
+ waitActive
+ #sleep 120
+ taskCount=$[$taskCount+1]
+ ;;
+ FAILED)
+ # failed
+ error=$(curl -s -u $CREDS $local_host$doTaskUrl/$task | jq -r .result.status)
+ echo "failed $task, $error"
+ #count=$[$count+1]
+ break
+ ;;
+ ERROR)
+ # error
+ error=$(curl -s -u $CREDS $local_host$doTaskUrl/$task | jq -r .result.status)
+ echo "Error $task, $error"
+ #count=$[$count+1]
+ break
+ ;;
+ ROLLING_BACK)
+ # Rolling back
+ echo "Rolling back failed status: $status task: $task"
+ break
+ ;;
+ OK)
+ # complete no change
+ echo "Complete no change status: $status task: $task"
+ break 2
+ ;;
+ *)
+ # other
+ echo "other: $status"
+ echo "other task: $task count: $taskCount"
+ debug=$(curl -s -u $CREDS $local_host$doTaskUrl/$task)
+ echo "other debug: $debug"
+ case $debug in
+ *not*registered*)
+ # restnoded response DO api is unresponsive
+ echo "DO endpoint not avaliable waiting..."
+ sleep 30
+ ;;
+ *resterrorresponse*)
+ # restnoded response DO api is unresponsive
+ echo "DO endpoint not avaliable waiting..."
+ sleep 30
+ ;;
+ *start-limit*)
+ # dhclient issue hit
+ echo " do dhclient starting issue hit start another task"
+ break
+ ;;
+ esac
+ sleep 30
+ taskCount=$[$taskCount+1]
+ ;;
+ esac
+ else
+ echo "Failed to parse JSON, or got false/null"
+ echo "DO status code: $code"
+ debug=$(curl -s -u $CREDS $local_host$doTaskUrl/$task)
+ echo "debug DO code: $debug"
+ count=$[$count+1]
+ fi
+ done
+done
+}
+# mgmt
+echo "set management"
+echo -e "create cli transaction;
+modify sys global-settings mgmt-dhcp disabled;
+submit cli transaction" | tmsh -q
+tmsh save /sys config
+# get as3 values
+externalVip=$(curl -sf --retry 20 -H Metadata:true "http://169.254.169.254/metadata/instance/network/interface?api-version=2017-08-01" | jq -r '.[1].ipv4.ipAddress[1].privateIpAddress')
+
+# end get values
+
+# run DO
+echo "----run do----"
+count=0
+while [ $count -le 4 ]
+ do
+ doStatus=$(checkDO)
+ echo "DO check status: $doStatus"
+ if [ $deviceId == 1 ] && [[ "$doStatus" = *"online"* ]]; then
+ echo "running do for id:$deviceId"
+ bigstart stop dhclient
+ runDO do1.json
+ if [ "$?" == 0 ]; then
+ echo "done with do"
+ bigstart start dhclient
+ results=$(restcurl -u $CREDS -X GET $doTaskUrl | jq '.[] | .id, .result')
+ echo "do results: $results"
+ break
+ fi
+ elif [ $deviceId == 2 ] && [[ "$doStatus" = *"online"* ]]; then
+ echo "running do for id:$deviceId"
+ bigstart stop dhclient
+ runDO do2.json
+ if [ "$?" == 0 ]; then
+ echo "done with do"
+ bigstart start dhclient
+ results=$(restcurl -u $CREDS -X GET $doTaskUrl | jq '.[] | .id, .result')
+ echo "do results: $results"
+ break
+ fi
+ elif [ $count -le 2 ]; then
+ echo "DeviceID: $deviceId Status code: $doStatus DO not ready yet..."
+ count=$[$count+1]
+ sleep 30
+ else
+ echo "DO not online status: $doStatus"
+ break
+ fi
+done
+function runAS3 () {
+ count=0
+ while [ $count -le 4 ]
+ do
+ # wait for do to finish
+ waitActive
+ # make task
+ task=$(curl -s -u $CREDS -H "Content-Type: Application/json" -H 'Expect:' -X POST $local_host$as3Url?async=true -d @/config/as3.json | jq -r .id)
+ echo "===== starting as3 task: $task ====="
+ sleep 1
+ count=$[$count+1]
+ # check task code
+ taskCount=0
+ while [ $taskCount -le 3 ]
+ do
+ as3CodeType=$(curl -s -u $CREDS -X GET $local_host$as3TaskUrl/$task | jq -r type )
+ if [[ "$as3CodeType" == "object" ]]; then
+ code=$(curl -s -u $CREDS -X GET $local_host$as3TaskUrl/$task | jq -r .)
+ tenants=$(curl -s -u $CREDS -X GET $local_host$as3TaskUrl/$task | jq -r .results[].tenant)
+ echo "object: $code"
+ elif [ "$as3CodeType" == "array" ]; then
+ echo "array $code check task, breaking"
+ break
+ else
+ echo "unknown type:$as3CodeType"
+ fi
+ sleep 1
+ if jq -e . >/dev/null 2>&1 <<<"$code"; then
+ echo "Parsed JSON successfully and got something other than false/null"
+ status=$(curl -s -u $CREDS $local_host$as3TaskUrl/$task | jq -r .items[].results[].message)
+ case $status in
+ *progress)
+ # in progress
+ echo -e "Running: $task status: $status tenants: $tenants count: $taskCount "
+ sleep 120
+ taskCount=$[$taskCount+1]
+ ;;
+ *Error*)
+ # error
+ echo -e "Error Task: $task status: $status tenants: $tenants "
+ if [[ "$status" = *"progress"* ]]; then
+ sleep 180
+ break
+ else
+ break
+ fi
+ ;;
+ *failed*)
+ # failed
+ echo -e "failed: $task status: $status tenants: $tenants "
+ break
+ ;;
+ *success*)
+ # successful!
+ echo -e "success: $task status: $status tenants: $tenants "
+ break 3
+ ;;
+ no*change)
+ # finished
+ echo -e "no change: $task status: $status tenants: $tenants "
+ break 4
+ ;;
+ *)
+ # other
+ echo "status: $status"
+ debug=$(curl -s -u $CREDS $local_host$as3TaskUrl/$task)
+ echo "debug: $debug"
+ error=$(curl -s -u $CREDS $local_host$as3TaskUrl/$task | jq -r '.results[].message')
+ echo "Other: $task, $error"
+ break
+ ;;
+ esac
+ else
+ echo "Failed to parse JSON, or got false/null"
+ echo "AS3 status code: $code"
+ debug=$(curl -s -u $CREDS $local_host$doTaskUrl/$task)
+ echo "debug AS3 code: $debug"
+ count=$[$count+1]
+ fi
+ done
+ done
+}
+
+# modify as3
+#sdToken=$(echo "$token" | base64)
+sed -i "s/-external-virtual-address-/$externalVip/g" /config/as3.json
+#sed -i "s/-sd-sa-token-b64-/$token/g" /config/as3.json
+# end modify as3
+
+# metadata route
+echo -e 'create cli transaction;
+modify sys db config.allow.rfc3927 value enable;
+create sys management-route metadata-route network 169.254.169.254/32 gateway ${mgmtGateway};
+submit cli transaction' | tmsh -q
+tmsh save /sys config
+# add management route with metric 0 for the win
+route add -net default gw ${mgmtGateway} netmask 0.0.0.0 dev mgmt metric 0
+# run as3
+count=0
+while [ $count -le 4 ]
+do
+ as3Status=$(checkAS3)
+ echo "AS3 check status: $as3Status"
+ if [[ "$as3Status" == *"online"* ]]; then
+ if [ $deviceId == 1 ]; then
+ echo "running as3"
+ runAS3
+ echo "done with as3"
+ results=$(restcurl -u $CREDS $as3TaskUrl | jq '.items[] | .id, .results')
+ echo "as3 results: $results"
+ break
+ else
+ echo "Not posting as3 device $deviceid not primary"
+ break
+ fi
+ elif [ $count -le 2 ]; then
+ echo "Status code: $as3Status As3 not ready yet..."
+ count=$[$count+1]
+ else
+ echo "As3 API Status $as3Status"
+ break
+ fi
+done
+#
+#
+# cleanup
+## remove declarations
+# rm -f /config/do1.json
+# rm -f /config/do2.json
+# rm -f /config/as3.json
+## disable/replace default admin account
+# echo -e "create cli transaction;
+# modify /sys db systemauth.primaryadminuser value $admin_username;
+# submit cli transaction" | tmsh -q
+tmsh save sys config
+echo "timestamp end: $(date)"
+echo "setup complete $(timer "$(($(date +%s) - $startTime))")"
+exit
diff --git a/templates/telemetry_dashboard.omsview b/templates/telemetry_dashboard.omsview
new file mode 100644
index 0000000..79518e2
--- /dev/null
+++ b/templates/telemetry_dashboard.omsview
@@ -0,0 +1,329 @@
+{
+"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"location": {
+"type": "string",
+"defaultValue": ""
+},
+"resourcegroup": {
+"type": "string",
+"defaultValue": ""
+},
+"subscriptionId": {
+"type": "string",
+"defaultValue": ""
+},
+"workspace": {
+"type": "string",
+"defaultValue": ""
+},
+"workspaceapiversion": {
+"type": "string",
+"defaultValue": ""
+}
+},
+"resources": [
+{
+"apiVersion": "[parameters('workspaceapiversion')]",
+"name": "[parameters('workspace')]",
+"type": "Microsoft.OperationalInsights/workspaces",
+"location": "[parameters('location')]",
+"id": "[Concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourcegroup'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]",
+"resources": [
+{
+"apiVersion": "2015-11-01-preview",
+"name": "Devices",
+"type": "views",
+"location": "[parameters('location')]",
+"id": "[Concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourcegroup'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspace'),'/views/Devices')]",
+"dependson": [
+"[Concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourcegroup'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]"
+],
+"properties": {
+"Id": "Devices",
+"Name": "Devices",
+"Author": null,
+"Source": "Local",
+"Version": 2,
+"Dashboard": [
+{
+"Id": "LineChartCalloutStackedBuilderBlade",
+"Type": "Blade",
+"Version": 0,
+"Configuration": {
+"General": {
+"title": "Violations",
+"newGroup": false
+},
+"charts": [
+{
+"Header": {
+"Title": "ASM Violations over time",
+"Subtitle": ""
+},
+"LineChart": {
+"Query": "F5Telemetry_ASM_CL | where isnotempty(attack_type_s)",
+"yAxis": {
+"isLogarithmic": false,
+"units": {
+"baseUnitType": "",
+"baseUnit": "",
+"displayUnit": ""
+},
+"customLabel": ""
+},
+"NavigationSelect": {}
+}
+},
+{
+"Header": {
+"Title": "Requests over time",
+"Subtitle": ""
+},
+"LineChart": {
+"Query": "F5Telemetry_LTM_CL | where event_source_s == \"request_logging\"",
+"yAxis": {
+"isLogarithmic": false,
+"units": {
+"baseUnitType": "",
+"baseUnit": "",
+"displayUnit": ""
+},
+"customLabel": ""
+},
+"NavigationSelect": {}
+}
+},
+{
+"Header": {
+"Title": "Empty",
+"Subtitle": ""
+},
+"LineChart": {
+"Query": "",
+"yAxis": {
+"isLogarithmic": false,
+"units": {
+"baseUnitType": "",
+"baseUnit": "",
+"displayUnit": ""
+},
+"customLabel": ""
+},
+"NavigationSelect": {}
+}
+}
+]
+}
+},
+{
+"Id": "NumberTileListBuilderBlade",
+"Type": "Blade",
+"Version": 0,
+"Configuration": {
+"General": {
+"title": "Source IP's triggering violations",
+"newGroup": false,
+"icon": "",
+"useIcon": false
+},
+"Tile": {
+"Query": "F5Telemetry_ASM_CL | where isnotempty(attack_type_s) | summarize AggregatedValue = count() by ip_client_s | count",
+"Legend": "Count of Unique Source IP's",
+"NavigationSelect": {}
+},
+"List": {
+"Query": "F5Telemetry_ASM_CL | where isnotempty(attack_type_s) | summarize AggregatedValue = count() by ip_client_s | sort by AggregatedValue desc",
+"HideGraph": false,
+"enableSparklines": false,
+"operation": "Summary",
+"ColumnsTitle": {
+"Name": "IP",
+"Value": "Count"
+},
+"Color": "#0072c6",
+"thresholds": {
+"isEnabled": false,
+"values": [
+{
+"name": "Normal",
+"threshold": "Default",
+"color": "#009e49",
+"isDefault": true
+},
+{
+"name": "Warning",
+"threshold": "60",
+"color": "#fcd116",
+"isDefault": false
+},
+{
+"name": "Error",
+"threshold": "90",
+"color": "#ba141a",
+"isDefault": false
+}
+]
+},
+"NameDSVSeparator": "",
+"NavigationQuery": "search {selected item} | sort by TimeGenerated desc",
+"NavigationSelect": {
+"NavigationQuery": "search {selected item} | sort by TimeGenerated desc"
+}
+}
+}
+},
+{
+"Id": "NumberTileListBuilderBlade",
+"Type": "Blade",
+"Version": 0,
+"Configuration": {
+"General": {
+"title": "Attack Types",
+"newGroup": false,
+"icon": "",
+"useIcon": false
+},
+"Tile": {
+"Query": "F5Telemetry_ASM_CL | where isnotempty(attack_type_s) | summarize AggregatedValue = count() by attack_type_s | count",
+"Legend": "Count of attack types",
+"NavigationSelect": {}
+},
+"List": {
+"Query": "F5Telemetry_ASM_CL | where isnotempty(attack_type_s) | summarize AggregatedValue = count() by attack_type_s | sort by AggregatedValue desc",
+"HideGraph": false,
+"enableSparklines": false,
+"operation": "Summary",
+"ColumnsTitle": {
+"Name": "Computer",
+"Value": "Count"
+},
+"Color": "#0072c6",
+"thresholds": {
+"isEnabled": false,
+"values": [
+{
+"name": "Normal",
+"threshold": "Default",
+"color": "#009e49",
+"isDefault": true
+},
+{
+"name": "Warning",
+"threshold": "60",
+"color": "#fcd116",
+"isDefault": false
+},
+{
+"name": "Error",
+"threshold": "90",
+"color": "#ba141a",
+"isDefault": false
+}
+]
+},
+"NameDSVSeparator": "",
+"NavigationQuery": "search {selected item} | sort by TimeGenerated desc",
+"NavigationSelect": {
+"NavigationQuery": "search {selected item} | sort by TimeGenerated desc"
+}
+}
+}
+},
+{
+"Id": "LineChartCalloutStackedBuilderBlade",
+"Type": "Blade",
+"Version": 0,
+"Configuration": {
+"General": {
+"title": "Device Info",
+"newGroup": false
+},
+"charts": [
+{
+"Header": {
+"Title": "CPU",
+"Subtitle": ""
+},
+"LineChart": {
+"Query": "F5Telemetry_system_CL | summarize AggregatedValue = avg(cpu_d) by hostname_s | sort by AggregatedValue desc",
+"yAxis": {
+"isLogarithmic": false,
+"units": {
+"baseUnitType": "",
+"baseUnit": "",
+"displayUnit": ""
+},
+"customLabel": ""
+},
+"NavigationSelect": {}
+}
+},
+{
+"Header": {
+"Title": "Memory",
+"Subtitle": ""
+},
+"LineChart": {
+"Query": "F5Telemetry_system_CL | summarize AggregatedValue = avg(memory_d) by hostname_s | sort by AggregatedValue desc",
+"yAxis": {
+"isLogarithmic": false,
+"units": {
+"baseUnitType": "",
+"baseUnit": "",
+"displayUnit": ""
+},
+"customLabel": ""
+},
+"NavigationSelect": {}
+}
+},
+{
+"Header": {
+"Title": "TMM Memory",
+"Subtitle": ""
+},
+"LineChart": {
+"Query": "F5Telemetry_system_CL | summarize AggregatedValue = avg(tmmMemory_d) by hostname_s | sort by AggregatedValue desc",
+"yAxis": {
+"isLogarithmic": false,
+"units": {
+"baseUnitType": "",
+"baseUnit": "",
+"displayUnit": ""
+},
+"customLabel": ""
+},
+"NavigationSelect": {}
+}
+}
+]
+}
+}
+],
+"Filters": [],
+"OverviewTile": {
+"Id": "SingleNumberBuilderTile",
+"Type": "OverviewTile",
+"Version": 2,
+"Configuration": {
+"Tile": {
+"Legend": "Count",
+"Query": "F5Telemetry_system_CL | summarize dcount(hostname_s) "
+},
+"Advanced": {
+"DataFlowVerification": {
+"Enabled": false,
+"Query": "search * | limit 1 | project TimeGenerated",
+"Message": ""
+}
+}
+}
+}
+}
+}
+]
+}
+]
+}
diff --git a/templates/ts.json b/templates/ts.json
new file mode 100644
index 0000000..8ce0726
--- /dev/null
+++ b/templates/ts.json
@@ -0,0 +1,23 @@
+{
+ "class": "Telemetry",
+ "My_System": {
+ "class": "Telemetry_System",
+ "systemPoller": {
+ "interval": 60
+ }
+ },
+ "My_Listener": {
+ "class": "Telemetry_Listener",
+ "port": 6514
+ },
+ "My_Consumer": {
+ "class": "Telemetry_Consumer",
+ "type": "Azure_Log_Analytics",
+ "workspaceId": "${law_id}",
+ "passphrase": {
+ "cipherText": "${law_primkey}"
+ },
+ "useManagedIdentity": false,
+ "region": "${region}"
+ }
+ }
diff --git a/terraform.tfstate b/terraform.tfstate
new file mode 100644
index 0000000..80abb49
--- /dev/null
+++ b/terraform.tfstate
@@ -0,0 +1,8 @@
+{
+ "version": 4,
+ "terraform_version": "0.13.4",
+ "serial": 8085,
+ "lineage": "b59086b0-52c3-273e-6b73-c05f0f7a5251",
+ "outputs": {},
+ "resources": []
+}
diff --git a/terraform.tfstate.backup b/terraform.tfstate.backup
new file mode 100644
index 0000000..afb3ef2
--- /dev/null
+++ b/terraform.tfstate.backup
@@ -0,0 +1,3128 @@
+{
+ "version": 4,
+ "terraform_version": "0.13.4",
+ "serial": 8008,
+ "lineage": "b59086b0-52c3-273e-6b73-c05f0f7a5251",
+ "outputs": {
+ "DemoApplication_443": {
+ "value": "https://20.140.184.5",
+ "type": "string"
+ },
+ "rSyslogdHttp_8080": {
+ "value": "http://20.140.184.5:8080",
+ "type": "string"
+ },
+ "tier_one": {
+ "value": {
+ "f5vm01_ext_private_ip": "10.90.1.4",
+ "f5vm01_mgmt_private_ip": "10.90.0.4",
+ "f5vm01_mgmt_public_ip": "https://none",
+ "f5vm02_ext_private_ip": "10.90.1.5",
+ "f5vm02_mgmt_private_ip": "10.90.0.5",
+ "f5vm02_mgmt_public_ip": "https://none"
+ },
+ "type": [
+ "map",
+ "string"
+ ]
+ },
+ "tier_three": {
+ "value": {
+ "none": "none"
+ },
+ "type": [
+ "map",
+ "string"
+ ]
+ }
+ },
+ "resources": [
+ {
+ "mode": "managed",
+ "type": "azurerm_availability_set",
+ "name": "avset",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/availabilitySets/bedfe9a3-avset",
+ "location": "usgovvirginia",
+ "managed": true,
+ "name": "bedfe9a3-avset",
+ "platform_fault_domain_count": 2,
+ "platform_update_domain_count": 2,
+ "proximity_placement_group_id": null,
+ "resource_group_name": "bedfe9a3_rg",
+ "tags": null,
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_lb",
+ "name": "lb",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "frontend_ip_configuration": [
+ {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/frontendIPConfigurations/Public-LoadBalancerFrontEnd",
+ "inbound_nat_rules": [],
+ "load_balancer_rules": [],
+ "name": "Public-LoadBalancerFrontEnd",
+ "outbound_rules": [],
+ "private_ip_address": "",
+ "private_ip_address_allocation": "Dynamic",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/publicIPAddresses/bedfe9a3-lb-pip",
+ "public_ip_prefix_id": "",
+ "subnet_id": "",
+ "zones": null
+ }
+ ],
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb",
+ "location": "usgovvirginia",
+ "name": "bedfe9a3-alb",
+ "private_ip_address": "",
+ "private_ip_addresses": [],
+ "resource_group_name": "bedfe9a3_rg",
+ "sku": "Standard",
+ "tags": null,
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_lb_backend_address_pool",
+ "name": "backend_pool",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_ip_configurations": [],
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/IngressBackendPool",
+ "load_balancing_rules": [],
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb",
+ "name": "IngressBackendPool",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_lb_backend_address_pool",
+ "name": "management_pool",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_ip_configurations": [],
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/EgressManagementPool",
+ "load_balancing_rules": [],
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb",
+ "name": "EgressManagementPool",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_lb_backend_address_pool",
+ "name": "primary_pool",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_ip_configurations": [],
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/EgressPrimaryPool",
+ "load_balancing_rules": [],
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb",
+ "name": "EgressPrimaryPool",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_lb_outbound_rule",
+ "name": "egress_rule",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "allocated_outbound_ports": 9136,
+ "backend_address_pool_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/EgressPrimaryPool",
+ "enable_tcp_reset": true,
+ "frontend_ip_configuration": [
+ {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/frontendIPConfigurations/Public-LoadBalancerFrontEnd",
+ "name": "Public-LoadBalancerFrontEnd"
+ }
+ ],
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/outboundRules/egress_rule",
+ "idle_timeout_in_minutes": 4,
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb",
+ "name": "egress_rule",
+ "protocol": "All",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_lb_backend_address_pool.primary_pool",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_lb_probe",
+ "name": "http_probe",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/probes/8080Probe",
+ "interval_in_seconds": 5,
+ "load_balancer_rules": [],
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb",
+ "name": "8080Probe",
+ "number_of_probes": 2,
+ "port": 8080,
+ "protocol": "Tcp",
+ "request_path": "",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_lb_probe",
+ "name": "https_probe",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/probes/443Probe",
+ "interval_in_seconds": 5,
+ "load_balancer_rules": [],
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb",
+ "name": "443Probe",
+ "number_of_probes": 2,
+ "port": 443,
+ "protocol": "Tcp",
+ "request_path": "",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_lb_probe",
+ "name": "rdp_probe",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/probes/rdpProbe",
+ "interval_in_seconds": 5,
+ "load_balancer_rules": [],
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb",
+ "name": "rdpProbe",
+ "number_of_probes": 2,
+ "port": 3389,
+ "protocol": "Tcp",
+ "request_path": "",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_lb_probe",
+ "name": "ssh_probe",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/probes/sshProbe",
+ "interval_in_seconds": 5,
+ "load_balancer_rules": [],
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb",
+ "name": "sshProbe",
+ "number_of_probes": 2,
+ "port": 22,
+ "protocol": "Tcp",
+ "request_path": "",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_lb_rule",
+ "name": "http_rule",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_address_pool_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/IngressBackendPool",
+ "backend_port": 8080,
+ "disable_outbound_snat": true,
+ "enable_floating_ip": false,
+ "enable_tcp_reset": false,
+ "frontend_ip_configuration_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/frontendIPConfigurations/Public-LoadBalancerFrontEnd",
+ "frontend_ip_configuration_name": "Public-LoadBalancerFrontEnd",
+ "frontend_port": 8080,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/loadBalancingRules/HTTPRule",
+ "idle_timeout_in_minutes": 5,
+ "load_distribution": "Default",
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb",
+ "name": "HTTPRule",
+ "probe_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/probes/8080Probe",
+ "protocol": "Tcp",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_lb_backend_address_pool.backend_pool",
+ "azurerm_lb_probe.http_probe",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_lb_rule",
+ "name": "https_rule",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_address_pool_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/IngressBackendPool",
+ "backend_port": 443,
+ "disable_outbound_snat": true,
+ "enable_floating_ip": false,
+ "enable_tcp_reset": false,
+ "frontend_ip_configuration_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/frontendIPConfigurations/Public-LoadBalancerFrontEnd",
+ "frontend_ip_configuration_name": "Public-LoadBalancerFrontEnd",
+ "frontend_port": 443,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/loadBalancingRules/HTTPS_Rule",
+ "idle_timeout_in_minutes": 5,
+ "load_distribution": "Default",
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb",
+ "name": "HTTPS_Rule",
+ "probe_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/probes/443Probe",
+ "protocol": "Tcp",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_lb_backend_address_pool.backend_pool",
+ "azurerm_lb_probe.https_probe",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_lb_rule",
+ "name": "rdp_rule",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_address_pool_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/IngressBackendPool",
+ "backend_port": 3389,
+ "disable_outbound_snat": true,
+ "enable_floating_ip": false,
+ "enable_tcp_reset": false,
+ "frontend_ip_configuration_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/frontendIPConfigurations/Public-LoadBalancerFrontEnd",
+ "frontend_ip_configuration_name": "Public-LoadBalancerFrontEnd",
+ "frontend_port": 3389,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/loadBalancingRules/RDP_Rule",
+ "idle_timeout_in_minutes": 5,
+ "load_distribution": "Default",
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb",
+ "name": "RDP_Rule",
+ "probe_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/probes/rdpProbe",
+ "protocol": "Tcp",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_lb_backend_address_pool.backend_pool",
+ "azurerm_lb_probe.rdp_probe",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_lb_rule",
+ "name": "ssh_rule",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_address_pool_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/IngressBackendPool",
+ "backend_port": 22,
+ "disable_outbound_snat": true,
+ "enable_floating_ip": false,
+ "enable_tcp_reset": false,
+ "frontend_ip_configuration_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/frontendIPConfigurations/Public-LoadBalancerFrontEnd",
+ "frontend_ip_configuration_name": "Public-LoadBalancerFrontEnd",
+ "frontend_port": 22,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/loadBalancingRules/SSH_Rule",
+ "idle_timeout_in_minutes": 5,
+ "load_distribution": "Default",
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb",
+ "name": "SSH_Rule",
+ "probe_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/probes/sshProbe",
+ "protocol": "Tcp",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_lb_backend_address_pool.backend_pool",
+ "azurerm_lb_probe.ssh_probe",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_network_security_group",
+ "name": "main",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "location": "usgovvirginia",
+ "name": "bedfe9a3-nsg",
+ "resource_group_name": "bedfe9a3_rg",
+ "security_rule": [
+ {
+ "access": "Allow",
+ "description": "Allow HTTP access",
+ "destination_address_prefix": "*",
+ "destination_address_prefixes": [],
+ "destination_application_security_group_ids": [],
+ "destination_port_range": "8080",
+ "destination_port_ranges": [],
+ "direction": "Inbound",
+ "name": "allow_HTTP",
+ "priority": 110,
+ "protocol": "Tcp",
+ "source_address_prefix": "*",
+ "source_address_prefixes": [],
+ "source_application_security_group_ids": [],
+ "source_port_range": "*",
+ "source_port_ranges": []
+ },
+ {
+ "access": "Allow",
+ "description": "Allow HTTPS access",
+ "destination_address_prefix": "*",
+ "destination_address_prefixes": [],
+ "destination_application_security_group_ids": [],
+ "destination_port_range": "443",
+ "destination_port_ranges": [],
+ "direction": "Inbound",
+ "name": "allow_HTTPS",
+ "priority": 120,
+ "protocol": "Tcp",
+ "source_address_prefix": "*",
+ "source_address_prefixes": [],
+ "source_application_security_group_ids": [],
+ "source_port_range": "*",
+ "source_port_ranges": []
+ },
+ {
+ "access": "Allow",
+ "description": "Allow HTTPS access",
+ "destination_address_prefix": "*",
+ "destination_address_prefixes": [],
+ "destination_application_security_group_ids": [],
+ "destination_port_range": "8443",
+ "destination_port_ranges": [],
+ "direction": "Inbound",
+ "name": "allow_APP_HTTPS",
+ "priority": 140,
+ "protocol": "Tcp",
+ "source_address_prefix": "*",
+ "source_address_prefixes": [],
+ "source_application_security_group_ids": [],
+ "source_port_range": "*",
+ "source_port_ranges": []
+ },
+ {
+ "access": "Allow",
+ "description": "Allow RDP access",
+ "destination_address_prefix": "*",
+ "destination_address_prefixes": [],
+ "destination_application_security_group_ids": [],
+ "destination_port_range": "3389",
+ "destination_port_ranges": [],
+ "direction": "Inbound",
+ "name": "allow_RDP",
+ "priority": 130,
+ "protocol": "Tcp",
+ "source_address_prefix": "*",
+ "source_address_prefixes": [],
+ "source_application_security_group_ids": [],
+ "source_port_range": "*",
+ "source_port_ranges": []
+ },
+ {
+ "access": "Allow",
+ "description": "Allow SSH access",
+ "destination_address_prefix": "*",
+ "destination_address_prefixes": [],
+ "destination_application_security_group_ids": [],
+ "destination_port_range": "22",
+ "destination_port_ranges": [],
+ "direction": "Inbound",
+ "name": "allow_SSH",
+ "priority": 100,
+ "protocol": "Tcp",
+ "source_address_prefix": "*",
+ "source_address_prefixes": [],
+ "source_application_security_group_ids": [],
+ "source_port_range": "*",
+ "source_port_ranges": []
+ }
+ ],
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_public_ip",
+ "name": "lbpip",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "allocation_method": "Static",
+ "domain_name_label": "bedfe9a3lbpip",
+ "fqdn": "bedfe9a3lbpip.usgovvirginia.cloudapp.usgovcloudapi.net",
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/publicIPAddresses/bedfe9a3-lb-pip",
+ "idle_timeout_in_minutes": 4,
+ "ip_address": "20.140.184.5",
+ "ip_version": "IPv4",
+ "location": "usgovvirginia",
+ "name": "bedfe9a3-lb-pip",
+ "public_ip_prefix_id": null,
+ "resource_group_name": "bedfe9a3_rg",
+ "reverse_fqdn": "",
+ "sku": "Standard",
+ "tags": null,
+ "timeouts": null,
+ "zones": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_resource_group",
+ "name": "main",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg",
+ "location": "usgovvirginia",
+ "name": "bedfe9a3_rg",
+ "tags": null,
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo1NDAwMDAwMDAwMDAwLCJkZWxldGUiOjU0MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjo1NDAwMDAwMDAwMDAwfX0="
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_route",
+ "name": "vdms_default",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "address_prefix": "0.0.0.0/0",
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/routeTables/bedfe9a3_vdms_user_defined_route_table/routes/default",
+ "name": "default",
+ "next_hop_in_ip_address": "10.90.2.10",
+ "next_hop_type": "VirtualAppliance",
+ "resource_group_name": "bedfe9a3_rg",
+ "route_table_name": "bedfe9a3_vdms_user_defined_route_table",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_route_table.vdms_udr"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_route",
+ "name": "vdms_to_outbound",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "address_prefix": "10.90.2.0/24",
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/routeTables/bedfe9a3_vdms_user_defined_route_table/routes/vdms_default_route",
+ "name": "vdms_default_route",
+ "next_hop_in_ip_address": "10.90.2.10",
+ "next_hop_type": "VirtualAppliance",
+ "resource_group_name": "bedfe9a3_rg",
+ "route_table_name": "bedfe9a3_vdms_user_defined_route_table",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_route_table.vdms_udr"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_route_table",
+ "name": "vdms_udr",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "disable_bgp_route_propagation": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/routeTables/bedfe9a3_vdms_user_defined_route_table",
+ "location": "usgovvirginia",
+ "name": "bedfe9a3_vdms_user_defined_route_table",
+ "resource_group_name": "bedfe9a3_rg",
+ "route": [],
+ "subnets": [],
+ "tags": null,
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_subnet",
+ "name": "application",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "index_key": 0,
+ "schema_version": 0,
+ "attributes": {
+ "address_prefix": "10.90.10.0/24",
+ "address_prefixes": [
+ "10.90.10.0/24"
+ ],
+ "delegation": [],
+ "enforce_private_link_endpoint_network_policies": false,
+ "enforce_private_link_service_network_policies": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/application",
+ "name": "application",
+ "resource_group_name": "bedfe9a3_rg",
+ "service_endpoints": null,
+ "timeouts": null,
+ "virtual_network_name": "bedfe9a3-network"
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_subnet",
+ "name": "external",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "address_prefix": "10.90.1.0/24",
+ "address_prefixes": [
+ "10.90.1.0/24"
+ ],
+ "delegation": [],
+ "enforce_private_link_endpoint_network_policies": false,
+ "enforce_private_link_service_network_policies": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/external",
+ "name": "external",
+ "resource_group_name": "bedfe9a3_rg",
+ "service_endpoints": null,
+ "timeouts": null,
+ "virtual_network_name": "bedfe9a3-network"
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_subnet",
+ "name": "internal",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "address_prefix": "10.90.2.0/24",
+ "address_prefixes": [
+ "10.90.2.0/24"
+ ],
+ "delegation": [],
+ "enforce_private_link_endpoint_network_policies": false,
+ "enforce_private_link_service_network_policies": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/internal",
+ "name": "internal",
+ "resource_group_name": "bedfe9a3_rg",
+ "service_endpoints": null,
+ "timeouts": null,
+ "virtual_network_name": "bedfe9a3-network"
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_subnet",
+ "name": "mgmt",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "address_prefix": "10.90.0.0/24",
+ "address_prefixes": [
+ "10.90.0.0/24"
+ ],
+ "delegation": [],
+ "enforce_private_link_endpoint_network_policies": false,
+ "enforce_private_link_service_network_policies": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/mgmt",
+ "name": "mgmt",
+ "resource_group_name": "bedfe9a3_rg",
+ "service_endpoints": null,
+ "timeouts": null,
+ "virtual_network_name": "bedfe9a3-network"
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_subnet",
+ "name": "vdms",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "address_prefix": "10.90.3.0/24",
+ "address_prefixes": [
+ "10.90.3.0/24"
+ ],
+ "delegation": [],
+ "enforce_private_link_endpoint_network_policies": false,
+ "enforce_private_link_service_network_policies": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/vdms",
+ "name": "vdms",
+ "resource_group_name": "bedfe9a3_rg",
+ "service_endpoints": null,
+ "timeouts": null,
+ "virtual_network_name": "bedfe9a3-network"
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_subnet_route_table_association",
+ "name": "udr_associate",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/vdms",
+ "route_table_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/routeTables/bedfe9a3_vdms_user_defined_route_table",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/vdms",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_route_table.vdms_udr",
+ "azurerm_subnet.vdms",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "azurerm_virtual_network",
+ "name": "main",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "address_space": [
+ "10.90.0.0/16"
+ ],
+ "ddos_protection_plan": [],
+ "dns_servers": null,
+ "guid": "e7cb869d-6f93-40b6-8aa5-bd5c6f9ca9ee",
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network",
+ "location": "usgovvirginia",
+ "name": "bedfe9a3-network",
+ "resource_group_name": "bedfe9a3_rg",
+ "subnet": [],
+ "tags": null,
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.demo_app[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface",
+ "name": "app01-nic",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "applied_dns_servers": [],
+ "dns_servers": [],
+ "enable_accelerated_networking": false,
+ "enable_ip_forwarding": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-app01-nic",
+ "internal_dns_name_label": "",
+ "internal_domain_name_suffix": "twdmxz2tn41ebcvfxvog5hfj3g.ax.internal.usgovcloudapp.net",
+ "ip_configuration": [
+ {
+ "name": "primary",
+ "primary": true,
+ "private_ip_address": "10.90.10.101",
+ "private_ip_address_allocation": "Static",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/application"
+ }
+ ],
+ "location": "usgovvirginia",
+ "mac_address": "",
+ "name": "bedfe9a3-app01-nic",
+ "private_ip_address": "10.90.10.101",
+ "private_ip_addresses": [
+ "10.90.10.101"
+ ],
+ "resource_group_name": "bedfe9a3_rg",
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null,
+ "virtual_machine_id": ""
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.application",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.demo_app[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_security_group_association",
+ "name": "app-nsg",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-app01-nic|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-app01-nic",
+ "network_security_group_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_network_security_group.main",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.application",
+ "azurerm_virtual_network.main",
+ "module.demo_app.azurerm_network_interface.app01-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.demo_app[0]",
+ "mode": "managed",
+ "type": "azurerm_virtual_machine",
+ "name": "app01-vm",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "index_key": 0,
+ "schema_version": 0,
+ "attributes": {
+ "additional_capabilities": [],
+ "availability_set_id": null,
+ "boot_diagnostics": [],
+ "delete_data_disks_on_termination": false,
+ "delete_os_disk_on_termination": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/virtualMachines/bedfe9a3-app01-vm",
+ "identity": [],
+ "license_type": null,
+ "location": "usgovvirginia",
+ "name": "bedfe9a3-app01-vm",
+ "network_interface_ids": [
+ "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-app01-nic"
+ ],
+ "os_profile": [
+ {
+ "admin_password": "pleaseUseVault123!!",
+ "admin_username": "xadmin",
+ "computer_name": "app01",
+ "custom_data": "5c4229b4fe8436c0ebec9e6a52237c8db72212d3"
+ }
+ ],
+ "os_profile_linux_config": [
+ {
+ "disable_password_authentication": false,
+ "ssh_keys": []
+ }
+ ],
+ "os_profile_secrets": [],
+ "os_profile_windows_config": [],
+ "plan": [],
+ "primary_network_interface_id": null,
+ "proximity_placement_group_id": null,
+ "resource_group_name": "bedfe9a3_rg",
+ "storage_data_disk": [],
+ "storage_image_reference": [
+ {
+ "id": "",
+ "offer": "UbuntuServer",
+ "publisher": "Canonical",
+ "sku": "16.04.0-LTS",
+ "version": "latest"
+ }
+ ],
+ "storage_os_disk": [
+ {
+ "caching": "ReadWrite",
+ "create_option": "FromImage",
+ "disk_size_gb": 30,
+ "image_uri": "",
+ "managed_disk_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/disks/bedfe9a3-appOsDisk",
+ "managed_disk_type": "Premium_LRS",
+ "name": "bedfe9a3-appOsDisk",
+ "os_type": "Linux",
+ "vhd_uri": "",
+ "write_accelerator_enabled": false
+ }
+ ],
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null,
+ "vm_size": "Standard_DS3_v2",
+ "zones": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozNjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjozNjAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.application",
+ "azurerm_virtual_network.main",
+ "module.demo_app.azurerm_network_interface.app01-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "data",
+ "type": "http",
+ "name": "appservice",
+ "provider": "provider[\"registry.terraform.io/hashicorp/http\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "body": "{\n \"$schema\": \"https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json\",\n \"class\":\"AS3\",\n \"action\":\"deploy\",\n \"persist\":true,\n \"declaration\": { \n \"class\": \"ADC\",\n \"schemaVersion\": \"3.12.0\",\n \"id\": \"05faeb52-4c1b-9fa3-73be-ecd770a57df0\",\n \"label\": \"scca baseline\",\n \"remark\": \"scca baseline 3.12.0\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"Shared\": {\n \"class\": \"Application\",\n \"template\": \"shared\",\n \"fwLogDestinationSyslog\": {\n \"class\": \"Log_Destination\",\n \"type\": \"remote-syslog\",\n \"remoteHighSpeedLog\": {\n \"use\": \"fwLogDestinationHsl\"\n },\n \"format\": \"rfc5424\"\n },\n \"fwLogDestinationHsl\": {\n \"class\": \"Log_Destination\",\n \"type\": \"remote-high-speed-log\",\n \"protocol\": \"tcp\",\n \"pool\": {\n \"use\": \"hsl_pool\"\n }\n },\n \"hsl_pool\": {\n \"class\": \"Pool\",\n \"members\": [\n {\n \"serverAddresses\": [\n \"${log_destination}\"\n ],\n \"enable\": true,\n \"servicePort\": 514\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/udp\"\n }\n ]\n },\n \"fwLogPublisher\": {\n \"class\": \"Log_Publisher\",\n \"destinations\": [\n {\n \"use\": \"fwLogDestinationSyslog\"\n }\n ]\n },\n \"fwSecurityLogProfile\": {\n \"class\": \"Security_Log_Profile\",\n \"network\": {\n \"publisher\": {\n \"use\": \"fwLogPublisher\"\n },\n \"storageFormat\": {\n \"fields\": [\n \"action\",\n \"dest-ip\",\n \"dest-port\",\n \"src-ip\",\n \"src-port\"\n ]\n },\n \"logTranslationFields\": true,\n \"logTcpEvents\": true,\n \"logRuleMatchRejects\": true,\n \"logTcpErrors\": true,\n \"logIpErrors\": true,\n \"logRuleMatchDrops\": true,\n \"logRuleMatchAccepts\": true\n },\n \"application\": {\n \"facility\": \"local3\",\n \"storageFilter\": {\n \"requestType\": \"illegal-including-staged-signatures\",\n \"responseCodes\": [\n \"404\",\n \"201\"\n ],\n \"protocols\": [\n \"http\"\n ],\n \"httpMethods\": [\n \"PATCH\",\n \"DELETE\"\n ],\n \"requestContains\": {\n \"searchIn\": \"search-in-request\",\n \"value\": \"The new value\"\n },\n \"loginResults\": [\n \"login-result-unknown\"\n ]\n },\n \"storageFormat\": {\n \"fields\": [\n \"attack_type\",\n \"avr_id\",\n \"headers\",\n \"is_truncated\"\n ],\n \"delimiter\": \".\"\n },\n \"localStorage\": false,\n \"maxEntryLength\": \"10k\",\n \"protocol\": \"udp\",\n \"remoteStorage\": \"remote\",\n \"reportAnomaliesEnabled\": true,\n \"servers\": [\n {\n \"address\": \"${log_destination}\",\n \"port\": \"514\"\n }\n ]\n },\n \"dosApplication\": {\n \"remotePublisher\": {\n \"use\": \"fwLogPublisher\"\n }\n },\n \"dosNetwork\": {\n \"publisher\": {\n \"use\": \"fwLogPublisher\"\n }\n }\n },\n \"example_response\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"sccaBaselineWAFPolicy\":{\n \"class\": \"WAF_Policy\",\n \"url\": \"${baseline_waf_policy}\",\n \"ignoreChanges\": false,\n \"enforcementMode\": \"transparent\"\n },\n \"certificate_default\": {\n \"class\": \"Certificate\",\n \"certificate\": {\n \"bigip\": \"/Common/default.crt\"\n },\n \"privateKey\": {\n \"bigip\": \"/Common/default.key\"\n }\n },\n \"sccaBaselineClientSSL\": {\n \"certificates\": [\n {\n \"certificate\": \"certificate_default\"\n }\n ],\n \"ciphers\": \"HIGH\",\n \"class\": \"TLS_Server\"\n },\n \"sccaBaselineAFMRuleList\":{\n \"class\": \"Firewall_Rule_List\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n }\n ]\n },\n \"sccaBaselineAFMPolicy\": {\n \"class\": \"Firewall_Policy\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n },\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"deny_all\",\n \"protocol\": \"any\"\n }\n ]\n \n },\n \"sccaBaselineAFMPolicyHTTP\": {\n \"class\": \"Firewall_Policy\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n },\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"deny_all\",\n \"protocol\": \"any\"\n }\n ]\n \n }\n }\n },\n \"transit\": {\n \"class\": \"Tenant\",\n \"transit\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"transit_forward\": {\n \"class\": \"Service_Forwarding\",\n \"virtualAddresses\": [\n \"0.0.0.0/0\"\n ],\n \"profileL4\": {\n \"use\": \"route_friendly_fastl4\"\n },\n \"virtualPort\": 0,\n \"forwardingType\": \"ip\",\n \"layer4\": \"any\",\n \"snat\": \"auto\",\n \"translateServerAddress\": false,\n \"translateServerPort\": false,\n \"translateClientPort\": \"preserve-strict\"\n },\n \"route_friendly_fastl4\": {\n \"class\": \"L4_Profile\",\n \"idleTimeout\": 300,\n \"looseClose\": true,\n \"looseInitialization\": true,\n \"resetOnTimeout\": false\n },\n \"transit_health_irule\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"transit_health\": {\n \"class\": \"Service_HTTP\",\n \"layer4\": \"tcp\",\n \"iRules\": [\n \"transit_health_irule\"\n ],\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"${transitVipAddress}\",\n \"${transitVipAddress2}\"\n ],\n \"virtualPort\": 34568,\n \"snat\": \"none\"\n }\n }\n },\n \"mgmt\": {\n \"class\": \"Tenant\",\n \"admin\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"rdp_pool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 3389,\n \"serverAddresses\": [\n \"${rdp_pool_addresses}\"\n ]\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/tcp_half_open\"\n }\n ],\n \"class\": \"Pool\"\n },\n \"ssh_pool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 22,\n \"serverAddresses\": [\n \"${ssh_pool_addresses}\"\n ]\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/tcp_half_open\"\n }\n ],\n \"class\": \"Pool\"\n },\n \"mgmt_health_irule\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"mgmt_http\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"iRules\": [\n \"mgmt_health_irule\"\n ],\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"${mgmtVipAddress}\",\n \"${mgmtVipAddress2}\"\n ],\n \"virtualPort\": 80,\n \"snat\": \"none\"\n },\n \"mgmt_rdp\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"pool\": \"rdp_pool\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_TCP\",\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"${mgmtVipAddress}\",\n \"${mgmtVipAddress2}\"\n ],\n \"virtualPort\": 3389,\n \"snat\": \"auto\"\n },\n \"mgmt_ssh\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"pool\": \"ssh_pool\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_TCP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"${mgmtVipAddress}\",\n \"${mgmtVipAddress2}\"\n ],\n \"virtualPort\": 22,\n \"snat\": \"auto\"\n }\n }\n }, \n \"Example\": {\n \"class\": \"Tenant\",\n \"exampleApp\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"sccaBaselineExampleIPS\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": false,\n \"class\": \"Service_TCP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"${exampleVipSubnet}\"\n ],\n \"virtualPort\": 0,\n \"snat\": \"auto\",\n \"pool\": \"sccaBaselineIPSPool\"\n \n },\n \"sccaBaselineExampleHTTPS\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicyHTTP\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTPS\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"serverTLS\": \"/Common/Shared/sccaBaselineClientSSL\",\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"${exampleVipSubnet}\"\n ],\n \"virtualPort\": 443,\n \"snat\": \"auto\",\n \"policyWAF\": {\n \"use\": \"/Common/Shared/sccaBaselineWAFPolicy\"\n },\n \"pool\": \"sccaBaselineJuiceShop\"\n }, \n \"sccaBaselineExampleHTTP\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicyHTTP\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"${exampleVipSubnet}\"\n ],\n \"virtualPort\": 8080,\n \"snat\": \"auto\",\n \"policyWAF\": {\n \"use\": \"/Common/Shared/sccaBaselineWAFPolicy\"\n },\n \"pool\": \"sccaBaselinePimpMyLogs\"\n },\n \"sccaBaselineIPSPool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 443,\n \"serverAddresses\": [\n \"${ips_pool_addresses}\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineJuiceShop\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 3000,\n \"serverAddresses\": [\n \"${app_pool_addresses}\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n\n \"sccaBaselinePimpMyLogs\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 8080,\n \"serverAddresses\": [\n \"${log_destination}\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineDemoAppHttps\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/https\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\":443,\n \"serverAddresses\": [\n \"${app_pool_addresses}\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineDemoAppHttp\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\":80,\n \"serverAddresses\": [\n \"${app_pool_addresses}\"\n ]\n }\n ],\n \"class\": \"Pool\"\n }\n }\n }\n }\n}",
+ "id": "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/dist/terraform/latest/sccaSingleTier.json",
+ "request_headers": null,
+ "response_headers": {
+ "Accept-Ranges": "bytes",
+ "Access-Control-Allow-Origin": "*",
+ "Cache-Control": "max-age=300",
+ "Connection": "keep-alive",
+ "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
+ "Content-Type": "text/plain; charset=utf-8",
+ "Date": "Mon, 09 Nov 2020 13:44:37 GMT",
+ "Etag": "W/\"3fa9ca0d092de35e2d3734dcb718f319a35e7b5b6f2312425be0357957792713\"",
+ "Expires": "Mon, 09 Nov 2020 13:49:37 GMT",
+ "Source-Age": "16",
+ "Strict-Transport-Security": "max-age=31536000",
+ "Vary": "Authorization,Accept-Encoding",
+ "Via": "1.1 varnish (Varnish/6.0), 1.1 varnish",
+ "X-Cache": "MISS, HIT",
+ "X-Cache-Hits": "0, 1",
+ "X-Content-Type-Options": "nosniff",
+ "X-Fastly-Request-Id": "9491fc19a5239a2ad467bff71968b3bc9f1c517b",
+ "X-Frame-Options": "deny",
+ "X-Github-Request-Id": "7ADE:0B54:55328:650D1:5FA947B4",
+ "X-Served-By": "cache-dca17780-DCA",
+ "X-Timer": "S1604929478.723275,VS0,VE1",
+ "X-Xss-Protection": "1; mode=block"
+ },
+ "url": "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/dist/terraform/latest/sccaSingleTier.json"
+ }
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "data",
+ "type": "http",
+ "name": "onboard",
+ "provider": "provider[\"registry.terraform.io/hashicorp/http\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "body": "{\n \"schemaVersion\": \"1.9.0\",\n \"class\": \"Device\",\n \"async\": true,\n \"label\": \"Basic onboarding\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"hostname\": \"${local_host}.example.com\",\n \"dbvars\": {\n \t\"class\": \"DbVariables\",\n \t\"ui.advisory.enabled\": true,\n \t\"ui.advisory.color\": \"green\",\n \"ui.advisory.text\": \"//UNCLASSIFIED//\",\n \"ui.system.preferences.advancedselection\": \"advanced\",\n \"ui.system.preferences.recordsperscreen\": \"100\",\n \"ui.system.preferences.startscreen\": \"network_map\",\n \"ui.users.redirectsuperuserstoauthsummary\": \"true\",\n \"dns.cache\": \"enable\",\n \"config.allow.rfc3927\": \"enable\",\n \"big3d.minimum.tls.version\": \"TLSV1.2\",\n \"liveinstall.checksig\": \"enable\"\n },\n \"RemoteSyslog\": {\n \"class\": \"SyslogRemoteServer\",\n \"host\": \"${log_destination}\",\n \"localIp\": \"${log_localip}\",\n \"remotePort\": 514\n },\n \"system\":{\n \"class\": \"System\",\n \"autoCheck\": false,\n \"autoPhonehome\": false,\n \"cliInactivityTimeout\": 900,\n \"consoleInactivityTimeout\": 900,\n \"guiAuditLog\": true,\n \"mcpAuditLog\": \"enable\",\n \"tmshAuditLog\": true\n },\n \"httpd\": {\n \"class\": \"HTTPD\",\n \"maxClients\": \"10\",\n \"authPamIdleTimeout\": \"900\",\n \"sslCiphersuite\": [\"ECDHE-ECDSA-AES256-GCM-SHA384\", \"ECDHE-ECDSA-AES256-SHA384\", \"ECDHE-ECDSA-AES256-SHA\",\"ECDH-ECDSA-AES256-GCM-SHA384\", \"ECDH-ECDSA-AES256-SHA384\", \"ECDH-ECDSA-AES256-SHA\", \"AES256-GCM-SHA384\", \"AES256-SHA256\", \"AES256-SHA\", \"CAMELLIA256-SHA\", \"ECDHE-RSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-SHA256\", \"ECDHE-RSA-AES128-SHA\", \"ECDHE-ECDSA-AES128-SHA\", \"ECDH-ECDSA-AES128-GCM-SHA256\", \"ECDH-ECDSA-AES128-SHA256\", \"ECDH-ECDSA-AES128-SHA\", \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES128-SHA\", \"SEED-SHA\", \"CAMELLIA128-SHA\"],\n \"sslProtocol\": \"all -SSLv2 -SSLv3 -TLSv1\"\n },\n \"sshd\": {\n \"class\": \"SSHD\",\n \"banner\": \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\",\n \"inactivityTimeout\": 900,\n \"ciphers\": [\n \"aes128-ctr\",\n \"aes192-ctr\",\n \"aes256-ctr\"\n ],\n \"loginGraceTime\": 60,\n \"MACS\": [\n \"hmac-sha1\",\n \"hmac-ripemd160\"\n ],\n \"maxAuthTries\": 3,\n \"maxStartups\": \"5\",\n \"protocol\": 2\n },\n \"myDns\": {\n \"class\": \"DNS\",\n \"nameServers\": [\n \"${dns_server}\",\n \"2001:4860:4860::8844\"\n ],\n \"search\": [\n \"f5.com\"\n ]\n },\n \"myNtp\": {\n \"class\": \"NTP\",\n \"servers\": [\n \"${ntp_server}\",\n \"0.pool.ntp.org\",\n \"1.pool.ntp.org\"\n ],\n \"timezone\": \"${timezone}\"\n },\n \"myProvisioning\": {\n \"class\": \"Provision\",\n \"ltm\": \"nominal\",\n \"asm\": \"nominal\",\n \"afm\": \"nominal\"\n },\n \"external\": {\n \"class\": \"VLAN\",\n \"tag\": 4094,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.1\",\n \"tagged\": false\n }\n ]\n },\n \"internal\": {\n \"class\": \"VLAN\",\n \"tag\": 4093,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.2\",\n \"tagged\": false\n }\n ]\n },\n \"external-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"${external_selfip}\",\n \"vlan\": \"external\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internal-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"${internal_selfip}\",\n \"vlan\": \"internal\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internet\": {\n \"class\": \"Route\",\n \"gw\": \"${externalGateway}\",\n \"network\": \"default\",\n \"mtu\": 1500\n },\n \"vdms\": {\n \"class\": \"Route\",\n \"gw\": \"${internalGateway}\",\n \"network\": \"${vdmsSubnet}\",\n \"mtu\": 1500\n },\n \"vdss\": {\n \"class\": \"Route\",\n \"gw\": \"${internalGateway}\",\n \"network\": \"${vnetSubnet}\",\n \"mtu\": 1500\n },\n \"configsync\": {\n \"class\": \"ConfigSync\",\n \"configsyncIp\": \"/Common/external-self/address\"\n },\n \"failoverAddress\": {\n \"class\": \"FailoverUnicast\",\n \"address\": \"/Common/external-self/address\"\n },\n \"failoverGroup\": {\n \"class\": \"DeviceGroup\",\n \"type\": \"sync-failover\",\n \"members\": [\n \"${host1}.example.com\",\n \"${host2}.example.com\"\n ],\n \"owner\": \"/Common/failoverGroup/members/0\",\n \"autoSync\": true,\n \"saveOnAutoSync\": false,\n \"networkFailover\": true,\n \"fullLoadOnSync\": false,\n \"asmSync\": true\n },\n \"trust\": {\n \"class\": \"DeviceTrust\",\n \"localUsername\": \"${admin_user}\",\n \"localPassword\": \"${admin_password}\",\n \"remoteHost\": \"${remote_selfip}\",\n \"remoteUsername\": \"${admin_user}\",\n \"remotePassword\": \"${admin_password}\"\n }\n }\n}",
+ "id": "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-DO/master/dist/terraform/latest/payg_cluster.json",
+ "request_headers": null,
+ "response_headers": {
+ "Accept-Ranges": "bytes",
+ "Access-Control-Allow-Origin": "*",
+ "Cache-Control": "max-age=300",
+ "Connection": "keep-alive",
+ "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
+ "Content-Type": "text/plain; charset=utf-8",
+ "Date": "Mon, 09 Nov 2020 13:44:37 GMT",
+ "Etag": "W/\"7a7e75a770810d989b541a2739dcdbd1ca470ca603aa70de3ad11215626986db\"",
+ "Expires": "Mon, 09 Nov 2020 13:49:37 GMT",
+ "Source-Age": "16",
+ "Strict-Transport-Security": "max-age=31536000",
+ "Vary": "Authorization,Accept-Encoding",
+ "Via": "1.1 varnish (Varnish/6.0), 1.1 varnish",
+ "X-Cache": "MISS, HIT",
+ "X-Cache-Hits": "0, 1",
+ "X-Content-Type-Options": "nosniff",
+ "X-Fastly-Request-Id": "5ca1d9d3a7232849fc8ace59c38bcb706fcf2062",
+ "X-Frame-Options": "deny",
+ "X-Github-Request-Id": "C50A:60F8:1035A29:12C67C4:5FA9479E",
+ "X-Served-By": "cache-dca17763-DCA",
+ "X-Timer": "S1604929478.725333,VS0,VE1",
+ "X-Xss-Protection": "1; mode=block"
+ },
+ "url": "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-DO/master/dist/terraform/latest/payg_cluster.json"
+ }
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "data",
+ "type": "template_file",
+ "name": "as3_json",
+ "provider": "provider[\"registry.terraform.io/hashicorp/template\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "filename": null,
+ "id": "aa05b5e068ffd2858cd8c9e8707768e9873c05d47b42bb924f3955a64f09e85a",
+ "rendered": "{\n \"$schema\": \"https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json\",\n \"class\":\"AS3\",\n \"action\":\"deploy\",\n \"persist\":true,\n \"declaration\": { \n \"class\": \"ADC\",\n \"schemaVersion\": \"3.12.0\",\n \"id\": \"05faeb52-4c1b-9fa3-73be-ecd770a57df0\",\n \"label\": \"scca baseline\",\n \"remark\": \"scca baseline 3.12.0\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"Shared\": {\n \"class\": \"Application\",\n \"template\": \"shared\",\n \"fwLogDestinationSyslog\": {\n \"class\": \"Log_Destination\",\n \"type\": \"remote-syslog\",\n \"remoteHighSpeedLog\": {\n \"use\": \"fwLogDestinationHsl\"\n },\n \"format\": \"rfc5424\"\n },\n \"fwLogDestinationHsl\": {\n \"class\": \"Log_Destination\",\n \"type\": \"remote-high-speed-log\",\n \"protocol\": \"tcp\",\n \"pool\": {\n \"use\": \"hsl_pool\"\n }\n },\n \"hsl_pool\": {\n \"class\": \"Pool\",\n \"members\": [\n {\n \"serverAddresses\": [\n \"10.90.10.101\"\n ],\n \"enable\": true,\n \"servicePort\": 514\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/udp\"\n }\n ]\n },\n \"fwLogPublisher\": {\n \"class\": \"Log_Publisher\",\n \"destinations\": [\n {\n \"use\": \"fwLogDestinationSyslog\"\n }\n ]\n },\n \"fwSecurityLogProfile\": {\n \"class\": \"Security_Log_Profile\",\n \"network\": {\n \"publisher\": {\n \"use\": \"fwLogPublisher\"\n },\n \"storageFormat\": {\n \"fields\": [\n \"action\",\n \"dest-ip\",\n \"dest-port\",\n \"src-ip\",\n \"src-port\"\n ]\n },\n \"logTranslationFields\": true,\n \"logTcpEvents\": true,\n \"logRuleMatchRejects\": true,\n \"logTcpErrors\": true,\n \"logIpErrors\": true,\n \"logRuleMatchDrops\": true,\n \"logRuleMatchAccepts\": true\n },\n \"application\": {\n \"facility\": \"local3\",\n \"storageFilter\": {\n \"requestType\": \"illegal-including-staged-signatures\",\n \"responseCodes\": [\n \"404\",\n \"201\"\n ],\n \"protocols\": [\n \"http\"\n ],\n \"httpMethods\": [\n \"PATCH\",\n \"DELETE\"\n ],\n \"requestContains\": {\n \"searchIn\": \"search-in-request\",\n \"value\": \"The new value\"\n },\n \"loginResults\": [\n \"login-result-unknown\"\n ]\n },\n \"storageFormat\": {\n \"fields\": [\n \"attack_type\",\n \"avr_id\",\n \"headers\",\n \"is_truncated\"\n ],\n \"delimiter\": \".\"\n },\n \"localStorage\": false,\n \"maxEntryLength\": \"10k\",\n \"protocol\": \"udp\",\n \"remoteStorage\": \"remote\",\n \"reportAnomaliesEnabled\": true,\n \"servers\": [\n {\n \"address\": \"10.90.10.101\",\n \"port\": \"514\"\n }\n ]\n },\n \"dosApplication\": {\n \"remotePublisher\": {\n \"use\": \"fwLogPublisher\"\n }\n },\n \"dosNetwork\": {\n \"publisher\": {\n \"use\": \"fwLogPublisher\"\n }\n }\n },\n \"example_response\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"sccaBaselineWAFPolicy\":{\n \"class\": \"WAF_Policy\",\n \"url\": \"https://raw.githubusercontent.com/f5devcentral/f5-asm-policy-templates/master/owasp_ready_template/owasp-auto-tune-v1.1.xml\",\n \"ignoreChanges\": false,\n \"enforcementMode\": \"transparent\"\n },\n \"certificate_default\": {\n \"class\": \"Certificate\",\n \"certificate\": {\n \"bigip\": \"/Common/default.crt\"\n },\n \"privateKey\": {\n \"bigip\": \"/Common/default.key\"\n }\n },\n \"sccaBaselineClientSSL\": {\n \"certificates\": [\n {\n \"certificate\": \"certificate_default\"\n }\n ],\n \"ciphers\": \"HIGH\",\n \"class\": \"TLS_Server\"\n },\n \"sccaBaselineAFMRuleList\":{\n \"class\": \"Firewall_Rule_List\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n }\n ]\n },\n \"sccaBaselineAFMPolicy\": {\n \"class\": \"Firewall_Policy\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n },\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"deny_all\",\n \"protocol\": \"any\"\n }\n ]\n \n },\n \"sccaBaselineAFMPolicyHTTP\": {\n \"class\": \"Firewall_Policy\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n },\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"deny_all\",\n \"protocol\": \"any\"\n }\n ]\n \n }\n }\n },\n \"transit\": {\n \"class\": \"Tenant\",\n \"transit\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"transit_forward\": {\n \"class\": \"Service_Forwarding\",\n \"virtualAddresses\": [\n \"0.0.0.0/0\"\n ],\n \"profileL4\": {\n \"use\": \"route_friendly_fastl4\"\n },\n \"virtualPort\": 0,\n \"forwardingType\": \"ip\",\n \"layer4\": \"any\",\n \"snat\": \"auto\",\n \"translateServerAddress\": false,\n \"translateServerPort\": false,\n \"translateClientPort\": \"preserve-strict\"\n },\n \"route_friendly_fastl4\": {\n \"class\": \"L4_Profile\",\n \"idleTimeout\": 300,\n \"looseClose\": true,\n \"looseInitialization\": true,\n \"resetOnTimeout\": false\n },\n \"transit_health_irule\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"transit_health\": {\n \"class\": \"Service_HTTP\",\n \"layer4\": \"tcp\",\n \"iRules\": [\n \"transit_health_irule\"\n ],\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.2.11\",\n \"10.90.2.12\"\n ],\n \"virtualPort\": 34568,\n \"snat\": \"none\"\n }\n }\n },\n \"mgmt\": {\n \"class\": \"Tenant\",\n \"admin\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"rdp_pool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 3389,\n \"serverAddresses\": [\n \"10.90.3.98\"\n ]\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/tcp_half_open\"\n }\n ],\n \"class\": \"Pool\"\n },\n \"ssh_pool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 22,\n \"serverAddresses\": [\n \"10.90.3.99\"\n ]\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/tcp_half_open\"\n }\n ],\n \"class\": \"Pool\"\n },\n \"mgmt_health_irule\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"mgmt_http\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"iRules\": [\n \"mgmt_health_irule\"\n ],\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 80,\n \"snat\": \"none\"\n },\n \"mgmt_rdp\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"pool\": \"rdp_pool\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_TCP\",\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 3389,\n \"snat\": \"auto\"\n },\n \"mgmt_ssh\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"pool\": \"ssh_pool\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_TCP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 22,\n \"snat\": \"auto\"\n }\n }\n }, \n \"Example\": {\n \"class\": \"Tenant\",\n \"exampleApp\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"sccaBaselineExampleIPS\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": false,\n \"class\": \"Service_TCP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 0,\n \"snat\": \"auto\",\n \"pool\": \"sccaBaselineIPSPool\"\n \n },\n \"sccaBaselineExampleHTTPS\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicyHTTP\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTPS\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"serverTLS\": \"/Common/Shared/sccaBaselineClientSSL\",\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 443,\n \"snat\": \"auto\",\n \"policyWAF\": {\n \"use\": \"/Common/Shared/sccaBaselineWAFPolicy\"\n },\n \"pool\": \"sccaBaselineJuiceShop\"\n }, \n \"sccaBaselineExampleHTTP\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicyHTTP\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 8080,\n \"snat\": \"auto\",\n \"policyWAF\": {\n \"use\": \"/Common/Shared/sccaBaselineWAFPolicy\"\n },\n \"pool\": \"sccaBaselinePimpMyLogs\"\n },\n \"sccaBaselineIPSPool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 443,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineJuiceShop\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 3000,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n\n \"sccaBaselinePimpMyLogs\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 8080,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineDemoAppHttps\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/https\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\":443,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineDemoAppHttp\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\":80,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n }\n }\n }\n }\n}",
+ "template": "{\n \"$schema\": \"https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json\",\n \"class\":\"AS3\",\n \"action\":\"deploy\",\n \"persist\":true,\n \"declaration\": { \n \"class\": \"ADC\",\n \"schemaVersion\": \"3.12.0\",\n \"id\": \"05faeb52-4c1b-9fa3-73be-ecd770a57df0\",\n \"label\": \"scca baseline\",\n \"remark\": \"scca baseline 3.12.0\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"Shared\": {\n \"class\": \"Application\",\n \"template\": \"shared\",\n \"fwLogDestinationSyslog\": {\n \"class\": \"Log_Destination\",\n \"type\": \"remote-syslog\",\n \"remoteHighSpeedLog\": {\n \"use\": \"fwLogDestinationHsl\"\n },\n \"format\": \"rfc5424\"\n },\n \"fwLogDestinationHsl\": {\n \"class\": \"Log_Destination\",\n \"type\": \"remote-high-speed-log\",\n \"protocol\": \"tcp\",\n \"pool\": {\n \"use\": \"hsl_pool\"\n }\n },\n \"hsl_pool\": {\n \"class\": \"Pool\",\n \"members\": [\n {\n \"serverAddresses\": [\n \"${log_destination}\"\n ],\n \"enable\": true,\n \"servicePort\": 514\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/udp\"\n }\n ]\n },\n \"fwLogPublisher\": {\n \"class\": \"Log_Publisher\",\n \"destinations\": [\n {\n \"use\": \"fwLogDestinationSyslog\"\n }\n ]\n },\n \"fwSecurityLogProfile\": {\n \"class\": \"Security_Log_Profile\",\n \"network\": {\n \"publisher\": {\n \"use\": \"fwLogPublisher\"\n },\n \"storageFormat\": {\n \"fields\": [\n \"action\",\n \"dest-ip\",\n \"dest-port\",\n \"src-ip\",\n \"src-port\"\n ]\n },\n \"logTranslationFields\": true,\n \"logTcpEvents\": true,\n \"logRuleMatchRejects\": true,\n \"logTcpErrors\": true,\n \"logIpErrors\": true,\n \"logRuleMatchDrops\": true,\n \"logRuleMatchAccepts\": true\n },\n \"application\": {\n \"facility\": \"local3\",\n \"storageFilter\": {\n \"requestType\": \"illegal-including-staged-signatures\",\n \"responseCodes\": [\n \"404\",\n \"201\"\n ],\n \"protocols\": [\n \"http\"\n ],\n \"httpMethods\": [\n \"PATCH\",\n \"DELETE\"\n ],\n \"requestContains\": {\n \"searchIn\": \"search-in-request\",\n \"value\": \"The new value\"\n },\n \"loginResults\": [\n \"login-result-unknown\"\n ]\n },\n \"storageFormat\": {\n \"fields\": [\n \"attack_type\",\n \"avr_id\",\n \"headers\",\n \"is_truncated\"\n ],\n \"delimiter\": \".\"\n },\n \"localStorage\": false,\n \"maxEntryLength\": \"10k\",\n \"protocol\": \"udp\",\n \"remoteStorage\": \"remote\",\n \"reportAnomaliesEnabled\": true,\n \"servers\": [\n {\n \"address\": \"${log_destination}\",\n \"port\": \"514\"\n }\n ]\n },\n \"dosApplication\": {\n \"remotePublisher\": {\n \"use\": \"fwLogPublisher\"\n }\n },\n \"dosNetwork\": {\n \"publisher\": {\n \"use\": \"fwLogPublisher\"\n }\n }\n },\n \"example_response\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"sccaBaselineWAFPolicy\":{\n \"class\": \"WAF_Policy\",\n \"url\": \"${baseline_waf_policy}\",\n \"ignoreChanges\": false,\n \"enforcementMode\": \"transparent\"\n },\n \"certificate_default\": {\n \"class\": \"Certificate\",\n \"certificate\": {\n \"bigip\": \"/Common/default.crt\"\n },\n \"privateKey\": {\n \"bigip\": \"/Common/default.key\"\n }\n },\n \"sccaBaselineClientSSL\": {\n \"certificates\": [\n {\n \"certificate\": \"certificate_default\"\n }\n ],\n \"ciphers\": \"HIGH\",\n \"class\": \"TLS_Server\"\n },\n \"sccaBaselineAFMRuleList\":{\n \"class\": \"Firewall_Rule_List\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n }\n ]\n },\n \"sccaBaselineAFMPolicy\": {\n \"class\": \"Firewall_Policy\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n },\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"deny_all\",\n \"protocol\": \"any\"\n }\n ]\n \n },\n \"sccaBaselineAFMPolicyHTTP\": {\n \"class\": \"Firewall_Policy\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n },\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"deny_all\",\n \"protocol\": \"any\"\n }\n ]\n \n }\n }\n },\n \"transit\": {\n \"class\": \"Tenant\",\n \"transit\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"transit_forward\": {\n \"class\": \"Service_Forwarding\",\n \"virtualAddresses\": [\n \"0.0.0.0/0\"\n ],\n \"profileL4\": {\n \"use\": \"route_friendly_fastl4\"\n },\n \"virtualPort\": 0,\n \"forwardingType\": \"ip\",\n \"layer4\": \"any\",\n \"snat\": \"auto\",\n \"translateServerAddress\": false,\n \"translateServerPort\": false,\n \"translateClientPort\": \"preserve-strict\"\n },\n \"route_friendly_fastl4\": {\n \"class\": \"L4_Profile\",\n \"idleTimeout\": 300,\n \"looseClose\": true,\n \"looseInitialization\": true,\n \"resetOnTimeout\": false\n },\n \"transit_health_irule\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"transit_health\": {\n \"class\": \"Service_HTTP\",\n \"layer4\": \"tcp\",\n \"iRules\": [\n \"transit_health_irule\"\n ],\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"${transitVipAddress}\",\n \"${transitVipAddress2}\"\n ],\n \"virtualPort\": 34568,\n \"snat\": \"none\"\n }\n }\n },\n \"mgmt\": {\n \"class\": \"Tenant\",\n \"admin\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"rdp_pool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 3389,\n \"serverAddresses\": [\n \"${rdp_pool_addresses}\"\n ]\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/tcp_half_open\"\n }\n ],\n \"class\": \"Pool\"\n },\n \"ssh_pool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 22,\n \"serverAddresses\": [\n \"${ssh_pool_addresses}\"\n ]\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/tcp_half_open\"\n }\n ],\n \"class\": \"Pool\"\n },\n \"mgmt_health_irule\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"mgmt_http\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"iRules\": [\n \"mgmt_health_irule\"\n ],\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"${mgmtVipAddress}\",\n \"${mgmtVipAddress2}\"\n ],\n \"virtualPort\": 80,\n \"snat\": \"none\"\n },\n \"mgmt_rdp\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"pool\": \"rdp_pool\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_TCP\",\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"${mgmtVipAddress}\",\n \"${mgmtVipAddress2}\"\n ],\n \"virtualPort\": 3389,\n \"snat\": \"auto\"\n },\n \"mgmt_ssh\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"pool\": \"ssh_pool\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_TCP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"${mgmtVipAddress}\",\n \"${mgmtVipAddress2}\"\n ],\n \"virtualPort\": 22,\n \"snat\": \"auto\"\n }\n }\n }, \n \"Example\": {\n \"class\": \"Tenant\",\n \"exampleApp\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"sccaBaselineExampleIPS\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": false,\n \"class\": \"Service_TCP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"${exampleVipSubnet}\"\n ],\n \"virtualPort\": 0,\n \"snat\": \"auto\",\n \"pool\": \"sccaBaselineIPSPool\"\n \n },\n \"sccaBaselineExampleHTTPS\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicyHTTP\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTPS\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"serverTLS\": \"/Common/Shared/sccaBaselineClientSSL\",\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"${exampleVipSubnet}\"\n ],\n \"virtualPort\": 443,\n \"snat\": \"auto\",\n \"policyWAF\": {\n \"use\": \"/Common/Shared/sccaBaselineWAFPolicy\"\n },\n \"pool\": \"sccaBaselineJuiceShop\"\n }, \n \"sccaBaselineExampleHTTP\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicyHTTP\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"${exampleVipSubnet}\"\n ],\n \"virtualPort\": 8080,\n \"snat\": \"auto\",\n \"policyWAF\": {\n \"use\": \"/Common/Shared/sccaBaselineWAFPolicy\"\n },\n \"pool\": \"sccaBaselinePimpMyLogs\"\n },\n \"sccaBaselineIPSPool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 443,\n \"serverAddresses\": [\n \"${ips_pool_addresses}\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineJuiceShop\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 3000,\n \"serverAddresses\": [\n \"${app_pool_addresses}\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n\n \"sccaBaselinePimpMyLogs\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 8080,\n \"serverAddresses\": [\n \"${log_destination}\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineDemoAppHttps\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/https\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\":443,\n \"serverAddresses\": [\n \"${app_pool_addresses}\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineDemoAppHttp\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\":80,\n \"serverAddresses\": [\n \"${app_pool_addresses}\"\n ]\n }\n ],\n \"class\": \"Pool\"\n }\n }\n }\n }\n}",
+ "vars": {
+ "app_pool_addresses": "10.90.10.101",
+ "baseline_waf_policy": "https://raw.githubusercontent.com/f5devcentral/f5-asm-policy-templates/master/owasp_ready_template/owasp-auto-tune-v1.1.xml",
+ "exampleVipAddress": "10.90.1.4",
+ "exampleVipSubnet": "10.90.1.0/24",
+ "example_vs_address": "10.90.1.0/24",
+ "ips_pool_addresses": "10.90.10.101",
+ "log_destination": "10.90.10.101",
+ "mgmtVipAddress": "10.90.1.11",
+ "mgmtVipAddress2": "10.90.1.12",
+ "rdp_pool_addresses": "10.90.3.98",
+ "ssh_pool_addresses": "10.90.3.99",
+ "transitVipAddress": "10.90.2.11",
+ "transitVipAddress2": "10.90.2.12",
+ "uuid": "9b082a0e-1692-b7f2-fc4e-14af4581e178"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "data",
+ "type": "template_file",
+ "name": "vm01_do_json",
+ "provider": "provider[\"registry.terraform.io/hashicorp/template\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "filename": null,
+ "id": "e641e484e184c16eb27976937e6154e5d57488d97468658f86938aed3fe8edd0",
+ "rendered": "{\n \"schemaVersion\": \"1.9.0\",\n \"class\": \"Device\",\n \"async\": true,\n \"label\": \"Basic onboarding\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"hostname\": \"f5vm01.example.com\",\n \"dbvars\": {\n \t\"class\": \"DbVariables\",\n \t\"ui.advisory.enabled\": true,\n \t\"ui.advisory.color\": \"green\",\n \"ui.advisory.text\": \"//UNCLASSIFIED//\",\n \"ui.system.preferences.advancedselection\": \"advanced\",\n \"ui.system.preferences.recordsperscreen\": \"100\",\n \"ui.system.preferences.startscreen\": \"network_map\",\n \"ui.users.redirectsuperuserstoauthsummary\": \"true\",\n \"dns.cache\": \"enable\",\n \"config.allow.rfc3927\": \"enable\",\n \"big3d.minimum.tls.version\": \"TLSV1.2\",\n \"liveinstall.checksig\": \"enable\"\n },\n \"RemoteSyslog\": {\n \"class\": \"SyslogRemoteServer\",\n \"host\": \"10.90.10.101\",\n \"localIp\": \"10.90.1.4\",\n \"remotePort\": 514\n },\n \"system\":{\n \"class\": \"System\",\n \"autoCheck\": false,\n \"autoPhonehome\": false,\n \"cliInactivityTimeout\": 900,\n \"consoleInactivityTimeout\": 900,\n \"guiAuditLog\": true,\n \"mcpAuditLog\": \"enable\",\n \"tmshAuditLog\": true\n },\n \"httpd\": {\n \"class\": \"HTTPD\",\n \"maxClients\": \"10\",\n \"authPamIdleTimeout\": \"900\",\n \"sslCiphersuite\": [\"ECDHE-ECDSA-AES256-GCM-SHA384\", \"ECDHE-ECDSA-AES256-SHA384\", \"ECDHE-ECDSA-AES256-SHA\",\"ECDH-ECDSA-AES256-GCM-SHA384\", \"ECDH-ECDSA-AES256-SHA384\", \"ECDH-ECDSA-AES256-SHA\", \"AES256-GCM-SHA384\", \"AES256-SHA256\", \"AES256-SHA\", \"CAMELLIA256-SHA\", \"ECDHE-RSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-SHA256\", \"ECDHE-RSA-AES128-SHA\", \"ECDHE-ECDSA-AES128-SHA\", \"ECDH-ECDSA-AES128-GCM-SHA256\", \"ECDH-ECDSA-AES128-SHA256\", \"ECDH-ECDSA-AES128-SHA\", \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES128-SHA\", \"SEED-SHA\", \"CAMELLIA128-SHA\"],\n \"sslProtocol\": \"all -SSLv2 -SSLv3 -TLSv1\"\n },\n \"sshd\": {\n \"class\": \"SSHD\",\n \"banner\": \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\",\n \"inactivityTimeout\": 900,\n \"ciphers\": [\n \"aes128-ctr\",\n \"aes192-ctr\",\n \"aes256-ctr\"\n ],\n \"loginGraceTime\": 60,\n \"MACS\": [\n \"hmac-sha1\",\n \"hmac-ripemd160\"\n ],\n \"maxAuthTries\": 3,\n \"maxStartups\": \"5\",\n \"protocol\": 2\n },\n \"myDns\": {\n \"class\": \"DNS\",\n \"nameServers\": [\n \"168.63.129.16\",\n \"2001:4860:4860::8844\"\n ],\n \"search\": [\n \"f5.com\"\n ]\n },\n \"myNtp\": {\n \"class\": \"NTP\",\n \"servers\": [\n \"time.nist.gov\",\n \"0.pool.ntp.org\",\n \"1.pool.ntp.org\"\n ],\n \"timezone\": \"UTC\"\n },\n \"myProvisioning\": {\n \"class\": \"Provision\",\n \"ltm\": \"nominal\",\n \"asm\": \"nominal\",\n \"afm\": \"nominal\"\n },\n \"external\": {\n \"class\": \"VLAN\",\n \"tag\": 4094,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.1\",\n \"tagged\": false\n }\n ]\n },\n \"internal\": {\n \"class\": \"VLAN\",\n \"tag\": 4093,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.2\",\n \"tagged\": false\n }\n ]\n },\n \"external-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.1.4/24\",\n \"vlan\": \"external\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internal-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.2.4/24\",\n \"vlan\": \"internal\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internet\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.1.1\",\n \"network\": \"default\",\n \"mtu\": 1500\n },\n \"vdms\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.3.0/24\",\n \"mtu\": 1500\n },\n \"vdss\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.0.0/16\",\n \"mtu\": 1500\n },\n \"configsync\": {\n \"class\": \"ConfigSync\",\n \"configsyncIp\": \"/Common/external-self/address\"\n },\n \"failoverAddress\": {\n \"class\": \"FailoverUnicast\",\n \"address\": \"/Common/external-self/address\"\n },\n \"failoverGroup\": {\n \"class\": \"DeviceGroup\",\n \"type\": \"sync-failover\",\n \"members\": [\n \"f5vm01.example.com\",\n \"f5vm02.example.com\"\n ],\n \"owner\": \"/Common/failoverGroup/members/0\",\n \"autoSync\": true,\n \"saveOnAutoSync\": false,\n \"networkFailover\": true,\n \"fullLoadOnSync\": false,\n \"asmSync\": true\n },\n \"trust\": {\n \"class\": \"DeviceTrust\",\n \"localUsername\": \"xadmin\",\n \"localPassword\": \"pleaseUseVault123!!\",\n \"remoteHost\": \"10.90.1.5\",\n \"remoteUsername\": \"xadmin\",\n \"remotePassword\": \"pleaseUseVault123!!\"\n }\n }\n}",
+ "template": "{\n \"schemaVersion\": \"1.9.0\",\n \"class\": \"Device\",\n \"async\": true,\n \"label\": \"Basic onboarding\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"hostname\": \"${local_host}.example.com\",\n \"dbvars\": {\n \t\"class\": \"DbVariables\",\n \t\"ui.advisory.enabled\": true,\n \t\"ui.advisory.color\": \"green\",\n \"ui.advisory.text\": \"//UNCLASSIFIED//\",\n \"ui.system.preferences.advancedselection\": \"advanced\",\n \"ui.system.preferences.recordsperscreen\": \"100\",\n \"ui.system.preferences.startscreen\": \"network_map\",\n \"ui.users.redirectsuperuserstoauthsummary\": \"true\",\n \"dns.cache\": \"enable\",\n \"config.allow.rfc3927\": \"enable\",\n \"big3d.minimum.tls.version\": \"TLSV1.2\",\n \"liveinstall.checksig\": \"enable\"\n },\n \"RemoteSyslog\": {\n \"class\": \"SyslogRemoteServer\",\n \"host\": \"${log_destination}\",\n \"localIp\": \"${log_localip}\",\n \"remotePort\": 514\n },\n \"system\":{\n \"class\": \"System\",\n \"autoCheck\": false,\n \"autoPhonehome\": false,\n \"cliInactivityTimeout\": 900,\n \"consoleInactivityTimeout\": 900,\n \"guiAuditLog\": true,\n \"mcpAuditLog\": \"enable\",\n \"tmshAuditLog\": true\n },\n \"httpd\": {\n \"class\": \"HTTPD\",\n \"maxClients\": \"10\",\n \"authPamIdleTimeout\": \"900\",\n \"sslCiphersuite\": [\"ECDHE-ECDSA-AES256-GCM-SHA384\", \"ECDHE-ECDSA-AES256-SHA384\", \"ECDHE-ECDSA-AES256-SHA\",\"ECDH-ECDSA-AES256-GCM-SHA384\", \"ECDH-ECDSA-AES256-SHA384\", \"ECDH-ECDSA-AES256-SHA\", \"AES256-GCM-SHA384\", \"AES256-SHA256\", \"AES256-SHA\", \"CAMELLIA256-SHA\", \"ECDHE-RSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-SHA256\", \"ECDHE-RSA-AES128-SHA\", \"ECDHE-ECDSA-AES128-SHA\", \"ECDH-ECDSA-AES128-GCM-SHA256\", \"ECDH-ECDSA-AES128-SHA256\", \"ECDH-ECDSA-AES128-SHA\", \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES128-SHA\", \"SEED-SHA\", \"CAMELLIA128-SHA\"],\n \"sslProtocol\": \"all -SSLv2 -SSLv3 -TLSv1\"\n },\n \"sshd\": {\n \"class\": \"SSHD\",\n \"banner\": \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\",\n \"inactivityTimeout\": 900,\n \"ciphers\": [\n \"aes128-ctr\",\n \"aes192-ctr\",\n \"aes256-ctr\"\n ],\n \"loginGraceTime\": 60,\n \"MACS\": [\n \"hmac-sha1\",\n \"hmac-ripemd160\"\n ],\n \"maxAuthTries\": 3,\n \"maxStartups\": \"5\",\n \"protocol\": 2\n },\n \"myDns\": {\n \"class\": \"DNS\",\n \"nameServers\": [\n \"${dns_server}\",\n \"2001:4860:4860::8844\"\n ],\n \"search\": [\n \"f5.com\"\n ]\n },\n \"myNtp\": {\n \"class\": \"NTP\",\n \"servers\": [\n \"${ntp_server}\",\n \"0.pool.ntp.org\",\n \"1.pool.ntp.org\"\n ],\n \"timezone\": \"${timezone}\"\n },\n \"myProvisioning\": {\n \"class\": \"Provision\",\n \"ltm\": \"nominal\",\n \"asm\": \"nominal\",\n \"afm\": \"nominal\"\n },\n \"external\": {\n \"class\": \"VLAN\",\n \"tag\": 4094,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.1\",\n \"tagged\": false\n }\n ]\n },\n \"internal\": {\n \"class\": \"VLAN\",\n \"tag\": 4093,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.2\",\n \"tagged\": false\n }\n ]\n },\n \"external-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"${external_selfip}\",\n \"vlan\": \"external\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internal-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"${internal_selfip}\",\n \"vlan\": \"internal\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internet\": {\n \"class\": \"Route\",\n \"gw\": \"${externalGateway}\",\n \"network\": \"default\",\n \"mtu\": 1500\n },\n \"vdms\": {\n \"class\": \"Route\",\n \"gw\": \"${internalGateway}\",\n \"network\": \"${vdmsSubnet}\",\n \"mtu\": 1500\n },\n \"vdss\": {\n \"class\": \"Route\",\n \"gw\": \"${internalGateway}\",\n \"network\": \"${vnetSubnet}\",\n \"mtu\": 1500\n },\n \"configsync\": {\n \"class\": \"ConfigSync\",\n \"configsyncIp\": \"/Common/external-self/address\"\n },\n \"failoverAddress\": {\n \"class\": \"FailoverUnicast\",\n \"address\": \"/Common/external-self/address\"\n },\n \"failoverGroup\": {\n \"class\": \"DeviceGroup\",\n \"type\": \"sync-failover\",\n \"members\": [\n \"${host1}.example.com\",\n \"${host2}.example.com\"\n ],\n \"owner\": \"/Common/failoverGroup/members/0\",\n \"autoSync\": true,\n \"saveOnAutoSync\": false,\n \"networkFailover\": true,\n \"fullLoadOnSync\": false,\n \"asmSync\": true\n },\n \"trust\": {\n \"class\": \"DeviceTrust\",\n \"localUsername\": \"${admin_user}\",\n \"localPassword\": \"${admin_password}\",\n \"remoteHost\": \"${remote_selfip}\",\n \"remoteUsername\": \"${admin_user}\",\n \"remotePassword\": \"${admin_password}\"\n }\n }\n}",
+ "vars": {
+ "admin_password": "pleaseUseVault123!!",
+ "admin_user": "xadmin",
+ "appSubnet": "10.90.10.0/24",
+ "bigip_regKey": "",
+ "dns_server": "168.63.129.16",
+ "externalGateway": "10.90.1.1",
+ "external_selfip": "10.90.1.4/24",
+ "host1": "f5vm01",
+ "host2": "f5vm02",
+ "internalGateway": "10.90.2.1",
+ "internal_selfip": "10.90.2.4/24",
+ "local_host": "f5vm01",
+ "log_destination": "10.90.10.101",
+ "log_localip": "10.90.1.4",
+ "mgmtGateway": "10.90.0.1",
+ "ntp_server": "time.nist.gov",
+ "remote_host": "f5vm02",
+ "remote_selfip": "10.90.1.5",
+ "timezone": "UTC",
+ "vdmsSubnet": "10.90.3.0/24",
+ "vnetSubnet": "10.90.0.0/16"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "data",
+ "type": "template_file",
+ "name": "vm02_do_json",
+ "provider": "provider[\"registry.terraform.io/hashicorp/template\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "filename": null,
+ "id": "86e22404a3d155e58c4e4129c9e30be9f60fabb82c19615366841bab02fa74ac",
+ "rendered": "{\n \"schemaVersion\": \"1.9.0\",\n \"class\": \"Device\",\n \"async\": true,\n \"label\": \"Basic onboarding\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"hostname\": \"f5vm02.example.com\",\n \"dbvars\": {\n \t\"class\": \"DbVariables\",\n \t\"ui.advisory.enabled\": true,\n \t\"ui.advisory.color\": \"green\",\n \"ui.advisory.text\": \"//UNCLASSIFIED//\",\n \"ui.system.preferences.advancedselection\": \"advanced\",\n \"ui.system.preferences.recordsperscreen\": \"100\",\n \"ui.system.preferences.startscreen\": \"network_map\",\n \"ui.users.redirectsuperuserstoauthsummary\": \"true\",\n \"dns.cache\": \"enable\",\n \"config.allow.rfc3927\": \"enable\",\n \"big3d.minimum.tls.version\": \"TLSV1.2\",\n \"liveinstall.checksig\": \"enable\"\n },\n \"RemoteSyslog\": {\n \"class\": \"SyslogRemoteServer\",\n \"host\": \"10.90.10.101\",\n \"localIp\": \"10.90.1.5\",\n \"remotePort\": 514\n },\n \"system\":{\n \"class\": \"System\",\n \"autoCheck\": false,\n \"autoPhonehome\": false,\n \"cliInactivityTimeout\": 900,\n \"consoleInactivityTimeout\": 900,\n \"guiAuditLog\": true,\n \"mcpAuditLog\": \"enable\",\n \"tmshAuditLog\": true\n },\n \"httpd\": {\n \"class\": \"HTTPD\",\n \"maxClients\": \"10\",\n \"authPamIdleTimeout\": \"900\",\n \"sslCiphersuite\": [\"ECDHE-ECDSA-AES256-GCM-SHA384\", \"ECDHE-ECDSA-AES256-SHA384\", \"ECDHE-ECDSA-AES256-SHA\",\"ECDH-ECDSA-AES256-GCM-SHA384\", \"ECDH-ECDSA-AES256-SHA384\", \"ECDH-ECDSA-AES256-SHA\", \"AES256-GCM-SHA384\", \"AES256-SHA256\", \"AES256-SHA\", \"CAMELLIA256-SHA\", \"ECDHE-RSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-SHA256\", \"ECDHE-RSA-AES128-SHA\", \"ECDHE-ECDSA-AES128-SHA\", \"ECDH-ECDSA-AES128-GCM-SHA256\", \"ECDH-ECDSA-AES128-SHA256\", \"ECDH-ECDSA-AES128-SHA\", \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES128-SHA\", \"SEED-SHA\", \"CAMELLIA128-SHA\"],\n \"sslProtocol\": \"all -SSLv2 -SSLv3 -TLSv1\"\n },\n \"sshd\": {\n \"class\": \"SSHD\",\n \"banner\": \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\",\n \"inactivityTimeout\": 900,\n \"ciphers\": [\n \"aes128-ctr\",\n \"aes192-ctr\",\n \"aes256-ctr\"\n ],\n \"loginGraceTime\": 60,\n \"MACS\": [\n \"hmac-sha1\",\n \"hmac-ripemd160\"\n ],\n \"maxAuthTries\": 3,\n \"maxStartups\": \"5\",\n \"protocol\": 2\n },\n \"myDns\": {\n \"class\": \"DNS\",\n \"nameServers\": [\n \"168.63.129.16\",\n \"2001:4860:4860::8844\"\n ],\n \"search\": [\n \"f5.com\"\n ]\n },\n \"myNtp\": {\n \"class\": \"NTP\",\n \"servers\": [\n \"time.nist.gov\",\n \"0.pool.ntp.org\",\n \"1.pool.ntp.org\"\n ],\n \"timezone\": \"UTC\"\n },\n \"myProvisioning\": {\n \"class\": \"Provision\",\n \"ltm\": \"nominal\",\n \"asm\": \"nominal\",\n \"afm\": \"nominal\"\n },\n \"external\": {\n \"class\": \"VLAN\",\n \"tag\": 4094,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.1\",\n \"tagged\": false\n }\n ]\n },\n \"internal\": {\n \"class\": \"VLAN\",\n \"tag\": 4093,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.2\",\n \"tagged\": false\n }\n ]\n },\n \"external-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.1.5/24\",\n \"vlan\": \"external\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internal-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.2.5/24\",\n \"vlan\": \"internal\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internet\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.1.1\",\n \"network\": \"default\",\n \"mtu\": 1500\n },\n \"vdms\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.3.0/24\",\n \"mtu\": 1500\n },\n \"vdss\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.0.0/16\",\n \"mtu\": 1500\n },\n \"configsync\": {\n \"class\": \"ConfigSync\",\n \"configsyncIp\": \"/Common/external-self/address\"\n },\n \"failoverAddress\": {\n \"class\": \"FailoverUnicast\",\n \"address\": \"/Common/external-self/address\"\n },\n \"failoverGroup\": {\n \"class\": \"DeviceGroup\",\n \"type\": \"sync-failover\",\n \"members\": [\n \"f5vm01.example.com\",\n \"f5vm02.example.com\"\n ],\n \"owner\": \"/Common/failoverGroup/members/0\",\n \"autoSync\": true,\n \"saveOnAutoSync\": false,\n \"networkFailover\": true,\n \"fullLoadOnSync\": false,\n \"asmSync\": true\n },\n \"trust\": {\n \"class\": \"DeviceTrust\",\n \"localUsername\": \"xadmin\",\n \"localPassword\": \"pleaseUseVault123!!\",\n \"remoteHost\": \"10.90.1.4\",\n \"remoteUsername\": \"xadmin\",\n \"remotePassword\": \"pleaseUseVault123!!\"\n }\n }\n}",
+ "template": "{\n \"schemaVersion\": \"1.9.0\",\n \"class\": \"Device\",\n \"async\": true,\n \"label\": \"Basic onboarding\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"hostname\": \"${local_host}.example.com\",\n \"dbvars\": {\n \t\"class\": \"DbVariables\",\n \t\"ui.advisory.enabled\": true,\n \t\"ui.advisory.color\": \"green\",\n \"ui.advisory.text\": \"//UNCLASSIFIED//\",\n \"ui.system.preferences.advancedselection\": \"advanced\",\n \"ui.system.preferences.recordsperscreen\": \"100\",\n \"ui.system.preferences.startscreen\": \"network_map\",\n \"ui.users.redirectsuperuserstoauthsummary\": \"true\",\n \"dns.cache\": \"enable\",\n \"config.allow.rfc3927\": \"enable\",\n \"big3d.minimum.tls.version\": \"TLSV1.2\",\n \"liveinstall.checksig\": \"enable\"\n },\n \"RemoteSyslog\": {\n \"class\": \"SyslogRemoteServer\",\n \"host\": \"${log_destination}\",\n \"localIp\": \"${log_localip}\",\n \"remotePort\": 514\n },\n \"system\":{\n \"class\": \"System\",\n \"autoCheck\": false,\n \"autoPhonehome\": false,\n \"cliInactivityTimeout\": 900,\n \"consoleInactivityTimeout\": 900,\n \"guiAuditLog\": true,\n \"mcpAuditLog\": \"enable\",\n \"tmshAuditLog\": true\n },\n \"httpd\": {\n \"class\": \"HTTPD\",\n \"maxClients\": \"10\",\n \"authPamIdleTimeout\": \"900\",\n \"sslCiphersuite\": [\"ECDHE-ECDSA-AES256-GCM-SHA384\", \"ECDHE-ECDSA-AES256-SHA384\", \"ECDHE-ECDSA-AES256-SHA\",\"ECDH-ECDSA-AES256-GCM-SHA384\", \"ECDH-ECDSA-AES256-SHA384\", \"ECDH-ECDSA-AES256-SHA\", \"AES256-GCM-SHA384\", \"AES256-SHA256\", \"AES256-SHA\", \"CAMELLIA256-SHA\", \"ECDHE-RSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-SHA256\", \"ECDHE-RSA-AES128-SHA\", \"ECDHE-ECDSA-AES128-SHA\", \"ECDH-ECDSA-AES128-GCM-SHA256\", \"ECDH-ECDSA-AES128-SHA256\", \"ECDH-ECDSA-AES128-SHA\", \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES128-SHA\", \"SEED-SHA\", \"CAMELLIA128-SHA\"],\n \"sslProtocol\": \"all -SSLv2 -SSLv3 -TLSv1\"\n },\n \"sshd\": {\n \"class\": \"SSHD\",\n \"banner\": \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\",\n \"inactivityTimeout\": 900,\n \"ciphers\": [\n \"aes128-ctr\",\n \"aes192-ctr\",\n \"aes256-ctr\"\n ],\n \"loginGraceTime\": 60,\n \"MACS\": [\n \"hmac-sha1\",\n \"hmac-ripemd160\"\n ],\n \"maxAuthTries\": 3,\n \"maxStartups\": \"5\",\n \"protocol\": 2\n },\n \"myDns\": {\n \"class\": \"DNS\",\n \"nameServers\": [\n \"${dns_server}\",\n \"2001:4860:4860::8844\"\n ],\n \"search\": [\n \"f5.com\"\n ]\n },\n \"myNtp\": {\n \"class\": \"NTP\",\n \"servers\": [\n \"${ntp_server}\",\n \"0.pool.ntp.org\",\n \"1.pool.ntp.org\"\n ],\n \"timezone\": \"${timezone}\"\n },\n \"myProvisioning\": {\n \"class\": \"Provision\",\n \"ltm\": \"nominal\",\n \"asm\": \"nominal\",\n \"afm\": \"nominal\"\n },\n \"external\": {\n \"class\": \"VLAN\",\n \"tag\": 4094,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.1\",\n \"tagged\": false\n }\n ]\n },\n \"internal\": {\n \"class\": \"VLAN\",\n \"tag\": 4093,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.2\",\n \"tagged\": false\n }\n ]\n },\n \"external-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"${external_selfip}\",\n \"vlan\": \"external\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internal-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"${internal_selfip}\",\n \"vlan\": \"internal\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internet\": {\n \"class\": \"Route\",\n \"gw\": \"${externalGateway}\",\n \"network\": \"default\",\n \"mtu\": 1500\n },\n \"vdms\": {\n \"class\": \"Route\",\n \"gw\": \"${internalGateway}\",\n \"network\": \"${vdmsSubnet}\",\n \"mtu\": 1500\n },\n \"vdss\": {\n \"class\": \"Route\",\n \"gw\": \"${internalGateway}\",\n \"network\": \"${vnetSubnet}\",\n \"mtu\": 1500\n },\n \"configsync\": {\n \"class\": \"ConfigSync\",\n \"configsyncIp\": \"/Common/external-self/address\"\n },\n \"failoverAddress\": {\n \"class\": \"FailoverUnicast\",\n \"address\": \"/Common/external-self/address\"\n },\n \"failoverGroup\": {\n \"class\": \"DeviceGroup\",\n \"type\": \"sync-failover\",\n \"members\": [\n \"${host1}.example.com\",\n \"${host2}.example.com\"\n ],\n \"owner\": \"/Common/failoverGroup/members/0\",\n \"autoSync\": true,\n \"saveOnAutoSync\": false,\n \"networkFailover\": true,\n \"fullLoadOnSync\": false,\n \"asmSync\": true\n },\n \"trust\": {\n \"class\": \"DeviceTrust\",\n \"localUsername\": \"${admin_user}\",\n \"localPassword\": \"${admin_password}\",\n \"remoteHost\": \"${remote_selfip}\",\n \"remoteUsername\": \"${admin_user}\",\n \"remotePassword\": \"${admin_password}\"\n }\n }\n}",
+ "vars": {
+ "admin_password": "pleaseUseVault123!!",
+ "admin_user": "xadmin",
+ "appSubnet": "10.90.10.0/24",
+ "bigip_regKey": "",
+ "dns_server": "168.63.129.16",
+ "externalGateway": "10.90.1.1",
+ "external_selfip": "10.90.1.5/24",
+ "host1": "f5vm01",
+ "host2": "f5vm02",
+ "internalGateway": "10.90.2.1",
+ "internal_selfip": "10.90.2.5/24",
+ "local_host": "f5vm02",
+ "log_destination": "10.90.10.101",
+ "log_localip": "10.90.1.5",
+ "mgmtGateway": "10.90.0.1",
+ "ntp_server": "time.nist.gov",
+ "remote_host": "f5vm01",
+ "remote_selfip": "10.90.1.4",
+ "timezone": "UTC",
+ "vdmsSubnet": "10.90.3.0/24",
+ "vnetSubnet": "10.90.0.0/16"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "data",
+ "type": "template_file",
+ "name": "vm_onboard",
+ "provider": "provider[\"registry.terraform.io/hashicorp/template\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "filename": null,
+ "id": "1eacc86321f222c324a6ba0d5d2dc8909350cef4db3c03475a1e190eaa282ab3",
+ "rendered": "#!/bin/bash\n#\n# vars\n#\n# get device id for do\ndeviceId=$1\n#\nadmin_username='xadmin'\nadmin_password='pleaseUseVault123!!'\nCREDS=\"$admin_username:$admin_password\"\nLOG_FILE=/var/log/startup-script.log\n# constants\nmgmt_port=`tmsh list sys httpd ssl-port | grep ssl-port | sed 's/ssl-port //;s/ //g'`\nauthUrl=\"/mgmt/shared/authn/login\"\nrpmInstallUrl=\"/mgmt/shared/iapp/package-management-tasks\"\nrpmFilePath=\"/var/config/rest/downloads\"\nlocal_host=\"http://localhost:8100\"\n# do\ndoUrl=\"/mgmt/shared/declarative-onboarding\"\ndoCheckUrl=\"/mgmt/shared/declarative-onboarding/info\"\ndoTaskUrl=\"/mgmt/shared/declarative-onboarding/task\"\n# as3\nas3Url=\"/mgmt/shared/appsvcs/declare\"\nas3CheckUrl=\"/mgmt/shared/appsvcs/info\"\nas3TaskUrl=\"/mgmt/shared/appsvcs/task/\"\n# ts\ntsUrl=\"/mgmt/shared/telemetry/declare\"\ntsCheckUrl=\"/mgmt/shared/telemetry/info\"\n# cloud failover ext\ncfUrl=\"/mgmt/shared/cloud-failover/declare\"\ncfCheckUrl=\"/mgmt/shared/cloud-failover/info\"\n# fast\nfastCheckUrl=\"/mgmt/shared/fast/info\"\n# declaration content\ncat \u003e /config/do1.json \u003c\u003cEOF\n{\n \"schemaVersion\": \"1.9.0\",\n \"class\": \"Device\",\n \"async\": true,\n \"label\": \"Basic onboarding\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"hostname\": \"f5vm01.example.com\",\n \"dbvars\": {\n \t\"class\": \"DbVariables\",\n \t\"ui.advisory.enabled\": true,\n \t\"ui.advisory.color\": \"green\",\n \"ui.advisory.text\": \"//UNCLASSIFIED//\",\n \"ui.system.preferences.advancedselection\": \"advanced\",\n \"ui.system.preferences.recordsperscreen\": \"100\",\n \"ui.system.preferences.startscreen\": \"network_map\",\n \"ui.users.redirectsuperuserstoauthsummary\": \"true\",\n \"dns.cache\": \"enable\",\n \"config.allow.rfc3927\": \"enable\",\n \"big3d.minimum.tls.version\": \"TLSV1.2\",\n \"liveinstall.checksig\": \"enable\"\n },\n \"RemoteSyslog\": {\n \"class\": \"SyslogRemoteServer\",\n \"host\": \"10.90.10.101\",\n \"localIp\": \"10.90.1.4\",\n \"remotePort\": 514\n },\n \"system\":{\n \"class\": \"System\",\n \"autoCheck\": false,\n \"autoPhonehome\": false,\n \"cliInactivityTimeout\": 900,\n \"consoleInactivityTimeout\": 900,\n \"guiAuditLog\": true,\n \"mcpAuditLog\": \"enable\",\n \"tmshAuditLog\": true\n },\n \"httpd\": {\n \"class\": \"HTTPD\",\n \"maxClients\": \"10\",\n \"authPamIdleTimeout\": \"900\",\n \"sslCiphersuite\": [\"ECDHE-ECDSA-AES256-GCM-SHA384\", \"ECDHE-ECDSA-AES256-SHA384\", \"ECDHE-ECDSA-AES256-SHA\",\"ECDH-ECDSA-AES256-GCM-SHA384\", \"ECDH-ECDSA-AES256-SHA384\", \"ECDH-ECDSA-AES256-SHA\", \"AES256-GCM-SHA384\", \"AES256-SHA256\", \"AES256-SHA\", \"CAMELLIA256-SHA\", \"ECDHE-RSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-SHA256\", \"ECDHE-RSA-AES128-SHA\", \"ECDHE-ECDSA-AES128-SHA\", \"ECDH-ECDSA-AES128-GCM-SHA256\", \"ECDH-ECDSA-AES128-SHA256\", \"ECDH-ECDSA-AES128-SHA\", \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES128-SHA\", \"SEED-SHA\", \"CAMELLIA128-SHA\"],\n \"sslProtocol\": \"all -SSLv2 -SSLv3 -TLSv1\"\n },\n \"sshd\": {\n \"class\": \"SSHD\",\n \"banner\": \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\",\n \"inactivityTimeout\": 900,\n \"ciphers\": [\n \"aes128-ctr\",\n \"aes192-ctr\",\n \"aes256-ctr\"\n ],\n \"loginGraceTime\": 60,\n \"MACS\": [\n \"hmac-sha1\",\n \"hmac-ripemd160\"\n ],\n \"maxAuthTries\": 3,\n \"maxStartups\": \"5\",\n \"protocol\": 2\n },\n \"myDns\": {\n \"class\": \"DNS\",\n \"nameServers\": [\n \"168.63.129.16\",\n \"2001:4860:4860::8844\"\n ],\n \"search\": [\n \"f5.com\"\n ]\n },\n \"myNtp\": {\n \"class\": \"NTP\",\n \"servers\": [\n \"time.nist.gov\",\n \"0.pool.ntp.org\",\n \"1.pool.ntp.org\"\n ],\n \"timezone\": \"UTC\"\n },\n \"myProvisioning\": {\n \"class\": \"Provision\",\n \"ltm\": \"nominal\",\n \"asm\": \"nominal\",\n \"afm\": \"nominal\"\n },\n \"external\": {\n \"class\": \"VLAN\",\n \"tag\": 4094,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.1\",\n \"tagged\": false\n }\n ]\n },\n \"internal\": {\n \"class\": \"VLAN\",\n \"tag\": 4093,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.2\",\n \"tagged\": false\n }\n ]\n },\n \"external-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.1.4/24\",\n \"vlan\": \"external\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internal-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.2.4/24\",\n \"vlan\": \"internal\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internet\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.1.1\",\n \"network\": \"default\",\n \"mtu\": 1500\n },\n \"vdms\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.3.0/24\",\n \"mtu\": 1500\n },\n \"vdss\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.0.0/16\",\n \"mtu\": 1500\n },\n \"configsync\": {\n \"class\": \"ConfigSync\",\n \"configsyncIp\": \"/Common/external-self/address\"\n },\n \"failoverAddress\": {\n \"class\": \"FailoverUnicast\",\n \"address\": \"/Common/external-self/address\"\n },\n \"failoverGroup\": {\n \"class\": \"DeviceGroup\",\n \"type\": \"sync-failover\",\n \"members\": [\n \"f5vm01.example.com\",\n \"f5vm02.example.com\"\n ],\n \"owner\": \"/Common/failoverGroup/members/0\",\n \"autoSync\": true,\n \"saveOnAutoSync\": false,\n \"networkFailover\": true,\n \"fullLoadOnSync\": false,\n \"asmSync\": true\n },\n \"trust\": {\n \"class\": \"DeviceTrust\",\n \"localUsername\": \"xadmin\",\n \"localPassword\": \"pleaseUseVault123!!\",\n \"remoteHost\": \"10.90.1.5\",\n \"remoteUsername\": \"xadmin\",\n \"remotePassword\": \"pleaseUseVault123!!\"\n }\n }\n}\nEOF\ncat \u003e /config/do2.json \u003c\u003cEOF\n{\n \"schemaVersion\": \"1.9.0\",\n \"class\": \"Device\",\n \"async\": true,\n \"label\": \"Basic onboarding\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"hostname\": \"f5vm02.example.com\",\n \"dbvars\": {\n \t\"class\": \"DbVariables\",\n \t\"ui.advisory.enabled\": true,\n \t\"ui.advisory.color\": \"green\",\n \"ui.advisory.text\": \"//UNCLASSIFIED//\",\n \"ui.system.preferences.advancedselection\": \"advanced\",\n \"ui.system.preferences.recordsperscreen\": \"100\",\n \"ui.system.preferences.startscreen\": \"network_map\",\n \"ui.users.redirectsuperuserstoauthsummary\": \"true\",\n \"dns.cache\": \"enable\",\n \"config.allow.rfc3927\": \"enable\",\n \"big3d.minimum.tls.version\": \"TLSV1.2\",\n \"liveinstall.checksig\": \"enable\"\n },\n \"RemoteSyslog\": {\n \"class\": \"SyslogRemoteServer\",\n \"host\": \"10.90.10.101\",\n \"localIp\": \"10.90.1.5\",\n \"remotePort\": 514\n },\n \"system\":{\n \"class\": \"System\",\n \"autoCheck\": false,\n \"autoPhonehome\": false,\n \"cliInactivityTimeout\": 900,\n \"consoleInactivityTimeout\": 900,\n \"guiAuditLog\": true,\n \"mcpAuditLog\": \"enable\",\n \"tmshAuditLog\": true\n },\n \"httpd\": {\n \"class\": \"HTTPD\",\n \"maxClients\": \"10\",\n \"authPamIdleTimeout\": \"900\",\n \"sslCiphersuite\": [\"ECDHE-ECDSA-AES256-GCM-SHA384\", \"ECDHE-ECDSA-AES256-SHA384\", \"ECDHE-ECDSA-AES256-SHA\",\"ECDH-ECDSA-AES256-GCM-SHA384\", \"ECDH-ECDSA-AES256-SHA384\", \"ECDH-ECDSA-AES256-SHA\", \"AES256-GCM-SHA384\", \"AES256-SHA256\", \"AES256-SHA\", \"CAMELLIA256-SHA\", \"ECDHE-RSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-SHA256\", \"ECDHE-RSA-AES128-SHA\", \"ECDHE-ECDSA-AES128-SHA\", \"ECDH-ECDSA-AES128-GCM-SHA256\", \"ECDH-ECDSA-AES128-SHA256\", \"ECDH-ECDSA-AES128-SHA\", \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES128-SHA\", \"SEED-SHA\", \"CAMELLIA128-SHA\"],\n \"sslProtocol\": \"all -SSLv2 -SSLv3 -TLSv1\"\n },\n \"sshd\": {\n \"class\": \"SSHD\",\n \"banner\": \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\",\n \"inactivityTimeout\": 900,\n \"ciphers\": [\n \"aes128-ctr\",\n \"aes192-ctr\",\n \"aes256-ctr\"\n ],\n \"loginGraceTime\": 60,\n \"MACS\": [\n \"hmac-sha1\",\n \"hmac-ripemd160\"\n ],\n \"maxAuthTries\": 3,\n \"maxStartups\": \"5\",\n \"protocol\": 2\n },\n \"myDns\": {\n \"class\": \"DNS\",\n \"nameServers\": [\n \"168.63.129.16\",\n \"2001:4860:4860::8844\"\n ],\n \"search\": [\n \"f5.com\"\n ]\n },\n \"myNtp\": {\n \"class\": \"NTP\",\n \"servers\": [\n \"time.nist.gov\",\n \"0.pool.ntp.org\",\n \"1.pool.ntp.org\"\n ],\n \"timezone\": \"UTC\"\n },\n \"myProvisioning\": {\n \"class\": \"Provision\",\n \"ltm\": \"nominal\",\n \"asm\": \"nominal\",\n \"afm\": \"nominal\"\n },\n \"external\": {\n \"class\": \"VLAN\",\n \"tag\": 4094,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.1\",\n \"tagged\": false\n }\n ]\n },\n \"internal\": {\n \"class\": \"VLAN\",\n \"tag\": 4093,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.2\",\n \"tagged\": false\n }\n ]\n },\n \"external-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.1.5/24\",\n \"vlan\": \"external\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internal-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.2.5/24\",\n \"vlan\": \"internal\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internet\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.1.1\",\n \"network\": \"default\",\n \"mtu\": 1500\n },\n \"vdms\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.3.0/24\",\n \"mtu\": 1500\n },\n \"vdss\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.0.0/16\",\n \"mtu\": 1500\n },\n \"configsync\": {\n \"class\": \"ConfigSync\",\n \"configsyncIp\": \"/Common/external-self/address\"\n },\n \"failoverAddress\": {\n \"class\": \"FailoverUnicast\",\n \"address\": \"/Common/external-self/address\"\n },\n \"failoverGroup\": {\n \"class\": \"DeviceGroup\",\n \"type\": \"sync-failover\",\n \"members\": [\n \"f5vm01.example.com\",\n \"f5vm02.example.com\"\n ],\n \"owner\": \"/Common/failoverGroup/members/0\",\n \"autoSync\": true,\n \"saveOnAutoSync\": false,\n \"networkFailover\": true,\n \"fullLoadOnSync\": false,\n \"asmSync\": true\n },\n \"trust\": {\n \"class\": \"DeviceTrust\",\n \"localUsername\": \"xadmin\",\n \"localPassword\": \"pleaseUseVault123!!\",\n \"remoteHost\": \"10.90.1.4\",\n \"remoteUsername\": \"xadmin\",\n \"remotePassword\": \"pleaseUseVault123!!\"\n }\n }\n}\nEOF\ncat \u003e /config/as3.json \u003c\u003cEOF\n{\n \"$schema\": \"https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json\",\n \"class\":\"AS3\",\n \"action\":\"deploy\",\n \"persist\":true,\n \"declaration\": { \n \"class\": \"ADC\",\n \"schemaVersion\": \"3.12.0\",\n \"id\": \"05faeb52-4c1b-9fa3-73be-ecd770a57df0\",\n \"label\": \"scca baseline\",\n \"remark\": \"scca baseline 3.12.0\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"Shared\": {\n \"class\": \"Application\",\n \"template\": \"shared\",\n \"fwLogDestinationSyslog\": {\n \"class\": \"Log_Destination\",\n \"type\": \"remote-syslog\",\n \"remoteHighSpeedLog\": {\n \"use\": \"fwLogDestinationHsl\"\n },\n \"format\": \"rfc5424\"\n },\n \"fwLogDestinationHsl\": {\n \"class\": \"Log_Destination\",\n \"type\": \"remote-high-speed-log\",\n \"protocol\": \"tcp\",\n \"pool\": {\n \"use\": \"hsl_pool\"\n }\n },\n \"hsl_pool\": {\n \"class\": \"Pool\",\n \"members\": [\n {\n \"serverAddresses\": [\n \"10.90.10.101\"\n ],\n \"enable\": true,\n \"servicePort\": 514\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/udp\"\n }\n ]\n },\n \"fwLogPublisher\": {\n \"class\": \"Log_Publisher\",\n \"destinations\": [\n {\n \"use\": \"fwLogDestinationSyslog\"\n }\n ]\n },\n \"fwSecurityLogProfile\": {\n \"class\": \"Security_Log_Profile\",\n \"network\": {\n \"publisher\": {\n \"use\": \"fwLogPublisher\"\n },\n \"storageFormat\": {\n \"fields\": [\n \"action\",\n \"dest-ip\",\n \"dest-port\",\n \"src-ip\",\n \"src-port\"\n ]\n },\n \"logTranslationFields\": true,\n \"logTcpEvents\": true,\n \"logRuleMatchRejects\": true,\n \"logTcpErrors\": true,\n \"logIpErrors\": true,\n \"logRuleMatchDrops\": true,\n \"logRuleMatchAccepts\": true\n },\n \"application\": {\n \"facility\": \"local3\",\n \"storageFilter\": {\n \"requestType\": \"illegal-including-staged-signatures\",\n \"responseCodes\": [\n \"404\",\n \"201\"\n ],\n \"protocols\": [\n \"http\"\n ],\n \"httpMethods\": [\n \"PATCH\",\n \"DELETE\"\n ],\n \"requestContains\": {\n \"searchIn\": \"search-in-request\",\n \"value\": \"The new value\"\n },\n \"loginResults\": [\n \"login-result-unknown\"\n ]\n },\n \"storageFormat\": {\n \"fields\": [\n \"attack_type\",\n \"avr_id\",\n \"headers\",\n \"is_truncated\"\n ],\n \"delimiter\": \".\"\n },\n \"localStorage\": false,\n \"maxEntryLength\": \"10k\",\n \"protocol\": \"udp\",\n \"remoteStorage\": \"remote\",\n \"reportAnomaliesEnabled\": true,\n \"servers\": [\n {\n \"address\": \"10.90.10.101\",\n \"port\": \"514\"\n }\n ]\n },\n \"dosApplication\": {\n \"remotePublisher\": {\n \"use\": \"fwLogPublisher\"\n }\n },\n \"dosNetwork\": {\n \"publisher\": {\n \"use\": \"fwLogPublisher\"\n }\n }\n },\n \"example_response\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"sccaBaselineWAFPolicy\":{\n \"class\": \"WAF_Policy\",\n \"url\": \"https://raw.githubusercontent.com/f5devcentral/f5-asm-policy-templates/master/owasp_ready_template/owasp-auto-tune-v1.1.xml\",\n \"ignoreChanges\": false,\n \"enforcementMode\": \"transparent\"\n },\n \"certificate_default\": {\n \"class\": \"Certificate\",\n \"certificate\": {\n \"bigip\": \"/Common/default.crt\"\n },\n \"privateKey\": {\n \"bigip\": \"/Common/default.key\"\n }\n },\n \"sccaBaselineClientSSL\": {\n \"certificates\": [\n {\n \"certificate\": \"certificate_default\"\n }\n ],\n \"ciphers\": \"HIGH\",\n \"class\": \"TLS_Server\"\n },\n \"sccaBaselineAFMRuleList\":{\n \"class\": \"Firewall_Rule_List\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n }\n ]\n },\n \"sccaBaselineAFMPolicy\": {\n \"class\": \"Firewall_Policy\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n },\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"deny_all\",\n \"protocol\": \"any\"\n }\n ]\n \n },\n \"sccaBaselineAFMPolicyHTTP\": {\n \"class\": \"Firewall_Policy\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n },\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"deny_all\",\n \"protocol\": \"any\"\n }\n ]\n \n }\n }\n },\n \"transit\": {\n \"class\": \"Tenant\",\n \"transit\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"transit_forward\": {\n \"class\": \"Service_Forwarding\",\n \"virtualAddresses\": [\n \"0.0.0.0/0\"\n ],\n \"profileL4\": {\n \"use\": \"route_friendly_fastl4\"\n },\n \"virtualPort\": 0,\n \"forwardingType\": \"ip\",\n \"layer4\": \"any\",\n \"snat\": \"auto\",\n \"translateServerAddress\": false,\n \"translateServerPort\": false,\n \"translateClientPort\": \"preserve-strict\"\n },\n \"route_friendly_fastl4\": {\n \"class\": \"L4_Profile\",\n \"idleTimeout\": 300,\n \"looseClose\": true,\n \"looseInitialization\": true,\n \"resetOnTimeout\": false\n },\n \"transit_health_irule\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"transit_health\": {\n \"class\": \"Service_HTTP\",\n \"layer4\": \"tcp\",\n \"iRules\": [\n \"transit_health_irule\"\n ],\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.2.11\",\n \"10.90.2.12\"\n ],\n \"virtualPort\": 34568,\n \"snat\": \"none\"\n }\n }\n },\n \"mgmt\": {\n \"class\": \"Tenant\",\n \"admin\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"rdp_pool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 3389,\n \"serverAddresses\": [\n \"10.90.3.98\"\n ]\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/tcp_half_open\"\n }\n ],\n \"class\": \"Pool\"\n },\n \"ssh_pool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 22,\n \"serverAddresses\": [\n \"10.90.3.99\"\n ]\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/tcp_half_open\"\n }\n ],\n \"class\": \"Pool\"\n },\n \"mgmt_health_irule\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"mgmt_http\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"iRules\": [\n \"mgmt_health_irule\"\n ],\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 80,\n \"snat\": \"none\"\n },\n \"mgmt_rdp\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"pool\": \"rdp_pool\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_TCP\",\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 3389,\n \"snat\": \"auto\"\n },\n \"mgmt_ssh\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"pool\": \"ssh_pool\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_TCP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 22,\n \"snat\": \"auto\"\n }\n }\n }, \n \"Example\": {\n \"class\": \"Tenant\",\n \"exampleApp\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"sccaBaselineExampleIPS\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": false,\n \"class\": \"Service_TCP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 0,\n \"snat\": \"auto\",\n \"pool\": \"sccaBaselineIPSPool\"\n \n },\n \"sccaBaselineExampleHTTPS\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicyHTTP\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTPS\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"serverTLS\": \"/Common/Shared/sccaBaselineClientSSL\",\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 443,\n \"snat\": \"auto\",\n \"policyWAF\": {\n \"use\": \"/Common/Shared/sccaBaselineWAFPolicy\"\n },\n \"pool\": \"sccaBaselineJuiceShop\"\n }, \n \"sccaBaselineExampleHTTP\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicyHTTP\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 8080,\n \"snat\": \"auto\",\n \"policyWAF\": {\n \"use\": \"/Common/Shared/sccaBaselineWAFPolicy\"\n },\n \"pool\": \"sccaBaselinePimpMyLogs\"\n },\n \"sccaBaselineIPSPool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 443,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineJuiceShop\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 3000,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n\n \"sccaBaselinePimpMyLogs\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 8080,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineDemoAppHttps\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/https\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\":443,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineDemoAppHttp\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\":80,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n }\n }\n }\n }\n}\nEOF\n\nDO_BODY_01=\"/config/do1.json\"\nDO_BODY_02=\"/config/do2.json\"\nAS3_BODY=\"/config/as3.json\"\n\nDO_URL_POST=\"/mgmt/shared/declarative-onboarding\"\nAS3_URL_POST=\"/mgmt/shared/appsvcs/declare\"\n# BIG-IPS ONBOARD SCRIPT\n\n\nif [ ! -e $LOG_FILE ]\nthen\n touch $LOG_FILE\n exec \u0026\u003e\u003e$LOG_FILE\nelse\n #if file exists, exit as only want to run once\n exit\nfi\n\nexec 1\u003e$LOG_FILE 2\u003e\u00261\n\nstartTime=$(date +%s)\necho \"start device ID:$deviceId date: $(date)\"\nfunction timer () {\n echo \"Time Elapsed: $(( 1 / 3600 ))h $(( (1 / 60) % 60 ))m $(( 1 % 60 ))s\"\n}\nwaitMcpd () {\nchecks=0\nwhile [[ \"$checks\" -lt 120 ]]; do\n tmsh -a show sys mcp-state field-fmt | grep -q running\n if [ $? == 0 ]; then\n echo \"[INFO: mcpd ready]\"\n break\n fi\n echo \"[WARN: mcpd not ready yet]\"\n let checks=checks+1\n sleep 10\ndone\n}\nwaitActive () {\nchecks=0\nwhile [[ \"$checks\" -lt 30 ]]; do\n tmsh -a show sys ready | grep -q no\n if [ $? == 1 ]; then\n echo \"[INFO: system ready]\"\n break\n fi\n echo \"[WARN: system not ready yet count: $checks]\"\n tmsh -a show sys ready | grep no\n let checks=checks+1\n sleep 10\ndone\n}\n# CHECK TO SEE NETWORK IS READY\ncount=0\nwhile true\ndo\n STATUS=$(curl -s -k -I example.com | grep HTTP)\n if [[ $STATUS == *\"200\"* ]]; then\n echo \"[INFO: internet access check passed]\"\n break\n elif [ $count -le 6 ]; then\n echo \"Status code: $STATUS Not done yet...\"\n count=$[$count+1]\n else\n echo \"[WARN: GIVE UP...]\"\n break\n fi\n sleep 10\ndone\n# download latest atc tools\ntoolsList=$(cat -\u003c\u003cEOF\n{\n \"tools\": [\n {\n \"name\": \"f5-declarative-onboarding\",\n \"version\": \"latest\",\n \"url\": \"https://example.domain.com/do.json\"\n },\n {\n \"name\": \"f5-appsvcs-extension\",\n \"version\": \"latest\",\n \"url\": \"https://example.domain.com/as3.json\"\n },\n {\n \"name\": \"f5-telemetry-streaming\",\n \"version\": \"latest\",\n \"url\": \"https://example.domain.com/ts.json\"\n },\n {\n \"name\": \"f5-cloud-failover-extension\",\n \"version\": \"latest\",\n \"url\": \"https://example.domain.com/cf.json\"\n },\n {\n \"name\": \"f5-appsvcs-templates\",\n \"version\": \"1.0.0\",\n \"url\": \"https://example.domain.com/cf.json\"\n }\n ]\n}\nEOF\n)\nfunction getAtc () {\natc=$(echo $toolsList | jq -r .tools[].name)\nfor tool in $atc\ndo\n version=$(echo $toolsList | jq -r \".tools[]| select(.name| contains (\\\"$tool\\\")).version\")\n if [ $version == \"latest\" ]; then\n path=''\n else\n path='tags/v'\n fi\n echo \"downloading $tool, $version\"\n if [ $tool == \"f5-new-tool\" ]; then\n files=$(/usr/bin/curl -sk --interface mgmt https://api.github.com/repos/f5devcentral/$tool/releases/$path$version | jq -r '.assets[] | select(.name | contains (\".rpm\")) | .browser_download_url')\n else\n files=$(/usr/bin/curl -sk --interface mgmt https://api.github.com/repos/F5Networks/$tool/releases/$path$version | jq -r '.assets[] | select(.name | contains (\".rpm\")) | .browser_download_url')\n fi\n for file in $files\n do\n echo \"download: $file\"\n name=$(basename $file )\n # make download dir\n mkdir -p /var/config/rest/downloads\n result=$(/usr/bin/curl -Lsk $file -o /var/config/rest/downloads/$name)\n done\ndone\n}\necho \"----download ATC tools----\"\ngetAtc\n\n# install atc tools\necho \"----install ATC tools----\"\nrpms=$(find $rpmFilePath -name \"*.rpm\" -type f)\nfor rpm in $rpms\ndo\n filename=$(basename $rpm)\n echo \"installing $filename\"\n if [ -f $rpmFilePath/$filename ]; then\n postBody=\"{\\\"operation\\\":\\\"INSTALL\\\",\\\"packageFilePath\\\":\\\"$rpmFilePath/$filename\\\"}\"\n while true\n do\n iappApiStatus=$(curl -s -i -u \"$CREDS\" $local_host$rpmInstallUrl | grep HTTP | awk '{print $2}')\n case $iappApiStatus in\n 404)\n echo \"[WARN: api not ready status: $iappApiStatus]\"\n sleep 2\n ;;\n 200)\n echo \"[INFO: api ready starting install task $filename]\"\n install=$(restcurl -s -u \"$CREDS\" -X POST -d $postBody $rpmInstallUrl | jq -r .id )\n break\n ;;\n *)\n echo \"[WARN: api error other status: $iappApiStatus]\"\n debug=$(restcurl -u \"$CREDS\" $rpmInstallUrl)\n #echo \"ipp install debug: $debug\"\n ;;\n esac\n done\n else\n echo \"[WARN: file: $filename not found]\"\n fi\n while true\n do\n status=$(restcurl -u \"$CREDS\" $rpmInstallUrl/$install | jq -r .status)\n case $status in\n FINISHED)\n # finished\n echo \" rpm: $filename task: $install status: $status\"\n break\n ;;\n STARTED)\n # started\n echo \" rpm: $filename task: $install status: $status\"\n ;;\n RUNNING)\n # running\n echo \" rpm: $filename task: $install status: $status\"\n ;;\n FAILED)\n # failed\n error=$(restcurl -u \"$CREDS\" $rpmInstallUrl/$install | jq .errorMessage)\n echo \"failed $filename task: $install error: $error\"\n break\n ;;\n *)\n # other\n debug=$(restcurl -u \"$CREDS\" $rpmInstallUrl/$install | jq . )\n echo \"failed $filename task: $install error: $debug\"\n ;;\n esac\n sleep 2\n done\ndone\nfunction getDoStatus() {\n task=$1\n doStatusType=$(restcurl -u \"$CREDS\" -X GET $doTaskUrl/$task | jq -r type )\n if [ \"$doStatusType\" == \"object\" ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doTaskUrl/$task | jq -r .result.status)\n echo $doStatus\n elif [ \"$doStatusType\" == \"array\" ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doTaskUrl/$task | jq -r .[].result.status)\n echo \"[INFO: $doStatus]\"\n else\n echo \"[WARN: unknown type:$doStatusType]\"\n fi\n}\nfunction checkDO() {\n # Check DO Ready\n count=0\n while [ $count -le 4 ]\n do\n #doStatus=$(curl -i -u \"$CREDS\" $local_host$doCheckUrl | grep HTTP | awk '{print $2}')\n doStatusType=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r type )\n if [ \"$doStatusType\" == \"object\" ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .code)\n if [ $? == 1 ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .result.code)\n fi\n elif [ \"$doStatusType\" == \"array\" ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .[].result.code)\n else\n echo \"[WARN: unknown type:$doStatusType]\"\n fi\n #echo \"status $doStatus\"\n if [[ $doStatus == \"200\" ]]; then\n #version=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .version)\n version=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .[].version)\n echo \"[INFO: Declarative Onboarding $version online]\"\n break\n elif [[ $doStatus == \"404\" ]]; then\n echo \"DO Status: $doStatus\"\n bigstart restart restnoded\n sleep 30\n bigstart status restnoded | grep running\n status=$?\n echo \"restnoded:$status\"\n else\n echo \"[WARN: DO Status $doStatus]\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\nfunction checkAS3() {\n # Check AS3 Ready\n count=0\n while [ $count -le 4 ]\n do\n #as3Status=$(curl -i -u \"$CREDS\" $local_host$as3CheckUrl | grep HTTP | awk '{print $2}')\n as3Status=$(restcurl -u \"$CREDS\" -X GET $as3CheckUrl | jq -r .code)\n if [ \"$as3Status\" == \"null\" ] || [ -z \"$as3Status\" ]; then\n type=$(restcurl -u \"$CREDS\" -X GET $as3CheckUrl | jq -r type )\n if [ \"$type\" == \"object\" ]; then\n as3Status=\"200\"\n fi\n fi\n if [[ $as3Status == \"200\" ]]; then\n version=$(restcurl -u \"$CREDS\" -X GET $as3CheckUrl | jq -r .version)\n echo \"As3 $version online \"\n break\n elif [[ $as3Status == \"404\" ]]; then\n echo \"AS3 Status $as3Status\"\n bigstart restart restnoded\n sleep 30\n bigstart status restnoded | grep running\n status=$?\n echo \"restnoded:$status\"\n else\n echo \"AS3 Status $as3Status\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\nfunction checkTS() {\n # Check TS Ready\n count=0\n while [ $count -le 4 ]\n do\n tsStatus=$(curl -si -u \"$CREDS\" http://localhost:8100$tsCheckUrl | grep HTTP | awk '{print $2}')\n if [[ $tsStatus == \"200\" ]]; then\n version=$(restcurl -u \"$CREDS\" -X GET $tsCheckUrl | jq -r .version)\n echo \"Telemetry Streaming $version online \"\n break\n else\n echo \"TS Status $tsStatus\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\nfunction checkCF() {\n # Check CF Ready\n count=0\n while [ $count -le 4 ]\n do\n cfStatus=$(curl -si -u \"$CREDS\" $local_host$cfCheckUrl | grep HTTP | awk '{print $2}')\n if [[ $cfStatus == \"200\" ]]; then\n version=$(restcurl -u \"$CREDS\" -X GET $cfCheckUrl | jq -r .version)\n echo \"Cloud failover $version online \"\n break\n else\n echo \"Cloud Failover Status $tsStatus\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\nfunction checkFAST() {\n # Check FAST Ready\n count=0\n while [ $count -le 4 ]\n do\n fastStatus=$(curl -si -u \"$CREDS\" $local_host$fastCheckUrl | grep HTTP | awk '{print $2}')\n if [[ \"$fastStatus\" == \"200\" ]]; then\n version=$(restcurl -u \"$CREDS\" -X GET $fastCheckUrl | jq -r .version)\n echo \"FAST $version online \"\n break\n else\n echo \"FAST Status $fastStatus\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\n### check for apis online\nfunction checkATC() {\n doStatus=$(checkDO)\n as3Status=$(checkAS3)\n tsStatus=$(checkTS)\n cfStatus=$(checkCF)\n fastStatus=$(checkFAST)\n if [[ $doStatus == *\"online\"* ]] \u0026\u0026 [[ \"$as3Status\" = *\"online\"* ]] \u0026\u0026 [[ $tsStatus == *\"online\"* ]] \u0026\u0026 [[ $cfStatus == *\"online\"* ]] \u0026\u0026 [[ $fastStatus == *\"online\"* ]] ; then\n echo \"ATC is ready to accept API calls\"\n else\n echo \"ATC install failed or ATC is not ready to accept API calls\"\n fi\n}\necho \"----checking ATC install----\"\ncheckATC\nfunction runDO() {\ncount=0\nwhile [ $count -le 4 ]\n do\n # make task\n task=$(curl -s -u $CREDS -H \"Content-Type: Application/json\" -H 'Expect:' -X POST $local_host$doUrl -d @/config/$1 | jq -r .id)\n echo \"====== starting DO task: $task ==========\"\n sleep 1\n count=$[$count+1]\n # check task code\n taskCount=0\n while [ $taskCount -le 10 ]\n do\n doCodeType=$(curl -s -u $CREDS -X GET $local_host$doTaskUrl/$task | jq -r type )\n if [[ \"$doCodeType\" == \"object\" ]]; then\n code=$(curl -s -u $CREDS -X GET $local_host$doTaskUrl/$task | jq .result.code)\n echo \"object: $code\"\n elif [ \"$doCodeType\" == \"array\" ]; then\n echo \"array $code check task, breaking\"\n break\n else\n echo \"unknown type: $doCodeType\"\n debug=$(curl -s -u $CREDS -X GET $local_host$doTaskUrl/$task)\n echo \"other debug: $debug\"\n code=$(curl -s -u $CREDS -X GET $local_host$doTaskUrl/$task | jq .result.code)\n fi\n sleep 1\n if jq -e . \u003e/dev/null 2\u003e\u00261 \u003c\u003c\u003c\"$code\"; then\n echo \"Parsed JSON successfully and got something other than false/null count: $taskCount\"\n status=$(curl -s -u $CREDS $local_host$doTaskUrl/$task | jq -r .result.status)\n sleep 1\n echo \"status: $status code: $code\"\n # 200,202,422,400,404,500,422\n echo \"DO: $task response:$code status:$status\"\n sleep 1\n #FINISHED,STARTED,RUNNING,ROLLING_BACK,FAILED,ERROR,NULL\n case $status in\n FINISHED)\n # finished\n echo \" $task status: $status \"\n # bigstart start dhclient\n break 2\n ;;\n STARTED)\n # started\n echo \" $filename status: $status \"\n sleep 30\n ;;\n RUNNING)\n # running\n echo \"DO Status: $status task: $task Not done yet...count:$taskCount\"\n # wait for active-online-state\n waitMcpd\n if [[ \"$taskCount\" -le 5 ]]; then\n sleep 60\n fi\n waitActive\n #sleep 120\n taskCount=$[$taskCount+1]\n ;;\n FAILED)\n # failed\n error=$(curl -s -u $CREDS $local_host$doTaskUrl/$task | jq -r .result.status)\n echo \"failed $task, $error\"\n #count=$[$count+1]\n break\n ;;\n ERROR)\n # error\n error=$(curl -s -u $CREDS $local_host$doTaskUrl/$task | jq -r .result.status)\n echo \"Error $task, $error\"\n #count=$[$count+1]\n break\n ;;\n ROLLING_BACK)\n # Rolling back\n echo \"Rolling back failed status: $status task: $task\"\n break\n ;;\n OK)\n # complete no change\n echo \"Complete no change status: $status task: $task\"\n break 2\n ;;\n *)\n # other\n echo \"other: $status\"\n echo \"other task: $task count: $taskCount\"\n debug=$(curl -s -u $CREDS $local_host$doTaskUrl/$task)\n echo \"other debug: $debug\"\n case $debug in\n *not*registered*)\n # restnoded response DO api is unresponsive\n echo \"DO endpoint not avaliable waiting...\"\n sleep 30\n ;;\n *resterrorresponse*)\n # restnoded response DO api is unresponsive\n echo \"DO endpoint not avaliable waiting...\"\n sleep 30\n ;;\n *start-limit*)\n # dhclient issue hit\n echo \" do dhclient starting issue hit start another task\"\n break\n ;;\n esac\n sleep 30\n taskCount=$[$taskCount+1]\n ;;\n esac\n else\n echo \"Failed to parse JSON, or got false/null\"\n echo \"DO status code: $code\"\n debug=$(curl -s -u $CREDS $local_host$doTaskUrl/$task)\n echo \"debug DO code: $debug\"\n count=$[$count+1]\n fi\n done\ndone\n}\n# mgmt\necho \"set management\"\necho -e \"create cli transaction;\nmodify sys global-settings mgmt-dhcp disabled;\nsubmit cli transaction\" | tmsh -q\ntmsh save /sys config\n# get as3 values\nexternalVip=$(curl -sf --retry 20 -H Metadata:true \"http://169.254.169.254/metadata/instance/network/interface?api-version=2017-08-01\" | jq -r '.[1].ipv4.ipAddress[1].privateIpAddress')\n\n# end get values\n\n# run DO\necho \"----run do----\"\ncount=0\nwhile [ $count -le 4 ]\n do\n doStatus=$(checkDO)\n echo \"DO check status: $doStatus\"\n if [ $deviceId == 1 ] \u0026\u0026 [[ \"$doStatus\" = *\"online\"* ]]; then\n echo \"running do for id:$deviceId\"\n bigstart stop dhclient\n runDO do1.json\n if [ \"$?\" == 0 ]; then\n echo \"done with do\"\n bigstart start dhclient\n results=$(restcurl -u $CREDS -X GET $doTaskUrl | jq '.[] | .id, .result')\n echo \"do results: $results\"\n break\n fi\n elif [ $deviceId == 2 ] \u0026\u0026 [[ \"$doStatus\" = *\"online\"* ]]; then\n echo \"running do for id:$deviceId\"\n bigstart stop dhclient\n runDO do2.json\n if [ \"$?\" == 0 ]; then\n echo \"done with do\"\n bigstart start dhclient\n results=$(restcurl -u $CREDS -X GET $doTaskUrl | jq '.[] | .id, .result')\n echo \"do results: $results\"\n break\n fi\n elif [ $count -le 2 ]; then\n echo \"DeviceID: $deviceId Status code: $doStatus DO not ready yet...\"\n count=$[$count+1]\n sleep 30\n else\n echo \"DO not online status: $doStatus\"\n break\n fi\ndone\nfunction runAS3 () {\n count=0\n while [ $count -le 4 ]\n do\n # wait for do to finish\n waitActive\n # make task\n task=$(curl -s -u $CREDS -H \"Content-Type: Application/json\" -H 'Expect:' -X POST $local_host$as3Url?async=true -d @/config/as3.json | jq -r .id)\n echo \"===== starting as3 task: $task =====\"\n sleep 1\n count=$[$count+1]\n # check task code\n taskCount=0\n while [ $taskCount -le 3 ]\n do\n as3CodeType=$(curl -s -u $CREDS -X GET $local_host$as3TaskUrl/$task | jq -r type )\n if [[ \"$as3CodeType\" == \"object\" ]]; then\n code=$(curl -s -u $CREDS -X GET $local_host$as3TaskUrl/$task | jq -r .)\n tenants=$(curl -s -u $CREDS -X GET $local_host$as3TaskUrl/$task | jq -r .results[].tenant)\n echo \"object: $code\"\n elif [ \"$as3CodeType\" == \"array\" ]; then\n echo \"array $code check task, breaking\"\n break\n else\n echo \"unknown type:$as3CodeType\"\n fi\n sleep 1\n if jq -e . \u003e/dev/null 2\u003e\u00261 \u003c\u003c\u003c\"$code\"; then\n echo \"Parsed JSON successfully and got something other than false/null\"\n status=$(curl -s -u $CREDS $local_host$as3TaskUrl/$task | jq -r .items[].results[].message)\n case $status in\n *progress)\n # in progress\n echo -e \"Running: $task status: $status tenants: $tenants count: $taskCount \"\n sleep 120\n taskCount=$[$taskCount+1]\n ;;\n *Error*)\n # error\n echo -e \"Error Task: $task status: $status tenants: $tenants \"\n if [[ \"$status\" = *\"progress\"* ]]; then\n sleep 180\n break\n else\n break\n fi\n ;;\n *failed*)\n # failed\n echo -e \"failed: $task status: $status tenants: $tenants \"\n break\n ;;\n *success*)\n # successful!\n echo -e \"success: $task status: $status tenants: $tenants \"\n break 3\n ;;\n no*change)\n # finished\n echo -e \"no change: $task status: $status tenants: $tenants \"\n break 4\n ;;\n *)\n # other\n echo \"status: $status\"\n debug=$(curl -s -u $CREDS $local_host$as3TaskUrl/$task)\n echo \"debug: $debug\"\n error=$(curl -s -u $CREDS $local_host$as3TaskUrl/$task | jq -r '.results[].message')\n echo \"Other: $task, $error\"\n break\n ;;\n esac\n else\n echo \"Failed to parse JSON, or got false/null\"\n echo \"AS3 status code: $code\"\n debug=$(curl -s -u $CREDS $local_host$doTaskUrl/$task)\n echo \"debug AS3 code: $debug\"\n count=$[$count+1]\n fi\n done\n done\n}\n\n# modify as3\n#sdToken=$(echo \"$token\" | base64)\nsed -i \"s/-external-virtual-address-/$externalVip/g\" /config/as3.json\n#sed -i \"s/-sd-sa-token-b64-/$token/g\" /config/as3.json\n# end modify as3\n\n# metadata route\necho -e 'create cli transaction;\nmodify sys db config.allow.rfc3927 value enable;\ncreate sys management-route metadata-route network 169.254.169.254/32 gateway 10.90.0.1;\nsubmit cli transaction' | tmsh -q\ntmsh save /sys config\n# add management route with metric 0 for the win\nroute add -net default gw 10.90.0.1 netmask 0.0.0.0 dev mgmt metric 0\n# run as3\ncount=0\nwhile [ $count -le 4 ]\ndo\n as3Status=$(checkAS3)\n echo \"AS3 check status: $as3Status\"\n if [[ \"$as3Status\" == *\"online\"* ]]; then\n if [ $deviceId == 1 ]; then\n echo \"running as3\"\n runAS3\n echo \"done with as3\"\n results=$(restcurl -u $CREDS $as3TaskUrl | jq '.items[] | .id, .results')\n echo \"as3 results: $results\"\n break\n else\n echo \"Not posting as3 device $deviceid not primary\"\n break\n fi\n elif [ $count -le 2 ]; then\n echo \"Status code: $as3Status As3 not ready yet...\"\n count=$[$count+1]\n else\n echo \"As3 API Status $as3Status\"\n break\n fi\ndone\n#\n#\n# cleanup\n## remove declarations\n# rm -f /config/do1.json\n# rm -f /config/do2.json\n# rm -f /config/as3.json\n## disable/replace default admin account\n# echo -e \"create cli transaction;\n# modify /sys db systemauth.primaryadminuser value $admin_username;\n# submit cli transaction\" | tmsh -q\ntmsh save sys config\necho \"timestamp end: $(date)\"\necho \"setup complete $(timer \"$(($(date +%s) - $startTime))\")\"\nexit\n",
+ "template": "#!/bin/bash\n#\n# vars\n#\n# get device id for do\ndeviceId=$1\n#\nadmin_username='${uname}'\nadmin_password='${upassword}'\nCREDS=\"$admin_username:$admin_password\"\nLOG_FILE=${onboard_log}\n# constants\nmgmt_port=`tmsh list sys httpd ssl-port | grep ssl-port | sed 's/ssl-port //;s/ //g'`\nauthUrl=\"/mgmt/shared/authn/login\"\nrpmInstallUrl=\"/mgmt/shared/iapp/package-management-tasks\"\nrpmFilePath=\"/var/config/rest/downloads\"\nlocal_host=\"http://localhost:8100\"\n# do\ndoUrl=\"/mgmt/shared/declarative-onboarding\"\ndoCheckUrl=\"/mgmt/shared/declarative-onboarding/info\"\ndoTaskUrl=\"/mgmt/shared/declarative-onboarding/task\"\n# as3\nas3Url=\"/mgmt/shared/appsvcs/declare\"\nas3CheckUrl=\"/mgmt/shared/appsvcs/info\"\nas3TaskUrl=\"/mgmt/shared/appsvcs/task/\"\n# ts\ntsUrl=\"/mgmt/shared/telemetry/declare\"\ntsCheckUrl=\"/mgmt/shared/telemetry/info\"\n# cloud failover ext\ncfUrl=\"/mgmt/shared/cloud-failover/declare\"\ncfCheckUrl=\"/mgmt/shared/cloud-failover/info\"\n# fast\nfastCheckUrl=\"/mgmt/shared/fast/info\"\n# declaration content\ncat \u003e /config/do1.json \u003c\u003cEOF\n${DO1_Document}\nEOF\ncat \u003e /config/do2.json \u003c\u003cEOF\n${DO2_Document}\nEOF\ncat \u003e /config/as3.json \u003c\u003cEOF\n${AS3_Document}\nEOF\n\nDO_BODY_01=\"/config/do1.json\"\nDO_BODY_02=\"/config/do2.json\"\nAS3_BODY=\"/config/as3.json\"\n\nDO_URL_POST=\"/mgmt/shared/declarative-onboarding\"\nAS3_URL_POST=\"/mgmt/shared/appsvcs/declare\"\n# BIG-IPS ONBOARD SCRIPT\n\n\nif [ ! -e $LOG_FILE ]\nthen\n touch $LOG_FILE\n exec \u0026\u003e\u003e$LOG_FILE\nelse\n #if file exists, exit as only want to run once\n exit\nfi\n\nexec 1\u003e$LOG_FILE 2\u003e\u00261\n\nstartTime=$(date +%s)\necho \"start device ID:$deviceId date: $(date)\"\nfunction timer () {\n echo \"Time Elapsed: $(( ${1} / 3600 ))h $(( (${1} / 60) % 60 ))m $(( ${1} % 60 ))s\"\n}\nwaitMcpd () {\nchecks=0\nwhile [[ \"$checks\" -lt 120 ]]; do\n tmsh -a show sys mcp-state field-fmt | grep -q running\n if [ $? == 0 ]; then\n echo \"[INFO: mcpd ready]\"\n break\n fi\n echo \"[WARN: mcpd not ready yet]\"\n let checks=checks+1\n sleep 10\ndone\n}\nwaitActive () {\nchecks=0\nwhile [[ \"$checks\" -lt 30 ]]; do\n tmsh -a show sys ready | grep -q no\n if [ $? == 1 ]; then\n echo \"[INFO: system ready]\"\n break\n fi\n echo \"[WARN: system not ready yet count: $checks]\"\n tmsh -a show sys ready | grep no\n let checks=checks+1\n sleep 10\ndone\n}\n# CHECK TO SEE NETWORK IS READY\ncount=0\nwhile true\ndo\n STATUS=$(curl -s -k -I example.com | grep HTTP)\n if [[ $STATUS == *\"200\"* ]]; then\n echo \"[INFO: internet access check passed]\"\n break\n elif [ $count -le 6 ]; then\n echo \"Status code: $STATUS Not done yet...\"\n count=$[$count+1]\n else\n echo \"[WARN: GIVE UP...]\"\n break\n fi\n sleep 10\ndone\n# download latest atc tools\ntoolsList=$(cat -\u003c\u003cEOF\n{\n \"tools\": [\n {\n \"name\": \"f5-declarative-onboarding\",\n \"version\": \"${doVersion}\",\n \"url\": \"${doExternalDeclarationUrl}\"\n },\n {\n \"name\": \"f5-appsvcs-extension\",\n \"version\": \"${as3Version}\",\n \"url\": \"${as3ExternalDeclarationUrl}\"\n },\n {\n \"name\": \"f5-telemetry-streaming\",\n \"version\": \"${tsVersion}\",\n \"url\": \"${tsExternalDeclarationUrl}\"\n },\n {\n \"name\": \"f5-cloud-failover-extension\",\n \"version\": \"${cfVersion}\",\n \"url\": \"${cfExternalDeclarationUrl}\"\n },\n {\n \"name\": \"f5-appsvcs-templates\",\n \"version\": \"${fastVersion}\",\n \"url\": \"${cfExternalDeclarationUrl}\"\n }\n ]\n}\nEOF\n)\nfunction getAtc () {\natc=$(echo $toolsList | jq -r .tools[].name)\nfor tool in $atc\ndo\n version=$(echo $toolsList | jq -r \".tools[]| select(.name| contains (\\\"$tool\\\")).version\")\n if [ $version == \"latest\" ]; then\n path=''\n else\n path='tags/v'\n fi\n echo \"downloading $tool, $version\"\n if [ $tool == \"f5-new-tool\" ]; then\n files=$(/usr/bin/curl -sk --interface mgmt https://api.github.com/repos/f5devcentral/$tool/releases/$path$version | jq -r '.assets[] | select(.name | contains (\".rpm\")) | .browser_download_url')\n else\n files=$(/usr/bin/curl -sk --interface mgmt https://api.github.com/repos/F5Networks/$tool/releases/$path$version | jq -r '.assets[] | select(.name | contains (\".rpm\")) | .browser_download_url')\n fi\n for file in $files\n do\n echo \"download: $file\"\n name=$(basename $file )\n # make download dir\n mkdir -p /var/config/rest/downloads\n result=$(/usr/bin/curl -Lsk $file -o /var/config/rest/downloads/$name)\n done\ndone\n}\necho \"----download ATC tools----\"\ngetAtc\n\n# install atc tools\necho \"----install ATC tools----\"\nrpms=$(find $rpmFilePath -name \"*.rpm\" -type f)\nfor rpm in $rpms\ndo\n filename=$(basename $rpm)\n echo \"installing $filename\"\n if [ -f $rpmFilePath/$filename ]; then\n postBody=\"{\\\"operation\\\":\\\"INSTALL\\\",\\\"packageFilePath\\\":\\\"$rpmFilePath/$filename\\\"}\"\n while true\n do\n iappApiStatus=$(curl -s -i -u \"$CREDS\" $local_host$rpmInstallUrl | grep HTTP | awk '{print $2}')\n case $iappApiStatus in\n 404)\n echo \"[WARN: api not ready status: $iappApiStatus]\"\n sleep 2\n ;;\n 200)\n echo \"[INFO: api ready starting install task $filename]\"\n install=$(restcurl -s -u \"$CREDS\" -X POST -d $postBody $rpmInstallUrl | jq -r .id )\n break\n ;;\n *)\n echo \"[WARN: api error other status: $iappApiStatus]\"\n debug=$(restcurl -u \"$CREDS\" $rpmInstallUrl)\n #echo \"ipp install debug: $debug\"\n ;;\n esac\n done\n else\n echo \"[WARN: file: $filename not found]\"\n fi\n while true\n do\n status=$(restcurl -u \"$CREDS\" $rpmInstallUrl/$install | jq -r .status)\n case $status in\n FINISHED)\n # finished\n echo \" rpm: $filename task: $install status: $status\"\n break\n ;;\n STARTED)\n # started\n echo \" rpm: $filename task: $install status: $status\"\n ;;\n RUNNING)\n # running\n echo \" rpm: $filename task: $install status: $status\"\n ;;\n FAILED)\n # failed\n error=$(restcurl -u \"$CREDS\" $rpmInstallUrl/$install | jq .errorMessage)\n echo \"failed $filename task: $install error: $error\"\n break\n ;;\n *)\n # other\n debug=$(restcurl -u \"$CREDS\" $rpmInstallUrl/$install | jq . )\n echo \"failed $filename task: $install error: $debug\"\n ;;\n esac\n sleep 2\n done\ndone\nfunction getDoStatus() {\n task=$1\n doStatusType=$(restcurl -u \"$CREDS\" -X GET $doTaskUrl/$task | jq -r type )\n if [ \"$doStatusType\" == \"object\" ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doTaskUrl/$task | jq -r .result.status)\n echo $doStatus\n elif [ \"$doStatusType\" == \"array\" ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doTaskUrl/$task | jq -r .[].result.status)\n echo \"[INFO: $doStatus]\"\n else\n echo \"[WARN: unknown type:$doStatusType]\"\n fi\n}\nfunction checkDO() {\n # Check DO Ready\n count=0\n while [ $count -le 4 ]\n do\n #doStatus=$(curl -i -u \"$CREDS\" $local_host$doCheckUrl | grep HTTP | awk '{print $2}')\n doStatusType=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r type )\n if [ \"$doStatusType\" == \"object\" ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .code)\n if [ $? == 1 ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .result.code)\n fi\n elif [ \"$doStatusType\" == \"array\" ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .[].result.code)\n else\n echo \"[WARN: unknown type:$doStatusType]\"\n fi\n #echo \"status $doStatus\"\n if [[ $doStatus == \"200\" ]]; then\n #version=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .version)\n version=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .[].version)\n echo \"[INFO: Declarative Onboarding $version online]\"\n break\n elif [[ $doStatus == \"404\" ]]; then\n echo \"DO Status: $doStatus\"\n bigstart restart restnoded\n sleep 30\n bigstart status restnoded | grep running\n status=$?\n echo \"restnoded:$status\"\n else\n echo \"[WARN: DO Status $doStatus]\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\nfunction checkAS3() {\n # Check AS3 Ready\n count=0\n while [ $count -le 4 ]\n do\n #as3Status=$(curl -i -u \"$CREDS\" $local_host$as3CheckUrl | grep HTTP | awk '{print $2}')\n as3Status=$(restcurl -u \"$CREDS\" -X GET $as3CheckUrl | jq -r .code)\n if [ \"$as3Status\" == \"null\" ] || [ -z \"$as3Status\" ]; then\n type=$(restcurl -u \"$CREDS\" -X GET $as3CheckUrl | jq -r type )\n if [ \"$type\" == \"object\" ]; then\n as3Status=\"200\"\n fi\n fi\n if [[ $as3Status == \"200\" ]]; then\n version=$(restcurl -u \"$CREDS\" -X GET $as3CheckUrl | jq -r .version)\n echo \"As3 $version online \"\n break\n elif [[ $as3Status == \"404\" ]]; then\n echo \"AS3 Status $as3Status\"\n bigstart restart restnoded\n sleep 30\n bigstart status restnoded | grep running\n status=$?\n echo \"restnoded:$status\"\n else\n echo \"AS3 Status $as3Status\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\nfunction checkTS() {\n # Check TS Ready\n count=0\n while [ $count -le 4 ]\n do\n tsStatus=$(curl -si -u \"$CREDS\" http://localhost:8100$tsCheckUrl | grep HTTP | awk '{print $2}')\n if [[ $tsStatus == \"200\" ]]; then\n version=$(restcurl -u \"$CREDS\" -X GET $tsCheckUrl | jq -r .version)\n echo \"Telemetry Streaming $version online \"\n break\n else\n echo \"TS Status $tsStatus\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\nfunction checkCF() {\n # Check CF Ready\n count=0\n while [ $count -le 4 ]\n do\n cfStatus=$(curl -si -u \"$CREDS\" $local_host$cfCheckUrl | grep HTTP | awk '{print $2}')\n if [[ $cfStatus == \"200\" ]]; then\n version=$(restcurl -u \"$CREDS\" -X GET $cfCheckUrl | jq -r .version)\n echo \"Cloud failover $version online \"\n break\n else\n echo \"Cloud Failover Status $tsStatus\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\nfunction checkFAST() {\n # Check FAST Ready\n count=0\n while [ $count -le 4 ]\n do\n fastStatus=$(curl -si -u \"$CREDS\" $local_host$fastCheckUrl | grep HTTP | awk '{print $2}')\n if [[ \"$fastStatus\" == \"200\" ]]; then\n version=$(restcurl -u \"$CREDS\" -X GET $fastCheckUrl | jq -r .version)\n echo \"FAST $version online \"\n break\n else\n echo \"FAST Status $fastStatus\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\n### check for apis online\nfunction checkATC() {\n doStatus=$(checkDO)\n as3Status=$(checkAS3)\n tsStatus=$(checkTS)\n cfStatus=$(checkCF)\n fastStatus=$(checkFAST)\n if [[ $doStatus == *\"online\"* ]] \u0026\u0026 [[ \"$as3Status\" = *\"online\"* ]] \u0026\u0026 [[ $tsStatus == *\"online\"* ]] \u0026\u0026 [[ $cfStatus == *\"online\"* ]] \u0026\u0026 [[ $fastStatus == *\"online\"* ]] ; then\n echo \"ATC is ready to accept API calls\"\n else\n echo \"ATC install failed or ATC is not ready to accept API calls\"\n fi\n}\necho \"----checking ATC install----\"\ncheckATC\nfunction runDO() {\ncount=0\nwhile [ $count -le 4 ]\n do\n # make task\n task=$(curl -s -u $CREDS -H \"Content-Type: Application/json\" -H 'Expect:' -X POST $local_host$doUrl -d @/config/$1 | jq -r .id)\n echo \"====== starting DO task: $task ==========\"\n sleep 1\n count=$[$count+1]\n # check task code\n taskCount=0\n while [ $taskCount -le 10 ]\n do\n doCodeType=$(curl -s -u $CREDS -X GET $local_host$doTaskUrl/$task | jq -r type )\n if [[ \"$doCodeType\" == \"object\" ]]; then\n code=$(curl -s -u $CREDS -X GET $local_host$doTaskUrl/$task | jq .result.code)\n echo \"object: $code\"\n elif [ \"$doCodeType\" == \"array\" ]; then\n echo \"array $code check task, breaking\"\n break\n else\n echo \"unknown type: $doCodeType\"\n debug=$(curl -s -u $CREDS -X GET $local_host$doTaskUrl/$task)\n echo \"other debug: $debug\"\n code=$(curl -s -u $CREDS -X GET $local_host$doTaskUrl/$task | jq .result.code)\n fi\n sleep 1\n if jq -e . \u003e/dev/null 2\u003e\u00261 \u003c\u003c\u003c\"$code\"; then\n echo \"Parsed JSON successfully and got something other than false/null count: $taskCount\"\n status=$(curl -s -u $CREDS $local_host$doTaskUrl/$task | jq -r .result.status)\n sleep 1\n echo \"status: $status code: $code\"\n # 200,202,422,400,404,500,422\n echo \"DO: $task response:$code status:$status\"\n sleep 1\n #FINISHED,STARTED,RUNNING,ROLLING_BACK,FAILED,ERROR,NULL\n case $status in\n FINISHED)\n # finished\n echo \" $task status: $status \"\n # bigstart start dhclient\n break 2\n ;;\n STARTED)\n # started\n echo \" $filename status: $status \"\n sleep 30\n ;;\n RUNNING)\n # running\n echo \"DO Status: $status task: $task Not done yet...count:$taskCount\"\n # wait for active-online-state\n waitMcpd\n if [[ \"$taskCount\" -le 5 ]]; then\n sleep 60\n fi\n waitActive\n #sleep 120\n taskCount=$[$taskCount+1]\n ;;\n FAILED)\n # failed\n error=$(curl -s -u $CREDS $local_host$doTaskUrl/$task | jq -r .result.status)\n echo \"failed $task, $error\"\n #count=$[$count+1]\n break\n ;;\n ERROR)\n # error\n error=$(curl -s -u $CREDS $local_host$doTaskUrl/$task | jq -r .result.status)\n echo \"Error $task, $error\"\n #count=$[$count+1]\n break\n ;;\n ROLLING_BACK)\n # Rolling back\n echo \"Rolling back failed status: $status task: $task\"\n break\n ;;\n OK)\n # complete no change\n echo \"Complete no change status: $status task: $task\"\n break 2\n ;;\n *)\n # other\n echo \"other: $status\"\n echo \"other task: $task count: $taskCount\"\n debug=$(curl -s -u $CREDS $local_host$doTaskUrl/$task)\n echo \"other debug: $debug\"\n case $debug in\n *not*registered*)\n # restnoded response DO api is unresponsive\n echo \"DO endpoint not avaliable waiting...\"\n sleep 30\n ;;\n *resterrorresponse*)\n # restnoded response DO api is unresponsive\n echo \"DO endpoint not avaliable waiting...\"\n sleep 30\n ;;\n *start-limit*)\n # dhclient issue hit\n echo \" do dhclient starting issue hit start another task\"\n break\n ;;\n esac\n sleep 30\n taskCount=$[$taskCount+1]\n ;;\n esac\n else\n echo \"Failed to parse JSON, or got false/null\"\n echo \"DO status code: $code\"\n debug=$(curl -s -u $CREDS $local_host$doTaskUrl/$task)\n echo \"debug DO code: $debug\"\n count=$[$count+1]\n fi\n done\ndone\n}\n# mgmt\necho \"set management\"\necho -e \"create cli transaction;\nmodify sys global-settings mgmt-dhcp disabled;\nsubmit cli transaction\" | tmsh -q\ntmsh save /sys config\n# get as3 values\nexternalVip=$(curl -sf --retry 20 -H Metadata:true \"http://169.254.169.254/metadata/instance/network/interface?api-version=2017-08-01\" | jq -r '.[1].ipv4.ipAddress[1].privateIpAddress')\n\n# end get values\n\n# run DO\necho \"----run do----\"\ncount=0\nwhile [ $count -le 4 ]\n do\n doStatus=$(checkDO)\n echo \"DO check status: $doStatus\"\n if [ $deviceId == 1 ] \u0026\u0026 [[ \"$doStatus\" = *\"online\"* ]]; then\n echo \"running do for id:$deviceId\"\n bigstart stop dhclient\n runDO do1.json\n if [ \"$?\" == 0 ]; then\n echo \"done with do\"\n bigstart start dhclient\n results=$(restcurl -u $CREDS -X GET $doTaskUrl | jq '.[] | .id, .result')\n echo \"do results: $results\"\n break\n fi\n elif [ $deviceId == 2 ] \u0026\u0026 [[ \"$doStatus\" = *\"online\"* ]]; then\n echo \"running do for id:$deviceId\"\n bigstart stop dhclient\n runDO do2.json\n if [ \"$?\" == 0 ]; then\n echo \"done with do\"\n bigstart start dhclient\n results=$(restcurl -u $CREDS -X GET $doTaskUrl | jq '.[] | .id, .result')\n echo \"do results: $results\"\n break\n fi\n elif [ $count -le 2 ]; then\n echo \"DeviceID: $deviceId Status code: $doStatus DO not ready yet...\"\n count=$[$count+1]\n sleep 30\n else\n echo \"DO not online status: $doStatus\"\n break\n fi\ndone\nfunction runAS3 () {\n count=0\n while [ $count -le 4 ]\n do\n # wait for do to finish\n waitActive\n # make task\n task=$(curl -s -u $CREDS -H \"Content-Type: Application/json\" -H 'Expect:' -X POST $local_host$as3Url?async=true -d @/config/as3.json | jq -r .id)\n echo \"===== starting as3 task: $task =====\"\n sleep 1\n count=$[$count+1]\n # check task code\n taskCount=0\n while [ $taskCount -le 3 ]\n do\n as3CodeType=$(curl -s -u $CREDS -X GET $local_host$as3TaskUrl/$task | jq -r type )\n if [[ \"$as3CodeType\" == \"object\" ]]; then\n code=$(curl -s -u $CREDS -X GET $local_host$as3TaskUrl/$task | jq -r .)\n tenants=$(curl -s -u $CREDS -X GET $local_host$as3TaskUrl/$task | jq -r .results[].tenant)\n echo \"object: $code\"\n elif [ \"$as3CodeType\" == \"array\" ]; then\n echo \"array $code check task, breaking\"\n break\n else\n echo \"unknown type:$as3CodeType\"\n fi\n sleep 1\n if jq -e . \u003e/dev/null 2\u003e\u00261 \u003c\u003c\u003c\"$code\"; then\n echo \"Parsed JSON successfully and got something other than false/null\"\n status=$(curl -s -u $CREDS $local_host$as3TaskUrl/$task | jq -r .items[].results[].message)\n case $status in\n *progress)\n # in progress\n echo -e \"Running: $task status: $status tenants: $tenants count: $taskCount \"\n sleep 120\n taskCount=$[$taskCount+1]\n ;;\n *Error*)\n # error\n echo -e \"Error Task: $task status: $status tenants: $tenants \"\n if [[ \"$status\" = *\"progress\"* ]]; then\n sleep 180\n break\n else\n break\n fi\n ;;\n *failed*)\n # failed\n echo -e \"failed: $task status: $status tenants: $tenants \"\n break\n ;;\n *success*)\n # successful!\n echo -e \"success: $task status: $status tenants: $tenants \"\n break 3\n ;;\n no*change)\n # finished\n echo -e \"no change: $task status: $status tenants: $tenants \"\n break 4\n ;;\n *)\n # other\n echo \"status: $status\"\n debug=$(curl -s -u $CREDS $local_host$as3TaskUrl/$task)\n echo \"debug: $debug\"\n error=$(curl -s -u $CREDS $local_host$as3TaskUrl/$task | jq -r '.results[].message')\n echo \"Other: $task, $error\"\n break\n ;;\n esac\n else\n echo \"Failed to parse JSON, or got false/null\"\n echo \"AS3 status code: $code\"\n debug=$(curl -s -u $CREDS $local_host$doTaskUrl/$task)\n echo \"debug AS3 code: $debug\"\n count=$[$count+1]\n fi\n done\n done\n}\n\n# modify as3\n#sdToken=$(echo \"$token\" | base64)\nsed -i \"s/-external-virtual-address-/$externalVip/g\" /config/as3.json\n#sed -i \"s/-sd-sa-token-b64-/$token/g\" /config/as3.json\n# end modify as3\n\n# metadata route\necho -e 'create cli transaction;\nmodify sys db config.allow.rfc3927 value enable;\ncreate sys management-route metadata-route network 169.254.169.254/32 gateway ${mgmtGateway};\nsubmit cli transaction' | tmsh -q\ntmsh save /sys config\n# add management route with metric 0 for the win\nroute add -net default gw ${mgmtGateway} netmask 0.0.0.0 dev mgmt metric 0\n# run as3\ncount=0\nwhile [ $count -le 4 ]\ndo\n as3Status=$(checkAS3)\n echo \"AS3 check status: $as3Status\"\n if [[ \"$as3Status\" == *\"online\"* ]]; then\n if [ $deviceId == 1 ]; then\n echo \"running as3\"\n runAS3\n echo \"done with as3\"\n results=$(restcurl -u $CREDS $as3TaskUrl | jq '.items[] | .id, .results')\n echo \"as3 results: $results\"\n break\n else\n echo \"Not posting as3 device $deviceid not primary\"\n break\n fi\n elif [ $count -le 2 ]; then\n echo \"Status code: $as3Status As3 not ready yet...\"\n count=$[$count+1]\n else\n echo \"As3 API Status $as3Status\"\n break\n fi\ndone\n#\n#\n# cleanup\n## remove declarations\n# rm -f /config/do1.json\n# rm -f /config/do2.json\n# rm -f /config/as3.json\n## disable/replace default admin account\n# echo -e \"create cli transaction;\n# modify /sys db systemauth.primaryadminuser value $admin_username;\n# submit cli transaction\" | tmsh -q\ntmsh save sys config\necho \"timestamp end: $(date)\"\necho \"setup complete $(timer \"$(($(date +%s) - $startTime))\")\"\nexit\n",
+ "vars": {
+ "AS3_Document": "{\n \"$schema\": \"https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json\",\n \"class\":\"AS3\",\n \"action\":\"deploy\",\n \"persist\":true,\n \"declaration\": { \n \"class\": \"ADC\",\n \"schemaVersion\": \"3.12.0\",\n \"id\": \"05faeb52-4c1b-9fa3-73be-ecd770a57df0\",\n \"label\": \"scca baseline\",\n \"remark\": \"scca baseline 3.12.0\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"Shared\": {\n \"class\": \"Application\",\n \"template\": \"shared\",\n \"fwLogDestinationSyslog\": {\n \"class\": \"Log_Destination\",\n \"type\": \"remote-syslog\",\n \"remoteHighSpeedLog\": {\n \"use\": \"fwLogDestinationHsl\"\n },\n \"format\": \"rfc5424\"\n },\n \"fwLogDestinationHsl\": {\n \"class\": \"Log_Destination\",\n \"type\": \"remote-high-speed-log\",\n \"protocol\": \"tcp\",\n \"pool\": {\n \"use\": \"hsl_pool\"\n }\n },\n \"hsl_pool\": {\n \"class\": \"Pool\",\n \"members\": [\n {\n \"serverAddresses\": [\n \"10.90.10.101\"\n ],\n \"enable\": true,\n \"servicePort\": 514\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/udp\"\n }\n ]\n },\n \"fwLogPublisher\": {\n \"class\": \"Log_Publisher\",\n \"destinations\": [\n {\n \"use\": \"fwLogDestinationSyslog\"\n }\n ]\n },\n \"fwSecurityLogProfile\": {\n \"class\": \"Security_Log_Profile\",\n \"network\": {\n \"publisher\": {\n \"use\": \"fwLogPublisher\"\n },\n \"storageFormat\": {\n \"fields\": [\n \"action\",\n \"dest-ip\",\n \"dest-port\",\n \"src-ip\",\n \"src-port\"\n ]\n },\n \"logTranslationFields\": true,\n \"logTcpEvents\": true,\n \"logRuleMatchRejects\": true,\n \"logTcpErrors\": true,\n \"logIpErrors\": true,\n \"logRuleMatchDrops\": true,\n \"logRuleMatchAccepts\": true\n },\n \"application\": {\n \"facility\": \"local3\",\n \"storageFilter\": {\n \"requestType\": \"illegal-including-staged-signatures\",\n \"responseCodes\": [\n \"404\",\n \"201\"\n ],\n \"protocols\": [\n \"http\"\n ],\n \"httpMethods\": [\n \"PATCH\",\n \"DELETE\"\n ],\n \"requestContains\": {\n \"searchIn\": \"search-in-request\",\n \"value\": \"The new value\"\n },\n \"loginResults\": [\n \"login-result-unknown\"\n ]\n },\n \"storageFormat\": {\n \"fields\": [\n \"attack_type\",\n \"avr_id\",\n \"headers\",\n \"is_truncated\"\n ],\n \"delimiter\": \".\"\n },\n \"localStorage\": false,\n \"maxEntryLength\": \"10k\",\n \"protocol\": \"udp\",\n \"remoteStorage\": \"remote\",\n \"reportAnomaliesEnabled\": true,\n \"servers\": [\n {\n \"address\": \"10.90.10.101\",\n \"port\": \"514\"\n }\n ]\n },\n \"dosApplication\": {\n \"remotePublisher\": {\n \"use\": \"fwLogPublisher\"\n }\n },\n \"dosNetwork\": {\n \"publisher\": {\n \"use\": \"fwLogPublisher\"\n }\n }\n },\n \"example_response\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"sccaBaselineWAFPolicy\":{\n \"class\": \"WAF_Policy\",\n \"url\": \"https://raw.githubusercontent.com/f5devcentral/f5-asm-policy-templates/master/owasp_ready_template/owasp-auto-tune-v1.1.xml\",\n \"ignoreChanges\": false,\n \"enforcementMode\": \"transparent\"\n },\n \"certificate_default\": {\n \"class\": \"Certificate\",\n \"certificate\": {\n \"bigip\": \"/Common/default.crt\"\n },\n \"privateKey\": {\n \"bigip\": \"/Common/default.key\"\n }\n },\n \"sccaBaselineClientSSL\": {\n \"certificates\": [\n {\n \"certificate\": \"certificate_default\"\n }\n ],\n \"ciphers\": \"HIGH\",\n \"class\": \"TLS_Server\"\n },\n \"sccaBaselineAFMRuleList\":{\n \"class\": \"Firewall_Rule_List\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n }\n ]\n },\n \"sccaBaselineAFMPolicy\": {\n \"class\": \"Firewall_Policy\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n },\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"deny_all\",\n \"protocol\": \"any\"\n }\n ]\n \n },\n \"sccaBaselineAFMPolicyHTTP\": {\n \"class\": \"Firewall_Policy\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n },\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"deny_all\",\n \"protocol\": \"any\"\n }\n ]\n \n }\n }\n },\n \"transit\": {\n \"class\": \"Tenant\",\n \"transit\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"transit_forward\": {\n \"class\": \"Service_Forwarding\",\n \"virtualAddresses\": [\n \"0.0.0.0/0\"\n ],\n \"profileL4\": {\n \"use\": \"route_friendly_fastl4\"\n },\n \"virtualPort\": 0,\n \"forwardingType\": \"ip\",\n \"layer4\": \"any\",\n \"snat\": \"auto\",\n \"translateServerAddress\": false,\n \"translateServerPort\": false,\n \"translateClientPort\": \"preserve-strict\"\n },\n \"route_friendly_fastl4\": {\n \"class\": \"L4_Profile\",\n \"idleTimeout\": 300,\n \"looseClose\": true,\n \"looseInitialization\": true,\n \"resetOnTimeout\": false\n },\n \"transit_health_irule\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"transit_health\": {\n \"class\": \"Service_HTTP\",\n \"layer4\": \"tcp\",\n \"iRules\": [\n \"transit_health_irule\"\n ],\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.2.11\",\n \"10.90.2.12\"\n ],\n \"virtualPort\": 34568,\n \"snat\": \"none\"\n }\n }\n },\n \"mgmt\": {\n \"class\": \"Tenant\",\n \"admin\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"rdp_pool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 3389,\n \"serverAddresses\": [\n \"10.90.3.98\"\n ]\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/tcp_half_open\"\n }\n ],\n \"class\": \"Pool\"\n },\n \"ssh_pool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 22,\n \"serverAddresses\": [\n \"10.90.3.99\"\n ]\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/tcp_half_open\"\n }\n ],\n \"class\": \"Pool\"\n },\n \"mgmt_health_irule\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"mgmt_http\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"iRules\": [\n \"mgmt_health_irule\"\n ],\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 80,\n \"snat\": \"none\"\n },\n \"mgmt_rdp\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"pool\": \"rdp_pool\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_TCP\",\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 3389,\n \"snat\": \"auto\"\n },\n \"mgmt_ssh\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"pool\": \"ssh_pool\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_TCP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 22,\n \"snat\": \"auto\"\n }\n }\n }, \n \"Example\": {\n \"class\": \"Tenant\",\n \"exampleApp\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"sccaBaselineExampleIPS\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": false,\n \"class\": \"Service_TCP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 0,\n \"snat\": \"auto\",\n \"pool\": \"sccaBaselineIPSPool\"\n \n },\n \"sccaBaselineExampleHTTPS\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicyHTTP\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTPS\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"serverTLS\": \"/Common/Shared/sccaBaselineClientSSL\",\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 443,\n \"snat\": \"auto\",\n \"policyWAF\": {\n \"use\": \"/Common/Shared/sccaBaselineWAFPolicy\"\n },\n \"pool\": \"sccaBaselineJuiceShop\"\n }, \n \"sccaBaselineExampleHTTP\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicyHTTP\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 8080,\n \"snat\": \"auto\",\n \"policyWAF\": {\n \"use\": \"/Common/Shared/sccaBaselineWAFPolicy\"\n },\n \"pool\": \"sccaBaselinePimpMyLogs\"\n },\n \"sccaBaselineIPSPool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 443,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineJuiceShop\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 3000,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n\n \"sccaBaselinePimpMyLogs\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 8080,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineDemoAppHttps\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/https\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\":443,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineDemoAppHttp\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\":80,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n }\n }\n }\n }\n}",
+ "DO1_Document": "{\n \"schemaVersion\": \"1.9.0\",\n \"class\": \"Device\",\n \"async\": true,\n \"label\": \"Basic onboarding\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"hostname\": \"f5vm01.example.com\",\n \"dbvars\": {\n \t\"class\": \"DbVariables\",\n \t\"ui.advisory.enabled\": true,\n \t\"ui.advisory.color\": \"green\",\n \"ui.advisory.text\": \"//UNCLASSIFIED//\",\n \"ui.system.preferences.advancedselection\": \"advanced\",\n \"ui.system.preferences.recordsperscreen\": \"100\",\n \"ui.system.preferences.startscreen\": \"network_map\",\n \"ui.users.redirectsuperuserstoauthsummary\": \"true\",\n \"dns.cache\": \"enable\",\n \"config.allow.rfc3927\": \"enable\",\n \"big3d.minimum.tls.version\": \"TLSV1.2\",\n \"liveinstall.checksig\": \"enable\"\n },\n \"RemoteSyslog\": {\n \"class\": \"SyslogRemoteServer\",\n \"host\": \"10.90.10.101\",\n \"localIp\": \"10.90.1.4\",\n \"remotePort\": 514\n },\n \"system\":{\n \"class\": \"System\",\n \"autoCheck\": false,\n \"autoPhonehome\": false,\n \"cliInactivityTimeout\": 900,\n \"consoleInactivityTimeout\": 900,\n \"guiAuditLog\": true,\n \"mcpAuditLog\": \"enable\",\n \"tmshAuditLog\": true\n },\n \"httpd\": {\n \"class\": \"HTTPD\",\n \"maxClients\": \"10\",\n \"authPamIdleTimeout\": \"900\",\n \"sslCiphersuite\": [\"ECDHE-ECDSA-AES256-GCM-SHA384\", \"ECDHE-ECDSA-AES256-SHA384\", \"ECDHE-ECDSA-AES256-SHA\",\"ECDH-ECDSA-AES256-GCM-SHA384\", \"ECDH-ECDSA-AES256-SHA384\", \"ECDH-ECDSA-AES256-SHA\", \"AES256-GCM-SHA384\", \"AES256-SHA256\", \"AES256-SHA\", \"CAMELLIA256-SHA\", \"ECDHE-RSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-SHA256\", \"ECDHE-RSA-AES128-SHA\", \"ECDHE-ECDSA-AES128-SHA\", \"ECDH-ECDSA-AES128-GCM-SHA256\", \"ECDH-ECDSA-AES128-SHA256\", \"ECDH-ECDSA-AES128-SHA\", \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES128-SHA\", \"SEED-SHA\", \"CAMELLIA128-SHA\"],\n \"sslProtocol\": \"all -SSLv2 -SSLv3 -TLSv1\"\n },\n \"sshd\": {\n \"class\": \"SSHD\",\n \"banner\": \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\",\n \"inactivityTimeout\": 900,\n \"ciphers\": [\n \"aes128-ctr\",\n \"aes192-ctr\",\n \"aes256-ctr\"\n ],\n \"loginGraceTime\": 60,\n \"MACS\": [\n \"hmac-sha1\",\n \"hmac-ripemd160\"\n ],\n \"maxAuthTries\": 3,\n \"maxStartups\": \"5\",\n \"protocol\": 2\n },\n \"myDns\": {\n \"class\": \"DNS\",\n \"nameServers\": [\n \"168.63.129.16\",\n \"2001:4860:4860::8844\"\n ],\n \"search\": [\n \"f5.com\"\n ]\n },\n \"myNtp\": {\n \"class\": \"NTP\",\n \"servers\": [\n \"time.nist.gov\",\n \"0.pool.ntp.org\",\n \"1.pool.ntp.org\"\n ],\n \"timezone\": \"UTC\"\n },\n \"myProvisioning\": {\n \"class\": \"Provision\",\n \"ltm\": \"nominal\",\n \"asm\": \"nominal\",\n \"afm\": \"nominal\"\n },\n \"external\": {\n \"class\": \"VLAN\",\n \"tag\": 4094,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.1\",\n \"tagged\": false\n }\n ]\n },\n \"internal\": {\n \"class\": \"VLAN\",\n \"tag\": 4093,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.2\",\n \"tagged\": false\n }\n ]\n },\n \"external-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.1.4/24\",\n \"vlan\": \"external\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internal-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.2.4/24\",\n \"vlan\": \"internal\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internet\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.1.1\",\n \"network\": \"default\",\n \"mtu\": 1500\n },\n \"vdms\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.3.0/24\",\n \"mtu\": 1500\n },\n \"vdss\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.0.0/16\",\n \"mtu\": 1500\n },\n \"configsync\": {\n \"class\": \"ConfigSync\",\n \"configsyncIp\": \"/Common/external-self/address\"\n },\n \"failoverAddress\": {\n \"class\": \"FailoverUnicast\",\n \"address\": \"/Common/external-self/address\"\n },\n \"failoverGroup\": {\n \"class\": \"DeviceGroup\",\n \"type\": \"sync-failover\",\n \"members\": [\n \"f5vm01.example.com\",\n \"f5vm02.example.com\"\n ],\n \"owner\": \"/Common/failoverGroup/members/0\",\n \"autoSync\": true,\n \"saveOnAutoSync\": false,\n \"networkFailover\": true,\n \"fullLoadOnSync\": false,\n \"asmSync\": true\n },\n \"trust\": {\n \"class\": \"DeviceTrust\",\n \"localUsername\": \"xadmin\",\n \"localPassword\": \"pleaseUseVault123!!\",\n \"remoteHost\": \"10.90.1.5\",\n \"remoteUsername\": \"xadmin\",\n \"remotePassword\": \"pleaseUseVault123!!\"\n }\n }\n}",
+ "DO2_Document": "{\n \"schemaVersion\": \"1.9.0\",\n \"class\": \"Device\",\n \"async\": true,\n \"label\": \"Basic onboarding\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"hostname\": \"f5vm02.example.com\",\n \"dbvars\": {\n \t\"class\": \"DbVariables\",\n \t\"ui.advisory.enabled\": true,\n \t\"ui.advisory.color\": \"green\",\n \"ui.advisory.text\": \"//UNCLASSIFIED//\",\n \"ui.system.preferences.advancedselection\": \"advanced\",\n \"ui.system.preferences.recordsperscreen\": \"100\",\n \"ui.system.preferences.startscreen\": \"network_map\",\n \"ui.users.redirectsuperuserstoauthsummary\": \"true\",\n \"dns.cache\": \"enable\",\n \"config.allow.rfc3927\": \"enable\",\n \"big3d.minimum.tls.version\": \"TLSV1.2\",\n \"liveinstall.checksig\": \"enable\"\n },\n \"RemoteSyslog\": {\n \"class\": \"SyslogRemoteServer\",\n \"host\": \"10.90.10.101\",\n \"localIp\": \"10.90.1.5\",\n \"remotePort\": 514\n },\n \"system\":{\n \"class\": \"System\",\n \"autoCheck\": false,\n \"autoPhonehome\": false,\n \"cliInactivityTimeout\": 900,\n \"consoleInactivityTimeout\": 900,\n \"guiAuditLog\": true,\n \"mcpAuditLog\": \"enable\",\n \"tmshAuditLog\": true\n },\n \"httpd\": {\n \"class\": \"HTTPD\",\n \"maxClients\": \"10\",\n \"authPamIdleTimeout\": \"900\",\n \"sslCiphersuite\": [\"ECDHE-ECDSA-AES256-GCM-SHA384\", \"ECDHE-ECDSA-AES256-SHA384\", \"ECDHE-ECDSA-AES256-SHA\",\"ECDH-ECDSA-AES256-GCM-SHA384\", \"ECDH-ECDSA-AES256-SHA384\", \"ECDH-ECDSA-AES256-SHA\", \"AES256-GCM-SHA384\", \"AES256-SHA256\", \"AES256-SHA\", \"CAMELLIA256-SHA\", \"ECDHE-RSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-SHA256\", \"ECDHE-RSA-AES128-SHA\", \"ECDHE-ECDSA-AES128-SHA\", \"ECDH-ECDSA-AES128-GCM-SHA256\", \"ECDH-ECDSA-AES128-SHA256\", \"ECDH-ECDSA-AES128-SHA\", \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES128-SHA\", \"SEED-SHA\", \"CAMELLIA128-SHA\"],\n \"sslProtocol\": \"all -SSLv2 -SSLv3 -TLSv1\"\n },\n \"sshd\": {\n \"class\": \"SSHD\",\n \"banner\": \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\",\n \"inactivityTimeout\": 900,\n \"ciphers\": [\n \"aes128-ctr\",\n \"aes192-ctr\",\n \"aes256-ctr\"\n ],\n \"loginGraceTime\": 60,\n \"MACS\": [\n \"hmac-sha1\",\n \"hmac-ripemd160\"\n ],\n \"maxAuthTries\": 3,\n \"maxStartups\": \"5\",\n \"protocol\": 2\n },\n \"myDns\": {\n \"class\": \"DNS\",\n \"nameServers\": [\n \"168.63.129.16\",\n \"2001:4860:4860::8844\"\n ],\n \"search\": [\n \"f5.com\"\n ]\n },\n \"myNtp\": {\n \"class\": \"NTP\",\n \"servers\": [\n \"time.nist.gov\",\n \"0.pool.ntp.org\",\n \"1.pool.ntp.org\"\n ],\n \"timezone\": \"UTC\"\n },\n \"myProvisioning\": {\n \"class\": \"Provision\",\n \"ltm\": \"nominal\",\n \"asm\": \"nominal\",\n \"afm\": \"nominal\"\n },\n \"external\": {\n \"class\": \"VLAN\",\n \"tag\": 4094,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.1\",\n \"tagged\": false\n }\n ]\n },\n \"internal\": {\n \"class\": \"VLAN\",\n \"tag\": 4093,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.2\",\n \"tagged\": false\n }\n ]\n },\n \"external-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.1.5/24\",\n \"vlan\": \"external\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internal-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.2.5/24\",\n \"vlan\": \"internal\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internet\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.1.1\",\n \"network\": \"default\",\n \"mtu\": 1500\n },\n \"vdms\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.3.0/24\",\n \"mtu\": 1500\n },\n \"vdss\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.0.0/16\",\n \"mtu\": 1500\n },\n \"configsync\": {\n \"class\": \"ConfigSync\",\n \"configsyncIp\": \"/Common/external-self/address\"\n },\n \"failoverAddress\": {\n \"class\": \"FailoverUnicast\",\n \"address\": \"/Common/external-self/address\"\n },\n \"failoverGroup\": {\n \"class\": \"DeviceGroup\",\n \"type\": \"sync-failover\",\n \"members\": [\n \"f5vm01.example.com\",\n \"f5vm02.example.com\"\n ],\n \"owner\": \"/Common/failoverGroup/members/0\",\n \"autoSync\": true,\n \"saveOnAutoSync\": false,\n \"networkFailover\": true,\n \"fullLoadOnSync\": false,\n \"asmSync\": true\n },\n \"trust\": {\n \"class\": \"DeviceTrust\",\n \"localUsername\": \"xadmin\",\n \"localPassword\": \"pleaseUseVault123!!\",\n \"remoteHost\": \"10.90.1.4\",\n \"remoteUsername\": \"xadmin\",\n \"remotePassword\": \"pleaseUseVault123!!\"\n }\n }\n}",
+ "as3ExternalDeclarationUrl": "https://example.domain.com/as3.json",
+ "as3Version": "latest",
+ "cfExternalDeclarationUrl": "https://example.domain.com/cf.json",
+ "cfVersion": "latest",
+ "doExternalDeclarationUrl": "https://example.domain.com/do.json",
+ "doVersion": "latest",
+ "fastVersion": "1.0.0",
+ "mgmtGateway": "10.90.0.1",
+ "onboard_log": "/var/log/startup-script.log",
+ "tsExternalDeclarationUrl": "https://example.domain.com/ts.json",
+ "tsVersion": "latest",
+ "uname": "xadmin",
+ "upassword": "pleaseUseVault123!!"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_lb",
+ "name": "internalLoadBalancer",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "frontend_ip_configuration": [
+ {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer/frontendIPConfigurations/internalLoadBalancerFrontEnd",
+ "inbound_nat_rules": [],
+ "load_balancer_rules": [],
+ "name": "internalLoadBalancerFrontEnd",
+ "outbound_rules": [],
+ "private_ip_address": "10.90.2.10",
+ "private_ip_address_allocation": "Static",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "",
+ "public_ip_prefix_id": "",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/internal",
+ "zones": null
+ }
+ ],
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer",
+ "location": "usgovvirginia",
+ "name": "bedfe9a3-internalloadbalancer",
+ "private_ip_address": "10.90.2.10",
+ "private_ip_addresses": [
+ "10.90.2.10"
+ ],
+ "resource_group_name": "bedfe9a3_rg",
+ "sku": "Standard",
+ "tags": null,
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.internal",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_lb_backend_address_pool",
+ "name": "internal_backend_pool",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_ip_configurations": [],
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer/backendAddressPools/InternalBackendPool1",
+ "load_balancing_rules": [],
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer",
+ "name": "InternalBackendPool1",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.internal",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_lb.internalLoadBalancer"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_lb_probe",
+ "name": "internal_tcp_probe",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer/probes/bedfe9a3-internal-tcp-probe",
+ "interval_in_seconds": 5,
+ "load_balancer_rules": [],
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer",
+ "name": "bedfe9a3-internal-tcp-probe",
+ "number_of_probes": 2,
+ "port": 34568,
+ "protocol": "Tcp",
+ "request_path": "",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.internal",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_lb.internalLoadBalancer"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_lb_rule",
+ "name": "internal_all_rule",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_address_pool_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer/backendAddressPools/InternalBackendPool1",
+ "backend_port": 0,
+ "disable_outbound_snat": false,
+ "enable_floating_ip": true,
+ "enable_tcp_reset": false,
+ "frontend_ip_configuration_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer/frontendIPConfigurations/internalLoadBalancerFrontEnd",
+ "frontend_ip_configuration_name": "internalLoadBalancerFrontEnd",
+ "frontend_port": 0,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer/loadBalancingRules/all-protocol-ilb",
+ "idle_timeout_in_minutes": 5,
+ "load_distribution": "SourceIPProtocol",
+ "loadbalancer_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer",
+ "name": "all-protocol-ilb",
+ "probe_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer/probes/bedfe9a3-internal-tcp-probe",
+ "protocol": "All",
+ "resource_group_name": "bedfe9a3_rg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.internal",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_lb.internalLoadBalancer",
+ "module.firewall_one.azurerm_lb_backend_address_pool.internal_backend_pool",
+ "module.firewall_one.azurerm_lb_probe.internal_tcp_probe"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface",
+ "name": "vm01-ext-nic",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "applied_dns_servers": [],
+ "dns_servers": [],
+ "enable_accelerated_networking": false,
+ "enable_ip_forwarding": true,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-ext-nic",
+ "internal_dns_name_label": "",
+ "internal_domain_name_suffix": "twdmxz2tn41ebcvfxvog5hfj3g.ax.internal.usgovcloudapp.net",
+ "ip_configuration": [
+ {
+ "name": "primary",
+ "primary": true,
+ "private_ip_address": "10.90.1.4",
+ "private_ip_address_allocation": "Static",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/external"
+ },
+ {
+ "name": "secondary",
+ "primary": false,
+ "private_ip_address": "10.90.1.11",
+ "private_ip_address_allocation": "Static",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/external"
+ }
+ ],
+ "location": "usgovvirginia",
+ "mac_address": "",
+ "name": "bedfe9a3-vm01-ext-nic",
+ "private_ip_address": "10.90.1.4",
+ "private_ip_addresses": [
+ "10.90.1.4",
+ "10.90.1.11"
+ ],
+ "resource_group_name": "bedfe9a3_rg",
+ "tags": {
+ "Name": "bedfe9a3-vm01-ext-int",
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "f5_cloud_failover_label": "saca",
+ "f5_cloud_failover_nic_map": "external",
+ "group": "f5group",
+ "owner": "f5owner"
+ },
+ "timeouts": null,
+ "virtual_machine_id": ""
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface",
+ "name": "vm01-int-nic",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "applied_dns_servers": [],
+ "dns_servers": [],
+ "enable_accelerated_networking": false,
+ "enable_ip_forwarding": true,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-int-nic",
+ "internal_dns_name_label": "",
+ "internal_domain_name_suffix": "twdmxz2tn41ebcvfxvog5hfj3g.ax.internal.usgovcloudapp.net",
+ "ip_configuration": [
+ {
+ "name": "primary",
+ "primary": true,
+ "private_ip_address": "10.90.2.4",
+ "private_ip_address_allocation": "Static",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/internal"
+ },
+ {
+ "name": "secondary",
+ "primary": false,
+ "private_ip_address": "10.90.2.11",
+ "private_ip_address_allocation": "Static",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/internal"
+ }
+ ],
+ "location": "usgovvirginia",
+ "mac_address": "",
+ "name": "bedfe9a3-vm01-int-nic",
+ "private_ip_address": "10.90.2.4",
+ "private_ip_addresses": [
+ "10.90.2.4",
+ "10.90.2.11"
+ ],
+ "resource_group_name": "bedfe9a3_rg",
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null,
+ "virtual_machine_id": ""
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.internal",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface",
+ "name": "vm01-mgmt-nic",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "applied_dns_servers": [],
+ "dns_servers": [],
+ "enable_accelerated_networking": false,
+ "enable_ip_forwarding": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-mgmt-nic",
+ "internal_dns_name_label": "",
+ "internal_domain_name_suffix": "twdmxz2tn41ebcvfxvog5hfj3g.ax.internal.usgovcloudapp.net",
+ "ip_configuration": [
+ {
+ "name": "primary",
+ "primary": true,
+ "private_ip_address": "10.90.0.4",
+ "private_ip_address_allocation": "Static",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/mgmt"
+ }
+ ],
+ "location": "usgovvirginia",
+ "mac_address": "",
+ "name": "bedfe9a3-vm01-mgmt-nic",
+ "private_ip_address": "10.90.0.4",
+ "private_ip_addresses": [
+ "10.90.0.4"
+ ],
+ "resource_group_name": "bedfe9a3_rg",
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null,
+ "virtual_machine_id": ""
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.mgmt",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface",
+ "name": "vm02-ext-nic",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "applied_dns_servers": [],
+ "dns_servers": [],
+ "enable_accelerated_networking": false,
+ "enable_ip_forwarding": true,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-ext-nic",
+ "internal_dns_name_label": "",
+ "internal_domain_name_suffix": "twdmxz2tn41ebcvfxvog5hfj3g.ax.internal.usgovcloudapp.net",
+ "ip_configuration": [
+ {
+ "name": "primary",
+ "primary": true,
+ "private_ip_address": "10.90.1.5",
+ "private_ip_address_allocation": "Static",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/external"
+ },
+ {
+ "name": "secondary",
+ "primary": false,
+ "private_ip_address": "10.90.1.12",
+ "private_ip_address_allocation": "Static",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/external"
+ }
+ ],
+ "location": "usgovvirginia",
+ "mac_address": "",
+ "name": "bedfe9a3-vm02-ext-nic",
+ "private_ip_address": "10.90.1.5",
+ "private_ip_addresses": [
+ "10.90.1.5",
+ "10.90.1.12"
+ ],
+ "resource_group_name": "bedfe9a3_rg",
+ "tags": {
+ "Name": "bedfe9a3-vm01-ext-int",
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "f5_cloud_failover_label": "saca",
+ "f5_cloud_failover_nic_map": "external",
+ "group": "f5group",
+ "owner": "f5owner"
+ },
+ "timeouts": null,
+ "virtual_machine_id": ""
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface",
+ "name": "vm02-int-nic",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "applied_dns_servers": [],
+ "dns_servers": [],
+ "enable_accelerated_networking": false,
+ "enable_ip_forwarding": true,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-int-nic",
+ "internal_dns_name_label": "",
+ "internal_domain_name_suffix": "twdmxz2tn41ebcvfxvog5hfj3g.ax.internal.usgovcloudapp.net",
+ "ip_configuration": [
+ {
+ "name": "primary",
+ "primary": true,
+ "private_ip_address": "10.90.2.5",
+ "private_ip_address_allocation": "Static",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/internal"
+ },
+ {
+ "name": "secondary",
+ "primary": false,
+ "private_ip_address": "10.90.2.12",
+ "private_ip_address_allocation": "Static",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/internal"
+ }
+ ],
+ "location": "usgovvirginia",
+ "mac_address": "",
+ "name": "bedfe9a3-vm02-int-nic",
+ "private_ip_address": "10.90.2.5",
+ "private_ip_addresses": [
+ "10.90.2.5",
+ "10.90.2.12"
+ ],
+ "resource_group_name": "bedfe9a3_rg",
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null,
+ "virtual_machine_id": ""
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.internal",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface",
+ "name": "vm02-mgmt-nic",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "applied_dns_servers": [],
+ "dns_servers": [],
+ "enable_accelerated_networking": false,
+ "enable_ip_forwarding": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-mgmt-nic",
+ "internal_dns_name_label": "",
+ "internal_domain_name_suffix": "twdmxz2tn41ebcvfxvog5hfj3g.ax.internal.usgovcloudapp.net",
+ "ip_configuration": [
+ {
+ "name": "primary",
+ "primary": true,
+ "private_ip_address": "10.90.0.5",
+ "private_ip_address_allocation": "Static",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/mgmt"
+ }
+ ],
+ "location": "usgovvirginia",
+ "mac_address": "",
+ "name": "bedfe9a3-vm02-mgmt-nic",
+ "private_ip_address": "10.90.0.5",
+ "private_ip_addresses": [
+ "10.90.0.5"
+ ],
+ "resource_group_name": "bedfe9a3_rg",
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null,
+ "virtual_machine_id": ""
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.mgmt",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_backend_address_pool_association",
+ "name": "bpool_assc_vm01",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_address_pool_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/IngressBackendPool",
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-ext-nic/ipConfigurations/secondary|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/IngressBackendPool",
+ "ip_configuration_name": "secondary",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-ext-nic",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_lb_backend_address_pool.backend_pool",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm01-ext-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_backend_address_pool_association",
+ "name": "bpool_assc_vm02",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_address_pool_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/IngressBackendPool",
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-ext-nic/ipConfigurations/secondary|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/IngressBackendPool",
+ "ip_configuration_name": "secondary",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-ext-nic",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_lb_backend_address_pool.backend_pool",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm02-ext-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_backend_address_pool_association",
+ "name": "int_bpool_assc_vm01",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_address_pool_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer/backendAddressPools/InternalBackendPool1",
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-int-nic/ipConfigurations/secondary|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer/backendAddressPools/InternalBackendPool1",
+ "ip_configuration_name": "secondary",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-int-nic",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.internal",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_lb.internalLoadBalancer",
+ "module.firewall_one.azurerm_lb_backend_address_pool.internal_backend_pool",
+ "module.firewall_one.azurerm_network_interface.vm01-int-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_backend_address_pool_association",
+ "name": "int_bpool_assc_vm02",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_address_pool_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer/backendAddressPools/InternalBackendPool1",
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-int-nic/ipConfigurations/secondary|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-internalloadbalancer/backendAddressPools/InternalBackendPool1",
+ "ip_configuration_name": "secondary",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-int-nic",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.internal",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_lb.internalLoadBalancer",
+ "module.firewall_one.azurerm_lb_backend_address_pool.internal_backend_pool",
+ "module.firewall_one.azurerm_network_interface.vm02-int-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_backend_address_pool_association",
+ "name": "mpool_assc_vm01",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_address_pool_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/EgressPrimaryPool",
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-mgmt-nic/ipConfigurations/primary|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/EgressPrimaryPool",
+ "ip_configuration_name": "primary",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-mgmt-nic",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_lb_backend_address_pool.primary_pool",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.mgmt",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm01-mgmt-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_backend_address_pool_association",
+ "name": "mpool_assc_vm02",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_address_pool_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/EgressPrimaryPool",
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-mgmt-nic/ipConfigurations/primary|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/EgressPrimaryPool",
+ "ip_configuration_name": "primary",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-mgmt-nic",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_lb_backend_address_pool.primary_pool",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.mgmt",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm02-mgmt-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_backend_address_pool_association",
+ "name": "primary_pool_assc_vm01",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_address_pool_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/EgressPrimaryPool",
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-ext-nic/ipConfigurations/primary|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/EgressPrimaryPool",
+ "ip_configuration_name": "primary",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-ext-nic",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_lb_backend_address_pool.primary_pool",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm01-ext-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_backend_address_pool_association",
+ "name": "primary_pool_assc_vm02",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "backend_address_pool_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/EgressPrimaryPool",
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-ext-nic/ipConfigurations/primary|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/loadBalancers/bedfe9a3-alb/backendAddressPools/EgressPrimaryPool",
+ "ip_configuration_name": "primary",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-ext-nic",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_lb.lb",
+ "azurerm_lb_backend_address_pool.primary_pool",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm02-ext-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_security_group_association",
+ "name": "bigip01-ext-nsg",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-ext-nic|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-ext-nic",
+ "network_security_group_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_network_security_group.main",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm01-ext-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_security_group_association",
+ "name": "bigip01-int-nsg",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-int-nic|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-int-nic",
+ "network_security_group_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_network_security_group.main",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.internal",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm01-int-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_security_group_association",
+ "name": "bigip01-mgmt-nsg",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-mgmt-nic|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-mgmt-nic",
+ "network_security_group_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_network_security_group.main",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.mgmt",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm01-mgmt-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_security_group_association",
+ "name": "bigip02-ext-nsg",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-ext-nic|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-ext-nic",
+ "network_security_group_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_network_security_group.main",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm02-ext-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_security_group_association",
+ "name": "bigip02-int-nsg",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-int-nic|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-int-nic",
+ "network_security_group_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_network_security_group.main",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.internal",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm02-int-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_network_interface_security_group_association",
+ "name": "bigip02-mgmt-nsg",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-mgmt-nic|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-mgmt-nic",
+ "network_security_group_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_network_security_group.main",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.mgmt",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm02-mgmt-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_virtual_machine",
+ "name": "f5vm01",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "additional_capabilities": [],
+ "availability_set_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourcegroups/bedfe9a3_rg/providers/microsoft.compute/availabilitysets/bedfe9a3-avset",
+ "boot_diagnostics": [],
+ "delete_data_disks_on_termination": true,
+ "delete_os_disk_on_termination": true,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/virtualMachines/bedfe9a3-f5vm01",
+ "identity": [],
+ "license_type": null,
+ "location": "usgovvirginia",
+ "name": "bedfe9a3-f5vm01",
+ "network_interface_ids": [
+ "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-mgmt-nic",
+ "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-ext-nic",
+ "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-int-nic"
+ ],
+ "os_profile": [
+ {
+ "admin_password": "",
+ "admin_username": "xadmin",
+ "computer_name": "bedfe9a3vm01",
+ "custom_data": ""
+ }
+ ],
+ "os_profile_linux_config": [
+ {
+ "disable_password_authentication": false,
+ "ssh_keys": []
+ }
+ ],
+ "os_profile_secrets": [],
+ "os_profile_windows_config": [],
+ "plan": [
+ {
+ "name": "f5-bigip-virtual-edition-1g-best-hourly",
+ "product": "f5-big-ip-best",
+ "publisher": "f5-networks"
+ }
+ ],
+ "primary_network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm01-mgmt-nic",
+ "proximity_placement_group_id": null,
+ "resource_group_name": "bedfe9a3_rg",
+ "storage_data_disk": [],
+ "storage_image_reference": [
+ {
+ "id": "",
+ "offer": "f5-big-ip-best",
+ "publisher": "f5-networks",
+ "sku": "f5-bigip-virtual-edition-1g-best-hourly",
+ "version": "14.1.202000"
+ }
+ ],
+ "storage_os_disk": [
+ {
+ "caching": "ReadWrite",
+ "create_option": "FromImage",
+ "disk_size_gb": 78,
+ "image_uri": "",
+ "managed_disk_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/disks/bedfe9a3vm01-osdisk",
+ "managed_disk_type": "Standard_LRS",
+ "name": "bedfe9a3vm01-osdisk",
+ "os_type": "Linux",
+ "vhd_uri": "",
+ "write_accelerator_enabled": false
+ }
+ ],
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null,
+ "vm_size": "Standard_DS5_v2",
+ "zones": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozNjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjozNjAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_availability_set.avset",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_subnet.internal",
+ "azurerm_subnet.mgmt",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm01-ext-nic",
+ "module.firewall_one.azurerm_network_interface.vm01-int-nic",
+ "module.firewall_one.azurerm_network_interface.vm01-mgmt-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_virtual_machine",
+ "name": "f5vm02",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "additional_capabilities": [],
+ "availability_set_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourcegroups/bedfe9a3_rg/providers/microsoft.compute/availabilitysets/bedfe9a3-avset",
+ "boot_diagnostics": [],
+ "delete_data_disks_on_termination": true,
+ "delete_os_disk_on_termination": true,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/virtualMachines/bedfe9a3-f5vm02",
+ "identity": [],
+ "license_type": null,
+ "location": "usgovvirginia",
+ "name": "bedfe9a3-f5vm02",
+ "network_interface_ids": [
+ "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-mgmt-nic",
+ "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-ext-nic",
+ "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-int-nic"
+ ],
+ "os_profile": [
+ {
+ "admin_password": "",
+ "admin_username": "xadmin",
+ "computer_name": "bedfe9a3vm02",
+ "custom_data": ""
+ }
+ ],
+ "os_profile_linux_config": [
+ {
+ "disable_password_authentication": false,
+ "ssh_keys": []
+ }
+ ],
+ "os_profile_secrets": [],
+ "os_profile_windows_config": [],
+ "plan": [
+ {
+ "name": "f5-bigip-virtual-edition-1g-best-hourly",
+ "product": "f5-big-ip-best",
+ "publisher": "f5-networks"
+ }
+ ],
+ "primary_network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-vm02-mgmt-nic",
+ "proximity_placement_group_id": null,
+ "resource_group_name": "bedfe9a3_rg",
+ "storage_data_disk": [],
+ "storage_image_reference": [
+ {
+ "id": "",
+ "offer": "f5-big-ip-best",
+ "publisher": "f5-networks",
+ "sku": "f5-bigip-virtual-edition-1g-best-hourly",
+ "version": "14.1.202000"
+ }
+ ],
+ "storage_os_disk": [
+ {
+ "caching": "ReadWrite",
+ "create_option": "FromImage",
+ "disk_size_gb": 78,
+ "image_uri": "",
+ "managed_disk_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/disks/bedfe9a3vm02-osdisk",
+ "managed_disk_type": "Standard_LRS",
+ "name": "bedfe9a3vm02-osdisk",
+ "os_type": "Linux",
+ "vhd_uri": "",
+ "write_accelerator_enabled": false
+ }
+ ],
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null,
+ "vm_size": "Standard_DS5_v2",
+ "zones": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozNjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjozNjAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_availability_set.avset",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_subnet.internal",
+ "azurerm_subnet.mgmt",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm02-ext-nic",
+ "module.firewall_one.azurerm_network_interface.vm02-int-nic",
+ "module.firewall_one.azurerm_network_interface.vm02-mgmt-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_virtual_machine_extension",
+ "name": "f5vm01-run-startup-cmd",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "auto_upgrade_minor_version": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/virtualMachines/bedfe9a3-f5vm01/extensions/bedfe9a3-f5vm01-run-startup-cmd",
+ "name": "bedfe9a3-f5vm01-run-startup-cmd",
+ "protected_settings": null,
+ "publisher": "Microsoft.Azure.Extensions",
+ "settings": "{\"commandToExecute\":\"echo 'IyEvYmluL2Jhc2gKIwojIHZhcnMKIwojIGdldCBkZXZpY2UgaWQgZm9yIGRvCmRldmljZUlkPSQxCiMKYWRtaW5fdXNlcm5hbWU9J3hhZG1pbicKYWRtaW5fcGFzc3dvcmQ9J3BsZWFzZVVzZVZhdWx0MTIzISEnCkNSRURTPSIkYWRtaW5fdXNlcm5hbWU6JGFkbWluX3Bhc3N3b3JkIgpMT0dfRklMRT0vdmFyL2xvZy9zdGFydHVwLXNjcmlwdC5sb2cKIyBjb25zdGFudHMKbWdtdF9wb3J0PWB0bXNoIGxpc3Qgc3lzIGh0dHBkIHNzbC1wb3J0IHwgZ3JlcCBzc2wtcG9ydCB8IHNlZCAncy9zc2wtcG9ydCAvLztzLyAvL2cnYAphdXRoVXJsPSIvbWdtdC9zaGFyZWQvYXV0aG4vbG9naW4iCnJwbUluc3RhbGxVcmw9Ii9tZ210L3NoYXJlZC9pYXBwL3BhY2thZ2UtbWFuYWdlbWVudC10YXNrcyIKcnBtRmlsZVBhdGg9Ii92YXIvY29uZmlnL3Jlc3QvZG93bmxvYWRzIgpsb2NhbF9ob3N0PSJodHRwOi8vbG9jYWxob3N0OjgxMDAiCiMgZG8KZG9Vcmw9Ii9tZ210L3NoYXJlZC9kZWNsYXJhdGl2ZS1vbmJvYXJkaW5nIgpkb0NoZWNrVXJsPSIvbWdtdC9zaGFyZWQvZGVjbGFyYXRpdmUtb25ib2FyZGluZy9pbmZvIgpkb1Rhc2tVcmw9Ii9tZ210L3NoYXJlZC9kZWNsYXJhdGl2ZS1vbmJvYXJkaW5nL3Rhc2siCiMgYXMzCmFzM1VybD0iL21nbXQvc2hhcmVkL2FwcHN2Y3MvZGVjbGFyZSIKYXMzQ2hlY2tVcmw9Ii9tZ210L3NoYXJlZC9hcHBzdmNzL2luZm8iCmFzM1Rhc2tVcmw9Ii9tZ210L3NoYXJlZC9hcHBzdmNzL3Rhc2svIgojIHRzCnRzVXJsPSIvbWdtdC9zaGFyZWQvdGVsZW1ldHJ5L2RlY2xhcmUiCnRzQ2hlY2tVcmw9Ii9tZ210L3NoYXJlZC90ZWxlbWV0cnkvaW5mbyIKIyBjbG91ZCBmYWlsb3ZlciBleHQKY2ZVcmw9Ii9tZ210L3NoYXJlZC9jbG91ZC1mYWlsb3Zlci9kZWNsYXJlIgpjZkNoZWNrVXJsPSIvbWdtdC9zaGFyZWQvY2xvdWQtZmFpbG92ZXIvaW5mbyIKIyBmYXN0CmZhc3RDaGVja1VybD0iL21nbXQvc2hhcmVkL2Zhc3QvaW5mbyIKIyBkZWNsYXJhdGlvbiBjb250ZW50CmNhdCA+IC9jb25maWcvZG8xLmpzb24gPDxFT0YKewogICAgInNjaGVtYVZlcnNpb24iOiAiMS45LjAiLAogICAgImNsYXNzIjogIkRldmljZSIsCiAgICAiYXN5bmMiOiB0cnVlLAogICAgImxhYmVsIjogIkJhc2ljIG9uYm9hcmRpbmciLAogICAgIkNvbW1vbiI6IHsKICAgICAgICAiY2xhc3MiOiAiVGVuYW50IiwKICAgICAgICAiaG9zdG5hbWUiOiAiZjV2bTAxLmV4YW1wbGUuY29tIiwKICAgICAgICAiZGJ2YXJzIjogewogICAgICAgIAkiY2xhc3MiOiAiRGJWYXJpYWJsZXMiLAogICAgICAgIAkidWkuYWR2aXNvcnkuZW5hYmxlZCI6IHRydWUsCiAgICAgICAgCSJ1aS5hZHZpc29yeS5jb2xvciI6ICJncmVlbiIsCiAgICAgICAgICAgICJ1aS5hZHZpc29yeS50ZXh0IjogIi8vVU5DTEFTU0lGSUVELy8iLAogICAgICAgICAgICAidWkuc3lzdGVtLnByZWZlcmVuY2VzLmFkdmFuY2Vkc2VsZWN0aW9uIjogICJhZHZhbmNlZCIsCiAgICAgICAgICAgICJ1aS5zeXN0ZW0ucHJlZmVyZW5jZXMucmVjb3Jkc3BlcnNjcmVlbiI6ICIxMDAiLAogICAgICAgICAgICAidWkuc3lzdGVtLnByZWZlcmVuY2VzLnN0YXJ0c2NyZWVuIjogIm5ldHdvcmtfbWFwIiwKICAgICAgICAgICAgInVpLnVzZXJzLnJlZGlyZWN0c3VwZXJ1c2Vyc3RvYXV0aHN1bW1hcnkiOiAidHJ1ZSIsCiAgICAgICAgICAgICJkbnMuY2FjaGUiOiAiZW5hYmxlIiwKICAgICAgICAgICAgImNvbmZpZy5hbGxvdy5yZmMzOTI3IjogImVuYWJsZSIsCiAgICAgICAgICAgICJiaWczZC5taW5pbXVtLnRscy52ZXJzaW9uIjogIlRMU1YxLjIiLAogICAgICAgICAgICAibGl2ZWluc3RhbGwuY2hlY2tzaWciOiAiZW5hYmxlIgogICAgICAgIH0sCiAgICAgICAgIlJlbW90ZVN5c2xvZyI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlN5c2xvZ1JlbW90ZVNlcnZlciIsCiAgICAgICAgICAgICJob3N0IjogIjEwLjkwLjEwLjEwMSIsCiAgICAgICAgICAgICJsb2NhbElwIjogIjEwLjkwLjEuNCIsCiAgICAgICAgICAgICJyZW1vdGVQb3J0IjogNTE0CiAgICAgICAgICB9LAogICAgICAgICJzeXN0ZW0iOnsKICAgICAgICAgICAgImNsYXNzIjogIlN5c3RlbSIsCiAgICAgICAgICAgICJhdXRvQ2hlY2siOiBmYWxzZSwKICAgICAgICAgICAgImF1dG9QaG9uZWhvbWUiOiBmYWxzZSwKICAgICAgICAgICAgImNsaUluYWN0aXZpdHlUaW1lb3V0IjogOTAwLAogICAgICAgICAgICAiY29uc29sZUluYWN0aXZpdHlUaW1lb3V0IjogOTAwLAogICAgICAgICAgICAiZ3VpQXVkaXRMb2ciOiB0cnVlLAogICAgICAgICAgICAibWNwQXVkaXRMb2ciOiAiZW5hYmxlIiwKICAgICAgICAgICAgInRtc2hBdWRpdExvZyI6IHRydWUKICAgICAgICB9LAogICAgICAgICJodHRwZCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIkhUVFBEIiwKICAgICAgICAgICAgIm1heENsaWVudHMiOiAiMTAiLAogICAgICAgICAgICAiYXV0aFBhbUlkbGVUaW1lb3V0IjogIjkwMCIsCiAgICAgICAgICAgICJzc2xDaXBoZXJzdWl0ZSI6IFsiRUNESEUtRUNEU0EtQUVTMjU2LUdDTS1TSEEzODQiLCAiRUNESEUtRUNEU0EtQUVTMjU2LVNIQTM4NCIsICJFQ0RIRS1FQ0RTQS1BRVMyNTYtU0hBIiwiRUNESC1FQ0RTQS1BRVMyNTYtR0NNLVNIQTM4NCIsICJFQ0RILUVDRFNBLUFFUzI1Ni1TSEEzODQiLCAiRUNESC1FQ0RTQS1BRVMyNTYtU0hBIiwgIkFFUzI1Ni1HQ00tU0hBMzg0IiwgIkFFUzI1Ni1TSEEyNTYiLCAiQUVTMjU2LVNIQSIsICJDQU1FTExJQTI1Ni1TSEEiLCAiRUNESEUtUlNBLUFFUzEyOC1HQ00tU0hBMjU2IiwgIkVDREhFLUVDRFNBLUFFUzEyOC1HQ00tU0hBMjU2IiwgIkVDREhFLUVDRFNBLUFFUzEyOC1TSEEyNTYiLCAiRUNESEUtUlNBLUFFUzEyOC1TSEEiLCAiRUNESEUtRUNEU0EtQUVTMTI4LVNIQSIsICJFQ0RILUVDRFNBLUFFUzEyOC1HQ00tU0hBMjU2IiwgIkVDREgtRUNEU0EtQUVTMTI4LVNIQTI1NiIsICJFQ0RILUVDRFNBLUFFUzEyOC1TSEEiLCAiQUVTMTI4LUdDTS1TSEEyNTYiLCAiQUVTMTI4LVNIQTI1NiIsICJBRVMxMjgtU0hBIiwgIlNFRUQtU0hBIiwgIkNBTUVMTElBMTI4LVNIQSJdLAogICAgICAgICAgICAic3NsUHJvdG9jb2wiOiAiYWxsIC1TU0x2MiAtU1NMdjMgLVRMU3YxIgogICAgICAgIH0sCiAgICAgICAgInNzaGQiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJTU0hEIiwKICAgICAgICAgICAgImJhbm5lciI6ICJZb3UgYXJlIGFjY2Vzc2luZyBhIFUuUy4gR292ZXJubWVudCAoVVNHKSBJbmZvcm1hdGlvbiBTeXN0ZW0gKElTKSB0aGF0IGlzIHByb3ZpZGVkIGZvciBVU0ctYXV0aG9yaXplZCB1c2Ugb25seS4gQnkgdXNpbmcgdGhpcyBJUyAod2hpY2ggaW5jbHVkZXMgYW55IGRldmljZSBhdHRhY2hlZCB0byB0aGlzIElTKSwgeW91IGNvbnNlbnQgdG8gdGhlIGZvbGxvd2luZyBjb25kaXRpb25zOiBUaGUgVVNHIHJvdXRpbmVseSBpbnRlcmNlcHRzIGFuZCBtb25pdG9ycyBjb21tdW5pY2F0aW9ucyBvbiB0aGlzIElTIGZvciBwdXJwb3NlcyBpbmNsdWRpbmcsIGJ1dCBub3QgbGltaXRlZCB0bywgcGVuZXRyYXRpb24gdGVzdGluZywgQ09NU0VDIG1vbml0b3JpbmcsIG5ldHdvcmsgb3BlcmF0aW9ucyBhbmQgZGVmZW5zZSwgcGVyc29ubmVsIG1pc2NvbmR1Y3QgKFBNKSwgbGF3IGVuZm9yY2VtZW50IChMRSksIGFuZCBjb3VudGVyaW50ZWxsaWdlbmNlIChDSSkgaW52ZXN0aWdhdGlvbnMuIEF0IGFueSB0aW1lLCB0aGUgVVNHIG1heSBpbnNwZWN0IGFuZCBzZWl6ZSBkYXRhIHN0b3JlZCBvbiB0aGlzIElTLiBDb21tdW5pY2F0aW9ucyB1c2luZywgb3IgZGF0YSBzdG9yZWQgb24sIHRoaXMgSVMgYXJlIG5vdCBwcml2YXRlLCBhcmUgc3ViamVjdCB0byByb3V0aW5lIG1vbml0b3JpbmcsIGludGVyY2VwdGlvbiwgYW5kIHNlYXJjaCwgYW5kIG1heSBiZSBkaXNjbG9zZWQgb3IgdXNlZCBmb3IgYW55IFVTRyBhdXRob3JpemVkIHB1cnBvc2UuIFRoaXMgSVMgaW5jbHVkZXMgc2VjdXJpdHkgbWVhc3VyZXMgKGUuZy4sIGF1dGhlbnRpY2F0aW9uIGFuZCBhY2Nlc3MgY29udHJvbHMpIHRvIHByb3RlY3QgVVNHIGludGVyZXN0cy0tbm90IGZvciB5b3VyIHBlcnNvbmFsIGJlbmVmaXQgb3IgcHJpdmFjeS4gTm90d2l0aHN0YW5kaW5nIHRoZSBhYm92ZSwgdXNpbmcgdGhpcyBJUyBkb2VzIG5vdCBjb25zdGl0dXRlIGNvbnNlbnQgdG8gUE0sIExFIG9yIENJIGludmVzdGlnYXRpdmUgc2VhcmNoaW5nIG9yIG1vbml0b3Jpbmcgb2YgdGhlIGNvbnRlbnQgb2YgcHJpdmlsZWdlZCBjb21tdW5pY2F0aW9ucywgb3Igd29yayBwcm9kdWN0LCByZWxhdGVkIHRvIHBlcnNvbmFsIHJlcHJlc2VudGF0aW9uIG9yIHNlcnZpY2VzIGJ5IGF0dG9ybmV5cywgcHN5Y2hvdGhlcmFwaXN0cywgb3IgY2xlcmd5LCBhbmQgdGhlaXIgYXNzaXN0YW50cy4gU3VjaCBjb21tdW5pY2F0aW9ucyBhbmQgd29yayBwcm9kdWN0IGFyZSBwcml2YXRlIGFuZCBjb25maWRlbnRpYWwuIFNlZSBVc2VyIEFncmVlbWVudCBmb3IgZGV0YWlscy4iLAogICAgICAgICAgICAiaW5hY3Rpdml0eVRpbWVvdXQiOiA5MDAsCiAgICAgICAgICAgICJjaXBoZXJzIjogWwogICAgICAgICAgICAgICAgImFlczEyOC1jdHIiLAogICAgICAgICAgICAgICAgImFlczE5Mi1jdHIiLAogICAgICAgICAgICAgICAgImFlczI1Ni1jdHIiCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJsb2dpbkdyYWNlVGltZSI6IDYwLAogICAgICAgICAgICAiTUFDUyI6IFsKICAgICAgICAgICAgICAgICJobWFjLXNoYTEiLAogICAgICAgICAgICAgICAgImhtYWMtcmlwZW1kMTYwIgogICAgICAgICAgICBdLAogICAgICAgICAgICAibWF4QXV0aFRyaWVzIjogMywKICAgICAgICAgICAgIm1heFN0YXJ0dXBzIjogIjUiLAogICAgICAgICAgICAicHJvdG9jb2wiOiAyCiAgICAgICAgfSwKICAgICAgICAibXlEbnMiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJETlMiLAogICAgICAgICAgICAibmFtZVNlcnZlcnMiOiBbCiAgICAgICAgICAgICAgICAiMTY4LjYzLjEyOS4xNiIsCiAgICAgICAgICAgICAgICAiMjAwMTo0ODYwOjQ4NjA6Ojg4NDQiCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJzZWFyY2giOiBbCiAgICAgICAgICAgICAgICAiZjUuY29tIgogICAgICAgICAgICBdCiAgICAgICAgfSwKICAgICAgICAibXlOdHAiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJOVFAiLAogICAgICAgICAgICAic2VydmVycyI6IFsKICAgICAgICAgICAgICAgICJ0aW1lLm5pc3QuZ292IiwKICAgICAgICAgICAgICAgICIwLnBvb2wubnRwLm9yZyIsCiAgICAgICAgICAgICAgICAiMS5wb29sLm50cC5vcmciCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJ0aW1lem9uZSI6ICJVVEMiCiAgICAgICAgfSwKICAgICAgICAibXlQcm92aXNpb25pbmciOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJQcm92aXNpb24iLAogICAgICAgICAgICAibHRtIjogIm5vbWluYWwiLAogICAgICAgICAgICAiYXNtIjogIm5vbWluYWwiLAogICAgICAgICAgICAiYWZtIjogIm5vbWluYWwiCiAgICAgICAgfSwKICAgICAgICAiZXh0ZXJuYWwiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJWTEFOIiwKICAgICAgICAgICAgInRhZyI6IDQwOTQsCiAgICAgICAgICAgICJtdHUiOiAxNTAwLAogICAgICAgICAgICAiaW50ZXJmYWNlcyI6IFsKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAibmFtZSI6ICIxLjEiLAogICAgICAgICAgICAgICAgICAgICJ0YWdnZWQiOiBmYWxzZQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICBdCiAgICAgICAgfSwKICAgICAgICAiaW50ZXJuYWwiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJWTEFOIiwKICAgICAgICAgICAgInRhZyI6IDQwOTMsCiAgICAgICAgICAgICJtdHUiOiAxNTAwLAogICAgICAgICAgICAiaW50ZXJmYWNlcyI6IFsKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAibmFtZSI6ICIxLjIiLAogICAgICAgICAgICAgICAgICAgICJ0YWdnZWQiOiBmYWxzZQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICBdCiAgICAgICAgfSwKICAgICAgICAiZXh0ZXJuYWwtc2VsZiI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlNlbGZJcCIsCiAgICAgICAgICAgICJhZGRyZXNzIjogIjEwLjkwLjEuNC8yNCIsCiAgICAgICAgICAgICJ2bGFuIjogImV4dGVybmFsIiwKICAgICAgICAgICAgImFsbG93U2VydmljZSI6ICJkZWZhdWx0IiwKICAgICAgICAgICAgInRyYWZmaWNHcm91cCI6ICJ0cmFmZmljLWdyb3VwLWxvY2FsLW9ubHkiCiAgICAgICAgfSwKICAgICAgICAiaW50ZXJuYWwtc2VsZiI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlNlbGZJcCIsCiAgICAgICAgICAgICJhZGRyZXNzIjogIjEwLjkwLjIuNC8yNCIsCiAgICAgICAgICAgICJ2bGFuIjogImludGVybmFsIiwKICAgICAgICAgICAgImFsbG93U2VydmljZSI6ICJkZWZhdWx0IiwKICAgICAgICAgICAgInRyYWZmaWNHcm91cCI6ICJ0cmFmZmljLWdyb3VwLWxvY2FsLW9ubHkiCiAgICAgICAgfSwKICAgICAgICAiaW50ZXJuZXQiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJSb3V0ZSIsCiAgICAgICAgICAgICJndyI6ICIxMC45MC4xLjEiLAogICAgICAgICAgICAibmV0d29yayI6ICJkZWZhdWx0IiwKICAgICAgICAgICAgIm10dSI6IDE1MDAKICAgICAgICB9LAogICAgICAgICJ2ZG1zIjogewogICAgICAgICAgICAiY2xhc3MiOiAiUm91dGUiLAogICAgICAgICAgICAiZ3ciOiAiMTAuOTAuMi4xIiwKICAgICAgICAgICAgIm5ldHdvcmsiOiAiMTAuOTAuMy4wLzI0IiwKICAgICAgICAgICAgIm10dSI6IDE1MDAKICAgICAgICB9LAogICAgICAgICJ2ZHNzIjogewogICAgICAgICAgICAiY2xhc3MiOiAiUm91dGUiLAogICAgICAgICAgICAiZ3ciOiAiMTAuOTAuMi4xIiwKICAgICAgICAgICAgIm5ldHdvcmsiOiAiMTAuOTAuMC4wLzE2IiwKICAgICAgICAgICAgIm10dSI6IDE1MDAKICAgICAgICB9LAogICAgICAgICJjb25maWdzeW5jIjogewogICAgICAgICAgICAiY2xhc3MiOiAiQ29uZmlnU3luYyIsCiAgICAgICAgICAgICJjb25maWdzeW5jSXAiOiAiL0NvbW1vbi9leHRlcm5hbC1zZWxmL2FkZHJlc3MiCiAgICAgICAgfSwKICAgICAgICAiZmFpbG92ZXJBZGRyZXNzIjogewogICAgICAgICAgICAiY2xhc3MiOiAiRmFpbG92ZXJVbmljYXN0IiwKICAgICAgICAgICAgImFkZHJlc3MiOiAiL0NvbW1vbi9leHRlcm5hbC1zZWxmL2FkZHJlc3MiCiAgICAgICAgfSwKICAgICAgICAiZmFpbG92ZXJHcm91cCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIkRldmljZUdyb3VwIiwKICAgICAgICAgICAgInR5cGUiOiAic3luYy1mYWlsb3ZlciIsCiAgICAgICAgICAgICJtZW1iZXJzIjogWwogICAgICAgICAgICAgICAgImY1dm0wMS5leGFtcGxlLmNvbSIsCiAgICAgICAgICAgICAgICAiZjV2bTAyLmV4YW1wbGUuY29tIgogICAgICAgICAgICBdLAogICAgICAgICAgICAib3duZXIiOiAiL0NvbW1vbi9mYWlsb3Zlckdyb3VwL21lbWJlcnMvMCIsCiAgICAgICAgICAgICJhdXRvU3luYyI6IHRydWUsCiAgICAgICAgICAgICJzYXZlT25BdXRvU3luYyI6IGZhbHNlLAogICAgICAgICAgICAibmV0d29ya0ZhaWxvdmVyIjogdHJ1ZSwKICAgICAgICAgICAgImZ1bGxMb2FkT25TeW5jIjogZmFsc2UsCiAgICAgICAgICAgICJhc21TeW5jIjogdHJ1ZQogICAgICAgIH0sCiAgICAgICAgInRydXN0IjogewogICAgICAgICAgICAiY2xhc3MiOiAiRGV2aWNlVHJ1c3QiLAogICAgICAgICAgICAibG9jYWxVc2VybmFtZSI6ICJ4YWRtaW4iLAogICAgICAgICAgICAibG9jYWxQYXNzd29yZCI6ICJwbGVhc2VVc2VWYXVsdDEyMyEhIiwKICAgICAgICAgICAgInJlbW90ZUhvc3QiOiAiMTAuOTAuMS41IiwKICAgICAgICAgICAgInJlbW90ZVVzZXJuYW1lIjogInhhZG1pbiIsCiAgICAgICAgICAgICJyZW1vdGVQYXNzd29yZCI6ICJwbGVhc2VVc2VWYXVsdDEyMyEhIgogICAgICAgIH0KICAgIH0KfQpFT0YKY2F0ID4gL2NvbmZpZy9kbzIuanNvbiA8PEVPRgp7CiAgICAic2NoZW1hVmVyc2lvbiI6ICIxLjkuMCIsCiAgICAiY2xhc3MiOiAiRGV2aWNlIiwKICAgICJhc3luYyI6IHRydWUsCiAgICAibGFiZWwiOiAiQmFzaWMgb25ib2FyZGluZyIsCiAgICAiQ29tbW9uIjogewogICAgICAgICJjbGFzcyI6ICJUZW5hbnQiLAogICAgICAgICJob3N0bmFtZSI6ICJmNXZtMDIuZXhhbXBsZS5jb20iLAogICAgICAgICJkYnZhcnMiOiB7CiAgICAgICAgCSJjbGFzcyI6ICJEYlZhcmlhYmxlcyIsCiAgICAgICAgCSJ1aS5hZHZpc29yeS5lbmFibGVkIjogdHJ1ZSwKICAgICAgICAJInVpLmFkdmlzb3J5LmNvbG9yIjogImdyZWVuIiwKICAgICAgICAgICAgInVpLmFkdmlzb3J5LnRleHQiOiAiLy9VTkNMQVNTSUZJRUQvLyIsCiAgICAgICAgICAgICJ1aS5zeXN0ZW0ucHJlZmVyZW5jZXMuYWR2YW5jZWRzZWxlY3Rpb24iOiAgImFkdmFuY2VkIiwKICAgICAgICAgICAgInVpLnN5c3RlbS5wcmVmZXJlbmNlcy5yZWNvcmRzcGVyc2NyZWVuIjogIjEwMCIsCiAgICAgICAgICAgICJ1aS5zeXN0ZW0ucHJlZmVyZW5jZXMuc3RhcnRzY3JlZW4iOiAibmV0d29ya19tYXAiLAogICAgICAgICAgICAidWkudXNlcnMucmVkaXJlY3RzdXBlcnVzZXJzdG9hdXRoc3VtbWFyeSI6ICJ0cnVlIiwKICAgICAgICAgICAgImRucy5jYWNoZSI6ICJlbmFibGUiLAogICAgICAgICAgICAiY29uZmlnLmFsbG93LnJmYzM5MjciOiAiZW5hYmxlIiwKICAgICAgICAgICAgImJpZzNkLm1pbmltdW0udGxzLnZlcnNpb24iOiAiVExTVjEuMiIsCiAgICAgICAgICAgICJsaXZlaW5zdGFsbC5jaGVja3NpZyI6ICJlbmFibGUiCiAgICAgICAgfSwKICAgICAgICAiUmVtb3RlU3lzbG9nIjogewogICAgICAgICAgICAiY2xhc3MiOiAiU3lzbG9nUmVtb3RlU2VydmVyIiwKICAgICAgICAgICAgImhvc3QiOiAiMTAuOTAuMTAuMTAxIiwKICAgICAgICAgICAgImxvY2FsSXAiOiAiMTAuOTAuMS41IiwKICAgICAgICAgICAgInJlbW90ZVBvcnQiOiA1MTQKICAgICAgICAgIH0sCiAgICAgICAgInN5c3RlbSI6ewogICAgICAgICAgICAiY2xhc3MiOiAiU3lzdGVtIiwKICAgICAgICAgICAgImF1dG9DaGVjayI6IGZhbHNlLAogICAgICAgICAgICAiYXV0b1Bob25laG9tZSI6IGZhbHNlLAogICAgICAgICAgICAiY2xpSW5hY3Rpdml0eVRpbWVvdXQiOiA5MDAsCiAgICAgICAgICAgICJjb25zb2xlSW5hY3Rpdml0eVRpbWVvdXQiOiA5MDAsCiAgICAgICAgICAgICJndWlBdWRpdExvZyI6IHRydWUsCiAgICAgICAgICAgICJtY3BBdWRpdExvZyI6ICJlbmFibGUiLAogICAgICAgICAgICAidG1zaEF1ZGl0TG9nIjogdHJ1ZQogICAgICAgIH0sCiAgICAgICAgImh0dHBkIjogewogICAgICAgICAgICAiY2xhc3MiOiAiSFRUUEQiLAogICAgICAgICAgICAibWF4Q2xpZW50cyI6ICIxMCIsCiAgICAgICAgICAgICJhdXRoUGFtSWRsZVRpbWVvdXQiOiAiOTAwIiwKICAgICAgICAgICAgInNzbENpcGhlcnN1aXRlIjogWyJFQ0RIRS1FQ0RTQS1BRVMyNTYtR0NNLVNIQTM4NCIsICJFQ0RIRS1FQ0RTQS1BRVMyNTYtU0hBMzg0IiwgIkVDREhFLUVDRFNBLUFFUzI1Ni1TSEEiLCJFQ0RILUVDRFNBLUFFUzI1Ni1HQ00tU0hBMzg0IiwgIkVDREgtRUNEU0EtQUVTMjU2LVNIQTM4NCIsICJFQ0RILUVDRFNBLUFFUzI1Ni1TSEEiLCAiQUVTMjU2LUdDTS1TSEEzODQiLCAiQUVTMjU2LVNIQTI1NiIsICJBRVMyNTYtU0hBIiwgIkNBTUVMTElBMjU2LVNIQSIsICJFQ0RIRS1SU0EtQUVTMTI4LUdDTS1TSEEyNTYiLCAiRUNESEUtRUNEU0EtQUVTMTI4LUdDTS1TSEEyNTYiLCAiRUNESEUtRUNEU0EtQUVTMTI4LVNIQTI1NiIsICJFQ0RIRS1SU0EtQUVTMTI4LVNIQSIsICJFQ0RIRS1FQ0RTQS1BRVMxMjgtU0hBIiwgIkVDREgtRUNEU0EtQUVTMTI4LUdDTS1TSEEyNTYiLCAiRUNESC1FQ0RTQS1BRVMxMjgtU0hBMjU2IiwgIkVDREgtRUNEU0EtQUVTMTI4LVNIQSIsICJBRVMxMjgtR0NNLVNIQTI1NiIsICJBRVMxMjgtU0hBMjU2IiwgIkFFUzEyOC1TSEEiLCAiU0VFRC1TSEEiLCAiQ0FNRUxMSUExMjgtU0hBIl0sCiAgICAgICAgICAgICJzc2xQcm90b2NvbCI6ICJhbGwgLVNTTHYyIC1TU0x2MyAtVExTdjEiCiAgICAgICAgfSwKICAgICAgICAic3NoZCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlNTSEQiLAogICAgICAgICAgICAiYmFubmVyIjogIllvdSBhcmUgYWNjZXNzaW5nIGEgVS5TLiBHb3Zlcm5tZW50IChVU0cpIEluZm9ybWF0aW9uIFN5c3RlbSAoSVMpIHRoYXQgaXMgcHJvdmlkZWQgZm9yIFVTRy1hdXRob3JpemVkIHVzZSBvbmx5LiBCeSB1c2luZyB0aGlzIElTICh3aGljaCBpbmNsdWRlcyBhbnkgZGV2aWNlIGF0dGFjaGVkIHRvIHRoaXMgSVMpLCB5b3UgY29uc2VudCB0byB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6IFRoZSBVU0cgcm91dGluZWx5IGludGVyY2VwdHMgYW5kIG1vbml0b3JzIGNvbW11bmljYXRpb25zIG9uIHRoaXMgSVMgZm9yIHB1cnBvc2VzIGluY2x1ZGluZywgYnV0IG5vdCBsaW1pdGVkIHRvLCBwZW5ldHJhdGlvbiB0ZXN0aW5nLCBDT01TRUMgbW9uaXRvcmluZywgbmV0d29yayBvcGVyYXRpb25zIGFuZCBkZWZlbnNlLCBwZXJzb25uZWwgbWlzY29uZHVjdCAoUE0pLCBsYXcgZW5mb3JjZW1lbnQgKExFKSwgYW5kIGNvdW50ZXJpbnRlbGxpZ2VuY2UgKENJKSBpbnZlc3RpZ2F0aW9ucy4gQXQgYW55IHRpbWUsIHRoZSBVU0cgbWF5IGluc3BlY3QgYW5kIHNlaXplIGRhdGEgc3RvcmVkIG9uIHRoaXMgSVMuIENvbW11bmljYXRpb25zIHVzaW5nLCBvciBkYXRhIHN0b3JlZCBvbiwgdGhpcyBJUyBhcmUgbm90IHByaXZhdGUsIGFyZSBzdWJqZWN0IHRvIHJvdXRpbmUgbW9uaXRvcmluZywgaW50ZXJjZXB0aW9uLCBhbmQgc2VhcmNoLCBhbmQgbWF5IGJlIGRpc2Nsb3NlZCBvciB1c2VkIGZvciBhbnkgVVNHIGF1dGhvcml6ZWQgcHVycG9zZS4gVGhpcyBJUyBpbmNsdWRlcyBzZWN1cml0eSBtZWFzdXJlcyAoZS5nLiwgYXV0aGVudGljYXRpb24gYW5kIGFjY2VzcyBjb250cm9scykgdG8gcHJvdGVjdCBVU0cgaW50ZXJlc3RzLS1ub3QgZm9yIHlvdXIgcGVyc29uYWwgYmVuZWZpdCBvciBwcml2YWN5LiBOb3R3aXRoc3RhbmRpbmcgdGhlIGFib3ZlLCB1c2luZyB0aGlzIElTIGRvZXMgbm90IGNvbnN0aXR1dGUgY29uc2VudCB0byBQTSwgTEUgb3IgQ0kgaW52ZXN0aWdhdGl2ZSBzZWFyY2hpbmcgb3IgbW9uaXRvcmluZyBvZiB0aGUgY29udGVudCBvZiBwcml2aWxlZ2VkIGNvbW11bmljYXRpb25zLCBvciB3b3JrIHByb2R1Y3QsIHJlbGF0ZWQgdG8gcGVyc29uYWwgcmVwcmVzZW50YXRpb24gb3Igc2VydmljZXMgYnkgYXR0b3JuZXlzLCBwc3ljaG90aGVyYXBpc3RzLCBvciBjbGVyZ3ksIGFuZCB0aGVpciBhc3Npc3RhbnRzLiBTdWNoIGNvbW11bmljYXRpb25zIGFuZCB3b3JrIHByb2R1Y3QgYXJlIHByaXZhdGUgYW5kIGNvbmZpZGVudGlhbC4gU2VlIFVzZXIgQWdyZWVtZW50IGZvciBkZXRhaWxzLiIsCiAgICAgICAgICAgICJpbmFjdGl2aXR5VGltZW91dCI6IDkwMCwKICAgICAgICAgICAgImNpcGhlcnMiOiBbCiAgICAgICAgICAgICAgICAiYWVzMTI4LWN0ciIsCiAgICAgICAgICAgICAgICAiYWVzMTkyLWN0ciIsCiAgICAgICAgICAgICAgICAiYWVzMjU2LWN0ciIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgImxvZ2luR3JhY2VUaW1lIjogNjAsCiAgICAgICAgICAgICJNQUNTIjogWwogICAgICAgICAgICAgICAgImhtYWMtc2hhMSIsCiAgICAgICAgICAgICAgICAiaG1hYy1yaXBlbWQxNjAiCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJtYXhBdXRoVHJpZXMiOiAzLAogICAgICAgICAgICAibWF4U3RhcnR1cHMiOiAiNSIsCiAgICAgICAgICAgICJwcm90b2NvbCI6IDIKICAgICAgICB9LAogICAgICAgICJteURucyI6IHsKICAgICAgICAgICAgImNsYXNzIjogIkROUyIsCiAgICAgICAgICAgICJuYW1lU2VydmVycyI6IFsKICAgICAgICAgICAgICAgICIxNjguNjMuMTI5LjE2IiwKICAgICAgICAgICAgICAgICIyMDAxOjQ4NjA6NDg2MDo6ODg0NCIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgInNlYXJjaCI6IFsKICAgICAgICAgICAgICAgICJmNS5jb20iCiAgICAgICAgICAgIF0KICAgICAgICB9LAogICAgICAgICJteU50cCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIk5UUCIsCiAgICAgICAgICAgICJzZXJ2ZXJzIjogWwogICAgICAgICAgICAgICAgInRpbWUubmlzdC5nb3YiLAogICAgICAgICAgICAgICAgIjAucG9vbC5udHAub3JnIiwKICAgICAgICAgICAgICAgICIxLnBvb2wubnRwLm9yZyIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgInRpbWV6b25lIjogIlVUQyIKICAgICAgICB9LAogICAgICAgICJteVByb3Zpc2lvbmluZyI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlByb3Zpc2lvbiIsCiAgICAgICAgICAgICJsdG0iOiAibm9taW5hbCIsCiAgICAgICAgICAgICJhc20iOiAibm9taW5hbCIsCiAgICAgICAgICAgICJhZm0iOiAibm9taW5hbCIKICAgICAgICB9LAogICAgICAgICJleHRlcm5hbCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlZMQU4iLAogICAgICAgICAgICAidGFnIjogNDA5NCwKICAgICAgICAgICAgIm10dSI6IDE1MDAsCiAgICAgICAgICAgICJpbnRlcmZhY2VzIjogWwogICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICJuYW1lIjogIjEuMSIsCiAgICAgICAgICAgICAgICAgICAgInRhZ2dlZCI6IGZhbHNlCiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgIF0KICAgICAgICB9LAogICAgICAgICJpbnRlcm5hbCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlZMQU4iLAogICAgICAgICAgICAidGFnIjogNDA5MywKICAgICAgICAgICAgIm10dSI6IDE1MDAsCiAgICAgICAgICAgICJpbnRlcmZhY2VzIjogWwogICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICJuYW1lIjogIjEuMiIsCiAgICAgICAgICAgICAgICAgICAgInRhZ2dlZCI6IGZhbHNlCiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgIF0KICAgICAgICB9LAogICAgICAgICJleHRlcm5hbC1zZWxmIjogewogICAgICAgICAgICAiY2xhc3MiOiAiU2VsZklwIiwKICAgICAgICAgICAgImFkZHJlc3MiOiAiMTAuOTAuMS41LzI0IiwKICAgICAgICAgICAgInZsYW4iOiAiZXh0ZXJuYWwiLAogICAgICAgICAgICAiYWxsb3dTZXJ2aWNlIjogImRlZmF1bHQiLAogICAgICAgICAgICAidHJhZmZpY0dyb3VwIjogInRyYWZmaWMtZ3JvdXAtbG9jYWwtb25seSIKICAgICAgICB9LAogICAgICAgICJpbnRlcm5hbC1zZWxmIjogewogICAgICAgICAgICAiY2xhc3MiOiAiU2VsZklwIiwKICAgICAgICAgICAgImFkZHJlc3MiOiAiMTAuOTAuMi41LzI0IiwKICAgICAgICAgICAgInZsYW4iOiAiaW50ZXJuYWwiLAogICAgICAgICAgICAiYWxsb3dTZXJ2aWNlIjogImRlZmF1bHQiLAogICAgICAgICAgICAidHJhZmZpY0dyb3VwIjogInRyYWZmaWMtZ3JvdXAtbG9jYWwtb25seSIKICAgICAgICB9LAogICAgICAgICJpbnRlcm5ldCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlJvdXRlIiwKICAgICAgICAgICAgImd3IjogIjEwLjkwLjEuMSIsCiAgICAgICAgICAgICJuZXR3b3JrIjogImRlZmF1bHQiLAogICAgICAgICAgICAibXR1IjogMTUwMAogICAgICAgIH0sCiAgICAgICAgInZkbXMiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJSb3V0ZSIsCiAgICAgICAgICAgICJndyI6ICIxMC45MC4yLjEiLAogICAgICAgICAgICAibmV0d29yayI6ICIxMC45MC4zLjAvMjQiLAogICAgICAgICAgICAibXR1IjogMTUwMAogICAgICAgIH0sCiAgICAgICAgInZkc3MiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJSb3V0ZSIsCiAgICAgICAgICAgICJndyI6ICIxMC45MC4yLjEiLAogICAgICAgICAgICAibmV0d29yayI6ICIxMC45MC4wLjAvMTYiLAogICAgICAgICAgICAibXR1IjogMTUwMAogICAgICAgIH0sCiAgICAgICAgImNvbmZpZ3N5bmMiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJDb25maWdTeW5jIiwKICAgICAgICAgICAgImNvbmZpZ3N5bmNJcCI6ICIvQ29tbW9uL2V4dGVybmFsLXNlbGYvYWRkcmVzcyIKICAgICAgICB9LAogICAgICAgICJmYWlsb3ZlckFkZHJlc3MiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJGYWlsb3ZlclVuaWNhc3QiLAogICAgICAgICAgICAiYWRkcmVzcyI6ICIvQ29tbW9uL2V4dGVybmFsLXNlbGYvYWRkcmVzcyIKICAgICAgICB9LAogICAgICAgICJmYWlsb3Zlckdyb3VwIjogewogICAgICAgICAgICAiY2xhc3MiOiAiRGV2aWNlR3JvdXAiLAogICAgICAgICAgICAidHlwZSI6ICJzeW5jLWZhaWxvdmVyIiwKICAgICAgICAgICAgIm1lbWJlcnMiOiBbCiAgICAgICAgICAgICAgICAiZjV2bTAxLmV4YW1wbGUuY29tIiwKICAgICAgICAgICAgICAgICJmNXZtMDIuZXhhbXBsZS5jb20iCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJvd25lciI6ICIvQ29tbW9uL2ZhaWxvdmVyR3JvdXAvbWVtYmVycy8wIiwKICAgICAgICAgICAgImF1dG9TeW5jIjogdHJ1ZSwKICAgICAgICAgICAgInNhdmVPbkF1dG9TeW5jIjogZmFsc2UsCiAgICAgICAgICAgICJuZXR3b3JrRmFpbG92ZXIiOiB0cnVlLAogICAgICAgICAgICAiZnVsbExvYWRPblN5bmMiOiBmYWxzZSwKICAgICAgICAgICAgImFzbVN5bmMiOiB0cnVlCiAgICAgICAgfSwKICAgICAgICAidHJ1c3QiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJEZXZpY2VUcnVzdCIsCiAgICAgICAgICAgICJsb2NhbFVzZXJuYW1lIjogInhhZG1pbiIsCiAgICAgICAgICAgICJsb2NhbFBhc3N3b3JkIjogInBsZWFzZVVzZVZhdWx0MTIzISEiLAogICAgICAgICAgICAicmVtb3RlSG9zdCI6ICIxMC45MC4xLjQiLAogICAgICAgICAgICAicmVtb3RlVXNlcm5hbWUiOiAieGFkbWluIiwKICAgICAgICAgICAgInJlbW90ZVBhc3N3b3JkIjogInBsZWFzZVVzZVZhdWx0MTIzISEiCiAgICAgICAgfQogICAgfQp9CkVPRgpjYXQgPiAvY29uZmlnL2FzMy5qc29uIDw8RU9GCnsKICAgICIkc2NoZW1hIjogImh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9GNU5ldHdvcmtzL2Y1LWFwcHN2Y3MtZXh0ZW5zaW9uL21hc3Rlci9zY2hlbWEvbGF0ZXN0L2FzMy1zY2hlbWEuanNvbiIsCiAgICAiY2xhc3MiOiJBUzMiLAogICAgImFjdGlvbiI6ImRlcGxveSIsCiAgICAicGVyc2lzdCI6dHJ1ZSwKICAgICJkZWNsYXJhdGlvbiI6IHsgCiAgICAgICAgImNsYXNzIjogIkFEQyIsCiAgICAgICAgInNjaGVtYVZlcnNpb24iOiAiMy4xMi4wIiwKICAgICAgICAiaWQiOiAiMDVmYWViNTItNGMxYi05ZmEzLTczYmUtZWNkNzcwYTU3ZGYwIiwKICAgICAgICAibGFiZWwiOiAic2NjYSBiYXNlbGluZSIsCiAgICAgICAgInJlbWFyayI6ICJzY2NhIGJhc2VsaW5lIDMuMTIuMCIsCiAgICAgICAgIkNvbW1vbiI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlRlbmFudCIsCiAgICAgICAgICAgICJTaGFyZWQiOiB7CiAgICAgICAgICAgICAgICAiY2xhc3MiOiAiQXBwbGljYXRpb24iLAogICAgICAgICAgICAgICAgInRlbXBsYXRlIjogInNoYXJlZCIsCiAgICAgICAgICAgICAgICAiZndMb2dEZXN0aW5hdGlvblN5c2xvZyI6IHsKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiTG9nX0Rlc3RpbmF0aW9uIiwKICAgICAgICAgICAgICAgICAgICAidHlwZSI6ICJyZW1vdGUtc3lzbG9nIiwKICAgICAgICAgICAgICAgICAgICAicmVtb3RlSGlnaFNwZWVkTG9nIjogewogICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogImZ3TG9nRGVzdGluYXRpb25Ic2wiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAiZm9ybWF0IjogInJmYzU0MjQiCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgImZ3TG9nRGVzdGluYXRpb25Ic2wiOiB7CiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIkxvZ19EZXN0aW5hdGlvbiIsCiAgICAgICAgICAgICAgICAgICAgInR5cGUiOiAicmVtb3RlLWhpZ2gtc3BlZWQtbG9nIiwKICAgICAgICAgICAgICAgICAgICAicHJvdG9jb2wiOiAidGNwIiwKICAgICAgICAgICAgICAgICAgICAicG9vbCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgInVzZSI6ICJoc2xfcG9vbCIKICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgImhzbF9wb29sIjogewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJQb29sIiwKICAgICAgICAgICAgICAgICAgICAibWVtYmVycyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlcnZlckFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiMTAuOTAuMTAuMTAxIgogICAgICAgICAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJlbmFibGUiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlcnZpY2VQb3J0IjogNTE0CiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJtb25pdG9ycyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vdWRwIgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJmd0xvZ1B1Ymxpc2hlciI6IHsKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiTG9nX1B1Ymxpc2hlciIsCiAgICAgICAgICAgICAgICAgICAgImRlc3RpbmF0aW9ucyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgInVzZSI6ICJmd0xvZ0Rlc3RpbmF0aW9uU3lzbG9nIgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJmd1NlY3VyaXR5TG9nUHJvZmlsZSI6IHsKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiU2VjdXJpdHlfTG9nX1Byb2ZpbGUiLAogICAgICAgICAgICAgICAgICAgICJuZXR3b3JrIjogewogICAgICAgICAgICAgICAgICAgICAgICAicHVibGlzaGVyIjogewogICAgICAgICAgICAgICAgICAgICAgICAgICAgInVzZSI6ICJmd0xvZ1B1Ymxpc2hlciIKICAgICAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAgICAgInN0b3JhZ2VGb3JtYXQiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZmllbGRzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhY3Rpb24iLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJkZXN0LWlwIiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGVzdC1wb3J0IiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3JjLWlwIiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3JjLXBvcnQiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICBdCiAgICAgICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgICAgICJsb2dUcmFuc2xhdGlvbkZpZWxkcyI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgICAgICJsb2dUY3BFdmVudHMiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAibG9nUnVsZU1hdGNoUmVqZWN0cyI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgICAgICJsb2dUY3BFcnJvcnMiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAibG9nSXBFcnJvcnMiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAibG9nUnVsZU1hdGNoRHJvcHMiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAibG9nUnVsZU1hdGNoQWNjZXB0cyI6IHRydWUKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJhcHBsaWNhdGlvbiI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImZhY2lsaXR5IjogImxvY2FsMyIsCiAgICAgICAgICAgICAgICAgICAgICAgICJzdG9yYWdlRmlsdGVyIjogewogICAgICAgICAgICAgICAgICAgICAgICAgICAgInJlcXVlc3RUeXBlIjogImlsbGVnYWwtaW5jbHVkaW5nLXN0YWdlZC1zaWduYXR1cmVzIiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyZXNwb25zZUNvZGVzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICI0MDQiLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIyMDEiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInByb3RvY29scyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaHR0cCIKICAgICAgICAgICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaHR0cE1ldGhvZHMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlBBVENIIiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiREVMRVRFIgogICAgICAgICAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyZXF1ZXN0Q29udGFpbnMiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlYXJjaEluIjogInNlYXJjaC1pbi1yZXF1ZXN0IiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidmFsdWUiOiAiVGhlIG5ldyB2YWx1ZSIKICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAibG9naW5SZXN1bHRzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsb2dpbi1yZXN1bHQtdW5rbm93biIKICAgICAgICAgICAgICAgICAgICAgICAgICAgIF0KICAgICAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAgICAgInN0b3JhZ2VGb3JtYXQiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZmllbGRzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhdHRhY2tfdHlwZSIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImF2cl9pZCIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImhlYWRlcnMiLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpc190cnVuY2F0ZWQiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgImRlbGltaXRlciI6ICIuIgogICAgICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICAgICAibG9jYWxTdG9yYWdlIjogZmFsc2UsCiAgICAgICAgICAgICAgICAgICAgICAgICJtYXhFbnRyeUxlbmd0aCI6ICIxMGsiLAogICAgICAgICAgICAgICAgICAgICAgICAicHJvdG9jb2wiOiAidWRwIiwKICAgICAgICAgICAgICAgICAgICAgICAgInJlbW90ZVN0b3JhZ2UiOiAicmVtb3RlIiwKICAgICAgICAgICAgICAgICAgICAgICAgInJlcG9ydEFub21hbGllc0VuYWJsZWQiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAic2VydmVycyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYWRkcmVzcyI6ICIxMC45MC4xMC4xMDEiLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJwb3J0IjogIjUxNCIKICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgImRvc0FwcGxpY2F0aW9uIjogewogICAgICAgICAgICAgICAgICAgICAgICAicmVtb3RlUHVibGlzaGVyIjogewogICAgICAgICAgICAgICAgICAgICAgICAgICAgInVzZSI6ICJmd0xvZ1B1Ymxpc2hlciIKICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgImRvc05ldHdvcmsiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJwdWJsaXNoZXIiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogImZ3TG9nUHVibGlzaGVyIgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJleGFtcGxlX3Jlc3BvbnNlIjogewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJpUnVsZSIsCiAgICAgICAgICAgICAgICAgICAgImlSdWxlIjogIndoZW4gSFRUUF9SRVFVRVNUIHtcbiAgICBIVFRQOjpyZXNwb25kIDIwMCBjb250ZW50IHtcbiAgICAgICAgPGh0bWw+XG4gICAgICAgIDxoZWFkPlxuICAgICAgICA8dGl0bGU+SGVhbHRoIENoZWNrPC90aXRsZT5cbiAgICAgICAgPC9oZWFkPlxuICAgICAgICA8Ym9keT5cbiAgICAgICAgU3lzdGVtIGlzIG9ubGluZS5cbiAgICAgICAgPC9ib2R5PlxuICAgICAgICA8L2h0bWw+XG4gICAgICAgIH1cbn0iCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgInNjY2FCYXNlbGluZVdBRlBvbGljeSI6ewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJXQUZfUG9saWN5IiwKICAgICAgICAgICAgICAgICAgICAidXJsIjogImh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9mNWRldmNlbnRyYWwvZjUtYXNtLXBvbGljeS10ZW1wbGF0ZXMvbWFzdGVyL293YXNwX3JlYWR5X3RlbXBsYXRlL293YXNwLWF1dG8tdHVuZS12MS4xLnhtbCIsCiAgICAgICAgICAgICAgICAgICAgImlnbm9yZUNoYW5nZXMiOiBmYWxzZSwKICAgICAgICAgICAgICAgICJlbmZvcmNlbWVudE1vZGUiOiAidHJhbnNwYXJlbnQiCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgImNlcnRpZmljYXRlX2RlZmF1bHQiOiB7CiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIkNlcnRpZmljYXRlIiwKICAgICAgICAgICAgICAgICAgICAiY2VydGlmaWNhdGUiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJiaWdpcCI6ICIvQ29tbW9uL2RlZmF1bHQuY3J0IgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInByaXZhdGVLZXkiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJiaWdpcCI6ICIvQ29tbW9uL2RlZmF1bHQua2V5IgogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAic2NjYUJhc2VsaW5lQ2xpZW50U1NMIjogewogICAgICAgICAgICAgICAgICAgICJjZXJ0aWZpY2F0ZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJjZXJ0aWZpY2F0ZSI6ICJjZXJ0aWZpY2F0ZV9kZWZhdWx0IgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAiY2lwaGVycyI6ICJISUdIIiwKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiVExTX1NlcnZlciIKICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAic2NjYUJhc2VsaW5lQUZNUnVsZUxpc3QiOnsKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiRmlyZXdhbGxfUnVsZV9MaXN0IiwKICAgICAgICAgICAgICAgICAgICAicnVsZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhY3Rpb24iOiAiYWNjZXB0IiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuYW1lIjogImFsbG93X2FsbCIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAicHJvdG9jb2wiOiAiYW55IgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJzY2NhQmFzZWxpbmVBRk1Qb2xpY3kiOiB7CiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIkZpcmV3YWxsX1BvbGljeSIsCiAgICAgICAgICAgICAgICAgICAgInJ1bGVzIjogWwogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYWN0aW9uIjogImFjY2VwdCIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAibG9nZ2luZ0VuYWJsZWQiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgIm5hbWUiOiAiYWxsb3dfYWxsIiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJwcm90b2NvbCI6ICJhbnkiCiAgICAgICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhY3Rpb24iOiAiYWNjZXB0IiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsb2dnaW5nRW5hYmxlZCI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAibmFtZSI6ICJkZW55X2FsbCIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAicHJvdG9jb2wiOiAiYW55IgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJzY2NhQmFzZWxpbmVBRk1Qb2xpY3lIVFRQIjogewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJGaXJld2FsbF9Qb2xpY3kiLAogICAgICAgICAgICAgICAgICAgICJydWxlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgImFjdGlvbiI6ICJhY2NlcHQiLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgImxvZ2dpbmdFbmFibGVkIjogdHJ1ZSwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuYW1lIjogImFsbG93X2FsbCIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAicHJvdG9jb2wiOiAiYW55IgogICAgICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYWN0aW9uIjogImFjY2VwdCIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAibG9nZ2luZ0VuYWJsZWQiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgIm5hbWUiOiAiZGVueV9hbGwiLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInByb3RvY29sIjogImFueSIKICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIF0KICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgfQogICAgICAgIH0sCiAgICAgICAgInRyYW5zaXQiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJUZW5hbnQiLAogICAgICAgICAgICAidHJhbnNpdCI6IHsKICAgICAgICAgICAgICAgICJjbGFzcyI6ICJBcHBsaWNhdGlvbiIsCiAgICAgICAgICAgICAgICAidGVtcGxhdGUiOiAiZ2VuZXJpYyIsCiAgICAgICAgICAgICAgICAidHJhbnNpdF9mb3J3YXJkIjogewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJTZXJ2aWNlX0ZvcndhcmRpbmciLAogICAgICAgICAgICAgICAgICAgICJ2aXJ0dWFsQWRkcmVzc2VzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAgICAgIjAuMC4wLjAvMCIKICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJwcm9maWxlTDQiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJ1c2UiOiAicm91dGVfZnJpZW5kbHlfZmFzdGw0IgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInZpcnR1YWxQb3J0IjogMCwKICAgICAgICAgICAgICAgICAgICAiZm9yd2FyZGluZ1R5cGUiOiAiaXAiLAogICAgICAgICAgICAgICAgICAgICJsYXllcjQiOiAiYW55IiwKICAgICAgICAgICAgICAgICAgICAic25hdCI6ICJhdXRvIiwKICAgICAgICAgICAgICAgICAgICAidHJhbnNsYXRlU2VydmVyQWRkcmVzcyI6IGZhbHNlLAogICAgICAgICAgICAgICAgICAgICJ0cmFuc2xhdGVTZXJ2ZXJQb3J0IjogZmFsc2UsCiAgICAgICAgICAgICAgICAgICAgInRyYW5zbGF0ZUNsaWVudFBvcnQiOiAicHJlc2VydmUtc3RyaWN0IgogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJyb3V0ZV9mcmllbmRseV9mYXN0bDQiOiB7CiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIkw0X1Byb2ZpbGUiLAogICAgICAgICAgICAgICAgICAgICJpZGxlVGltZW91dCI6IDMwMCwKICAgICAgICAgICAgICAgICAgICAibG9vc2VDbG9zZSI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgImxvb3NlSW5pdGlhbGl6YXRpb24iOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICJyZXNldE9uVGltZW91dCI6IGZhbHNlCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgInRyYW5zaXRfaGVhbHRoX2lydWxlIjogewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJpUnVsZSIsCiAgICAgICAgICAgICAgICAgICAgImlSdWxlIjogIndoZW4gSFRUUF9SRVFVRVNUIHtcbiAgICBIVFRQOjpyZXNwb25kIDIwMCBjb250ZW50IHtcbiAgICAgICAgPGh0bWw+XG4gICAgICAgIDxoZWFkPlxuICAgICAgICA8dGl0bGU+SGVhbHRoIENoZWNrPC90aXRsZT5cbiAgICAgICAgPC9oZWFkPlxuICAgICAgICA8Ym9keT5cbiAgICAgICAgU3lzdGVtIGlzIG9ubGluZS5cbiAgICAgICAgPC9ib2R5PlxuICAgICAgICA8L2h0bWw+XG4gICAgICAgIH1cbn0iCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgInRyYW5zaXRfaGVhbHRoIjogewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJTZXJ2aWNlX0hUVFAiLAogICAgICAgICAgICAgICAgICAgICJsYXllcjQiOiAidGNwIiwKICAgICAgICAgICAgICAgICAgICAiaVJ1bGVzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAidHJhbnNpdF9oZWFsdGhfaXJ1bGUiCiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAicHJvZmlsZUhUVFAiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJiaWdpcCI6ICIvQ29tbW9uL2h0dHAiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAicHJvZmlsZVRDUCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vdGNwIgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInZpcnR1YWxBZGRyZXNzZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgICIxMC45MC4yLjExIiwKICAgICAgICAgICAgICAgICAgICAgICAgIjEwLjkwLjIuMTIiCiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAidmlydHVhbFBvcnQiOiAzNDU2OCwKICAgICAgICAgICAgICAgICAgICAic25hdCI6ICJub25lIgogICAgICAgICAgICAgICAgfQogICAgICAgICAgICB9CiAgICAgICAgfSwKICAgICAgICAibWdtdCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlRlbmFudCIsCiAgICAgICAgICAgICJhZG1pbiI6IHsKICAgICAgICAgICAgICAgICJjbGFzcyI6ICJBcHBsaWNhdGlvbiIsCiAgICAgICAgICAgICAgICAidGVtcGxhdGUiOiAiZ2VuZXJpYyIsCiAgICAgICAgICAgICAgICAicmRwX3Bvb2wiOiB7CiAgICAgICAgICAgICAgICAgICAgIm1lbWJlcnMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhZGRyZXNzRGlzY292ZXJ5IjogInN0YXRpYyIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAic2VydmljZVBvcnQiOiAzMzg5LAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlcnZlckFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiMTAuOTAuMy45OCIKICAgICAgICAgICAgICAgICAgICAgICAgICAgIF0KICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgIm1vbml0b3JzIjogWwogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi90Y3BfaGFsZl9vcGVuIgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiUG9vbCIKICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAic3NoX3Bvb2wiOiB7CiAgICAgICAgICAgICAgICAgICAgIm1lbWJlcnMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhZGRyZXNzRGlzY292ZXJ5IjogInN0YXRpYyIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAic2VydmljZVBvcnQiOiAyMiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJzZXJ2ZXJBZGRyZXNzZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIjEwLjkwLjMuOTkiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICBdCiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJtb25pdG9ycyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vdGNwX2hhbGZfb3BlbiIKICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIlBvb2wiCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgIm1nbXRfaGVhbHRoX2lydWxlIjogewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJpUnVsZSIsCiAgICAgICAgICAgICAgICAgICAgImlSdWxlIjogIndoZW4gSFRUUF9SRVFVRVNUIHtcbiAgICBIVFRQOjpyZXNwb25kIDIwMCBjb250ZW50IHtcbiAgICAgICAgPGh0bWw+XG4gICAgICAgIDxoZWFkPlxuICAgICAgICA8dGl0bGU+SGVhbHRoIENoZWNrPC90aXRsZT5cbiAgICAgICAgPC9oZWFkPlxuICAgICAgICA8Ym9keT5cbiAgICAgICAgU3lzdGVtIGlzIG9ubGluZS5cbiAgICAgICAgPC9ib2R5PlxuICAgICAgICA8L2h0bWw+XG4gICAgICAgIH1cbn0iCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgIm1nbXRfaHR0cCI6IHsKICAgICAgICAgICAgICAgICAgICAicG9saWN5RmlyZXdhbGxFbmZvcmNlZCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgInVzZSI6ICIvQ29tbW9uL1NoYXJlZC9zY2NhQmFzZWxpbmVBRk1Qb2xpY3kiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAibGF5ZXI0IjogInRjcCIsCiAgICAgICAgICAgICAgICAgICAgImlSdWxlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgIm1nbXRfaGVhbHRoX2lydWxlIgogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgInNlY3VyaXR5TG9nUHJvZmlsZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1c2UiOiAiL0NvbW1vbi9TaGFyZWQvZndTZWN1cml0eUxvZ1Byb2ZpbGUiCiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJ0cmFuc2xhdGVTZXJ2ZXJBZGRyZXNzIjogdHJ1ZSwKICAgICAgICAgICAgICAgICAgICAidHJhbnNsYXRlU2VydmVyUG9ydCI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIlNlcnZpY2VfSFRUUCIsCiAgICAgICAgICAgICAgICAgICAgInByb2ZpbGVET1MiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJiaWdpcCI6ICIvQ29tbW9uL2RvcyIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJwcm9maWxlSFRUUCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vaHR0cCIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJwcm9maWxlVENQIjogewogICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi90Y3AiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAidmlydHVhbEFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgIjEwLjkwLjEuMTEiLAogICAgICAgICAgICAgICAgICAgICAgICAiMTAuOTAuMS4xMiIKICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJ2aXJ0dWFsUG9ydCI6IDgwLAogICAgICAgICAgICAgICAgICAgICJzbmF0IjogIm5vbmUiCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgIm1nbXRfcmRwIjogewogICAgICAgICAgICAgICAgICAgICJwb2xpY3lGaXJld2FsbEVuZm9yY2VkIjogewogICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogIi9Db21tb24vU2hhcmVkL3NjY2FCYXNlbGluZUFGTVBvbGljeSIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJsYXllcjQiOiAidGNwIiwKICAgICAgICAgICAgICAgICAgICAicG9vbCI6ICJyZHBfcG9vbCIsCiAgICAgICAgICAgICAgICAgICAgInNlY3VyaXR5TG9nUHJvZmlsZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1c2UiOiAiL0NvbW1vbi9TaGFyZWQvZndTZWN1cml0eUxvZ1Byb2ZpbGUiCiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJ0cmFuc2xhdGVTZXJ2ZXJBZGRyZXNzIjogdHJ1ZSwKICAgICAgICAgICAgICAgICAgICAidHJhbnNsYXRlU2VydmVyUG9ydCI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIlNlcnZpY2VfVENQIiwKICAgICAgICAgICAgICAgICAgICAicHJvZmlsZVRDUCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vdGNwIgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInZpcnR1YWxBZGRyZXNzZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgICIxMC45MC4xLjExIiwKICAgICAgICAgICAgICAgICAgICAgICAgIjEwLjkwLjEuMTIiCiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAidmlydHVhbFBvcnQiOiAzMzg5LAogICAgICAgICAgICAgICAgICAgICJzbmF0IjogImF1dG8iCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgIm1nbXRfc3NoIjogewogICAgICAgICAgICAgICAgICAgICJwb2xpY3lGaXJld2FsbEVuZm9yY2VkIjogewogICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogIi9Db21tb24vU2hhcmVkL3NjY2FCYXNlbGluZUFGTVBvbGljeSIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJsYXllcjQiOiAidGNwIiwKICAgICAgICAgICAgICAgICAgICAicG9vbCI6ICJzc2hfcG9vbCIsCiAgICAgICAgICAgICAgICAgICAgInNlY3VyaXR5TG9nUHJvZmlsZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1c2UiOiAiL0NvbW1vbi9TaGFyZWQvZndTZWN1cml0eUxvZ1Byb2ZpbGUiCiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJ0cmFuc2xhdGVTZXJ2ZXJBZGRyZXNzIjogdHJ1ZSwKICAgICAgICAgICAgICAgICAgICAidHJhbnNsYXRlU2VydmVyUG9ydCI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIlNlcnZpY2VfVENQIiwKICAgICAgICAgICAgICAgICAgICAicHJvZmlsZURPUyI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vZG9zIgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInByb2ZpbGVUQ1AiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJiaWdpcCI6ICIvQ29tbW9uL3RjcCIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJ2aXJ0dWFsQWRkcmVzc2VzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAiMTAuOTAuMS4xMSIsCiAgICAgICAgICAgICAgICAgICAgICAgICIxMC45MC4xLjEyIgogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgInZpcnR1YWxQb3J0IjogMjIsCiAgICAgICAgICAgICAgICAgICAgInNuYXQiOiAiYXV0byIKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgfQogICAgICAgIH0sICAgIAogICAgICAgICJFeGFtcGxlIjogewogICAgICAgICAgICAiY2xhc3MiOiAiVGVuYW50IiwKICAgICAgICAgICAgImV4YW1wbGVBcHAiOiB7CiAgICAgICAgICAgICAgICAiY2xhc3MiOiAiQXBwbGljYXRpb24iLAogICAgICAgICAgICAgICAgInRlbXBsYXRlIjogImdlbmVyaWMiLAogICAgICAgICAgICAgICAgInNjY2FCYXNlbGluZUV4YW1wbGVJUFMiOiB7CiAgICAgICAgICAgICAgICAgICAgInBvbGljeUZpcmV3YWxsRW5mb3JjZWQiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJ1c2UiOiAiL0NvbW1vbi9TaGFyZWQvc2NjYUJhc2VsaW5lQUZNUG9saWN5IgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgImxheWVyNCI6ICJ0Y3AiLAogICAgICAgICAgICAgICAgICAgICJzZWN1cml0eUxvZ1Byb2ZpbGVzIjogWwogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogIi9Db21tb24vU2hhcmVkL2Z3U2VjdXJpdHlMb2dQcm9maWxlIgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAidHJhbnNsYXRlU2VydmVyQWRkcmVzcyI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgInRyYW5zbGF0ZVNlcnZlclBvcnQiOiBmYWxzZSwKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiU2VydmljZV9UQ1AiLAogICAgICAgICAgICAgICAgICAgICJwcm9maWxlRE9TIjogewogICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi9kb3MiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAicHJvZmlsZUhUVFAiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJiaWdpcCI6ICIvQ29tbW9uL2h0dHAiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAicHJvZmlsZVRDUCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vdGNwIgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInZpcnR1YWxBZGRyZXNzZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgICIxMC45MC4xLjAvMjQiCiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAidmlydHVhbFBvcnQiOiAwLAogICAgICAgICAgICAgICAgICAgICJzbmF0IjogImF1dG8iLAogICAgICAgICAgICAgICAgICAgICJwb29sIjogInNjY2FCYXNlbGluZUlQU1Bvb2wiCiAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgInNjY2FCYXNlbGluZUV4YW1wbGVIVFRQUyI6IHsKICAgICAgICAgICAgICAgICAgICAicG9saWN5RmlyZXdhbGxFbmZvcmNlZCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgInVzZSI6ICIvQ29tbW9uL1NoYXJlZC9zY2NhQmFzZWxpbmVBRk1Qb2xpY3lIVFRQIgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgImxheWVyNCI6ICJ0Y3AiLAogICAgICAgICAgICAgICAgICAgICJzZWN1cml0eUxvZ1Byb2ZpbGVzIjogWwogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogIi9Db21tb24vU2hhcmVkL2Z3U2VjdXJpdHlMb2dQcm9maWxlIgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAidHJhbnNsYXRlU2VydmVyQWRkcmVzcyI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgInRyYW5zbGF0ZVNlcnZlclBvcnQiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJTZXJ2aWNlX0hUVFBTIiwKICAgICAgICAgICAgICAgICAgICAicHJvZmlsZURPUyI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vZG9zIgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInByb2ZpbGVIVFRQIjogewogICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi9odHRwIgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInNlcnZlclRMUyI6ICIvQ29tbW9uL1NoYXJlZC9zY2NhQmFzZWxpbmVDbGllbnRTU0wiLAogICAgICAgICAgICAgICAgICAgICJwcm9maWxlVENQIjogewogICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi90Y3AiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAidmlydHVhbEFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgIjEwLjkwLjEuMC8yNCIKICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJ2aXJ0dWFsUG9ydCI6IDQ0MywKICAgICAgICAgICAgICAgICAgICAic25hdCI6ICJhdXRvIiwKICAgICAgICAgICAgICAgICAgICAicG9saWN5V0FGIjogewogICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogIi9Db21tb24vU2hhcmVkL3NjY2FCYXNlbGluZVdBRlBvbGljeSIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJwb29sIjogInNjY2FCYXNlbGluZUp1aWNlU2hvcCIKICAgICAgICAgICAgICAgIH0sICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgInNjY2FCYXNlbGluZUV4YW1wbGVIVFRQIjogewogICAgICAgICAgICAgICAgICAgICJwb2xpY3lGaXJld2FsbEVuZm9yY2VkIjogewogICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogIi9Db21tb24vU2hhcmVkL3NjY2FCYXNlbGluZUFGTVBvbGljeUhUVFAiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAibGF5ZXI0IjogInRjcCIsCiAgICAgICAgICAgICAgICAgICAgInNlY3VyaXR5TG9nUHJvZmlsZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1c2UiOiAiL0NvbW1vbi9TaGFyZWQvZndTZWN1cml0eUxvZ1Byb2ZpbGUiCiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJ0cmFuc2xhdGVTZXJ2ZXJBZGRyZXNzIjogdHJ1ZSwKICAgICAgICAgICAgICAgICAgICAidHJhbnNsYXRlU2VydmVyUG9ydCI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIlNlcnZpY2VfSFRUUCIsCiAgICAgICAgICAgICAgICAgICAgInByb2ZpbGVET1MiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJiaWdpcCI6ICIvQ29tbW9uL2RvcyIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJwcm9maWxlSFRUUCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vaHR0cCIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJwcm9maWxlVENQIjogewogICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi90Y3AiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAidmlydHVhbEFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgIjEwLjkwLjEuMC8yNCIKICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJ2aXJ0dWFsUG9ydCI6IDgwODAsCiAgICAgICAgICAgICAgICAgICAgInNuYXQiOiAiYXV0byIsCiAgICAgICAgICAgICAgICAgICAgInBvbGljeVdBRiI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgInVzZSI6ICIvQ29tbW9uL1NoYXJlZC9zY2NhQmFzZWxpbmVXQUZQb2xpY3kiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAicG9vbCI6ICJzY2NhQmFzZWxpbmVQaW1wTXlMb2dzIgogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJzY2NhQmFzZWxpbmVJUFNQb29sIjogewogICAgICAgICAgICAgICAgICAgICJtZW1iZXJzIjogWwogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYWRkcmVzc0Rpc2NvdmVyeSI6ICJzdGF0aWMiLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlcnZpY2VQb3J0IjogNDQzLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlcnZlckFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiMTAuOTAuMTAuMTAxIgogICAgICAgICAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiUG9vbCIKICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAic2NjYUJhc2VsaW5lSnVpY2VTaG9wIjogewogICAgICAgICAgICAgICAgICAgICJtb25pdG9ycyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vaHR0cCIKICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgIm1lbWJlcnMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhZGRyZXNzRGlzY292ZXJ5IjogInN0YXRpYyIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAic2VydmljZVBvcnQiOiAzMDAwLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlcnZlckFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiMTAuOTAuMTAuMTAxIgogICAgICAgICAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiUG9vbCIKICAgICAgICAgICAgICAgIH0sCgogICAgICAgICAgICAgICAgInNjY2FCYXNlbGluZVBpbXBNeUxvZ3MiOiB7CiAgICAgICAgICAgICAgICAgICAgIm1vbml0b3JzIjogWwogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi9odHRwIgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAibWVtYmVycyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgImFkZHJlc3NEaXNjb3ZlcnkiOiAic3RhdGljIiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJzZXJ2aWNlUG9ydCI6IDgwODAsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAic2VydmVyQWRkcmVzc2VzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIxMC45MC4xMC4xMDEiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICBdCiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJQb29sIgogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJzY2NhQmFzZWxpbmVEZW1vQXBwSHR0cHMiOiB7CiAgICAgICAgICAgICAgICAgICAgIm1vbml0b3JzIjogWwogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi9odHRwcyIKICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgIm1lbWJlcnMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhZGRyZXNzRGlzY292ZXJ5IjogInN0YXRpYyIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAic2VydmljZVBvcnQiOjQ0MywKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJzZXJ2ZXJBZGRyZXNzZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIjEwLjkwLjEwLjEwMSIKICAgICAgICAgICAgICAgICAgICAgICAgICAgIF0KICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIlBvb2wiCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgInNjY2FCYXNlbGluZURlbW9BcHBIdHRwIjogewogICAgICAgICAgICAgICAgICAgICJtb25pdG9ycyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vaHR0cCIKICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgIm1lbWJlcnMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhZGRyZXNzRGlzY292ZXJ5IjogInN0YXRpYyIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAic2VydmljZVBvcnQiOjgwLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlcnZlckFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiMTAuOTAuMTAuMTAxIgogICAgICAgICAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiUG9vbCIKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgfQogICAgfQogICAgfQp9CkVPRgoKRE9fQk9EWV8wMT0iL2NvbmZpZy9kbzEuanNvbiIKRE9fQk9EWV8wMj0iL2NvbmZpZy9kbzIuanNvbiIKQVMzX0JPRFk9Ii9jb25maWcvYXMzLmpzb24iCgpET19VUkxfUE9TVD0iL21nbXQvc2hhcmVkL2RlY2xhcmF0aXZlLW9uYm9hcmRpbmciCkFTM19VUkxfUE9TVD0iL21nbXQvc2hhcmVkL2FwcHN2Y3MvZGVjbGFyZSIKIyBCSUctSVBTIE9OQk9BUkQgU0NSSVBUCgoKaWYgWyAhIC1lICRMT0dfRklMRSBdCnRoZW4KICAgICB0b3VjaCAkTE9HX0ZJTEUKICAgICBleGVjICY+PiRMT0dfRklMRQplbHNlCiAgICAjaWYgZmlsZSBleGlzdHMsIGV4aXQgYXMgb25seSB3YW50IHRvIHJ1biBvbmNlCiAgICBleGl0CmZpCgpleGVjIDE+JExPR19GSUxFIDI+JjEKCnN0YXJ0VGltZT0kKGRhdGUgKyVzKQplY2hvICJzdGFydCBkZXZpY2UgSUQ6JGRldmljZUlkIGRhdGU6ICQoZGF0ZSkiCmZ1bmN0aW9uIHRpbWVyICgpIHsKICAgIGVjaG8gIlRpbWUgRWxhcHNlZDogJCgoIDEgLyAzNjAwICkpaCAkKCggKDEgLyA2MCkgJSA2MCApKW0gJCgoIDEgJSA2MCApKXMiCn0Kd2FpdE1jcGQgKCkgewpjaGVja3M9MAp3aGlsZSBbWyAiJGNoZWNrcyIgLWx0IDEyMCBdXTsgZG8KICAgIHRtc2ggLWEgc2hvdyBzeXMgbWNwLXN0YXRlIGZpZWxkLWZtdCB8IGdyZXAgLXEgcnVubmluZwogICBpZiBbICQ/ID09IDAgXTsgdGhlbgogICAgICAgZWNobyAiW0lORk86IG1jcGQgcmVhZHldIgogICAgICAgYnJlYWsKICAgZmkKICAgZWNobyAiW1dBUk46IG1jcGQgbm90IHJlYWR5IHlldF0iCiAgIGxldCBjaGVja3M9Y2hlY2tzKzEKICAgc2xlZXAgMTAKZG9uZQp9CndhaXRBY3RpdmUgKCkgewpjaGVja3M9MAp3aGlsZSBbWyAiJGNoZWNrcyIgLWx0IDMwIF1dOyBkbwogICAgdG1zaCAtYSBzaG93IHN5cyByZWFkeSB8IGdyZXAgLXEgbm8KICAgaWYgWyAkPyA9PSAxIF07IHRoZW4KICAgICAgIGVjaG8gIltJTkZPOiBzeXN0ZW0gcmVhZHldIgogICAgICAgYnJlYWsKICAgZmkKICAgZWNobyAiW1dBUk46IHN5c3RlbSBub3QgcmVhZHkgeWV0IGNvdW50OiAkY2hlY2tzXSIKICAgdG1zaCAtYSBzaG93IHN5cyByZWFkeSB8IGdyZXAgbm8KICAgbGV0IGNoZWNrcz1jaGVja3MrMQogICBzbGVlcCAxMApkb25lCn0KIyBDSEVDSyBUTyBTRUUgTkVUV09SSyBJUyBSRUFEWQpjb3VudD0wCndoaWxlIHRydWUKZG8KICBTVEFUVVM9JChjdXJsIC1zIC1rIC1JIGV4YW1wbGUuY29tIHwgZ3JlcCBIVFRQKQogIGlmIFtbICRTVEFUVVMgPT0gKiIyMDAiKiBdXTsgdGhlbgogICAgZWNobyAiW0lORk86IGludGVybmV0IGFjY2VzcyBjaGVjayBwYXNzZWRdIgogICAgYnJlYWsKICBlbGlmIFsgJGNvdW50IC1sZSA2IF07IHRoZW4KICAgIGVjaG8gIlN0YXR1cyBjb2RlOiAkU1RBVFVTICBOb3QgZG9uZSB5ZXQuLi4iCiAgICBjb3VudD0kWyRjb3VudCsxXQogIGVsc2UKICAgIGVjaG8gIltXQVJOOiBHSVZFIFVQLi4uXSIKICAgIGJyZWFrCiAgZmkKICBzbGVlcCAxMApkb25lCiMgZG93bmxvYWQgbGF0ZXN0IGF0YyB0b29scwp0b29sc0xpc3Q9JChjYXQgLTw8RU9GCnsKICAidG9vbHMiOiBbCiAgICAgIHsKICAgICAgICAibmFtZSI6ICJmNS1kZWNsYXJhdGl2ZS1vbmJvYXJkaW5nIiwKICAgICAgICAidmVyc2lvbiI6ICJsYXRlc3QiLAogICAgICAgICJ1cmwiOiAiaHR0cHM6Ly9leGFtcGxlLmRvbWFpbi5jb20vZG8uanNvbiIKICAgICAgfSwKICAgICAgewogICAgICAgICJuYW1lIjogImY1LWFwcHN2Y3MtZXh0ZW5zaW9uIiwKICAgICAgICAidmVyc2lvbiI6ICJsYXRlc3QiLAogICAgICAgICJ1cmwiOiAiaHR0cHM6Ly9leGFtcGxlLmRvbWFpbi5jb20vYXMzLmpzb24iCiAgICAgIH0sCiAgICAgIHsKICAgICAgICAibmFtZSI6ICJmNS10ZWxlbWV0cnktc3RyZWFtaW5nIiwKICAgICAgICAidmVyc2lvbiI6ICJsYXRlc3QiLAogICAgICAgICJ1cmwiOiAiaHR0cHM6Ly9leGFtcGxlLmRvbWFpbi5jb20vdHMuanNvbiIKICAgICAgfSwKICAgICAgewogICAgICAgICJuYW1lIjogImY1LWNsb3VkLWZhaWxvdmVyLWV4dGVuc2lvbiIsCiAgICAgICAgInZlcnNpb24iOiAibGF0ZXN0IiwKICAgICAgICAidXJsIjogImh0dHBzOi8vZXhhbXBsZS5kb21haW4uY29tL2NmLmpzb24iCiAgICAgIH0sCiAgICAgIHsKICAgICAgICAibmFtZSI6ICJmNS1hcHBzdmNzLXRlbXBsYXRlcyIsCiAgICAgICAgInZlcnNpb24iOiAiMS4wLjAiLAogICAgICAgICJ1cmwiOiAiaHR0cHM6Ly9leGFtcGxlLmRvbWFpbi5jb20vY2YuanNvbiIKICAgICAgfQogIF0KfQpFT0YKKQpmdW5jdGlvbiBnZXRBdGMgKCkgewphdGM9JChlY2hvICR0b29sc0xpc3QgfCBqcSAtciAudG9vbHNbXS5uYW1lKQpmb3IgdG9vbCBpbiAkYXRjCmRvCiAgICB2ZXJzaW9uPSQoZWNobyAkdG9vbHNMaXN0IHwganEgLXIgIi50b29sc1tdfCBzZWxlY3QoLm5hbWV8IGNvbnRhaW5zIChcIiR0b29sXCIpKS52ZXJzaW9uIikKICAgIGlmIFsgJHZlcnNpb24gPT0gImxhdGVzdCIgXTsgdGhlbgogICAgICAgIHBhdGg9JycKICAgIGVsc2UKICAgICAgICBwYXRoPSd0YWdzL3YnCiAgICBmaQogICAgZWNobyAiZG93bmxvYWRpbmcgJHRvb2wsICR2ZXJzaW9uIgogICAgaWYgWyAkdG9vbCA9PSAiZjUtbmV3LXRvb2wiIF07IHRoZW4KICAgICAgICBmaWxlcz0kKC91c3IvYmluL2N1cmwgLXNrIC0taW50ZXJmYWNlIG1nbXQgaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9mNWRldmNlbnRyYWwvJHRvb2wvcmVsZWFzZXMvJHBhdGgkdmVyc2lvbiB8IGpxIC1yICcuYXNzZXRzW10gfCBzZWxlY3QoLm5hbWUgfCBjb250YWlucyAoIi5ycG0iKSkgfCAuYnJvd3Nlcl9kb3dubG9hZF91cmwnKQogICAgZWxzZQogICAgICAgIGZpbGVzPSQoL3Vzci9iaW4vY3VybCAtc2sgLS1pbnRlcmZhY2UgbWdtdCBodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL0Y1TmV0d29ya3MvJHRvb2wvcmVsZWFzZXMvJHBhdGgkdmVyc2lvbiB8IGpxIC1yICcuYXNzZXRzW10gfCBzZWxlY3QoLm5hbWUgfCBjb250YWlucyAoIi5ycG0iKSkgfCAuYnJvd3Nlcl9kb3dubG9hZF91cmwnKQogICAgZmkKICAgIGZvciBmaWxlIGluICRmaWxlcwogICAgZG8KICAgIGVjaG8gImRvd25sb2FkOiAkZmlsZSIKICAgIG5hbWU9JChiYXNlbmFtZSAkZmlsZSApCiAgICAjIG1ha2UgZG93bmxvYWQgZGlyCiAgICBta2RpciAtcCAvdmFyL2NvbmZpZy9yZXN0L2Rvd25sb2FkcwogICAgcmVzdWx0PSQoL3Vzci9iaW4vY3VybCAtTHNrICAkZmlsZSAtbyAvdmFyL2NvbmZpZy9yZXN0L2Rvd25sb2Fkcy8kbmFtZSkKICAgIGRvbmUKZG9uZQp9CmVjaG8gIi0tLS1kb3dubG9hZCBBVEMgdG9vbHMtLS0tIgpnZXRBdGMKCiMgaW5zdGFsbCBhdGMgdG9vbHMKZWNobyAiLS0tLWluc3RhbGwgQVRDIHRvb2xzLS0tLSIKcnBtcz0kKGZpbmQgJHJwbUZpbGVQYXRoIC1uYW1lICIqLnJwbSIgLXR5cGUgZikKZm9yIHJwbSBpbiAkcnBtcwpkbwogIGZpbGVuYW1lPSQoYmFzZW5hbWUgJHJwbSkKICBlY2hvICJpbnN0YWxsaW5nICRmaWxlbmFtZSIKICBpZiBbIC1mICRycG1GaWxlUGF0aC8kZmlsZW5hbWUgXTsgdGhlbgogICAgIHBvc3RCb2R5PSJ7XCJvcGVyYXRpb25cIjpcIklOU1RBTExcIixcInBhY2thZ2VGaWxlUGF0aFwiOlwiJHJwbUZpbGVQYXRoLyRmaWxlbmFtZVwifSIKICAgICB3aGlsZSB0cnVlCiAgICAgZG8KICAgICAgICBpYXBwQXBpU3RhdHVzPSQoY3VybCAtcyAtaSAtdSAiJENSRURTIiAgJGxvY2FsX2hvc3QkcnBtSW5zdGFsbFVybCB8IGdyZXAgSFRUUCB8IGF3ayAne3ByaW50ICQyfScpCiAgICAgICAgY2FzZSAkaWFwcEFwaVN0YXR1cyBpbgogICAgICAgICAgICA0MDQpCiAgICAgICAgICAgICAgICBlY2hvICJbV0FSTjogYXBpIG5vdCByZWFkeSBzdGF0dXM6ICRpYXBwQXBpU3RhdHVzXSIKICAgICAgICAgICAgICAgIHNsZWVwIDIKICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgIDIwMCkKICAgICAgICAgICAgICAgIGVjaG8gIltJTkZPOiBhcGkgcmVhZHkgc3RhcnRpbmcgaW5zdGFsbCB0YXNrICRmaWxlbmFtZV0iCiAgICAgICAgICAgICAgICBpbnN0YWxsPSQocmVzdGN1cmwgLXMgLXUgIiRDUkVEUyIgLVggUE9TVCAtZCAkcG9zdEJvZHkgJHJwbUluc3RhbGxVcmwgfCBqcSAtciAuaWQgKQogICAgICAgICAgICAgICAgYnJlYWsKICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgICAgKikKICAgICAgICAgICAgICAgIGVjaG8gIltXQVJOOiBhcGkgZXJyb3Igb3RoZXIgc3RhdHVzOiAkaWFwcEFwaVN0YXR1c10iCiAgICAgICAgICAgICAgICBkZWJ1Zz0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiICRycG1JbnN0YWxsVXJsKQogICAgICAgICAgICAgICAgI2VjaG8gImlwcCBpbnN0YWxsIGRlYnVnOiAkZGVidWciCiAgICAgICAgICAgICAgICA7OwogICAgICAgIGVzYWMKICAgIGRvbmUKICBlbHNlCiAgICBlY2hvICJbV0FSTjogZmlsZTogJGZpbGVuYW1lIG5vdCBmb3VuZF0iCiAgZmkKICB3aGlsZSB0cnVlCiAgZG8KICAgIHN0YXR1cz0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiICRycG1JbnN0YWxsVXJsLyRpbnN0YWxsIHwganEgLXIgLnN0YXR1cykKICAgIGNhc2UgJHN0YXR1cyBpbgogICAgICAgIEZJTklTSEVEKQogICAgICAgICAgICAjIGZpbmlzaGVkCiAgICAgICAgICAgIGVjaG8gIiBycG06ICRmaWxlbmFtZSB0YXNrOiAkaW5zdGFsbCBzdGF0dXM6ICRzdGF0dXMiCiAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgIDs7CiAgICAgICAgU1RBUlRFRCkKICAgICAgICAgICAgIyBzdGFydGVkCiAgICAgICAgICAgIGVjaG8gIiBycG06ICRmaWxlbmFtZSB0YXNrOiAkaW5zdGFsbCBzdGF0dXM6ICRzdGF0dXMiCiAgICAgICAgICAgIDs7CiAgICAgICAgUlVOTklORykKICAgICAgICAgICAgIyBydW5uaW5nCiAgICAgICAgICAgIGVjaG8gIiBycG06ICRmaWxlbmFtZSB0YXNrOiAkaW5zdGFsbCBzdGF0dXM6ICRzdGF0dXMiCiAgICAgICAgICAgIDs7CiAgICAgICAgRkFJTEVEKQogICAgICAgICAgICAjIGZhaWxlZAogICAgICAgICAgICBlcnJvcj0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiICRycG1JbnN0YWxsVXJsLyRpbnN0YWxsIHwganEgLmVycm9yTWVzc2FnZSkKICAgICAgICAgICAgZWNobyAiZmFpbGVkICRmaWxlbmFtZSB0YXNrOiAkaW5zdGFsbCBlcnJvcjogJGVycm9yIgogICAgICAgICAgICBicmVhawogICAgICAgICAgICA7OwogICAgICAgICopCiAgICAgICAgICAgICMgb3RoZXIKICAgICAgICAgICAgZGVidWc9JChyZXN0Y3VybCAtdSAiJENSRURTIiAkcnBtSW5zdGFsbFVybC8kaW5zdGFsbCB8IGpxIC4gKQogICAgICAgICAgICBlY2hvICJmYWlsZWQgJGZpbGVuYW1lIHRhc2s6ICRpbnN0YWxsIGVycm9yOiAkZGVidWciCiAgICAgICAgICAgIDs7CiAgICAgICAgZXNhYwogICAgc2xlZXAgMgogICAgZG9uZQpkb25lCmZ1bmN0aW9uIGdldERvU3RhdHVzKCkgewogICAgdGFzaz0kMQogICAgZG9TdGF0dXNUeXBlPSQocmVzdGN1cmwgLXUgIiRDUkVEUyIgLVggR0VUICRkb1Rhc2tVcmwvJHRhc2sgfCBqcSAtciB0eXBlICkKICAgIGlmIFsgIiRkb1N0YXR1c1R5cGUiID09ICJvYmplY3QiIF07IHRoZW4KICAgICAgICBkb1N0YXR1cz0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiIC1YIEdFVCAkZG9UYXNrVXJsLyR0YXNrIHwganEgLXIgLnJlc3VsdC5zdGF0dXMpCiAgICAgICAgZWNobyAkZG9TdGF0dXMKICAgIGVsaWYgWyAiJGRvU3RhdHVzVHlwZSIgPT0gImFycmF5IiBdOyB0aGVuCiAgICAgICAgZG9TdGF0dXM9JChyZXN0Y3VybCAtdSAiJENSRURTIiAtWCBHRVQgJGRvVGFza1VybC8kdGFzayB8IGpxIC1yIC5bXS5yZXN1bHQuc3RhdHVzKQogICAgICAgIGVjaG8gIltJTkZPOiAkZG9TdGF0dXNdIgogICAgZWxzZQogICAgICAgIGVjaG8gIltXQVJOOiB1bmtub3duIHR5cGU6JGRvU3RhdHVzVHlwZV0iCiAgICBmaQp9CmZ1bmN0aW9uIGNoZWNrRE8oKSB7CiAgICAjIENoZWNrIERPIFJlYWR5CiAgICBjb3VudD0wCiAgICB3aGlsZSBbICRjb3VudCAtbGUgNCBdCiAgICBkbwogICAgI2RvU3RhdHVzPSQoY3VybCAtaSAtdSAiJENSRURTIiAkbG9jYWxfaG9zdCRkb0NoZWNrVXJsIHwgZ3JlcCBIVFRQIHwgYXdrICd7cHJpbnQgJDJ9JykKICAgIGRvU3RhdHVzVHlwZT0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiIC1YIEdFVCAkZG9DaGVja1VybCB8IGpxIC1yIHR5cGUgKQogICAgaWYgWyAiJGRvU3RhdHVzVHlwZSIgPT0gIm9iamVjdCIgXTsgdGhlbgogICAgICAgIGRvU3RhdHVzPSQocmVzdGN1cmwgLXUgIiRDUkVEUyIgLVggR0VUICRkb0NoZWNrVXJsIHwganEgLXIgLmNvZGUpCiAgICAgICAgaWYgWyAkPyA9PSAxIF07IHRoZW4KICAgICAgICAgICAgZG9TdGF0dXM9JChyZXN0Y3VybCAtdSAiJENSRURTIiAtWCBHRVQgJGRvQ2hlY2tVcmwgfCBqcSAtciAucmVzdWx0LmNvZGUpCiAgICAgICAgZmkKICAgIGVsaWYgWyAiJGRvU3RhdHVzVHlwZSIgPT0gImFycmF5IiBdOyB0aGVuCiAgICAgICAgZG9TdGF0dXM9JChyZXN0Y3VybCAtdSAiJENSRURTIiAtWCBHRVQgJGRvQ2hlY2tVcmwgfCBqcSAtciAuW10ucmVzdWx0LmNvZGUpCiAgICBlbHNlCiAgICAgICAgZWNobyAiW1dBUk46IHVua25vd24gdHlwZTokZG9TdGF0dXNUeXBlXSIKICAgIGZpCiAgICAjZWNobyAic3RhdHVzICRkb1N0YXR1cyIKICAgIGlmIFtbICRkb1N0YXR1cyA9PSAiMjAwIiBdXTsgdGhlbgogICAgICAgICN2ZXJzaW9uPSQocmVzdGN1cmwgLXUgIiRDUkVEUyIgLVggR0VUICRkb0NoZWNrVXJsIHwganEgLXIgLnZlcnNpb24pCiAgICAgICAgdmVyc2lvbj0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiIC1YIEdFVCAkZG9DaGVja1VybCB8IGpxIC1yIC5bXS52ZXJzaW9uKQogICAgICAgIGVjaG8gIltJTkZPOiBEZWNsYXJhdGl2ZSBPbmJvYXJkaW5nICR2ZXJzaW9uIG9ubGluZV0iCiAgICAgICAgYnJlYWsKICAgIGVsaWYgW1sgJGRvU3RhdHVzID09ICI0MDQiIF1dOyB0aGVuCiAgICAgICAgZWNobyAiRE8gU3RhdHVzOiAkZG9TdGF0dXMiCiAgICAgICAgYmlnc3RhcnQgcmVzdGFydCByZXN0bm9kZWQKICAgICAgICBzbGVlcCAzMAogICAgICAgIGJpZ3N0YXJ0IHN0YXR1cyByZXN0bm9kZWQgfCBncmVwIHJ1bm5pbmcKICAgICAgICBzdGF0dXM9JD8KICAgICAgICBlY2hvICJyZXN0bm9kZWQ6JHN0YXR1cyIKICAgIGVsc2UKICAgICAgICBlY2hvICJbV0FSTjogRE8gU3RhdHVzICRkb1N0YXR1c10iCiAgICAgICAgY291bnQ9JFskY291bnQrMV0KICAgIGZpCiAgICBzbGVlcCAxMAogICAgZG9uZQp9CmZ1bmN0aW9uIGNoZWNrQVMzKCkgewogICAgIyBDaGVjayBBUzMgUmVhZHkKICAgIGNvdW50PTAKICAgIHdoaWxlIFsgJGNvdW50IC1sZSA0IF0KICAgIGRvCiAgICAjYXMzU3RhdHVzPSQoY3VybCAtaSAtdSAiJENSRURTIiAkbG9jYWxfaG9zdCRhczNDaGVja1VybCB8IGdyZXAgSFRUUCB8IGF3ayAne3ByaW50ICQyfScpCiAgICBhczNTdGF0dXM9JChyZXN0Y3VybCAtdSAiJENSRURTIiAtWCBHRVQgJGFzM0NoZWNrVXJsIHwganEgLXIgLmNvZGUpCiAgICBpZiAgWyAiJGFzM1N0YXR1cyIgPT0gIm51bGwiIF0gfHwgWyAteiAiJGFzM1N0YXR1cyIgXTsgdGhlbgogICAgICAgIHR5cGU9JChyZXN0Y3VybCAtdSAiJENSRURTIiAtWCBHRVQgJGFzM0NoZWNrVXJsIHwganEgLXIgdHlwZSApCiAgICAgICAgaWYgWyAiJHR5cGUiID09ICJvYmplY3QiIF07IHRoZW4KICAgICAgICAgICAgYXMzU3RhdHVzPSIyMDAiCiAgICAgICAgZmkKICAgIGZpCiAgICBpZiBbWyAkYXMzU3RhdHVzID09ICIyMDAiIF1dOyB0aGVuCiAgICAgICAgdmVyc2lvbj0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiIC1YIEdFVCAkYXMzQ2hlY2tVcmwgfCBqcSAtciAudmVyc2lvbikKICAgICAgICBlY2hvICJBczMgJHZlcnNpb24gb25saW5lICIKICAgICAgICBicmVhawogICAgZWxpZiBbWyAkYXMzU3RhdHVzID09ICI0MDQiIF1dOyB0aGVuCiAgICAgICAgZWNobyAiQVMzIFN0YXR1cyAkYXMzU3RhdHVzIgogICAgICAgIGJpZ3N0YXJ0IHJlc3RhcnQgcmVzdG5vZGVkCiAgICAgICAgc2xlZXAgMzAKICAgICAgICBiaWdzdGFydCBzdGF0dXMgcmVzdG5vZGVkIHwgZ3JlcCBydW5uaW5nCiAgICAgICAgc3RhdHVzPSQ/CiAgICAgICAgZWNobyAicmVzdG5vZGVkOiRzdGF0dXMiCiAgICBlbHNlCiAgICAgICAgZWNobyAiQVMzIFN0YXR1cyAkYXMzU3RhdHVzIgogICAgICAgIGNvdW50PSRbJGNvdW50KzFdCiAgICBmaQogICAgc2xlZXAgMTAKICAgIGRvbmUKfQpmdW5jdGlvbiBjaGVja1RTKCkgewogICAgIyBDaGVjayBUUyBSZWFkeQogICAgY291bnQ9MAogICAgd2hpbGUgWyAkY291bnQgLWxlIDQgXQogICAgZG8KICAgIHRzU3RhdHVzPSQoY3VybCAtc2kgLXUgIiRDUkVEUyIgaHR0cDovL2xvY2FsaG9zdDo4MTAwJHRzQ2hlY2tVcmwgfCBncmVwIEhUVFAgfCBhd2sgJ3twcmludCAkMn0nKQogICAgaWYgW1sgJHRzU3RhdHVzID09ICIyMDAiIF1dOyB0aGVuCiAgICAgICAgdmVyc2lvbj0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiIC1YIEdFVCAkdHNDaGVja1VybCB8IGpxIC1yIC52ZXJzaW9uKQogICAgICAgIGVjaG8gIlRlbGVtZXRyeSBTdHJlYW1pbmcgJHZlcnNpb24gb25saW5lICIKICAgICAgICBicmVhawogICAgZWxzZQogICAgICAgIGVjaG8gIlRTIFN0YXR1cyAkdHNTdGF0dXMiCiAgICAgICAgY291bnQ9JFskY291bnQrMV0KICAgIGZpCiAgICBzbGVlcCAxMAogICAgZG9uZQp9CmZ1bmN0aW9uIGNoZWNrQ0YoKSB7CiAgICAjIENoZWNrIENGIFJlYWR5CiAgICBjb3VudD0wCiAgICB3aGlsZSBbICRjb3VudCAtbGUgNCBdCiAgICBkbwogICAgY2ZTdGF0dXM9JChjdXJsIC1zaSAtdSAiJENSRURTIiAkbG9jYWxfaG9zdCRjZkNoZWNrVXJsIHwgZ3JlcCBIVFRQIHwgYXdrICd7cHJpbnQgJDJ9JykKICAgIGlmIFtbICRjZlN0YXR1cyA9PSAiMjAwIiBdXTsgdGhlbgogICAgICAgIHZlcnNpb249JChyZXN0Y3VybCAtdSAiJENSRURTIiAtWCBHRVQgJGNmQ2hlY2tVcmwgfCBqcSAtciAudmVyc2lvbikKICAgICAgICBlY2hvICJDbG91ZCBmYWlsb3ZlciAkdmVyc2lvbiBvbmxpbmUgIgogICAgICAgIGJyZWFrCiAgICBlbHNlCiAgICAgICAgZWNobyAiQ2xvdWQgRmFpbG92ZXIgU3RhdHVzICR0c1N0YXR1cyIKICAgICAgICBjb3VudD0kWyRjb3VudCsxXQogICAgZmkKICAgIHNsZWVwIDEwCiAgICBkb25lCn0KZnVuY3Rpb24gY2hlY2tGQVNUKCkgewogICAgIyBDaGVjayBGQVNUIFJlYWR5CiAgICBjb3VudD0wCiAgICB3aGlsZSBbICRjb3VudCAtbGUgNCBdCiAgICBkbwogICAgZmFzdFN0YXR1cz0kKGN1cmwgLXNpIC11ICIkQ1JFRFMiICRsb2NhbF9ob3N0JGZhc3RDaGVja1VybCB8IGdyZXAgSFRUUCB8IGF3ayAne3ByaW50ICQyfScpCiAgICBpZiBbWyAiJGZhc3RTdGF0dXMiID09ICIyMDAiIF1dOyB0aGVuCiAgICAgICAgdmVyc2lvbj0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiIC1YIEdFVCAkZmFzdENoZWNrVXJsIHwganEgLXIgLnZlcnNpb24pCiAgICAgICAgZWNobyAiRkFTVCAkdmVyc2lvbiBvbmxpbmUgIgogICAgICAgIGJyZWFrCiAgICBlbHNlCiAgICAgICAgZWNobyAiRkFTVCBTdGF0dXMgJGZhc3RTdGF0dXMiCiAgICAgICAgY291bnQ9JFskY291bnQrMV0KICAgIGZpCiAgICBzbGVlcCAxMAogICAgZG9uZQp9CiMjIyBjaGVjayBmb3IgYXBpcyBvbmxpbmUKZnVuY3Rpb24gY2hlY2tBVEMoKSB7CiAgICBkb1N0YXR1cz0kKGNoZWNrRE8pCiAgICBhczNTdGF0dXM9JChjaGVja0FTMykKICAgIHRzU3RhdHVzPSQoY2hlY2tUUykKICAgIGNmU3RhdHVzPSQoY2hlY2tDRikKICAgIGZhc3RTdGF0dXM9JChjaGVja0ZBU1QpCiAgICBpZiBbWyAkZG9TdGF0dXMgPT0gKiJvbmxpbmUiKiBdXSAmJiBbWyAiJGFzM1N0YXR1cyIgPSAqIm9ubGluZSIqIF1dICYmIFtbICR0c1N0YXR1cyA9PSAqIm9ubGluZSIqIF1dICYmIFtbICRjZlN0YXR1cyA9PSAqIm9ubGluZSIqIF1dICYmIFtbICRmYXN0U3RhdHVzID09ICoib25saW5lIiogXV0gOyB0aGVuCiAgICAgICAgZWNobyAiQVRDIGlzIHJlYWR5IHRvIGFjY2VwdCBBUEkgY2FsbHMiCiAgICBlbHNlCiAgICAgICAgZWNobyAiQVRDIGluc3RhbGwgZmFpbGVkIG9yIEFUQyBpcyBub3QgcmVhZHkgdG8gYWNjZXB0IEFQSSBjYWxscyIKICAgIGZpCn0KZWNobyAiLS0tLWNoZWNraW5nIEFUQyBpbnN0YWxsLS0tLSIKY2hlY2tBVEMKZnVuY3Rpb24gcnVuRE8oKSB7CmNvdW50PTAKd2hpbGUgWyAkY291bnQgLWxlIDQgXQogICAgZG8KICAgICMgbWFrZSB0YXNrCiAgICB0YXNrPSQoY3VybCAtcyAtdSAkQ1JFRFMgLUggIkNvbnRlbnQtVHlwZTogQXBwbGljYXRpb24vanNvbiIgLUggJ0V4cGVjdDonIC1YIFBPU1QgJGxvY2FsX2hvc3QkZG9VcmwgLWQgQC9jb25maWcvJDEgfCBqcSAtciAuaWQpCiAgICBlY2hvICI9PT09PT0gc3RhcnRpbmcgRE8gdGFzazogJHRhc2sgPT09PT09PT09PSIKICAgIHNsZWVwIDEKICAgIGNvdW50PSRbJGNvdW50KzFdCiAgICAjIGNoZWNrIHRhc2sgY29kZQogICAgdGFza0NvdW50PTAKICAgIHdoaWxlIFsgJHRhc2tDb3VudCAtbGUgMTAgXQogICAgZG8KICAgICAgICBkb0NvZGVUeXBlPSQoY3VybCAtcyAtdSAkQ1JFRFMgLVggR0VUICRsb2NhbF9ob3N0JGRvVGFza1VybC8kdGFzayB8IGpxIC1yIHR5cGUgKQogICAgICAgIGlmIFtbICIkZG9Db2RlVHlwZSIgPT0gIm9iamVjdCIgXV07IHRoZW4KICAgICAgICAgICAgY29kZT0kKGN1cmwgLXMgLXUgJENSRURTIC1YIEdFVCAkbG9jYWxfaG9zdCRkb1Rhc2tVcmwvJHRhc2sgfCBqcSAucmVzdWx0LmNvZGUpCiAgICAgICAgICAgIGVjaG8gIm9iamVjdDogJGNvZGUiCiAgICAgICAgZWxpZiBbICIkZG9Db2RlVHlwZSIgPT0gImFycmF5IiBdOyB0aGVuCiAgICAgICAgICAgIGVjaG8gImFycmF5ICRjb2RlIGNoZWNrIHRhc2ssIGJyZWFraW5nIgogICAgICAgICAgICBicmVhawogICAgICAgIGVsc2UKICAgICAgICAgICAgZWNobyAidW5rbm93biB0eXBlOiAkZG9Db2RlVHlwZSIKICAgICAgICAgICAgZGVidWc9JChjdXJsIC1zIC11ICRDUkVEUyAtWCBHRVQgJGxvY2FsX2hvc3QkZG9UYXNrVXJsLyR0YXNrKQogICAgICAgICAgICBlY2hvICJvdGhlciBkZWJ1ZzogJGRlYnVnIgogICAgICAgICAgICBjb2RlPSQoY3VybCAtcyAtdSAkQ1JFRFMgLVggR0VUICRsb2NhbF9ob3N0JGRvVGFza1VybC8kdGFzayB8IGpxIC5yZXN1bHQuY29kZSkKICAgICAgICBmaQogICAgICAgIHNsZWVwIDEKICAgICAgICBpZiBqcSAtZSAuID4vZGV2L251bGwgMj4mMSA8PDwiJGNvZGUiOyB0aGVuCiAgICAgICAgICAgIGVjaG8gIlBhcnNlZCBKU09OIHN1Y2Nlc3NmdWxseSBhbmQgZ290IHNvbWV0aGluZyBvdGhlciB0aGFuIGZhbHNlL251bGwgY291bnQ6ICR0YXNrQ291bnQiCiAgICAgICAgICAgIHN0YXR1cz0kKGN1cmwgLXMgLXUgJENSRURTICRsb2NhbF9ob3N0JGRvVGFza1VybC8kdGFzayB8IGpxIC1yIC5yZXN1bHQuc3RhdHVzKQogICAgICAgICAgICBzbGVlcCAxCiAgICAgICAgICAgIGVjaG8gInN0YXR1czogJHN0YXR1cyBjb2RlOiAkY29kZSIKICAgICAgICAgICAgIyAyMDAsMjAyLDQyMiw0MDAsNDA0LDUwMCw0MjIKICAgICAgICAgICAgZWNobyAiRE86ICR0YXNrIHJlc3BvbnNlOiRjb2RlIHN0YXR1czokc3RhdHVzIgogICAgICAgICAgICBzbGVlcCAxCiAgICAgICAgICAgICNGSU5JU0hFRCxTVEFSVEVELFJVTk5JTkcsUk9MTElOR19CQUNLLEZBSUxFRCxFUlJPUixOVUxMCiAgICAgICAgICAgIGNhc2UgJHN0YXR1cyBpbgogICAgICAgICAgICBGSU5JU0hFRCkKICAgICAgICAgICAgICAgICMgZmluaXNoZWQKICAgICAgICAgICAgICAgIGVjaG8gIiAkdGFzayBzdGF0dXM6ICRzdGF0dXMgIgogICAgICAgICAgICAgICAgIyBiaWdzdGFydCBzdGFydCBkaGNsaWVudAogICAgICAgICAgICAgICAgYnJlYWsgMgogICAgICAgICAgICAgICAgOzsKICAgICAgICAgICAgU1RBUlRFRCkKICAgICAgICAgICAgICAgICMgc3RhcnRlZAogICAgICAgICAgICAgICAgZWNobyAiICRmaWxlbmFtZSBzdGF0dXM6ICRzdGF0dXMgIgogICAgICAgICAgICAgICAgc2xlZXAgMzAKICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgIFJVTk5JTkcpCiAgICAgICAgICAgICAgICAjIHJ1bm5pbmcKICAgICAgICAgICAgICAgIGVjaG8gIkRPIFN0YXR1czogJHN0YXR1cyB0YXNrOiAkdGFzayBOb3QgZG9uZSB5ZXQuLi5jb3VudDokdGFza0NvdW50IgogICAgICAgICAgICAgICAgIyB3YWl0IGZvciBhY3RpdmUtb25saW5lLXN0YXRlCiAgICAgICAgICAgICAgICB3YWl0TWNwZAogICAgICAgICAgICAgICAgaWYgW1sgIiR0YXNrQ291bnQiIC1sZSA1IF1dOyB0aGVuCiAgICAgICAgICAgICAgICAgICAgc2xlZXAgNjAKICAgICAgICAgICAgICAgIGZpCiAgICAgICAgICAgICAgICB3YWl0QWN0aXZlCiAgICAgICAgICAgICAgICAjc2xlZXAgMTIwCiAgICAgICAgICAgICAgICB0YXNrQ291bnQ9JFskdGFza0NvdW50KzFdCiAgICAgICAgICAgICAgICA7OwogICAgICAgICAgICBGQUlMRUQpCiAgICAgICAgICAgICAgICAjIGZhaWxlZAogICAgICAgICAgICAgICAgZXJyb3I9JChjdXJsIC1zIC11ICRDUkVEUyAkbG9jYWxfaG9zdCRkb1Rhc2tVcmwvJHRhc2sgfCBqcSAtciAucmVzdWx0LnN0YXR1cykKICAgICAgICAgICAgICAgIGVjaG8gImZhaWxlZCAkdGFzaywgJGVycm9yIgogICAgICAgICAgICAgICAgI2NvdW50PSRbJGNvdW50KzFdCiAgICAgICAgICAgICAgICBicmVhawogICAgICAgICAgICAgICAgOzsKICAgICAgICAgICAgRVJST1IpCiAgICAgICAgICAgICAgICAjIGVycm9yCiAgICAgICAgICAgICAgICBlcnJvcj0kKGN1cmwgLXMgLXUgJENSRURTICRsb2NhbF9ob3N0JGRvVGFza1VybC8kdGFzayB8IGpxIC1yIC5yZXN1bHQuc3RhdHVzKQogICAgICAgICAgICAgICAgZWNobyAiRXJyb3IgJHRhc2ssICRlcnJvciIKICAgICAgICAgICAgICAgICNjb3VudD0kWyRjb3VudCsxXQogICAgICAgICAgICAgICAgYnJlYWsKICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgIFJPTExJTkdfQkFDSykKICAgICAgICAgICAgICAgICMgUm9sbGluZyBiYWNrCiAgICAgICAgICAgICAgICBlY2hvICJSb2xsaW5nIGJhY2sgZmFpbGVkIHN0YXR1czogJHN0YXR1cyB0YXNrOiAkdGFzayIKICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICA7OwogICAgICAgICAgICBPSykKICAgICAgICAgICAgICAgICMgY29tcGxldGUgbm8gY2hhbmdlCiAgICAgICAgICAgICAgICBlY2hvICJDb21wbGV0ZSBubyBjaGFuZ2Ugc3RhdHVzOiAkc3RhdHVzIHRhc2s6ICR0YXNrIgogICAgICAgICAgICAgICAgYnJlYWsgMgogICAgICAgICAgICAgICAgOzsKICAgICAgICAgICAgKikKICAgICAgICAgICAgICAgICMgb3RoZXIKICAgICAgICAgICAgICAgIGVjaG8gIm90aGVyOiAkc3RhdHVzIgogICAgICAgICAgICAgICAgZWNobyAib3RoZXIgdGFzazogJHRhc2sgY291bnQ6ICR0YXNrQ291bnQiCiAgICAgICAgICAgICAgICBkZWJ1Zz0kKGN1cmwgLXMgLXUgJENSRURTICRsb2NhbF9ob3N0JGRvVGFza1VybC8kdGFzaykKICAgICAgICAgICAgICAgIGVjaG8gIm90aGVyIGRlYnVnOiAkZGVidWciCiAgICAgICAgICAgICAgICBjYXNlICRkZWJ1ZyBpbgogICAgICAgICAgICAgICAgKm5vdCpyZWdpc3RlcmVkKikKICAgICAgICAgICAgICAgICAgICAjIHJlc3Rub2RlZCByZXNwb25zZSBETyBhcGkgaXMgdW5yZXNwb25zaXZlCiAgICAgICAgICAgICAgICAgICAgZWNobyAiRE8gZW5kcG9pbnQgbm90IGF2YWxpYWJsZSB3YWl0aW5nLi4uIgogICAgICAgICAgICAgICAgICAgIHNsZWVwIDMwCiAgICAgICAgICAgICAgICAgICAgOzsKICAgICAgICAgICAgICAgICpyZXN0ZXJyb3JyZXNwb25zZSopCiAgICAgICAgICAgICAgICAgICAgIyByZXN0bm9kZWQgcmVzcG9uc2UgRE8gYXBpIGlzIHVucmVzcG9uc2l2ZQogICAgICAgICAgICAgICAgICAgIGVjaG8gIkRPIGVuZHBvaW50IG5vdCBhdmFsaWFibGUgd2FpdGluZy4uLiIKICAgICAgICAgICAgICAgICAgICBzbGVlcCAzMAogICAgICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgICAgICAqc3RhcnQtbGltaXQqKQogICAgICAgICAgICAgICAgICAgICMgZGhjbGllbnQgaXNzdWUgaGl0CiAgICAgICAgICAgICAgICAgICAgZWNobyAiIGRvIGRoY2xpZW50IHN0YXJ0aW5nIGlzc3VlIGhpdCBzdGFydCBhbm90aGVyIHRhc2siCiAgICAgICAgICAgICAgICAgICAgYnJlYWsKICAgICAgICAgICAgICAgICAgICA7OwogICAgICAgICAgICAgICAgZXNhYwogICAgICAgICAgICAgICAgc2xlZXAgMzAKICAgICAgICAgICAgICAgIHRhc2tDb3VudD0kWyR0YXNrQ291bnQrMV0KICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgIGVzYWMKICAgICAgICBlbHNlCiAgICAgICAgICAgIGVjaG8gIkZhaWxlZCB0byBwYXJzZSBKU09OLCBvciBnb3QgZmFsc2UvbnVsbCIKICAgICAgICAgICAgZWNobyAiRE8gc3RhdHVzIGNvZGU6ICRjb2RlIgogICAgICAgICAgICBkZWJ1Zz0kKGN1cmwgLXMgLXUgJENSRURTICRsb2NhbF9ob3N0JGRvVGFza1VybC8kdGFzaykKICAgICAgICAgICAgZWNobyAiZGVidWcgRE8gY29kZTogJGRlYnVnIgogICAgICAgICAgICBjb3VudD0kWyRjb3VudCsxXQogICAgICAgIGZpCiAgICBkb25lCmRvbmUKfQojIG1nbXQKZWNobyAic2V0IG1hbmFnZW1lbnQiCmVjaG8gIC1lICJjcmVhdGUgY2xpIHRyYW5zYWN0aW9uOwptb2RpZnkgc3lzIGdsb2JhbC1zZXR0aW5ncyBtZ210LWRoY3AgZGlzYWJsZWQ7CnN1Ym1pdCBjbGkgdHJhbnNhY3Rpb24iIHwgdG1zaCAtcQp0bXNoIHNhdmUgL3N5cyBjb25maWcKIyBnZXQgYXMzIHZhbHVlcwpleHRlcm5hbFZpcD0kKGN1cmwgLXNmIC0tcmV0cnkgMjAgLUggTWV0YWRhdGE6dHJ1ZSAiaHR0cDovLzE2OS4yNTQuMTY5LjI1NC9tZXRhZGF0YS9pbnN0YW5jZS9uZXR3b3JrL2ludGVyZmFjZT9hcGktdmVyc2lvbj0yMDE3LTA4LTAxIiB8IGpxIC1yICcuWzFdLmlwdjQuaXBBZGRyZXNzWzFdLnByaXZhdGVJcEFkZHJlc3MnKQoKIyBlbmQgZ2V0IHZhbHVlcwoKIyBydW4gRE8KZWNobyAiLS0tLXJ1biBkby0tLS0iCmNvdW50PTAKd2hpbGUgWyAkY291bnQgLWxlIDQgXQogICAgZG8KICAgICAgICBkb1N0YXR1cz0kKGNoZWNrRE8pCiAgICAgICAgZWNobyAiRE8gY2hlY2sgc3RhdHVzOiAkZG9TdGF0dXMiCiAgICBpZiBbICRkZXZpY2VJZCA9PSAxIF0gJiYgW1sgIiRkb1N0YXR1cyIgPSAqIm9ubGluZSIqIF1dOyB0aGVuCiAgICAgICAgZWNobyAicnVubmluZyBkbyBmb3IgaWQ6JGRldmljZUlkIgogICAgICAgIGJpZ3N0YXJ0IHN0b3AgZGhjbGllbnQKICAgICAgICBydW5ETyBkbzEuanNvbgogICAgICAgIGlmIFsgIiQ/IiA9PSAwIF07IHRoZW4KICAgICAgICAgICAgZWNobyAiZG9uZSB3aXRoIGRvIgogICAgICAgICAgICBiaWdzdGFydCBzdGFydCBkaGNsaWVudAogICAgICAgICAgICByZXN1bHRzPSQocmVzdGN1cmwgLXUgJENSRURTIC1YIEdFVCAkZG9UYXNrVXJsIHwganEgJy5bXSB8IC5pZCwgLnJlc3VsdCcpCiAgICAgICAgICAgIGVjaG8gImRvIHJlc3VsdHM6ICRyZXN1bHRzIgogICAgICAgICAgICBicmVhawogICAgICAgIGZpCiAgICBlbGlmIFsgJGRldmljZUlkID09IDIgXSAmJiBbWyAiJGRvU3RhdHVzIiA9ICoib25saW5lIiogXV07IHRoZW4KICAgICAgICBlY2hvICJydW5uaW5nIGRvIGZvciBpZDokZGV2aWNlSWQiCiAgICAgICAgYmlnc3RhcnQgc3RvcCBkaGNsaWVudAogICAgICAgIHJ1bkRPIGRvMi5qc29uCiAgICAgICAgaWYgWyAiJD8iID09IDAgXTsgdGhlbgogICAgICAgICAgICBlY2hvICJkb25lIHdpdGggZG8iCiAgICAgICAgICAgIGJpZ3N0YXJ0IHN0YXJ0IGRoY2xpZW50CiAgICAgICAgICAgIHJlc3VsdHM9JChyZXN0Y3VybCAtdSAkQ1JFRFMgLVggR0VUICRkb1Rhc2tVcmwgfCBqcSAnLltdIHwgLmlkLCAucmVzdWx0JykKICAgICAgICAgICAgZWNobyAiZG8gcmVzdWx0czogJHJlc3VsdHMiCiAgICAgICAgICAgIGJyZWFrCiAgICAgICAgZmkKICAgIGVsaWYgWyAkY291bnQgLWxlIDIgXTsgdGhlbgogICAgICAgIGVjaG8gIkRldmljZUlEOiAkZGV2aWNlSWQgU3RhdHVzIGNvZGU6ICRkb1N0YXR1cyBETyBub3QgcmVhZHkgeWV0Li4uIgogICAgICAgIGNvdW50PSRbJGNvdW50KzFdCiAgICAgICAgc2xlZXAgMzAKICAgIGVsc2UKICAgICAgICBlY2hvICJETyBub3Qgb25saW5lIHN0YXR1czogJGRvU3RhdHVzIgogICAgICAgIGJyZWFrCiAgICBmaQpkb25lCmZ1bmN0aW9uIHJ1bkFTMyAoKSB7CiAgICBjb3VudD0wCiAgICB3aGlsZSBbICRjb3VudCAtbGUgNCBdCiAgICAgICAgZG8KICAgICAgICAgICAgIyB3YWl0IGZvciBkbyB0byBmaW5pc2gKICAgICAgICAgICAgd2FpdEFjdGl2ZQogICAgICAgICAgICAjIG1ha2UgdGFzawogICAgICAgICAgICB0YXNrPSQoY3VybCAtcyAtdSAkQ1JFRFMgLUggIkNvbnRlbnQtVHlwZTogQXBwbGljYXRpb24vanNvbiIgLUggJ0V4cGVjdDonIC1YIFBPU1QgJGxvY2FsX2hvc3QkYXMzVXJsP2FzeW5jPXRydWUgLWQgQC9jb25maWcvYXMzLmpzb24gfCBqcSAtciAuaWQpCiAgICAgICAgICAgIGVjaG8gIj09PT09IHN0YXJ0aW5nIGFzMyB0YXNrOiAkdGFzayA9PT09PSIKICAgICAgICAgICAgc2xlZXAgMQogICAgICAgICAgICBjb3VudD0kWyRjb3VudCsxXQogICAgICAgICAgICAjIGNoZWNrIHRhc2sgY29kZQogICAgICAgICAgICB0YXNrQ291bnQ9MAogICAgICAgIHdoaWxlIFsgJHRhc2tDb3VudCAtbGUgMyBdCiAgICAgICAgZG8KICAgICAgICAgICAgYXMzQ29kZVR5cGU9JChjdXJsIC1zIC11ICRDUkVEUyAtWCBHRVQgJGxvY2FsX2hvc3QkYXMzVGFza1VybC8kdGFzayB8IGpxIC1yIHR5cGUgKQogICAgICAgICAgICBpZiBbWyAiJGFzM0NvZGVUeXBlIiA9PSAib2JqZWN0IiBdXTsgdGhlbgogICAgICAgICAgICAgICAgY29kZT0kKGN1cmwgLXMgLXUgJENSRURTIC1YIEdFVCAkbG9jYWxfaG9zdCRhczNUYXNrVXJsLyR0YXNrIHwganEgLXIgLikKICAgICAgICAgICAgICAgIHRlbmFudHM9JChjdXJsIC1zIC11ICRDUkVEUyAtWCBHRVQgJGxvY2FsX2hvc3QkYXMzVGFza1VybC8kdGFzayB8IGpxIC1yIC5yZXN1bHRzW10udGVuYW50KQogICAgICAgICAgICAgICAgZWNobyAib2JqZWN0OiAkY29kZSIKICAgICAgICAgICAgZWxpZiBbICIkYXMzQ29kZVR5cGUiID09ICJhcnJheSIgXTsgdGhlbgogICAgICAgICAgICAgICAgZWNobyAiYXJyYXkgJGNvZGUgY2hlY2sgdGFzaywgYnJlYWtpbmciCiAgICAgICAgICAgICAgICBicmVhawogICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICAgICBlY2hvICJ1bmtub3duIHR5cGU6JGFzM0NvZGVUeXBlIgogICAgICAgICAgICBmaQogICAgICAgICAgICBzbGVlcCAxCiAgICAgICAgICAgIGlmIGpxIC1lIC4gPi9kZXYvbnVsbCAyPiYxIDw8PCIkY29kZSI7IHRoZW4KICAgICAgICAgICAgICAgIGVjaG8gIlBhcnNlZCBKU09OIHN1Y2Nlc3NmdWxseSBhbmQgZ290IHNvbWV0aGluZyBvdGhlciB0aGFuIGZhbHNlL251bGwiCiAgICAgICAgICAgICAgICBzdGF0dXM9JChjdXJsIC1zIC11ICRDUkVEUyAkbG9jYWxfaG9zdCRhczNUYXNrVXJsLyR0YXNrIHwganEgLXIgIC5pdGVtc1tdLnJlc3VsdHNbXS5tZXNzYWdlKQogICAgICAgICAgICAgICAgY2FzZSAkc3RhdHVzIGluCiAgICAgICAgICAgICAgICAqcHJvZ3Jlc3MpCiAgICAgICAgICAgICAgICAgICAgIyBpbiBwcm9ncmVzcwogICAgICAgICAgICAgICAgICAgIGVjaG8gLWUgIlJ1bm5pbmc6ICR0YXNrIHN0YXR1czogJHN0YXR1cyB0ZW5hbnRzOiAkdGVuYW50cyBjb3VudDogJHRhc2tDb3VudCAiCiAgICAgICAgICAgICAgICAgICAgc2xlZXAgMTIwCiAgICAgICAgICAgICAgICAgICAgdGFza0NvdW50PSRbJHRhc2tDb3VudCsxXQogICAgICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgICAgICAqRXJyb3IqKQogICAgICAgICAgICAgICAgICAgICMgZXJyb3IKICAgICAgICAgICAgICAgICAgICBlY2hvIC1lICJFcnJvciBUYXNrOiAkdGFzayBzdGF0dXM6ICRzdGF0dXMgdGVuYW50czogJHRlbmFudHMgIgogICAgICAgICAgICAgICAgICAgIGlmIFtbICIkc3RhdHVzIiA9ICoicHJvZ3Jlc3MiKiBdXTsgdGhlbgogICAgICAgICAgICAgICAgICAgICAgICBzbGVlcCAxODAKICAgICAgICAgICAgICAgICAgICAgICAgYnJlYWsKICAgICAgICAgICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICAgICAgZmkKICAgICAgICAgICAgICAgICAgICA7OwogICAgICAgICAgICAgICAgKmZhaWxlZCopCiAgICAgICAgICAgICAgICAgICAgIyBmYWlsZWQKICAgICAgICAgICAgICAgICAgICBlY2hvIC1lICJmYWlsZWQ6ICR0YXNrIHN0YXR1czogJHN0YXR1cyB0ZW5hbnRzOiAkdGVuYW50cyAiCiAgICAgICAgICAgICAgICAgICAgYnJlYWsKICAgICAgICAgICAgICAgICAgICA7OwogICAgICAgICAgICAgICAgKnN1Y2Nlc3MqKQogICAgICAgICAgICAgICAgICAgICMgc3VjY2Vzc2Z1bCEKICAgICAgICAgICAgICAgICAgICBlY2hvIC1lICJzdWNjZXNzOiAkdGFzayBzdGF0dXM6ICRzdGF0dXMgdGVuYW50czogJHRlbmFudHMgIgogICAgICAgICAgICAgICAgICAgIGJyZWFrIDMKICAgICAgICAgICAgICAgICAgICA7OwogICAgICAgICAgICAgICAgbm8qY2hhbmdlKQogICAgICAgICAgICAgICAgICAgICMgZmluaXNoZWQKICAgICAgICAgICAgICAgICAgICBlY2hvIC1lICJubyBjaGFuZ2U6ICR0YXNrIHN0YXR1czogJHN0YXR1cyB0ZW5hbnRzOiAkdGVuYW50cyAiCiAgICAgICAgICAgICAgICAgICAgYnJlYWsgNAogICAgICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgICAgICAqKQogICAgICAgICAgICAgICAgIyBvdGhlcgogICAgICAgICAgICAgICAgZWNobyAic3RhdHVzOiAkc3RhdHVzIgogICAgICAgICAgICAgICAgZGVidWc9JChjdXJsIC1zIC11ICRDUkVEUyAkbG9jYWxfaG9zdCRhczNUYXNrVXJsLyR0YXNrKQogICAgICAgICAgICAgICAgZWNobyAiZGVidWc6ICRkZWJ1ZyIKICAgICAgICAgICAgICAgIGVycm9yPSQoY3VybCAtcyAtdSAkQ1JFRFMgJGxvY2FsX2hvc3QkYXMzVGFza1VybC8kdGFzayB8IGpxIC1yICcucmVzdWx0c1tdLm1lc3NhZ2UnKQogICAgICAgICAgICAgICAgZWNobyAiT3RoZXI6ICR0YXNrLCAkZXJyb3IiCiAgICAgICAgICAgICAgICBicmVhawogICAgICAgICAgICAgICAgOzsKICAgICAgICAgICAgICAgIGVzYWMKICAgICAgICAgICAgZWxzZQogICAgICAgICAgICAgICAgZWNobyAiRmFpbGVkIHRvIHBhcnNlIEpTT04sIG9yIGdvdCBmYWxzZS9udWxsIgogICAgICAgICAgICAgICAgZWNobyAiQVMzIHN0YXR1cyBjb2RlOiAkY29kZSIKICAgICAgICAgICAgICAgIGRlYnVnPSQoY3VybCAtcyAtdSAkQ1JFRFMgJGxvY2FsX2hvc3QkZG9UYXNrVXJsLyR0YXNrKQogICAgICAgICAgICAgICAgZWNobyAiZGVidWcgQVMzIGNvZGU6ICRkZWJ1ZyIKICAgICAgICAgICAgICAgIGNvdW50PSRbJGNvdW50KzFdCiAgICAgICAgICAgIGZpCiAgICAgICAgZG9uZQogICAgZG9uZQp9CgojIG1vZGlmeSBhczMKI3NkVG9rZW49JChlY2hvICIkdG9rZW4iIHwgYmFzZTY0KQpzZWQgLWkgInMvLWV4dGVybmFsLXZpcnR1YWwtYWRkcmVzcy0vJGV4dGVybmFsVmlwL2ciIC9jb25maWcvYXMzLmpzb24KI3NlZCAtaSAicy8tc2Qtc2EtdG9rZW4tYjY0LS8kdG9rZW4vZyIgL2NvbmZpZy9hczMuanNvbgojIGVuZCBtb2RpZnkgYXMzCgojIG1ldGFkYXRhIHJvdXRlCmVjaG8gIC1lICdjcmVhdGUgY2xpIHRyYW5zYWN0aW9uOwptb2RpZnkgc3lzIGRiIGNvbmZpZy5hbGxvdy5yZmMzOTI3IHZhbHVlIGVuYWJsZTsKY3JlYXRlIHN5cyBtYW5hZ2VtZW50LXJvdXRlIG1ldGFkYXRhLXJvdXRlIG5ldHdvcmsgMTY5LjI1NC4xNjkuMjU0LzMyIGdhdGV3YXkgMTAuOTAuMC4xOwpzdWJtaXQgY2xpIHRyYW5zYWN0aW9uJyB8IHRtc2ggLXEKdG1zaCBzYXZlIC9zeXMgY29uZmlnCiMgYWRkIG1hbmFnZW1lbnQgcm91dGUgd2l0aCBtZXRyaWMgMCBmb3IgdGhlIHdpbgpyb3V0ZSBhZGQgLW5ldCBkZWZhdWx0IGd3IDEwLjkwLjAuMSBuZXRtYXNrIDAuMC4wLjAgZGV2IG1nbXQgbWV0cmljIDAKIyAgcnVuIGFzMwpjb3VudD0wCndoaWxlIFsgJGNvdW50IC1sZSA0IF0KZG8KICAgIGFzM1N0YXR1cz0kKGNoZWNrQVMzKQogICAgZWNobyAiQVMzIGNoZWNrIHN0YXR1czogJGFzM1N0YXR1cyIKICAgIGlmIFtbICIkYXMzU3RhdHVzIiA9PSAqIm9ubGluZSIqIF1dOyB0aGVuCiAgICAgICAgaWYgWyAkZGV2aWNlSWQgPT0gMSBdOyB0aGVuCiAgICAgICAgICAgIGVjaG8gInJ1bm5pbmcgYXMzIgogICAgICAgICAgICBydW5BUzMKICAgICAgICAgICAgZWNobyAiZG9uZSB3aXRoIGFzMyIKICAgICAgICAgICAgcmVzdWx0cz0kKHJlc3RjdXJsIC11ICRDUkVEUyAkYXMzVGFza1VybCB8IGpxICcuaXRlbXNbXSB8IC5pZCwgLnJlc3VsdHMnKQogICAgICAgICAgICBlY2hvICJhczMgcmVzdWx0czogJHJlc3VsdHMiCiAgICAgICAgICAgIGJyZWFrCiAgICAgICAgZWxzZQogICAgICAgICAgICBlY2hvICJOb3QgcG9zdGluZyBhczMgZGV2aWNlICRkZXZpY2VpZCBub3QgcHJpbWFyeSIKICAgICAgICAgICAgYnJlYWsKICAgICAgICBmaQogICAgZWxpZiBbICRjb3VudCAtbGUgMiBdOyB0aGVuCiAgICAgICAgZWNobyAiU3RhdHVzIGNvZGU6ICRhczNTdGF0dXMgIEFzMyBub3QgcmVhZHkgeWV0Li4uIgogICAgICAgIGNvdW50PSRbJGNvdW50KzFdCiAgICBlbHNlCiAgICAgICAgZWNobyAiQXMzIEFQSSBTdGF0dXMgJGFzM1N0YXR1cyIKICAgICAgICBicmVhawogICAgZmkKZG9uZQojCiMKIyBjbGVhbnVwCiMjIHJlbW92ZSBkZWNsYXJhdGlvbnMKIyBybSAtZiAvY29uZmlnL2RvMS5qc29uCiMgcm0gLWYgL2NvbmZpZy9kbzIuanNvbgojIHJtIC1mIC9jb25maWcvYXMzLmpzb24KIyMgZGlzYWJsZS9yZXBsYWNlIGRlZmF1bHQgYWRtaW4gYWNjb3VudAojIGVjaG8gIC1lICJjcmVhdGUgY2xpIHRyYW5zYWN0aW9uOwojIG1vZGlmeSAvc3lzIGRiIHN5c3RlbWF1dGgucHJpbWFyeWFkbWludXNlciB2YWx1ZSAkYWRtaW5fdXNlcm5hbWU7CiMgc3VibWl0IGNsaSB0cmFuc2FjdGlvbiIgfCB0bXNoIC1xCnRtc2ggc2F2ZSBzeXMgY29uZmlnCmVjaG8gInRpbWVzdGFtcCBlbmQ6ICQoZGF0ZSkiCmVjaG8gInNldHVwIGNvbXBsZXRlICQodGltZXIgIiQoKCQoZGF0ZSArJXMpIC0gJHN0YXJ0VGltZSkpIikiCmV4aXQK' \\u003e\\u003e ./startup.sh \\u0026\\u0026 cat ./startup.sh | base64 -d \\u003e\\u003e ./startup-script.sh \\u0026\\u0026 chmod +x ./startup-script.sh \\u0026\\u0026 rm ./startup.sh \\u0026\\u0026 bash ./startup-script.sh 1\"}",
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null,
+ "type": "CustomScript",
+ "type_handler_version": "2.0",
+ "virtual_machine_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/virtualMachines/bedfe9a3-f5vm01"
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_availability_set.avset",
+ "azurerm_lb.lb",
+ "azurerm_lb_backend_address_pool.primary_pool",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_subnet.internal",
+ "azurerm_subnet.mgmt",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm01-ext-nic",
+ "module.firewall_one.azurerm_network_interface.vm01-int-nic",
+ "module.firewall_one.azurerm_network_interface.vm01-mgmt-nic",
+ "module.firewall_one.azurerm_network_interface.vm02-mgmt-nic",
+ "module.firewall_one.azurerm_network_interface_backend_address_pool_association.mpool_assc_vm01",
+ "module.firewall_one.azurerm_network_interface_backend_address_pool_association.mpool_assc_vm02",
+ "module.firewall_one.azurerm_virtual_machine.f5vm01",
+ "module.firewall_one.data.http.appservice",
+ "module.firewall_one.data.http.onboard",
+ "module.firewall_one.data.template_file.as3_json",
+ "module.firewall_one.data.template_file.vm01_do_json",
+ "module.firewall_one.data.template_file.vm02_do_json",
+ "module.firewall_one.data.template_file.vm_onboard",
+ "module.firewall_one.random_uuid.as3_uuid"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "azurerm_virtual_machine_extension",
+ "name": "f5vm02-run-startup-cmd",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "auto_upgrade_minor_version": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/virtualMachines/bedfe9a3-f5vm02/extensions/bedfe9a3-f5vm02-run-startup-cmd",
+ "name": "bedfe9a3-f5vm02-run-startup-cmd",
+ "protected_settings": null,
+ "publisher": "Microsoft.Azure.Extensions",
+ "settings": "{\"commandToExecute\":\"echo 'IyEvYmluL2Jhc2gKIwojIHZhcnMKIwojIGdldCBkZXZpY2UgaWQgZm9yIGRvCmRldmljZUlkPSQxCiMKYWRtaW5fdXNlcm5hbWU9J3hhZG1pbicKYWRtaW5fcGFzc3dvcmQ9J3BsZWFzZVVzZVZhdWx0MTIzISEnCkNSRURTPSIkYWRtaW5fdXNlcm5hbWU6JGFkbWluX3Bhc3N3b3JkIgpMT0dfRklMRT0vdmFyL2xvZy9zdGFydHVwLXNjcmlwdC5sb2cKIyBjb25zdGFudHMKbWdtdF9wb3J0PWB0bXNoIGxpc3Qgc3lzIGh0dHBkIHNzbC1wb3J0IHwgZ3JlcCBzc2wtcG9ydCB8IHNlZCAncy9zc2wtcG9ydCAvLztzLyAvL2cnYAphdXRoVXJsPSIvbWdtdC9zaGFyZWQvYXV0aG4vbG9naW4iCnJwbUluc3RhbGxVcmw9Ii9tZ210L3NoYXJlZC9pYXBwL3BhY2thZ2UtbWFuYWdlbWVudC10YXNrcyIKcnBtRmlsZVBhdGg9Ii92YXIvY29uZmlnL3Jlc3QvZG93bmxvYWRzIgpsb2NhbF9ob3N0PSJodHRwOi8vbG9jYWxob3N0OjgxMDAiCiMgZG8KZG9Vcmw9Ii9tZ210L3NoYXJlZC9kZWNsYXJhdGl2ZS1vbmJvYXJkaW5nIgpkb0NoZWNrVXJsPSIvbWdtdC9zaGFyZWQvZGVjbGFyYXRpdmUtb25ib2FyZGluZy9pbmZvIgpkb1Rhc2tVcmw9Ii9tZ210L3NoYXJlZC9kZWNsYXJhdGl2ZS1vbmJvYXJkaW5nL3Rhc2siCiMgYXMzCmFzM1VybD0iL21nbXQvc2hhcmVkL2FwcHN2Y3MvZGVjbGFyZSIKYXMzQ2hlY2tVcmw9Ii9tZ210L3NoYXJlZC9hcHBzdmNzL2luZm8iCmFzM1Rhc2tVcmw9Ii9tZ210L3NoYXJlZC9hcHBzdmNzL3Rhc2svIgojIHRzCnRzVXJsPSIvbWdtdC9zaGFyZWQvdGVsZW1ldHJ5L2RlY2xhcmUiCnRzQ2hlY2tVcmw9Ii9tZ210L3NoYXJlZC90ZWxlbWV0cnkvaW5mbyIKIyBjbG91ZCBmYWlsb3ZlciBleHQKY2ZVcmw9Ii9tZ210L3NoYXJlZC9jbG91ZC1mYWlsb3Zlci9kZWNsYXJlIgpjZkNoZWNrVXJsPSIvbWdtdC9zaGFyZWQvY2xvdWQtZmFpbG92ZXIvaW5mbyIKIyBmYXN0CmZhc3RDaGVja1VybD0iL21nbXQvc2hhcmVkL2Zhc3QvaW5mbyIKIyBkZWNsYXJhdGlvbiBjb250ZW50CmNhdCA+IC9jb25maWcvZG8xLmpzb24gPDxFT0YKewogICAgInNjaGVtYVZlcnNpb24iOiAiMS45LjAiLAogICAgImNsYXNzIjogIkRldmljZSIsCiAgICAiYXN5bmMiOiB0cnVlLAogICAgImxhYmVsIjogIkJhc2ljIG9uYm9hcmRpbmciLAogICAgIkNvbW1vbiI6IHsKICAgICAgICAiY2xhc3MiOiAiVGVuYW50IiwKICAgICAgICAiaG9zdG5hbWUiOiAiZjV2bTAxLmV4YW1wbGUuY29tIiwKICAgICAgICAiZGJ2YXJzIjogewogICAgICAgIAkiY2xhc3MiOiAiRGJWYXJpYWJsZXMiLAogICAgICAgIAkidWkuYWR2aXNvcnkuZW5hYmxlZCI6IHRydWUsCiAgICAgICAgCSJ1aS5hZHZpc29yeS5jb2xvciI6ICJncmVlbiIsCiAgICAgICAgICAgICJ1aS5hZHZpc29yeS50ZXh0IjogIi8vVU5DTEFTU0lGSUVELy8iLAogICAgICAgICAgICAidWkuc3lzdGVtLnByZWZlcmVuY2VzLmFkdmFuY2Vkc2VsZWN0aW9uIjogICJhZHZhbmNlZCIsCiAgICAgICAgICAgICJ1aS5zeXN0ZW0ucHJlZmVyZW5jZXMucmVjb3Jkc3BlcnNjcmVlbiI6ICIxMDAiLAogICAgICAgICAgICAidWkuc3lzdGVtLnByZWZlcmVuY2VzLnN0YXJ0c2NyZWVuIjogIm5ldHdvcmtfbWFwIiwKICAgICAgICAgICAgInVpLnVzZXJzLnJlZGlyZWN0c3VwZXJ1c2Vyc3RvYXV0aHN1bW1hcnkiOiAidHJ1ZSIsCiAgICAgICAgICAgICJkbnMuY2FjaGUiOiAiZW5hYmxlIiwKICAgICAgICAgICAgImNvbmZpZy5hbGxvdy5yZmMzOTI3IjogImVuYWJsZSIsCiAgICAgICAgICAgICJiaWczZC5taW5pbXVtLnRscy52ZXJzaW9uIjogIlRMU1YxLjIiLAogICAgICAgICAgICAibGl2ZWluc3RhbGwuY2hlY2tzaWciOiAiZW5hYmxlIgogICAgICAgIH0sCiAgICAgICAgIlJlbW90ZVN5c2xvZyI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlN5c2xvZ1JlbW90ZVNlcnZlciIsCiAgICAgICAgICAgICJob3N0IjogIjEwLjkwLjEwLjEwMSIsCiAgICAgICAgICAgICJsb2NhbElwIjogIjEwLjkwLjEuNCIsCiAgICAgICAgICAgICJyZW1vdGVQb3J0IjogNTE0CiAgICAgICAgICB9LAogICAgICAgICJzeXN0ZW0iOnsKICAgICAgICAgICAgImNsYXNzIjogIlN5c3RlbSIsCiAgICAgICAgICAgICJhdXRvQ2hlY2siOiBmYWxzZSwKICAgICAgICAgICAgImF1dG9QaG9uZWhvbWUiOiBmYWxzZSwKICAgICAgICAgICAgImNsaUluYWN0aXZpdHlUaW1lb3V0IjogOTAwLAogICAgICAgICAgICAiY29uc29sZUluYWN0aXZpdHlUaW1lb3V0IjogOTAwLAogICAgICAgICAgICAiZ3VpQXVkaXRMb2ciOiB0cnVlLAogICAgICAgICAgICAibWNwQXVkaXRMb2ciOiAiZW5hYmxlIiwKICAgICAgICAgICAgInRtc2hBdWRpdExvZyI6IHRydWUKICAgICAgICB9LAogICAgICAgICJodHRwZCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIkhUVFBEIiwKICAgICAgICAgICAgIm1heENsaWVudHMiOiAiMTAiLAogICAgICAgICAgICAiYXV0aFBhbUlkbGVUaW1lb3V0IjogIjkwMCIsCiAgICAgICAgICAgICJzc2xDaXBoZXJzdWl0ZSI6IFsiRUNESEUtRUNEU0EtQUVTMjU2LUdDTS1TSEEzODQiLCAiRUNESEUtRUNEU0EtQUVTMjU2LVNIQTM4NCIsICJFQ0RIRS1FQ0RTQS1BRVMyNTYtU0hBIiwiRUNESC1FQ0RTQS1BRVMyNTYtR0NNLVNIQTM4NCIsICJFQ0RILUVDRFNBLUFFUzI1Ni1TSEEzODQiLCAiRUNESC1FQ0RTQS1BRVMyNTYtU0hBIiwgIkFFUzI1Ni1HQ00tU0hBMzg0IiwgIkFFUzI1Ni1TSEEyNTYiLCAiQUVTMjU2LVNIQSIsICJDQU1FTExJQTI1Ni1TSEEiLCAiRUNESEUtUlNBLUFFUzEyOC1HQ00tU0hBMjU2IiwgIkVDREhFLUVDRFNBLUFFUzEyOC1HQ00tU0hBMjU2IiwgIkVDREhFLUVDRFNBLUFFUzEyOC1TSEEyNTYiLCAiRUNESEUtUlNBLUFFUzEyOC1TSEEiLCAiRUNESEUtRUNEU0EtQUVTMTI4LVNIQSIsICJFQ0RILUVDRFNBLUFFUzEyOC1HQ00tU0hBMjU2IiwgIkVDREgtRUNEU0EtQUVTMTI4LVNIQTI1NiIsICJFQ0RILUVDRFNBLUFFUzEyOC1TSEEiLCAiQUVTMTI4LUdDTS1TSEEyNTYiLCAiQUVTMTI4LVNIQTI1NiIsICJBRVMxMjgtU0hBIiwgIlNFRUQtU0hBIiwgIkNBTUVMTElBMTI4LVNIQSJdLAogICAgICAgICAgICAic3NsUHJvdG9jb2wiOiAiYWxsIC1TU0x2MiAtU1NMdjMgLVRMU3YxIgogICAgICAgIH0sCiAgICAgICAgInNzaGQiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJTU0hEIiwKICAgICAgICAgICAgImJhbm5lciI6ICJZb3UgYXJlIGFjY2Vzc2luZyBhIFUuUy4gR292ZXJubWVudCAoVVNHKSBJbmZvcm1hdGlvbiBTeXN0ZW0gKElTKSB0aGF0IGlzIHByb3ZpZGVkIGZvciBVU0ctYXV0aG9yaXplZCB1c2Ugb25seS4gQnkgdXNpbmcgdGhpcyBJUyAod2hpY2ggaW5jbHVkZXMgYW55IGRldmljZSBhdHRhY2hlZCB0byB0aGlzIElTKSwgeW91IGNvbnNlbnQgdG8gdGhlIGZvbGxvd2luZyBjb25kaXRpb25zOiBUaGUgVVNHIHJvdXRpbmVseSBpbnRlcmNlcHRzIGFuZCBtb25pdG9ycyBjb21tdW5pY2F0aW9ucyBvbiB0aGlzIElTIGZvciBwdXJwb3NlcyBpbmNsdWRpbmcsIGJ1dCBub3QgbGltaXRlZCB0bywgcGVuZXRyYXRpb24gdGVzdGluZywgQ09NU0VDIG1vbml0b3JpbmcsIG5ldHdvcmsgb3BlcmF0aW9ucyBhbmQgZGVmZW5zZSwgcGVyc29ubmVsIG1pc2NvbmR1Y3QgKFBNKSwgbGF3IGVuZm9yY2VtZW50IChMRSksIGFuZCBjb3VudGVyaW50ZWxsaWdlbmNlIChDSSkgaW52ZXN0aWdhdGlvbnMuIEF0IGFueSB0aW1lLCB0aGUgVVNHIG1heSBpbnNwZWN0IGFuZCBzZWl6ZSBkYXRhIHN0b3JlZCBvbiB0aGlzIElTLiBDb21tdW5pY2F0aW9ucyB1c2luZywgb3IgZGF0YSBzdG9yZWQgb24sIHRoaXMgSVMgYXJlIG5vdCBwcml2YXRlLCBhcmUgc3ViamVjdCB0byByb3V0aW5lIG1vbml0b3JpbmcsIGludGVyY2VwdGlvbiwgYW5kIHNlYXJjaCwgYW5kIG1heSBiZSBkaXNjbG9zZWQgb3IgdXNlZCBmb3IgYW55IFVTRyBhdXRob3JpemVkIHB1cnBvc2UuIFRoaXMgSVMgaW5jbHVkZXMgc2VjdXJpdHkgbWVhc3VyZXMgKGUuZy4sIGF1dGhlbnRpY2F0aW9uIGFuZCBhY2Nlc3MgY29udHJvbHMpIHRvIHByb3RlY3QgVVNHIGludGVyZXN0cy0tbm90IGZvciB5b3VyIHBlcnNvbmFsIGJlbmVmaXQgb3IgcHJpdmFjeS4gTm90d2l0aHN0YW5kaW5nIHRoZSBhYm92ZSwgdXNpbmcgdGhpcyBJUyBkb2VzIG5vdCBjb25zdGl0dXRlIGNvbnNlbnQgdG8gUE0sIExFIG9yIENJIGludmVzdGlnYXRpdmUgc2VhcmNoaW5nIG9yIG1vbml0b3Jpbmcgb2YgdGhlIGNvbnRlbnQgb2YgcHJpdmlsZWdlZCBjb21tdW5pY2F0aW9ucywgb3Igd29yayBwcm9kdWN0LCByZWxhdGVkIHRvIHBlcnNvbmFsIHJlcHJlc2VudGF0aW9uIG9yIHNlcnZpY2VzIGJ5IGF0dG9ybmV5cywgcHN5Y2hvdGhlcmFwaXN0cywgb3IgY2xlcmd5LCBhbmQgdGhlaXIgYXNzaXN0YW50cy4gU3VjaCBjb21tdW5pY2F0aW9ucyBhbmQgd29yayBwcm9kdWN0IGFyZSBwcml2YXRlIGFuZCBjb25maWRlbnRpYWwuIFNlZSBVc2VyIEFncmVlbWVudCBmb3IgZGV0YWlscy4iLAogICAgICAgICAgICAiaW5hY3Rpdml0eVRpbWVvdXQiOiA5MDAsCiAgICAgICAgICAgICJjaXBoZXJzIjogWwogICAgICAgICAgICAgICAgImFlczEyOC1jdHIiLAogICAgICAgICAgICAgICAgImFlczE5Mi1jdHIiLAogICAgICAgICAgICAgICAgImFlczI1Ni1jdHIiCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJsb2dpbkdyYWNlVGltZSI6IDYwLAogICAgICAgICAgICAiTUFDUyI6IFsKICAgICAgICAgICAgICAgICJobWFjLXNoYTEiLAogICAgICAgICAgICAgICAgImhtYWMtcmlwZW1kMTYwIgogICAgICAgICAgICBdLAogICAgICAgICAgICAibWF4QXV0aFRyaWVzIjogMywKICAgICAgICAgICAgIm1heFN0YXJ0dXBzIjogIjUiLAogICAgICAgICAgICAicHJvdG9jb2wiOiAyCiAgICAgICAgfSwKICAgICAgICAibXlEbnMiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJETlMiLAogICAgICAgICAgICAibmFtZVNlcnZlcnMiOiBbCiAgICAgICAgICAgICAgICAiMTY4LjYzLjEyOS4xNiIsCiAgICAgICAgICAgICAgICAiMjAwMTo0ODYwOjQ4NjA6Ojg4NDQiCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJzZWFyY2giOiBbCiAgICAgICAgICAgICAgICAiZjUuY29tIgogICAgICAgICAgICBdCiAgICAgICAgfSwKICAgICAgICAibXlOdHAiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJOVFAiLAogICAgICAgICAgICAic2VydmVycyI6IFsKICAgICAgICAgICAgICAgICJ0aW1lLm5pc3QuZ292IiwKICAgICAgICAgICAgICAgICIwLnBvb2wubnRwLm9yZyIsCiAgICAgICAgICAgICAgICAiMS5wb29sLm50cC5vcmciCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJ0aW1lem9uZSI6ICJVVEMiCiAgICAgICAgfSwKICAgICAgICAibXlQcm92aXNpb25pbmciOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJQcm92aXNpb24iLAogICAgICAgICAgICAibHRtIjogIm5vbWluYWwiLAogICAgICAgICAgICAiYXNtIjogIm5vbWluYWwiLAogICAgICAgICAgICAiYWZtIjogIm5vbWluYWwiCiAgICAgICAgfSwKICAgICAgICAiZXh0ZXJuYWwiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJWTEFOIiwKICAgICAgICAgICAgInRhZyI6IDQwOTQsCiAgICAgICAgICAgICJtdHUiOiAxNTAwLAogICAgICAgICAgICAiaW50ZXJmYWNlcyI6IFsKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAibmFtZSI6ICIxLjEiLAogICAgICAgICAgICAgICAgICAgICJ0YWdnZWQiOiBmYWxzZQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICBdCiAgICAgICAgfSwKICAgICAgICAiaW50ZXJuYWwiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJWTEFOIiwKICAgICAgICAgICAgInRhZyI6IDQwOTMsCiAgICAgICAgICAgICJtdHUiOiAxNTAwLAogICAgICAgICAgICAiaW50ZXJmYWNlcyI6IFsKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAibmFtZSI6ICIxLjIiLAogICAgICAgICAgICAgICAgICAgICJ0YWdnZWQiOiBmYWxzZQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICBdCiAgICAgICAgfSwKICAgICAgICAiZXh0ZXJuYWwtc2VsZiI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlNlbGZJcCIsCiAgICAgICAgICAgICJhZGRyZXNzIjogIjEwLjkwLjEuNC8yNCIsCiAgICAgICAgICAgICJ2bGFuIjogImV4dGVybmFsIiwKICAgICAgICAgICAgImFsbG93U2VydmljZSI6ICJkZWZhdWx0IiwKICAgICAgICAgICAgInRyYWZmaWNHcm91cCI6ICJ0cmFmZmljLWdyb3VwLWxvY2FsLW9ubHkiCiAgICAgICAgfSwKICAgICAgICAiaW50ZXJuYWwtc2VsZiI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlNlbGZJcCIsCiAgICAgICAgICAgICJhZGRyZXNzIjogIjEwLjkwLjIuNC8yNCIsCiAgICAgICAgICAgICJ2bGFuIjogImludGVybmFsIiwKICAgICAgICAgICAgImFsbG93U2VydmljZSI6ICJkZWZhdWx0IiwKICAgICAgICAgICAgInRyYWZmaWNHcm91cCI6ICJ0cmFmZmljLWdyb3VwLWxvY2FsLW9ubHkiCiAgICAgICAgfSwKICAgICAgICAiaW50ZXJuZXQiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJSb3V0ZSIsCiAgICAgICAgICAgICJndyI6ICIxMC45MC4xLjEiLAogICAgICAgICAgICAibmV0d29yayI6ICJkZWZhdWx0IiwKICAgICAgICAgICAgIm10dSI6IDE1MDAKICAgICAgICB9LAogICAgICAgICJ2ZG1zIjogewogICAgICAgICAgICAiY2xhc3MiOiAiUm91dGUiLAogICAgICAgICAgICAiZ3ciOiAiMTAuOTAuMi4xIiwKICAgICAgICAgICAgIm5ldHdvcmsiOiAiMTAuOTAuMy4wLzI0IiwKICAgICAgICAgICAgIm10dSI6IDE1MDAKICAgICAgICB9LAogICAgICAgICJ2ZHNzIjogewogICAgICAgICAgICAiY2xhc3MiOiAiUm91dGUiLAogICAgICAgICAgICAiZ3ciOiAiMTAuOTAuMi4xIiwKICAgICAgICAgICAgIm5ldHdvcmsiOiAiMTAuOTAuMC4wLzE2IiwKICAgICAgICAgICAgIm10dSI6IDE1MDAKICAgICAgICB9LAogICAgICAgICJjb25maWdzeW5jIjogewogICAgICAgICAgICAiY2xhc3MiOiAiQ29uZmlnU3luYyIsCiAgICAgICAgICAgICJjb25maWdzeW5jSXAiOiAiL0NvbW1vbi9leHRlcm5hbC1zZWxmL2FkZHJlc3MiCiAgICAgICAgfSwKICAgICAgICAiZmFpbG92ZXJBZGRyZXNzIjogewogICAgICAgICAgICAiY2xhc3MiOiAiRmFpbG92ZXJVbmljYXN0IiwKICAgICAgICAgICAgImFkZHJlc3MiOiAiL0NvbW1vbi9leHRlcm5hbC1zZWxmL2FkZHJlc3MiCiAgICAgICAgfSwKICAgICAgICAiZmFpbG92ZXJHcm91cCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIkRldmljZUdyb3VwIiwKICAgICAgICAgICAgInR5cGUiOiAic3luYy1mYWlsb3ZlciIsCiAgICAgICAgICAgICJtZW1iZXJzIjogWwogICAgICAgICAgICAgICAgImY1dm0wMS5leGFtcGxlLmNvbSIsCiAgICAgICAgICAgICAgICAiZjV2bTAyLmV4YW1wbGUuY29tIgogICAgICAgICAgICBdLAogICAgICAgICAgICAib3duZXIiOiAiL0NvbW1vbi9mYWlsb3Zlckdyb3VwL21lbWJlcnMvMCIsCiAgICAgICAgICAgICJhdXRvU3luYyI6IHRydWUsCiAgICAgICAgICAgICJzYXZlT25BdXRvU3luYyI6IGZhbHNlLAogICAgICAgICAgICAibmV0d29ya0ZhaWxvdmVyIjogdHJ1ZSwKICAgICAgICAgICAgImZ1bGxMb2FkT25TeW5jIjogZmFsc2UsCiAgICAgICAgICAgICJhc21TeW5jIjogdHJ1ZQogICAgICAgIH0sCiAgICAgICAgInRydXN0IjogewogICAgICAgICAgICAiY2xhc3MiOiAiRGV2aWNlVHJ1c3QiLAogICAgICAgICAgICAibG9jYWxVc2VybmFtZSI6ICJ4YWRtaW4iLAogICAgICAgICAgICAibG9jYWxQYXNzd29yZCI6ICJwbGVhc2VVc2VWYXVsdDEyMyEhIiwKICAgICAgICAgICAgInJlbW90ZUhvc3QiOiAiMTAuOTAuMS41IiwKICAgICAgICAgICAgInJlbW90ZVVzZXJuYW1lIjogInhhZG1pbiIsCiAgICAgICAgICAgICJyZW1vdGVQYXNzd29yZCI6ICJwbGVhc2VVc2VWYXVsdDEyMyEhIgogICAgICAgIH0KICAgIH0KfQpFT0YKY2F0ID4gL2NvbmZpZy9kbzIuanNvbiA8PEVPRgp7CiAgICAic2NoZW1hVmVyc2lvbiI6ICIxLjkuMCIsCiAgICAiY2xhc3MiOiAiRGV2aWNlIiwKICAgICJhc3luYyI6IHRydWUsCiAgICAibGFiZWwiOiAiQmFzaWMgb25ib2FyZGluZyIsCiAgICAiQ29tbW9uIjogewogICAgICAgICJjbGFzcyI6ICJUZW5hbnQiLAogICAgICAgICJob3N0bmFtZSI6ICJmNXZtMDIuZXhhbXBsZS5jb20iLAogICAgICAgICJkYnZhcnMiOiB7CiAgICAgICAgCSJjbGFzcyI6ICJEYlZhcmlhYmxlcyIsCiAgICAgICAgCSJ1aS5hZHZpc29yeS5lbmFibGVkIjogdHJ1ZSwKICAgICAgICAJInVpLmFkdmlzb3J5LmNvbG9yIjogImdyZWVuIiwKICAgICAgICAgICAgInVpLmFkdmlzb3J5LnRleHQiOiAiLy9VTkNMQVNTSUZJRUQvLyIsCiAgICAgICAgICAgICJ1aS5zeXN0ZW0ucHJlZmVyZW5jZXMuYWR2YW5jZWRzZWxlY3Rpb24iOiAgImFkdmFuY2VkIiwKICAgICAgICAgICAgInVpLnN5c3RlbS5wcmVmZXJlbmNlcy5yZWNvcmRzcGVyc2NyZWVuIjogIjEwMCIsCiAgICAgICAgICAgICJ1aS5zeXN0ZW0ucHJlZmVyZW5jZXMuc3RhcnRzY3JlZW4iOiAibmV0d29ya19tYXAiLAogICAgICAgICAgICAidWkudXNlcnMucmVkaXJlY3RzdXBlcnVzZXJzdG9hdXRoc3VtbWFyeSI6ICJ0cnVlIiwKICAgICAgICAgICAgImRucy5jYWNoZSI6ICJlbmFibGUiLAogICAgICAgICAgICAiY29uZmlnLmFsbG93LnJmYzM5MjciOiAiZW5hYmxlIiwKICAgICAgICAgICAgImJpZzNkLm1pbmltdW0udGxzLnZlcnNpb24iOiAiVExTVjEuMiIsCiAgICAgICAgICAgICJsaXZlaW5zdGFsbC5jaGVja3NpZyI6ICJlbmFibGUiCiAgICAgICAgfSwKICAgICAgICAiUmVtb3RlU3lzbG9nIjogewogICAgICAgICAgICAiY2xhc3MiOiAiU3lzbG9nUmVtb3RlU2VydmVyIiwKICAgICAgICAgICAgImhvc3QiOiAiMTAuOTAuMTAuMTAxIiwKICAgICAgICAgICAgImxvY2FsSXAiOiAiMTAuOTAuMS41IiwKICAgICAgICAgICAgInJlbW90ZVBvcnQiOiA1MTQKICAgICAgICAgIH0sCiAgICAgICAgInN5c3RlbSI6ewogICAgICAgICAgICAiY2xhc3MiOiAiU3lzdGVtIiwKICAgICAgICAgICAgImF1dG9DaGVjayI6IGZhbHNlLAogICAgICAgICAgICAiYXV0b1Bob25laG9tZSI6IGZhbHNlLAogICAgICAgICAgICAiY2xpSW5hY3Rpdml0eVRpbWVvdXQiOiA5MDAsCiAgICAgICAgICAgICJjb25zb2xlSW5hY3Rpdml0eVRpbWVvdXQiOiA5MDAsCiAgICAgICAgICAgICJndWlBdWRpdExvZyI6IHRydWUsCiAgICAgICAgICAgICJtY3BBdWRpdExvZyI6ICJlbmFibGUiLAogICAgICAgICAgICAidG1zaEF1ZGl0TG9nIjogdHJ1ZQogICAgICAgIH0sCiAgICAgICAgImh0dHBkIjogewogICAgICAgICAgICAiY2xhc3MiOiAiSFRUUEQiLAogICAgICAgICAgICAibWF4Q2xpZW50cyI6ICIxMCIsCiAgICAgICAgICAgICJhdXRoUGFtSWRsZVRpbWVvdXQiOiAiOTAwIiwKICAgICAgICAgICAgInNzbENpcGhlcnN1aXRlIjogWyJFQ0RIRS1FQ0RTQS1BRVMyNTYtR0NNLVNIQTM4NCIsICJFQ0RIRS1FQ0RTQS1BRVMyNTYtU0hBMzg0IiwgIkVDREhFLUVDRFNBLUFFUzI1Ni1TSEEiLCJFQ0RILUVDRFNBLUFFUzI1Ni1HQ00tU0hBMzg0IiwgIkVDREgtRUNEU0EtQUVTMjU2LVNIQTM4NCIsICJFQ0RILUVDRFNBLUFFUzI1Ni1TSEEiLCAiQUVTMjU2LUdDTS1TSEEzODQiLCAiQUVTMjU2LVNIQTI1NiIsICJBRVMyNTYtU0hBIiwgIkNBTUVMTElBMjU2LVNIQSIsICJFQ0RIRS1SU0EtQUVTMTI4LUdDTS1TSEEyNTYiLCAiRUNESEUtRUNEU0EtQUVTMTI4LUdDTS1TSEEyNTYiLCAiRUNESEUtRUNEU0EtQUVTMTI4LVNIQTI1NiIsICJFQ0RIRS1SU0EtQUVTMTI4LVNIQSIsICJFQ0RIRS1FQ0RTQS1BRVMxMjgtU0hBIiwgIkVDREgtRUNEU0EtQUVTMTI4LUdDTS1TSEEyNTYiLCAiRUNESC1FQ0RTQS1BRVMxMjgtU0hBMjU2IiwgIkVDREgtRUNEU0EtQUVTMTI4LVNIQSIsICJBRVMxMjgtR0NNLVNIQTI1NiIsICJBRVMxMjgtU0hBMjU2IiwgIkFFUzEyOC1TSEEiLCAiU0VFRC1TSEEiLCAiQ0FNRUxMSUExMjgtU0hBIl0sCiAgICAgICAgICAgICJzc2xQcm90b2NvbCI6ICJhbGwgLVNTTHYyIC1TU0x2MyAtVExTdjEiCiAgICAgICAgfSwKICAgICAgICAic3NoZCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlNTSEQiLAogICAgICAgICAgICAiYmFubmVyIjogIllvdSBhcmUgYWNjZXNzaW5nIGEgVS5TLiBHb3Zlcm5tZW50IChVU0cpIEluZm9ybWF0aW9uIFN5c3RlbSAoSVMpIHRoYXQgaXMgcHJvdmlkZWQgZm9yIFVTRy1hdXRob3JpemVkIHVzZSBvbmx5LiBCeSB1c2luZyB0aGlzIElTICh3aGljaCBpbmNsdWRlcyBhbnkgZGV2aWNlIGF0dGFjaGVkIHRvIHRoaXMgSVMpLCB5b3UgY29uc2VudCB0byB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6IFRoZSBVU0cgcm91dGluZWx5IGludGVyY2VwdHMgYW5kIG1vbml0b3JzIGNvbW11bmljYXRpb25zIG9uIHRoaXMgSVMgZm9yIHB1cnBvc2VzIGluY2x1ZGluZywgYnV0IG5vdCBsaW1pdGVkIHRvLCBwZW5ldHJhdGlvbiB0ZXN0aW5nLCBDT01TRUMgbW9uaXRvcmluZywgbmV0d29yayBvcGVyYXRpb25zIGFuZCBkZWZlbnNlLCBwZXJzb25uZWwgbWlzY29uZHVjdCAoUE0pLCBsYXcgZW5mb3JjZW1lbnQgKExFKSwgYW5kIGNvdW50ZXJpbnRlbGxpZ2VuY2UgKENJKSBpbnZlc3RpZ2F0aW9ucy4gQXQgYW55IHRpbWUsIHRoZSBVU0cgbWF5IGluc3BlY3QgYW5kIHNlaXplIGRhdGEgc3RvcmVkIG9uIHRoaXMgSVMuIENvbW11bmljYXRpb25zIHVzaW5nLCBvciBkYXRhIHN0b3JlZCBvbiwgdGhpcyBJUyBhcmUgbm90IHByaXZhdGUsIGFyZSBzdWJqZWN0IHRvIHJvdXRpbmUgbW9uaXRvcmluZywgaW50ZXJjZXB0aW9uLCBhbmQgc2VhcmNoLCBhbmQgbWF5IGJlIGRpc2Nsb3NlZCBvciB1c2VkIGZvciBhbnkgVVNHIGF1dGhvcml6ZWQgcHVycG9zZS4gVGhpcyBJUyBpbmNsdWRlcyBzZWN1cml0eSBtZWFzdXJlcyAoZS5nLiwgYXV0aGVudGljYXRpb24gYW5kIGFjY2VzcyBjb250cm9scykgdG8gcHJvdGVjdCBVU0cgaW50ZXJlc3RzLS1ub3QgZm9yIHlvdXIgcGVyc29uYWwgYmVuZWZpdCBvciBwcml2YWN5LiBOb3R3aXRoc3RhbmRpbmcgdGhlIGFib3ZlLCB1c2luZyB0aGlzIElTIGRvZXMgbm90IGNvbnN0aXR1dGUgY29uc2VudCB0byBQTSwgTEUgb3IgQ0kgaW52ZXN0aWdhdGl2ZSBzZWFyY2hpbmcgb3IgbW9uaXRvcmluZyBvZiB0aGUgY29udGVudCBvZiBwcml2aWxlZ2VkIGNvbW11bmljYXRpb25zLCBvciB3b3JrIHByb2R1Y3QsIHJlbGF0ZWQgdG8gcGVyc29uYWwgcmVwcmVzZW50YXRpb24gb3Igc2VydmljZXMgYnkgYXR0b3JuZXlzLCBwc3ljaG90aGVyYXBpc3RzLCBvciBjbGVyZ3ksIGFuZCB0aGVpciBhc3Npc3RhbnRzLiBTdWNoIGNvbW11bmljYXRpb25zIGFuZCB3b3JrIHByb2R1Y3QgYXJlIHByaXZhdGUgYW5kIGNvbmZpZGVudGlhbC4gU2VlIFVzZXIgQWdyZWVtZW50IGZvciBkZXRhaWxzLiIsCiAgICAgICAgICAgICJpbmFjdGl2aXR5VGltZW91dCI6IDkwMCwKICAgICAgICAgICAgImNpcGhlcnMiOiBbCiAgICAgICAgICAgICAgICAiYWVzMTI4LWN0ciIsCiAgICAgICAgICAgICAgICAiYWVzMTkyLWN0ciIsCiAgICAgICAgICAgICAgICAiYWVzMjU2LWN0ciIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgImxvZ2luR3JhY2VUaW1lIjogNjAsCiAgICAgICAgICAgICJNQUNTIjogWwogICAgICAgICAgICAgICAgImhtYWMtc2hhMSIsCiAgICAgICAgICAgICAgICAiaG1hYy1yaXBlbWQxNjAiCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJtYXhBdXRoVHJpZXMiOiAzLAogICAgICAgICAgICAibWF4U3RhcnR1cHMiOiAiNSIsCiAgICAgICAgICAgICJwcm90b2NvbCI6IDIKICAgICAgICB9LAogICAgICAgICJteURucyI6IHsKICAgICAgICAgICAgImNsYXNzIjogIkROUyIsCiAgICAgICAgICAgICJuYW1lU2VydmVycyI6IFsKICAgICAgICAgICAgICAgICIxNjguNjMuMTI5LjE2IiwKICAgICAgICAgICAgICAgICIyMDAxOjQ4NjA6NDg2MDo6ODg0NCIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgInNlYXJjaCI6IFsKICAgICAgICAgICAgICAgICJmNS5jb20iCiAgICAgICAgICAgIF0KICAgICAgICB9LAogICAgICAgICJteU50cCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIk5UUCIsCiAgICAgICAgICAgICJzZXJ2ZXJzIjogWwogICAgICAgICAgICAgICAgInRpbWUubmlzdC5nb3YiLAogICAgICAgICAgICAgICAgIjAucG9vbC5udHAub3JnIiwKICAgICAgICAgICAgICAgICIxLnBvb2wubnRwLm9yZyIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgInRpbWV6b25lIjogIlVUQyIKICAgICAgICB9LAogICAgICAgICJteVByb3Zpc2lvbmluZyI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlByb3Zpc2lvbiIsCiAgICAgICAgICAgICJsdG0iOiAibm9taW5hbCIsCiAgICAgICAgICAgICJhc20iOiAibm9taW5hbCIsCiAgICAgICAgICAgICJhZm0iOiAibm9taW5hbCIKICAgICAgICB9LAogICAgICAgICJleHRlcm5hbCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlZMQU4iLAogICAgICAgICAgICAidGFnIjogNDA5NCwKICAgICAgICAgICAgIm10dSI6IDE1MDAsCiAgICAgICAgICAgICJpbnRlcmZhY2VzIjogWwogICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICJuYW1lIjogIjEuMSIsCiAgICAgICAgICAgICAgICAgICAgInRhZ2dlZCI6IGZhbHNlCiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgIF0KICAgICAgICB9LAogICAgICAgICJpbnRlcm5hbCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlZMQU4iLAogICAgICAgICAgICAidGFnIjogNDA5MywKICAgICAgICAgICAgIm10dSI6IDE1MDAsCiAgICAgICAgICAgICJpbnRlcmZhY2VzIjogWwogICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICJuYW1lIjogIjEuMiIsCiAgICAgICAgICAgICAgICAgICAgInRhZ2dlZCI6IGZhbHNlCiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgIF0KICAgICAgICB9LAogICAgICAgICJleHRlcm5hbC1zZWxmIjogewogICAgICAgICAgICAiY2xhc3MiOiAiU2VsZklwIiwKICAgICAgICAgICAgImFkZHJlc3MiOiAiMTAuOTAuMS41LzI0IiwKICAgICAgICAgICAgInZsYW4iOiAiZXh0ZXJuYWwiLAogICAgICAgICAgICAiYWxsb3dTZXJ2aWNlIjogImRlZmF1bHQiLAogICAgICAgICAgICAidHJhZmZpY0dyb3VwIjogInRyYWZmaWMtZ3JvdXAtbG9jYWwtb25seSIKICAgICAgICB9LAogICAgICAgICJpbnRlcm5hbC1zZWxmIjogewogICAgICAgICAgICAiY2xhc3MiOiAiU2VsZklwIiwKICAgICAgICAgICAgImFkZHJlc3MiOiAiMTAuOTAuMi41LzI0IiwKICAgICAgICAgICAgInZsYW4iOiAiaW50ZXJuYWwiLAogICAgICAgICAgICAiYWxsb3dTZXJ2aWNlIjogImRlZmF1bHQiLAogICAgICAgICAgICAidHJhZmZpY0dyb3VwIjogInRyYWZmaWMtZ3JvdXAtbG9jYWwtb25seSIKICAgICAgICB9LAogICAgICAgICJpbnRlcm5ldCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlJvdXRlIiwKICAgICAgICAgICAgImd3IjogIjEwLjkwLjEuMSIsCiAgICAgICAgICAgICJuZXR3b3JrIjogImRlZmF1bHQiLAogICAgICAgICAgICAibXR1IjogMTUwMAogICAgICAgIH0sCiAgICAgICAgInZkbXMiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJSb3V0ZSIsCiAgICAgICAgICAgICJndyI6ICIxMC45MC4yLjEiLAogICAgICAgICAgICAibmV0d29yayI6ICIxMC45MC4zLjAvMjQiLAogICAgICAgICAgICAibXR1IjogMTUwMAogICAgICAgIH0sCiAgICAgICAgInZkc3MiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJSb3V0ZSIsCiAgICAgICAgICAgICJndyI6ICIxMC45MC4yLjEiLAogICAgICAgICAgICAibmV0d29yayI6ICIxMC45MC4wLjAvMTYiLAogICAgICAgICAgICAibXR1IjogMTUwMAogICAgICAgIH0sCiAgICAgICAgImNvbmZpZ3N5bmMiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJDb25maWdTeW5jIiwKICAgICAgICAgICAgImNvbmZpZ3N5bmNJcCI6ICIvQ29tbW9uL2V4dGVybmFsLXNlbGYvYWRkcmVzcyIKICAgICAgICB9LAogICAgICAgICJmYWlsb3ZlckFkZHJlc3MiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJGYWlsb3ZlclVuaWNhc3QiLAogICAgICAgICAgICAiYWRkcmVzcyI6ICIvQ29tbW9uL2V4dGVybmFsLXNlbGYvYWRkcmVzcyIKICAgICAgICB9LAogICAgICAgICJmYWlsb3Zlckdyb3VwIjogewogICAgICAgICAgICAiY2xhc3MiOiAiRGV2aWNlR3JvdXAiLAogICAgICAgICAgICAidHlwZSI6ICJzeW5jLWZhaWxvdmVyIiwKICAgICAgICAgICAgIm1lbWJlcnMiOiBbCiAgICAgICAgICAgICAgICAiZjV2bTAxLmV4YW1wbGUuY29tIiwKICAgICAgICAgICAgICAgICJmNXZtMDIuZXhhbXBsZS5jb20iCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJvd25lciI6ICIvQ29tbW9uL2ZhaWxvdmVyR3JvdXAvbWVtYmVycy8wIiwKICAgICAgICAgICAgImF1dG9TeW5jIjogdHJ1ZSwKICAgICAgICAgICAgInNhdmVPbkF1dG9TeW5jIjogZmFsc2UsCiAgICAgICAgICAgICJuZXR3b3JrRmFpbG92ZXIiOiB0cnVlLAogICAgICAgICAgICAiZnVsbExvYWRPblN5bmMiOiBmYWxzZSwKICAgICAgICAgICAgImFzbVN5bmMiOiB0cnVlCiAgICAgICAgfSwKICAgICAgICAidHJ1c3QiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJEZXZpY2VUcnVzdCIsCiAgICAgICAgICAgICJsb2NhbFVzZXJuYW1lIjogInhhZG1pbiIsCiAgICAgICAgICAgICJsb2NhbFBhc3N3b3JkIjogInBsZWFzZVVzZVZhdWx0MTIzISEiLAogICAgICAgICAgICAicmVtb3RlSG9zdCI6ICIxMC45MC4xLjQiLAogICAgICAgICAgICAicmVtb3RlVXNlcm5hbWUiOiAieGFkbWluIiwKICAgICAgICAgICAgInJlbW90ZVBhc3N3b3JkIjogInBsZWFzZVVzZVZhdWx0MTIzISEiCiAgICAgICAgfQogICAgfQp9CkVPRgpjYXQgPiAvY29uZmlnL2FzMy5qc29uIDw8RU9GCnsKICAgICIkc2NoZW1hIjogImh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9GNU5ldHdvcmtzL2Y1LWFwcHN2Y3MtZXh0ZW5zaW9uL21hc3Rlci9zY2hlbWEvbGF0ZXN0L2FzMy1zY2hlbWEuanNvbiIsCiAgICAiY2xhc3MiOiJBUzMiLAogICAgImFjdGlvbiI6ImRlcGxveSIsCiAgICAicGVyc2lzdCI6dHJ1ZSwKICAgICJkZWNsYXJhdGlvbiI6IHsgCiAgICAgICAgImNsYXNzIjogIkFEQyIsCiAgICAgICAgInNjaGVtYVZlcnNpb24iOiAiMy4xMi4wIiwKICAgICAgICAiaWQiOiAiMDVmYWViNTItNGMxYi05ZmEzLTczYmUtZWNkNzcwYTU3ZGYwIiwKICAgICAgICAibGFiZWwiOiAic2NjYSBiYXNlbGluZSIsCiAgICAgICAgInJlbWFyayI6ICJzY2NhIGJhc2VsaW5lIDMuMTIuMCIsCiAgICAgICAgIkNvbW1vbiI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlRlbmFudCIsCiAgICAgICAgICAgICJTaGFyZWQiOiB7CiAgICAgICAgICAgICAgICAiY2xhc3MiOiAiQXBwbGljYXRpb24iLAogICAgICAgICAgICAgICAgInRlbXBsYXRlIjogInNoYXJlZCIsCiAgICAgICAgICAgICAgICAiZndMb2dEZXN0aW5hdGlvblN5c2xvZyI6IHsKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiTG9nX0Rlc3RpbmF0aW9uIiwKICAgICAgICAgICAgICAgICAgICAidHlwZSI6ICJyZW1vdGUtc3lzbG9nIiwKICAgICAgICAgICAgICAgICAgICAicmVtb3RlSGlnaFNwZWVkTG9nIjogewogICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogImZ3TG9nRGVzdGluYXRpb25Ic2wiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAiZm9ybWF0IjogInJmYzU0MjQiCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgImZ3TG9nRGVzdGluYXRpb25Ic2wiOiB7CiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIkxvZ19EZXN0aW5hdGlvbiIsCiAgICAgICAgICAgICAgICAgICAgInR5cGUiOiAicmVtb3RlLWhpZ2gtc3BlZWQtbG9nIiwKICAgICAgICAgICAgICAgICAgICAicHJvdG9jb2wiOiAidGNwIiwKICAgICAgICAgICAgICAgICAgICAicG9vbCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgInVzZSI6ICJoc2xfcG9vbCIKICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgImhzbF9wb29sIjogewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJQb29sIiwKICAgICAgICAgICAgICAgICAgICAibWVtYmVycyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlcnZlckFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiMTAuOTAuMTAuMTAxIgogICAgICAgICAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJlbmFibGUiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlcnZpY2VQb3J0IjogNTE0CiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJtb25pdG9ycyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vdWRwIgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJmd0xvZ1B1Ymxpc2hlciI6IHsKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiTG9nX1B1Ymxpc2hlciIsCiAgICAgICAgICAgICAgICAgICAgImRlc3RpbmF0aW9ucyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgInVzZSI6ICJmd0xvZ0Rlc3RpbmF0aW9uU3lzbG9nIgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJmd1NlY3VyaXR5TG9nUHJvZmlsZSI6IHsKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiU2VjdXJpdHlfTG9nX1Byb2ZpbGUiLAogICAgICAgICAgICAgICAgICAgICJuZXR3b3JrIjogewogICAgICAgICAgICAgICAgICAgICAgICAicHVibGlzaGVyIjogewogICAgICAgICAgICAgICAgICAgICAgICAgICAgInVzZSI6ICJmd0xvZ1B1Ymxpc2hlciIKICAgICAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAgICAgInN0b3JhZ2VGb3JtYXQiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZmllbGRzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhY3Rpb24iLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJkZXN0LWlwIiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGVzdC1wb3J0IiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3JjLWlwIiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3JjLXBvcnQiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICBdCiAgICAgICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgICAgICJsb2dUcmFuc2xhdGlvbkZpZWxkcyI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgICAgICJsb2dUY3BFdmVudHMiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAibG9nUnVsZU1hdGNoUmVqZWN0cyI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgICAgICJsb2dUY3BFcnJvcnMiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAibG9nSXBFcnJvcnMiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAibG9nUnVsZU1hdGNoRHJvcHMiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAibG9nUnVsZU1hdGNoQWNjZXB0cyI6IHRydWUKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJhcHBsaWNhdGlvbiI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImZhY2lsaXR5IjogImxvY2FsMyIsCiAgICAgICAgICAgICAgICAgICAgICAgICJzdG9yYWdlRmlsdGVyIjogewogICAgICAgICAgICAgICAgICAgICAgICAgICAgInJlcXVlc3RUeXBlIjogImlsbGVnYWwtaW5jbHVkaW5nLXN0YWdlZC1zaWduYXR1cmVzIiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyZXNwb25zZUNvZGVzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICI0MDQiLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIyMDEiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInByb3RvY29scyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaHR0cCIKICAgICAgICAgICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiaHR0cE1ldGhvZHMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlBBVENIIiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiREVMRVRFIgogICAgICAgICAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJyZXF1ZXN0Q29udGFpbnMiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlYXJjaEluIjogInNlYXJjaC1pbi1yZXF1ZXN0IiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidmFsdWUiOiAiVGhlIG5ldyB2YWx1ZSIKICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAibG9naW5SZXN1bHRzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsb2dpbi1yZXN1bHQtdW5rbm93biIKICAgICAgICAgICAgICAgICAgICAgICAgICAgIF0KICAgICAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAgICAgInN0b3JhZ2VGb3JtYXQiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZmllbGRzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhdHRhY2tfdHlwZSIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImF2cl9pZCIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImhlYWRlcnMiLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpc190cnVuY2F0ZWQiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgImRlbGltaXRlciI6ICIuIgogICAgICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICAgICAibG9jYWxTdG9yYWdlIjogZmFsc2UsCiAgICAgICAgICAgICAgICAgICAgICAgICJtYXhFbnRyeUxlbmd0aCI6ICIxMGsiLAogICAgICAgICAgICAgICAgICAgICAgICAicHJvdG9jb2wiOiAidWRwIiwKICAgICAgICAgICAgICAgICAgICAgICAgInJlbW90ZVN0b3JhZ2UiOiAicmVtb3RlIiwKICAgICAgICAgICAgICAgICAgICAgICAgInJlcG9ydEFub21hbGllc0VuYWJsZWQiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAic2VydmVycyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYWRkcmVzcyI6ICIxMC45MC4xMC4xMDEiLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJwb3J0IjogIjUxNCIKICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgImRvc0FwcGxpY2F0aW9uIjogewogICAgICAgICAgICAgICAgICAgICAgICAicmVtb3RlUHVibGlzaGVyIjogewogICAgICAgICAgICAgICAgICAgICAgICAgICAgInVzZSI6ICJmd0xvZ1B1Ymxpc2hlciIKICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgImRvc05ldHdvcmsiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJwdWJsaXNoZXIiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogImZ3TG9nUHVibGlzaGVyIgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJleGFtcGxlX3Jlc3BvbnNlIjogewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJpUnVsZSIsCiAgICAgICAgICAgICAgICAgICAgImlSdWxlIjogIndoZW4gSFRUUF9SRVFVRVNUIHtcbiAgICBIVFRQOjpyZXNwb25kIDIwMCBjb250ZW50IHtcbiAgICAgICAgPGh0bWw+XG4gICAgICAgIDxoZWFkPlxuICAgICAgICA8dGl0bGU+SGVhbHRoIENoZWNrPC90aXRsZT5cbiAgICAgICAgPC9oZWFkPlxuICAgICAgICA8Ym9keT5cbiAgICAgICAgU3lzdGVtIGlzIG9ubGluZS5cbiAgICAgICAgPC9ib2R5PlxuICAgICAgICA8L2h0bWw+XG4gICAgICAgIH1cbn0iCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgInNjY2FCYXNlbGluZVdBRlBvbGljeSI6ewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJXQUZfUG9saWN5IiwKICAgICAgICAgICAgICAgICAgICAidXJsIjogImh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9mNWRldmNlbnRyYWwvZjUtYXNtLXBvbGljeS10ZW1wbGF0ZXMvbWFzdGVyL293YXNwX3JlYWR5X3RlbXBsYXRlL293YXNwLWF1dG8tdHVuZS12MS4xLnhtbCIsCiAgICAgICAgICAgICAgICAgICAgImlnbm9yZUNoYW5nZXMiOiBmYWxzZSwKICAgICAgICAgICAgICAgICJlbmZvcmNlbWVudE1vZGUiOiAidHJhbnNwYXJlbnQiCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgImNlcnRpZmljYXRlX2RlZmF1bHQiOiB7CiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIkNlcnRpZmljYXRlIiwKICAgICAgICAgICAgICAgICAgICAiY2VydGlmaWNhdGUiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJiaWdpcCI6ICIvQ29tbW9uL2RlZmF1bHQuY3J0IgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInByaXZhdGVLZXkiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJiaWdpcCI6ICIvQ29tbW9uL2RlZmF1bHQua2V5IgogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAic2NjYUJhc2VsaW5lQ2xpZW50U1NMIjogewogICAgICAgICAgICAgICAgICAgICJjZXJ0aWZpY2F0ZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJjZXJ0aWZpY2F0ZSI6ICJjZXJ0aWZpY2F0ZV9kZWZhdWx0IgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAiY2lwaGVycyI6ICJISUdIIiwKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiVExTX1NlcnZlciIKICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAic2NjYUJhc2VsaW5lQUZNUnVsZUxpc3QiOnsKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiRmlyZXdhbGxfUnVsZV9MaXN0IiwKICAgICAgICAgICAgICAgICAgICAicnVsZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhY3Rpb24iOiAiYWNjZXB0IiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuYW1lIjogImFsbG93X2FsbCIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAicHJvdG9jb2wiOiAiYW55IgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJzY2NhQmFzZWxpbmVBRk1Qb2xpY3kiOiB7CiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIkZpcmV3YWxsX1BvbGljeSIsCiAgICAgICAgICAgICAgICAgICAgInJ1bGVzIjogWwogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYWN0aW9uIjogImFjY2VwdCIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAibG9nZ2luZ0VuYWJsZWQiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgIm5hbWUiOiAiYWxsb3dfYWxsIiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJwcm90b2NvbCI6ICJhbnkiCiAgICAgICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhY3Rpb24iOiAiYWNjZXB0IiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsb2dnaW5nRW5hYmxlZCI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAibmFtZSI6ICJkZW55X2FsbCIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAicHJvdG9jb2wiOiAiYW55IgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJzY2NhQmFzZWxpbmVBRk1Qb2xpY3lIVFRQIjogewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJGaXJld2FsbF9Qb2xpY3kiLAogICAgICAgICAgICAgICAgICAgICJydWxlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgImFjdGlvbiI6ICJhY2NlcHQiLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgImxvZ2dpbmdFbmFibGVkIjogdHJ1ZSwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuYW1lIjogImFsbG93X2FsbCIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAicHJvdG9jb2wiOiAiYW55IgogICAgICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYWN0aW9uIjogImFjY2VwdCIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAibG9nZ2luZ0VuYWJsZWQiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgIm5hbWUiOiAiZGVueV9hbGwiLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInByb3RvY29sIjogImFueSIKICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIF0KICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgfQogICAgICAgIH0sCiAgICAgICAgInRyYW5zaXQiOiB7CiAgICAgICAgICAgICJjbGFzcyI6ICJUZW5hbnQiLAogICAgICAgICAgICAidHJhbnNpdCI6IHsKICAgICAgICAgICAgICAgICJjbGFzcyI6ICJBcHBsaWNhdGlvbiIsCiAgICAgICAgICAgICAgICAidGVtcGxhdGUiOiAiZ2VuZXJpYyIsCiAgICAgICAgICAgICAgICAidHJhbnNpdF9mb3J3YXJkIjogewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJTZXJ2aWNlX0ZvcndhcmRpbmciLAogICAgICAgICAgICAgICAgICAgICJ2aXJ0dWFsQWRkcmVzc2VzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAgICAgIjAuMC4wLjAvMCIKICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJwcm9maWxlTDQiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJ1c2UiOiAicm91dGVfZnJpZW5kbHlfZmFzdGw0IgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInZpcnR1YWxQb3J0IjogMCwKICAgICAgICAgICAgICAgICAgICAiZm9yd2FyZGluZ1R5cGUiOiAiaXAiLAogICAgICAgICAgICAgICAgICAgICJsYXllcjQiOiAiYW55IiwKICAgICAgICAgICAgICAgICAgICAic25hdCI6ICJhdXRvIiwKICAgICAgICAgICAgICAgICAgICAidHJhbnNsYXRlU2VydmVyQWRkcmVzcyI6IGZhbHNlLAogICAgICAgICAgICAgICAgICAgICJ0cmFuc2xhdGVTZXJ2ZXJQb3J0IjogZmFsc2UsCiAgICAgICAgICAgICAgICAgICAgInRyYW5zbGF0ZUNsaWVudFBvcnQiOiAicHJlc2VydmUtc3RyaWN0IgogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJyb3V0ZV9mcmllbmRseV9mYXN0bDQiOiB7CiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIkw0X1Byb2ZpbGUiLAogICAgICAgICAgICAgICAgICAgICJpZGxlVGltZW91dCI6IDMwMCwKICAgICAgICAgICAgICAgICAgICAibG9vc2VDbG9zZSI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgImxvb3NlSW5pdGlhbGl6YXRpb24iOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICJyZXNldE9uVGltZW91dCI6IGZhbHNlCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgInRyYW5zaXRfaGVhbHRoX2lydWxlIjogewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJpUnVsZSIsCiAgICAgICAgICAgICAgICAgICAgImlSdWxlIjogIndoZW4gSFRUUF9SRVFVRVNUIHtcbiAgICBIVFRQOjpyZXNwb25kIDIwMCBjb250ZW50IHtcbiAgICAgICAgPGh0bWw+XG4gICAgICAgIDxoZWFkPlxuICAgICAgICA8dGl0bGU+SGVhbHRoIENoZWNrPC90aXRsZT5cbiAgICAgICAgPC9oZWFkPlxuICAgICAgICA8Ym9keT5cbiAgICAgICAgU3lzdGVtIGlzIG9ubGluZS5cbiAgICAgICAgPC9ib2R5PlxuICAgICAgICA8L2h0bWw+XG4gICAgICAgIH1cbn0iCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgInRyYW5zaXRfaGVhbHRoIjogewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJTZXJ2aWNlX0hUVFAiLAogICAgICAgICAgICAgICAgICAgICJsYXllcjQiOiAidGNwIiwKICAgICAgICAgICAgICAgICAgICAiaVJ1bGVzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAidHJhbnNpdF9oZWFsdGhfaXJ1bGUiCiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAicHJvZmlsZUhUVFAiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJiaWdpcCI6ICIvQ29tbW9uL2h0dHAiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAicHJvZmlsZVRDUCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vdGNwIgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInZpcnR1YWxBZGRyZXNzZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgICIxMC45MC4yLjExIiwKICAgICAgICAgICAgICAgICAgICAgICAgIjEwLjkwLjIuMTIiCiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAidmlydHVhbFBvcnQiOiAzNDU2OCwKICAgICAgICAgICAgICAgICAgICAic25hdCI6ICJub25lIgogICAgICAgICAgICAgICAgfQogICAgICAgICAgICB9CiAgICAgICAgfSwKICAgICAgICAibWdtdCI6IHsKICAgICAgICAgICAgImNsYXNzIjogIlRlbmFudCIsCiAgICAgICAgICAgICJhZG1pbiI6IHsKICAgICAgICAgICAgICAgICJjbGFzcyI6ICJBcHBsaWNhdGlvbiIsCiAgICAgICAgICAgICAgICAidGVtcGxhdGUiOiAiZ2VuZXJpYyIsCiAgICAgICAgICAgICAgICAicmRwX3Bvb2wiOiB7CiAgICAgICAgICAgICAgICAgICAgIm1lbWJlcnMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhZGRyZXNzRGlzY292ZXJ5IjogInN0YXRpYyIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAic2VydmljZVBvcnQiOiAzMzg5LAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlcnZlckFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiMTAuOTAuMy45OCIKICAgICAgICAgICAgICAgICAgICAgICAgICAgIF0KICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgIm1vbml0b3JzIjogWwogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi90Y3BfaGFsZl9vcGVuIgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiUG9vbCIKICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAic3NoX3Bvb2wiOiB7CiAgICAgICAgICAgICAgICAgICAgIm1lbWJlcnMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhZGRyZXNzRGlzY292ZXJ5IjogInN0YXRpYyIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAic2VydmljZVBvcnQiOiAyMiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJzZXJ2ZXJBZGRyZXNzZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIjEwLjkwLjMuOTkiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICBdCiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJtb25pdG9ycyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vdGNwX2hhbGZfb3BlbiIKICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIlBvb2wiCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgIm1nbXRfaGVhbHRoX2lydWxlIjogewogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJpUnVsZSIsCiAgICAgICAgICAgICAgICAgICAgImlSdWxlIjogIndoZW4gSFRUUF9SRVFVRVNUIHtcbiAgICBIVFRQOjpyZXNwb25kIDIwMCBjb250ZW50IHtcbiAgICAgICAgPGh0bWw+XG4gICAgICAgIDxoZWFkPlxuICAgICAgICA8dGl0bGU+SGVhbHRoIENoZWNrPC90aXRsZT5cbiAgICAgICAgPC9oZWFkPlxuICAgICAgICA8Ym9keT5cbiAgICAgICAgU3lzdGVtIGlzIG9ubGluZS5cbiAgICAgICAgPC9ib2R5PlxuICAgICAgICA8L2h0bWw+XG4gICAgICAgIH1cbn0iCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgIm1nbXRfaHR0cCI6IHsKICAgICAgICAgICAgICAgICAgICAicG9saWN5RmlyZXdhbGxFbmZvcmNlZCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgInVzZSI6ICIvQ29tbW9uL1NoYXJlZC9zY2NhQmFzZWxpbmVBRk1Qb2xpY3kiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAibGF5ZXI0IjogInRjcCIsCiAgICAgICAgICAgICAgICAgICAgImlSdWxlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgIm1nbXRfaGVhbHRoX2lydWxlIgogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgInNlY3VyaXR5TG9nUHJvZmlsZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1c2UiOiAiL0NvbW1vbi9TaGFyZWQvZndTZWN1cml0eUxvZ1Byb2ZpbGUiCiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJ0cmFuc2xhdGVTZXJ2ZXJBZGRyZXNzIjogdHJ1ZSwKICAgICAgICAgICAgICAgICAgICAidHJhbnNsYXRlU2VydmVyUG9ydCI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIlNlcnZpY2VfSFRUUCIsCiAgICAgICAgICAgICAgICAgICAgInByb2ZpbGVET1MiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJiaWdpcCI6ICIvQ29tbW9uL2RvcyIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJwcm9maWxlSFRUUCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vaHR0cCIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJwcm9maWxlVENQIjogewogICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi90Y3AiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAidmlydHVhbEFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgIjEwLjkwLjEuMTEiLAogICAgICAgICAgICAgICAgICAgICAgICAiMTAuOTAuMS4xMiIKICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJ2aXJ0dWFsUG9ydCI6IDgwLAogICAgICAgICAgICAgICAgICAgICJzbmF0IjogIm5vbmUiCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgIm1nbXRfcmRwIjogewogICAgICAgICAgICAgICAgICAgICJwb2xpY3lGaXJld2FsbEVuZm9yY2VkIjogewogICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogIi9Db21tb24vU2hhcmVkL3NjY2FCYXNlbGluZUFGTVBvbGljeSIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJsYXllcjQiOiAidGNwIiwKICAgICAgICAgICAgICAgICAgICAicG9vbCI6ICJyZHBfcG9vbCIsCiAgICAgICAgICAgICAgICAgICAgInNlY3VyaXR5TG9nUHJvZmlsZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1c2UiOiAiL0NvbW1vbi9TaGFyZWQvZndTZWN1cml0eUxvZ1Byb2ZpbGUiCiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJ0cmFuc2xhdGVTZXJ2ZXJBZGRyZXNzIjogdHJ1ZSwKICAgICAgICAgICAgICAgICAgICAidHJhbnNsYXRlU2VydmVyUG9ydCI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIlNlcnZpY2VfVENQIiwKICAgICAgICAgICAgICAgICAgICAicHJvZmlsZVRDUCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vdGNwIgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInZpcnR1YWxBZGRyZXNzZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgICIxMC45MC4xLjExIiwKICAgICAgICAgICAgICAgICAgICAgICAgIjEwLjkwLjEuMTIiCiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAidmlydHVhbFBvcnQiOiAzMzg5LAogICAgICAgICAgICAgICAgICAgICJzbmF0IjogImF1dG8iCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgIm1nbXRfc3NoIjogewogICAgICAgICAgICAgICAgICAgICJwb2xpY3lGaXJld2FsbEVuZm9yY2VkIjogewogICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogIi9Db21tb24vU2hhcmVkL3NjY2FCYXNlbGluZUFGTVBvbGljeSIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJsYXllcjQiOiAidGNwIiwKICAgICAgICAgICAgICAgICAgICAicG9vbCI6ICJzc2hfcG9vbCIsCiAgICAgICAgICAgICAgICAgICAgInNlY3VyaXR5TG9nUHJvZmlsZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1c2UiOiAiL0NvbW1vbi9TaGFyZWQvZndTZWN1cml0eUxvZ1Byb2ZpbGUiCiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJ0cmFuc2xhdGVTZXJ2ZXJBZGRyZXNzIjogdHJ1ZSwKICAgICAgICAgICAgICAgICAgICAidHJhbnNsYXRlU2VydmVyUG9ydCI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIlNlcnZpY2VfVENQIiwKICAgICAgICAgICAgICAgICAgICAicHJvZmlsZURPUyI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vZG9zIgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInByb2ZpbGVUQ1AiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJiaWdpcCI6ICIvQ29tbW9uL3RjcCIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJ2aXJ0dWFsQWRkcmVzc2VzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAiMTAuOTAuMS4xMSIsCiAgICAgICAgICAgICAgICAgICAgICAgICIxMC45MC4xLjEyIgogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgInZpcnR1YWxQb3J0IjogMjIsCiAgICAgICAgICAgICAgICAgICAgInNuYXQiOiAiYXV0byIKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgfQogICAgICAgIH0sICAgIAogICAgICAgICJFeGFtcGxlIjogewogICAgICAgICAgICAiY2xhc3MiOiAiVGVuYW50IiwKICAgICAgICAgICAgImV4YW1wbGVBcHAiOiB7CiAgICAgICAgICAgICAgICAiY2xhc3MiOiAiQXBwbGljYXRpb24iLAogICAgICAgICAgICAgICAgInRlbXBsYXRlIjogImdlbmVyaWMiLAogICAgICAgICAgICAgICAgInNjY2FCYXNlbGluZUV4YW1wbGVJUFMiOiB7CiAgICAgICAgICAgICAgICAgICAgInBvbGljeUZpcmV3YWxsRW5mb3JjZWQiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJ1c2UiOiAiL0NvbW1vbi9TaGFyZWQvc2NjYUJhc2VsaW5lQUZNUG9saWN5IgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgImxheWVyNCI6ICJ0Y3AiLAogICAgICAgICAgICAgICAgICAgICJzZWN1cml0eUxvZ1Byb2ZpbGVzIjogWwogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogIi9Db21tb24vU2hhcmVkL2Z3U2VjdXJpdHlMb2dQcm9maWxlIgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAidHJhbnNsYXRlU2VydmVyQWRkcmVzcyI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgInRyYW5zbGF0ZVNlcnZlclBvcnQiOiBmYWxzZSwKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiU2VydmljZV9UQ1AiLAogICAgICAgICAgICAgICAgICAgICJwcm9maWxlRE9TIjogewogICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi9kb3MiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAicHJvZmlsZUhUVFAiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJiaWdpcCI6ICIvQ29tbW9uL2h0dHAiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAicHJvZmlsZVRDUCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vdGNwIgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInZpcnR1YWxBZGRyZXNzZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgICIxMC45MC4xLjAvMjQiCiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAidmlydHVhbFBvcnQiOiAwLAogICAgICAgICAgICAgICAgICAgICJzbmF0IjogImF1dG8iLAogICAgICAgICAgICAgICAgICAgICJwb29sIjogInNjY2FCYXNlbGluZUlQU1Bvb2wiCiAgICAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgInNjY2FCYXNlbGluZUV4YW1wbGVIVFRQUyI6IHsKICAgICAgICAgICAgICAgICAgICAicG9saWN5RmlyZXdhbGxFbmZvcmNlZCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgInVzZSI6ICIvQ29tbW9uL1NoYXJlZC9zY2NhQmFzZWxpbmVBRk1Qb2xpY3lIVFRQIgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgImxheWVyNCI6ICJ0Y3AiLAogICAgICAgICAgICAgICAgICAgICJzZWN1cml0eUxvZ1Byb2ZpbGVzIjogWwogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogIi9Db21tb24vU2hhcmVkL2Z3U2VjdXJpdHlMb2dQcm9maWxlIgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAidHJhbnNsYXRlU2VydmVyQWRkcmVzcyI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgInRyYW5zbGF0ZVNlcnZlclBvcnQiOiB0cnVlLAogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJTZXJ2aWNlX0hUVFBTIiwKICAgICAgICAgICAgICAgICAgICAicHJvZmlsZURPUyI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vZG9zIgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInByb2ZpbGVIVFRQIjogewogICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi9odHRwIgogICAgICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAgICAgInNlcnZlclRMUyI6ICIvQ29tbW9uL1NoYXJlZC9zY2NhQmFzZWxpbmVDbGllbnRTU0wiLAogICAgICAgICAgICAgICAgICAgICJwcm9maWxlVENQIjogewogICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi90Y3AiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAidmlydHVhbEFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgIjEwLjkwLjEuMC8yNCIKICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJ2aXJ0dWFsUG9ydCI6IDQ0MywKICAgICAgICAgICAgICAgICAgICAic25hdCI6ICJhdXRvIiwKICAgICAgICAgICAgICAgICAgICAicG9saWN5V0FGIjogewogICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogIi9Db21tb24vU2hhcmVkL3NjY2FCYXNlbGluZVdBRlBvbGljeSIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJwb29sIjogInNjY2FCYXNlbGluZUp1aWNlU2hvcCIKICAgICAgICAgICAgICAgIH0sICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgInNjY2FCYXNlbGluZUV4YW1wbGVIVFRQIjogewogICAgICAgICAgICAgICAgICAgICJwb2xpY3lGaXJld2FsbEVuZm9yY2VkIjogewogICAgICAgICAgICAgICAgICAgICAgICAidXNlIjogIi9Db21tb24vU2hhcmVkL3NjY2FCYXNlbGluZUFGTVBvbGljeUhUVFAiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAibGF5ZXI0IjogInRjcCIsCiAgICAgICAgICAgICAgICAgICAgInNlY3VyaXR5TG9nUHJvZmlsZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1c2UiOiAiL0NvbW1vbi9TaGFyZWQvZndTZWN1cml0eUxvZ1Byb2ZpbGUiCiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJ0cmFuc2xhdGVTZXJ2ZXJBZGRyZXNzIjogdHJ1ZSwKICAgICAgICAgICAgICAgICAgICAidHJhbnNsYXRlU2VydmVyUG9ydCI6IHRydWUsCiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIlNlcnZpY2VfSFRUUCIsCiAgICAgICAgICAgICAgICAgICAgInByb2ZpbGVET1MiOiB7CiAgICAgICAgICAgICAgICAgICAgICAgICJiaWdpcCI6ICIvQ29tbW9uL2RvcyIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJwcm9maWxlSFRUUCI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vaHR0cCIKICAgICAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgICAgICJwcm9maWxlVENQIjogewogICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi90Y3AiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAidmlydHVhbEFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgIjEwLjkwLjEuMC8yNCIKICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJ2aXJ0dWFsUG9ydCI6IDgwODAsCiAgICAgICAgICAgICAgICAgICAgInNuYXQiOiAiYXV0byIsCiAgICAgICAgICAgICAgICAgICAgInBvbGljeVdBRiI6IHsKICAgICAgICAgICAgICAgICAgICAgICAgInVzZSI6ICIvQ29tbW9uL1NoYXJlZC9zY2NhQmFzZWxpbmVXQUZQb2xpY3kiCiAgICAgICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICAgICAicG9vbCI6ICJzY2NhQmFzZWxpbmVQaW1wTXlMb2dzIgogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJzY2NhQmFzZWxpbmVJUFNQb29sIjogewogICAgICAgICAgICAgICAgICAgICJtZW1iZXJzIjogWwogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYWRkcmVzc0Rpc2NvdmVyeSI6ICJzdGF0aWMiLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlcnZpY2VQb3J0IjogNDQzLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlcnZlckFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiMTAuOTAuMTAuMTAxIgogICAgICAgICAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiUG9vbCIKICAgICAgICAgICAgICAgIH0sCiAgICAgICAgICAgICAgICAic2NjYUJhc2VsaW5lSnVpY2VTaG9wIjogewogICAgICAgICAgICAgICAgICAgICJtb25pdG9ycyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vaHR0cCIKICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgIm1lbWJlcnMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhZGRyZXNzRGlzY292ZXJ5IjogInN0YXRpYyIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAic2VydmljZVBvcnQiOiAzMDAwLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlcnZlckFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiMTAuOTAuMTAuMTAxIgogICAgICAgICAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiUG9vbCIKICAgICAgICAgICAgICAgIH0sCgogICAgICAgICAgICAgICAgInNjY2FCYXNlbGluZVBpbXBNeUxvZ3MiOiB7CiAgICAgICAgICAgICAgICAgICAgIm1vbml0b3JzIjogWwogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi9odHRwIgogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAibWVtYmVycyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgImFkZHJlc3NEaXNjb3ZlcnkiOiAic3RhdGljIiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJzZXJ2aWNlUG9ydCI6IDgwODAsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAic2VydmVyQWRkcmVzc2VzIjogWwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIxMC45MC4xMC4xMDEiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICBdCiAgICAgICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgICAgICBdLAogICAgICAgICAgICAgICAgICAgICJjbGFzcyI6ICJQb29sIgogICAgICAgICAgICAgICAgfSwKICAgICAgICAgICAgICAgICJzY2NhQmFzZWxpbmVEZW1vQXBwSHR0cHMiOiB7CiAgICAgICAgICAgICAgICAgICAgIm1vbml0b3JzIjogWwogICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYmlnaXAiOiAiL0NvbW1vbi9odHRwcyIKICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgIm1lbWJlcnMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhZGRyZXNzRGlzY292ZXJ5IjogInN0YXRpYyIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAic2VydmljZVBvcnQiOjQ0MywKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJzZXJ2ZXJBZGRyZXNzZXMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIjEwLjkwLjEwLjEwMSIKICAgICAgICAgICAgICAgICAgICAgICAgICAgIF0KICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgImNsYXNzIjogIlBvb2wiCiAgICAgICAgICAgICAgICB9LAogICAgICAgICAgICAgICAgInNjY2FCYXNlbGluZURlbW9BcHBIdHRwIjogewogICAgICAgICAgICAgICAgICAgICJtb25pdG9ycyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgImJpZ2lwIjogIi9Db21tb24vaHR0cCIKICAgICAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgICAgIF0sCiAgICAgICAgICAgICAgICAgICAgIm1lbWJlcnMiOiBbCiAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhZGRyZXNzRGlzY292ZXJ5IjogInN0YXRpYyIsCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAic2VydmljZVBvcnQiOjgwLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgInNlcnZlckFkZHJlc3NlcyI6IFsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiMTAuOTAuMTAuMTAxIgogICAgICAgICAgICAgICAgICAgICAgICAgICAgXQogICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgXSwKICAgICAgICAgICAgICAgICAgICAiY2xhc3MiOiAiUG9vbCIKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgfQogICAgfQogICAgfQp9CkVPRgoKRE9fQk9EWV8wMT0iL2NvbmZpZy9kbzEuanNvbiIKRE9fQk9EWV8wMj0iL2NvbmZpZy9kbzIuanNvbiIKQVMzX0JPRFk9Ii9jb25maWcvYXMzLmpzb24iCgpET19VUkxfUE9TVD0iL21nbXQvc2hhcmVkL2RlY2xhcmF0aXZlLW9uYm9hcmRpbmciCkFTM19VUkxfUE9TVD0iL21nbXQvc2hhcmVkL2FwcHN2Y3MvZGVjbGFyZSIKIyBCSUctSVBTIE9OQk9BUkQgU0NSSVBUCgoKaWYgWyAhIC1lICRMT0dfRklMRSBdCnRoZW4KICAgICB0b3VjaCAkTE9HX0ZJTEUKICAgICBleGVjICY+PiRMT0dfRklMRQplbHNlCiAgICAjaWYgZmlsZSBleGlzdHMsIGV4aXQgYXMgb25seSB3YW50IHRvIHJ1biBvbmNlCiAgICBleGl0CmZpCgpleGVjIDE+JExPR19GSUxFIDI+JjEKCnN0YXJ0VGltZT0kKGRhdGUgKyVzKQplY2hvICJzdGFydCBkZXZpY2UgSUQ6JGRldmljZUlkIGRhdGU6ICQoZGF0ZSkiCmZ1bmN0aW9uIHRpbWVyICgpIHsKICAgIGVjaG8gIlRpbWUgRWxhcHNlZDogJCgoIDEgLyAzNjAwICkpaCAkKCggKDEgLyA2MCkgJSA2MCApKW0gJCgoIDEgJSA2MCApKXMiCn0Kd2FpdE1jcGQgKCkgewpjaGVja3M9MAp3aGlsZSBbWyAiJGNoZWNrcyIgLWx0IDEyMCBdXTsgZG8KICAgIHRtc2ggLWEgc2hvdyBzeXMgbWNwLXN0YXRlIGZpZWxkLWZtdCB8IGdyZXAgLXEgcnVubmluZwogICBpZiBbICQ/ID09IDAgXTsgdGhlbgogICAgICAgZWNobyAiW0lORk86IG1jcGQgcmVhZHldIgogICAgICAgYnJlYWsKICAgZmkKICAgZWNobyAiW1dBUk46IG1jcGQgbm90IHJlYWR5IHlldF0iCiAgIGxldCBjaGVja3M9Y2hlY2tzKzEKICAgc2xlZXAgMTAKZG9uZQp9CndhaXRBY3RpdmUgKCkgewpjaGVja3M9MAp3aGlsZSBbWyAiJGNoZWNrcyIgLWx0IDMwIF1dOyBkbwogICAgdG1zaCAtYSBzaG93IHN5cyByZWFkeSB8IGdyZXAgLXEgbm8KICAgaWYgWyAkPyA9PSAxIF07IHRoZW4KICAgICAgIGVjaG8gIltJTkZPOiBzeXN0ZW0gcmVhZHldIgogICAgICAgYnJlYWsKICAgZmkKICAgZWNobyAiW1dBUk46IHN5c3RlbSBub3QgcmVhZHkgeWV0IGNvdW50OiAkY2hlY2tzXSIKICAgdG1zaCAtYSBzaG93IHN5cyByZWFkeSB8IGdyZXAgbm8KICAgbGV0IGNoZWNrcz1jaGVja3MrMQogICBzbGVlcCAxMApkb25lCn0KIyBDSEVDSyBUTyBTRUUgTkVUV09SSyBJUyBSRUFEWQpjb3VudD0wCndoaWxlIHRydWUKZG8KICBTVEFUVVM9JChjdXJsIC1zIC1rIC1JIGV4YW1wbGUuY29tIHwgZ3JlcCBIVFRQKQogIGlmIFtbICRTVEFUVVMgPT0gKiIyMDAiKiBdXTsgdGhlbgogICAgZWNobyAiW0lORk86IGludGVybmV0IGFjY2VzcyBjaGVjayBwYXNzZWRdIgogICAgYnJlYWsKICBlbGlmIFsgJGNvdW50IC1sZSA2IF07IHRoZW4KICAgIGVjaG8gIlN0YXR1cyBjb2RlOiAkU1RBVFVTICBOb3QgZG9uZSB5ZXQuLi4iCiAgICBjb3VudD0kWyRjb3VudCsxXQogIGVsc2UKICAgIGVjaG8gIltXQVJOOiBHSVZFIFVQLi4uXSIKICAgIGJyZWFrCiAgZmkKICBzbGVlcCAxMApkb25lCiMgZG93bmxvYWQgbGF0ZXN0IGF0YyB0b29scwp0b29sc0xpc3Q9JChjYXQgLTw8RU9GCnsKICAidG9vbHMiOiBbCiAgICAgIHsKICAgICAgICAibmFtZSI6ICJmNS1kZWNsYXJhdGl2ZS1vbmJvYXJkaW5nIiwKICAgICAgICAidmVyc2lvbiI6ICJsYXRlc3QiLAogICAgICAgICJ1cmwiOiAiaHR0cHM6Ly9leGFtcGxlLmRvbWFpbi5jb20vZG8uanNvbiIKICAgICAgfSwKICAgICAgewogICAgICAgICJuYW1lIjogImY1LWFwcHN2Y3MtZXh0ZW5zaW9uIiwKICAgICAgICAidmVyc2lvbiI6ICJsYXRlc3QiLAogICAgICAgICJ1cmwiOiAiaHR0cHM6Ly9leGFtcGxlLmRvbWFpbi5jb20vYXMzLmpzb24iCiAgICAgIH0sCiAgICAgIHsKICAgICAgICAibmFtZSI6ICJmNS10ZWxlbWV0cnktc3RyZWFtaW5nIiwKICAgICAgICAidmVyc2lvbiI6ICJsYXRlc3QiLAogICAgICAgICJ1cmwiOiAiaHR0cHM6Ly9leGFtcGxlLmRvbWFpbi5jb20vdHMuanNvbiIKICAgICAgfSwKICAgICAgewogICAgICAgICJuYW1lIjogImY1LWNsb3VkLWZhaWxvdmVyLWV4dGVuc2lvbiIsCiAgICAgICAgInZlcnNpb24iOiAibGF0ZXN0IiwKICAgICAgICAidXJsIjogImh0dHBzOi8vZXhhbXBsZS5kb21haW4uY29tL2NmLmpzb24iCiAgICAgIH0sCiAgICAgIHsKICAgICAgICAibmFtZSI6ICJmNS1hcHBzdmNzLXRlbXBsYXRlcyIsCiAgICAgICAgInZlcnNpb24iOiAiMS4wLjAiLAogICAgICAgICJ1cmwiOiAiaHR0cHM6Ly9leGFtcGxlLmRvbWFpbi5jb20vY2YuanNvbiIKICAgICAgfQogIF0KfQpFT0YKKQpmdW5jdGlvbiBnZXRBdGMgKCkgewphdGM9JChlY2hvICR0b29sc0xpc3QgfCBqcSAtciAudG9vbHNbXS5uYW1lKQpmb3IgdG9vbCBpbiAkYXRjCmRvCiAgICB2ZXJzaW9uPSQoZWNobyAkdG9vbHNMaXN0IHwganEgLXIgIi50b29sc1tdfCBzZWxlY3QoLm5hbWV8IGNvbnRhaW5zIChcIiR0b29sXCIpKS52ZXJzaW9uIikKICAgIGlmIFsgJHZlcnNpb24gPT0gImxhdGVzdCIgXTsgdGhlbgogICAgICAgIHBhdGg9JycKICAgIGVsc2UKICAgICAgICBwYXRoPSd0YWdzL3YnCiAgICBmaQogICAgZWNobyAiZG93bmxvYWRpbmcgJHRvb2wsICR2ZXJzaW9uIgogICAgaWYgWyAkdG9vbCA9PSAiZjUtbmV3LXRvb2wiIF07IHRoZW4KICAgICAgICBmaWxlcz0kKC91c3IvYmluL2N1cmwgLXNrIC0taW50ZXJmYWNlIG1nbXQgaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9mNWRldmNlbnRyYWwvJHRvb2wvcmVsZWFzZXMvJHBhdGgkdmVyc2lvbiB8IGpxIC1yICcuYXNzZXRzW10gfCBzZWxlY3QoLm5hbWUgfCBjb250YWlucyAoIi5ycG0iKSkgfCAuYnJvd3Nlcl9kb3dubG9hZF91cmwnKQogICAgZWxzZQogICAgICAgIGZpbGVzPSQoL3Vzci9iaW4vY3VybCAtc2sgLS1pbnRlcmZhY2UgbWdtdCBodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL0Y1TmV0d29ya3MvJHRvb2wvcmVsZWFzZXMvJHBhdGgkdmVyc2lvbiB8IGpxIC1yICcuYXNzZXRzW10gfCBzZWxlY3QoLm5hbWUgfCBjb250YWlucyAoIi5ycG0iKSkgfCAuYnJvd3Nlcl9kb3dubG9hZF91cmwnKQogICAgZmkKICAgIGZvciBmaWxlIGluICRmaWxlcwogICAgZG8KICAgIGVjaG8gImRvd25sb2FkOiAkZmlsZSIKICAgIG5hbWU9JChiYXNlbmFtZSAkZmlsZSApCiAgICAjIG1ha2UgZG93bmxvYWQgZGlyCiAgICBta2RpciAtcCAvdmFyL2NvbmZpZy9yZXN0L2Rvd25sb2FkcwogICAgcmVzdWx0PSQoL3Vzci9iaW4vY3VybCAtTHNrICAkZmlsZSAtbyAvdmFyL2NvbmZpZy9yZXN0L2Rvd25sb2Fkcy8kbmFtZSkKICAgIGRvbmUKZG9uZQp9CmVjaG8gIi0tLS1kb3dubG9hZCBBVEMgdG9vbHMtLS0tIgpnZXRBdGMKCiMgaW5zdGFsbCBhdGMgdG9vbHMKZWNobyAiLS0tLWluc3RhbGwgQVRDIHRvb2xzLS0tLSIKcnBtcz0kKGZpbmQgJHJwbUZpbGVQYXRoIC1uYW1lICIqLnJwbSIgLXR5cGUgZikKZm9yIHJwbSBpbiAkcnBtcwpkbwogIGZpbGVuYW1lPSQoYmFzZW5hbWUgJHJwbSkKICBlY2hvICJpbnN0YWxsaW5nICRmaWxlbmFtZSIKICBpZiBbIC1mICRycG1GaWxlUGF0aC8kZmlsZW5hbWUgXTsgdGhlbgogICAgIHBvc3RCb2R5PSJ7XCJvcGVyYXRpb25cIjpcIklOU1RBTExcIixcInBhY2thZ2VGaWxlUGF0aFwiOlwiJHJwbUZpbGVQYXRoLyRmaWxlbmFtZVwifSIKICAgICB3aGlsZSB0cnVlCiAgICAgZG8KICAgICAgICBpYXBwQXBpU3RhdHVzPSQoY3VybCAtcyAtaSAtdSAiJENSRURTIiAgJGxvY2FsX2hvc3QkcnBtSW5zdGFsbFVybCB8IGdyZXAgSFRUUCB8IGF3ayAne3ByaW50ICQyfScpCiAgICAgICAgY2FzZSAkaWFwcEFwaVN0YXR1cyBpbgogICAgICAgICAgICA0MDQpCiAgICAgICAgICAgICAgICBlY2hvICJbV0FSTjogYXBpIG5vdCByZWFkeSBzdGF0dXM6ICRpYXBwQXBpU3RhdHVzXSIKICAgICAgICAgICAgICAgIHNsZWVwIDIKICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgIDIwMCkKICAgICAgICAgICAgICAgIGVjaG8gIltJTkZPOiBhcGkgcmVhZHkgc3RhcnRpbmcgaW5zdGFsbCB0YXNrICRmaWxlbmFtZV0iCiAgICAgICAgICAgICAgICBpbnN0YWxsPSQocmVzdGN1cmwgLXMgLXUgIiRDUkVEUyIgLVggUE9TVCAtZCAkcG9zdEJvZHkgJHJwbUluc3RhbGxVcmwgfCBqcSAtciAuaWQgKQogICAgICAgICAgICAgICAgYnJlYWsKICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgICAgKikKICAgICAgICAgICAgICAgIGVjaG8gIltXQVJOOiBhcGkgZXJyb3Igb3RoZXIgc3RhdHVzOiAkaWFwcEFwaVN0YXR1c10iCiAgICAgICAgICAgICAgICBkZWJ1Zz0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiICRycG1JbnN0YWxsVXJsKQogICAgICAgICAgICAgICAgI2VjaG8gImlwcCBpbnN0YWxsIGRlYnVnOiAkZGVidWciCiAgICAgICAgICAgICAgICA7OwogICAgICAgIGVzYWMKICAgIGRvbmUKICBlbHNlCiAgICBlY2hvICJbV0FSTjogZmlsZTogJGZpbGVuYW1lIG5vdCBmb3VuZF0iCiAgZmkKICB3aGlsZSB0cnVlCiAgZG8KICAgIHN0YXR1cz0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiICRycG1JbnN0YWxsVXJsLyRpbnN0YWxsIHwganEgLXIgLnN0YXR1cykKICAgIGNhc2UgJHN0YXR1cyBpbgogICAgICAgIEZJTklTSEVEKQogICAgICAgICAgICAjIGZpbmlzaGVkCiAgICAgICAgICAgIGVjaG8gIiBycG06ICRmaWxlbmFtZSB0YXNrOiAkaW5zdGFsbCBzdGF0dXM6ICRzdGF0dXMiCiAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgIDs7CiAgICAgICAgU1RBUlRFRCkKICAgICAgICAgICAgIyBzdGFydGVkCiAgICAgICAgICAgIGVjaG8gIiBycG06ICRmaWxlbmFtZSB0YXNrOiAkaW5zdGFsbCBzdGF0dXM6ICRzdGF0dXMiCiAgICAgICAgICAgIDs7CiAgICAgICAgUlVOTklORykKICAgICAgICAgICAgIyBydW5uaW5nCiAgICAgICAgICAgIGVjaG8gIiBycG06ICRmaWxlbmFtZSB0YXNrOiAkaW5zdGFsbCBzdGF0dXM6ICRzdGF0dXMiCiAgICAgICAgICAgIDs7CiAgICAgICAgRkFJTEVEKQogICAgICAgICAgICAjIGZhaWxlZAogICAgICAgICAgICBlcnJvcj0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiICRycG1JbnN0YWxsVXJsLyRpbnN0YWxsIHwganEgLmVycm9yTWVzc2FnZSkKICAgICAgICAgICAgZWNobyAiZmFpbGVkICRmaWxlbmFtZSB0YXNrOiAkaW5zdGFsbCBlcnJvcjogJGVycm9yIgogICAgICAgICAgICBicmVhawogICAgICAgICAgICA7OwogICAgICAgICopCiAgICAgICAgICAgICMgb3RoZXIKICAgICAgICAgICAgZGVidWc9JChyZXN0Y3VybCAtdSAiJENSRURTIiAkcnBtSW5zdGFsbFVybC8kaW5zdGFsbCB8IGpxIC4gKQogICAgICAgICAgICBlY2hvICJmYWlsZWQgJGZpbGVuYW1lIHRhc2s6ICRpbnN0YWxsIGVycm9yOiAkZGVidWciCiAgICAgICAgICAgIDs7CiAgICAgICAgZXNhYwogICAgc2xlZXAgMgogICAgZG9uZQpkb25lCmZ1bmN0aW9uIGdldERvU3RhdHVzKCkgewogICAgdGFzaz0kMQogICAgZG9TdGF0dXNUeXBlPSQocmVzdGN1cmwgLXUgIiRDUkVEUyIgLVggR0VUICRkb1Rhc2tVcmwvJHRhc2sgfCBqcSAtciB0eXBlICkKICAgIGlmIFsgIiRkb1N0YXR1c1R5cGUiID09ICJvYmplY3QiIF07IHRoZW4KICAgICAgICBkb1N0YXR1cz0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiIC1YIEdFVCAkZG9UYXNrVXJsLyR0YXNrIHwganEgLXIgLnJlc3VsdC5zdGF0dXMpCiAgICAgICAgZWNobyAkZG9TdGF0dXMKICAgIGVsaWYgWyAiJGRvU3RhdHVzVHlwZSIgPT0gImFycmF5IiBdOyB0aGVuCiAgICAgICAgZG9TdGF0dXM9JChyZXN0Y3VybCAtdSAiJENSRURTIiAtWCBHRVQgJGRvVGFza1VybC8kdGFzayB8IGpxIC1yIC5bXS5yZXN1bHQuc3RhdHVzKQogICAgICAgIGVjaG8gIltJTkZPOiAkZG9TdGF0dXNdIgogICAgZWxzZQogICAgICAgIGVjaG8gIltXQVJOOiB1bmtub3duIHR5cGU6JGRvU3RhdHVzVHlwZV0iCiAgICBmaQp9CmZ1bmN0aW9uIGNoZWNrRE8oKSB7CiAgICAjIENoZWNrIERPIFJlYWR5CiAgICBjb3VudD0wCiAgICB3aGlsZSBbICRjb3VudCAtbGUgNCBdCiAgICBkbwogICAgI2RvU3RhdHVzPSQoY3VybCAtaSAtdSAiJENSRURTIiAkbG9jYWxfaG9zdCRkb0NoZWNrVXJsIHwgZ3JlcCBIVFRQIHwgYXdrICd7cHJpbnQgJDJ9JykKICAgIGRvU3RhdHVzVHlwZT0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiIC1YIEdFVCAkZG9DaGVja1VybCB8IGpxIC1yIHR5cGUgKQogICAgaWYgWyAiJGRvU3RhdHVzVHlwZSIgPT0gIm9iamVjdCIgXTsgdGhlbgogICAgICAgIGRvU3RhdHVzPSQocmVzdGN1cmwgLXUgIiRDUkVEUyIgLVggR0VUICRkb0NoZWNrVXJsIHwganEgLXIgLmNvZGUpCiAgICAgICAgaWYgWyAkPyA9PSAxIF07IHRoZW4KICAgICAgICAgICAgZG9TdGF0dXM9JChyZXN0Y3VybCAtdSAiJENSRURTIiAtWCBHRVQgJGRvQ2hlY2tVcmwgfCBqcSAtciAucmVzdWx0LmNvZGUpCiAgICAgICAgZmkKICAgIGVsaWYgWyAiJGRvU3RhdHVzVHlwZSIgPT0gImFycmF5IiBdOyB0aGVuCiAgICAgICAgZG9TdGF0dXM9JChyZXN0Y3VybCAtdSAiJENSRURTIiAtWCBHRVQgJGRvQ2hlY2tVcmwgfCBqcSAtciAuW10ucmVzdWx0LmNvZGUpCiAgICBlbHNlCiAgICAgICAgZWNobyAiW1dBUk46IHVua25vd24gdHlwZTokZG9TdGF0dXNUeXBlXSIKICAgIGZpCiAgICAjZWNobyAic3RhdHVzICRkb1N0YXR1cyIKICAgIGlmIFtbICRkb1N0YXR1cyA9PSAiMjAwIiBdXTsgdGhlbgogICAgICAgICN2ZXJzaW9uPSQocmVzdGN1cmwgLXUgIiRDUkVEUyIgLVggR0VUICRkb0NoZWNrVXJsIHwganEgLXIgLnZlcnNpb24pCiAgICAgICAgdmVyc2lvbj0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiIC1YIEdFVCAkZG9DaGVja1VybCB8IGpxIC1yIC5bXS52ZXJzaW9uKQogICAgICAgIGVjaG8gIltJTkZPOiBEZWNsYXJhdGl2ZSBPbmJvYXJkaW5nICR2ZXJzaW9uIG9ubGluZV0iCiAgICAgICAgYnJlYWsKICAgIGVsaWYgW1sgJGRvU3RhdHVzID09ICI0MDQiIF1dOyB0aGVuCiAgICAgICAgZWNobyAiRE8gU3RhdHVzOiAkZG9TdGF0dXMiCiAgICAgICAgYmlnc3RhcnQgcmVzdGFydCByZXN0bm9kZWQKICAgICAgICBzbGVlcCAzMAogICAgICAgIGJpZ3N0YXJ0IHN0YXR1cyByZXN0bm9kZWQgfCBncmVwIHJ1bm5pbmcKICAgICAgICBzdGF0dXM9JD8KICAgICAgICBlY2hvICJyZXN0bm9kZWQ6JHN0YXR1cyIKICAgIGVsc2UKICAgICAgICBlY2hvICJbV0FSTjogRE8gU3RhdHVzICRkb1N0YXR1c10iCiAgICAgICAgY291bnQ9JFskY291bnQrMV0KICAgIGZpCiAgICBzbGVlcCAxMAogICAgZG9uZQp9CmZ1bmN0aW9uIGNoZWNrQVMzKCkgewogICAgIyBDaGVjayBBUzMgUmVhZHkKICAgIGNvdW50PTAKICAgIHdoaWxlIFsgJGNvdW50IC1sZSA0IF0KICAgIGRvCiAgICAjYXMzU3RhdHVzPSQoY3VybCAtaSAtdSAiJENSRURTIiAkbG9jYWxfaG9zdCRhczNDaGVja1VybCB8IGdyZXAgSFRUUCB8IGF3ayAne3ByaW50ICQyfScpCiAgICBhczNTdGF0dXM9JChyZXN0Y3VybCAtdSAiJENSRURTIiAtWCBHRVQgJGFzM0NoZWNrVXJsIHwganEgLXIgLmNvZGUpCiAgICBpZiAgWyAiJGFzM1N0YXR1cyIgPT0gIm51bGwiIF0gfHwgWyAteiAiJGFzM1N0YXR1cyIgXTsgdGhlbgogICAgICAgIHR5cGU9JChyZXN0Y3VybCAtdSAiJENSRURTIiAtWCBHRVQgJGFzM0NoZWNrVXJsIHwganEgLXIgdHlwZSApCiAgICAgICAgaWYgWyAiJHR5cGUiID09ICJvYmplY3QiIF07IHRoZW4KICAgICAgICAgICAgYXMzU3RhdHVzPSIyMDAiCiAgICAgICAgZmkKICAgIGZpCiAgICBpZiBbWyAkYXMzU3RhdHVzID09ICIyMDAiIF1dOyB0aGVuCiAgICAgICAgdmVyc2lvbj0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiIC1YIEdFVCAkYXMzQ2hlY2tVcmwgfCBqcSAtciAudmVyc2lvbikKICAgICAgICBlY2hvICJBczMgJHZlcnNpb24gb25saW5lICIKICAgICAgICBicmVhawogICAgZWxpZiBbWyAkYXMzU3RhdHVzID09ICI0MDQiIF1dOyB0aGVuCiAgICAgICAgZWNobyAiQVMzIFN0YXR1cyAkYXMzU3RhdHVzIgogICAgICAgIGJpZ3N0YXJ0IHJlc3RhcnQgcmVzdG5vZGVkCiAgICAgICAgc2xlZXAgMzAKICAgICAgICBiaWdzdGFydCBzdGF0dXMgcmVzdG5vZGVkIHwgZ3JlcCBydW5uaW5nCiAgICAgICAgc3RhdHVzPSQ/CiAgICAgICAgZWNobyAicmVzdG5vZGVkOiRzdGF0dXMiCiAgICBlbHNlCiAgICAgICAgZWNobyAiQVMzIFN0YXR1cyAkYXMzU3RhdHVzIgogICAgICAgIGNvdW50PSRbJGNvdW50KzFdCiAgICBmaQogICAgc2xlZXAgMTAKICAgIGRvbmUKfQpmdW5jdGlvbiBjaGVja1RTKCkgewogICAgIyBDaGVjayBUUyBSZWFkeQogICAgY291bnQ9MAogICAgd2hpbGUgWyAkY291bnQgLWxlIDQgXQogICAgZG8KICAgIHRzU3RhdHVzPSQoY3VybCAtc2kgLXUgIiRDUkVEUyIgaHR0cDovL2xvY2FsaG9zdDo4MTAwJHRzQ2hlY2tVcmwgfCBncmVwIEhUVFAgfCBhd2sgJ3twcmludCAkMn0nKQogICAgaWYgW1sgJHRzU3RhdHVzID09ICIyMDAiIF1dOyB0aGVuCiAgICAgICAgdmVyc2lvbj0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiIC1YIEdFVCAkdHNDaGVja1VybCB8IGpxIC1yIC52ZXJzaW9uKQogICAgICAgIGVjaG8gIlRlbGVtZXRyeSBTdHJlYW1pbmcgJHZlcnNpb24gb25saW5lICIKICAgICAgICBicmVhawogICAgZWxzZQogICAgICAgIGVjaG8gIlRTIFN0YXR1cyAkdHNTdGF0dXMiCiAgICAgICAgY291bnQ9JFskY291bnQrMV0KICAgIGZpCiAgICBzbGVlcCAxMAogICAgZG9uZQp9CmZ1bmN0aW9uIGNoZWNrQ0YoKSB7CiAgICAjIENoZWNrIENGIFJlYWR5CiAgICBjb3VudD0wCiAgICB3aGlsZSBbICRjb3VudCAtbGUgNCBdCiAgICBkbwogICAgY2ZTdGF0dXM9JChjdXJsIC1zaSAtdSAiJENSRURTIiAkbG9jYWxfaG9zdCRjZkNoZWNrVXJsIHwgZ3JlcCBIVFRQIHwgYXdrICd7cHJpbnQgJDJ9JykKICAgIGlmIFtbICRjZlN0YXR1cyA9PSAiMjAwIiBdXTsgdGhlbgogICAgICAgIHZlcnNpb249JChyZXN0Y3VybCAtdSAiJENSRURTIiAtWCBHRVQgJGNmQ2hlY2tVcmwgfCBqcSAtciAudmVyc2lvbikKICAgICAgICBlY2hvICJDbG91ZCBmYWlsb3ZlciAkdmVyc2lvbiBvbmxpbmUgIgogICAgICAgIGJyZWFrCiAgICBlbHNlCiAgICAgICAgZWNobyAiQ2xvdWQgRmFpbG92ZXIgU3RhdHVzICR0c1N0YXR1cyIKICAgICAgICBjb3VudD0kWyRjb3VudCsxXQogICAgZmkKICAgIHNsZWVwIDEwCiAgICBkb25lCn0KZnVuY3Rpb24gY2hlY2tGQVNUKCkgewogICAgIyBDaGVjayBGQVNUIFJlYWR5CiAgICBjb3VudD0wCiAgICB3aGlsZSBbICRjb3VudCAtbGUgNCBdCiAgICBkbwogICAgZmFzdFN0YXR1cz0kKGN1cmwgLXNpIC11ICIkQ1JFRFMiICRsb2NhbF9ob3N0JGZhc3RDaGVja1VybCB8IGdyZXAgSFRUUCB8IGF3ayAne3ByaW50ICQyfScpCiAgICBpZiBbWyAiJGZhc3RTdGF0dXMiID09ICIyMDAiIF1dOyB0aGVuCiAgICAgICAgdmVyc2lvbj0kKHJlc3RjdXJsIC11ICIkQ1JFRFMiIC1YIEdFVCAkZmFzdENoZWNrVXJsIHwganEgLXIgLnZlcnNpb24pCiAgICAgICAgZWNobyAiRkFTVCAkdmVyc2lvbiBvbmxpbmUgIgogICAgICAgIGJyZWFrCiAgICBlbHNlCiAgICAgICAgZWNobyAiRkFTVCBTdGF0dXMgJGZhc3RTdGF0dXMiCiAgICAgICAgY291bnQ9JFskY291bnQrMV0KICAgIGZpCiAgICBzbGVlcCAxMAogICAgZG9uZQp9CiMjIyBjaGVjayBmb3IgYXBpcyBvbmxpbmUKZnVuY3Rpb24gY2hlY2tBVEMoKSB7CiAgICBkb1N0YXR1cz0kKGNoZWNrRE8pCiAgICBhczNTdGF0dXM9JChjaGVja0FTMykKICAgIHRzU3RhdHVzPSQoY2hlY2tUUykKICAgIGNmU3RhdHVzPSQoY2hlY2tDRikKICAgIGZhc3RTdGF0dXM9JChjaGVja0ZBU1QpCiAgICBpZiBbWyAkZG9TdGF0dXMgPT0gKiJvbmxpbmUiKiBdXSAmJiBbWyAiJGFzM1N0YXR1cyIgPSAqIm9ubGluZSIqIF1dICYmIFtbICR0c1N0YXR1cyA9PSAqIm9ubGluZSIqIF1dICYmIFtbICRjZlN0YXR1cyA9PSAqIm9ubGluZSIqIF1dICYmIFtbICRmYXN0U3RhdHVzID09ICoib25saW5lIiogXV0gOyB0aGVuCiAgICAgICAgZWNobyAiQVRDIGlzIHJlYWR5IHRvIGFjY2VwdCBBUEkgY2FsbHMiCiAgICBlbHNlCiAgICAgICAgZWNobyAiQVRDIGluc3RhbGwgZmFpbGVkIG9yIEFUQyBpcyBub3QgcmVhZHkgdG8gYWNjZXB0IEFQSSBjYWxscyIKICAgIGZpCn0KZWNobyAiLS0tLWNoZWNraW5nIEFUQyBpbnN0YWxsLS0tLSIKY2hlY2tBVEMKZnVuY3Rpb24gcnVuRE8oKSB7CmNvdW50PTAKd2hpbGUgWyAkY291bnQgLWxlIDQgXQogICAgZG8KICAgICMgbWFrZSB0YXNrCiAgICB0YXNrPSQoY3VybCAtcyAtdSAkQ1JFRFMgLUggIkNvbnRlbnQtVHlwZTogQXBwbGljYXRpb24vanNvbiIgLUggJ0V4cGVjdDonIC1YIFBPU1QgJGxvY2FsX2hvc3QkZG9VcmwgLWQgQC9jb25maWcvJDEgfCBqcSAtciAuaWQpCiAgICBlY2hvICI9PT09PT0gc3RhcnRpbmcgRE8gdGFzazogJHRhc2sgPT09PT09PT09PSIKICAgIHNsZWVwIDEKICAgIGNvdW50PSRbJGNvdW50KzFdCiAgICAjIGNoZWNrIHRhc2sgY29kZQogICAgdGFza0NvdW50PTAKICAgIHdoaWxlIFsgJHRhc2tDb3VudCAtbGUgMTAgXQogICAgZG8KICAgICAgICBkb0NvZGVUeXBlPSQoY3VybCAtcyAtdSAkQ1JFRFMgLVggR0VUICRsb2NhbF9ob3N0JGRvVGFza1VybC8kdGFzayB8IGpxIC1yIHR5cGUgKQogICAgICAgIGlmIFtbICIkZG9Db2RlVHlwZSIgPT0gIm9iamVjdCIgXV07IHRoZW4KICAgICAgICAgICAgY29kZT0kKGN1cmwgLXMgLXUgJENSRURTIC1YIEdFVCAkbG9jYWxfaG9zdCRkb1Rhc2tVcmwvJHRhc2sgfCBqcSAucmVzdWx0LmNvZGUpCiAgICAgICAgICAgIGVjaG8gIm9iamVjdDogJGNvZGUiCiAgICAgICAgZWxpZiBbICIkZG9Db2RlVHlwZSIgPT0gImFycmF5IiBdOyB0aGVuCiAgICAgICAgICAgIGVjaG8gImFycmF5ICRjb2RlIGNoZWNrIHRhc2ssIGJyZWFraW5nIgogICAgICAgICAgICBicmVhawogICAgICAgIGVsc2UKICAgICAgICAgICAgZWNobyAidW5rbm93biB0eXBlOiAkZG9Db2RlVHlwZSIKICAgICAgICAgICAgZGVidWc9JChjdXJsIC1zIC11ICRDUkVEUyAtWCBHRVQgJGxvY2FsX2hvc3QkZG9UYXNrVXJsLyR0YXNrKQogICAgICAgICAgICBlY2hvICJvdGhlciBkZWJ1ZzogJGRlYnVnIgogICAgICAgICAgICBjb2RlPSQoY3VybCAtcyAtdSAkQ1JFRFMgLVggR0VUICRsb2NhbF9ob3N0JGRvVGFza1VybC8kdGFzayB8IGpxIC5yZXN1bHQuY29kZSkKICAgICAgICBmaQogICAgICAgIHNsZWVwIDEKICAgICAgICBpZiBqcSAtZSAuID4vZGV2L251bGwgMj4mMSA8PDwiJGNvZGUiOyB0aGVuCiAgICAgICAgICAgIGVjaG8gIlBhcnNlZCBKU09OIHN1Y2Nlc3NmdWxseSBhbmQgZ290IHNvbWV0aGluZyBvdGhlciB0aGFuIGZhbHNlL251bGwgY291bnQ6ICR0YXNrQ291bnQiCiAgICAgICAgICAgIHN0YXR1cz0kKGN1cmwgLXMgLXUgJENSRURTICRsb2NhbF9ob3N0JGRvVGFza1VybC8kdGFzayB8IGpxIC1yIC5yZXN1bHQuc3RhdHVzKQogICAgICAgICAgICBzbGVlcCAxCiAgICAgICAgICAgIGVjaG8gInN0YXR1czogJHN0YXR1cyBjb2RlOiAkY29kZSIKICAgICAgICAgICAgIyAyMDAsMjAyLDQyMiw0MDAsNDA0LDUwMCw0MjIKICAgICAgICAgICAgZWNobyAiRE86ICR0YXNrIHJlc3BvbnNlOiRjb2RlIHN0YXR1czokc3RhdHVzIgogICAgICAgICAgICBzbGVlcCAxCiAgICAgICAgICAgICNGSU5JU0hFRCxTVEFSVEVELFJVTk5JTkcsUk9MTElOR19CQUNLLEZBSUxFRCxFUlJPUixOVUxMCiAgICAgICAgICAgIGNhc2UgJHN0YXR1cyBpbgogICAgICAgICAgICBGSU5JU0hFRCkKICAgICAgICAgICAgICAgICMgZmluaXNoZWQKICAgICAgICAgICAgICAgIGVjaG8gIiAkdGFzayBzdGF0dXM6ICRzdGF0dXMgIgogICAgICAgICAgICAgICAgIyBiaWdzdGFydCBzdGFydCBkaGNsaWVudAogICAgICAgICAgICAgICAgYnJlYWsgMgogICAgICAgICAgICAgICAgOzsKICAgICAgICAgICAgU1RBUlRFRCkKICAgICAgICAgICAgICAgICMgc3RhcnRlZAogICAgICAgICAgICAgICAgZWNobyAiICRmaWxlbmFtZSBzdGF0dXM6ICRzdGF0dXMgIgogICAgICAgICAgICAgICAgc2xlZXAgMzAKICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgIFJVTk5JTkcpCiAgICAgICAgICAgICAgICAjIHJ1bm5pbmcKICAgICAgICAgICAgICAgIGVjaG8gIkRPIFN0YXR1czogJHN0YXR1cyB0YXNrOiAkdGFzayBOb3QgZG9uZSB5ZXQuLi5jb3VudDokdGFza0NvdW50IgogICAgICAgICAgICAgICAgIyB3YWl0IGZvciBhY3RpdmUtb25saW5lLXN0YXRlCiAgICAgICAgICAgICAgICB3YWl0TWNwZAogICAgICAgICAgICAgICAgaWYgW1sgIiR0YXNrQ291bnQiIC1sZSA1IF1dOyB0aGVuCiAgICAgICAgICAgICAgICAgICAgc2xlZXAgNjAKICAgICAgICAgICAgICAgIGZpCiAgICAgICAgICAgICAgICB3YWl0QWN0aXZlCiAgICAgICAgICAgICAgICAjc2xlZXAgMTIwCiAgICAgICAgICAgICAgICB0YXNrQ291bnQ9JFskdGFza0NvdW50KzFdCiAgICAgICAgICAgICAgICA7OwogICAgICAgICAgICBGQUlMRUQpCiAgICAgICAgICAgICAgICAjIGZhaWxlZAogICAgICAgICAgICAgICAgZXJyb3I9JChjdXJsIC1zIC11ICRDUkVEUyAkbG9jYWxfaG9zdCRkb1Rhc2tVcmwvJHRhc2sgfCBqcSAtciAucmVzdWx0LnN0YXR1cykKICAgICAgICAgICAgICAgIGVjaG8gImZhaWxlZCAkdGFzaywgJGVycm9yIgogICAgICAgICAgICAgICAgI2NvdW50PSRbJGNvdW50KzFdCiAgICAgICAgICAgICAgICBicmVhawogICAgICAgICAgICAgICAgOzsKICAgICAgICAgICAgRVJST1IpCiAgICAgICAgICAgICAgICAjIGVycm9yCiAgICAgICAgICAgICAgICBlcnJvcj0kKGN1cmwgLXMgLXUgJENSRURTICRsb2NhbF9ob3N0JGRvVGFza1VybC8kdGFzayB8IGpxIC1yIC5yZXN1bHQuc3RhdHVzKQogICAgICAgICAgICAgICAgZWNobyAiRXJyb3IgJHRhc2ssICRlcnJvciIKICAgICAgICAgICAgICAgICNjb3VudD0kWyRjb3VudCsxXQogICAgICAgICAgICAgICAgYnJlYWsKICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgIFJPTExJTkdfQkFDSykKICAgICAgICAgICAgICAgICMgUm9sbGluZyBiYWNrCiAgICAgICAgICAgICAgICBlY2hvICJSb2xsaW5nIGJhY2sgZmFpbGVkIHN0YXR1czogJHN0YXR1cyB0YXNrOiAkdGFzayIKICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICA7OwogICAgICAgICAgICBPSykKICAgICAgICAgICAgICAgICMgY29tcGxldGUgbm8gY2hhbmdlCiAgICAgICAgICAgICAgICBlY2hvICJDb21wbGV0ZSBubyBjaGFuZ2Ugc3RhdHVzOiAkc3RhdHVzIHRhc2s6ICR0YXNrIgogICAgICAgICAgICAgICAgYnJlYWsgMgogICAgICAgICAgICAgICAgOzsKICAgICAgICAgICAgKikKICAgICAgICAgICAgICAgICMgb3RoZXIKICAgICAgICAgICAgICAgIGVjaG8gIm90aGVyOiAkc3RhdHVzIgogICAgICAgICAgICAgICAgZWNobyAib3RoZXIgdGFzazogJHRhc2sgY291bnQ6ICR0YXNrQ291bnQiCiAgICAgICAgICAgICAgICBkZWJ1Zz0kKGN1cmwgLXMgLXUgJENSRURTICRsb2NhbF9ob3N0JGRvVGFza1VybC8kdGFzaykKICAgICAgICAgICAgICAgIGVjaG8gIm90aGVyIGRlYnVnOiAkZGVidWciCiAgICAgICAgICAgICAgICBjYXNlICRkZWJ1ZyBpbgogICAgICAgICAgICAgICAgKm5vdCpyZWdpc3RlcmVkKikKICAgICAgICAgICAgICAgICAgICAjIHJlc3Rub2RlZCByZXNwb25zZSBETyBhcGkgaXMgdW5yZXNwb25zaXZlCiAgICAgICAgICAgICAgICAgICAgZWNobyAiRE8gZW5kcG9pbnQgbm90IGF2YWxpYWJsZSB3YWl0aW5nLi4uIgogICAgICAgICAgICAgICAgICAgIHNsZWVwIDMwCiAgICAgICAgICAgICAgICAgICAgOzsKICAgICAgICAgICAgICAgICpyZXN0ZXJyb3JyZXNwb25zZSopCiAgICAgICAgICAgICAgICAgICAgIyByZXN0bm9kZWQgcmVzcG9uc2UgRE8gYXBpIGlzIHVucmVzcG9uc2l2ZQogICAgICAgICAgICAgICAgICAgIGVjaG8gIkRPIGVuZHBvaW50IG5vdCBhdmFsaWFibGUgd2FpdGluZy4uLiIKICAgICAgICAgICAgICAgICAgICBzbGVlcCAzMAogICAgICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgICAgICAqc3RhcnQtbGltaXQqKQogICAgICAgICAgICAgICAgICAgICMgZGhjbGllbnQgaXNzdWUgaGl0CiAgICAgICAgICAgICAgICAgICAgZWNobyAiIGRvIGRoY2xpZW50IHN0YXJ0aW5nIGlzc3VlIGhpdCBzdGFydCBhbm90aGVyIHRhc2siCiAgICAgICAgICAgICAgICAgICAgYnJlYWsKICAgICAgICAgICAgICAgICAgICA7OwogICAgICAgICAgICAgICAgZXNhYwogICAgICAgICAgICAgICAgc2xlZXAgMzAKICAgICAgICAgICAgICAgIHRhc2tDb3VudD0kWyR0YXNrQ291bnQrMV0KICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgIGVzYWMKICAgICAgICBlbHNlCiAgICAgICAgICAgIGVjaG8gIkZhaWxlZCB0byBwYXJzZSBKU09OLCBvciBnb3QgZmFsc2UvbnVsbCIKICAgICAgICAgICAgZWNobyAiRE8gc3RhdHVzIGNvZGU6ICRjb2RlIgogICAgICAgICAgICBkZWJ1Zz0kKGN1cmwgLXMgLXUgJENSRURTICRsb2NhbF9ob3N0JGRvVGFza1VybC8kdGFzaykKICAgICAgICAgICAgZWNobyAiZGVidWcgRE8gY29kZTogJGRlYnVnIgogICAgICAgICAgICBjb3VudD0kWyRjb3VudCsxXQogICAgICAgIGZpCiAgICBkb25lCmRvbmUKfQojIG1nbXQKZWNobyAic2V0IG1hbmFnZW1lbnQiCmVjaG8gIC1lICJjcmVhdGUgY2xpIHRyYW5zYWN0aW9uOwptb2RpZnkgc3lzIGdsb2JhbC1zZXR0aW5ncyBtZ210LWRoY3AgZGlzYWJsZWQ7CnN1Ym1pdCBjbGkgdHJhbnNhY3Rpb24iIHwgdG1zaCAtcQp0bXNoIHNhdmUgL3N5cyBjb25maWcKIyBnZXQgYXMzIHZhbHVlcwpleHRlcm5hbFZpcD0kKGN1cmwgLXNmIC0tcmV0cnkgMjAgLUggTWV0YWRhdGE6dHJ1ZSAiaHR0cDovLzE2OS4yNTQuMTY5LjI1NC9tZXRhZGF0YS9pbnN0YW5jZS9uZXR3b3JrL2ludGVyZmFjZT9hcGktdmVyc2lvbj0yMDE3LTA4LTAxIiB8IGpxIC1yICcuWzFdLmlwdjQuaXBBZGRyZXNzWzFdLnByaXZhdGVJcEFkZHJlc3MnKQoKIyBlbmQgZ2V0IHZhbHVlcwoKIyBydW4gRE8KZWNobyAiLS0tLXJ1biBkby0tLS0iCmNvdW50PTAKd2hpbGUgWyAkY291bnQgLWxlIDQgXQogICAgZG8KICAgICAgICBkb1N0YXR1cz0kKGNoZWNrRE8pCiAgICAgICAgZWNobyAiRE8gY2hlY2sgc3RhdHVzOiAkZG9TdGF0dXMiCiAgICBpZiBbICRkZXZpY2VJZCA9PSAxIF0gJiYgW1sgIiRkb1N0YXR1cyIgPSAqIm9ubGluZSIqIF1dOyB0aGVuCiAgICAgICAgZWNobyAicnVubmluZyBkbyBmb3IgaWQ6JGRldmljZUlkIgogICAgICAgIGJpZ3N0YXJ0IHN0b3AgZGhjbGllbnQKICAgICAgICBydW5ETyBkbzEuanNvbgogICAgICAgIGlmIFsgIiQ/IiA9PSAwIF07IHRoZW4KICAgICAgICAgICAgZWNobyAiZG9uZSB3aXRoIGRvIgogICAgICAgICAgICBiaWdzdGFydCBzdGFydCBkaGNsaWVudAogICAgICAgICAgICByZXN1bHRzPSQocmVzdGN1cmwgLXUgJENSRURTIC1YIEdFVCAkZG9UYXNrVXJsIHwganEgJy5bXSB8IC5pZCwgLnJlc3VsdCcpCiAgICAgICAgICAgIGVjaG8gImRvIHJlc3VsdHM6ICRyZXN1bHRzIgogICAgICAgICAgICBicmVhawogICAgICAgIGZpCiAgICBlbGlmIFsgJGRldmljZUlkID09IDIgXSAmJiBbWyAiJGRvU3RhdHVzIiA9ICoib25saW5lIiogXV07IHRoZW4KICAgICAgICBlY2hvICJydW5uaW5nIGRvIGZvciBpZDokZGV2aWNlSWQiCiAgICAgICAgYmlnc3RhcnQgc3RvcCBkaGNsaWVudAogICAgICAgIHJ1bkRPIGRvMi5qc29uCiAgICAgICAgaWYgWyAiJD8iID09IDAgXTsgdGhlbgogICAgICAgICAgICBlY2hvICJkb25lIHdpdGggZG8iCiAgICAgICAgICAgIGJpZ3N0YXJ0IHN0YXJ0IGRoY2xpZW50CiAgICAgICAgICAgIHJlc3VsdHM9JChyZXN0Y3VybCAtdSAkQ1JFRFMgLVggR0VUICRkb1Rhc2tVcmwgfCBqcSAnLltdIHwgLmlkLCAucmVzdWx0JykKICAgICAgICAgICAgZWNobyAiZG8gcmVzdWx0czogJHJlc3VsdHMiCiAgICAgICAgICAgIGJyZWFrCiAgICAgICAgZmkKICAgIGVsaWYgWyAkY291bnQgLWxlIDIgXTsgdGhlbgogICAgICAgIGVjaG8gIkRldmljZUlEOiAkZGV2aWNlSWQgU3RhdHVzIGNvZGU6ICRkb1N0YXR1cyBETyBub3QgcmVhZHkgeWV0Li4uIgogICAgICAgIGNvdW50PSRbJGNvdW50KzFdCiAgICAgICAgc2xlZXAgMzAKICAgIGVsc2UKICAgICAgICBlY2hvICJETyBub3Qgb25saW5lIHN0YXR1czogJGRvU3RhdHVzIgogICAgICAgIGJyZWFrCiAgICBmaQpkb25lCmZ1bmN0aW9uIHJ1bkFTMyAoKSB7CiAgICBjb3VudD0wCiAgICB3aGlsZSBbICRjb3VudCAtbGUgNCBdCiAgICAgICAgZG8KICAgICAgICAgICAgIyB3YWl0IGZvciBkbyB0byBmaW5pc2gKICAgICAgICAgICAgd2FpdEFjdGl2ZQogICAgICAgICAgICAjIG1ha2UgdGFzawogICAgICAgICAgICB0YXNrPSQoY3VybCAtcyAtdSAkQ1JFRFMgLUggIkNvbnRlbnQtVHlwZTogQXBwbGljYXRpb24vanNvbiIgLUggJ0V4cGVjdDonIC1YIFBPU1QgJGxvY2FsX2hvc3QkYXMzVXJsP2FzeW5jPXRydWUgLWQgQC9jb25maWcvYXMzLmpzb24gfCBqcSAtciAuaWQpCiAgICAgICAgICAgIGVjaG8gIj09PT09IHN0YXJ0aW5nIGFzMyB0YXNrOiAkdGFzayA9PT09PSIKICAgICAgICAgICAgc2xlZXAgMQogICAgICAgICAgICBjb3VudD0kWyRjb3VudCsxXQogICAgICAgICAgICAjIGNoZWNrIHRhc2sgY29kZQogICAgICAgICAgICB0YXNrQ291bnQ9MAogICAgICAgIHdoaWxlIFsgJHRhc2tDb3VudCAtbGUgMyBdCiAgICAgICAgZG8KICAgICAgICAgICAgYXMzQ29kZVR5cGU9JChjdXJsIC1zIC11ICRDUkVEUyAtWCBHRVQgJGxvY2FsX2hvc3QkYXMzVGFza1VybC8kdGFzayB8IGpxIC1yIHR5cGUgKQogICAgICAgICAgICBpZiBbWyAiJGFzM0NvZGVUeXBlIiA9PSAib2JqZWN0IiBdXTsgdGhlbgogICAgICAgICAgICAgICAgY29kZT0kKGN1cmwgLXMgLXUgJENSRURTIC1YIEdFVCAkbG9jYWxfaG9zdCRhczNUYXNrVXJsLyR0YXNrIHwganEgLXIgLikKICAgICAgICAgICAgICAgIHRlbmFudHM9JChjdXJsIC1zIC11ICRDUkVEUyAtWCBHRVQgJGxvY2FsX2hvc3QkYXMzVGFza1VybC8kdGFzayB8IGpxIC1yIC5yZXN1bHRzW10udGVuYW50KQogICAgICAgICAgICAgICAgZWNobyAib2JqZWN0OiAkY29kZSIKICAgICAgICAgICAgZWxpZiBbICIkYXMzQ29kZVR5cGUiID09ICJhcnJheSIgXTsgdGhlbgogICAgICAgICAgICAgICAgZWNobyAiYXJyYXkgJGNvZGUgY2hlY2sgdGFzaywgYnJlYWtpbmciCiAgICAgICAgICAgICAgICBicmVhawogICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICAgICBlY2hvICJ1bmtub3duIHR5cGU6JGFzM0NvZGVUeXBlIgogICAgICAgICAgICBmaQogICAgICAgICAgICBzbGVlcCAxCiAgICAgICAgICAgIGlmIGpxIC1lIC4gPi9kZXYvbnVsbCAyPiYxIDw8PCIkY29kZSI7IHRoZW4KICAgICAgICAgICAgICAgIGVjaG8gIlBhcnNlZCBKU09OIHN1Y2Nlc3NmdWxseSBhbmQgZ290IHNvbWV0aGluZyBvdGhlciB0aGFuIGZhbHNlL251bGwiCiAgICAgICAgICAgICAgICBzdGF0dXM9JChjdXJsIC1zIC11ICRDUkVEUyAkbG9jYWxfaG9zdCRhczNUYXNrVXJsLyR0YXNrIHwganEgLXIgIC5pdGVtc1tdLnJlc3VsdHNbXS5tZXNzYWdlKQogICAgICAgICAgICAgICAgY2FzZSAkc3RhdHVzIGluCiAgICAgICAgICAgICAgICAqcHJvZ3Jlc3MpCiAgICAgICAgICAgICAgICAgICAgIyBpbiBwcm9ncmVzcwogICAgICAgICAgICAgICAgICAgIGVjaG8gLWUgIlJ1bm5pbmc6ICR0YXNrIHN0YXR1czogJHN0YXR1cyB0ZW5hbnRzOiAkdGVuYW50cyBjb3VudDogJHRhc2tDb3VudCAiCiAgICAgICAgICAgICAgICAgICAgc2xlZXAgMTIwCiAgICAgICAgICAgICAgICAgICAgdGFza0NvdW50PSRbJHRhc2tDb3VudCsxXQogICAgICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgICAgICAqRXJyb3IqKQogICAgICAgICAgICAgICAgICAgICMgZXJyb3IKICAgICAgICAgICAgICAgICAgICBlY2hvIC1lICJFcnJvciBUYXNrOiAkdGFzayBzdGF0dXM6ICRzdGF0dXMgdGVuYW50czogJHRlbmFudHMgIgogICAgICAgICAgICAgICAgICAgIGlmIFtbICIkc3RhdHVzIiA9ICoicHJvZ3Jlc3MiKiBdXTsgdGhlbgogICAgICAgICAgICAgICAgICAgICAgICBzbGVlcCAxODAKICAgICAgICAgICAgICAgICAgICAgICAgYnJlYWsKICAgICAgICAgICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICAgICAgZmkKICAgICAgICAgICAgICAgICAgICA7OwogICAgICAgICAgICAgICAgKmZhaWxlZCopCiAgICAgICAgICAgICAgICAgICAgIyBmYWlsZWQKICAgICAgICAgICAgICAgICAgICBlY2hvIC1lICJmYWlsZWQ6ICR0YXNrIHN0YXR1czogJHN0YXR1cyB0ZW5hbnRzOiAkdGVuYW50cyAiCiAgICAgICAgICAgICAgICAgICAgYnJlYWsKICAgICAgICAgICAgICAgICAgICA7OwogICAgICAgICAgICAgICAgKnN1Y2Nlc3MqKQogICAgICAgICAgICAgICAgICAgICMgc3VjY2Vzc2Z1bCEKICAgICAgICAgICAgICAgICAgICBlY2hvIC1lICJzdWNjZXNzOiAkdGFzayBzdGF0dXM6ICRzdGF0dXMgdGVuYW50czogJHRlbmFudHMgIgogICAgICAgICAgICAgICAgICAgIGJyZWFrIDMKICAgICAgICAgICAgICAgICAgICA7OwogICAgICAgICAgICAgICAgbm8qY2hhbmdlKQogICAgICAgICAgICAgICAgICAgICMgZmluaXNoZWQKICAgICAgICAgICAgICAgICAgICBlY2hvIC1lICJubyBjaGFuZ2U6ICR0YXNrIHN0YXR1czogJHN0YXR1cyB0ZW5hbnRzOiAkdGVuYW50cyAiCiAgICAgICAgICAgICAgICAgICAgYnJlYWsgNAogICAgICAgICAgICAgICAgICAgIDs7CiAgICAgICAgICAgICAgICAqKQogICAgICAgICAgICAgICAgIyBvdGhlcgogICAgICAgICAgICAgICAgZWNobyAic3RhdHVzOiAkc3RhdHVzIgogICAgICAgICAgICAgICAgZGVidWc9JChjdXJsIC1zIC11ICRDUkVEUyAkbG9jYWxfaG9zdCRhczNUYXNrVXJsLyR0YXNrKQogICAgICAgICAgICAgICAgZWNobyAiZGVidWc6ICRkZWJ1ZyIKICAgICAgICAgICAgICAgIGVycm9yPSQoY3VybCAtcyAtdSAkQ1JFRFMgJGxvY2FsX2hvc3QkYXMzVGFza1VybC8kdGFzayB8IGpxIC1yICcucmVzdWx0c1tdLm1lc3NhZ2UnKQogICAgICAgICAgICAgICAgZWNobyAiT3RoZXI6ICR0YXNrLCAkZXJyb3IiCiAgICAgICAgICAgICAgICBicmVhawogICAgICAgICAgICAgICAgOzsKICAgICAgICAgICAgICAgIGVzYWMKICAgICAgICAgICAgZWxzZQogICAgICAgICAgICAgICAgZWNobyAiRmFpbGVkIHRvIHBhcnNlIEpTT04sIG9yIGdvdCBmYWxzZS9udWxsIgogICAgICAgICAgICAgICAgZWNobyAiQVMzIHN0YXR1cyBjb2RlOiAkY29kZSIKICAgICAgICAgICAgICAgIGRlYnVnPSQoY3VybCAtcyAtdSAkQ1JFRFMgJGxvY2FsX2hvc3QkZG9UYXNrVXJsLyR0YXNrKQogICAgICAgICAgICAgICAgZWNobyAiZGVidWcgQVMzIGNvZGU6ICRkZWJ1ZyIKICAgICAgICAgICAgICAgIGNvdW50PSRbJGNvdW50KzFdCiAgICAgICAgICAgIGZpCiAgICAgICAgZG9uZQogICAgZG9uZQp9CgojIG1vZGlmeSBhczMKI3NkVG9rZW49JChlY2hvICIkdG9rZW4iIHwgYmFzZTY0KQpzZWQgLWkgInMvLWV4dGVybmFsLXZpcnR1YWwtYWRkcmVzcy0vJGV4dGVybmFsVmlwL2ciIC9jb25maWcvYXMzLmpzb24KI3NlZCAtaSAicy8tc2Qtc2EtdG9rZW4tYjY0LS8kdG9rZW4vZyIgL2NvbmZpZy9hczMuanNvbgojIGVuZCBtb2RpZnkgYXMzCgojIG1ldGFkYXRhIHJvdXRlCmVjaG8gIC1lICdjcmVhdGUgY2xpIHRyYW5zYWN0aW9uOwptb2RpZnkgc3lzIGRiIGNvbmZpZy5hbGxvdy5yZmMzOTI3IHZhbHVlIGVuYWJsZTsKY3JlYXRlIHN5cyBtYW5hZ2VtZW50LXJvdXRlIG1ldGFkYXRhLXJvdXRlIG5ldHdvcmsgMTY5LjI1NC4xNjkuMjU0LzMyIGdhdGV3YXkgMTAuOTAuMC4xOwpzdWJtaXQgY2xpIHRyYW5zYWN0aW9uJyB8IHRtc2ggLXEKdG1zaCBzYXZlIC9zeXMgY29uZmlnCiMgYWRkIG1hbmFnZW1lbnQgcm91dGUgd2l0aCBtZXRyaWMgMCBmb3IgdGhlIHdpbgpyb3V0ZSBhZGQgLW5ldCBkZWZhdWx0IGd3IDEwLjkwLjAuMSBuZXRtYXNrIDAuMC4wLjAgZGV2IG1nbXQgbWV0cmljIDAKIyAgcnVuIGFzMwpjb3VudD0wCndoaWxlIFsgJGNvdW50IC1sZSA0IF0KZG8KICAgIGFzM1N0YXR1cz0kKGNoZWNrQVMzKQogICAgZWNobyAiQVMzIGNoZWNrIHN0YXR1czogJGFzM1N0YXR1cyIKICAgIGlmIFtbICIkYXMzU3RhdHVzIiA9PSAqIm9ubGluZSIqIF1dOyB0aGVuCiAgICAgICAgaWYgWyAkZGV2aWNlSWQgPT0gMSBdOyB0aGVuCiAgICAgICAgICAgIGVjaG8gInJ1bm5pbmcgYXMzIgogICAgICAgICAgICBydW5BUzMKICAgICAgICAgICAgZWNobyAiZG9uZSB3aXRoIGFzMyIKICAgICAgICAgICAgcmVzdWx0cz0kKHJlc3RjdXJsIC11ICRDUkVEUyAkYXMzVGFza1VybCB8IGpxICcuaXRlbXNbXSB8IC5pZCwgLnJlc3VsdHMnKQogICAgICAgICAgICBlY2hvICJhczMgcmVzdWx0czogJHJlc3VsdHMiCiAgICAgICAgICAgIGJyZWFrCiAgICAgICAgZWxzZQogICAgICAgICAgICBlY2hvICJOb3QgcG9zdGluZyBhczMgZGV2aWNlICRkZXZpY2VpZCBub3QgcHJpbWFyeSIKICAgICAgICAgICAgYnJlYWsKICAgICAgICBmaQogICAgZWxpZiBbICRjb3VudCAtbGUgMiBdOyB0aGVuCiAgICAgICAgZWNobyAiU3RhdHVzIGNvZGU6ICRhczNTdGF0dXMgIEFzMyBub3QgcmVhZHkgeWV0Li4uIgogICAgICAgIGNvdW50PSRbJGNvdW50KzFdCiAgICBlbHNlCiAgICAgICAgZWNobyAiQXMzIEFQSSBTdGF0dXMgJGFzM1N0YXR1cyIKICAgICAgICBicmVhawogICAgZmkKZG9uZQojCiMKIyBjbGVhbnVwCiMjIHJlbW92ZSBkZWNsYXJhdGlvbnMKIyBybSAtZiAvY29uZmlnL2RvMS5qc29uCiMgcm0gLWYgL2NvbmZpZy9kbzIuanNvbgojIHJtIC1mIC9jb25maWcvYXMzLmpzb24KIyMgZGlzYWJsZS9yZXBsYWNlIGRlZmF1bHQgYWRtaW4gYWNjb3VudAojIGVjaG8gIC1lICJjcmVhdGUgY2xpIHRyYW5zYWN0aW9uOwojIG1vZGlmeSAvc3lzIGRiIHN5c3RlbWF1dGgucHJpbWFyeWFkbWludXNlciB2YWx1ZSAkYWRtaW5fdXNlcm5hbWU7CiMgc3VibWl0IGNsaSB0cmFuc2FjdGlvbiIgfCB0bXNoIC1xCnRtc2ggc2F2ZSBzeXMgY29uZmlnCmVjaG8gInRpbWVzdGFtcCBlbmQ6ICQoZGF0ZSkiCmVjaG8gInNldHVwIGNvbXBsZXRlICQodGltZXIgIiQoKCQoZGF0ZSArJXMpIC0gJHN0YXJ0VGltZSkpIikiCmV4aXQK' \\u003e\\u003e ./startup.sh \\u0026\\u0026 cat ./startup.sh | base64 -d \\u003e\\u003e ./startup-script.sh \\u0026\\u0026 chmod +x ./startup-script.sh \\u0026\\u0026 rm ./startup.sh \\u0026\\u0026 bash ./startup-script.sh 2\"}",
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null,
+ "type": "CustomScript",
+ "type_handler_version": "2.0",
+ "virtual_machine_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/virtualMachines/bedfe9a3-f5vm02"
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_availability_set.avset",
+ "azurerm_lb.lb",
+ "azurerm_lb_backend_address_pool.primary_pool",
+ "azurerm_public_ip.lbpip",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_subnet.internal",
+ "azurerm_subnet.mgmt",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.azurerm_network_interface.vm01-ext-nic",
+ "module.firewall_one.azurerm_network_interface.vm01-int-nic",
+ "module.firewall_one.azurerm_network_interface.vm01-mgmt-nic",
+ "module.firewall_one.azurerm_network_interface.vm02-ext-nic",
+ "module.firewall_one.azurerm_network_interface.vm02-int-nic",
+ "module.firewall_one.azurerm_network_interface.vm02-mgmt-nic",
+ "module.firewall_one.azurerm_network_interface_backend_address_pool_association.mpool_assc_vm01",
+ "module.firewall_one.azurerm_network_interface_backend_address_pool_association.mpool_assc_vm02",
+ "module.firewall_one.azurerm_virtual_machine.f5vm01",
+ "module.firewall_one.azurerm_virtual_machine.f5vm02",
+ "module.firewall_one.data.http.appservice",
+ "module.firewall_one.data.http.onboard",
+ "module.firewall_one.data.template_file.as3_json",
+ "module.firewall_one.data.template_file.vm01_do_json",
+ "module.firewall_one.data.template_file.vm02_do_json",
+ "module.firewall_one.data.template_file.vm_onboard",
+ "module.firewall_one.random_uuid.as3_uuid"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "local_file",
+ "name": "onboard_file",
+ "provider": "provider[\"registry.terraform.io/hashicorp/local\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "content": "#!/bin/bash\n#\n# vars\n#\n# get device id for do\ndeviceId=$1\n#\nadmin_username='xadmin'\nadmin_password='pleaseUseVault123!!'\nCREDS=\"$admin_username:$admin_password\"\nLOG_FILE=/var/log/startup-script.log\n# constants\nmgmt_port=`tmsh list sys httpd ssl-port | grep ssl-port | sed 's/ssl-port //;s/ //g'`\nauthUrl=\"/mgmt/shared/authn/login\"\nrpmInstallUrl=\"/mgmt/shared/iapp/package-management-tasks\"\nrpmFilePath=\"/var/config/rest/downloads\"\nlocal_host=\"http://localhost:8100\"\n# do\ndoUrl=\"/mgmt/shared/declarative-onboarding\"\ndoCheckUrl=\"/mgmt/shared/declarative-onboarding/info\"\ndoTaskUrl=\"/mgmt/shared/declarative-onboarding/task\"\n# as3\nas3Url=\"/mgmt/shared/appsvcs/declare\"\nas3CheckUrl=\"/mgmt/shared/appsvcs/info\"\nas3TaskUrl=\"/mgmt/shared/appsvcs/task/\"\n# ts\ntsUrl=\"/mgmt/shared/telemetry/declare\"\ntsCheckUrl=\"/mgmt/shared/telemetry/info\"\n# cloud failover ext\ncfUrl=\"/mgmt/shared/cloud-failover/declare\"\ncfCheckUrl=\"/mgmt/shared/cloud-failover/info\"\n# fast\nfastCheckUrl=\"/mgmt/shared/fast/info\"\n# declaration content\ncat \u003e /config/do1.json \u003c\u003cEOF\n{\n \"schemaVersion\": \"1.9.0\",\n \"class\": \"Device\",\n \"async\": true,\n \"label\": \"Basic onboarding\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"hostname\": \"f5vm01.example.com\",\n \"dbvars\": {\n \t\"class\": \"DbVariables\",\n \t\"ui.advisory.enabled\": true,\n \t\"ui.advisory.color\": \"green\",\n \"ui.advisory.text\": \"//UNCLASSIFIED//\",\n \"ui.system.preferences.advancedselection\": \"advanced\",\n \"ui.system.preferences.recordsperscreen\": \"100\",\n \"ui.system.preferences.startscreen\": \"network_map\",\n \"ui.users.redirectsuperuserstoauthsummary\": \"true\",\n \"dns.cache\": \"enable\",\n \"config.allow.rfc3927\": \"enable\",\n \"big3d.minimum.tls.version\": \"TLSV1.2\",\n \"liveinstall.checksig\": \"enable\"\n },\n \"RemoteSyslog\": {\n \"class\": \"SyslogRemoteServer\",\n \"host\": \"10.90.10.101\",\n \"localIp\": \"10.90.1.4\",\n \"remotePort\": 514\n },\n \"system\":{\n \"class\": \"System\",\n \"autoCheck\": false,\n \"autoPhonehome\": false,\n \"cliInactivityTimeout\": 900,\n \"consoleInactivityTimeout\": 900,\n \"guiAuditLog\": true,\n \"mcpAuditLog\": \"enable\",\n \"tmshAuditLog\": true\n },\n \"httpd\": {\n \"class\": \"HTTPD\",\n \"maxClients\": \"10\",\n \"authPamIdleTimeout\": \"900\",\n \"sslCiphersuite\": [\"ECDHE-ECDSA-AES256-GCM-SHA384\", \"ECDHE-ECDSA-AES256-SHA384\", \"ECDHE-ECDSA-AES256-SHA\",\"ECDH-ECDSA-AES256-GCM-SHA384\", \"ECDH-ECDSA-AES256-SHA384\", \"ECDH-ECDSA-AES256-SHA\", \"AES256-GCM-SHA384\", \"AES256-SHA256\", \"AES256-SHA\", \"CAMELLIA256-SHA\", \"ECDHE-RSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-SHA256\", \"ECDHE-RSA-AES128-SHA\", \"ECDHE-ECDSA-AES128-SHA\", \"ECDH-ECDSA-AES128-GCM-SHA256\", \"ECDH-ECDSA-AES128-SHA256\", \"ECDH-ECDSA-AES128-SHA\", \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES128-SHA\", \"SEED-SHA\", \"CAMELLIA128-SHA\"],\n \"sslProtocol\": \"all -SSLv2 -SSLv3 -TLSv1\"\n },\n \"sshd\": {\n \"class\": \"SSHD\",\n \"banner\": \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\",\n \"inactivityTimeout\": 900,\n \"ciphers\": [\n \"aes128-ctr\",\n \"aes192-ctr\",\n \"aes256-ctr\"\n ],\n \"loginGraceTime\": 60,\n \"MACS\": [\n \"hmac-sha1\",\n \"hmac-ripemd160\"\n ],\n \"maxAuthTries\": 3,\n \"maxStartups\": \"5\",\n \"protocol\": 2\n },\n \"myDns\": {\n \"class\": \"DNS\",\n \"nameServers\": [\n \"168.63.129.16\",\n \"2001:4860:4860::8844\"\n ],\n \"search\": [\n \"f5.com\"\n ]\n },\n \"myNtp\": {\n \"class\": \"NTP\",\n \"servers\": [\n \"time.nist.gov\",\n \"0.pool.ntp.org\",\n \"1.pool.ntp.org\"\n ],\n \"timezone\": \"UTC\"\n },\n \"myProvisioning\": {\n \"class\": \"Provision\",\n \"ltm\": \"nominal\",\n \"asm\": \"nominal\",\n \"afm\": \"nominal\"\n },\n \"external\": {\n \"class\": \"VLAN\",\n \"tag\": 4094,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.1\",\n \"tagged\": false\n }\n ]\n },\n \"internal\": {\n \"class\": \"VLAN\",\n \"tag\": 4093,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.2\",\n \"tagged\": false\n }\n ]\n },\n \"external-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.1.4/24\",\n \"vlan\": \"external\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internal-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.2.4/24\",\n \"vlan\": \"internal\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internet\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.1.1\",\n \"network\": \"default\",\n \"mtu\": 1500\n },\n \"vdms\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.3.0/24\",\n \"mtu\": 1500\n },\n \"vdss\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.0.0/16\",\n \"mtu\": 1500\n },\n \"configsync\": {\n \"class\": \"ConfigSync\",\n \"configsyncIp\": \"/Common/external-self/address\"\n },\n \"failoverAddress\": {\n \"class\": \"FailoverUnicast\",\n \"address\": \"/Common/external-self/address\"\n },\n \"failoverGroup\": {\n \"class\": \"DeviceGroup\",\n \"type\": \"sync-failover\",\n \"members\": [\n \"f5vm01.example.com\",\n \"f5vm02.example.com\"\n ],\n \"owner\": \"/Common/failoverGroup/members/0\",\n \"autoSync\": true,\n \"saveOnAutoSync\": false,\n \"networkFailover\": true,\n \"fullLoadOnSync\": false,\n \"asmSync\": true\n },\n \"trust\": {\n \"class\": \"DeviceTrust\",\n \"localUsername\": \"xadmin\",\n \"localPassword\": \"pleaseUseVault123!!\",\n \"remoteHost\": \"10.90.1.5\",\n \"remoteUsername\": \"xadmin\",\n \"remotePassword\": \"pleaseUseVault123!!\"\n }\n }\n}\nEOF\ncat \u003e /config/do2.json \u003c\u003cEOF\n{\n \"schemaVersion\": \"1.9.0\",\n \"class\": \"Device\",\n \"async\": true,\n \"label\": \"Basic onboarding\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"hostname\": \"f5vm02.example.com\",\n \"dbvars\": {\n \t\"class\": \"DbVariables\",\n \t\"ui.advisory.enabled\": true,\n \t\"ui.advisory.color\": \"green\",\n \"ui.advisory.text\": \"//UNCLASSIFIED//\",\n \"ui.system.preferences.advancedselection\": \"advanced\",\n \"ui.system.preferences.recordsperscreen\": \"100\",\n \"ui.system.preferences.startscreen\": \"network_map\",\n \"ui.users.redirectsuperuserstoauthsummary\": \"true\",\n \"dns.cache\": \"enable\",\n \"config.allow.rfc3927\": \"enable\",\n \"big3d.minimum.tls.version\": \"TLSV1.2\",\n \"liveinstall.checksig\": \"enable\"\n },\n \"RemoteSyslog\": {\n \"class\": \"SyslogRemoteServer\",\n \"host\": \"10.90.10.101\",\n \"localIp\": \"10.90.1.5\",\n \"remotePort\": 514\n },\n \"system\":{\n \"class\": \"System\",\n \"autoCheck\": false,\n \"autoPhonehome\": false,\n \"cliInactivityTimeout\": 900,\n \"consoleInactivityTimeout\": 900,\n \"guiAuditLog\": true,\n \"mcpAuditLog\": \"enable\",\n \"tmshAuditLog\": true\n },\n \"httpd\": {\n \"class\": \"HTTPD\",\n \"maxClients\": \"10\",\n \"authPamIdleTimeout\": \"900\",\n \"sslCiphersuite\": [\"ECDHE-ECDSA-AES256-GCM-SHA384\", \"ECDHE-ECDSA-AES256-SHA384\", \"ECDHE-ECDSA-AES256-SHA\",\"ECDH-ECDSA-AES256-GCM-SHA384\", \"ECDH-ECDSA-AES256-SHA384\", \"ECDH-ECDSA-AES256-SHA\", \"AES256-GCM-SHA384\", \"AES256-SHA256\", \"AES256-SHA\", \"CAMELLIA256-SHA\", \"ECDHE-RSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-SHA256\", \"ECDHE-RSA-AES128-SHA\", \"ECDHE-ECDSA-AES128-SHA\", \"ECDH-ECDSA-AES128-GCM-SHA256\", \"ECDH-ECDSA-AES128-SHA256\", \"ECDH-ECDSA-AES128-SHA\", \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES128-SHA\", \"SEED-SHA\", \"CAMELLIA128-SHA\"],\n \"sslProtocol\": \"all -SSLv2 -SSLv3 -TLSv1\"\n },\n \"sshd\": {\n \"class\": \"SSHD\",\n \"banner\": \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\",\n \"inactivityTimeout\": 900,\n \"ciphers\": [\n \"aes128-ctr\",\n \"aes192-ctr\",\n \"aes256-ctr\"\n ],\n \"loginGraceTime\": 60,\n \"MACS\": [\n \"hmac-sha1\",\n \"hmac-ripemd160\"\n ],\n \"maxAuthTries\": 3,\n \"maxStartups\": \"5\",\n \"protocol\": 2\n },\n \"myDns\": {\n \"class\": \"DNS\",\n \"nameServers\": [\n \"168.63.129.16\",\n \"2001:4860:4860::8844\"\n ],\n \"search\": [\n \"f5.com\"\n ]\n },\n \"myNtp\": {\n \"class\": \"NTP\",\n \"servers\": [\n \"time.nist.gov\",\n \"0.pool.ntp.org\",\n \"1.pool.ntp.org\"\n ],\n \"timezone\": \"UTC\"\n },\n \"myProvisioning\": {\n \"class\": \"Provision\",\n \"ltm\": \"nominal\",\n \"asm\": \"nominal\",\n \"afm\": \"nominal\"\n },\n \"external\": {\n \"class\": \"VLAN\",\n \"tag\": 4094,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.1\",\n \"tagged\": false\n }\n ]\n },\n \"internal\": {\n \"class\": \"VLAN\",\n \"tag\": 4093,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.2\",\n \"tagged\": false\n }\n ]\n },\n \"external-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.1.5/24\",\n \"vlan\": \"external\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internal-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.2.5/24\",\n \"vlan\": \"internal\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internet\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.1.1\",\n \"network\": \"default\",\n \"mtu\": 1500\n },\n \"vdms\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.3.0/24\",\n \"mtu\": 1500\n },\n \"vdss\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.0.0/16\",\n \"mtu\": 1500\n },\n \"configsync\": {\n \"class\": \"ConfigSync\",\n \"configsyncIp\": \"/Common/external-self/address\"\n },\n \"failoverAddress\": {\n \"class\": \"FailoverUnicast\",\n \"address\": \"/Common/external-self/address\"\n },\n \"failoverGroup\": {\n \"class\": \"DeviceGroup\",\n \"type\": \"sync-failover\",\n \"members\": [\n \"f5vm01.example.com\",\n \"f5vm02.example.com\"\n ],\n \"owner\": \"/Common/failoverGroup/members/0\",\n \"autoSync\": true,\n \"saveOnAutoSync\": false,\n \"networkFailover\": true,\n \"fullLoadOnSync\": false,\n \"asmSync\": true\n },\n \"trust\": {\n \"class\": \"DeviceTrust\",\n \"localUsername\": \"xadmin\",\n \"localPassword\": \"pleaseUseVault123!!\",\n \"remoteHost\": \"10.90.1.4\",\n \"remoteUsername\": \"xadmin\",\n \"remotePassword\": \"pleaseUseVault123!!\"\n }\n }\n}\nEOF\ncat \u003e /config/as3.json \u003c\u003cEOF\n{\n \"$schema\": \"https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json\",\n \"class\":\"AS3\",\n \"action\":\"deploy\",\n \"persist\":true,\n \"declaration\": { \n \"class\": \"ADC\",\n \"schemaVersion\": \"3.12.0\",\n \"id\": \"05faeb52-4c1b-9fa3-73be-ecd770a57df0\",\n \"label\": \"scca baseline\",\n \"remark\": \"scca baseline 3.12.0\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"Shared\": {\n \"class\": \"Application\",\n \"template\": \"shared\",\n \"fwLogDestinationSyslog\": {\n \"class\": \"Log_Destination\",\n \"type\": \"remote-syslog\",\n \"remoteHighSpeedLog\": {\n \"use\": \"fwLogDestinationHsl\"\n },\n \"format\": \"rfc5424\"\n },\n \"fwLogDestinationHsl\": {\n \"class\": \"Log_Destination\",\n \"type\": \"remote-high-speed-log\",\n \"protocol\": \"tcp\",\n \"pool\": {\n \"use\": \"hsl_pool\"\n }\n },\n \"hsl_pool\": {\n \"class\": \"Pool\",\n \"members\": [\n {\n \"serverAddresses\": [\n \"10.90.10.101\"\n ],\n \"enable\": true,\n \"servicePort\": 514\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/udp\"\n }\n ]\n },\n \"fwLogPublisher\": {\n \"class\": \"Log_Publisher\",\n \"destinations\": [\n {\n \"use\": \"fwLogDestinationSyslog\"\n }\n ]\n },\n \"fwSecurityLogProfile\": {\n \"class\": \"Security_Log_Profile\",\n \"network\": {\n \"publisher\": {\n \"use\": \"fwLogPublisher\"\n },\n \"storageFormat\": {\n \"fields\": [\n \"action\",\n \"dest-ip\",\n \"dest-port\",\n \"src-ip\",\n \"src-port\"\n ]\n },\n \"logTranslationFields\": true,\n \"logTcpEvents\": true,\n \"logRuleMatchRejects\": true,\n \"logTcpErrors\": true,\n \"logIpErrors\": true,\n \"logRuleMatchDrops\": true,\n \"logRuleMatchAccepts\": true\n },\n \"application\": {\n \"facility\": \"local3\",\n \"storageFilter\": {\n \"requestType\": \"illegal-including-staged-signatures\",\n \"responseCodes\": [\n \"404\",\n \"201\"\n ],\n \"protocols\": [\n \"http\"\n ],\n \"httpMethods\": [\n \"PATCH\",\n \"DELETE\"\n ],\n \"requestContains\": {\n \"searchIn\": \"search-in-request\",\n \"value\": \"The new value\"\n },\n \"loginResults\": [\n \"login-result-unknown\"\n ]\n },\n \"storageFormat\": {\n \"fields\": [\n \"attack_type\",\n \"avr_id\",\n \"headers\",\n \"is_truncated\"\n ],\n \"delimiter\": \".\"\n },\n \"localStorage\": false,\n \"maxEntryLength\": \"10k\",\n \"protocol\": \"udp\",\n \"remoteStorage\": \"remote\",\n \"reportAnomaliesEnabled\": true,\n \"servers\": [\n {\n \"address\": \"10.90.10.101\",\n \"port\": \"514\"\n }\n ]\n },\n \"dosApplication\": {\n \"remotePublisher\": {\n \"use\": \"fwLogPublisher\"\n }\n },\n \"dosNetwork\": {\n \"publisher\": {\n \"use\": \"fwLogPublisher\"\n }\n }\n },\n \"example_response\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"sccaBaselineWAFPolicy\":{\n \"class\": \"WAF_Policy\",\n \"url\": \"https://raw.githubusercontent.com/f5devcentral/f5-asm-policy-templates/master/owasp_ready_template/owasp-auto-tune-v1.1.xml\",\n \"ignoreChanges\": false,\n \"enforcementMode\": \"transparent\"\n },\n \"certificate_default\": {\n \"class\": \"Certificate\",\n \"certificate\": {\n \"bigip\": \"/Common/default.crt\"\n },\n \"privateKey\": {\n \"bigip\": \"/Common/default.key\"\n }\n },\n \"sccaBaselineClientSSL\": {\n \"certificates\": [\n {\n \"certificate\": \"certificate_default\"\n }\n ],\n \"ciphers\": \"HIGH\",\n \"class\": \"TLS_Server\"\n },\n \"sccaBaselineAFMRuleList\":{\n \"class\": \"Firewall_Rule_List\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n }\n ]\n },\n \"sccaBaselineAFMPolicy\": {\n \"class\": \"Firewall_Policy\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n },\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"deny_all\",\n \"protocol\": \"any\"\n }\n ]\n \n },\n \"sccaBaselineAFMPolicyHTTP\": {\n \"class\": \"Firewall_Policy\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n },\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"deny_all\",\n \"protocol\": \"any\"\n }\n ]\n \n }\n }\n },\n \"transit\": {\n \"class\": \"Tenant\",\n \"transit\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"transit_forward\": {\n \"class\": \"Service_Forwarding\",\n \"virtualAddresses\": [\n \"0.0.0.0/0\"\n ],\n \"profileL4\": {\n \"use\": \"route_friendly_fastl4\"\n },\n \"virtualPort\": 0,\n \"forwardingType\": \"ip\",\n \"layer4\": \"any\",\n \"snat\": \"auto\",\n \"translateServerAddress\": false,\n \"translateServerPort\": false,\n \"translateClientPort\": \"preserve-strict\"\n },\n \"route_friendly_fastl4\": {\n \"class\": \"L4_Profile\",\n \"idleTimeout\": 300,\n \"looseClose\": true,\n \"looseInitialization\": true,\n \"resetOnTimeout\": false\n },\n \"transit_health_irule\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"transit_health\": {\n \"class\": \"Service_HTTP\",\n \"layer4\": \"tcp\",\n \"iRules\": [\n \"transit_health_irule\"\n ],\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.2.11\",\n \"10.90.2.12\"\n ],\n \"virtualPort\": 34568,\n \"snat\": \"none\"\n }\n }\n },\n \"mgmt\": {\n \"class\": \"Tenant\",\n \"admin\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"rdp_pool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 3389,\n \"serverAddresses\": [\n \"10.90.3.98\"\n ]\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/tcp_half_open\"\n }\n ],\n \"class\": \"Pool\"\n },\n \"ssh_pool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 22,\n \"serverAddresses\": [\n \"10.90.3.99\"\n ]\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/tcp_half_open\"\n }\n ],\n \"class\": \"Pool\"\n },\n \"mgmt_health_irule\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"mgmt_http\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"iRules\": [\n \"mgmt_health_irule\"\n ],\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 80,\n \"snat\": \"none\"\n },\n \"mgmt_rdp\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"pool\": \"rdp_pool\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_TCP\",\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 3389,\n \"snat\": \"auto\"\n },\n \"mgmt_ssh\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"pool\": \"ssh_pool\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_TCP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 22,\n \"snat\": \"auto\"\n }\n }\n }, \n \"Example\": {\n \"class\": \"Tenant\",\n \"exampleApp\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"sccaBaselineExampleIPS\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": false,\n \"class\": \"Service_TCP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 0,\n \"snat\": \"auto\",\n \"pool\": \"sccaBaselineIPSPool\"\n \n },\n \"sccaBaselineExampleHTTPS\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicyHTTP\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTPS\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"serverTLS\": \"/Common/Shared/sccaBaselineClientSSL\",\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 443,\n \"snat\": \"auto\",\n \"policyWAF\": {\n \"use\": \"/Common/Shared/sccaBaselineWAFPolicy\"\n },\n \"pool\": \"sccaBaselineJuiceShop\"\n }, \n \"sccaBaselineExampleHTTP\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicyHTTP\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 8080,\n \"snat\": \"auto\",\n \"policyWAF\": {\n \"use\": \"/Common/Shared/sccaBaselineWAFPolicy\"\n },\n \"pool\": \"sccaBaselinePimpMyLogs\"\n },\n \"sccaBaselineIPSPool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 443,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineJuiceShop\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 3000,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n\n \"sccaBaselinePimpMyLogs\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 8080,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineDemoAppHttps\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/https\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\":443,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineDemoAppHttp\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\":80,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n }\n }\n }\n }\n}\nEOF\n\nDO_BODY_01=\"/config/do1.json\"\nDO_BODY_02=\"/config/do2.json\"\nAS3_BODY=\"/config/as3.json\"\n\nDO_URL_POST=\"/mgmt/shared/declarative-onboarding\"\nAS3_URL_POST=\"/mgmt/shared/appsvcs/declare\"\n# BIG-IPS ONBOARD SCRIPT\n\n\nif [ ! -e $LOG_FILE ]\nthen\n touch $LOG_FILE\n exec \u0026\u003e\u003e$LOG_FILE\nelse\n #if file exists, exit as only want to run once\n exit\nfi\n\nexec 1\u003e$LOG_FILE 2\u003e\u00261\n\nstartTime=$(date +%s)\necho \"start device ID:$deviceId date: $(date)\"\nfunction timer () {\n echo \"Time Elapsed: $(( 1 / 3600 ))h $(( (1 / 60) % 60 ))m $(( 1 % 60 ))s\"\n}\nwaitMcpd () {\nchecks=0\nwhile [[ \"$checks\" -lt 120 ]]; do\n tmsh -a show sys mcp-state field-fmt | grep -q running\n if [ $? == 0 ]; then\n echo \"[INFO: mcpd ready]\"\n break\n fi\n echo \"[WARN: mcpd not ready yet]\"\n let checks=checks+1\n sleep 10\ndone\n}\nwaitActive () {\nchecks=0\nwhile [[ \"$checks\" -lt 30 ]]; do\n tmsh -a show sys ready | grep -q no\n if [ $? == 1 ]; then\n echo \"[INFO: system ready]\"\n break\n fi\n echo \"[WARN: system not ready yet count: $checks]\"\n tmsh -a show sys ready | grep no\n let checks=checks+1\n sleep 10\ndone\n}\n# CHECK TO SEE NETWORK IS READY\ncount=0\nwhile true\ndo\n STATUS=$(curl -s -k -I example.com | grep HTTP)\n if [[ $STATUS == *\"200\"* ]]; then\n echo \"[INFO: internet access check passed]\"\n break\n elif [ $count -le 6 ]; then\n echo \"Status code: $STATUS Not done yet...\"\n count=$[$count+1]\n else\n echo \"[WARN: GIVE UP...]\"\n break\n fi\n sleep 10\ndone\n# download latest atc tools\ntoolsList=$(cat -\u003c\u003cEOF\n{\n \"tools\": [\n {\n \"name\": \"f5-declarative-onboarding\",\n \"version\": \"latest\",\n \"url\": \"https://example.domain.com/do.json\"\n },\n {\n \"name\": \"f5-appsvcs-extension\",\n \"version\": \"latest\",\n \"url\": \"https://example.domain.com/as3.json\"\n },\n {\n \"name\": \"f5-telemetry-streaming\",\n \"version\": \"latest\",\n \"url\": \"https://example.domain.com/ts.json\"\n },\n {\n \"name\": \"f5-cloud-failover-extension\",\n \"version\": \"latest\",\n \"url\": \"https://example.domain.com/cf.json\"\n },\n {\n \"name\": \"f5-appsvcs-templates\",\n \"version\": \"1.0.0\",\n \"url\": \"https://example.domain.com/cf.json\"\n }\n ]\n}\nEOF\n)\nfunction getAtc () {\natc=$(echo $toolsList | jq -r .tools[].name)\nfor tool in $atc\ndo\n version=$(echo $toolsList | jq -r \".tools[]| select(.name| contains (\\\"$tool\\\")).version\")\n if [ $version == \"latest\" ]; then\n path=''\n else\n path='tags/v'\n fi\n echo \"downloading $tool, $version\"\n if [ $tool == \"f5-new-tool\" ]; then\n files=$(/usr/bin/curl -sk --interface mgmt https://api.github.com/repos/f5devcentral/$tool/releases/$path$version | jq -r '.assets[] | select(.name | contains (\".rpm\")) | .browser_download_url')\n else\n files=$(/usr/bin/curl -sk --interface mgmt https://api.github.com/repos/F5Networks/$tool/releases/$path$version | jq -r '.assets[] | select(.name | contains (\".rpm\")) | .browser_download_url')\n fi\n for file in $files\n do\n echo \"download: $file\"\n name=$(basename $file )\n # make download dir\n mkdir -p /var/config/rest/downloads\n result=$(/usr/bin/curl -Lsk $file -o /var/config/rest/downloads/$name)\n done\ndone\n}\necho \"----download ATC tools----\"\ngetAtc\n\n# install atc tools\necho \"----install ATC tools----\"\nrpms=$(find $rpmFilePath -name \"*.rpm\" -type f)\nfor rpm in $rpms\ndo\n filename=$(basename $rpm)\n echo \"installing $filename\"\n if [ -f $rpmFilePath/$filename ]; then\n postBody=\"{\\\"operation\\\":\\\"INSTALL\\\",\\\"packageFilePath\\\":\\\"$rpmFilePath/$filename\\\"}\"\n while true\n do\n iappApiStatus=$(curl -s -i -u \"$CREDS\" $local_host$rpmInstallUrl | grep HTTP | awk '{print $2}')\n case $iappApiStatus in\n 404)\n echo \"[WARN: api not ready status: $iappApiStatus]\"\n sleep 2\n ;;\n 200)\n echo \"[INFO: api ready starting install task $filename]\"\n install=$(restcurl -s -u \"$CREDS\" -X POST -d $postBody $rpmInstallUrl | jq -r .id )\n break\n ;;\n *)\n echo \"[WARN: api error other status: $iappApiStatus]\"\n debug=$(restcurl -u \"$CREDS\" $rpmInstallUrl)\n #echo \"ipp install debug: $debug\"\n ;;\n esac\n done\n else\n echo \"[WARN: file: $filename not found]\"\n fi\n while true\n do\n status=$(restcurl -u \"$CREDS\" $rpmInstallUrl/$install | jq -r .status)\n case $status in\n FINISHED)\n # finished\n echo \" rpm: $filename task: $install status: $status\"\n break\n ;;\n STARTED)\n # started\n echo \" rpm: $filename task: $install status: $status\"\n ;;\n RUNNING)\n # running\n echo \" rpm: $filename task: $install status: $status\"\n ;;\n FAILED)\n # failed\n error=$(restcurl -u \"$CREDS\" $rpmInstallUrl/$install | jq .errorMessage)\n echo \"failed $filename task: $install error: $error\"\n break\n ;;\n *)\n # other\n debug=$(restcurl -u \"$CREDS\" $rpmInstallUrl/$install | jq . )\n echo \"failed $filename task: $install error: $debug\"\n ;;\n esac\n sleep 2\n done\ndone\nfunction getDoStatus() {\n task=$1\n doStatusType=$(restcurl -u \"$CREDS\" -X GET $doTaskUrl/$task | jq -r type )\n if [ \"$doStatusType\" == \"object\" ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doTaskUrl/$task | jq -r .result.status)\n echo $doStatus\n elif [ \"$doStatusType\" == \"array\" ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doTaskUrl/$task | jq -r .[].result.status)\n echo \"[INFO: $doStatus]\"\n else\n echo \"[WARN: unknown type:$doStatusType]\"\n fi\n}\nfunction checkDO() {\n # Check DO Ready\n count=0\n while [ $count -le 4 ]\n do\n #doStatus=$(curl -i -u \"$CREDS\" $local_host$doCheckUrl | grep HTTP | awk '{print $2}')\n doStatusType=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r type )\n if [ \"$doStatusType\" == \"object\" ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .code)\n if [ $? == 1 ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .result.code)\n fi\n elif [ \"$doStatusType\" == \"array\" ]; then\n doStatus=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .[].result.code)\n else\n echo \"[WARN: unknown type:$doStatusType]\"\n fi\n #echo \"status $doStatus\"\n if [[ $doStatus == \"200\" ]]; then\n #version=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .version)\n version=$(restcurl -u \"$CREDS\" -X GET $doCheckUrl | jq -r .[].version)\n echo \"[INFO: Declarative Onboarding $version online]\"\n break\n elif [[ $doStatus == \"404\" ]]; then\n echo \"DO Status: $doStatus\"\n bigstart restart restnoded\n sleep 30\n bigstart status restnoded | grep running\n status=$?\n echo \"restnoded:$status\"\n else\n echo \"[WARN: DO Status $doStatus]\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\nfunction checkAS3() {\n # Check AS3 Ready\n count=0\n while [ $count -le 4 ]\n do\n #as3Status=$(curl -i -u \"$CREDS\" $local_host$as3CheckUrl | grep HTTP | awk '{print $2}')\n as3Status=$(restcurl -u \"$CREDS\" -X GET $as3CheckUrl | jq -r .code)\n if [ \"$as3Status\" == \"null\" ] || [ -z \"$as3Status\" ]; then\n type=$(restcurl -u \"$CREDS\" -X GET $as3CheckUrl | jq -r type )\n if [ \"$type\" == \"object\" ]; then\n as3Status=\"200\"\n fi\n fi\n if [[ $as3Status == \"200\" ]]; then\n version=$(restcurl -u \"$CREDS\" -X GET $as3CheckUrl | jq -r .version)\n echo \"As3 $version online \"\n break\n elif [[ $as3Status == \"404\" ]]; then\n echo \"AS3 Status $as3Status\"\n bigstart restart restnoded\n sleep 30\n bigstart status restnoded | grep running\n status=$?\n echo \"restnoded:$status\"\n else\n echo \"AS3 Status $as3Status\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\nfunction checkTS() {\n # Check TS Ready\n count=0\n while [ $count -le 4 ]\n do\n tsStatus=$(curl -si -u \"$CREDS\" http://localhost:8100$tsCheckUrl | grep HTTP | awk '{print $2}')\n if [[ $tsStatus == \"200\" ]]; then\n version=$(restcurl -u \"$CREDS\" -X GET $tsCheckUrl | jq -r .version)\n echo \"Telemetry Streaming $version online \"\n break\n else\n echo \"TS Status $tsStatus\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\nfunction checkCF() {\n # Check CF Ready\n count=0\n while [ $count -le 4 ]\n do\n cfStatus=$(curl -si -u \"$CREDS\" $local_host$cfCheckUrl | grep HTTP | awk '{print $2}')\n if [[ $cfStatus == \"200\" ]]; then\n version=$(restcurl -u \"$CREDS\" -X GET $cfCheckUrl | jq -r .version)\n echo \"Cloud failover $version online \"\n break\n else\n echo \"Cloud Failover Status $tsStatus\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\nfunction checkFAST() {\n # Check FAST Ready\n count=0\n while [ $count -le 4 ]\n do\n fastStatus=$(curl -si -u \"$CREDS\" $local_host$fastCheckUrl | grep HTTP | awk '{print $2}')\n if [[ \"$fastStatus\" == \"200\" ]]; then\n version=$(restcurl -u \"$CREDS\" -X GET $fastCheckUrl | jq -r .version)\n echo \"FAST $version online \"\n break\n else\n echo \"FAST Status $fastStatus\"\n count=$[$count+1]\n fi\n sleep 10\n done\n}\n### check for apis online\nfunction checkATC() {\n doStatus=$(checkDO)\n as3Status=$(checkAS3)\n tsStatus=$(checkTS)\n cfStatus=$(checkCF)\n fastStatus=$(checkFAST)\n if [[ $doStatus == *\"online\"* ]] \u0026\u0026 [[ \"$as3Status\" = *\"online\"* ]] \u0026\u0026 [[ $tsStatus == *\"online\"* ]] \u0026\u0026 [[ $cfStatus == *\"online\"* ]] \u0026\u0026 [[ $fastStatus == *\"online\"* ]] ; then\n echo \"ATC is ready to accept API calls\"\n else\n echo \"ATC install failed or ATC is not ready to accept API calls\"\n fi\n}\necho \"----checking ATC install----\"\ncheckATC\nfunction runDO() {\ncount=0\nwhile [ $count -le 4 ]\n do\n # make task\n task=$(curl -s -u $CREDS -H \"Content-Type: Application/json\" -H 'Expect:' -X POST $local_host$doUrl -d @/config/$1 | jq -r .id)\n echo \"====== starting DO task: $task ==========\"\n sleep 1\n count=$[$count+1]\n # check task code\n taskCount=0\n while [ $taskCount -le 10 ]\n do\n doCodeType=$(curl -s -u $CREDS -X GET $local_host$doTaskUrl/$task | jq -r type )\n if [[ \"$doCodeType\" == \"object\" ]]; then\n code=$(curl -s -u $CREDS -X GET $local_host$doTaskUrl/$task | jq .result.code)\n echo \"object: $code\"\n elif [ \"$doCodeType\" == \"array\" ]; then\n echo \"array $code check task, breaking\"\n break\n else\n echo \"unknown type: $doCodeType\"\n debug=$(curl -s -u $CREDS -X GET $local_host$doTaskUrl/$task)\n echo \"other debug: $debug\"\n code=$(curl -s -u $CREDS -X GET $local_host$doTaskUrl/$task | jq .result.code)\n fi\n sleep 1\n if jq -e . \u003e/dev/null 2\u003e\u00261 \u003c\u003c\u003c\"$code\"; then\n echo \"Parsed JSON successfully and got something other than false/null count: $taskCount\"\n status=$(curl -s -u $CREDS $local_host$doTaskUrl/$task | jq -r .result.status)\n sleep 1\n echo \"status: $status code: $code\"\n # 200,202,422,400,404,500,422\n echo \"DO: $task response:$code status:$status\"\n sleep 1\n #FINISHED,STARTED,RUNNING,ROLLING_BACK,FAILED,ERROR,NULL\n case $status in\n FINISHED)\n # finished\n echo \" $task status: $status \"\n # bigstart start dhclient\n break 2\n ;;\n STARTED)\n # started\n echo \" $filename status: $status \"\n sleep 30\n ;;\n RUNNING)\n # running\n echo \"DO Status: $status task: $task Not done yet...count:$taskCount\"\n # wait for active-online-state\n waitMcpd\n if [[ \"$taskCount\" -le 5 ]]; then\n sleep 60\n fi\n waitActive\n #sleep 120\n taskCount=$[$taskCount+1]\n ;;\n FAILED)\n # failed\n error=$(curl -s -u $CREDS $local_host$doTaskUrl/$task | jq -r .result.status)\n echo \"failed $task, $error\"\n #count=$[$count+1]\n break\n ;;\n ERROR)\n # error\n error=$(curl -s -u $CREDS $local_host$doTaskUrl/$task | jq -r .result.status)\n echo \"Error $task, $error\"\n #count=$[$count+1]\n break\n ;;\n ROLLING_BACK)\n # Rolling back\n echo \"Rolling back failed status: $status task: $task\"\n break\n ;;\n OK)\n # complete no change\n echo \"Complete no change status: $status task: $task\"\n break 2\n ;;\n *)\n # other\n echo \"other: $status\"\n echo \"other task: $task count: $taskCount\"\n debug=$(curl -s -u $CREDS $local_host$doTaskUrl/$task)\n echo \"other debug: $debug\"\n case $debug in\n *not*registered*)\n # restnoded response DO api is unresponsive\n echo \"DO endpoint not avaliable waiting...\"\n sleep 30\n ;;\n *resterrorresponse*)\n # restnoded response DO api is unresponsive\n echo \"DO endpoint not avaliable waiting...\"\n sleep 30\n ;;\n *start-limit*)\n # dhclient issue hit\n echo \" do dhclient starting issue hit start another task\"\n break\n ;;\n esac\n sleep 30\n taskCount=$[$taskCount+1]\n ;;\n esac\n else\n echo \"Failed to parse JSON, or got false/null\"\n echo \"DO status code: $code\"\n debug=$(curl -s -u $CREDS $local_host$doTaskUrl/$task)\n echo \"debug DO code: $debug\"\n count=$[$count+1]\n fi\n done\ndone\n}\n# mgmt\necho \"set management\"\necho -e \"create cli transaction;\nmodify sys global-settings mgmt-dhcp disabled;\nsubmit cli transaction\" | tmsh -q\ntmsh save /sys config\n# get as3 values\nexternalVip=$(curl -sf --retry 20 -H Metadata:true \"http://169.254.169.254/metadata/instance/network/interface?api-version=2017-08-01\" | jq -r '.[1].ipv4.ipAddress[1].privateIpAddress')\n\n# end get values\n\n# run DO\necho \"----run do----\"\ncount=0\nwhile [ $count -le 4 ]\n do\n doStatus=$(checkDO)\n echo \"DO check status: $doStatus\"\n if [ $deviceId == 1 ] \u0026\u0026 [[ \"$doStatus\" = *\"online\"* ]]; then\n echo \"running do for id:$deviceId\"\n bigstart stop dhclient\n runDO do1.json\n if [ \"$?\" == 0 ]; then\n echo \"done with do\"\n bigstart start dhclient\n results=$(restcurl -u $CREDS -X GET $doTaskUrl | jq '.[] | .id, .result')\n echo \"do results: $results\"\n break\n fi\n elif [ $deviceId == 2 ] \u0026\u0026 [[ \"$doStatus\" = *\"online\"* ]]; then\n echo \"running do for id:$deviceId\"\n bigstart stop dhclient\n runDO do2.json\n if [ \"$?\" == 0 ]; then\n echo \"done with do\"\n bigstart start dhclient\n results=$(restcurl -u $CREDS -X GET $doTaskUrl | jq '.[] | .id, .result')\n echo \"do results: $results\"\n break\n fi\n elif [ $count -le 2 ]; then\n echo \"DeviceID: $deviceId Status code: $doStatus DO not ready yet...\"\n count=$[$count+1]\n sleep 30\n else\n echo \"DO not online status: $doStatus\"\n break\n fi\ndone\nfunction runAS3 () {\n count=0\n while [ $count -le 4 ]\n do\n # wait for do to finish\n waitActive\n # make task\n task=$(curl -s -u $CREDS -H \"Content-Type: Application/json\" -H 'Expect:' -X POST $local_host$as3Url?async=true -d @/config/as3.json | jq -r .id)\n echo \"===== starting as3 task: $task =====\"\n sleep 1\n count=$[$count+1]\n # check task code\n taskCount=0\n while [ $taskCount -le 3 ]\n do\n as3CodeType=$(curl -s -u $CREDS -X GET $local_host$as3TaskUrl/$task | jq -r type )\n if [[ \"$as3CodeType\" == \"object\" ]]; then\n code=$(curl -s -u $CREDS -X GET $local_host$as3TaskUrl/$task | jq -r .)\n tenants=$(curl -s -u $CREDS -X GET $local_host$as3TaskUrl/$task | jq -r .results[].tenant)\n echo \"object: $code\"\n elif [ \"$as3CodeType\" == \"array\" ]; then\n echo \"array $code check task, breaking\"\n break\n else\n echo \"unknown type:$as3CodeType\"\n fi\n sleep 1\n if jq -e . \u003e/dev/null 2\u003e\u00261 \u003c\u003c\u003c\"$code\"; then\n echo \"Parsed JSON successfully and got something other than false/null\"\n status=$(curl -s -u $CREDS $local_host$as3TaskUrl/$task | jq -r .items[].results[].message)\n case $status in\n *progress)\n # in progress\n echo -e \"Running: $task status: $status tenants: $tenants count: $taskCount \"\n sleep 120\n taskCount=$[$taskCount+1]\n ;;\n *Error*)\n # error\n echo -e \"Error Task: $task status: $status tenants: $tenants \"\n if [[ \"$status\" = *\"progress\"* ]]; then\n sleep 180\n break\n else\n break\n fi\n ;;\n *failed*)\n # failed\n echo -e \"failed: $task status: $status tenants: $tenants \"\n break\n ;;\n *success*)\n # successful!\n echo -e \"success: $task status: $status tenants: $tenants \"\n break 3\n ;;\n no*change)\n # finished\n echo -e \"no change: $task status: $status tenants: $tenants \"\n break 4\n ;;\n *)\n # other\n echo \"status: $status\"\n debug=$(curl -s -u $CREDS $local_host$as3TaskUrl/$task)\n echo \"debug: $debug\"\n error=$(curl -s -u $CREDS $local_host$as3TaskUrl/$task | jq -r '.results[].message')\n echo \"Other: $task, $error\"\n break\n ;;\n esac\n else\n echo \"Failed to parse JSON, or got false/null\"\n echo \"AS3 status code: $code\"\n debug=$(curl -s -u $CREDS $local_host$doTaskUrl/$task)\n echo \"debug AS3 code: $debug\"\n count=$[$count+1]\n fi\n done\n done\n}\n\n# modify as3\n#sdToken=$(echo \"$token\" | base64)\nsed -i \"s/-external-virtual-address-/$externalVip/g\" /config/as3.json\n#sed -i \"s/-sd-sa-token-b64-/$token/g\" /config/as3.json\n# end modify as3\n\n# metadata route\necho -e 'create cli transaction;\nmodify sys db config.allow.rfc3927 value enable;\ncreate sys management-route metadata-route network 169.254.169.254/32 gateway 10.90.0.1;\nsubmit cli transaction' | tmsh -q\ntmsh save /sys config\n# add management route with metric 0 for the win\nroute add -net default gw 10.90.0.1 netmask 0.0.0.0 dev mgmt metric 0\n# run as3\ncount=0\nwhile [ $count -le 4 ]\ndo\n as3Status=$(checkAS3)\n echo \"AS3 check status: $as3Status\"\n if [[ \"$as3Status\" == *\"online\"* ]]; then\n if [ $deviceId == 1 ]; then\n echo \"running as3\"\n runAS3\n echo \"done with as3\"\n results=$(restcurl -u $CREDS $as3TaskUrl | jq '.items[] | .id, .results')\n echo \"as3 results: $results\"\n break\n else\n echo \"Not posting as3 device $deviceid not primary\"\n break\n fi\n elif [ $count -le 2 ]; then\n echo \"Status code: $as3Status As3 not ready yet...\"\n count=$[$count+1]\n else\n echo \"As3 API Status $as3Status\"\n break\n fi\ndone\n#\n#\n# cleanup\n## remove declarations\n# rm -f /config/do1.json\n# rm -f /config/do2.json\n# rm -f /config/as3.json\n## disable/replace default admin account\n# echo -e \"create cli transaction;\n# modify /sys db systemauth.primaryadminuser value $admin_username;\n# submit cli transaction\" | tmsh -q\ntmsh save sys config\necho \"timestamp end: $(date)\"\necho \"setup complete $(timer \"$(($(date +%s) - $startTime))\")\"\nexit\n",
+ "content_base64": null,
+ "directory_permission": "0777",
+ "file_permission": "0777",
+ "filename": "one_tier/firewall/onboard.sh",
+ "id": "ded29bc74c06c93eb6bf339bb1625c574358fc19",
+ "sensitive_content": null,
+ "source": null
+ },
+ "private": "bnVsbA==",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_subnet.internal",
+ "azurerm_subnet.mgmt",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.data.http.appservice",
+ "module.firewall_one.data.http.onboard",
+ "module.firewall_one.data.template_file.as3_json",
+ "module.firewall_one.data.template_file.vm01_do_json",
+ "module.firewall_one.data.template_file.vm02_do_json",
+ "module.firewall_one.data.template_file.vm_onboard",
+ "module.firewall_one.random_uuid.as3_uuid"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "local_file",
+ "name": "vm01_do_file",
+ "provider": "provider[\"registry.terraform.io/hashicorp/local\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "content": "{\n \"schemaVersion\": \"1.9.0\",\n \"class\": \"Device\",\n \"async\": true,\n \"label\": \"Basic onboarding\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"hostname\": \"f5vm01.example.com\",\n \"dbvars\": {\n \t\"class\": \"DbVariables\",\n \t\"ui.advisory.enabled\": true,\n \t\"ui.advisory.color\": \"green\",\n \"ui.advisory.text\": \"//UNCLASSIFIED//\",\n \"ui.system.preferences.advancedselection\": \"advanced\",\n \"ui.system.preferences.recordsperscreen\": \"100\",\n \"ui.system.preferences.startscreen\": \"network_map\",\n \"ui.users.redirectsuperuserstoauthsummary\": \"true\",\n \"dns.cache\": \"enable\",\n \"config.allow.rfc3927\": \"enable\",\n \"big3d.minimum.tls.version\": \"TLSV1.2\",\n \"liveinstall.checksig\": \"enable\"\n },\n \"RemoteSyslog\": {\n \"class\": \"SyslogRemoteServer\",\n \"host\": \"10.90.10.101\",\n \"localIp\": \"10.90.1.4\",\n \"remotePort\": 514\n },\n \"system\":{\n \"class\": \"System\",\n \"autoCheck\": false,\n \"autoPhonehome\": false,\n \"cliInactivityTimeout\": 900,\n \"consoleInactivityTimeout\": 900,\n \"guiAuditLog\": true,\n \"mcpAuditLog\": \"enable\",\n \"tmshAuditLog\": true\n },\n \"httpd\": {\n \"class\": \"HTTPD\",\n \"maxClients\": \"10\",\n \"authPamIdleTimeout\": \"900\",\n \"sslCiphersuite\": [\"ECDHE-ECDSA-AES256-GCM-SHA384\", \"ECDHE-ECDSA-AES256-SHA384\", \"ECDHE-ECDSA-AES256-SHA\",\"ECDH-ECDSA-AES256-GCM-SHA384\", \"ECDH-ECDSA-AES256-SHA384\", \"ECDH-ECDSA-AES256-SHA\", \"AES256-GCM-SHA384\", \"AES256-SHA256\", \"AES256-SHA\", \"CAMELLIA256-SHA\", \"ECDHE-RSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-SHA256\", \"ECDHE-RSA-AES128-SHA\", \"ECDHE-ECDSA-AES128-SHA\", \"ECDH-ECDSA-AES128-GCM-SHA256\", \"ECDH-ECDSA-AES128-SHA256\", \"ECDH-ECDSA-AES128-SHA\", \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES128-SHA\", \"SEED-SHA\", \"CAMELLIA128-SHA\"],\n \"sslProtocol\": \"all -SSLv2 -SSLv3 -TLSv1\"\n },\n \"sshd\": {\n \"class\": \"SSHD\",\n \"banner\": \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\",\n \"inactivityTimeout\": 900,\n \"ciphers\": [\n \"aes128-ctr\",\n \"aes192-ctr\",\n \"aes256-ctr\"\n ],\n \"loginGraceTime\": 60,\n \"MACS\": [\n \"hmac-sha1\",\n \"hmac-ripemd160\"\n ],\n \"maxAuthTries\": 3,\n \"maxStartups\": \"5\",\n \"protocol\": 2\n },\n \"myDns\": {\n \"class\": \"DNS\",\n \"nameServers\": [\n \"168.63.129.16\",\n \"2001:4860:4860::8844\"\n ],\n \"search\": [\n \"f5.com\"\n ]\n },\n \"myNtp\": {\n \"class\": \"NTP\",\n \"servers\": [\n \"time.nist.gov\",\n \"0.pool.ntp.org\",\n \"1.pool.ntp.org\"\n ],\n \"timezone\": \"UTC\"\n },\n \"myProvisioning\": {\n \"class\": \"Provision\",\n \"ltm\": \"nominal\",\n \"asm\": \"nominal\",\n \"afm\": \"nominal\"\n },\n \"external\": {\n \"class\": \"VLAN\",\n \"tag\": 4094,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.1\",\n \"tagged\": false\n }\n ]\n },\n \"internal\": {\n \"class\": \"VLAN\",\n \"tag\": 4093,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.2\",\n \"tagged\": false\n }\n ]\n },\n \"external-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.1.4/24\",\n \"vlan\": \"external\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internal-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.2.4/24\",\n \"vlan\": \"internal\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internet\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.1.1\",\n \"network\": \"default\",\n \"mtu\": 1500\n },\n \"vdms\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.3.0/24\",\n \"mtu\": 1500\n },\n \"vdss\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.0.0/16\",\n \"mtu\": 1500\n },\n \"configsync\": {\n \"class\": \"ConfigSync\",\n \"configsyncIp\": \"/Common/external-self/address\"\n },\n \"failoverAddress\": {\n \"class\": \"FailoverUnicast\",\n \"address\": \"/Common/external-self/address\"\n },\n \"failoverGroup\": {\n \"class\": \"DeviceGroup\",\n \"type\": \"sync-failover\",\n \"members\": [\n \"f5vm01.example.com\",\n \"f5vm02.example.com\"\n ],\n \"owner\": \"/Common/failoverGroup/members/0\",\n \"autoSync\": true,\n \"saveOnAutoSync\": false,\n \"networkFailover\": true,\n \"fullLoadOnSync\": false,\n \"asmSync\": true\n },\n \"trust\": {\n \"class\": \"DeviceTrust\",\n \"localUsername\": \"xadmin\",\n \"localPassword\": \"pleaseUseVault123!!\",\n \"remoteHost\": \"10.90.1.5\",\n \"remoteUsername\": \"xadmin\",\n \"remotePassword\": \"pleaseUseVault123!!\"\n }\n }\n}",
+ "content_base64": null,
+ "directory_permission": "0777",
+ "file_permission": "0777",
+ "filename": "one_tier/firewall/vm01_do_data.json",
+ "id": "619e38f08d30c2bc5f2ae286a8e080df6e918a9f",
+ "sensitive_content": null,
+ "source": null
+ },
+ "private": "bnVsbA==",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_subnet.internal",
+ "azurerm_subnet.mgmt",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.data.http.onboard",
+ "module.firewall_one.data.template_file.vm01_do_json"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "local_file",
+ "name": "vm02_do_file",
+ "provider": "provider[\"registry.terraform.io/hashicorp/local\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "content": "{\n \"schemaVersion\": \"1.9.0\",\n \"class\": \"Device\",\n \"async\": true,\n \"label\": \"Basic onboarding\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"hostname\": \"f5vm02.example.com\",\n \"dbvars\": {\n \t\"class\": \"DbVariables\",\n \t\"ui.advisory.enabled\": true,\n \t\"ui.advisory.color\": \"green\",\n \"ui.advisory.text\": \"//UNCLASSIFIED//\",\n \"ui.system.preferences.advancedselection\": \"advanced\",\n \"ui.system.preferences.recordsperscreen\": \"100\",\n \"ui.system.preferences.startscreen\": \"network_map\",\n \"ui.users.redirectsuperuserstoauthsummary\": \"true\",\n \"dns.cache\": \"enable\",\n \"config.allow.rfc3927\": \"enable\",\n \"big3d.minimum.tls.version\": \"TLSV1.2\",\n \"liveinstall.checksig\": \"enable\"\n },\n \"RemoteSyslog\": {\n \"class\": \"SyslogRemoteServer\",\n \"host\": \"10.90.10.101\",\n \"localIp\": \"10.90.1.5\",\n \"remotePort\": 514\n },\n \"system\":{\n \"class\": \"System\",\n \"autoCheck\": false,\n \"autoPhonehome\": false,\n \"cliInactivityTimeout\": 900,\n \"consoleInactivityTimeout\": 900,\n \"guiAuditLog\": true,\n \"mcpAuditLog\": \"enable\",\n \"tmshAuditLog\": true\n },\n \"httpd\": {\n \"class\": \"HTTPD\",\n \"maxClients\": \"10\",\n \"authPamIdleTimeout\": \"900\",\n \"sslCiphersuite\": [\"ECDHE-ECDSA-AES256-GCM-SHA384\", \"ECDHE-ECDSA-AES256-SHA384\", \"ECDHE-ECDSA-AES256-SHA\",\"ECDH-ECDSA-AES256-GCM-SHA384\", \"ECDH-ECDSA-AES256-SHA384\", \"ECDH-ECDSA-AES256-SHA\", \"AES256-GCM-SHA384\", \"AES256-SHA256\", \"AES256-SHA\", \"CAMELLIA256-SHA\", \"ECDHE-RSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-GCM-SHA256\", \"ECDHE-ECDSA-AES128-SHA256\", \"ECDHE-RSA-AES128-SHA\", \"ECDHE-ECDSA-AES128-SHA\", \"ECDH-ECDSA-AES128-GCM-SHA256\", \"ECDH-ECDSA-AES128-SHA256\", \"ECDH-ECDSA-AES128-SHA\", \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES128-SHA\", \"SEED-SHA\", \"CAMELLIA128-SHA\"],\n \"sslProtocol\": \"all -SSLv2 -SSLv3 -TLSv1\"\n },\n \"sshd\": {\n \"class\": \"SSHD\",\n \"banner\": \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\",\n \"inactivityTimeout\": 900,\n \"ciphers\": [\n \"aes128-ctr\",\n \"aes192-ctr\",\n \"aes256-ctr\"\n ],\n \"loginGraceTime\": 60,\n \"MACS\": [\n \"hmac-sha1\",\n \"hmac-ripemd160\"\n ],\n \"maxAuthTries\": 3,\n \"maxStartups\": \"5\",\n \"protocol\": 2\n },\n \"myDns\": {\n \"class\": \"DNS\",\n \"nameServers\": [\n \"168.63.129.16\",\n \"2001:4860:4860::8844\"\n ],\n \"search\": [\n \"f5.com\"\n ]\n },\n \"myNtp\": {\n \"class\": \"NTP\",\n \"servers\": [\n \"time.nist.gov\",\n \"0.pool.ntp.org\",\n \"1.pool.ntp.org\"\n ],\n \"timezone\": \"UTC\"\n },\n \"myProvisioning\": {\n \"class\": \"Provision\",\n \"ltm\": \"nominal\",\n \"asm\": \"nominal\",\n \"afm\": \"nominal\"\n },\n \"external\": {\n \"class\": \"VLAN\",\n \"tag\": 4094,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.1\",\n \"tagged\": false\n }\n ]\n },\n \"internal\": {\n \"class\": \"VLAN\",\n \"tag\": 4093,\n \"mtu\": 1500,\n \"interfaces\": [\n {\n \"name\": \"1.2\",\n \"tagged\": false\n }\n ]\n },\n \"external-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.1.5/24\",\n \"vlan\": \"external\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internal-self\": {\n \"class\": \"SelfIp\",\n \"address\": \"10.90.2.5/24\",\n \"vlan\": \"internal\",\n \"allowService\": \"default\",\n \"trafficGroup\": \"traffic-group-local-only\"\n },\n \"internet\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.1.1\",\n \"network\": \"default\",\n \"mtu\": 1500\n },\n \"vdms\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.3.0/24\",\n \"mtu\": 1500\n },\n \"vdss\": {\n \"class\": \"Route\",\n \"gw\": \"10.90.2.1\",\n \"network\": \"10.90.0.0/16\",\n \"mtu\": 1500\n },\n \"configsync\": {\n \"class\": \"ConfigSync\",\n \"configsyncIp\": \"/Common/external-self/address\"\n },\n \"failoverAddress\": {\n \"class\": \"FailoverUnicast\",\n \"address\": \"/Common/external-self/address\"\n },\n \"failoverGroup\": {\n \"class\": \"DeviceGroup\",\n \"type\": \"sync-failover\",\n \"members\": [\n \"f5vm01.example.com\",\n \"f5vm02.example.com\"\n ],\n \"owner\": \"/Common/failoverGroup/members/0\",\n \"autoSync\": true,\n \"saveOnAutoSync\": false,\n \"networkFailover\": true,\n \"fullLoadOnSync\": false,\n \"asmSync\": true\n },\n \"trust\": {\n \"class\": \"DeviceTrust\",\n \"localUsername\": \"xadmin\",\n \"localPassword\": \"pleaseUseVault123!!\",\n \"remoteHost\": \"10.90.1.4\",\n \"remoteUsername\": \"xadmin\",\n \"remotePassword\": \"pleaseUseVault123!!\"\n }\n }\n}",
+ "content_base64": null,
+ "directory_permission": "0777",
+ "file_permission": "0777",
+ "filename": "one_tier/firewall/vm02_do_data.json",
+ "id": "c6b22181bc2c667ccc7e5d5b445e7c1d094139c9",
+ "sensitive_content": null,
+ "source": null
+ },
+ "private": "bnVsbA==",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.external",
+ "azurerm_subnet.internal",
+ "azurerm_subnet.mgmt",
+ "azurerm_virtual_network.main",
+ "module.firewall_one.data.http.onboard",
+ "module.firewall_one.data.template_file.vm02_do_json"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "local_file",
+ "name": "vm_as3_file",
+ "provider": "provider[\"registry.terraform.io/hashicorp/local\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "content": "{\n \"$schema\": \"https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json\",\n \"class\":\"AS3\",\n \"action\":\"deploy\",\n \"persist\":true,\n \"declaration\": { \n \"class\": \"ADC\",\n \"schemaVersion\": \"3.12.0\",\n \"id\": \"05faeb52-4c1b-9fa3-73be-ecd770a57df0\",\n \"label\": \"scca baseline\",\n \"remark\": \"scca baseline 3.12.0\",\n \"Common\": {\n \"class\": \"Tenant\",\n \"Shared\": {\n \"class\": \"Application\",\n \"template\": \"shared\",\n \"fwLogDestinationSyslog\": {\n \"class\": \"Log_Destination\",\n \"type\": \"remote-syslog\",\n \"remoteHighSpeedLog\": {\n \"use\": \"fwLogDestinationHsl\"\n },\n \"format\": \"rfc5424\"\n },\n \"fwLogDestinationHsl\": {\n \"class\": \"Log_Destination\",\n \"type\": \"remote-high-speed-log\",\n \"protocol\": \"tcp\",\n \"pool\": {\n \"use\": \"hsl_pool\"\n }\n },\n \"hsl_pool\": {\n \"class\": \"Pool\",\n \"members\": [\n {\n \"serverAddresses\": [\n \"10.90.10.101\"\n ],\n \"enable\": true,\n \"servicePort\": 514\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/udp\"\n }\n ]\n },\n \"fwLogPublisher\": {\n \"class\": \"Log_Publisher\",\n \"destinations\": [\n {\n \"use\": \"fwLogDestinationSyslog\"\n }\n ]\n },\n \"fwSecurityLogProfile\": {\n \"class\": \"Security_Log_Profile\",\n \"network\": {\n \"publisher\": {\n \"use\": \"fwLogPublisher\"\n },\n \"storageFormat\": {\n \"fields\": [\n \"action\",\n \"dest-ip\",\n \"dest-port\",\n \"src-ip\",\n \"src-port\"\n ]\n },\n \"logTranslationFields\": true,\n \"logTcpEvents\": true,\n \"logRuleMatchRejects\": true,\n \"logTcpErrors\": true,\n \"logIpErrors\": true,\n \"logRuleMatchDrops\": true,\n \"logRuleMatchAccepts\": true\n },\n \"application\": {\n \"facility\": \"local3\",\n \"storageFilter\": {\n \"requestType\": \"illegal-including-staged-signatures\",\n \"responseCodes\": [\n \"404\",\n \"201\"\n ],\n \"protocols\": [\n \"http\"\n ],\n \"httpMethods\": [\n \"PATCH\",\n \"DELETE\"\n ],\n \"requestContains\": {\n \"searchIn\": \"search-in-request\",\n \"value\": \"The new value\"\n },\n \"loginResults\": [\n \"login-result-unknown\"\n ]\n },\n \"storageFormat\": {\n \"fields\": [\n \"attack_type\",\n \"avr_id\",\n \"headers\",\n \"is_truncated\"\n ],\n \"delimiter\": \".\"\n },\n \"localStorage\": false,\n \"maxEntryLength\": \"10k\",\n \"protocol\": \"udp\",\n \"remoteStorage\": \"remote\",\n \"reportAnomaliesEnabled\": true,\n \"servers\": [\n {\n \"address\": \"10.90.10.101\",\n \"port\": \"514\"\n }\n ]\n },\n \"dosApplication\": {\n \"remotePublisher\": {\n \"use\": \"fwLogPublisher\"\n }\n },\n \"dosNetwork\": {\n \"publisher\": {\n \"use\": \"fwLogPublisher\"\n }\n }\n },\n \"example_response\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"sccaBaselineWAFPolicy\":{\n \"class\": \"WAF_Policy\",\n \"url\": \"https://raw.githubusercontent.com/f5devcentral/f5-asm-policy-templates/master/owasp_ready_template/owasp-auto-tune-v1.1.xml\",\n \"ignoreChanges\": false,\n \"enforcementMode\": \"transparent\"\n },\n \"certificate_default\": {\n \"class\": \"Certificate\",\n \"certificate\": {\n \"bigip\": \"/Common/default.crt\"\n },\n \"privateKey\": {\n \"bigip\": \"/Common/default.key\"\n }\n },\n \"sccaBaselineClientSSL\": {\n \"certificates\": [\n {\n \"certificate\": \"certificate_default\"\n }\n ],\n \"ciphers\": \"HIGH\",\n \"class\": \"TLS_Server\"\n },\n \"sccaBaselineAFMRuleList\":{\n \"class\": \"Firewall_Rule_List\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n }\n ]\n },\n \"sccaBaselineAFMPolicy\": {\n \"class\": \"Firewall_Policy\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n },\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"deny_all\",\n \"protocol\": \"any\"\n }\n ]\n \n },\n \"sccaBaselineAFMPolicyHTTP\": {\n \"class\": \"Firewall_Policy\",\n \"rules\": [\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"allow_all\",\n \"protocol\": \"any\"\n },\n {\n \"action\": \"accept\",\n \"loggingEnabled\": true,\n \"name\": \"deny_all\",\n \"protocol\": \"any\"\n }\n ]\n \n }\n }\n },\n \"transit\": {\n \"class\": \"Tenant\",\n \"transit\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"transit_forward\": {\n \"class\": \"Service_Forwarding\",\n \"virtualAddresses\": [\n \"0.0.0.0/0\"\n ],\n \"profileL4\": {\n \"use\": \"route_friendly_fastl4\"\n },\n \"virtualPort\": 0,\n \"forwardingType\": \"ip\",\n \"layer4\": \"any\",\n \"snat\": \"auto\",\n \"translateServerAddress\": false,\n \"translateServerPort\": false,\n \"translateClientPort\": \"preserve-strict\"\n },\n \"route_friendly_fastl4\": {\n \"class\": \"L4_Profile\",\n \"idleTimeout\": 300,\n \"looseClose\": true,\n \"looseInitialization\": true,\n \"resetOnTimeout\": false\n },\n \"transit_health_irule\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"transit_health\": {\n \"class\": \"Service_HTTP\",\n \"layer4\": \"tcp\",\n \"iRules\": [\n \"transit_health_irule\"\n ],\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.2.11\",\n \"10.90.2.12\"\n ],\n \"virtualPort\": 34568,\n \"snat\": \"none\"\n }\n }\n },\n \"mgmt\": {\n \"class\": \"Tenant\",\n \"admin\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"rdp_pool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 3389,\n \"serverAddresses\": [\n \"10.90.3.98\"\n ]\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/tcp_half_open\"\n }\n ],\n \"class\": \"Pool\"\n },\n \"ssh_pool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 22,\n \"serverAddresses\": [\n \"10.90.3.99\"\n ]\n }\n ],\n \"monitors\": [\n {\n \"bigip\": \"/Common/tcp_half_open\"\n }\n ],\n \"class\": \"Pool\"\n },\n \"mgmt_health_irule\": {\n \"class\": \"iRule\",\n \"iRule\": \"when HTTP_REQUEST {\\n HTTP::respond 200 content {\\n \u003chtml\u003e\\n \u003chead\u003e\\n \u003ctitle\u003eHealth Check\u003c/title\u003e\\n \u003c/head\u003e\\n \u003cbody\u003e\\n System is online.\\n \u003c/body\u003e\\n \u003c/html\u003e\\n }\\n}\"\n },\n \"mgmt_http\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"iRules\": [\n \"mgmt_health_irule\"\n ],\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 80,\n \"snat\": \"none\"\n },\n \"mgmt_rdp\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"pool\": \"rdp_pool\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_TCP\",\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 3389,\n \"snat\": \"auto\"\n },\n \"mgmt_ssh\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"pool\": \"ssh_pool\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_TCP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.11\",\n \"10.90.1.12\"\n ],\n \"virtualPort\": 22,\n \"snat\": \"auto\"\n }\n }\n }, \n \"Example\": {\n \"class\": \"Tenant\",\n \"exampleApp\": {\n \"class\": \"Application\",\n \"template\": \"generic\",\n \"sccaBaselineExampleIPS\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicy\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": false,\n \"class\": \"Service_TCP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 0,\n \"snat\": \"auto\",\n \"pool\": \"sccaBaselineIPSPool\"\n \n },\n \"sccaBaselineExampleHTTPS\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicyHTTP\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTPS\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"serverTLS\": \"/Common/Shared/sccaBaselineClientSSL\",\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 443,\n \"snat\": \"auto\",\n \"policyWAF\": {\n \"use\": \"/Common/Shared/sccaBaselineWAFPolicy\"\n },\n \"pool\": \"sccaBaselineJuiceShop\"\n }, \n \"sccaBaselineExampleHTTP\": {\n \"policyFirewallEnforced\": {\n \"use\": \"/Common/Shared/sccaBaselineAFMPolicyHTTP\"\n },\n \"layer4\": \"tcp\",\n \"securityLogProfiles\": [\n {\n \"use\": \"/Common/Shared/fwSecurityLogProfile\"\n }\n ],\n \"translateServerAddress\": true,\n \"translateServerPort\": true,\n \"class\": \"Service_HTTP\",\n \"profileDOS\": {\n \"bigip\": \"/Common/dos\"\n },\n \"profileHTTP\": {\n \"bigip\": \"/Common/http\"\n },\n \"profileTCP\": {\n \"bigip\": \"/Common/tcp\"\n },\n \"virtualAddresses\": [\n \"10.90.1.0/24\"\n ],\n \"virtualPort\": 8080,\n \"snat\": \"auto\",\n \"policyWAF\": {\n \"use\": \"/Common/Shared/sccaBaselineWAFPolicy\"\n },\n \"pool\": \"sccaBaselinePimpMyLogs\"\n },\n \"sccaBaselineIPSPool\": {\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 443,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineJuiceShop\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 3000,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n\n \"sccaBaselinePimpMyLogs\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\": 8080,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineDemoAppHttps\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/https\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\":443,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n },\n \"sccaBaselineDemoAppHttp\": {\n \"monitors\": [\n {\n \"bigip\": \"/Common/http\"\n }\n ],\n \"members\": [\n {\n \"addressDiscovery\": \"static\",\n \"servicePort\":80,\n \"serverAddresses\": [\n \"10.90.10.101\"\n ]\n }\n ],\n \"class\": \"Pool\"\n }\n }\n }\n }\n}",
+ "content_base64": null,
+ "directory_permission": "0777",
+ "file_permission": "0777",
+ "filename": "one_tier/firewall/vm_as3_data.json",
+ "id": "92ef5110bf2762aee590969dd379d79a85692211",
+ "sensitive_content": null,
+ "source": null
+ },
+ "private": "bnVsbA==",
+ "dependencies": [
+ "module.firewall_one.data.http.appservice",
+ "module.firewall_one.data.template_file.as3_json",
+ "module.firewall_one.random_uuid.as3_uuid"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.firewall_one[0]",
+ "mode": "managed",
+ "type": "random_uuid",
+ "name": "as3_uuid",
+ "provider": "provider[\"registry.terraform.io/hashicorp/random\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "9b082a0e-1692-b7f2-fc4e-14af4581e178",
+ "keepers": null,
+ "result": "9b082a0e-1692-b7f2-fc4e-14af4581e178"
+ },
+ "private": "bnVsbA=="
+ }
+ ]
+ },
+ {
+ "module": "module.jump_one",
+ "mode": "managed",
+ "type": "azurerm_network_interface",
+ "name": "linuxJump-ext-nic",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "applied_dns_servers": [],
+ "dns_servers": [],
+ "enable_accelerated_networking": false,
+ "enable_ip_forwarding": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-linuxJump-ext-nic",
+ "internal_dns_name_label": "",
+ "internal_domain_name_suffix": "twdmxz2tn41ebcvfxvog5hfj3g.ax.internal.usgovcloudapp.net",
+ "ip_configuration": [
+ {
+ "name": "primary",
+ "primary": true,
+ "private_ip_address": "10.90.3.99",
+ "private_ip_address_allocation": "Static",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/vdms"
+ }
+ ],
+ "location": "usgovvirginia",
+ "mac_address": "",
+ "name": "bedfe9a3-linuxJump-ext-nic",
+ "private_ip_address": "10.90.3.99",
+ "private_ip_addresses": [
+ "10.90.3.99"
+ ],
+ "resource_group_name": "bedfe9a3_rg",
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null,
+ "virtual_machine_id": ""
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.vdms",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.jump_one",
+ "mode": "managed",
+ "type": "azurerm_network_interface",
+ "name": "winjump-ext-nic",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "applied_dns_servers": [],
+ "dns_servers": [],
+ "enable_accelerated_networking": false,
+ "enable_ip_forwarding": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-winjump-ext-nic",
+ "internal_dns_name_label": "",
+ "internal_domain_name_suffix": "twdmxz2tn41ebcvfxvog5hfj3g.ax.internal.usgovcloudapp.net",
+ "ip_configuration": [
+ {
+ "name": "primary",
+ "primary": true,
+ "private_ip_address": "10.90.3.98",
+ "private_ip_address_allocation": "Static",
+ "private_ip_address_version": "IPv4",
+ "public_ip_address_id": "",
+ "subnet_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/virtualNetworks/bedfe9a3-network/subnets/vdms"
+ }
+ ],
+ "location": "usgovvirginia",
+ "mac_address": "",
+ "name": "bedfe9a3-winjump-ext-nic",
+ "private_ip_address": "10.90.3.98",
+ "private_ip_addresses": [
+ "10.90.3.98"
+ ],
+ "resource_group_name": "bedfe9a3_rg",
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null,
+ "virtual_machine_id": ""
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.vdms",
+ "azurerm_virtual_network.main"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.jump_one",
+ "mode": "managed",
+ "type": "azurerm_network_interface_security_group_association",
+ "name": "linuxJump-ext-nsg",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-linuxJump-ext-nic|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-linuxJump-ext-nic",
+ "network_security_group_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_network_security_group.main",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.vdms",
+ "azurerm_virtual_network.main",
+ "module.jump_one.azurerm_network_interface.linuxJump-ext-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.jump_one",
+ "mode": "managed",
+ "type": "azurerm_network_interface_security_group_association",
+ "name": "winjump-ext-nsg",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-winjump-ext-nic|/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "network_interface_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-winjump-ext-nic",
+ "network_security_group_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkSecurityGroups/bedfe9a3-nsg",
+ "timeouts": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_network_security_group.main",
+ "azurerm_resource_group.main",
+ "azurerm_subnet.vdms",
+ "azurerm_virtual_network.main",
+ "module.jump_one.azurerm_network_interface.winjump-ext-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.jump_one",
+ "mode": "managed",
+ "type": "azurerm_virtual_machine",
+ "name": "linuxJump",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "additional_capabilities": [],
+ "availability_set_id": null,
+ "boot_diagnostics": [],
+ "delete_data_disks_on_termination": false,
+ "delete_os_disk_on_termination": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/virtualMachines/bedfe9a3-linuxJump",
+ "identity": [],
+ "license_type": null,
+ "location": "usgovvirginia",
+ "name": "bedfe9a3-linuxJump",
+ "network_interface_ids": [
+ "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-linuxJump-ext-nic"
+ ],
+ "os_profile": [
+ {
+ "admin_password": "pleaseUseVault123!!",
+ "admin_username": "xadmin",
+ "computer_name": "linuxJump",
+ "custom_data": "c6a4ca0f0fb4c95a653875d1a77691a2e902fdca"
+ }
+ ],
+ "os_profile_linux_config": [
+ {
+ "disable_password_authentication": false,
+ "ssh_keys": []
+ }
+ ],
+ "os_profile_secrets": [],
+ "os_profile_windows_config": [],
+ "plan": [],
+ "primary_network_interface_id": null,
+ "proximity_placement_group_id": null,
+ "resource_group_name": "bedfe9a3_rg",
+ "storage_data_disk": [],
+ "storage_image_reference": [
+ {
+ "id": "",
+ "offer": "UbuntuServer",
+ "publisher": "Canonical",
+ "sku": "16.04.0-LTS",
+ "version": "latest"
+ }
+ ],
+ "storage_os_disk": [
+ {
+ "caching": "ReadWrite",
+ "create_option": "FromImage",
+ "disk_size_gb": 30,
+ "image_uri": "",
+ "managed_disk_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/disks/bedfe9a3-linuxJumpOsDisk",
+ "managed_disk_type": "Premium_LRS",
+ "name": "bedfe9a3-linuxJumpOsDisk",
+ "os_type": "Linux",
+ "vhd_uri": "",
+ "write_accelerator_enabled": false
+ }
+ ],
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null,
+ "vm_size": "Standard_B2s",
+ "zones": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozNjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjozNjAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.vdms",
+ "azurerm_virtual_network.main",
+ "module.jump_one.azurerm_network_interface.linuxJump-ext-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.jump_one",
+ "mode": "managed",
+ "type": "azurerm_virtual_machine",
+ "name": "winJump",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "additional_capabilities": [],
+ "availability_set_id": null,
+ "boot_diagnostics": [],
+ "delete_data_disks_on_termination": false,
+ "delete_os_disk_on_termination": false,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/virtualMachines/bedfe9a3-winJump",
+ "identity": [],
+ "license_type": null,
+ "location": "usgovvirginia",
+ "name": "bedfe9a3-winJump",
+ "network_interface_ids": [
+ "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Network/networkInterfaces/bedfe9a3-winjump-ext-nic"
+ ],
+ "os_profile": [
+ {
+ "admin_password": "pleaseUseVault123!!",
+ "admin_username": "xadmin",
+ "computer_name": "winJump",
+ "custom_data": "d7786bf1275be5b58126a25f5b3b12aa506273be"
+ }
+ ],
+ "os_profile_linux_config": [],
+ "os_profile_secrets": [],
+ "os_profile_windows_config": [
+ {
+ "additional_unattend_config": [],
+ "enable_automatic_upgrades": false,
+ "provision_vm_agent": true,
+ "timezone": "UTC",
+ "winrm": []
+ }
+ ],
+ "plan": [],
+ "primary_network_interface_id": null,
+ "proximity_placement_group_id": null,
+ "resource_group_name": "bedfe9a3_rg",
+ "storage_data_disk": [],
+ "storage_image_reference": [
+ {
+ "id": "",
+ "offer": "WindowsServer",
+ "publisher": "MicrosoftWindowsServer",
+ "sku": "2016-Datacenter",
+ "version": "latest"
+ }
+ ],
+ "storage_os_disk": [
+ {
+ "caching": "ReadWrite",
+ "create_option": "FromImage",
+ "disk_size_gb": 127,
+ "image_uri": "",
+ "managed_disk_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/disks/bedfe9a3-winJump-os",
+ "managed_disk_type": "Premium_LRS",
+ "name": "bedfe9a3-winJump-os",
+ "os_type": "Windows",
+ "vhd_uri": "",
+ "write_accelerator_enabled": false
+ }
+ ],
+ "tags": {
+ "application": "f5app",
+ "costcenter": "f5costcenter",
+ "environment": "f5env",
+ "group": "f5group",
+ "owner": "f5owner",
+ "purpose": "public"
+ },
+ "timeouts": null,
+ "vm_size": "Standard_B2s",
+ "zones": null
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozNjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjozNjAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.vdms",
+ "azurerm_virtual_network.main",
+ "module.jump_one.azurerm_network_interface.winjump-ext-nic"
+ ]
+ }
+ ]
+ },
+ {
+ "module": "module.jump_one",
+ "mode": "managed",
+ "type": "azurerm_virtual_machine_extension",
+ "name": "winJump-run-startup-cmd",
+ "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "auto_upgrade_minor_version": true,
+ "id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/virtualMachines/bedfe9a3-winJump/extensions/bedfe9a3-winJump-run-startup-cmd",
+ "name": "bedfe9a3-winJump-run-startup-cmd",
+ "protected_settings": " {\n \"commandToExecute\": \"powershell -ExecutionPolicy unrestricted -NoProfile -NonInteractive -command \\\"cp c:/azuredata/customdata.bin c:/azuredata/install.ps1; c:/azuredata/install.ps1\\\"; exit 0;\"\n }\n",
+ "publisher": "Microsoft.Compute",
+ "settings": null,
+ "tags": null,
+ "timeouts": null,
+ "type": "CustomScriptExtension",
+ "type_handler_version": "1.9",
+ "virtual_machine_id": "/subscriptions/a0b713be-1237-4769-8647-f0f281a998c9/resourceGroups/bedfe9a3_rg/providers/Microsoft.Compute/virtualMachines/bedfe9a3-winJump"
+ },
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxODAwMDAwMDAwMDAwLCJkZWxldGUiOjE4MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjoxODAwMDAwMDAwMDAwfX0=",
+ "dependencies": [
+ "azurerm_resource_group.main",
+ "azurerm_subnet.vdms",
+ "azurerm_virtual_network.main",
+ "module.jump_one.azurerm_network_interface.winjump-ext-nic",
+ "module.jump_one.azurerm_virtual_machine.winJump"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/three_tier/firewall/bigip.tf b/three_tier/firewall/bigip.tf
new file mode 100644
index 0000000..97188d2
--- /dev/null
+++ b/three_tier/firewall/bigip.tf
@@ -0,0 +1,523 @@
+# # Create a Public IP for the Virtual Machines
+# resource azurerm_public_ip f5vmpip01 {
+# name = "${var.prefix}-vm01-mgmt-pip01-delete-me"
+# location = var.resourceGroup.location
+# resource_group_name = var.resourceGroup.name
+# allocation_method = "Static"
+# sku = "Standard"
+
+# tags = {
+# Name = "${var.prefix}-f5vm-public-ip"
+# }
+# }
+# resource azurerm_public_ip f5vmpip02 {
+# name = "${var.prefix}-vm02-mgmt-pip02-delete-me"
+# location = var.resourceGroup.location
+# resource_group_name = var.resourceGroup.name
+# allocation_method = "Static"
+# sku = "Standard"
+
+# tags = {
+# Name = "${var.prefix}-f5vm-public-ip"
+# }
+# }
+
+# Obtain Gateway IP for each Subnet
+locals {
+ depends_on = [var.subnetMgmt.id, var.subnetExternal.id]
+ mgmt_gw = cidrhost(var.subnetMgmt.address_prefix, 1)
+ ext_gw = cidrhost(var.subnetExternal.address_prefix, 1)
+ int_gw = cidrhost(var.subnetInternal.address_prefix, 1)
+}
+
+# Create the first network interface card for Management
+resource azurerm_network_interface vm01-mgmt-nic {
+ name = "${var.prefix}-vm01-mgmt-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetMgmt.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_mgmt["f5vm01mgmt"]
+ #public_ip_address_id = azurerm_public_ip.f5vmpip01.id
+ }
+
+ tags = var.tags
+}
+
+# Associate the Network Interface to the ManagementPool
+resource azurerm_network_interface_backend_address_pool_association mpool_assc_vm01 {
+ network_interface_id = azurerm_network_interface.vm01-mgmt-nic.id
+ ip_configuration_name = "primary"
+ #backend_address_pool_id = var.managementPool.id
+ backend_address_pool_id = var.primaryPool.id
+}
+# Associate the Network Interface to the ManagementPool
+resource azurerm_network_interface_backend_address_pool_association mpool_assc_vm02 {
+ network_interface_id = azurerm_network_interface.vm02-mgmt-nic.id
+ ip_configuration_name = "primary"
+ #backend_address_pool_id = var.managementPool.id
+ backend_address_pool_id = var.primaryPool.id
+}
+
+resource azurerm_network_interface_security_group_association bigip01-mgmt-nsg {
+ network_interface_id = azurerm_network_interface.vm01-mgmt-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+resource azurerm_network_interface vm02-mgmt-nic {
+ name = "${var.prefix}-vm02-mgmt-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetMgmt.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_mgmt["f5vm02mgmt"]
+ #public_ip_address_id = azurerm_public_ip.f5vmpip02.id
+ }
+
+ tags = var.tags
+}
+
+resource azurerm_network_interface_security_group_association bigip02-mgmt-nsg {
+ network_interface_id = azurerm_network_interface.vm02-mgmt-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+# Create the second network interface card for External
+resource azurerm_network_interface vm01-ext-nic {
+ name = "${var.prefix}-vm01-ext-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = var.bigip_version == "latest" ? true : false
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetExternal.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_t1_ext["f5vm01ext"]
+ primary = true
+ }
+
+ ip_configuration {
+ name = "secondary"
+ subnet_id = var.subnetExternal.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_t1_ext["f5vm01ext_sec"]
+ }
+
+ tags = {
+ Name = "${var.prefix}-vm01-ext-int"
+ environment = var.tags["environment"]
+ owner = var.tags["owner"]
+ group = var.tags["group"]
+ costcenter = var.tags["costcenter"]
+ application = var.tags["application"]
+ f5_cloud_failover_label = "saca"
+ f5_cloud_failover_nic_map = "external"
+ }
+}
+
+resource azurerm_network_interface_security_group_association bigip01-ext-nsg {
+ network_interface_id = azurerm_network_interface.vm01-ext-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+resource azurerm_network_interface vm02-ext-nic {
+ name = "${var.prefix}-vm02-ext-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = var.bigip_version == "latest" ? true : false
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetExternal.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_t1_ext["f5vm02ext"]
+ primary = true
+ }
+
+ ip_configuration {
+ name = "secondary"
+ subnet_id = var.subnetExternal.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_t1_ext["f5vm02ext_sec"]
+ }
+
+ tags = {
+ Name = "${var.prefix}-vm01-ext-int"
+ environment = var.tags["environment"]
+ owner = var.tags["owner"]
+ group = var.tags["group"]
+ costcenter = var.tags["costcenter"]
+ application = var.tags["application"]
+ f5_cloud_failover_label = "saca"
+ f5_cloud_failover_nic_map = "external"
+ }
+}
+
+resource azurerm_network_interface_security_group_association bigip02-ext-nsg {
+ network_interface_id = azurerm_network_interface.vm02-ext-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+# Create the third network interface card for Internal
+resource azurerm_network_interface vm01-int-nic {
+ name = "${var.prefix}-vm01-int-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = var.bigip_version == "latest" ? true : false
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetInternal.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_t1_int["f5vm01int"]
+ primary = true
+ }
+
+ ip_configuration {
+ name = "secondary"
+ subnet_id = var.subnetInternal.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_t1_int["f5vm01int_sec"]
+ }
+
+ tags = var.tags
+}
+
+resource azurerm_network_interface_security_group_association bigip01-int-nsg {
+ network_interface_id = azurerm_network_interface.vm01-int-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+resource azurerm_network_interface vm02-int-nic {
+ name = "${var.prefix}-vm02-int-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = var.bigip_version == "latest" ? true : false
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetInternal.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_t1_int["f5vm02int"]
+ primary = true
+ }
+
+ ip_configuration {
+ name = "secondary"
+ subnet_id = var.subnetInternal.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_t1_int["f5vm02int_sec"]
+ }
+
+ tags = var.tags
+}
+
+resource azurerm_network_interface_security_group_association bigip02-int-nsg {
+ network_interface_id = azurerm_network_interface.vm02-int-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+# Associate the External Network Interface to the BackendPool
+resource azurerm_network_interface_backend_address_pool_association bpool_assc_vm01 {
+ network_interface_id = azurerm_network_interface.vm01-ext-nic.id
+ ip_configuration_name = "secondary"
+ backend_address_pool_id = var.backendPool.id
+}
+
+resource azurerm_network_interface_backend_address_pool_association bpool_assc_vm02 {
+ network_interface_id = azurerm_network_interface.vm02-ext-nic.id
+ ip_configuration_name = "secondary"
+ backend_address_pool_id = var.backendPool.id
+}
+
+resource azurerm_network_interface_backend_address_pool_association primary_pool_assc_vm01 {
+ network_interface_id = azurerm_network_interface.vm01-ext-nic.id
+ ip_configuration_name = "primary"
+ backend_address_pool_id = var.primaryPool.id
+}
+
+resource azurerm_network_interface_backend_address_pool_association primary_pool_assc_vm02 {
+ network_interface_id = azurerm_network_interface.vm02-ext-nic.id
+ ip_configuration_name = "primary"
+ backend_address_pool_id = var.primaryPool.id
+}
+
+# attach interfaces to backend pool
+resource azurerm_network_interface_backend_address_pool_association int_bpool_assc_vm01 {
+ network_interface_id = azurerm_network_interface.vm01-int-nic.id
+ ip_configuration_name = "secondary"
+ backend_address_pool_id = var.internalBackPool.id
+}
+
+resource azurerm_network_interface_backend_address_pool_association int_bpool_assc_vm02 {
+ network_interface_id = azurerm_network_interface.vm02-int-nic.id
+ ip_configuration_name = "secondary"
+ backend_address_pool_id = var.internalBackPool.id
+}
+
+# Create F5 BIGIP VMs
+resource azurerm_virtual_machine f5vm01 {
+ name = "${var.prefix}-f5vm01"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+ primary_network_interface_id = azurerm_network_interface.vm01-mgmt-nic.id
+ network_interface_ids = [azurerm_network_interface.vm01-mgmt-nic.id, azurerm_network_interface.vm01-ext-nic.id, azurerm_network_interface.vm01-int-nic.id]
+ vm_size = var.instanceType
+ availability_set_id = var.availabilitySet.id
+
+ delete_os_disk_on_termination = true
+ delete_data_disks_on_termination = true
+
+ storage_image_reference {
+ publisher = "f5-networks"
+ offer = var.product
+ sku = var.image_name
+ version = var.bigip_version
+ }
+
+ storage_os_disk {
+ name = "${var.prefix}-vm01-osdisk"
+ caching = "ReadWrite"
+ create_option = "FromImage"
+ managed_disk_type = "Standard_LRS"
+ }
+
+ os_profile {
+ computer_name = "${var.prefix}vm01"
+ admin_username = var.adminUserName
+ admin_password = var.adminPassword
+ }
+
+ os_profile_linux_config {
+ disable_password_authentication = false
+ }
+
+ plan {
+ name = var.image_name
+ publisher = "f5-networks"
+ product = var.product
+ }
+
+ tags = var.tags
+}
+
+resource azurerm_virtual_machine f5vm02 {
+ name = "${var.prefix}-f5vm02"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+ primary_network_interface_id = azurerm_network_interface.vm02-mgmt-nic.id
+ network_interface_ids = [azurerm_network_interface.vm02-mgmt-nic.id, azurerm_network_interface.vm02-ext-nic.id, azurerm_network_interface.vm02-int-nic.id]
+ vm_size = var.instanceType
+ availability_set_id = var.availabilitySet.id
+
+ delete_os_disk_on_termination = true
+ delete_data_disks_on_termination = true
+
+ storage_image_reference {
+ publisher = "f5-networks"
+ offer = var.product
+ sku = var.image_name
+ version = var.bigip_version
+ }
+
+ storage_os_disk {
+ name = "${var.prefix}-vm02-osdisk"
+ caching = "ReadWrite"
+ create_option = "FromImage"
+ managed_disk_type = "Standard_LRS"
+ }
+
+ os_profile {
+ computer_name = "${var.prefix}vm02"
+ admin_username = var.adminUserName
+ admin_password = var.adminPassword
+ }
+
+ os_profile_linux_config {
+ disable_password_authentication = false
+ }
+
+ plan {
+ name = var.image_name
+ publisher = "f5-networks"
+ product = var.product
+ }
+
+ tags = var.tags
+}
+
+# Setup Onboarding scripts
+data template_file vm_onboard {
+ template = file("./templates/onboard.tpl")
+ vars = {
+ uname = var.adminUserName
+ upassword = var.adminPassword
+ doVersion = "latest"
+ as3Version = "latest"
+ tsVersion = "latest"
+ cfVersion = "latest"
+ fastVersion = "1.0.0"
+ doExternalDeclarationUrl = "https://example.domain.com/do.json"
+ as3ExternalDeclarationUrl = "https://example.domain.com/as3.json"
+ tsExternalDeclarationUrl = "https://example.domain.com/ts.json"
+ cfExternalDeclarationUrl = "https://example.domain.com/cf.json"
+ onboard_log = var.onboard_log
+ mgmtGateway = local.mgmt_gw
+ DO1_Document = data.template_file.vm01_do_json.rendered
+ DO2_Document = data.template_file.vm02_do_json.rendered
+ AS3_Document = data.template_file.as3_json.rendered
+ }
+}
+
+# as3 uuid generation
+resource random_uuid as3_uuid {}
+
+data http onboard {
+ url = "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-DO/master/dist/terraform/latest/${var.licenses["license1"] != "" ? "byol" : "payg"}_cluster.json"
+}
+
+data template_file vm01_do_json {
+ template = data.http.onboard.body
+ vars = {
+ host1 = var.hosts["host1"]
+ host2 = var.hosts["host2"]
+ local_host = var.hosts["host1"]
+ external_selfip = "${var.f5_t1_ext["f5vm01ext"]}/${element(split("/", var.subnets["external"]), 1)}"
+ internal_selfip = "${var.f5_t1_int["f5vm01int"]}/${element(split("/", var.subnets["internal"]), 1)}"
+ log_localip = var.f5_t1_ext["f5vm01ext"]
+ log_destination = var.app01ip
+ vdmsSubnet = var.subnets["vdms"]
+ appSubnet = var.subnets["application"]
+ vnetSubnet = var.cidr
+ remote_host = var.hosts["host2"]
+ remote_selfip = var.f5_t1_ext["f5vm02ext"]
+ externalGateway = local.ext_gw
+ internalGateway = local.int_gw
+ mgmtGateway = local.mgmt_gw
+ dns_server = var.dns_server
+ ntp_server = var.ntp_server
+ timezone = var.timezone
+ admin_user = var.adminUserName
+ admin_password = var.adminPassword
+ bigip_regKey = var.licenses["license1"] != "" ? var.licenses["license1"] : ""
+ }
+}
+
+data template_file vm02_do_json {
+ template = data.http.onboard.body
+ vars = {
+ host1 = var.hosts["host1"]
+ host2 = var.hosts["host2"]
+ local_host = var.hosts["host2"]
+ external_selfip = "${var.f5_t1_ext["f5vm02ext"]}/${element(split("/", var.subnets["external"]), 1)}"
+ internal_selfip = "${var.f5_t1_int["f5vm02int"]}/${element(split("/", var.subnets["internal"]), 1)}"
+ log_localip = var.f5_t1_ext["f5vm02ext"]
+ log_destination = var.app01ip
+ vdmsSubnet = var.subnets["vdms"]
+ appSubnet = var.subnets["application"]
+ vnetSubnet = var.cidr
+ remote_host = var.hosts["host1"]
+ remote_selfip = var.f5_t1_ext["f5vm01ext"]
+ externalGateway = local.ext_gw
+ internalGateway = local.int_gw
+ mgmtGateway = local.mgmt_gw
+ dns_server = var.dns_server
+ ntp_server = var.ntp_server
+ timezone = var.timezone
+ admin_user = var.adminUserName
+ admin_password = var.adminPassword
+ bigip_regKey = var.licenses["license2"] != "" ? var.licenses["license2"] : ""
+ }
+}
+
+data http appservice {
+ url = "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/dist/terraform/latest/sccaSingleTier.json"
+}
+
+data template_file as3_json {
+ template = data.http.appservice.body
+ vars = {
+ uuid = random_uuid.as3_uuid.result
+ baseline_waf_policy = var.asm_policy
+ exampleVipAddress = var.f5_t1_ext["f5vm01ext"]
+ exampleVipSubnet = var.subnets["external"]
+ ips_pool_addresses = var.ilb03ip
+ rdp_pool_addresses = var.ilb03ip
+ ssh_pool_addresses = var.ilb03ip
+ app_pool_addresses = var.ilb03ip
+ log_destination = var.ilb03ip
+ example_vs_address = var.subnets["external"]
+ mgmtVipAddress = var.f5_t1_ext["f5vm01ext_sec"]
+ mgmtVipAddress2 = var.f5_t1_ext["f5vm02ext_sec"]
+ transitVipAddress = var.f5_t1_int["f5vm01int_sec"]
+ transitVipAddress2 = var.f5_t1_int["f5vm02int_sec"]
+ }
+}
+
+# Run Startup Script
+resource azurerm_virtual_machine_extension f5vm01-run-startup-cmd {
+ name = "${var.prefix}-f5vm01-run-startup-cmd"
+ depends_on = [azurerm_virtual_machine.f5vm01, azurerm_network_interface_backend_address_pool_association.mpool_assc_vm01, azurerm_network_interface_backend_address_pool_association.mpool_assc_vm02]
+ virtual_machine_id = azurerm_virtual_machine.f5vm01.id
+ publisher = "Microsoft.Azure.Extensions"
+ type = "CustomScript"
+ type_handler_version = "2.0"
+
+ settings = <> ./startup.sh && cat ./startup.sh | base64 -d >> ./startup-script.sh && chmod +x ./startup-script.sh && rm ./startup.sh && bash ./startup-script.sh 1"
+ }
+ SETTINGS
+
+ tags = var.tags
+}
+
+resource azurerm_virtual_machine_extension f5vm02-run-startup-cmd {
+ name = "${var.prefix}-f5vm02-run-startup-cmd"
+ depends_on = [azurerm_virtual_machine.f5vm01, azurerm_virtual_machine.f5vm02, azurerm_network_interface_backend_address_pool_association.mpool_assc_vm01, azurerm_network_interface_backend_address_pool_association.mpool_assc_vm02]
+ virtual_machine_id = azurerm_virtual_machine.f5vm02.id
+ publisher = "Microsoft.Azure.Extensions"
+ type = "CustomScript"
+ type_handler_version = "2.0"
+
+ settings = <> ./startup.sh && cat ./startup.sh | base64 -d >> ./startup-script.sh && chmod +x ./startup-script.sh && rm ./startup.sh && bash ./startup-script.sh 2"
+ }
+ SETTINGS
+
+ tags = var.tags
+}
+
+
+# Debug Template Outputs
+resource local_file vm01_do_file {
+ content = data.template_file.vm01_do_json.rendered
+ filename = "${path.module}/vm01_do_data.json"
+}
+
+resource local_file vm02_do_file {
+ content = data.template_file.vm02_do_json.rendered
+ filename = "${path.module}/vm02_do_data.json"
+}
+
+resource local_file vm_as3_file {
+ content = data.template_file.as3_json.rendered
+ filename = "${path.module}/vm_as3_data.json"
+}
+
+resource local_file onboard_file {
+ content = data.template_file.vm_onboard.rendered
+ filename = "${path.module}/onboard.sh"
+}
diff --git a/three_tier/firewall/outputs.tf b/three_tier/firewall/outputs.tf
new file mode 100644
index 0000000..0ae24e8
--- /dev/null
+++ b/three_tier/firewall/outputs.tf
@@ -0,0 +1,21 @@
+# data azurerm_public_ip f5vmpip01 {
+# name = azurerm_public_ip.f5vmpip01.name
+# resource_group_name = var.resourceGroup.name
+# depends_on = [azurerm_public_ip.f5vmpip01, azurerm_virtual_machine.f5vm01]
+# }
+# data azurerm_public_ip f5vmpip02 {
+# name = azurerm_public_ip.f5vmpip02.name
+# resource_group_name = var.resourceGroup.name
+# depends_on = [azurerm_public_ip.f5vmpip02, azurerm_virtual_machine.f5vm02]
+# }
+
+
+output f5vm01_id { value = azurerm_virtual_machine.f5vm01.id }
+output f5vm01_mgmt_private_ip { value = azurerm_network_interface.vm01-mgmt-nic.private_ip_address }
+#output f5vm01_mgmt_public_ip { value = data.azurerm_public_ip.f5vmpip01.ip_address }
+output f5vm01_ext_private_ip { value = azurerm_network_interface.vm01-ext-nic.private_ip_address }
+
+output f5vm02_id { value = azurerm_virtual_machine.f5vm02.id }
+output f5vm02_mgmt_private_ip { value = azurerm_network_interface.vm02-mgmt-nic.private_ip_address }
+#output f5vm02_mgmt_public_ip { value = data.azurerm_public_ip.f5vmpip02.ip_address }
+output f5vm02_ext_private_ip { value = azurerm_network_interface.vm02-ext-nic.private_ip_address }
diff --git a/three_tier/firewall/variables.tf b/three_tier/firewall/variables.tf
new file mode 100644
index 0000000..7b7f128
--- /dev/null
+++ b/three_tier/firewall/variables.tf
@@ -0,0 +1,76 @@
+variable resourceGroup {}
+# admin credentials
+variable adminUserName {}
+variable adminPassword {}
+variable sshPublicKey {}
+# cloud info
+variable location {}
+variable region {}
+variable securityGroup {
+ default = "none"
+}
+variable availabilitySet {}
+variable availabilitySet2 {}
+
+variable prefix {}
+# bigip network
+variable subnets {}
+variable subnetMgmt {}
+variable subnetExternal {}
+variable subnetInternal {}
+variable subnetWafExt {}
+variable subnetWafInt {}
+variable app01ip {}
+
+variable backendPool {}
+variable managementPool {}
+variable primaryPool {}
+variable internalBackPool {}
+
+variable f5_mgmt {}
+variable f5_t1_ext {}
+variable f5_t1_int {}
+variable f5_t3_ext {}
+variable f5_t3_int {}
+
+# winjump
+variable winjumpip {}
+
+# linuxjump
+variable linuxjumpip {}
+
+# device
+variable instanceType {}
+
+
+# BIGIP Image
+variable image_name {}
+variable product {}
+variable bigip_version {}
+
+variable cidr {}
+
+variable ilb01ip {}
+variable ilb02ip {}
+variable ilb03ip {}
+
+# BIGIP Setup
+variable licenses {
+ type = map(string)
+ default = {
+ "license1" = ""
+ "license2" = ""
+ "license3" = ""
+ "license4" = ""
+ }
+}
+
+variable hosts {}
+variable dns_server {}
+variable ntp_server {}
+variable timezone {}
+variable onboard_log { default = "/var/log/startup-script.log" }
+variable asm_policy {}
+
+# TAGS
+variable tags {}
diff --git a/three_tier/ips/ips.tf b/three_tier/ips/ips.tf
new file mode 100644
index 0000000..0aef77f
--- /dev/null
+++ b/three_tier/ips/ips.tf
@@ -0,0 +1,205 @@
+resource random_id randomId {
+ keepers = {
+ # Generate a new ID only when a new resource group is defined
+ resource_group = var.resourceGroup.name
+ }
+ byte_length = 8
+}
+
+# # Create a Public IP for the Virtual Machines
+# resource azurerm_public_ip ipspip01 {
+# name = "${var.prefix}-ips-mgmt-pip01-delete-me"
+# location = var.resourceGroup.location
+# resource_group_name = var.resourceGroup.name
+# allocation_method = "Static"
+# sku = "Standard"
+
+# tags = {
+# Name = "${var.prefix}-ips-public-ip"
+# }
+# }
+
+resource azurerm_storage_account ips_storageaccount {
+ name = "diag${random_id.randomId.hex}"
+ resource_group_name = var.resourceGroup.name
+ location = var.resourceGroup.location
+ account_replication_type = "LRS"
+ account_tier = "Standard"
+
+ tags = var.tags
+}
+
+resource azurerm_network_interface ips01-mgmt-nic {
+ name = "${var.prefix}-ips01-mgmt-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+
+ enable_accelerated_networking = true
+ enable_ip_forwarding = true
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetMgmt.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.ips01mgmt
+ primary = true
+ #public_ip_address_id = azurerm_public_ip.ipspip01.id
+ }
+
+ tags = var.tags
+}
+
+resource azurerm_network_interface_backend_address_pool_association mpool_assc_ips01 {
+ network_interface_id = azurerm_network_interface.ips01-mgmt-nic.id
+ ip_configuration_name = "primary"
+ backend_address_pool_id = var.primaryPool.id
+}
+
+resource azurerm_network_interface ips01-ext-nic {
+ name = "${var.prefix}-ips01-ext-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+
+ enable_accelerated_networking = true
+ enable_ip_forwarding = true
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetInspectExt.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.ips01ext
+ primary = true
+ }
+
+ tags = var.tags
+}
+
+# internal network interface for ips vm
+resource azurerm_network_interface ips01-int-nic {
+ name = "${var.prefix}-ips01-int-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+
+ enable_accelerated_networking = true
+ enable_ip_forwarding = true
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetInspectInt.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.ips01int
+ primary = true
+ }
+
+ tags = var.tags
+}
+
+# Associate the External Network Interface to the BackendPool
+resource azurerm_network_interface_backend_address_pool_association ips_pool_assc_ingress {
+ network_interface_id = azurerm_network_interface.ips01-ext-nic.id
+ ip_configuration_name = "primary"
+ backend_address_pool_id = var.ipsIngressPool.id
+}
+
+resource azurerm_network_interface_backend_address_pool_association ips_pool_assc_egress {
+ network_interface_id = azurerm_network_interface.ips01-int-nic.id
+ ip_configuration_name = "primary"
+ backend_address_pool_id = var.ipsEgressPool.id
+}
+
+# network interface for ips vm
+resource azurerm_network_interface_security_group_association ips-ext-nsg {
+ network_interface_id = azurerm_network_interface.ips01-ext-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+# network interface for ips vm
+resource azurerm_network_interface_security_group_association ips-int-nsg {
+ network_interface_id = azurerm_network_interface.ips01-int-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+# network interface for ips vm
+resource azurerm_network_interface_security_group_association ips-mgmt-nsg {
+ network_interface_id = azurerm_network_interface.ips01-mgmt-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+# set up proxy config
+
+# Obtain Gateway IP for each Subnet
+locals {
+ depends_on = [var.subnetMgmt, var.internalSubnet, var.wafSubnet]
+ mgmt_gw = cidrhost(var.subnetMgmt.address_prefix, 1)
+ int_gw = cidrhost(var.internalSubnet.address_prefix, 1)
+ int_mask = cidrnetmask(var.internalSubnet.address_prefix)
+ extInspectGw = cidrhost(var.subnetInspectExt.address_prefix, 1)
+ intInspectGw = cidrhost(var.subnetInspectInt.address_prefix, 1)
+ waf_ext_gw = cidrhost(var.wafSubnet.address_prefix, 1)
+ waf_ext_mask = cidrnetmask(var.wafSubnet.address_prefix)
+}
+
+data template_file vm_onboard {
+ template = file("./templates/ips-cloud-init.yaml")
+ vars = {
+ #gateway = gateway
+ internalSubnetPrefix = cidrhost(var.internalSubnet.address_prefix, 0)
+ internalMask = local.int_mask
+ internalGateway = local.extInspectGw
+ wafSubnetPrefix = cidrhost(var.wafSubnet.address_prefix, 0)
+ wafMask = local.waf_ext_mask
+ wafGateway = local.intInspectGw
+ log_destination = var.app01ip
+ }
+}
+
+data template_cloudinit_config config {
+ gzip = true
+ base64_encode = true
+
+ # Main cloud-config configuration file.
+ part {
+ filename = "init.cfg"
+ content_type = "text/cloud-config"
+ content = data.template_file.vm_onboard.rendered
+ }
+}
+
+# ips01-VM
+resource azurerm_linux_virtual_machine ips01-vm {
+ name = "${var.prefix}-ips01-vm"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+ depends_on = [azurerm_network_interface_backend_address_pool_association.mpool_assc_ips01]
+
+ network_interface_ids = [azurerm_network_interface.ips01-mgmt-nic.id, azurerm_network_interface.ips01-ext-nic.id, azurerm_network_interface.ips01-int-nic.id]
+ size = var.instanceType
+
+ admin_username = var.adminUserName
+ admin_password = var.adminPassword
+ disable_password_authentication = false
+ computer_name = "${var.prefix}-ips01-vm"
+
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Premium_LRS"
+ }
+
+ source_image_reference {
+ publisher = "Canonical"
+ offer = "UbuntuServer"
+ sku = "18.04-LTS"
+ version = "latest"
+ }
+
+ custom_data = data.template_cloudinit_config.config.rendered
+
+ boot_diagnostics {
+ storage_account_uri = azurerm_storage_account.ips_storageaccount.primary_blob_endpoint
+ }
+
+ tags = var.tags
+}
+
+resource local_file cloud_init_file {
+ content = data.template_file.vm_onboard.rendered
+ filename = "${path.module}/cloud-init.yml"
+}
diff --git a/three_tier/ips/variables.tf b/three_tier/ips/variables.tf
new file mode 100644
index 0000000..d65d3db
--- /dev/null
+++ b/three_tier/ips/variables.tf
@@ -0,0 +1,38 @@
+# templates directory
+variable templates {
+ default = "/workspace/templates"
+}
+variable location {}
+variable region {}
+variable prefix {}
+variable resourceGroup {}
+variable securityGroup {
+ default = "none"
+}
+
+variable subnets {}
+variable subnetMgmt {}
+variable subnetInspectExt {}
+variable subnetInspectInt {}
+variable internalSubnet {}
+variable wafSubnet {}
+variable virtual_network_name {}
+
+variable ips01ext {}
+variable ips01int {}
+variable ips01mgmt {}
+variable app01ip {}
+variable adminUserName {}
+variable adminPassword {}
+
+variable ipsIngressPool {}
+variable ipsEgressPool {}
+variable primaryPool {}
+
+# device
+variable instanceType {}
+
+# TAGS
+variable tags {}
+
+variable timezone {}
diff --git a/three_tier/waf/bigip.tf b/three_tier/waf/bigip.tf
new file mode 100644
index 0000000..a31c556
--- /dev/null
+++ b/three_tier/waf/bigip.tf
@@ -0,0 +1,483 @@
+# # Create a Public IP for the Virtual Machines
+# resource azurerm_public_ip f5vmpip03 {
+# name = "${var.prefix}-vm03-mgmt-pip03-delete-me"
+# location = var.resourceGroup.location
+# resource_group_name = var.resourceGroup.name
+# allocation_method = "Static"
+# sku = "Standard"
+
+# tags = {
+# Name = "${var.prefix}-f5vm-public-ip"
+# }
+# }
+# resource azurerm_public_ip f5vmpip04 {
+# name = "${var.prefix}-vm04-mgmt-pip04-delete-me"
+# location = var.resourceGroup.location
+# resource_group_name = var.resourceGroup.name
+# allocation_method = "Static"
+# sku = "Standard"
+
+# tags = {
+# Name = "${var.prefix}-f5vm-public-ip"
+# }
+# }
+
+# Obtain Gateway IP for each Subnet
+locals {
+ depends_on = [var.subnetMgmt, var.subnetWafExt, var.subnetWafInt]
+ mgmt_gw = cidrhost(var.subnetMgmt.address_prefix, 1)
+ waf_ext_gw = cidrhost(var.subnetWafExt[0].address_prefix, 1)
+ waf_int_gw = cidrhost(var.subnetWafInt[0].address_prefix, 1)
+}
+
+# Create the first network interface card for Management
+resource azurerm_network_interface vm03-mgmt-nic {
+ name = "${var.prefix}-vm03-mgmt-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetMgmt.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_mgmt["f5vm03mgmt"]
+ #public_ip_address_id = azurerm_public_ip.f5vmpip03.id
+ }
+
+ tags = var.tags
+}
+
+resource azurerm_network_interface vm04-mgmt-nic {
+ name = "${var.prefix}-vm04-mgmt-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetMgmt.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_mgmt["f5vm04mgmt"]
+ #public_ip_address_id = azurerm_public_ip.f5vmpip04.id
+ }
+
+ tags = var.tags
+}
+
+resource azurerm_network_interface_security_group_association bigip03-mgmt-nsg {
+ network_interface_id = azurerm_network_interface.vm03-mgmt-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+resource azurerm_network_interface_security_group_association bigip04-mgmt-nsg {
+ network_interface_id = azurerm_network_interface.vm04-mgmt-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+# Associate the Network Interface to the ManagementPool
+resource azurerm_network_interface_backend_address_pool_association mpool_assc_vm01 {
+ network_interface_id = azurerm_network_interface.vm03-mgmt-nic.id
+ ip_configuration_name = "primary"
+ #backend_address_pool_id = var.managementPool.id
+ backend_address_pool_id = var.primaryPool.id
+}
+# Associate the Network Interface to the ManagementPool
+resource azurerm_network_interface_backend_address_pool_association mpool_assc_vm02 {
+ network_interface_id = azurerm_network_interface.vm04-mgmt-nic.id
+ ip_configuration_name = "primary"
+ #backend_address_pool_id = var.managementPool.id
+ backend_address_pool_id = var.primaryPool.id
+}
+
+# Create the second network interface card for External
+resource azurerm_network_interface vm03-ext-nic {
+ name = "${var.prefix}-vm03-ext-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = var.bigip_version == "latest" ? true : false
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetWafExt[0].id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_t3_ext["f5vm03ext"]
+ primary = true
+ }
+
+ ip_configuration {
+ name = "secondary"
+ subnet_id = var.subnetWafExt[0].id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_t3_ext["f5vm03ext_sec"]
+ }
+
+ tags = {
+ Name = "${var.prefix}-vm03-ext-int"
+ environment = var.tags["environment"]
+ owner = var.tags["owner"]
+ group = var.tags["group"]
+ costcenter = var.tags["costcenter"]
+ application = var.tags["application"]
+ f5_cloud_failover_label = "saca"
+ f5_cloud_failover_nic_map = "external"
+ }
+}
+
+resource azurerm_network_interface_security_group_association bigip03-ext-nsg {
+ network_interface_id = azurerm_network_interface.vm03-ext-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+resource azurerm_network_interface vm04-ext-nic {
+ name = "${var.prefix}-vm04-ext-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = var.bigip_version == "latest" ? true : false
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetWafExt[0].id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_t3_ext["f5vm04ext"]
+ primary = true
+ }
+
+ ip_configuration {
+ name = "secondary"
+ subnet_id = var.subnetWafExt[0].id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_t3_ext["f5vm04ext_sec"]
+ }
+
+ tags = {
+ Name = "${var.prefix}-vm03-ext-int"
+ environment = var.tags["environment"]
+ owner = var.tags["owner"]
+ group = var.tags["group"]
+ costcenter = var.tags["costcenter"]
+ application = var.tags["application"]
+ f5_cloud_failover_label = "saca"
+ f5_cloud_failover_nic_map = "external"
+ }
+}
+
+resource azurerm_network_interface_security_group_association bigip04-ext-nsg {
+ network_interface_id = azurerm_network_interface.vm04-ext-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+# Associate the External Network Interfaces to the Waf Backend Pools
+resource azurerm_network_interface_backend_address_pool_association bpool_assc_vm01 {
+ network_interface_id = azurerm_network_interface.vm03-ext-nic.id
+ ip_configuration_name = "secondary"
+ backend_address_pool_id = var.wafIngressPool.id
+}
+
+resource azurerm_network_interface_backend_address_pool_association bpool_assc_vm02 {
+ network_interface_id = azurerm_network_interface.vm04-ext-nic.id
+ ip_configuration_name = "secondary"
+ backend_address_pool_id = var.wafIngressPool.id
+}
+
+# Create the third network interface card for Internal
+resource azurerm_network_interface vm03-int-nic {
+ name = "${var.prefix}-vm03-int-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = var.bigip_version == "latest" ? true : false
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetWafInt[0].id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_t3_int["f5vm03int"]
+ primary = true
+ }
+ tags = var.tags
+}
+
+resource azurerm_network_interface_security_group_association bigip03-int-nsg {
+ network_interface_id = azurerm_network_interface.vm03-int-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+resource azurerm_network_interface vm04-int-nic {
+ name = "${var.prefix}-vm04-int-nic"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = var.bigip_version == "latest" ? true : false
+
+ ip_configuration {
+ name = "primary"
+ subnet_id = var.subnetWafInt[0].id
+ private_ip_address_allocation = "Static"
+ private_ip_address = var.f5_t3_int["f5vm04int"]
+ primary = true
+ }
+
+ tags = var.tags
+}
+
+resource azurerm_network_interface_security_group_association bigip04-int-nsg {
+ network_interface_id = azurerm_network_interface.vm04-int-nic.id
+ network_security_group_id = var.securityGroup.id
+}
+
+# Create F5 BIGIP VMs
+resource azurerm_virtual_machine f5vm03 {
+ name = "${var.prefix}-f5vm03"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+ primary_network_interface_id = azurerm_network_interface.vm03-mgmt-nic.id
+ network_interface_ids = [azurerm_network_interface.vm03-mgmt-nic.id, azurerm_network_interface.vm03-ext-nic.id, azurerm_network_interface.vm03-int-nic.id]
+ vm_size = var.instanceType
+ availability_set_id = var.availabilitySet.id
+
+ delete_os_disk_on_termination = true
+ delete_data_disks_on_termination = true
+
+ storage_image_reference {
+ publisher = "f5-networks"
+ offer = var.product
+ sku = var.image_name
+ version = var.bigip_version
+ }
+
+ storage_os_disk {
+ name = "${var.prefix}-vm03-osdisk"
+ caching = "ReadWrite"
+ create_option = "FromImage"
+ managed_disk_type = "Standard_LRS"
+ }
+
+ os_profile {
+ computer_name = "${var.prefix}vm03"
+ admin_username = var.adminUserName
+ admin_password = var.adminPassword
+ }
+
+ os_profile_linux_config {
+ disable_password_authentication = false
+ }
+
+ plan {
+ name = var.image_name
+ publisher = "f5-networks"
+ product = var.product
+ }
+
+ tags = var.tags
+}
+
+resource azurerm_virtual_machine f5vm04 {
+ name = "${var.prefix}-f5vm04"
+ location = var.resourceGroup.location
+ resource_group_name = var.resourceGroup.name
+ primary_network_interface_id = azurerm_network_interface.vm04-mgmt-nic.id
+ network_interface_ids = [azurerm_network_interface.vm04-mgmt-nic.id, azurerm_network_interface.vm04-ext-nic.id, azurerm_network_interface.vm04-int-nic.id]
+ vm_size = var.instanceType
+ availability_set_id = var.availabilitySet.id
+
+ delete_os_disk_on_termination = true
+ delete_data_disks_on_termination = true
+
+ storage_image_reference {
+ publisher = "f5-networks"
+ offer = var.product
+ sku = var.image_name
+ version = var.bigip_version
+ }
+
+ storage_os_disk {
+ name = "${var.prefix}-vm04-osdisk"
+ caching = "ReadWrite"
+ create_option = "FromImage"
+ managed_disk_type = "Standard_LRS"
+ }
+
+ os_profile {
+ computer_name = "${var.prefix}vm04"
+ admin_username = var.adminUserName
+ admin_password = var.adminPassword
+ }
+
+ os_profile_linux_config {
+ disable_password_authentication = false
+ }
+
+ plan {
+ name = var.image_name
+ publisher = "f5-networks"
+ product = var.product
+ }
+
+ tags = var.tags
+}
+
+# Setup Onboarding scripts
+
+data template_file vm_onboard {
+ template = file("./templates/onboard.tpl")
+ vars = {
+ uname = var.adminUserName
+ upassword = var.adminPassword
+ doVersion = "latest"
+ as3Version = "latest"
+ tsVersion = "latest"
+ cfVersion = "latest"
+ fastVersion = "1.0.0"
+ doExternalDeclarationUrl = "https://example.domain.com/do.json"
+ as3ExternalDeclarationUrl = "https://example.domain.com/as3.json"
+ tsExternalDeclarationUrl = "https://example.domain.com/ts.json"
+ cfExternalDeclarationUrl = "https://example.domain.com/cf.json"
+ onboard_log = var.onboard_log
+ mgmtGateway = local.mgmt_gw
+ DO1_Document = data.template_file.vm03_do_json.rendered
+ DO2_Document = data.template_file.vm04_do_json.rendered
+ AS3_Document = data.template_file.as3_json.rendered
+ }
+}
+
+# as3 uuid generation
+resource random_uuid as3_uuid {}
+
+data http onboard {
+ url = "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-DO/master/dist/terraform/latest/${var.licenses["license3"] != "" ? "byol" : "payg"}_cluster_waf_tier.json"
+}
+
+data template_file vm03_do_json {
+ template = data.http.onboard.body
+ vars = {
+ host1 = var.hosts["host3"]
+ host2 = var.hosts["host4"]
+ local_host = var.hosts["host3"]
+ external_selfip = "${var.f5_t3_ext["f5vm03ext"]}/${element(split("/", var.subnets["waf_ext"]), 1)}"
+ internal_selfip = "${var.f5_t3_int["f5vm03int"]}/${element(split("/", var.subnets["waf_int"]), 1)}"
+ log_localip = var.f5_t3_ext["f5vm03ext"]
+ log_destination = var.app01ip
+ vdmsSubnet = var.subnets["vdms"]
+ appSubnet = var.subnets["application"]
+ vnetSubnet = var.cidr
+ remote_host = var.hosts["host4"]
+ remote_selfip = var.f5_t3_ext["f5vm04ext"]
+ externalGateway = local.waf_ext_gw
+ internalGateway = local.waf_int_gw
+ mgmtGateway = local.mgmt_gw
+ dns_server = var.dns_server
+ ntp_server = var.ntp_server
+ timezone = var.timezone
+ admin_user = var.adminUserName
+ admin_password = var.adminPassword
+ license = var.licenses["license3"] != "" ? var.licenses["license3"] : ""
+ }
+}
+
+data template_file vm04_do_json {
+ template = data.http.onboard.body
+ vars = {
+ host1 = var.hosts["host3"]
+ host2 = var.hosts["host4"]
+ local_host = var.hosts["host4"]
+ external_selfip = "${var.f5_t3_ext["f5vm04ext"]}/${element(split("/", var.subnets["waf_ext"]), 1)}"
+ internal_selfip = "${var.f5_t3_int["f5vm04int"]}/${element(split("/", var.subnets["waf_int"]), 1)}"
+ log_localip = var.f5_t3_ext["f5vm04ext"]
+ log_destination = var.app01ip
+ vdmsSubnet = var.subnets["vdms"]
+ appSubnet = var.subnets["application"]
+ vnetSubnet = var.cidr
+ remote_host = var.hosts["host3"]
+ remote_selfip = var.f5_t3_ext["f5vm03ext"]
+ externalGateway = local.waf_ext_gw
+ internalGateway = local.waf_int_gw
+ mgmtGateway = local.mgmt_gw
+ dns_server = var.dns_server
+ ntp_server = var.ntp_server
+ timezone = var.timezone
+ admin_user = var.adminUserName
+ admin_password = var.adminPassword
+ license = var.licenses["license4"] != "" ? var.licenses["license4"] : ""
+ }
+}
+
+data http appservice {
+ url = "https://raw.githubusercontent.com/Mikej81/f5-bigip-hardening-AS3/master/dist/terraform/latest/sccaWAFTier.json"
+}
+
+data template_file as3_json {
+ template = data.http.appservice.body
+ vars = {
+ uuid = random_uuid.as3_uuid.result
+ baseline_waf_policy = var.asm_policy
+ exampleVipAddress = var.f5_t3_ext["f5vm03ext"]
+ exampleVipSubnet = var.subnets["waf_ext"]
+ ips_pool_addresses = var.app01ip
+ rdp_pool_addresses = var.winjumpip
+ ssh_pool_addresses = var.linuxjumpip
+ app_pool_addresses = var.app01ip
+ log_destination = var.app01ip
+ mgmtVipAddress = var.f5_t3_ext["f5vm03ext_sec"]
+ mgmtVipAddress2 = var.f5_t3_ext["f5vm04ext_sec"]
+ transitVipAddress = var.f5_t3_int["f5vm03int_sec"]
+ transitVipAddress2 = var.f5_t3_int["f5vm04int_sec"]
+ }
+}
+
+# Run Startup Script
+resource azurerm_virtual_machine_extension f5vm03-run-startup-cmd {
+ name = "${var.prefix}-f5vm03-run-startup-cmd"
+ depends_on = [azurerm_virtual_machine.f5vm03, azurerm_network_interface_backend_address_pool_association.mpool_assc_vm01, azurerm_network_interface_backend_address_pool_association.mpool_assc_vm02]
+ virtual_machine_id = azurerm_virtual_machine.f5vm03.id
+ publisher = "Microsoft.Azure.Extensions"
+ type = "CustomScript"
+ type_handler_version = "2.0"
+
+ settings = <> ./startup.sh && cat ./startup.sh | base64 -d >> ./startup-script.sh && chmod +x ./startup-script.sh && rm ./startup.sh && bash ./startup-script.sh 1"
+ }
+ SETTINGS
+
+ tags = var.tags
+}
+
+resource azurerm_virtual_machine_extension f5vm04-run-startup-cmd {
+ name = "${var.prefix}-f5vm04-run-startup-cmd"
+ depends_on = [azurerm_virtual_machine.f5vm03, azurerm_virtual_machine.f5vm04, azurerm_network_interface_backend_address_pool_association.mpool_assc_vm01, azurerm_network_interface_backend_address_pool_association.mpool_assc_vm02]
+ virtual_machine_id = azurerm_virtual_machine.f5vm04.id
+ publisher = "Microsoft.Azure.Extensions"
+ type = "CustomScript"
+ type_handler_version = "2.0"
+
+ settings = <> ./startup.sh && cat ./startup.sh | base64 -d >> ./startup-script.sh && chmod +x ./startup-script.sh && rm ./startup.sh && bash ./startup-script.sh 2"
+ }
+ SETTINGS
+
+ tags = var.tags
+}
+
+
+# Debug Template Outputs
+resource local_file vm03_do_file {
+ content = data.template_file.vm03_do_json.rendered
+ filename = "${path.module}/vm03_do_data.json"
+}
+
+resource local_file vm04_do_file {
+ content = data.template_file.vm04_do_json.rendered
+ filename = "${path.module}/vm04_do_data.json"
+}
+
+resource local_file vm_as3_file {
+ content = data.template_file.as3_json.rendered
+ filename = "${path.module}/vm_as3_data.json"
+}
+
+resource local_file onboard_file {
+ content = data.template_file.vm_onboard.rendered
+ filename = "${path.module}/onboard.sh"
+}
diff --git a/three_tier/waf/outputs.tf b/three_tier/waf/outputs.tf
new file mode 100644
index 0000000..8424976
--- /dev/null
+++ b/three_tier/waf/outputs.tf
@@ -0,0 +1,21 @@
+# data azurerm_public_ip f5vmpip03 {
+# name = azurerm_public_ip.f5vmpip03.name
+# resource_group_name = var.resourceGroup.name
+# depends_on = [azurerm_public_ip.f5vmpip03, azurerm_virtual_machine.f5vm03]
+# }
+# data azurerm_public_ip f5vmpip04 {
+# name = azurerm_public_ip.f5vmpip04.name
+# resource_group_name = var.resourceGroup.name
+# depends_on = [azurerm_public_ip.f5vmpip04, azurerm_virtual_machine.f5vm04]
+# }
+
+
+output f5vm03_id { value = azurerm_virtual_machine.f5vm03.id }
+output f5vm03_mgmt_private_ip { value = azurerm_network_interface.vm03-mgmt-nic.private_ip_address }
+#output f5vm03_mgmt_public_ip { value = data.azurerm_public_ip.f5vmpip03.ip_address }
+output f5vm03_ext_private_ip { value = azurerm_network_interface.vm03-ext-nic.private_ip_address }
+
+output f5vm04_id { value = azurerm_virtual_machine.f5vm04.id }
+output f5vm04_mgmt_private_ip { value = azurerm_network_interface.vm04-mgmt-nic.private_ip_address }
+#output f5vm04_mgmt_public_ip { value = data.azurerm_public_ip.f5vmpip04.ip_address }
+output f5vm04_ext_private_ip { value = azurerm_network_interface.vm04-ext-nic.private_ip_address }
diff --git a/three_tier/waf/variables.tf b/three_tier/waf/variables.tf
new file mode 100644
index 0000000..c28563d
--- /dev/null
+++ b/three_tier/waf/variables.tf
@@ -0,0 +1,81 @@
+variable resourceGroup {
+ default = ""
+}
+# admin credentials
+variable adminUserName { default = "" }
+variable adminPassword { default = "" }
+variable sshPublicKey { default = "" }
+# cloud info
+variable location {}
+variable region {}
+variable securityGroup {}
+variable availabilitySet {}
+variable availabilitySet2 {}
+
+variable prefix {}
+# bigip network
+variable subnets {}
+variable subnetMgmt {}
+variable subnetExternal {}
+variable subnetInternal {}
+variable subnetWafExt {}
+variable subnetWafInt {}
+variable app01ip {}
+variable backendPool {
+ description = "azureLB resource pool"
+}
+variable primaryPool {}
+variable managementPool {}
+variable wafEgressPool {}
+variable wafIngressPool {}
+
+variable ilb02ip {}
+
+# bigip networks
+variable f5_mgmt {}
+variable f5_t1_ext {}
+variable f5_t1_int {}
+variable f5_t3_ext {}
+variable f5_t3_int {}
+
+# winjump
+variable winjumpip {}
+
+# linuxjump
+variable linuxjumpip {}
+
+# device
+variable instanceType {}
+
+
+# BIGIP Image
+variable image_name {}
+variable product {}
+variable bigip_version {}
+
+variable vnet {}
+
+# BIGIP Setup
+variable hosts {}
+variable cidr {}
+variable licenses {
+ type = map(string)
+ default = {
+ "license1" = ""
+ "license2" = ""
+ "license3" = ""
+ "license4" = ""
+ }
+}
+
+variable dns_server {}
+variable ntp_server {}
+variable timezone { default = "UTC" }
+variable onboard_log { default = "/var/log/startup-script.log" }
+## ASM Policy
+## -Examples: https://github.com/f5devcentral/f5-asm-policy-templates
+## -Default is using OWASP Ready Autotuning
+variable asm_policy {}
+
+# TAGS
+variable tags {}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..3aa8001
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,256 @@
+# Azure Environment
+variable projectPrefix {
+ type = string
+ description = "REQUIRED: Prefix to prepend to all objects created, minus Windows Jumpbox"
+ default = "bedfe9a3"
+}
+variable adminUserName {
+ type = string
+ description = "REQUIRED: Admin Username for All systems"
+ default = "xadmin"
+}
+variable adminPassword {
+ type = string
+ description = "REQUIRED: Admin Password for all systems"
+ default = "pleaseUseVault123!!"
+}
+variable location {
+ type = string
+ description = "REQUIRED: Azure Region: usgovvirginia, usgovarizona, etc"
+ default = "usgovvirginia"
+}
+variable region {
+ type = string
+ description = "Azure Region: US Gov Virginia, US Gov Arizona, etc"
+ default = "US Gov Virginia"
+}
+variable deploymentType {
+ type = string
+ description = "REQUIRED: This determines the type of deployment; one tier versus three tier: one_tier, three_tier"
+ default = "one_tier"
+}
+variable deployDemoApp {
+ type = string
+ description = "OPTIONAL: Deploy Demo Application with Stack. Recommended to show functionality. Options: deploy, anything else."
+ default = "deploy"
+}
+variable sshPublicKey {
+ type = string
+ description = "OPTIONAL: ssh public key for instances"
+ default = ""
+}
+variable sshPublicKeyPath {
+ type = string
+ description = "OPTIONAL: ssh public key path for instances"
+ default = "/mykey.pub"
+}
+
+# NETWORK
+variable cidr {
+ description = "REQUIRED: VNET Network CIDR"
+ default = "10.90.0.0/16"
+}
+
+variable subnets {
+ type = map(string)
+ description = "REQUIRED: Subnet CIDRs"
+ default = {
+ "management" = "10.90.0.0/24"
+ "external" = "10.90.1.0/24"
+ "internal" = "10.90.2.0/24"
+ "vdms" = "10.90.3.0/24"
+ "inspect_ext" = "10.90.4.0/24"
+ "inspect_int" = "10.90.5.0/24"
+ "waf_ext" = "10.90.6.0/24"
+ "waf_int" = "10.90.7.0/24"
+ "application" = "10.90.10.0/24"
+ }
+}
+
+variable f5_mgmt {
+ description = "F5 BIG-IP Management IPs. These must be in the management subnet."
+ type = map(string)
+ default = {
+ f5vm01mgmt = "10.90.0.4"
+ f5vm02mgmt = "10.90.0.5"
+ f5vm03mgmt = "10.90.0.6"
+ f5vm04mgmt = "10.90.0.7"
+ }
+}
+
+# bigip external private ips, these must be in external subnet
+variable f5_t1_ext {
+ description = "Tier 1 BIG-IP External IPs. These must be in the external subnet."
+ type = map(string)
+ default = {
+ f5vm01ext = "10.90.1.4"
+ f5vm01ext_sec = "10.90.1.11"
+ f5vm02ext = "10.90.1.5"
+ f5vm02ext_sec = "10.90.1.12"
+ }
+}
+
+variable f5_t1_int {
+ description = "Tier 1 BIG-IP Internal IPs. These must be in the internal subnet."
+ type = map(string)
+ default = {
+ f5vm01int = "10.90.2.4"
+ f5vm01int_sec = "10.90.2.11"
+ f5vm02int = "10.90.2.5"
+ f5vm02int_sec = "10.90.2.12"
+ }
+}
+
+variable f5_t3_ext {
+ description = "Tier 3 BIG-IP External IPs. These must be in the waf external subnet."
+ type = map(string)
+ default = {
+ f5vm03ext = "10.90.6.4"
+ f5vm03ext_sec = "10.90.6.11"
+ f5vm04ext = "10.90.6.5"
+ f5vm04ext_sec = "10.90.6.12"
+ }
+}
+
+variable f5_t3_int {
+ description = "Tier 3 BIG-IP Internal IPs. These must be in the waf internal subnet."
+ type = map(string)
+ default = {
+ f5vm03int = "10.90.7.4"
+ f5vm03int_sec = "10.90.7.11"
+ f5vm04int = "10.90.7.5"
+ f5vm04int_sec = "10.90.7.12"
+ }
+}
+
+variable internalILBIPs {
+ description = "REQUIRED: Used by One and Three Tier. Azure internal load balancer ips, these are used for ingress and egress."
+ type = map(string)
+ default = {}
+}
+
+variable ilb01ip {
+ type = string
+ description = "REQUIRED: Used by One and Three Tier. Azure internal load balancer ip, this is used as egress, must be in internal subnet."
+ default = "10.90.2.10"
+}
+
+variable ilb02ip {
+ type = string
+ description = "REQUIRED: Used by Three Tier only. Azure waf external load balancer ip, this is used as egress, must be in waf_ext subnet."
+ default = "10.90.6.10"
+}
+
+variable ilb03ip {
+ type = string
+ description = "REQUIRED: Used by Three Tier only. Azure waf external load balancer ip, this is used as ingress, must be in waf_ext subnet."
+ default = "10.90.6.13"
+}
+
+variable ilb04ip {
+ type = string
+ description = "REQUIRED: Used by Three Tier only. Azure waf external load balancer ip, this is used as ingress, must be in inspect_external subnet."
+ default = "10.90.4.13"
+}
+
+variable app01ip {
+ type = string
+ description = "OPTIONAL: Example Application used by all use-cases to demonstrate functionality of deploymeny, must reside in the application subnet."
+ default = "10.90.10.101"
+}
+
+# Example IPS private ips
+variable ips01ext { default = "10.90.4.4" }
+variable ips01int { default = "10.90.5.4" }
+variable ips01mgmt { default = "10.90.0.8" }
+
+variable winjumpip {
+ type = string
+ description = "REQUIRED: Used by all use-cases for RDP/Windows Jumpbox, must reside in VDMS subnet."
+ default = "10.90.3.98"
+}
+
+variable linuxjumpip {
+ type = string
+ description = "REQUIRED: Used by all use-cases for SSH/Linux Jumpbox, must reside in VDMS subnet."
+ default = "10.90.3.99"
+}
+
+# BIGIP Instance Type, DS5_v2 is a solid baseline for BEST
+variable instanceType { default = "Standard_DS5_v2" }
+
+# Be careful which instance type selected, jump boxes currently use Premium_LRS managed disks
+variable jumpinstanceType { default = "Standard_B2s" }
+
+# Demo Application Instance Size
+variable appInstanceType { default = "Standard_DS3_v2" }
+
+# BIGIP Image
+variable image_name {
+ type = string
+ description = "REQUIRED: BIG-IP Image Name. 'az vm image list --output table --publisher f5-networks --location [region] --offer f5-big-ip --all' Default f5-bigip-virtual-edition-1g-best-hourly is PAYG Image. For BYOL use f5-big-all-2slot-byol"
+ default = "f5-bigip-virtual-edition-1g-best-hourly"
+}
+variable product {
+ type = string
+ description = "REQUIRED: BYOL = f5-big-ip-byol, PAYG = f5-big-ip-best"
+ default = "f5-big-ip-best"
+}
+variable bigip_version {
+ type = string
+ description = "REQUIRED: BIG-IP Version, 14.1.2 for Compliance. Options: 12.1.502000, 13.1.304000, 14.1.206000, 15.0.104000, latest. Note: verify available versions before using as images can change."
+ default = "14.1.202000"
+}
+
+# BIGIP Setup
+# Licenses are only needed when using BYOL images
+variable licenses {
+ type = map(string)
+ default = {
+ "license1" = ""
+ "license2" = ""
+ "license3" = ""
+ "license4" = ""
+ }
+}
+
+variable hosts {
+ type = map(string)
+ default = {
+ "host1" = "f5vm01"
+ "host2" = "f5vm02"
+ "host3" = "f5vm03"
+ "host4" = "f5vm04"
+ }
+}
+
+variable dns_server {
+ type = string
+ description = "REQUIRED: Default is set to Azure DNS."
+ default = "168.63.129.16"
+}
+
+## ASM Policy
+variable asm_policy {
+ type = string
+ description = "REQUIRED: ASM Policy. Examples: https://github.com/f5devcentral/f5-asm-policy-templates. Default: OWASP Ready Autotuning"
+ default = "https://raw.githubusercontent.com/f5devcentral/f5-asm-policy-templates/master/owasp_ready_template/owasp-auto-tune-v1.1.xml"
+}
+
+variable ntp_server { default = "time.nist.gov" }
+variable timezone { default = "UTC" }
+variable onboard_log { default = "/var/log/startup-script.log" }
+
+# TAGS
+variable tags {
+ description = "Environment tags for objects"
+ type = map(string)
+ default = {
+ "purpose" = "public"
+ "environment" = "f5env"
+ "owner" = "f5owner"
+ "group" = "f5group"
+ "costcenter" = "f5costcenter"
+ "application" = "f5app"
+ }
+}