diff --git a/README.md b/README.md
index 85f13b2..36c1df9 100644
--- a/README.md
+++ b/README.md
@@ -215,8 +215,11 @@ These variables have default values and don't have to be set to use this module.
 | f5\_password | Password of the F5 BIG-IP that will be deployed | `string` | "" |
 | f5\_hostname | Custom management hostname. Defaults to managemet public dns | `string` | "" |
 | ec2_instance_type | AWS EC2 instance type | `string` | m5.large |
+| ebs_volume_encryption | Whether to enable encryption on the EBS volume | `bool` | false |
+| ebs_volume_kms_key_arn | The ARN of the KMS key for volume encryption when using a customer managed key | `string` | |
+| ebs_volume_type | The EBS volume type to use for the root volume | `string` | gp2 |
 | f5_ami_search_name | BIG-IP AMI name to search for | `string` | F5 BIGIP-*PAYG-Best 200Mbps* |
-| aws_secretmanager_auth | Whether to use key vault to pass authentication | `bool` | FALSE |
+| aws_secretmanager_auth | Whether to use key vault to pass authentication | `bool` | false |
 | aws_secretmanager_secret_id | AWS Secret Manager Secret ID that stores the BIG-IP password | `string` | |
 | aws_iam_instance_profile | AWS IAM instance profile that can be associate for BIGIP with required permissions | `string` | |
 | DO_URL | URL to download the BIG-IP Declarative Onboarding module | `string` | `latest` Note: don't change name of ATC tools rpm file |
@@ -235,7 +238,7 @@ These variables have default values and don't have to be set to use this module. | tags | `key:value` tags to apply to resources built by the module | `map` | {} | | externalnic_failover_tags | `key:value` tags to apply to external nic resources built by the module | `map` | {} | | internalnic_failover_tags | `key:value` tags to apply to external nic resources built by the module | `map` | {} | -| cfe_secondary_vip_disable | Disable Externnal Public IP Association to instance based on this flag (Usecase CFE Scenario) | `bool` | FALSE | +| cfe_secondary_vip_disable | Disable Externnal Public IP Association to instance based on this flag (Usecase CFE Scenario) | `bool` | false | | sleep_time | The number of seconds/minutes of delay to build into creation of BIG-IP VMs | `string` | 300s | ~> **NOTE:** For each external interface there will be one primary,secondary private ip will be assigned. @@ -309,4 +312,4 @@ If you are signing as an individual, we recommend that you talk to your employer If your employer has rights to intellectual property that you create, such as your contributions, you represent that you have received permission to make contributions on behalf of that employer, that your employer has waived such rights for your contributions, or that your employer has executed a separate CLA with F5. -If you are signing on behalf of a company, you represent that you are legally entitled to grant the license recited therein. You represent further that each employee of the entity that submits contributions is authorized to submit such contributions on behalf of the entity pursuant to the CLA. +If you are signing on behalf of a company, you represent that you are legally entitled to grant the license recited therein. You represent further that each employee of the entity that submits contributions is authorized to submit such contributions on behalf of the entity pursuant to the CLA. \ No newline at end of file 
diff --git a/main.tf b/main.tf
index 94fd8ec..796cd6e 100644
--- a/main.tf
+++ b/main.tf
@@ -50,8 +50,7 @@ resource "aws_network_interface" "mgmt1" {
 resource "aws_eip" "mgmt" {
 count = length(local.mgmt_public_subnet_id) > 0 ? (length(local.bigip_map["mgmt_subnet_ids"])) : 0
 network_interface = length(compact(local.mgmt_public_private_ip_primary)) > 0 ? aws_network_interface.mgmt[count.index].id : aws_network_interface.mgmt1[count.index].id
- # vpc = true
- domain = "vpc"
+ domain = "vpc"
 tags = merge(local.tags, {
 Name = format("%s-%d", "BIGIP-Managemt-PublicIp", count.index)
 }
@@ -62,9 +61,8 @@ resource "aws_eip" "mgmt" {
 # add an elastic IP to the BIG-IP External Public interface
 #
 resource "aws_eip" "ext-pub" {
- count = length(local.external_public_subnet_id)
- network_interface = length(compact(local.external_public_private_ip_primary)) > 0 ? aws_network_interface.public[count.index].id : aws_network_interface.public1[count.index].id
- # vpc = true
+ count = length(local.external_public_subnet_id)
+ network_interface = length(compact(local.external_public_private_ip_primary)) > 0 ? aws_network_interface.public[count.index].id : aws_network_interface.public1[count.index].id
 domain = "vpc"
 associate_with_private_ip = length(compact(local.external_public_private_ip_primary)) > 0 ? aws_network_interface.public[count.index].private_ip : aws_network_interface.public1[count.index].private_ip
 tags = merge(local.tags, var.externalnic_failover_tags, {
@@ -80,8 +78,7 @@ resource "aws_eip" "ext-pub" { resource "aws_eip" "vip" { count = var.cfe_secondary_vip_disable ? 0 : (length(local.external_public_subnet_id) > 0 ? 1 : 0) # count = var.cfe_secondary_vip_disable ? 0 : (length(local.external_public_subnet_id) > 0 ? (length(compact(local.external_public_private_ip_secondary)) > 0 ? 1 : 0) : 0) - network_interface = length(compact(local.external_public_private_ip_primary)) > 0 ? aws_network_interface.public[0].id : aws_network_interface.public1[0].id - # vpc = true + network_interface = length(compact(local.external_public_private_ip_primary)) > 0 ? aws_network_interface.public[0].id : aws_network_interface.public1[0].id domain = "vpc" associate_with_private_ip = length(compact(local.external_public_private_ip_primary)) > 0 ? element(compact([for x in tolist(aws_network_interface.public[0].private_ip_list) : x == aws_network_interface.public[0].private_ip ? "" : x]), 0) : element(compact([for x in tolist(aws_network_interface.public1[0].private_ip_list) : x == aws_network_interface.public1[0].private_ip ? "" : x]), 0) tags = merge(local.tags, var.externalnic_failover_tags, { @@ -195,10 +192,12 @@ resource "aws_instance" "f5_bigip" { instance_type = var.ec2_instance_type ami = data.aws_ami.f5_ami.id key_name = var.ec2_key_name - # availability_zone = root_block_device { delete_on_termination = true + encrypted = var.ebs_volume_encryption + kms_key_id = var.ebs_volume_kms_key_arn + volume_type = var.ebs_volume_type } # set the mgmt interface diff --git a/variables.tf b/variables.tf index d11c62b..3fcf91f 100644 --- a/variables.tf +++ b/variables.tf 
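Review bot: In the `root_block_device` block of `aws_instance.f5_bigip`, `kms_key_id = var.ebs_volume_kms_key_arn` is set unconditionally while `encrypted = var.ebs_volume_encryption` defaults to `false`, so a caller who supplies a customer-managed key but leaves the encryption flag at its default gets either an unencrypted root volume with the key silently ignored or, as far as I recall of the AWS provider, a plan-time error that `kms_key_id` requires `encrypted = true`. Make the key imply encryption so the two cannot disagree: `encrypted = var.ebs_volume_encryption || var.ebs_volume_kms_key_arn != null`. Since the BIG-IP root volume holds the device configuration and whatever credentials onboarding writes there, a comment above the block should also say that the `false` default relies on the account's EBS encryption-by-default setting rather than on this module, e.g. `# Root volume encryption is opt-in here; enable it (or set ebs_volume_kms_key_arn) unless the account already enforces EBS encryption by default.` The `aws_instance.f5_bigip` resource continues past the end of this hunk.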
@@ -37,6 +37,24 @@ variable "ec2_key_name" { type = string } +variable "ebs_volume_encryption" { + description = "Whether to enable encryption on the EBS volume" + type = bool + default = false +} + +variable "ebs_volume_kms_key_arn" { + description = "The ARN of the KMS key for volume encryption when using a customer managed key" + type = string + default = null +} + +variable "ebs_volume_type" { + description = "The EBS volume type to use for the root volume" + type = string + default = "gp2" +} + variable "aws_secretmanager_auth" { description = "Whether to use secret manager to pass authentication" type = bool @@ -117,14 +135,14 @@ variable "internal_securitygroup_ids" { variable "DO_URL" { description = "URL to download the BIG-IP Declarative Onboarding module" type = string - default = "https://github.com/F5Networks/f5-declarative-onboarding/releases/download/v1.38.0/f5-declarative-onboarding-1.38.0-7.noarch.rpm" + default = "https://github.com/F5Networks/f5-declarative-onboarding/releases/download/v1.39.0/f5-declarative-onboarding-1.39.0-4.noarch.rpm" } ## Please check and update the latest AS3 URL from https://github.com/F5Networks/f5-appsvcs-extension/releases/latest # always point to a specific version in order to avoid inadvertent configuration inconsistency variable "AS3_URL" { description = "URL to download the BIG-IP Application Service Extension 3 (AS3) module" type = string - default = "https://github.com/F5Networks/f5-appsvcs-extension/releases/download/v3.45.0/f5-appsvcs-3.45.0-5.noarch.rpm" + default = "https://github.com/F5Networks/f5-appsvcs-extension/releases/download/v3.46.0/f5-appsvcs-3.46.0-5.noarch.rpm" } ## Please check and update the latest TS URL from https://github.com/F5Networks/f5-telemetry-streaming/releases/latest 
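Review bot: The new `ebs_volume_kms_key_arn` and `ebs_volume_type` variables accept any string, so a mistyped key ARN or an unsupported root-volume type is only discovered at apply time, and the description of `ebs_volume_kms_key_arn` does not say that the key has no effect unless `ebs_volume_encryption` is `true`. I would state that dependency in the description and add `validation` blocks to both variables so the module rejects bad input at plan time; the ARN check below is deliberately loose so it still accepts `aws-cn`/`aws-us-gov` partitions and alias ARNs, and the type list should be whatever set of boot-volume types this module intends to support (gp2/gp3/io1/io2 at minimum).

```hcl
variable "ebs_volume_kms_key_arn" {
  description = "The ARN of the KMS key for volume encryption when using a customer managed key; only applied when ebs_volume_encryption is true"
  type        = string
  default     = null

  validation {
    condition     = var.ebs_volume_kms_key_arn == null || can(regex("^arn:aws[a-z-]*:kms:", var.ebs_volume_kms_key_arn))
    error_message = "ebs_volume_kms_key_arn must be a KMS key or alias ARN (arn:aws*:kms:...)."
  }
}

variable "ebs_volume_type" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["gp2", "gp3", "io1", "io2"], var.ebs_volume_type)
    error_message = "ebs_volume_type must be one of gp2, gp3, io1, io2."
  }
}
```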
@@ -140,7 +158,7 @@ variable "TS_URL" { variable "CFE_URL" { description = "URL to download the BIG-IP Cloud Failover Extension module" type = string - default = "https://github.com/F5Networks/f5-cloud-failover-extension/releases/download/v1.14.0/f5-cloud-failover-1.14.0-0.noarch.rpm" + default = "https://github.com/F5Networks/f5-cloud-failover-extension/releases/download/v1.15.0/f5-cloud-failover-1.15.0-0.noarch.rpm" } ## Please check and update the latest FAST URL from https://github.com/F5Networks/f5-appsvcs-templates/releases/latest @@ -148,14 +166,14 @@ variable "CFE_URL" { variable "FAST_URL" { description = "URL to download the BIG-IP FAST module" type = string - default = "https://github.com/F5Networks/f5-appsvcs-templates/releases/download/v1.24.0/f5-appsvcs-templates-1.24.0-1.noarch.rpm" + default = "https://github.com/F5Networks/f5-appsvcs-templates/releases/download/v1.25.0/f5-appsvcs-templates-1.25.0-1.noarch.rpm" } ## Please check and update the latest runtime init URL from https://github.com/F5Networks/f5-bigip-runtime-init/releases/latest # always point to a specific version in order to avoid inadvertent configuration inconsistency variable "INIT_URL" { description = "URL to download the BIG-IP runtime init" type = string - default = "https://cdn.f5.com/product/cloudsolutions/f5-bigip-runtime-init/v1.6.1/dist/f5-bigip-runtime-init-1.6.1-1.gz.run" + default = "https://cdn.f5.com/product/cloudsolutions/f5-bigip-runtime-init/v1.6.2/dist/f5-bigip-runtime-init-1.6.2-1.gz.run" } variable "libs_dir" { description = "Directory on the BIG-IP to download the A&O Toolchain into" @@ -202,4 +220,4 @@ variable "sleep_time" { type = string default = "600s" description = "The number of seconds/minutes of delay to build into creation of BIG-IP VMs; default is 250. BIG-IP requires a few minutes to complete the onboarding process and this value can be used to delay the processing of dependent Terraform resources." -} +} \ No newline at end of file