{"id":20329757,"url":"https://github.com/f5devcentral/volterra-azure-sca","last_synced_at":"2025-03-04T12:19:49.510Z","repository":{"id":41416247,"uuid":"380270380","full_name":"f5devcentral/volterra-azure-sca","owner":"f5devcentral","description":"Volterra version of SCA/SACA","archived":false,"fork":false,"pushed_at":"2022-02-02T23:11:20.000Z","size":1089,"stargazers_count":7,"open_issues_count":2,"forks_count":4,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-01-14T15:18:19.261Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/f5devcentral.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"code_of_conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-06-25T14:53:11.000Z","updated_at":"2023-04-24T23:41:35.000Z","dependencies_parsed_at":"2022-08-28T13:20:23.477Z","dependency_job_id":null,"html_url":"https://github.com/f5devcentral/volterra-azure-sca","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Fvolterra-azure-sca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Fvolterra-azure-sca/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Fvolterra-azure-sca/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f5devcentral%2Fvolterra-azure-sca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/f5devcentral","download_url":"https://codeload.github.com/f5devcentral/volterra-azure-sca/tar
.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241844521,"owners_count":20029666,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T20:13:21.979Z","updated_at":"2025-03-04T12:19:49.486Z","avatar_url":"https://github.com/f5devcentral.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Volterra Azure Secure Cloud Gateway (SCA/SCG)\n\nVolterra version of SCA/SCCA/SACA.  What is that?  An example of a Secure Cloud Architecture using Volterra for Multi-Cloud Networking deployment of Cloud based Services via Volterra Application Delivery Network, with hardening BIG-IP Service Insertion (Azure PAYG BEST; AFM,ASM,APM,LTM) publishing ELK and small demo applications.  The goal of this solution is to provide a working demonstration and prototyping lab for anyone.\n\n\u003c!--TOC--\u003e\n\n- [Volterra Azure Secure Cloud Gateway (SCA/SCG)](#volterra-azure-secure-cloud-gateway-scascg)\n  - [To do](#to-do)\n  - [Requirements](#requirements)\n  - [Providers](#providers)\n  - [Modules](#modules)\n  - [Resources](#resources)\n  - [Inputs](#inputs)\n  - [Outputs](#outputs)\n  - [Deployment](#deployment)\n  - [Troubleshooting](#troubleshooting)\n\n\u003c!--TOC--\u003e\n\n## To do\n\n- hardcoded IP values for testing, fix.\n- flip elastic transport to tcp vs http\n- flip logstash_beats to tcp vs http\n- mgmt partition is leftover from SACA, can destroy.\n- Azure Key Vaults takes 2m to provision. 
\"module.azure.azurerm_key_vault.keyvault: Creation complete after 2m5s\"\n  - Doesn't work with runtime-init for some reason, troubleshoot later.\n\n![Rough Diagram](/images/sce-azure.png)\n\n\u003c!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 0.13 |\n| \u003ca name=\"requirement_azurerm\"\u003e\u003c/a\u003e [azurerm](#requirement\\_azurerm) | ~\u003e 2.30.0 |\n| \u003ca name=\"requirement_http\"\u003e\u003c/a\u003e [http](#requirement\\_http) | 2.1.0 |\n| \u003ca name=\"requirement_volterrarm\"\u003e\u003c/a\u003e [volterrarm](#requirement\\_volterrarm) | 0.7.0 |\n\n## Providers\n\nNo providers.\n\n## Modules\n\n| Name | Source | Version |\n|------|--------|---------|\n| \u003ca name=\"module_util\"\u003e\u003c/a\u003e [util](#module\\_util) | ./util | n/a |\n| \u003ca name=\"module_azure\"\u003e\u003c/a\u003e [azure](#module\\_azure) | ./azure | n/a |\n| \u003ca name=\"module_volterra\"\u003e\u003c/a\u003e [volterra](#module\\_volterra) | ./volterra | n/a |\n| \u003ca name=\"module_firewall\"\u003e\u003c/a\u003e [firewall](#module\\_firewall) | ./firewall | n/a |\n| \u003ca name=\"module_applications\"\u003e\u003c/a\u003e [applications](#module\\_applications) | ./applications | n/a |\n\n## Resources\n\nNo resources.\n\n## Inputs\n\n| Name | Description | Type | Default |\n|------|-------------|------|---------|\n| \u003ca name=\"input_tenant_name\"\u003e\u003c/a\u003e [tenant\\_name](#input\\_tenant\\_name) | REQUIRED:  This is your Volterra Tenant Name:  https://\u003ctenant\\_name\u003e.console.ves.volterra.io/api | `string` | `\"f5-sa\"` |\n| \u003ca name=\"input_adminUserName\"\u003e\u003c/a\u003e [adminUserName](#input\\_adminUserName) | REQUIRED: Admin Username for All systems | `string` | `\"xadmin\"` |\n| \u003ca name=\"input_namespace\"\u003e\u003c/a\u003e 
[namespace](#input\\_namespace) | REQUIRED:  This is your Volterra Namespace | `string` | `\"m-coleman\"` |\n| \u003ca name=\"input_api_cert\"\u003e\u003c/a\u003e [api\\_cert](#input\\_api\\_cert) | REQUIRED:  This is the path to the Volterra API Key.  See https://volterra.io/docs/how-to/user-mgmt/credentials | `string` | `\"./creds/api2.cer\"` |\n| \u003ca name=\"input_location\"\u003e\u003c/a\u003e [location](#input\\_location) | REQUIRED: Azure Region: usgovvirginia, usgovarizona, etc. For a list of available locations for your subscription use `az account list-locations -o table` | `string` | `\"canadacentral\"` |\n| \u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name) | REQUIRED:  This is name for your deployment | `string` | `\"m-coleman\"` |\n| \u003ca name=\"input_api_url\"\u003e\u003c/a\u003e [api\\_url](#input\\_api\\_url) | REQUIRED:  This is your Volterra Namespace | `string` | `\"https://f5-sa.console.ves.volterra.io/api\"` |\n| \u003ca name=\"input_region\"\u003e\u003c/a\u003e [region](#input\\_region) | Azure Region: US Gov Virginia, US Gov Arizona, etc | `string` | `\"Canada Central\"` |\n| \u003ca name=\"input_sshPublicKey\"\u003e\u003c/a\u003e [sshPublicKey](#input\\_sshPublicKey) | OPTIONAL: ssh public key for instances | `string` | `\"\"` |\n| \u003ca name=\"input_api_p12_file\"\u003e\u003c/a\u003e [api\\_p12\\_file](#input\\_api\\_p12\\_file) | REQUIRED:  This is the path to the Volterra API Key.  See https://volterra.io/docs/how-to/user-mgmt/credentials | `string` | `\"./creds/f5-sa.console.ves.volterra.io.api-creds.p12\"` |\n| \u003ca name=\"input_sshPublicKeyPath\"\u003e\u003c/a\u003e [sshPublicKeyPath](#input\\_sshPublicKeyPath) | OPTIONAL: ssh public key path for instances | `string` | `\"./creds/id_rsa.pub\"` |\n| \u003ca name=\"input_api_key\"\u003e\u003c/a\u003e [api\\_key](#input\\_api\\_key) | REQUIRED:  This is the path to the Volterra API Key.  
See https://volterra.io/docs/how-to/user-mgmt/credentials | `string` | `\"./creds/api.key\"` |\n| \u003ca name=\"input_volterra_tf_action\"\u003e\u003c/a\u003e [volterra\\_tf\\_action](#input\\_volterra\\_tf\\_action) | n/a | `string` | `\"apply\"` |\n| \u003ca name=\"input_delegated_dns_domain\"\u003e\u003c/a\u003e [delegated\\_dns\\_domain](#input\\_delegated\\_dns\\_domain) | n/a | `string` | `\"ves.dimensionc-132.com\"` |\n| \u003ca name=\"input_azure_client_id\"\u003e\u003c/a\u003e [azure\\_client\\_id](#input\\_azure\\_client\\_id) | n/a | `string` | `\"\"` |\n| \u003ca name=\"input_azure_client_secret\"\u003e\u003c/a\u003e [azure\\_client\\_secret](#input\\_azure\\_client\\_secret) | n/a | `string` | `\"\"` |\n| \u003ca name=\"input_azure_tenant_id\"\u003e\u003c/a\u003e [azure\\_tenant\\_id](#input\\_azure\\_tenant\\_id) | n/a | `string` | `\"\"` |\n| \u003ca name=\"input_azure_subscription_id\"\u003e\u003c/a\u003e [azure\\_subscription\\_id](#input\\_azure\\_subscription\\_id) | n/a | `string` | `\"\"` |\n| \u003ca name=\"input_gateway_type\"\u003e\u003c/a\u003e [gateway\\_type](#input\\_gateway\\_type) | n/a | `string` | `\"INGRESS_EGRESS_GATEWAY\"` |\n| \u003ca name=\"input_fleet_label\"\u003e\u003c/a\u003e [fleet\\_label](#input\\_fleet\\_label) | n/a | `string` | `\"fleet_label\"` |\n| \u003ca name=\"input_cidr\"\u003e\u003c/a\u003e [cidr](#input\\_cidr) | REQUIRED: VNET Network CIDR | `string` | `\"10.90.0.0/16\"` |\n| \u003ca name=\"input_azure_subnets\"\u003e\u003c/a\u003e [azure\\_subnets](#input\\_azure\\_subnets) | REQUIRED: Subnet CIDRs | `map(string)` | \u003cpre\u003e{\u003cbr\u003e  \"application\": \"10.90.10.0/24\",\u003cbr\u003e  \"external\": \"10.90.1.0/24\",\u003cbr\u003e  \"inspect_ext\": \"10.90.3.0/24\",\u003cbr\u003e  \"inspect_int\": \"10.90.4.0/24\",\u003cbr\u003e  \"internal\": \"10.90.2.0/24\",\u003cbr\u003e  \"management\": \"10.90.0.0/24\"\u003cbr\u003e}\u003c/pre\u003e |\n| \u003ca name=\"input_f5_mgmt\"\u003e\u003c/a\u003e 
[f5\\_mgmt](#input\\_f5\\_mgmt) | F5 BIG-IP Management IPs.  These must be in the management subnet. | `map(string)` | \u003cpre\u003e{\u003cbr\u003e  \"f5vm01mgmt\": \"10.90.0.14\",\u003cbr\u003e  \"f5vm02mgmt\": \"10.90.0.15\"\u003cbr\u003e}\u003c/pre\u003e |\n| \u003ca name=\"input_f5_t1_ext\"\u003e\u003c/a\u003e [f5\\_t1\\_ext](#input\\_f5\\_t1\\_ext) | Tier 1 BIG-IP External IPs.  These must be in the external subnet. | `map(string)` | \u003cpre\u003e{\u003cbr\u003e  \"f5vm01ext\": \"10.90.2.14\",\u003cbr\u003e  \"f5vm01ext_fou\": \"10.90.2.13\",\u003cbr\u003e  \"f5vm01ext_sec\": \"10.90.2.11\",\u003cbr\u003e  \"f5vm01ext_thi\": \"10.90.2.12\"\u003cbr\u003e}\u003c/pre\u003e |\n| \u003ca name=\"input_f5_t1_int\"\u003e\u003c/a\u003e [f5\\_t1\\_int](#input\\_f5\\_t1\\_int) | Tier 1 BIG-IP Internal IPs.  These must be in the internal subnet. | `map(string)` | \u003cpre\u003e{\u003cbr\u003e  \"f5vm01int\": \"10.90.4.14\",\u003cbr\u003e  \"f5vm01int_sec\": \"10.90.4.11\"\u003cbr\u003e}\u003c/pre\u003e |\n| \u003ca name=\"input_app01ip\"\u003e\u003c/a\u003e [app01ip](#input\\_app01ip) | OPTIONAL: Example Application used by all use-cases to demonstrate functionality of deployment, must reside in the application subnet. 
| `string` | `\"10.90.10.101\"` |\n| \u003ca name=\"input_instanceType\"\u003e\u003c/a\u003e [instanceType](#input\\_instanceType) | BIGIP Instance Type, DS5\\_v2 is a solid baseline for BEST | `string` | `\"Standard_DS5_v2\"` |\n| \u003ca name=\"input_jumpinstanceType\"\u003e\u003c/a\u003e [jumpinstanceType](#input\\_jumpinstanceType) | Be careful which instance type selected, jump boxes currently use Premium\\_LRS managed disks | `string` | `\"Standard_B2s\"` |\n| \u003ca name=\"input_appInstanceType\"\u003e\u003c/a\u003e [appInstanceType](#input\\_appInstanceType) | Demo Application Instance Size | `string` | `\"Standard_DS3_v2\"` |\n| \u003ca name=\"input_image_name\"\u003e\u003c/a\u003e [image\\_name](#input\\_image\\_name) | REQUIRED: BIG-IP Image Name.  'az vm image list --output table --publisher f5-networks --location [region] --offer f5-big-ip --all'  Default f5-bigip-virtual-edition-1g-best-hourly is PAYG Image.  For BYOL use f5-big-all-2slot-byol | `string` | `\"f5-bigip-virtual-edition-1g-best-hourly\"` |\n| \u003ca name=\"input_product\"\u003e\u003c/a\u003e [product](#input\\_product) | REQUIRED: BYOL = f5-big-ip-byol, PAYG = f5-big-ip-best | `string` | `\"f5-big-ip-best\"` |\n| \u003ca name=\"input_bigip_version\"\u003e\u003c/a\u003e [bigip\\_version](#input\\_bigip\\_version) | REQUIRED: BIG-IP Version.  Note: verify available versions before using as images can change. 
| `string` | `\"latest\"` |\n| \u003ca name=\"input_licenses\"\u003e\u003c/a\u003e [licenses](#input\\_licenses) | BIGIP Setup Licenses are only needed when using BYOL images | `map(string)` | \u003cpre\u003e{\u003cbr\u003e  \"license1\": \"\",\u003cbr\u003e  \"license2\": \"\",\u003cbr\u003e  \"license3\": \"\",\u003cbr\u003e  \"license4\": \"\"\u003cbr\u003e}\u003c/pre\u003e |\n| \u003ca name=\"input_hosts\"\u003e\u003c/a\u003e [hosts](#input\\_hosts) | n/a | `map(string)` | \u003cpre\u003e{\u003cbr\u003e  \"host1\": \"f5vm01\",\u003cbr\u003e  \"host2\": \"f5vm02\"\u003cbr\u003e}\u003c/pre\u003e |\n| \u003ca name=\"input_dns_server\"\u003e\u003c/a\u003e [dns\\_server](#input\\_dns\\_server) | REQUIRED: Default is set to Azure DNS. | `string` | `\"168.63.129.16\"` |\n| \u003ca name=\"input_asm_policy\"\u003e\u003c/a\u003e [asm\\_policy](#input\\_asm\\_policy) | REQUIRED: ASM Policy.  Examples:  https://github.com/f5devcentral/f5-asm-policy-templates.  Default: OWASP Ready Autotuning | `string` | `\"https://raw.githubusercontent.com/f5devcentral/f5-asm-policy-templates/master/owasp_ready_template/owasp-auto-tune-v1.1.xml\"` |\n| \u003ca name=\"input_ntp_server\"\u003e\u003c/a\u003e [ntp\\_server](#input\\_ntp\\_server) | n/a | `string` | `\"time.nist.gov\"` |\n| \u003ca name=\"input_timezone\"\u003e\u003c/a\u003e [timezone](#input\\_timezone) | n/a | `string` | `\"UTC\"` |\n| \u003ca name=\"input_onboard_log\"\u003e\u003c/a\u003e [onboard\\_log](#input\\_onboard\\_log) | n/a | `string` | `\"/var/log/startup-script.log\"` |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | Environment tags for objects | `map(string)` | \u003cpre\u003e{\u003cbr\u003e  \"application\": \"f5app\",\u003cbr\u003e  \"costcenter\": \"f5costcenter\",\u003cbr\u003e  \"creator\": \"Terraform\",\u003cbr\u003e  \"delete\": \"True\",\u003cbr\u003e  \"environment\": \"azure\",\u003cbr\u003e  \"group\": \"f5group\",\u003cbr\u003e  \"owner\": \"f5owner\",\u003cbr\u003e  
\"purpose\": \"public\"\u003cbr\u003e}\u003c/pre\u003e |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_auto_tag\"\u003e\u003c/a\u003e [auto\\_tag](#output\\_auto\\_tag) | n/a |\n| \u003ca name=\"output_deployment_info\"\u003e\u003c/a\u003e [deployment\\_info](#output\\_deployment\\_info) | n/a |\n\u003c!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n\n## Deployment\n\nFor deployment you can do the traditional terraform commands or use the provided scripts.\n\n```bash\n. ./prep.sh\nterraform init\nterraform plan\nterraform apply\n```\n\n## Troubleshooting\n\nAS3, DO, and runtime-init are rendered under ./debug for review.  AS3 seems to occasionally fail on the example partition, but this is easily resolved with Postman.  Working on a resolution.\n\nCurrently getting 503 from Volterra; LTM shows no traffic reaching it, so it is probably a UDR issue.  Working on a resolution.\n\n## Support\n\nFor support, please open a GitHub issue.  Note, the code in this repository is community supported and is not supported by F5 Networks.  For a complete list of supported projects please reference [SUPPORT.md](SUPPORT.md).\n\n## Community Code of Conduct\n\nPlease refer to the [F5 DevCentral Community Code of Conduct](code_of_conduct.md).\n\n## License\n\n[Apache License 2.0](LICENSE)\n\n## Copyright\n\nCopyright 2014-2020 F5 Networks Inc.\n\n### F5 Networks Contributor License Agreement\n\nBefore you start contributing to any project sponsored by F5 Networks, Inc. 
(F5) on GitHub, you will need to sign a Contributor License Agreement (CLA).\n\nIf you are signing as an individual, we recommend that you talk to your employer (if applicable) before signing the CLA since some employment agreements may have restrictions on your contributions to other projects.\nOtherwise by submitting a CLA you represent that you are legally entitled to grant the licenses recited therein.\n\nIf your employer has rights to intellectual property that you create, such as your contributions, you represent that you have received permission to make contributions on behalf of that employer, that your employer has waived such rights for your contributions, or that your employer has executed a separate CLA with F5.\n\nIf you are signing on behalf of a company, you represent that you are legally entitled to grant the license recited therein.\nYou represent further that each employee of the entity that submits contributions is authorized to submit such contributions on behalf of the entity pursuant to the CLA.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff5devcentral%2Fvolterra-azure-sca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ff5devcentral%2Fvolterra-azure-sca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff5devcentral%2Fvolterra-azure-sca/lists"}