IPAM_Application.yaml

---
name: IPAM_Application
version: "2.2.7"
namespace: com.One2Any.stylebooks
display-name: "IPAM StyleBook"
description: "IPAM allocated vserver configuration, L7 HTTP Monitor, Service Group, and servers. Corresponding CS vserver for Host header based HTTP to HTTPS redirection. "
schema-version: "1.0"
author: "R Davis"

# Example of what it does:
#
# add serviceGroup IPAM_<name>-svcgrp HTTP 
# add lb vserver IPAM_<name> SSL 192.168.200.59 443 -persistenceType COOKIEINSERT -lbMethod ROUNDROBIN -httpProfileName nshttp_default_strict_validation
# add responder action IPAM_<name>_TLS_redirect redirect "\"https://\"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL.PATH_AND_QUERY" -comment ADMAutomated -responseStatusCode 301
# add responder policy IPAM_<name>_TLS_redirect true IPAM_<name>_TLS_redirect
# bind lb vserver IPAM_<name> IPAM_<name>-svcgrp
# bind lb vserver IPAM_<name>_TLS_redirect IPAM_<name>-svcgrp
# bind lb vserver IPAM_<name>_TLS_redirect -policyName IPAM_<name>_TLS_redirect -priority 10 -gotoPriorityExpression END -type REQUEST
# add lb monitor IPAM_<name>-http-mon HTTP -respCode 200 -httpRequest "GET /"
# bind serviceGroup IPAM_<name>-svcgrp <ip_addr> <port>
# bind serviceGroup IPAM_<name>-svcgrp -monitorName IPAM_<name>-http-mon
# set ssl vserver IPAM_<name> -sslProfile ns_default_ssl_profile_secure_frontend
#
#
# ADM version: 13.0.47.22
# ADC version: 13.0.52.24
#
# 2.2   20 OCT 2020
# -  IPAM Network uses drop-down list rather then specifying a network   
# -  Profile support for SSL, HTTP
# -  SSL Certificate defined
# -  "redirect_http_to_https" responder policy defined 
# 2.0   09 APR 2020
# - trofs for health montoring
# - enable/disable server is not allowed.  
# - Custom port for servers.
# 1.0   31 MAR 2020
# - SSL/HTTP service type depends on vserver listening port 443/80.
# - Server ip and or names can specified
# - Server names without IP addresses are created as domain based servers
# - Advanced ssl component are: ssl3 DISABLED, tls11 DISABLED
# - Client-ip http header insertion
# - Intelligently changes monitor type from http and http-ecv when a receive string is specified
# -	HTTP type vserver, which relies on the Content Switching Policy
# -	80 to 443 redirect should be done on Content Switch
# -	Defaults to Cookie Insert persistency
# -	Defaults to Roundrobin load balancing algorithm
# -	Service Group Servers can be port 80 or encrypted 443
# -	HTTP health monitor with options for custom headers and send strings
# -	Health monitor changes to secure/non-secure depending on server port selection  
# - WebInsight is enabled by default.

import-stylebooks:
  -
    namespace: netscaler.nitro.config
    version: "11.1"
    prefix: ns
substitutions:
  prefix: "IPAM_"  
  encrypt:
    true: "YES"
    false: "NO"
  servicetype:
    true: "SSL"
    false: "HTTP"
parameters:
  -
    key: true  
    name: name
    type: string
    label: Application FQDN
    description: |
      Name of the application configuration.
      This is a mandatory argument.  Maximum Length: 127 
    pattern: "^[A-z_][ A-z0-9_#.:@=-]+"
    max-length: 120
    required: true
  -
    name: virtual-ip
    label: "Virtual IP Address"
    description: 
    type: ipaddress
    dynamic-allocation: true
    required: true
  -
    name: lb-alg
    type: string
    label: LoadBalancing Algorithm
    description: Choose the loadbalancing algorithm (method) used for loadbalancing client requests between the application servers.
    allowed-values:
     - SRCIPSRCPORTHASH
     - ROUNDROBIN
     - LEASTCONNECTION
    default: ROUNDROBIN
  -
    name: persistence
    label: "Load Balanced App Persistence Type"
    description: "Persistence type used for members of this pool"
    type: string
    allowed-values: 
      - NONE
      - SOURCEIP
      - COOKIEINSERT
      - SRCIPDESTIP
      - DESTIP
    default: COOKIEINSERT
  - 
    name: ssl-settings
    label: Virtual IP Security Settings
    type: object
    required: true
    gui: 
      collapse_pane: true
    parameters:
      -
        name: certkey-name
        label: SSL Certificate Keypair Name
        description: |
          The name of the certificate key pair binding.
        type: string          
        default: "wildcard.example.com"
        required: true  
      -
        name: ssl-profile-name
        label: Frontend SSL Profile
        description: |
          The name of the Profile where client-side enterprise SSL/TLS settings are defined. 
        type: string
        default: "ns_default_ssl_profile_secure_frontend"
        required: true
      -
        name: ssl-profile-backend-name
        label: Backend SSL Profile
        description: |
          The name of the Profile where enterprise server-side SSL/TLS settings are defined. 
        type: string
        #default: "ns_default_ssl_profile_secure_frontend"
        allowed-values: 
          - ns_default_ssl_profile_secure_backend
        required: false
      -
        name: http-profile-name
        label: HTTP Profile
        description: |
          The name of the Profile where enterprise HTTP settings are defined. 
        type: string
        default: "nshttp_default_strict_validation"
        required: true                    
  -
    name: svc-port
    type: tcp-port
    label: Application Server Port
    description: The TCP port open on the Application Servers to receive requests.  Value cannot be changed later.
    updatable: false
    default: 443
  -
    name: secure
    type: boolean
    label: Server Encrypts
    description: Does the application server port use TLS encryption?  Value cannot be changed later. 
    updatable: false
    default: true
  -
    name: svc-servers
    label: Application Servers
    type: object[]
    parameters:
      -
        name: ip
        type: ipaddress
        label: Application Server IP Address*
        description: Never omit the IP address unless the server uses dynamic host protocol assigned addresses and the names are resolvable.
        required: false
        parameters:
      -
        name: name
        type: string
        label: Application Server DNS Name
        description: |
          The fully qualified name of the application server.
        required: false
  -
    name: http-monitor
    label: Web Server Monitor Setting
    type: object
    required: true
    gui: 
      collapse_pane: true 
    parameters:
      -
        name: httprequest
        label: "HTTP Request"
        description: | 
          HTTP Request sent to the web servers.
          Will check for a response code 200 when both Expected Response and TROFS 
          Response are left blank.  
          All response codes are valid when an Expected Response is defined.  
          All response codes are valid when a TROFS Response is defined but Expected Response is blank. 
          Do not use a TROFS response without defining an Expected Response.
        type: string
        default: "GET /"
        required: false
        max-length: 151
      -
        name: customheaders
        label: "Custom HTTP Headers"
        description: | 
          Custom HTTP Headers to send in monitor probe requests.
          Use \r\n at the end of the header and as a seperator
          for multiple headers.
          Requires ADM 12.1.50.0 or newer.
        type: string
        max-length: 163
      -
        name: recv
        label: "Expected Response"
        description: |
          A string in the HTTP Response Body expected back from the web server.
          All response codes are valid when an Expected Response is defined.    
           
        type: string
        max-length: 127
      -
        name: trofs_string
        label: "TROFS Response String"
        description: |
          Use only when an Expected Response is also used.
          When Expected Response is blank and TROFS is used, all http response codes are valid.  
          A Transition out of service (TROFS) string in the 
          HTTP Response Body triggers a graceful shutdown of the server.  
          CTX219926
          MaxLength = 127
        type: string
        max-length: 127
  -
    name: analytics
    label: Web Application Insight Logging
    type: boolean
    default: "YES"
components:
  -
    # SSL vServer
    name: lbvserver-comp
    type: ns::lbvserver
    properties:
      name: $substitutions.prefix + $parameters.name
      servicetype: SSL
      port: 443
      #redirectfromport: 80
      ipv46: $parameters.virtual-ip
      lbmethod: $parameters.lb-alg
      persistencetype: $parameters.persistence
      httpprofilename: $parameters.ssl-settings.http-profile-name  #"nshttp_default_strict_validation"   
    components:
      -
        name: sslvserver_sslcertkey_binding-comp
        type: ns::sslvserver_sslcertkey_binding
        properties:
          vservername: $parent.properties.name
          certkeyname: $parameters.ssl-settings.certkey-name 
        # Bind existing SSL certkey pair "wildcard.example.com"
        #Ref: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslvserver_sslcertkey_binding/
      -
        name: sslvserver-comp
        type: ns::sslvserver
        properties:
          vservername: $parent.properties.name
          sslprofile: $parameters.ssl-settings.ssl-profile-name 
        # Add HTTP Profile "nshttp_default_strict_validation"
        #Ref: https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/ssl/sslprofile_binding/      
      -
        name: svcg-comp
        type: ns::servicegroup
        properties:
          servicegroupname: $substitutions.prefix + $parameters.name + "-svcgrp"
          servicetype: $substitutions.servicetype[$parameters.secure]
          cip: "ENABLED"
          cipheader: "client-ip"
        components:        
          -
            name: lbvserver-svg-binding-comp
            type: ns::lbvserver_servicegroup_binding
            properties:
              name: $parent.parent.properties.name
              servicegroupname: $parent.properties.servicegroupname
          -
            name: members-svcg-server-domain-comp
            type: ns::server
            repeat: $parameters.svc-servers
            repeat-item: servers
            repeat-condition: $servers.name and not $servers.ip  
            properties:
              name: $servers.name
              domain: $servers.name
            components:
              -
                name: members-svcg-bind-dnsserver-comp
                type: ns::servicegroup_servicegroupmember_binding
                properties:
                  servername: $parent.properties.name
                  port: $parameters.svc-port
                  servicegroupname: $parent.parent.properties.servicegroupname
          -
            name: members-svcg-server-comp
            type: ns::server
            repeat: $parameters.svc-servers
            repeat-item: servers
            repeat-condition: $servers.name and $servers.ip
            properties:
              name: $servers.name
              ipaddress: $servers.ip
            components:
              -
                name: members-svcg-bind-namedserver-comp
                type: ns::servicegroup_servicegroupmember_binding
                properties:
                  servername: $parent.properties.name
                  port: $parameters.svc-port
                  servicegroupname: $parent.parent.properties.servicegroupname
          -
            name: members-svcg-serverip-comp
            type: ns::server
            repeat: $parameters.svc-servers
            repeat-item: servers
            repeat-condition: not $servers.name and $servers.ip
            properties:
              name: str($servers.ip)
              ipaddress: $servers.ip
            components:
              -
                name: members-svcg-bind-ipserver-comp
                type: ns::servicegroup_servicegroupmember_binding
                properties:
                  servername: $parent.properties.name
                  port: $parameters.svc-port
                  servicegroupname: $parent.parent.properties.servicegroupname
                  #Ref: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup_servicegroupmember_binding/
  -
    # HTTP Redirect CS vserver
    name: csvserver-80-comp
    type: ns::csvserver
    properties:
      name: $substitutions.prefix + $parameters.name + "_TLS_redirect"
      servicetype: HTTP
      ipv46: $parameters.virtual-ip
      port: 80
    #Ref: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/content-switching/csvserver/
    components:
      -
        name: responderaction-comp
        type: ns::responderaction
        properties:
          name: $parent.properties.name
          type:  redirect
          target?: str("\"https://\"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL.PATH_AND_QUERY")
          comment?: "ADM Automated"
          responsestatuscode?: 301
        #Ref: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/responder/responderaction/
      -
        name: responderpolicy-comp
        type: ns::responderpolicy
        properties:
          name: $parent.properties.name
          rule: str("true")
          action: $parent.properties.name
        #Ref: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/responder/responderpolicy/
      -
        # Redirect 80 to 443
        name: lbvserver_rewritepolicy_binding-comp
        type: ns::lbvserver_rewritepolicy_binding
        properties:
          #bindpoint?: REQUEST
          name: $parent.properties.name
          policyname: $parent.properties.name
          priority: 10
          #labeltype?: reqvserver
        #Ref: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver_rewritepolicy_binding/    
  -
    name: monitors-comp
    type: object
    components:
      -
        name: monitor-ecv-comp
        type: ns::lbmonitor
        condition: $parameters.http-monitor.recv or $parameters.http-monitor.trofs_string
        properties:
          monitorname: $substitutions.prefix + $parameters.name + "-ecv-mon"
          type: str(HTTP-ECV)
          secure: $substitutions.encrypt[$parameters.secure] 
          customheaders?: $parameters.http-monitor.customheaders
          send?: $parameters.http-monitor.httprequest
          recv?: $parameters.http-monitor.recv
          trofsstring?: $parameters.http-monitor.trofs_string
        components:
          -
           name: monitor-ecv-bind-comp
           type: ns::servicegroup_lbmonitor_binding
           properties:
             servicegroupname: $substitutions.prefix + $parameters.name + "-svcgrp"
             monitor_name: $substitutions.prefix + $parameters.name + "-ecv-mon"
      -
        name: monitor-http-comp
        type: ns::lbmonitor
        condition: not $parameters.http-monitor.recv and not $parameters.http-monitor.trofs_string
        properties:
          monitorname: $substitutions.prefix + $parameters.name + "-http-mon"
          type: str(HTTP)
          secure: $substitutions.encrypt[$parameters.secure]
          httprequest?: $parameters.http-monitor.httprequest
          customheaders?: $parameters.http-monitor.customheaders 
          sslprofile?: if-then-else($parameters.secure and $parameters.ssl-settings.ssl-profile-backend-name, $parameters.ssl-settings.ssl-profile-backend-name)
        components:
          -
           name: monitor-http-bind-comp
           type: ns::servicegroup_lbmonitor_binding
           properties:
             servicegroupname: $substitutions.prefix + $parameters.name + "-svcgrp"
             monitor_name: $substitutions.prefix + $parameters.name + "-http-mon"
operations:
  analytics:
    -
      name: lbvserver-ops
      condition: $parameters.analytics == true
      properties:
        target: $components.lbvserver-comp
        filter: "true"
        insights:
          -
            type: webinsight    
outputs:
  -
    name: lbvserver-comp
    value: $components.lbvserver-comp.properties.name
    description: The component that builds the Nitro lbvserver configuration
  -
    name: monitors-comp
    value: $components.monitors-comp
    description: The component that builds and updates the health monitors