ANSIBLE Configuration of a firewall rule list to be added on desired position in the firewall policy
The goal is to create a rule list and add it to a policy in a desired position(top, 2nd, 3rd, etc). It works but in last task: "Add rule list to Policy" it adds the rule list in the LAST LINE. I cannot find a parameter in this module (bigip_firewall_rule) to set the "rule list" position/order within the Firewall policy
Here are the playbook tasks
- name: CREATE FIREWALL RULE LIST
bigip_firewall_rule_list:
name: RLIST_1
state: present
rules:
- RULE A
- RULE B
provider: "{{ provider }}"
- name: CREATE FIREWALL RULES
bigip_firewall_rule:
parent_rule_list: RLIST_1
name: "{{ item.name }}"
state: present
protocol: "{{ item.protocol }}"
source:
- vlan: EXTERNAL
- address_list: "{{ item.source_address }}"
destination:
- address_list: "{{ item.destination_address }}"
- port_range: "{{ item.dest_port }}"
action: "{{ item.action }}"
logging: true
provider: "{{ provider }}"
with_items:
- {name: RULE A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively}
- {name: RULE B, protocol: tcp, source_address:10.20.10.2 destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively}
- name: Add rule list to Policy
bigip_firewall_rule:
parent_policy: POL-TEST1
rule_list: RLIST_1
name: RLIST_1
provider: "{{ provider }}"
Sorry for the Delayed Response, my contact i think is on PTO currently so i decided to start digging myself.
I was able to control the the location of the policy by using the following code to put it in the list in a specific spot there was a few caviats
1) I had to know the existing order of the policy to place in a specific location.
2) using the bigip_firewall_policy module will ADD and place in a specific location, however this only works if a rule_list is being added (cannot exist at the time of running the bigip_firewall_policy module) if it does it will ignore putting the rule in and then wont place it in the specific location. This is why i commented out the bigip_firewall_rule
I did also created some dummy rule_lists to just test/validate (Existing-RLISTS)Let me know if this helps
--- - hosts: f5 connection: local name: Test-Firewall gather_facts: False tasks: - name: SetFact ansible.builtin.set_fact: provider: server: "{{ ansible_host }}" user: "{{ ansible_user }}" password: "{{ ansible_ssh_pass }}" server_port: 443 validate_certs: "no" - name: CREATE FIREWALL RULE LIST f5networks.f5_modules.bigip_firewall_rule_list: name: "RLIST-1" state: present rules: - "RULE-A" - "RULE-B" provider: "{{ provider }}" delegate_to: localhost - name: CREATE FIREWALL RULES f5networks.f5_modules.bigip_firewall_rule: parent_rule_list: "RLIST-1" name: "{{ item.name }}" state: present protocol: "{{ item.protocol }}" source: - vlan: Internal - address_list: "{{ item.source_address }}" destination: - address_list: "{{ item.destination_address }}" - port_range: "{{ item.dest_port }}" action: "{{ item.action }}" logging: true provider: "{{ provider }}" with_items: - {name: RULE-A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively} - {name: RULE-B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively} delegate_to: localhost # - name: Add rule list to Policy # f5networks.f5_modules.bigip_firewall_rule: # parent_policy: "POL-TEST1" # rule_list: "RLIST-1" # name: "RLIST-1" # provider: "{{ provider }}" # delegate_to: localhost - name: Order Policy in specific order f5networks.f5_modules.bigip_firewall_policy: name: "POL-TEST1" description: test rules: - "Existing-RLIST" - "Existing-RList-2" - "RLIST-1" - "Existing-RList-3" - "Existing-RList-4" provider: "{{ provider }}" delegate_to: localhost