For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sarlindo's avatar
sarlindo
Icon for Altostratus rankAltostratus
Jan 27, 2021
Solved

F5 APM/LTM Ansible module - which to use for changing apm access profile attached to VS?

I would like to use the ansible f5 modules to basically remove or add an access policy attached to a virtual server list. Which ansible f5 module would I use for that?

 

 

Would it be the bigip_asm_policy module? If so, I don't see where I see the association with the virtual servers access policy drop down list in the GUI.

 

 bigip_asm_policy:

      name: "{{ ans_f5_access_profile }}"

      partition: "{{ ans_f5_partition }}"

      active: yes

      state: present

      provider:

        server: "{{ ans_f5_endpoint_url }}"

        user: "{{ ans_f5_userid }}"

        password: "{{ ans_f5_password }}"

        validate_certs: no

 

 

Ansible
BIG-IP
BIG-IP Access Policy Manager (APM)
devops
  • Dario_Garrido's avatar
    Dario_Garrido
    Jan 29, 2021

    Hello Sarlindo.

    As I said in my previous response :-), 'profiles' option is a 'replace-all-with' action, so you have to introduce a complete list of profiles to assign on the VS.

    In the documentation states this:

    "List of profiles (HTTP, ClientSSL, ServerSSL, etc) to apply to both sides of the connection (client-side and server-side) ... If you want to remove a profile from the list of profiles currently active on the virtual, simply remove it from the profiles list".

    Conclusion:

    • With AP profile: {{ tcp http myaccess-prof }}
    • Without AP profile: {{ tcp http }}

    So, your variable "ans_f5_access_profile" should be a complete list with all the profiles assigned to the VS.

    If this was helpful, I will appreciate if you mark my answer as 'the best' to help other people to find it ;-).

     

    Regards,

    Dario.

8 Replies

  • Dario_Garrido's avatar
    Dario_Garrido
    Icon for Noctilucent rankNoctilucent
    Jan 28, 2021

    Hello Sarlindo.

     

    You should use bigip_virtual_server and attach your access profile as a regular profile.

    https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/bigip_virtual_server_module.html

     

    This is the complete list of Ansible modules available.

    https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/module_index.html

     

    Regards,

    Dario.

    • sarlindo's avatar
      sarlindo
      Icon for Altostratus rankAltostratus
      Jan 28, 2021

      Hello Dario,

       

      Thanks for this, so I should use something like the following to attach the profile I want? And to detach the profile I assume I need to use the "state: absent" ?

       

       - name: Attach policy to VS

          bigip_virtual_server:

            state: present

            partition: "{{ ans_f5_partition }}"

            name: "{{ ans_f5_virtual_server }}"

            profiles:

              - "{{ ans_f5_access_profile }}"

            provider:

              server: "{{ ans_f5_endpoint_url }}"

              user: "{{ ans_f5_userid }}"

              password: "{{ ans_f5_password }}"

              validate_certs: no

       

      • Dario_Garrido's avatar
        Dario_Garrido
        Icon for Noctilucent rankNoctilucent
        Jan 28, 2021

        Just ommit this 'state' option.

         

        Please, let me know if everything works as expected.

         

        Regards,

        Dario.