Forum Discussion
sarlindo
Altostratus
AltostratusF5 APM/LTM Ansible module - which to use for changing apm access profile attached to VS?
I would like to use the ansible f5 modules to basically remove or add an access policy attached to a virtual server list. Which ansible f5 module would I use for that? Would it be the bigi...
Hello Sarlindo.
​
As I said in my previous response :-), 'profiles' option is a 'replace-all-with' action, so you have to introduce a complete list of profiles to assign on the VS.
​
In the documentation states this:
"List of profiles (HTTP, ClientSSL, ServerSSL, etc) to apply to both sides of the connection (client-side and server-side) ... If you want to remove a profile from the list of profiles currently active on the virtual, simply remove it from the profiles list".
​
Conclusion:
- With AP profile: {{ tcp http myaccess-prof }}
- Without AP profile: {{ tcp http }}
​
So, your variable "ans_f5_access_profile" should be a complete list with all the profiles assigned to the VS.
​
If this was helpful, I will appreciate if you mark my answer as 'the best' to help other people to find it ;-).
Regards,
Dario.
Hello Sarlindo.
You should use bigip_virtual_server and attach your access profile as a regular profile.
https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/bigip_virtual_server_module.html
This is the complete list of Ansible modules available.
https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/module_index.html
Regards,
Dario.
sarlindoAltostratus
AltostratusHello Dario,
Thanks for this, so I should use something like the following to attach the profile I want? And to detach the profile I assume I need to use the "state: absent" ?
- name: Attach policy to VS
bigip_virtual_server:
state: present
partition: "{{ ans_f5_partition }}"
name: "{{ ans_f5_virtual_server }}"
profiles:
- "{{ ans_f5_access_profile }}"
provider:
server: "{{ ans_f5_endpoint_url }}"
user: "{{ ans_f5_userid }}"
password: "{{ ans_f5_password }}"
validate_certs: no
Just ommit this 'state' option.
Please, let me know if everything works as expected.
Regards,
Dario.
- sarlindo
ok so to attach profile, keep "state: present" and to detach profile just omit the state option. Is that correct?
Hello Sarlindo.
AFAIR, there is no need to include 'state' option in none of those cases.
When you include 'profiles' option in your ansible is equivalent to execute this line in TMSH:
modify ltm virtual /Sistemas/vs_auro_ssl profiles replace-all-with { tcp http myaccess-prof }If you want to remove your access profile, you should execute the same command without 'myaccess-prof'.
modify ltm virtual /Sistemas/vs_auro_ssl profiles replace-all-with { tcp http }In the case of Ansible, you should do a similar approach.
If you have the chance, try it initially with a dummy VS and then go to production.
Please, let me know if everything works as expected.
Regards,
Dario.
- sarlindo
Hi Dario,
I tried this below to attach the profile, but it doesn't seem to work and getting the error below:
- name: Attach policy to VS
bigip_virtual_server:
partition: "{{ ans_f5_partition }}"
name: "{{ ans_f5_virtual_server }}"
profiles:
- "{{ ans_f5_access_profile }}"
provider:
server: "{{ ans_f5_endpoint_url }}"
user: "{{ ans_f5_userid }}"
password: "{{ ans_f5_password }}"
validate_certs: no
fatal: [dtblxapp-bancs01 -> localhost]: FAILED! => {"changed": false, "msg": "01070734:3: Configuration error: Virtual Server (/CLEARING-BM1/EXWEB.BM.XXX) has profile access attached without http profile"}
complaining about http profile. I just want to change the access profile attached to the VS.
Hello Sarlindo.
​
As I said in my previous response :-), 'profiles' option is a 'replace-all-with' action, so you have to introduce a complete list of profiles to assign on the VS.
​
In the documentation states this:
"List of profiles (HTTP, ClientSSL, ServerSSL, etc) to apply to both sides of the connection (client-side and server-side) ... If you want to remove a profile from the list of profiles currently active on the virtual, simply remove it from the profiles list".
​
Conclusion:
- With AP profile: {{ tcp http myaccess-prof }}
- Without AP profile: {{ tcp http }}
​
So, your variable "ans_f5_access_profile" should be a complete list with all the profiles assigned to the VS.
​
If this was helpful, I will appreciate if you mark my answer as 'the best' to help other people to find it ;-).
Regards,
Dario.
- sarlindo
Hi Dario,
Yup I just figured this out, as you mentioned you have to list all profiles so I updated to the complete list and it seems to work now. Thanks for that.
example:
profiles:
- rba
- tcp
- websecurity
- websso
- ASM_WAF_EXWEB_XX
- HTTP-WITH-Strict-Transport
- name: WILDCARD.BM.XXX
context: client-side
Thanks again. I will mark it as the best answer.