Exporting and importing ASM/AWAF security policies with Ansible and Terraform
Example of using separate plays: the first play deletes the old local copy of the ASM policy file, and the second play, run only against the "bigip" host group, exports and then imports the ASM policy. If you use different F5 devices for production and preproduction, make separate host groups and separate plays (one play for preprod that exports the policy and one play for prod that imports it). Two things to keep in mind with the provider settings below: `validate_certs: no` disables TLS certificate validation of the BIG-IP management interface, so prefer trusting the device certificate and leaving validation on, and `bigip_username`/`bigip_password` should come from an encrypted source such as Ansible Vault rather than plain inventory.
---
- name: Deleting old files
  hosts: all
  connection: local
  vars_prompt:
    - name: asm_policy
      prompt: What is the name of the ASM policy?
      private: no
  tasks:
    - name: Delete the old local copy of the policy export
      file:
        path: "/home/niki/asm_policy/{{ asm_policy }}"
        state: absent
      when: inventory_hostname in groups['internal']
    # set_fact runs on every host of "all", so the following play (hosts: bigip)
    # can read asm_fact directly.
    - name: Share the policy name with the next play as a fact
      set_fact:
        asm_fact: "{{ asm_policy }}"

- name: Import and export the ASM policy
  hosts: bigip
  connection: local
  # no become: the F5 modules talk to the BIG-IP REST API from the controller,
  # so sudo on the controller is not needed
  vars:
    provider:
      password: "{{ bigip_password }}"
      server: "{{ ansible_host }}"
      user: "{{ bigip_username }}"
      validate_certs: no
      server_port: 443
  tasks:
    # binary: yes exports the policy in binary (.plc) format, not XML
    - name: Export policy in binary format
      bigip_asm_policy_fetch:
        name: "{{ asm_fact }}_preprod"
        file: "{{ asm_fact }}"
        dest: /home/niki/asm_policy/
        binary: yes
        provider: "{{ provider }}"
    - name: Override existing ASM policy
      bigip_asm_policy_import:
        name: "{{ asm_fact }}_prod"
        source: "/home/niki/asm_policy/{{ asm_fact }}"
        force: yes
        provider: "{{ provider }}"
      notify:
        - Save the running configuration to disk
    # deactivate and re-activate so the imported version of the policy is applied
    - name: Task - deactivate policy
      bigip_asm_policy_manage:
        name: "{{ asm_fact }}_prod"
        state: present
        provider: "{{ provider }}"
        active: no
    - name: Task - activate policy
      bigip_asm_policy_manage:
        name: "{{ asm_fact }}_prod"
        state: present
        provider: "{{ provider }}"
        active: yes
  handlers:
    - name: Save the running configuration to disk
      bigip_config:
        save: yes
        provider: "{{ provider }}"
Another way to share the policy name between plays, again using facts, is to attach it to a dummy host with add_host; that way the first play does not need to run against "all" just to set the fact on every host, and the second play reads it from hostvars of the dummy host.
---
- name: Deleting old files
  hosts: internal
  connection: local
  vars_prompt:
    - name: asm_policy
      prompt: What is the name of the ASM policy?
      private: no
  tasks:
    - name: Delete the old local copy of the policy export
      file:
        path: "/home/niki/asm_policy/{{ asm_policy }}"
        state: absent
    - name: set a variable
      set_fact:
        shared_variable: "{{ asm_policy }}"
    # the dummy host only exists in the in-memory inventory; any extra
    # key given to add_host becomes a host variable of it
    - name: add variables to dummy host
      add_host:
        name: "variable_holder"
        shared_variable: "{{ shared_variable }}"

- name: Import and export the ASM policy
  hosts: bigip
  connection: local
  # no become: the F5 modules talk to the BIG-IP REST API from the controller
  vars:
    asm_fact: "{{ hostvars['variable_holder']['shared_variable'] }}"
    provider:
      password: "{{ bigip_password }}"
      server: "{{ ansible_host }}"
      user: "{{ bigip_username }}"
      validate_certs: no
      server_port: 443
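The two-host-group layout described in the introduction (one play exports from preprod, one imports into prod), combined with the dummy-host trick above for passing values between plays, as an added example; this is not code from the original page. The group names bigip_preprod and bigip_prod, the export_dir variable, the .xml file name and the Ansible Vault variables bigip_username and bigip_password are assumptions, and the playbook assumes the BIG-IP management certificate is trusted by the controller so TLS validation can stay on. The pre-import check refuses to overwrite the production policy when the export produced no file or an empty one.

```yaml
---
# Added example, not from the original page. Group names, export_dir,
# the .xml file name and the vault variables are assumptions.
- name: Export the ASM policy from preprod
  hosts: bigip_preprod
  connection: local
  gather_facts: no
  vars_prompt:
    - name: asm_policy
      prompt: What is the name of the ASM policy?
      private: no
  vars:
    export_dir: /home/niki/asm_policy
    provider:
      server: "{{ ansible_host }}"
      server_port: 443
      user: "{{ bigip_username }}"      # from Ansible Vault (assumption)
      password: "{{ bigip_password }}"  # from Ansible Vault (assumption)
      validate_certs: yes               # keep TLS validation on
  tasks:
    - name: Remove a stale copy of the export
      file:
        path: "{{ export_dir }}/{{ asm_policy }}.xml"
        state: absent

    - name: Export the policy in XML format
      bigip_asm_policy_fetch:
        name: "{{ asm_policy }}"
        file: "{{ asm_policy }}.xml"
        dest: "{{ export_dir }}/"
        binary: no
        provider: "{{ provider }}"

    - name: Inspect the exported file on the controller
      stat:
        path: "{{ export_dir }}/{{ asm_policy }}.xml"
        checksum_algorithm: sha256
      register: exported

    - name: Abort before touching prod if the export is missing or empty
      assert:
        that:
          - exported.stat.exists
          - exported.stat.size > 0
        fail_msg: "ASM policy export for {{ asm_policy }} did not produce a usable file"

    # dummy host carries the policy name, file path and checksum to the next play
    - name: Hand the export details to the import play
      add_host:
        name: variable_holder
        asm_policy: "{{ asm_policy }}"
        export_path: "{{ export_dir }}/{{ asm_policy }}.xml"
        export_sha256: "{{ exported.stat.checksum }}"

- name: Import the ASM policy into prod
  hosts: bigip_prod
  connection: local
  gather_facts: no
  vars:
    asm_policy: "{{ hostvars['variable_holder']['asm_policy'] }}"
    export_path: "{{ hostvars['variable_holder']['export_path'] }}"
    provider:
      server: "{{ ansible_host }}"
      server_port: 443
      user: "{{ bigip_username }}"
      password: "{{ bigip_password }}"
      validate_certs: yes
  tasks:
    - name: Re-check the staged file before importing
      stat:
        path: "{{ export_path }}"
        checksum_algorithm: sha256
      register: staged

    - name: Abort if the file changed between the export and import plays
      assert:
        that:
          - staged.stat.exists
          - staged.stat.checksum == hostvars['variable_holder']['export_sha256']
        fail_msg: "{{ export_path }} does not match the export produced by the preprod play"

    - name: Override the existing prod policy with the preprod export
      bigip_asm_policy_import:
        name: "{{ asm_policy }}"
        source: "{{ export_path }}"
        force: yes
        provider: "{{ provider }}"
      notify:
        - Save the running configuration to disk

    - name: Apply the policy so the imported version is enforced
      bigip_asm_policy_manage:
        name: "{{ asm_policy }}"
        state: present
        active: yes
        provider: "{{ provider }}"
  handlers:
    - name: Save the running configuration to disk
      bigip_config:
        save: yes
        provider: "{{ provider }}"
```

Run it with `ansible-playbook -i inventory asm_policy_promote.yml --ask-vault-pass` (file name assumed). Because the checks sit in the export play, a failed or empty export stops the run before the import play ever connects to the production device.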