Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Exporting and importing ASM/AWAF security policies with Ansible and Terraform

Problem this snippet solves:   This ansible playbook and Terraform TF file can be ised to copy the test ASM policy from the dev/preproduction environment to the production environment as this is ...
Updated Dec 23, 2022
Version 5.0
Ansible
ASM Advanced WAF
big-ip
devops
security
Nikoolayy1's avatar
Icon for MVP rankMVP
NGFW and WAF Tech Expert with more than 5 years of experience in the field of Cybersecurity, Automation, Orchestration and over 10 years in IT.
View Profile
Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Aug 02, 2021

Example of using seperate plays to first play delete the old local asm policy file and then just for group "bigip" the second play exports and imports the ASM policy. If you are using different F5 devices for production and preproduction then just make different host groups and seperate plays (in one play for preprod that exports and one play for prod that imports the ASM policy).

 

 

---

 

- name: Deliting old files

 hosts: all

 connection: local

 

 

 vars_prompt:

 

   - name: asm_policy

     prompt: What is the name of the ASM policy?

     private: no

 

 

 tasks:

 

 

  - name: Ansible delete file example

    file:

      path: "/home/niki/asm_policy/{{ asm_policy }}"

      state: absent

    when: inventory_hostname in groups['internal']

 

  - set_fact: "asm_fact={{ asm_policy }}"

 

 

- name: Import and export the ASM policy

 hosts: bigip

 connection: local

 become: yes

 

 

 vars:

   provider:

     password: "{{ bigip_password }}"

     server: "{{ ansible_host }}"

     user: "{{ bigip_username }}"

     validate_certs: no

     server_port: 443

 

 

 

 tasks:

 

 

  - name: Export policy in XML format

    bigip_asm_policy_fetch:

      name: "{{ asm_fact }}_preprod"

      file: "{{ asm_fact }}"

      dest: /home/niki/asm_policy/

      binary: yes

      provider: "{{ provider }}"

 

 

  - name: Override existing ASM policy

    bigip_asm_policy_import:

      name: "{{ asm_fact }}_prod"

      source: "/home/niki/asm_policy/{{ asm_fact }}"

      force: yes

      provider: "{{ provider }}"

 

    notify:

       - Save the running configuration to disk

 

 

  - name: Task - deactivate policy

    bigip_asm_policy_manage:

        name: "{{ asm_fact }}_prod"

        state: present

        provider: "{{ provider }}"

        active: no

 

 

  - name: Task - activate policy

    bigip_asm_policy_manage:

        name: "{{ asm_fact }}_prod"

        state: present

        provider: "{{ provider }}"

        active: yes

 

 handlers:

    - name: Save the running configuration to disk

      bigip_config:

       save: yes

       provider: "{{ provider }}"

 

 

 

 

 

 

 

Another way to share the policy name variable between hosts again with facts is using a dummy host to attach it and this way you don't need to use "all" in the first play to attach the fact under all the hosts.

 

 

 

 

 

 

 

---

 

- name: Deliting old files

 hosts: internal

 connection: local

 

 

 vars_prompt:

 

   - name: asm_policy

     prompt: What is the name of the ASM policy?

     private: no

 

 

 tasks:

 

 

  - name: Ansible delete file example

    file:

      path: "/home/niki/asm_policy/{{ asm_policy }}"

      state: absent

 

 

  - name: set a variable

    set_fact:

       shared_variable: "{{ asm_policy }}"

  - name: add variables to dummy host

    add_host:

       name: "variable_holder"

       shared_variable: "{{ shared_variable }}"

 

 

- name: Import and export the ASM policy

 hosts: bigip

 connection: local

 become: yes

 

 

 vars:

   asm_fact: "{{ hostvars['variable_holder']['shared_variable'] }}"

   provider:

     password: "{{ bigip_password }}"

     server: "{{ ansible_host }}"

     user: "{{ bigip_username }}"

     validate_certs: no

     server_port: 443