BIG-IP ASM Automation with Ansible

My Background Back in September I started my Ansible journey, coming from no knowledge about Ansible and its automation capabilities I was asked to develop some code/playbooks to automate some of th...
Published 6 years ago
Version 1.0
Ansible
application delivery
ASM Advanced WAF
Automation
big-ip
security
series-handy-ansible-hacks
Matt_Mabis's avatar
Icon for Employee rankEmployee
I am a Senior Solutions Archtiect at F5 in Business Development. I specialize in VMware integrated solutions, Ansible automation (including F5 Automation Toolchain), and Virtual Edition performance. I have a deep background in troubleshooting. I have multiple VMware VCP Certifications including (Data Center, Desktop and Mobility and NSX)
View Profile
Matt_Bystrzak's avatar
Matt_Bystrzak
Icon for Nimbostratus rankNimbostratus
6 years ago

Thanks Matt. I am currently using ipaddr via a jinja2 template to try to build the list dynamically every time based on the existing list plus the additional entries submitted by the user.

 

It's a two part question I suppose. The ipaddr function solves the part where it's determining whether or not the IP entered is a valid IP and is NOT already in say a range that's already defined, so thanks for that. I'll have to get netaddr installed in our production environment to support this function.

 

The second part to that is maintaining an up to date version of the list in csv format for the AFM IPI function to pull in and parse. I'm attempting to do this all within jinja because of the "advanced" logic but it's becoming unwieldy(as jinja can do) and I was hoping that there was either a different approach to IPI whitelisting / blacklisting based on IP address, or some magical solution via the playbook itself where it might be cleaner. An example might be something like using a data-group on the F5 for the list of whitelisted IP addresses instead of a feedlist(or as the list itself). I think though, because I'm trying to handle file management plus error checking it's getting out of hand. Maybe I have to bust out python and do some pre-processing or something like that. I think I may have taken us down a rabbit hole and for that, I apologize.

 

Thanks!