
F5 APM/LTM Ansible module - which to use for changing apm access profile attached to VS?

sarlindo
Altostratus

I would like to use the ansible f5 modules to basically remove or add an access policy attached to a virtual server list. Which ansible f5 module would I use for that?

 

 

Would it be the bigip_asm_policy module? If so, I don't see where I see the association with the virtual servers access policy drop down list in the GUI.

 

    bigip_asm_policy:
      name: "{{ ans_f5_access_profile }}"
      partition: "{{ ans_f5_partition }}"
      active: yes
      state: present
      provider:
        server: "{{ ans_f5_endpoint_url }}"
        user: "{{ ans_f5_userid }}"
        password: "{{ ans_f5_password }}"
        validate_certs: no

 

 


Hello Sarlindo.

 

You should use bigip_virtual_server and attach your access profile as a regular profile.

https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/bigip_virtual_server_module.html

 

This is the complete list of Ansible modules available.

https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/module_index.html

 

Regards,

Dario.


Hello Dario,

 

Thanks for this, so I should use something like the following to attach the profile I want? And to detach the profile I assume I need to use the "state: absent" ?

 

    - name: Attach policy to VS
      bigip_virtual_server:
        state: present
        partition: "{{ ans_f5_partition }}"
        name: "{{ ans_f5_virtual_server }}"
        profiles:
          - "{{ ans_f5_access_profile }}"
        provider:
          server: "{{ ans_f5_endpoint_url }}"
          user: "{{ ans_f5_userid }}"
          password: "{{ ans_f5_password }}"
          validate_certs: no

 

Just omit this 'state' option.

 

Please, let me know if everything works as expected.

 

Regards,

Dario.


ok so to attach profile, keep "state: present" and to detach profile just omit the state option. Is that correct?

Hello Sarlindo.

 

AFAIR, there is no need to include the 'state' option in any of those cases.

 

Including the 'profiles' option in your Ansible task is equivalent to executing this line in TMSH:

modify ltm virtual /Sistemas/vs_auro_ssl profiles replace-all-with { tcp http myaccess-prof }

If you want to remove your access profile, you should execute the same command without 'myaccess-prof'.

modify ltm virtual /Sistemas/vs_auro_ssl profiles replace-all-with { tcp http }

In the case of Ansible, you should take a similar approach.

 

If you have the chance, try it initially with a dummy VS and then go to production.

Please, let me know if everything works as expected.

 

Regards,

Dario.


Hi Dario,

 

I tried this below to attach the profile, but it doesn't seem to work and getting the error below:

 

    - name: Attach policy to VS
      bigip_virtual_server:
        partition: "{{ ans_f5_partition }}"
        name: "{{ ans_f5_virtual_server }}"
        profiles:
          - "{{ ans_f5_access_profile }}"
        provider:
          server: "{{ ans_f5_endpoint_url }}"
          user: "{{ ans_f5_userid }}"
          password: "{{ ans_f5_password }}"
          validate_certs: no

 

fatal: [dtblxapp-bancs01 -> localhost]: FAILED! => {"changed": false, "msg": "01070734:3: Configuration error: Virtual Server (/CLEARING-BM1/EXWEB.BM.XXX) has profile access attached without http profile"}

 

complaining about http profile. I just want to change the access profile attached to the VS.

Hello Sarlindo.

As I said in my previous response :-), 'profiles' option is a 'replace-all-with' action, so you have to introduce a complete list of profiles to assign on the VS.

The documentation states this:

"List of profiles (HTTP, ClientSSL, ServerSSL, etc) to apply to both sides of the connection (client-side and server-side) ... If you want to remove a profile from the list of profiles currently active on the virtual, simply remove it from the profiles list".

Conclusion:

  • With AP profile: {{ tcp http myaccess-prof }}
  • Without AP profile: {{ tcp http }}

So, your variable "ans_f5_access_profile" should be a complete list with all the profiles assigned to the VS.

If this was helpful, I would appreciate it if you mark my answer as 'the best' to help other people find it ;-).

 

Regards,

Dario.


Hi Dario,

 

Yup I just figured this out, as you mentioned you have to list all profiles so I updated to the complete list and it seems to work now. Thanks for that.

 

example:

 

    profiles:
      - rba
      - tcp
      - websecurity
      - websso
      - ASM_WAF_EXWEB_XX
      - HTTP-WITH-Strict-Transport
      - name: WILDCARD.BM.XXX
        context: client-side

 

Thanks again. I will mark it as the best answer.
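
The attach/detach pattern worked out in this thread, as an added example that is not part of any post: because `profiles` replaces the whole list, the play keeps the profiles that must always stay on the virtual server in one variable and appends the access profile only when it should be attached. It assumes `ans_f5_access_profile` holds a single profile name; `attach_access_profile`, `vs_http_profile`, `vs_base_profiles` and the sample profile names are hypothetical.

```yaml
# Added example; names other than the thread's ans_f5_* variables are hypothetical.
- name: Attach or detach an APM access profile on a virtual server
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    attach_access_profile: true      # false detaches the access profile
    vs_http_profile: http            # HTTP profile the access profile requires
    # Everything that stays on the VS in both states (constructed sample list).
    vs_base_profiles:
      - tcp
      - http
      - name: clientssl
        context: client-side
  tasks:
    - name: Stop if the list would drop the HTTP profile (avoids error 01070734)
      assert:
        that:
          - vs_http_profile in vs_base_profiles
        fail_msg: "An access profile needs an HTTP profile on the same virtual server"

    - name: Send the complete profile list (replace-all-with semantics)
      bigip_virtual_server:
        partition: "{{ ans_f5_partition }}"
        name: "{{ ans_f5_virtual_server }}"
        profiles: "{{ vs_base_profiles + ([ans_f5_access_profile] if attach_access_profile | bool else []) }}"
        provider:
          server: "{{ ans_f5_endpoint_url }}"
          user: "{{ ans_f5_userid }}"
          password: "{{ ans_f5_password }}"
          # The posts above use 'validate_certs: no', which skips TLS verification
          # of the management endpoint these credentials are sent to.
          validate_certs: yes
```

Running the play with `-e attach_access_profile=false` sends the same list without the access profile, which detaches it.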