F5 APM/LTM Ansible module - which to use for changing apm access profile attached to VS?

sarlindo · ‎27-Jan-2021

I would like to use the ansible f5 modules to basically remove or add an access policy attached to a virtual server list. Which ansible f5 module would I use for that?

Would it be the bigip_asm_policy module? If so, I don't see where I see the association with the virtual servers access policy drop down list in the GUI.

bigip_asm_policy:

partition: "{{ ans_f5_partition }}"

active: yes

state: present

provider:

server: "{{ ans_f5_endpoint_url }}"

user: "{{ ans_f5_userid }}"

password: "{{ ans_f5_password }}"

validate_certs: no

Dario_Garrido · ‎29-Jan-2021

Hello Sarlindo.

As I said in my previous response :-), 'profiles' option is a 'replace-all-with' action, so you have to introduce a complete list of profiles to assign on the VS.

In the documentation states this:

"List of profiles (HTTP, ClientSSL, ServerSSL, etc) to apply to both sides of the connection (client-side and server-side) ... If you want to remove a profile from the list of profiles currently active on the virtual, simply remove it from the profiles list".

Conclusion:

With AP profile: {{ tcp http myaccess-prof }}
Without AP profile: {{ tcp http }}

So, your variable "ans_f5_access_profile" should be a complete list with all the profiles assigned to the VS.

If this was helpful, I will appreciate if you mark my answer as 'the best' to help other people to find it ;-).

Regards,

Dario.

Regards,
Dario.

View solution in original post

Dario_Garrido · ‎27-Jan-2021

Hello Sarlindo.

You should use bigip_virtual_server and attach your access profile as a regular profile.

https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/bigip_virtual_server_module.html

This is the complete list of Ansible modules available.

https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/module_index.html

Regards,

Dario.

Regards,
Dario.

sarlindo · ‎28-Jan-2021

Hello Dario,

Thanks for this, so I should use something like the following to attach the profile I want? And to detach the profile I assume I need to use the "state: absent" ?

- name: Attach policy to VS

bigip_virtual_server:

state: present

partition: "{{ ans_f5_partition }}"

profiles:

- "{{ ans_f5_access_profile }}"

provider:

server: "{{ ans_f5_endpoint_url }}"

user: "{{ ans_f5_userid }}"

password: "{{ ans_f5_password }}"

validate_certs: no

Dario_Garrido · ‎28-Jan-2021

Just ommit this 'state' option.

Please, let me know if everything works as expected.

Regards,

Dario.

Regards,
Dario.

sarlindo · ‎28-Jan-2021

ok so to attach profile, keep "state: present" and to detach profile just omit the state option. Is that correct?

Dario_Garrido · ‎28-Jan-2021

Hello Sarlindo.

AFAIR, there is no need to include 'state' option in none of those cases.

When you include 'profiles' option in your ansible is equivalent to execute this line in TMSH:

modify ltm virtual /Sistemas/vs_auro_ssl profiles replace-all-with { tcp http myaccess-prof }

If you want to remove your access profile, you should execute the same command without 'myaccess-prof'.

modify ltm virtual /Sistemas/vs_auro_ssl profiles replace-all-with { tcp http }

In the case of Ansible, you should do a similar approach.

If you have the chance, try it initially with a dummy VS and then go to production.

Please, let me know if everything works as expected.

Regards,

Dario.

Regards,
Dario.

sarlindo · ‎29-Jan-2021

Hi Dario,

I tried this below to attach the profile, but it doesn't seem to work and getting the error below:

- name: Attach policy to VS

bigip_virtual_server:

partition: "{{ ans_f5_partition }}"

profiles:

- "{{ ans_f5_access_profile }}"

provider:

server: "{{ ans_f5_endpoint_url }}"

user: "{{ ans_f5_userid }}"

password: "{{ ans_f5_password }}"

validate_certs: no

fatal: [dtblxapp-bancs01 -> localhost]: FAILED! => {"changed": false, "msg": "01070734:3: Configuration error: Virtual Server (/CLEARING-BM1/EXWEB.BM.XXX) has profile access attached without http profile"}

complaining about http profile. I just want to change the access profile attached to the VS.

Dario_Garrido · ‎29-Jan-2021

Hello Sarlindo.

As I said in my previous response :-), 'profiles' option is a 'replace-all-with' action, so you have to introduce a complete list of profiles to assign on the VS.

In the documentation states this:

"List of profiles (HTTP, ClientSSL, ServerSSL, etc) to apply to both sides of the connection (client-side and server-side) ... If you want to remove a profile from the list of profiles currently active on the virtual, simply remove it from the profiles list".

Conclusion:

With AP profile: {{ tcp http myaccess-prof }}
Without AP profile: {{ tcp http }}

So, your variable "ans_f5_access_profile" should be a complete list with all the profiles assigned to the VS.

If this was helpful, I will appreciate if you mark my answer as 'the best' to help other people to find it ;-).

Regards,

Dario.

Regards,
Dario.

sarlindo · ‎29-Jan-2021

Hi Dario,

Yup I just figured this out, as you mentioned you have to list all profiles so I updated to the complete list and it seems to work now. Thanks for that.

example:

profiles:

- rba

- tcp

- websecurity

- websso

- ASM_WAF_EXWEB_XX

- HTTP-WITH-Strict-Transport

- name: WILDCARD.BM.XXX

context: client-side

Thanks again. I will mark it as the best answer.

DevCentral

F5 APM/LTM Ansible module - which to use for changing apm access profile attached to VS?

Register For AppWorld 2024

DevCentral Podcasts