F5Networks / f5-ansible-bigip

Declarative Ansible collection for managing F5 BIG-IP/BIG-IQ.

bigip_sslo_config_policy issue - yaml will fail if security policy already exists #38

Closed kevingstewart closed 1 year ago

kevingstewart commented 1 year ago
COMPONENT NAME

bigip_sslo_config_policy

Environment

ANSIBLE VERSION
ansible [core 2.12.5]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.8/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.8.10 (default, Mar 15 2022, 12:22:08) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True
BIGIP VERSION
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3.2
  Build       0.0.4
  Edition     Point Release 2
  Date        Wed Sep 14 08:12:07 PDT 2022
SSL ORCHESTRATOR VERSION
9.3.41
CONFIGURATION

No specific system/ansible configuration changes

OS / ENVIRONMENT
Ubuntu 20.04
Python 3.8.10
SUMMARY

An SSLO security policy yaml will fail if the security policy already exists. This is not the same behavior as other SSLO modules.

fatal: [172.16.1.83]: FAILED! => {"changed": false, "module_stderr": "'conditions'", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"}
STEPS TO REPRODUCE
---
# Reference: https://clouddocs.f5.com/products/orchestration/ansible/devel/f5_bigip/modules_2_0/bigip_sslo_config_policy_module.html#bigip-sslo-config-policy-module-2

- name: Create SSLO Outbound Security Policy Configuration
  hosts: all
  gather_facts: False

  collections:
    - f5networks.f5_bigip
  connection: httpapi

  vars:
    #ansible_host: "172.16.1.83"
    ansible_httpapi_port: 443
    ansible_user: "admin"
    ansible_httpapi_password: "admin"
    ansible_network_os: f5networks.f5_bigip.bigip
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no

  tasks:
    ## Security Policy
    - name: Create an SSLO security policy
      bigip_sslo_config_policy:
        name: "sslopolicy"
        state: "absent"
        policy_consumer: "outbound"

        default_rule:
          allow_block: "allow"
          tls_intercept: "intercept"
          service_chain: "service_chain_2"

        policy_rules:
        - name: "Pinners_Rule"
          match_type: "match_all"
          policy_action: "allow"
          ssl_action: "bypass"
          conditions:
          - condition_type: "ssl_check"
          - condition_type: "category_lookup_sni"
            condition_option_category:
            - "Pinners"

        - name: "bypass_pii_traffic"
          policy_action: "allow"
          ssl_action: "bypass"
          service_chain: "service_chain_1"
          conditions:
          - condition_type: "category_lookup_sni"
            condition_option_category:
            - "Financial Data and Services"
KrithikaChidambaram commented 1 year ago

Hi, internal ID to track this request is: INFRAANO-926, thanks!

pgouband commented 1 year ago

Hi, the issue is fixed in the Dec 2022 release; please open a new issue if you see any problem.