F5Networks / f5-ansible-bigip

Declarative Ansible collection for managing F5 BIG-IP/BIG-IQ.

bigip_asm_policy_import fails when file extension is not 'xml' or 'plc' #60

Closed simonkowallik closed 1 year ago

simonkowallik commented 1 year ago
COMPONENT NAME

f5networks.f5_bigip.bigip_asm_policy_import version 2.0.0

Environment

ANSIBLE VERSION
2.14.1
BIGIP VERSION
16.1.3.3
CONFIGURATION
OS / ENVIRONMENT
SUMMARY

f5networks.f5_bigip.bigip_asm_policy_import fails to import WAF policy when file extension is not .xml or .plc.

The documentation does not mention any requirements of file extension naming: https://clouddocs.f5.com/products/orchestration/ansible/devel/f5_bigip/modules_2_0/bigip_asm_policy_import_module.html#bigip-asm-policy-import-module-2

It seems the iControl REST API of ASM refuses to receive the file due to the file extension.

STEPS TO REPRODUCE
  tasks:
    - name: Fetch WAF policy
      f5networks.f5_bigip.bigip_asm_policy_fetch:
        name: my_waf_policy
        dest: /ansible/
        file: my_waf_policy.file_extension
        binary: True
        #compact: True
      tags:
        - bigip-export-waf

    - name: Import WAF policy
      f5networks.f5_bigip.bigip_asm_policy_import:
        name: my_waf_policy2
        source: /ansible/my_waf_policy.file_extension
        #force: yes
      tags:
        - bigip-import-waf

EXPECTED RESULTS

The file extension should not matter or the error should be clear.

ACTUAL RESULTS
ansible-playbook [core 2.14.1]
  config file = /ansible/ansible.cfg
  configured module search path = ['/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /ansible/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /ansible/collections
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.10.10 (main, Mar 14 2023, 02:37:11) [GCC 10.2.1 20210110] (/usr/local/bin/python)
  jinja version = 3.1.2
  libyaml = True
Using /ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /ansible/inventory/dev/hosts.yml as it did not pass its verify_file() method
script declined parsing /ansible/inventory/dev/hosts.yml as it did not pass its verify_file() method
Parsed /ansible/inventory/dev/hosts.yml inventory source with yaml plugin
Loading collection f5networks.f5_bigip from /ansible/collections/ansible_collections/f5networks/f5_bigip
Loading callback plugin default of type stdout, v2.0 from /ansible/.local/lib/python3.10/site-packages/ansible/plugins/callback/default.py
redirecting (type: callback) ansible.builtin.profile_tasks to ansible.posix.profile_tasks
Loading collection ansible.posix from /usr/local/lib/python3.10/site-packages/ansible_collections/ansible/posix
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
Loading callback plugin ansible.posix.profile_tasks of type aggregate, v2.0 from /usr/local/lib/python3.10/site-packages/ansible_collections/ansible/posix/plugins/callback/profile_tasks.py

PLAYBOOK: play-f5waf.yml *************************************************************************************************************************************************************************************************************************************
Positional arguments: play-f5waf.yml
verbosity: 4
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
inventory: ('/ansible/inventory/dev',)
subset: b16b
forks: 5
1 plays in play-f5waf.yml

PLAY [F5 WAF tasks] ******************************************************************************************************************************************************************************************************************************************

TASK [Fetch WAF policy] **************************************************************************************************************************************************************************************************************************************
task path: /ansible/play-f5waf.yml:22
Thursday 16 March 2023  19:47:58 +0000 (0:00:00.038)       0:00:00.038 ******** 
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
Loading collection ansible.netcommon from /ansible/collections/ansible_collections/ansible/netcommon
<10.1.1.5> attempting to start connection
<10.1.1.5> using connection plugin ansible.netcommon.httpapi
Found ansible-connection at path /usr/local/bin/ansible-connection
<10.1.1.5> local domain socket does not exist, starting it
<10.1.1.5> control socket path is /ansible/.ansible/pc/46618b1fcb
<10.1.1.5> redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
<10.1.1.5> Loading collection ansible.netcommon from /ansible/collections/ansible_collections/ansible/netcommon
<10.1.1.5> Loading collection f5networks.f5_bigip from /ansible/collections/ansible_collections/f5networks/f5_bigip
<10.1.1.5> local domain socket listeners started successfully
<10.1.1.5> loaded API plugin ansible_collections.f5networks.f5_bigip.plugins.httpapi.bigip from path /ansible/collections/ansible_collections/f5networks/f5_bigip/plugins/httpapi/bigip.py for platform type f5networks.f5_bigip.bigip
<10.1.1.5> 
<10.1.1.5> local domain socket path is /ansible/.ansible/pc/46618b1fcb
<10.1.1.5> Using network group action f5networks.f5_bigip.bigip for f5networks.f5_bigip.bigip_asm_policy_fetch
<{{ provider.server }}> ANSIBLE_NETWORK_IMPORT_MODULES: enabled
<{{ provider.server }}> ANSIBLE_NETWORK_IMPORT_MODULES: found f5networks.f5_bigip.bigip_asm_policy_fetch  at /ansible/collections/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_asm_policy_fetch.py
<{{ provider.server }}> ANSIBLE_NETWORK_IMPORT_MODULES: running f5networks.f5_bigip.bigip_asm_policy_fetch
<{{ provider.server }}> ANSIBLE_NETWORK_IMPORT_MODULES: complete
changed: [b16b] => {
    "binary": true,
    "changed": true,
    "dest": "/ansible/",
    "file": "my_waf_policy.file_extension",
    "force": true,
    "gid": 1000,
    "group": "ansible",
    "invocation": {
        "module_args": {
            "base64": null,
            "binary": true,
            "compact": null,
            "dest": "/ansible/",
            "file": "my_waf_policy.file_extension",
            "force": true,
            "inline": null,
            "name": "my_waf_policy",
            "partition": "Common"
        }
    },
    "mode": "0775",
    "name": "my_waf_policy",
    "owner": "ansible",
    "size": 4096,
    "state": "directory",
    "uid": 1000
}

TASK [Import WAF policy] *************************************************************************************************************************************************************************************************************************************
task path: /ansible/play-f5waf.yml:32
Thursday 16 March 2023  19:48:03 +0000 (0:00:05.222)       0:00:05.260 ******** 
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
Loading collection ansible.netcommon from /ansible/collections/ansible_collections/ansible/netcommon
<10.1.1.5> attempting to start connection
<10.1.1.5> using connection plugin ansible.netcommon.httpapi
Found ansible-connection at path /usr/local/bin/ansible-connection
<10.1.1.5> found existing local domain socket, using it!
<10.1.1.5> ESTABLISH HTTP(S) CONNECTFOR USER: admin TO https://10.1.1.5:8443
<10.1.1.5> updating play_context for connection
<10.1.1.5> 
<10.1.1.5> local domain socket path is /ansible/.ansible/pc/46618b1fcb
<10.1.1.5> Using network group action f5networks.f5_bigip.bigip for f5networks.f5_bigip.bigip_asm_policy_import
<{{ provider.server }}> ANSIBLE_NETWORK_IMPORT_MODULES: enabled
<{{ provider.server }}> ANSIBLE_NETWORK_IMPORT_MODULES: found f5networks.f5_bigip.bigip_asm_policy_import  at /ansible/collections/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_asm_policy_import.py
<{{ provider.server }}> ANSIBLE_NETWORK_IMPORT_MODULES: running f5networks.f5_bigip.bigip_asm_policy_import
<{{ provider.server }}> ANSIBLE_NETWORK_IMPORT_MODULES: complete
fatal: [b16b]: FAILED! => {
    "changed": false,
    "module_stderr": "Failed to upload file too many times.",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}

PLAY RECAP ***************************************************************************************************************************************************************************************************************************************************
b16b                       : ok=1    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Thursday 16 March 2023  19:48:06 +0000 (0:00:02.565)       0:00:07.826 ******** 
=============================================================================== 
Fetch WAF policy -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 5.22s
/ansible/play-f5waf.yml:22 ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Import WAF policy ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 2.57s
/ansible/play-f5waf.yml:32 ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

REST API returns 400 status codes indicating the REST API call is faulty (e.g. wrong file extension).

[I][1031][16 Mar 2023 19:48:04 UTC][ForwarderPassThroughWorker] {"user":"tmos/admin","method":"POST","uri":"http://localhost:8100/mgmt/tm/asm/file-transfer/uploads/my_waf_policy.file_extension","status":400,"from":"10.1.1.6"}
[I][1033][16 Mar 2023 19:48:04 UTC][ForwarderPassThroughWorker] {"user":"tmos/admin","method":"POST","uri":"http://localhost:8100/mgmt/tm/asm/file-transfer/uploads/my_waf_policy.file_extension","status":400,"from":"10.1.1.6"}
[I][1035][16 Mar 2023 19:48:04 UTC][ForwarderPassThroughWorker] {"user":"tmos/admin","method":"POST","uri":"http://localhost:8100/mgmt/tm/asm/file-transfer/uploads/my_waf_policy.file_extension","status":400,"from":"10.1.1.6"}
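
An added example, not part of the original issue or the collection's code: a small parser for the REST log format quoted above that groups rejected ASM file uploads, so the 4xx behind the module's generic "Failed to upload file too many times." message is easy to find. The function names are hypothetical, and the `.xml`/`.plc` set reflects only what this issue reports, not documented API behaviour.

```python
import json
import re
from collections import Counter
from pathlib import PurePosixPath
from urllib.parse import urlparse

# The three 400 lines are quoted from the issue; the last two lines are constructed.
SAMPLE_LOG = """\
[I][1031][16 Mar 2023 19:48:04 UTC][ForwarderPassThroughWorker] {"user":"tmos/admin","method":"POST","uri":"http://localhost:8100/mgmt/tm/asm/file-transfer/uploads/my_waf_policy.file_extension","status":400,"from":"10.1.1.6"}
[I][1033][16 Mar 2023 19:48:04 UTC][ForwarderPassThroughWorker] {"user":"tmos/admin","method":"POST","uri":"http://localhost:8100/mgmt/tm/asm/file-transfer/uploads/my_waf_policy.file_extension","status":400,"from":"10.1.1.6"}
[I][1035][16 Mar 2023 19:48:04 UTC][ForwarderPassThroughWorker] {"user":"tmos/admin","method":"POST","uri":"http://localhost:8100/mgmt/tm/asm/file-transfer/uploads/my_waf_policy.file_extension","status":400,"from":"10.1.1.6"}
[I][1040][16 Mar 2023 19:50:10 UTC][ForwarderPassThroughWorker] {"user":"tmos/admin","method":"POST","uri":"http://localhost:8100/mgmt/tm/asm/file-transfer/uploads/other_policy.xml","status":200,"from":"10.1.1.6"}
[I][1042][16 Mar 2023 19:50:11 UTC][ForwarderPassThroughWorker] {"user":"tmos/admin","method":"POST","uri":"http://localhost
"""

# "[level][seq][timestamp][worker] {json}" as seen in the quoted lines.
LINE_RE = re.compile(r"^\[\w\]\[\d+\]\[[^\]]+\]\[[^\]]+\]\s+(\{.*\})\s*$")
UPLOAD_PREFIX = "/mgmt/tm/asm/file-transfer/uploads/"
# Extensions the issue reports as accepted (an observation, not a documented rule).
REPORTED_OK = {".xml", ".plc"}


def parse_line(line):
    """Return the JSON payload of one log line, or None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        body = json.loads(m.group(1))
    except json.JSONDecodeError:
        return None
    return body if isinstance(body, dict) else None


def rejected_uploads(log_text):
    """Group 4xx POSTs to the ASM upload endpoint by file, user and client."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line.strip())
        if not ev or ev.get("method") != "POST":
            continue
        path = urlparse(str(ev.get("uri", ""))).path
        status = ev.get("status")
        if not path.startswith(UPLOAD_PREFIX) or not isinstance(status, int) or not 400 <= status < 500:
            continue
        counts[(path[len(UPLOAD_PREFIX):], str(ev.get("user")), str(ev.get("from")), status)] += 1
    return [{"file": f, "user": u, "from": s, "status": st, "count": n,
             "extension_reported_ok": PurePosixPath(f).suffix.lower() in REPORTED_OK}
            for (f, u, s, st), n in sorted(counts.items())]
```

On the sample, `rejected_uploads(SAMPLE_LOG)` returns a single finding for `my_waf_policy.file_extension` with three rejections; the successful upload and the truncated line are ignored.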

pgouband commented 1 year ago

Hi, internal ID to track this item is: INFRAANO-1144, thanks!

wojtek0806 commented 1 year ago

If you want to import AWAF policies, use the bigip_awaf_policy module. You can use it like this:

    - name: Create aWAF policy with json template
      bigip_awaf_policy:
        name: "foobar_awaf"
        policy_in_json: "{{ lookup('file', 'awaf_big_policy.json') }}"

simonkowallik commented 1 year ago

Thanks, I will look into it, although this issue is not about declarative WAF.

Btw. bigip_awaf_policy is missing in the F5 Module Index on CloudDocs.

wojtek0806 commented 1 year ago

Docs updated: https://clouddocs.f5.com/products/orchestration/ansible/devel/f5_bigip/modules_2_0/bigip_awaf_policy_module.html#bigip-awaf-policy-module-2

G-gonzalezjimenez commented 1 year ago

Closing this one, thanks for the help.