F5Networks / f5-ansible-bigip

Declarative Ansible collection for managing F5 BIG-IP/BIG-IQ.

Cannot modify SSLO Security Policy via bigip_sslo_config_policy module after adding default_rule #72

Open megamattzilla opened 1 year ago

megamattzilla commented 1 year ago
COMPONENT NAME

bigip_sslo_config_policy

Environment

ANSIBLE VERSION
ansible [core 2.12.2]
  config file = None
  configured module search path = ['/home/azureuser/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/azureuser/python3.8-ansible/lib/python3.8/site-packages/ansible
  ansible collection location = /home/azureuser/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/azureuser/python3.8-ansible/bin/ansible
  python version = 3.8.5 (default, Jan 27 2021, 15:41:15) [GCC 9.3.0]
  jinja version = 3.0.3
  libyaml = True
BIGIP VERSION
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3.3
  Build       0.0.3
  Edition     Point Release 3
  Date        Thu Dec 22 12:07:59 PST 2022
CONFIGURATION
OS / ENVIRONMENT

Ubuntu 20.04.3

SUMMARY

After creating an SSLO security policy via the Ansible module bigip_sslo_config_policy, defining some policy rules, and then adding schema for the `default_rule`, you can no longer make changes to your existing rules. The Ansible task fails with a vague error message.

STEPS TO REPRODUCE

Create the following SSLO security Policy via Ansible (which is successful)

    - name: Create Explicit HTTP Proxy Security_Policy
      bigip_sslo_config_policy:
        name: "Explicit_proxy"
        server_cert_check: false
        default_rule:
          allow_block: "allow"
          tls_intercept: "intercept"
          service_chain: "Explicit_Proxy"

        policy_rules:
          - name: "Pinners_Rule"
            match_type: "match_all"
            policy_action: "allow"
            ssl_action: "bypass"
            conditions:
              - condition_type: "category_lookup_sni"
                condition_option_category:
                  - "Pinners"
              - condition_type: "ssl_check"

          - name: "Category_Bypass"
            match_type: "match_all"
            policy_action: "allow"
            ssl_action: "bypass"
            conditions:
              - condition_type: "category_lookup_all"
                condition_option_category:
                  - "Financial Data and Services"
                  - "General Email"
                  - "Health and Medicine"
              - condition_type: "ssl_check"

          - name: "Dest_IP_Bypass"
            match_type: "match_all"
            policy_action: "allow"
            ssl_action: "bypass"
            conditions:
              - condition_type: "server_ip_subnet_match"
                condition_option_subnet:
                  - "10.0.0.0/8"
                  - "192.168.1.100/32"
                  - "192.168.1.200/32"
              - condition_type: "ssl_check"

After the security policy has been successfully created via Ansible, make a change to one of the security policy rules (change an IP or something), rerun the playbook, and the Ansible task will fail with an error message. This issue does not happen if you do not specify the default_rule configuration. We noticed that if we created the other rules first, we could freely modify them, but after adding the default_rule we can no longer make changes to the policy via Ansible.

EXPECTED RESULTS

SSLO makes the requested change to the security policy with no error message.

ACTUAL RESULTS

SSLO ansible module fails with error message and does not make the requested change:

TASK [Create Explicit HTTP Proxy Security_Policy] *******************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: KeyError: 'conditions'
fatal: [bigip01.example.local]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/home/azureuser/.ansible/tmp/ansible-local-184490saj6u1hb/ansible-tmp-1688761505.1110907-184530-281230311970362/AnsiballZ_bigip_sslo_config_policy.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/home/azureuser/.ansible/tmp/ansible-local-184490saj6u1hb/ansible-tmp-1688761505.1110907-184530-281230311970362/AnsiballZ_bigip_sslo_config_policy.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/azureuser/.ansible/tmp/ansible-local-184490saj6u1hb/ansible-tmp-1688761505.1110907-184530-281230311970362/AnsiballZ_bigip_sslo_config_policy.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.f5networks.f5_bigip.plugins.modules.bigip_sslo_config_policy', init_globals=dict(_module_fqn='ansible_collections.f5networks.f5_bigip.plugins.modules.bigip_sslo_config_policy', _modlib_path=modlib_path),\n  File \"/usr/lib/python3.8/runpy.py\", line 207, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib/python3.8/runpy.py\", line 97, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib/python3.8/runpy.py\", line 87, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_bigip_sslo_config_policy_payload_hgiecz3v/ansible_bigip_sslo_config_policy_payload.zip/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_sslo_config_policy.py\", line 1523, in <module>\n  File \"/tmp/ansible_bigip_sslo_config_policy_payload_hgiecz3v/ansible_bigip_sslo_config_policy_payload.zip/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_sslo_config_policy.py\", line 1516, in main\n  File \"/tmp/ansible_bigip_sslo_config_policy_payload_hgiecz3v/ansible_bigip_sslo_config_policy_payload.zip/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_sslo_config_policy.py\", line 1056, in exec_module\n  File \"/tmp/ansible_bigip_sslo_config_policy_payload_hgiecz3v/ansible_bigip_sslo_config_policy_payload.zip/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_sslo_config_policy.py\", line 1081, in present\n  File \"/tmp/ansible_bigip_sslo_config_policy_payload_hgiecz3v/ansible_bigip_sslo_config_policy_payload.zip/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_sslo_config_policy.py\", line 1111, in update\n  File \"/tmp/ansible_bigip_sslo_config_policy_payload_hgiecz3v/ansible_bigip_sslo_config_policy_payload.zip/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_sslo_config_policy.py\", line 1091, in should_update\n  File \"/tmp/ansible_bigip_sslo_config_policy_payload_hgiecz3v/ansible_bigip_sslo_config_policy_payload.zip/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_sslo_config_policy.py\", line 1031, in _update_changed_options\n  File \"/tmp/ansible_bigip_sslo_config_policy_payload_hgiecz3v/ansible_bigip_sslo_config_policy_payload.zip/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_sslo_config_policy.py\", line 948, in compare\n  File \"/tmp/ansible_bigip_sslo_config_policy_payload_hgiecz3v/ansible_bigip_sslo_config_policy_payload.zip/ansible_collections/f5networks/f5_bigip/plugins/modules/bigip_sslo_config_policy.py\", line 981, in policy_rules\nKeyError: 'conditions'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
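The traceback above ends in `KeyError: 'conditions'` inside the module's `policy_rules` comparison, i.e. the desired-versus-existing diff stops before any update is attempted. The following is an added example, written for this page and not code from the f5-ansible-bigip collection or from the reporter: it reproduces that failure mode with a diff that indexes `rule["conditions"]` unconditionally, and puts beside it a tolerant diff that treats a missing conditions list as empty and excludes rules the module manages through a separate parameter. The rule dictionaries are constructed sample data modelled on the playbook in the report; that the default rule is read back without a `conditions` key, under the name `All Traffic`, is an assumption made for illustration, not something the traceback establishes.

```python
import copy
import json

# Constructed sample of the desired rules, modelled on the playbook in the report.
DESIRED_RULES = [
    {
        "name": "Pinners_Rule",
        "match_type": "match_all",
        "policy_action": "allow",
        "ssl_action": "bypass",
        "conditions": [
            {"condition_type": "category_lookup_sni",
             "condition_option_category": ["Pinners"]},
            {"condition_type": "ssl_check"},
        ],
    },
    {
        "name": "Dest_IP_Bypass",
        "match_type": "match_all",
        "policy_action": "allow",
        "ssl_action": "bypass",
        "conditions": [
            {"condition_type": "server_ip_subnet_match",
             "condition_option_subnet": ["10.0.0.0/8", "192.168.1.100/32"]},
            {"condition_type": "ssl_check"},
        ],
    },
]

# Constructed sample of a read-back from the device: the same rules plus a
# default rule that carries no "conditions" key. Its shape and its name are
# assumptions made for illustration, not facts taken from the issue.
DEFAULT_RULE_NAME = "All Traffic"
EXISTING_RULES = DESIRED_RULES + [
    {"name": DEFAULT_RULE_NAME, "match_type": "match_all",
     "policy_action": "allow", "ssl_action": "intercept"},
]


def _key_naive(rule):
    """Canonical view of a rule that assumes every rule has 'conditions'."""
    return (rule["name"], rule["policy_action"], rule["ssl_action"],
            json.dumps(rule["conditions"], sort_keys=True))


def rules_changed_naive(want, have):
    """Diff in the style that produces the KeyError: a single rule without
    'conditions' in either list aborts the whole comparison."""
    return sorted(map(_key_naive, want)) != sorted(map(_key_naive, have))


def naive_comparison_fails(want, have):
    """True when the naive diff dies with KeyError instead of returning a verdict."""
    try:
        rules_changed_naive(want, have)
    except KeyError:
        return True
    return False


def _key(rule):
    """Canonical, hashable view of a rule; a missing 'conditions' list is empty."""
    return (
        rule.get("name"),
        rule.get("match_type", "match_all"),
        rule.get("policy_action"),
        rule.get("ssl_action"),
        json.dumps(rule.get("conditions", []), sort_keys=True),
    )


def rules_diff(want, have, managed_elsewhere=(DEFAULT_RULE_NAME,)):
    """Return the sorted names of rules that differ between desired and
    existing state. Rules named in managed_elsewhere (here the default rule,
    which the module takes through its own default_rule parameter) are left
    out of the policy_rules comparison entirely."""
    want_map = {k[0]: k for k in map(_key, want) if k[0] not in managed_elsewhere}
    have_map = {k[0]: k for k in map(_key, have) if k[0] not in managed_elsewhere}
    return sorted(name for name in want_map.keys() | have_map.keys()
                  if want_map.get(name) != have_map.get(name))


def modified_desired():
    """Desired state after the edit the report describes: one bypass subnet changed
    (the replacement address is a constructed value)."""
    rules = copy.deepcopy(DESIRED_RULES)
    rules[1]["conditions"][0]["condition_option_subnet"][1] = "192.168.1.150/32"
    return rules


if __name__ == "__main__":
    print("naive diff raises KeyError:", naive_comparison_fails(DESIRED_RULES, EXISTING_RULES))
    print("unchanged playbook, rules to update:", rules_diff(DESIRED_RULES, EXISTING_RULES))
    print("edited subnet, rules to update:", rules_diff(modified_desired(), EXISTING_RULES))
```

The point for an operator is that the failure is not a rejected change but an aborted comparison: the run reports `MODULE FAILURE`, nothing is pushed, and a bypass rule that has drifted from the intended subnet list stays in force on the device. A diff that returns the names of the differing rules, as `rules_diff` does, makes that drift visible in the task output instead of hiding it behind a traceback.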
megamattzilla commented 1 year ago

I actually found after pushing the above security policy, just re-running the playbook with the same config fails with this error message.

pgouband commented 11 months ago

Hi,

Thanks for reporting. Added to the backlog; the internal tracking ID for this request is INFRAANO-1268.