F5Networks / f5-ansible-bigip

Declarative Ansible collection for managing F5 BIG-IP/BIG-IQ.

bigip_awaf_policy fails to deploy upon partition #79

Closed roelsieg closed 4 months ago

roelsieg commented 5 months ago
COMPONENT NAME

bigip_awaf_policy

Environment

ANSIBLE VERSION
ansible [core 2.13.13]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/roel/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/roel/virtualenvs/ansible/lib/python3.8/site-packages/ansible
  ansible collection location = /home/roel/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/roel/virtualenvs/ansible/bin/ansible
  python version = 3.8.10 (default, Jun  2 2021, 10:49:15) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True
BIGIP VERSION
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.0.1
  Build       0.0.4
  Edition     Point Release 1
  Date        Fri Apr  7 07:24:51 PDT 2023
CONFIGURATION
OS / ENVIRONMENT

Several environments tested:

SUMMARY

Deploying an AWAF policy does not seem to deploy properly onto a partition.

STEPS TO REPRODUCE
---

- name: 'Unit testing for ASM/AWAF policy creation'
  connection: httpapi
  hosts: local
  gather_facts: false
  vars:
    provider:
      server: "{{ vault.provider_server_ip }}"
      validate_certs: false
      no_f5_teem: false
      server_port: 443
      user: "{{ vault.username }}"
      password: "{{ vault.password }}"
    ansible_user: "{{ vault.username }}"
    ansible_httpapi_password: "{{ vault.password }}"
    ansible_httpapi_port: 443
    ansible_network_os: f5networks.f5_bigip.bigip
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false

  tasks:
    - name: Create aWAF/ASM policy
      f5networks.f5_bigip.bigip_awaf_policy:
        name: "Ap-testnode-Web_Rapid"
        partition: "partition"
        server_technologies:
          - "Unix/Linux"
          - "Nginx"
        template: "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
        enforcement_mode: "transparent"
        pb_learning_mode: "automatic"
        # apply_policy: true
        state: "present"
        dump_json: true
      delegate_to: "{{ provider.server }}"

    - name: Create aWAF/ASM policy JSON
      f5networks.f5_bigip.bigip_awaf_policy:
        name: "/partition/Ap-testnode-Web_Rapid"
        partition: "partition"
        policy_in_json: "{{ lookup('file', 'temp_playbook_json_template.json') }}"
        force: true
        # apply_policy: true
        state: "present"
        dump_json: true
      delegate_to: "{{ provider.server }}"

with temp_playbook_json_template.json (to try to force the JSON template to fill in the right path value):

{
"policy": {
    "name": "Ap-testnode-Web_Rapid",
    "fullPath": "/partition/Ap-testnode-Web_Rapid",
    "applicationLanguage": "auto-detect",
    "enforcementMode": "transparent",
    "template": {
        "name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
    },
    "server-technologies": [
        {
            "serverTechnologyName": "Unix/Linux"
        },
        {
            "serverTechnologyName": "Nginx"
        }
    ],
    "policy-builder": {
        "learningMode": "automatic"
    },
    "type": "security"
}
}
EXPECTED RESULTS

On both runs of the task I would expect the value of fullPath to reflect the desired partition: "fullPath": "/partition/Ap-testnode-Web_Rapid"

ACTUAL RESULTS

When running with apply_policy: true:

 "msg": "Failed to apply aWAF policy with the following message: Could not execute the Apply Policy Task 'Apply Policy Task (1704963040.070072)'.  Policy not found"

When running with dump_json: true, you can see in the result below that fullPath is empty: "fullPath": ""

(ansible) HOST:/mnt/c/Git/Ahold/storm-technl-network-bigip-ansible-roles [feat/asm-policy-j2-template !]$ ansible-playbook temp_playbook_unit_tst.yml -i hosts.ini -e 'ansible_python_interpreter="/usr/bin/env python"' -vv
[WARNING]: Ansible is being run in a world writable directory (/mnt/c/Git/Ahold/storm-technl-network-bigip-ansible-roles), ignoring it as an ansible.cfg source. For more information see https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir
ansible-playbook [core 2.13.13]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/roel/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/roel/virtualenvs/ansible/lib/python3.8/site-packages/ansible
  ansible collection location = /home/roel/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/roel/virtualenvs/ansible/bin/ansible-playbook
  python version = 3.8.10 (default, Jun  2 2021, 10:49:15) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True
Using /etc/ansible/ansible.cfg as config file
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: temp_playbook_unit_tst.yml ************************************************************
1 plays in temp_playbook_unit_tst.yml

PLAY [Unit testing for functions in roles] ******************************************************
META: ran handlers

TASK [Create aWAF/ASM policy] *******************************************************************
task path: /mnt/c/Git/Ahold/storm-technl-network-bigip-ansible-roles/temp_playbook_unit_tst.yml:27
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
ok: [localhost -> HOST] => {"changed": false, "enforcement_mode": "transparent", "json": "\n{\n   \"policy\" : {\n
      \"name\": \"Ap-testnode-Web_Rapid\",\n      \"fullPath\": \"\",\n     \"applicationLanguage\": \"auto-detect\",\n
      \"caseInsensitive\": false,\n      \"enablePassiveMode\": false,\n      \"protocolIndependent\" : false,\n      \"enforcementMode\": \"transparent\",\n      \"template\": {\"name\": \"POLICY_TEMPLATE_RAPID_DEPLOYMENT\"},\n      \"server-technologies\": [{\"serverTechnologyName\": \"Unix/Linux\"}, {\"serverTechnologyName\": \"Nginx\"}],\n      \"policy-builder\": {\"learningMode\": \"automatic\"},\n      \"type\": \"security\"\n   }\n}", "pb_learning_mode": "automatic", "server_technologies": ["Unix/Linux", "Nginx"], "template": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"}

TASK [Create aWAF/ASM policy JSON] **************************************************************
task path: /mnt/c/Git/Ahold/storm-technl-network-bigip-ansible-roles/temp_playbook_unit_tst.yml:42
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
ok: [localhost -> HOST] => {"changed": false, "enforcement_mode": "transparent", "json": "\n{\n   \"policy\" : {\n
      \"name\": \"/partition/Ap-testnode-Web_Rapid\",\n      \"fullPath\": \"\",\n      \"applicationLanguage\": \"auto-detect\",\n
      \"caseInsensitive\": false,\n      \"enablePassiveMode\": false,\n      \"protocolIndependent\" : false,\n      \"enforcementMode\": \"transparent\",\n      \"template\": {\"name\": \"POLICY_TEMPLATE_RAPID_DEPLOYMENT\"},\n      \"server-technologies\": [{\"serverTechnologyName\": \"Unix/Linux\"}, {\"serverTechnologyName\": \"Nginx\"}],\n      \"policy-builder\": {\"learningMode\": \"automatic\"},\n      \"type\": \"security\"\n   }\n}", "language": "auto-detect", "pb_learning_mode": "automatic", "server_technologies": ["Unix/Linux", "Nginx"], "template": "POLICY_TEMPLATE_RAPID_DEPLOYMENT", "type": "security"}      
META: ran handlers
META: ran handlers

PLAY RECAP *************************************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
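As an added illustration (not code from the collection or from this issue's author) of the pre-flight check a practitioner would want before apply_policy runs: build the policy document with fullPath derived from partition and name, accepting either the bare name or the /partition/name form used in the second task, and refuse a dumped policy whose fullPath is empty or sits in another partition. DUMPED_JSON is constructed from the dump_json output above (trimmed to the relevant keys); all function names are assumptions.

```python
import json

# Constructed from the module's dumped JSON above, trimmed to the keys that
# matter here: note the empty fullPath that leads to "Policy not found".
DUMPED_JSON = """
{
   "policy" : {
      "name": "Ap-testnode-Web_Rapid",
      "fullPath": "",
      "applicationLanguage": "auto-detect",
      "enforcementMode": "transparent",
      "template": {"name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"},
      "type": "security"
   }
}"""


def full_path(name, partition="Common"):
    """Return /<partition>/<name>; a name already given as /partition/name wins."""
    name = name.strip()
    if name.startswith("/"):
        parts = [p for p in name.split("/") if p]
        if len(parts) != 2:
            raise ValueError("unexpected policy path: %r" % name)
        return "/" + "/".join(parts)
    return "/%s/%s" % (partition.strip("/"), name)


def build_policy(name, partition, template, technologies,
                 enforcement="transparent", learning="automatic"):
    """Build the policy document with fullPath derived from partition and name."""
    path = full_path(name, partition)
    return {"policy": {
        "name": path.rsplit("/", 1)[1],
        "fullPath": path,
        "applicationLanguage": "auto-detect",
        "enforcementMode": enforcement,
        "template": {"name": template},
        "server-technologies": [{"serverTechnologyName": t} for t in technologies],
        "policy-builder": {"learningMode": learning},
        "type": "security",
    }}


def check_full_path(dumped, partition):
    """Return (ok, detail); ok is False when fullPath is empty or in another partition."""
    fp = json.loads(dumped)["policy"].get("fullPath", "")
    if not fp:
        return False, "fullPath is empty; apply would not find the policy in " + partition
    if not fp.startswith("/%s/" % partition.strip("/")):
        return False, "fullPath %s is outside partition %s" % (fp, partition)
    return True, fp
```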
pgouband commented 5 months ago

Hi,

Thanks for reporting. Added to the backlog and internal tracking ID for this request is: INFRAANO-1422.

roelsieg commented 5 months ago

Hi,

@pgouband any forecast you can give on a time-to-fix?

Cheers, Roeland

pgouband commented 5 months ago

Hi @roelsieg,

We will work on it in our next sprint, so if there is no blocker a fix should be included in our next release (mid to end of Feb).

urohit011 commented 4 months ago

This one has been fixed now. Closing the issue.