F5Networks / f5-ansible

Imperative Ansible modules for F5 BIG-IP products
GNU General Public License v3.0

Users with web-application-security-administrator role cannot import ASM policies via bigip_asm_policy_import #1561

Closed penghon closed 4 years ago

penghon commented 4 years ago
ISSUE TYPE
COMPONENT NAME

bigip_asm_policy_import

ANSIBLE VERSION
ansible 2.9.1
  config file = /ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Nov  6 2016, 00:28:07) [GCC 4.8.5 20150623 (Red Hat 4.8.5-11)]
PYTHON VERSION
Python 2.7.5
BIGIP VERSION
Sys::Version
Main Package
  Product     BIG-IP
  Version     13.1.1.5
  Build       0.0.4
  Edition     Point Release 5
  Date        Wed Apr 24 21:26:13 PDT 2019
CONFIGURATION
OS / ENVIRONMENT
SUMMARY

BIG-IP users with web-application-security-administrator role are able to upload and import asm policies via iControl but unable to do so via F5 Ansible modules. Is this expected? If yes, could an RFE be considered to allow it?

STEPS TO REPRODUCE
---

- name: Test ASM admin ansible viability
  hosts: asm
  connection: local
  gather_facts: no
  roles:
    - role: f5devcentral.f5ansible
  vars:
    asm_policy: Common_pol2__2019-11-14_12-33-11__phltm19.ph.local.plc
  environment:
    F5_USER: asmadmin
    F5_SERVER: "{{ ansible_host }}"
    F5_PASSWORD: asmadmin
    F5_VALIDATE_CERTS: no
    F5_SERVER_PORT: 443

  tasks:
    - name: Upload ASM policy
      bigip_asm_policy_import:
        name: Ansible_did_this_with_asmadmin
        source: "{{ asm_policy }}"
EXPECTED RESULTS

That the ASM policy is uploaded to BIG-IP.

ACTUAL RESULTS
[root@handyman2 ansible]# ansible-playbook -i hosts playbook_C3134081 -vvvv
ansible-playbook 2.9.1
  config file = /ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 2.7.5 (default, Nov  6 2016, 00:28:07) [GCC 4.8.5 20150623 (Red Hat 4.8.5-11)]
Using /ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /ansible/hosts as it did not pass its verify_file() method
script declined parsing /ansible/hosts as it did not pass its verify_file() method
auto declined parsing /ansible/hosts as it did not pass its verify_file() method
Parsed /ansible/hosts inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/default.pyc

PLAYBOOK: playbook_C3134081 *********************************************************************************************************************
Positional arguments: playbook_C3134081
become_method: sudo
inventory: (u'/ansible/hosts',)
forks: 5
tags: (u'all',)
verbosity: 4
connection: smart
timeout: 10
1 plays in playbook_C3134081

PLAY [Test ASM admin ansible viability] *********************************************************************************************************
META: ran handlers

TASK [f5devcentral.f5ansible : Check ansible version] *******************************************************************************************
task path: /ansible/roles/f5devcentral.f5ansible/tasks/main.yaml:2
skipping: [phltm19] => {}

TASK [Upload ASM policy] ************************************************************************************************************************
task path: /ansible/playbook_C3134081:19
<172.28.22.148> connection transport is rest
<172.28.22.148> ESTABLISH LOCAL CONNECTION FOR USER: root
<172.28.22.148> EXEC /bin/sh -c 'echo ~root && sleep 0'
<172.28.22.148> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1573712854.26-214267541291168 `" && echo ansible-tmp-1573712854.26-214267541291168="` echo /root/.ansible/tmp/ansible-tmp-1573712854.26-214267541291168 `" ) && sleep 0'
<phltm19> Attempting python interpreter discovery
<172.28.22.148> EXEC /bin/sh -c 'echo PLATFORM; uname; echo FOUND; command -v '"'"'/usr/bin/python'"'"'; command -v '"'"'python3.7'"'"'; command -v '"'"'python3.6'"'"'; command -v '"'"'python3.5'"'"'; command -v '"'"'python2.7'"'"'; command -v '"'"'python2.6'"'"'; command -v '"'"'/usr/libexec/platform-python'"'"'; command -v '"'"'/usr/bin/python3'"'"'; command -v '"'"'python'"'"'; echo ENDFOUND && sleep 0'
<172.28.22.148> EXEC /bin/sh -c '/usr/bin/python && sleep 0'
Using module file /ansible/roles/f5devcentral.f5ansible/library/bigip_asm_policy_import.py
<172.28.22.148> PUT /root/.ansible/tmp/ansible-local-27853UYX6zl/tmpQnV8Zm TO /root/.ansible/tmp/ansible-tmp-1573712854.26-214267541291168/AnsiballZ_bigip_asm_policy_import.py
<172.28.22.148> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1573712854.26-214267541291168/ /root/.ansible/tmp/ansible-tmp-1573712854.26-214267541291168/AnsiballZ_bigip_asm_policy_import.py && sleep 0'
<172.28.22.148> EXEC /bin/sh -c 'F5_VALIDATE_CERTS=False F5_SERVER=172.28.22.148 F5_USER=asmadmin F5_PASSWORD=asmadmin F5_SERVER_PORT=443 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1573712854.26-214267541291168/AnsiballZ_bigip_asm_policy_import.py && sleep 0'
<172.28.22.148> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1573712854.26-214267541291168/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
WARNING: The below traceback may *not* be related to the actual failure.
  File "/tmp/ansible_bigip_asm_policy_import_payload_nQIHCj/ansible_bigip_asm_policy_import_payload.zip/ansible/modules/bigip_asm_policy_import.py", line 679, in main
  File "/tmp/ansible_bigip_asm_policy_import_payload_nQIHCj/ansible_bigip_asm_policy_import_payload.zip/ansible/modules/bigip_asm_policy_import.py", line 395, in exec_module
  File "/tmp/ansible_bigip_asm_policy_import_payload_nQIHCj/ansible_bigip_asm_policy_import_payload.zip/ansible/modules/bigip_asm_policy_import.py", line 431, in policy_import
  File "/tmp/ansible_bigip_asm_policy_import_payload_nQIHCj/ansible_bigip_asm_policy_import_payload.zip/ansible/modules/bigip_asm_policy_import.py", line 543, in import_file_to_device
  File "/tmp/ansible_bigip_asm_policy_import_payload_nQIHCj/ansible_bigip_asm_policy_import_payload.zip/ansible/modules/bigip_asm_policy_import.py", line 463, in upload_file_to_device
fatal: [phltm19]: FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "invocation": {
        "module_args": {
            "base64": null,
            "encoding": null,
            "force": false,
            "inline": null,
            "name": "Ansible_did_this_with_asmadmin",
            "parent_policy": null,
            "partition": "Common",
            "policy_type": "security",
            "provider": {
                "auth_provider": null,
                "password": null,
                "server": null,
                "server_port": null,
                "ssh_keyfile": null,
                "timeout": null,
                "transport": "rest",
                "user": null,
                "validate_certs": null
            },
            "retain_inheritance_settings": null,
            "source": "Common_pol2__2019-11-14_12-33-11__phltm19.ph.local.plc"
        }
    },
    "msg": "Failed to upload the file."
}

PLAY RECAP **************************************************************************************************************************************
phltm19                    : ok=0    changed=0    unreachable=0    failed=1    skipped=1    rescued=0    ignored=0
penghon commented 4 years ago

The iControl/curl commands are as follows:

curl -sku asmadmin:asmadmin -X POST https://172.28.22.148/mgmt/tm/asm/file-transfer/uploads/asmadmin_asmpolicy -H "Content-Type: application/octet-stream" -H "Content-Range: 0-200081/200082" --data-binary "@Common_pol2__2019-11-14_12-33-11__phltm19.ph.local.plc" | jq .

curl -sku asmadmin:asmadmin -X POST -H "Content-Type: application/json" https://172.28.22.148/mgmt/tm/asm/tasks/import-policy -d '{"filename": "asmadmin_asmpolicy", "name": "import_via_curl"}' | jq .
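The two curl calls above are the whole exchange the module has to perform: a chunked POST to the ASM file-transfer endpoint, then a POST that creates an import-policy task. The script below is an added example, not code from f5-ansible or from the commenter, that performs the same two steps from Python with the standard library only. It assumes the upload endpoint accepts the file in several requests distinguished by their Content-Range header (the curl sends the 200082-byte file as a single range), that chunks should stay under a 1 MiB cap, and that the import-policy task resource exposes an `id` and a `status` that ends in COMPLETED or FAILURE; the hostname, user and file name are the ones from the playbook, and the password is read from the F5_PASSWORD environment variable rather than written into the script.

```python
"""Two-step ASM policy import over iControl REST: chunked upload, then an
import-policy task. Added example; not the f5-ansible module's own code."""
import base64
import json
import os
import ssl
import time
import urllib.request

# Assumption: keep each chunk below the 1 MiB cap that iControl REST applies
# to file-transfer requests; the curl in the comment sends 200082 bytes whole.
CHUNK_SIZE = 512 * 1024


def content_ranges(total_size, chunk_size=CHUNK_SIZE):
    """Split a file of total_size bytes into (offset, length, Content-Range)
    triples. The end index is inclusive, matching "0-200081/200082" above."""
    ranges = []
    offset = 0
    while offset < total_size:
        length = min(chunk_size, total_size - offset)
        ranges.append((offset, length, f"{offset}-{offset + length - 1}/{total_size}"))
        offset += length
    return ranges


def import_task_body(uploaded_name, policy_name):
    """JSON body for POST /mgmt/tm/asm/tasks/import-policy, as in the curl."""
    return json.dumps({"filename": uploaded_name, "name": policy_name})


class BigIpRest:
    """Minimal basic-auth client using the same credentials the curl calls use."""

    def __init__(self, server, user, password, validate_certs=True):
        self.base = f"https://{server}/mgmt/tm/asm"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.auth = f"Basic {token}"
        self.ctx = ssl.create_default_context()
        if not validate_certs:  # mirrors F5_VALIDATE_CERTS: no in the playbook
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _call(self, method, path, data, headers):
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Authorization", self.auth)
        for key, value in headers.items():
            req.add_header(key, value)
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            return json.loads(resp.read().decode() or "{}")

    def upload_policy_file(self, local_path):
        """POST the file in Content-Range chunks to /file-transfer/uploads/<name>."""
        name = os.path.basename(local_path)
        total = os.path.getsize(local_path)
        with open(local_path, "rb") as fh:
            for offset, length, crange in content_ranges(total):
                fh.seek(offset)
                self._call("POST", f"/file-transfer/uploads/{name}", fh.read(length),
                           {"Content-Type": "application/octet-stream",
                            "Content-Range": crange})
        return name

    def import_policy(self, uploaded_name, policy_name, wait=120):
        """Create the import task and poll it until it finishes (assumed
        status values COMPLETED / FAILURE on the task resource)."""
        task = self._call("POST", "/tasks/import-policy",
                          import_task_body(uploaded_name, policy_name).encode(),
                          {"Content-Type": "application/json"})
        deadline = time.time() + wait
        while task.get("status") not in ("COMPLETED", "FAILURE") and time.time() < deadline:
            time.sleep(2)
            task = self._call("GET", f"/tasks/import-policy/{task['id']}", None, {})
        return task


if __name__ == "__main__":  # usage mirrors the playbook's variables
    client = BigIpRest("172.28.22.148", "asmadmin", os.environ["F5_PASSWORD"],
                       validate_certs=False)
    uploaded = client.upload_policy_file("Common_pol2__2019-11-14_12-33-11__phltm19.ph.local.plc")
    print(client.import_policy(uploaded, "import_via_rest"))
```

Running this under the web-application-security-administrator account reproduces the curl result and isolates the REST calls from the module's own upload path, which is where the traceback above fails (`upload_file_to_device`). One thing worth noticing in the `-vvvv` output earlier in the issue: the module's command line is logged with `F5_PASSWORD=asmadmin` in clear text, so debug runs like that one should not be pasted anywhere with real credentials in place.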

wojtek0806 commented 4 years ago

FMFA-404