Closed lorinwyatt closed 4 years ago
Unfortunately this is not possible with the Ansible modules; you need to have a username and password defined prior to using the modules, as that is what the REST interface uses.
@lorinwyatt, I've asked for this same feature. My solution thus far has been to SSH into the device using an SSH key (via the Ansible 'command' module), then issue a 'tmsh modify auth user admin password xxxx shell tmsh' and a 'passwd root xxxx'.
If the image was created with something like an AWS CFT or the Azure equivalent, there is an SSH key placed on the box during the build. If it's vCMP or VE, you get the additional step of SSH to the device without a key, then using an expect script to go through the root password forced change dialog, then doing the admin password change via CLI as above, creating dependencies on both code version and timing.
It would be nice if this could be done via the CFT by specifying a default password, but as you can't even specify the device name there (also requested), that would be asking a lot. Granted, using the CFT leaves open the possibility that the password could be exposed somewhere, but once it's manageable via automation, we then change it to a "real" password anyway. As it is, there are probably more risks of exposure via hacks like mine than there are via template, but that's what we are left with - bad security in the name of security.
Drop me a PM if you'd like any of that code. Stan
Hello @lorinwyatt, I guess you can use this way to change the password first, then you can move forward.
```yaml
---
- name: Activate a BigIP device license
  hosts: f5-activate
  connection: local
  vars:
    # Credentials that are valid before the forced password change
    init_provider:
      server: "{{ bigip_host }}"
      server_port: "{{ bigip_port }}"
      user: "{{ bigip_username }}"
      password: "{{ old_bigip_password }}"
      validate_certs: no
    # Credentials that are valid after the change; validate_certs is supplied from inventory or extra vars
    provider:
      server: "{{ bigip_host }}"
      server_port: "{{ bigip_port }}"
      user: "{{ bigip_username }}"
      password: "{{ new_bigip_password }}"
      validate_certs: "{{ validate_certs }}"
  tasks:
    # - name: Reset the BIG-IP
    #   bigip_config:
    #     reset: yes
    #     save: True
    #     provider: "{{ init_provider }}"
    - name: After reset, configure the expired admin password
      # Call the iControl REST endpoint directly, authenticating with the old
      # admin password (factory default is admin/admin); the modules cannot do this
      uri:
        url: "https://{{ bigip_host }}/mgmt/shared/authz/users/admin"
        method: PATCH
        body:
          oldPassword: "{{ old_bigip_password }}"
          password: "{{ new_bigip_password }}"
        body_format: json
        validate_certs: no
        force_basic_auth: yes
        user: admin
        password: "{{ old_bigip_password }}"
        headers:
          Content-Type: "application/json"
      no_log: true  # keep both passwords out of the play output
    - name: Last part of config reset - configure the root password
      bigip_user:
        full_name: root
        username_credential: root
        password_credential: "{{ new_bigip_root_password }}"
        update_password: always
        provider: "{{ provider }}"
      no_log: true
    - name: Activate bigip license
      bigip_device_license:
        license_key: "{{ bigip_license_key }}"
        license_server: "{{ bigip_license_server }}"
        accept_eula: yes
        provider: "{{ provider }}"
      register: action_result
      retries: 6
      delay: 20
      until: action_result is success
```
Note: the same password can only be changed once.
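The REST exchange behind the `uri` task above, as an added example that is not part of the issue thread and not code from the F5 Ansible collection. It uses only the Python standard library and makes the same PATCH to `/mgmt/shared/authz/users/admin` with the old password in HTTP Basic auth, then handles the caveat noted above (the same password can only be changed once): on a re-run the old password is rejected with 401, so the script probes the same user resource with the new password and reports "already_changed" instead of failing. The GET probe on that endpoint and the RFC 7617 Basic header are assumptions; the host name and passwords are constructed sample values.

```python
"""Bootstrap the admin password of a freshly reset BIG-IP over iControl REST.

Added example, not code from the thread or the F5 Ansible collection.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request


def basic_auth_header(user, password):
    """HTTP Basic Authorization value (RFC 7617): base64 of "user:password"."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def build_password_change_request(host, user, old_password, new_password):
    """PATCH /mgmt/shared/authz/users/<user>, authenticated with the OLD password.

    This is the call the playbook's `uri` task makes; the body carries both the
    old and the new password, as in the thread.
    """
    url = f"https://{host}/mgmt/shared/authz/users/{user}"
    body = json.dumps({"oldPassword": old_password, "password": new_password}).encode()
    req = urllib.request.Request(url, data=body, method="PATCH")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", basic_auth_header(user, old_password))
    return req


def build_probe_request(host, user, password):
    """GET the same user resource with a candidate password.

    Assumption: a 200 here means the password is accepted; used only to detect
    that a previous run already rotated the password.
    """
    req = urllib.request.Request(f"https://{host}/mgmt/shared/authz/users/{user}", method="GET")
    req.add_header("Authorization", basic_auth_header(user, password))
    return req


def make_opener(cafile=None):
    """Build an HTTPS opener. A fresh BIG-IP ships a self-signed certificate, so
    pass the device cert or a CA bundle as `cafile`; verification is disabled
    only when the caller explicitly passes nothing (the playbook's validate_certs: no)."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def _status(opener, req, timeout):
    """Send `req` and return the HTTP status instead of raising on 4xx/5xx."""
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def bootstrap_admin_password(host, user, old_password, new_password, opener, timeout=30):
    """Rotate the expired password idempotently.

    Returns "changed" when the old password was accepted and rotated, or
    "already_changed" when the old password is rejected but the new one works
    (a re-run after a successful change). Any other outcome raises, so a
    wrong old *and* wrong new password is never silently treated as success.
    """
    change = build_password_change_request(host, user, old_password, new_password)
    status = _status(opener, change, timeout)
    if status == 200:
        return "changed"
    if status == 401:
        if _status(opener, build_probe_request(host, user, new_password), timeout) == 200:
            return "already_changed"
        raise RuntimeError(f"{user}@{host}: neither the old nor the new password was accepted")
    raise RuntimeError(f"{user}@{host}: password change returned HTTP {status}")


if __name__ == "__main__":
    # Constructed sample values; replace with the real device and secrets.
    result = bootstrap_admin_password(
        "bigip.example", "admin", "admin", "N3w-Secret", make_opener(cafile=None)
    )
    print(result)
```

Run it once with the factory password and the new one; a second run returns "already_changed" rather than failing, which is the behaviour the Ansible play needs in order to be re-entrant. Pass a `cafile` in anything but a lab so the new password is not sent to an unverified endpoint.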
ISSUE TYPE
COMPONENT NAME
bigip_user
ANSIBLE VERSION
PYTHON VERSION
BIGIP VERSION
CONFIGURATION
N/A
OS / ENVIRONMENT
N/A
SUMMARY
We are attempting to configure a new system from scratch using Ansible without accessing the GUI. If configuring the F5 from scratch, the default behavior is to immediately require a password change when logging in. We are simply trying to do this with Ansible and not logging into the GUI.
STEPS TO REPRODUCE
EXPECTED RESULTS
For the default admin password to change
ACTUAL RESULTS
The playbook fails as shown in traceback: