F5Networks / f5-ansible

Imperative Ansible modules for F5 BIG-IP products
GNU General Public License v3.0

VS with ASM policy failed: requires a profile of type websecurity for ltm policy #1677

Closed amolari closed 4 years ago

amolari commented 4 years ago
ISSUE TYPE
COMPONENT NAME

bigip_virtual_server

collection from f5networks-f5_modules-1.2.0-devel.tar.gz (daily)

ANSIBLE VERSION
ansible 2.9.4
PYTHON VERSION
python version = 2.7.17 
BIGIP VERSION
14.1.2.3
CONFIGURATION
OS / ENVIRONMENT

N/A

SUMMARY

I create the LTM policy's default rule (condition: All Traffic), with the action being to enable the ASM policy. When I create the VS with the LTM policy attached, I get an error (VS not created). If I attach the LTM policy manually (GUI), it works. In the BIG-IP audit logs, I see a difference when I attach the LTM policy manually:

Mar  4 17:59:26 ip-10-100-1-98.eu-west-1.compute.internal notice mcpd[4324]: 01070417:5: AUDIT - client tmui, user my-admin - transaction #728301-3 - object 0 - create { virtual_server_policy { virtual_server_policy_vs_name "/Common/main_HTTP" virtual_server_policy_policy_name "/Common/main_policy" } } [Status=Command OK]

Mar  4 17:59:26 ip-10-100-1-98.eu-west-1.compute.internal notice mcpd[4324]: 01070417:5: AUDIT - client tmui, user my-admin - transaction #728301-4 - object 0 - create { virtual_server_profile { virtual_server_profile_vs_name "/Common/main_HTTP" virtual_server_profile_profile_name "/Common/websecurity" virtual_server_profile_profile_context 0 } } [Status=Command OK]

With the Ansible module, I don't see the websecurity profile attached to the VS in the audit logs.

STEPS TO REPRODUCE
# LTM policy container
- bigip_policy:
    provider: "{{ provider }}"
    description: main policy
    name: main_policy
    partition: Common
    state: present
    strategy: best
  delegate_to: localhost

# Default rule: match all traffic and enable the ASM policy
- bigip_policy_rule:
    provider: "{{ provider }}"
    name: default
    description: default - do nothing
    policy: main_policy
    partition: Common
    conditions:
      - type: all_traffic
    actions:
      - type: enable
        asm_policy: "asm_policy-default"
        event: request
    state: present
  delegate_to: localhost

# Virtual server that attaches the LTM policy (profiles as reported)
- bigip_virtual_server:
    provider: "{{ provider }}"
    name: main_HTTPS
    description: Entry Point HTTPS VS
    state: present
    partition: Common
    destination: 0.0.0.0
    port: '443'
    profiles:
      - http-xff
      - name: clientssl
        context: server-side
    irules:
      - main_irule
    policies:
      - main_policy
  delegate_to: localhost

EXPECTED RESULTS

ASM policy attached to the VS

ACTUAL RESULTS
FAILED! => {"changed": false, "msg": "010716d9:3: Virtual server /Common/main_HTTPS requires a profile of type websecurity for ltm policy /Common/main_policy."}

wojtek0806 commented 4 years ago

We won't assign a default profile in Ansible; you need to be explicit about what you want the module to do when creating or attaching to an existing VS. Ansible modules are an imperative, not a declarative, interface, so you need to do the work of specifying what you want.

amolari commented 4 years ago

All clear, needed to add

profiles:
   - websecurity
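
A pre-flight check for the mismatch discussed in this thread, as an added example that is not part of the original issue or the f5-ansible project: it scans already-parsed tasks for a virtual server that attaches an ASM-enabling LTM policy without listing the websecurity profile. The helper name `find_missing_websecurity` and the sample dicts are assumptions constructed from the playbook above.

```python
# Added example: lint over Ansible tasks that have already been parsed into dicts.
# Module and parameter names are those used in the playbook on this page;
# find_missing_websecurity() is a hypothetical helper, not an f5-ansible API.

def _names(items):
    """Normalise a list whose entries are either 'name' or {'name': ...}."""
    return {i["name"] if isinstance(i, dict) else i for i in items or []}

def _short(name):
    """Strip a /Partition/ prefix so '/Common/x' and 'x' compare equal."""
    return name.rsplit("/", 1)[-1]

def find_missing_websecurity(tasks):
    """Return names of virtual servers that attach an ASM-enabling LTM policy
    without also listing the websecurity profile."""
    asm_policies = set()
    for task in tasks:
        rule = task.get("bigip_policy_rule")
        if rule and rule.get("state", "present") == "present":
            if any(a.get("type") == "enable" and a.get("asm_policy")
                   for a in rule.get("actions") or []):
                asm_policies.add(_short(rule["policy"]))
    missing = []
    for task in tasks:
        vs = task.get("bigip_virtual_server")
        if not vs:
            continue
        policies = {_short(p) for p in _names(vs.get("policies"))}
        profiles = {_short(p) for p in _names(vs.get("profiles"))}
        if policies & asm_policies and "websecurity" not in profiles:
            missing.append(vs["name"])
    return missing

# Constructed sample input mirroring the tasks in the report above.
RULE = {"bigip_policy_rule": {
    "name": "default", "policy": "main_policy",
    "conditions": [{"type": "all_traffic"}],
    "actions": [{"type": "enable", "asm_policy": "asm_policy-default"}]}}
VS_AS_REPORTED = {"bigip_virtual_server": {
    "name": "main_HTTPS", "policies": ["main_policy"],
    "profiles": ["http-xff", {"name": "clientssl", "context": "server-side"}]}}
VS_FIXED = {"bigip_virtual_server": {
    "name": "main_HTTPS", "policies": ["main_policy"],
    "profiles": ["http-xff", "websecurity",
                 {"name": "clientssl", "context": "server-side"}]}}

if __name__ == "__main__":
    print(find_missing_websecurity([RULE, VS_AS_REPORTED]))  # ['main_HTTPS']
    print(find_missing_websecurity([RULE, VS_FIXED]))        # []
```

Running it against a playbook before deployment surfaces the missing profile without waiting for the 010716d9 error from the device.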