F5Networks / f5-ansible

Imperative Ansible modules for F5 BIG-IP products
GNU General Public License v3.0

Module for configuring management port firewall rules #2336

Open person50002 opened 1 year ago

person50002 commented 1 year ago

Is your feature request related to a problem? Please describe.

It is possible to attach firewall rules to the management port using TMSH, TMUI, iControl REST API and Declarative Onboarding, but there is no Ansible module for that.

https://my.f5.com/manage/s/article/K46122561

https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_security_firewall_management-ip-rules.html

https://clouddocs.f5.com/products/extensions/f5-declarative-onboarding/latest/declarations/network-objects.html#configuring-firewall-rules-on-the-management-interface

Describe the solution you'd like

We would like to request an Ansible module for it.

Describe alternatives you've considered

Declarative Onboarding

pgouband commented 1 year ago

Hi @person50002,

Have you tried to use the Ansible tmsh command? https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/bigip_command_module.html#bigip-command-module-3

person50002 commented 1 year ago

Yes, but with bigip_command there is no check mode. https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_checkmode.html Also, bigip_command will execute even when the current config already matches the desired config.

pgouband commented 1 year ago

Hi @person50002,

Is there a specific reason why you don't want to use Declarative Onboarding with Ansible? https://clouddocs.f5.com/products/orchestration/ansible/devel/f5_bigip/modules_2_0/bigip_as3_deploy_module.html#bigip-as3-deploy-module-2

person50002 commented 1 year ago

One of the problems with using Declarative Onboarding is this: "protocol property of the ManagementIpFirewall_rules object does not accept ICMP" https://github.com/F5Networks/f5-declarative-onboarding/issues/351