Lab 1.1: Ansible Policy Creation

Task 1 - Using Ansible to create an ASM Policy

All scripts in this module are run from the CLI (Terminal Emulator icon on the desktop).

Run the following command to create an ASM policy named ansible1 (this may take a couple of minutes):

ansible-playbook /etc/ansible/playbooks/ansible1.yaml -i /etc/ansible/inventory/  -vvv

Go to the BIG-IP WebUI and navigate to Security->Application Security->Security Policies->Policies List

You should now see a policy named ansible1

Inspect the policy

Ansible Configuration Explained

First, Ansible must know which hosts to apply the configuration to; here we have defined a group called "bigips".

ansible1.yaml:

 1  ---
 2
 3  #### This playbook creates a ASM policy named ansible1
 4
 5  - name: create ansible1 policy
 6    hosts: bigips
 7    connection: local
 8    gather_facts: False
 9    environment:
10        F5_SERVER: "{{ ansible_ssh_host }}"
11        F5_USER: "{{ bigip_user }}"
12        F5_PASSWORD: "{{ bigip_password }}"
13        F5_SERVER_PORT: "{{ bigip_port }}"
14        F5_VALIDATE_CERTS: "{{ validate_certs }}"
15
16    tasks:
17      - name: Create ASM policy, compact XML file
18        bigip_asm_policy:
19          name: ansible1
20          template: SharePoint 2007 (http)
21
22    post_tasks:
23      - name: Save the running BIG-IP configuration to disk
24        bigip_config:
25          save: True
26        register: result

The group bigips is pulled from /etc/ansible/inventory/hosts. Here only one host is defined; more can be added under the [bigips] stanza.

hosts:

[bigips]
bigip01

The variables used in the environment block (lines 9-14 of the playbook) are pulled from /etc/ansible/inventory/group_vars/bigips/all.yaml. Ansible loads a group_vars directory that sits next to the inventory automatically, so the playbook does not have to reference the file.


all.yaml:

Note

The password value is masked in this listing. In the lab it sits in plaintext in all.yaml and certificate validation is switched off; outside a lab, keep the password in an ansible-vault encrypted file and set validate_certs to true, so that the admin credentials are only ever sent to a BIG-IP whose certificate chains to a CA the control node trusts.

bigip_user: admin
bigip_password: ******
bigip_port: "443"
bigip_partition: "Common"
validate_certs: "false"

In line 18, the bigip_asm_policy module is called to tell Ansible we are going to create (or modify) a policy. Line 19 is the name of the policy, and line 20 is the application-ready template the policy is built from ("SharePoint 2007 (http)" is one of ASM's application-ready templates, not the Rapid Deployment policy).


Starting at line 22, post tasks are declared. These run after the policy has been created. Here the bigip_config module saves the running configuration to disk; otherwise the new policy exists only in the running configuration and does not survive a reboot.

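As an added example (this is not the lab's ansible1.yaml and not F5's own code), here is the same play rewritten the way it would be run outside the lab: credentials are passed through the provider dictionary that the F5 modules accept in place of the F5_* environment block, the password is read from an ansible-vault encrypted vault.yaml rather than plaintext in all.yaml, validate_certs is switched on, and the "look in the WebUI" check from Task 1 is replaced by a uri query against the iControl REST policy list that fails the play if ansible1 is missing. Assumptions: the inventory sets ansible_host for bigip01, a file group_vars/bigips/vault.yaml (encrypted with ansible-vault) defines vault_bigip_password, and bigip_user and bigip_port come from the page's all.yaml; f5_provider is a name chosen here, not a module convention.

```yaml
---
# Added example, not the lab's ansible1.yaml. Assumed inventory layout
# (the lab's hosts file defines only bigip01):
#   /etc/ansible/inventory/group_vars/bigips/all.yaml   -> bigip_user, bigip_port
#   /etc/ansible/inventory/group_vars/bigips/vault.yaml -> vault_bigip_password,
#       encrypted with: ansible-vault encrypt vault.yaml
# and bigip01 has ansible_host set (inventory line or host_vars).

- name: create ansible1 policy (hardened variant)
  hosts: bigips
  connection: local
  gather_facts: false

  vars:
    # One connection dictionary shared by every F5 module in the play;
    # this replaces the F5_SERVER/F5_USER/... environment block.
    f5_provider:
      server: "{{ ansible_host }}"
      server_port: "{{ bigip_port }}"
      user: "{{ bigip_user }}"
      password: "{{ vault_bigip_password }}"   # comes from the vaulted file
      validate_certs: true                      # BIG-IP cert must chain to a trusted CA

  tasks:
    - name: Create ASM policy ansible1 from the SharePoint 2007 (http) application-ready template
      bigip_asm_policy:
        name: ansible1
        template: SharePoint 2007 (http)
        state: present
        provider: "{{ f5_provider }}"

    - name: Read back the ASM policy list over iControl REST
      uri:
        url: "https://{{ ansible_host }}:{{ bigip_port }}/mgmt/tm/asm/policies"
        method: GET
        user: "{{ bigip_user }}"
        password: "{{ vault_bigip_password }}"
        force_basic_auth: true
        validate_certs: true
        return_content: true
      register: asm_policies
      no_log: true   # keeps the basic-auth credentials out of -vvv output

    - name: Fail the play if ansible1 is not present on the BIG-IP
      assert:
        that:
          - "'ansible1' in (asm_policies.json['items'] | default([]) | map(attribute='name') | list)"
        fail_msg: "ASM policy ansible1 was not found on {{ inventory_hostname }}"

  post_tasks:
    - name: Save the running BIG-IP configuration to disk
      bigip_config:
        save: true
        provider: "{{ f5_provider }}"
```

Run it with the same ansible-playbook command as the lab plus --ask-vault-pass (or --vault-password-file). The assert step is the check that -vvv output alone does not give you: changed=1 from bigip_asm_policy only says the API call was accepted, while the read-back confirms the object is actually present under the expected name before the configuration is saved.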

Why Ansible and Limitations of the F5 ASM Ansible module

More information on F5's Ansible modules can be found at F5 and Ansible On GitHub.

F5's SYS and LTM Ansible modules are more feature rich (close to covering all features); the ASM module is currently limited to policy import, activation/deactivation and creation. Over time this will change, as F5 has a strong partnership with Ansible.

Current F5 ASM Ansible Capabilities

Policy Activation/Deactivation

Blank Policy Creation

XML Policy Import

Binary Policy Import

Policy Creation using Application-Ready Templates