f5networks.f5_modules.bigip_asm_policy_manage module – Manage BIG-IP ASM policies

Note

This module is part of the f5networks.f5_modules collection (version 1.28.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install f5networks.f5_modules.

To use it in a playbook, specify: f5networks.f5_modules.bigip_asm_policy_manage.

New in f5networks.f5_modules 1.0.0

Synopsis

  • Manage BIG-IP ASM policies, create policies from templates, and manage global policy settings.

Parameters

Parameter

Comments

active

boolean

If true, applies and activates the existing inactive policy. If false, it deactivates the existing active policy. Generally should be true only in cases where you want to activate new or existing policy.

In TMOS v14 and later, deactivating the policy causes it to be detached from any other associated objects, therefore the default option of false has been removed in order to prevent accidental disassociation.

Choices:

  • false

  • true

apply

boolean

added in f5networks.f5_modules 1.4.0

If true applies the policy if the policy has pending changes.

This parameter supported on TMOS v14.x and above.

Choices:

  • false

  • true

name

string / required

The ASM policy to manage or create.

partition

string

Device partition to manage resources on.

Default: "Common"

provider

dictionary

added in f5networks.f5_modules 1.0.0

A dict object containing connection details.

auth_provider

string

Configures the auth provider for to obtain authentication tokens from the remote device.

This option is really used when working with BIG-IQ devices.

no_f5_teem

boolean

If yes, TEEM telemetry data is not sent to F5.

You may omit this option by setting the environment variable F5_TELEMETRY_OFF.

Previously used variable F5_TEEM is deprecated as its name was confusing.

Choices:

  • false ← (default)

  • true

password

aliases: pass, pwd

string / required

The password for the user account used to connect to the BIG-IP or the BIG-IQ.

You may omit this option by setting the environment variable F5_PASSWORD.

server

string / required

The BIG-IP host or the BIG-IQ host.

You may omit this option by setting the environment variable F5_SERVER.

server_port

integer

The BIG-IP server port.

You may omit this option by setting the environment variable F5_SERVER_PORT.

Default: 443

timeout

integer

Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error.

transport

string

Configures the transport connection to use when connecting to the remote device.

Choices:

  • "rest" ← (default)

user

string / required

The username to connect to the BIG-IP or the BIG-IQ. This user must have administrative privileges on the device.

You may omit this option by setting the environment variable F5_USER.

validate_certs

boolean

If no, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates.

You may omit this option by setting the environment variable F5_VALIDATE_CERTS.

Choices:

  • false

  • true ← (default)

state

string

When state is present, and the template parameter is provided, a new ASM policy is created from the template with the given policy name.

When state is present and no template parameter is provided, a new blank ASM policy is created with the given policy name.

When state is absent, ensures the policy is removed, even if it is currently active.

Choices:

  • "present" ← (default)

  • "absent"

template

string

An ASM policy built-in template. If the template does not exist, an error is raised.

Once the policy has been created, this value cannot change.

The Comprehensive, Drupal, Fundamental, Joomla, Vulnerability Assessment Baseline, and Wordpress templates are only available on BIG-IP versions >= 13.

Choices:

  • "ActiveSync v1.0 v2.0 (http)"

  • "ActiveSync v1.0 v2.0 (https)"

  • "Comprehensive"

  • "Drupal"

  • "Fundamental"

  • "Joomla"

  • "LotusDomino 6.5 (http)"

  • "LotusDomino 6.5 (https)"

  • "OWA Exchange 2003 (http)"

  • "OWA Exchange 2003 (https)"

  • "OWA Exchange 2003 with ActiveSync (http)"

  • "OWA Exchange 2003 with ActiveSync (https)"

  • "OWA Exchange 2007 (http)"

  • "OWA Exchange 2007 (https)"

  • "OWA Exchange 2007 with ActiveSync (http)"

  • "OWA Exchange 2007 with ActiveSync (https)"

  • "OWA Exchange 2010 (http)"

  • "OWA Exchange 2010 (https)"

  • "Oracle 10g Portal (http)"

  • "Oracle 10g Portal (https)"

  • "Oracle Applications 11i (http)"

  • "Oracle Applications 11i (https)"

  • "PeopleSoft Portal 9 (http)"

  • "PeopleSoft Portal 9 (https)"

  • "Rapid Deployment Policy"

  • "SAP NetWeaver 7 (http)"

  • "SAP NetWeaver 7 (https)"

  • "SharePoint 2003 (http)"

  • "SharePoint 2003 (https)"

  • "SharePoint 2007 (http)"

  • "SharePoint 2007 (https)"

  • "SharePoint 2010 (http)"

  • "SharePoint 2010 (https)"

  • "Vulnerability Assessment Baseline"

  • "Wordpress"

Notes

Note

  • For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.

  • Requires BIG-IP software version >= 12.

  • The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the f5networks.f5_modules.bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.

Examples

- name: Create ASM policy from template
  bigip_asm_policy:
    name: new_sharepoint_policy
    template: SharePoint 2007 (http)
    state: present
    provider:
      server: lb.mydomain.com
      user: admin
      password: secret
  delegate_to: localhost

- name: Create blank ASM policy
  bigip_asm_policy:
    name: new_blank_policy
    state: present
    provider:
      server: lb.mydomain.com
      user: admin
      password: secret
  delegate_to: localhost

- name: Create blank ASM policy and activate
  bigip_asm_policy_manage:
    name: new_blank_policy
    active: true
    state: present
    provider:
      server: lb.mydomain.com
      user: admin
      password: secret
  delegate_to: localhost

- name: Activate ASM policy
  bigip_asm_policy_manage:
    name: inactive_policy
    active: true
    state: present
    provider:
      server: lb.mydomain.com
      user: admin
      password: secret
  delegate_to: localhost

- name: Deactivate ASM policy
  bigip_asm_policy_manage:
    name: active_policy
    state: present
    provider:
      server: lb.mydomain.com
      user: admin
      password: secret
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

active

boolean

Set when activating/deactivating an ASM policy.

Returned: changed

Sample: true

apply

boolean

Set when applying pending changes to an ASM policy.

Returned: changed when target policy has changes pending

Sample: true

name

string

Name of the ASM policy to be managed/created.

Returned: changed

Sample: "Asm_APP1_Transparent"

state

string

Action performed on the target device.

Returned: changed

Sample: "absent"

template

string

Name of the built-in ASM policy template.

Returned: changed

Sample: "OWA Exchange 2007 (https)"

Authors

  • Wojciech Wypior (@wojtek0806)