f5-ansible
How to Add one Single iRule to a Virtual Server using Ansible?
Please include the data requested in the bug template, Ansible version, collection version, python version, bigip version, etc.
ANSIBLE VERSION
< AWX 16.0.0 >
Ansible Version 2.9.15
Copyright 2019 Red Hat, Inc.
BIGIP VERSION
```
Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.4
  Build       0.0.11
  Edition     Final
  Date        Thu Feb 11 19:05:03 PST 2021
```
OS / ENVIRONMENT
Red Hat Enterprise Linux release 8.3 (Ootpa)
Python Version
Python 3.6.8
Please refer to https://ansible.github.io/workshops/exercises/ansible_f5/1.6-add-irules for detailed info. I tried the below one and it works.
My playbook:
```yaml
- name: demo lab
  hosts: f5-test
  gather_facts: no
  connection: local
  collections:
    - f5networks.f5_modules
  vars:
    irules: ["irule1"]
    login_user: "XXXXXX"
    login_password: "XXXXXX"
    provider:
      server: "{{ ansible_host }}"
      server_port: 443
      # TLS certificate verification is disabled (lab setting)
      validate_certs: no
      user: "{{ login_user }}"
      password: "{{ login_password }}"
  tasks:
    - name: Add single iRule
      bigip_irule:
        provider: "{{ provider }}"
        module: "ltm"
        name: "{{ item }}"
        # Read the iRule body from a local file named after the item
        content: "{{ lookup('file', item) }}"
      with_items: "{{ irules }}"
    - name: ATTACH iRules TO VIRTUAL SERVER
      bigip_virtual_server:
        provider: "{{ provider }}"
        name: "vip"
        destination: "{{ ansible_host }}"
        all_profiles: ['http', 'clientssl', 'oneconnect']
        port: "443"
        # The list given here replaces the iRules currently attached
        irules: "{{ irules }}"
```
my simple iRule - irule1
```tcl
when HTTP_REQUEST {
    log local0. "Accessing my single iRule"
}
```
Hope this helps @hgebrael
Hi @trinaths
Thank you so much for your reply.
I just tried your solution and I was able to attach the iRule to the Virtual Server, however it deleted the previously attached iRules from the same VS, which is not the desired behavior.
@hgebrael - the behaviour is expected. Can you add that iRule too to the playbook and retry?
@trinaths in my case there are already 100 irules attached to one virtual server, these irules are created automatically and might change so I cannot add them to my playbook. Do you know if ansible has another idempotent module that might add the new iRules without detaching the existing one?
You can probably use bigip_device_info: https://docs.ansible.com/ansible/2.9/modules/bigip_device_info_module.html#bigip-device-info-module
Gather the facts about the virtual server, register those facts, and then attach those facts to the virtual server you are trying to add the new iRule to. This is what I do with VLAN assignments and it works out pretty well.
Thanks @DerrickTJ, I will try it out.
@hgebrael with suggestions above, please share your findings
@hgebrael - any update on this ?
@trinaths I hope you are doing well. The suggested approach is not suitable since the F5 irules (around 200) will be deleted from the virtual server and added back which might cause some interruption in the service so we didn't get approval on it.
It is better if the F5 Module can be updated to simply add a new rule to the VS. I don't understand why all rules need to be overwritten. This is really strange behavior.
This is done on purpose, as arrays in the API do not offer atomic updates. Also, for module idempotency, the module does not guess what the user wants to do with the given list:
- does the user want us to remove the item in the array from the device?
- does the user want us to add the item in the array to the device?
- or maybe does the user want to remove all items in the array bar the ones he provided?
If you have a large list of rules, then utilize bigip_device_info to obtain the state information on the given VS and then use that state information (in this case iRule array) to add to your module input.
Closing this now. Reopen if you still face the issue. Thanks!
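
The read-then-merge approach suggested in this thread, written out as an added example; it is not code from any participant or from the f5-ansible project. It assumes the virtual server is `/Common/vip`, that the `virtual_servers` facts carry an `irules` list of full paths, and that `login_user` / `login_password` come from a vault or AWX credential; `vs_full_path`, `new_irules`, `vs_matches` and `merged_irules` are names made up for the example.

```yaml
# Added example, not part of the original thread.
- name: Append an iRule to a virtual server, keeping the attached ones
  hosts: f5-test
  connection: local
  gather_facts: no
  collections:
    - f5networks.f5_modules
  vars:
    vs_name: "vip"                    # virtual server name used in the thread
    vs_full_path: "/Common/vip"       # assumption: object lives in /Common
    new_irules: ["/Common/irule1"]    # full paths, to match the gathered facts
    provider:
      server: "{{ ansible_host }}"
      server_port: 443
      validate_certs: yes             # verify the BIG-IP management certificate
      user: "{{ login_user }}"        # assumption: injected from vault / AWX
      password: "{{ login_password }}"
  tasks:
    - name: Read the current virtual server state
      bigip_device_info:
        provider: "{{ provider }}"
        gather_subset:
          - virtual-servers
      register: f5_info

    - name: Select the target virtual server from the facts
      set_fact:
        vs_matches: "{{ f5_info.virtual_servers | selectattr('full_path', 'equalto', vs_full_path) | list }}"

    - name: Refuse to write if the virtual server was not found exactly once
      assert:
        that: vs_matches | length == 1
        fail_msg: "{{ vs_full_path }} not found; no iRule list was written"

    - name: Build the merged list (existing order first, new rules appended)
      vars:
        existing: "{{ vs_matches[0].irules | default([], true) }}"
      set_fact:
        merged_irules: "{{ existing + (new_irules | difference(existing)) }}"

    - name: Write the complete list back to the virtual server
      bigip_virtual_server:
        provider: "{{ provider }}"
        name: "{{ vs_name }}"
        irules: "{{ merged_irules }}"
```

This is a read-modify-write sequence, so an iRule attached by another process between the info task and the write is absent from the list that gets written; running the play with `--check --diff` first shows the list that would be sent.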