Try SpotterManage remote roles on a BIG-IP
| "added in version" 1.0.0 of f5networks.f5_modules"
Authors: Tim Rupp (@caphrim007)
Install with ansible-galaxy collection install f5networks.f5_modules:==1.28.0
collections:
- name: f5networks.f5_modules
version: 1.28.0Manages remote roles on a BIG-IP system. Remote roles are used in situations where user authentication is handled off-box. Local access control to the BIG-IP is controlled by the defined remote role, and authentication (and by extension, assignment to the role) is handled off-box.
- name: Create a remote role
bigip_remote_role:
name: ldap_group
line_order: 1
attribute_string: memberOf=cn=ldap_group,cn=ldap.group,ou=ldap
remote_access: true
assigned_role: administrator
partition_access: all
terminal_access: none
state: present
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
name:
description:
- Specifies the name of the remote role.
required: true
type: str
state:
choices:
- absent
- present
default: present
description:
- When C(present), guarantees the remote role exists.
- When C(absent), removes the remote role from the system.
type: str
provider:
description:
- A dict object containing connection details.
suboptions:
auth_provider:
description:
- Configures the auth provider for to obtain authentication tokens from the remote
device.
- This option is really used when working with BIG-IQ devices.
type: str
no_f5_teem:
default: false
description:
- If C(yes), TEEM telemetry data is not sent to F5.
- You may omit this option by setting the environment variable C(F5_TELEMETRY_OFF).
- Previously used variable C(F5_TEEM) is deprecated as its name was confusing.
type: bool
password:
aliases:
- pass
- pwd
description:
- The password for the user account used to connect to the BIG-IP or the BIG-IQ.
- You may omit this option by setting the environment variable C(F5_PASSWORD).
required: true
type: str
server:
description:
- The BIG-IP host or the BIG-IQ host.
- You may omit this option by setting the environment variable C(F5_SERVER).
required: true
type: str
server_port:
default: 443
description:
- The BIG-IP server port.
- You may omit this option by setting the environment variable C(F5_SERVER_PORT).
type: int
timeout:
description:
- Specifies the timeout in seconds for communicating with the network device for
either connecting or sending commands. If the timeout is exceeded before the
operation is completed, the module will error.
type: int
transport:
choices:
- rest
default: rest
description:
- Configures the transport connection to use when connecting to the remote device.
type: str
user:
description:
- The username to connect to the BIG-IP or the BIG-IQ. This user must have administrative
privileges on the device.
- You may omit this option by setting the environment variable C(F5_USER).
required: true
type: str
validate_certs:
default: true
description:
- If C(no), SSL certificates are not validated. Use this only on personally controlled
sites using self-signed certificates.
- You may omit this option by setting the environment variable C(F5_VALIDATE_CERTS).
type: bool
type: dict
version_added: 1.0.0
version_added_collection: f5networks.f5_modules
line_order:
description:
- Specifies the order of the line in the file C(/config/bigip/auth/remoterole).
- The LDAP and Active Directory servers read this file line by line.
- The order of the information is important; therefore, F5 recommends you set the
first line at 1000. This allows you to insert lines before the first line in the
future.
- When creating a new remote role, this parameter is required.
type: int
assigned_role:
description:
- Specifies the authorization (level of access) for the account.
- When creating a new remote role, if this parameter is not provided, the default
is C(none).
- The C(partition_access) parameter controls which partitions the account can access.
- The role you choose may affect the partitions that one is allowed to specify. Specifically,
roles such as C(administrator), C(auditor) and C(resource-administrator) require
a C(partition_access) of C(all).
- A set of pre-existing roles ship with the system. They are C(none), C(guest), C(operator),
C(application-editor), C(manager), C(certificate-manager), C(irule-manager), C(user-manager),
C(resource-administrator), C(auditor), C(administrator), and C(firewall-manager).
type: str
remote_access:
description:
- Enables or disables remote access for the specified group of remotely authenticated
users.
- When creating a new remote role, if this parameter is not specified, the default
is C(true).
type: bool
terminal_access:
description:
- Specifies terminal-based accessibility for remote accounts not already explicitly
assigned a user role.
- Common values for this include C(tmsh) and C(none), but you can also specify custom
values.
- When creating a new remote role, if this parameter is not specified, the default
is C(none).
type: str
attribute_string:
description:
- Specifies the user account attributes saved in the group, in the format C(cn=, ou=,
dc=).
- When creating a new remote role, this parameter is required.
type: str
partition_access:
description:
- Specifies the accessible partitions for the account.
- This parameter supports the reserved names C(all) and C(Common), as well as specific
partitions a user may access.
- Users who have access to a partition can operate on objects in that partition, as
determined by the permissions conferred by the user's C(assigned_role).
- When creating a new remote role, if this parameter is not specified, the default
is C(all).
type: str
assigned_role: description: System role this remote role is associated with. returned: changed sample: administrator type: str attribute_string: description: The new attribute string of the resource. returned: changed sample: memberOf=cn=ldap_group,cn=ldap.group,ou=ldap type: str line_order: description: Order of the remote role for LDAP and Active Directory servers. returned: changed sample: 1000 type: int partition_access: description: Partition the role has access to. returned: changed sample: all type: str remote_access: description: Whether remote access is allowed or not. returned: changed sample: false type: bool terminal_access: description: The terminal setting of the remote role. returned: changed sample: tmsh type: str