From b2a425210a1814128b277813a46548b5e2620967 Mon Sep 17 00:00:00 2001 From: abaumeister Date: Fri, 30 Jan 2026 10:30:45 +1100 Subject: [PATCH 1/7] chore: Update requires_ansible --- meta/runtime.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/runtime.yml b/meta/runtime.yml index a93c55f..0285551 100644 --- a/meta/runtime.yml +++ b/meta/runtime.yml @@ -2,7 +2,7 @@ --- # Collections must specify a minimum required ansible version to upload # to galaxy -requires_ansible: ">=2.16" +requires_ansible: ">=2.16.0" # Content that Ansible needs to load from another location or that has # been deprecated/removed From f950300d70c462de3dbfcaf69902c00532bb093c Mon Sep 17 00:00:00 2001 From: abaumeister Date: Fri, 30 Jan 2026 10:33:24 +1100 Subject: [PATCH 2/7] chore: Fix ansible lint in cicd --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7d8f002..6c83c54 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -47,7 +47,7 @@ jobs: run: | cd ansible_collections/paloaltonetworks/panos_policy_automation ls -l - ansible-lint . --offline + ansible-lint --offline - name: Ansible Sanity Tests run: | From ae1c65ac777b443994af472bf5c32d05ade3de99 Mon Sep 17 00:00:00 2001 From: abaumeister Date: Fri, 30 Jan 2026 10:39:18 +1100 Subject: [PATCH 3/7] chore: Fix detached HEAD issue in galaxy file update git ops --- .github/workflows/release_to_galaxy.yml | 2 +- galaxy.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release_to_galaxy.yml b/.github/workflows/release_to_galaxy.yml index 3e5da06..04cce6d 100644 --- a/.github/workflows/release_to_galaxy.yml +++ b/.github/workflows/release_to_galaxy.yml 
@@ -43,7 +43,7 @@ jobs: git config --global user.name 'Github Actions Release Pipeline' git config --global user.email 'githubactions@users.noreply.github.com' git commit -am "chore: Update Ansible Galaxy file [skip ci]" - git push + git push origin HEAD:master # This can fail in cases where CI is being re-run but we've already bumped the version, so allow it to fail. continue-on-error: true diff --git a/galaxy.yml b/galaxy.yml index f880c7a..118d080 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -10,7 +10,7 @@ namespace: paloaltonetworks name: panos_policy_automation # The version of the collection. Must be compatible with semantic versioning -version: $VERSION_NUMBER +version: v1.4.4 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection readme: README.md From a980fc87748247fbcae90750e30a92449d866f2b Mon Sep 17 00:00:00 2001 
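Review bot: `git push origin HEAD:master` under `continue-on-error: true` means any rejected push — branch protection on master, a token without `contents: write`, or a non-fast-forward because another run already bumped the version — is swallowed and the job still reports success, so the committed galaxy.yml can silently drift from what was just published. The comment only justifies tolerating the already-bumped case; the other failures deserve a red job. One way to keep the step fatal while tolerating exactly that case is `git push origin HEAD:master || { git fetch origin master && git diff --quiet origin/master -- galaxy.yml; }`, which passes only when origin/master already holds this galaxy.yml. The branch name is also hard-coded; `${{ github.event.repository.default_branch }}` would survive a rename. The step's `run:` block and the checkout it relies on begin outside the hunk.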
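Review bot: Replacing the `$VERSION_NUMBER` placeholder in galaxy.yml with a literal removes the token that the release step in this same patch presumably substitutes before committing "Update Ansible Galaxy file"; if that substitution matches on the placeholder text, it now finds nothing and the published version stays pinned at whatever is checked in. Worth confirming that the release script rewrites the `version:` key itself rather than the placeholder, and recording that above the key so nobody bumps it by hand, e.g. `# Rewritten by release_to_galaxy.yml on release; do not edit manually`.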
From: abaumeister Date: Fri, 30 Jan 2026 14:08:34 +1100 Subject: [PATCH 4/7] chore: Rename all variables to comply with AAP requirements --- README.md | 2 +- docs/index.md | 2 +- .../add_application_to_preset_group.md | 10 ++--- docs/reference/create_policy.md | 6 +-- docs/reference/get_zone_by_ip.md | 30 ++++++------- docs/reference/lookup_policy.md | 20 ++++----- docs/reference/policy_creation_role.md | 10 ++--- docs/reference/security_policy_match.md | 12 +++--- docs/user_guide/playbook_variables.md | 4 +- docs/user_guide/preset_policy.md | 6 +-- example_outbound_policy_file.yml | 2 +- example_playbook.yml | 2 +- example_vars_file_add_new.yml | 2 +- example_vars_file_trusted_outbound.yml | 2 +- example_vars_file_web_to_db.yml | 2 +- example_web_to_database_policy_file.yml | 2 +- galaxy.yml | 2 +- playbooks/README.md | 4 +- playbooks/examples/lookup_policy.yml | 2 +- playbooks/examples/new_policy.yml | 2 +- .../panos_op_policy_match_result_to_bool.py | 12 +++--- .../panos_op_routing_result_to_interfaces.py | 6 +-- plugins/filter/panos_op_stdout_to_dict.py | 6 +-- roles/lookup_policy/meta/argument_specs.yml | 12 +++--- roles/lookup_policy/tasks/get_zone_by_ip.yml | 42 +++++++++---------- roles/lookup_policy/tasks/main.yml | 32 +++++++------- .../tasks/security_policy_match.yml | 20 ++++----- roles/policy_creation/meta/argument_specs.yml | 4 +- roles/policy_creation/tasks/main.yml | 8 ++-- .../tasks/new/create_policy.yml | 12 +++--- .../add_application_to_preset_group.yml | 4 +- ...r_panos_op_policy_match_result_to_bool.yml | 14 +++---- ..._panos_op_routing_result_to_interfaces.yml | 8 ++-- .../test_filter_panos_op_stdout_to_dict.yml | 8 ++-- 34 files changed, 156 insertions(+), 156 deletions(-) diff --git a/README.md b/README.md index 792ca85..686d735 100644 --- a/README.md +++ b/README.md 
@@ -146,7 +146,7 @@ policy_creation_policy_files: tasks: - name: Print the results ansible.builtin.debug: - msg: "{{ policy_creation_security_policy_match_result }}" + msg: "{{ lookup_policy_security_policy_match_result }}" ``` ### Execute the playbook diff --git a/docs/index.md b/docs/index.md index a4641f0..523af45 100644 --- a/docs/index.md +++ b/docs/index.md @@ -123,7 +123,7 @@ policy_creation_policy_files: tasks: - name: Print the results ansible.builtin.debug: - msg: "{{ policy_creation_security_policy_match_result }}" + msg: "{{ lookup_policy_security_policy_match_result }}" ``` ### Execute the playbook diff --git a/docs/reference/add_application_to_preset_group.md b/docs/reference/add_application_to_preset_group.md index 1c8389b..eba1265 100644 --- a/docs/reference/add_application_to_preset_group.md +++ b/docs/reference/add_application_to_preset_group.md @@ -22,7 +22,7 @@ flowchart TD | Variable | Description | |----------|-------------| -| `policy_creation_application` | The application to add to the group | +| `lookup_policy_application` | The application to add to the group | | `application_group` | The name of the application group to update | | `policy_creation_device_group` | The device group where the application group exists | | `provider` | PAN-OS connection details (ip_address, username, password) | @@ -48,7 +48,7 @@ This returns the existing `value` list of member applications. ### Adding New Member The application is **prepended** to the existing list: ```yaml -value: "{{ [policy_creation_application] + existing_applications }}" +value: "{{ [lookup_policy_application] + existing_applications }}" ``` This places the new application at the beginning of the group's member list. 
@@ -75,7 +75,7 @@ This file is included from `main.yml` when preset policies match: file: preset/add_application_to_preset_group.yml when: - application_group is defined - - policy_creation_application is defined + - lookup_policy_application is defined ``` ## Preset Policy Integration @@ -92,7 +92,7 @@ Example preset policy task: policy_creation_policy_match: true application_group: "api-applications" when: - - policy_creation_application is match(".*-api") + - lookup_policy_application is match(".*-api") ``` ## Output Display @@ -157,7 +157,7 @@ The task is **partially idempotent**: - ⚠️ Consider adding duplicate detection: ```yaml -when: policy_creation_application not in policy_creation_existing_group.gathered.value +when: lookup_policy_application not in policy_creation_existing_group.gathered.value ``` ## Prerequisites diff --git a/docs/reference/create_policy.md b/docs/reference/create_policy.md index 57410d4..cd356b2 100644 --- a/docs/reference/create_policy.md +++ b/docs/reference/create_policy.md @@ -32,7 +32,7 @@ flowchart TD |----------|-------------| | `policy_creation_source_ip` | Source IP address or CIDR block | | `policy_creation_destination_ip` | Destination IP address or CIDR block | -| `policy_creation_application` | Application name for the rule | +| `lookup_policy_application` | Application name for the rule | | `provider` | PAN-OS connection details (ip_address, username, password) | ## Optional Variables 
@@ -40,7 +40,7 @@ flowchart TD | Variable | Description | Default | |----------|-------------|---------| | `policy_creation_source_zones` | Source zones | `['any']` | -| `policy_creation_destination_zones` | Destination zones | `['any']` | +| `policy_creation__security_matches_existing_policy` | Destination zones | `['any']` | | `policy_creation_tag` | Policy tag | `default_new_policy_tag` | | `policy_creation_device_group` | Target device group | `default_new_policy_device_group` | | `default_rule_location` | Rule placement (before/after) | N/A | @@ -153,7 +153,7 @@ This file is included from `main.yml`: ansible.builtin.set_fact: policy_creation_config_changed: true when: - - not policy_creation_security_matches_existing_policy + - not lookup_policy_security_matches_existing_policy ``` Only runs when: diff --git a/docs/reference/get_zone_by_ip.md b/docs/reference/get_zone_by_ip.md index 43dd5cd..1a96b45 100644 --- a/docs/reference/get_zone_by_ip.md +++ b/docs/reference/get_zone_by_ip.md 
@@ -37,14 +37,14 @@ flowchart TD | Variable | Description | |----------|-------------| -| `policy_creation__show_route` | List to accumulate routing table results (persists across loop iterations) | -| `policy_creation__show_route_result` | Raw result from the routing table command | -| `policy_creation__show_route_result_dict` | Parsed JSON dictionary of routing table | -| `policy_creation__virtual_routers` | List of all virtual routers found in the routing table | -| `policy_creation__test_routing_result` | Results from FIB lookup tests on each virtual router | -| `policy_creation_interface_list` | List of outbound interfaces for the target IP | -| `policy_creation__show_interfaces_result` | Raw result from show interface all command | -| `policy_creation_destination_zones` | List of zones associated with the target IP (accumulated across devices) | +| `lookup_policy__show_route` | List to accumulate routing table results (persists across loop iterations) | +| `lookup_policy__show_route_result` | Raw result from the routing table command | +| `lookup_policy__show_route_result_dict` | Parsed JSON dictionary of routing table | +| `lookup_policy__virtual_routers` | List of all virtual routers found in the routing table | +| `lookup_policy__test_routing_result` | Results from FIB lookup tests on each virtual router | +| `lookup_policy_interface_list` | List of outbound interfaces for the target IP | +| `lookup_policy__show_interfaces_result` | Raw result from show interface all command | +| `lookup_policy__destination_zones` | List of zones associated with the target IP (accumulated across devices) | ## Dependencies 
@@ -94,7 +94,7 @@ This determines which interface would be used to route traffic to the target IP. 1. **Routing Analysis** - Determines outbound interface(s) via FIB lookup 2. **Interface Query** - Gets all interface configurations with `show interface all` 3. **Zone Mapping** - Matches interface names to their assigned zones -4. **Accumulation** - Adds zones to `policy_creation_destination_zones` list +4. **Accumulation** - Adds zones to `lookup_policy__destination_zones` list ## Important Behavior @@ -105,12 +105,12 @@ This determines which interface would be used to route traffic to the target IP. ### Multiple Devices - When called in a loop across multiple devices, zones are accumulated - A single IP may resolve to different zones on different firewalls -- The `policy_creation_destination_zones` variable grows with each device iteration +- The `lookup_policy__destination_zones` variable grows with each device iteration ### Zone List Accumulation The zones are accumulated using this pattern: ```yaml -policy_creation_destination_zones | default([]) + [new_zones] | default([]) +lookup_policy__destination_zones | default([]) + [new_zones] | default([]) ``` This ensures zones from multiple devices are combined into a single list. @@ -124,16 +124,16 @@ This file is included from `lookup_policy.yml`: file: get_zone_by_ip.yml vars: _target_ip: "{{ policy_creation_destination_ip }}" - with_items: "{{ policy_creation___device_list }}" + with_items: "{{ lookup_policy__device_list }}" when: - - not policy_creation_security_matches_existing_policy + - not lookup_policy_security_matches_existing_policy ``` Key points: - Only runs when no existing policy matches - Runs once per device in the device list - The `_target_ip` variable is set to the destination IP -- Results accumulate in `policy_creation_destination_zones` +- Results accumulate in `lookup_policy__destination_zones` ## Example Scenario 
@@ -144,7 +144,7 @@ Given: - Firewall 2: Routes via interface `ethernet1/2` in zone `internet` Result: -- `policy_creation_destination_zones` = `['untrust', 'internet']` +- `lookup_policy__destination_zones` = `['untrust', 'internet']` ## Performance Notes diff --git a/docs/reference/lookup_policy.md b/docs/reference/lookup_policy.md index 162470e..7400b1e 100644 --- a/docs/reference/lookup_policy.md +++ b/docs/reference/lookup_policy.md @@ -34,9 +34,9 @@ flowchart TD | Variable | Description | Default | |----------|-------------|---------| -| `policy_creation_destination_port` | Destination port for testing | `443` | -| `policy_creation_protocol` | IP protocol number (6=TCP, 17=UDP) | `6` | -| `policy_creation_application` | Application for testing | `ssl` | +| `lookup_policy_destination_port` | Destination port for testing | `443` | +| `lookup_policy_protocol` | IP protocol number (6=TCP, 17=UDP) | `6` | +| `lookup_policy_application` | Application for testing | `ssl` | | `policy_creation_device_group` | Target device group | N/A | | `default_new_policy_device_group` | Fallback device group | N/A | | `default_test_policy_serial_number` | Specific firewall serial for testing | N/A | 
@@ -45,12 +45,12 @@ flowchart TD | Variable | Description | |----------|-------------| -| `_policy_creation_device_group` | Internal variable for the operating device group | -| `policy_creation__show_devices_output` | Raw output from `show devices connected` command | -| `policy_creation__show_devices_output_dict` | Parsed JSON dictionary of connected devices | -| `policy_creation___device_list` | List of devices to test against | -| `policy_creation_security_matches_existing_policy` | Boolean indicating if traffic is already permitted | -| `policy_creation_destination_zones` | List of calculated destination zones | +| `lookup_policy__device_group` | Internal variable for the operating device group | +| `lookup_policy__show_devices_output` | Raw output from `show devices connected` command | +| `lookup_policy__show_devices_output_dict` | Parsed JSON dictionary of connected devices | +| `lookup_policy__device_list` | List of devices to test against | +| `lookup_policy_security_matches_existing_policy` | Boolean indicating if traffic is already permitted | +| `lookup_policy__destination_zones` | List of calculated destination zones | ## Dependencies @@ -73,7 +73,7 @@ flowchart TD - Improves performance in large environments ### Zone Calculation -- Only runs if `policy_creation_security_matches_existing_policy` is false +- Only runs if `lookup_policy_security_matches_existing_policy` is false - Determines destination zones by: - Getting routing table from each device - Running FIB lookup for the destination IP diff --git a/docs/reference/policy_creation_role.md b/docs/reference/policy_creation_role.md index 066a8f6..606f6bb 100644 --- a/docs/reference/policy_creation_role.md +++ b/docs/reference/policy_creation_role.md 
@@ -37,8 +37,8 @@ See [argument_specs.yml](../../roles/policy_creation/meta/argument_specs.yml) fo | `source_user` | str | N/A | Source user for the new policy | | `policy_creation_source_ip` | str | N/A | Source IP address or CIDR block | | `policy_creation_destination_ip` | str | N/A | Destination IP address or CIDR block | -| `policy_creation_application` | str | `ssl` | PAN-OS compatible application name | -| `policy_creation_destination_port` | str | `443` | TCP or UDP port used by the traffic | +| `lookup_policy_application` | str | `ssl` | PAN-OS compatible application name | +| `lookup_policy_destination_port` | str | `443` | TCP or UDP port used by the traffic | ### Common Additional Variables @@ -60,7 +60,7 @@ These variables are commonly used but not defined in argument_specs (referenced |----------|-------------| | `policy_creation_config_changed` | Boolean indicating if any configuration changes were made | | `policy_creation_policy_match` | Boolean indicating if a preset policy matched | -| `policy_creation_security_matches_existing_policy` | Boolean indicating if traffic is already permitted | +| `lookup_policy_security_matches_existing_policy` | Boolean indicating if traffic is already permitted | ## Task File Reference @@ -106,8 +106,8 @@ The role is organized into several task files, each handling specific functional - preset_policies/webserver_outbound.yml policy_creation_source_ip: "10.1.1.5/32" policy_creation_destination_ip: "8.8.8.8/32" - policy_creation_application: "dns" - policy_creation_destination_port: "53" + lookup_policy_application: "dns" + lookup_policy_destination_port: "53" provider: ip_address: "{{ panorama_ip }}" username: "{{ panorama_username }}" diff --git a/docs/reference/security_policy_match.md b/docs/reference/security_policy_match.md index d7da8c4..41f7cce 100644 --- a/docs/reference/security_policy_match.md +++ b/docs/reference/security_policy_match.md 
@@ -35,15 +35,15 @@ flowchart TD | Variable | Description | Default | |----------|-------------|---------| -| `policy_creation_application` | Application to test | `ssl` | +| `lookup_policy_application` | Application to test | `ssl` | ## Generated Variables | Variable | Description | |----------|-------------| -| `policy_creation_test_xml` | XML command for the security-policy-match test | -| `policy_creation_security_policy_match_result` | Raw result from the panos_op command | -| `policy_creation_security_matches_existing_policy` | Boolean indicating if traffic matches an existing policy | +| `lookup_policy_test_xml` | XML command for the security-policy-match test | +| `lookup_policy_security_policy_match_result` | Raw result from the panos_op command | +| `lookup_policy_security_matches_existing_policy` | Boolean indicating if traffic matches an existing policy | ## Test XML Format @@ -97,7 +97,7 @@ This file is included from `lookup_policy.yml` in a loop: - name: Test the security policy - determines if a new policy is needed ansible.builtin.include_tasks: file: security_policy_match.yml - with_items: "{{ policy_creation___device_list }}" + with_items: "{{ lookup_policy__device_list }}" ``` Each iteration tests against a different firewall serial number from the device list. @@ -108,7 +108,7 @@ Each iteration tests against a different firewall serial number from the device - Line 9 contains a typo: `policy_creation_sourcce_ip` (should be `policy_creation_source_ip`) - This may cause the source IP to be undefined in the test - Protocol and port are hardcoded rather than using role variables - - Does not respect `policy_creation_protocol` or `policy_creation_destination_port` + - Does not respect `lookup_policy_protocol` or `lookup_policy_destination_port` ### Behavior - Tests are executed against individual firewalls using their serial numbers 
diff --git a/docs/user_guide/playbook_variables.md b/docs/user_guide/playbook_variables.md index 6582466..a93bded 100644 --- a/docs/user_guide/playbook_variables.md +++ b/docs/user_guide/playbook_variables.md @@ -21,11 +21,11 @@ - Default: `ssl` - Example: `ssh`, `dns`, `web-browsing` -**`policy_creation_destination_port`** - Destination port number +**`lookup_policy_destination_port`** - Destination port number - Default: `443` - Example: `22`, `53`, `80` -**`policy_creation_protocol`** - IP protocol number +**`lookup_policy_protocol`** - IP protocol number - Default: `6` (TCP) - Example: `17` (UDP), `1` (ICMP) diff --git a/docs/user_guide/preset_policy.md b/docs/user_guide/preset_policy.md index 5704575..1255900 100644 --- a/docs/user_guide/preset_policy.md +++ b/docs/user_guide/preset_policy.md @@ -100,7 +100,7 @@ at runtime. policy_match: true # Set the fact that we did match a policy policy_creation_source_address_group: PRESET_JUMPHOST_INBOUND_SOURCE # In this case, the policy preset is an address_group type policy_creation_destination_address_group: PRESET_JUMPHOST_INBOUND_DESTINATION # In this case, the policy preset is an address_group type - policy_creation_application_group: PRESET_JUMPHOST_APPS # If an application is passed, we should also include it in the policy. + lookup_policy_application_group: PRESET_JUMPHOST_APPS # If an application is passed, we should also include it in the policy. policy_creation_device_group: Lab # Finally, we set the device group! when: - policy_creation_source_ip is defined @@ -133,7 +133,7 @@ in the one file - it's up to you! password: "{{ lookup('env', 'PAN_PASSWORD') }}" policy_creation_source_ip: 8.8.8.8 policy_creation_destination_ip: 10.10.11.5 - policy_creation_application: ssh + lookup_policy_application: ssh policy_creation_policy_files: - ssh_jumpserver_inbound_access.yml # <---- Replace with the path to your policy file, or files 
@@ -143,7 +143,7 @@ in the one file - it's up to you! tasks: - name: Print the results ansible.builtin.debug: - msg: "{{ policy_creation_security_policy_match_result }}" + msg: "{{ lookup_policy_security_policy_match_result }}" ``` ```shell diff --git a/example_outbound_policy_file.yml b/example_outbound_policy_file.yml index c5b6f67..9e835d3 100644 --- a/example_outbound_policy_file.yml +++ b/example_outbound_policy_file.yml @@ -5,7 +5,7 @@ ansible.builtin.set_fact: policy_creation_policy_match: true # Set the fact that we did match a policy policy_creation_source_address_group: PRESET_LAB_TRUSTED_OUTBOUND # In this case, the policy preset is an address_group type - policy_creation_application_group: PRESET_LAB_TRUSTED_OUTBOUND # If an application is passed, we should also include it in the policy. + lookup_policy_application_group: PRESET_LAB_TRUSTED_OUTBOUND # If an application is passed, we should also include it in the policy. policy_creation_device_group: Lab # Finally, we set the device group! when: - policy_creation_source_ip is defined diff --git a/example_playbook.yml b/example_playbook.yml index 7b86435..980f83d 100644 --- a/example_playbook.yml +++ b/example_playbook.yml @@ -16,4 +16,4 @@ tasks: - name: Print the results ansible.builtin.debug: - msg: "{{ policy_creation_security_policy_match_result }}" + msg: "{{ lookup_policy_security_policy_match_result }}" diff --git a/example_vars_file_add_new.yml b/example_vars_file_add_new.yml index 435a562..0e21924 100644 --- a/example_vars_file_add_new.yml +++ b/example_vars_file_add_new.yml @@ -1,7 +1,7 @@ --- policy_creation_source_ip: 110.33.122.75 policy_creation_destination_ip: 10.10.10.5 -policy_creation_application: ssh +lookup_policy_application: ssh policy_creation_policy_files: - example_outbound_policy_file.yml - example_web_to_database_policy_file.yml diff --git a/example_vars_file_trusted_outbound.yml b/example_vars_file_trusted_outbound.yml index 9554c9a..4019fed 100644 
--- a/example_vars_file_trusted_outbound.yml +++ b/example_vars_file_trusted_outbound.yml @@ -1,7 +1,7 @@ --- policy_creation_source_ip: 10.10.12.11 policy_creation_destination_ip: 8.8.8.8 -policy_creation_application: web-browsing +lookup_policy_application: web-browsing policy_creation_policy_files: - example_outbound_policy_file.yml - example_web_to_database_policy_file.yml diff --git a/example_vars_file_web_to_db.yml b/example_vars_file_web_to_db.yml index 9e6c191..365a98b 100644 --- a/example_vars_file_web_to_db.yml +++ b/example_vars_file_web_to_db.yml @@ -1,7 +1,7 @@ --- policy_creation_source_ip: 10.10.199.5 policy_creation_destination_ip: 10.10.200.20 -policy_creation_application: mysql +lookup_policy_application: mysql policy_creation_policy_files: - ${PWD}/example_outbound_policy_file.yml - ${PWD}/example_web_to_database_policy_file.yml diff --git a/example_web_to_database_policy_file.yml b/example_web_to_database_policy_file.yml index 820e9f1..7f44e68 100644 --- a/example_web_to_database_policy_file.yml +++ b/example_web_to_database_policy_file.yml @@ -6,7 +6,7 @@ policy_creation_policy_match: true # Set the fact that we did match a policy policy_creation_source_address_group: PRESET_WEB_TO_DATABASE_SOURCE # In this case, the policy preset is an address_group type policy_creation_destination_address_group: PRESET_WEB_TO_DATABASE_DESTINATION # Destination addr group - policy_creation_application_group: PRESET_WEB_TO_DATABASE # If an application is passed, we should also include it in the policy. + lookup_policy_application_group: PRESET_WEB_TO_DATABASE # If an application is passed, we should also include it in the policy. policy_creation_device_group: Lab # Finally, we set the device group! when: - policy_creation_source_ip is defined diff --git a/galaxy.yml b/galaxy.yml index 118d080..6c2c8c0 100644 --- a/galaxy.yml +++ b/galaxy.yml 
@@ -10,7 +10,7 @@ namespace: paloaltonetworks name: panos_policy_automation # The version of the collection. Must be compatible with semantic versioning -version: v1.4.4 +version: 1.4.4 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection readme: README.md diff --git a/playbooks/README.md b/playbooks/README.md index b5332b6..772266d 100644 --- a/playbooks/README.md +++ b/playbooks/README.md @@ -15,7 +15,7 @@ Performs a lookup in the security policy based on the given data. --- policy_creation_source_ip: 110.33.122.75 policy_creation_destination_ip: 10.10.10.5 -policy_creation_application: ssh +lookup_policy_application: ssh policy_creation_policy_files: - example_outbound_policy_file.yml - example_web_to_database_policy_file.yml @@ -36,7 +36,7 @@ Creates new policies or adds objects to existing groups based on their preset po --- policy_creation_source_ip: 110.33.122.75 policy_creation_destination_ip: 10.10.10.5 -policy_creation_application: ssh +lookup_policy_application: ssh policy_creation_policy_files: - example_outbound_policy_file.yml - example_web_to_database_policy_file.yml diff --git a/playbooks/examples/lookup_policy.yml b/playbooks/examples/lookup_policy.yml index 0db305e..32bf5dc 100644 --- a/playbooks/examples/lookup_policy.yml +++ b/playbooks/examples/lookup_policy.yml @@ -16,4 +16,4 @@ tasks: - name: Print the results ansible.builtin.debug: - msg: "{{ policy_creation_security_policy_match_result | paloaltonetworks.panos_policy_automation.panos_op_stdout_to_dict }}" + msg: "{{ lookup_policy_security_policy_match_result | paloaltonetworks.panos_policy_automation.panos_op_stdout_to_dict }}" diff --git a/playbooks/examples/new_policy.yml b/playbooks/examples/new_policy.yml index b52dba4..d0a3c51 100644 --- a/playbooks/examples/new_policy.yml +++ b/playbooks/examples/new_policy.yml 
@@ -16,4 +16,4 @@ tasks: - name: Print the results ansible.builtin.debug: - msg: "{{ policy_creation_security_policy_match_result }}" + msg: "{{ lookup_policy_security_policy_match_result }}" diff --git a/plugins/filter/panos_op_policy_match_result_to_bool.py b/plugins/filter/panos_op_policy_match_result_to_bool.py index 4843a2b..21a111a 100644 --- a/plugins/filter/panos_op_policy_match_result_to_bool.py +++ b/plugins/filter/panos_op_policy_match_result_to_bool.py @@ -21,12 +21,12 @@ # Check if security policy match found a result - name: Set Test XML ansible.builtin.set_fact: - policy_creation_test_xml: | + lookup_policy_test_xml: | 10.10.11.1 8.8.8.8 - {{ policy_creation_application | default('ssl') }} + {{ lookup_policy_application | default('ssl') }} 6 443 @@ -39,14 +39,14 @@ username: "{{ provider.username }}" password: "{{ provider.password }}" serial_number: "{{ item.serial }}" - cmd: "{{ policy_creation_test_xml }}" + cmd: "{{ lookup_policy_test_xml }}" cmd_is_xml: true - register: policy_creation_security_policy_match_result + register: lookup_policy_security_policy_match_result - name: Set the policy match result ansible.builtin.set_fact: - policy_creation_security_matches_existing_policy: > - {{ policy_creation_security_policy_match_result | + lookup_policy_security_matches_existing_policy: > + {{ lookup_policy_security_policy_match_result | paloaltonetworks.panos_policy_automation.panos_op_policy_match_result_to_bool }} ''' diff --git a/plugins/filter/panos_op_routing_result_to_interfaces.py b/plugins/filter/panos_op_routing_result_to_interfaces.py index ac97ad2..ec078b5 100644 --- a/plugins/filter/panos_op_routing_result_to_interfaces.py +++ b/plugins/filter/panos_op_routing_result_to_interfaces.py 
@@ -28,12 +28,12 @@ serial_number: "{{ serialno }}" cmd: "default8.8.8.8" cmd_is_xml: true - register: policy_creation__test_routing_result + register: lookup_policy__test_routing_result - name: Get interfaces from results ansible.builtin.set_fact: - policy_creation_interface_list: > - {{ policy_creation__test_routing_result.results | + lookup_policy_interface_list: > + {{ lookup_policy__test_routing_result.results | paloaltonetworks.panos_policy_automation.panos_op_routing_result_to_interfaces }} ''' diff --git a/plugins/filter/panos_op_stdout_to_dict.py b/plugins/filter/panos_op_stdout_to_dict.py index a049a98..aa92a47 100644 --- a/plugins/filter/panos_op_stdout_to_dict.py +++ b/plugins/filter/panos_op_stdout_to_dict.py @@ -23,12 +23,12 @@ paloaltonetworks.panos.panos_op: provider: "{{ provider }}" cmd: "show devices connected" - register: policy_creation__show_devices_output + register: lookup_policy__show_devices_output - name: Set JSON Object for stdout ansible.builtin.set_fact: - policy_creation__show_devices_output_dict: > - {{ policy_creation__show_devices_output | paloaltonetworks.panos_policy_automation.panos_op_stdout_to_dict }} + lookup_policy__show_devices_output_dict: > + {{ lookup_policy__show_devices_output | paloaltonetworks.panos_policy_automation.panos_op_stdout_to_dict }} ''' RETURN = ''' diff --git a/roles/lookup_policy/meta/argument_specs.yml b/roles/lookup_policy/meta/argument_specs.yml index 24a630a..1dce64b 100644 --- a/roles/lookup_policy/meta/argument_specs.yml +++ b/roles/lookup_policy/meta/argument_specs.yml 
@@ -4,24 +4,24 @@ argument_specs: short_description: Check whether network traffic is permitted or denied within PAN-OS firewalls. description: - >- - Tests a given tuple representative of a network session (source/destination IP, application, etc) against + Tests a given tuple representative of a network session (source/destination IP, application, etc) against PAN-OS NGFW's using the test security-policy match command to determine if it would be blocked or allowed by the configured security policy. options: policy_creation_source_ip: type: "str" required: false - description: "The the source IP for the new policy" + description: "The the source IP to test with" policy_creation_destination_ip: type: "str" required: false - description: "The the destination IP for the new policy" - policy_creation_application: + description: "The the destination IP to test with" + lookup_policy_application: type: "str" required: false default: ssl - description: "The PAN-OS compatible Application for the policy." - policy_creation_destination_port: + description: "The PAN-OS compatible Application to test with." + lookup_policy_destination_port: type: "str" required: false default: "443" diff --git a/roles/lookup_policy/tasks/get_zone_by_ip.yml b/roles/lookup_policy/tasks/get_zone_by_ip.yml index f3d0c8c..73a59e1 100644 --- a/roles/lookup_policy/tasks/get_zone_by_ip.yml +++ b/roles/lookup_policy/tasks/get_zone_by_ip.yml @@ -4,9 +4,9 @@ - name: Set the routing table result list ansible.builtin.set_fact: - policy_creation__show_route: [] + lookup_policy__show_route: [] when: - - policy_creation__show_route is not defined + - lookup_policy__show_route is not defined - name: Get the ROUTING TABLE block: 
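Review bot: The rewritten line reads `description: "The the source IP to test with"` (and the destination entry the same) — the doubled "The" is carried over from the old text and is shown verbatim by `ansible-doc` for the role; `description: "The source IP to test with"` and `description: "The destination IP to test with"` fix both. Separately, if the AAP requirement in the commit title is the role-name prefix for role variables, `policy_creation_source_ip` and `policy_creation_destination_ip` are still declared in lookup_policy's spec under the other role's prefix; sharing them across the two roles may be intentional, but a comment above those two options stating that they are deliberately shared with policy_creation would stop the next rename from "fixing" them.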
@@ -18,16 +18,16 @@ password: "{{ provider.password }}" serial_number: "{{ item.serial }}" cmd: "show routing route" - register: policy_creation__show_route_result + register: lookup_policy__show_route_result - name: Parse as JSON ansible.builtin.set_fact: - policy_creation__show_route_result_dict: "{{ policy_creation__show_route_result.stdout | from_json }}" + lookup_policy__show_route_result_dict: "{{ lookup_policy__show_route_result.stdout | from_json }}" - name: Set list of virtual routers ansible.builtin.set_fact: - policy_creation__virtual_routers: "{{ policy_creation__virtual_routers | d([]) + [route['virtual-router']] }}" - loop: "{{ policy_creation__show_route_result_dict.response.result.entry }}" + lookup_policy__virtual_routers: "{{ lookup_policy__virtual_routers | d([]) + [route['virtual-router']] }}" + loop: "{{ lookup_policy__show_route_result_dict.response.result.entry }}" loop_control: loop_var: route @@ -40,8 +40,8 @@ serial_number: "{{ item.serial }}" cmd: "{{ vr }}{{ _target_ip }}" cmd_is_xml: true - register: policy_creation__test_routing_result - loop: "{{ policy_creation__virtual_routers | unique }}" + register: lookup_policy__test_routing_result + loop: "{{ lookup_policy__virtual_routers | unique }}" loop_control: loop_var: vr @@ -55,12 +55,12 @@ serial_number: "{{ item.serial }}" cmd: "" cmd_is_xml: true - register: policy_creation__show_route_result + register: lookup_policy__show_route_result - name: Set list of Logical Routers ansible.builtin.set_fact: - policy_creation__virtual_routers: > - {{ policy_creation__show_route_result | + lookup_policy__virtual_routers: > + {{ lookup_policy__show_route_result | paloaltonetworks.panos_policy_automation.panos_op_get_routers_from_dict_or_list }} - name: --- WARNING! SKIPPED DUE TO MISSING API SUPPORT IN PANOS! --- Find the outbound interface(s) (ARE) 
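Review bot: `loop: "{{ lookup_policy__show_route_result_dict.response.result.entry }}"` in the "Set list of virtual routers" task assumes `entry` is always a list, while the logical-router branch in the next hunk goes through `panos_op_get_routers_from_dict_or_list`, which suggests the PAN-OS JSON comes back as a single dict when there is exactly one entry; a dict here would fail the loop with Ansible's "requires a list" error. If that is the case, normalizing first keeps this branch in step with the other, e.g. `loop: "{{ [lookup_policy__show_route_result_dict.response.result.entry] | flatten(levels=1) }}"` — wrapping a dict in a list and flattening one level leaves a real list unchanged. Worth confirming against a firewall that has a single route entry.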
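Review bot: The FIB-lookup op command is assembled by interpolating `{{ vr }}` and `{{ _target_ip }}` directly into the XML sent with `cmd_is_xml: true` (the element tags appear to have been stripped in this rendering), and `_target_ip` is the caller-supplied `policy_creation_destination_ip`, so a value containing `<` or `>` changes the command structure instead of being rejected. Since the role's purpose is to test an IP or CIDR, validating the input before the loop closes that off, e.g. `- ansible.builtin.assert: { that: _target_ip is match('^[0-9A-Fa-f.:/]+$'), fail_msg: "target IP must be an IP address or CIDR" }`. The virtual-router names come back from the device, so they are lower risk, but the same assert applies if they are ever user-supplied.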
@@ -72,8 +72,8 @@ serial_number: "{{ item.serial }}" cmd: "{{ vr }}{{ _target_ip }}" cmd_is_xml: true - register: policy_creation__test_routing_result - loop: "{{ policy_creation__virtual_routers | unique }}" + register: lookup_policy__test_routing_result + loop: "{{ lookup_policy__virtual_routers | unique }}" loop_control: loop_var: vr when: @@ -81,15 +81,15 @@ - name: Set skip for zone resolution, unsupported routing engine ansible.builtin.set_fact: - policy_creation_skip_zone_resolution: true + lookup_policy_skip_zone_resolution: true - name: Get interfaces from routing results - when: not policy_creation_skip_zone_resolution + when: not lookup_policy_skip_zone_resolution block: - name: Get interfaces from results ansible.builtin.set_fact: - policy_creation_interface_list: > - {{ policy_creation__test_routing_result.results | + lookup_policy_interface_list: > + {{ lookup_policy__test_routing_result.results | paloaltonetworks.panos_policy_automation.panos_op_routing_result_to_interfaces }} - name: Get the zone @@ -100,12 +100,12 @@ password: "{{ provider.password }}" serial_number: "{{ item.serial }}" cmd: "show interface all" - register: policy_creation__show_interfaces_result + register: lookup_policy__show_interfaces_result - name: Set the ZONE list ansible.builtin.set_fact: - policy_creation_destination_zones: > + lookup_policy__destination_zones: > {{ - policy_creation_destination_zones | default([]) + policy_creation__show_interfaces_result - | paloaltonetworks.panos_policy_automation.panos_op_get_zone_from_interface(policy_creation_interface_list) | default([]) + lookup_policy__destination_zones | default([]) + lookup_policy__show_interfaces_result + | paloaltonetworks.panos_policy_automation.panos_op_get_zone_from_interface(lookup_policy_interface_list) | default([]) }}" diff --git a/roles/lookup_policy/tasks/main.yml b/roles/lookup_policy/tasks/main.yml index 44274bc..4f5d951 100644 --- a/roles/lookup_policy/tasks/main.yml 
+++ b/roles/lookup_policy/tasks/main.yml @@ -16,19 +16,19 @@ - name: Populate all facts for policy ansible.builtin.set_fact: - policy_creation_destination_port: "{{ policy_creation_destination_port | default('443') }}" - policy_creation_protocol: "{{ policy_creation_protocol | default('6') }}" - policy_creation_application: "{{ policy_creation_application | default('ssl') }}" + lookup_policy_destination_port: "{{ lookup_policy_destination_port | default('443') }}" + lookup_policy_protocol: "{{ lookup_policy_protocol | default('6') }}" + lookup_policy_application: "{{ lookup_policy_application | default('ssl') }}" - name: Set the operating device group ansible.builtin.set_fact: - _policy_creation_device_group: "{{ policy_creation_device_group }}" + lookup_policy__device_group: "{{ policy_creation_device_group }}" when: - policy_creation_device_group is defined - name: Set the operating device group ansible.builtin.set_fact: - _policy_creation_device_group: "{{ default_new_policy_device_group }}" + lookup_policy__device_group: "{{ default_new_policy_device_group }}" when: - default_new_policy_device_group is defined 
@@ -39,39 +39,39 @@ paloaltonetworks.panos.panos_op: provider: "{{ provider }}" cmd: "show devices connected" - register: policy_creation__show_devices_output + register: lookup_policy__show_devices_output - name: Set JSON Object for stdout ansible.builtin.set_fact: - policy_creation__show_devices_output_dict: > - {{ policy_creation__show_devices_output | paloaltonetworks.panos_policy_automation.panos_op_stdout_to_dict }} + lookup_policy__show_devices_output_dict: > + {{ lookup_policy__show_devices_output | paloaltonetworks.panos_policy_automation.panos_op_stdout_to_dict }} - name: Set the list of items ansible.builtin.set_fact: - policy_creation___device_list: "{{ policy_creation__show_devices_output_dict.response.result.devices.entry }}" + lookup_policy__device_list: "{{ lookup_policy__show_devices_output_dict.response.result.devices.entry }}" - name: Set the list of items (if single item response) ansible.builtin.set_fact: - policy_creation___device_list: - - "{{ policy_creation__show_devices_output_dict.response.result.devices.entry }}" - when: "policy_creation__show_devices_output_dict.response.result.devices.entry is mapping" + lookup_policy__device_list: + - "{{ lookup_policy__show_devices_output_dict.response.result.devices.entry }}" + when: "lookup_policy__show_devices_output_dict.response.result.devices.entry is mapping" - name: Set device_list when we have a serial number for all testing ansible.builtin.set_fact: - policy_creation___device_list: + lookup_policy__device_list: - serial: "{{ default_test_policy_serial_number }}" when: default_test_policy_serial_number is defined - name: Test the security policy - determines if a new policy is needed ansible.builtin.include_tasks: file: security_policy_match.yml - with_items: "{{ policy_creation___device_list }}" + with_items: "{{ lookup_policy__device_list }}" - name: Get the zone for the DESTINATION IP ansible.builtin.include_tasks: file: get_zone_by_ip.yml vars: _target_ip: "{{ 
policy_creation_destination_ip }}" - with_items: "{{ policy_creation___device_list }}" + with_items: "{{ lookup_policy__device_list }}" when: - - not policy_creation_security_matches_existing_policy + - not lookup_policy_security_matches_existing_policy diff --git a/roles/lookup_policy/tasks/security_policy_match.yml b/roles/lookup_policy/tasks/security_policy_match.yml index 301a1ab..e835a6e 100644 --- a/roles/lookup_policy/tasks/security_policy_match.yml +++ b/roles/lookup_policy/tasks/security_policy_match.yml @@ -3,12 +3,12 @@ - name: Set Test XML ansible.builtin.set_fact: - policy_creation_test_xml: | + lookup_policy_test_xml: | {{ policy_creation_source_ip }} {{ policy_creation_destination_ip }} - {{ policy_creation_application | default('ssl') }} + {{ lookup_policy_application | default('ssl') }} 6 443 @@ -16,7 +16,7 @@ - name: Print the test parameters ansible.builtin.debug: - msg: "{{ policy_creation_test_xml }}" + msg: "{{ lookup_policy_test_xml }}" - name: Test the Current Security policy block: @@ -27,9 +27,9 @@ username: "{{ provider.username }}" password: "{{ provider.password }}" serial_number: "{{ item.serial }}" - cmd: "{{ policy_creation_test_xml }}" + cmd: "{{ lookup_policy_test_xml }}" cmd_is_xml: true - register: policy_creation_security_policy_match_result + register: lookup_policy_security_policy_match_result rescue: - name: Test the current status of the security policy using PLACEHOLDERS paloaltonetworks.panos.panos_op: 
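Review bot: The renamed `lookup_policy_test_xml` still carries the literal values `6` and `443` after the application line (the XML element tags are not visible in this rendering, but these presumably are the protocol and destination-port), while main.yml's "Populate all facts for policy" task now sets `lookup_policy_protocol` and `lookup_policy_destination_port` and the role's argument spec advertises the port as a test input. The match test therefore always asks PAN-OS about a TCP/443 session regardless of what the caller passed, so a lookup for e.g. `lookup_policy_application: mysql` can report a match or miss that does not correspond to the traffic actually being allowed. Replace the literals with `{{ lookup_policy_protocol | default('6') }}` and `{{ lookup_policy_destination_port | default('443') }}` so the tested tuple is the one the spec documents. The rescue-path task later in this file builds the same XML and should be checked for the same literals; the surrounding task list continues outside the hunk.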
@@ -38,16 +38,16 @@ username: "{{ provider.username }}" password: "{{ provider.password }}" serial_number: "{{ item.serial }}" - cmd: "{{ policy_creation_test_xml }}" + cmd: "{{ lookup_policy_test_xml }}" cmd_is_xml: true - register: policy_creation_security_policy_match_result + register: lookup_policy_security_policy_match_result - name: Print the result ansible.builtin.debug: - msg: "{{ policy_creation_security_policy_match_result }}" + msg: "{{ lookup_policy_security_policy_match_result }}" - name: Set the policy match result ansible.builtin.set_fact: - policy_creation_security_matches_existing_policy: > - {{ policy_creation_security_policy_match_result | + lookup_policy_security_matches_existing_policy: > + {{ lookup_policy_security_policy_match_result | paloaltonetworks.panos_policy_automation.panos_op_policy_match_result_to_bool }} diff --git a/roles/policy_creation/meta/argument_specs.yml b/roles/policy_creation/meta/argument_specs.yml index 3580d9f..89711b7 100644 --- a/roles/policy_creation/meta/argument_specs.yml +++ b/roles/policy_creation/meta/argument_specs.yml @@ -24,12 +24,12 @@ argument_specs: type: "str" required: false description: "The the destination IP for the new policy" - policy_creation_application: + lookup_policy_application: type: "str" required: false default: ssl description: "The PAN-OS compatible Application for the policy." - policy_creation_destination_port: + lookup_policy_destination_port: type: "str" required: false default: "443" diff --git a/roles/policy_creation/tasks/main.yml b/roles/policy_creation/tasks/main.yml index 9b5d035..6f2cd9e 100644 --- a/roles/policy_creation/tasks/main.yml +++ b/roles/policy_creation/tasks/main.yml 
@@ -50,7 +50,7 @@ file: preset/add_application_to_preset_group.yml when: - application_group is defined - - policy_creation_application is defined + - lookup_policy_application is defined - name: URL CATEGORY PRESET - Deploy the URL to the given category based on the preset configuration ansible.builtin.include_tasks: @@ -72,7 +72,7 @@ - not policy_creation_policy_match - policy_creation_source_ip is defined and policy_creation_source_ip != "" - policy_creation_destination_ip is defined and policy_creation_destination_ip != "" - - policy_creation_application is defined and policy_creation_application != "" + - lookup_policy_application is defined and lookup_policy_application != "" block: - name: RULE policy lookup ansible.builtin.include_role: @@ -80,7 +80,7 @@ - name: Create Rule Block when: - - not policy_creation_security_matches_existing_policy + - not lookup_policy_security_matches_existing_policy block: - name: RULE creation ansible.builtin.include_tasks: @@ -123,4 +123,4 @@ - name: Print the results ansible.builtin.debug: - msg: "{{ policy_creation_security_matches_existing_policy }}" + msg: "{{ lookup_policy_security_matches_existing_policy }}" diff --git a/roles/policy_creation/tasks/new/create_policy.yml b/roles/policy_creation/tasks/new/create_policy.yml index 7d1fcfa..69e18aa 100644 --- a/roles/policy_creation/tasks/new/create_policy.yml +++ b/roles/policy_creation/tasks/new/create_policy.yml 
@@ -3,8 +3,8 @@ - name: Populate Defaults ansible.builtin.set_fact: - policy_creation_source_zones: "{{ policy_creation_source_zones | default(['any']) }}" - policy_creation_destination_zones: "{{ policy_creation_destination_zones | default(['any']) }}" + policy_creation_source_zones: "{{ lookup_policy_source_zones | default(['any']) }}" + policy_creation_destination_zones: "{{ lookup_policy_destination_zones | default(['any']) }}" policy_creation_tag: "{{ policy_creation_tag | default(default_new_policy_tag) }}" policy_creation_rule_name: "autogen_{{ ansible_date_time.epoch }}" policy_creation_source_address_name: "addr_{{ policy_creation_source_ip | replace('.', '_') | replace('/', '_') }}" @@ -50,9 +50,9 @@ tag_name: ["{{ policy_creation_tag }}"] source_zone: "{{ policy_creation_source_zones }}" source_ip: ["{{ policy_creation_source_ip }}"] - destination_zone: "{{ policy_creation_destination_zones }}" + destination_zone: "{{ policy_creation__destination_zones }}" destination_ip: ["{{ policy_creation_destination_ip }}"] - application: ["{{ policy_creation_application }}"] + application: ["{{ lookup_policy_application }}"] action: "allow" location: "{{ default_rule_location }}" existing_rule: "{{ default_location_rule_name | default('') }}" @@ -67,9 +67,9 @@ tag_name: ["{{ policy_creation_tag }}"] source_zone: "{{ policy_creation_source_zones }}" source_ip: ["{{ policy_creation_source_ip }}"] - destination_zone: "{{ policy_creation_destination_zones }}" + destination_zone: "{{ lookup_policy__destination_zones }}" destination_ip: ["{{ policy_creation_destination_ip }}"] - application: ["{{ policy_creation_application }}"] + application: ["{{ lookup_policy_application }}"] action: "allow" location: "{{ default_rule_location }}" when: default_location_rule_name is not defined diff --git a/roles/policy_creation/tasks/preset/add_application_to_preset_group.yml b/roles/policy_creation/tasks/preset/add_application_to_preset_group.yml index dac6de2..b77f2f6 100644 
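Review bot: The destination zone now flows through three variable names that never meet: get_zone_by_ip.yml's `@@ -100` hunk stores the resolved zones in `lookup_policy__destination_zones`, Populate Defaults here reads `lookup_policy_destination_zones` (single underscore) and so always falls back to `['any']`, the first rule task reads `policy_creation__destination_zones`, which nothing in this diff sets, and the second reads `lookup_policy__destination_zones` directly, bypassing the default. The practical effect is that an auto-generated allow rule gets destination zone `any` (or the task fails on an undefined variable) even when zone resolution succeeded, which is a wider rule than the lookup intended. Suggest settling on one name: `policy_creation_destination_zones: "{{ lookup_policy__destination_zones | default(['any']) }}"` in Populate Defaults and `destination_zone: "{{ policy_creation_destination_zones }}"` in both rule tasks. `lookup_policy_source_zones` on the line above deserves the same check against whatever sets it, since it does not appear elsewhere in this diff.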
--- a/roles/policy_creation/tasks/preset/add_application_to_preset_group.yml +++ b/roles/policy_creation/tasks/preset/add_application_to_preset_group.yml @@ -15,14 +15,14 @@ provider: "{{ provider }}" device_group: "{{ policy_creation_device_group }}" name: "{{ application_group }}" - value: "{{ [policy_creation_application] + policy_creation_existing_group.gathered.value }}" + value: "{{ [lookup_policy_application] + policy_creation_existing_group.gathered.value }}" state: present register: policy_creation_group_addition - name: Display results ansible.builtin.debug: msg: |- - App object: {{ policy_creation_application }} + App object: {{ lookup_policy_application }} Added to group: {{ application_group }} Device group: {{ policy_creation_device_group }} Status: {{ 'SUCCESS' if policy_creation_group_addition is succeeded else 'FAILED' }} diff --git a/test_playbooks/test_filter_panos_op_policy_match_result_to_bool.yml b/test_playbooks/test_filter_panos_op_policy_match_result_to_bool.yml index c9c3fd5..74cef10 100644 --- a/test_playbooks/test_filter_panos_op_policy_match_result_to_bool.yml +++ b/test_playbooks/test_filter_panos_op_policy_match_result_to_bool.yml @@ -15,12 +15,12 @@ # Check if security policy match found a result - name: Set Test XML ansible.builtin.set_fact: - policy_creation_test_xml: | + lookup_policy_test_xml: | 10.10.11.1 8.8.8.8 - {{ policy_creation_application | default('ssl') }} + {{ lookup_policy_application | default('ssl') }} 6 443 
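Review bot: `value: "{{ [lookup_policy_application] + policy_creation_existing_group.gathered.value }}"` prepends the application unconditionally, so re-running the play with an application that is already a member sends the group with a duplicate entry; whether PAN-OS rejects or silently dedupes that, the task is not idempotent as written. `value: "{{ ([lookup_policy_application] + policy_creation_existing_group.gathered.value) | unique }}"` keeps repeat runs safe. The module call and the preceding gather step start outside the hunk.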
@@ -33,16 +33,16 @@ username: "{{ provider.username }}" password: "{{ provider.password }}" serial_number: "{{ serialno }}" - cmd: "{{ policy_creation_test_xml }}" + cmd: "{{ lookup_policy_test_xml }}" cmd_is_xml: true - register: policy_creation_security_policy_match_result + register: lookup_policy_security_policy_match_result - name: Set the policy match result ansible.builtin.set_fact: - policy_creation_security_matches_existing_policy: > - {{ policy_creation_security_policy_match_result | + lookup_policy_security_matches_existing_policy: > + {{ lookup_policy_security_policy_match_result | paloaltonetworks.panos_policy_automation.panos_op_policy_match_result_to_bool }} - name: Print results ansible.builtin.debug: - msg: "{{ policy_creation_security_matches_existing_policy }}" + msg: "{{ lookup_policy_security_matches_existing_policy }}" diff --git a/test_playbooks/test_filter_panos_op_routing_result_to_interfaces.yml b/test_playbooks/test_filter_panos_op_routing_result_to_interfaces.yml index ace2c47..895101e 100644 --- a/test_playbooks/test_filter_panos_op_routing_result_to_interfaces.yml +++ b/test_playbooks/test_filter_panos_op_routing_result_to_interfaces.yml @@ -22,14 +22,14 @@ serial_number: "{{ serialno }}" cmd: "default8.8.8.8" cmd_is_xml: true - register: policy_creation__test_routing_result + register: lookup_policy__test_routing_result - name: Get interfaces from results ansible.builtin.set_fact: - policy_creation_interface_list: > - {{ policy_creation__test_routing_result | + lookup_policy_interface_list: > + {{ lookup_policy__test_routing_result | paloaltonetworks.panos_policy_automation.panos_op_routing_result_to_interfaces }} - name: Print results ansible.builtin.debug: - msg: "{{ policy_creation_interface_list }}" + msg: "{{ lookup_policy_interface_list }}" diff --git a/test_playbooks/test_filter_panos_op_stdout_to_dict.yml b/test_playbooks/test_filter_panos_op_stdout_to_dict.yml index 2eb8e23..614ddb9 100644 
--- a/test_playbooks/test_filter_panos_op_stdout_to_dict.yml +++ b/test_playbooks/test_filter_panos_op_stdout_to_dict.yml @@ -17,13 +17,13 @@ paloaltonetworks.panos.panos_op: provider: "{{ provider }}" cmd: "show devices connected" - register: policy_creation__show_devices_output + register: lookup_policy__show_devices_output - name: Set JSON Object for stdout ansible.builtin.set_fact: - policy_creation__show_devices_output_dict: > - {{ policy_creation__show_devices_output | paloaltonetworks.panos_policy_automation.panos_op_stdout_to_dict }} + lookup_policy__show_devices_output_dict: > + {{ lookup_policy__show_devices_output | paloaltonetworks.panos_policy_automation.panos_op_stdout_to_dict }} - name: Print results ansible.builtin.debug: - msg: "{{ policy_creation__show_devices_output_dict }}" + msg: "{{ lookup_policy__show_devices_output_dict }}" From 0f118c260fec026d7b04d72d8d8543c680f409f8 Mon Sep 17 00:00:00 2001 From: abaumeister Date: Fri, 30 Jan 2026 14:52:19 +1100 Subject: [PATCH 5/7] chore: Rename policy creation playbook --- playbooks/examples/{new_policy.yml => create_policy.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename playbooks/examples/{new_policy.yml => create_policy.yml} (100%) diff --git a/playbooks/examples/new_policy.yml b/playbooks/examples/create_policy.yml similarity index 100% rename from playbooks/examples/new_policy.yml rename to playbooks/examples/create_policy.yml From 15daf3fad913d5ee9d872a5a3d750456e4ea26b8 Mon Sep 17 00:00:00 2001 From: abaumeister Date: Fri, 30 Jan 2026 15:13:42 +1100 Subject: [PATCH 6/7] chore: More CI fixes --- .github/workflows/ci.yml | 2 +- .../test_filter_panos_op_get_routers_from_dict_or_list.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6c83c54..41d7cba 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -47,7 +47,7 @@ jobs: run: | cd ansible_collections/paloaltonetworks/panos_policy_automation ls -l - ansible-lint --offline + ansible-lint --profile production - name: Ansible Sanity Tests run: | diff --git a/test_playbooks/test_filter_panos_op_get_routers_from_dict_or_list.yml b/test_playbooks/test_filter_panos_op_get_routers_from_dict_or_list.yml index abdec98..2d3ebc6 100644 --- a/test_playbooks/test_filter_panos_op_get_routers_from_dict_or_list.yml +++ b/test_playbooks/test_filter_panos_op_get_routers_from_dict_or_list.yml @@ -24,7 +24,7 @@ register: result - - name: Print results + - name: Print results of show route command ansible.builtin.debug: msg: "{{ result }}" From 835b33f6d2eff10d46d9644eda52ed7a9e727591 Mon Sep 17 00:00:00 2001 From: abaumeister Date: Fri, 30 Jan 2026 15:30:21 +1100 Subject: [PATCH 7/7] fix: Docs update and force release --- README.md | 30 ++----------------------- example_outbound_policy_file.yml | 2 +- example_vars_file_web_to_db.yml | 4 ++-- example_web_to_database_policy_file.yml | 2 +- 4 files changed, 6 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index 686d735..cb3e887 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ ![GitHub Release](https://img.shields.io/github/v/release/adambaumeister/ansible_panos_policy_orchestration) ![Github Pages](https://img.shields.io/badge/github-pages-black?logo=githubpages&link=https%3A%2F%2Fadambaumeister.github.io%2Fansible_panos_policy_orchestration%2F) -Docs: https://paloaltonetworks.github.io/ansible_panos_policy_orchestration/ +[Documentation](https://paloaltonetworks.github.io/ansible_panos_policy_orchestration/) This repository provides a framework and a philosophy for creating PAN-OS security policies via Automation. 
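Review bot: Replacing `--offline` with `--profile production` drops the flag that stops ansible-lint from resolving collection requirements over the network, so the lint step is now non-hermetic and depends on galaxy availability at CI time. The two flags are not mutually exclusive; `ansible-lint --offline --profile production` keeps the stricter profile without the fetch. If the intent was to let the linter install the collection's dependencies, that is better done in an explicit earlier step where the version is visible and pinned.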
@@ -125,36 +125,10 @@ policy_creation_policy_files: - example_outbound_policy_file.yml # <---- Note we included your "policy file" here! ``` -### Create your playbook and include the role - -```yaml ---- -- hosts: lab # <---- Replace this with your group - connection: local - gather_facts: false - name: Test the Lookup Policy playbook - - vars: - provider: - ip_address: "{{ ansible_host }}" - username: "{{ lookup('env', 'PAN_USERNAME') }}" - password: "{{ lookup('env', 'PAN_PASSWORD') }}" - - roles: - - paloaltonetworks.panos_policy_automation.policy_creation # Note the included role - - tasks: - - name: Print the results - ansible.builtin.debug: - msg: "{{ lookup_policy_security_policy_match_result }}" -``` - -### Execute the playbook - Note, replace the playbook and vars file names with your versions. ```shell -ansible-playbook your_playbook.yml -i inventory.yml --extra-vars=@vars_file.yml +ansible-playbook -i inventory.yml --extra-vars=@./policy_file.yml paloaltonetworks.panos_policy_automation.examples.create_policy ``` ## Use Cases diff --git a/example_outbound_policy_file.yml b/example_outbound_policy_file.yml index 9e835d3..0488bb6 100644 --- a/example_outbound_policy_file.yml +++ b/example_outbound_policy_file.yml @@ -5,7 +5,7 @@ ansible.builtin.set_fact: policy_creation_policy_match: true # Set the fact that we did match a policy policy_creation_source_address_group: PRESET_LAB_TRUSTED_OUTBOUND # In this case, the policy preset is an address_group type - lookup_policy_application_group: PRESET_LAB_TRUSTED_OUTBOUND # If an application is passed, we should also include it in the policy. + application_group: PRESET_LAB_TRUSTED_OUTBOUND # If an application is passed, we should also include it in the policy. policy_creation_device_group: Lab # Finally, we set the device group! when: - policy_creation_source_ip is defined diff --git a/example_vars_file_web_to_db.yml b/example_vars_file_web_to_db.yml index 365a98b..3592374 100644 
--- a/example_vars_file_web_to_db.yml +++ b/example_vars_file_web_to_db.yml @@ -3,5 +3,5 @@ policy_creation_source_ip: 10.10.199.5 policy_creation_destination_ip: 10.10.200.20 lookup_policy_application: mysql policy_creation_policy_files: - - ${PWD}/example_outbound_policy_file.yml - - ${PWD}/example_web_to_database_policy_file.yml + - example_outbound_policy_file.yml + - example_web_to_database_policy_file.yml diff --git a/example_web_to_database_policy_file.yml b/example_web_to_database_policy_file.yml index 7f44e68..02eddc9 100644 --- a/example_web_to_database_policy_file.yml +++ b/example_web_to_database_policy_file.yml @@ -6,7 +6,7 @@ policy_creation_policy_match: true # Set the fact that we did match a policy policy_creation_source_address_group: PRESET_WEB_TO_DATABASE_SOURCE # In this case, the policy preset is an address_group type policy_creation_destination_address_group: PRESET_WEB_TO_DATABASE_DESTINATION # Destination addr group - lookup_policy_application_group: PRESET_WEB_TO_DATABASE # If an application is passed, we should also include it in the policy. + application_group: PRESET_WEB_TO_DATABASE # If an application is passed, we should also include it in the policy. policy_creation_device_group: Lab # Finally, we set the device group! when: - policy_creation_source_ip is defined
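Review bot: Replacing `${PWD}/example_outbound_policy_file.yml` with a bare file name makes the entries in `policy_creation_policy_files` resolve relative to whatever the consuming include uses as its base, and with the README now invoking the collection-packaged playbook `paloaltonetworks.panos_policy_automation.examples.create_policy` that base may be the collection's playbook directory rather than the directory the user runs from. Worth a comment above the list stating where these files are expected to live, e.g. `# Paths are resolved relative to the directory ansible-playbook is run from — confirm against the include in the role`, so that the example does not fail silently when run from an installed collection.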