cdot65/cdot65.scm
Strata Cloud Manager Ansible Collection


Ansible Collection for managing Palo Alto Networks Strata Cloud Manager (SCM) configurations.

NOTE: This collection is designed to provide infrastructure-as-code capabilities for the Strata Cloud Manager platform, enabling efficient management of folders, labels, snippets, variables, and other SCM resources.


Features

  • Configuration Management: Create, read, update, and delete SCM configuration objects such as folders, labels, snippets, and variables.
  • Comprehensive Module Set: Collection includes modules for organizational elements, configuration management, and future support for security objects.
  • Idempotent Operations: All modules are designed to be idempotent, ensuring consistent and predictable results.
  • Detailed Information Modules: Companion "info" modules for retrieving detailed information about resources.
  • OAuth2 Authentication: Securely authenticate with the Strata Cloud Manager API using OAuth2 client credentials.
  • Role-Based Automation: Ready-to-use roles for common operational tasks.

Requirements

  • Python 3.11 or higher
  • Ansible Core 2.17 or higher
  • pan-scm-sdk 0.3.33 or higher (installed automatically as a dependency)

Installation

  1. Install the collection from Ansible Galaxy:

     ```bash
     ansible-galaxy collection install cdot65.scm
     ```

  2. Or install directly from GitHub:

     ```bash
     ansible-galaxy collection install git+https://github.com/cdot65/cdot65.scm.git
     ```

  3. If you're using Poetry for dependency management:

     ```bash
     poetry run ansible-galaxy collection install cdot65.scm
     ```

Available Modules

Module Status Legend

| Symbol | Status |
|--------|--------|
| ✅ | Complete and available for use |
| 📝 | Planned for future release |

Objects Modules

| Module | Description | Status |
|--------|-------------|--------|
| address | Address object management | ✅ |
| address_info | Retrieve address object information | ✅ |
| address_group | Address group management | ✅ |
| address_group_info | Retrieve address group information | ✅ |
| application | Application object management | ✅ |
| application_info | Retrieve application object information | ✅ |
| application_filter | Application filters management | ✅ |
| application_filter_info | Retrieve application filters information | ✅ |
| application_group | Application group management | ✅ |
| application_group_info | Retrieve application group information | ✅ |
| auto_tag_actions | Auto tag actions management | 📝 |
| auto_tag_actions_info | Retrieve auto tag actions information | 📝 |
| dynamic_user_group | Dynamic user group management | ✅ |
| dynamic_user_group_info | Retrieve dynamic user group information | ✅ |
| external_dynamic_list | External dynamic lists management | ✅ |
| external_dynamic_list_info | Retrieve external dynamic lists information | ✅ |
| hip_object | HIP object management | ✅ |
| hip_object_info | Retrieve HIP object information | ✅ |
| hip_profile | HIP profile management | ✅ |
| hip_profile_info | Retrieve HIP profile information | ✅ |
| http_server_profile | HTTP server profiles management | ✅ |
| http_server_profile_info | Retrieve HTTP server profiles information | ✅ |
| log_forwarding_profile | Log forwarding profile management | ✅ |
| log_forwarding_profile_info | Retrieve log forwarding profile information | ✅ |
| quarantined_devices | Quarantined devices management | ✅ |
| quarantined_devices_info | Retrieve quarantined devices information | ✅ |
| region | Region object management | ✅ |
| region_info | Retrieve region object information | ✅ |
| schedules | Schedules management | 📝 |
| schedules_info | Retrieve schedules information | 📝 |
| service | Service object management | 📝 |
| service_info | Retrieve service object information | 📝 |
| service_group | Service group management | 📝 |
| service_group_info | Retrieve service group information | 📝 |
| syslog_server_profiles | Syslog server profiles management | 📝 |
| syslog_server_profiles_info | Retrieve syslog server profiles information | 📝 |
| tag | Tag management | 📝 |
| tag_info | Retrieve tag information | 📝 |

Network Modules

| Module | Description | Status |
|--------|-------------|--------|
| ike_crypto_profile | IKE crypto profile management | 📝 |
| ike_crypto_profile_info | Retrieve IKE crypto profile information | 📝 |
| ike_gateway | IKE gateway management | 📝 |
| ike_gateway_info | Retrieve IKE gateway information | 📝 |
| ipsec_crypto_profile | IPsec crypto profile management | 📝 |
| ipsec_crypto_profile_info | Retrieve IPsec crypto profile information | 📝 |
| nat_rules | NAT rules management | 📝 |
| nat_rules_info | Retrieve NAT rules information | 📝 |
| security_zone | Security zone management | 📝 |
| security_zone_info | Retrieve security zone information | 📝 |

Deployment Modules

| Module | Description | Status |
|--------|-------------|--------|
| bandwidth_allocations | Bandwidth allocations management | 📝 |
| bandwidth_allocations_info | Retrieve bandwidth allocations information | 📝 |
| bgp_routing | BGP routing management | 📝 |
| bgp_routing_info | Retrieve BGP routing information | 📝 |
| internal_dns_servers | Internal DNS servers management | 📝 |
| internal_dns_servers_info | Retrieve internal DNS servers information | 📝 |
| network_locations | Network locations management | 📝 |
| network_locations_info | Retrieve network locations information | 📝 |
| remote_networks | Remote networks management | 📝 |
| remote_networks_info | Retrieve remote networks information | 📝 |
| service_connections | Service connections management | 📝 |
| service_connections_info | Retrieve service connections information | 📝 |

Security Modules

| Module | Description | Status |
|--------|-------------|--------|
| anti_spyware_profile | Anti-spyware profile management | 📝 |
| anti_spyware_profile_info | Retrieve anti-spyware profile information | 📝 |
| decryption_profile | Decryption profile management | 📝 |
| decryption_profile_info | Retrieve decryption profile information | 📝 |
| dns_security_profile | DNS security profile management | 📝 |
| dns_security_profile_info | Retrieve DNS security profile information | 📝 |
| security_rule | Security rule management | 📝 |
| security_rule_info | Retrieve security rule information | 📝 |
| url_categories | URL categories management | 📝 |
| url_categories_info | Retrieve URL categories information | 📝 |
| vulnerability_protection_profile | Vulnerability protection profile management | 📝 |
| vulnerability_protection_profile_info | Retrieve vulnerability protection profile information | 📝 |
| wildfire_antivirus_profile | WildFire antivirus profile management | 📝 |
| wildfire_antivirus_profile_info | Retrieve WildFire antivirus profile information | 📝 |

Setup Modules

| Module | Description | Status |
|--------|-------------|--------|
| device | Device management | 📝 |
| device_info | Retrieve device information | ✅ |
| folder | Folder management | ✅ |
| folder_info | Retrieve folder information | ✅ |
| label | Label management | ✅ |
| label_info | Retrieve label information | ✅ |
| snippet | Snippet management | ✅ |
| snippet_info | Retrieve snippet information | ✅ |
| variable | Variable management | ✅ |
| variable_info | Retrieve variable information | ✅ |

Mobile Agent Modules

| Module | Description | Status |
|--------|-------------|--------|
| agent_versions | Agent versions management | 📝 |
| agent_versions_info | Retrieve agent versions information | 📝 |
| auth_settings | Auth settings management | 📝 |
| auth_settings_info | Retrieve auth settings information | 📝 |

Configuration and Deployment Modules (Planned)

| Module | Description | Status |
|--------|-------------|--------|
| deployment | Trigger configuration push/deployment | 📝 |
| job_info | Check job status | 📝 |

Example Usage

Creating a Folder Structure

```yaml
- name: Create parent folder
  cdot65.scm.folder:
    name: "Network-Objects"
    description: "Parent folder for network objects"
    parent: ""  # Root level folder
    scm_access_token: "{{ scm_access_token }}"
  register: parent_folder

- name: Create a subfolder
  cdot65.scm.folder:
    name: "Address-Objects"
    description: "Folder for address objects"
    parent: "Network-Objects"
    scm_access_token: "{{ scm_access_token }}"
```

Creating a Variable in a Folder

```yaml
- name: Create a network variable
  cdot65.scm.variable:
    name: "subnet-variable"
    folder: "Network-Objects"
    value: "10.1.1.0/24"
    type: "ip-netmask"
    description: "Network subnet for department A"
    scm_access_token: "{{ scm_access_token }}"
  register: subnet_variable
```

Retrieving Folder Information

```yaml
- name: Get all folders
  cdot65.scm.folder_info:
    scm_access_token: "{{ scm_access_token }}"
  register: all_folders

- name: Get specific folder by name
  cdot65.scm.folder_info:
    name: "Network-Objects"
    scm_access_token: "{{ scm_access_token }}"
  register: network_folder
```

Filtering Devices by Model

```yaml
- name: Get VM-series firewalls
  cdot65.scm.device_info:
    model: "PA-VM"
    scm_access_token: "{{ scm_access_token }}"
  register: vm_devices
```

Authentication

The collection uses OAuth2 authentication with the SCM API. All secrets must be provided via Ansible Vault-encrypted variable files.

Authentication Example

```yaml
- name: Authenticate with SCM
  hosts: localhost
  gather_facts: no
  vars_files:
    - vault.yml  # Store secrets here (encrypted with Ansible Vault)
  roles:
    - cdot65.scm.auth
```

A typical vault.yml file should contain:

```yaml
scm_client_id: "your-client-id"
scm_client_secret: "your-client-secret"
scm_tsg_id: "your-tsg-id"
```

Security Note: Always use Ansible Vault for storing credentials. Environment variables may be used for development only but are not recommended for production.
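To make the OAuth2 client-credentials grant behind the `cdot65.scm.auth` role concrete, here is an added Python illustration that is not code from this collection or from pan-scm-sdk. It builds the token request the way the grant prescribes (client id and secret in the HTTP Basic `Authorization` header, never in the URL or query string, so they do not land in proxy or web-server logs), validates the token response, tracks expiry so a long playbook can refresh before the token dies, and masks secrets before a result is logged. `TOKEN_URL` is a placeholder, and the `tsg_id:<id>` scope format is an assumption about the SCM token endpoint rather than something stated on this page.

```python
"""OAuth2 client-credentials request/response handling (added example).

Not the collection's or pan-scm-sdk's code. TOKEN_URL is a placeholder and
the `tsg_id:<id>` scope format is an assumption about the SCM endpoint.
"""
import base64
import time
from urllib.parse import urlencode

TOKEN_URL = "https://auth.example.invalid/oauth2/access_token"  # placeholder
SECRET_KEYS = ("access_token", "client_secret", "scm_client_secret", "scm_access_token")


def build_token_request(client_id, client_secret, tsg_id, token_url=TOKEN_URL):
    """Return (url, headers, body) for a client-credentials token request.

    The secret travels only in the Basic Authorization header; the body
    carries the grant type and the tenant scope (assumed format).
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": f"tsg_id:{tsg_id}"})
    return token_url, headers, body


def parse_token_response(payload, now=None):
    """Validate a token response and compute an absolute expiry timestamp."""
    if "access_token" not in payload:
        raise ValueError(f"token endpoint error: {payload.get('error', 'no access_token')}")
    if str(payload.get("token_type", "Bearer")).lower() != "bearer":
        raise ValueError(f"unexpected token_type {payload['token_type']!r}")
    now = time.time() if now is None else now
    expires_in = int(payload.get("expires_in", 0))
    return {"access_token": payload["access_token"], "expires_at": now + expires_in}


def token_is_fresh(token, now=None, skew=60):
    """True while the token has more than `skew` seconds of life left."""
    now = time.time() if now is None else now
    return token["expires_at"] - skew > now


def redact(result):
    """Mask secret-bearing keys before a result is logged or registered
    (the same idea as Ansible's no_log on sensitive parameters)."""
    return {k: ("***" if k in SECRET_KEYS else v) for k, v in result.items()}


if __name__ == "__main__":
    url, headers, body = build_token_request("your-client-id", "your-client-secret", "your-tsg-id")
    print(url, redact({"Authorization": headers["Authorization"]}), body)
    # Constructed sample response, as the endpoint would return it:
    sample = {"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 900}
    tok = parse_token_response(sample)
    print(redact(tok), "fresh:", token_is_fresh(tok))
```

The `expires_at` bookkeeping is what lets a role re-run the token request only when needed, and `redact()` is the habit that keeps `scm_access_token` out of `-v` output and registered-variable dumps.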

Example Playbooks

The collection includes several example playbooks in the examples/ directory:

  • auth.yml - Authentication example
  • folder.yml - Create and manage folders
  • folder_info.yml - Retrieve folder information
  • label.yml - Create and manage labels
  • label_info.yml - Retrieve label information
  • snippet.yml - Create and manage snippets
  • snippet_info.yml - Retrieve snippet information
  • variable.yml - Create and manage variables
  • variable_info.yml - Retrieve variable information
  • device_info.yml - Retrieve device information
  • address.yml - Create and manage address objects
  • address_info.yml - Retrieve address information
  • address_group.yml - Create and manage address groups
  • address_group_info.yml - Retrieve address group information
  • application.yml - Create and manage application objects
  • application_info.yml - Retrieve application information
  • application_group.yml - Create and manage application groups
  • application_group_info.yml - Retrieve application group information
  • application_filter.yml - Create and manage application filters
  • application_filter_info.yml - Retrieve application filter information
  • dynamic_user_group.yml - Create and manage dynamic user groups
  • dynamic_user_group_info.yml - Retrieve dynamic user group information
  • external_dynamic_list.yml - Create and manage external dynamic lists
  • external_dynamic_list_info.yml - Retrieve external dynamic list information
  • hip_object.yml - Create and manage host information profile objects
  • hip_object_info.yml - Retrieve host information profile object information
  • hip_profile.yml - Create and manage host information profiles
  • hip_profile_info.yml - Retrieve host information profile information
  • http_server_profile.yml - Create and manage HTTP server profiles
  • http_server_profile_info.yml - Retrieve HTTP server profile information
  • log_forwarding_profile.yml - Create and manage log forwarding profiles
  • log_forwarding_profile_info.yml - Retrieve log forwarding profile information
  • log_forwarding_profile_minimal.yml - Minimal example for log forwarding profiles
  • quarantined_devices.yml - Create and manage quarantined devices
  • quarantined_devices_info.yml - Retrieve quarantined device information

Development

This collection is built using Poetry for dependency management.

```bash
# Setup development environment
make dev-setup

# Build the collection
make build

# Install the collection locally
make install

# Build and install in one step
make all

# Run all linting and formatting checks
make lint-all

# Format code
make format

# Fix linting issues automatically
make lint-fix

# Run all tests
make test
```

Module Design Patterns

The collection follows consistent design patterns:

  • Resource Modules: Perform CRUD operations with idempotent behavior
  • Info Modules: Retrieve detailed information with optional filtering
  • Standard Parameters: Consistent parameter naming across all modules
  • Error Handling: Detailed error reporting with specific error codes
  • Check Mode Support: Preview changes without applying them

All modules support:

  • Check mode
  • Detailed error messages
  • Consistent return structures
  • Authentication via SCM access token
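The resource-module pattern above (idempotent CRUD plus check mode) comes down to one reconcile loop: read current state, diff it against the desired state on the fields the module manages, and mutate only on drift, skipping the mutation but still reporting `changed` when check mode is on. The following is an added Python illustration of that loop, not code from the cdot65.scm collection; `FakeScmApi`, `MANAGED_FIELDS` and the result keys are constructed for the example and only mimic the shape of an Ansible module result.

```python
"""Idempotent reconcile with check-mode support (added illustration).

Not the collection's code: FakeScmApi stands in for the SCM API, and the
field names and result keys are constructed for the example.
"""
from __future__ import annotations

from typing import Any


class FakeScmApi:
    """Constructed in-memory stand-in for the SCM folder API, keyed by name."""

    def __init__(self) -> None:
        self.folders: dict[str, dict[str, Any]] = {}
        self.calls: list[str] = []  # log of mutating calls, to prove idempotency

    def get(self, name: str) -> dict[str, Any] | None:
        return self.folders.get(name)

    def create(self, spec: dict[str, Any]) -> dict[str, Any]:
        self.calls.append(f"create:{spec['name']}")
        self.folders[spec["name"]] = dict(spec)
        return self.folders[spec["name"]]

    def update(self, name: str, changes: dict[str, Any]) -> dict[str, Any]:
        self.calls.append(f"update:{name}")
        self.folders[name].update(changes)
        return self.folders[name]

    def delete(self, name: str) -> None:
        self.calls.append(f"delete:{name}")
        del self.folders[name]


# Fields the module owns. Anything else the API returns (ids, timestamps)
# is ignored when computing drift, otherwise every run would report a change.
MANAGED_FIELDS = ("description", "parent")


def diff(desired: dict[str, Any], current: dict[str, Any]) -> dict[str, Any]:
    """Managed fields whose desired value differs from the current object."""
    return {k: desired[k] for k in MANAGED_FIELDS
            if k in desired and desired[k] != current.get(k)}


def reconcile(api: FakeScmApi, desired: dict[str, Any], state: str = "present",
              check_mode: bool = False) -> dict[str, Any]:
    """Converge one folder to `desired` and return an Ansible-style result."""
    name = desired["name"]
    current = api.get(name)

    if state == "absent":
        if current is None:
            return {"changed": False, "msg": f"{name} already absent"}
        if not check_mode:          # check mode: report, don't touch
            api.delete(name)
        return {"changed": True, "msg": f"deleted {name}"}

    if current is None:
        if not check_mode:
            api.create(desired)
        return {"changed": True, "msg": f"created {name}",
                "diff": {"before": None, "after": desired}}

    changes = diff(desired, current)
    if not changes:                 # second run: nothing to do
        return {"changed": False, "msg": f"{name} in desired state", "folder": current}
    before = {k: current.get(k) for k in changes}
    if not check_mode:
        api.update(name, changes)
    return {"changed": True, "msg": f"updated {name}",
            "diff": {"before": before, "after": changes}}


if __name__ == "__main__":
    api = FakeScmApi()
    spec = {"name": "Network-Objects", "description": "Parent folder", "parent": ""}
    print(reconcile(api, spec, check_mode=True))   # changed, but no API call
    print(reconcile(api, spec))                     # created
    print(reconcile(api, spec))                     # changed: False
    print(api.calls)
```

Running the same spec twice yields `changed: False` on the second pass with no extra API call, which is the property the README's "idempotent" claim refers to; the `diff` key is what `ansible-playbook --diff` renders.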

Contributing

Contributions are welcome! Please see the CONTRIBUTING.md file for guidelines.

License

GNU General Public License v3.0 or later

Author

  • Calvin Remsburg (@cdot65)
