cdot65/cdot65.scm

Strata Cloud Manager Ansible Collection

Ansible Collection for managing Palo Alto Networks Strata Cloud Manager (SCM) configurations.

NOTE: This collection is designed to provide infrastructure-as-code capabilities for the Strata Cloud Manager platform, enabling efficient management of folders, labels, snippets, variables, and other SCM resources.

Features

  • Configuration Management: Create, read, update, and delete SCM configuration objects such as folders, labels, snippets, and variables.
  • Network Objects: Manage address objects, address groups, application objects, application groups, service objects, service groups, and tags.
  • Comprehensive Module Set: 69 production-ready modules (34 resource modules + 35 info modules) - expanding SDK object coverage (see DEVELOPMENT_TODO.md).
  • Idempotent Operations: All modules are designed to be idempotent, ensuring consistent and predictable results.
  • Detailed Information Modules: Companion "info" modules for retrieving detailed information about resources.
  • OAuth2 Authentication: Securely authenticate with the Strata Cloud Manager API using OAuth2 client credentials.
  • Role-Based Automation: Ready-to-use roles for common operational tasks.
  • SDK Integration: Built on the official pan-scm-sdk library for reliable API interactions.

Requirements

  • Python 3.11 or higher (Python 3.13 fully supported)
    • This is a hard requirement enforced by the pan-scm-sdk dependency
  • Ansible Core 2.18 or higher
  • pan-scm-sdk 0.3.44 or higher (installed automatically as a dependency)

Installation

  1. Install the collection from Ansible Galaxy:

    ansible-galaxy collection install cdot65.scm
  2. Or install directly from GitHub:

    ansible-galaxy collection install git+https://github.com/cdot65/cdot65.scm.git
  3. If you're using Poetry for dependency management:

    poetry run ansible-galaxy collection install cdot65.scm

Available Modules

Current Status: 83 production-ready modules (41 resource modules + 42 info modules)

SDK Coverage: 91% of pan-scm-sdk v0.3.44 services (39 of 43 available services implemented)

Coverage: Comprehensive module coverage including VPN, routing, NAT, security profiles, and deployment modules! See DEVELOPMENT_TODO.md for implementation notes, roadmap, and complete SDK service mapping.

SDK Integration Status

This collection integrates with pan-scm-sdk v0.3.44 (latest version). Below is our coverage status:

  • Implemented: 39 SDK services (83 modules total)
  • 🟢 Available in SDK, Ready to Implement: 4 SDK services (8 potential modules)
  • 🎯 Target: 100% SDK coverage (91 total modules)

Remaining SDK Services Not Yet Implemented:

  • Mobile Agent: agent_version, auth_setting
  • Automation: auto_tag_action
  • Insights: alerts

See DEVELOPMENT_TODO.md for detailed SDK service mapping and implementation priorities.

Module Status Legend

Symbol Status
Complete and available for use
📝 Planned for future release

Authentication Module

Module Description Status
auth Authenticate and obtain OAuth2 access token

Core Management Modules

Module Description Status
folder Create, update, or delete folders
folder_info Retrieve folder information with filtering
label Create, update, or delete labels
label_info Retrieve label information with filtering
snippet Create, update, or delete configuration snippets
snippet_info Retrieve snippet information with filtering
variable Create, update, or delete variables
variable_info Retrieve variable information with filtering
device_info Retrieve device information with filtering

Network Objects Modules

Module Description Status
address Manage address objects
address_info Retrieve address object information
address_group Manage address groups
address_group_info Retrieve address group information
application Manage application objects
application_info Retrieve application information
application_group Manage application groups
application_group_info Retrieve application group information
application_filter Manage application filters
application_filter_info Retrieve application filter information
service Manage service objects
service_info Retrieve service object information
service_group Manage service groups
service_group_info Retrieve service group information
tag Manage tags
tag_info Retrieve tag information

Network & VPN Modules

Module Description Status
ike_crypto_profile Manage IKE crypto profiles for VPN phase 1
ike_crypto_profile_info Retrieve IKE crypto profile information
ike_gateway Manage IKE gateways for VPN tunnels
ike_gateway_info Retrieve IKE gateway information
ipsec_crypto_profile Manage IPsec crypto profiles for VPN phase 2
ipsec_crypto_profile_info Retrieve IPsec crypto profile information
nat_rule Manage NAT rules with source/destination translation
nat_rule_info Retrieve NAT rule information
security_zone Manage security zones
security_zone_info Retrieve security zone information

Routing & BGP Modules

Module Description Status
bgp_routing Manage global BGP routing configuration
bgp_routing_info Retrieve BGP routing configuration

User & Device Management Modules

Module Description Status
dynamic_user_group Manage dynamic user groups
dynamic_user_group_info Retrieve dynamic user group information
hip_object Manage Host Information Profile objects
hip_object_info Retrieve HIP object information
hip_profile Manage HIP profiles
hip_profile_info Retrieve HIP profile information

External Resources & Monitoring Modules

Module Description Status
external_dynamic_list Manage external dynamic lists
external_dynamic_list_info Retrieve external dynamic list information
http_server_profile Manage HTTP server profiles
http_server_profile_info Retrieve HTTP server profile information
region Manage region objects with geographic locations
region_info Retrieve region information

Scheduling Modules

Module Description Status
schedule Manage schedule objects (recurring and non-recurring)
schedule_info Retrieve schedule information

Logging & Monitoring Modules

Module Description Status
syslog_server_profile Manage syslog server profiles ⚠️
syslog_server_profile_info Retrieve syslog server profile information ⚠️

Note: Syslog modules are implemented but the SCM API endpoint returns errors in some environments. HTTP Server and Log Forwarding profiles are fully functional.

Deployment & Infrastructure Modules

Module Description Status
bandwidth_allocation Manage bandwidth allocation for SD-WAN ⚠️
bandwidth_allocation_info Retrieve bandwidth allocation information
internal_dns_server Manage internal DNS server objects
internal_dns_server_info Retrieve internal DNS server information
network_location_info Retrieve network location information (read-only)
remote_network Manage Prisma Access remote networks
remote_network_info Retrieve remote network information
service_connection Manage Prisma Access service connections
service_connection_info Retrieve service connection information

Note: Bandwidth allocation modules have API limitations in SCM v0.3.44. Network locations are read-only resources. Remote networks and service connections require Prisma Access infrastructure (SPN, IPSec tunnels).

Device Management Modules

Module Description Status
quarantined_device Manage quarantined devices ⚠️
quarantined_device_info Retrieve quarantined device information ⚠️

Note: Quarantined device modules are implemented but require actual firewall devices connected to SCM to function. The API returns errors without connected devices.

Security Policy Modules

Module Description Status
security_rule Manage security rules
security_rule_info Retrieve security rule information
url_categories Manage custom URL categories
url_categories_info Retrieve URL category information

Security Profile Modules

Module Description Status
anti_spyware_profile Manage Anti-Spyware security profiles
anti_spyware_profile_info Retrieve Anti-Spyware profile information
vulnerability_protection_profile Manage Vulnerability Protection profiles
vulnerability_protection_profile_info Retrieve Vulnerability Protection profile information
wildfire_antivirus_profile Manage WildFire Antivirus profiles
wildfire_antivirus_profile_info Retrieve WildFire Antivirus profile information
decryption_profile Manage Decryption profiles
decryption_profile_info Retrieve Decryption profile information
dns_security_profile Manage DNS Security profiles
dns_security_profile_info Retrieve DNS Security profile information

Module Status

Comprehensive module coverage with VPN, routing, and security features! 🚀

  • 83 total modules (41 resource + 42 info modules)
  • 91% SDK coverage - Includes VPN (IKE/IPsec), routing (BGP), NAT rules, security profiles, and deployment modules
  • All Priority 8, 9, and 10 modules complete - Full networking, VPN, and security policy management
  • ⚠️ 3 modules with API limitations (syslog_server_profile, quarantined_device, bandwidth_allocation) - see notes above

See DEVELOPMENT_TODO.md for complete implementation details, the roadmap, the status of each module, and the planned features with their priorities and estimated effort.

Example Usage

Creating a Folder Structure

- name: Create parent folder
  cdot65.scm.folder:
    name: "Network-Objects"
    description: "Parent folder for network objects"
    parent: ""  # Root level folder
    scm_access_token: "{{ scm_access_token }}"
  register: parent_folder

- name: Create a subfolder
  cdot65.scm.folder:
    name: "Address-Objects"
    description: "Folder for address objects"
    parent: "Network-Objects"
    scm_access_token: "{{ scm_access_token }}"

Creating a Variable in a Folder

- name: Create a network variable
  cdot65.scm.variable:
    name: "subnet-variable"
    folder: "Network-Objects"
    value: "10.1.1.0/24"
    type: "ip-netmask"
    description: "Network subnet for department A"
    scm_access_token: "{{ scm_access_token }}"
  register: subnet_variable

Retrieving Folder Information

- name: Get all folders
  cdot65.scm.folder_info:
    scm_access_token: "{{ scm_access_token }}"
  register: all_folders

- name: Get specific folder by name
  cdot65.scm.folder_info:
    name: "Network-Objects"
    scm_access_token: "{{ scm_access_token }}"
  register: network_folder

Filtering Devices by Model

- name: Get VM-series firewalls
  cdot65.scm.device_info:
    model: "PA-VM"
    scm_access_token: "{{ scm_access_token }}"
  register: vm_devices

Authentication

The collection uses OAuth2 authentication with the SCM API. All secrets must be provided via Ansible Vault-encrypted variable files.

Authentication Methods

You can authenticate using either the auth module or the auth role:

Option 1: Using the auth module

- name: Get OAuth2 token
  cdot65.scm.auth:
    client_id: "{{ scm_client_id }}"
    client_secret: "{{ scm_client_secret }}"
    tsg_id: "{{ scm_tsg_id }}"
  register: auth_result
  no_log: true

- name: Set access token fact
  set_fact:
    scm_access_token: "{{ auth_result.access_token }}"

Option 2: Using the auth role

- name: Authenticate with SCM
  hosts: localhost
  gather_facts: no
  vars_files:
    - vault.yml  # Store secrets here (encrypted with Ansible Vault)
  roles:
    - cdot65.scm.auth

Vault Configuration

A typical vault.yml file should contain:

scm_client_id: "your-client-id"
scm_client_secret: "your-client-secret"
scm_tsg_id: "your-tsg-id"

Security Note: Always use Ansible Vault for storing credentials. Environment variables may be used for development only but are not recommended for production.
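A pre-flight check for the rule above, added here as an example (it is not part of the cdot65.scm collection): it reads the contents of a vars file and reports which of the three credential variables the auth module and role consume are stored in plaintext, accepting either a whole-file vault (leading $ANSIBLE_VAULT header) or inline !vault values. The sample file contents are constructed.

```python
import re

# Credential variables the collection's auth module and role read (from this README).
SECRET_KEYS = ("scm_client_id", "scm_client_secret", "scm_tsg_id")
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;\d+\.\d+;AES256")
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")


def check_vault_file(text: str) -> dict:
    """Classify a vars file: whole-file vault, inline !vault values, or plaintext.

    Returns {"encrypted": bool, "plaintext_keys": [...]}. A file whose first line
    is the $ANSIBLE_VAULT header protects every value. Otherwise each top-level
    credential key must carry the inline '!vault' tag; anything else is reported.
    """
    lines = text.splitlines()
    if lines and VAULT_HEADER.match(lines[0].strip()):
        return {"encrypted": True, "plaintext_keys": []}
    plaintext = []
    for line in lines:
        m = TOP_LEVEL_KEY.match(line)
        if not m:
            continue  # indented !vault payload lines, comments and blanks
        key, value = m.group(1), m.group(2).strip()
        if key in SECRET_KEYS and not value.startswith("!vault"):
            plaintext.append(key)
    return {"encrypted": False, "plaintext_keys": plaintext}


# Constructed sample: the README's vault.yml template, never vaulted.
PLAINTEXT_VAULT = """scm_client_id: "your-client-id"
scm_client_secret: "your-client-secret"
scm_tsg_id: "your-tsg-id"
"""

# Constructed sample: two values vaulted inline, client_id still in the clear.
MIXED_VAULT = """scm_client_id: "your-client-id"
scm_client_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          3132333435363738
scm_tsg_id: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          3938373635343332
"""

if __name__ == "__main__":
    for label, content in (("plaintext", PLAINTEXT_VAULT), ("mixed", MIXED_VAULT)):
        print(label, check_vault_file(content))
```

Run it against the real vault.yml (for example with `check_vault_file(open("vault.yml").read())`) before a playbook run; an empty plaintext_keys list is the expected result.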

Example Playbooks

The collection includes comprehensive example playbooks in the examples/ directory:

Core Management:

  • auth.yml - Authentication example
  • folder.yml / folder_info.yml - Folder management
  • label.yml / label_info.yml - Label management
  • snippet.yml / snippet_info.yml - Snippet management
  • variable.yml / variable_info.yml - Variable management
  • device_info.yml - Device information retrieval

Network Objects:

  • address.yml / address_info.yml - Address object management
  • address_group.yml / address_group_info.yml - Address group management
  • application.yml / application_info.yml - Application object management
  • application_group.yml / application_group_info.yml - Application group management
  • application_filter.yml / application_filter_info.yml - Application filter management
  • service.yml / service_info.yml - Service object management
  • service_group.yml / service_group_info.yml - Service group management
  • tag.yml / tag_info.yml - Tag management

User & Device Management:

  • dynamic_user_group.yml / dynamic_user_group_info.yml - Dynamic user group management
  • hip_object.yml / hip_object_info.yml - HIP object management
  • hip_profile.yml / hip_profile_info.yml - HIP profile management

External Resources & Monitoring:

  • external_dynamic_list.yml / external_dynamic_list_info.yml - External dynamic list management
  • http_server_profile.yml / http_server_profile_info.yml - HTTP server profile management

Development

This collection is built using Poetry for dependency management.

Quick Start

# Setup development environment
make dev-setup

# Build the collection
make build

# Install the collection locally
make install

# Build and install in one step
make all

# Run all linting and formatting checks
make lint-all

# Format code
make format

# Fix linting issues automatically
make lint-fix

# Run all tests
make test

Development Resources

Creating New Modules

To create a new module, follow the workflow documented in MODULE_DEVELOPMENT_WORKFLOW.md. The process involves:

  1. Choose an appropriate template module based on complexity
  2. Copy the template to a new module file
  3. Update documentation, parameters, and SDK client calls
  4. Test thoroughly with example playbooks
  5. Run linting and quality checks

All modules must:

  • Use the pan-scm-sdk library for API operations
  • Support idempotent operations
  • Include check mode support
  • Follow consistent parameter naming conventions
  • Include comprehensive documentation

Module Design Patterns

The collection follows consistent design patterns:

  • Resource Modules: Perform CRUD operations with idempotent behavior
  • Info Modules: Retrieve detailed information with optional filtering
  • Standard Parameters: Consistent parameter naming across all modules
  • Error Handling: Detailed error reporting with specific error codes
  • Check Mode Support: Preview changes without applying them

All modules support:

  • Check mode
  • Detailed error messages
  • Consistent return structures
  • Authentication via SCM access token
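The idempotent, check-mode-aware resource pattern described above, written out as an added example (not the collection's own module code). It reconciles a folder with the same name/description/parent fields the folder examples use; FakeFolderClient is a constructed in-memory stand-in, so no pan-scm-sdk method names are implied.

```python
from dataclasses import dataclass, field

@dataclass
class FakeFolderClient:
    """Constructed in-memory stand-in for an SCM folder service (not pan-scm-sdk)."""
    folders: dict = field(default_factory=dict)   # name -> attributes
    calls: list = field(default_factory=list)     # every write, for inspection

    def fetch(self, name):
        return self.folders.get(name)

    def create(self, data):
        self.calls.append(("create", data["name"]))
        self.folders[data["name"]] = dict(data)

    def update(self, data):
        self.calls.append(("update", data["name"]))
        self.folders[data["name"]].update(data)

    def delete(self, name):
        self.calls.append(("delete", name))
        del self.folders[name]


def ensure_folder(client, name, state="present", check_mode=False, **attrs):
    """Reconcile one folder and return an Ansible-style result dict.

    Only the attributes the task supplies are compared with the existing object,
    so re-running an unchanged task yields changed=False. In check mode the
    result reports what would change but no write method is called.
    """
    existing = client.fetch(name)
    if state == "absent":
        if existing is None:
            return {"changed": False}
        if not check_mode:
            client.delete(name)
        return {"changed": True}
    if existing is None:
        desired = {"name": name, **attrs}
        if not check_mode:
            client.create(desired)
        return {"changed": True, "folder": desired}
    diff = {k: v for k, v in attrs.items() if existing.get(k) != v}
    if not diff:
        return {"changed": False, "folder": existing}
    if not check_mode:
        client.update({"name": name, **diff})
    return {"changed": True, "folder": {**existing, **diff}}
```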

Contributing

Contributions are welcome! Please see the CONTRIBUTING.md file for guidelines.

License

GNU General Public License v3.0 or later

Author

  • Calvin Remsburg (@cdot65)
