Collection Documentation

The Palo Alto Networks Strata Cloud Manager Ansible Collection provides a comprehensive set of modules, roles, and plugins for managing SCM configurations. Built on top of the pan-scm-sdk Python SDK, this collection enables automation of network security objects and policies in Strata Cloud Manager.

Collection Structure

cdot65.scm/
├── docs/                # Documentation
├── meta/                # Collection metadata
├── plugins/             # Collection plugins
│   ├── modules/         # Ansible modules
│   ├── inventory/       # Inventory plugins
│   ├── lookup/          # Lookup plugins
│   └── module_utils/    # Shared utilities
├── roles/               # Ansible roles
│   ├── bootstrap/       # SCM bootstrap role
│   └── deploy_config/   # Configuration deployment role
└── tests/               # Tests for collection

Collection Namespace

All modules in this collection use the cdot65.scm namespace. To use a module:

```yaml
- name: Create an address object
  cdot65.scm.address:
    provider:
      client_id: "{{ client_id }}"
      client_secret: "{{ client_secret }}"
      tsg_id: "{{ tsg_id }}"
    name: "test-address"
    folder: "Texas"
    ip_netmask: "192.168.1.1/32"
    state: "present"
```

Authentication

All modules in this collection require authentication to SCM using OAuth2 client credentials. The recommended approach is to store credentials securely using Ansible Vault:

  1. Create a vault-encrypted variables file:

```shell
ansible-vault create vault.yaml
```

  2. Add your credentials to the file:

```yaml
client_id: "your-client-id"
client_secret: "your-client-secret"
tsg_id: "your-tenant-service-group-id"
```

  3. Reference the vault file in your playbook:

```yaml
- name: Configure SCM resources
  hosts: localhost
  vars_files:
    - vault.yaml
  vars:
    provider:
      client_id: "{{ client_id }}"
      client_secret: "{{ client_secret }}"
      tsg_id: "{{ tsg_id }}"
      log_level: "INFO"
  tasks:
    - name: Create address object
      cdot65.scm.address:
        provider: "{{ provider }}"
        name: "web-server"
        folder: "Texas"
        ip_netmask: "10.1.1.1/32"
        state: "present"
```

Provider Configuration

The provider parameter is required for all modules and contains the following fields:

| Parameter | Type | Required | Description |
|---|---|---|---|
| client_id | string | Yes | OAuth2 client ID |
| client_secret | string | Yes | OAuth2 client secret |
| tsg_id | string | Yes | Tenant Service Group ID |
| log_level | string | No | SDK log level (default: "INFO") |

Key Collection Components

Modules

The collection includes modules for managing various SCM configuration objects:

Network Objects

| Module | Description | Info Module |
|---|---|---|
| Address | Manage address objects | Address Info |
| Address Group | Manage address groups | Address Group Info |
| Application | Manage applications | Application Info |
| Application Group | Manage application groups | Application Group Info |
| Dynamic User Group | Manage dynamic user groups | Dynamic User Group Info |
| External Dynamic Lists | Manage external dynamic lists | External Dynamic Lists Info |
| HIP Object | Manage Host Information Profile objects | HIP Object Info |
| HIP Profile | Manage Host Information Profile profiles | HIP Profile Info |
| HTTP Server Profiles | Manage HTTP server profiles | HTTP Server Profiles Info |
| Log Forwarding Profile | Manage log forwarding profiles | Log Forwarding Profile Info |
| Quarantined Devices | Manage quarantined devices | Quarantined Devices Info |
| Region | Manage geographic region objects | Region Info |
| Service | Manage service objects | Service Info |
| Service Group | Manage service groups | Service Group Info |
| Syslog Server Profiles | Manage syslog server profiles | Syslog Server Profiles Info |
| Tag | Manage tag objects | Tag Info |

Network Configuration

| Module | Description | Info Module |
|---|---|---|
| Security Zone | Manage security zones | |
| IKE Crypto Profile | Manage IKE crypto profiles | IKE Crypto Profile Info |
| IKE Gateway | Manage IKE gateways | |
| IPsec Crypto Profile | Manage IPsec crypto profiles | |
| IPsec Tunnel | Manage IPsec tunnels | |
| BGP Routing | Manage BGP routing configuration | BGP Routing Info |

Deployment

| Module | Description | Info Module |
|---|---|---|
| Bandwidth Allocations | Manage bandwidth allocations | Bandwidth Allocations Info |
| Internal DNS Servers | Manage internal DNS servers | Internal DNS Servers Info |
| Remote Networks | Manage remote networks | Remote Networks Info |
| Network Locations | Manage network locations | |
| Service Connections | Manage service connections | Service Connections Info |

Security Services

| Module | Description | Info Module |
|---|---|---|
| Security Rule | Manage security rules | Security Rule Info |
| Anti-Spyware Profile | Manage anti-spyware profiles | Anti-Spyware Profile Info |
| Decryption Profile | Manage decryption profiles | Decryption Profile Info |
| DNS Security Profile | Manage DNS security profiles | DNS Security Profile Info |
| Security Profiles Group | Manage security profile groups | Security Profiles Group Info |
| URL Categories | Manage URL categories | URL Categories Info |
| Vulnerability Protection Profile | Manage vulnerability protection profiles | Vulnerability Protection Profile Info |
| WildFire Antivirus Profiles | Manage WildFire antivirus profiles | WildFire Antivirus Profiles Info |

Roles

Pre-built roles to simplify common tasks:

  • bootstrap: Initialize SCM configurations
  • deploy_config: Deploy configurations to SCM

Plugins

Additional plugins to extend Ansible functionality:

  • Inventory Plugin: Build dynamic inventories from SCM
  • Lookup Plugin: Look up data from SCM

Best Practices

  1. Idempotent Operations:
     • All modules are designed to be idempotent
     • Running playbooks multiple times won't create duplicate resources

  2. Secure Credential Management:
     • Always store credentials in Ansible Vault
     • Never hardcode secrets in playbooks

  3. Organize by Folder:
     • Group related objects in the same SCM folder
     • Use consistent folder naming schemes

  4. Testing:
     • Use check_mode: yes to validate changes before applying them
     • Create test environments before deploying to production
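The check-mode and idempotency guidance above, worked into one playbook as an added example (not taken from the collection's own documentation). It assumes the vault.yaml layout from the Authentication section and that the module reports `changed` in the standard Ansible way; the `args:` keyword is used so all three runs share exactly one argument set.

```yaml
---
# Added example; not part of the collection's own documentation.
# Assumes vault.yaml defines client_id, client_secret and tsg_id as above.
- name: Preview, apply, and prove idempotency of an SCM address object
  hosts: localhost
  gather_facts: false
  vars_files:
    - vault.yaml
  vars:
    provider:
      client_id: "{{ client_id }}"
      client_secret: "{{ client_secret }}"
      tsg_id: "{{ tsg_id }}"
    # One argument set reused by every task so the three runs are identical
    address_args:
      provider: "{{ provider }}"
      name: "web-server"
      folder: "Texas"
      ip_netmask: "10.1.1.1/32"
      state: "present"
  tasks:
    - name: Preview the change without modifying SCM
      action: cdot65.scm.address
      args: "{{ address_args }}"
      check_mode: true
      no_log: true          # keep the provider secrets out of task output
      register: preview

    - name: Apply the change
      action: cdot65.scm.address
      args: "{{ address_args }}"
      no_log: true
      register: first_run

    - name: Run the identical task a second time
      action: cdot65.scm.address
      args: "{{ address_args }}"
      no_log: true
      register: second_run

    - name: Fail if the module is not idempotent or check mode disagreed
      ansible.builtin.assert:
        that:
          - preview.changed == first_run.changed
          - not second_run.changed
        fail_msg: "Second run reported changed=true; duplicate or drifting object"
        success_msg: "Address object converged; the repeat run made no changes"
```

Run it with `ansible-playbook --ask-vault-pass` against a test folder first; a failing assert points at either a non-idempotent task definition or an object that something else is modifying between runs.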