Application Group Configuration Object

Overview

The application_group Ansible module provides functionality to manage application group objects in Palo Alto Networks' Strata Cloud Manager (SCM). This module allows you to create, update, and delete application groups that can contain multiple application objects. Application groups simplify security policy configuration by allowing you to reference multiple applications as a single object.

Core Methods

Method	Description	Parameters	Return Type
`create()`	Creates a new application group	`data: Dict[str, Any]`	`ApplicationGroupResponseModel`
`update()`	Updates an existing group	`group: ApplicationGroupUpdateModel`	`ApplicationGroupResponseModel`
`delete()`	Removes an application group	`object_id: str`	`None`
`fetch()`	Gets an application group by name	`name: str`, `container: str`	`ApplicationGroupResponseModel`
`list()`	Lists application groups	`folder: str`, `**filters`	`List[ApplicationGroupResponseModel]`

Application Group Model Attributes

Attribute	Type	Required	Description
`name`	str	Yes	The name of the application group
`members`	list	Yes	List of application names to include in the group
`folder`	str	One container	The folder in which the group is defined (max 64 chars)
`snippet`	str	One container	The snippet in which the group is defined (max 64 chars)
`device`	str	One container	The device in which the group is defined (max 64 chars)

Exceptions

Exception	Description
`InvalidObjectError`	Invalid group data or format
`NameNotUniqueError`	Group name already exists
`ObjectNotPresentError`	Group or member application not found
`MissingQueryParameterError`	Missing required parameters
`EmptyMembersError`	Application group cannot be empty
`AuthenticationError`	Authentication failed
`ServerError`	Internal server error

Basic Configuration

The Application Group module requires proper authentication credentials to access the Strata Cloud Manager API.

- name: Basic Application Group Configuration
  hosts: localhost
  gather_facts: false
  vars:
    provider:
      client_id: "your_client_id"
      client_secret: "your_client_secret"
      tsg_id: "your_tsg_id"
      log_level: "INFO"
  tasks:
    - name: Ensure an application group exists
      cdot65.scm.application_group:
        provider: "{{ provider }}"
        name: "web-apps"
        members:
          - "ssl"
          - "web-browsing"
        folder: "Texas"
        state: "present"

Usage Examples

Creating Application Groups

Application groups allow you to organize related applications together for simplified policy management.

Basic Application Group

This example creates a simple application group with a few members.

- name: Create a basic web applications group
  cdot65.scm.application_group:
    provider: "{{ provider }}"
    name: "web-apps"
    members:
      - "ssl"
      - "web-browsing"
    folder: "Texas"
    state: "present"

Comprehensive Application Group

This example creates a more comprehensive application group with multiple related applications.

- name: Create a comprehensive collaboration applications group
  cdot65.scm.application_group:
    provider: "{{ provider }}"
    name: "collaboration-apps"
    members:
      - "ms-teams"
      - "zoom"
      - "webex"
      - "slack"
      - "google-meet"
      - "skype"
      - "whatsapp"
    folder: "Texas"
    state: "present"

Updating Application Groups

When updating an application group, you must provide the complete list of members. Any existing members not included in the update will be removed from the group.

- name: Update web applications group membership
  cdot65.scm.application_group:
    provider: "{{ provider }}"
    name: "web-apps"
    members:
      - "ssl"
      - "web-browsing"
      - "http"
      - "https"
    folder: "Texas"
    state: "present"

Deleting Application Groups

This example removes application groups from the system.

- name: Remove application groups
  cdot65.scm.application_group:
    provider: "{{ provider }}"
    name: "{{ item }}"
    folder: "Texas"
    state: "absent"
  loop:
    - "web-apps"
    - "collaboration-apps"

Managing Configuration Changes

After creating, updating, or deleting application groups, you need to commit your changes to apply them.

- name: Commit changes
  cdot65.scm.commit:
    provider: "{{ provider }}"
    folders: ["Texas"]
    description: "Updated application group definitions"

Error Handling

It's important to handle potential errors when working with application group objects.

- name: Create or update application group with error handling
  block:
    - name: Ensure application group exists
      cdot65.scm.application_group:
        provider: "{{ provider }}"
        name: "web-apps"
        members:
          - "ssl"
          - "web-browsing"
        folder: "Texas"
        state: "present"
      register: group_result

    - name: Commit changes
      cdot65.scm.commit:
        provider: "{{ provider }}"
        folders: ["Texas"]
        description: "Updated application group definitions"

  rescue:
    - name: Handle errors
      debug:
        msg: "An error occurred: {{ ansible_failed_result.msg }}"

    - name: Check if error is due to non-existent application
      cdot65.scm.application_info:
        provider: "{{ provider }}"
        folder: "Texas"
      register: all_applications

    - name: Display available applications
      debug:
        msg: "Available applications: {{ all_applications.applications | map(attribute='name') | list }}"
      when: all_applications is defined

Best Practices

Group Organization

Use descriptive names that indicate the function of the group
Group applications with similar functions or purposes
Use a consistent naming convention across application groups
Limit the number of applications in a group to maintain clarity
Document the purpose of each application group

Member Management

Verify all member applications exist before creating the group
When updating groups, always provide the complete list of members
Consider organizing applications into functional groups (web, database, collaboration, etc.)
Document which applications are included in each group
Regularly review group membership to ensure it remains relevant

Policy Implementation

Use application groups in security policies to improve policy clarity
Review application group membership regularly as part of security audits
Consider the impact on existing policies when modifying group membership
Test policy behavior after making changes to application groups
Create separate groups for different security zones or requirements

Performance Considerations

Balance between using many specific groups versus fewer large groups
Group commonly used applications together to reduce the number of policy rules
Consider the impact on policy processing when designing application groups
Update application groups during maintenance windows if used in active policies
Monitor policy hit counts to optimize application groupings

Security Planning

Create application groups based on risk levels
Use separate groups for critical applications
Design application groups to support least-privilege access
Consider compliance requirements when organizing application groups
Document security rationale for group composition

application - Manage application objects
application_info - Retrieve information about application objects
application_group_info - Retrieve information about application groups
security_rule - Configure security policies that reference application groups
security_profiles_group - Manage security profile groups that may be applied to application traffic