Roles from my AnsibleFest 2019 presentation, Automating Firewall Requests with Tower
This is reference material only and the roles are not warranted/supported for any use case.
Use the slides available to AnsibleFest attendees together with this code to understand my process.
The specific roles for Palo and ACI may be largely reusable if you have those technologies in your environment.
Our naming conventions for F5 Virtual Servers, ACI EPGs and ACI BDs will help you understand the regex and parsing in the roles a bit more. You'll notice a lot of my code has to do with "unifying" the naming conventions between Palo, ACI and Cherwell: we have naming standards, but there is variation between systems.
ACI EPG: "EPG-{{ EPG_NAME }}"
ACI BD: "BD-{{ EPG_NAME }}-{{ TENANT_NAME }}"
When we import the EPG/BD and VIPs in Palo Panorama we use the following naming convention:
Object Syntax: [DATACENTER][TENANT][BDNAME][SUBNET][CIDR_MASK]
Group Syntax: [TENANT]_[BDNAME]
VIP Object Syntax: [DATACENTER][TENANT]VIP[FQDN][IP]_[CIDR_MASK]
Object Syntax, Subnets and Single IP: INTERNET_[SECONDLEVELDOMAIN][TLD][IP][CIDR_MASK]
Object Syntax, IP Range: INTERNET[SECONDLEVELDOMAIN][TLD][STARTIP][ENDIP]
Group Syntax: INTERNET[SECONDLEVELDOMAIN][TLD][A RECORD]
Service Syntax, Single Port: [PROTOCOL][PORT]
Service Syntax, Port Range: [PROTOCOL][STARTPORT][ENDPORT]
Application Objects
Application syntax
Application Groups syntax: [PROTOCOL][PORT]_[NAME]
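To show what the "unifying" parsing in the roles has to do, here is an added example (not code from the roles) that builds the ACI EPG/BD names and the Panorama subnet object and group names from the conventions above, then parses a Panorama object name back into its fields with a regex. It assumes the bracketed fields are joined with "_" (as in "[TENANT]_[BDNAME]") and that [BDNAME] in Panorama is the EPG_NAME part of the ACI BD name; the DC1/PROD/WEB values are constructed.

```python
import re
from ipaddress import ip_network

# Assumption: fields written as [A][B] on the page are joined with "_".
def aci_epg_name(epg_name: str) -> str:
    return f"EPG-{epg_name}"

def aci_bd_name(epg_name: str, tenant_name: str) -> str:
    return f"BD-{epg_name}-{tenant_name}"

def palo_subnet_object(datacenter: str, tenant: str, bdname: str, cidr: str) -> str:
    # strict=True rejects host bits set (10.1.2.5/24), so a typo in a request
    # cannot become a Panorama object that does not describe the real ACI subnet.
    net = ip_network(cidr, strict=True)
    return f"{datacenter}_{tenant}_{bdname}_{net.network_address}_{net.prefixlen}"

def palo_subnet_group(tenant: str, bdname: str) -> str:
    return f"{tenant}_{bdname}"

# Fields may contain letters, digits and "-" only, so "_" is unambiguous as the separator.
PALO_SUBNET_RE = re.compile(
    r"^(?P<datacenter>[A-Za-z0-9-]+)_(?P<tenant>[A-Za-z0-9-]+)_(?P<bdname>[A-Za-z0-9-]+)"
    r"_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_(?P<mask>\d{1,2})$"
)

def parse_palo_subnet_object(name: str) -> dict:
    m = PALO_SUBNET_RE.match(name)
    if m is None:
        raise ValueError(f"not a subnet object name: {name!r}")
    fields = m.groupdict()
    # Re-validate the address so 300.1.1.1_24 or 10.0.0.0_33 is rejected too.
    fields["cidr"] = str(ip_network(f"{fields['ip']}/{fields['mask']}", strict=True))
    return fields

def is_valid_subnet_object(name: str) -> bool:
    try:
        parse_palo_subnet_object(name)
        return True
    except ValueError:
        return False

def aci_bd_for_palo_object(name: str) -> str:
    """Map an imported Panorama object back to the ACI BD it came from
    (assumption: Panorama [BDNAME] == ACI EPG_NAME)."""
    f = parse_palo_subnet_object(name)
    return aci_bd_name(f["bdname"], f["tenant"])

if __name__ == "__main__":
    obj = palo_subnet_object("DC1", "PROD", "WEB", "10.20.30.0/24")
    print(obj, "->", aci_bd_for_palo_object(obj), palo_subnet_group("PROD", "WEB"))
```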
Only security groups in a specific OU whose names match "sec-ia-{{ ad_group_name }}" are used.