PaloAltoNetworks/pan-os-ansible

panos_security_rule should allow address groups as source/dest params

ledgley opened this issue · 3 comments

Is your feature request related to a problem?

The panos_security_rule module does not allow using groups as the source and destination parameters. It only accepts IP addresses.

Describe the solution you'd like

Rather than allowing only IP addresses as the source_ip and destination_ip parameters, the panos_security_rule module should allow using address groups as source and destination.

Describe alternatives you've considered

None

Additional context

Using address groups in the source and destination means that when a new IP address is added to an existing service we only need to update the address group and all security rules will be updated as a result. Short of changing the way we manage our firewalls, the limitation is preventing us from automating firewall policy management with Ansible.

🎉 Thanks for opening your first issue here! Welcome to the community!

panos_security_rule.source_ip does accept address groups. Just give the address group name and as long as it's defined in PAN-OS it will work.

Looking at the documentation, it does seem like it has to be an address object or IP address, so I can see how that could be confusing. Will tweak the documentation on these params to make it more clear.
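An added example (not part of the original thread, and not taken from the project's documentation) of the behaviour described in the comment above: the group is defined in PAN-OS first, then referenced by name in `source_ip`. The inventory group, credential variables, object names, zones and addresses are constructed placeholders.

```yaml
# Added example: every name, zone and address below is a constructed placeholder.
- name: Reference an address group from a security rule
  hosts: firewall                # assumed inventory group
  connection: local
  gather_facts: false

  vars:
    provider:                    # assumed to be supplied via vault or extra vars
      ip_address: "{{ ip_address }}"
      username: "{{ username }}"
      password: "{{ password }}"

  tasks:
    - name: Create the address objects
      paloaltonetworks.panos.panos_address_object:
        provider: "{{ provider }}"
        name: "{{ item.name }}"
        value: "{{ item.value }}"
      loop:
        - { name: admin-host-1, value: 192.0.2.10 }
        - { name: admin-host-2, value: 192.0.2.11 }
        - { name: mgmt-srv, value: 198.51.100.5 }

    - name: Create the address group that the rule will reference
      paloaltonetworks.panos.panos_address_group:
        provider: "{{ provider }}"
        name: admin-hosts
        static_value:
          - admin-host-1
          - admin-host-2

    - name: Security rule that uses the group name as its source
      paloaltonetworks.panos.panos_security_rule:
        provider: "{{ provider }}"
        rule_name: allow-admin-ssh
        source_zone: [trust]
        destination_zone: [dmz]
        source_ip: [admin-hosts]   # address group name, not an IP address
        destination_ip: [mgmt-srv] # address object name
        application: [ssh]
        service: [application-default]
        action: allow
```

Adding a host later means changing only the `static_value` list of `admin-hosts`; the rule task stays untouched.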

🎉 This issue has been resolved in version 2.9.0 🎉

The release is available on Ansible Galaxy and GitHub release

Posted by semantic-release bot