An Ansible role that gathers virtual machine IP addresses from vCenter and registers them in PAN-OS Dynamic Address Groups based on an associated VMware tag.
This role utilizes the Python libraries listed below. All are available via PyPI and may be installed using the pip installer. The use of virtualenv is recommended in order to avoid system library conflicts.
In addition, the vSphere Automation SDK is required for dynamic inventory discovery with VMware tag support. This SDK may be installed as follows:
$ git clone https://github.com/vmware/vsphere-automation-sdk-python.git
$ cd vsphere-automation-sdk-python
$ pip install --upgrade --force-reinstall -r requirements.txt --extra-index-url file:///<absolute_path_to_sdk>/lib
Support for TLS 1.0 was dropped in PAN-OS version 8.0, so the Ansible host must be able to negotiate TLS 1.1 or 1.2 with the firewall. Connecting to platforms running PAN-OS 8.0 or greater may therefore require updates to the OpenSSL and/or Python packages on the Ansible host. Minimum versions:
- OpenSSL 1.0.1 or greater (the first release with TLS 1.1 and 1.2 support)
- Python 2.7 or greater
Supported vCenter versions:
- vCenter 6.0, 6.5 and 6.7
The required variables are listed below, along with default values (see defaults/main.yml). vmware_tags is the list of VMware tags whose member virtual machines are synchronized, and panos_api_key can be supplied instead of panos_username and panos_password. Note that vmware_validate_certs defaults to False, which skips verification of the vCenter certificate; that is acceptable in a lab but should be set to True wherever the vCenter credentials matter:
# VMware variables
vmware_tags:
vmware_datacenter:
vmware_validate_certs: False
# PAN-OS variables
panos_address:
panos_username:
panos_password:
panos_api_key:
A minimal playbook that applies the role (it runs against localhost because the role talks to vCenter and PAN-OS over their APIs rather than to the inventory hosts):
---
- name: Synchronize tagged vCenter virtual machines with PAN-OS
hosts: localhost
connection: local
gather_facts: no
roles:
- stealthllama.vmware_dagger
This role leverages the vmware_vm_inventory Dynamic Inventory plugin to inventory vSphere virtual machines and group them by their tag values.
The vmware_vm_inventory plugin utilizes the following environment variables:
$ export VMWARE_SERVER="<vcenter hostname/ip-address>"
$ export VMWARE_USERNAME="<vcenter username>"
$ export VMWARE_PASSWORD="<vcenter password>"
A plugin configuration file called vmware.yml is required and should contain the following:
---
plugin: vmware_vm_inventory
validate_certs: False
with_tags: True
With validate_certs: False the plugin accepts any certificate vCenter presents, so the VMWARE_USERNAME and VMWARE_PASSWORD values could be captured by anyone able to interpose on the path to vCenter. Set it to True once vCenter presents a certificate signed by a CA the Ansible host trusts.
The Dynamic Inventory plugin can be tested using the following command:
ansible-inventory -i vmware.yml --graph
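What the role has to do with those tag groups, shown as an added example rather than the role's own code: collect the guest IP of every host in the selected tag groups, compare the result with the (IP, tag) pairs the firewall already holds, and render the PAN-OS User-ID XML API "update" message that registers the missing pairs and unregisters stale ones. A Dynamic Address Group whose match criterion is the tag name then tracks the tagged VMs. The inventory data, the current registrations and the hostvar name guest.ipAddress are all assumptions constructed for the example; the block performs no network I/O (a real sync would post the message to /api/?type=user-id&cmd=... and read current registrations with the show object registered-ip operational command).

```python
"""Added example (not code from the vmware_dagger role): plan and render
PAN-OS User-ID registrations from tag-based inventory groups."""
import xml.etree.ElementTree as ET

# Constructed sample in the JSON shape `ansible-inventory --list` prints:
# one group per VMware tag plus _meta.hostvars. The name of the hostvar
# that carries the guest IP ("guest.ipAddress") is an assumption.
SAMPLE_INVENTORY = {
    "Tag1": {"hosts": ["web01", "web02", "poweredoff01"]},
    "Tag2": {"hosts": ["web02", "db01"]},
    "Unrelated": {"hosts": ["jump01"]},
    "_meta": {"hostvars": {
        "web01": {"guest.ipAddress": "10.0.1.11"},
        "web02": {"guest.ipAddress": "10.0.1.12"},
        "db01": {"guest.ipAddress": "10.0.2.21"},
        "jump01": {"guest.ipAddress": "10.0.9.9"},
        "poweredoff01": {"guest.ipAddress": ""},   # no VMware Tools / powered off
    }},
}

# Constructed: what the firewall already holds. 10.0.3.5 lost its Tag1
# tag in vCenter and must be unregistered; "Manual" belongs to another
# source and must be left alone.
SAMPLE_CURRENT = {
    "10.0.1.11": {"Tag1"},
    "10.0.3.5": {"Tag1", "Manual"},
}


def desired_registrations(inventory, tags, ip_key="guest.ipAddress"):
    """Map IP -> set of tags for hosts in the selected tag groups.
    Hosts without a reported IP are skipped rather than registered as ''."""
    hostvars = inventory.get("_meta", {}).get("hostvars", {})
    desired = {}
    for tag in tags:
        for host in inventory.get(tag, {}).get("hosts", []):
            ip = hostvars.get(host, {}).get(ip_key, "")
            if ip:
                desired.setdefault(ip, set()).add(tag)
    return desired


def plan_changes(desired, current, managed_tags):
    """Return (register, unregister), each IP -> set of tags. Only tags in
    managed_tags are ever removed, so registrations made by other sources
    survive a sync."""
    managed = set(managed_tags)
    register, unregister = {}, {}
    for ip in set(desired) | set(current):
        want = desired.get(ip, set()) & managed
        have = current.get(ip, set()) & managed
        if want - have:
            register[ip] = want - have
        if have - want:
            unregister[ip] = have - want
    return register, unregister


def build_uid_message(register, unregister, persistent=True):
    """Render the User-ID API <uid-message> of type 'update' as bytes."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, changes in (("register", register), ("unregister", unregister)):
        if not changes:
            continue
        section = ET.SubElement(payload, action)
        for ip in sorted(changes):
            entry = ET.SubElement(section, "entry", ip=ip)
            if action == "register" and persistent:
                entry.set("persistent", "1")   # survive a firewall reboot
            tag_el = ET.SubElement(entry, "tag")
            for tag in sorted(changes[ip]):
                ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="utf-8")


def parse_uid_message(msg):
    """Parse a uid-message back into {action: {ip: [tags]}} so the planned
    change can be reviewed before it is sent."""
    root = ET.fromstring(msg)
    return {
        section.tag: {e.get("ip"): [m.text for m in e.findall("tag/member")]
                      for e in section.findall("entry")}
        for section in root.find("payload")
    }


def sync_message(inventory=SAMPLE_INVENTORY, current=SAMPLE_CURRENT,
                 tags=("Tag1", "Tag2")):
    """Full pass over the constructed data: returns (register, unregister, xml)."""
    desired = desired_registrations(inventory, tags)
    register, unregister = plan_changes(desired, current, tags)
    return register, unregister, build_uid_message(register, unregister)


if __name__ == "__main__":
    reg, unreg, msg = sync_message()
    print("register:", reg)
    print("unregister:", unreg)
    print(msg.decode())
```

The managed-tag filter in plan_changes is the part worth keeping: a naive sync that unregisters every tag it does not know about would silently strip registrations made by other automation or by hand, and the resulting policy change is hard to trace back to a vCenter tag edit.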
The playbook requires a number of variables to run successfully. These variables may be defined in a separate YAML file, provided on the command line with the --extra-vars flag, or provided via the Ansible Tower API. Because the PAN-OS credentials are among them, prefer the variables-file form with the file encrypted using ansible-vault: values passed on the command line are recorded in shell history and visible to other users in the process list.
Variables file:
$ ansible-playbook -i vmware.yml myplaybook.yml --extra-vars=@<path to variables file>
Command line (JSON):
$ ansible-playbook -i vmware.yml myplaybook.yml --extra-vars='{"vmware_tags":["Tag1","Tag2"],"vmware_datacenter":"MyLab","panos_address":"10.0.0.1","panos_username":"admin","panos_password":"s3cr3tp@ssw0rd"}'
Command line (YAML):
$ ansible-playbook -i vmware.yml myplaybook.yml --extra-vars='
vmware_tags:
- Tag1
- Tag2
vmware_datacenter: MyLab
panos_address: 10.0.0.1
panos_username: admin
panos_password: s3cr3tp@ssw0rd
'
License: Apache 2.0
Role created by Robert Hagen (@stealthllama).