diff --git a/lib/ansible/module_utils/network/panos/panos.py b/lib/ansible/module_utils/network/panos/panos.py index 47624e04c2c..f50257dcf2a 100644 --- a/lib/ansible/module_utils/network/panos/panos.py +++ b/lib/ansible/module_utils/network/panos/panos.py @@ -34,6 +34,7 @@ HAS_PANDEVICE = True try: import pandevice from pandevice.base import PanDevice + from pandevice.firewall import Firewall from pandevice.panorama import DeviceGroup, Template, TemplateStack from pandevice.policies import PreRulebase, PostRulebase, Rulebase from pandevice.device import Vsys @@ -95,21 +96,32 @@ class ConnectionHelper(object): 'pandevice', pandevice.__version__, _vstr(self.min_pandevice_version))) - d, host_arg = None, None - if module.params['provider'] and module.params['provider']['host']: - d = module.params['provider'] - host_arg = 'host' - elif module.params['ip_address'] is not None: - d = module.params - host_arg = 'ip_address' + pan_device_auth, serial_number = None, None + if module.params['provider'] and module.params['provider']['ip_address']: + pan_device_auth = ( + module.params['provider']['ip_address'], + module.params['provider']['username'], + module.params['provider']['password'], + module.params['provider']['api_key'], + module.params['provider']['port'], + ) + serial_number = module.params['provider']['serial_number'] + elif module.params.get('ip_address', None) is not None: + pan_device_auth = ( + module.params['ip_address'], + module.params['username'], + module.params['password'], + module.params['api_key'], + module.params['port'], + ) + msg = 'Classic provider params are deprecated; use "provider" instead' + module.deprecate(msg, '2.12') else: - module.fail_json(msg='New or classic provider params are required.') + module.fail_json(msg='Provider params are required.') # Create the connection object. try: - self.device = PanDevice.create_from_device( - d[host_arg], d['username'], d['password'], - d['api_key'], d['port']) + self.device = PanDevice.create_from_device(*pan_device_auth) except PanDeviceError as e: module.fail_json(msg='Failed connection: {0}'.format(e)) @@ -120,6 +132,12 @@ class ConnectionHelper(object): 'PAN-OS', _vstr(self.device._version_info), _vstr(self.min_panos_version))) + # Optional: Firewall via Panorama connectivity specified. + if hasattr(self.device, 'refresh_devices') and serial_number: + fw = Firewall(serial=serial_number) + self.device.add(fw) + self.device = fw + parent = self.device not_found = '{0} "{1}" is not present.' pano_mia_param = 'Param "{0}" is required for Panorama but not specified.' @@ -221,7 +239,7 @@ class ConnectionHelper(object): # Spec: vsys or vsys_dg or vsys_importable. vsys_name = self.vsys_dg or self.vsys or self.vsys_importable if vsys_name is not None: - self.device.vsys = module.params[vsys_name] + parent.vsys = module.params[vsys_name] # Spec: rulebase. if self.rulebase is not None: @@ -294,18 +312,19 @@ def get_connection(vsys=None, device_group=None, 'type': 'dict', 'required_one_of': [['password', 'api_key'], ], 'options': { - 'host': {'required': True}, + 'ip_address': {'required': True}, 'username': {'default': 'admin'}, 'password': {'no_log': True}, 'api_key': {'no_log': True}, 'port': {'default': 443, 'type': 'int'}, + 'serial_number': {'no_log': True}, }, }, } if with_classic_provider_spec: spec['provider']['required'] = False - spec['provider']['options']['host']['required'] = False + spec['provider']['options']['ip_address']['required'] = False del(spec['provider']['required_one_of']) spec.update({ 'ip_address': {'required': False},