Ansible problem - The task includes an option with an undefined variable. The error was: 'provider'

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Ansible problem - The task includes an option with an undefined variable. The error was: 'provider'

L1 Bithead

So i am very new to using ansible with Panorama/Palo Alto firewall. I am doing a test on my test lab pano to see if i can push test rule over to panorama. Here is my yml file

 

---
- name: Create test new rule playbook
hosts: all
connection: local

roles:
- role: paloaltonetworks.paloaltonetworks

tasks:
- name: Add test pre-rule to panorama
panos_security_rule:
provider: '{{ provider }}'
rule_name: 'Ansible test 1'
description: 'An Ansible test pre-rule'
source_zone: ['Corp']
destination_zone: ['cs-user']
source_ip: ['1.2.3.4']
source_user: ['any']
destination_ip: ['any']
category: ['any']
application: ['any']
service: ['any']
hip_profiles: ['any']
action: 'allow'
device_group: 'test-group'
commit: False

 

When i try to run the playbook this is what i see

 


PLAY [Create test new rule playbook] ***********************************************************************************
TASK [Gathering Facts] *************************************************************************************************[DEPRECATION WARNING]: Distribution Ubuntu 18.04 on host 10.2.3.10 should use /usr/bin/python3, but is using
/usr/bin/python for backward compatibility with prior Ansible releases. A future Ansible release will default to using
the discovered platform python for this host. See
https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information. This feature
will be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.
ok: [10.2.3.10]

TASK [paloaltonetworks.paloaltonetworks : Install pan-python required library] *****************************************changed: [10.2.3.10]

TASK [paloaltonetworks.paloaltonetworks : Install pandevice required library] ******************************************changed: [10.2.3.10]

TASK [paloaltonetworks.paloaltonetworks : Install xmltodict required library] ******************************************changed: [10.2.3.10]

TASK [Add test pre-rule to panorama] ***********************************************************************************fatal: [10.2.3.10]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'provider' is undefined\n\nThe error appears to be in '/etc/ansible/testbook2.yml': line 10, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n tasks:\n - name: Add test pre-rule to panorama\n ^ here\n"}

PLAY RECAP *************************************************************************************************************10.2.3.10 : ok=4 changed=3 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

 

So what could be wrong here? I still don't get the provider setting yet, did i put it wrongly? Also may i ask what does the " provider: '{{ provider }}'" means on the playbook? Is provider some sort of a value i need to add in? I dont get what provider means and what value should i put as i just got this from an example here. 

 

Also is there some library that i am missing form these?

Install pan-python required library

Install pandevice required library

Install xmltodict required library

 

I see some example it should be "PIP" wording instead of the 3 above right?

 

Any help would be greatly appreciated. 

6 REPLIES 6

L5 Sessionator

provider is a param that you're passing in to panos_security_rule, while the '{{ provider }}' part says, "use the variable "provider" that is somehow being brought into this playbook.

 

You can specify credentials a few different ways:

  • Load it from a file; this is fine if you're just playing around.  Just create another YAML file in the same directory as your playbook and do this, except with real values:
    provider:
      ip_address: '10.1.1.1'
      username: 'admin'
      password: 'secret'​
  • Get the credentials from Ansible Vault; this is the preferred way if you're using Ansible in production

 

Just as a side note, the Palo Alto Networks Ansible role is now deprecated in favor of the collection, which is on Ansible Galaxy as paloaltonetworks.panos.  The repo for the new collection is here, and also keep in mind that collections require that you are using Ansible 2.9+.

Hi,

 

So does this mean that i need to create a "provider.yml" file on the same folder as my main playbook. I still need to define the ip address and put in the username and password?

 

Now i am getting this error after changing it to "collections:" from "roles:"

 

TASK [Add test pre-rule to panorama] ***********************************************************************************
fatal: [10.2.3.10]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'provider' is undefined\n\nThe error appears to be in '/etc/ansible/testbook2.yml': line 10, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n tasks:\n - name: Add test pre-rule to panorama\n ^ here\n"}

PLAY RECAP *************************************************************************************************************
10.2.3.10 : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

I had the same problem, you can call your provider details in from a script as you described but at the moment I have set my ansible playbook up like this. so i call the the '{{ provider }}' from a variable called provider 

 

---

hostslocalhost
  connectionlocal
  gather_factsFalse
 
  roles:
    - rolePaloAltoNetworks.paloaltonetworks

  vars:
   provider:
    ip_address'123.123.123.123'
    username'superuser'
    password'SuperSecretPassword!!'

 

 

If you created a file "provider.yml" that has the auth credentials in it, then you just tell Ansible to load that file at the beginning of your "tasks":

  tasks:
  - name: Grab auth creds
    include_vars:  'provider.yml'
    no_log: 'yes'

Okay the VARS works for me now. Thanks for that and now it all make sense. 

 

On another note, what if i have multiple device group on the same pano that i want to add i new rule, take this for example i have "DG1" an "DG2" i want to craete, some how the line below didnt work for me

 

device_group: 'DG1' 'DG2'

 

Can't i put both device group name on the same task together? Or must this be done on a separate task that specify only single device group?

You can use standard Ansible looping to do this.  You have both Ansible filters and Jinja2 templating functions available to use in playbooks.  This blog post shows a little bit of looping and walks through using facts modules to do updates to existing config:

 

https://live.paloaltonetworks.com/t5/Automation-API-Blog/Ansible-Using-Facts-Modules-to-do-Updates/b...

  • 30317 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!