Hi everyone,
My name is Brian Torres-Gil and my team develops the Ansible modules. First off, thanks so much for the candid discussion on this thread. I'll try to collect and respond to the concerns I see.
1. Topic: Ansible modules don't cover all the API functionality we need
True, and we're aware there are several modules needed. The 2.0 module release that came out recently delivered idempotency in the modules, meaning you can now declare the final configuration state in your playbook without worrying about the steps to get there or the current state of the device. This is a significant enhancement and required an overhaul of almost every module, which didn't allow us time to add all the modules we'd like to. Now that it's complete and released, we're considering the highest priority modules that customers have asked for, and we'd greatly value your feedback. The timing is perfect, so share the modules you'd like to see here! Try to be as clear as possible about the firewall configuration you need to modify and the use case for modifying it, so we can better prioritize your request. Thanks!!
2. Topic: The only way to get help is to post anonymously on GitHub, though questions are normally answered quite soon
Since Ansible and our modules are open source, we've found GitHub to be a great way to keep connected with customers. The advantage of this approach is you have direct access to the developers and direct visibility to bugs and fixes. We understand that this can be different from the TAC-based support model you may be used to for paid products. If there are specific suggestions that would get you the help you need more effectively, we are very interested. Please let us know.
3. Topic: External 3rd party modules are not a good fit for enterprise customers
We've been overloading the term "module" since we've used the term for the Ansible modules and the python external modules. So I'll use the term "library" here instead of "module" to avoid confusion. There are 3 python libraries that the Ansible modules depend on:
- pandevice (aka. Palo Alto Networks Device Framework for python)
- pan-python
- xmltodict
I don't completely understand the concern with these libraries, so I have a few questions to clarify it.
I see these libraries being referred to as 'external' libraries. Do you mean 'external' as in "not part of the python standard libraries"? Or does external mean something else in this context? Are libraries in the python standard library acceptable (such as the 'logging' module)? I'm having trouble understanding what is different about a non-standard library pulled down by our Ansible modules and a non-standard library pulled down by Ansible itself, since Ansible relies on many libraries that are not part of the python standard library.
I also see these 3 libraries referred to as '3rd party', but to clarify, only xmltodict is 3rd party. The pandevice and pan-python libraries are developed by the same team that develops the Ansible modules, here at Palo Alto Networks.
The 'xmltodict' library is the only 3rd party library, but it's used by thousands of projects in production, so we didn't anticipate a concern with it. Let us know if this library is still a concern.
All three libraries should be installed with 'pip' (just like Ansible is installed with 'pip') so you shouldn't need to install them from GitHub or any website. The install process is consistent with Ansible.
I hope that helps! Very interested in your feedback on the above and continuing the discussion. Thanks!
-Brian