PaloAltoNetworks · mrichardson03 · Jun 14, 2021 · Jun 2, 2021 · Jun 2, 2021 · Jun 2, 2021
diff --git a/.gitignore b/.gitignore
@@ -74,6 +74,9 @@ ENV/
 # PyCharm / IntelliJ
 .idea
 
+# VS Code
+.vscode
+
 # Configtree diagram generated by sphinx
 docs/_diagrams
 

diff --git a/.vscode/settings.json b/.vscode/settings.json
diff --git a/Makefile b/Makefile
@@ -18,7 +18,7 @@ else ifneq (ansible_collections,$(toplevel))
 endif
 
 python_version := $(shell \
-  python -c 'import sys; print(".".join(map(str, sys.version_info[:2])))' \
+  python3 -c 'import sys; print(".".join(map(str, sys.version_info[:2])))' \
 )
 
 

diff --git a/plugins/modules/panos_security_rule.py b/plugins/modules/panos_security_rule.py
@@ -244,6 +244,10 @@
         description:
             - Exclude this rule from the listed firewalls in Panorama.
         type: bool
+    audit_comment:
+        description:
+            - Add an audit comment to the rule being defined.
+        type: str
 """
 
 EXAMPLES = """
@@ -338,7 +342,7 @@
 
 try:
     from panos.errors import PanDeviceError
-    from panos.policies import SecurityRule
+    from panos.policies import RuleAuditComment, SecurityRule
 except ImportError:
     try:
         from pandevice.errors import PanDeviceError
@@ -410,6 +414,7 @@ def main():
             location=dict(choices=["top", "bottom", "before", "after"]),
             existing_rule=dict(),
             commit=dict(type="bool", default=False),
+            audit_comment=dict(type="str"),
             # TODO(gfreeman) - remove this in the next role release.
             devicegroup=dict(),
         ),
@@ -481,6 +486,7 @@ def main():
     location = module.params["location"]
     existing_rule = module.params["existing_rule"]
     commit = module.params["commit"]
+    audit_comment = module.params["audit_comment"]
 
     # Retrieve the current rules.
     try:
@@ -499,6 +505,10 @@ def main():
     if module.params["state"] == "present":
         changed |= helper.apply_position(new_rule, location, existing_rule, module)
 
+    # Add the audit comment, if applicable.
+    if changed and audit_comment and not module.check_mode:
+        new_rule.opstate.audit_comment.update(audit_comment)
+
     # Optional commit.
     if changed and commit:
         helper.commit(module)

diff --git a/tests/integration/firewall/test_panos_security_rule.yml b/tests/integration/firewall/test_panos_security_rule.yml
@@ -13,6 +13,7 @@
     application: ['ssh']
     action: 'allow'
     device_group: '{{ device_group | default(omit) }}'
+    audit_comment: 'Test audit comment'
   register: result
 
 - name: test_panos_security_rule - Assert create was successful
@@ -33,6 +34,7 @@
     application: ['ssh']
     action: 'allow'
     device_group: '{{ device_group | default(omit) }}'
+    audit_comment: 'Testing audit_comment'
   register: result
 
 - name: test_panos_security_rule - Assert create (idempotence) was successful
-Original file line number
+Diff line change
@@ Expand Up / @@ -18,7 +18,7 @@ else ifneq (ansible_collections,$(toplevel)) @@
     endif
     python_version := $(shell \
-      python -c 'import sys; print(".".join(map(str, sys.version_info[:2])))' \
+      python3 -c 'import sys; print(".".join(map(str, sys.version_info[:2])))' \
     )
@@ Expand Down @@