Example scenarions

Author: ppiwowa-csco

plugins/modules/policy.py

@@ -210,12 +210,14 @@ def run_module():
             object_endpoint = module.session.api.policy.security
             policy_definition = module.params.get("security")
 
-        all_policies: DataSequence[CentralizedPolicyInfo | LocalizedPolicyInfo | AnySecurityPolicyInfo] = module.get_response_safely(object_endpoint.get)
+        all_policies: DataSequence[CentralizedPolicyInfo | LocalizedPolicyInfo | AnySecurityPolicyInfo] = (
+            module.get_response_safely(object_endpoint.get)
+        )
         if module.params.get("security"):
             all_policies = all_policies.security
-        filtered_definitions: Optional[DataSequence[CentralizedPolicyInfo | LocalizedPolicyInfo | AnySecurityPolicyInfo]] = all_policies.filter(
-            policy_name=object_name
-        )
+        filtered_definitions: Optional[
+            DataSequence[CentralizedPolicyInfo | LocalizedPolicyInfo | AnySecurityPolicyInfo]
+        ] = all_policies.filter(policy_name=object_name)
         if filtered_definitions:
             existing_object: DataSequence[CentralizedPolicy | LocalizedPolicy | SecurityPolicy] = [
                 module.get_response_safely(object_endpoint.get, id=filtered_definitions[0].policy_id)
@@ -309,7 +311,7 @@ def run_module():
                         device_action.wait_for_completed()
                     object_endpoint.edit(policy=object_to_create)
                 elif module.params.get("localized") or module.params.get("security"):
-                    object_endpoint.edit(policy=object_to_create)
+                    object_endpoint.edit(id=existing_object_id, policy=object_to_create)
                 elif module.params.get("definition"):
                     object_endpoint.edit(
                         id=existing_object_id,

roles/policies/defaults/main.yml

@@ -0,0 +1,19 @@
+# Copyright 2025 Cisco Systems, Inc. and its affiliates
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+---
+
+policies: {}
+default_policy:
+  name: "Ansible Managed centralized policy"
+  hub_and_spoke: []
+  mesh: []
+  acl_policy: []
+  app_route: []
+  geolocation_block: []
+
+combined_policies: "{{ default_policy | combine(policies, recursive=True) }}"
+
+created_centralized_policies: []
+created_localized_policies: []
+created_security_policies: []

roles/policies/meta/main.yml

@@ -0,0 +1,15 @@
+---
+
+galaxy_info:
+  author: Piotr Piwowarski <[email protected]>
+  description: Allow user to configure pre defined policies in Cisco SD-WAN
+  license: GPL-3.0-or-later
+  min_ansible_version: "2.16.6"
+
+  galaxy_tags:
+    - cisco
+    - sdwan
+    - catalystwan
+    - networking
+
+dependencies: []

roles/policies/tasks/acl_policy.yml

@@ -0,0 +1,51 @@
+# Copyright 2025 Cisco Systems, Inc. and its affiliates
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+---
+- name: "Create acl policy {{ policy_item['name'] }}"
+  cisco.catalystwan.policy:
+    name: "{{ policy_item['name'] }}"
+    definition:
+      type: "access_control_list"
+      sequences: "{{ _sequences | from_yaml }}"
+    manager_credentials:
+      url: "{{ (vmanage_instances | first).mgmt_public_ip }}"
+      username: "{{ (vmanage_instances | first).admin_username }}"
+      password: "{{ (vmanage_instances | first).admin_password }}"
+  register: result_policy
+  vars:
+    _sequences: |
+      - sequenceId: 1
+      {% if "next_hop" in policy_item['action'] %}
+        actions:
+          - type: set
+            parameter:
+              - field: nextHop
+                value: "{{ policy_item['action']['next_hop'] }}"
+      {% endif %}
+        match:
+          entries:
+      {% if "source_port" in policy_item['match'] %}
+            - field: sourcePort
+              value: "{{ policy_item['match']['source_port'] }}"
+      {% endif %}
+      {% if "destination_port" in policy_item['match'] %}
+            - field: destinationPort
+              value: "{{ policy_item['match']['destination_port'] }}"
+      {% endif %}
+      {% if "source_ip" in policy_item['match'] %}
+            - field: sourceIp
+              value: "{{ policy_item['match']['source_ip'] }}"
+      {% endif %}
+      {% if "destination_ip" in policy_item['match'] %}
+            - field: destinationIp
+              value: "{{ policy_item['match']['destination_ip'] }}"
+      {% endif %}
+
+- name: Save policy id
+  ansible.builtin.set_fact:
+    created_localized_policies: "{{ created_localized_policies + [_created_policy] }}"
+  vars:
+    _created_policy:
+      type: acl
+      definitionId: "{{ result_policy['id'] }}"

roles/policies/tasks/app_route.yml

@@ -0,0 +1,73 @@
+# Copyright 2025 Cisco Systems, Inc. and its affiliates
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+---
+- name: "Create SLA class list for application route policy {{ policy_item['name'] }}"
+  cisco.catalystwan.policy:
+    name: "{{ policy_item['name'] }}_sla"
+    list:
+      type: "sla"
+      entries:
+        - loss: "{{ policy_item['action']['sla_class']['loss'] }}"
+          latency: "{{ policy_item['action']['sla_class']['latency'] }}"
+          jitter: "{{ policy_item['action']['sla_class']['jitter'] }}"
+    manager_credentials:
+      url: "{{ (vmanage_instances | first).mgmt_public_ip }}"
+      username: "{{ (vmanage_instances | first).admin_username }}"
+      password: "{{ (vmanage_instances | first).admin_password }}"
+  when: "'sla_class' in policy_item['action']"
+  register: result_sla_class
+
+- name: "Create application route policy {{ policy_item['name'] }}"
+  cisco.catalystwan.policy:
+    name: "{{ policy_item['name'] }}"
+    definition:
+      type: "app_route"
+      sequences: "{{ _sequences | from_yaml }}"
+    manager_credentials:
+      url: "{{ (vmanage_instances | first).mgmt_public_ip }}"
+      username: "{{ (vmanage_instances | first).admin_username }}"
+      password: "{{ (vmanage_instances | first).admin_password }}"
+  register: result_policy
+  vars:
+    _sequences: |
+      - sequenceId: 1
+        actions:
+      {% if "counter" in policy_item['action'] %}
+          - type: count
+            parameter: "{{ policy_item['action']['counter'] }}"
+      {% endif %}
+      {% if "log" in policy_item['action'] %}
+          - type: log
+            parameter: "{{ policy_item['action']['log'] }}"
+      {% endif %}
+      {% if "log" in policy_item['action'] %}
+          - type: slaClass
+            parameter: "{{ policy_item['action']['sla_class'] }}"
+      {% endif %}
+        match:
+          entries:
+      {% if "source_port" in policy_item['match'] %}
+            - field: sourcePort
+              value: "{{ policy_item['match']['source_port'] }}"
+      {% endif %}
+      {% if "destination_port" in policy_item['match'] %}
+            - field: destinationPort
+              value: "{{ policy_item['match']['destination_port'] }}"
+      {% endif %}
+      {% if "source_ip" in policy_item['match'] %}
+            - field: sourceIp
+              value: "{{ policy_item['match']['source_ip'] }}"
+      {% endif %}
+      {% if "destination_ip" in policy_item['match'] %}
+            - field: destinationIp
+              value: "{{ policy_item['match']['destination_ip'] }}"
+      {% endif %}
+
+- name: Save policy id
+  ansible.builtin.set_fact:
+    created_centralized_policies: "{{ created_centralized_policies + [_created_policy] }}"
+  vars:
+    _created_policy:
+      type: appRoute
+      definitionId: "{{ result_policy['id'] }}"

roles/policies/tasks/example-forwarding-qos.yml

@@ -1,5 +1,5 @@
 ---
-# Copyright 2024 Cisco Systems, Inc. and its affiliates
+# Copyright 2025 Cisco Systems, Inc. and its affiliates
 # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
 
 # https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/qos/vEdge-20-x/qos-book/forwarding-qos.html#Cisco_Concept.dita_aa3e0d07-462e-463f-8f45-681f38f61ab0

roles/policies/tasks/geolocation_block.yml

@@ -0,0 +1,72 @@
+# Copyright 2025 Cisco Systems, Inc. and its affiliates
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+---
+- name: "Create source zone for geolocation block policy {{ policy_item['name'] }}"
+  cisco.catalystwan.policy:
+    name: "{{ policy_item['name'] }}_src"
+    list:
+      type: "zone"
+      entries:
+        - vpn: "{{ policy_item['source_vpn'] }}"
+    manager_credentials:
+      url: "{{ (vmanage_instances | first).mgmt_public_ip }}"
+      username: "{{ (vmanage_instances | first).admin_username }}"
+      password: "{{ (vmanage_instances | first).admin_password }}"
+  register: result_source_zone
+
+- name: "Create destination zone for geolocation block policy {{ policy_item['name'] }}"
+  cisco.catalystwan.policy:
+    name: "{{ policy_item['name'] }}_dst"
+    list:
+      type: "zone"
+      entries:
+        - vpn: "{{ policy_item['destination_vpn'] }}"
+    manager_credentials:
+      url: "{{ (vmanage_instances | first).mgmt_public_ip }}"
+      username: "{{ (vmanage_instances | first).admin_username }}"
+      password: "{{ (vmanage_instances | first).admin_password }}"
+  register: result_destination_zone
+
+
+- name: "Create security policy {{ policy_item['name'] }}"
+  cisco.catalystwan.policy:
+    name: "{{ policy_item['name'] }}"
+    definition:
+      type: "zone_based_firewall"
+      definition:
+        entries:
+          - sourceZone: "{{ result_source_zone['id'] }}"
+            destinationZone: "{{ result_destination_zone['id'] }}"
+        sequences: "{{ _sequences | from_yaml }}"
+    manager_credentials:
+      url: "{{ (vmanage_instances | first).mgmt_public_ip }}"
+      username: "{{ (vmanage_instances | first).admin_username }}"
+      password: "{{ (vmanage_instances | first).admin_password }}"
+  register: result_policy
+  vars:
+    _sequences: |
+      - sequenceId: 1
+        sequenceName: sequence 1
+        match:
+          entries:
+      {% for geolocation in policy_item['geolocations'] %}
+            - field: sourceGeoLocation
+              value: "{{ geolocation }}"
+      {% endfor %}
+      - sequenceId: 2
+        sequenceName: sequence 2
+        match:
+          entries:
+      {% for geolocation in policy_item['geolocations'] %}
+            - field: destinationGeoLocation
+              value: "{{ geolocation }}"
+      {% endfor %}
+
+- name: Save policy id
+  ansible.builtin.set_fact:
+    created_security_policies: "{{ created_security_policies + [_created_policy] }}"
+  vars:
+    _created_policy:
+      type: zoneBasedFW
+      definitionId: "{{ result_policy['id'] }}"

roles/policies/tasks/hub_and_spoke.yml

@@ -0,0 +1,80 @@
+# Copyright 2025 Cisco Systems, Inc. and its affiliates
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+---
+- name: "Create vpn list for hub and spoke policy {{ policy_item['name'] }}"
+  cisco.catalystwan.policy:
+    name: "{{ policy_item['name'] }}_vpn"
+    list:
+      type: "vpn"
+      entries: "{{ _entries | from_yaml }}"
+    manager_credentials:
+      url: "{{ (vmanage_instances | first).mgmt_public_ip }}"
+      username: "{{ (vmanage_instances | first).admin_username }}"
+      password: "{{ (vmanage_instances | first).admin_password }}"
+  register: result_vpn_list
+  vars:
+    _entries: |
+      {% for id in policy_item['vpns'] %}
+      - vpn: {{ id }}
+      {% endfor %}
+
+- name: "Create hub list for hub and spoke policy {{ policy_item['name'] }}"
+  cisco.catalystwan.policy:
+    name: "{{ policy_item['name'] }}_hub"
+    list:
+      type: "site"
+      entries: "{{ _entries | from_yaml }}"
+    manager_credentials:
+      url: "{{ (vmanage_instances | first).mgmt_public_ip }}"
+      username: "{{ (vmanage_instances | first).admin_username }}"
+      password: "{{ (vmanage_instances | first).admin_password }}"
+  register: result_hub_list
+  vars:
+    _entries: |
+      {% for id in policy_item['hubs'] %}
+      - site_id: "{{ id }}"
+      {% endfor %}
+
+- name: "Create spoke list for hub and spoke policy {{ policy_item['name'] }}"
+  cisco.catalystwan.policy:
+    name: "{{ policy_item['name'] }}_spoke"
+    list:
+      type: "site"
+      entries: "{{ _entries | from_yaml }}"
+    manager_credentials:
+      url: "{{ (vmanage_instances | first).mgmt_public_ip }}"
+      username: "{{ (vmanage_instances | first).admin_username }}"
+      password: "{{ (vmanage_instances | first).admin_password }}"
+  register: result_spoke_list
+  vars:
+    _entries: |
+      {% for id in policy_item['spokes'] %}
+      - site_id: "{{ id }}"
+      {% endfor %}
+
+- name: "Create hub and spoke policy {{ policy_item['name'] }}"
+  cisco.catalystwan.policy:
+    name: "{{ policy_item['name'] }}"
+    definition:
+      type: "hub_and_spoke"
+      definition:
+        vpnList: "{{ result_vpn_list['id'] }}"
+        subDefinitions:
+          - spokes:
+              - siteList: "{{ result_spoke_list['id'] }}"
+                hubs:
+                  - siteList: "{{ result_spoke_list['id'] }}"
+    manager_credentials:
+      url: "{{ (vmanage_instances | first).mgmt_public_ip }}"
+      username: "{{ (vmanage_instances | first).admin_username }}"
+      password: "{{ (vmanage_instances | first).admin_password }}"
+  register: result_policy
+
+- name: Save policy id
+  ansible.builtin.set_fact:
+    created_centralized_policies: "{{ created_centralized_policies + [_created_policy] }}"
+  vars:
+    _created_policy:
+      type: hubAndSpoke
+      definitionId: "{{ result_policy['id'] }}"