Ansible - central firewall management

Hello,

In our company we want to allow central firewall management; all of the Ansible code is in Git. So the idea is to add a role where we define per host or host group which rules are applicable.

When the role is added / executed on the host it should check if any rules are applicable.
We are using AWX to do the scheduled checking.

Is there any existing module that does such a thing?

Tried to fiddle around with it but can't get it to work for multiple hosts; below is my attempt.

handlers/main.yml

---
- name: Reload Firewall
  ansible.builtin.service:
    name: firewalld
    state: reloaded

tasks/main.yml

---
- name: Create Firewall rules XML files for each server
  ansible.builtin.template:
    src: "templates/firewall_rules.xml.j2"
    dest: "/etc/firewalld/services/{{ item.key }}.xml"
    mode: "0600"
  loop: "{{ firewall_ports | dict2items }}"
  when: item.key == inventory_hostname
  notify: Reload Firewall

- name: Ensure firewall rules are loaded and applied
  ansible.posix.firewalld:
    service: "{{ item.key }}"
    state: enabled
    permanent: true
    immediate: true
  loop: "{{ firewall_ports | dict2items }}"
  when: item.key == inventory_hostname
  notify: Reload Firewall

templates/firewall_rules.xml.j2

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>{{ item.key }} Rules</short>
  <description>Firewall rules for {{ item.key }}</description>
  {% for port in item.value %}
  <port protocol="{{ port.split('/')[1] }}" port="{{ port.split('/')[0] }}"/>
  {% endfor %}
</service>

vars/main.yml

---
# vars file for firewall-management
firewall_ports:
  alain-test:
    - 443/tcp
    - 25/tcp
  NETBOX-01:
    - 80/tcp
    - 443/tcp
    - 25/tcp

This is the error returned when running on multiple hosts:

failed: [NETBOX-01] (item={'key': 'NETBOX-01', 'value': ['80/tcp', '443/tcp', '25/tcp']}) => {"ansible_loop_var": "item", "changed": false, "item": {"key": "NETBOX-01", "value": ["80/tcp", "443/tcp", "25/tcp"]}, "msg": "ERROR: Exception caught: org.fedoraproject.FirewallD1.Exception: INVALID_SERVICE: NETBOX-01 Permanent and Non-Permanent(immediate) operation, Services are defined by port/tcp relationship and named as they are in /etc/services (on most systems)"}
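Added example (editor's code, not the original poster's role): the INVALID_SERVICE error above is the behaviour you get when a service file has just been written to /etc/firewalld/services/ but firewalld has not been reloaded yet. The template task notifies the "Reload Firewall" handler, but handlers only run at the end of the play, so when the firewalld task runs with immediate: true the runtime configuration does not know a service called NETBOX-01 yet and the D-Bus call fails. The tasks/main.yml below keeps the same design (one firewalld service named after the host, reloaded by the poster's handler) but flushes the handler before enabling the service, looks the host up directly instead of looping over every host with a when, and rejects malformed entries before touching the firewall. The variable name host_fw_ports and the inline service XML are assumptions introduced here; the handler name "Reload Firewall" and the firewall_ports dictionary layout are taken from the post.

```yaml
# roles/firewall-management/tasks/main.yml  (added example, not the poster's code)
---
- name: Select this host's port list (empty list when the host has no entry)
  ansible.builtin.set_fact:
    host_fw_ports: "{{ firewall_ports[inventory_hostname] | default([]) }}"

- name: Refuse malformed entries before changing anything
  ansible.builtin.assert:
    that:
      - host_fw_ports | reject('match', '^[0-9]+(-[0-9]+)?/(tcp|udp|sctp|dccp)$') | length == 0
    fail_msg: "firewall_ports[{{ inventory_hostname }}] must contain entries like 443/tcp"

# The service is named after the host, so the file name and the name passed to
# the firewalld module are guaranteed to match. The XML is rendered inline
# (assumed layout, equivalent to the poster's firewall_rules.xml.j2).
- name: Write the firewalld service definition for this host
  ansible.builtin.copy:
    dest: "/etc/firewalld/services/{{ inventory_hostname }}.xml"
    mode: "0600"
    content: |
      <?xml version="1.0" encoding="utf-8"?>
      <service>
        <short>{{ inventory_hostname }} Rules</short>
        <description>Firewall rules for {{ inventory_hostname }}</description>
      {% for port in host_fw_ports %}
        <port protocol="{{ port.split('/')[1] }}" port="{{ port.split('/')[0] }}"/>
      {% endfor %}
      </service>
  when: host_fw_ports | length > 0
  notify: Reload Firewall

# Writing the file only updates the permanent config. The runtime config, which
# immediate: true operates on, learns about the new service after a reload.
# Handlers run at the end of the play, so force the reload to happen now.
- name: Reload firewalld now so the new service exists in the runtime config
  ansible.builtin.meta: flush_handlers

- name: Enable this host's service (permanent and runtime)
  ansible.posix.firewalld:
    service: "{{ inventory_hostname }}"
    state: enabled
    permanent: true
    immediate: true
  when: host_fw_ports | length > 0
```

Hosts that have no key in firewall_ports simply skip the service file and the firewalld task, so the role can be applied to a whole group from AWX. One further caveat for the layout in the post: variables in a role's vars/main.yml have very high precedence and cannot be overridden from inventory, so the firewall_ports dictionary is easier to maintain from AWX if it lives in group_vars/ or host_vars/ instead.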