This repository will be archived. It is superseeded by a newer, more simplified Easy ACI, based on a YAML Schema Model.
This Module will be archived in September as I am no longer maintaining it. It is surperseeded above.
The two models were so different I didn't merge them here.
There are two examples in this Repository. The first example is shown in the primary folders:
access-policies/admin/fabric-policies/switch/system_settings/tenants/virtual-networking/
This is to show an example of how the module can be used with a single ACI Fabric.
The more complex example is shown in the ./RICH/ Folder Structure. This is what is being used for our lab in Richfield Ohio. In these examples there are four sub-folders.
RICH/Asgard- The First ACI FabricRICH/Wakanda- The Second ACI FabricRICH/Odin- Nexus Dashboard Orchestrator managing the stretched Tenants Between the two FabricsRICH/shared_settings- YAML Data that is the same between Asgard and Wakanda
The Structure of the YAML Files is very flexible. You can have all the YAML Data in a single file or you can have it in multiple individual folders like is shown in this module. The important part is that the data.utils_yaml_merge.model is configured to read the folders that you put the Data into. In the single Data Center example the data is read from all the folders in the root path described above (access-policies, admin, fabric-policies, switch, system-settings, tenants, virtual-networking). In comparison, the Asgard and Wakanda Fabrics, read files in their respective home directory plus they shared data found in the ./RICH/shared_settings folder.
Additionally because the ./RICH/Odin/ Nexus Dashboard Fabric Only supports pushing configuration with the tenants module, currently, only the built_in_tenants and tenants modules are defined. The additional function for Odin is that it is pulling in the switch_profiles, from both Asgard and Wakanda, to build EPG -> Static Path Bindings in NDO.
variables.auto.tfvars contains Terraform variables that I felt fit better outside of the YAML Data Model. These variables should be configured to be unique to the deployment environment, but examples are shown for the Richfield environemnt in the module.
- APIC Attributes: used if the controller_type is
apic. - NDO Attributes: used if the controller_type is
ndo. - management_epgs: necessary if you are using inband EPG's, and or the ooband EPG is not default. Both true for our use case.
- annotations: helpful, but not required. This is used on Tenant Objects that support the annotations attribute. You can customize this according to anything desired to add, but by default the use case is the version of the easy_aci module is being added.
Note 1: Modules can be added or removed dependent on the use case. The primary example shown is consuming/showing a full environment deployment. But in the ./RICH/Odin/ example, it is just using the tenant modules.
Note 2: The reason for the seperation of built_in_tenants vs tenants is to make sure objects are always created in common/mgmt first. So they can be consumed by user tenants or Admin/Fabric etc (management EPGs for example). If nothing is being configured in common/mgmt/infra the built_in_tenant is not necessary.
If you would like to enable Autocompletion, Help Context, and Error Validation, (HIGHLY RECOMMENDED) perform the following configuration in Visual Studio Code.
Extensions: Search for YAML and Select the 'YAML Language Support by Red Hat'
Settings » Settings: Search for YAML:Schemas.
Click: Edit in settings.json
Configure the following in yaml.schemas
"https://raw.githubusercontent.com/terraform-cisco-modules/easy-aci-complete/main/yaml_schemas/easy_aci.json": [
"easy-aci-complete/*/*.yaml",
"easy-aci-complete/*/*/*/*.yaml"
]- Add variable
apic_passwordwith the value of [your-apic-password] and sensitive set to true
- Add variable
ndo_passwordwith the value of [your-ndo-password] and sensitive set to true
Command line utility to transform environment variables for use with Terraform. (e.g. HOSTNAME → TF_VAR_hostname)
Recently I adopted the tfenv runner to standardize environment variables with multiple orchestration tools. tfenv makes it so you don't need to add TF_VAR_ to the variables when you add them to the environment. But it doesn't work for windows would be the caveat.
In the export examples below, for the Linux Example, the 'TF_VAR_' is excluded because Cloud Posse tfenv is used to insert it during the run.
Additionally to Save time on typing commands I use the following aliases by editing the .bashrc for my environment.
alias tfa='tfenv terraform apply main.plan'
alias tfap='tfenv terraform apply -parallelism=1 main.plan'
alias tfd='terraform destroy'
alias tff='terraform fmt'
alias tfi='terraform init'
alias tfp='tfenv terraform plan -out=main.plan'
alias tfu='terraform init -upgrade'
alias tfv='terraform validate'Password Authentication
export apic_password='<your-apic-password>'Certificate Authentication
export certificate_name='<your-certificate_name>'
export private_key='<your-private_key>'$env:TF_VAR_apic_password='<your-apic-password>'export ndo_password='<your-ndo-password>'$env:TF_VAR_ndo_password='<your-ndo-password>'- MCP Instance Key: If Desire is to Password Protect MCP traffic.
- VMM Password: vCenter Password for VMM Integration.
export mcp_instance_key='<mcp_instance_key>'export vmm_password='<vmm_password>'$env:TF_VAR_mcp_instance_key='<mcp_instance_key>'$env:TF_VAR_vmm_password='<vmm_password>'- remote_password: For Password based Authentication.
- ssh_key_contents and ssh_key_passphrase: for SSH Key Based Authentication.
export remote_password='<remote_password>'export ssh_key_contents='<ssh_key_contents>'
export ssh_key_passphrase='<ssh_key_passphrase>'$env:TF_VAR_remote_password='<remote_password>'$env:TF_VAR_ssh_key_contents='<ssh_key_contents>'
$env:TF_VAR_ssh_key_passphrase='<ssh_key_passphrase>'- radius_key: Key for Protecting RADIUS Server Communication.
- radius_monitoring_password: If Server Monitoring is Enabled, the Password to use with the test user account.
export radius_key='<radius_key>'export radius_monitoring_password='<radius_monitoring_password>'$env:TF_VAR_radius_key='<radius_key>'$env:TF_VAR_radius_monitoring_password='<radius_monitoring_password>'- smtp_password: Only Required if the SMTP Server Requires Authentication.
export smtp_password='<smtp_password>'$env:TF_VAR_smtp_password='<smtp_password>'- tacacs_key: Key for Protecting TACACS Server Communication.
- tacacs_monitoring_password: If Server Monitoring is Enabled, the Password to use with the test user account.
export tacacs_key='<tacacs_key>'
export tacacs_monitoring_password='<tacacs_monitoring_password>'$env:TF_VAR_tacacs_key='<tacacs_key>'
$env:TF_VAR_tacacs_monitoring_password='<tacacs_monitoring_password>'Note that ntp_key, snmp_authorization, snmp_community, snmp_privacy_key have multiple instances. This is only in the event you need multiple values for each variable. If only one value is needed only define one value in the export.
- NTP Authentication Keys
export ntp_key_1='<ntp_key_1>'export ntp_key_2='<ntp_key_2>'export ntp_key_3='<ntp_key_3>'export ntp_key_4='<ntp_key_4>'export ntp_key_5='<ntp_key_5>'- SNMP Communities
export snmp_community_1='<snmp_community_1>'export snmp_community_2='<snmp_community_2>'export snmp_community_3='<snmp_community_3>'export snmp_community_4='<snmp_community_4>'export snmp_community_5='<snmp_community_5>'- SNMP Authorization Keys and Privacy Keys for SNMP Users
export snmp_authorization_key_1='<snmp_authorization_key_1>'export snmp_authorization_key_2='<snmp_authorization_key_2>'export snmp_authorization_key_3='<snmp_authorization_key_3>'export snmp_authorization_key_4='<snmp_authorization_key_4>'export snmp_authorization_key_5='<snmp_authorization_key_5>'export snmp_privacy_key_1='<snmp_privacy_key_1>'export snmp_privacy_key_2='<snmp_privacy_key_2>'export snmp_privacy_key_3='<snmp_privacy_key_3>'export snmp_privacy_key_4='<snmp_privacy_key_4>'export snmp_privacy_key_5='<snmp_privacy_key_5>'Global AES Passphrase Encryption Settings
- aes_passphrase: Used to Encrypt Configuration Backups to protect sensitive attributes.
export aes_passphrase='<aes_passphrase>'export aws_secret_key='<aws_secret_key>'export azure_client_secret='<azure_client_secret>'- bgp_password: Only requried for BGP Neighbor Authentication
- ospf_key: Only required for Neighbor Authentication
export bgp_password_1='<bgp_password_1>'export bgp_password_2='<bgp_password_2>'export bgp_password_3='<bgp_password_3>'export bgp_password_4='<bgp_password_4>'export bgp_password_5='<bgp_password_5>'export ospf_key_1='<ospf_key_1>'export ospf_key_2='<ospf_key_2>'export ospf_key_3='<ospf_key_3>'export ospf_key_4='<ospf_key_4>'export ospf_key_5='<ospf_key_5>'- vrf_snmp_community: Only required if the VRF Should use different Communities than the Global SNMP Values. These Communities, that need to be added to the SNMP client_groups, will only be usable by the VRF when configured.
export vrf_snmp_community_1='<vrf_snmp_community_1>'export vrf_snmp_community_2='<vrf_snmp_community_2>'export vrf_snmp_community_3='<vrf_snmp_community_3>'export vrf_snmp_community_4='<vrf_snmp_community_4>'export vrf_snmp_community_5='<vrf_snmp_community_5>'| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| aci | 2.9.0 |
| mso | 0.11.0 |
| utils | 0.2.5 |
| Name | Version |
|---|---|
| utils | 0.2.5 |
| Name | Source | Version |
|---|---|---|
| access | terraform-cisco-modules/access/aci | 2.1.7 |
| admin | terraform-cisco-modules/admin/aci | 2.1.7 |
| built_in_tenants | terraform-cisco-modules/tenants/aci | 2.2.0 |
| fabric | terraform-cisco-modules/fabric/aci | 2.1.7 |
| switch | terraform-cisco-modules/switch/aci | 2.1.7 |
| system_settings | terraform-cisco-modules/system-settings/aci | 2.1.7 |
| tenants | terraform-cisco-modules/tenants/aci | 2.2.0 |
When the Data is merged from the YAML files, it will run through the modules using for_each loop(s). Sensitive Variables cannot be added to a for_each loop, instead use the variables below to add sensitive values for policies.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| apic_hostname | Cisco APIC Hostname | string |
"apic.example.com" |
no |
| apic_password | Password for User based Authentication. | string |
"dummydummy" |
no |
| apic_user | Username for User based Authentication. | string |
"admin" |
no |
| certificate_name | Cisco ACI Certificate Name for SSL Based Authentication | string |
"" |
no |
| private_key | Cisco ACI Private Key for SSL Based Authentication. | string |
"" |
no |
| apic_version | The Version of ACI Running in the Environment. | string |
"5.2(4e)" |
no |
| ndo_domain | Default is local. Authentication Domain for Nexus Dashboard Orchestrator Authentication. Only required if the Auhthenciation domain is not local. |
string |
"local" |
no |
| ndo_hostname | Cisco Nexus Dashboard Orchestrator Hostname | string |
"ndo.example.com" |
no |
| ndo_password | Password for Nexus Dashboard Orchestrator Authentication. | string |
"dummydummy" |
no |
| ndo_user | Username for Nexus Dashboard Orchestrator Authentication. | string |
"admin" |
no |
| ndo_version | The Version of Nexus Dashboard Orchestrator Running in the Environment. | string |
"5.2(1g)" |
no |
| annotation | Depricated. Removing from Module. | string |
"orchestrator:terraform" |
no |
| annotations | The Version of this Script. | list(object( |
[ |
no |
| controller_type | The Type of Controller for this Site. - apic - ndo |
string |
"apic" |
no |
| management_epgs | The Management EPG's that will be used by the script. - name: Name of the EPG - type: Type of EPG * inb * oob |
list(object( |
[ |
no |
| mcp_instance_key | The key or password to uniquely identify the MCP packets within this fabric. | string |
"" |
no |
| radius_key | RADIUS Key. | string |
"" |
no |
| radius_monitoring_password | RADIUS Monitoring Password. | string |
"" |
no |
| tacacs_key | TACACS Key. | string |
"" |
no |
| tacacs_monitoring_password | TACACS Monitoring Password. | string |
"" |
no |
| smtp_password | Password to use if Secure SMTP is enabled for the Smart CallHome Destination Group Mail Server. | string |
"" |
no |
| remote_password | Remote Host Password. | string |
"" |
no |
| ssh_key_contents | SSH Private Key Based Authentication Contents. | string |
"" |
no |
| ssh_key_passphrase | SSH Private Key Based Authentication Passphrase. | string |
"" |
no |
| apic_certificate_1 | APIC Certificate 1. | string |
"blah.txt" |
no |
| apic_certificate_2 | APIC Certificate 2. | string |
"blah.txt" |
no |
| apic_intermediate_plus_root_ca_1 | Intermediate and Root CA Certificate 1. | string |
"blah.txt" |
no |
| apic_intermediate_plus_root_ca_2 | Intermediate and Root CA Certificate 2. | string |
"blah.txt" |
no |
| apic_private_key_1 | APIC Private Key 1. | string |
"blah.txt" |
no |
| apic_private_key_2 | APIC Private Key 2. | string |
"blah.txt" |
no |
| ntp_key_1 | Key Assigned to NTP id 1. | string |
"" |
no |
| ntp_key_2 | Key Assigned to NTP id 2. | string |
"" |
no |
| ntp_key_3 | Key Assigned to NTP id 3. | string |
"" |
no |
| ntp_key_4 | Key Assigned to NTP id 4. | string |
"" |
no |
| ntp_key_5 | Key Assigned to NTP id 5. | string |
"" |
no |
| snmp_authorization_key_1 | SNMP Authorization Key 1. | string |
"" |
no |
| snmp_authorization_key_2 | SNMP Authorization Key 2. | string |
"" |
no |
| snmp_authorization_key_3 | SNMP Authorization Key 3. | string |
"" |
no |
| snmp_authorization_key_4 | SNMP Authorization Key 4. | string |
"" |
no |
| snmp_authorization_key_5 | SNMP Authorization Key 5. | string |
"" |
no |
| snmp_community_1 | SNMP Community 1. | string |
"" |
no |
| snmp_community_2 | SNMP Community 2. | string |
"" |
no |
| snmp_community_3 | SNMP Community 3. | string |
"" |
no |
| snmp_community_4 | SNMP Community 4. | string |
"" |
no |
| snmp_community_5 | SNMP Community 5. | string |
"" |
no |
| snmp_privacy_key_1 | SNMP Privacy Key 1. | string |
"" |
no |
| snmp_privacy_key_2 | SNMP Privacy Key 2. | string |
"" |
no |
| snmp_privacy_key_3 | SNMP Privacy Key 3. | string |
"" |
no |
| snmp_privacy_key_4 | SNMP Privacy Key 4. | string |
"" |
no |
| snmp_privacy_key_5 | SNMP Privacy Key 5. | string |
"" |
no |
| aes_passphrase | Global AES Passphrase. | string |
"" |
no |
| vmm_password | Password for VMM Credentials Policy. | string |
"" |
no |
| aws_secret_key | AWS Secret Key Id. It must be provided if the AWS account is not trusted. This parameter will only have effect with vendor = aws. | string |
"" |
no |
| azure_client_secret | Azure Client Secret. It must be provided when azure_access_type to credentials. This parameter will only have effect with vendor = azure. | string |
"1" |
no |
| bgp_password_1 | BGP Password 1. | string |
"" |
no |
| bgp_password_2 | BGP Password 2. | string |
"" |
no |
| bgp_password_3 | BGP Password 3. | string |
"" |
no |
| bgp_password_4 | BGP Password 4. | string |
"" |
no |
| bgp_password_5 | BGP Password 5. | string |
"" |
no |
| ospf_key_1 | OSPF Key 1. | string |
"" |
no |
| ospf_key_2 | OSPF Key 2. | string |
"" |
no |
| ospf_key_3 | OSPF Key 3. | string |
"" |
no |
| ospf_key_4 | OSPF Key 4. | string |
"" |
no |
| ospf_key_5 | OSPF Key 5. | string |
"" |
no |
| vrf_snmp_community_1 | SNMP Community 1. | string |
"" |
no |
| vrf_snmp_community_2 | SNMP Community 2. | string |
"" |
no |
| vrf_snmp_community_3 | SNMP Community 3. | string |
"" |
no |
| vrf_snmp_community_4 | SNMP Community 4. | string |
"" |
no |
| vrf_snmp_community_5 | SNMP Community 5. | string |
"" |
no |
| Name | Description |
|---|---|
| access | Access module outputs. |
| admin | Admin module outputs. |
| built_in_tenants | Built-In Tenants module outputs (common|infra|mgmt). |
| fabric | Fabric module outputs. |
| switch | Switch module outputs. |
| system_settings | System Settings module outputs. |
| tenants | Tenants module outputs. |
If you want to see documentation on Variables for Submodules use the links below: