-
Notifications
You must be signed in to change notification settings - Fork 0
/
.terraform-docs.yml
455 lines (326 loc) · 13.9 KB
/
.terraform-docs.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
version: '>= 0.14.0'
formatter: markdown table
content: |-
[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)
[![Developed by: Cisco](https://img.shields.io/badge/Developed%20by-Cisco-blue)](https://developer.cisco.com)
# Easy ACI - Comprehensive example for ACI & NDO
There are two examples in this Repository. The first example is shown in the primary folders:
* `access-policies/`
* `admin/`
* `fabric-policies/`
* `switch/`
* `system_settings/`
* `tenants/`
* `virtual-networking/`
This is to show an example of how the module can be used with a single ACI Fabric.
The more complex example is shown in the `./RICH/` Folder Structure. This is what is being used for our lab in Richfield Ohio. In these examples there are four sub-folders.
* `RICH/Asgard` - The First ACI Fabric
* `RICH/Wakanda` - The Second ACI Fabric
* `RICH/Odin` - Nexus Dashboard Orchestrator managing the stretched Tenants Between the two Fabrics
* `RICH/shared_settings` - YAML Data that is the same between Asgard and Wakanda
The Structure of the YAML Files is very flexible. You can have all the YAML Data in a single file or you can have it in multiple individual folders like is shown in this module. The important part is that the `data.utils_yaml_merge.model` is configured to read the folders that you put the Data into. In the single Data Center example the data is read from all the folders in the root path described above (`access-policies`, `admin`, `fabric-policies`, `switch`, `system-settings`, `tenants`, `virtual-networking`). In comparison, the Asgard and Wakanda Fabrics, read files in their respective home directory plus they shared data found in the `./RICH/shared_settings` folder.
Additionally because the `./RICH/Odin/` Nexus Dashboard Fabric Only supports pushing configuration with the tenants module, currently, only the `built_in_tenants` and `tenants` modules are defined. The additional function for `Odin` is that it is pulling in the switch_profiles, from both `Asgard` and `Wakanda`, to build `EPG -> Static Path Bindings` in NDO.
### Modify `variables.auto.tfvars` to match environment
`variables.auto.tfvars` contains Terraform variables that I felt fit better outside of the YAML Data Model. These variables should be configured to be unique to the deployment environment, but examples are shown for the Richfield environemnt in the module.
#### Notes for the `variables.auto.tfvars`
* APIC Attributes: used if the controller_type is `apic`.
* NDO Attributes: used if the controller_type is `ndo`.
* management_epgs: necessary if you are using inband EPG's, and or the ooband EPG is not default. Both true for our use case.
* annotations: helpful, but not required. This is used on Tenant Objects that support the annotations attribute. You can customize this according to anything desired to add, but by default the use case is the version of the easy_aci module is being added.
#### Note 1: Modules can be added or removed dependent on the use case. The primary example shown is consuming/showing a full environment deployment. But in the `./RICH/Odin/` example, it is just using the tenant modules.
#### Note 2: The reason for the seperation of `built_in_tenants` vs `tenants` is to make sure objects are always created in common/mgmt first. So they can be consumed by user tenants or Admin/Fabric etc (management EPGs for example). If nothing is being configured in common/mgmt/infra the `built_in_tenant` is not necessary.
## YAML Schema Notes for Autocompletion, Help, and Error Validation:
If you would like to enable Autocompletion, Help Context, and Error Validation, (`HIGHLY RECOMMENDED`) perform the following configuration in Visual Studio Code.
### Install the YAML extension by Red Hat
`Extensions`: Search for YAML and Select the 'YAML Language Support by Red Hat'
### Add the YAML Schema's below to the Visual Studio Code Settings
`Settings` » `Settings`: Search for `YAML:Schemas`.
Click: `Edit in settings.json`
Configure the following in `yaml.schemas`
```bash
"https://raw.githubusercontent.com/terraform-cisco-modules/easy-aci-complete/main/yaml_schemas/easy_aci.json": ["easy-aci-complete/*/*.yaml", "easy-aci-complete/*/*/*/*.yaml"]
```
## Environment Variables
### Terraform Cloud/Enterprise - Workspace Variables
#### At a Minimum for APIC
- Add variable `apic_password` with the value of [your-apic-password] and sensitive set to true
#### At a Minimum for NDO
- Add variable `ndo_password` with the value of [your-ndo-password] and sensitive set to true
#### Add Other Variables as discussed below based on use cases
## [Cloud Posse `tfenv`](https://github.com/cloudposse/tfenv)
Command line utility to transform environment variables for use with Terraform. (e.g. HOSTNAME → TF_VAR_hostname)
Recently I adopted the `tfenv` runner to standardize environment variables with multiple orchestration tools. tfenv makes it so you don't need to add TF_VAR_ to the variables when you add them to the environment. But it doesn't work for windows would be the caveat.
In the export examples below, for the Linux Example, the 'TF_VAR_' is excluded because Cloud Posse tfenv is used to insert it during the run.
### Aliases for `.bashrc`
Additionally to Save time on typing commands I use the following aliases by editing the `.bashrc` for my environment.
```bash
alias tfa='tfenv terraform apply main.plan'
alias tfap='tfenv terraform apply -parallelism=1 main.plan'
alias tfd='terraform destroy'
alias tff='terraform fmt'
alias tfi='terraform init'
alias tfp='tfenv terraform plan -out=main.plan'
alias tfu='terraform init -upgrade'
alias tfv='terraform validate'
```
## IMPORTANT: ALL EXAMPLES BELOW ASSUME USING `tfenv` in LINUX
## Minimum Sensitive Variables for ACI
#### Linux
Password Authentication
```bash
export apic_password='<your-apic-password>'
```
Certificate Authentication
```bash
export certificate_name='<your-certificate_name>'
export private_key='<your-private_key>'
```
## Windows
```powershell
$env:TF_VAR_apic_password='<your-apic-password>'
```
## Minimum Sensitive Variables for NDO
#### Linux
```bash
export ndo_password='<your-ndo-password>'
```
#### Windows
```powershell
$env:TF_VAR_ndo_password='<your-ndo-password>'
```
### Sensitive Variables for the Access Module:
* MCP Instance Key: If Desire is to Password Protect MCP traffic.
* VMM Password: vCenter Password for VMM Integration.
#### Linux
```bash
export mcp_instance_key='<mcp_instance_key>'
```
```bash
export vmm_password='<vmm_password>'
```
#### Windows
```bash
$env:TF_VAR_mcp_instance_key='<mcp_instance_key>'
```
```bash
$env:TF_VAR_vmm_password='<vmm_password>'
```
### Sensitive Variables for the Admin Module:
#### Configuration Backup Sensitive Variables
* remote_password: For Password based Authentication.
* ssh_key_contents and ssh_key_passphrase: for SSH Key Based Authentication.
#### Linux
```bash
export remote_password='<remote_password>'
```
```bash
export ssh_key_contents='<ssh_key_contents>'
export ssh_key_passphrase='<ssh_key_passphrase>'
```
#### Windows
```powershell
$env:TF_VAR_remote_password='<remote_password>'
```
```powershell
$env:TF_VAR_ssh_key_contents='<ssh_key_contents>'
$env:TF_VAR_ssh_key_passphrase='<ssh_key_passphrase>'
```
#### RADIUS Sensitive Variables
* radius_key: Key for Protecting RADIUS Server Communication.
* radius_monitoring_password: If Server Monitoring is Enabled, the Password to use with the test user account.
#### Linux
```bash
export radius_key='<radius_key>'
```
```bash
export radius_monitoring_password='<radius_monitoring_password>'
```
#### Windows
```bash
$env:TF_VAR_radius_key='<radius_key>'
```
```bash
$env:TF_VAR_radius_monitoring_password='<radius_monitoring_password>'
```
#### Smart Callhome Sensitive Variables
* smtp_password: Only Required if the SMTP Server Requires Authentication.
#### Linux
```bash
export smtp_password='<smtp_password>'
```
#### Windows
```bash
$env:TF_VAR_smtp_password='<smtp_password>'
```
#### TACACS+ Sensitive Variables
* tacacs_key: Key for Protecting TACACS Server Communication.
* tacacs_monitoring_password: If Server Monitoring is Enabled, the Password to use with the test user account.
#### Linux
```bash
export tacacs_key='<tacacs_key>'
export tacacs_monitoring_password='<tacacs_monitoring_password>'
```
#### Windows
```bash
$env:TF_VAR_tacacs_key='<tacacs_key>'
$env:TF_VAR_tacacs_monitoring_password='<tacacs_monitoring_password>'
```
## Only Showing Linux Examples for the Rest for brevity
### Sensitive Variables for the Fabric Module:
### Note: Multiple Instances.
Note that ntp_key, snmp_authorization, snmp_community, snmp_privacy_key have multiple instances. This is only in the event you need multiple values for each variable. If only one value is needed only define one value in the export.
* NTP Authentication Keys
```bash
export ntp_key_1='<ntp_key_1>'
```
```bash
export ntp_key_2='<ntp_key_2>'
```
```bash
export ntp_key_3='<ntp_key_3>'
```
```bash
export ntp_key_4='<ntp_key_4>'
```
```bash
export ntp_key_5='<ntp_key_5>'
```
* SNMP Communities
```bash
export snmp_community_1='<snmp_community_1>'
```
```bash
export snmp_community_2='<snmp_community_2>'
```
```bash
export snmp_community_3='<snmp_community_3>'
```
```bash
export snmp_community_4='<snmp_community_4>'
```
```bash
export snmp_community_5='<snmp_community_5>'
```
* SNMP Authorization Keys and Privacy Keys for SNMP Users
```bash
export snmp_authorization_key_1='<snmp_authorization_key_1>'
```
```bash
export snmp_authorization_key_2='<snmp_authorization_key_2>'
```
```bash
export snmp_authorization_key_3='<snmp_authorization_key_3>'
```
```bash
export snmp_authorization_key_4='<snmp_authorization_key_4>'
```
```bash
export snmp_authorization_key_5='<snmp_authorization_key_5>'
```
```bash
export snmp_privacy_key_1='<snmp_privacy_key_1>'
```
```bash
export snmp_privacy_key_2='<snmp_privacy_key_2>'
```
```bash
export snmp_privacy_key_3='<snmp_privacy_key_3>'
```
```bash
export snmp_privacy_key_4='<snmp_privacy_key_4>'
```
```bash
export snmp_privacy_key_5='<snmp_privacy_key_5>'
```
### Sensitive Variables for the System Settings Module:
Global AES Passphrase Encryption Settings
* aes_passphrase: Used to Encrypt Configuration Backups to protect sensitive attributes.
```bash
export aes_passphrase='<aes_passphrase>'
```
### Sensitive Variables for the Tenants Module:
### NDO Secrets for AWS or Azure Site Authetnication
```bash
export aws_secret_key='<aws_secret_key>'
```
```bash
export azure_client_secret='<azure_client_secret>'
```
### Routing Protocol Authentication
* bgp_password: Only requried for BGP Neighbor Authentication
* ospf_key: Only required for Neighbor Authentication
```bash
export bgp_password_1='<bgp_password_1>'
```
```bash
export bgp_password_2='<bgp_password_2>'
```
```bash
export bgp_password_3='<bgp_password_3>'
```
```bash
export bgp_password_4='<bgp_password_4>'
```
```bash
export bgp_password_5='<bgp_password_5>'
```
```bash
export ospf_key_1='<ospf_key_1>'
```
```bash
export ospf_key_2='<ospf_key_2>'
```
```bash
export ospf_key_3='<ospf_key_3>'
```
```bash
export ospf_key_4='<ospf_key_4>'
```
```bash
export ospf_key_5='<ospf_key_5>'
```
* vrf_snmp_community: Only required if the VRF Should use different Communities than the Global SNMP Values. These Communities, that need to be added to the SNMP client_groups, will only be usable by the VRF when configured.
```bash
export vrf_snmp_community_1='<vrf_snmp_community_1>'
```
```bash
export vrf_snmp_community_2='<vrf_snmp_community_2>'
```
```bash
export vrf_snmp_community_3='<vrf_snmp_community_3>'
```
```bash
export vrf_snmp_community_4='<vrf_snmp_community_4>'
```
```bash
export vrf_snmp_community_5='<vrf_snmp_community_5>'
```
{{ .Requirements }}
{{ .Providers }}
{{ .Modules }}
## NOTE:
**When the Data is merged from the YAML files, it will run through the modules using for_each loop(s). Sensitive Variables cannot be added to a for_each loop, instead use the variables below to add sensitive values for policies.**
{{ .Inputs }}
{{ .Outputs }}
# Sub Modules
If you want to see documentation on Variables for Submodules use the links below:
### [access-policies](https://github.com/terraform-cisco-modules/terraform-aci-access)
### [admin](https://github.com/terraform-cisco-modules/terraform-aci-admin)
### [fabric-policies](https://github.com/terraform-cisco-modules/terraform-aci-fabric)
### [switch](https://github.com/terraform-cisco-modules/terraform-aci-switch)
### [system-settings](https://github.com/terraform-cisco-modules/terraform-aci-system-settings)
### [tenants](https://github.com/terraform-cisco-modules/terraform-aci-tenants)
## Terraform Registry
### [access-policies](https://registry.terraform.io/modules/terraform-cisco-modules/access/aci/latest)
### [admin](https://registry.terraform.io/modules/terraform-cisco-modules/admin/aci/latest)
### [fabric-policies](https://registry.terraform.io/modules/terraform-cisco-modules/fabric/aci/latest)
### [switch](https://registry.terraform.io/modules/terraform-cisco-modules/switch/aci/latest)
### [system-settings](https://registry.terraform.io/modules/terraform-cisco-modules/system-settings/aci/latest)
### [tenants](https://registry.terraform.io/modules/terraform-cisco-modules/tenants/aci/latest)
output:
file: README.md
mode: replace
sort:
enabled: false
settings:
read-comments: false