/*_____________________________________________________________________________________________________________________
API Information:
- Class: "fvBD"
- Distinguished Name: "uni/tn-{Tenant}/BD-{bridge_domain}"
GUI Location:
- Tenants > {tenant} > Networking > Bridge Domains > {bridge_domain}
_______________________________________________________________________________________________________________________
*/
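resource "aci_bridge_domain" "map" {
  depends_on = [aci_tenant.map, aci_vrf.map, aci_l3_outside.map]
  # Rendered only for an APIC controller; the NDO counterpart is mso_schema_template_bd.map.
  for_each = { for k, v in local.bridge_domains : k => v if local.controller.type == "apic" }
  # General
  arp_flood                 = each.value.general.arp_flooding == true ? "yes" : "no"
  bridge_domain_type        = each.value.general.type
  description               = each.value.general.description
  host_based_routing        = each.value.general.advertise_host_routes == true ? "yes" : "no"
  ipv6_mcast_allow          = each.value.general.pimv6 == true ? "yes" : "no"
  limit_ip_learn_to_subnets = each.value.general.limit_ip_learn_to_subnets == true ? "yes" : "no"
  mcast_allow               = each.value.general.pim == true ? "yes" : "no"
  name                      = each.value.name
  name_alias                = each.value.general.alias
  multi_dst_pkt_act         = each.value.general.multi_destination_flooding
  # Policy relations resolve against local.policy_tenant, not the bridge domain's own tenant;
  # an empty policy name leaves the relation unset.
  relation_fv_rs_bd_to_ep_ret = length(compact([each.value.general.endpoint_retention_policy])
  ) > 0 ? "uni/tn-${local.policy_tenant}/epRPol-${each.value.general.endpoint_retention_policy}" : ""
  # `vrf` is an object (tenant/name), so length(vrf) only counts its attributes and is never
  # zero; the relation is keyed on the VRF name instead, so a bridge domain without one gets
  # no relation rather than a dangling ".../ctx-" DN.
  relation_fv_rs_ctx = length(compact([each.value.general.vrf.name])
  ) > 0 ? "uni/tn-${each.value.general.vrf.tenant}/ctx-${each.value.general.vrf.name}" : ""
  relation_fv_rs_igmpsn = length(compact([each.value.general.igmp_snooping_policy])
  ) > 0 ? "uni/tn-${local.policy_tenant}/snPol-${each.value.general.igmp_snooping_policy}" : ""
  relation_fv_rs_mldsn = length(compact([each.value.general.mld_snoop_policy])
  ) > 0 ? "uni/tn-${local.policy_tenant}/mldsnoopPol-${each.value.general.mld_snoop_policy}" : ""
  tenant_dn         = "uni/tn-${each.value.general.tenant}"
  unk_mac_ucast_act = each.value.general.l2_unknown_unicast
  unk_mcast_act     = each.value.general.l3_unknown_multicast_flooding
  v6unk_mcast_act   = each.value.general.ipv6_l3_unknown_multicast
  # L3 Configurations
  ep_move_detect_mode = each.value.l3_configurations.ep_move_detection_mode == true ? "garp" : "disable"
  ll_addr             = each.value.l3_configurations.link_local_ipv6_address
  mac                 = each.value.l3_configurations.custom_mac_address
  # class: l3extOut
  relation_fv_rs_bd_to_out = length(each.value.l3_configurations.associated_l3outs
  ) > 0 ? [for v in each.value.l3_configurations.associated_l3outs : "uni/tn-${v.tenant}/out-${v.l3out}"] : []
  # class: rtctrlProfile — only L3Outs that name a route profile contribute an entry.
  relation_fv_rs_bd_to_profile = join(",", [
    for v in each.value.l3_configurations.associated_l3outs : "uni/tn-${v.tenant}/out-${v.l3out}/prof-${v.route_profile}" if v.route_profile != ""
  ])
  # class: ndIfPol (relation currently commented out)
  #relation_fv_rs_bd_to_nd_p = length(compact([each.value.nd_policy])
  #) > 0 ? "uni/tn-${local.policy_tenant}/ndifpol-${each.value.nd_policy}" : ""
  unicast_route = each.value.l3_configurations.unicast_routing == true ? "yes" : "no"
  vmac = length(compact([each.value.l3_configurations.virtual_mac_address])
  ) > 0 ? each.value.l3_configurations.virtual_mac_address : "not-applicable"
  # Advanced/Troubleshooting
  ep_clear = each.value.advanced_troubleshooting.endpoint_clear == true ? "yes" : "no"
  # Inverted on purpose: the input disables learning, the API attribute enables it.
  ip_learning = each.value.advanced_troubleshooting.disable_ip_data_plane_learning_for_pbr == true ? "no" : "yes"
  # Only "yes" when the intersite L2 stretch is enabled as well.
  intersite_bum_traffic_allow = length(regexall(
    true, each.value.advanced_troubleshooting.intersite_l2_stretch)
  ) > 0 && length(regexall(true, each.value.advanced_troubleshooting.intersite_bum_traffic_allow)) > 0 ? "yes" : "no"
  intersite_l2_stretch   = each.value.advanced_troubleshooting.intersite_l2_stretch == true ? "yes" : "no"
  optimize_wan_bandwidth = length(regexall(true, each.value.advanced_troubleshooting.optimize_wan_bandwidth)) > 0 ? "yes" : "no"
  # class: monEPGPol
  relation_fv_rs_abd_pol_mon_pol = length(compact([each.value.advanced_troubleshooting.monitoring_policy])
  ) > 0 ? "uni/tn-${local.policy_tenant}/monepg-${each.value.advanced_troubleshooting.monitoring_policy}" : ""
  # class: netflowMonitorPol
  dynamic "relation_fv_rs_bd_to_netflow_monitor_pol" {
    for_each = each.value.advanced_troubleshooting.netflow_monitor_policies
    content {
      # A dynamic block's iterator is named after the block itself; the previous references
      # to relation_l3ext_rs_l_if_p_to_netflow_monitor_pol (the L3Out interface-profile
      # iterator) are undeclared inside this resource.
      flt_type = relation_fv_rs_bd_to_netflow_monitor_pol.value.filter_type # ipv4|ipv6|ce
      # NOTE(review): the attribute is named *_name but is fed a full DN here — confirm
      # what the aci provider version in use expects.
      tn_netflow_monitor_pol_name = length(compact([relation_fv_rs_bd_to_netflow_monitor_pol.value.netflow_policy])
      ) > 0 ? "uni/tn-${local.policy_tenant}/monitorpol-${relation_fv_rs_bd_to_netflow_monitor_pol.value.netflow_policy}" : ""
    }
  }
  # class: fhsBDPol
  relation_fv_rs_bd_to_fhs = length(compact([each.value.advanced_troubleshooting.first_hop_security_policy])
  ) > 0 ? "uni/tn-${local.policy_tenant}/bdpol-${each.value.advanced_troubleshooting.first_hop_security_policy}" : ""
}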
/*_____________________________________________________________________________________________________________________
API Information:
- Class: "dhcpLbl"
- Distinguished Name: "uni/tn-{tenant}/BD-{bridge_domain}/dhcplbl-{name}"
GUI Location:
- Tenants > {tenant} > Networking > Bridge Domains > {bridge_domain} > DHCP Relay > {name}
_______________________________________________________________________________________________________________________
*/
resource "aci_bd_dhcp_label" "map" {
  depends_on = [aci_bridge_domain.map]
  # APIC only; one DHCP relay label per entry of local.bridge_domain_dhcp_labels.
  for_each         = { for k, v in local.bridge_domain_dhcp_labels : k => v if local.controller.type == "apic" }
  bridge_domain_dn = aci_bridge_domain.map[each.value.bridge_domain].id
  name             = each.value.name
  owner            = each.value.scope
  # DHCP option policy relation, built in the label's own tenant; left empty when no
  # option policy is named.
  relation_dhcp_rs_dhcp_option_pol = length(compact([each.value.dhcp_option_policy])) == 0 ? "" : format(
    "uni/tn-%s/dhcpoptpol-%s", each.value.tenant, each.value.dhcp_option_policy
  )
}
/*_____________________________________________________________________________________________________________________
API Information:
- Class: "fvSubnet"
- Distinguished Name: "uni/tn-{tenant}/BD-{bridge_domain}/subnet-[{subnet}]"
GUI Location:
- Tenants > {tenant} > Networking > Bridge Domains > {bridge_domain} > Subnets
_______________________________________________________________________________________________________________________
*/
resource "aci_subnet" "bridge_domain_subnets" {
  depends_on = [aci_bridge_domain.map, aci_l3_outside.map]
  # APIC only, and only for subnets flagged create = true.
  for_each  = { for k, v in local.bridge_domain_subnets : k => v if local.controller.type == "apic" && v.create == true }
  parent_dn = aci_bridge_domain.map[each.value.bridge_domain].id
  # Subnet control flags; when none of them is set the API value is "unspecified".
  ctrl = anytrue([
    each.value.subnet_control["neighbor_discovery"],
    each.value.subnet_control["no_default_svi_gateway"],
    each.value.subnet_control["querier_ip"],
  ]) ? compact([
    length(regexall(true, each.value.subnet_control["neighbor_discovery"])) > 0 ? "nd" : "",
    length(regexall(true, each.value.subnet_control["no_default_svi_gateway"])) > 0 ? "no-default-gateway" : "",
    length(regexall(true, each.value.subnet_control["querier_ip"])) > 0 ? "querier" : "",
  ]) : ["unspecified"]
  description = each.value.description
  ip          = each.value.gateway_ip
  preferred   = each.value.make_this_ip_address_primary == true ? "yes" : "no"
  # class: rtctrlProfile (L3Out / route-profile relations not wired up yet)
  # relation_fv_rs_bd_subnet_to_out = length(compact(
  # [each.value.l3out])
  # ) > 0 ? "uni/tn-${each.value.tenant}/out-${each.value.l3out}" : ""
  # relation_fv_rs_bd_subnet_to_profile = length(compact(
  # [each.value.route_profile])
  # ) > 0 ? each.value.route_profile : ""
  # Subnet scope; a subnet that is neither advertised nor shared is "private".
  scope = anytrue([
    each.value.scope["advertise_externally"],
    each.value.scope["shared_between_vrfs"],
  ]) ? compact([
    length(regexall(true, each.value.scope["advertise_externally"])) > 0 ? "public" : "",
    length(regexall(true, each.value.scope["shared_between_vrfs"])) > 0 ? "shared" : "",
  ]) : ["private"]
  virtual = each.value.treat_as_virtual_ip_address == true ? "yes" : "no"
}
/*_____________________________________________________________________________________________________________________
API Information:
- Class: "tagAnnotation"
- Distinguished Name: "uni/tn-{tenant}/BD-{bridge_domain}/annotationKey-[{key}]"
GUI Location:
- Tenants > {tenant} > Networking > Bridge Domains > {bridge_domain}: {annotations}
_______________________________________________________________________________________________________________________
*/
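resource "aci_rest_managed" "bridge_domain_annotations" {
  depends_on = [aci_bridge_domain.map]
  # One tagAnnotation per (bridge domain, annotation key). The bridge-domain map key is
  # carried along as the index into aci_bridge_domain.map; only key/value are used below,
  # so nothing else is copied into the flattened element (the former `tenant = b.tenant`
  # was unused, and elsewhere in this file the tenant lives under `general.tenant`).
  for_each = {
    for i in flatten([
      for a, b in local.bridge_domains : [
        for v in b.general.annotations : { bridge_domain = a, key = v.key, value = v.value }
      ]
    ]) : "${i.bridge_domain}:${i.key}" => i if local.controller.type == "apic"
  }
  dn         = "${aci_bridge_domain.map[each.value.bridge_domain].id}/annotationKey-[${each.value.key}]"
  class_name = "tagAnnotation"
  content = {
    key   = each.value.key
    value = each.value.value
  }
}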
/*_____________________________________________________________________________________________________________________
API Information:
- Class: "tagAliasInst"
- Distinguished Name: "uni/tn-{tenant}/BD-{bridge_domain}/alias"
GUI Location:
- Tenants > {tenant} > Networking > Bridge Domains > {bridge_domain}: global_alias
_______________________________________________________________________________________________________________________
*/
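resource "aci_rest_managed" "bridge_domain_global_alias" {
  depends_on = [aci_bridge_domain.map]
  # APIC only, and only for bridge domains that define a global alias.
  for_each   = { for k, v in local.bridge_domains : k => v if v.general.global_alias != "" && local.controller.type == "apic" }
  class_name = "tagAliasInst"
  # This resource and aci_bridge_domain.map iterate local.bridge_domains under the same key,
  # so each.key is always a valid index; nothing else in this file reads a `bridge_domain`
  # attribute from these values, so the lookup no longer depends on one existing.
  dn = "${aci_bridge_domain.map[each.key].id}/alias"
  content = {
    name = each.value.general.global_alias
  }
}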
/*_____________________________________________________________________________________________________________________
API Information:
- Class: "fvRogueExceptionMac"
- Distinguished Name: "uni/tn-{tenant}/BD-{bridge_domain}/rgexpmac-{mac_address}"
GUI Location:
- Tenants > {tenant} > Networking > Bridge Domains > {bridge_domain} > Policy > Advanced/Troubleshooting > Rogue/Coop Exception List.
_______________________________________________________________________________________________________________________
*/
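resource "aci_rest_managed" "rogue_coop_exception_list" {
  depends_on = [aci_bridge_domain.map]
  # APIC only, like every other aci_* resource in this file: aci_bridge_domain.map has no
  # instances on an NDO deployment, so an unfiltered, populated list would fail the lookup.
  for_each   = { for k, v in local.rogue_coop_exception_list : k => v if local.controller.type == "apic" }
  dn         = "${aci_bridge_domain.map[each.value.bridge_domain].id}/rgexpmac-${each.value.mac_address}"
  class_name = "fvRogueExceptionMac"
  content = {
    mac = each.value.mac_address
  }
}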
/*_____________________________________________________________________________________________________________________
Nexus Dashboard — Tenants
_______________________________________________________________________________________________________________________
*/
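resource "mso_schema_template_bd" "map" {
  provider = mso
  depends_on = [
    mso_schema.map,
    mso_schema_site.map,
    mso_schema_site_vrf.map,
    mso_schema_template_vrf.map
  ]
  # Rendered only for an NDO controller; the APIC counterpart is aci_bridge_domain.map.
  for_each     = { for k, v in local.bridge_domains : k => v if local.controller.type == "ndo" }
  arp_flooding = each.value.general.arp_flooding
  dynamic "dhcp_policies" {
    for_each = each.value.dhcp_relay_labels
    content {
      name = dhcp_policies.value.name
      #version = dhcp_policies.value.version
      #dhcp_option_policy_name = dhcp_policies.value.dhcp_option_policy
      #dhcp_option_policy_version = dhcp_policies.value.dhcp_option_policy_version
    }
  }
  description = each.value.general.description
  # Optionally folds the description into the display name using combine_description as separator.
  display_name = length(each.value.combine_description) > 0 ? "${each.value.name}${each.value.combine_description}${each.value.general.description}" : each.value.name
  name         = each.value.name
  #
  intersite_bum_traffic           = each.value.advanced_troubleshooting.intersite_bum_traffic_allow
  ipv6_unknown_multicast_flooding = each.value.general.ipv6_l3_unknown_multicast
  # Maps the APIC value (bd-flood / encap-flood / drop) onto the NDO enumeration. Plain
  # equality replaces the previous regexall() call, whose pattern/string arguments were
  # reversed and only matched because the two literals happened to be identical.
  multi_destination_flooding = (
    each.value.general.multi_destination_flooding == "bd-flood" ? "flood_in_bd" :
    each.value.general.multi_destination_flooding == "encap-flood" ? "flood_in_encap" : "drop"
  )
  layer2_unknown_unicast     = each.value.general.l2_unknown_unicast
  layer2_stretch             = each.value.advanced_troubleshooting.intersite_l2_stretch
  layer3_multicast           = each.value.general.pim
  optimize_wan_bandwidth     = each.value.advanced_troubleshooting.optimize_wan_bandwidth
  schema_id                  = data.mso_schema.map[each.value.ndo.schema].id
  template_name              = each.value.ndo.template
  unknown_multicast_flooding = each.value.general.l3_unknown_multicast_flooding
  unicast_routing            = each.value.l3_configurations.unicast_routing
  virtual_mac_address        = each.value.l3_configurations.virtual_mac_address
  vrf_name                   = each.value.general.vrf.name
  # The VRF may live in another schema/template; fall back to the bridge domain's own.
  vrf_schema_id = length(compact([each.value.general.vrf.ndo.schema])
  ) > 0 ? data.mso_schema.map[each.value.general.vrf.ndo.schema].id : data.mso_schema.map[each.value.ndo.schema].id
  vrf_template_name = length(compact([each.value.general.vrf.ndo.template])
  ) > 0 ? each.value.general.vrf.ndo.template : each.value.ndo.template
  lifecycle { ignore_changes = [schema_id] }
}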
resource "mso_schema_site_bd" "map" {
  provider   = mso
  depends_on = [mso_schema_template_bd.map]
  # NDO only; one site-level bridge domain per entry of local.ndo_bd_sites.
  for_each = { for k, v in local.ndo_bd_sites : k => v if local.controller.type == "ndo" }
  # Placement: schema, site and template the bridge domain is deployed to.
  schema_id     = data.mso_schema.map[each.value.schema].id
  site_id       = data.mso_site.map[each.value.site].id
  template_name = each.value.template
  # Site-specific settings.
  bd_name    = each.value.bridge_domain
  host_route = each.value.advertise_host_routes
  lifecycle {
    ignore_changes = [schema_id, site_id]
  }
}
resource "mso_schema_site_bd_l3out" "map" {
  provider   = mso
  depends_on = [mso_schema_site_bd.map]
  # NDO only, and only for site entries that name an L3Out.
  for_each = {
    for k, v in local.ndo_bd_sites : k => v
    if local.controller.type == "ndo" && length(compact([v.l3out])) != 0
  }
  # Placement: schema, site and template the association is deployed to.
  schema_id     = data.mso_schema.map[each.value.schema].id
  site_id       = data.mso_site.map[each.value.site].id
  template_name = each.value.template
  # The bridge domain / L3Out pair being associated.
  bd_name    = each.value.bridge_domain
  l3out_name = each.value.l3out
  lifecycle {
    ignore_changes = [schema_id, site_id]
  }
}
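resource "mso_schema_template_bd_subnet" "map" {
  provider   = mso
  depends_on = [mso_schema_template_bd.map, mso_schema_site_bd.map]
  # NDO only, and only for subnets flagged create = true.
  for_each = { for k, v in local.bridge_domain_subnets : k => v if local.controller.type == "ndo" && v.create == true }
  bd_name  = each.value.bridge_domain
  # Use the description when one is given, otherwise fall back to the gateway IP. The
  # previous expression returned length(description) — a number — instead of the text.
  description        = length(each.value.description) > 0 ? each.value.description : each.value.gateway_ip
  ip                 = each.value.gateway_ip
  no_default_gateway = each.value.subnet_control.no_default_svi_gateway
  schema_id          = data.mso_schema.map[each.value.ndo.schema].id
  scope              = each.value.scope.advertise_externally == true ? "public" : "private"
  template_name      = each.value.ndo.template
  shared             = each.value.scope.shared_between_vrfs
  querier            = each.value.subnet_control.querier_ip
  lifecycle { ignore_changes = [schema_id] }
}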