Terraform を使って Cisco ACI に「L3out を作成する」サンプルをメモしておきます。
構成
Terraform で以下の構成を設定します。
Terraform の設定ファイル
Terraform の設定ファイルは以下の通りです。
- variables.tf
- main.tf
- aci.tf
variables.tf
variable "aci_url" { default = "https://10.0.0.1" }
variable "aci_username" { default = "admin" }
variable "aci_password" { default = "password" }
variable "tenant" { default = "Tenant1" }
variable "vrf" { default = "VRF" }
variable "contract1" { default = "CT" }
variable "l3dom" { default = "ExtRoutedDom" }
variable "l3out1" { default = "L3out" }
variable "lnode1_tdn" { default = "topology/pod-1/node-201" }
variable "lnode1_rtr_id" { default = "10.0.254.201" }
variable "lnode1_rtr_id_loop_back" { default = "no" }
variable "l3out1_att_addr" { default = "10.0.100.254/24" }
variable "l3out1_att_autostate" { default = "enabled" }
variable "l3out1_att_encap" { default = "vlan-100" }
variable "l3out1_att_ifInstT" { default = "ext-svi" }
variable "l3out1_att_mtu" { default = "1500" }
variable "l3out1_att_tDn" { default = "topology/pod-1/paths-201/pathep-[eth1/1]" }
variable "bd1" { default = "VL101_BD" }
variable "bd1_subnet" { default = "10.0.101.254/24" }
variable "ap1" { default = "AP" }
variable "physdom" { default = "PhysDom" }
variable "epg1" { default = "VL101_EPG" }
variable "egp1_port1_tdn" { default = "topology/pod-1/paths-201/pathep-[eth1/2]" }
variable "egp1_port1_vlan" { default = "vlan-101" }
variable "epg1_contract1_type" { default = "provider" }main.tf
terraform {
required_providers {
aci = {
source = "CiscoDevNet/aci"
version = "0.5.4"
}
}
}
provider "aci" {
username = var.aci_username
password = var.aci_password
url = var.aci_url
insecure = true
}aci.tf
現時点の Terraform には Logical Interface を定義する Resource が無い為、aci_rest Resource を使って REST API を呼び出します。 aci_rest を使うと Terraform が依存関係を自動解決出来なくなってしまう為、aci_rest に depends_on で明示的に依存関係を定義しています。 また、Terraform で作成した Tenant を手動で作成すると terraform.tfstate が意図しない内容で残ってしまうのか、それ以降 aci_rest が上手く実行されなくなります。 こういった場合は「Tenant は terraform destroy で削除する」か、または「terraform.tfstate を手動で削除する」ことで回避出来るようです。
# Tenant
resource "aci_tenant" "tenant" {
name = var.tenant
}
# VRF
resource "aci_vrf" "vrf" {
tenant_dn = aci_tenant.tenant.id
name = var.vrf
}
# Contract / Subject / Filter
resource "aci_filter" "any" {
tenant_dn = aci_tenant.tenant.id
name = "any_Filt"
}
resource "aci_filter_entry" "entry1" {
name = "0010"
filter_dn = aci_filter.any.id
ether_t = "unspecified"
}
resource "aci_contract" "contract1" {
tenant_dn = aci_tenant.tenant.id
name = var.contract1
}
resource "aci_contract_subject" "subject1" {
contract_dn = aci_contract.contract1.id
name = "${var.contract1}_Subj"
relation_vz_rs_subj_filt_att = [aci_filter.any.id]
}
# Domain
data "aci_l3_domain_profile" "l3dom" {
name = var.l3dom
}
# L3Out
resource "aci_l3_outside" "l3out1" {
tenant_dn = aci_tenant.tenant.id
name = var.l3out1
relation_l3ext_rs_ectx = aci_vrf.vrf.id
relation_l3ext_rs_l3_dom_att = data.aci_l3_domain_profile.l3dom.id
}
resource "aci_logical_node_profile" "lnprof1" {
l3_outside_dn = aci_l3_outside.l3out1.id
name = "${var.l3out1}_NodeProf"
}
resource "aci_logical_node_to_fabric_node" "lnode1" {
logical_node_profile_dn = aci_logical_node_profile.lnprof1.id
tdn = var.lnode1_tdn
rtr_id = var.lnode1_rtr_id
rtr_id_loop_back = var.lnode1_rtr_id_loop_back
}
resource "aci_logical_interface_profile" "lifprof1" {
logical_node_profile_dn = aci_logical_node_profile.lnprof1.id
name = "${var.l3out1}_IntProf"
relation_l3ext_rs_path_l3_out_att = toset([var.l3out1_att_tDn])
}
resource "aci_rest" "l3out1_att" {
path = "/api/mo/uni/tn-${var.tenant}/out-${aci_l3_outside.l3out1.name}/lnodep-${aci_logical_node_profile.lnprof1.name}/lifp-${aci_logical_interface_profile.lifprof1.name}.json"
class_name = "l3extRsPathL3OutAtt"
content = {
"addr" = var.l3out1_att_addr
"autostate" = var.l3out1_att_autostate
"encap" = var.l3out1_att_encap
"ifInstT" = var.l3out1_att_ifInstT
"mtu" = var.l3out1_att_mtu
"tDn" = var.l3out1_att_tDn
}
depends_on = [
aci_logical_interface_profile.lifprof1,
]
}
# L3Out1 External EPG
resource "aci_external_network_instance_profile" "l3out1_epg1" {
l3_outside_dn = aci_l3_outside.l3out1.id
name = "${var.l3out1}_L3PEG"
relation_fv_rs_cons = [aci_contract.contract1.id]
}
resource "aci_l3_ext_subnet" "l3out1_subnet1" {
external_network_instance_profile_dn = aci_external_network_instance_profile.l3out1_epg1.id
ip = "0.0.0.0/0"
scope = ["import-security"]
}
# BD1
resource "aci_bridge_domain" "bd1" {
tenant_dn = aci_tenant.tenant.id
name = var.bd1
relation_fv_rs_ctx = aci_vrf.vrf.id
}
resource "aci_subnet" "bd1_subnet" {
parent_dn = aci_bridge_domain.bd1.id
ip = var.bd1_subnet
}
# Application Profile
resource "aci_application_profile" "ap1" {
tenant_dn = aci_tenant.tenant.id
name = var.ap1
}
# Domain
data "aci_physical_domain" "physdom" {
name = var.physdom
}
# EPG1
resource "aci_application_epg" "epg1" {
application_profile_dn = aci_application_profile.ap1.id
name = var.epg1
relation_fv_rs_bd = aci_bridge_domain.bd1.id
}
resource "aci_epg_to_domain" "epg1_physdom" {
application_epg_dn = aci_application_epg.epg1.id
tdn = data.aci_physical_domain.physdom.id
}
resource "aci_epg_to_static_path" "egp1_port1" {
application_epg_dn = aci_application_epg.epg1.id
tdn = var.egp1_port1_tdn
encap = var.egp1_port1_vlan
}
resource "aci_epg_to_contract" "epg1_contract1" {
application_epg_dn = aci_application_epg.epg1.id
contract_dn = aci_contract.contract1.id
contract_type = var.epg1_contract1_type
}
コメント