Terraform で ACI 上に L3out (BGP) を含む Tenant を作成する

Terraform を使って Cisco ACI に「BGP 設定の L3out を作成する」サンプルをメモしておきます（タイトルおよび以下の設定ファイルの通り、bgpExtP / bgpPeerP を使った BGP 構成です）。

構成

Terraform で以下の構成を設定します。

file

Terraform の設定ファイル

Terraform の設定ファイルは以下の通りです。

  1. main.tf
  2. aci.tf

main.tf

# Provider pin. An exact version means every run resolves the same provider
# build; commit the .terraform.lock.hcl that `terraform init` generates next
# to this file so the provider package checksums are pinned as well.
terraform {
  required_providers {
    aci = {
      source  = "CiscoDevNet/aci"
      version = "0.5.4"
    }
  }
}

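# APIC connection settings.
#
# The original sample embedded the admin password and the APIC address as
# literals, which puts live credentials into version control. They are now
# module variables; the provider also reads ACI_USERNAME / ACI_PASSWORD /
# ACI_URL from the environment, so the password can be supplied via
# TF_VAR_aci_password or a *.tfvars file that is kept out of the repository.
variable "aci_username" {
  description = "APIC login user"
  type        = string
  default     = "admin"
}

variable "aci_password" {
  description = "APIC login password; no default so it is never committed"
  type        = string
  sensitive   = true # masked in plan/apply output (Terraform >= 0.14)
}

variable "aci_url" {
  description = "APIC base URL"
  type        = string
  default     = "https://10.0.0.1"
}

variable "aci_insecure" {
  description = "Skip TLS certificate verification of the APIC. Default keeps the original lab behaviour; set to false once the APIC presents a certificate the Terraform runner trusts, otherwise the session could be intercepted"
  type        = bool
  default     = true
}

provider "aci" {
  username = var.aci_username
  password = var.aci_password
  url      = var.aci_url
  insecure = var.aci_insecure
}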

aci.tf

# Tenant that holds the VRF, the L3Out and the external EPG defined below.
# Its id (the DN uni/tn-Tenant1) is what the other resources attach to.
resource "aci_tenant" "tenant" {
  name = "Tenant1"
}

# VRF inside the tenant; the L3Out is bound to it via relation_l3ext_rs_ectx.
resource "aci_vrf" "vrf" {
  tenant_dn = aci_tenant.tenant.id
  name      = "Vrf1"
}

# L3 domain (data source, not a resource): "ExtRoutedDom" must already exist
# on the fabric, together with its AAEP/VLAN pool, or the plan fails here.
data "aci_l3_domain_profile" "l3dom" {
  name = "ExtRoutedDom"
}

# L3Out bound to the VRF and the external routed domain above.
# The resource id is the DN (uni/tn-Tenant1/out-L3out1); the aci_rest
# resources below post their objects underneath it.
resource "aci_l3_outside" "l3out1" {
  tenant_dn                    = aci_tenant.tenant.id
  name                         = "L3out1"
  relation_l3ext_rs_ectx       = aci_vrf.vrf.id
  relation_l3ext_rs_l3_dom_att = data.aci_l3_domain_profile.l3dom.id
}

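# Enable BGP on the L3Out (bgpExtP child of the l3extOut).
# The path is built from the L3Out's id (its DN) instead of repeating the
# tenant and L3Out names as literals, so renaming either resource cannot leave
# this object posted to a stale path. The reference also orders creation after
# the L3Out, which makes the explicit depends_on unnecessary.
resource "aci_rest" "l3out1_bgp" {
  path       = "/api/mo/${aci_l3_outside.l3out1.id}.json"
  class_name = "bgpExtP"
  content = {
    "descr" = ""
  }
}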

# Logical node profile of the L3Out; the fabric node and the interface
# profile below hang off it.
resource "aci_logical_node_profile" "l3out1_lnprof1" {
  l3_outside_dn = aci_l3_outside.l3out1.id
  name          = "L3out1_NodeProf"
}

# Border leaf for this L3Out: node 201 in pod 1 with the given BGP router ID.
# rtr_id_loop_back = "no" presumably keeps ACI from creating a loopback with
# the router ID on the node — confirm against the l3extRsNodeL3OutAtt model.
resource "aci_logical_node_to_fabric_node" "l3out1_lnode1" {
  logical_node_profile_dn  = aci_logical_node_profile.l3out1_lnprof1.id
  tdn                      = "topology/pod-1/node-201"
  rtr_id                   = "10.0.254.201"
  rtr_id_loop_back         = "no"
}

# Logical interface profile. The relation creates the path attachment
# (l3extRsPathL3OutAtt) for eth1/1 on node 201; the aci_rest "l3out1_att"
# resource below then posts the SVI address/encap onto that same object.
# NOTE(review): two resources managing one MO may show as drift on later
# plans — verify after a second `terraform plan`.
resource "aci_logical_interface_profile" "l3out1_lifprof1" {
  logical_node_profile_dn           = aci_logical_node_profile.l3out1_lnprof1.id
  name                              = "L3out1_IntProf"
  relation_l3ext_rs_path_l3_out_att = toset(["topology/pod-1/paths-201/pathep-[eth1/1]"])
}

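# SVI path attachment for eth1/1 on node 201: VLAN 111, 10.0.111.254/24.
# The path is derived from the interface profile's id (its DN) rather than
# re-typing tenant/L3Out/node-profile/interface-profile names, so it stays in
# sync with the names declared on those resources. The reference orders this
# after the interface profile, which replaces the explicit depends_on.
resource "aci_rest" "l3out1_att" {
  path       = "/api/mo/${aci_logical_interface_profile.l3out1_lifprof1.id}.json"
  class_name = "l3extRsPathL3OutAtt"
  content = {
    "addr"      = "10.0.111.254/24"
    "autostate" = "enabled"
    "encap"     = "vlan-111"
    "ifInstT"   = "ext-svi"
    "mtu"       = "1500"
    "tDn"       = "topology/pod-1/paths-201/pathep-[eth1/1]"
  }
}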

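# BGP peer connectivity profile for neighbour 10.0.111.1 on the eth1/1 SVI.
# The leading part of the path comes from the interface profile's id (its DN);
# only the path-attachment and peer RNs are literal. depends_on now points at
# the path attachment the peer lives under, so the SVI is fully configured
# before the peer is posted.
#
# Security note: no session password is set, so the peering has no
# authentication — acceptable in an isolated lab, but for a shared network set
# a peer password (bgpPeerP "password" attribute; confirm against the object
# model) and consider a BGP peer prefix policy (bgpRsPeerPfxPol below is empty)
# to bound how many routes the neighbour may inject.
resource "aci_rest" "l3out1_bgpPeerP" {
  path       = "/api/mo/${aci_logical_interface_profile.l3out1_lifprof1.id}/rspathL3OutAtt-[topology/pod-1/paths-201/pathep-[eth1/1]]/peerP-[10.0.111.1].json"
  class_name = "bgpPeerP"
  content = {
    "addr"             = "10.0.111.1"
    "addrTCtrl"        = "af-ucast"
    "adminSt"          = "enabled"
    "allowedSelfAsCnt" = "3"
    "ttl"              = "1" # directly connected neighbour (single hop)
    "weight"           = "0"
  }
  depends_on = [aci_rest.l3out1_att]
}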

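# Peer prefix policy relation under the BGP peer. The name is empty, so no
# maximum-prefix limit is applied to this neighbour; set it to an existing
# bgpPeerPfxPol name to cap the routes accepted from the peer.
# The path prefix is taken from the interface profile's id (its DN) so it
# matches the names declared on the resources above.
resource "aci_rest" "l3out1_bgpRsPeerPfxPol" {
  path       = "/api/mo/${aci_logical_interface_profile.l3out1_lifprof1.id}/rspathL3OutAtt-[topology/pod-1/paths-201/pathep-[eth1/1]]/peerP-[10.0.111.1].json"
  class_name = "bgpRsPeerPfxPol"
  content = {
    "tnBgpPeerPfxPolName" = ""
  }
  depends_on = [aci_rest.l3out1_bgpPeerP]
}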

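# Remote AS (65111) of the BGP peer, posted under the peer profile.
# The path prefix is taken from the interface profile's id (its DN) so it
# matches the names declared on the resources above.
resource "aci_rest" "l3out1_bgpAsP" {
  path       = "/api/mo/${aci_logical_interface_profile.l3out1_lifprof1.id}/rspathL3OutAtt-[topology/pod-1/paths-201/pathep-[eth1/1]]/peerP-[10.0.111.1].json"
  class_name = "bgpAsP"
  content = {
    "asn" = "65111"
  }
  depends_on = [aci_rest.l3out1_bgpPeerP]
}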

# External EPG of the L3Out. Traffic matched by its subnets below is
# classified into this EPG; it still needs contracts before it can talk to
# internal EPGs.
resource "aci_external_network_instance_profile" "l3out1_epg1" {
  l3_outside_dn       = aci_l3_outside.l3out1.id
  name                = "ExtEpg1"
}

# 0.0.0.0/0 with import-security classifies every external source into
# ExtEpg1, i.e. any contract granted to this EPG applies to all outside
# traffic. Narrow the prefix (or add more specific subnets) when only known
# external networks should reach the tenant. No export-rtctrl/import-rtctrl
# scope is set, so this entry does not influence route advertisement.
resource "aci_l3_ext_subnet" "l3out1_subnet1" {
  external_network_instance_profile_dn = aci_external_network_instance_profile.l3out1_epg1.id
  ip                                   = "0.0.0.0/0"
  scope                                = ["import-security"]
}
