以前に「Terraform で ACI 上に L3out (OSPF) を含む Tenant を作成する」というメモを書きました。このメモでは aci_rest を利用していました。今回は、現時点で最新の ACI 用 Terraform Provider 0.7.1 で、aci_rest を使わない .tf ファイルをメモしておきます。
ACI 用 Terraform Provider の変更履歴
ACI 用 Terraform Provider の変更履歴は下記で確認出来ます。
過去のメモでは「Logical Interface に SVI を設定する」や「L3Out への OSPF 設定関連」で aci_rest を使っていましたが、今回は下記などを利用するように変更しました。
構成図
今回は以下の構成を Terraform で設定します。尚、VRF の Policy Control Enforcement Preference は Unenforced に設定しています。Unenforced の場合、この VRF 内では Contract によるアクセス制御が適用されない点に注意してください。
.tf ファイル
aci_rest を使わないように書き直した .tf ファイルは以下の通りです。
# Tenant that owns the VRF, OSPF interface policy, L3Out, bridge domain and
# application profile defined in this file.
resource "aci_tenant" "tenant1" {
  name = "Tenant1"
}
# VRF referenced by both the L3Out and the bridge domain.
# pc_enf_pref = "unenforced" switches off contract enforcement for this VRF,
# so traffic inside it is not filtered by contracts. That keeps the example
# short; for anything beyond a lab, use "enforced" and define contracts.
resource "aci_vrf" "vrf1" {
  name        = "Vrf1"
  tenant_dn   = "${aci_tenant.tenant1.id}"
  pc_enf_pref = "unenforced"
}
# OSPF interface policy: point-to-point network type with explicit timers.
# Network type and hello/dead timers have to agree with the neighbor; the
# switch-side example on this page also uses point-to-point and sets no
# timers explicitly.
resource "aci_ospf_interface_policy" "ospf_if_p2p" {
  name      = "Point-to-Point"
  tenant_dn = "${aci_tenant.tenant1.id}"

  nw_t         = "p2p"
  cost         = "unspecified"
  prio         = "1"
  pfx_suppress = "inherit"

  # Timers, in seconds.
  hello_intvl  = "10"
  dead_intvl   = "40"
  rexmit_intvl = "5"
  xmit_delay   = "1"
}
# L3 domain looked up by name (data source): it must already exist on the
# fabric; this file does not create it.
data "aci_l3_domain_profile" "l3dom" {
  name = "ExtRoutedDom"
}
# L3Out in Tenant1, attached to Vrf1 and to the L3 domain looked up above.
resource "aci_l3_outside" "l3out1" {
  name      = "L3Out1"
  tenant_dn = "${aci_tenant.tenant1.id}"

  relation_l3ext_rs_ectx       = "${aci_vrf.vrf1.id}"
  relation_l3ext_rs_l3_dom_att = "${data.aci_l3_domain_profile.l3dom.id}"
}
# OSPF settings for the L3Out: regular area 0.0.0.0 with cost 1.
# The neighbor has to sit in the same area; the switch-side example on this
# page uses area 0.0.0.0 as well.
resource "aci_l3out_ospf_external_policy" "l3out1_ospf" {
  l3_outside_dn = "${aci_l3_outside.l3out1.id}"

  area_id   = "0.0.0.0"
  area_type = "regular"
  area_cost = "1"
  area_ctrl = "redistribute,summary"
}
# Logical node profile under L3Out1; the node and interface profile below
# attach to it.
resource "aci_logical_node_profile" "l3out1_lnprof1" {
  name          = "L3Out1_NodeProf"
  l3_outside_dn = "${aci_l3_outside.l3out1.id}"
}
# Adds fabric node 201 in pod 1 to the node profile with router ID
# 10.0.254.201. rtr_id_loop_back = "no" means the router ID is not also
# used as a loopback address.
resource "aci_logical_node_to_fabric_node" "l3out1_lnode1" {
  logical_node_profile_dn = "${aci_logical_node_profile.l3out1_lnprof1.id}"

  tdn              = "topology/pod-1/node-201"
  rtr_id           = "10.0.254.201"
  rtr_id_loop_back = "no"
}
# Logical interface profile; the SVI path attachment and the OSPF interface
# profile below both hang off it.
resource "aci_logical_interface_profile" "l3out1_lifprof1" {
  name                    = "L3Out1_IntProf"
  logical_node_profile_dn = "${aci_logical_node_profile.l3out1_lnprof1.id}"
}
# SVI (if_inst_t = "ext-svi") on node 201 port eth1/1: VLAN 101, address
# 10.0.101.254/24. VLAN and MTU have to match the peer; the switch-side
# example on this page trunks VLAN 101 and sets "ip mtu 1500".
resource "aci_l3out_path_attachment" "lifprof1_port1" {
  logical_interface_profile_dn = "${aci_logical_interface_profile.l3out1_lifprof1.id}"

  target_dn = "topology/pod-1/paths-201/pathep-[eth1/1]"
  if_inst_t = "ext-svi"
  encap     = "vlan-101"
  addr      = "10.0.101.254/24"
  mtu       = "1500"
  autostate = "enabled"
}
# Binds the point-to-point OSPF interface policy to the interface profile.
# NOTE(review): auth_key is empty and no auth_type is set, so the adjacency
# is presumably unauthenticated (confirm the provider default); the
# switch-side example on this page configures no OSPF authentication either.
# Outside a lab, set auth_type / auth_key_id on both peers and pass the key
# in through a variable marked sensitive instead of a literal. The key will
# still be stored in Terraform state, so protect the state file too.
resource "aci_l3out_ospf_interface_profile" "ospf_if_prof1" {
  logical_interface_profile_dn = "${aci_logical_interface_profile.l3out1_lifprof1.id}"
  relation_ospf_rs_if_pol      = "${aci_ospf_interface_policy.ospf_if_p2p.id}"

  auth_key = ""
}
# External EPG of L3Out1; which external addresses it covers is defined by
# the aci_l3_ext_subnet resource that points at it.
resource "aci_external_network_instance_profile" "l3out1_epg1" {
  name          = "ExtEpg1"
  l3_outside_dn = "${aci_l3_outside.l3out1.id}"
}
# 0.0.0.0/0 with scope "import-security" classifies every external address
# into ExtEpg1. This listing defines no contracts and the VRF is unenforced,
# so nothing restricts what those external sources can reach. When moving to
# an enforced VRF, narrow this prefix where possible and attach contracts.
resource "aci_l3_ext_subnet" "l3out1_subnet1" {
  external_network_instance_profile_dn = "${aci_external_network_instance_profile.l3out1_epg1.id}"

  ip    = "0.0.0.0/0"
  scope = ["import-security"]
}
# Bridge domain in Vrf1, associated with L3Out1 so that its subnet can be
# advertised through that L3Out.
resource "aci_bridge_domain" "bd1" {
  name      = "Bd1"
  tenant_dn = "${aci_tenant.tenant1.id}"

  relation_fv_rs_ctx       = "${aci_vrf.vrf1.id}"
  relation_fv_rs_bd_to_out = ["${aci_l3_outside.l3out1.id}"]
}
# Gateway subnet of Bd1. scope "public" marks it as advertised externally,
# i.e. 10.0.102.0/24 becomes reachable from the OSPF neighbor's side.
resource "aci_subnet" "bd1_subnet" {
  parent_dn = "${aci_bridge_domain.bd1.id}"

  ip    = "10.0.102.254/24"
  scope = ["public"]
}
# Application profile that contains Epg1.
resource "aci_application_profile" "ap1" {
  name      = "Ap1"
  tenant_dn = "${aci_tenant.tenant1.id}"
}
# Physical domain looked up by name (data source): it must already exist on
# the fabric; this file does not create it.
data "aci_physical_domain" "physdom" {
  name = "PhysDom"
}
# EPG in Ap1, bound to bridge domain Bd1.
resource "aci_application_epg" "epg1" {
  name                   = "Epg1"
  application_profile_dn = "${aci_application_profile.ap1.id}"

  relation_fv_rs_bd = "${aci_bridge_domain.bd1.id}"
}
# Associates Epg1 with the physical domain looked up above.
resource "aci_epg_to_domain" "epg1_physdom" {
  application_epg_dn = "${aci_application_epg.epg1.id}"
  tdn                = "${data.aci_physical_domain.physdom.id}"
}
# Static path binding: Epg1 on node 202 port eth1/1 with VLAN 102.
# NOTE(review): the local name "egp1_port1" looks like a typo for
# "epg1_port1". It is left as is, because renaming changes the resource
# address Terraform tracks.
resource "aci_epg_to_static_path" "egp1_port1" {
  application_epg_dn = "${aci_application_epg.epg1.id}"

  tdn   = "topology/pod-1/paths-202/pathep-[eth1/1]"
  encap = "vlan-102"
}
L3 Switch 側の設定
L3Out の接続先 L3 Switch の設定例は以下の通りです。
! L3 switch side of the L3Out: VRF 101, a trunk carrying VLAN 101 toward the
! ACI leaf, and an SVI in that VLAN running OSPF process 101 in area 0.0.0.0.
ip vrf 101
!
! Trunk toward the ACI leaf; only VLAN 101 is allowed on it.
! NOTE(review): portfast on a trunk skips the normal STP transition delay;
! confirm that is intended for the device on the far end before reusing this.
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 101
 switchport mode trunk
 spanning-tree portfast trunk
 no shutdown
!
! SVI peering with the ACI-side SVI in the same /24. MTU 1500, network type
! point-to-point and area 0.0.0.0 mirror the ACI-side settings.
! NOTE(review): no OSPF authentication is configured here, consistent with the
! empty auth_key on the ACI side of this example. Outside a lab, configure
! OSPF authentication on both ends so only the intended peer can form an
! adjacency.
interface Vlan101
 ip vrf forwarding 101
 ip address 10.0.101.1 255.255.255.0
 ip mtu 1500
 ip ospf network point-to-point
 ip ospf 101 area 0.0.0.0
!
! OSPF process 101 runs inside VRF 101 with a fixed router ID.
router ospf 101 vrf 101
 router-id 10.0.101.1
!
end