ACI Infrastructure as Code with Ansible and Terraform.pdf

Document ID: 138892, PDF, 91 pages, 4.68 MB

Introduction to Infrastructure as Code for ACI with Ansible and Terraform
BRKDCN-2906

Thomas Renzy, Technical Leader CX (ThomasRenzy)
Rafael Muller, Principal Engineer CX (rafaeljmuller)

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public. #CiscoLive

Agenda
- What is Infrastructure as Code?
- Infrastructure as Code with Ansible
- Infrastructure as Code with Terraform
- Next steps

What is Infrastructure as Code?

What is Infrastructure as Code (IaC)?
- Most think of building/managing Cloud Infrastructure
- Traditionally, network operators connect to devices and make changes to the configuration (CLI, "finger net", Application).
- Automation tools: Ansible/Terraform
- Define what the intended state of the infrastructure should be.
- The automation tool reads it and applies changes to devices to match the intended state. (Declarative)
- The management & provisioning of computer infrastructure through code and data structures instead of direct device management.

Infrastructure as Code Tools
- SCM: Git, GitHub, GitLab, Bitbucket
- Execution Software: Ansible, Terraform, Chef, Puppet, AWS CloudFormation, Google Cloud Deployment Manager, Pulumi, Vagrant, SaltStack
- Pipeline: Jenkins, Drone, CircleCI, Travis CI, GitHub Actions

Infrastructure as Code for Network Ops
1. User commits changes to data source in SCM that define what the config of the fabric should be.
2. An automated pipeline application notices the change in the SCM and activates a series of actions.
3. An execution runner is triggered by the automation pipeline, reads the data from SCM (git) and configures the devices.

Infrastructure as Code with Ansible

What is Ansible?
- Automation/Configuration/Orchestration tool
- Open Source
- Agentless
- Push Model
- Produces the same results no matter how many times it is executed*
- No programming knowledge required
- Requires only data-structure manipulation knowledge
- APIC/NDO REST API interaction
* idempotent

What makes up Ansible?
- Engine: Ansible Core, Python, Collections (ACI Module, MSO Module)
- Intent: Playbooks, Tasks, Inventory, Roles
- Platform: WSL
- Target: APIC and MSO, each reached over its REST API

Installing Ansible: Python Virtual Environments
- You should use a virtual environment.
- A proper virtual environment allows installing Ansible inside a contained area with a specific version of Python.
- Makes it possible to run different Python scripts that require different versions of Python and of Python libraries.
- Detailed steps are beyond the scope of this session.
- virtualenv

PyENV (Reference Slide)
- PyENV is the best mechanism to control Python virtual environments
- Allows control of the Python version to execute, independent of the system version
- PyENV virtualenv also needed
- Virtual Environment in Python: https:/
- Instructions:

    % pyenv install 3.9.11              # install a version of python
    % pyenv virtualenv 3.9.11 ansible   # create virtual-environment
    % mkdir my_ansible_dir              # create directory for your ansible work
    % pyenv local ansible               # tell PyENV the virtual-env to use here

Ansible install: Core or Everything

    % pip install ansible-core

- Ansible installs only the core components
- Collections must be installed by you
- Smaller footprint and more control
- Assures install of latest collection version released!

    % pip install ansible

- Ansible installs all collections with the Ansible install
- Complete package but consumes much more disk space.
- Might not install the latest version of the collection!
- https:/

Collections

What are Ansible collections?
- Introduced in Ansible 2.9
- Collections allow vendors to de-couple their Ansible capabilities (modules) from the core Ansible release schedule
- Uses Ansible Galaxy as the delivery vehicle.
- Collection can be installed in any location with the -p flag
- ACI - https:/

    % ansible-galaxy collection install cisco.aci cisco.mso

Installing Ansible Collections (Reference Slide)
- Command
- Required packages
- Collection can be installed in any location with the -p flag

Ansible ACI/MSO: Collection Modules
- Primary reason they are called collections is because they are a collection of modules
- Modules perform specific tasks like create EPGs, Bridge domains and more
- Actively maintained with regular cadence that increases module count and capability
- https:/

Ansible ACI/MSO: Collection Modules (CLI) (Reference Slide)

    % ansible-doc -l | grep cisco.aci
    cisco.aci.aci_aaa_ssh_auth
    cisco.aci.aci_aaa_
    cisco.aci.aci_aaa_user_certificate

    % ansible-doc cisco.aci.aci_aaa_user
    Manage AAA users on Cisco ACI fabrics.
    OPTIONS (= is mandatory):
    - aaa_password
        The password of the locally-authenticated user.
        default: null
        type: str
    - aaa_password_lifetime
        The lifetime of the locally-authenticated user password.
        default: null
        type: int
    EXAMPLES:
    - name: Add a user
      cisco.aci.aci_aaa_user:
        host: apic
        username: admin
        password: SomeSecretPassword
        aaa_user: dag
        aaa_password: AnotherSecretPassword
        expiration: never
        expires: no
        email:
        phone: 1-234-555-678
        first_name: Dag
        last_name: Wieers
        state: present
      delegate_to: localhost

- Use the CLI also to reach the module documentation.
- Use grep to filter through all the available documentation installed.
- The command ansible-doc will present the CLI version of the doc.
- Will match what is on the web

Modules
- Always use the fully qualified name for the module
- The modules require values assigned to the parameters that define how you wish to configure ACI
- Documentation provides details as to default values and required values
- No programming knowledge required. Just data structure build out.

    - name: Create a Bridge Domain
      cisco.aci.aci_bd:
        host: 10.1.1.1
        username: admin
        password: password
        tenant: prod
        vrf: prod_vrf
        bd_type: ethernet
        bd: web_servers
        arp_flooding: yes
        l2_unknown_unicast: flood
        validate_certs: no
        state: present
      delegate_to: localhost

- Callouts on the task: Namespace, Collection Name, Module Name, Parameter, Value

Ansible Collection Naming - Modules (Reference Slide)
- Uses Fully Qualified Collection Name
- Name Space - Functional content category
- Collection Name - Characteristics of the collection content
- Module Name - Name of the module
- Best practice is to always use the fully qualified name, even for core modules
- Example ACI Collection Tenant Module: cisco.aci.aci_bd (Name Space: cisco, Collection Name: aci, Module Name: aci_bd)

Ansible Concepts

Ansible Directory Structure: Best Practice for growth!
- roles: How to do it!
- playbooks: What to do!
- group_vars, files: Data to do it!
- inventory.yaml: Who to do it!

Ansible Data Structures (YAML): YAML Ain't Markup Language
- Human Readable Data Serialization Language
- Used in plays, playbooks and inventory files
- Best practice is to use a software focused text editor (e.g. Notepad++) or IDE (e.g. VSCode) with language assistant support of YAML data-structures.
- Indentation is very important, and the proper editor will simplify this for you
- Editors: Microsoft VSCode, ATOM, PyCharm, Eclipse, Notepad++

Ansible Roles: How to do it!
- Roles are content directories that are structured in a conventional way to enable simple reuse
- Roles let you automatically load related vars, files, tasks, handlers, and other Ansible artifacts based on a known file structure.
- This allows for better data organization in your repository.
- You utilize roles to combine tasks that complete an objective.

    % ansible-galaxy init

- In this example we are creating a role that will configure access policy VLAN pools:

    % ansible-galaxy init ap-vlans

Ansible Playbooks: What to do!
- Playbooks define the set of actions that you want Ansible to complete.
- Can contain specific tasks or reference roles that contain the tasks
- Best practice is to use roles!
- Example playbook with roles:

Ansible Inventory: Who to do it to!
- Ansible inventory allows you to build data structures that correlate host specific variables
- Allows for grouping, variable inheritance to organize your ACI fabric APICs
- Two formats are common: INI and YAML. Best practice is to use YAML (less confusing)
- Example inventory file:

JINJA "type" variables: Variable substitution
- Ansible uses Jinja2 to enable dynamic expressions and access to variables and facts
- Defined by curly brackets inside quotes. Similar to how JINJA2 works

    vars:
      username: john
      password: doe

    - name:
      ansible.builtin.copy:
        username: "{{ username }}"
        password: "{{ password }}"

Putting it all together
- playbooks, inventory, roles

Executing Ansible

    % ansible-playbook -i

Details for ACI

Playbooks: Structure for ACI

    ---
    - hosts: east-fabric
      gather_facts: false
      connection: local
      any_errors_fatal: true
      ignore_errors: false
      roles:
        - roles/ap-vlans
        - roles/ap-domains
        - roles/ap-aep

- gather_facts: For ACI we set gather_facts to false as we don't need Ansible to connect to APIC to get any host data. Ansible uses the REST interface.
- connection: For ACI connection is local, as the computer that is executing the automation starts the connection local to the ACI fabric.
- any_errors_fatal, ignore_errors: Control if faults continue or stop
- roles: The roles that this playbook will execute
- In Ansible order matters! You can't create a physical domain that points to a VLAN Pool without first creating the pool

Tasks in Roles: Structure for ACI

    ---
    # tasks file for ap-vlans
    - name: Create Engineering VLAN Pool
      cisco.aci.aci_vlan_pool:
        host: "{{ inventory_hostname }}"
        username: "{{ username }}"
        password: "{{ password }}"
        pool: eng_vlan_pool
        pool_allocation_mode: static
        description: "(Ans) Engineering Server VLAN Pools"
        state: present
        validate_certs: no
        use_ssl: yes
      delegate_to: localhost

- Callouts on the task: Task name, namespace, collection name, module
- For each module we must pass the host, username and password
- These values define how the VLAN Pool will be configured
- State is present for creation and absent for deletion
- Set validate_certs to no, and use_ssl to yes for self-signed cert-based HTTPS connection to the fabric

Authentication: Best Practices

Username & Password
- Method works with both ACI and NDO
- Easiest approach after ACI 5.x HTTP throttle changes
- Important to avoid username and password stored inside source code repository
- Very hard to remove once added!
- Ansible Vault is the most secure, but you can get started easily with environment variables.

Certificate Based
- Used in releases prior to ACI 5.x due to HTTP interface throttle
- In ACI 5.x and higher, interface throttle is a configurable option in ACI
- Ansible Vault can be used to store the key.
- Certificate based is not an option for MSO today.
- Requires a local user on APIC
- Configured with proper user role and security domain

Using Environment Variables (Reference Slide)
- Instead of inserting credentials that are very difficult to remove from an SCM (GIT) you can use environment variables.
- Set environment variable before ansible-playbook execution

    ---
    # tasks file for ap-vlans
    - name: Create Engineering VLAN Pool
      cisco.aci.aci_vlan_pool:
        host: "{{ inventory_hostname }}"
        username: "{{ lookup('env', 'APIC_USERNAME') }}"
        password: "{{ lookup('env', 'APIC_PASSWORD') }}"
        pool: eng_vlan_pool
        pool_allocation_mode: static
        description: "(Ans) Engineering Server VLAN Pools"
        state: present
        validate_certs: no
        use_ssl: yes
      delegate_to: localhost

    bash/zsh
    % export APIC_USERNAME=admin
    % export APIC_PASSWORD=password

ACI REST Fallback Module: How to configure ACI when a module is missing
- The module aci_rest allows passing an ACI structured object when a module isn't available.
- This makes it possible for Ansible to accomplish 100% configuration of ACI
- An example:

    - name: Create Route Map for L3out (rtctrlProfile)
      cisco.aci.aci_rest:
        path: /api/node/mo/uni/tn-{{ item.tenant }}/out-{{ item.l3out }}/prof-{{ item.name }}.json
        method: post
        content:
          rtctrlProfile:
            attributes:
              dn: "uni/tn-{{ item.tenant }}/out-{{ item.l3out }}/prof-{{ item.name }}"
              name: "{{ item.name }}"
              descr: "{{ item.description }}"
              status: "created,modified"
            children: []
      delegate_to: localhost
      loop: "{{ all_l3out_route_maps }}"
      when: all_l3out_route_maps is defined
      tags:
        - never
        - create

Non-Optimal
- In the previous example we "hard coded" some values to create a VLAN Pool.
- This would require that we create a new task for every single VLAN pool to be configured.
- Not optimal for repetition
- There is a better approach through reference and iteration!

    ---
    # tasks file for ap-vlans
    - name: Create Engineering VLAN Pool
      cisco.aci.aci_vlan_pool:
        host: "{{ inventory_hostname }}"
        username: "{{ username }}"
        password: "{{ password }}"
        pool: eng_vlan_pool                                    # hard coded
        pool_allocation_mode: static                           # hard coded
        description: "(Ans) Engineering Server VLAN Pools"     # hard coded
        state: present
        validate_certs: no
        use_ssl: yes
      delegate_to: localhost

Variable lists: Looping through data
- Lists (also known as arrays) are a sequential set of values.
- These can contain what is known as dictionaries (also known as objects).
- This allows you to reference specific items inside of the task and iterate over these in a repetitive way
- List of four objects:

    vlan_pools:
      - vlan_pool_name: "eng_vlan_pool"
        vlan_pool_description: "(Ans) Eng VLAN Pool"
        vlan_pool_mode: "static"
      - vlan_pool_name: "mkt_vlan_pool"
        vlan_pool_description: "(Ans) Mkt VLAN Pool"
        vlan_pool_mode: "static"
      - vlan_pool_name: "hr_vlan_pool"
        vlan_pool_description: "(Ans) HR VLAN Pools"
        vlan_pool_mode: "static"
      - vlan_pool_name: "sales_vlan_pool"
        vlan_pool_description: "(Ans) Sales VLAN Pools"
        vlan_pool_mode: "static"

Iteration explained: Looping through data

roles/ap-vlans/vars/main.yaml

    ---
    # vars file for ap-vlans
    vlan_pools:
      - vlan_pool_name: "eng_vlan_pool"
        vlan_pool_description: "(Ans) Eng VLAN Pool"
        vlan_pool_mode: "static"
      - vlan_pool_name: "mkt_vlan_pool"
        vlan_pool_description: "(Ans) Mkt VLAN Pool"
        vlan_pool_mode: "static"
      - vlan_pool_name: "hr_vlan_pool"
        vlan_pool_description: "(Ans) HR VLAN Pools"
        vlan_pool_mode: "static"
      - vlan_pool_name: "sales_vlan_pool"
        vlan_pool_description: "(Ans) Sales VLAN Pools"
        vlan_pool_mode: "static"

roles/ap-vlans/tasks/main.yaml

    ---
    # tasks file for ap-vlans
    - name: Create VLAN Pools
      cisco.aci.aci_vlan_pool:
        host: "{{ inventory_hostname }}"
        username: "{{ username }}"
        password: "{{ password }}"
        pool: "{{ item.vlan_pool_name }}"
        pool_allocation_mode: "{{ item.vlan_pool_mode }}"
        description: "{{ item.vlan_pool_description }}"
        state: present
        validate_certs: no
        use_ssl: yes
      delegate_to: localhost
      loop: "{{ vlan_pools }}"
      when: vlan_pools is defined

Executing the playbook with the list of VLANS

A word about variables

Better variables: Placement matters!
- Including the variables with the role can result in role duplication
- A better approach is to move the variables to a location that can be structured with the inventory for better organization
- roles: How to do it!
- playbooks: What to do!
- group_vars, files: Information to do it!
- inventory.yaml: Who to do it!

Variable Hierarchy: A clean way to organize data
- group_vars: Vlan_pools.yaml
- roles: defaults, files, handlers, meta, tasks, template, tests, vars (main.yaml)
- Move the variable from the roles file structure into the group_vars structure

The links between locations: Managed by variable precedence
- group_vars/east_fabric: Vlan_pools.yaml, aeps.yaml, policy_groups.yaml
- group_vars/west_fabric: Vlan_pools.yaml, aeps.yaml, policy_groups.yaml
- roles: ap_vlans, ap_domains, ap_aep
- playbooks/east_fabric: access_policies.yaml

1. Reads the inventory and playbook. Finds that we are referencing east_fabric.
2. Reads the variables in all the files under the directory whose name matches the hostname, east_fabric.
3. Since we are using the same variable named vlan_pools (var: vlan_pools), the role reads the values that are configured in the east_fabric group_vars directory and executes the configuration towards ACI.

Ansible Variable Precedence: Placement matters (Reference Slide)
- Ansible provides variable precedence, which is important when you build your data structure.
- This allows for having some default behaviour that is then changed by just including in higher precedence.
- Using the group_vars folder tied to inventory is very useful.
- https:/

Precedence, from higher to lower:
- vars via CLI (for example, -e user=my_user)
- include params
- role (and include_role) params
- set_facts / registered vars
- include_vars
- task vars (only for the task)
- block vars (only for tasks in block)
- role vars (defined in role/vars/main.yml)
- play vars_files
- play vars_prompt
- play vars
- host facts / cached set_facts
- playbook host_vars/*
- inventory host_vars/*
- inventory file or script host vars
- playbook group_vars/*
- inventory group_vars/*
- inventory group_vars/all
- inventory file or script group vars
- role defaults (defined in role/defaults/main.yml)
- command line values (for example, -u my_user, these are not variables)

Putting it all together
- playbooks, inventory, roles, group_vars

    % ansible-playbook -i inventory/east_fabric playbooks/east-fabric/access-policies.yaml

Executing the playbook with the list of VLANS under group_vars

ACI 6.x Ansible indicators

Infrastructure as Code with Terraform

What is Terraform?
- Open Source
- Infrastructure Provisioning
- Single Binary (Windows, Mac, Linux, Solaris, FreeBSD)
- HashiCorp Configuration Language (HCL)
- APIC/NDO REST API interaction
- No programming knowledge required
- Requires only data-structure knowledge

Installing Terraform
- Single binary installation (version 1.4.6 - latest)
- https:/
- OS, Windows

Terraform Concepts

Terraform Plans/Configuration Files
- Collection of HCL instructions
- What do you want to provision
- .tf extension
- Terraform scans directory
- Can be in a singular file main.tf
- Can be broken up into smaller *.tf
- workspace: main.tf, variables.tf, tenant.tf, vrf.tf, bridge_domain.tf, app_profile.tf, epg.tf

Terraform Providers
- Create/Read/Update/Destroy infrastructure
- Relies on specific vendor plugins
- Downloaded/installed via initialization
- Understands API interactions: APIC and MSO REST API calls
- Can write your own providers: open source, written in Go
- Owned & maintained by HashiCorp. Ex. AWS, Azure, GCP
- Owned & maintained by partners. Ex. ACI, MSO, ASA
- Published by individual groups or maintainers in the community
- https://registry.terraform.io/

Terraform Provider configuration (ACI)
- Terraform configuration
- Provider definition
- Registry namespace CiscoDevNet/aci
- Provider version (2.8 latest)
- Provider configuration
- Signature-Based Authentication
- APIC URL
- HTTP API request

Terraform Provider configuration (MSO/NDO)
- Registry namespace CiscoDevNet/mso
- Provider version 0.10.0 - latest
- Variables substitution
- Must be defined for Nexus Dashboard Orchestrator

Terraform Resources & Data Sources
- Over 230 ACI Resources/Data Sources
- Over 45 MSO Resources/Data Sources

Data Sources
- Allow data to be fetched or computed for use elsewhere in Terraform configuration
- Always Read Only
- Terraform apply/destroy does not modify data source

Resources
- Specific to a given provider (ACI/MSO)
- Accepts arguments
- apply/destroy/modifies resource
- Describes your intent for a particular infrastructure object

Terraform Resource Example
- Callouts: Type of resource, Name of the resource, Start of resource block, End of resource block
- Used in state file
- Must be unique!

Terraform Data Source Example
- Retrieve the data we need

When there isn't a Resource
- aci_rest_managed: Manages Objects via REST API calls with no resource
- Can reconcile state information
- API calls can be captured via API Inspector/APIC GUI
- aci_rest can not reconcile information
- MSO/NDO: mso_rest

Terraform Registry ACI & MSO
- https://registry.terraform.io/providers/CiscoDevNet/aci/latest

Terraform Registry Documentation
- https://registry.terraform.io/providers/CiscoDevNet/aci/latest

Terraform State
- Records information about infrastructure it created (terraform.tfstate)
- Saves locally
- Can use other backends (Remote, AWS, Terraform Cloud)
- Note - Do not modify the state file

Terraform Dependency Mapping
- Uses Graphs to keep track of dependencies and correct order of deployment
- Builds a graph of relationships (Directional tree without loops)
- Graph nodes: Tenant, App Profile, EPG, VRF, BD, BD Subnet

Terraform Graph (Three Tier) (Reference Slide)

Variables in Terraform
- Can be defined: Command line (-var, -var-file), variables.tf, terraform.tfvars, Default config
- If you default blank (""), you will be prompted for value
- Variable Types: String, Number, Bool, Any (default)
- Files shown: variables.tf, l3out.tf

Iteration (loop) in Terraform
- count: Add number of resources based on count
- for_each: Multiple instances of a set or map
- Performs repetitive tasks - Helps avoid duplicating code

Terraform Variables Precedence (Reference Slide)
- Variables have precedence
- Variables can be set, but overridden
- https:/

Precedence, from higher to lower:
- Command Line Flag - run as command line switch
- Configuration file - set in your terraform.tfvars file
- Environment variable - part of your shell environment
- Default Config - default value in variables.tf
- User manual entry - if not specified, prompt the user for entry

Terraform Modules - Reusability
- Reuse configurations in Terraform.
- Self-contained components encapsulate a set of resources, configurations, and dependencies.
- Create a Specific Modules directory
- Files shown: main.tf, tenant.tf
- Note - May need to re-initialize Terraform

Terraform ACI/NDO Authentication

Username & Password
- Method works with both ACI and NDO
- Easiest approach after ACI 5.x HTTP throttle changes
- Not the most secure approach
- Environment Variables substitution
- Set in the provider configuration
- Similar to Ansible.

Certificate Based
- Used in releases prior to ACI 5.x due to NGINX HTTP interface throttle
- In ACI 5.x and higher, interface throttle is a configurable option in ACI
- Not an option for MSO/NDO
- Requires a local user on APIC
- Must set user role & security domain

Deploying Infrastructure as Code with Terraform

Terraform commands: terraform init
- Downloads and installs plugins for configured providers
- Must initialize before plan/apply
- Creates a provider "lock" file

Terraform commands: terraform plan
- Determines what actions are necessary to achieve the desired state
- Preview your changes
- Allows you to review before making any changes

Terraform commands: terraform apply (-auto-approve)
- Scans the current directory for the configuration (.tf & .tfvars extension)
- Preview your changes
- Applies the configuration to targets

Terraform Apply

Terraform commands: terraform destroy
- Scans the state file for what to "destroy"
- Preview your deletions
- Infrastructure is destroyed
- Can be specific with "-target"

Additional Terraform commands (Reference Slide)
- terraform fmt: Format your .tf files
- terraform show: Reads and outputs a Terraform state in a readable format
- terraform state: Advanced State Management
- terraform version: Version of Terraform binary
- terraform graph: Generate a Graphviz graph of the steps in an operation

Ansible and Terraform comparison

Ansible/Terraform comparison

                               Ansible                     Terraform
    Source                     Open Source                 Open Source
    Cisco commitment           Yes!                        Yes!
    IaC Type                   Configuration Management    Provisioning
    Language Type              Procedural                  Declarative
    Stateful                   No                          Yes
    ACI/MSO Modules/Resources  149* / 63*                  230* / 45*
    Written in                 Python                      Go
    TAC Support                Yes                         Yes

* At the time of this presentation

So what?

Recent Exercise (N7k to ACI brownfield)
- Manual Configuration: 6-8 hours
- Automated Configuration: 1.5 hours
- Timeline labels (both windows): Window Start, Cable Movement, Application moves and troubleshooting, Window End
- Other labels: MOP, BuildBook, Tweaking, 20k lines of YAML, Unhappiness and finding new windows to finish

Next Steps

Infrastructure as Code with Terraform and Ansible
- Install and test Terraform and Ansible
  - Available for most platforms
  - Which one works better for you?
  - What are you already using?
- Think big, start small
  - Automate the simple, then build into more complex tasks
- Ease of writing Infrastructure as code with Terraform and Ansible
  - No special programming skills needed
  - Ansible Modules/Terraform Resources for most common tasks
  - Robust APIC/MSO REST API makes automation easy and scalable

More information: Other sessions/labs
- LABDCN-1774 (Walk in Lab - Ansible and ACI)
- LABDCN-1776 (Walk in Lab - Intro to Terraform with ACI)
- BRKDCN-2673 - Nexus-as-Code - Kickstart your automation with ACI
- DEVWKS-2931 - Making your ACI Automation as modular as LEGO bricks using Terraform Modules
- IBODCN-1003 - An Interactive Conversation on ACI Automation through Ansible and Terraform

More information: Ansible/Terraform
- https://www.terraform.io/
- https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs
- https://registry.terraform.io/providers/CiscoDevNet/mso/latest
- https:/
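
The deck's authentication guidance (keep usernames and passwords out of the source repository, prefer environment variables or Ansible Vault) can be checked before a commit reaches the SCM. The script below is an added example, not part of the original session or of the cisco.aci collection; the rule names and the sample tasks are constructed for illustration, modelled on the VLAN pool task shown in the slides.

```python
import re

# Module parameters from the deck's examples that carry a secret.
SECRET_KEYS = {"password", "aaa_password"}
# One "key: value" pair per line, with or without a leading list dash.
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_][\w.]*)\s*:\s*(.*)$")
FALSY = {"no", "false", "off", "0"}


def _clean(value):
    """Drop a trailing YAML comment and one pair of surrounding quotes."""
    value = re.sub(r"\s+#.*$", "", value).strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1].strip()
    return value


def is_indirect(value):
    """True when the value is resolved at run time rather than stored in the file."""
    return (
        value == ""
        or value.startswith("!vault")                          # Ansible Vault ciphertext
        or (value.startswith("{{") and value.endswith("}}"))   # Jinja2 reference/lookup
    )


def scan(text, source="<memory>"):
    """Return (source, line, rule, key) findings; the secret value is never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match.group(1), _clean(match.group(2))
        if key in SECRET_KEYS and not is_indirect(value):
            findings.append((source, lineno, "hardcoded-secret", key))
        elif key == "validate_certs" and value.lower() in FALSY:
            findings.append((source, lineno, "tls-verification-disabled", key))
    return findings


# Constructed sample: the deck's VLAN pool task with literal credentials.
HARDCODED_TASK = """\
- name: Create Engineering VLAN Pool
  cisco.aci.aci_vlan_pool:
    host: "{{ inventory_hostname }}"
    username: admin
    password: SomeSecretPassword
    pool: eng_vlan_pool
    pool_allocation_mode: static
    state: present
    validate_certs: no
    use_ssl: yes
  delegate_to: localhost
"""

# Constructed sample: same task using the environment lookups from the deck.
ENV_TASK = (
    HARDCODED_TASK
    .replace("username: admin", "username: \"{{ lookup('env', 'APIC_USERNAME') }}\"")
    .replace("password: SomeSecretPassword",
             "password: \"{{ lookup('env', 'APIC_PASSWORD') }}\"")
)

if __name__ == "__main__":
    for name, text in (("hardcoded.yaml", HARDCODED_TASK), ("env.yaml", ENV_TASK)):
        for finding in scan(text, name):
            print("%s:%d: %s (%s)" % finding)
```

Both samples still report `validate_certs: no`, which the deck uses for self-signed fabric certificates; the finding marks where certificate verification is switched off so the exception stays visible in review.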
