Introduction to Terraform with ACI – Part 2

If you haven’t already seen Part 1 of this blog series, please have a read through. This section will cover ACI + Terraform, and we’ll include a couple of new topics – Terraform importing and data resources.

Read More: 200-901: Developing Applications and Automating Workflows using Cisco Core Platforms (DEVASC)  ​​​​​​​

1. Introduction to Terraform

2. Terraform and ACI​​​​​​​

3. Explanation of the Terraform configuration files

4. Terraform Remote State and Team Collaboration

5. Terraform Providers – How are they built?

Code Example

https://github.com/conmurphy/intro-to-terraform-and-aci

Lab Infrastructure

You may already have your own ACI lab to follow along with however if you don’t you might want to use the ACI Simulator in the DevNet Sandbox.

ACI Simulator AlwaysOn – V4

Terraform ACI Provider and Resources

As explained in the previous post, a Terraform provider is responsible for understanding API interactions and exposing resources.

A Terraform resource describes one or more infrastructure objects, for example in an ACI Tenant, EPG, Contract, BD.

This post will cover the ACI Terraform Provider which includes a large number of resources.

The full list of available resources can be found from the following link.

https://www.terraform.io/docs/providers/aci/index.html

800

Terraform Resource vs Data Sources

Until now we’ve only looked at the provider resource, for example “aci_tenant”.

resource "aci_tenant" "my_terraform_tenant" {

  name        = "tenant_for_terraform"   

  description = "This tenant is created by the Terraform ACI provider"

}

Terraform also includes a concept known as data sources.

Data sources allow a Terraform configuration to make use of information defined outside of Terraform, or defined by another separate Terraform configuration.

https://www.terraform.io/docs/configuration/data-sources.html

It’s important to note that while resources are read/write, data sources are read only. This means we can include information in our configuration file for objects that we may not manage.

For example in the case of ACI, perhaps we want to manage our own app profiles and EPGs in a shared tenant however don’t want Terraform to have any control of the tenant itself.

We can define the shared elements (tenant, BD, VRF, contracts etc) as data sources (read only), and the ANP/EPGs as resources which will be created and deleted by Terraform.

provider "aci" {

  # cisco-aci user name

  username = "${var.username}"

  # cisco-aci password

  password = "${var.password}"

  # cisco-aci url

  url      =  "${var.apic_url}"

  insecure = true

}

data "aci_tenant" "my_shared_tenant" {

  name = "my_shared_tenant"

}

data "aci_bridge_domain" "my_shared_bd" {

  tenant_dn   = "${data.aci_tenant. my_shared_tenant.id}"

  name        = "my_shared_bd"

}

resource "aci_application_profile" "terraform_app" {

  tenant_dn = "${data.aci_tenant. my_shared_tenant.id}"

  name       = "demo_app_profile"

}

resource "aci_application_epg" "my_web_epg" {

    application_profile_dn  = "${aci_application_profile.terraform_app.id}"

    name                            = "db_epg"

    description                   = "%s"

    annotation                    = "tag_epg"

    exception_tag               = "0"

    flood_on_encap            = "disabled"

    fwd_ctrl                    = "none"

    has_mcast_source            = "no"

    is_attr_based_e_pg      = "no"

    match_t                         = "AtleastOne"

    name_alias                  = "alias_epg"

    pc_enf_pref                 = "unenforced"

    pref_gr_memb                = "exclude"

    prio                            = "unspecified"

    shutdown                    = "no"

  }

As you can see above we have defined two data sources (my_shared_tenant and my_shared_bd). These are then referenced in the aci_application_profile resource using the format, “${data.aci_tenant. my_shared_tenant.id}“.

Remember from the previous post that some properties such as IDs are computed behind the scenes without the need to hard code values.

NOTE: You’ll need to ensure that any data sources you’re referencing already exist in the ACI fabric. For example the bridge domain, “my_shared_bd”, already exists in the tenant, “my_shared_tenant” in our lab. If these data sources don’t already exists you will receive an error.

So using these two concepts we can build the desired configuration for our ACI fabric. Some Terraform ACI configuration has already been provided above and in the previous post. To help you get started the ACI Business Unit have created a large number of example configuration files which you can find from the following link.

https://github.com/terraform-providers/terraform-provider-aci/tree/master/examples

Additionally, for any customer configuration you may want to create, the following document includes the entire list of available resources for the ACI provider.

https://www.terraform.io/docs/providers/aci/index.html

These resources should give you a good start on your journey to managing ACI with Terraform.

But wait, there’s more! There are a couple of questions that are often asked in relation to the ACI provider.

◉ Is this only for greenfield deployments?

◉ Can I configure everything through Terraform?

◉ What happens if I manually configure ACI?

Importing With Terraform

ACI may already exist in many customer environments when they start to use Terraform. Alternatively, a customer new to ACI and Terraform may not want to learn both at the same time, choosing to first learn ACI and then migrate configuration to Terraform.

Luckily Terraform supports (for some providers) the importing of existing configuration to address these common scenarios.

terraform import

Remember there are two main files we’re working with, the configuration (.tf) and the state (terraform.tfstate) files.

Currently the “Terraform Import” command will only import what it learns about the existing infrastructure into the state (terraform.tfstate) file. It will not automatically append this into the configuration file.

This is a manual process you must complete.

https://www.terraform.io/docs/import/index.html​​​​​​​

Step 1 – Add the new resources to the configuration (.tf) file.

resource "aci_tenant" "myTenant" {

}

You only need to define the resource.

If you configure a property such as a name and then import from an existing resource, the values will be overwritten.

resource "aci_tenant" "myTenant" {

  name = “myTenant1”

}

In this example if the ACI tenant is named “myTenant”, when first importing Terraform will use “myTenant” in the state file. The configuration file is not updated on an import and therefore “myTenant1” will not be changed. Later when you run the apply command, Terraform will update the ACI fabric with the new name, “myTenant1”

Step 2 – Run the import command

Terraform identifies ACI objects with their Distinguished Name (Dn) and the Terraform resource ID is the absolute path of ACI object in the DMIT.

For example, the ID of an ACI tenant, myTenant, is uni/tn-myTenant. The ID of an ACI VRF, vrf1, in myTenant is uni/tn-myTenant/ctx-vrf1

The import command is used as follows:

terraform import <resource name> <resource id>

e.g terraform import aci_tenant.myTenant uni/tn-myTenant

We added the aci_tenant.myTenant resource to the configuration file in Step 1. This command is now assigning an ID, the ACI Tenant Dn (uni/tn-myTenant), to the resource and will also import existing configuration.

Step 3 – Repeat for all required resources

This used the ACI tenant as an example however you may also need to import other resources such as bridge domains, VRFs, EPGs, contract. You would repeat the steps above for each of these resources. First add them all as resources and then run the import command referencing the name of the resource and the ACI Dn as ID.

ACI REST Resource

There are many properties of ACI that can be configured, however not all exist as Terraform resources in the ACI provider. For this reason the aci_rest resource was created and allows you to configure ACI Objects through the REST API. Any Model Object that is not supported by the provider can be created/managed using this resource.

As a result, anything that can be configured through the ACI REST API can be configured and managed by Terraform. Either through a native resource (e.g. aci_tenant), or using the API (aci_rest resource).

Here’s an example of creating an L3Out.

resource "aci_rest" "rest_l3_ext_out" {

  path       = "/api/node/mo/${aci_tenant.tenant_for_rest_example.id}/out-test_ext.json"

  class_name = "l3extOut"​​​​​​​

  content = {

    "name" = "test_ext"

  }

}

These is the same configuration you would find in a Python script making raw calls to the ACI API, only this is wrapped in a Terraform resource.

Note as well that you can still reference existing variables or properties such as the aci_tenant id.

https://www.terraform.io/docs/providers/aci/r/rest.html

Config Drift

“What happens if someone manually configures a resource Terraform is managing?”

This is a common question not only for Terraform but anytime we are using external tools to manage infrastructure.

In the case of ACI we can test it out and see what happens.

Step 1 – First create a tenant, my_terraform_tenant, with the following description.

resource "aci_tenant" "my_terraform_tenant" {

  name        = "tenant_for_terraform"   

  description = "This tenant is created by the Terraform ACI provider"

}

Step 2 –  Login to the GUI and under the Tenant -> Policy, update the description.

Step 3 – Run the terraform plan command and see what will happen

You should see that one change will be made to reconfigure the tenant description.

This validates what we have previously learnt. Terraform will attempt to maintain consistency between the desired configuration (.tf files) and the current state (terraform.tfstate file) of the infrastructure. If it notices that the state has been changed (manually in our case), it will reconfigure the infrastructure.

800800

Modifying Attributes vs Resources

Be aware that the outcome above may not always be the same when working with Terraform and ACI. Let’s run another test and see what happens.

Step 1 – Create a tenant, BD, and subnet with the following configuration.​​​​​​​

resource "aci_tenant" "myTenant" {

  name        = "myTenant"   

}

resource "aci_bridge_domain" "bd_for_subnet" {

  tenant_dn   = "${aci_tenant.myTenant.id}"

  name        = "bd_for_subnet"

  description = "This bridge domain is created by the Terraform ACI provider"

}

resource "aci_subnet" "demosubnet" {

  bridge_domain_dn                    = "${aci_bridge_domain.bd_for_subnet.id}"

  ip                                  = "10.1.1.1/24"

  scope                               = "private"

  description                         = "This subject is created by Terraform"

}

Step 2 – Through the ACI GUI, create a new subnet in the same bridge domain. I’ve used 172.16.1.1/24 as an example.

Step 3 – Run the terraform plan again and have a look at the output. You shouldn’t see any changes.

Step 4 – Delete the 10.1.1.1/24 subnet from the bridge domain, keeping the new subnet.​​​​​​​​​​​​​​

Step 5 – Run another plan and see the output. You should see that Terraform will add back the 10.1.1.1/24 subnet when applied. However it doesn’t know about the new subnet ,172.16.1.1/24, so this is left untouched.

This means we again have two subnets on the bridge domain.

Why is this happening?

Terraform tracks resources by an ID and a name. When it notices that a property (e.g. description) in a resource (e.g. aci_tenant) has changed, it updates the infrastructure to match what is in the configuration file. This is what happened with the description. Note that the ID and name of the resource didn’t change, it was still the same ACI tenant.

If you’ve worked with ACI you’ll know that you can’t rename objects. This is inherent to how ACI stores information. All objects have a unique distinguished name and this name is used when connecting various objects together. You can see this in the configuration above where a subnet points to the distinguished name of the bridge domain in which it resides.

As also previously mentioned, the Terraform ACI provider uses the Dn as the ID for the resource.

In the case of ACI a subnet is an object with a distinguished name. Since we can’t edit the name (10.1.1.1/24) we need to delete it and recreate it with a different name (172.16.1.1/24). This results in a new object and Dn and therefore a new Terraform resource and ID.

However the old subnet resource (10.1.1.1/24) still exists in the Terraform state file, while the new one hasn’t been imported. As a result, Terraform re-implements the 10.1.1.1/24 subnet and nothing happens to the 172.16.1.1/24 subnet.​​​​​​​

If you update the subnet in the Terraform configuration file you’ll see that Terraform takes care of the “renaming”. It will first delete the old subnet and then recreate a new one, making it appear as though it has been renamed.

Final Thoughts

Terraform is an extremely powerful and flexible tool however as you’ve seen so far, there are cases that may result in unexpected behaviour. Like any deployment, it’s always best to understand how you will use Terraform in your environment. The ACI simulator is a great way to learn, test, and plan any changes you wish to make before pushing to production.

Source: cisco.com

Continue reading

Use Success Tracks to Deliver Lifecycle Solutions

As customers look for ways to accelerate their digital transformation journeys, we must have offers and capabilities to help them move faster. Almost every customer is deploying and integrating new technology solutions into their existing infrastructure systems and data sources – and seeking to do this in a shortened timeframe. IT leaders need help to define a clear path to their desired outcomes while minimizing complexity and having access to the right resources at the right time.

Cisco Customer Experience (CX) has introduced a new service portfolio that can help customers find a faster path to value and accelerate their business outcomes.  It’s a new lifecycle-focused services portfolio called Success Tracks that includes a comprehensive suite of capabilities designed for specific use cases.  Success Tracks digitally connects customers to the right expertise, learning, insights, and support at the right time. We’ve introduced Success Track for Campus Network, with additional architectures, such as Security and Data Center, planned for release in 2021 and beyond.

While Success Tracks provides incredible value for customers, it also provides an excellent opportunity for partners to grow their business. How? Partners can access  critical customer insights throughout their technology adoption journey, providing valuable insights they can use to assess their customer’s needs and gaps and promptly address them. In essence, Success Tracks serves as a platform to enable partners to capture more customer opportunities.

Here’s a quick snapshot of what Success Tracks is and the opportunities where you can capitalize on to grow your business.

Success Tracks

CX Success Tracks is a suite of service solutions built from the existing services portfolio, combined with new features that digitally connect customers to the right expertise, learnings, insights, and support at the right time using a use case guided journey.​ Use cases are defined with specific customer outcomes and are essential for outlining and executing a roadmap for achieving success.

The CX Success Track suite of capabilities built from existing services and combined with new features, that provides expert resources, trusted support, insights and analytics, and contextual learning.  and digitally connecting customers through a new Customer Experience (CX) Cloud.

Customers engage and consume these capabilities and manage their technologies all in one place through a new digital platform called CX Cloud.

Opportunities for Partners

Success Tracks leverages automation and machine learning through Cisco intellectual capital and provides valuable customer information to partners via a new Partner Experience (PX) Cloud platform (see below).  It provides a new way to engage with Cisco and with customers.

You can  access information on your customer’s lifecycle, assets and coverage, advisories, cases, and other critical insights and analytics. Leverage this information to  increase your understanding of your customer’s technology adoption journey and  recommend services that can help your customer’s increase the use and adoption of their investments. Let’s review two examples.

The “Personalized Exposure Checks” feature provides information on relevant bugs, PSIRTS, and Field Notices for specific devices. When deploying new devices for the customer, you can access Personalize Exposure Checks, scan the device, detect any known vulnerabilities, and then provide remediation services for known issues to validate new devices have the latest updates and protection.

The “Optimal Software Version” feature provides recommendations to help identify the best version for upgrades and optimal software performance. You can provide services to help customers simplify their networks by configuring a minimum number of software versions across all devices, determine when it is best to schedule and perform software updates, and monitor their devices to ensure software versions are up-to-date across the network.

These examples provide just a fraction of the many potential opportunities you take advantage of to help your customers accelerate their success, while expanding your business growth and profitability.

Continue reading

Become DevNet Professional by Passing Cisco 350-901 DEVCOR Exam

The Cisco Certified DevNet Professional 350-901 DEVCOR exam evaluates your knowledge of software development and design, comprising using APIs, Cisco platforms, application deployment and security, and infrastructure and automation. This exam assesses an applicants' understanding of software development and design, including using APIs, Cisco platforms, application deployment and security, and infrastructure and automation. Cisco Certified DevNet Professional exam enriches your employability and makes your educational records shine.

Who is the Targeted Audience for the Cisco 350-901 DEVCOR Exam?

The Cisco 350-901 DÉCOR exam is intended for those professionals or developers who have some years of experience designing and maintaining custom-designed applications constructed on Cisco technology and employing the Cisco platforms. This Cisco certification will authenticate your skills and knowledge associated with developing, designing, and debugging an application using the Cisco APIs, media, and infrastructure.

The Cisco 350-901 exam is specially designed for the following professional.

• Network engineers: Have a plan to sharpen their skills in software and automation.
• Developers: Have the plan to inflate expertise in automation and DevOps.
• Solution architects: Have the plan to move on Cisco ecosystem.
• Infrastructure developers: Have a plan to design in tough production environments.

Advantages of passing Cisco 350-901 DEVCOR Exam:

Now that you know what you require to do to pass the Cisco 350-901 DEVCOR exam, aren't you interested in knowing the advantages of this certification? As Cisco is an international vendor acknowledged by organizations worldwide, Zachariah z your access to corporations will be more comfortable. Hiring managers will consider you a top applicant when they see the Cisco Certified DevNet Professional certification on your resume since Cisco is considered as a leading IT vendor in the IT field and a reputable provider of the most renowned IT certifications.

Read: What to Expect from Cisco DevNet Professional Certification?

After earning this professional certification, you can anticipate an excellent career boost. You will also have more possibilities to get a higher position in your organization and be acknowledged as a valuable team member. According to the Payscale website, you can earn annually about $95,385 with this professional certification.

Top Tips to Prepare for Cisco 350-901 DEVCOR Exam

Preparing for any Cisco exam demands a great deal of time and hard work. But all that would be put to waste if you don't use it adequately. So here are a few tips you can follow to achieve an excellent score in the actual exam:

1. Know the Exam Objectives

First of all, you have to have a clear idea about the result you want to achieve and determine what topics you should study. Generally, the objectives of a syllabus give thought to what the exam expects of you. So, you can use them as a road map for your preparation. By doing so, you can center your efforts on what is most essential.

2. Get Reliable Study Materials

The internet is huge, and you can discover numerous resources created by people claiming they are legal and authentic. But you must perceive that most of them are fake. And if you obtain them for your exam preparation, they can do more harm than good. To evade this, you have to make sure that whatever study resources you use are valid and updated.

3. Make a Study Schedule and Follow It

Most candidates fail to study all the Cisco 350-901 DEVCOR exam objectives in time and end up cramming the night before the scheduled exam. Even though some argue to remember better when doing that, it's not completely true. You will be successful in recalling little surface details while you blank out most of the basic knowledge. But if you study as per your study schedule, you can be sure to have a solid grasp of all the syllabus topics before the exam and not leave out anything important.

4. Cisco 350-901 Practice Exams

If you wish to excel at what you do, you have to have practiced it. Having way makes it simpler for you to remember whatever you studied, and today you can find several options helping to acquire practical skills in practicing your knowledge. For instance, you can use the practice test for Cisco 350-901 DEVCOR exam.

Practice tests make you familiar with the exam structure and kind of questions you will be asked, so you may identify your weak points and work on them. You'll also be in a position to know how to manage your time intelligently.

5. Correct your Mistakes

Correcting your mistakes is vital if you want to better your score. If you don't completely check where you made a mistake and are not trying to understand the concept in a better way, you will be turn out to make the same mistakes again and again.

6. Actively Participate in Discussions

Try to find a study partner or join online forums or communities. This will present you with different questions that will get you thinking in a wider spectrum. It will show you that you don't know many aspects and will help you strengthen your knowledge. An added benefit of participating in online discussions/communities would be that you can share resources and get guidance from professionals in the field.

7. Develop Interest

Doing something without any interest will only stress your mind and give you unsatisfactory results. The same applies when it comes to studying. So, try to do things in a new and interesting way so that your study time becomes more fruitful. Explore some different types of studies like books, practice tests, youtube videos, etc. Also, you can compensate yourself after completing a chapter or so, for instance.

Conclusion

The world today is very competitive, and the same can be said for Cisco exams. If you want to pass them, you have to be study hard and be smart. So, employ practice tests and other reliable resources to prepare for your 350-901 DEVCOR exam and make use of the tips mentioned above. It's the sure way to breeze through the exam to get yourself Cisco DevNet Professional certification.

Continue reading

Cisco Collaboration Flex Plan Now Includes an all New Comprehensive and Cost-Effective Offer for Education

At Cisco we are pleased to kick off 2021 with an exciting update to the Cisco Collaboration Flex Plan that continues our mission to drive experiences that are 10x better than in-person interactions, help organizations collaborate seamlessly, and transform employee and customer experiences to power an inclusive future for all.

The World of the Classroom has Changed and Webex has Changed with it

To address the changing needs of our Education users, we created the Cisco Collaboration Flex Plan for Education, to be a single platform for all education collaboration technology, regardless of deployment type.  Cisco Collaboration provides schools with comprehensive features and capabilities they need today to support the needs of their administrators, teachers, and students through a cost-effective offer.

It is more vital than ever to keep students engaged and learning in today’s remote school environment. We continue to expand, simplify and differentiate by providing a complete education solution to our customers with an all-new feature rich experience.

There are several new features of Cisco’s Collaboration Flex Plan for Education offering:

◉ Enhanced Secure Messaging for all students and faculty.

◉ Support for Cisco on-premises and Cloud Calling

◉ Webex Meetings with new powerful AI capabilities such as gesture recognition

◉ Unlimited storage for all classroom recordings (archiving included at no charge for one year)

◉ Webex Assistant including closed captioning

◉ Extended Security Solutions

◉ And more!

Cisco offers the most comprehensive and cost-effective collaboration solution for education in the industry.I am extremely excited about the new and improved offer for Education and look forward to sharing future enhancements to the Cisco Collaboration offers throughout the year.

Learn more about our Cisco Collaboration Flex Plan for Education

Source: cisco.com

Continue reading

Your Journey to the All-New Webex

All-New Webex

At WebexOne, we launched new programs to support and work through how current Meetings and Jabber on-premise customers can update to the all-new Webex.

Over the past year, we all experienced how the workplace fundamentally changed, and how connecting with our work colleagues, regardless of where or how you work, is vital to continuity. Today, users need the capabilities to work remotely, collaborate with their teams effortlessly and work together regardless of time zones. Workloads must come together to allow for this seamless collaboration experience.

These new update programs outline steps for how customers can update from Jabber on-premise IM/P to secure Cloud Messaging and move from a standalone Meetings experience to a full modern collaboration solution, all contained within a single application.

For those customers who wish to remain with Jabber on-premise Messaging and in a standalone Meetings application we will continue to offer both these solutions.

Supporting Your Journey

Whether you are updating from Jabber or Meetings, the team at Webex has developed supporting sites to guide you on your journey. Let’s jump in to unpack what is available for you.

Deployment Steps

On these sites, we have published a detailed journey map outlining the steps to update from Jabber or Meetings to Webex. Some steps are mandatory while others will be optional, depending on your organizational needs you can choose which steps are right for you, and our technical guides and deployment documents will support the steps through the update to Webex.

Technical Workshops

Webex experts will lead multiple live technical enablement workshops walking through each step on the update journey. You will gain deep insights from our subject matter experts, who will be on hand to answer your questions throughout the workshops. We appreciate that it can be difficult to take time out of a busy day to join live sessions, so we are recording all workshops and will make them available in short, snackable videos for you to dive into on your own time. 

Gaining Analytical Insight

To help with your update, we have outlined details on how you can use Cloud Connected UC to gain deep analytic insights to your existing on-premise usage. These insights will provide you with the right views to help drive decision making and build a timeline for a move to Cloud.

When you land on Webex, you will see that by using Webex Control Hub as single-pane-of-glass to manage your collaboration portfolio you can gain fresh insights into how your users adopt these innovative solutions to increase productivity and get more done quicker.

End User Adoption

As you begin to rollout Webex to your organization, we recognize that you will want to communicate the update to your users. We have built launch kits to support this announcement to your teams. These packs include project blueprints and digital campaign assets such as email templates, quick start guides, videos & product images. Along with our live adoption masterclasses, you will have all you need to have a successful adoption of Webex.

IT & User Community

Underlying all our support, is a thriving and active IT and User Community. Here you will find the means to engage with and learn directly from Webex experts. You can also collaborate with your peers, hear from thought leaders and learn about exciting new announcements from the Webex team.

Bringing it All Together

By combining Meetings, Calling, Messaging, Whiteboarding, File Sharing, and with our award-winning Room and Desk Devices, Webex offers all the essentials for getting work done together, faster, and easier than ever before.

With enterprise calling backed by Unified Communications Manager, your users will enjoy the same rich calling experience as in Jabber whilst using the calling infrastructure already deployed within your organization. Meetings customers moving to the new Webex, will continue to have all the capabilities and with pre- and post-meetings experience, there will never be a moment to miss a conversation.

Find Out More

Find all the details on these program on our dedicated sites supporting both the Jabber and Meetings journeys to Webex. These pages will provide you with everything you need to get started and to make the move to your new all-in-one Collaboration solution as easy as possible.

Continue reading

Introduction to Terraform with Cisco ACI, Part 1

Many customers are starting to look at third party tools such as Terraform and Ansible to deploy and manage their infrastructure and applications. In this five-part series we’ll introduce Terraform and understand how it’s used with Cisco products such as ACI. Over the coming weeks this blog series will cover:

1. Introduction to Terraform

2. Terraform and ACI​​​​​​​

3. Explanation of the Terraform configuration files

4. Terraform Remote State and Team Collaboration

5. Terraform Providers – How are they built?

Code Example

https://github.com/conmurphy/intro-to-terraform-and-aci 

​​​​​​Infrastructure as Code

Before diving straight in, let’s quickly explore the category of tool in which Terraform resides, Infrastructure as Code (IaC). Rather than directly configuring devices through CLI or GUI, IaC is a way of describing the desired state with text files. These text files are read by the IaC tool (e.g. Terraform) which implements the required configuration.

Imagine a sysadmin needs to configure their VCenter/ESXi cluster including data centres, clusters, networks, and VMs. One option would be to click through the GUI to configure each of the required settings. Not only does this take time, but also may introduce configuration drift as individual settings are configured over the lifetime of the platform.

Recording the desired configuration settings in a file and using an IaC tool eliminates the need to click through a GUI, thus reducing the time to deployment.

Additionally, the tool can monitor the infrastructure (e.g Vcenter) and ensure the desired configuration in the file matches the infrastructure.

Here are a couple of extras benefits provided by Infrastructure as Code:

• Reduced time to deployment
• See above
• Additionally, infrastructure can quickly be re-deployed and configured if a major error occurs.
• Eliminate configuration drift
• See above
• Increase team collaboration
• Since all the configuration is represented in a text file, colleagues can quickly read and understand how the infrastructure has been configured
• Accountability and change visibility
• Text files describing configuration can be stored using version control software such as Git, along with the ability to view the config differences between two versions.
• Manage more than a single product
• Most, if not all, IaC tools would work across multiple products and domains, providing you the above mentioned benefits from a single place.

Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers as well as custom in-house solutions.

There are a couple of components of Terraform which we will now walk through.

Configuration Files

When you run commands Terraform will search through the current directory for one or multiple configuration files. These files can either be written in JSON (using the extension .tf.json), or in the Hashicorp Configuration Language (HCL) using the extension .tf.​​​​​​​

The following link provides detailed information regarding Terraform configuration files.

https://www.terraform.io/docs/configuration/index.html

As an example, here is a basic configuration file to configure an ACI Tenant, Bridge Domain, and Subnet.

provider "aci" {

  # cisco-aci user name

  username = "${var.username}"

  # cisco-aci password

  password = "${var.password}"

  # cisco-aci url

  url      =  "${var.apic_url}"

  insecure = true

}

resource "aci_tenant" "terraform_tenant" {

  name        = "tenant_for_terraform"   

  description = "This tenant is created by the Terraform ACI provider"

}

resource "aci_bridge_domain" "bd_for_subnet" {

  tenant_dn   = "${aci_tenant.terraform_tenant.id}"

  name        = "bd_for_subnet"

  description = "This bridge domain is created by the Terraform ACI provider"

}

resource "aci_subnet" "demosubnet" {

  bridge_domain_dn                    = "${aci_bridge_domain.bd_for_subnet.id}"

  ip                                  = "10.1.1.1/24"

  scope                               = "private"

  description                         = "This subject is created by Terraform"

} 

When Terraform runs (commands below), the ACI fabric will be examined to confirm if the three resources (Tenant, BD, subnet) and their properties match what is written in the configuration file.

If everything matches no changes will be made.

When there is a difference between the config file and ACI fabric, for example the subnet does not already exist in ACI, Terraform will configure a new subnet within the BD. Since the Tenant and BD already exist in ACI, no changes will be made to these objects.

Cross checking the configuration file against the resources (e.g. ACI fabric), reduces the amount of configuration drift since Terraform will create/update/delete the infrastructure to match what’s written in the config file.​​​​​​​

Resources and Providers

A provider is responsible for understanding API interactions and exposing resources. Providers generally are an IaaS (e.g. Alibaba Cloud, AWS, GCP, Microsoft Azure, OpenStack), PaaS (e.g. Heroku), or SaaS services (e.g. Terraform Cloud, DNSimple, Cloudflare), however the ones that we’ll be looking at are Cisco ACI and Intersight.

Resources exist within a provider.

A Terraform resource describes one or more infrastructure objects, for example in an ACI Tenant, EPG, Contract, BD.

A resource block in a .tf config file declares a resource of a given type e.g. (“aci_tenant”) with a given local name (“my_terraform_tenant “). The local name can then be referenced elsewhere in the configuration file.

The properties of the resource are specified within the curly braces of the resource block.

Here is an ACI Tenant resource as example.

resource "aci_tenant" "my_terraform_tenant" {

  name        = "tenant_for_terraform"   

  description = "This tenant is created by the Terraform ACI provider"

}

To create a bridge domain within this ACI tenant we can use the resource, aci_bridge_domain, and provide the required properties.

resource "aci_bridge_domain" "my_terraform_bd" {

  tenant_dn   = "${aci_tenant.my_terraform_tenant.id}"

  name        = "bd_for_subnet"

  description = "This bridge domain is created by the Terraform ACI provider"

}

Since a BD exists within a tenant in ACI, we need to link both resources together.

In this case the BD resource can reference a property of the Tenant resource by using the format, “${terraform_resource.given_name_of_resource.property}”

This makes it very easy to connect resources within Terraform configuration files.

Variables and Properties

As we’ve just learnt resources can be linked together using the format, “${}”. When we need to receive input from the user you can use input variables as described in the following link.

https://www.terraform.io/docs/configuration/variables.html

For many resources computed values such as an ID are also available. These are not hard coded in the configuration file but provided by the infrastructure.

They can be accessed in the same way as previously demonstrated. Note that in the following example the ID property is not hard coded in the aci_tenant resource, however this is referenced in the aci_bridge_domain resource. This ID was computed behind the scenes when the tenant was created and made available to any other resource that needs it. ​​​​​​​

resource "aci_tenant" "my_terraform_tenant" {

  name        = "tenant_for_terraform"   

  description = "This tenant is created by the Terraform ACI provider"

}

resource "aci_bridge_domain" "my_terraform_bd" {

  tenant_dn   = "${aci_tenant.my_terraform_tenant.id}"

  name        = "bd_for_subnet"

}

State Files

In order for Terraform to know what changes need to be made to your infrastructure, it must keep track of the environment. This information is stored by default in a local file named “terraform.tfstate“

NOTE: It’s possible to move the state file to a central location and this will be discussed in a later post

As you can see from examining this file Terraform keeps a record of how your infrastructure should be configured. When you run the plan or apply command, your desired config (.tf files) will be cross checked against the current state (.tfstate file) and the difference calculated.

For example if a subnet exists within the config.tf file but not within the terraform.tfstate will configure a new subnet in ACI and update terraform.tfstate.

The opposite is also true. If the subnet exists in terraform.tfstate but not within the config.tf file, Terraform assumes this configuration is not required and will delete the subnet from ACI.

This is a very important point and can result in undesired behaviour if your terraform.tfstate file was to change unexpectedly for some reason.

Here’s a great real world example. ​​​​​​​

https://www.youtube.com/watch?v=ix0Tw8uinWs

Commands

There are many Terraform commands available however the key ones you should know about are as follows:

terraform init

Initializes a working directory containing Terraform configuration files. This is the first command that should be run after writing a new Terraform configuration or cloning an existing one from version control. It is safe to run this command multiple times.

During init, Terraform searches the configuration for both direct and indirect references to providers and attempts to load the required plugins.

This is important when using the Cisco infrastructure providers (ACI and Intersight)

NOTE: For providers distributed by HashiCorp, init will automatically download and install plugins if necessary. Plugins can also be manually installed in the user plugins directory, located at ~/.terraform.d/plugins on most operating systems and %APPDATA%\terraform.d\plugins on Windows.

https://www.terraform.io/docs/commands/init.html

terraform plan

Used to create an execution plan. Terraform performs a refresh, unless explicitly disabled, and then determines what actions are necessary to achieve the desired state specified in the configuration files.

This command is a convenient way to check whether the execution plan for a set of changes matches your expectations without making any changes to real resources or to the state. For example, terraform plan might be run before committing a change to version control, to create confidence that it will behave as expected.

https://www.terraform.io/docs/commands/plan.html​​​​​​​

terraform apply

The terraform apply command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a terraform plan execution plan.

https://www.terraform.io/docs/commands/apply.html

terraform destroy

Infrastructure managed by Terraform will be destroyed. This will ask for confirmation before destroying.

https://www.terraform.io/docs/commands/destroy.html

Source: cisco.com

Continue reading