Professional Documents
Culture Documents
BRKDCN 2906
BRKDCN 2906
Introduction to Infrastructure
as Code for ACI with Ansible
and Terraform
BRKDCN-2906
#CiscoLive
Cisco Webex App
Questions?
Use Cisco Webex App to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
3 Install the Webex App or go directly to the Webex space Enter your personal notes here
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
• What is Infrastructure as
Code?
• Infrastructure as Code with
Ansible
Infrastructure as Code with
Agenda
•
Terraform
• Next steps
BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
What is Infrastructure
as Code?
What is Infrastructure as Code(IaC)?
• Most think of building/managing Cloud Infrastructure The management &
• Traditionally, network operators connect to devices and provisioning of
make changes to the configuration. computer
CLI – “finger net”
•
infrastructure
• Application
through code and
• Automation tools – Ansible/Terraform
data structures
• Define intended state of infrastructure should be.
instead of direct
• Automation tools reads applies changes to devices to match
the intended state. (Declarative) device
management.
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Infrastructure as Code Tools
• Git
• Ansible
GitHub
SCM
•
Execution Software
• Terraform
• GitLab
• Chef
• Bitbucket • Puppet
• AWS CloudFormation
• Google Cloud Deployment
• Jenkins Manager
Drone Pulumi
Pipeline
• •
• Vagrant
• CircleCI
• Saltstack
• Travis CI
• GitHub Actions
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
Infrastructure as Code for Network Ops
1 2 3
User commits changes to An automated pipeline An execution runner is
data source in SCM that application notices the triggered by the
define what the config of change in the SCM and automation pipeline, reads
the fabric should be. activates a series of the data from SCM(git)
actions. and configures the
devices.
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Infrastructure as Code
with Ansible
What is Ansible?
Automation / Configuration / Orchestration tool
Open Source
*idempotent
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
What makes up Ansible?
MSO
Roles
ACI Module
REST API
Tasks
WSL MSO Module Inventory
Ansible Core
REST API
Collections
Python
Playbooks
APIC
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Installing Ansible
Python Virtual Environments virtualenv
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Reference Slide
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Ansible install
Core or Everything
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Ansible Collections
What are Ansible collections?
• Introduced in Ansible 2.9
• Collections allows vendors to de-couple their ansible capabilities
(modules) from the core Ansible release schedule
• Uses Ansible Galaxy as the delivery vehicle.
• Collection can be installed in any location with -p flag
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Reference Slide
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Ansible ACI/MSO
Collection Modules
https://docs.ansible.com/ansible/latest/collections/cisco/aci/index.html
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Reference Slide
Ansible ACI/MSO The command: ansible-doc <module_name> will present the
CLI version of the doc. Will match what is on the web
Collection Modules (CLI) ❯ ansible-doc cisco.aci.aci_aaa_user
Parameter Value
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Reference Slide
cisco.aci.aci_bd
Name Space Collection Name Module Name
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Ansible Concepts
Ansible Directory Structure
Best Practice for growth!
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
Ansible Data Structures (YAML)
YAML Ain’t Markup Language Microsoft VSCode
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
In this example we are creating a role that will configure access policy
Ansible Roles
VLAN pools: ansible-galaxy init ap-vlans
How to do it!
• Roles are content directories that are
structured in a conventional way to
enable simple reuse
• Roles let you automatically load related
vars, files, tasks, handlers, and other
Ansible artifacts based on a known file
structure.
• This allows for better data organization
in your repository.
• You utilize roles to combine tasks the
complete and objective.
% ansible-galaxy init <role-name>
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Ansible Playbooks
What to do!
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Ansible Inventory
Who to do it to!
Example inventory file:
• Ansible inventory allows you to
build data structures that
correlate host specific variables
• Allows for grouping, variable
inheritance to organize your ACI
fabric APICs
• Two formats are common: INI
and YAML. Best practice is to
use YAML (less confusing)
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
JINJA “type” variables
Variable substitution
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
Putting it all together inventory
playbooks
roles
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Executing Ansible
ansible-playbook
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Details for ACI
Playbooks
Structure for ACI ---
- hosts: east-fabric
For ACI we set gather_facts to gather_facts: false
false as we don’t need for Ansible to connection: local
connect to APIC to get any host
data. Ansible uses the REST any_errors_fatal: true
interface. ignore_errors: false
For ACI connection is local, as the
computer that is executing the
automation starts the connection
local to the ACI fabric.
Control if faults continue or stop
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
Tasks in Roles namespace collection name module
Structure for ACI ---
# tasks file for ap-vlans
Task name
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
Authentication
Best Practices
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
Reference Slide
execution validate_certs: no
use_ssl: yes
delegate_to: localhost
bash / zsh
% export APIC_USERNAME="admin"
% export APIC_PASSWORD="password"
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
ACI REST Fallback Module
How to configure ACI when a module is missing
- name: Create Route Map for L3out (rtctrlProfile)
cisco.aci.aci_rest:
• The module aci_rest path: /api/node/mo/uni/tn-{{item.tenant}}/out-{{item.l3out}}/prof-{{item.name}}.json
method: post
allows passing an ACI content:
structured object when {
"rtctrlProfile":
a module isn’t available. {
"attributes":
{
• This makes it possible "dn": "uni/tn-{{item.tenant}}/out-{{item.l3out}}/prof-{{item.name}}",
that Ansible can "name": "{{item.name}}",
"descr": "{{item.description}}",
accomplish 100% },
"status": "created,modified",
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Variable lists
Looping through data List of four objects
vlan_pools:
- vlan_pool_name: "eng_vlan_pool"
• Lists ( also known as arrays vlan_pool_description: "(Ans)Eng VLAN Pool"
vlan_pool_mode: "static”
) are a sequential set of values.
- vlan_pool_name: "mkt_vlan_pool"
• These can contain what is vlan_pool_description: "(Ans)Mkt VLAN Pool"
vlan_pool_mode: "static”
known as dictionaries (
also known as objects ). - vlan_pool_name: "hr_vlan_pool"
vlan_pool_description: "(Ans)HR VLAN Pools"
• This allows you to reference vlan_pool_mode: "static”
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
Iteration explained
Looping through data
roles/ap-vlans/vars/main.yaml
roles/ap-vlans/tasks/main.yaml
---
---
# vars file for ap-vlans
# tasks file for ap-vlans
vlan_pools:
- name: Create VLAN Pools
- vlan_pool_name: “eng_vlan_pool"
cisco.aci.aci_vlan_pool:
vlan_pool_description: "(Ans)Eng VLAN Pool"
host: "{{ inventory_hostname }}"
vlan_pool_mode: "static”
username: "{{username}}"
password: "{{password}}”
- vlan_pool_name: ”mkt_vlan_pool"
vlan_pool_description: "(Ans)Mkt VLAN Pool"
pool: “{{item.vlan_pool_name}}”
vlan_pool_mode: "static”
pool_allocation_mode: “{{item.vlan_pool_mode}}”
description: “{{item.vlan_pool_description}}”
- vlan_pool_name: ”hr_vlan_pool"
state: present
vlan_pool_description: "(Ans)HR VLAN Pools"
vlan_pool_mode: "static”
validate_certs: no
use_ssl: yes
- vlan_pool_name: ”sales_vlan_pool"
delegate_to: localhost
vlan_pool_description: "(Ans)Sales VLAN Pools"
loop: "{{vlan_pools}}" vlan_pool_mode: "static”
when: vlan_pools is defined
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
Executing the playbook
with the list of VLANS
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
A word about variables
Better variables
Placement matters!
• Including the variables with the role can result in role duplication
• A better approach is to move the variables to a location that can be
structured with the inventory for better organization
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Variable Hierarchy
A clean way to organize data
roles group_vars
defaults
<host_name>
files
handlers Vlan_pools.yaml
meta
tasks
Move the variable from the
template roles file structure into the
tests
group_var structure
vars
main.yaml
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
The links between locations Reads the inventory and
1 playbook. Finds that we are
Managed by variable precedence referencing east_fabric
aeps.yaml
ap_aep
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Reference Slide
Ansible Variable Precedence • extra vars via CLI (for example, -e "user=my_user")
Placement matters •
•
include params
role (and include_role) params
• set_facts / registered vars
Higher
• include_vars
• Ansible provides variable • task vars (only for the task)
•
precedence, which is important
block vars (only for tasks in block)
• role vars (defined in role/vars/main.yml)
lower
• inventory file or script host vars
just including in higher •
•
playbook group_vars/*
inventory group_vars/*
precedence. •
•
inventory group_vars/all
inventory file or script group vars
• role defaults (defined in role/defaults/main.yml)
• Using the group_vars folder tied • command line values (for example, -u my_user, these are not variables)
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
group_vars
Putting it all together
% ansible-playbook –i inventory/east_fabric playbooks/east-fabric/access-policies.yaml
playbooks
roles
inventory
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
Executing the playbook
with the list of VLANS under group_vars
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
ACI 6.x Ansible indicators
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Infrastructure as Code
with Terraform
What is Terraform?
Open Source
Infrastructure Provisioning
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Installing Terraform
Single binary installation (version 1.4.6 -latest)
Mac OS Windows
https://developer.hashicorp.com/terraform/downloads
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Terraform Concepts
Terraform Plans/Configuration Files
• Collection of HCL instructions workspace
• What do you want to provision main.tf
tenant.tf
• Terraform scans directory
vrf.tf
• Can be in a singular file – main.tf
bridge_domain.tf
• Can be broken up into smaller *.tf
app_profile.tf
epg.tf
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
https://registry.terraform.io/
Terraform Providers
• Create/Read/Update/Destroy • Understands API interactions
infrastructure • APIC and MSO REST API calls
• Relies on specific vendor • Can write your own providers
plugins • open source - written in Go
• Downloaded/installed via initialization
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Terraform Provider configuration (ACI)
Terraform configuration
Provider definition
Registry namespace – CiscoDevNet/aci
Provider version (2.8 – latest)
Provider configuration
Signature-Based
Authentication
APIC URL
HTTP API request
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
Terraform Provider configuration (MSO/NDO)
Registry namespace –
CiscoDevNet/mso Provider version
0.10.0 - latest
Variables substitution
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
Terraform Resources & Data Sources
Resources Data Sources
• Specific to a given provider (ACI/MSO) • Allow data to be fetched or computed
for use elsewhere in Terraform
• Accepts arguments configuration
• apply/destroy/modifies resource • Always Read Only
• Describes your intent for a particular • Terraform apply/destroy does not
infrastructure object modify data source
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
Terraform Resource Example
Used in state file
Type of resource Name of the resource Must be unique!
Start of resource
block
End of resource
block
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
Terraform Data Source Example
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
When there isn’t a Resource – aci_rest_managed
• Manages Objects via REST API calls with no resource
• Can reconcile state information
• API calls can be captured via API Inspector/APIC GUI
• aci_rest – can not reconcile information
• MSO/NDO – mso_rest
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Terraform Registry – ACI & MSO
https://registry.terraform.io/providers/CiscoDevNet/aci/latest
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Terraform Registry – Documentation
https://registry.terraform.io/providers/CiscoDevNet/aci/latest
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
Note - Do not
Terraform State modify the state
file
• Records information about infrastructure it created
(terraform.tfstate)
• Saves locally – Can you other backends (Remote, AWS, Terraform
Cloud)
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
Terraform Dependency Mapping
• Uses Graphs to track of dependencies and correct order of
deployment
• Builds a graph of relationships (Directional tree without loops)
Tenant
EPG BD
BD Subnet
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
Reference Slide
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
Variables in Terraform
• Can be defined: • Variable Types
• Command line (-var -var-file) • String
• variables.tf • Number
• terraform.tfvars • Bool
• Default config • Any (default)
variables.tf l3out.tf
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Iteration (loop) in Terraform
• Performs repetitive tasks - Helps avoid duplicating code
• count • for_each
• Add number of resources based • Multiple instances of a set or map
on count
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
Reference Slide
https://developer.hashicorp.com/terraform/language/values/variables
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
Note – May need to
Terraform Modules - Reusability re-initialize Terraform
• Reuse configurations in Terraform.
• Self-contained components
• encapsulate a set of resources, configurations, and
dependencies.
• Create a Specific Modules directory
main.tf
tenant.tf
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
Terraform ACI/NDO Authentication
Similar to Ansible….
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Deploying Infrastructure
as Code with Terraform
Terraform commands
• terraform init
• Download and Installs plugins
for configured providers
• Must initialize before plan/apply
• Creates a provider “lock” file
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Terraform commands
• terraform plan
• Determines what actions are
necessary to achieve the desired
state
• Preview your changes
• Allows you to review before
making any changes
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
Terraform commands
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
Terraform Apply
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
Terraform commands
• terraform destroy
• Scans the state file for what to
“destroy”
• Preview your deletions
• Infrastructure is destroyed
• Can be specific with “-target”
#CiscoLive © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public
Reference Slide
• terraform show
• Reads and outputs a Terraform state in a readable format
• terraform state
• Advanced State Management
• terraform version
• Version of Terraform binary
• terraform graph
• Generate a Graphviz graph of the steps in an operation
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
Ansible and Terraform comparison
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
Ansible/Terraform comparison
Stateful No Yes
ACI/MSO
149*/63* 230*/45*
Modules/Resources
Written in Python Go
Build
MOP Window End
Book
1.5 hours
Automated
Configuration Application moves
Cable Movement and troubleshooting Tweaking Window End
Build
Window Start
Book
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Next Steps
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
Infrastructure as Code with Terraform and
Ansible
• Install and test Terraform and Ansible
• Available for most platforms
• Which one works better for you?
• What are you already using?
• Think big…..start small
• Automate the simple, then build into more complex tasks
• Ease of writing Infrastructure as code with Terraform and Ansible
• No special programming skills needed
• Ansible Modules/Terraform Resources for most common tasks
• Robust APIC/MSO REST API makes automation easy and scalable
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
More information – Other sessions/labs
• LABDCN-1774 (Walk in Lab - Ansible and ACI)
• LABDCN-1776 (Walk in Lab - Intro to Terraform with ACI)
• BRKDCN-2673 - Nexus-as-Code - Kickstart your automation with
ACI
• DEVWKS-2931 - Making your ACI Automation as modular as LEGO
bricks using Terraform Modules
• IBODCN-1003 - An Interactive Conversation on ACI Automation
through Ansible and Terraform
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
More information – Ansible/Terraform
• https://www.terraform.io/
• https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs
• https://registry.terraform.io/providers/CiscoDevNet/mso/latest
• https://developer.cisco.com/automation-terraform/
• https://docs.ansible.com/ansible/latest/scenario_guides/guide_aci.
html
• https://developer.cisco.com/docs/aci/#!ansible
• https://github.com/trenzy
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
Fill out your session surveys!
These points help you get on the leaderboard and increase your chances of winning daily and grand prizes
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
• Visit the Cisco Showcase
for related demos
BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
Thank you
#CiscoLive
Gamify your Cisco Live experience!
Get points for attending this session!
How:
1 Open the Cisco Events App.
4 Click the + at the bottom of the screen and scan the QR code:
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
#CiscoLive