BRKDCN 2906

#CiscoLive
Introduction to Infrastructure
as Code for ACI with Ansible
and Terraform
BRKDCN-2906
Thomas Renzy – Technical Leader CX

@ThomasRenzy
Rafael Muller – Principal Engineer CX
@rafaeljmuller
#CiscoLive
Cisco Webex App
Questions?
Use Cisco Webex App to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space Enter your personal notes here
4 Enter messages/questions in the Webex space
Webex spaces will be moderated

by the speaker until June 9, 2023. https://ciscolive.ciscoevents.com/ciscolivebot/#BRKDCN-2906
#CiscoLive BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
• What is Infrastructure as
Code?
• Infrastructure as Code with
Ansible
Infrastructure as Code with
Agenda
•
Terraform
• Next steps
BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
What is Infrastructure
as Code?
What is Infrastructure as Code(IaC)?
• Most think of building/managing Cloud Infrastructure The management &
• Traditionally, network operators connect to devices and provisioning of
make changes to the configuration. computer
CLI – “finger net”
•
infrastructure
• Application
through code and
• Automation tools – Ansible/Terraform
data structures
• Define intended state of infrastructure should be.
instead of direct
• Automation tools reads applies changes to devices to match
the intended state. (Declarative) device
management.
Infrastructure as Code Tools
• Git
• Ansible
GitHub
SCM
•
Execution Software
• Terraform
• GitLab
• Chef
• Bitbucket • Puppet
• AWS CloudFormation
• Google Cloud Deployment
• Jenkins Manager
Drone Pulumi
Pipeline
• •
• Vagrant
• CircleCI
• Saltstack
• Travis CI
• GitHub Actions
Infrastructure as Code for Network Ops
1 2 3
User commits changes to An automated pipeline An execution runner is
data source in SCM that application notices the triggered by the
define what the config of change in the SCM and automation pipeline, reads
the fabric should be. activates a series of the data from SCM(git)
actions. and configures the
devices.
Infrastructure as Code
with Ansible
What is Ansible?
Automation / Configuration / Orchestration tool
Open Source
Agentless Push Model
Produces the same results no matter how many times it is executed*
No programming knowledge required
Requires only data-structure manipulation knowledge
APIC/NDO REST API interaction
*idempotent
What makes up Ansible?
MSO
Roles
ACI Module
REST API
Tasks
WSL MSO Module Inventory
Ansible Core
REST API
Collections
Python
Playbooks
APIC
Platform Engine Intent Target
Installing Ansible
Python Virtual Environments virtualenv
• You should use a virtual environment.

• Proper virtual environment allows for installing
ansible inside a contained area with a specific
version of python.
• Makes it possible to run different python scripts that
require different versions of python and libraries of
python.
• Detailed steps beyond scope of this session.
Reference Slide
PyENV 1 install a version of python

% pyenv install 3.9.11
Virtual Environment in Python
• PyENV is the best mechanism to 2 install a version of python

control python virtual environments % pyenv install 3.9.11
• Allows control of python version to

3 create virtual-environment
execute independent of system
% pyenv virtualenv 3.9.11 ansible
version
• PyENV virtualenv also needed 4 create directory for your ansible work
% mkdir my_ansible_dir
5 tell PyENV the virtual-env to use here

Install instructions: % pyenv local ansible
https://github.com/pyenv/pyenv/wiki
https://github.com/pyenv/pyenv-virtualenv
Ansible install
Core or Everything
% pip install ansible-core % pip install ansible
• Ansible installs only the core • Ansible installs all

components collections with the Ansible
install
• Collections must be installed by
you • Complete package but consumes
much more disk space.
• Smaller footprint and more control
• Might not install the latest version
• Assures install of latest collection
of the collection!
version released!
https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
Ansible Collections
What are Ansible collections?
• Introduced in Ansible 2.9
• Collections allows vendors to de-couple their ansible capabilities
(modules) from the core Ansible release schedule
• Uses Ansible Galaxy as the delivery vehicle.
• Collection can be installed in any location with -p flag
% ansible-galaxy collection install cisco.aci cisco.mso
ACI - https://galaxy.ansible.com/cisco/aci MSO - https://galaxy.ansible.com/cisco/mso
Reference Slide
Installing Ansible Collections

Command Required packages
Collection can be installed in any location with -p flag
Ansible ACI/MSO
Collection Modules
• Primary reason they are called collections

is because they are a collection of
modules
• Modules perform specific tasks like
create EPG's, Bridge domains and more
• Actively maintained with regular cadence
that increases module count and
capability
https://docs.ansible.com/ansible/latest/collections/cisco/aci/index.html
Reference Slide
Ansible ACI/MSO The command: ansible-doc <module_name> will present the
CLI version of the doc. Will match what is on the web
Collection Modules (CLI) ❯ ansible-doc cisco.aci.aci_aaa_user
Manage AAA users on Cisco ACI fabrics.
Use the CLI also to reach the OPTIONS (= is mandatory):

- aaa_password
module documentation. The password of the locally-authenticated user.
default: null
type: str
- aaa_password_lifetime
Use grep to filter through all the available The lifetime of the locally-authenticated user password.
documentation installed. default: null
type: int
❯ ansible-doc -l | grep cisco.aci EXAMPLES:

cisco.aci.aci_aaa_ssh_auth
cisco.aci.aci_aaa_ - name: Add a user
cisco.aci.aci_aaa_user_certificate cisco.aci.aci_aaa_user:
host: apic
username: admin
password: SomeSecretPassword
aaa_user: dag
aaa_password: AnotherSecretPassword
expiration: never
expires: no
email: dag@wieers.com
phone: 1-234-555-678
first_name: Dag
last_name: Wieers
state: present
delegate_to: localhost
Modules Namespace Collection Name Module Name
- name: Create a Bridge Domain

• Always use the fully qualified name
cisco.aci.aci_bd:
for the module host: 10.1.1.1
username: admin
• The modules require values
password: password
assigned to the parameters that tenant: prod
define how you wish to configure vrf: prod_vrf
ACI bd_type: ethernet
bd: web_servers
• Documentation provides details as to arp_flooding: yes
default values and required values l2_unknown_unicast: flood
validate_certs: no
• No programing knowledge required. state: present
Just data structure build out. delegate_to: localhost
Parameter Value
Reference Slide
Ansible Collection Naming - Modules

• Uses Fully Qualified Collection Name
• Name Space - Functional content category
• Collection Name - Characteristics of the collection content
• Module Name – Name of the module
• Best practice is to always use full qualified name, even for core modules
• Example – ACI Collection Tenant Module
cisco.aci.aci_bd
Name Space Collection Name Module Name
Ansible Concepts
Ansible Directory Structure
Best Practice for growth!
roles playbooks group_vars files

inventory.yaml
How to do it! What to do! Data to do it! Who to do it!
Ansible Data Structures (YAML)
YAML Ain’t Markup Language Microsoft VSCode
• Human Readable Data Serialization Language ATOM

• Used in plays, playbooks and inventory files
• Best practice is to use a software focused PyCharm
text editor (e.g. Notepad++) or IDE (e.g.
VSCode) with language assistant support of
YAML data-structures. Eclipse
• Indentation is very important, and the proper
editor will simplify this for you
Notepad++
In this example we are creating a role that will configure access policy
Ansible Roles
VLAN pools: ansible-galaxy init ap-vlans
How to do it!
• Roles are content directories that are
structured in a conventional way to
enable simple reuse
• Roles let you automatically load related
vars, files, tasks, handlers, and other
Ansible artifacts based on a known file
structure.
• This allows for better data organization
in your repository.
• You utilize roles to combine tasks the
complete and objective.
% ansible-galaxy init <role-name>
Ansible Playbooks
What to do!
• Playbooks define the set of Example playbook with roles:

actions that you want
Ansible to complete.
• Can contain specific tasks
or reference roles that
contain the tasks
• Best practice is to use roles!
Ansible Inventory
Who to do it to!
Example inventory file:
• Ansible inventory allows you to
build data structures that
correlate host specific variables
• Allows for grouping, variable
inheritance to organize your ACI
fabric APICs
• Two formats are common: INI
and YAML. Best practice is to
use YAML (less confusing)
JINJA “type” variables
Variable substitution
• Ansible uses Jinja2 to enable vars:

dynamic expressions and access username: "john"
to variables and facts password: "doe"
• Defined by curly backets "{{ }}"
inside quotes.
• Similar to how JINJA2 works - name:
ansible.builtin.copy:
username:"{{username}}"
password:"{{password}}"
Putting it all together inventory
playbooks
roles
Executing Ansible
ansible-playbook
ansible-playbook –i <inventory file> <playbook file>
Details for ACI
Playbooks
Structure for ACI ---
- hosts: east-fabric
For ACI we set gather_facts to gather_facts: false
false as we don’t need for Ansible to connection: local
connect to APIC to get any host
data. Ansible uses the REST any_errors_fatal: true
interface. ignore_errors: false
For ACI connection is local, as the
computer that is executing the
automation starts the connection
local to the ACI fabric.
Control if faults continue or stop
The roles that this playbook will execute roles:

- roles/ap-vlans
In Ansible order matters! You can't
create a physical domain that points to a
- roles/ap-domains
VLAN Pool without first creating the pool - roles/ap-aep
Tasks in Roles namespace collection name module
Structure for ACI ---
# tasks file for ap-vlans
Task name
- name: Create Engineering VLAN Pool

For each module we must pass the cisco.aci.aci_vlan_pool:
host, username and password host: "{{ inventory_hostname }}"
username: "{{username}}"
These values define how the password: "{{password}}"
VLAN Pool will be configured pool: "eng_vlan_pool"
pool_allocation_mode: "static"
State is present for creation description: "(Ans) Engineering Server VLAN Pools"
and absent for deletion state: present
validate_certs: no
Set validate_certs to no, and use_ssl: yes
use_ssl to yes for self-signed delegate_to: localhost
cert-based HTTPS connection
to the fabric
Authentication
Best Practices
Username & Password Certificate Based

• Method works with both ACI and NDO • Used in releases prior to ACI 5.x due
to HTTP interface throttle
• Easiest approach after ACI 5.x HTTP
throttle changes • In ACI 5.x and higher interface throttle is
configurable option in ACI
• Important to avoid username and
• Ansible Vault can be used to store the
password stored inside source code
key.
repository
• Very hard to remove once added! • Certificate based not an option for
MSO today.
• Ansible Vault is the most secure, but
you can get started easily with • Requires a local user on APIC
environment variables. • Configured with proper user role and
security domain
Reference Slide
Using Environment Variables

---
• Instead of inserting
credentials that are very - name: Create Engineering VLAN Pool
difficult to remove from an cisco.aci.aci_vlan_pool:
host: "{{ inventory_hostname }}"
SCM (GIT) you can use username: '{{ lookup("env", "APIC_USERNAME") }}'
password: '{{ lookup("env", "APIC_PASSWORD") }}'
environment variables. pool: "eng_vlan_pool"
Set environment variable

pool_allocation_mode: "static"
• description: "(Ans) Engineering Server VLAN Pools"
before ansible-playbook state: present
execution validate_certs: no
use_ssl: yes
bash / zsh
% export APIC_USERNAME="admin"
% export APIC_PASSWORD="password"
ACI REST Fallback Module
How to configure ACI when a module is missing
- name: Create Route Map for L3out (rtctrlProfile)
cisco.aci.aci_rest:
• The module aci_rest path: /api/node/mo/uni/tn-{{item.tenant}}/out-{{item.l3out}}/prof-{{item.name}}.json
method: post
allows passing an ACI content:
structured object when {
"rtctrlProfile":
a module isn’t available. {
"attributes":
{
• This makes it possible "dn": "uni/tn-{{item.tenant}}/out-{{item.l3out}}/prof-{{item.name}}",
that Ansible can "name": "{{item.name}}",
"descr": "{{item.description}}",
accomplish 100% },
"status": "created,modified",
configuration of ACI "children": [],

},
}
loop: "{{all_l3out_route_maps}}"
when: all_l3out_route_maps is defined
tags:
- never
- create #CiscoLive © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public
An example
Non-Optimal
hard coded
• In the previous example we ---
“hard coded” some values to
create a VLAN Pool. - name: Create Engineering VLAN Pool
cisco.aci.aci_vlan_pool:
• This would require that we host: "{{ inventory_hostname }}"
create a new task for every password: "{{password}}”
single VLAN pool to be pool: "eng_vlan_pool"
configured. pool_allocation_mode: "static"
description: "(Ans) Engineering Server VLAN Pools"
• Not optimal for repetition state: present
• There is a better approach validate_certs: no

use_ssl: yes
through reference and iteration! delegate_to: localhost
Variable lists
Looping through data List of four objects
vlan_pools:
- vlan_pool_name: "eng_vlan_pool"
• Lists ( also known as arrays vlan_pool_description: "(Ans)Eng VLAN Pool"
vlan_pool_mode: "static”
) are a sequential set of values.
- vlan_pool_name: "mkt_vlan_pool"
• These can contain what is vlan_pool_description: "(Ans)Mkt VLAN Pool"
known as dictionaries (
also known as objects ). - vlan_pool_name: "hr_vlan_pool"
vlan_pool_description: "(Ans)HR VLAN Pools"
• This allows you to reference vlan_pool_mode: "static”
specific items inside of the task - vlan_pool_name: "sales_vlan_pool"

and iterate over these in a vlan_pool_description: "(Ans)Sales VLAN Pools"
repetitive way
Iteration explained
Looping through data
roles/ap-vlans/vars/main.yaml
roles/ap-vlans/tasks/main.yaml
---
---
# vars file for ap-vlans
vlan_pools:
- name: Create VLAN Pools
- vlan_pool_name: “eng_vlan_pool"
cisco.aci.aci_vlan_pool:
vlan_pool_description: "(Ans)Eng VLAN Pool"
host: "{{ inventory_hostname }}"
password: "{{password}}”
- vlan_pool_name: ”mkt_vlan_pool"
vlan_pool_description: "(Ans)Mkt VLAN Pool"
pool: “{{item.vlan_pool_name}}”
pool_allocation_mode: “{{item.vlan_pool_mode}}”
description: “{{item.vlan_pool_description}}”
- vlan_pool_name: ”hr_vlan_pool"
state: present
vlan_pool_description: "(Ans)HR VLAN Pools"
validate_certs: no
use_ssl: yes
- vlan_pool_name: ”sales_vlan_pool"
vlan_pool_description: "(Ans)Sales VLAN Pools"
loop: "{{vlan_pools}}" vlan_pool_mode: "static”
when: vlan_pools is defined
Executing the playbook
with the list of VLANS
A word about variables
Better variables
Placement matters!
• Including the variables with the role can result in role duplication
• A better approach is to move the variables to a location that can be
structured with the inventory for better organization
roles playbooks group_vars files

inventory.yaml
How to do it! What to do! Information to do it!

Who to do it!
Variable Hierarchy
A clean way to organize data
roles group_vars
defaults
<host_name>
files
handlers Vlan_pools.yaml
meta
tasks
Move the variable from the
template roles file structure into the
tests
group_var structure
vars
main.yaml
The links between locations Reads the inventory and
1 playbook. Finds that we are
Managed by variable precedence referencing east_fabric
Reads the variables in all playbooks

group_vars 2 the files under the matching
hostname directory name
east_fabric
east_fabric.
east_fabric access_policies.yaml
Vlan_pools.yaml var: vlan_pools
aeps.yaml
policy_groups.yaml Since we are using the

3 same variable named
vlan_pools, the role reads
west_fabric the values that are
configured in east_fabric
Vlan_pools.yaml var: vlan_pools roles group_vars directory and
executes the configuration
aeps.yaml towards ACI
ap_vlans
policy_groups.yaml
ap_domains
ap_aep
Reference Slide
Ansible Variable Precedence • extra vars via CLI (for example, -e "user=my_user")
Placement matters •
•
include params
role (and include_role) params
• set_facts / registered vars
Higher
• include_vars
• Ansible provides variable • task vars (only for the task)
•
precedence, which is important
block vars (only for tasks in block)
• role vars (defined in role/vars/main.yml)
when you build your data structure. •

•
play vars_files
play vars_prompt
• play vars
• This allows for having some default •
•
host facts / cached set_facts
playbook host_vars/*
behaviour that is then changed by • inventory host_vars/*
lower
• inventory file or script host vars
just including in higher •
•
playbook group_vars/*
inventory group_vars/*
precedence. •
•
inventory group_vars/all
inventory file or script group vars
• role defaults (defined in role/defaults/main.yml)
• Using the group_vars folder tied • command line values (for example, -u my_user, these are not variables)
to inventory is very useful.

https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html
group_vars
Putting it all together
% ansible-playbook –i inventory/east_fabric playbooks/east-fabric/access-policies.yaml
playbooks
roles
inventory
Executing the playbook
with the list of VLANS under group_vars
ACI 6.x Ansible indicators
Infrastructure as Code
with Terraform
What is Terraform?
Open Source
Infrastructure Provisioning
Single Binary (Windows, Mac, Linux, Solaris, FreeBSD)
HashiCorp Configuration Language(HCL)
APIC/NDO REST API interaction
No programming knowledge required
Requires only data-structure knowledge
Installing Terraform
Single binary installation (version 1.4.6 -latest)
Mac OS Windows
https://developer.hashicorp.com/terraform/downloads
Terraform Concepts
Terraform Plans/Configuration Files
• Collection of HCL instructions workspace
• What do you want to provision main.tf
• .tf extension variables.tf
tenant.tf
• Terraform scans directory
vrf.tf
• Can be in a singular file – main.tf
bridge_domain.tf
• Can be broken up into smaller *.tf
app_profile.tf
epg.tf
https://registry.terraform.io/
Terraform Providers
• Create/Read/Update/Destroy • Understands API interactions
infrastructure • APIC and MSO REST API calls
• Relies on specific vendor • Can write your own providers
plugins • open source - written in Go
• Downloaded/installed via initialization
Owned & maintained by Owned & maintained by Published by individual

HashiCorp partners. groups or maintainers in
the community
Ex. AWS, Azure, GCP Ex. ACI, MSO, ASA
Terraform Provider configuration (ACI)
Terraform configuration
Provider definition
Registry namespace – CiscoDevNet/aci
Provider version (2.8 – latest)
Provider configuration
Signature-Based
Authentication
APIC URL
HTTP API request
Terraform Provider configuration (MSO/NDO)
Registry namespace –
CiscoDevNet/mso Provider version
0.10.0 - latest
Variables substitution
Must be defined for Nexus

Dashboard Orchestrator
Terraform Resources & Data Sources
Resources Data Sources
• Specific to a given provider (ACI/MSO) • Allow data to be fetched or computed
for use elsewhere in Terraform
• Accepts arguments configuration
• apply/destroy/modifies resource • Always Read Only
• Describes your intent for a particular • Terraform apply/destroy does not
infrastructure object modify data source
Over 230 ACI Resources/Data Sources

Over 45 MSO Resources/Data Sources
Terraform Resource Example
Used in state file
Type of resource Name of the resource Must be unique!
Start of resource
block
End of resource
block
Terraform Data Source Example
Retrieve the data we need
When there isn’t a Resource – aci_rest_managed
• Manages Objects via REST API calls with no resource
• Can reconcile state information
• API calls can be captured via API Inspector/APIC GUI
• aci_rest – can not reconcile information
• MSO/NDO – mso_rest
Terraform Registry – ACI & MSO
https://registry.terraform.io/providers/CiscoDevNet/aci/latest
Terraform Registry – Documentation
https://registry.terraform.io/providers/CiscoDevNet/aci/latest
Note - Do not
Terraform State modify the state
file
• Records information about infrastructure it created
(terraform.tfstate)
• Saves locally – Can you other backends (Remote, AWS, Terraform
Cloud)
Terraform Dependency Mapping
• Uses Graphs to track of dependencies and correct order of
deployment
• Builds a graph of relationships (Directional tree without loops)
Tenant
App Profile VRF
EPG BD
BD Subnet
Reference Slide
Terraform Graph (Three Tier)
Variables in Terraform
• Can be defined: • Variable Types
• Command line (-var -var-file) • String
• variables.tf • Number
• terraform.tfvars • Bool
• Default config • Any (default)
variables.tf l3out.tf
If you default blank (“ “), you will be prompted for value
Iteration (loop) in Terraform
• Performs repetitive tasks - Helps avoid duplicating code
• count • for_each
• Add number of resources based • Multiple instances of a set or map
on count
Reference Slide
Terraform Variables Precedence

• Variables have precedence
• Variables can be set, but overridden
• Command Line Flag run as command line switch

Higher • Configuration file - set in your terraform.tfvars file
• Environment variable - part of your shell environment
• Default Config - default value in variables.tf
lower • User manual entry - if not specified, prompt the user
for entry
https://developer.hashicorp.com/terraform/language/values/variables
Note – May need to
Terraform Modules - Reusability re-initialize Terraform
• Reuse configurations in Terraform.
• Self-contained components
• encapsulate a set of resources, configurations, and
dependencies.
• Create a Specific Modules directory
main.tf
tenant.tf
Terraform ACI/NDO Authentication
Similar to Ansible….
Username & Password Certificate Based

• Method works with both ACI and NDO • Used in releases prior to ACI 5.x due
to NGINX HTTP interface throttle
• Easiest approach after ACI 5.x HTTP
throttle changes • In ACI 5.x and higher interface throttle is
configurable option in ACI
• Not the most secure approach
• Not an option for MSO/NDO
• Environment Variables substitution
• Requires a local user on APIC
• Set in the provider configuration • Must set user role & security domain
Deploying Infrastructure
as Code with Terraform
Terraform commands
• terraform init
• Download and Installs plugins
for configured providers
• Must initialize before plan/apply
• Creates a provider “lock” file
Terraform commands
• terraform plan
• Determines what actions are
necessary to achieve the desired
state
• Preview your changes
• Allows you to review before
making any changes
Terraform commands
• terraform apply (-auto-

approve)
• Scans the current directory for the
configuration (.tf & .tfvars
extenstion)
• Preview your changes
• Applies the configuration to targets
Terraform Apply
Terraform commands
• terraform destroy
• Scans the state file for what to
“destroy”
• Preview your deletions
• Infrastructure is destroyed
• Can be specific with “-target”
#CiscoLive © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public
Reference Slide
Additional Terraform commands

• terraform fmt
• Format your .tf files
• terraform show
• Reads and outputs a Terraform state in a readable format
• terraform state
• Advanced State Management
• terraform version
• Version of Terraform binary
• terraform graph
• Generate a Graphviz graph of the steps in an operation
Ansible and Terraform comparison
Ansible/Terraform comparison
Source Open Source Open Source
Cisco commitment Yes! Yes!
IaC Type Configuration Management Provisioning
Language Type Procedural Declarative
Stateful No Yes
ACI/MSO
149*/63* 230*/45*
Modules/Resources
Written in Python Go
TAC Support Yes Yes

* At the time of this presentation
So what?
Recent Exercise (N7k to ACI brownfield)
Unhappiness and
finding new windows
to finish
6 - 8 hours Application moves
Window Start Manual Configuration Cable Movement and troubleshooting
Build
MOP Window End
Book
1.5 hours
Automated
Configuration Application moves
Cable Movement and troubleshooting Tweaking Window End
Build
Window Start
Book
20k lines of YAML
Next Steps
Infrastructure as Code with Terraform and
Ansible
• Install and test Terraform and Ansible
• Available for most platforms
• Which one works better for you?
• What are you already using?
• Think big…..start small
• Automate the simple, then build into more complex tasks
• Ease of writing Infrastructure as code with Terraform and Ansible
• No special programming skills needed
• Ansible Modules/Terraform Resources for most common tasks
• Robust APIC/MSO REST API makes automation easy and scalable
More information – Other sessions/labs
• LABDCN-1774 (Walk in Lab - Ansible and ACI)
• LABDCN-1776 (Walk in Lab - Intro to Terraform with ACI)
• BRKDCN-2673 - Nexus-as-Code - Kickstart your automation with
ACI
• DEVWKS-2931 - Making your ACI Automation as modular as LEGO
bricks using Terraform Modules
• IBODCN-1003 - An Interactive Conversation on ACI Automation
through Ansible and Terraform
More information – Ansible/Terraform
• https://www.terraform.io/
• https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs
• https://registry.terraform.io/providers/CiscoDevNet/mso/latest
• https://developer.cisco.com/automation-terraform/
• https://docs.ansible.com/ansible/latest/scenario_guides/guide_aci.
html
• https://developer.cisco.com/docs/aci/#!ansible
• https://github.com/trenzy
Fill out your session surveys!
Attendees who fill out a minimum of four session

surveys and the overall event survey will get
Cisco Live-branded socks (while supplies last)!
Attendees will also earn 100 points in the

Cisco Live Challenge for every survey completed.
These points help you get on the leaderboard and increase your chances of winning daily and grand prizes
• Visit the Cisco Showcase
for related demos
• Book your one-on-one

Meet the Engineer meeting
• Attend the interactive education

with DevNet, Capture the Flag,
Continue and Walk-in Labs
your education • Visit the On-Demand Library

for more sessions at
www.CiscoLive.com/on-demand
BRKDCN-2906 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
Thank you
#CiscoLive
Gamify your Cisco Live experience!
Get points for attending this session!
How:
1 Open the Cisco Events App.
2 Click on 'Cisco Live Challenge’ in the side menu.
3 Click on View Your Badges at the top.
4 Click the + at the bottom of the screen and scan the QR code:
#CiscoLive

BRKDCN 2906

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKDCN 2906

Uploaded by

Copyright:

Available Formats

#CiscoLive

Thomas Renzy – Technical Leader CX

2 Click “Join the Discussion”

4 Enter messages/questions in the Webex space

Webex spaces will be moderated

Agentless Push Model

Produces the same results no matter how many times it is executed*

No programming knowledge required

Requires only data-structure manipulation knowledge

APIC/NDO REST API interaction

Platform Engine Intent Target

• You should use a virtual environment.

PyENV 1 install a version of python

• PyENV is the best mechanism to 2 install a version of python

• Allows control of python version to

5 tell PyENV the virtual-env to use here

% pip install ansible-core % pip install ansible

• Ansible installs only the core • Ansible installs all

% ansible-galaxy collection install cisco.aci cisco.mso

ACI - https://galaxy.ansible.com/cisco/aci MSO - https://galaxy.ansible.com/cisco/mso

Installing Ansible Collections

Collection can be installed in any location with -p flag

• Primary reason they are called collections

Manage AAA users on Cisco ACI fabrics.

Use the CLI also to reach the OPTIONS (= is mandatory):

❯ ansible-doc -l | grep cisco.aci EXAMPLES:

- name: Create a Bridge Domain

Ansible Collection Naming - Modules

roles playbooks group_vars files

How to do it! What to do! Data to do it! Who to do it!

• Human Readable Data Serialization Language ATOM

• Playbooks define the set of Example playbook with roles:

• Ansible uses Jinja2 to enable vars:

ansible-playbook –i <inventory file> <playbook file>

The roles that this playbook will execute roles:

- name: Create Engineering VLAN Pool

Username & Password Certificate Based

Using Environment Variables

Set environment variable

before ansible-playbook state: present

configuration of ACI "children": [],

• There is a better approach validate_certs: no

specific items inside of the task - vlan_pool_name: "sales_vlan_pool"

roles playbooks group_vars files

How to do it! What to do! Information to do it!

Reads the variables in all playbooks

Vlan_pools.yaml var: vlan_pools

policy_groups.yaml Since we are using the

when you build your data structure. •

to inventory is very useful.

Single Binary (Windows, Mac, Linux, Solaris, FreeBSD)

HashiCorp Configuration Language(HCL)

APIC/NDO REST API interaction

No programming knowledge required

Requires only data-structure knowledge

• .tf extension variables.tf

Owned & maintained by Owned & maintained by Published by individual

Must be defined for Nexus

Over 230 ACI Resources/Data Sources

Retrieve the data we need

App Profile VRF

Terraform Graph (Three Tier)