This is an example terraform manifest that uses the terraform resource `aws_cloudformation_stack` to deploy the Cisco Cloud Application Policy Infrastructure Controller (cAPIC) using the provided CloudFormation template published on the AWS Marketplace.

Cisco Cloud APIC requires the following AWS accounts:
As part of the deployment an EC2 key pair is required. Create this key pair prior to executing the terraform deploy; the step-by-step instructions below reference it in the variables. For instructions on creating a key pair refer to the following AWS support article: Create a key pair using Amazon EC2.

Note: AWS key pairs are region specific, so be sure to create the key pair in the same AWS region where you plan to deploy the cAPIC.
The Terraform AWS Provider has various configuration options for authentication. Refer to the Terraform AWS Provider Documentation for configuring authentication for the AWS provider.

This example uses named profiles configured with the AWS CLI. This keeps the credentials for the AWS account out of the repo and makes it easy to pick the tenant based on the named profile. Refer to Named Profiles for AWS CLI for details.
To use this CloudFormation stack you must access the AWS Marketplace, subscribe, and accept the terms and conditions prior to executing the apply. Failure to do so will cause the execution to run for approximately 10 minutes, then fail on deployment of the cAPIC instance and roll back the stack deployment.

Visit the following URL to view details about Cisco cAPIC on the AWS Marketplace and to subscribe:
AWS Marketplace - Cisco Cloud Application Policy Infrastructure Controller
Clone or fork the repository to the local machine.

```shell
git clone https://github.com/rjohnston6/aws_capic_tf_example.git
```
Once the repository is cloned, complete the following to create a variables file to be used during execution. Included in the repository is an example tfvars file, `terraform.tfvars.example`.

Note: As part of the `.gitignore`, files with a `.tfvars` extension are ignored to ensure variables are not stored in version control. If the `.gitignore` is updated, changed or removed, special care must be taken to ensure secrets such as passwords are not stored in version control.
The following steps outline how to update the file for use during execution.

1. Copy or rename `terraform.tfvars.example` to `terraform.tfvars`.
2. Set `aws_credential_profile` to the name of the profile defined using the AWS CLI for the infrastructure tenant.
3. Set `aws_region` to the AWS region where cAPIC will be deployed, for example `us-west-2` for the Oregon region.
4. Set `pAvailabilityZone` to the Availability Zone to deploy cAPIC to. As per the installation instructions for cAPIC, if the region has multiple availability zones choose the lowest one; this will normally be the `a` zone, for example `us-west-2a` in the Oregon region.
5. Set `pPassword` to the desired password for authentication to the cAPIC web interface.
6. Set `pKeyName` to the name of the previously created EC2 key pair as outlined in the prerequisites. Remember the key pair must be present in the intended region where cAPIC will be deployed.
7. Set `pExtNw` to the subnet permitted to access the cAPIC. For demonstrations a value of `"0.0.0.0/0"` will allow access from any IP address globally. This may be sufficient for demonstrations, but follow your organization's cybersecurity requirements, which may dictate otherwise for your workloads.
8. Save the `terraform.tfvars` file.

Use the following steps to initialize, plan and deploy using the terraform CLI. Once deployed, the assigned public IP address for the cAPIC will be provided.
```shell
terraform init
terraform validate
terraform plan
terraform apply
```
Optionally, to skip answering yes, `terraform apply -auto-approve` can be used. At this point cAPIC is deployed and the GUI can be accessed at:

```
https://<outputed_CAPICElasticIP>
```
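As an added illustration (not the repository's own `main.tf`), the following manifest shows how the `aws_cloudformation_stack` resource, the named-profile provider configuration and the inputs from the table below fit together, with a `validation` block that rejects the demonstration-only `0.0.0.0/0` value for `pExtNw` at plan time and `sensitive = true` on `pPassword`. The `capabilities` and `on_failure` arguments are assumptions about what the Marketplace template needs; the remaining inputs from the table are passed in `parameters` the same way.

```hcl
terraform {
  required_version = "~> 1.1.0"
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 3.65.0" }
  }
}

# Credentials come from a named AWS CLI profile; nothing secret is stored in the repo.
provider "aws" {
  region  = var.aws_region
  profile = var.aws_credential_profile
}

variable "aws_region" { default = "us-east-1" }
variable "aws_credential_profile" { default = "default" }
variable "pAvailabilityZone" { default = "us-east-1a" }
variable "pKeyName" { type = string }

variable "pPassword" {
  type      = string
  sensitive = true # redacted from plan and apply output
}

variable "pExtNw" {
  type = string
  # Fail the plan instead of exposing the controller to the whole Internet.
  validation {
    condition     = can(cidrhost(var.pExtNw, 0)) && var.pExtNw != "0.0.0.0/0"
    error_message = "pExtNw must be a CIDR prefix other than 0.0.0.0/0."
  }
}

resource "aws_cloudformation_stack" "capic_stack" {
  name         = "capic-stack"
  template_url = "https://s3.amazonaws.com/awsmp-fulfillment-cf-templates-prod/6cad9a0e-821a-4f03-881e-fb1f66f4dc1f/c636799095224e63a6074ca3308fe27f.template"
  capabilities = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"] # assumed: template creates IAM roles
  on_failure   = "ROLLBACK" # assumed: roll back on a failed stack creation

  parameters = {
    pAvailabilityZone = var.pAvailabilityZone
    pExtNw            = var.pExtNw
    pKeyName          = var.pKeyName
    pPassword         = var.pPassword
  }
}

output "stack_outputs" {
  value = aws_cloudformation_stack.capic_stack.outputs
}
```

With `pExtNw = "0.0.0.0/0"` in `terraform.tfvars`, `terraform plan` stops with the validation error before any stack is created.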
In the event you would like to undeploy cAPIC, running `terraform destroy` from the directory root will cause terraform to delete the CloudFormation stack used during deployment. This removes the majority of the cloud resources deployed in the AWS tenant. It does NOT remove all resources. As part of cAPIC's start up, additional resources are configured which must be removed using the AWS Console, the AWS CLI or other means. These resources are as follows:

NOTE: There are known occurrences when issuing `terraform destroy` where the destroy fails at approximately 15 minutes. The failure reason will be displayed and in most cases will be related to being unable to delete the VPC that was initially created. To resolve this manually, access the AWS console and remove the VPC `context-[overlay-1]-addr-[<vpc_cidr>]`, then re-run `terraform destroy`.
Special thank you goes to Marina Ferreira for testing and providing feedback along the way! 🏆
Requirements:

| Name | Version |
|---|---|
| terraform | ~> 1.1.0 |
| aws | ~> 3.65.0 |

Providers:

| Name | Version |
|---|---|
| aws | 3.65.0 |

Modules:

No modules.

Resources:

| Name | Type |
|---|---|
| aws_cloudformation_stack.capic_stack | resource |

Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_credential_profile | Set credential profile for aws cli if not using default | string | "default" | no |
| aws_region | AWS Region for resource deployment | string | "us-east-1" | no |
| capic_stack_name | CloudFormation deployment stack name | string | "capic-stack" | no |
| capic_template_url | CloudFormation template URL for CAPIC | string | "https://s3.amazonaws.com/awsmp-fulfillment-cf-templates-prod/6cad9a0e-821a-4f03-881e-fb1f66f4dc1f/c636799095224e63a6074ca3308fe27f.template" | no |
| pAssignOOBIntfEIP | Select whether to assign public IP address to oob management interface or not. | string | "true" | no |
| pAvailabilityZone | Availability zone for Cloud APIC (Must select lexicographically lowest Availability zone) | string | "us-east-1a" | no |
| pExtNw | External network allowed to access Cloud APIC (x.x.x.x/x). Configuring external subnet with 0.0.0.0/0 is a SECURITY RISK, it is advisable to use specific subnet. | string | n/a | yes |
| pFabricName | Fabric Name (must be only alphanumeric chars separated by '-') | string | "ACI-Cloud-Fabric" | no |
| pInfraVPCPool | IP address pool for Infra VPCs (must be a /24 prefix) | string | "10.10.0.0/24" | no |
| pInstanceType | Select one of the possible EC2 instance types | string | "m5.2xlarge" | no |
| pKeyName | Name of an existing SSH KeyPair to enable SSH access to Cloud APIC | string | n/a | yes |
| pPassword | Admin Password for Cloud APIC | string | n/a | yes |

Outputs:

| Name | Description |
|---|---|
| stack_outputs | Outputs from the Stack execution |
Products: Application Centric Infrastructure (ACI)
Programming Languages: HCL