- Recommended Module Versions
- Updates
- Examples
- Important Notes
- YAML Schema Notes
- Cloud Posse tfenv
- Recommended Firmware
- Environment Variables
- Sensitive Variables for the Policies Module
- Execute Terraform Apply/Plan
- Terraform Requirements
- Terraform Providers
- Terraform Modules
- Terraform Inputs
- Terraform Outputs
- Sub Modules - Terraform Registry
Module | API Version | Provider Version | Appliance Version | Module Notes |
---|---|---|---|---|
pools | >=1.0.11-17769 | >=1.0.51 | Not Supported | Adds IP Pool Block Level IP Configuration. |
policies | >=1.0.11-17769 | >=1.0.51 | Not Supported | adapter_config - Add physical_nic_mode_settings; bios - M8 AMD BIOS attributes; ethernet_network - QnQ capabilities; vnics - sriov; vnic/vhba templates |
profiles | >=1.0.11-17769 | >=1.0.51 | Not Supported | Adds Chassis/Domain Templates. |
Module | API Version | Provider Version | Appliance Version | Module Notes |
---|---|---|---|---|
pools | >=1.0.11-16711 | 1.0.47 | >=1.1.0-0 | With IP Pools use Configuration outside IP Block. |
policies | >=1.0.11-16711 | 1.0.47 | >=1.1.0-0 | Anything supported by YAML Schema Outside of New Features in 17769 |
profiles | >=1.0.11-16711 | 1.0.47 | >=1.1.0-0 | Doesn't support Chassis and Domain Templates |
- 2024-07-23: Recommended releases are 4.2.11-17769 or 4.2.11-16711. See Notes for modules above.
- 2024-07-16: Terraform Provider 1.0.48, 1.0.49, and 1.0.50 deprecated due to breaking BIOS changes and bulk_merger problems. Do not use these provider versions.
Examples are shown in the following directories:
- `policies`
- `pools`
- `profiles`
- `recommended_firmware`
  - This is used to get the latest recommended firmware releases from Intersight
- `templates`
- `Wakanda`
  - To show profiles using pools/policies/templates as Data Sources (Mostly)

The `policies`/`pools`/`profiles`/`templates` folders are the common/default/Asgard organizations in our lab environment.

The `Wakanda` folder is the Wakanda organization in our lab environment.
Take notice of the `ezi.yaml` extension on the files. This is how the `data.utils_yaml_merge.model`, in the `main.tf`, is configured to recognize the files that should be imported with the module.

The structure of the YAML files is very flexible. You can have all the YAML data in a single file or you can have it in multiple individual folders, as is shown in this module. The important part is that the `data.utils_yaml_merge.model` is configured to read the folders that you put the data into.
When defining identity reservations under a server profile (see the example in the `profiles` folder), note the `ignore_reservations` flag in the example. Reservation records are ephemeral, meaning that as soon as the reservation is assigned to a server profile, the identity reservation record is removed from the API. Thus, after you run the first plan and the identities are created, this flag should be set to `true`, or you need to remove the reservations from the `server_profiles`. Either way, the reservations will only work on the first apply. Subsequent applies with the reservations defined will cause the plan/apply to fail due to the identity being consumed.
If you would like to utilize Autocomplete, Help Context, and Error Validation (HIGHLY RECOMMENDED), make sure the files all utilize the `.ezi.yaml` file extension.

Add the following to `YAML: Schemas`. In Visual Studio Code: Settings > Settings > search for `YAML: Schema` > click `Edit in settings.json`. In the `yaml.schemas` section:

```json
"https://raw.githubusercontent.com/terraform-cisco-modules/easy-imm/main/yaml_schema/easy-imm.json": "*.ezi.yaml"
```

The schema for these YAML files will soon be registered with SchemaStore using this `.ezi.yaml` file extension. Until that is complete, you still need to add it to settings.
`global_settings.ezi.yaml` contains the variable `intersight_fqdn`.
- `intersight_fqdn`: SaaS will by default be `intersight.com`. Available in the event of CVA or PVA deployments.
- `tags`: Not required, but by default the version of the script is being flagged here.
Note: Modules can be added or removed dependent on the use case. The primary example in this repository is consuming/showing a full environment deployment.
Command line utility to transform environment variables for use with Terraform. (e.g. HOSTNAME → TF_VAR_hostname)
Recently I adopted the `tfenv` runner to standardize environment variables with multiple orchestration tools. tfenv makes it so you don't need to add `TF_VAR_` to the variables when you add them to the environment. The caveat is that it doesn't work on Windows.

In the export examples below, for the Linux example, the `TF_VAR_` prefix is excluded because Cloud Posse tfenv is used to insert it during the run.
```bash
go install github.com/cloudposse/tfenv@latest
GOPATH="$HOME/go"
PATH="$GOPATH/bin:$PATH"
```
Additionally, to save time on typing commands, I use the following aliases by editing the `.bashrc` for my environment.

```bash
alias tfa='tfenv terraform apply main.plan'
alias tfap='tfenv terraform apply -parallelism=1 main.plan'
alias tfd='tfenv terraform destroy'
alias tff='terraform fmt'
alias tfi='terraform init'
alias tfim='tfenv terraform import'
alias tfp='tfenv terraform plan -out=main.plan'
alias tfu='terraform init -upgrade'
alias tfv='terraform validate'
```
In the `recommended_firmware` folder is a simple Terraform setup that you can use to query Intersight for the latest recommended firmware for servers. Following is an example output:
If you want to create server profiles from templates, use the flag `create_from_template` under the server profile in :profiles:server. See examples in `./profiles`.

Do not create from template if you want to assign identity reservations to a server profile. Instead, set the `attach_template` flag in the server profile. This will also attach the template to the profile but will reserve the identities to the profile prior to template attachment.
Note that all the variables in `variables.tf` are marked as sensitive, meaning these are variables that shouldn't be exposed due to their sensitive nature.

Take note of the `locals.tf` that currently has the following sensitive variables defined:
- `certificate_management`
- `drive_security`
- `firmware`
- `ipmi_over_lan`
- `iscsi_boot`
- `ldap`
- `local_user`
- `persistent_memory`
- `snmp`
- `virtual_media`
The reason to add these variables as maps of string is to allow the flexibility to add or remove iterations of these sensitive variables as needed. Sensitive variables cannot be iterated with a `for_each` loop. Thus, instead of adding these variables directly to the YAML schema, they are added to these separate maps to allow lookup of the variable index.

For example, if you needed to add 100 iterations of the `certificate_management` variables, you can do that and simply reference the index in the map of the iteration that will consume that instance.
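
The index-lookup pattern described above, as an added example (not the module's own `locals.tf`): `local.users`, `local.local_user_passwords` and the built-in `terraform_data` resource (Terraform 1.4+) are hypothetical stand-ins for the merged YAML model, the sensitive map and an Intersight policy resource.

```hcl
terraform {
  required_version = ">= 1.4.0" # terraform_data is built in from 1.4
}

# Sensitive inputs, one variable per slot, supplied via TF_VAR_* (or tfenv).
variable "local_user_password_1" {
  type      = string
  default   = ""
  sensitive = true
}

variable "local_user_password_2" {
  type      = string
  default   = ""
  sensitive = true
}

locals {
  # Constructed stand-in for the merged YAML model. It holds no secrets,
  # only the index of the password slot each user consumes.
  users = {
    admin   = { role = "admin", password = 1 }
    auditor = { role = "readonly", password = 2 }
  }

  # Map of slot index => sensitive value. Only the values are sensitive;
  # the keys stay plain, so they can be looked up at use time.
  local_user_passwords = {
    "1" = var.local_user_password_1
    "2" = var.local_user_password_2
  }
}

# for_each runs over non-sensitive data; the secret is resolved per instance.
# Passing a sensitive collection to for_each directly is rejected by Terraform.
resource "terraform_data" "local_user" {
  for_each = local.users

  input = {
    name     = each.key
    role     = each.value.role
    password = local.local_user_passwords[tostring(each.value.password)]
  }
}
```

`sensitive = true` only redacts the value in plan and apply output; it is still written to the state file, so the state backend needs the same protection as the secrets themselves.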
- Add variable `intersight_api_key_id` with the value of
- Add variable `intersight_secret_key` with the value of
Take note of the `locals.tf` that currently has all the sensitive variables mapped.

These are the default sensitive variable mappings. You can add to or remove from these according to the needs of your environment.

The important point is that if you need more than is added by default, you can expand the `locals.tf` and `variables.tf` to accommodate your environment.
ALL EXAMPLES BELOW ASSUME USING `tfenv` in LINUX

```bash
export intersight_api_key_id="<your-api-key>"
export intersight_secret_key="<secret-key-file-location>"
```

```powershell
$env:TF_VAR_intersight_api_key_id="<your-api-key>"
$env:TF_VAR_intersight_secret_key="<secret-key-file-location>"
```
- `cert_mgmt_certificate`: Options are by default 1-5 for up to 5 certificates. Variable should point to the file location of the PEM certificate or be the value of the PEM certificate.
- `cert_mgmt_private_key`: Options are by default 1-5 for up to 5 private keys. Variable should point to the file location of the PEM private key or be the value of the PEM private key.

```bash
export cert_mgmt_certificate_1='<cert_mgmt_certificate_file_location>'
export cert_mgmt_private_key_1='<cert_mgmt_private_key_file_location>'
```

```powershell
$env:TF_VAR_cert_mgmt_certificate_1='<cert_mgmt_certificate_file_location>'
$env:TF_VAR_cert_mgmt_private_key_1='<cert_mgmt_private_key_file_location>'
```
- `drive_security_password`: If authentication is supported/used by the KMIP server, this is the user password to configure.
- `drive_security_server_ca_certificate`: KMIP server CA certificate contents.

```bash
export drive_security_password='<drive_security_password>'
export drive_security_server_ca_certificate='<drive_security_server_ca_certificate_file_location>'
```

```powershell
$env:TF_VAR_drive_security_password='<drive_security_password>'
$env:TF_VAR_drive_security_server_ca_certificate='<drive_security_server_ca_certificate_file_location>'
```
- `cco_user`: If configuring firmware policies, the CCO user for firmware downloads.
- `cco_password`: If configuring firmware policies, the CCO password for firmware downloads.

```bash
export cco_user='<cco_user>'
export cco_password='<cco_password>'
```

```powershell
$env:TF_VAR_cco_user='<cco_user>'
$env:TF_VAR_cco_password='<cco_password>'
```
When running in Terraform Cloud with VCS Integration, the first plan will need to be run from the UI, but subsequent runs should trigger automatically.

- Execute the Plan - Linux

```bash
# First time execution requires initialization. Not needed on subsequent runs.
terraform init
# If the variables were exported without the TF_VAR_ prefix (as in the Linux
# examples above), run plan/apply through tfenv: tfenv terraform plan -out="main.plan"
terraform plan -out="main.plan"
terraform apply "main.plan"
```

- Execute the Plan - Windows

```powershell
# First time execution requires initialization. Not needed on subsequent runs.
terraform.exe init
terraform.exe plan -out="main.plan"
terraform.exe apply "main.plan"
```
Name | Version |
---|---|
terraform | >=1.3.0 |
intersight | 1.0.51 |
time | 0.9.1 |
utils | >= 0.1.3 |
Name | Version |
---|---|
intersight | 1.0.51 |
utils | 0.2.6 |
Name | Source | Version |
---|---|---|
pools | terraform-cisco-modules/pools/intersight | 4.2.11-17769 |
policies | terraform-cisco-modules/policies/intersight | 4.2.11-17769 |
profiles | terraform-cisco-modules/profiles/intersight | 4.2.11-17769 |
NOTE: When the Data is merged from the YAML files, it will run through the modules using for_each loop(s). Sensitive Variables cannot be added to a for_each loop, instead use the variables below to add sensitive values for policies.
Name | Description | Type | Default | Required |
---|---|---|---|---|
intersight_api_key_id | Intersight API Key. | string | n/a | yes |
intersight_secret_key | Intersight Secret Key. | string | "blah.txt" | no |
cert_mgmt_certificate_1 | The Server Certificate, in PEM Format, File Location. | string | "blah.txt" | no |
cert_mgmt_certificate_2 | The Server Certificate, in PEM Format, File Location. | string | "blah.txt" | no |
cert_mgmt_certificate_3 | The Server Certificate, in PEM Format, File Location. | string | "blah.txt" | no |
cert_mgmt_certificate_4 | The Server Certificate, in PEM Format, File Location. | string | "blah.txt" | no |
cert_mgmt_certificate_5 | The Server Certificate, in PEM Format, File Location. | string | "blah.txt" | no |
cert_mgmt_private_key_1 | The Server Private Key, in PEM Format, File Location. | string | "blah.txt" | no |
cert_mgmt_private_key_2 | The Server Private Key, in PEM Format, File Location. | string | "blah.txt" | no |
cert_mgmt_private_key_3 | The Server Private Key, in PEM Format, File Location. | string | "blah.txt" | no |
cert_mgmt_private_key_4 | The Server Private Key, in PEM Format, File Location. | string | "blah.txt" | no |
cert_mgmt_private_key_5 | The Server Private Key, in PEM Format, File Location. | string | "blah.txt" | no |
drive_security_password | Drive Security User Password. | string | "" | no |
drive_security_server_ca_certificate | Drive Security Server CA Certificate, in PEM Format, File Location. | string | "blah.txt" | no |
cco_password | CCO User Account Password. | string | "" | no |
cco_user | CCO User Account Email for Firmware Policies. | string | "cco_user" | no |
ipmi_key | Encryption key 1 to use for IPMI communication. It should have an even number of hexadecimal characters and not exceed 40 characters. | string | "" | no |
iscsi_boot_password | Password to Assign to the iSCSI Boot Policy if doing Authentication. | string | "" | no |
binding_parameters_password | The password of the user for the initial bind process with an LDAP Policy. It can be any string that adheres to the following constraints. It can have any character except spaces, tabs, line breaks. It cannot be more than 254 characters. | string | "" | no |
local_user_password_1 | Password to assign to a Local User Policy -> user. | string | "" | no |
local_user_password_2 | Password to assign to a Local User Policy -> user. | string | "" | no |
local_user_password_3 | Password to assign to a Local User Policy -> user. | string | "" | no |
local_user_password_4 | Password to assign to a Local User Policy -> user. | string | "" | no |
local_user_password_5 | Password to assign to a Local User Policy -> user. | string | "" | no |
persistent_passphrase | Secure passphrase to be applied on the Persistent Memory Modules on the server. The allowed characters are: a-z, A-Z, 0-9 and special characters: !, &, #, $, %, +, ^, @, _, *, -. | string | "" | no |
access_community_string_1 | The default SNMPv1, SNMPv2c community name or SNMPv3 username to include on any trap messages sent to the SNMP host. The name can be 18 characters long. | string | "" | no |
access_community_string_2 | The default SNMPv1, SNMPv2c community name or SNMPv3 username to include on any trap messages sent to the SNMP host. The name can be 18 characters long. | string | "" | no |
access_community_string_3 | The default SNMPv1, SNMPv2c community name or SNMPv3 username to include on any trap messages sent to the SNMP host. The name can be 18 characters long. | string | "" | no |
access_community_string_4 | The default SNMPv1, SNMPv2c community name or SNMPv3 username to include on any trap messages sent to the SNMP host. The name can be 18 characters long. | string | "" | no |
access_community_string_5 | The default SNMPv1, SNMPv2c community name or SNMPv3 username to include on any trap messages sent to the SNMP host. The name can be 18 characters long. | string | "" | no |
snmp_auth_password_1 | SNMPv3 User Authentication Password. | string | "" | no |
snmp_auth_password_2 | SNMPv3 User Authentication Password. | string | "" | no |
snmp_auth_password_3 | SNMPv3 User Authentication Password. | string | "" | no |
snmp_auth_password_4 | SNMPv3 User Authentication Password. | string | "" | no |
snmp_auth_password_5 | SNMPv3 User Authentication Password. | string | "" | no |
snmp_privacy_password_1 | SNMPv3 User Privacy Password. | string | "" | no |
snmp_privacy_password_2 | SNMPv3 User Privacy Password. | string | "" | no |
snmp_privacy_password_3 | SNMPv3 User Privacy Password. | string | "" | no |
snmp_privacy_password_4 | SNMPv3 User Privacy Password. | string | "" | no |
snmp_privacy_password_5 | SNMPv3 User Privacy Password. | string | "" | no |
snmp_trap_community_1 | Community for a Trap Destination. | string | "" | no |
snmp_trap_community_2 | Community for a Trap Destination. | string | "" | no |
snmp_trap_community_3 | Community for a Trap Destination. | string | "" | no |
snmp_trap_community_4 | Community for a Trap Destination. | string | "" | no |
snmp_trap_community_5 | Community for a Trap Destination. | string | "" | no |
vmedia_password_1 | Password for a Virtual Media Policy -> mapping target. | string | "" | no |
vmedia_password_2 | Password for a Virtual Media Policy -> mapping target. | string | "" | no |
vmedia_password_3 | Password for a Virtual Media Policy -> mapping target. | string | "" | no |
vmedia_password_4 | Password for a Virtual Media Policy -> mapping target. | string | "" | no |
vmedia_password_5 | Password for a Virtual Media Policy -> mapping target. | string | "" | no |
Name | Description |
---|---|
orgs | Organization Moids |
policies | The Name of Each Policy Created with its respective Moid. |
pools | The Name of Each Pool Created with its respective Moid. |
profiles | The Name of Each Profile Created with its respective Moid. |
If you want to see documentation on Variables for Submodules use the links below: