This is an example Terraform manifest that uses the Terraform resource `aws_cloudformation_stack` to deploy the Cisco Cloud Application Policy Infrastructure Controller (cAPIC) from the CloudFormation template published on the AWS Marketplace.
Cisco Cloud APIC requires the following AWS accounts:
- An AWS account to host the Cloud APIC EC2 instances.
- An AWS account for each tenant to be managed by Cloud APIC. Configuring these tenants is outside the scope of this example, but they are required to see the full operation of cAPIC supporting user tenants.
An EC2 key pair is required for the deployment. Create this key pair before running the Terraform apply; the step-by-step instructions below reference it in the variables file. For instructions on creating a key pair refer to the following AWS support article:
Create a key pair using Amazon EC2
Note: AWS key pairs are region specific, so be sure to create the key pair in the same AWS region in which you plan to deploy cAPIC.
The Terraform AWS Provider supports several authentication methods. Refer to the Terraform AWS Provider Documentation for configuring authentication for the provider.
This example uses named profiles configured with the AWS CLI. This keeps the credentials for the AWS account out of the repo and makes it easy to pick the tenant by profile name. Refer to Named Profiles for AWS CLI for details.
To use this CloudFormation stack you must subscribe to the product on the AWS Marketplace and accept the terms and conditions before running the apply. If you do not, the execution will run for approximately 10 minutes, fail on deployment of the cAPIC instance, and roll back the stack.
Visit the following URL to view details about Cisco cAPIC on the AWS Marketplace and subscribe:
AWS Marketplace - Cisco Cloud Application Policy Infrastructure Controller
- Terraform 1.1.0 or later must be installed (the configuration constrains the version to `~> 1.1.0`, i.e. the 1.1.x series): HashiCorp - Install Terraform
Clone or fork the repository to the local machine.

```shell
git clone https://github.com/rjohnston6/aws_capic_tf_example.git
```

Once the repository is cloned, complete the following to create a variables file to be used during execution. Included in the repository is an example tfvars file, `terraform.tfvars.example`.
Note: the repository's `.gitignore` excludes files ending in `.tfvars` to ensure variable values are not stored in version control. If the `.gitignore` is updated, changed or removed, take special care to ensure secrets such as passwords are not committed.
The following steps outline how to update the file for use during execution.
- Rename `terraform.tfvars.example` to `terraform.tfvars`.
- Edit the renamed file as follows:
  - Set `aws_credential_profile` to the name of the profile defined with the AWS CLI for the infrastructure tenant.
  - Set `aws_region` to the AWS region where cAPIC will be deployed, for example `us-west-2` for the Oregon region.
  - Set `pAvailabilityZone` to the Availability Zone in which cAPIC will be deployed. Per the cAPIC installation instructions, if the region has multiple Availability Zones choose the lexicographically lowest one; this will normally be the `a` zone, for example `us-west-2a` in the Oregon region.
  - Set `pPassword` to the desired password for authentication to the cAPIC web interface.
  - Set `pKeyName` to the name of the EC2 key pair created in the prerequisites. Remember the key pair must exist in the region where cAPIC will be deployed.
  - Set `pExtNw` to the subnet permitted to access cAPIC; it has no default, so it must be provided. For demonstrations a value of `"0.0.0.0/0"` allows access from any IP address globally. This may be sufficient for a demonstration, but follow your organization's cyber security requirements, which may dictate a narrower range for production workloads.
  - Additional variables can be added to the tfvars file to override the defaults defined in the variable declarations. See the section "Terraform Details - Inputs" for all variables and their defaults.
- Save the updated `terraform.tfvars` file.
Use the following steps to initialize, plan and deploy using the Terraform CLI. Once deployed, the public IP address assigned to the cAPIC will be displayed.
- From a terminal, change directory to the root of the cloned repo.
- Initialize the working directory by entering `terraform init`.
- Validate the Terraform files for syntax errors by entering `terraform validate`.
- Run a plan to see what will be created by entering `terraform plan`.
- Apply the configuration by entering `terraform apply`. To skip the interactive confirmation, `terraform apply -auto-approve` can be used.
- The apply will take a couple of minutes to execute; once complete, the IP address for the cAPIC will be displayed. IMPORTANT: at this point the apply is complete and the instances and resources are deployed and starting up. Wait approximately 10 minutes to allow cAPIC to start up.
At this point cAPIC is deployed and the GUI can be accessed at:
https://<outputed_CAPICElasticIP>
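The following is an added example, not a file from the repository, showing how the variables described in the steps above can be wired into the `aws_cloudformation_stack` resource while tightening the two security-sensitive inputs: `pExtNw` is validated as an IPv4 CIDR and rejected when it is `0.0.0.0/0` (stricter than the demonstration allowance above, by design), and `pPassword` is declared `sensitive` so it is redacted from plan and apply output. The `CAPABILITY_IAM` capabilities, the 30-minute timeout and the `CAPICElasticIP` stack output key (taken from the placeholder above) are assumptions about the Marketplace template; adjust them to match the template you subscribed to.

```hcl
# Added example (not the repository's own files). Names marked "assumed"
# are not taken from the README and may need adjusting for your template.

terraform {
  required_version = "~> 1.1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.65.0"
    }
  }
}

provider "aws" {
  region  = var.aws_region
  profile = var.aws_credential_profile # named profile keeps credentials out of the repo
}

variable "aws_region" {
  type    = string
  default = "us-east-1"
}

variable "aws_credential_profile" {
  type    = string
  default = "default"
}

variable "pAvailabilityZone" {
  description = "Lexicographically lowest AZ of the region, e.g. us-east-1a"
  type        = string
}

variable "pKeyName" {
  description = "Existing EC2 key pair in the same region"
  type        = string
}

variable "pExtNw" {
  description = "CIDR allowed to reach the cAPIC management interface"
  type        = string

  validation {
    condition     = can(cidrnetmask(var.pExtNw))
    error_message = "The pExtNw value must be an IPv4 CIDR such as 203.0.113.0/24."
  }

  # Reject the wide-open demo value outright; narrow it to your management network.
  validation {
    condition     = var.pExtNw != "0.0.0.0/0"
    error_message = "The pExtNw value must not be 0.0.0.0/0."
  }
}

variable "pPassword" {
  description = "Admin password for the cAPIC web UI; pass via TF_VAR_pPassword, not a committed file"
  type        = string
  sensitive   = true # redacted in plan/apply output (still stored in state, so protect the backend)
}

variable "capic_stack_name" {
  type    = string
  default = "capic-stack"
}

variable "capic_template_url" {
  type    = string
  default = "https://s3.amazonaws.com/awsmp-fulfillment-cf-templates-prod/6cad9a0e-821a-4f03-881e-fb1f66f4dc1f/c636799095224e63a6074ca3308fe27f.template"
}

resource "aws_cloudformation_stack" "capic_stack" {
  name               = var.capic_stack_name
  template_url       = var.capic_template_url
  capabilities       = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"] # assumed: template creates IAM roles
  timeout_in_minutes = 30                                         # assumed; covers the ~10 minute failure window
  on_failure         = "ROLLBACK"                                 # failed instance launch rolls the stack back

  # Parameter names mirror the template's pXxx inputs listed in the Inputs table.
  parameters = {
    pAvailabilityZone = var.pAvailabilityZone
    pExtNw            = var.pExtNw
    pKeyName          = var.pKeyName
    pPassword         = var.pPassword
    pAssignOOBIntfEIP = "true"
  }
}

# Stack output key is assumed from the README placeholder <outputed_CAPICElasticIP>.
output "capic_elastic_ip" {
  value = lookup(aws_cloudformation_stack.capic_stack.outputs, "CAPICElasticIP", null)
}
```

Run it with the password supplied through the environment rather than `terraform.tfvars` (`export TF_VAR_pPassword='...'` before `terraform plan`), so the secret never sits in a file next to the repo. Note that `sensitive = true` only suppresses the value in CLI output; it is still written to the Terraform state and, as a CloudFormation parameter, is visible in the stack's parameter list unless the template marks it `NoEcho`, so restrict access to both the state backend and the CloudFormation console.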
To undeploy cAPIC, run `terraform destroy` from the root of the repo; Terraform will delete the CloudFormation stack used during deployment. This removes the majority of the cloud resources deployed in the AWS tenant, but it does NOT remove all of them. During cAPIC start-up additional resources are configured that must be removed using the AWS Console, the AWS CLI or other means. These resources are as follows:
- S3 Bucket (capic-xxxx)
- SQS
- CloudTrail
- CloudWatch
- EventBridge
NOTE: There are known occurrences when issuing `terraform destroy` where the destroy fails after approximately 15 minutes. The failure reason will be displayed and in most cases relates to being unable to delete the VPC that was initially created. To resolve this manually, access the AWS console, remove the VPC `context-[overlay-1]-addr-[<vpc_cidr>]`, then re-run `terraform destroy`.
Special thank you goes to Marina Ferreira for testing and providing feedback along the way! 🏆
Requirements

Name | Version |
---|---|
terraform | ~> 1.1.0 |
aws | ~> 3.65.0 |

Providers

Name | Version |
---|---|
aws | 3.65.0 |

Modules

No modules.

Resources

Name | Type |
---|---|
aws_cloudformation_stack.capic_stack | resource |

Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
aws_credential_profile | Set credential profile for aws cli if not using default | string | "default" | no |
aws_region | AWS Region for resource deployment | string | "us-east-1" | no |
capic_stack_name | CloudFormation deployment stack name | string | "capic-stack" | no |
capic_template_url | CloudFormation template URL for CAPIC | string | "https://s3.amazonaws.com/awsmp-fulfillment-cf-templates-prod/6cad9a0e-821a-4f03-881e-fb1f66f4dc1f/c636799095224e63a6074ca3308fe27f.template" | no |
pAssignOOBIntfEIP | Select whether to assign public IP address to oob management interface or not. | string | "true" | no |
pAvailabilityZone | Availability zone for Cloud APIC (Must select lexicographically lowest Availability zone) | string | "us-east-1a" | no |
pExtNw | External network allowed to access Cloud APIC (x.x.x.x/x). Configuring external subnet with 0.0.0.0/0 is a SECURITY RISK, it is advisable to use specific subnet. | string | n/a | yes |
pFabricName | Fabric Name (must be only alphanumeric chars separated by '-') | string | "ACI-Cloud-Fabric" | no |
pInfraVPCPool | IP address pool for Infra VPCs (must be a /24 prefix) | string | "10.10.0.0/24" | no |
pInstanceType | Select one of the possible EC2 instance types | string | "m5.2xlarge" | no |
pKeyName | Name of an existing SSH KeyPair to enable SSH access to Cloud APIC | string | n/a | yes |
pPassword | Admin Password for Cloud APIC | string | n/a | yes |

Outputs

Name | Description |
---|---|
stack_outputs | Outputs from the Stack execution |