---
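# This play verifies that the connection details are defined
# in the hostvars (e.g. host_vars/mso1.yml) and it then loads
# the data model for the new tenant (vars/tenant_name.yml).
- name: PRE-DEPLOYMENT SETUP AND VALIDATION
  hosts: mso1
  tasks:
    # All of these should be defined:
    #   host_vars: ansible_host, ansible_user, ansible_password, validate_certs
    #   group_vars/all: customer_name
    #
    # The assert only proves that each variable exists. It does not check
    # that validate_certs is true: with it set to false the MSO modules skip
    # TLS certificate verification, so ansible_user/ansible_password are sent
    # to a peer whose identity was never checked.
    # NOTE(review): host_vars are not visible here; ansible_password is
    # presumably better kept in an Ansible Vault file than in clear text.
    - name: Test that connection details are defined
      assert:
        that:
          - "ansible_host is defined"
          - "ansible_user is defined"
          - "ansible_password is defined"
          - "validate_certs is defined"
          - "customer_name is defined"
        # Folded scalar: renders as the same single-line message as before.
        fail_msg: >-
          Please ensure that these variables exist: ansible_host,
          ansible_user, ansible_password, validate_certs and customer_name!
        quiet: true

    # These variables represent the data model and are used by
    # the rest of the playbook to deploy the policy. Refer to the file for
    # more details about each variable.
    # NOTE(review): customer_name is interpolated into a file name; it is
    # expected to come from group_vars/all. If it can ever be supplied by a
    # less trusted source, confirm it cannot contain path separators.
    - name: Load Infrastructure Definition
      include_vars:
        file: "{{ customer_name }}.yml"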
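# This play optionally removes all relevant
# pre-existing policy in preparation for deploying configuration.
- name: PRE-DEPLOYMENT OPTIONAL CLEANUP
  hosts: mso1
  vars:
    # This dictionary is provided to each MSO module so that
    # it knows how to connect to the orchestrator itself.
    # The &connection_details anchor is also aliased by the tasks of the
    # provisioning play further down, so it must stay in this YAML document.
    # The merge places the password in every module's arguments.
    # NOTE(review): presumably the MSO modules declare it no_log; confirm
    # before running with increased verbosity.
    connection_details: &connection_details
      hostname: "{{ ansible_host }}"
      username: "{{ ansible_user }}"
      password: "{{ ansible_password }}"
      validate_certs: "{{ validate_certs }}"
  tasks:
    # This block simply removes any relevant configuration to provide
    # a clean slate. If 'cleanup_before_deploy' is set to true, the play
    # will remove the objects together with all of their dependents.
    # Removal order matters: bindings first, then contracts, then filters.
    - block:
        - name: Remove a contract from an EPG
          mso_schema_template_anp_epg_contract:
            <<: *connection_details
            schema: "{{ schema.name }}"
            template: "{{ binding.template }}"
            anp: "{{ binding.anp }}"
            epg: "{{ binding.epg }}"
            contract:
              name: "{{ binding.contract }}"
              type: "{{ binding.type }}"
            state: absent
          delegate_to: localhost
          loop: "{{ schema.contract_bindings }}"
          loop_control:
            loop_var: binding
            label: "{{ binding.contract }} for {{ binding.template }}"

        # This module will remove the contract object once the last filter
        # has been deleted from it.
        - name: Remove Contract if it already exists
          mso_schema_template_contract_filter:
            <<: *connection_details
            schema: "{{ schema.name }}"
            template: "{{ contract.template }}"
            contract: "{{ contract.name }}"
            filter: "{{ contract.filter }}"
            filter_type: "{{ contract.filter_type }}"
            state: absent
          delegate_to: localhost
          loop: "{{ schema.contracts }}"
          loop_control:
            loop_var: contract
            label: "{{ contract.name }} for {{ contract.template }}"

        # This module will remove the filter object once the last entry
        # has been deleted from it.
        - name: Remove Filter and Entry if it already exists
          mso_schema_template_filter_entry:
            <<: *connection_details
            schema: "{{ schema.name }}"
            filter: "{{ filter.name }}"
            template: "{{ filter.template }}"
            entry: "{{ filter.entry }}"
            ethertype: "{{ filter.ethertype }}"
            ip_protocol: "{{ filter.ip_protocol }}"
            destination_from: "{{ filter.destination_from }}"
            destination_to: "{{ filter.destination_to }}"
            state: absent
          delegate_to: localhost
          loop: "{{ schema.filters }}"
          loop_control:
            loop_var: filter
            label: "{{ filter.name }} for {{ filter.template }}"

      # This block is only executed if 'cleanup_before_deploy' is true.
      # The '| bool' cast keeps a string value such as "false" (for example
      # from '-e cleanup_before_deploy=false') from being treated as truthy,
      # and default(false) leaves this destructive block off when the
      # variable is not set at all.
      when: cleanup_before_deploy | default(false) | bool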
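# This play creates the necessary policy on the MSO for the
# provisioning of new Contracts and Filters.
# All tenant data comes from our data model and is not hardcoded
# in any way in the playbook to make our playbook modular and
# data source agnostic.
#
# The tasks below alias the &connection_details anchor that is defined in
# the vars of the cleanup play above. A YAML alias only resolves inside the
# document that defines its anchor, so this play cannot be moved to a
# separate file without redefining that mapping.
- name: PROVISION ENDPOINT GROUPS
  hosts: mso1
  tasks:
    # This task creates the filters with their entries on the MSO.
    # Each entry matches a particular type of flow (like an ACL line).
    - name: Create Filter object and its Entries
      mso_schema_template_filter_entry:
        <<: *connection_details
        schema: "{{ schema.name }}"
        filter: "{{ filter.name }}"
        template: "{{ filter.template }}"
        entry: "{{ filter.entry }}"
        ethertype: "{{ filter.ethertype }}"
        ip_protocol: "{{ filter.ip_protocol }}"
        destination_from: "{{ filter.destination_from }}"
        destination_to: "{{ filter.destination_to }}"
        state: present
      delegate_to: localhost
      loop: "{{ schema.filters }}"
      loop_control:
        loop_var: filter
        label: "{{ filter.name }} for {{ filter.template }}"

    # This task creates the contracts with their filters on the MSO.
    - name: Create Contract with Filter
      mso_schema_template_contract_filter:
        <<: *connection_details
        schema: "{{ schema.name }}"
        template: "{{ contract.template }}"
        contract: "{{ contract.name }}"
        filter: "{{ contract.filter }}"
        filter_type: "{{ contract.filter_type }}"
        state: present
      delegate_to: localhost
      loop: "{{ schema.contracts }}"
      loop_control:
        loop_var: contract
        label: "{{ contract.name }} for {{ contract.template }}"

    # This module binds a contract to an EPG, defining the relationship:
    # either consumer or provider.
    - name: Bind a Contract to an EPG
      mso_schema_template_anp_epg_contract:
        <<: *connection_details
        schema: "{{ schema.name }}"
        template: "{{ binding.template }}"
        anp: "{{ binding.anp }}"
        epg: "{{ binding.epg }}"
        contract:
          name: "{{ binding.contract }}"
          type: "{{ binding.type }}"
        state: present
      delegate_to: localhost
      loop: "{{ schema.contract_bindings }}"
      loop_control:
        loop_var: binding
        label: "{{ binding.contract }} for {{ binding.template }}"

    # Finally, we deploy each schema template to its fabrics.
    # This operation actually creates the Contracts, Filters and
    # EPG bindings on the ACI fabrics, so it is the step that changes
    # which traffic the fabrics permit between EPGs.
    - name: Deploy a schema template
      mso_schema_template_deploy:
        <<: *connection_details
        schema: "{{ schema.name }}"
        template: "{{ template.name }}"
        state: deploy
      delegate_to: localhost
      loop: "{{ schema.templates }}"
      loop_control:
        loop_var: template
        label: "{{ template.name }} for {{ template.site }}"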