CiscoDevNet / terraform-provider-nxos

Terraform Cisco NX-OS Provider
https://registry.terraform.io/providers/netascode/nxos
Mozilla Public License 2.0

Missing resources in generic bgp configuration #228

Closed StevenHolm closed 1 month ago

StevenHolm commented 2 months ago

Use case

I've been looking into deploying some Nexus switching using Terraform as the orchestration tool. I found the following resources were missing from the available resources:

Ability to set local AS on BGP peer

resource "nxos_rest" "bgp_localas" {
    for_each = local.bgp_neighbor
    dn = "sys/bgp/inst/dom-[${nxos_bgp_address_family.address_family.vrf}]/peer-[${nxos_bgp_peer.peer[each.key].address}]/localasn"
    class_name = "bgpLocalAsn"
    content = {
      localAsn = each.value.local_as
    }
}

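Ability to set BFD, TTL (eBGP multihop) and password of BGP peer

# Resource labels must be unique per type within a module; the original label
# duplicated the ethpmInst resource further down (bgp_peer_settings is a hypothetical name).
resource "nxos_rest" "bgp_peer_settings" {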
    for_each = local.bgp_neighbor
    dn = "sys/bgp/inst/dom-[${nxos_bgp_address_family.address_family.vrf}]/peer-[${nxos_bgp_peer.peer[each.key].address}]"
    class_name = "bgpPeer"
    content  = {
      passwdType = 0
      password = each.value.password
      ctrl = each.value.bfd
      ttl = each.value.ebgp_multihop 
    }
}

The password seems to be returned in the encrypted state. Is there a way to encrypt the password prior to deploying it, and then in turn deploy it using passwdType 3?

Ability to set passive-interface default and BFD on OSPF instance

resource "nxos_rest" "ospf_ctrl" {
    for_each = local.bgp_neighbor
    dn = "sys/ospf/inst-${var.ospf_name}/dom-${nxos_ospf_vrf.vrf.name}"
    class_name = "ospfDom"
    content = {
      ctrl = 5
    }
}

General security, ability to change the default state of physical ports

resource "nxos_rest" "system_interface_default_shutdown" {
    dn = "sys/ethpm/inst"
    class_name = "ethpmInst"
    content = {
      systemDefaultAdminSt = "down"
    }

}
alxgarder commented 2 months ago

+1

Nije-PCH commented 2 months ago

+1

moskrive commented 1 month ago

As the configuration of a BGP password using an unencrypted password returns the encrypted version of the password, it is required to add the following lifecycle statement to the nxos_bgp_peer resource:

lifecycle { ignore_changes = [ password_type ] }

This instructs Terraform to ignore that the desired value is not identical to the one returned by the Nexus device.
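
A plan-time check for the `nxos_rest` snippets in this thread, added here as an example and not code from the issue or the provider: it reads `terraform show -json` plan output and flags `bgpPeer` objects that carry a password with `passwdType` 0, and `ethpmInst` objects whose `systemDefaultAdminSt` is not "down". The resource addresses, sample values and the port-default policy are assumptions.

```python
import json

# Constructed sample: trimmed `terraform show -json <planfile>` output with
# nxos_rest resources shaped like those in the issue. All values are made up.
def _rc(address, dn, class_name, content):
    return {"address": address, "type": "nxos_rest",
            "change": {"actions": ["create"],
                       "after": {"dn": dn, "class_name": class_name,
                                 "content": content}}}

SAMPLE_PLAN = json.dumps({"resource_changes": [
    _rc('nxos_rest.bgp_peer["a"]', "sys/bgp/inst/dom-[default]/peer-[192.0.2.1]",
        "bgpPeer", {"passwdType": "0", "password": "example-only", "ttl": "2"}),
    _rc('nxos_rest.bgp_peer["b"]', "sys/bgp/inst/dom-[default]/peer-[192.0.2.2]",
        "bgpPeer", {"passwdType": "3", "password": "constructed-encrypted-form"}),
    _rc("nxos_rest.port_default", "sys/ethpm/inst",
        "ethpmInst", {"systemDefaultAdminSt": "up"}),
]})


def audit_plan(plan_json):
    """Return sorted (resource address, finding) pairs for nxos_rest resources."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        after = change.get("after") or {}      # null when the resource is deleted
        if rc.get("type") != "nxos_rest" or not after:
            continue
        content = after.get("content") or {}   # absent when not known until apply
        cls = after.get("class_name")
        # Terraform map values arrive as strings; accept the integer form too.
        if (cls == "bgpPeer" and content.get("password")
                and str(content.get("passwdType")) == "0"):
            findings.append((rc["address"],
                             "BGP password supplied in clear text (passwdType 0)"))
        # Assumed policy: physical ports must default to admin state "down".
        if cls == "ethpmInst" and content.get("systemDefaultAdminSt", "down") != "down":
            findings.append((rc["address"], "systemDefaultAdminSt is not 'down'"))
    return sorted(findings)


if __name__ == "__main__":
    for address, finding in audit_plan(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```
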