Note: This repository has been archived and new versions are now available on the Terraform registry at https://registry.terraform.io/modules/vmware/avi-alb-deployment-aws/aws/latest or Github at https://github.com/vmware/terraform-aws-avi-alb-deployment-aws. Please use the new repository going forward.
This Terraform module creates and configures an AVI (NSX Advanced Load-Balancer) Controller on AWS
The module is meant to be modular and can create all or none of the prerequiste resources needed for the AVI AWS Deployment including:
- VPC and Subnets for the Controller and SEs (configured with create_networking variable)
- IAM Roles, Policy, and Instance Profile (configured with create_iam variable)
- Security Groups for AVI Controller and SE communication
- AWS EC2 Instance using an official AVI AMI
- High Availability AVI Controller Deployment (configured with controller_ha variable)
During the creation of the Controller instance the following initialization steps are performed:
- Copy Ansible playbook to controller using the assigned public IP
- Run Ansible playbook to configure initial settings and AWS Full Access Cloud
The Ansible playbook can optionally add these configurations:
- Create Avi DNS Profile (configured with configure_dns_profile and dns_service_domain variables)
- Create Avi DNS Virtual Service (configured with configure_dns_vs and dns_vs_settings variables)
- Configure GSLB (configured with configure_gslb, gslb_site_name, gslb_domains, and configure_gslb_additional_sites variables)
This is an example of a controller deployment that leverages an existing VPC (with a cidr_block of 10.154.0.0/16) and 3 subnets. The public key is already created in EC2 and the private key found in the "/home//.ssh/id_rsa" will be used to copy and run the Ansible playbook to configure the Controller.
terraform {
backend "local" {
}
}
module "avi_controller_aws" {
source = "slarimore02/avi-controller-aws/aws"
version = "1.0.x"
region = "us-west-1"
aws_access_key = "<access-key>"
aws_secret_key = "<secret-key>"
create_networking = "false"
create_iam = "false"
avi_version = "20.1.5"
custom_vpc_id = "vpc-<id>"
custom_subnet_ids = ["subnet-<id>","subnet-<id>","subnet-<id>"]
avi_cidr_block = "10.154.0.0/16"
controller_password = "<newpassword>"
key_pair_name = "<key>"
private_key_path = "/home/<user>/.ssh/id_rsa"
name_prefix = "<name>"
custom_tags = { "Role" : "Avi-Controller", "Owner" : "admin", "Department" : "IT", "shutdown_policy" : "noshut" }
}
output "controller_info" {
value = module.avi_controller_aws.controllers
}The example below shows a GSLB deployment with 2 regions utilized.
terraform {
backend "local" {
}
}
module "avi_controller_aws_west2" {
source = "slarimore02/avi-controller-aws/aws"
version = "1.0.x"
region = "us-west-2"
aws_access_key = "<access-key>"
aws_secret_key = "<secret-key>"
create_networking = "false"
create_iam = "false"
controller_ha = true
avi_version = "20.1.6"
custom_vpc_id = "vpc-<id>"
custom_subnet_ids = ["subnet-<id>","subnet-<id>","subnet-<id>"]
avi_cidr_block = "10.154.0.0/16"
controller_password = "<newpassword>"
key_pair_name = "<key>"
private_key_path = "/home/<user>/.ssh/id_rsa"
name_prefix = "<name>"
custom_tags = { "Role" : "Avi-Controller", "Owner" : "admin", "Department" : "IT" }
se_ha_mode = "active/active"
configure_dns_profile = "true"
dns_service_domain = "west1.avidemo.net"
configure_dns_vs = "true"
dns_vs_settings = { allocate_public_ip = "true", subnet_name = "companyname-avi-subnet" }
}
module "avi_controller_aws_east1" {
source = "slarimore02/avi-controller-aws/aws"
version = "1.0.x"
region = "us-east-1"
aws_access_key = "<access-key>"
aws_secret_key = "<secret-key>"
create_networking = "false"
create_iam = "false"
controller_ha = true
avi_version = "20.1.6"
custom_vpc_id = "vpc-<id>"
custom_subnet_ids = ["subnet-<id>","subnet-<id>","subnet-<id>"]
avi_cidr_block = "10.155.0.0/16"
controller_password = "<newpassword>"
key_pair_name = "<key>"
private_key_path = "/home/<user>/.ssh/id_rsa"
name_prefix = "<name>"
custom_tags = { "Role" : "Avi-Controller", "Owner" : "admin", "Department" : "IT", "shutdown_policy" : "noshut" }
se_ha_mode = "active/active"
configure_dns_profile = "true"
dns_service_domain = "east1.avidemo.net"
configure_dns_vs = "true"
dns_vs_settings = { allocate_public_ip = "true", subnet_name = "companyname-avi-subnet" }
configure_gslb = "true"
gslb_site_name = "East1"
gslb_domains = ["gslb.avidemo.net"]
configure_gslb_additional_sites = "true"
additional_gslb_sites = [{name = "West2", ip_address_list = module.avi_controller_aws_west2.controllers[*].private_ip_address, dns_vs_name = "DNS-VS"}]
}
output "east1_controller_info" {
value = module.avi_controller_aws_east1.controllers
}
output "westus2_controller_info" {
value = module.avi_controller_aws_west2.controllers
}The module copies and runs an Ansible play for configuring the initial day 1 Avi config. The plays listed below can be reviewed by connecting to the Avi Controller by SSH. In an HA setup the first controller will have these files.
This play will configure the Avi Cloud, Network, IPAM/DNS profiles, DNS Virtual Service, GSLB depending on the variables used by the module. The initial run of this play will be output into the ansible-playbook.log file which can be reviewed to determine what tasks were ran.
Example run (appropriate variables should be used):
~$ ansible-playbook avi-controller-aws-all-in-one-play.yml -e password=${var.controller_password} -e aws_access_key_id=${var.aws_access_key} -e aws_secret_access_key=${var.aws_secret_key} > ansible-playbook-run.logThis play will disable all Virtual Services and delete all existing Avi service engines. This playbook should be ran before deleting the controller with terraform destroy to clean up the resources created by the Avi Controller.
Example run (appropriate variables should be used):
~$ ansible-playbook avi-cleanup.yml -e password=${var.controller_password}| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| aws | ~> 4.9.0 |
| null | 3.1.1 |
| Name | Version |
|---|---|
| aws | 4.9.0 |
| null | 3.1.1 |
No modules.
| Name | Type |
|---|---|
| aws_ec2_tag.custom_controller_1 | resource |
| aws_ec2_tag.custom_controller_2 | resource |
| aws_ec2_tag.custom_controller_3 | resource |
| aws_iam_instance_profile.avi | resource |
| aws_iam_role.avi | resource |
| aws_iam_role_policy.avi_asg_notification | resource |
| aws_iam_role_policy.avi_autoscaling | resource |
| aws_iam_role_policy.avi_ec2 | resource |
| aws_iam_role_policy.avi_iam | resource |
| aws_iam_role_policy.avi_kms | resource |
| aws_iam_role_policy.avi_r53 | resource |
| aws_iam_role_policy.avi_sns | resource |
| aws_iam_role_policy.avi_sqs | resource |
| aws_instance.avi_controller | resource |
| aws_internet_gateway.avi | resource |
| aws_route.default_route | resource |
| aws_security_group.avi_controller_sg | resource |
| aws_security_group.avi_data_sg | resource |
| aws_security_group.avi_se_mgmt_sg | resource |
| aws_subnet.avi | resource |
| aws_vpc.avi | resource |
| null_resource.ansible_provisioner | resource |
| aws_ami.avi | data source |
| aws_availability_zones.azs | data source |
| aws_subnet.custom | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_gslb_sites | The Names and IP addresses of the GSLB Sites that will be configured. | list(object({ name = string, ip_address_list = list(string), dns_vs_name = string })) |
[ |
no |
| avi_cidr_block | The CIDR that will be used for creating a subnet in the AVI VPC - a /16 should be provided | string |
"10.255.0.0/16" |
no |
| avi_version | The AVI Controller version that will be deployed | string |
n/a | yes |
| aws_access_key | The Access Key that will be used to deploy AWS resources | string |
n/a | yes |
| aws_secret_key | The Secret Key that will be used to deploy AWS resources | string |
n/a | yes |
| boot_disk_size | The boot disk size for the Avi controller | number |
128 |
no |
| configure_cloud | Configure the Avi Cloud via Ansible after controller deployment. If not set to true this must be done manually with the desired config | bool |
"true" |
no |
| configure_dns_profile | Configure Avi DNS Profile for DNS Record Creation for Virtual Services. If set to true the dns_service_domain variable must also be set | bool |
"false" |
no |
| configure_dns_route_53 | Configures Avi Cloud with Route53 DNS Provider. The following variables must be set to false if enabled: configure_dns_profile, configure_dns_vs, configure_gslb | bool |
"false" |
no |
| configure_dns_vs | Create Avi DNS Virtual Service. The configure_dns_profile variable must also be set to true | bool |
"false" |
no |
| configure_gslb | Configure GSLB. The gslb_site_name, gslb_domains, and configure_dns_vs variables must also be set. Optionally the additional_gslb_sites variable can be used to add active GSLB sites | bool |
"false" |
no |
| configure_gslb_additional_sites | Configure Additional GSLB Sites. The additional_gslb_sites, gslb_site_name, gslb_domains, and configure_dns_vs variables must also be set. Optionally the additional_gslb_sites variable can be used to add active GSLB sites | bool |
"false" |
no |
| controller_ha | If true a HA controller cluster is deployed and configured | bool |
"false" |
no |
| controller_password | The password that will be used authenticating with the AVI Controller. This password be a minimum of 8 characters and contain at least one each of uppercase, lowercase, numbers, and special characters | string |
n/a | yes |
| controller_public_address | This variable controls if the Controller has a Public IP Address. When set to false the Ansible provisioner will connect to the private IP of the Controller. | bool |
"false" |
no |
| create_gslb_se_group | Create a SE group for GSLB. This option only applies when configure_gslb is set to true | bool |
"true" |
no |
| create_iam | Create IAM Service Account, Roles, and Role Bindings for Avi GCP Full Access Cloud | bool |
"false" |
no |
| create_networking | This variable controls the VPC and subnet creation for the AVI Controller. When set to false the custom-vpc-name and custom-subnetwork-name must be set. | bool |
"true" |
no |
| custom_subnet_ids | This field can be used to specify a list of existing VPC Subnets for the controller and SEs. The create-networking variable must also be set to false for this network to be used. | list(string) |
null |
no |
| custom_tags | Custom tags added to AWS Resources created by the module | map(string) |
{} |
no |
| custom_vpc_id | This field can be used to specify an existing VPC for the controller and SEs. The create-networking variable must also be set to false for this network to be used. | string |
null |
no |
| dns_search_domain | The optional DNS search domain that will be used by the controller | string |
null |
no |
| dns_servers | The optional DNS servers that will be used for local DNS resolution by the controller. Example ["8.8.4.4", "8.8.8.8"] | list(string) |
null |
no |
| dns_service_domain | The DNS Domain that will be available for Virtual Services. Avi will be the Authorative Nameserver for this domain and NS records may need to be created pointing to the Avi Service Engine addresses. An example is demo.Avi.com | string |
"" |
no |
| dns_vs_settings | Settings for the DNS Virtual Service. The subnet_name must be an existing AWS Subnet. If the allocate_public_ip option is set to true a EIP will be allocated for the VS. The VS IP address will automatically be allocated via the AWS IPAM. Example:{ subnet_name = "subnet-dns", allocate_public_ip = "true" } | object({ subnet_name = string, allocate_public_ip = bool }) |
null |
no |
| email_config | The Email settings that will be used for sending password reset information or for trigged alerts. The default setting will send emails directly from the Avi Controller | object({ smtp_type = string, from_email = string, mail_server_name = string, mail_server_port = string, auth_username = string, auth_password = string }) |
{ |
no |
| gslb_domains | A list of GSLB domains that will be configured | list(string) |
[ |
no |
| gslb_site_name | The name of the GSLB site the deployed Controller(s) will be a member of. | string |
"" |
no |
| instance_type | The EC2 instance type for the Avi Controller | string |
"m5.2xlarge" |
no |
| key_pair_name | The name of the existing EC2 Key pair that will be used to authenticate to the Avi Controller | string |
n/a | yes |
| name_prefix | This prefix is appended to the names of the Controller and SEs | string |
n/a | yes |
| ntp_servers | The NTP Servers that the Avi Controllers will use. The server should be a valid IP address (v4 or v6) or a DNS name. Valid options for type are V4, DNS, or V6 | list(object({ addr = string, type = string })) |
[ |
no |
| private_key_path | The local private key path for the EC2 Key pair used for authenticating to the Avi Controller | string |
n/a | yes |
| region | The Region that the AVI controller and SEs will be deployed to | string |
n/a | yes |
| se_ha_mode | The HA mode of the Service Engine Group. Possible values active/active, n+m, or active/standby | string |
"active/active" |
no |
| Name | Description |
|---|---|
| controller_private_addresses | The Private IP Addresses allocated for the Avi Controller(s) |
| controller_public_addresses | Public IP Addresses for the AVI Controller(s) |
| controllers | The AVI Controller(s) Information |