Deploy a Secure Device Connector to vSphere Using Terraform

Before you begin

This procedure details how you can use the Security Cloud Control SDC Terraform module for vSphere in conjunction with the Security Cloud Control Terraform Provider to deploy an SDC to your vSphere. Ensure you review the following prerequisites before attempting to perform this task procedure:

  • You have vSphere datacenter version 7 and above

  • You have an admin account on the datacenter with permissions to do the following:

    • Create VMs

    • Create folders

    • Create content libraries

    • Upload files to content libraries

  • Terraform knowledge

Procedure

Step 1

Create an API-only user in Security Cloud Control and copy the API token. To know how to create an API-only user, see Create API Only Users.

Step 2

Configure the Security Cloud Control Terraform provider in your Terraform repository by following the instructions in Security Cloud Control Terraform Provider.

Example:

terraform { 
  required_providers { 
    cdo = { 
      source = "CiscoDevNet/cdo" 
      version = "0.7.0" 
    } 
  } 
} 
 
provider "cdo" { 
  base_url = “<the CDO URL you use to access CDO>” 
  api_token = “<the API Token generated in step 1>” 
}

Step 3

Write Terraform code to create a cdo_sdc resource using the Security Cloud Control Terraform provider. See the Terraform registry for Security Cloud Control-sdc resource for more information.

Example:

Resource “cdo_sdc” “my-sdc” { 
  name = “my-sdc-in-vsphere” 
}

The bootstrap_data attribute of this resource is populated with the value of the Security Cloud Control bootstrap data and is provided to the cdo_sdc Terraform module in the next step.

Step 4

Write Terraform code to create the SDC in vSphere using Security Cloud Control_sdc Terraform module.

Example:

data "cdo_tenant" "current" {} 
 
module "vsphere-cdo-sdc" { 
  source               = "CiscoDevNet/cdo-sdc/vsphere" 
  version              = "1.0.0" 
  vsphere_username     = "<replace-with-username-with-admin-privileges>" 
  vsphere_password     = "<super-secure-password>" 
  vsphere_server       = "<replace-with-address-of-vsphere-server>" 
  datacenter           = "<replace-with-datacenter-name>" 
  resource_pool        = "<replace-with-resource-pool-name>" 
  cdo_tenant_name      = data.cdo_tenant.current.human_readable_name 
  datastore            = "<replace-with-name-of-datastore-to-deploy-vm-in>" 
  network              = "<replace-with-name-of-network-to-deploy-vm-in>" 
  host                 = "<replace-with-esxi-host-address>" 
  allow_unverified_ssl = <boolean; set to true if your vsphere server does not have a valid SSL certificate> 
  ip_address           = "<sdc-vm-ip-address; must be in the subnet of the assigned network for the VM>" 
  gateway              = "<replace-with-network-gateway-address>" 
  cdo_user_password    = "<replace-with-password-for-cdo-user-in-sdc-vm>" 
  root_user_password   = "<replace-with-password-for-root-user-in-sdc-vm>" 
  cdo_bootstrap_data   = cdo_sdc.sdc-in-vsphere.bootstrap_data 
}

Note that the VM created has two users—a root user and a user called cdo—and the IP Address of the VM is configured statically. The cdo_bootstrap_data attribute is given the value of the bootstrap_data attribute generated when the cdo_sdc resource is created.

Step 5

Plan and apply your Terraform using terraform plan and terraform apply, as you would normally.

See the Security Cloud Control Automation Repository in the CiscoDevNet for a complete example.

If your SDC stays in the onboarding state, connect to the vSphere VM using remote console, log in as the CDO user, and execute the following command:

sdc host status

Depending on the readout, you may need to manually run:

sdc host configure
Note

The Security Cloud Control Terraform modules are published as Open Source Software under the Apache 2.0 license. You can file issues on GitHub if you require support.