Add ability to select monitoring policies

aci_access_policies.tf

@@ -133,6 +133,7 @@ module "aci_access_leaf_switch_policy_group" {
   forwarding_scale_policy = try("${each.value.forwarding_scale_policy}${local.defaults.apic.access_policies.switch_policies.forwarding_scale_policies.name_suffix}", "")
   bfd_ipv4_policy         = try("${each.value.bfd_ipv4_policy}${local.defaults.apic.access_policies.switch_policies.bfd_ipv4_policies.name_suffix}", "")
   bfd_ipv6_policy         = try("${each.value.bfd_ipv6_policy}${local.defaults.apic.access_policies.switch_policies.bfd_ipv6_policies.name_suffix}", "")
+  monitoring_policy       = try("${each.value.monitoring_policy}${local.defaults.apic.access_policies.switch_policies.monitoring_policies.name_suffix}", "")
 
   depends_on = [
     module.aci_forwarding_scale_policy,
@@ -401,7 +402,8 @@ module "aci_access_leaf_interface_policy_group" {
     name           = "${monitor.name}${local.defaults.apic.access_policies.interface_policies.netflow_monitors.name_suffix}"
     ip_filter_type = try(monitor.ip_filter_type, local.defaults.apic.access_policies.leaf_interface_policy_groups.netflow_monitor_policies.ip_filter_type)
   }]
-  aaep = try("${each.value.aaep}${local.defaults.apic.access_policies.aaeps.name_suffix}", "")
+  aaep              = try("${each.value.aaep}${local.defaults.apic.access_policies.aaeps.name_suffix}", "")
+  monitoring_policy = try("${each.value.monitoring_policy}${local.defaults.apic.access_policies.interface_policies.monitoring_policies.name_suffix}", "")
 
   depends_on = [
     module.aci_link_level_policy,

aci_fabric_policies.tf

@@ -321,6 +321,7 @@ module "aci_fabric_leaf_switch_policy_group" {
   name                = "${each.value.name}${local.defaults.apic.fabric_policies.leaf_switch_policy_groups.name_suffix}"
   psu_policy          = try("${each.value.psu_policy}${local.defaults.apic.fabric_policies.switch_policies.psu_policies.name_suffix}", "")
   node_control_policy = try("${each.value.node_control_policy}${local.defaults.apic.fabric_policies.switch_policies.node_control_policies.name_suffix}", "")
+  monitoring_policy   = try("${each.value.monitoring_policy}${local.defaults.apic.fabric_policies.switch_policies.monitoring_policies.name_suffix}", "")
 
   depends_on = [
     module.aci_psu_policy,
@@ -335,6 +336,7 @@ module "aci_fabric_spine_switch_policy_group" {
   name                = "${each.value.name}${local.defaults.apic.fabric_policies.spine_switch_policy_groups.name_suffix}"
   psu_policy          = try("${each.value.psu_policy}${local.defaults.apic.fabric_policies.switch_policies.psu_policies.name_suffix}", "")
   node_control_policy = try("${each.value.node_control_policy}${local.defaults.apic.fabric_policies.switch_policies.node_control_policies.name_suffix}", "")
+  monitoring_policy   = try("${each.value.monitoring_policy}${local.defaults.apic.fabric_policies.switch_policies.monitoring_policies.name_suffix}", "")
 
   depends_on = [
     module.aci_psu_policy,
@@ -560,6 +562,7 @@ module "aci_vmware_vmm_domain" {
     statistics        = try(vc.statistics, local.defaults.apic.fabric_policies.vmware_vmm_domains.vcenters.statistics)
     mgmt_epg_type     = try(vc.mgmt_epg, local.defaults.apic.fabric_policies.vmware_vmm_domains.vcenters.mgmt_epg)
     mgmt_epg_name     = try(vc.mgmt_epg, local.defaults.apic.fabric_policies.vmware_vmm_domains.vcenters.mgmt_epg) == "oob" ? try(local.node_policies.oob_endpoint_group, local.defaults.apic.node_policies.oob_endpoint_group) : try(local.node_policies.inb_endpoint_group, local.defaults.apic.node_policies.inb_endpoint_group)
+    monitoring_policy = try("${vc.monitoring_policy}${local.defaults.apic.fabric_policies.vmware_vmm_domains.monitoring_policies.name_suffix}", "")
   }]
   vswitch_enhanced_lags = [for vel in try(each.value.vswitch.enhanced_lags, []) : {
     name      = "${vel.name}${local.defaults.apic.fabric_policies.vmware_vmm_domains.vswitch.enhanced_lags.name_suffix}"

aci_tenants.tf

@@ -1,12 +1,13 @@
 module "aci_tenant" {
   source = "./modules/terraform-aci-tenant"
 
-  for_each         = { for tenant in local.tenants : tenant.name => tenant if try(tenant.managed, local.defaults.apic.tenants.managed, true) && local.modules.aci_tenant && var.manage_tenants }
-  name             = each.value.name
-  annotation       = try(each.value.ndo_managed, local.defaults.apic.tenants.ndo_managed) ? "orchestrator:msc" : null
-  alias            = try(each.value.alias, "")
-  description      = try(each.value.description, "")
-  security_domains = try(each.value.security_domains, [])
+  for_each          = { for tenant in local.tenants : tenant.name => tenant if try(tenant.managed, local.defaults.apic.tenants.managed, true) && local.modules.aci_tenant && var.manage_tenants }
+  name              = each.value.name
+  annotation        = try(each.value.ndo_managed, local.defaults.apic.tenants.ndo_managed) ? "orchestrator:msc" : null
+  alias             = try(each.value.alias, "")
+  description       = try(each.value.description, "")
+  security_domains  = try(each.value.security_domains, [])
+  monitoring_policy = try("${each.value.monitoring_policy}${local.defaults.apic.tenants.monitoring_policies.name_suffix}", "")
 }
 
 locals {
@@ -27,6 +28,7 @@ locals {
         contract_imported_consumers             = try([for contract in vrf.contracts.imported_consumers : "${contract}${local.defaults.apic.tenants.imported_contracts.name_suffix}"], [])
         preferred_group                         = try(vrf.preferred_group, local.defaults.apic.tenants.vrfs.preferred_group)
         transit_route_tag_policy                = try(vrf.transit_route_tag_policy, null) != null ? "${vrf.transit_route_tag_policy}${local.defaults.apic.tenants.policies.route_tag_policies.name_suffix}" : ""
+        monitoring_policy                       = try("${vrf.monitoring_policy}${local.defaults.apic.tenants.vrfs.monitoring_policies.name_suffix}", "")
         ospf_timer_policy                       = try("${vrf.ospf.timer_policy}${local.defaults.apic.tenants.policies.ospf_timer_policies.name_suffix}", "")
         ospf_ipv4_address_family_context_policy = try("${vrf.ospf.ipv4_address_family_context_policy}${local.defaults.apic.tenants.policies.ospf_timer_policies.name_suffix}", "")
         ospf_ipv6_address_family_context_policy = try("${vrf.ospf.ipv6_address_family_context_policy}${local.defaults.apic.tenants.policies.ospf_timer_policies.name_suffix}", "")
@@ -116,6 +118,7 @@ module "aci_vrf" {
   contract_imported_consumers              = each.value.contract_imported_consumers
   preferred_group                          = each.value.preferred_group
   transit_route_tag_policy                 = each.value.transit_route_tag_policy
+  monitoring_policy                        = each.value.monitoring_policy
   ospf_timer_policy                        = each.value.ospf_timer_policy
   ospf_ipv4_address_family_context_policy  = each.value.ospf_ipv4_address_family_context_policy
   ospf_ipv6_address_family_context_policy  = each.value.ospf_ipv6_address_family_context_policy
@@ -191,6 +194,7 @@ locals {
         igmp_interface_policy      = try("${bd.igmp_interface_policy}${local.defaults.apic.tenants.policies.igmp_interface_policies.name_suffix}", "")
         igmp_snooping_policy       = try("${bd.igmp_snooping_policy}${local.defaults.apic.tenants.policies.igmp_snooping_policies.name_suffix}", "")
         nd_interface_policy        = try("${bd.nd_interface_policy}${local.defaults.apic.tenants.policies.nd_interface_policies.name_suffix}", "")
+        monitoring_policy          = try("${bd.monitoring_policy}${local.defaults.apic.tenants.bridge_domains.monitoring_policies.name_suffix}", "")
         subnets = [for subnet in try(bd.subnets, []) : {
           ip                    = subnet.ip
           description           = try(subnet.description, "")
@@ -247,6 +251,7 @@ module "aci_bridge_domain" {
   subnets                    = each.value.subnets
   l3outs                     = each.value.l3outs
   dhcp_labels                = each.value.dhcp_labels
+  monitoring_policy          = each.value.monitoring_policy
 
   depends_on = [
     module.aci_tenant,
@@ -261,12 +266,13 @@ locals {
   application_profiles = flatten([
     for tenant in local.tenants : [
       for ap in try(tenant.application_profiles, []) : {
-        key         = format("%s/%s", tenant.name, ap.name)
-        tenant      = tenant.name
-        name        = "${ap.name}${local.defaults.apic.tenants.application_profiles.name_suffix}"
-        annotation  = try(ap.ndo_managed, local.defaults.apic.tenants.application_profiles.ndo_managed) ? "orchestrator:msc-shadow:no" : null
-        alias       = try(ap.alias, "")
-        description = try(ap.description, "")
+        key               = format("%s/%s", tenant.name, ap.name)
+        tenant            = tenant.name
+        name              = "${ap.name}${local.defaults.apic.tenants.application_profiles.name_suffix}"
+        annotation        = try(ap.ndo_managed, local.defaults.apic.tenants.application_profiles.ndo_managed) ? "orchestrator:msc-shadow:no" : null
+        alias             = try(ap.alias, "")
+        description       = try(ap.description, "")
+        monitoring_policy = try("${ap.monitoring_policy}${local.defaults.apic.tenants.application_profiles.monitoring_policies.name_suffix}", "")
       } if try(ap.managed, local.defaults.apic.tenants.application_profiles.managed, true)
     ]
   ])
@@ -275,12 +281,13 @@ locals {
 module "aci_application_profile" {
   source = "./modules/terraform-aci-application-profile"
 
-  for_each    = { for ap in local.application_profiles : ap.key => ap if local.modules.aci_application_profile && var.manage_tenants }
-  tenant      = each.value.tenant
-  name        = each.value.name
-  annotation  = each.value.annotation
-  alias       = each.value.alias
-  description = each.value.description
+  for_each          = { for ap in local.application_profiles : ap.key => ap if local.modules.aci_application_profile && var.manage_tenants }
+  tenant            = each.value.tenant
+  name              = each.value.name
+  annotation        = each.value.annotation
+  alias             = each.value.alias
+  description       = each.value.description
+  monitoring_policy = each.value.monitoring_policy
 
   depends_on = [
     module.aci_tenant
@@ -314,6 +321,7 @@ locals {
           contract_imported_consumers = try([for contract in epg.contracts.imported_consumers : "${contract}${local.defaults.apic.tenants.imported_contracts.name_suffix}"], [])
           contract_intra_epgs         = try([for contract in epg.contracts.intra_epgs : "${contract}${local.defaults.apic.tenants.contracts.name_suffix}"], [])
           physical_domains            = try([for domain in epg.physical_domains : "${domain}${local.defaults.apic.access_policies.physical_domains.name_suffix}"], [])
+          monitoring_policy           = try("${epg.monitoring_policy}${local.defaults.apic.tenants.application_profiles.endpoint_groups.monitoring_policies.name_suffix}", "")
           contract_masters = [for master in try(epg.contracts.masters, []) : {
             endpoint_group      = master.endpoint_group
             application_profile = try(master.application_profile, "${ap.name}${local.defaults.apic.tenants.application_profiles.name_suffix}")
@@ -447,6 +455,7 @@ module "aci_endpoint_group" {
   physical_domains            = each.value.physical_domains
   subnets                     = each.value.subnets
   vmware_vmm_domains          = each.value.vmware_vmm_domains
+  monitoring_policy           = each.value.monitoring_policy
   static_ports = [for sp in try(each.value.static_ports, []) : {
     description          = sp.description
     node_id              = sp.node_id
@@ -527,6 +536,7 @@ locals {
           contract_intra_epgs         = try([for contract in useg_epg.contracts.intra_epgs : "${contract}${local.defaults.apic.tenants.contracts.name_suffix}"], [])
           physical_domains            = try([for domain in useg_epg.physical_domains : "${domain}${local.defaults.apic.access_policies.physical_domains.name_suffix}"], [])
           useg_attributes_match_type  = try(useg_epg.useg_attributes.match_type, local.defaults.apic.tenants.application_profiles.useg_endpoint_groups.useg_attributes.match_type)
+          monitoring_policy           = try("${useg_epg.monitoring_policy}${local.defaults.apic.tenants.application_profiles.useg_endpoint_groups.monitoring_policies.name_suffix}", "")
           contract_masters = [for master in try(useg_epg.contracts.masters, []) : {
             endpoint_group      = master.endpoint_group
             application_profile = try(master.application_profile, "${ap.name}${local.defaults.apic.tenants.application_profiles.name_suffix}")
@@ -616,6 +626,7 @@ module "aci_useg_endpoint_group" {
   mac_statements              = each.value.useg_attributes_mac_statements
   subnets                     = each.value.subnets
   vmware_vmm_domains          = each.value.vmware_vmm_domains
+  monitoring_policy           = each.value.monitoring_policy
   static_leafs = [for sl in try(each.value.static_leafs, []) : {
     pod_id  = sl.pod_id == null ? try([for node in try(local.node_policies.nodes, []) : node.pod if node.id == sl.node_id][0], local.defaults.apic.node_policies.nodes.pod) : sl.pod_id
     node_id = sl.node_id

defaults/defaults.yaml

@@ -167,6 +167,8 @@ defaults:
           dom: true
         psu_policies:
           name_suffix: ""
+        monitoring_policies:
+          name_suffix: ""
       leaf_switch_policy_groups:
         name_suffix: ""
       spine_switch_policy_groups:
@@ -230,6 +232,8 @@ defaults:
           mgmt_epg: inb
           dvs_version: unmanaged
           statistics: false
+        monitoring_policies:
+          name_suffix: ""
       aaa:
         remote_user_login_policy: no-login
         default_fallback_check: false
@@ -468,6 +472,8 @@ defaults:
           slow_timer_interval: 2000
           echo_receive_interval: 50
           echo_frame_source_address: 0.0.0.0
+        monitoring_policies:
+          name_suffix: ""
       spine_switch_policy_groups:
         name_suffix: ""
       leaf_switch_policy_groups:
@@ -549,6 +555,8 @@ defaults:
           name_suffix: ""
         netflow_records:
           name_suffix: ""
+        monitoring_policies:
+          name_suffix: ""
       leaf_interface_policy_groups:
         name_suffix: ""
         map: none
@@ -760,6 +768,8 @@ defaults:
     tenants:
       managed: true
       ndo_managed: false
+      monitoring_policies:
+        name_suffix: ""
       vrfs:
         name_suffix: ""
         ndo_managed: false
@@ -782,6 +792,8 @@ defaults:
           asm_traffic_registry_max_rate: 65535
           asm_traffic_registry_source_ip: "0.0.0.0"
         preferred_group: false
+        monitoring_policies:
+          name_suffix: ""
       bridge_domains:
         name_suffix: ""
         ndo_managed: false
@@ -808,6 +820,8 @@ defaults:
           igmp_querier: false
           nd_ra_prefix: true
           no_default_gateway: false
+        monitoring_policies:
+          name_suffix: ""
       l3outs:
         name_suffix: ""
         ndo_managed: false
@@ -1009,6 +1023,8 @@ defaults:
         name_suffix: ""
         ndo_managed: false
         managed: true
+        monitoring_policies:
+          name_suffix: ""
         endpoint_groups:
           name_suffix: ""
           ndo_managed: false
@@ -1055,6 +1071,8 @@ defaults:
               name_suffix: ""
               start_ip: 0.0.0.0
               end_ip: 0.0.0.0
+          monitoring_policies:
+            name_suffix: ""
         useg_endpoint_groups:
           name_suffix: ""
           flood_in_encap: false
@@ -1083,6 +1101,8 @@ defaults:
               name_suffix: ""
               start_ip: 0.0.0.0
               end_ip: 0.0.0.0
+          monitoring_policies:
+            name_suffix: ""
         endpoint_security_groups:
           name_suffix: ""
           shutdown: false

modules/terraform-aci-access-leaf-interface-policy-group/README.md

@@ -26,6 +26,7 @@ module "aci_access_leaf_interface_policy_group" {
   port_channel_policy        = "LACP"
   port_channel_member_policy = "FAST"
   aaep                       = "AAEP1"
+  monitoring_policy          = "MON1"
 }
 ```
 
@@ -61,6 +62,7 @@ module "aci_access_leaf_interface_policy_group" {
 | <a name="input_port_channel_member_policy"></a> [port\_channel\_member\_policy](#input\_port\_channel\_member\_policy) | Port channel member policy name. | `string` | `""` | no |
 | <a name="input_aaep"></a> [aaep](#input\_aaep) | Attachable access entity profile name. | `string` | `""` | no |
 | <a name="input_netflow_monitor_policies"></a> [netflow\_monitor\_policies](#input\_netflow\_monitor\_policies) | List of Netflow Monitor policies. Choices `ip_filter_type`: `ipv4, `ipv6`, `ce`, `unspecified`.` | <pre>list(object({<br>    name           = string<br>    ip_filter_type = optional(string, "ipv4")<br>  }))</pre> | `[]` | no |
+| <a name="input_monitoring_policy"></a> [monitoring\_policy](#input\_monitoring\_policy) | Leaf interface monitoring policy name. | `string` | n/a | yes |
 
 ## Outputs
 
@@ -83,6 +85,7 @@ module "aci_access_leaf_interface_policy_group" {
 | [aci_rest_managed.infraRsLacpPol](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
 | [aci_rest_managed.infraRsLldpIfPol](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
 | [aci_rest_managed.infraRsMcpIfPol](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
+| [aci_rest_managed.infraRsMonIfInfraPol](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
 | [aci_rest_managed.infraRsNetflowMonitorPol](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
 | [aci_rest_managed.infraRsStormctrlIfPol](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
 | [aci_rest_managed.infraRsStpIfPol](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |

modules/terraform-aci-access-leaf-interface-policy-group/examples/complete/README.md

@@ -29,6 +29,7 @@ module "aci_access_leaf_interface_policy_group" {
   port_channel_policy        = "LACP"
   port_channel_member_policy = "FAST"
   aaep                       = "AAEP1"
+  monitoring_policy          = "MON1"
 }
 ```
 <!-- END_TF_DOCS -->

modules/terraform-aci-access-leaf-interface-policy-group/examples/complete/main.tf

@@ -15,4 +15,5 @@ module "aci_access_leaf_interface_policy_group" {
   port_channel_policy        = "LACP"
   port_channel_member_policy = "FAST"
   aaep                       = "AAEP1"
+  monitoring_policy          = "MON1"
 }

modules/terraform-aci-access-leaf-interface-policy-group/main.tf

@@ -117,3 +117,12 @@ resource "aci_rest_managed" "infraRsNetflowMonitorPol" {
     tnNetflowMonitorPolName = each.value.name
   }
 }
+
+resource "aci_rest_managed" "infraRsMonIfInfraPol" {
+  count      = (var.type == "access" || var.type == "vpc" || var.type == "pc") && var.monitoring_policy != "" ? 1 : 0
+  dn         = "${aci_rest_managed.infraAccGrp.dn}/rsmonIfInfraPol"
+  class_name = "infraRsMonIfInfraPol"
+  content = {
+    tnMonInfraPolName = var.monitoring_policy
+  }
+}

modules/terraform-aci-access-leaf-interface-policy-group/variables.tf

@@ -165,4 +165,14 @@ variable "netflow_monitor_policies" {
     ])
     error_message = "`ip_filter_type`: Allowed values: `ipv4, `ipv6`, `ce`, `unspecified`"
   }
+}
+
+variable "monitoring_policy" {
+  description = "Leaf interface monitoring policy name."
+  type        = string
+
+  validation {
+    condition     = can(regex("^[a-zA-Z0-9_.:-]{0,64}$", var.monitoring_policy))
+    error_message = "Allowed characters: `a`-`z`, `A`-`Z`, `0`-`9`, `_`, `.`, `-`, `:`. Maximum characters: 64."
+  }
 }