What is this article about?

The article documents a hands-on project where Terraform, Vault, and GitLab CI are used to automate the deployment of Cisco ACI resources in a secure and repeatable way as part of CCIE Automation exam preparation.

Why is Terraform well suited for Cisco ACI automation?

Terraform makes it possible to define network infrastructure declaratively, automatically manage dependencies, and track state, enabling predictable and repeatable network changes.

How is GitLab CI used in the solution?

GitLab CI orchestrates Terraform executions in a controlled pipeline with separate plan and deploy stages, allowing changes to be reviewed before they are applied.

What role does Vault play in the architecture?

Vault is used to securely manage credentials and secrets, ensuring sensitive information is not stored in code or configuration files but retrieved dynamically when needed.

What are the benefits of a staged plan/apply pipeline?

This approach improves control, reduces risk, and enables validation of changes before they affect the live network environment.

Sicra helps organizations design and implement secure, scalable network and infrastructure automation solutions based on principles such as Infrastructure as Code, strong access management, and reliable monitoring. Read more about "Network" here > Read more about "Access management – Identity and access management (IAM)" here > Read more about "Zero Trust architecture" here > Read more about "Monitoring, troubleshooting, and logging" here >

Blog

01.10.2025

min read

[My journey to CCIE Automation #6] Automating Cisco ACI Deployments with Terraform, Vault, and GitLab CI

In blog #6 of the CCIE Automation journey, Terraform, Vault, and GitLab CI are used to automate Cisco ACI deployments. By combining infrastructure as code, secure secret management, and pipeline-driven orchestration, a repeatable and stateful approach to network provisioning is implemented.

<span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text" >[My journey to CCIE Automation #6] Automating Cisco ACI Deployments with Terraform, Vault, and GitLab CI</span>

(This article was originally published on Bluetree.no. Following the merger of Sicra and Bluetree, content from Bluetree has now been migrated to Sicra.)

[My journey to CCIE Automation #6] Automating Cisco ACI deployments with Terraform, Vault and GitLab CI is part of a series documenting my CCIE Automation journey. In the previous post, I worked with pipelines for network verification and deployment. In this post, I focus on automating Cisco ACI deployments using Terraform and Vault.

Blog #6

After working with pyATS and CI/CD in blog #5, I wanted to dive deeper into infrastructure as code using Terraform, and integrate it with GitLab CI.

This time I explored Terraform to deploy and manage Cisco ACI fabric resources in a stateful and repeatable way, and integrated Vault to manage secrets in my Nautix app.

Why Terraform?

Terraform allows us to describe infrastructure declaratively. It’s perfect for:

Managing ACI tenants, VRFs, and EPGs as code
Handling dependencies between resources automatically
Tracking state to know exactly what’s deployed
Using loops and variables for repeatable, parameterized deployments
Integrating secrets securely (Vault)

Instead of manually pushing configurations, Terraform lets your code understand and manage the network state.

Why Vault?

Vault provides a secure way to manage secrets and credentials in automation pipelines. In this project, it allows us to:

Store ACI usernames and passwords securely
Provide credentials dynamically to Terraform without hardcoding them
Rotate secrets easily without touching code
Control access to sensitive information per environment or service

Instead of storing credentials in .tfvars or Git, Vault makes sure secrets never leak and automation pipelines can safely access what they need.

The project in this post

I created a Terraform project to deploy ACI resources, integrated into GitLab CI:

Variables (aci.auto.tfvars) – Centralized definitions for tenants, VRFs, application profiles, and endpoint
GitLab CI (.gitlab-ci.yml) – Orchestrates Terraform runs in a pipeline.
Vault-tjeneste – Docker Compose file spins up Vault and other required services locally.

Pipeline flow:

1. The pipeline is triggered by creating a pipeline

With the required JOB_METHOD and environment variables.

image-png-Oct-01-2025-08-16-36-9740-PM

2. Terraform plan stage

Runs automatically if JOB_METHOD is set to "terraform"
Initializes Terraform
Generates a plan file (tfplan) showing what will be created or updated

3. Terraform deploy stage

Runs manually after verifying the plan
Applies the plan and provisions the Cisco ACI infrastructure

This staged approach ensures safe deployments and gives you an opportunity to review changes before they are applied.

Implementation

Here’s the folder structure:

pipelines/jobs/setup_aci/

main.tf – Terraform resources, loops, and dependencies
aci.auto.tfvars – Variables and credentials for ACI deployment

Also updated:

.gitlab-ci.yml – Orchestrates Terraform in CI/CD pipeline
docker-compose.yml – Spins up Vault and other services for local testing

How it works

Let’s break it down step by step.

1. GitLab CI

The .gitlab-ci.yml ties the workflow together and determines which stages run based on the JOB_METHOD variable.

image-png-Oct-01-2025-08-28-17-3758-PM

image-png-Oct-01-2025-08-29-07-9419-PM

Ensure that Terraform is installed in the Gitlab runner.

image-png-Oct-01-2025-08-34-34-6759-PM

The first stage runs automatically (terraform plan) and produces a plan file.

image-png-Oct-01-2025-08-35-49-3622-PM

The deploy stage (terraform apply) runs manually and provisions the ACI resources based on the plan.

2. Terraform

The project consists of main.tf and aci.auto.tfvars.

image-png-Oct-01-2025-08-40-17-8051-PM

Providers: Cisco ACI provider for resource creation and Vault provider for secure credentials.

image-png-Oct-01-2025-08-45-34-1038-PM

Vault integration: Use VAULT_TOKEN environment variable (export TF_VAR_VAULT_TOKEN=root-token) to fetch secrets dynamically.

image-png-Oct-01-2025-08-50-36-9011-PM

Variables:

TENANT_NAME – Name of the ACI tenant ("NAUTIX")
APPLICATIONS – List of applications with names, descriptions, and endpoint groups
VRFS – List of VRFs to create under the tenant (["RED", "BLUE"])

image-png-Oct-01-2025-08-50-53-6109-PM

image-png-Oct-01-2025-08-54-40-3623-PM

Tenant

Creates an ACI tenant with the name "NAUTIX".

Application profiles

Creates one application profile per application in the tenant.
Uses the for_each loop so Terraform dynamically creates profiles for:
- bluetree.no
- upstacked.com

Endpoint groups

Creates EPGs for each application.
Loops through all endpoint_groups from locals.endpoint_groups.
Uses a key combining app_name and epg_name to ensure unique map keys for for_each

VRFs

Creates VRFs for the tenant, one for each name in VRFS.
Converts the list to a set to ensure unique entries.

3. Vault

A new Vault service is added to the Docker Compose file to provide secure credentials to Nautix without exposing them in code.

image-png-Oct-01-2025-09-04-41-0784-PM

Why this matters

Instead of manually configuring ACI:

Deployments are repeatable and version-controlled
Loops and variables make scaling easy
Secrets are protected with Vault
Dependencies between tenants, VRFs, and EPGs are automatically handled
Terraform and GitLab CI now manage infrastructure safely

Nautix architecture

image-png-Sep-18-2025-08-11-55-2259-AM (1)

What's next

In blog #7 I will focus on Model-driven-telemetry:

Blueprint item 3.4 Design a model-driven telemetry solution based on given business and technical requirements by using gNMI dial-in, gRPC dial-out, and NETCONF dial-in

Blueprint item 3.5 Create YANG model-driven telemetry subscriptions
    3.5.a Identify model elements and cadence
    3.5.b On-change or event drive
    3.5.c Optimize frequency
    3.5.d Dial-out subscription
    3.5.e Secure telemetry streams
    3.5.f Confirm data transmission
    3.5.g Identify network issues and make changes

Useful links

Blog series

Need Assistance?

We are happy to have a non-binding conversation.

Explore more