
Separate Data from Code

In order to ease maintenance we separate data (desired state of the network) from code (that applies the data), where one can be updated independently from the other. ‘Network as Code’ enforces a strict separation of data and code, by relying on a community developed data model and codebase, which can then be reused by multiple users, each with their very own specific configuration data.

Taking Cisco ISE as an example, a typical directory structure could look like this:

```sh
$ tree -L 2
.
├── data
│   ├── system.nac.yaml
│   ├── identity_management.nac.yaml
│   ├── network_resources.nac.yaml
│   ├── network_access.nac.yaml
│   └── trust_sec.nac.yaml
└── main.tf
```

The data directory contains the configuration data, while the main.tf file contains the glue that links the data to the code. The code itself (i.e. the Terraform module) is only referenced from main.tf; it is maintained in a central place and published to the public Terraform registry. This allows for a clear separation of concerns and makes it easier to manage the configuration data.

A sample main.tf file could look as simple as this:

```hcl
module "ise" {
  source           = "netascode/nac-ise/ise"
  version          = "0.1.2"
  yaml_directories = ["data/"]
}
```

This main.tf file references the ise module from the public Terraform registry, and specifies the data directory as the source of the configuration data. The yaml_directories argument is a list of directories that contain YAML files with the configuration data. The content of this main.tf file typically does not change and would only be touched if the module version is updated or if the directory structure changes. The data directory, on the other hand, contains the configuration data that is specific to the environment and can be updated independently from the code.
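To make the data side of this split concrete, here is an added example (not code from the Network as Code project or its Terraform module) of how a directory of `*.nac.yaml` files can be consumed: each file contributes a fragment of the desired state, the fragments are deep-merged into one model, and a scalar that two files define with different values is reported as a conflict rather than silently overwritten. The file contents, the `ise:` root key and the merge rules are assumptions made for the illustration; the real module's merge semantics may differ.

```python
"""Merge a directory of *.nac.yaml data files into one desired-state model.

Added illustration of how a yaml_directories-style argument can be consumed.
Every file contributes a fragment, fragments are deep-merged, and a scalar
that is defined twice with different values is reported instead of being
silently overwritten. The fragments below are constructed samples, not data
from any real deployment, and the 'ise' root key is an assumption.
"""
from __future__ import annotations

import os

try:
    import yaml  # PyYAML; optional, only needed by load_directory()
except ImportError:  # pragma: no cover
    yaml = None


class MergeConflict(ValueError):
    """Two data files define the same scalar with different values."""


def deep_merge(base: dict, overlay: dict, path: str = "") -> dict:
    """Recursively merge overlay into a copy of base.

    Mappings are merged key by key, lists are concatenated, and a scalar
    present in both inputs must be identical or MergeConflict is raised.
    """
    result = dict(base)
    for key, value in overlay.items():
        here = f"{path}.{key}" if path else str(key)
        if key not in result:
            result[key] = value
        elif isinstance(result[key], dict) and isinstance(value, dict):
            result[key] = deep_merge(result[key], value, here)
        elif isinstance(result[key], list) and isinstance(value, list):
            result[key] = result[key] + value
        elif result[key] == value:
            pass  # identical scalar in both files: harmless duplication
        else:
            raise MergeConflict(f"{here}: {result[key]!r} vs {value!r}")
    return result


def merge_documents(documents: list[dict]) -> dict:
    """Fold a list of parsed YAML documents into one model."""
    merged: dict = {}
    for doc in documents:
        merged = deep_merge(merged, doc or {})
    return merged


def load_directory(directory: str) -> dict:
    """Load and merge every *.nac.yaml file in a directory (needs PyYAML).

    Files are read in sorted order so the result is deterministic; because
    conflicting scalars raise, the order only affects list element order.
    """
    if yaml is None:
        raise RuntimeError("PyYAML is required to read YAML files")
    docs = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".nac.yaml"):
            with open(os.path.join(directory, name), encoding="utf-8") as fh:
                docs.append(yaml.safe_load(fh))
    return merge_documents(docs)


# Constructed sample fragments, shaped like the files in the tree above.
SYSTEM_FRAGMENT = {"ise": {"system": {"hostname": "ise-lab"}}}
IDENTITY_FRAGMENT = {"ise": {"identity_management": {"users": [{"name": "alice"}]}}}
NETWORK_FRAGMENT = {
    "ise": {
        "identity_management": {"users": [{"name": "bob"}]},
        "network_resources": {"devices": [{"name": "sw1"}]},
    }
}
# Redefines hostname with a different value: must be rejected, not overwritten.
CONFLICTING_FRAGMENT = {"ise": {"system": {"hostname": "ise-prod"}}}


if __name__ == "__main__":
    model = merge_documents([SYSTEM_FRAGMENT, IDENTITY_FRAGMENT, NETWORK_FRAGMENT])
    print(model)
    try:
        merge_documents([model, CONFLICTING_FRAGMENT])
    except MergeConflict as exc:
        print("conflict:", exc)
```

Running the merge as a pre-apply check is cheap and catches the failure mode that matters in practice: two people editing separate data files and unknowingly disagreeing on the same setting.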