I wasn't sure where to open this discussion, but this one seems appropriate. We have been preparing to deploy Cisco infrastructure (WLC, ISE) in AWS with Terraform for the last few months and are now getting close to production, so we need to decide which approach to take. Our initial idea was to deploy instances that would use Marketplace images as the base image and then load a user data script at boot, which would configure the instance with the right commands every time it is destroyed and rebuilt. We are also using Auto Scaling groups, which have health checks and rebuild the instance every time something is wrong with it. It sounded great at the beginning, but as time passed we kept hitting obstacles. For a start, we had an issue with passing through day-0 config via Terraform-run CLI commands, and later any command that has some kind of extra prompt required that we reinvent the wheel to apply it. Also, every time the instance got destroyed we had to reapply the license again. So we steered towards having some "basic" config clicked through initially, made a custom AWS AMI (image), then used that one as the base and side-loaded the rest of the config. This is working mostly fine so far with WLC.
ISE, on the other hand, doesn't have classic CLI config commands, so we managed to keep Terraform only for basic config and bringing up the instance. We tested some Ansible for initial config and it's OK, but we would like to keep this simple and robust and not include another automation tool if not needed. Also there is the question of licensing: currently we are still in evaluation, so we can rebuild the instance as much as we want. But what happens when you have it in production? Is the "automation" part even considered by Cisco in this regard, or is there a lengthy procedure of revoking/reapplying the license manually every time you do this? Or upgrading firmware on those: you cannot just upload a firmware file and make a new base image; you have to subscribe to another version of the appliance, repeat the whole initial config, add the license and then maybe restore a backup or configure with an Ansible playbook. Generally speaking, what approach is recommended for long-term stability of this kind of system in production? Also, we have a physical DNA appliance which we want to integrate with both WLC and ISE, but if we add those to the DNA, every time the instance is refreshed you lose everything and need to add them again.
I'm really not sure what I want to ask. Maybe, if someone has deployed some of these with Terraform/Ansible, what kind of deployment is it, and how are you handling VM manipulation, firmware upgrades, licenses, etc. after those kinds of actions? How do you keep HA and perfect uptime on one side but profit from automation on the other? Right now it seems that the technology is far from mature and the time invested in making it work is exponentially higher than the gain from automation?