Quick Tip: How to Master NSX-ALB (AVI) Resources in Terraform

Using the Terraform AVI Provider can be quite challenging because it requires you to understand complex object definitions. All resources in the AVI Provider are mapped directly to the corresponding Avi Vantage API, which you can find here. The problem is that some objects have a huge number of attributes, and some of them even have a nested depth of 5.

I'll show you a little trick to quickly get the required information to write NSX-ALB / AVI resources.

Four reasons that made working with the AVI Provider challenging

Number of Arguments
A good example is the resource to manage Service Engine Groups: avi_serviceenginegroup. With over 250 arguments that are listed in alphabetical order, it is nearly impossible to define the object just from the documentation (which I usually do when writing resources). On top of that, many arguments only work in conjunction with others or depend on the product version or the Cloud type. The API documentation itself is no less challenging.

Nested Arguments
The documentation of nested arguments is limited in Terraform. Arguments with a depth deeper than one are completely unreadable in the documentation. The AVI provider doesn't even list the content of nested arguments, which you can see in the Avi Cloud Resource: avi_cloud. The full definition is only visible in the API documentation.

Dependent Resources
The configuration workflow for some objects differs from the UI. The NSX-T Cloud configuration for example is one configuration step in the UI but requires two resources in Terraform: avi_cloud and avi_vcenterserver.

Different Names for Options
Names and options in arguments are sometimes completely different from the UI. The "Elastic HA - N+M Buffer" configuration in Service Engine Groups for example is called "HA_MODE_SHARED" and the "VS Placement across SE: Compact" configuration is configured with "algo = PLACEMENT_ALGO_PACKED".

Grab NSX-ALB API Calls with Chrome Dev Tools

The method is not new and works with many modern API-driven web configuration interfaces. With NSX-ALB just using a 1:1 mapping from the API in its Terraform Provider, writing resources is very close to copy-paste.

  1. Open the NSX-ALB web interface in Chrome.
  2. Navigate to the configuration option you want to write the resource for.
  3. Press F12 to open Dev Tools.
  4. In Dev Tools, navigate to "Network".
  5. It should automatically start recording.

While Dev Tools is capturing, just start with the configuration.

Example - Create NSX-T Cloud in NSX-ALB with Terraform

I'm creating "my-cloud" using the NSX-ALB UI while recording with Dev Tools. The moment you press "SAVE", quickly switch to Dev Tools and search for the request. For the NSX-T Cloud, you should find a request named "macrostack". If you can't find the request, just press "CTRL+F" and search for some of the names that you've configured. In the corresponding POST request, copy the Request Payload JSON.

With the JSON you can easily identify how you have to configure the resource in Terraform:


# Credentials used by NSX-ALB to talk to vCenter
resource "avi_cloudconnectoruser" "vcenter" {
  name = var.vsphere_server
  vcenter_credentials {
    username = var.vsphere_user
    password = var.vsphere_password
  }
  lifecycle { ignore_changes = [vcenter_credentials] }
}

# Credentials used by NSX-ALB to talk to NSX Manager
resource "avi_cloudconnectoruser" "nsx" {
  name = var.nsx_manager
  nsxt_credentials {
    username = var.nsx_user
    password = var.nsx_password
  }
  lifecycle { ignore_changes = [nsxt_credentials] }
}

# NSX-T Cloud (first half of the single configuration step in the UI)
resource "avi_cloud" "nsx" {
  name            = var.nsx_manager
  vtype           = "CLOUD_NSXT"
  dhcp_enabled    = true
  obj_name_prefix = split(".", var.nsx_manager)[0]
  nsxt_configuration {
    nsxt_url             = var.nsx_manager
    nsxt_credentials_ref = avi_cloudconnectoruser.nsx.id
    management_network_config {
      transport_zone = data.nsxt_policy_transport_zone.overlay.path
      tz_type        = "OVERLAY"
      overlay_segment {
        tier1_lr_id = nsxt_policy_tier1_gateway.alb.path
        segment_id  = nsxt_policy_segment.alb_se.path
      }
    }
    data_network_config {
      transport_zone = data.nsxt_policy_transport_zone.overlay.path
      tz_type        = "OVERLAY"
      tier1_segment_config {
        segment_config_mode = "TIER1_SEGMENT_MANUAL"
        manual {
          tier1_lrs {
            tier1_lr_id = nsxt_policy_tier1_gateway.dummy.path
            segment_id  = nsxt_policy_segment.dummy.path
          }
        }
      }
    }
  }
}

# vCenter attached to the NSX-T Cloud (second half of the UI step)
resource "avi_vcenterserver" "vcenter" {
  name = var.vsphere_server
  content_lib {
    id = vsphere_content_library.library.id
  }
  vcenter_url             = var.vsphere_server
  vcenter_credentials_ref = avi_cloudconnectoruser.vcenter.id
  cloud_ref               = avi_cloud.nsx.id
}

See GitHub for a working example.

Example - Create Service Engine Group in NSX-ALB with Terraform

The request to look for when creating Service Engine Groups is POST /api/serviceenginegroup.

There is a lot of information in the payload. However, I've just copied the values that I've configured in the GUI.

resource "avi_serviceenginegroup" "sseg_01" {
  name           = "${split(".", var.nsx_manager)[0]}-seg-01"
  se_name_prefix = split(".", var.nsx_manager)[0]
  ha_mode        = "HA_MODE_SHARED"        # (Elastic HA N+M Buffer)
  algo           = "PLACEMENT_ALGO_PACKED" # (VS Placement across SE: Compact)
  max_se         = 10
  max_vs_per_se  = 10
  cloud_ref      = avi_cloud.nsx.id
  vcenters {
    vcenter_ref = avi_vcenterserver.vcenter.id
    nsxt_datastores {
      include = true
      ds_ids  = [data.vsphere_datastore.datastore.id]
    }
    nsxt_clusters {
      include     = true
      cluster_ids = [data.vsphere_compute_cluster.cluster.id]
    }
  }
}

See GitHub for a working example.
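
The copy-paste step from both examples can be scripted. The following is an added example, not code from the original post or from the AVI provider project: it turns a copied Request Payload into a resource skeleton and replaces captured secrets with variable references so they never land in a .tf file. The payloads are constructed samples that reuse field names from the resources above; the `SECRET_KEYS` set, the `var.password` naming and the rule that nested objects become blocks (as in the resources on this page) are assumptions.

```python
import json

# Constructed samples of captured "Request Payload" JSON (values are made up;
# field names are the ones used in the Terraform resources on this page).
CAPTURED_SEG = json.loads("""
{"name": "nsx01-seg-01", "ha_mode": "HA_MODE_SHARED",
 "algo": "PLACEMENT_ALGO_PACKED", "max_se": 10,
 "vcenters": [{"nsxt_clusters": {"include": true,
                                 "cluster_ids": ["domain-c8"]}}]}
""")
CAPTURED_USER = json.loads("""
{"name": "nsx01.example.test",
 "nsxt_credentials": {"username": "admin", "password": "constructed-secret"}}
""")

# Assumption: keys whose captured values must never be written as literals.
SECRET_KEYS = {"password"}


def to_hcl(obj, indent=1):
    """Render a payload dict as Terraform arguments and nested blocks."""
    pad, lines = "  " * indent, []
    for key, value in obj.items():
        if key in SECRET_KEYS:
            # Point at a variable instead of copying the captured secret.
            lines.append(f"{pad}{key} = var.{key}")
        elif isinstance(value, dict):
            lines += [f"{pad}{key} {{", *to_hcl(value, indent + 1), f"{pad}}}"]
        elif isinstance(value, list) and value and all(isinstance(v, dict) for v in value):
            # A list of objects becomes one repeated block per element.
            for item in value:
                lines += [f"{pad}{key} {{", *to_hcl(item, indent + 1), f"{pad}}}"]
        else:
            # json.dumps yields HCL-compatible literals: "str", 10, true, ["a"].
            lines.append(f"{pad}{key} = {json.dumps(value)}")
    return lines


def render(resource_type, label, payload):
    """Wrap the rendered arguments in a resource block."""
    body = "\n".join(to_hcl(payload))
    return f'resource "{resource_type}" "{label}" {{\n{body}\n}}'


if __name__ == "__main__":
    print(render("avi_serviceenginegroup", "captured", CAPTURED_SEG))
    print(render("avi_cloudconnectoruser", "captured", CAPTURED_USER))
```

Captured `*_ref` values and object IDs belong to the controller the request was recorded on; replace them with resource references, as the resources above do.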

1 thought on “Quick Tip: How to Master NSX-ALB (AVI) Resources in Terraform”

  1. Hi Florian,

    love your blog articles and use/mention these always in my VMware classes (I'm a VCI).

    I do have one ALB related question:
    - are you aware of a way to provide custom certificates for virtual servers (for instance: Workload Cluster API access)?


