NetFoundry now provides a dedicated Terraform provider for managing resources within its NetFoundry Cloud v8 platform. The ziti provider is available on the Terraform Registry - it enables our customers to automate the deployment and management of their zero-trust network infrastructure using Infrastructure as Code (IaC) principles.
With this integration, you can define, version, and manage your NetFoundry environments entirely through Terraform — bringing the same reliability and repeatability to network automation that DevOps teams already apply to cloud infrastructure.
Key Features
Automated Network Provisioning: Programmatically create and manage NetFoundry Cloud v8 resources such as networks, identities, edge routers, services, and policies.
Infrastructure as Code (IaC): Maintain consistent, repeatable, and version-controlled configurations for your network.
DevOps Workflow Integration: Seamlessly integrate Terraform plans into pipelines with tools like Jenkins, Ansible, or CloudFormation for full automation.
Getting Started with the NetFoundry Terraform Provider
1. Create an Admin Identity
Before configuring the Terraform provider, you’ll need to set up an admin identity in your NetFoundry Cloud v8 Console. This identity will be used by Terraform to authenticate with the NetFoundry Cloud management APIs and manage your NetFoundry resources.
A. Create the Admin Identity in the Console
In your NetFoundry Cloud v8 Console, create a new identity
- Give the Identity a relevant name (for example, terraform-admin).
- Toggle 'Show more Options' to 'ON'.
- Select the Enrollment Type from the dropdown as UPDB and fill in the UPDB Username of your choice.
- Toggle the 'Is Admin' section to 'YES'.
- Click SAVE.
- Download its enrollment JWT file (terraform-admin.jwt).
B. Enroll the JWT obtained from the console and generate the password
- Use the ziti edge enroll command to enroll your admin JWT:
$ ziti edge enroll terraform-admin.jwt
updb enrollment requires a password, please enter one:
please confirm what you entered:
INFO enrollment successful username=terraform-admin
- When you enroll the identity with ziti edge enroll, you will be prompted to enter the password that Terraform will later use together with the UPDB username.
- Do not forget to save the username and password securely.
2. Identify the Host URL (Management API Endpoint)
Terraform connects to your NetFoundry Network Controller via its management API endpoint.
You can derive the Host URL from the NetFoundry Network Controller domain that you obtain from your NetFoundry v8 console.
- In your NetFoundry v8 console dashboard page, look for 'Managed Components' in the right-side menu.
- Click on 'Managed Components' and then select 'Network Controllers'.
- Under 'Network Controllers', look for the Domain Name of your Controller.
The host URL will look like this:
host = "https://<domain-name>:443/edge/management/v1"
3. Configure the Terraform Provider
To begin using the provider, ensure that the latest Terraform version is installed on your system.
A. How to use ziti provider
To install the ziti provider, copy and paste this code into your Terraform configuration. Then, run terraform init.
Terraform 0.13+
terraform {
  required_providers {
    ziti = {
      source  = "netfoundry/ziti"
      version = "0.0.5"
    }
  }
}

provider "ziti" {
  # Configuration options
}
B. Install the Ziti CLI
The Ziti CLI is required to enroll the identity. You can install it using one of the appropriate binaries depending on your operating system - https://github.com/openziti/ziti/releases
C. Configure Provider Authentication
You can authenticate either by defining credentials directly in the provider block or by using environment variables.
The environment variables ZITI_API_USERNAME, ZITI_API_PASSWORD and ZITI_API_HOST should be set, based on the values obtained from steps 1 and 2.
# Using values inside the provider block
provider "ziti" {
  username = "ziti_username"
  password = "ziti_password"
  host     = "https://<domain>:443/edge/management/v1"
}
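As an added example (not the page's or the provider's own code), the same provider block can be driven from input variables so that the password is never written into the committed configuration and the management URL is checked before the provider uses it. The variable names ziti_username, ziti_password and ziti_host are assumptions; the provider attributes username, password and host are the ones shown above.

```hcl
# Added example: credentials come from input variables, not from literals in
# the provider block. Variable names are assumptions for this illustration.

variable "ziti_username" {
  description = "UPDB username of the admin identity enrolled with 'ziti edge enroll'"
  type        = string
}

variable "ziti_password" {
  description = "Password chosen during UPDB enrollment"
  type        = string
  sensitive   = true # redacted from plan/apply output and CLI logs
}

variable "ziti_host" {
  description = "Management API endpoint of the NetFoundry Network Controller"
  type        = string

  # Reject anything that is not an https management URL of the expected shape,
  # so a typo fails at plan time instead of as an authentication error.
  validation {
    condition     = can(regex("^https://[^/]+:443/edge/management/v1$", var.ziti_host))
    error_message = "ziti_host must look like https://<domain-name>:443/edge/management/v1 (https only)."
  }
}

provider "ziti" {
  username = var.ziti_username
  password = var.ziti_password
  host     = var.ziti_host
}
```

Supply the values through TF_VAR_ziti_username, TF_VAR_ziti_password and TF_VAR_ziti_host in the pipeline rather than a committed .tfvars file. Marking a variable sensitive only redacts it from output; the value is still stored in Terraform state, so the state backend needs the same protection as the password itself.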
4. Manage NetFoundry Cloud v8 Resources
Once your provider is configured, you can begin defining and managing your NetFoundry resources through Terraform configuration files. Apply the configuration with terraform apply.
Example: Add an Identity
resource "ziti_identity" "cslab-v8-sheik" {
  name            = "cslab-v8-sheik"
  role_attributes = ["CS-engineer"]
  is_admin        = false
}
Example: Add a Service
# Declarations for the variables referenced by the configs below
variable "https" {
  default = 443
}

variable "tcp" {
  default = "tcp"
}

# The service references the intercept and host configs by their ids
resource "ziti_service" "Splash" {
  name = "Splash"
  configs = [
    ziti_intercept_v1_config.Splash_Intercept.id,
    ziti_host_v1_config.Splash_Host.id
  ]
  role_attributes = ["splash"]
}

# Host config: where the hosting identity forwards traffic to
resource "ziti_host_v1_config" "Splash_Host" {
  name     = "Splash_Host"
  address  = "splash.tools.netfoundry.io"
  port     = var.https
  protocol = var.tcp
}

# Intercept config: the address and ports clients dial on the overlay
resource "ziti_intercept_v1_config" "Splash_Intercept" {
  name      = "Splash_Intercept"
  addresses = ["demo.splash.netfoundry"]
  port_ranges = [
    {
      low  = var.https
      high = var.https
    }
  ]
  protocols = [var.tcp]
}
5. Ziti Provider Reference: Resources & Data Sources
The Ziti Terraform provider exposes a number of resources (which Terraform can create, update and delete) and corresponding data sources (which allow Terraform to query existing objects).
Support is also provided for OpenTofu — refer to the NetFoundry ziti provider in the OpenTofu registry at https://search.opentofu.org/provider/netfoundry/ziti/latest