Terraform Integration
Terraform is an open-source infrastructure-as-code software tool developed by HashiCorp. Users define and provide data center infrastructure using a declarative configuration language known as HashiCorp Configuration Language (HCL), or optionally using JSON. Terraform allows users to create, manage, and provision infrastructure resources across a wide range of cloud providers and services, such as AWS, Azure, and Google platforms.
The Versa provider plugin for Terraform, terraform-provider-versa, makes a collection of related resources available. It is responsible for API interactions with the Versa orchestration services provided by Versa Director and Concerto. By exposing resources based on the API, Versa Terraform provides programmatic control over the entire VOS ecosystem from campus to cloud. The terraform-provider-versa plugin manages logic for creating, reading, updating, and deleting (CRUD) all Versa resources. Using the terraform-provider-versa plugin, Terraform can handle the entire lifecycle and state management.
Versa exposes declarative modules to accomplish different tasks, including the following:
- Creation of a basic (master) profile, workflow templates, and service templates
- Creation of predefined and custom objects, including address, address groups, applications, URL categories, ATP (sandboxing), vulnerability, IP-filtering profile, IP reputations, antivirus profiles, file-filtering profiles, CASB applications, proxy applications, DNS filters, and EIP objects
- Lifecycle management and operations—Upgrades, OSS pack updates, security package updates, real-time updates, patching, and alarm notification
- Managing role-based access control, appliance user management, and custom permissions
Terraform Integration for SASE Policy Automation
Versa Networks continues to deliver innovation in Secure Access Service Edge (SASE) and cloud-managed network security. As enterprise customers increasingly adopt Infrastructure-as-Code (IaC) for operational agility, Versa has developed robust Terraform support to enable seamless integration of security policy automation within DevOps workflows.
Key Capabilities and Support Covered In This Document
Versa’s Terraform-based automation framework empowers customers and partners to programmatically interact with the Versa Concerto SASE platform using a declarative approach. The current implementation supports key lifecycle tasks essential to enterprise policy deployment, including:
- Dynamic Token-Based Authentication
  Versa’s Terraform module initiates a secure API session using credential-based OAuth2 authentication. The access token is dynamically retrieved and passed through subsequent steps, ensuring secure and streamlined authentication without manual intervention.
- Version Control Retrieval
  After successful authentication, the Terraform workflow queries the versionControl object associated with policy definitions. This ensures that all configuration changes are validated and deployed against the latest committed version, aligning with enterprise-grade configuration management best practices.
- Policy Insertion via API
  Leveraging Terraform’s extensibility and the power of the Versa Concerto API, the module supports direct insertion of real-time internet protection rules. This enables precise, automated deployment of security policies such as rule creation, zone matching, and action specification (e.g., “Allow”), complete with version control metadata.
- Declarative, Auditable Infrastructure Changes
  The integration supports execution via standard Terraform commands, such as terraform apply --auto-approve, allowing for CI/CD integration, auditability, and repeatability of network security changes within a controlled environment.
Use Case and Benefits
This Terraform integration is ideal for customers seeking:
- Policy as Code: Define, review, and apply security rules through code for better compliance and peer collaboration.
- DevSecOps Automation: Integrate policy deployment within automated pipelines for secure application delivery.
- Multi-Tenant Management: Manage policies across tenants and zones programmatically, at scale.
- Operational Efficiency: Reduce manual configuration errors, accelerate change cycles, and align with modern IT practices.
Sample Terraform Policy and Execution
admin@devops$ cat main.tf
variable "output_file" {
  description = "Output JSON filename"
  type        = string
  default     = "access_token.json"
}

variable "api_url_auth" {
  description = "API URL endpoint token generation, e.g. https://x.x.x.x/portalapi/v1/auth/token"
  type        = string
  default     = "https://concerto.versa-poc.com/portalapi/v1/auth/token"
}

variable "api_url" {
  description = "API URL endpoint for rule change, e.g. https://x.x.x.x/portalapi/v1/tenants/<tenant-uuid>/sase/real-time/internet-protection"
  type        = string
  default     = "https://concerto.versa-poc.com/portalapi/v1/tenants/397561cd-6f76-4c89-b684-dacedbbf36a9/sase/real-time/internet-protection"
}

variable "rule_id" {
  description = "rule-name, e.g. FW-Rule-100-Corp"
  type        = string
}

variable "username" {
  description = "admin username"
  type        = string
  default     = "demo-user"
}

variable "password" {
  description = "admin password, e.g. versa123"
  type        = string
  default     = "V@r5@!23"
  sensitive   = true
}

variable "client_id" {
  description = "client_id, e.g. Concerto"
  type        = string
  default     = "voae_rest"
}

variable "client_secret" {
  description = "client_secret, e.g. Concert123@"
  type        = string
  sensitive   = true
  default     = "V@r5@!23"
}

# Request an OAuth2 access token and save the JSON response to var.output_file.
resource "null_resource" "http_post" {
  triggers = {
    always_run = timestamp()
  }
  provisioner "local-exec" {
    command = <<-EOT
      set -x
      curl -X POST '${var.api_url_auth}' \
        -H 'accept: application/json, text/plain, */*' \
        -H 'content-type: application/x-www-form-urlencoded' \
        --data-raw 'grant_type=password&username=${var.username}&password=${var.password}&client_id=${var.client_id}&client_secret=${var.client_secret}' \
        -o ${var.output_file} 2>curl_error_token_gen.log
    EOT
  }
}

# Read the token response back from disk once the request has run.
data "local_file" "response" {
  filename   = "${var.output_file}"
  depends_on = [null_resource.http_post]
}

locals {
  token_data = jsondecode(data.local_file.response.content)
}

output "access_token" {
  value = local.token_data.access_token
}

####################### get version control number #################################
resource "null_resource" "version_control" {
  triggers = {
    always_run = timestamp()
  }
  provisioner "local-exec" {
    interpreter = ["/bin/bash", "-c"]
    command     = <<-EOT
      set +x
      set +e
      curl -X GET '${var.api_url_auth}/summarize?nextWindowNumber=0&windowSize=10' \
        -H 'Authorization: Bearer ${local.token_data.access_token}' \
        -H 'accept: application/json' \
        -o version_control.json 2>curl_error_version_control.log
    EOT
  }
}

data "local_file" "version" {
  filename   = "version_control.json"
  depends_on = [null_resource.version_control]
}

locals {
  version_control = jsondecode(data.local_file.version.content)
}

output "version_control" {
  value = local.version_control.versionControl
}

########################################################
# Insert the internet protection rule, tagged with the retrieved versionControl value.
resource "null_resource" "second_request" {
  triggers = {
    always_run = timestamp()
  }
  #depends_on = [data.local_file.token_response]
  provisioner "local-exec" {
    interpreter = ["/bin/bash", "-c"]
    command     = <<-EOT
      curl -vvv -X POST '${var.api_url}' \
        -H 'Authorization: Bearer ${local.token_data.access_token}' \
        -H 'accept: application/json' \
        -H 'content-type: application/json' \
        --data-raw '{"name":"${var.rule_id}","version":"1","attributes":{"match":{"value":{"zone":{"source":["remote-client","ptvi"],"destination":["internet"]}}},"set":{"value":{"action":"Allow"}}},"isEdited":false,"initialFormMode":"CREATE","enabled":true,"showRulePlacementOptions":false,"shemaIndex":6,"subtype":"INTERNET_PROTECTION","type":"REAL_TIME_PROTECTION","formMode":"CREATE","deploy":false,"versionControl":${local.version_control.versionControl}}' \
        -o protection_rule_api_response.json 2>curl_error_api_call_vsia_rule.log
    EOT
  }
}
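The token step of the sample above in a hardened form, as an added example that is not Versa's code: the secrets have no defaults, reach curl through environment variables and a config read from stdin rather than the command line, and the token is read and output as sensitive. The VERSA_* environment names are hypothetical, and the secrets are assumed to contain no double quote or backslash (curl config-file quoting).

```hcl
# Added example, not Versa's code: hardened variant of the token step.
variable "api_url_auth" { type = string }
variable "username" { type = string }
variable "client_id" { type = string }
# No defaults for secrets: supply TF_VAR_password / TF_VAR_client_secret.
variable "password" {
  type      = string
  sensitive = true
}
variable "client_secret" {
  type      = string
  sensitive = true
}

resource "null_resource" "http_post" {
  triggers = { always_run = timestamp() }
  provisioner "local-exec" {
    # Secrets reach the shell via environment (VERSA_* names are hypothetical).
    environment = {
      VERSA_USER          = var.username
      VERSA_PASS          = var.password
      VERSA_CLIENT_ID     = var.client_id
      VERSA_CLIENT_SECRET = var.client_secret
    }
    command = <<-EOT
      set -eu
      umask 077 # token file is readable by its owner only
      # --config - reads options from stdin, so secrets stay out of curl's argv;
      # --fail aborts the apply on an HTTP error instead of saving an error body.
      curl --silent --show-error --fail --config - -o access_token.json <<CFG
      url = "${var.api_url_auth}"
      data-urlencode = "grant_type=password"
      data-urlencode = "username=$VERSA_USER"
      data-urlencode = "password=$VERSA_PASS"
      data-urlencode = "client_id=$VERSA_CLIENT_ID"
      data-urlencode = "client_secret=$VERSA_CLIENT_SECRET"
      CFG
    EOT
  }
}
# local_sensitive_file marks the content sensitive in plan and apply output.
data "local_sensitive_file" "response" {
  filename   = "access_token.json"
  depends_on = [null_resource.http_post]
}
output "access_token" {
  value     = jsondecode(data.local_sensitive_file.response.content).access_token
  sensitive = true
}
```

The token is still written to access_token.json and recorded in Terraform state, so the working directory and the state backend both need restricted access.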
Terraform Execution
admin@devops$ terraform apply --auto-approve \
  -var="api_url_auth=https://concerto.versa-poc.com/portalapi/v1/auth/token" \
  -var="username=demo-user" \
  -var="password=<password>" \
  -var="client_id=<client_id>" \
  -var="client_secret=<client_secret>" \
  -var="rule_id=TEST9998" \
  -var="api_url=https://concerto.versa-poc.com/portalapi/v1/tenants/397561cd-6f76-4c89-b684-dacedbbf36a9/sase/real-time/internet-protection"
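An added example (not part of the Versa sample) of the rule insertion step with the payload built by jsonencode() and rule_id validated first, so a rule name containing quotes cannot alter the JSON body or the shell command. The access_token and version_control input variables, the RULE_BODY and VERSA_TOKEN environment names and the rule-name pattern are assumptions; in the sample the first two correspond to local.token_data.access_token and local.version_control.versionControl.

```hcl
# Added example, not Versa's code: rule payload built with jsonencode().
variable "api_url" { type = string }
variable "version_control" { type = number } # assumed numeric, from the summarize step
variable "access_token" {
  type      = string
  sensitive = true
}
variable "rule_id" {
  type = string
  validation {
    # Assumed naming policy: letters, digits, '-' and '_' only.
    condition     = can(regex("^[A-Za-z0-9_-]{1,64}$", var.rule_id))
    error_message = "rule_id may contain only letters, digits, '-' and '_'."
  }
}

locals {
  # jsonencode() escapes every value, so rule_id cannot change the JSON structure.
  rule_body = jsonencode({
    name    = var.rule_id
    version = "1"
    attributes = {
      match = { value = { zone = { source = ["remote-client", "ptvi"], destination = ["internet"] } } }
      set   = { value = { action = "Allow" } }
    }
    isEdited = false, initialFormMode = "CREATE", formMode = "CREATE", enabled = true
    showRulePlacementOptions = false, shemaIndex = 6, deploy = false
    subtype = "INTERNET_PROTECTION", type = "REAL_TIME_PROTECTION"
    versionControl = var.version_control
  })
}

resource "null_resource" "second_request" {
  triggers = { always_run = timestamp() }
  provisioner "local-exec" {
    environment = { RULE_BODY = local.rule_body, VERSA_TOKEN = var.access_token }
    command     = <<-EOT
      set -eu
      umask 077
      printf '%s' "$RULE_BODY" > rule_body.json
      curl --silent --show-error --fail --config - -o protection_rule_api_response.json <<CFG
      url = "${var.api_url}"
      header = "Authorization: Bearer $VERSA_TOKEN"
      header = "content-type: application/json"
      data-binary = "@rule_body.json"
      CFG
    EOT
  }
}
```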

Software Release Information
Releases 11.1.1 and later support all content described in this article.
