ZeroTier Central now integrates with HashiCorp Terraform

Sean OMeara
October 13, 2021

Managing network settings through a web UI can be tedious. Taking full advantage of ZeroTier means enrolling large numbers of devices, segmenting networks, and using the rules engine. At scale, manual management quickly breaks down. Describing ZeroTier networks as code makes life much easier: code lets you generate settings dynamically, keep them in version control, review a change before it is applied, and integrate with automated workflows.

The HashiCorp-verified Terraform provider for ZeroTier lets you do just that. It drives the ZeroTier Central API, so networks, members, and identities are declared in HCL and reconciled with terraform plan and terraform apply instead of being edited by hand.

To help you get started, we have written not one, but two interactive quickstart tutorials using GitHub, ZeroTier Central, and Terraform Cloud. With these tutorials, you will learn how to manage ZeroTier networks with Terraform, bootstrap cloud instances with ZeroTier, and explore ZeroTier’s Layer 2 SD-WAN capabilities.

What you need to get started:

  1. GitHub account

  2. ZeroTier Central account

  3. Terraform Cloud account

Both tutorials use Terraform Cloud and GitHub’s in-browser code editor.

Hello World

The ZeroTier Terraform Quickstart is for ZeroTier users new to Terraform. It shows how to describe ZeroTier Networks as code, featuring tutorial classics, like “Hello World!”.

resource "zerotier_network" "hello" {
  name        = "hello"
  description = "Hello World"
  assignment_pool {
    start = "192.168.42.1"
    end   = "192.168.42.254"
  }
  route {
    target = "192.168.42.0/24"
  }
}

resource "zerotier_member" "alice" {
  name        = "alice"
  member_id   = "a11c3411ce"
  description = "Alice's laptop"
  network_id  = zerotier_network.hello.id
}

resource "zerotier_member" "bob" {
  name        = "bob"
  member_id   = "b0bd0bb0bb"
  description = "Bob's laptop"
  network_id  = zerotier_network.hello.id
}
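The provider configuration the Hello World snippet relies on, plus a stricter variant of the same network that also exercises the rules engine, as an added example that is not part of the tutorial. It assumes the provider source is zerotier/zerotier and that the provider reads the Central API token from the ZEROTIER_CENTRAL_TOKEN environment variable; the private, authorized, and heredoc-style flow_rules attributes are taken from the provider schema as I recall it, so check them against the documentation for the provider version you pin. The member IDs are placeholders.

```hcl
terraform {
  required_providers {
    zerotier = {
      source  = "zerotier/zerotier"
      version = "~> 1.0" # assumption: pin to a known 1.x release
    }
  }
}

# No token in code: the provider reads ZEROTIER_CENTRAL_TOKEN from the
# environment (assumed variable name; see the provider docs). Never commit it.
provider "zerotier" {}

resource "zerotier_network" "hello" {
  name        = "hello"
  description = "Hello World, with rules"
  private     = true # members must be authorized before they get traffic

  assignment_pool {
    start = "192.168.42.1"
    end   = "192.168.42.254"
  }
  route {
    target = "192.168.42.0/24"
  }

  # ZeroTier rules language: rules are evaluated top to bottom and the first
  # terminating action (accept or drop) decides the packet's fate.
  flow_rules = <<-EOT
    # Only IPv4, IPv6 and ARP frames may cross the overlay.
    drop
      not ethertype ipv4
      and not ethertype arp
      and not ethertype ipv6
    ;

    # Drop new TCP connections to anything except SSH (tcp/22).
    # A bare SYN (no ACK) is a connection attempt; established flows pass.
    drop
      chr tcp_syn
      and not chr tcp_ack
      and not dport 22
    ;

    accept;
  EOT
}

# Member IDs are the 10-hex-character node addresses. Placeholder values.
variable "laptops" {
  type = map(string)
  default = {
    alice = "a11c3411ce"
    bob   = "b0bd0bb0bb"
  }
}

resource "zerotier_member" "laptops" {
  for_each    = var.laptops
  name        = each.key
  member_id   = each.value
  description = "${each.key}'s laptop"
  network_id  = zerotier_network.hello.id
  authorized  = true # set to false to cut a device off without deleting it
}
```

Export ZEROTIER_CENTRAL_TOKEN in your shell (or as a sensitive workspace variable in Terraform Cloud), then run terraform init and terraform plan; the plan shows the rules and members that will change before anything touches Central. Note that flow rules apply to all traffic between members on the overlay in both directions, so the SSH-only rule above also stops Alice's laptop from opening, say, a web connection to Bob's; traffic outside the overlay is unaffected.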

Multi-Cloud Zero Trust Network Access

The ZeroTier Terraform Multi-Cloud quickstart goes much deeper. It contains modules for nine different cloud providers, each with Just Enough Infrastructure to bring up a compute node bootstrapped with an ephemeral ZeroTier identity and client. The result is a networking lab environment that uses ZeroTier’s Layer 2 SD-WAN overlay to manipulate interfaces, monitor traffic with tshark, and enable dual-stacked native container routing across clouds.

The lab features ZeroNSD to serve internal DNS, and ZeroTier Systemd Manager to enable per-interface name resolution on Linux.

# ZeroTier Central

# One ephemeral identity per enabled instance. The provider generates the
# keypair and keeps it (private key included) in Terraform state, so the
# state must be protected like any other secret.
resource "zerotier_identity" "instances" {
  for_each = { for k, v in var.instances : k => v if v.enabled }
}

resource "zerotier_network" "demolab" {
  name        = "demo.lab"
  description = "ZeroTier Terraform Demolab"
  assign_ipv6 {
    zerotier = true
    sixplane = true
    rfc4193  = true
  }
  assignment_pool {
    start = "10.0.0.1"
    end   = "10.0.0.254"
  }
  route {
    target = "10.0.0.0/16"
  }
  # Rules are rendered from a template; the AWS node's address is
  # interpolated into it as "ethertap".
  flow_rules = templatefile("${path.module}/flow_rules.tpl", {
    ethertap = zerotier_identity.instances["aws"].id
  })
}

resource "zerotier_member" "devices" {
  for_each    = var.devices
  name        = each.key
  member_id   = each.value.member_id
  description = each.value.description
  network_id  = zerotier_network.demolab.id
}

resource "zerotier_member" "instances" {
  for_each           = { for k, v in var.instances : k => v if v.enabled }
  name               = each.key
  # Register each node by the address of its generated identity, so the
  # member exists in Central before the instance does.
  member_id          = zerotier_identity.instances[each.key].id
  description        = each.value.description
  network_id         = zerotier_network.demolab.id
  # Pin a managed IP for each node in addition to pool auto-assignment.
  no_auto_assign_ips = false
  ip_assignments     = [each.value.ip_assignment]
}

# A Central API token handed to the instances (ZeroNSD needs one to read the
# member list). It is sensitive: it lands in Terraform state and on each node.
resource "zerotier_token" "this" {
  name = "demolab"
}

# Digital Ocean

module "do" {
  source      = "./modules/do"
  for_each    = { for k, v in var.instances : k => v if k == "do" && v.enabled }
  name        = "do"
  image       = "ubuntu-20-04-x64"
  region      = "nyc1"
  size        = "s-1vcpu-1gb-amd"
  dnsdomain   = zerotier_network.demolab.name
  pod_cidr    = "10.42.1.1/24"
  script      = "init-demolab.tpl"
  svc         = var.users
  zeronsd     = true
  zt_identity = zerotier_identity.instances["do"]
  zt_network  = zerotier_network.demolab.id
  zt_token    = zerotier_token.this.token
}
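What "bootstrapped with an ephemeral ZeroTier identity" looks like in practice, as an added example that is not the quickstart's own module code: the identity is generated by Terraform, pre-registered as a member, and installed on the node before the daemon starts, so the node comes up with a known address and joins without anyone clicking Authorize. The public_key and private_key attributes of zerotier_identity and the authorized member attribute are assumed from the provider schema as I recall it; the user-data script assumes a base image with the zerotier-one package already installed.

```hcl
# One ephemeral identity for the node; the keypair is generated by the
# provider at plan time, so the node's address is known before the VM exists.
resource "zerotier_identity" "web" {}

resource "zerotier_network" "lab" {
  name = "lab"
  assignment_pool {
    start = "10.0.0.1"
    end   = "10.0.0.254"
  }
  route {
    target = "10.0.0.0/24"
  }
}

# Register and authorize the node by its address before it boots.
resource "zerotier_member" "web" {
  name           = "web"
  member_id      = zerotier_identity.web.id
  network_id     = zerotier_network.lab.id
  authorized     = true # assumed attribute name
  ip_assignments = ["10.0.0.10"]
}

# cloud-init user data (a plain shell script is accepted as user data).
# The identity files must be in place before zerotier-one starts, otherwise
# the daemon generates its own identity and the pre-registered member
# never matches; stopping and restarting the service handles both cases.
locals {
  user_data = <<-EOT
    #!/bin/sh
    set -eu
    systemctl stop zerotier-one
    install -d -m 0700 /var/lib/zerotier-one
    umask 077
    printf '%s' '${zerotier_identity.web.public_key}'  > /var/lib/zerotier-one/identity.public
    printf '%s' '${zerotier_identity.web.private_key}' > /var/lib/zerotier-one/identity.secret
    systemctl start zerotier-one
    # Wait for the daemon's local API, then join the network.
    until zerotier-cli info >/dev/null 2>&1; do sleep 1; done
    zerotier-cli join ${zerotier_network.lab.id}
  EOT
}

# Pass local.user_data to your instance resource (for example the
# user_data argument of digitalocean_droplet). Marked sensitive because it
# embeds the node's private key.
output "user_data" {
  value     = local.user_data
  sensitive = true
}
```

Two caveats follow from this design. The node's private key is now in three places: Terraform state, the rendered user data (which most clouds expose to anything on the instance via the metadata service), and /var/lib/zerotier-one/identity.secret. That is acceptable for a lab node whose identity is thrown away with the instance, which is why the tutorial calls them ephemeral; for long-lived nodes you would let the daemon generate its identity locally and authorize the resulting address instead. And because the member is authorized before the instance exists, anyone who can read the state or user data can impersonate that node until it is destroyed, so keep the blast radius small with flow rules such as the SSH-only rule set shown in the Hello World example.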

The full-blown Multi-Cloud environment uses:

– Digital Ocean

– Amazon Web Services

– Google Compute Engine

– Microsoft Azure

– Oracle Cloud Infrastructure

– Alibaba Cloud

– IBM Cloud

– Vultr

– Equinix Metal

We aim to add even more in the future.

Stay informed!

If you’d like to keep up to date with ZeroTier, please be sure to subscribe to our newsletter and follow us on Twitter.