[VIDEO] ZPA Terraform provider Video Series Ep3 - Provisioning Keys

The provisioning key functions like an ID for the App Connector, enabling the ZPA cloud to verify the App Connector’s authenticity and complete the deployment process. Furthermore, each key is associated with a specific App Connector group, so the key allows the ZPA cloud to identify the App Connector group to which an App Connector must be deployed.

Provisioning keys are designed to enable auto-scaling so that you can easily deploy additional App Connectors and respond optimally to increases in required capacity. When you generate a provisioning key you can specify the number of times a key can be used to deploy App Connectors.

ZPA tracks the number of times a key is used to deploy an App Connector and displays it on the App Connector Provisioning Keys page. Once a key is used the maximum number of times, you cannot use it to deploy more App Connectors. However, you can always edit the maximum number of times a key can be used. You also have the option of associating multiple provisioning keys to a single App Connector group.

Terraform Registry Example: Terraform Registry

In this video, we’ll explore

0:00:00;00 - 0:00:15;00 - Introduction
0:00:15;00 - 0:01:45;00 - Provisioning Key Concepts
0:02:00;00 - 0:03:00;00 - Provisioning Key Terraform Registry Documentation
0:03:15;00 - 0:04:30;00 - Configuring the ZPA Provisioning Key
0:04:30;00 - 0:05:14;00 - Running Terraform
0:05:15;00 - 0:05:45;00 - Summary


Hi, my name is William Guilherme, and I am a Solutions Architect with the Zscaler Technology Alliances team.

In this video, we’ll go through how to create a provisioning key, and how to associate that key with an app connector group.

A provisioning key is a text string that is generated during the provisioning of a new app connector.

The ZPA cloud uses that provisioning key in order to verify the authenticity of an app connector as well as to identify a connector group.

When you configure a provisioning key, it can be limited to a maximum number of uses, and it must always be associated with an app connector group or a service edge group.

A Service Edge group is a different construct similar to an app connector group, which we will see later in this video series.

When you create a provisioning key, you may choose to perform a 1-1 association between a single provisioning key and an app connector group;

however, there are scenarios where you may want to associate multiple provisioning keys with a single app connector group.

A provisioning key cannot be created by itself; it requires a few parameters for successful creation. As can be seen here, a provisioning key is always associated with an enrollment certificate and an app connector group.

A provisioning key must also have an association_type. The following association_type values are supported when creating a provisioning key: CONNECTOR_GRP and SERVICE_EDGE_GRP.

When you run Terraform, it first queries the ID of an enrollment certificate of type “Connector”, then checks that the referenced app connector group ID exists. It also verifies that the association_type has been provided.

Once the IDs of these two resources have been retrieved and the association_type confirmed, Terraform initiates the creation of the provisioning key.

To start with the provisioning key configuration using Terraform, navigate to the Terraform Registry documentation. Then type ZPA in the search bar and navigate to the Documentation tab.

Then scroll down to the Provisioning Key section on the left-hand side.

Click on the zpa_provisioning_key resource. On this page, you will find examples of how to configure both app connector group and service edge group provisioning keys. You can then copy one of the examples and paste it into your configuration file.

You also need to configure Terraform to retrieve the ID of the appropriate enrollment certificate.

To see an example of an enrollment certificate data source, navigate to the Enrollment Certificate section and click on zpa_enrollment_cert.

ZPA provides several types of enrollment certificates, but for the purposes of this video we will focus on the enrollment certificate of type “Connector”;

however, it is important to note that a certificate of type “Service Edge” is also available in case you need to configure a provisioning key of type Service Edge Group.

To configure a provisioning key, open your preferred text editor.

As previously mentioned, an App Connector Group is required when creating a provisioning key. For this reason, we must have the zpa_app_connector_group resource block set up first.

Second, we must set up the data source zpa_enrollment_cert to retrieve the enrollment certificate of type Connector.

Finally, we can then start with the provisioning key resource block configuration.

Unlike some other ZPA resources, in which only a few parameters are required, all parameters of a provisioning key resource are mandatory.

A few important parameters to understand are:
• association_type: as previously mentioned, this parameter accepts two values: CONNECTOR_GRP and SERVICE_EDGE_GRP
• max_usage: the maximum number of times the provisioning key can be used
• enrollment_cert_id: the ID of the enrollment certificate
• zcomponent_id: the ID of the App Connector Group or Service Edge Group with which this provisioning key will be associated

Next, initialize the configuration directory by running the command terraform init. Then run the command terraform apply to create the provisioning key resource in the ZPA cloud. In this example, I am using the optional flag called --auto-approve, which will prevent Terraform from asking for confirmation.

Notice that the provisioning_key value is not displayed on the screen, as it is considered a sensitive value; however, this value can still be found in the Terraform state file.
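The configuration described above (app connector group, enrollment certificate data source, then the provisioning key with every argument set) as one complete, added example. This is not the video's own configuration file and not code from the zscaler/zpa provider project; the resource and argument names are the ones the video walks through on the registry page, while the group name, location values, key name and max_usage are constructed values, and passing max_usage as a quoted string follows the registry example as shown in the video (an assumption). The sensitive output at the end is a way to hand the key to a deployment pipeline without echoing it to the console.

```hcl
# Added example, not from the video. Literal values are constructed.
terraform {
  required_providers {
    zpa = {
      source = "zscaler/zpa"
    }
  }
}

# Step 1: look up the enrollment certificate of type "Connector".
# Terraform resolves this data source first; the plan fails if no
# certificate with this name exists, so nothing is half-created.
data "zpa_enrollment_cert" "connector" {
  name = "Connector"
}

# Step 2: the app connector group the key is tied to. Every App Connector
# that enrolls with the key is placed in this group (zcomponent_id below).
resource "zpa_app_connector_group" "sjc" {
  name                     = "sjc-connector-group" # constructed name
  description              = "Group for the provisioning-key example"
  enabled                  = true
  city_country             = "San Jose, US"
  country_code             = "US"
  latitude                 = "37.3382"
  longitude                = "-121.8863"
  location                 = "San Jose, CA, USA"
  upgrade_day              = "SUNDAY"
  upgrade_time_in_secs     = "66600"
  override_version_profile = true
  version_profile_id       = "0"
  dns_query_type           = "IPV4_IPV6"
}

# Step 3: the provisioning key. All five arguments are required.
resource "zpa_provisioning_key" "sjc" {
  name               = "sjc-connector-key" # constructed name
  association_type   = "CONNECTOR_GRP"     # SERVICE_EDGE_GRP for a Service Edge Group
  max_usage          = "5"                 # cap at the number of connectors you plan to enroll
  enrollment_cert_id = data.zpa_enrollment_cert.connector.id
  zcomponent_id      = zpa_app_connector_group.sjc.id
}

# provisioning_key is a sensitive attribute: terraform apply redacts it in
# the console, but it is written in clear text to terraform.tfstate.
# A sensitive output keeps it out of plan/apply logs while a pipeline can
# still read it with: terraform output -raw sjc_provisioning_key
output "sjc_provisioning_key" {
  value     = zpa_provisioning_key.sjc.provisioning_key
  sensitive = true
}
```

Run it exactly as in the video: terraform init, then terraform apply. Because the key lands in the state file, treat the state as a secret: keep it in a remote backend with encryption and access control rather than in a local file or a source repository. Size max_usage to the connectors you actually intend to enroll; the key's remaining uses can be raised later in the same resource block when you scale out, which is a tighter control than a key with an unnecessarily high usage count from the start.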

Finally, we have a provisioning key, which can now be used to onboard multiple app connector appliances in ZPA Cloud.

In summary:
• A provisioning key is a text string generated during the provisioning of new app connectors and is used to verify the authenticity of an app connector appliance.
• A provisioning key is used to identify a connector group or service edge group.
• It can be configured to be used a maximum number of times.
• A provisioning key must always be associated with a Connector Group or Service Edge Group.
• There are two types of provisioning keys: “CONNECTOR_GRP” and “SERVICE_EDGE_GRP”.
• A Connector Group or Service Edge Group can be associated with multiple provisioning keys.
• All parameters in a provisioning key resource are required.