ZPA and ZIA Terraform Providers (Now Verified)

Demo Video - Migrating ZPA and ZIA Providers to the Verified Version

The Zscaler Private Access (ZPA) and Zscaler Internet Access Terraform Providers (ZIA) are now verified official providers in the Terraform registry.

Both providers were introduced as community based providers in an unofficial capacity in 2021 with the intent of supporting organizations adopting a DevOps mindset and make them more agile and secure. You can read the previous articles by clicking in the below links.

Fast forward 8 months later, we have seen a wide adoption of both providers among many customers, and have worked diligently to publish the providers in the official Terraform Registry which became available this past week.

Using Providers From the Registry

The Registry is directly integrated with Terraform. To use any provider from the Registry, all you need to do is require it within your Terraform configuration; Terraform can then automatically install that provider when initializing a working directory, and your configuration can take advantage of any resources implemented by that provider.

Migrating to the Verified Provider

For those customers who have being utilizing the custom community version of either one of these providers, they can migrate to the verified version without any impact to their existing state file, by following the steps described in this article.

To achieve that, Terraform provides a native command called terraform state replace-provider.
The terraform state replace-provider command is used to replace the provider for resources in a Terraform state.

This command will update all resources using the “from” provider, setting the provider to the specified “to” provider. This allows changing the source of a provider which currently has resources in state.

:exclamation::warning::exclamation: This command will output a backup copy of the state prior to saving any changes. The backup cannot be disabled. Due to the destructive nature of this command, backups are required.

For more details on the utilization of this command, refer to the following Terraform CLI article Command: state replace-provider

Migration Steps

Step 1: Navigate to your terraform configuration directory
Step 2: Run the following command:

terraform state replace-provider zscaler.com/zpa/zpa zscaler/zpa

The above command can be broken down in 3 parts:

  1. terraform state replace-provider - This is the actual terraform command used to replace the provider for resources in a Terraform state.
  2. Current Provider path zscaler.com/zpa/zpa - This is the source “From” path where Terraform searches for the custom provider by default
  3. New Provider registry zscaler/zpa - This is the destination provider “To” which we want to migrate to or the namespace path in the Terraform registry.

The output of this command is displayed below in the screenshot.

The new Provider Path in the Terraform State File

In the final state file output you can see the result, which basically indicates the provider path in the Terraform registry

Running Terraform Plan and Apply

Once you complete steps previously described, you can run terraform plan and then terraform apply, as well as start creating new resources in ZPA or ZIA without impact to your existing Terraform State file.

Interested in exploring the providers, contribute or open an issue? To get started check out the projects in the GitHub repositories here: