Zscaler Blog


Introducing Zscaler Zero Trust Cloud Terraform Provider


Why Automate Zero Trust Cloud?

Modern cloud environments demand automation. Infrastructure changes constantly as workloads scale up, scale down, and shift across regions and accounts. Security controls need to follow that motion automatically — not through manual UI work or ad-hoc scripts.

Zscaler Zero Trust Cloud (ZTC) brings inline inspection, egress control, and workload-to-internet isolation directly into cloud-native environments. To operate ZTC at scale across dozens or hundreds of accounts, teams need an automation model that matches the speed of the cloud. The Terraform deployment templates for Zscaler Cloud Connector have long been the recommended, cloud-agnostic approach to zero-touch infrastructure provisioning, with Terraform modules for every supported cloud. Extending that automation beyond deployment to cover the full lifecycle, including administration, configuration, and policy control for ZTC, is the natural next step.

Meet the Terraform Provider for Zscaler Zero Trust Cloud 

We’re excited to introduce the Zscaler Zero Trust Cloud (ZTC) Terraform Provider, a powerful way for cloud, platform, and security teams to automate Zero Trust Cloud at scale. Alongside the UI workflow for configuring gateways, onboarding accounts, and creating forwarding policies, teams can now declare ZTC environments as code: fully version-controlled, peer-reviewed, and deployed through CI/CD pipelines.

The provider exposes a rich set of resources that map directly to Zero Trust Cloud configuration objects, enabling consistent, repeatable deployments across every cloud environment:

Core ZTC Resources

Data Sources

The provider also includes data sources to help modules dynamically adapt to cloud regions, cloud providers, and existing tenant configuration:

Together, these resources and data sources allow teams to automate Zero Trust Cloud the same way they automate VPCs, VNets, IAM, and network firewalls — with repeatable, testable, and scalable infrastructure-as-code workflows.

Getting Started in Minutes

Before using the ZTC Terraform Provider, make sure you have the required authentication method configured for your tenant. The provider supports both OneAPI OAuth 2.0 clients and ZTC legacy API credentials, depending on your environment. Zscaler recommends that all customers use OneAPI.

Prerequisites

You’ll need the following before running your first Terraform plan:

  1. A Zscaler Zero Trust Cloud (ZTC) tenant with API access enabled.
  2. Terraform 1.3+ installed.
  3. One of the following authentication methods:

Option 1 — OneAPI (Recommended)

Create a OneAPI OAuth client in ZIdentity with the scopes required for Zero Trust Cloud.

  • OneAPI uses the OAuth 2.0 Client Credentials flow.
  • Your Terraform provider will authenticate by exchanging the client_id and client_secret for access tokens.
  • This is the preferred method for tenants already migrated to the OneAPI and ZIdentity framework.

Documentation:

Option 2 — Legacy ZTC Authentication

For tenants not yet migrated to OneAPI or ZIdentity:

  • Use a native ZTC API key along with admin credentials (legacy framework).
  • This provider maintains backward compatibility for organizations using legacy Cloud Connector authentication.

Documentation:
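As an added example (not code from this blog post or from the provider's own documentation), the following shows the shape of a OneAPI provider configuration that keeps the client secret out of the repository and pins the provider version. The registry address zscaler/ztc and the provider argument names client_id, client_secret and vanity_domain are assumptions modelled on Zscaler's other OneAPI-enabled providers; confirm them against the ZTC provider page on the Terraform Registry before use.

```hcl
terraform {
  required_version = ">= 1.3"

  required_providers {
    ztc = {
      # ASSUMPTION: registry address of the ZTC provider; confirm on the Terraform Registry.
      source = "zscaler/ztc"
      # Pin the exact release you tested so a CI run cannot silently pick up a new
      # provider build (supply-chain hygiene); "1.0.0" is a placeholder value.
      version = "1.0.0"
    }
  }
}

# OneAPI uses the OAuth 2.0 client credentials flow: the provider exchanges the
# client_id and client_secret for access tokens. Both are marked sensitive so
# Terraform redacts them from plan output and logs. Supply them from CI secrets
# via the TF_VAR_ztc_client_id / TF_VAR_ztc_client_secret environment variables,
# never from a committed .tfvars file.
variable "ztc_client_id" {
  type      = string
  sensitive = true
}

variable "ztc_client_secret" {
  type      = string
  sensitive = true
}

variable "ztc_vanity_domain" {
  type        = string
  description = "ZIdentity vanity domain of the tenant (assumed argument, e.g. \"acme\")."
}

# ASSUMPTION: argument names follow the convention of Zscaler's other OneAPI providers.
provider "ztc" {
  client_id     = var.ztc_client_id
  client_secret = var.ztc_client_secret
  vanity_domain = var.ztc_vanity_domain
}
```

Run terraform init followed by terraform validate after adding this: Terraform fails fast on an unknown provider argument, which is the check that catches a wrong assumption about the names above. For the legacy model the same pattern applies, with the ZTC API key and admin credentials declared as sensitive variables and injected from CI secrets rather than written into the configuration.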

Zscaler OneAPI Support

The Zscaler Zero Trust Cloud Terraform Provider is built to support both Zscaler OneAPI, the unified API framework for the Zscaler platform, and the existing legacy authentication method. This flexibility allows teams to begin automating immediately — regardless of their current tenant configuration — while giving them a clear path toward Zscaler’s long-term OneAPI direction.

Why OneAPI Matters for Terraform Automation

OneAPI provides a consistent, modern, standards-based programming interface to all Zscaler products and services. For Terraform users, that means a more predictable and scalable automation experience.


Instead of managing different authentication models or product-specific endpoints, OneAPI provides a single, consistent control plane for interacting with ZIA, ZPA, ZDX, ZCC, and ZTC.

OneAPI also brings OAuth 2.0 based authentication and integration with ZIdentity, enabling API clients to be treated as fully managed identities with complete audit trails, behavioral visibility, and support for enterprise IAM standards. This greatly improves governance and aligns automation with modern CI/CD security practices.

Enhanced Terraform Automation with OneAPI

Enabling OneAPI allows the ZTC Terraform Provider to take advantage of:

• A unified endpoint across Zscaler services
• Consistent API patterns as new capabilities are introduced
• Reduced operational overhead by eliminating mixed authentication schemes
• Stronger attribution and auditability for Terraform plan/apply operations

This makes OneAPI the strategic foundation for long-term Zscaler automation at scale.

Legacy Authentication Support (For Non-OneAPI Tenants)

Some organizations may still rely on product-specific legacy API keys or portal-scoped credentials. The provider fully supports this model, allowing teams to automate today without restructuring existing workflows. This is beneficial for tenants not yet migrated to ZIdentity or environments where API key pipelines are already well established.

Choosing an Authentication Model

Most teams follow one of two paths:

  • New deployments: Start with OneAPI to align with Zscaler’s long-term model.
  • Existing deployments: Continue with legacy authentication while evaluating readiness for OAuth 2.0 based automation.

Transitioning to OneAPI

Shifting from legacy API keys to OneAPI typically requires only an update to Terraform provider credentials — not a rewrite of Terraform modules. Teams configure OAuth 2.0, validate in staging, rotate keys, and adopt ZIdentity for long-term governance.

The Bottom Line

OneAPI provides a more secure, scalable, and maintainable automation foundation across the Zscaler platform. The ZTC Terraform Provider supports both models, giving teams flexibility today and a clear upgrade path for tomorrow.

Set up ZTC Terraform Configuration

Let’s test one of the pre-built sample configurations from the ZTC Terraform Provider GitHub repository.

The main.tf file contains the following ZTC Terraform resources:

  • ztc_forwarding_gateway
  • ztc_traffic_forwarding_rule

This configuration creates a forwarding gateway and a direct forwarding rule.


Now let’s actually apply the Terraform configurations!

1. Download and install the provider defined in the configuration with this command:

terraform init

2. Run this command to see a plan of what resources are going to be created:

terraform plan

3. Apply the configuration:

terraform apply

Clean up deployment

Run the following command to destroy all the resources you created:

terraform destroy

This command destroys all the resources recorded in your Terraform state. It does not touch resources that exist in the tenant but are not managed by the current Terraform project, because they are not in that state.

Core Automation Patterns That Matter

Whether you're a platform engineer, cloud architect, or security practitioner, the provider accelerates several high-impact workflows.

  1. Multi-account onboarding: Cloud teams often manage tens or hundreds of AWS/Azure accounts. Terraform lets them declare account metadata once, and the provider handles the onboarding for each environment. Example patterns:

    1. Combine ztc_public_cloud_info + ztc_account_groups
    2. Enforce consistent external IDs and regions
    3. Push tagging standards for workload discovery

  2. Traffic engineering as code: Model internet egress, private application, and DNS inspection behavior through ztc_forwarding_gateway, ztc_dns_forwarding_gateway, and the various traffic forwarding rule resources so that every VPC/VNet inherits the right next hop without manual portal edits.

  3. Shared guardrails for edge connectors: Use ztc_location_template and ztc_location_management to predefine the transit gateway and decentralized Gateway Load Balancer endpoint (GWLBe) patterns described in the Zscaler Zero Trust Gateway architecture, then stamp them out per environment.

  4. Operational resilience through deterministic state: Terraform’s state file becomes your source of truth, enabling teams to:

    1. Detect drift instantly
    2. Prevent unreviewed console edits
    3. Accelerate troubleshooting with consistent artifacts
    4. Integrate change management (e.g., ServiceNow approval flows)

    In large organizations where multiple teams operate in the same tenant, this enforcement layer becomes essential.
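The multi-account onboarding pattern above, as an added example that is not code from this blog post or from the provider: account metadata is declared once in a single map, guardrails on regions and external IDs are enforced by variable validation before any API call is made, and a tagging standard is merged into every account. The wrapper module path ./modules/ztc-account and its input names are hypothetical placeholders for whatever module wraps the ztc_* resources in your repository; the approved region list and the external ID format are constructed for illustration.

```hcl
# One declaration of account metadata drives every onboarding run.
variable "accounts" {
  description = "Cloud accounts to onboard into Zero Trust Cloud, keyed by a stable label."
  type = map(object({
    cloud       = string      # "aws" or "azure"
    account_id  = string
    region      = string
    external_id = string
    tags        = map(string)
  }))

  # Guardrail: only regions on an approved list may be used (list is illustrative).
  validation {
    condition = alltrue([
      for a in var.accounts : contains(["us-east-1", "us-west-2", "eu-central-1", "westeurope"], a.region)
    ])
    error_message = "Every account must use an approved region."
  }

  # Guardrail: external IDs must follow one organisation-wide format so that a
  # typo cannot quietly establish a trust relationship with the wrong account.
  # The pattern ztc-<12+ lowercase alphanumerics> is a constructed convention.
  validation {
    condition = alltrue([
      for a in var.accounts : can(regex("^ztc-[a-z0-9]{12,}$", a.external_id))
    ])
    error_message = "external_id must match ^ztc-[a-z0-9]{12,}$."
  }

  # Guardrail: cloud must be one the module knows how to onboard.
  validation {
    condition     = alltrue([for a in var.accounts : contains(["aws", "azure"], a.cloud)])
    error_message = "cloud must be \"aws\" or \"azure\"."
  }
}

locals {
  # Tagging standard pushed to every account for workload discovery.
  standard_tags = {
    "managed-by" = "terraform"
    "ztc"        = "onboarded"
  }
}

# HYPOTHETICAL wrapper module around the provider's account resources; one
# instance per map entry, so adding an account is a one-line change to the map.
module "ztc_account" {
  source   = "./modules/ztc-account"
  for_each = var.accounts

  cloud       = each.value.cloud
  account_id  = each.value.account_id
  region      = each.value.region
  external_id = each.value.external_id
  tags        = merge(local.standard_tags, each.value.tags)
}

# Keys of the onboarded accounts; this output does not depend on module internals.
output "onboarded_account_keys" {
  value = keys(module.ztc_account)
}
```

Because the validation blocks run during terraform plan, a malformed external ID or an unapproved region fails the plan before the provider contacts the tenant, and the failure message lands in the pull request rather than in the ZTC console.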

Bring Existing Deployments Under Control with Zscaler-Terraformer

Already deployed Cloud Connector or Zero Trust Gateway (ZTGW) manually? No problem.

The Zscaler-Terraformer CLI reverse-engineers your existing ZTC configuration into:

  • Terraform (HCL) files
  • State file
  • Provider scaffolding
  • Module-ready directory structure

This eliminates the painful “rewrite everything from scratch” phase most Infrastructure as Code (IaC) projects require.

Use Terraformer to:

  • Import forwarding gateways, IP pools, rules, objects
  • Bootstrap version control
  • Run an immediate terraform plan to understand drift
  • Gradually transition teams from UI → Infrastructure as Code (IaC) one resource at a time

For more details on Zscaler-Terraformer, refer to our previous blog, Introducing Zscaler Terraformer Tool.

Zscaler-Terraformer Demo: ZTC Terraform Provider Importer

Best Practices Before You Hit "Apply"

  • Adopt Git-based workflows: Use PRs, reviewers, and pre-merge checks so networking/security changes follow the same rigor as application deployments.
     
  • Treat ZTC as part of your SDLC: Embed changes into your existing release workflows so networking updates follow the same review, testing, and approval standards as application deployments.
     
  • Modularize by topology: Separate modules for transit-gateway hubs, decentralized VPC endpoints, and hybrid patterns make it easier to mix architectures based on account overlap or partner connectivity, mirroring the models outlined in the Zscaler Zero Trust Gateway blog.
     
  • Leverage dynamic data sources: Feed ztc_supported_regions into modules to avoid hardcoding AWS regions or cloud types, especially as Zscaler continues to add Azure and GCP support.
     
  • Align with operations: Surface Terraform outputs—such as provisioning URLs, activation status, and log forwarding settings—into runbooks so day-2 operators have a single source of truth.

Zscaler + Terraform: Practical Use Cases

Zscaler customers already automate ZPA and ZIA using existing Terraform providers. With Zero Trust Cloud now added to the ecosystem, teams can extend the exact same IaC patterns across all three platforms — with consistent workflows and shared modules.

Use Case 1: Replace UI clicks with declarative automation

Terraform provides:

  • Deterministic configuration
  • Reduced manual errors
  • Repeatable application and onboarding workflows
  • Consistency across clouds and accounts

Use Case 2: Drift elimination

Terraform highlights:

  • Any unexpected changes
  • Any UI-based edits
  • Any inconsistencies across environments

This is critical for compliance-driven teams.

Use Case 3: Policy compliance & least privilege

Terraform lets teams:

  • Create workspaces per domain (ZIA FW, ZPA access policies, ZTC forwarding)
  • Restrict admins to only the modules they own
  • Enforce policy via Sentinel or OPA
  • Integrate with ITSM workflows

The result? A scalable, automated zero trust ecosystem that aligns with your SDLC and cloud deployment model.

The Terraform provider for Zscaler Zero Trust Cloud brings predictable, scalable, and automated security to cloud environments where agility is non-negotiable. Whether you're onboarding dozens of AWS/Azure accounts, enforcing forwarding policies, or eliminating drift, Terraform makes ZTC adoption consistent and code-driven — exactly how modern cloud teams prefer to work.

And for teams with existing deployments, Zscaler-Terraformer accelerates the transition by converting your current configuration into Terraform-ready files and state.

The result is a unified, Git-based workflow that strengthens security, accelerates deployment, and aligns cloud networking with DevOps best practices.

To get started, explore the provider on the Terraform Registry or try the Terraformer tool to bring your existing deployment under code in minutes.


Disclaimer: This blog post was created by Zscaler for informational purposes only and is provided without any warranty as to its accuracy, completeness, or reliability. Zscaler assumes no responsibility for any errors or omissions or for actions taken on the basis of the information provided. Any third-party websites or resources linked in this blog post are provided for your information only, and Zscaler is not responsible for their content or privacy practices. All content is subject to change without notice. By accessing this blog post you agree to these terms and acknowledge that it is your responsibility to verify the information and to use it in a manner appropriate to your needs.
