Managing Netskope Private Access Using Terraform

November 17, 2022

Prior to June 2022, deploying and managing Netskope’s Private Access Publishers and defining Netskope private applications for users to access was mostly a manual process, especially within the public cloud providers. With the release of the Netskope Terraform provider, complete end-to-end management of publishers and private applications can be integrated into an organization’s CI/CD pipeline and infrastructure-as-code methodology.

 

While this blog is about the official Netskope supported Terraform provider, Netskope offers APIs that can be utilized in additional infrastructure automation tools. The available APIs are documented at the Netskope Knowledge Portal and usage details for these APIs can be found within your Netskope tenant under Settings -> Tools -> REST API v2.

 

In this post, I’ll be demonstrating how quick it is to deploy a private access use case into AWS using the official Netskope Terraform Provider.

 

 

What is Terraform?

If you were like me, you may have heard of Terraform and thought it was a complex and magical utility. I can confirm it is magical, but after getting over the initial learning curve I found that its complexity was a misconception on my part.

 

Terraform defines itself as “an infrastructure as code tool that lets you define both cloud and on-prem resources in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. Terraform can manage low-level components like compute, storage, and networking resources, as well as high-level components like DNS entries and SaaS features.”

 

Ultimately, Terraform provides a framework to manage infrastructure across multiple providers like AWS, VMware, GCP, Docker, etc. For those who are not familiar with Terraform, this article is a recommended read.

 

 

What is Netskope Private Access?

Netskope Private Access is a product within Netskope’s SASE portfolio that allows organizations to transition away from legacy client VPN deployments to a seamless Zero Trust Network Access model using least privileged access to access applications and services both inside corporate data centers and public cloud environments.

 

 

Using the Netskope Terraform Provider and Modules

I have created sample Terraform files that can be downloaded from GitHub and edited to include details specific to your environment. Additional usage details for the provider and modules can be found at the Terraform registry: https://registry.terraform.io/providers/netskopeoss/netskope/0.2.1

 

Before we go any further, I want to set the stage for what the Netskope Terraform provider supports today. The Netskope Terraform provider supports deploying and registering Netskope Private Access Publishers within AWS and GCP and creating private applications within Netskope. What this means is if Terraform is used to deploy and manage private applications, the Netskope administrator still needs to provide users access to the application(s) via a real-time policy within the UI. There is currently no way to automate the creation or updates of real-time policies.

 

Prior to writing any Terraform files, it is imperative that the correct access scope is defined in both Netskope’s API and the public cloud infrastructure you will be deploying the Netskope Publisher into.

 

Netskope API
Within my Netskope environment, I created a new API token with Read/Write access to the /api/v2/infrastructure/publishers and /api/v2/steering/private endpoints.

 


 

Note: to simplify testing, there is a section within the main.tf file for this API key; however, it is highly recommended to manage secrets in production deployments with tools such as HashiCorp Vault. At a minimum, secrets should be accessed with Terraform environment variables using the format below. Additional information on how to use environment variables within Terraform can be found at: https://www.terraform.io/cli/config/environment-variables.

 

Mac / Linux

export NS_BaseURL=<Base URL>
export NS_ApiToken=<API Token>

 

Windows

set NS_BaseURL=<Base URL>
set NS_ApiToken=<API Token>
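
A pre-flight check for the advice above, as an added example that is not from the original post or the Netskope provider: it fails when a Terraform file assigns a quoted literal to the token argument, or when NS_ApiToken / NS_BaseURL are not usable from the environment. The argument name `apitoken`, the variable name `netskope_api_token` and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: run before `terraform init` / `terraform apply`.
# Assumption: the provider's token argument is named `apitoken`; the pattern
# also catches api_token / NS_ApiToken style names.

# Print file:line for each quoted literal (no "${...}" interpolation) assigned
# to a token argument in *.tf / *.tfvars files. The value itself is never
# printed, so the secret does not end up in CI logs.
find_hardcoded_tokens() {
  find "$1" -type f \( -name '*.tf' -o -name '*.tfvars' \) ! -path '*/.terraform/*' \
    -exec grep -nEi '^[[:space:]]*(ns_)?api_?token[[:space:]]*=[[:space:]]*"[^"$]+"' /dev/null {} + |
    cut -d: -f1,2
}

# The token must come from the environment and the base URL must use TLS.
check_env() {
  env_rc=0
  [ -n "${NS_ApiToken:-}" ] || { echo "NS_ApiToken is not set" >&2; env_rc=1; }
  case "${NS_BaseURL:-}" in
    https://?*) ;;
    *) echo "NS_BaseURL must be an https:// URL" >&2; env_rc=1 ;;
  esac
  return "$env_rc"
}

# Returns 0 only when no literal token is found and the environment is usable.
preflight() {
  rc=0
  hits=$(find_hardcoded_tokens "${1:-.}")
  if [ -n "$hits" ]; then
    printf 'token literal found at:\n%s\n' "$hits" >&2
    rc=1
  fi
  check_env || rc=1
  return "$rc"
}

# Constructed sample project: bad/ holds a literal token, good/ references a
# (hypothetical) input variable instead.
make_sample() {
  mkdir -p "$1/bad" "$1/good"
  printf 'provider "netskope" {\n  apitoken = "CONSTRUCTED-NOT-A-REAL-TOKEN"\n}\n' > "$1/bad/main.tf"
  printf 'provider "netskope" {\n  apitoken = var.netskope_api_token\n}\n' > "$1/good/main.tf"
}

# Usage: sh preflight.sh <terraform-dir>
if [ "$#" -gt 0 ]; then preflight "$1" || exit 1; fi
```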

 

AWS API/CLI
In my example video below, I am using the AWS CLI to authenticate via the API and a predefined IAM role. Depending on your organization’s governance of AWS and IAM roles, this role provisioning may vary. For additional information on how to use the AWS CLI, visit: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html

 

 

Working with the Sample Terraform Files
Within the files I provided, you’ll want to edit the main.tf and terraform.tfvars files to input the specific values based on your use case. While these sample files deploy a single publisher into AWS and define a single application within Netskope, they can be used as a base to automate and manage more complex deployments.

 

Once edited, you’ll use the terraform init and terraform apply commands from your command line to deploy the infrastructure.

 

 

Let’s see it in action!

 

 

 

Management after initial deployment

As demonstrated in the video, administrators will need to manually create a new real-time policy or update an existing real-time policy to provide Zero Trust access to the private application created using Terraform. This manual step is required because Netskope does not currently expose real-time policy methods via its REST API. As Netskope’s API matures, the manual steps surrounding real-time policies may be addressable using Terraform.

 

While Terraform can be used for initial deployment, it can also be used for ongoing CRUD (create, update, and delete) operations. Terraform can perform these ongoing operations by keeping track of what has been acted on within the code logic. It is important to decide how and where the publishers and applications created by Terraform will be managed, whether continuing with Terraform or directly in the Netskope UI. Terraform tracks the state of the actions its code performed but is unaware of changes made within the Netskope UI. Attempting to use both Terraform and the Netskope UI for ongoing management of publishers and private applications can lead to an out-of-sync condition within Terraform and cause future updates using Terraform to error or fail.

 

 

Wrapping Up

As you saw in the video, utilizing the new Netskope Terraform provider allows organizations to bring Netskope Private Access into the world of deploying and managing infrastructure as code. Terraform also lets you replace manual deployment and configuration processes that may take 5-10 minutes with an automated process that deploys in a fraction of that time. While this writing focuses on AWS, Netskope also has a Terraform module for GCP and is currently in the process of developing one for VMware vSphere. Keep an eye on the GitHub repository, where I’ll be publishing sample GCP Terraform files shortly.

Matt Frank
Partner Architect for Netskope | Optiv
Matt is Optiv’s Partner Architect for Netskope, specializing in how Optiv helps customers move to a Secure Access Service Edge (SASE) / Security Service Edge (SSE) architecture utilizing Netskope’s platform.
