Streamline your Akamai deployment with production-ready Terraform templates for delivery and security configurations, certificates and more. This repository provides automated, best-practice implementations for such configurations.
For standalone snippets, individual examples, and additional tooling, visit the terraform-examples repository instead.
The contents of this repository enable rapid deployment of Akamai configurations through:
- ✅ Pre-built, validated Terraform modules
- ✅ Automated deployment scripts with built-in validation
- ✅ Multi-environment support (e.g. dev, qa, prod)
- ✅ Drift detection before every deployment
- ✅ Product ID validation for security configurations
- ✅ Integrated activation workflows
System Requirements:
- Terraform >= 1.9.0
- PowerShell 7+ (for deployment automation)
- Akamai PowerShell module 2.2.0
- Git
```text
ps-terraform-templates/
├── deploy.ps1                  # Automated deployment script
├── new-aap-configuration/      # AAP security template
│   ├── environments/           # Support for multiple environments
│   │   ├── dev/
│   │   ├── qa/
│   │   └── prod/
│   ├── main.tf
│   ├── variables.tf
│   └── README.md
├── new-aapasm-configuration/   # AAP+ASM security template
├── new-property/               # Delivery configuration template
├── new-bmp-endpoints/          # Bot Manager Premier template
│   ├── environments/           # Support for multiple environments
│   │   ├── dev/
│   │   ├── qa/
│   │   └── prod/
│   ├── main.tf
│   ├── variables.tf
│   └── README.md
├── new-edns/                   # Edge DNS template
│   ├── backends/               # Environment + zone type backend configs
│   ├── environments/           # Support for multiple environments
│   │   ├── dev/
│   │   ├── qa/
│   │   └── prod/
│   ├── main.tf
│   ├── variables.tf
│   └── README.md
└── README.md
```
Navigate to Akamai Control Center → Identity & Access Management:
- Create an API client with appropriate permissions:
  - Property Manager API (PAPI) (for delivery configurations)
  - Application Security API (for AAP/AAP+ASM)
  - Bot Manager API (for bot management features)
  - Client Lists API (for client lists)
  - Edge DNS API (for DNS zone management)
- Generate credentials: `client_secret`, `access_token`, `client_token`, `host`
For multi-account access, retrieve your account switch key:

```powershell
Get-AccountSwitchKey "<Account Name>"
```

Note: Requires Akamai PowerShell module version >= 2.2.0.
Create or update `~/.edgerc` with your credentials and account switch key:

```ini
[default]
client_secret = your_client_secret
access_token = your_access_token
client_token = your_client_token
host = your_api_host
account_key = your_account_switch_key # Optional, for account switching
```

Clone the repository:

```shell
git clone https://github.com/akamai/terraform-templates.git
cd terraform-templates
```

App & API Protector:
- All AAP features
- Bot Management (BVM/BMS)
- Client Lists
Valid Product IDs: M-LC-169584, M-LC-169585
App & API Protector with Advanced Security Management:
- All AAP features
- Bot Management (BVM/BMS)
- Client Reputation Protection
- Client Lists
Valid Product IDs: M-LC-169586, M-LC-169587
Bot Manager Premier:
- API Definition management (schema + operations)
- Transactional endpoint protection
- Security configuration activation
- Two-phase deployment model (API Definition → Security Config)
Delivery configuration templates for:
- DSA (Dynamic Site Accelerator)
- ION
Certificate Provisioning System for:
- DV SAN Certificate
- Third Party Certificate
Edge DNS zone management:
- Primary zone creation and management (A, AAAA, CNAME, TXT, NS, MX, SRV, CAA, PTR, LOC, SPF, RP)
- Optional SOA management and Akamai authoritative NS discovery
- Secondary zone creation with configurable master servers and optional TSIG authentication
- Safe multi-phase destroy workflow (records emptied, NS/SOA detached, zone destroyed)
The `deploy.ps1` script automates the entire deployment lifecycle with built-in validation:

| Parameter | Description |
|---|---|
| First Argument | Template to deploy: `aap`, `aapasm`, or `pm` |
| `-Env` | Target environment: `dev`, `qa`, `prod`, etc. |
| `-Save` | Save configuration without activation |
| `-ActivateStaging` | Activate to Akamai staging network |
| `-ActivateProduction` | Activate to Akamai production network |
| `-Notes` | Version/activation notes (prompted if not provided) |
| `-Dry` | Show Terraform plan without applying changes |
| `-Force` | Skip the drift-detection prompt and continue automatically |
| `-Destroy` | Deactivate and remove all resources |
| `-Debug` | Enable detailed logging to `akamai_tf.log` |
| `-SkipValidation` | Skip product ID validation |
| `-Help` | Display detailed help information |
| Parameter | Description |
|---|---|
| First Argument | `cps` - Certificate Provisioning System |
| `-CpsType` | Certificate type: `dv-san-cert` or `third-party-cert` |
| `-CreateCert` | Certificate identifier to create |
| `-UploadCert` | Certificate identifier to upload (third-party only) |
| `-DestroyCert` | Certificate identifier to destroy |
| `-Dry` | Show Terraform plan without applying changes |
| `-Force` | Skip the drift-detection prompt and continue automatically |
| `-Debug` | Enable detailed logging to `akamai_tf.log` |
| `-Help` | Display detailed help information |

Note: CPS templates do not use the `-Env`, `-Save`, `-ActivateStaging`, `-ActivateProduction`, `-Notes`, or `-SkipValidation` parameters.
BMP uses a two-phase deployment model. Save and Activate are always separate commands.

| Parameter | Phase | Description |
|---|---|---|
| `bmp` | — | Template type for Bot Manager Premier |
| `-Env` | — | Target environment: `dev`, `qa`, `prod`, etc. |
| `-SaveApi` | Phase 1 | Save the API definition without activating |
| `-ActivateStagingApi` | Phase 1 | Activate API definition to staging. Can combine with `-ActivateProductionApi` |
| `-ActivateProductionApi` | Phase 1 | Activate API definition to production. Can combine with `-ActivateStagingApi` |
| `-SaveSec` | Phase 2 | Save security config (requires Phase 1 activated first) |
| `-ActivateStagingSec` | Phase 2 | Activate security config to staging (requires API activated to staging) |
| `-ActivateProductionSec` | Phase 2 | Activate security config to production (requires API activated to production) |
| `-Notes` | Phase 2 | Version/activation notes (prompted if not provided) |
| `-Dry` | Both | Show Terraform plan without applying changes |
| `-Force` | Both | Skip the drift-detection prompt and continue automatically |
| `-Destroy` | — | Deactivate and remove all BMP resources |
| `-Debug` | Both | Enable detailed logging |
| Parameter | Description |
|---|---|
| First Argument | `edns` - Edge DNS |
| `-Env` | Target environment: `dev`, `qa`, `prod`, etc. |
| `-ZoneType` | DNS zone type: `primary` or `secondary` |
| `-Save` | Save zone configuration without destroying |
| `-Dry` | Show Terraform plan without applying changes |
| `-Force` | Skip the drift-detection prompt and continue automatically |
| `-Destroy` | Safely remove the DNS zone (records cleaned up first) |
| `-Debug` | Enable detailed logging to `akamai_tf.log` |
| `-Help` | Display detailed help information |

Note: EDNS destroy is a 3-phase operation: (1) all DNS records are force-emptied, (2) NS and SOA records are detached from Terraform state to prevent conflicts, (3) the zone itself is destroyed.

Note: EDNS templates do not use the `-ActivateStaging`, `-ActivateProduction`, `-Notes`, or `-SkipValidation` parameters. Drift detection is skipped automatically for EDNS zones, as NS/SOA data sources trigger false-positive drift on every refresh.
Each template has environment-specific configurations in `environments/{env}/{env}.tfvars` (or `environments/{env}/{zone_type}.tfvars` for EDNS):

```hcl
# Common variables
edgerc_path = "~/.edgerc"
edgerc_section = "tf-aap"
environment = "dev"
group_name = "Your-Group-Name"
config_name = "dev-security-config"
hostnames = ["dev.example.com"]

# Enable/disable features
enable_waf = true
enable_botman = true
enable_rate = true
...
```

Further environments can be created by replicating and adjusting each `environments/{env}/{env}.tfvars`.

Refer to each template's `README.md` for detailed configuration options.
```powershell
# Basic syntax
.\deploy.ps1 <template> -Env <environment> [options]

# --- AAP & AAP+ASM ---
# Save configuration without activation
.\deploy.ps1 aap -Env dev -Save -Notes "Initial WAF rules"
# Activate to staging
.\deploy.ps1 aapasm -Env qa -ActivateStaging -Notes "QA validation"
# Activate to production
.\deploy.ps1 aap -Env prod -ActivateProduction -Notes "Production release"
# Activate to both networks
.\deploy.ps1 aapasm -Env prod -ActivateStaging -ActivateProduction
# Dry run (plan only, no changes)
.\deploy.ps1 aap -Env dev -Save -Dry
# Skip product ID validation
.\deploy.ps1 aapasm -Env qa -Save -SkipValidation
# Skip drift-detection prompt
.\deploy.ps1 aap -Env prod -Save -Force

# --- CPS (Certificate Provisioning System) ---
# Create a DV SAN certificate
.\deploy.ps1 cps -CpsType dv-san-cert -CreateCert cert1
# Create a third-party certificate
.\deploy.ps1 cps -CpsType third-party-cert -CreateCert cert1
# Upload a third-party certificate (after creating)
.\deploy.ps1 cps -CpsType third-party-cert -UploadCert cert1
# Destroy a certificate
.\deploy.ps1 cps -CpsType dv-san-cert -DestroyCert cert1

# --- BMP (Bot Manager Premier) ---
# Phase 1: Save the API definition
.\deploy.ps1 bmp -Env dev -SaveApi
# Phase 1: Activate API definition to staging
.\deploy.ps1 bmp -Env dev -ActivateStagingApi
# Phase 1: Activate to both networks simultaneously
.\deploy.ps1 bmp -Env dev -ActivateStagingApi -ActivateProductionApi
# Phase 2: Save the security config (Phase 1 must be activated first)
.\deploy.ps1 bmp -Env dev -SaveSec -Notes "Initial BMP setup"
# Phase 2: Activate security config to staging
.\deploy.ps1 bmp -Env dev -ActivateStagingSec
# Phase 2: Activate security config to production
.\deploy.ps1 bmp -Env dev -ActivateProductionSec
# Destroy all BMP resources
.\deploy.ps1 bmp -Env dev -Destroy

# --- Edge DNS (EDNS) ---
# Create or update a PRIMARY zone in dev
.\deploy.ps1 edns -Env dev -ZoneType primary -Save
# Create or update a SECONDARY zone in qa
.\deploy.ps1 edns -Env qa -ZoneType secondary -Save
# Dry run for a PRIMARY zone
.\deploy.ps1 edns -Env dev -ZoneType primary -Save -Dry
# Safely destroy a SECONDARY zone in qa
.\deploy.ps1 edns -Env qa -ZoneType secondary -Destroy
```

Product validation fails:
```text
Product validation failed: No valid product ID found
```
- Verify your contract has the correct product entitlement.
- Check that `edgerc_section` matches your `.edgerc` configuration.
- Confirm the account switch key is correct.
Terraform init fails:
```text
Error: Failed to query available provider packages
```
- Check internet connectivity.
- Verify Terraform version >= 1.9.0.
- Run `terraform init -upgrade`.
API authentication errors:
```text
Error: API authentication failed
```
- Verify `.edgerc` credentials are correct.
- Check API client permissions in Identity & Access Management.
- Ensure `edgerc_path` in tfvars points to the correct file.
State file conflicts:
- Each environment maintains separate state files
- Never manually edit state files
- Use `terraform state` commands for state management only when necessary
Enable detailed logging:
```powershell
.\deploy.ps1 aap -Env dev -Save -Debug
```

Logs are written to: `environments/{env}/{env}-akamai_tf.log`

For EDNS, the zone type is included in the log filename: `environments/{env}/{env}-{zone_type}-akamai_tf.log` (e.g., `environments/dev/dev-primary-akamai_tf.log`)
This repository uses:

```hcl
terraform {
  required_providers {
    akamai = {
      source  = "akamai/akamai"
      version = "~> 9.0"
    }
  }
  required_version = ">= 1.9.0"
}
```

- ✅ Use meaningful, descriptive variable names
- ✅ Keep modules focused and reusable
- ✅ Document complex logic with inline comments
- ✅ Use `.gitignore` to exclude `.terraform/` and `*.tfstate` files
- ✅ Store state files securely (not in version control)
- ✅ Test in the `dev` environment first
- ✅ Use the `-Dry` flag to preview changes
- ✅ Promote through environments (e.g. dev → qa → prod)
- ✅ Include descriptive activation notes
- ✅ Monitor activations in Control Center
- ✅ Protect `.edgerc` with appropriate file permissions
- ✅ Use separate API credentials per environment when possible
- ✅ Rotate API credentials regularly
- ✅ Never commit credentials to version control
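The troubleshooting entries above (`edgerc_section` must match a section in `.edgerc`, `edgerc_path` must point at the right file) and the `.edgerc` permission item in the list above can be checked offline before running `deploy.ps1`. The following pre-flight checker is an added example, not code from this repository; it assumes only the tfvars and `.edgerc` layouts shown in this README, and the sample inputs in its `__main__` block are constructed.

```python
"""Offline pre-flight check for the tfvars -> .edgerc pairing used by deploy.ps1.
Added example (not part of the repository). Assumes the tfvars keys
edgerc_path / edgerc_section and the INI-style .edgerc shown in the README."""
import configparser
import os
import re
import stat
import tempfile

REQUIRED_KEYS = ("client_secret", "access_token", "client_token", "host")
TFVARS_RE = re.compile(r'^\s*(edgerc_path|edgerc_section)\s*=\s*"([^"]*)"', re.M)


def read_tfvars_edgerc(tfvars_text):
    """Return (edgerc_path, edgerc_section) from a tfvars body, with defaults."""
    found = dict(TFVARS_RE.findall(tfvars_text))
    return found.get("edgerc_path", "~/.edgerc"), found.get("edgerc_section", "default")


def check_edgerc(path, section):
    """Return a list of problems; an empty list means the section is usable."""
    problems = []
    path = os.path.expanduser(path)
    if not os.path.isfile(path):
        return [f"{path}: file not found (check edgerc_path in tfvars)"]
    # Credentials file should be owner-only (0600 on POSIX systems).
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {mode:o} is group/world accessible; use 0600")
    cfg = configparser.ConfigParser()
    cfg.read(path)
    if section not in cfg:
        problems.append(f"section [{section}] missing (edgerc_section must match .edgerc)")
        return problems
    for key in REQUIRED_KEYS:
        if not cfg[section].get(key, "").strip():
            problems.append(f"[{section}] missing or empty {key}")
    return problems


if __name__ == "__main__":
    # Constructed sample tfvars body mirroring the README's dev example.
    tfvars = 'edgerc_path = "~/.edgerc"\nedgerc_section = "tf-aap"\n'
    with tempfile.NamedTemporaryFile("w", suffix=".edgerc", delete=False) as f:
        f.write("[tf-aap]\nclient_secret = s\naccess_token = a\nclient_token = c\nhost = h\n")
        os.chmod(f.name, 0o600)  # constructed file stands in for ~/.edgerc
    _, section = read_tfvars_edgerc(tfvars)
    print(check_edgerc(f.name, section) or "OK")
    os.unlink(f.name)
```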
See CONTRIBUTING.md for guidelines on contributing to this repository.
See CHANGELOG.md for version history and release notes.
Maintained by: Akamai Professional Services - Terraform Templates Team