TerraformPilot

Terraform for Juniper Junos Network Automation

Automate Juniper Junos devices with Terraform: junipernetworks/junos provider, NETCONF, commit-confirmed workflows, and EVPN-VXLAN fabrics.

Luca Berton · 1 min read

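Juniper Junos runs on the MX, QFX, EX, SRX, and PTX platforms. Junos's commit confirmed, which rolls a change back automatically unless it is re-committed within a set number of minutes, is the safest network change model in the industry, and the junipernetworks/junos Terraform provider exposes it cleanly.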

For a multi-vendor overview, see Cisco / Junos / Arista combined automation.

Provider

terraform {
  required_providers {
    junos = {
      source  = "Juniper/junos"
      version = "~> 1.4"
    }
  }
}
 
provider "junos" {
  alias       = "leaf1"
  ip          = var.device_ip
  username    = var.username
  sshkey_file = var.ssh_key
}

VLAN + Interface

resource "junos_vlan" "users" {
  provider = junos.leaf1
  name     = "users"
  vlan_id  = 100
}
 
resource "junos_interface_logical" "ge_0_0_5_0" {
  provider    = junos.leaf1
  name        = "ge-0/0/5.0"
  description = "user-port"

  family_ethernet_switching {
    interface_mode = "access"
    vlan {
      members = ["users"]
    }
  }
}

EVPN VRF

resource "junos_routing_instance" "tenant_blue" {
  provider = junos.leaf1
  name     = "tenant-blue"
  type     = "vrf"
 
  route_distinguisher = "65001:100"
  vrf_target          = "target:65001:100"
}

Commit Confirmed

provider "junos" {
  alias            = "leaf1-confirm"
  ip               = var.device_ip
  username         = var.username
  sshkey_file      = var.ssh_key
  commit_confirmed = 5 # auto-rollback in 5 min if not re-committed
}

Best Practices

  • Always use commit_confirmed in production — saves you from your own typos.
  • Pre-stage configs with commit_check before apply.
  • One Terraform workspace per device or fabric — blast radius matters.
  • Hold the SSH key in HCP Vault Secrets, not on disk.
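
The first best practice can be enforced in CI before any plan runs. The following Python lint is an added example, not code from this article or from the provider project: it reads Terraform source as text (it is not a full HCL parser), finds each provider "junos" block, and reports those without commit_confirmed or with a literal value above a site limit. The function names, the `max_minutes` default of 10 and the sample input are assumptions made for this illustration.

```python
import re

# Constructed sample: trimmed from the two provider blocks in this article.
SAMPLE_TF = '''
provider "junos" {
  alias = "leaf1"
  ip    = var.device_ip
}

provider "junos" {
  alias            = "leaf1-confirm"
  ip               = var.device_ip
  commit_confirmed = 5 # auto-rollback in 5 min if not re-committed
}
'''

BLOCK_START = re.compile(r'^[ \t]*provider\s+"junos"\s*\{', re.M)
# Code part of a line: quoted strings are kept, a # or // outside them ends it.
CODE = re.compile(r'(?:"(?:\\.|[^"\\])*"|/(?!/)|[^"#/])*')
ATTR = re.compile(r'\s*(\w+)\s*=\s*(.+?)\s*$')


def junos_provider_blocks(text):
    """Yield {argument: raw value} for each provider "junos" block in text."""
    for start in BLOCK_START.finditer(text):
        depth, attrs = 1, {}
        for line in text[start.end():].splitlines():
            code = CODE.match(line).group(0)
            found = ATTR.match(code) if depth == 1 else None
            if found:
                attrs[found.group(1)] = found.group(2)
            depth += code.count('{') - code.count('}')
            if depth <= 0:
                break
        yield attrs


def audit(text, max_minutes=10):
    """Return (alias, problem) pairs; max_minutes is an assumed site policy."""
    findings = []
    for attrs in junos_provider_blocks(text):
        alias = attrs.get('alias', '(default)').strip('"')
        value = attrs.get('commit_confirmed')
        if value is None:
            findings.append((alias, 'commit_confirmed not set'))
        elif value.isdigit() and not 1 <= int(value) <= max_minutes:
            findings.append((alias, f'commit_confirmed = {value} outside 1..{max_minutes}'))
    return findings
```

A commented-out `commit_confirmed` line counts as not set, and a value given as an expression such as a variable reference is accepted without being evaluated.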