VNet IQ / Docs

Terraform & the allocation API

Allocate right-sized, non-overlapping CIDRs straight from your pipeline — declaratively with the Terraform provider, or imperatively with the REST allocation API. Both are transactional and idempotent.

Before you start

Plan: Pro Plus or Enterprise. Role: Owner (to create API tokens).

Allocations are carved from a reservation, so create one first. Then everything below allocates child CIDRs from it without ever overlapping what's already deployed.

1. Create an API token

  1. In the left sidebar, open Settings, then click the API Tokens tab.
  2. Click New token.
  3. Give it a name (e.g. terraform-prod), tick the scopes you need, and optionally set an expiry.
  4. Click create, then copy the secret.
The secret is shown once

VNet IQ stores only a hash, so the plaintext token (it starts with vniq_live_) is displayed a single time. Copy it into your secret store immediately. To rotate, create a new token and revoke the old one. Token scopes are reservations:read, allocations:read, allocations:create, and allocations:release.

Plan & role

API tokens are Owner-only and require a Pro Plus or Enterprise plan. The allocation API is on the same tier.

2. Allocate with Terraform

The provider is published on the Terraform Registry as vnetiq/vnetiq. A minimal configuration looks up a reservation by name and carves a child CIDR from it: 

terraform {
  required_providers {
    vnetiq = {
      source  = "vnetiq/vnetiq"
      version = "~> 0.2"
    }
  }
}

provider "vnetiq" {
  api_token = var.vnetiq_api_token   # or set VNETIQ_API_TOKEN; must start with vniq_live_
  # api_url defaults to https://api.vnetiq.com
}

# Look up the parent reservation by name (defaults to status = "active")
data "vnetiq_reservation" "prod" {
  organization_id = var.vnetiq_org_id
  name            = "EU Production Block"
}

# Carve a non-overlapping /22 out of it at `terraform apply`
resource "vnetiq_allocation" "app" {
  organization_id = var.vnetiq_org_id
  reservation_id  = data.vnetiq_reservation.prod.id
  prefix_len      = 22
  label           = "app-tier"
}

output "app_cidr" {
  value = vnetiq_allocation.app.cidr   # e.g. "10.32.4.0/22"
}

Key points: api_token is set on the provider (or via the VNETIQ_API_TOKEN environment variable); organization_id is required on each resource and data source; prefix_len (8–32 in the provider; the REST API accepts 1–32) is the child size you want; and cidr / status are computed outputs. Re-running apply is safe — the provider keys each allocation idempotently.

3. Or call the REST API

Prefer plain HTTP from CI? Allocate against the same endpoint:

curl -X POST \
  "https://api.vnetiq.com/v1/orgs/$ORG_ID/reservations/$RESERVATION_ID/allocations" \
  -H "Authorization: Bearer $VNETIQ_API_TOKEN" \
  -H "Idempotency-Key: $(uuidgen)" \
  -H "Content-Type: application/json" \
  -d '{"prefix_len": 22, "label": "app-tier"}'

# -> 201 {"id":"...","cidr":"10.32.4.0/22","status":"allocated"}

Other endpoints under /v1/orgs/{org}:

  • GET /allocations/{id} — fetch one allocation.
  • GET /reservations/{rid}/allocations — list allocations in a reservation.
  • DELETE /allocations/{id} — release a range (add ?force=true to release one that's already been observed in your cloud).
  • GET /reservations and GET /reservations/{rid} — list / fetch reservations.
Idempotency-Key is required on allocate

Every POST …/allocations must send a unique Idempotency-Key header (1–255 characters — a CI run ID or UUID works well). Replaying the same key returns the same allocation instead of carving a new one, so a retried pipeline never double-allocates. If a reservation is full you get 422 no_space with the largest range still available.

Reservation creation itself stays in the app (owner-controlled) — the token API is scoped to allocating from and releasing within reservations you've already set up.

Ready to try it?

Start free — connect a read-only role and see your whole IP estate.

Start free