ZTP is about provisioning. Can this include configuration as well?
You could argue that provisioning is a form of configuration and, in that sense, provisioning can certainly include configuration. Whether your ZTP solution is good at configuration management is another question.
I would say that the goal of the ZTP system should be to get the device in a state so that it can be handed over to the configuration management system. It might be that you use the same tool for everything. There are rather few tools out there, however, which are a master of all trades.
ZTP can be used internally connecting to an internal provisioning server, and it can be used externally connecting to an external provisioning server. Some commercial products use ZTP in connection with a vendor-controlled cloud-based provisioning server. What are the security risks if a vendor can push data to customer equipment?
Microsoft had a great article many years ago called Ten Immutable Laws of Security, in which one of those laws states that a computer is only as secure as the administrator is trustworthy. I'm not trying to say that the operators behind these solutions are untrustworthy, just that each organization has to take into account who they trust with what.
There will always be security risks involved regardless of what we do. The attack surface will be different against a service like this; on the other hand, it doesn't mean that it is worse than what most companies have today. A cloud-based service can be helpful to set up a new office where you don't have a network in place. However, as mentioned hereinabove, it still requires that the Internet connection uses DHCP, if we want to keep it as a ZTP install that is.
What tools are available to develop a ZTP solution?
If we are talking about creating a custom solution, there are a lot of open source tools that can serve as a base. DHCP will be needed, so ISC DHCP or Kea are good alternatives. For devices that support ZTP using a web server, Nginx could be helpful to serve files, but you can also write your web application using Flask or Django.
I would, however, recommend starting by stepping away from all of the tools and instead looking at the process that you currently use to install devices, not just getting the initial configuration onto the box after it has powered up. Look at what steps need to get done for the new device to work as intended. That the device has the correct configuration is one thing, but it might also mean that it gets added to a network monitoring system. Start by writing down all the steps that need to get done and then look at what tools can solve those problems.
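The answer above mentions serving ZTP files from a web server and writing a small web application for it. The following is an added example, not code from the interview or from any of the tools named there: a minimal ZTP file service on the Python standard library that only serves bootstrap configs for serial numbers in an operator-maintained inventory, logs every unknown request, and attaches an HMAC so the operator can check that the file a device received is the one the server intended to send. The `/config/<serial>` path convention, the inventory, the signing key and the vendor-neutral config template are all constructed for this example.

```python
"""Minimal ZTP file service (added example, standard library only).

Assumptions made for this illustration:
  * devices fetch their bootstrap file from /config/<serial>
  * INVENTORY is the operator's source of truth for expected serials
  * the HMAC header lets a post-install check confirm file integrity
"""
import hashlib
import hmac
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

log = logging.getLogger("ztp")

# Constructed inventory: serial number -> values for the template.
# In a real deployment this comes from the CMDB/IPAM, not a literal.
INVENTORY = {
    "SN-0001-CONSTRUCTED": {"hostname": "branch01-sw1",
                            "mgmt_ip": "10.10.1.2/24", "gateway": "10.10.1.1"},
    "SN-0002-CONSTRUCTED": {"hostname": "branch01-sw2",
                            "mgmt_ip": "10.10.1.3/24", "gateway": "10.10.1.1"},
}

# Constructed key; use a per-deployment secret from a secret store in practice.
SIGNING_KEY = b"replace-with-a-per-deployment-secret"

# Vendor-neutral, constructed bootstrap template.
CONFIG_TEMPLATE = """hostname {hostname}
management address {mgmt_ip}
management gateway {gateway}
"""


def render_config(serial: str):
    """Return the bootstrap config for a known serial, or None if unknown."""
    device = INVENTORY.get(serial)
    if device is None:
        return None
    return CONFIG_TEMPLATE.format(**device)


def sign(body: bytes) -> str:
    """HMAC-SHA256 over the served file, hex encoded."""
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def verify(body: bytes, signature: str) -> bool:
    """Constant-time check of a received file against its HMAC header."""
    return hmac.compare_digest(sign(body), signature)


def handle_request(path: str, client_ip: str):
    """Map a request path to (status, headers, body); unknown serials get 404."""
    parts = urlparse(path).path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "config":
        log.warning("unexpected path %s from %s", path, client_ip)
        return 404, {}, b"not found\n"
    serial = parts[1]
    config = render_config(serial)
    if config is None:
        # A serial that is not in the inventory is worth an alert, not a file.
        log.warning("unknown serial %s from %s", serial, client_ip)
        return 404, {}, b"not found\n"
    body = config.encode()
    log.info("served config for %s (%s) to %s",
             serial, INVENTORY[serial]["hostname"], client_ip)
    return 200, {"Content-Type": "text/plain",
                 "X-Config-HMAC": sign(body)}, body


class ZTPHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = handle_request(self.path, self.client_address[0])
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Route the default access log through the ztp logger.
        log.debug(fmt, *args)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    HTTPServer(("0.0.0.0", 8080), ZTPHandler).serve_forever()
```

Run it and point the DHCP-delivered URL at `http://<server>:8080/config/<serial>`; the warning log lines for unknown serials or unexpected paths are the ones to forward to monitoring, since they show what is talking to the provisioning server that the inventory did not expect.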
Are there any standards yet?
While DHCP and TFTP have been around a long time as regards ZTP, there has, as far as I know, never been a standards discussion specifically about how to provision devices. However, looking into the future, there is an IETF draft called Zero Touch Provisioning for Network Devices (https://ift.tt/2EEblm9) that looks interesting. I wouldn't dare to guess when we might have devices that would support that concept.
How would you start and structure a ZTP project?
I would start by writing down all the manual steps needed to install a new device and integrate it into the network. Hopefully, I would have colleagues to talk to about this as I'm bound to miss some of the steps.
Then, I would look at each task and try to find a solution that could automate that step. If I couldn't get my hands on a tool for a specific part, I would write my own. I would start by trying to solve the easy problems first and be happy even if the ZTP solution would require a few manual steps to begin with and then work from there to improve it.
Thanks to Ivan Pepelnjak (see source)