This deployment type is intended for greenfield/pov/lab purposes. It will deploy a fully functioning sandbox environment in a new VPC with test workload VMs. Full set of resources provisioned listed below, but this will effectively create all network infrastructure dependencies for an AWS environment. Everything from "Base_1cc" deployment type (Creates 1 new VPC with 1 public subnet and 1 private/workload subnet; 1 IGW; 1 NAT Gateway; 1 Amazon Linux 2023 server workload in the private subnet routing to NAT Gateway; 1 Bastion Host in the public subnet assigned an Elastic IP and routing to the IGW; generates local key pair .pem file for ssh access)
Additionally: Creates 4 Cloud Connectors (2 per subnet/AZ) routing to NAT Gateway; Gateway Load Balancer auto registers service IPs to target group with health checks; VPC Endpoint Service; 2 GWLB Endpoints (1 in each Cloud Connector subnet); workload private subnet routes pointing to the GWLB Endpoint in their same AZ
From the examples directory, run the zsec bash script that walks to all required inputs.
- ./zsec up
- enter "greenfield"
- enter "base_cc_gwlb"
- follow the remainder of the authentication and configuration input prompts.
- script will detect client operating system and download/run a specific version of terraform in a temporary bin directory
- inputs will be validated and terraform init/apply will automatically exectute.
- verify all resources that will be created/modified and enter "yes" to confirm
Modify/populate any required variable input values in base_cc_gwlb/terraform.tfvars file and save.
From base_cc_gwlb directory execute:
- terraform init
- terraform apply
From the examples directory, run the zsec bash script that walks to all required inputs.
- ./zsec destroy
From base_cc_gwlb directory execute:
- terraform destroy
| Name | Version |
|---|---|
| terraform | >= 0.13.7, < 2.0.0 |
| aws | >= 5.32.0, <= 5.49.0 |
| local | ~> 2.2.0 |
| null | ~> 3.1.0 |
| random | ~> 3.3.0 |
| tls | ~> 3.4.0 |
| Name | Version |
|---|---|
| aws | >= 5.32.0, <= 5.49.0 |
| local | ~> 2.2.0 |
| null | ~> 3.1.0 |
| random | ~> 3.3.0 |
| tls | ~> 3.4.0 |
| Name | Source | Version |
|---|---|---|
| bastion | ../../modules/terraform-zscc-bastion-aws | n/a |
| cc_iam | ../../modules/terraform-zscc-iam-aws | n/a |
| cc_sg | ../../modules/terraform-zscc-sg-aws | n/a |
| cc_vm | ../../modules/terraform-zscc-ccvm-aws | n/a |
| gwlb | ../../modules/terraform-zscc-gwlb-aws | n/a |
| gwlb_endpoint | ../../modules/terraform-zscc-gwlbendpoint-aws | n/a |
| network | ../../modules/terraform-zscc-network-aws | n/a |
| workload | ../../modules/terraform-zscc-workload-aws | n/a |
| Name | Type |
|---|---|
| aws_key_pair.deployer | resource |
| local_file.private_key | resource |
| local_file.testbed | resource |
| local_file.user_data_file | resource |
| null_resource.cc_error_checker | resource |
| random_string.suffix | resource |
| tls_private_key.key | resource |
| aws_ami.cloudconnector | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| acceptance_required | Whether to require manual acceptance of any VPC Endpoint registration attempts to the Endpoint Service or not. Default is false | bool |
false |
no |
| all_ports_egress_enabled | Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group | bool |
true |
no |
| allowed_principals | List of AWS Principal ARNs who are allowed access to the GWLB Endpoint Service. E.g. ["arn:aws:iam::1234567890:root"]. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests |
list(string) |
[] |
no |
| ami_id | AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc_count index | list(string) |
[ |
no |
| aws_region | The AWS region. | string |
"us-west-2" |
no |
| az_count | Default number of subnets to create based on availability zone | number |
2 |
no |
| bastion_nsg_source_prefix | CIDR blocks of trusted networks for bastion host ssh access | list(string) |
[ |
no |
| byo_kms_key_alias | Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | string |
null |
no |
| cc_count | Default number of Cloud Connector appliances to create | number |
4 |
no |
| cc_instance_size | Cloud Connector Instance size. Determined by and needs to match the Cloud Connector Portal provisioning template configuration | string |
"small" |
no |
| cc_subnets | Cloud Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc_cidr variable. | list(string) |
null |
no |
| cc_vm_prov_url | Zscaler Cloud Connector Provisioning URL | string |
n/a | yes |
| ccvm_instance_type | Cloud Connector Instance Type | string |
"m6i.large" |
no |
| cloud_tags_enabled | Determines whether or not to create the cc_tags_policy IAM Policy and attach it to the CC IAM Role | bool |
false |
no |
| cross_zone_lb_enabled | Determines whether GWLB cross zone load balancing should be enabled or not | bool |
false |
no |
| deregistration_delay | Amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. | number |
0 |
no |
| ebs_encryption_enabled | true/false whether to enable EBS encryption on the root volume. Default is true | bool |
true |
no |
| ebs_volume_type | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | string |
"gp3" |
no |
| flow_stickiness | Options are (Default) 5-tuple (src ip/src port/dest ip/dest port/protocol), 3-tuple (src ip/dest ip/protocol), or 2-tuple (src ip/dest ip) | string |
"5-tuple" |
no |
| gwlb_enabled | Default is true. Workload/Route 53 subnet Route Tables will point to network_interface_id via var.cc_service_enis. If true, Route Tables will point to vpc_endpoint_id via var.gwlb_endpoint_ids input. | bool |
true |
no |
| health_check_interval | Interval for GWLB target group health check probing, in seconds, of Cloud Connector targets. Minimum 5 and maximum 300 seconds | number |
10 |
no |
| healthy_threshold | The number of successful health checks required before an unhealthy target becomes healthy. Minimum 2 and maximum 10 | number |
2 |
no |
| hostname_type | Type of hostname for Amazon EC2 instances | string |
"resource-name" |
no |
| http_probe_port | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | number |
50000 |
no |
| mgmt_ssh_enabled | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | bool |
true |
no |
| name_prefix | The name prefix for all your resources | string |
"zscc" |
no |
| owner_tag | populate custom owner tag attribute | string |
"zscc-admin" |
no |
| public_subnets | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc_cidr variable. | list(string) |
null |
no |
| rebalance_enabled | Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy. true means rebalance. false means no_rebalance. Default: true | bool |
true |
no |
| resource_name_dns_a_record_enabled | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | bool |
false |
no |
| reuse_iam | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | bool |
false |
no |
| reuse_security_group | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | bool |
false |
no |
| secret_name | AWS Secrets Manager Secret Name for Cloud Connector provisioning | string |
n/a | yes |
| support_access_enabled | If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | bool |
true |
no |
| tls_key_algorithm | algorithm for tls_private_key resource | string |
"RSA" |
no |
| unhealthy_threshold | The number of unsuccessful health checks required before an healthy target becomes unhealthy. Minimum 2 and maximum 10 | number |
3 |
no |
| vpc_cidr | VPC IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VPC smaller than /16, you may need to explicitly define all other subnets via public_subnets, workload_subnets, cc_subnets, and route53_subnets variables | string |
"10.1.0.0/16" |
no |
| workload_count | Default number of workload VMs to create | number |
2 |
no |
| workloads_subnets | Workload Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc_cidr variable. | list(string) |
null |
no |
| zssupport_server | destination IP address of Zscaler Support access server. IP resolution of remotesupport.<zscaler_customer_cloud>.net | string |
"199.168.148.101/32" |
no |
| Name | Description |
|---|---|
| testbedconfig | AWS Testbed results |