This deployment type is intended for greenfield/PoV/lab purposes. It deploys a fully functioning sandbox environment in a new VPC with test workload VMs, creating all network infrastructure dependencies for an AWS environment. By default it provisions:
- 1 new VPC with 2 public subnets and 2 Cloud Connector private subnets
- 1 IGW
- 2 NAT Gateways
- Cloud Connector Autoscaling Group + Launch Template spanning all CC subnets, each routing to the NAT Gateway in its own AZ
- a customizable minimum/maximum number of Cloud Connectors and subnets
- a locally generated key pair .pem file for SSH access
- Gateway Load Balancer with instance-based target group and health checks
- VPC Endpoint Service
- 2 GWLB Endpoints (1 in each Cloud Connector subnet)
- workload private subnet routes pointing to the GWLB Endpoint in their own AZ
From the examples directory, run the zsec bash script, which walks you through all required inputs.
- ./zsec up
- enter "greenfield"
- enter "base_cc_gwlb_asg"
- follow the remainder of the authentication and configuration input prompts.
- the script will detect the client operating system and download/run a specific version of terraform in a temporary bin directory
- inputs will be validated and terraform init/apply will execute automatically
- verify all resources that will be created/modified and enter "yes" to confirm
Modify/populate any required variable input values in the base_cc_gwlb_asg/terraform.tfvars file and save.
From base_cc_gwlb_asg directory execute:
- terraform init
- terraform apply
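An illustrative terraform.tfvars for the base_cc_gwlb_asg example, added here and not a file from the Zscaler repository. The provisioning URL, secret name, trusted CIDR and e-mail address are placeholders; the remaining values are the defaults documented in the inputs table, except where a comment marks a setting as tightened for a lab.

```hcl
# terraform.tfvars for examples/base_cc_gwlb_asg (illustrative, not the repo's own file).
# Required inputs (no defaults): replace the placeholders with your own values.
cc_vm_prov_url = "<cloud-connector-provisioning-url>"   # placeholder
secret_name    = "<secrets-manager-secret-name>"        # placeholder

aws_region  = "us-west-2"
name_prefix = "zscc"
owner_tag   = "zscc-admin"
vpc_cidr    = "10.1.0.0/16"   # public, workload and CC subnets are carved from this /16
az_count    = 2

# Autoscaling sizing: keep min_size <= max_size.
min_size              = 2
max_size              = 4
ccvm_instance_type    = "m6i.large"
cc_instance_size      = "small"   # must match the Cloud Connector Portal provisioning template
target_cpu_util_value = 80

# GWLB health checking: interval 5-300 s, thresholds 2-10, deregistration delay 0-3600 s.
health_check_interval = 10
healthy_threshold     = 2
unhealthy_threshold   = 3
deregistration_delay  = 0
flow_stickiness       = "5-tuple"
cross_zone_lb_enabled = false
rebalance_enabled     = true

# Exposure controls (tightened for a lab):
# - bastion SSH only from a trusted range (203.0.113.0/24 is a constructed placeholder)
# - only the named principal may attach endpoints to the GWLB Endpoint Service
bastion_nsg_source_prefix = ["203.0.113.0/24"]
allowed_principals        = ["arn:aws:iam::1234567890:root"]  # example ARN from the inputs table
acceptance_required       = false   # default; true forces manual approval of each connection
mgmt_ssh_enabled          = true    # SSH to the CC management interface from within the VPC only
all_ports_egress_enabled  = true
support_access_enabled    = true

# Storage: keep root-volume encryption on; null selects the AWS managed key.
ebs_encryption_enabled = true
ebs_volume_type        = "gp3"
byo_kms_key_alias      = null

# Autoscaling notifications for the security operations mailbox (constructed address).
sns_enabled    = true
sns_email_list = ["secops@example.com"]
byo_sns_topic  = false

# Lab workloads used to exercise the GWLB path.
workload_count = 2
```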
From the examples directory, run the zsec bash script, which walks you through all required inputs.
- ./zsec destroy
- enter "greenfield"
- enter "base_cc_gwlb_asg"
From base_cc_gwlb_asg directory execute:
- terraform destroy

| Name | Version |
|---|---|
| terraform | >= 0.13.7, < 2.0.0 |
| aws | >= 5.32.0, <= 5.49.0 |
| local | ~> 2.2.0 |
| null | ~> 3.1.0 |
| random | ~> 3.3.0 |
| tls | ~> 3.4.0 |

| Name | Version |
|---|---|
| aws | >= 5.32.0, <= 5.49.0 |
| local | ~> 2.2.0 |
| null | ~> 3.1.0 |
| random | ~> 3.3.0 |
| tls | ~> 3.4.0 |

| Name | Source | Version |
|---|---|---|
| asg_lambda | ../../modules/terraform-zscc-asg-lambda-aws | n/a |
| bastion | ../../modules/terraform-zscc-bastion-aws | n/a |
| cc_asg | ../../modules/terraform-zscc-asg-aws | n/a |
| cc_iam | ../../modules/terraform-zscc-iam-aws | n/a |
| cc_sg | ../../modules/terraform-zscc-sg-aws | n/a |
| gwlb | ../../modules/terraform-zscc-gwlb-aws | n/a |
| gwlb_endpoint | ../../modules/terraform-zscc-gwlbendpoint-aws | n/a |
| network | ../../modules/terraform-zscc-network-aws | n/a |
| workload | ../../modules/terraform-zscc-workload-aws | n/a |

| Name | Type |
|---|---|
| aws_key_pair.deployer | resource |
| local_file.private_key | resource |
| local_file.testbed | resource |
| local_file.user_data_file | resource |
| null_resource.cc_error_checker | resource |
| random_string.suffix | resource |
| tls_private_key.key | resource |
| aws_ami.cloudconnector | data source |

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| acceptance_required | Whether to require manual acceptance of any VPC Endpoint registration attempts to the Endpoint Service. Default is false | `bool` | `false` | no |
| all_ports_egress_enabled | Default is true, which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no |
| allowed_principals | List of AWS Principal ARNs that are allowed access to the GWLB Endpoint Service. E.g. `["arn:aws:iam::1234567890:root"]`. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests | `list(string)` | `[]` | no |
| ami_id | AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID, as templates always pull the latest from AWS Marketplace. This variable is provided if a customer wishes to override/retain an old AMI for existing deployments rather than upgrading and forcing a launch template change | `list(string)` | `[` | no |
| asg_enabled | Determines whether or not to create the cc_autoscale_lifecycle_policy IAM Policy and attach it to the CC IAM Role | `bool` | `true` | no |
| asg_lambda_filename | Name of the lambda zip file without suffix | `string` | `"zscaler_cc_lambda_service"` | no |
| aws_region | The AWS region | `string` | `"us-west-2"` | no |
| az_count | Default number of subnets to create, one per availability zone | `number` | `2` | no |
| bastion_nsg_source_prefix | CIDR blocks of trusted networks for bastion host SSH access | `list(string)` | `[` | no |
| byo_kms_key_alias | Requires var.ebs_encryption_enabled to be true. Set to null by default, which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | `string` | `null` | no |
| byo_sns_topic | Determine whether or not to create an AWS SNS topic and topic subscription for email alerts. Setting this variable to true implies you should also set variable sns_enabled to true | `bool` | `false` | no |
| byo_sns_topic_name | Existing SNS Topic friendly name to be used for autoscaling group notifications | `string` | `""` | no |
| cc_instance_size | Cloud Connector Instance size. Determined by and needs to match the Cloud Connector Portal provisioning template configuration | `string` | `"small"` | no |
| cc_subnets | Cloud Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via the vpc_cidr variable | `list(string)` | `null` | no |
| cc_vm_prov_url | Zscaler Cloud Connector Provisioning URL | `string` | n/a | yes |
| ccvm_instance_type | Cloud Connector Instance Type | `string` | `"m6i.large"` | no |
| cloud_tags_enabled | Determines whether or not to create the cc_tags_policy IAM Policy and attach it to the CC IAM Role | `bool` | `false` | no |
| cross_zone_lb_enabled | Determines whether GWLB cross zone load balancing should be enabled or not | `bool` | `false` | no |
| deregistration_delay | Amount of time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds | `number` | `0` | no |
| ebs_encryption_enabled | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no |
| ebs_volume_type | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no |
| flow_stickiness | Options are (Default) 5-tuple (src ip/src port/dest ip/dest port/protocol), 3-tuple (src ip/dest ip/protocol), or 2-tuple (src ip/dest ip) | `string` | `"5-tuple"` | no |
| gwlb_enabled | Default is true, in which case Workload/Route 53 subnet Route Tables will point to vpc_endpoint_id via the var.gwlb_endpoint_ids input. If false, Route Tables will point to network_interface_id via var.cc_service_enis | `bool` | `true` | no |
| health_check_grace_period | The health check grace period specifies the minimum amount of time (in seconds) to keep a new instance in service before terminating it if it's found to be unhealthy | `number` | `900` | no |
| health_check_interval | Interval for GWLB target group health check probing, in seconds, of Cloud Connector targets. Minimum 5 and maximum 300 seconds | `number` | `10` | no |
| healthy_threshold | The number of successful health checks required before an unhealthy target becomes healthy. Minimum 2 and maximum 10 | `number` | `2` | no |
| hostname_type | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no |
| http_probe_port | Port number for Cloud Connector cloud init to enable the listener port for the HTTP probe from the GWLB Target Group | `number` | `50000` | no |
| instance_warmup | Amount of time, in seconds, until a newly launched instance can contribute to the Amazon CloudWatch metrics. This delay lets an instance finish initializing before Amazon EC2 Auto Scaling aggregates instance metrics, resulting in more reliable usage data. Set this value equal to the amount of time that it takes for resource consumption to become stable after an instance reaches the InService state | `number` | `0` | no |
| launch_template_version | Launch template version. Can be a version number, $Latest or $Default | `string` | `"$Latest"` | no |
| lifecyclehook_instance_launch_wait_time | The maximum amount of time to wait in pending:wait state on instance launch in the warm pool | `number` | `1800` | no |
| lifecyclehook_instance_terminate_wait_time | The maximum amount of time to wait in terminating:wait state on instance termination | `number` | `900` | no |
| max_size | Maximum number of Cloud Connectors to maintain in the Autoscaling group | `number` | `4` | no |
| mgmt_ssh_enabled | Default is true, which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no |
| min_size | Minimum number of Cloud Connectors to maintain in the Autoscaling group | `number` | `2` | no |
| name_prefix | The name prefix for all your resources | `string` | `"zscc"` | no |
| owner_tag | Populate custom owner tag attribute | `string` | `"zscc-admin"` | no |
| protect_from_scale_in | Whether newly launched instances are automatically protected from termination by Amazon EC2 Auto Scaling when scaling in. For more information about preventing instances from terminating on scale in, see Using instance scale-in protection in the Amazon EC2 Auto Scaling User Guide | `bool` | `false` | no |
| public_subnets | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via the vpc_cidr variable | `list(string)` | `null` | no |
| rebalance_enabled | Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy. true means rebalance, false means no_rebalance. Default: true | `bool` | `true` | no |
| resource_name_dns_a_record_enabled | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | `bool` | `false` | no |
| reuse_on_scale_in | Specifies whether instances in the Auto Scaling group can be returned to the warm pool on scale in. Default recommendation is true | `bool` | `true` | no |
| secret_name | AWS Secrets Manager Secret Name for Cloud Connector provisioning | `string` | n/a | yes |
| sns_email_list | List of email addresses to input for SNS topic subscriptions for autoscaling group notifications. Required if the sns_enabled variable is true and byo_sns_topic is false | `list(string)` | `[` | no |
| sns_enabled | Determine whether or not to create autoscaling group notifications. Default is false. If setting this value to true, terraform will also create a new SNS topic and topic subscription | `bool` | `false` | no |
| support_access_enabled | If a Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | `bool` | `true` | no |
| target_cpu_util_value | Target value for the autoscaling policy CPU utilization target tracking, i.e. trigger a scale in/out to keep the average CPU utilization percentage across all instances at/under this number | `number` | `80` | no |
| tls_key_algorithm | Algorithm for the tls_private_key resource | `string` | `"RSA"` | no |
| unhealthy_threshold | The number of unsuccessful health checks required before a healthy target becomes unhealthy. Minimum 2 and maximum 10 | `number` | `3` | no |
| vpc_cidr | VPC IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VPC smaller than /16, you may need to explicitly define all other subnets via the public_subnets, workload_subnets, cc_subnets, and route53_subnets variables | `string` | `"10.1.0.0/16"` | no |
| warm_pool_enabled | If set to true, add a warm pool to the specified Auto Scaling group. See warm_pool | `bool` | `false` | no |
| warm_pool_max_group_prepared_capacity | Specifies the total maximum number of instances that are allowed to be in the warm pool or in any state except Terminated for the Auto Scaling group. Ignored when 'warm_pool_enabled' is false | `number` | `null` | no |
| warm_pool_min_size | Specifies the minimum number of instances to maintain in the warm pool. This helps you to ensure that there is always a certain number of warmed instances available to handle traffic spikes. Ignored when 'warm_pool_enabled' is false | `number` | `0` | no |
| warm_pool_state | Sets the instance state to transition to after the lifecycle hooks finish. Valid values are: Stopped (default) or Running. Ignored when 'warm_pool_enabled' is false | `string` | `"Stopped"` | no |
| workload_count | Default number of workload VMs to create | `number` | `2` | no |
| workloads_subnets | Workload Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via the vpc_cidr variable | `list(string)` | `null` | no |
| zonal_asg_enabled | Controls how many Auto Scaling Groups are created. By default, Terraform will create a single Auto Scaling Group containing multiple subnets/availability zones. Set to true if you would rather create one Auto Scaling Group per subnet/availability zone (var.az_count) | `bool` | `false` | no |
| zssupport_server | Destination IP address of the Zscaler Support access server. IP resolution of `remotesupport.<zscaler_customer_cloud>.net` | `string` | `"199.168.148.101/32"` | no |

| Name | Description |
|---|---|
| testbedconfig | AWS Testbed results |