From 1fabb4681cc69720ed6ba301ee5a4968be7b5541 Mon Sep 17 00:00:00 2001 From: Jameson Molnar Date: Sun, 22 Sep 2024 22:45:14 -0400 Subject: [PATCH] refactor: outbound endpoint security group --- CHANGELOG.md | 13 ++++++++++-- examples/base_1cc_zpa/main.tf | 18 ++++++++--------- examples/base_2cc_zpa/main.tf | 18 ++++++++--------- examples/base_cc_gwlb_asg_zpa/main.tf | 18 ++++++++--------- examples/base_cc_gwlb_zpa/main.tf | 18 ++++++++--------- examples/cc_gwlb/main.tf | 20 +++++++++---------- examples/cc_gwlb_asg/main.tf | 20 +++++++++---------- examples/cc_ha/main.tf | 20 +++++++++---------- modules/terraform-zscc-route53-aws/README.md | 2 +- modules/terraform-zscc-route53-aws/main.tf | 2 +- .../terraform-zscc-route53-aws/variables.tf | 2 +- modules/terraform-zscc-sg-aws/README.md | 10 ++++++++++ 12 files changed, 90 insertions(+), 71 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c2467a..4f43672 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,16 @@ ## UNRELEASED (TBD) ENHANCEMENTS: -* add variable additional_management_security_group_ids to terraform-zscc-ccvm-aws and terraform-zscc-asg-aws - +* Module Changes: + - terraform-zscc-ccvm-aws: + - add variable additional_management_security_group_ids + - terraform-zscc-asg-aws: + - add variable additional_management_security_group_ids + - terraform-zscc-sg-aws: + - add resource aws_security_group.outbound_endpoint_sg + - add variables byo_route53_resolver_outbound_endpoint_group_id and zpa_enabled + - terraform-zscc-route53-aws: + - add variable outbound_endpoint_security_group_ids + - remove default security group usage per AWS best practices ## 1.3.3 (August 30, 2024) ENHANCEMENTS: diff --git a/examples/base_1cc_zpa/main.tf b/examples/base_1cc_zpa/main.tf index 031b1d5..3b8c22b 100755 --- a/examples/base_1cc_zpa/main.tf +++ b/examples/base_1cc_zpa/main.tf 
@@ -203,15 +203,15 @@ module "cc_sg" { # redirection to facilitate Cloud Connector ZPA service. ################################################################################ module "route53" { - source = "../../modules/terraform-zscc-route53-aws" - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - vpc_id = module.network.vpc_id - r53_subnet_ids = module.network.route53_subnet_ids - outbound_endpoint_security_group_id = module.cc_sg.outbound_endpoint_security_group_id - domain_names = var.domain_names - target_address = var.target_address + source = "../../modules/terraform-zscc-route53-aws" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + vpc_id = module.network.vpc_id + r53_subnet_ids = module.network.route53_subnet_ids + outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id + domain_names = var.domain_names + target_address = var.target_address } diff --git a/examples/base_2cc_zpa/main.tf b/examples/base_2cc_zpa/main.tf index 9ee5350..9ceadfd 100755 --- a/examples/base_2cc_zpa/main.tf +++ b/examples/base_2cc_zpa/main.tf 
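Review bot: None of the seven example hunks (this one and those for base_2cc_zpa, base_cc_gwlb_asg_zpa, base_cc_gwlb_zpa, cc_gwlb, cc_gwlb_asg and cc_ha) updates the `module "cc_sg"` call, yet the route53 module now takes its security groups only from `module.cc_sg.outbound_endpoint_security_group_id`. The sg-aws README in this patch documents the new `zpa_enabled` input as defaulting to `false`, so unless cc_sg is already configured elsewhere in each example, the outbound endpoint security group is presumably not created and the value passed here would be empty, which the resolver endpoint would reject at apply time now that the default-security-group fallback has been removed from the route53 module. For the `base_*_zpa` examples I'd add `zpa_enabled = true` to the cc_sg call, and for cc_gwlb, cc_gwlb_asg and cc_ha `zpa_enabled = var.zpa_enabled` so the gate matches the `count` on this module block. The `module "cc_sg"` block itself is outside this hunk.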
@@ -220,15 +220,15 @@ module "cc_lambda" { # redirection to facilitate Cloud Connector ZPA service. ################################################################################ module "route53" { - source = "../../modules/terraform-zscc-route53-aws" - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - vpc_id = module.network.vpc_id - r53_subnet_ids = module.network.route53_subnet_ids - outbound_endpoint_security_group_id = module.cc_sg.outbound_endpoint_security_group_id - domain_names = var.domain_names - target_address = var.target_address + source = "../../modules/terraform-zscc-route53-aws" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + vpc_id = module.network.vpc_id + r53_subnet_ids = module.network.route53_subnet_ids + outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id + domain_names = var.domain_names + target_address = var.target_address } diff --git a/examples/base_cc_gwlb_asg_zpa/main.tf b/examples/base_cc_gwlb_asg_zpa/main.tf index 0e693c4..1e18568 100755 --- a/examples/base_cc_gwlb_asg_zpa/main.tf +++ b/examples/base_cc_gwlb_asg_zpa/main.tf 
@@ -260,15 +260,15 @@ module "gwlb_endpoint" { # redirection to facilitate Cloud Connector ZPA service. ################################################################################ module "route53" { - source = "../../modules/terraform-zscc-route53-aws" - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - vpc_id = module.network.vpc_id - r53_subnet_ids = module.network.route53_subnet_ids - outbound_endpoint_security_group_id = module.cc_sg.outbound_endpoint_security_group_id - domain_names = var.domain_names - target_address = var.target_address + source = "../../modules/terraform-zscc-route53-aws" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + vpc_id = module.network.vpc_id + r53_subnet_ids = module.network.route53_subnet_ids + outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id + domain_names = var.domain_names + target_address = var.target_address } diff --git a/examples/base_cc_gwlb_zpa/main.tf b/examples/base_cc_gwlb_zpa/main.tf index f8f9255..c1f7f4f 100755 --- a/examples/base_cc_gwlb_zpa/main.tf +++ b/examples/base_cc_gwlb_zpa/main.tf 
@@ -243,15 +243,15 @@ module "gwlb_endpoint" { # redirection to facilitate Cloud Connector ZPA service. ################################################################################ module "route53" { - source = "../../modules/terraform-zscc-route53-aws" - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - vpc_id = module.network.vpc_id - r53_subnet_ids = module.network.route53_subnet_ids - outbound_endpoint_security_group_id = module.cc_sg.outbound_endpoint_security_group_id - domain_names = var.domain_names - target_address = var.target_address + source = "../../modules/terraform-zscc-route53-aws" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + vpc_id = module.network.vpc_id + r53_subnet_ids = module.network.route53_subnet_ids + outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id + domain_names = var.domain_names + target_address = var.target_address } diff --git a/examples/cc_gwlb/main.tf b/examples/cc_gwlb/main.tf index 5d3f078..146b2e4 100755 --- a/examples/cc_gwlb/main.tf +++ b/examples/cc_gwlb/main.tf 
@@ -234,16 +234,16 @@ module "gwlb_endpoint" { # This can optionally be enabled/disabled per variable "zpa_enabled". ################################################################################ module "route53" { - count = var.zpa_enabled == true ? 1 : 0 - source = "../../modules/terraform-zscc-route53-aws" - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - vpc_id = module.network.vpc_id - r53_subnet_ids = module.network.route53_subnet_ids - outbound_endpoint_security_group_id = module.cc_sg.outbound_endpoint_security_group_id - domain_names = var.domain_names - target_address = var.target_address + count = var.zpa_enabled == true ? 1 : 0 + source = "../../modules/terraform-zscc-route53-aws" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + vpc_id = module.network.vpc_id + r53_subnet_ids = module.network.route53_subnet_ids + outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id + domain_names = var.domain_names + target_address = var.target_address } diff --git a/examples/cc_gwlb_asg/main.tf b/examples/cc_gwlb_asg/main.tf index 7e680d0..f48dea8 100755 --- a/examples/cc_gwlb_asg/main.tf +++ b/examples/cc_gwlb_asg/main.tf 
@@ -252,16 +252,16 @@ module "gwlb_endpoint" { # This can optionally be enabled/disabled per variable "zpa_enabled". ################################################################################ module "route53" { - count = var.zpa_enabled == true ? 1 : 0 - source = "../../modules/terraform-zscc-route53-aws" - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - vpc_id = module.network.vpc_id - r53_subnet_ids = module.network.route53_subnet_ids - outbound_endpoint_security_group_id = module.cc_sg.outbound_endpoint_security_group_id - domain_names = var.domain_names - target_address = var.target_address + count = var.zpa_enabled == true ? 1 : 0 + source = "../../modules/terraform-zscc-route53-aws" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + vpc_id = module.network.vpc_id + r53_subnet_ids = module.network.route53_subnet_ids + outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id + domain_names = var.domain_names + target_address = var.target_address } diff --git a/examples/cc_ha/main.tf b/examples/cc_ha/main.tf index 24e68dd..544e095 100755 --- a/examples/cc_ha/main.tf +++ b/examples/cc_ha/main.tf 
@@ -224,16 +224,16 @@ module "cc_lambda" { # This can optionally be enabled/disabled per variable "zpa_enabled". ################################################################################ module "route53" { - count = var.zpa_enabled == true ? 1 : 0 - source = "../../modules/terraform-zscc-route53-aws" - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - vpc_id = module.network.vpc_id - r53_subnet_ids = module.network.route53_subnet_ids - outbound_endpoint_security_group_id = module.cc_sg.outbound_endpoint_security_group_id - domain_names = var.domain_names - target_address = var.target_address + count = var.zpa_enabled == true ? 1 : 0 + source = "../../modules/terraform-zscc-route53-aws" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + vpc_id = module.network.vpc_id + r53_subnet_ids = module.network.route53_subnet_ids + outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id + domain_names = var.domain_names + target_address = var.target_address } diff --git a/modules/terraform-zscc-route53-aws/README.md b/modules/terraform-zscc-route53-aws/README.md index a5836ec..eb7754e 100644 --- a/modules/terraform-zscc-route53-aws/README.md +++ b/modules/terraform-zscc-route53-aws/README.md 
@@ -33,7 +33,6 @@ No modules. | [aws_route53_resolver_rule.system](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource | | [aws_route53_resolver_rule_association.r53_rule_association_system](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource | | [aws_route53_resolver_rule_association.r53_rule_association_to_cc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource | -| [aws_security_group.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | ## Inputs @@ -42,6 +41,7 @@ No modules. | [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars step 10 | `map(any)` | n/a | yes | | [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no | | [name\_prefix](#input\_name\_prefix) | A prefix to associate to all Route 53 module resources | `string` | `null` | no | +| [outbound\_endpoint\_security\_group\_ids](#input\_outbound\_endpoint\_security\_group\_ids) | Route53 DNS Resolver Outbound Endpoint Security Group ID | `list(string)` | n/a | yes | | [r53\_subnet\_ids](#input\_r53\_subnet\_ids) | List of Subnet IDs for the Route53 Endpoint | `list(string)` | n/a | yes | | [resource\_tag](#input\_resource\_tag) | A tag to associate to all Route 53 module resources | `string` | `null` | no | | [target\_address](#input\_target\_address) | Route 53 DNS queries will be forwarded to these Zscaler Global VIP addresses | `list(string)` |
[
"185.46.212.88",
"185.46.212.89"
]
| no | diff --git a/modules/terraform-zscc-route53-aws/main.tf b/modules/terraform-zscc-route53-aws/main.tf index 6dc1365..7ed6ada 100755 --- a/modules/terraform-zscc-route53-aws/main.tf +++ b/modules/terraform-zscc-route53-aws/main.tf @@ -5,7 +5,7 @@ resource "aws_route53_resolver_endpoint" "zpa_r53_ep" { name = "${var.name_prefix}-r53-resolver-ep-${var.resource_tag}" direction = "OUTBOUND" - security_group_ids = var.outbound_endpoint_security_group_id + security_group_ids = var.outbound_endpoint_security_group_ids dynamic "ip_address" { for_each = var.r53_subnet_ids diff --git a/modules/terraform-zscc-route53-aws/variables.tf b/modules/terraform-zscc-route53-aws/variables.tf index 21c88b5..bb04c47 100755 --- a/modules/terraform-zscc-route53-aws/variables.tf +++ b/modules/terraform-zscc-route53-aws/variables.tf @@ -26,7 +26,7 @@ variable "r53_subnet_ids" { description = "List of Subnet IDs for the Route53 Endpoint" } -variable "outbound_endpoint_security_group_id" { +variable "outbound_endpoint_security_group_ids" { type = list(string) description = "Route53 DNS Resolver Outbound Endpoint Security Group ID" } diff --git a/modules/terraform-zscc-sg-aws/README.md b/modules/terraform-zscc-sg-aws/README.md index 3b6a29c..34aca00 100644 --- a/modules/terraform-zscc-sg-aws/README.md +++ b/modules/terraform-zscc-sg-aws/README.md 
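Review bot: `security_group_ids` now binds `aws_route53_resolver_endpoint.zpa_r53_ep` exclusively to the caller-supplied groups, which is the right direction given the dropped `aws_security_group.selected` default-SG lookup, but the group this patch wires in carries rules that the sg-aws README hunk lists as `ingress_outbound_endpoint_tcp_all`, `ingress_outbound_endpoint_udp_all`, `egress_outbound_endpoint_tcp_all` and `egress_outbound_endpoint_udp_all`. An outbound resolver endpoint only initiates DNS queries toward `var.target_address`, and security groups are stateful, so inbound rules are not needed for the responses; if those names mean all ports and unrestricted sources, the group is broader than the "AWS best practices" rationale in the CHANGELOG. I'd confirm the rule definitions in terraform-zscc-sg-aws (not in this patch) limit egress to TCP/UDP 53 toward the target resolvers and drop the ingress rules unless a documented flow requires them. The `zpa_r53_ep` resource body continues outside the hunk.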
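Review bot: The description on the renamed `outbound_endpoint_security_group_ids` variable still reads `Route53 DNS Resolver Outbound Endpoint Security Group ID` (singular), and the route53 README hunk reproduces the same text; I'd change it to `description = "List of Security Group IDs to attach to the Route53 DNS Resolver Outbound Endpoint"`. Since the default-security-group fallback was removed from this module in the same patch, an empty list now surfaces only as a provider error at apply time, so a variable validation block would turn that into a plan-time message with a clear cause.
```hcl
variable "outbound_endpoint_security_group_ids" {
  # … unchanged: type = list(string) …
  description = "List of Security Group IDs to attach to the Route53 DNS Resolver Outbound Endpoint"

  validation {
    condition     = length(var.outbound_endpoint_security_group_ids) > 0
    error_message = "At least one security group ID is required for the Route53 Resolver outbound endpoint."
  }
}
```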
@@ -26,6 +26,7 @@ No modules. |------|------| | [aws_security_group.cc_mgmt_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.cc_service_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.outbound_endpoint_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | | [aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | | [aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | 
@@ -34,13 +35,18 @@ No modules. | [aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | | [aws_vpc_security_group_egress_rule.egress_cc_service_udp_123](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | | [aws_vpc_security_group_egress_rule.egress_cc_service_udp_443](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | +| [aws_vpc_security_group_egress_rule.egress_outbound_endpoint_tcp_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | +| [aws_vpc_security_group_egress_rule.egress_outbound_endpoint_udp_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | | [aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | | [aws_vpc_security_group_ingress_rule.ingress_cc_service_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | | [aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | | [aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | | [aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | +| 
[aws_vpc_security_group_ingress_rule.ingress_outbound_endpoint_tcp_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | +| [aws_vpc_security_group_ingress_rule.ingress_outbound_endpoint_udp_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | | [aws_security_group.cc_mgmt_sg_selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | | [aws_security_group.cc_service_sg_selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_security_group.outbound_endpoint_sg_selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | | [aws_vpc.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs 
@@ -49,6 +55,7 @@ No modules. |------|-------------|------|---------|:--------:| | [all\_ports\_egress\_enabled](#input\_all\_ports\_egress\_enabled) | Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no | | [byo\_mgmt\_security\_group\_id](#input\_byo\_mgmt\_security\_group\_id) | Management Security Group ID for Cloud Connector association | `list(string)` | `null` | no | +| [byo\_route53\_resolver\_outbound\_endpoint\_group\_id](#input\_byo\_route53\_resolver\_outbound\_endpoint\_group\_id) | Route53 Resolver Outbound Endpoint Security Group ID | `list(string)` | `null` | no | | [byo\_security\_group](#input\_byo\_security\_group) | Bring your own Security Group for Cloud Connector. Setting this variable to true will effectively instruct this module to not create any resources and only reference data resources from values provided in byo\_mgmt\_security\_group\_id and byo\_service\_security\_group\_id | `bool` | `false` | no | | [byo\_service\_security\_group\_id](#input\_byo\_service\_security\_group\_id) | Service Security Group ID for Cloud Connector association | `list(string)` | `null` | no | | [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no | 
@@ -60,6 +67,7 @@ No modules. | [sg\_count](#input\_sg\_count) | Default number of security groups to create | `number` | `1` | no | | [support\_access\_enabled](#input\_support\_access\_enabled) | If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | `bool` | `true` | no | | [vpc\_id](#input\_vpc\_id) | Cloud Connector VPC ID | `string` | n/a | yes | +| [zpa\_enabled](#input\_zpa\_enabled) | Configure Route 53 Security Group for ZPA DNS redirection | `bool` | `false` | no | | [zssupport\_server](#input\_zssupport\_server) | destination IP address of Zscaler Support access server. IP resolution of remotesupport..net | `string` | `"199.168.148.101/32"` | no | ## Outputs @@ -68,6 +76,8 @@ No modules. |------|-------------| | [mgmt\_security\_group\_arn](#output\_mgmt\_security\_group\_arn) | Instance Management Security Group ARN | | [mgmt\_security\_group\_id](#output\_mgmt\_security\_group\_id) | Instance Management Security Group ID | +| [outbound\_endpoint\_security\_group\_arn](#output\_outbound\_endpoint\_security\_group\_arn) | Route53 DNS Resolver Outbound Endpoint Security Group ARN | +| [outbound\_endpoint\_security\_group\_id](#output\_outbound\_endpoint\_security\_group\_id) | Route53 DNS Resolver Outbound Endpoint Security Group ID | | [service\_security\_group\_arn](#output\_service\_security\_group\_arn) | Instance Service Security Group ARN | | [service\_security\_group\_id](#output\_service\_security\_group\_id) | Instance Service Security Group ID |