From 6cd03a1deccb35d1dd37f93a8e3ba9abc5544118 Mon Sep 17 00:00:00 2001 
From: jmolnar-zscaler <106208217+jmolnar-zscaler@users.noreply.github.com> Date: Fri, 6 Oct 2023 11:48:34 -0400 Subject: [PATCH] feat: add ebs encryption resources and brownfield prompts (#47) * feat: add ebs encryption resources * fix: change default ebs gp3 * refactor: add ebs vars to example templates * chore: add ebs variables to tfvars * feat: add ebs prompts to zsec * feat: add zsec brownfield prompts --- examples/base_1cc/README.md | 3 + examples/base_1cc/main.tf | 4 + examples/base_1cc/terraform.tfvars | 17 +- examples/base_1cc/variables.tf | 18 ++ examples/base_1cc_zpa/README.md | 3 + examples/base_1cc_zpa/main.tf | 3 + examples/base_1cc_zpa/terraform.tfvars | 46 +-- examples/base_1cc_zpa/variables.tf | 18 ++ examples/base_2cc/README.md | 3 + examples/base_2cc/main.tf | 3 + examples/base_2cc/terraform.tfvars | 17 +- examples/base_2cc/variables.tf | 18 ++ examples/base_2cc_zpa/README.md | 3 + examples/base_2cc_zpa/main.tf | 3 + examples/base_2cc_zpa/terraform.tfvars | 45 +-- examples/base_2cc_zpa/variables.tf | 18 ++ examples/base_cc_gwlb/README.md | 3 + examples/base_cc_gwlb/main.tf | 3 + examples/base_cc_gwlb/terraform.tfvars | 17 +- examples/base_cc_gwlb/variables.tf | 18 ++ examples/base_cc_gwlb_asg/README.md | 3 + examples/base_cc_gwlb_asg/main.tf | 3 + examples/base_cc_gwlb_asg/terraform.tfvars | 13 +- examples/base_cc_gwlb_asg/variables.tf | 18 ++ examples/base_cc_gwlb_asg_zpa/README.md | 3 + examples/base_cc_gwlb_asg_zpa/main.tf | 3 + .../base_cc_gwlb_asg_zpa/terraform.tfvars | 41 ++- examples/base_cc_gwlb_asg_zpa/variables.tf | 18 ++ examples/base_cc_gwlb_zpa/README.md | 3 + examples/base_cc_gwlb_zpa/main.tf | 3 + examples/base_cc_gwlb_zpa/terraform.tfvars | 47 +-- examples/base_cc_gwlb_zpa/variables.tf | 18 ++ examples/cc_gwlb/README.md | 3 + examples/cc_gwlb/main.tf | 3 + examples/cc_gwlb/terraform.tfvars | 46 +-- examples/cc_gwlb/variables.tf | 18 ++ examples/cc_gwlb_asg/README.md | 3 + examples/cc_gwlb_asg/main.tf | 3 + 
examples/cc_gwlb_asg/terraform.tfvars | 43 ++- examples/cc_gwlb_asg/variables.tf | 18 ++ examples/cc_ha/README.md | 3 + examples/cc_ha/main.tf | 3 + examples/cc_ha/terraform.tfvars | 49 +-- examples/cc_ha/variables.tf | 18 ++ examples/zsec | 283 +++++++++++++++++- modules/terraform-zscc-asg-aws/README.md | 5 + modules/terraform-zscc-asg-aws/main.tf | 28 ++ modules/terraform-zscc-asg-aws/variables.tf | 18 ++ modules/terraform-zscc-ccvm-aws/README.md | 5 + modules/terraform-zscc-ccvm-aws/main.tf | 27 ++ modules/terraform-zscc-ccvm-aws/variables.tf | 18 ++ 51 files changed, 882 insertions(+), 148 deletions(-) diff --git a/examples/base_1cc/README.md b/examples/base_1cc/README.md index 4c59808b..a5f7937c 100644 --- a/examples/base_1cc/README.md +++ b/examples/base_1cc/README.md @@ -89,11 +89,14 @@ From base_1cc directory execute: | [aws\_region](#input\_aws\_region) | The AWS region. | `string` | `"us-west-2"` | no | | [az\_count](#input\_az\_count) | Default number of subnets to create based on availability zone | `number` | `1` | no | | [bastion\_nsg\_source\_prefix](#input\_bastion\_nsg\_source\_prefix) | CIDR blocks of trusted networks for bastion host ssh access | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [byo\_kms\_key\_alias](#input\_byo\_kms\_key\_alias) | Requires var.ebs\_encryption\_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | `string` | `null` | no | | [cc\_count](#input\_cc\_count) | Default number of Cloud Connector appliances to create | `number` | `1` | no | | [cc\_instance\_size](#input\_cc\_instance\_size) | Cloud Connector Instance size. Determined by and needs to match the Cloud Connector Portal provisioning template configuration | `string` | `"small"` | no | | [cc\_subnets](#input\_cc\_subnets) | Cloud Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [cc\_vm\_prov\_url](#input\_cc\_vm\_prov\_url) | Zscaler Cloud Connector Provisioning URL | `string` | n/a | yes | | [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"m6i.large"` | no | +| [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no | +| [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no | | [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | 
diff --git a/examples/base_1cc/main.tf b/examples/base_1cc/main.tf index d613bbce..2db91990 100755 --- a/examples/base_1cc/main.tf +++ b/examples/base_1cc/main.tf @@ -145,6 +145,10 @@ module "cc_vm" { iam_instance_profile = module.cc_iam.iam_instance_profile_id mgmt_security_group_id = module.cc_sg.mgmt_security_group_id service_security_group_id = module.cc_sg.service_security_group_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias + depends_on = [ local_file.user_data_file, diff --git a/examples/base_1cc/terraform.tfvars b/examples/base_1cc/terraform.tfvars index 519c9a19..6f331988 100755 --- a/examples/base_1cc/terraform.tfvars +++ b/examples/base_1cc/terraform.tfvars @@ -2,11 +2,10 @@ ## Uncomment and change the below variables according to your specific environment ##################################################################################################################### -##### Variables 1-14 are populated automically if terraform is ran via ZSEC bash script. ##### -##### Modifying the variables in this file will override any inputs from ZSEC ##### +##### Variables are populated automically if terraform is ran via ZSEC bash script. ##### +##### Modifying the variables in this file will override any inputs from ZSEC ##### ##################################################################################################################### - ##################################################################################################################### ##### Cloud Init Userdata Provisioning variables ##### ##################################################################################################################### 
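Review bot: The extra empty `+` line inserted before `depends_on` in the base_1cc main.tf hunk is not present in the parallel hunks for base_1cc_zpa, base_2cc, base_2cc_zpa and base_cc_gwlb main.tf, which add the same three arguments without it (hence `+145,10` here against `+147,9` and `+145,9` there). Either drop the blank line here or add it to the sibling files so the module calls stay uniform across the examples. The `module "cc_vm"` block starts and ends outside the hunk.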
@@ -128,3 +127,15 @@ ## Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily. #ami_id = ["ami-123456789"] + +## 16. By default, terraform will configure Cloud Connector with EBS encryption enabled. +## Uncomment if you want to disable ebs encryption. + +#ebs_encryption_enabled = false + +## 17. By default, EBS encryptions is set to null which uses the AWS default managed/master key. +## Set as 'alias/' to use an existing customer KMS key" + +## Note: this variable is only enforced if ebs_encryption_enabled is set to true + +#byo_kms_key_alias = "alias/" \ No newline at end of file diff --git a/examples/base_1cc/variables.tf b/examples/base_1cc/variables.tf index 29deaeb7..33e8dca1 100755 --- a/examples/base_1cc/variables.tf +++ b/examples/base_1cc/variables.tf @@ -180,3 +180,21 @@ variable "all_ports_egress_enabled" { default = true description = "Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group" } + +variable "ebs_volume_type" { + type = string + description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3" + default = "gp3" +} + +variable "ebs_encryption_enabled" { + type = bool + description = "true/false whether to enable EBS encryption on the root volume. Default is true" + default = true +} + +variable "byo_kms_key_alias" { + type = string + description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key" + default = null +} diff --git a/examples/base_1cc_zpa/README.md b/examples/base_1cc_zpa/README.md index fb760a09..2dfa7040 100644 --- a/examples/base_1cc_zpa/README.md +++ b/examples/base_1cc_zpa/README.md 
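Review bot: The new comment block at the end of the hunk carries a stray closing quote in `## Set as 'alias/' to use an existing customer KMS key"` and a grammar slip in `## 17. By default, EBS encryptions is set to null` (it is the variable, not the encryption, that is null); the same block is repeated verbatim in the base_1cc_zpa, base_2cc and base_2cc_zpa terraform.tfvars hunks of this patch. Suggested wording: `## 17. By default, byo_kms_key_alias is null, which uses the AWS managed EBS key.` followed by `## Set to 'alias/<name>' to use an existing customer managed KMS key.`. The rewritten header line `##### Variables are populated automically if terraform is ran via ZSEC bash script.` keeps the `automically` typo from the old line, and this file now ends without a trailing newline (`\ No newline at end of file`) whereas the sibling tfvars files keep one.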
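Review bot: The descriptions added for `ebs_volume_type` and `byo_kms_key_alias` enumerate the accepted values (`standard, gp2, gp3, io1, io2, sc1, or st1`; `alias/...` or null) but neither variable block has a `validation` block, so a mistyped volume type or a bare key id passed where an alias is expected is only caught by the provider at apply time, if at all. Adding `validation` blocks rejects such values at plan time with a clear message, which matters for the key alias in particular since a wrong value there is the difference between encrypting with the intended customer managed key and failing or falling back; this assumes the examples allow a Terraform version that supports variable validation. The identical blocks are added to base_1cc_zpa, base_2cc and base_2cc_zpa variables.tf in this patch (and, per the diffstat, to the remaining examples and both modules), so the same change applies in each. `ebs_encryption_enabled` is a bool and needs none.
```hcl
variable "ebs_volume_type" {
  type        = string
  description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3"
  default     = "gp3"

  validation {
    condition     = contains(["standard", "gp2", "gp3", "io1", "io2", "sc1", "st1"], var.ebs_volume_type)
    error_message = "ebs_volume_type must be one of standard, gp2, gp3, io1, io2, sc1, or st1."
  }
}

# … unchanged: ebs_encryption_enabled …

variable "byo_kms_key_alias" {
  type        = string
  description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key"
  default     = null

  validation {
    condition     = var.byo_kms_key_alias == null || can(regex("^alias/.+", var.byo_kms_key_alias))
    error_message = "byo_kms_key_alias must be null or a KMS alias of the form alias/<name>."
  }
}
```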
@@ -90,12 +90,15 @@ From base_1cc_zpa directory execute: | [aws\_region](#input\_aws\_region) | The AWS region. | `string` | `"us-west-2"` | no | | [az\_count](#input\_az\_count) | Default number of subnets to create based on availability zone | `number` | `1` | no | | [bastion\_nsg\_source\_prefix](#input\_bastion\_nsg\_source\_prefix) | CIDR blocks of trusted networks for bastion host ssh access | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [byo\_kms\_key\_alias](#input\_byo\_kms\_key\_alias) | Requires var.ebs\_encryption\_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | `string` | `null` | no | | [cc\_count](#input\_cc\_count) | Default number of Cloud Connector appliances to create | `number` | `1` | no | | [cc\_instance\_size](#input\_cc\_instance\_size) | Cloud Connector Instance size. Determined by and needs to match the Cloud Connector Portal provisioning template configuration | `string` | `"small"` | no | | [cc\_subnets](#input\_cc\_subnets) | Cloud Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [cc\_vm\_prov\_url](#input\_cc\_vm\_prov\_url) | Zscaler Cloud Connector Provisioning URL | `string` | n/a | yes | | [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"m6i.large"` | no | | [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables | `map(any)` | n/a | yes | +| [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no | +| [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no | | [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. 
If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | diff --git a/examples/base_1cc_zpa/main.tf b/examples/base_1cc_zpa/main.tf index 24d1b447..e6ce17dd 100755 --- a/examples/base_1cc_zpa/main.tf +++ b/examples/base_1cc_zpa/main.tf @@ -147,6 +147,9 @@ module "cc_vm" { iam_instance_profile = module.cc_iam.iam_instance_profile_id mgmt_security_group_id = module.cc_sg.mgmt_security_group_id service_security_group_id = module.cc_sg.service_security_group_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias depends_on = [ local_file.user_data_file, diff --git a/examples/base_1cc_zpa/terraform.tfvars b/examples/base_1cc_zpa/terraform.tfvars index e7f2c1fd..bec25f4d 100755 --- a/examples/base_1cc_zpa/terraform.tfvars +++ b/examples/base_1cc_zpa/terraform.tfvars 
@@ -1,26 +1,10 @@ ## This is only a sample terraform.tfvars file. ## Uncomment and change the below variables according to your specific environment - ##################################################################################################################### -##### ZPA/Route 53 specific variables ##### +##### Variables are populated automically if terraform is ran via ZSEC bash script. ##### +##### Modifying the variables in this file will override any inputs from ZSEC ##### ##################################################################################################################### -## *** Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true -## deployment types where Route53 subnets, Resolver Rules, and Outbound Endpoints are being created. Two example domains are populated to show the -## mapping structure and syntax. ZPA Module will read through each to create a resolver rule per domain_name entry. Ucomment domain_names variable and -## add any additional appsegXX mappings as needed. - -#domain_names = { -# appseg1 = "app1.com" -# appseg2 = "app2.com" -#} - - -##################################################################################################################### -##### Variables 1-14 are populated automically if terraform is ran via ZSEC bash script. ##### -##### Modifying the variables in this file will override any inputs from ZSEC ##### -##################################################################################################################### - ##################################################################################################################### ##### Cloud Init Userdata Provisioning variables ##### 
@@ -143,3 +127,29 @@ ## Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily. #ami_id = ["ami-123456789"] + +## 16. By default, terraform will configure Cloud Connector with EBS encryption enabled. +## Uncomment if you want to disable ebs encryption. + +#ebs_encryption_enabled = false + +## 17. By default, EBS encryptions is set to null which uses the AWS default managed/master key. +## Set as 'alias/' to use an existing customer KMS key" + +## Note: this variable is only enforced if ebs_encryption_enabled is set to true + +#byo_kms_key_alias = "alias/" + + +##################################################################################################################### +##### ZPA/Route 53 specific variables ##### +##################################################################################################################### +## 18. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true +## deployment types where Route53 subnets, Resolver Rules, and Outbound Endpoints are being created. Two example domains are populated to show the +## mapping structure and syntax. ZPA Module will read through each to create a resolver rule per domain_name entry. Ucomment domain_names variable and +## add any additional appsegXX mappings as needed. + +#domain_names = { +# appseg1 = "app1.com" +# appseg2 = "app2.com" +#} diff --git a/examples/base_1cc_zpa/variables.tf b/examples/base_1cc_zpa/variables.tf index 7f1eb3a8..de0ce0fc 100755 --- a/examples/base_1cc_zpa/variables.tf +++ b/examples/base_1cc_zpa/variables.tf 
@@ -203,3 +203,21 @@ variable "all_ports_egress_enabled" { default = true description = "Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group" } + +variable "ebs_volume_type" { + type = string + description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3" + default = "gp3" +} + +variable "ebs_encryption_enabled" { + type = bool + description = "true/false whether to enable EBS encryption on the root volume. Default is true" + default = true +} + +variable "byo_kms_key_alias" { + type = string + description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key" + default = null +} diff --git a/examples/base_2cc/README.md b/examples/base_2cc/README.md index feb208be..087e62a9 100644 --- a/examples/base_2cc/README.md +++ b/examples/base_2cc/README.md @@ -92,11 +92,14 @@ From base_2cc directory execute: | [aws\_region](#input\_aws\_region) | The AWS region. | `string` | `"us-west-2"` | no | | [az\_count](#input\_az\_count) | Default number of subnets to create based on availability zone | `number` | `2` | no | | [bastion\_nsg\_source\_prefix](#input\_bastion\_nsg\_source\_prefix) | CIDR blocks of trusted networks for bastion host ssh access | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [byo\_kms\_key\_alias](#input\_byo\_kms\_key\_alias) | Requires var.ebs\_encryption\_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | `string` | `null` | no | | [cc\_count](#input\_cc\_count) | Default number of Cloud Connector appliances to create | `number` | `2` | no | | [cc\_instance\_size](#input\_cc\_instance\_size) | Cloud Connector Instance size. Determined by and needs to match the Cloud Connector Portal provisioning template configuration | `string` | `"small"` | no | | [cc\_subnets](#input\_cc\_subnets) | Cloud Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [cc\_vm\_prov\_url](#input\_cc\_vm\_prov\_url) | Zscaler Cloud Connector Provisioning URL | `string` | n/a | yes | | [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"m6i.large"` | no | +| [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no | +| [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no | | [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | 
diff --git a/examples/base_2cc/main.tf b/examples/base_2cc/main.tf index 33230187..9e5aa95f 100755 --- a/examples/base_2cc/main.tf +++ b/examples/base_2cc/main.tf @@ -145,6 +145,9 @@ module "cc_vm" { iam_instance_profile = module.cc_iam.iam_instance_profile_id mgmt_security_group_id = module.cc_sg.mgmt_security_group_id service_security_group_id = module.cc_sg.service_security_group_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias depends_on = [ local_file.user_data_file, diff --git a/examples/base_2cc/terraform.tfvars b/examples/base_2cc/terraform.tfvars index 0a19d029..a4f24fb5 100755 --- a/examples/base_2cc/terraform.tfvars +++ b/examples/base_2cc/terraform.tfvars @@ -2,11 +2,10 @@ ## Uncomment and change the below variables according to your specific environment ##################################################################################################################### -##### Variables 1-14 are populated automically if terraform is ran via ZSEC bash script. ##### -##### Modifying the variables in this file will override any inputs from ZSEC ##### +##### Variables are populated automically if terraform is ran via ZSEC bash script. ##### +##### Modifying the variables in this file will override any inputs from ZSEC ##### ##################################################################################################################### - ##################################################################################################################### ##### Cloud Init Userdata Provisioning variables ##### ##################################################################################################################### 
@@ -110,3 +109,15 @@ ## Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily. #ami_id = ["ami-123456789"] + +## 16. By default, terraform will configure Cloud Connector with EBS encryption enabled. +## Uncomment if you want to disable ebs encryption. + +#ebs_encryption_enabled = false + +## 17. By default, EBS encryptions is set to null which uses the AWS default managed/master key. +## Set as 'alias/' to use an existing customer KMS key" + +## Note: this variable is only enforced if ebs_encryption_enabled is set to true + +#byo_kms_key_alias = "alias/" diff --git a/examples/base_2cc/variables.tf b/examples/base_2cc/variables.tf index fa87951e..dd753c05 100755 --- a/examples/base_2cc/variables.tf +++ b/examples/base_2cc/variables.tf @@ -180,3 +180,21 @@ variable "all_ports_egress_enabled" { default = true description = "Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group" } + +variable "ebs_volume_type" { + type = string + description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3" + default = "gp3" +} + +variable "ebs_encryption_enabled" { + type = bool + description = "true/false whether to enable EBS encryption on the root volume. Default is true" + default = true +} + +variable "byo_kms_key_alias" { + type = string + description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key" + default = null +} diff --git a/examples/base_2cc_zpa/README.md b/examples/base_2cc_zpa/README.md index 50592780..dadab004 100644 --- a/examples/base_2cc_zpa/README.md +++ b/examples/base_2cc_zpa/README.md 
@@ -92,12 +92,15 @@ From base_2cc_zpa directory execute: | [aws\_region](#input\_aws\_region) | The AWS region. | `string` | `"us-west-2"` | no | | [az\_count](#input\_az\_count) | Default number of subnets to create based on availability zone | `number` | `2` | no | | [bastion\_nsg\_source\_prefix](#input\_bastion\_nsg\_source\_prefix) | CIDR blocks of trusted networks for bastion host ssh access | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [byo\_kms\_key\_alias](#input\_byo\_kms\_key\_alias) | Requires var.ebs\_encryption\_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | `string` | `null` | no | | [cc\_count](#input\_cc\_count) | Default number of Cloud Connector appliances to create | `number` | `2` | no | | [cc\_instance\_size](#input\_cc\_instance\_size) | Cloud Connector Instance size. Determined by and needs to match the Cloud Connector Portal provisioning template configuration | `string` | `"small"` | no | | [cc\_subnets](#input\_cc\_subnets) | Cloud Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [cc\_vm\_prov\_url](#input\_cc\_vm\_prov\_url) | Zscaler Cloud Connector Provisioning URL | `string` | n/a | yes | | [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"m6i.large"` | no | | [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables | `map(any)` | n/a | yes | +| [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no | +| [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no | | [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. 
If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | diff --git a/examples/base_2cc_zpa/main.tf b/examples/base_2cc_zpa/main.tf index fe033996..42c3e94b 100755 --- a/examples/base_2cc_zpa/main.tf +++ b/examples/base_2cc_zpa/main.tf @@ -146,6 +146,9 @@ module "cc_vm" { iam_instance_profile = module.cc_iam.iam_instance_profile_id mgmt_security_group_id = module.cc_sg.mgmt_security_group_id service_security_group_id = module.cc_sg.service_security_group_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias depends_on = [ local_file.user_data_file, diff --git a/examples/base_2cc_zpa/terraform.tfvars b/examples/base_2cc_zpa/terraform.tfvars index c9ce902c..b803897c 100755 --- a/examples/base_2cc_zpa/terraform.tfvars +++ b/examples/base_2cc_zpa/terraform.tfvars 
@@ -1,27 +1,11 @@ ## This is only a sample terraform.tfvars file. ## Uncomment and change the below variables according to your specific environment - -##################################################################################################################### -##### ZPA/Route 53 specific variables ##### -##################################################################################################################### -## *** Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true -## deployment types where Route53 subnets, Resolver Rules, and Outbound Endpoints are being created. Two example domains are populated to show the -## mapping structure and syntax. ZPA Module will read through each to create a resolver rule per domain_name entry. Ucomment domain_names variable and -## add any additional appsegXX mappings as needed. - -#domain_names = { -# appseg1 = "app1.com" -# appseg2 = "app2.com" -#} - - ##################################################################################################################### -##### Variables 1-14 are populated automically if terraform is ran via ZSEC bash script. ##### -##### Modifying the variables in this file will override any inputs from ZSEC ##### +##### Variables are populated automically if terraform is ran via ZSEC bash script. ##### +##### Modifying the variables in this file will override any inputs from ZSEC ##### ##################################################################################################################### - ##################################################################################################################### ##### Cloud Init Userdata Provisioning variables ##### ##################################################################################################################### 
@@ -143,3 +127,28 @@ ## Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily. #ami_id = ["ami-123456789"] + +## 16. By default, terraform will configure Cloud Connector with EBS encryption enabled. +## Uncomment if you want to disable ebs encryption. + +#ebs_encryption_enabled = false + +## 17. By default, EBS encryptions is set to null which uses the AWS default managed/master key. +## Set as 'alias/' to use an existing customer KMS key" + +## Note: this variable is only enforced if ebs_encryption_enabled is set to true + +#byo_kms_key_alias = "alias/" + +##################################################################################################################### +##### ZPA/Route 53 specific variables ##### +##################################################################################################################### +## 18. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true +## deployment types where Route53 subnets, Resolver Rules, and Outbound Endpoints are being created. Two example domains are populated to show the +## mapping structure and syntax. ZPA Module will read through each to create a resolver rule per domain_name entry. Ucomment domain_names variable and +## add any additional appsegXX mappings as needed. + +#domain_names = { +# appseg1 = "app1.com" +# appseg2 = "app2.com" +#} diff --git a/examples/base_2cc_zpa/variables.tf b/examples/base_2cc_zpa/variables.tf index 5f32403d..2d66afe2 100755 --- a/examples/base_2cc_zpa/variables.tf +++ b/examples/base_2cc_zpa/variables.tf 
@@ -203,3 +203,21 @@ variable "all_ports_egress_enabled" { default = true description = "Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group" } + +variable "ebs_volume_type" { + type = string + description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3" + default = "gp3" +} + +variable "ebs_encryption_enabled" { + type = bool + description = "true/false whether to enable EBS encryption on the root volume. Default is true" + default = true +} + +variable "byo_kms_key_alias" { + type = string + description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key" + default = null +} diff --git a/examples/base_cc_gwlb/README.md b/examples/base_cc_gwlb/README.md index e85b47a8..23cf2d66 100644 --- a/examples/base_cc_gwlb/README.md +++ b/examples/base_cc_gwlb/README.md @@ -92,6 +92,7 @@ From base_cc_gwlb directory execute: | [aws\_region](#input\_aws\_region) | The AWS region. | `string` | `"us-west-2"` | no | | [az\_count](#input\_az\_count) | Default number of subnets to create based on availability zone | `number` | `2` | no | | [bastion\_nsg\_source\_prefix](#input\_bastion\_nsg\_source\_prefix) | CIDR blocks of trusted networks for bastion host ssh access | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [byo\_kms\_key\_alias](#input\_byo\_kms\_key\_alias) | Requires var.ebs\_encryption\_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | `string` | `null` | no | | [cc\_count](#input\_cc\_count) | Default number of Cloud Connector appliances to create | `number` | `4` | no | | [cc\_instance\_size](#input\_cc\_instance\_size) | Cloud Connector Instance size. Determined by and needs to match the Cloud Connector Portal provisioning template configuration | `string` | `"small"` | no | | [cc\_subnets](#input\_cc\_subnets) | Cloud Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | 
@@ -99,6 +100,8 @@ From base_cc_gwlb directory execute:
 | [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"m6i.large"` | no |
 | [cross\_zone\_lb\_enabled](#input\_cross\_zone\_lb\_enabled) | Determines whether GWLB cross zone load balancing should be enabled or not | `bool` | `false` | no |
 | [deregistration\_delay](#input\_deregistration\_delay) | Amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. | `number` | `0` | no |
+| [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no |
+| [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no |
 | [flow\_stickiness](#input\_flow\_stickiness) | Options are (Default) 5-tuple (src ip/src port/dest ip/dest port/protocol), 3-tuple (src ip/dest ip/protocol), or 2-tuple (src ip/dest ip) | `string` | `"5-tuple"` | no |
 | [gwlb\_enabled](#input\_gwlb\_enabled) | Default is true. Workload/Route 53 subnet Route Tables will point to network\_interface\_id via var.cc\_service\_enis. If true, Route Tables will point to vpc\_endpoint\_id via var.gwlb\_endpoint\_ids input. | `bool` | `true` | no |
 | [health\_check\_interval](#input\_health\_check\_interval) | Interval for GWLB target group health check probing, in seconds, of Cloud Connector targets. Minimum 5 and maximum 300 seconds | `number` | `10` | no |
diff --git a/examples/base_cc_gwlb/main.tf b/examples/base_cc_gwlb/main.tf
index cdebc766..9c8bd429 100755
--- a/examples/base_cc_gwlb/main.tf
+++ b/examples/base_cc_gwlb/main.tf
@@ -146,6 +146,9 @@ module "cc_vm" {
 iam_instance_profile = module.cc_iam.iam_instance_profile_id
 mgmt_security_group_id = module.cc_sg.mgmt_security_group_id
 service_security_group_id = module.cc_sg.service_security_group_id
+ ebs_volume_type = var.ebs_volume_type
+ ebs_encryption_enabled = var.ebs_encryption_enabled
+ byo_kms_key_alias = var.byo_kms_key_alias
 depends_on = [
 local_file.user_data_file,
diff --git a/examples/base_cc_gwlb/terraform.tfvars b/examples/base_cc_gwlb/terraform.tfvars
index 1a893f18..321c90e9 100755
--- a/examples/base_cc_gwlb/terraform.tfvars
+++ b/examples/base_cc_gwlb/terraform.tfvars
@@ -2,11 +2,10 @@
 ## Uncomment and change the below variables according to your specific environment
 #####################################################################################################################
-##### Variables 1-21 are populated automically if terraform is ran via ZSEC bash script. #####
-##### Modifying the variables in this file will override any inputs from ZSEC #####
+##### Variables are populated automically if terraform is ran via ZSEC bash script. #####
+##### Modifying the variables in this file will override any inputs from ZSEC #####
 #####################################################################################################################
-
 #####################################################################################################################
 ##### Cloud Init Userdata Provisioning variables #####
 #####################################################################################################################
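Review bot: The rewritten banner line `+##### Variables are populated automically if terraform is ran via ZSEC bash script. #####` carries the typo `automically` (and `is ran`) forward from the line it replaces; since the line is being edited anyway, `##### Variables are populated automatically if terraform is run via the ZSEC bash script. #####` fixes both. The same banner is rewritten in the terraform.tfvars hunks for base_cc_gwlb_asg_zpa, base_cc_gwlb_zpa and cc_gwlb later in this patch.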
@@ -169,3 +168,15 @@
 ## Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily.
 #ami_id = ["ami-123456789"]
+
+## 23. By default, terraform will configure Cloud Connector with EBS encryption enabled.
+## Uncomment if you want to disable ebs encryption.
+
+#ebs_encryption_enabled = false
+
+## 24. By default, EBS encryptions is set to null which uses the AWS default managed/master key.
+## Set as 'alias/' to use an existing customer KMS key"
+
+## Note: this variable is only enforced if ebs_encryption_enabled is set to true
+
+#byo_kms_key_alias = "alias/"
diff --git a/examples/base_cc_gwlb/variables.tf b/examples/base_cc_gwlb/variables.tf
index 705bb5b6..aa658277 100755
--- a/examples/base_cc_gwlb/variables.tf
+++ b/examples/base_cc_gwlb/variables.tf
@@ -249,3 +249,21 @@ variable "all_ports_egress_enabled" {
 default = true
 description = "Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group"
 }
+
+variable "ebs_volume_type" {
+ type = string
+ description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3"
+ default = "gp3"
+}
+
+variable "ebs_encryption_enabled" {
+ type = bool
+ description = "true/false whether to enable EBS encryption on the root volume. Default is true"
+ default = true
+}
+
+variable "byo_kms_key_alias" {
+ type = string
+ description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key"
+ default = null
+}
diff --git a/examples/base_cc_gwlb_asg/README.md b/examples/base_cc_gwlb_asg/README.md
index 9a978791..110f8900 100644
--- a/examples/base_cc_gwlb_asg/README.md
+++ b/examples/base_cc_gwlb_asg/README.md
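Review bot: The added comment `## 24. By default, EBS encryptions is set to null which uses the AWS default managed/master key.` describes the wrong variable: encryption defaults to `true` (comment 23), and it is `byo_kms_key_alias` that defaults to `null`; `## 24. By default, byo_kms_key_alias is null, which uses the AWS default managed key for EBS encryption.` says what the code does. The following line ends with a stray quote and the example value `"alias/"` is a bare prefix, so `## Set to "alias/<your-key-alias>" to use an existing customer managed KMS key` and `#byo_kms_key_alias = "alias/<your-key-alias>"` would make the expected form explicit. The same lines are added to the terraform.tfvars of base_cc_gwlb_asg, base_cc_gwlb_asg_zpa, base_cc_gwlb_zpa and cc_gwlb in this patch.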
@@ -95,6 +95,7 @@ From base_cc_gwlb_asg directory execute:
 | [aws\_region](#input\_aws\_region) | The AWS region. | `string` | `"us-west-2"` | no |
 | [az\_count](#input\_az\_count) | Default number of subnets to create based on availability zone | `number` | `2` | no |
 | [bastion\_nsg\_source\_prefix](#input\_bastion\_nsg\_source\_prefix) | CIDR blocks of trusted networks for bastion host ssh access | `list(string)` |
[
"0.0.0.0/0"
]
| no |
+| [byo\_kms\_key\_alias](#input\_byo\_kms\_key\_alias) | Requires var.ebs\_encryption\_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | `string` | `null` | no |
 | [byo\_sns\_topic](#input\_byo\_sns\_topic) | Determine whether or not to create an AWS SNS topic and topic subscription for email alerts. Setting this variable to true implies you should also set variable sns\_enabled to true | `bool` | `false` | no |
 | [byo\_sns\_topic\_name](#input\_byo\_sns\_topic\_name) | Existing SNS Topic friendly name to be used for autoscaling group notifications | `string` | `""` | no |
 | [cc\_instance\_size](#input\_cc\_instance\_size) | Cloud Connector Instance size. Determined by and needs to match the Cloud Connector Portal provisioning template configuration | `string` | `"small"` | no |
@@ -103,6 +104,8 @@ From base_cc_gwlb_asg directory execute:
 | [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"m6i.large"` | no |
 | [cross\_zone\_lb\_enabled](#input\_cross\_zone\_lb\_enabled) | Determines whether GWLB cross zone load balancing should be enabled or not | `bool` | `false` | no |
 | [deregistration\_delay](#input\_deregistration\_delay) | Amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. | `number` | `0` | no |
+| [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no |
+| [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no |
 | [flow\_stickiness](#input\_flow\_stickiness) | Options are (Default) 5-tuple (src ip/src port/dest ip/dest port/protocol), 3-tuple (src ip/dest ip/protocol), or 2-tuple (src ip/dest ip) | `string` | `"5-tuple"` | no |
 | [gwlb\_enabled](#input\_gwlb\_enabled) | Default is true. Workload/Route 53 subnet Route Tables will point to network\_interface\_id via var.cc\_service\_enis. If true, Route Tables will point to vpc\_endpoint\_id via var.gwlb\_endpoint\_ids input. | `bool` | `true` | no |
 | [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | The amount of time until EC2 Auto Scaling performs the first health check on new instances after they are put into service. With lifecycle hooks it is immediate. Otheriwse Default is 15 minutes | `number` | `0` | no |
diff --git a/examples/base_cc_gwlb_asg/main.tf b/examples/base_cc_gwlb_asg/main.tf
index 43c36796..81d45221 100755
--- a/examples/base_cc_gwlb_asg/main.tf
+++ b/examples/base_cc_gwlb_asg/main.tf
@@ -145,6 +145,9 @@ module "cc_asg" {
 mgmt_security_group_id = module.cc_sg.mgmt_security_group_id
 service_security_group_id = module.cc_sg.service_security_group_id
 ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id
+ ebs_volume_type = var.ebs_volume_type
+ ebs_encryption_enabled = var.ebs_encryption_enabled
+ byo_kms_key_alias = var.byo_kms_key_alias
 max_size = var.max_size
 min_size = var.min_size
diff --git a/examples/base_cc_gwlb_asg/terraform.tfvars b/examples/base_cc_gwlb_asg/terraform.tfvars
index 7b4257f4..d689ca60 100755
--- a/examples/base_cc_gwlb_asg/terraform.tfvars
+++ b/examples/base_cc_gwlb_asg/terraform.tfvars
@@ -6,7 +6,6 @@
 ##### Modifying the variables in this file will override any inputs from ZSEC #####
 #####################################################################################################################
-
 #####################################################################################################################
 ##### Cloud Init Userdata Provisioning variables #####
 #####################################################################################################################
@@ -188,3 +187,15 @@
 ## traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports.
 #all_ports_egress_enabled = false
+
+## 32. By default, terraform will configure Cloud Connector with EBS encryption enabled.
+## Uncomment if you want to disable ebs encryption.
+
+#ebs_encryption_enabled = false
+
+## 33. By default, EBS encryptions is set to null which uses the AWS default managed/master key.
+## Set as 'alias/' to use an existing customer KMS key"
+
+## Note: this variable is only enforced if ebs_encryption_enabled is set to true
+
+#byo_kms_key_alias = "alias/"
diff --git a/examples/base_cc_gwlb_asg/variables.tf b/examples/base_cc_gwlb_asg/variables.tf
index a85b31f9..15dec387 100755
--- a/examples/base_cc_gwlb_asg/variables.tf
+++ b/examples/base_cc_gwlb_asg/variables.tf
@@ -231,6 +231,24 @@ variable "ami_id" {
 default = [""]
 }
+variable "ebs_volume_type" {
+ type = string
+ description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3"
+ default = "gp3"
+}
+
+variable "ebs_encryption_enabled" {
+ type = bool
+ description = "true/false whether to enable EBS encryption on the root volume. Default is true"
+ default = true
+}
+
+variable "byo_kms_key_alias" {
+ type = string
+ description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key"
+ default = null
+}
+
 # ASG specific variables
 variable "min_size" {
 type = number
diff --git a/examples/base_cc_gwlb_asg_zpa/README.md b/examples/base_cc_gwlb_asg_zpa/README.md
index 67db2084..12c77371 100644
--- a/examples/base_cc_gwlb_asg_zpa/README.md
+++ b/examples/base_cc_gwlb_asg_zpa/README.md
@@ -96,6 +96,7 @@ From base_cc_gwlb_asg_zpa directory execute:
 | [aws\_region](#input\_aws\_region) | The AWS region. | `string` | `"us-west-2"` | no |
 | [az\_count](#input\_az\_count) | Default number of subnets to create based on availability zone | `number` | `2` | no |
 | [bastion\_nsg\_source\_prefix](#input\_bastion\_nsg\_source\_prefix) | CIDR blocks of trusted networks for bastion host ssh access | `list(string)` |
[
"0.0.0.0/0"
]
| no |
+| [byo\_kms\_key\_alias](#input\_byo\_kms\_key\_alias) | Requires var.ebs\_encryption\_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | `string` | `null` | no |
 | [byo\_sns\_topic](#input\_byo\_sns\_topic) | Determine whether or not to create an AWS SNS topic and topic subscription for email alerts. Setting this variable to true implies you should also set variable sns\_enabled to true | `bool` | `false` | no |
 | [byo\_sns\_topic\_name](#input\_byo\_sns\_topic\_name) | Existing SNS Topic friendly name to be used for autoscaling group notifications | `string` | `""` | no |
 | [cc\_instance\_size](#input\_cc\_instance\_size) | Cloud Connector Instance size. Determined by and needs to match the Cloud Connector Portal provisioning template configuration | `string` | `"small"` | no |
@@ -105,6 +106,8 @@ From base_cc_gwlb_asg_zpa directory execute:
 | [cross\_zone\_lb\_enabled](#input\_cross\_zone\_lb\_enabled) | Determines whether GWLB cross zone load balancing should be enabled or not | `bool` | `false` | no |
 | [deregistration\_delay](#input\_deregistration\_delay) | Amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. | `number` | `0` | no |
 | [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables | `map(any)` | n/a | yes |
+| [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no |
+| [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no |
 | [flow\_stickiness](#input\_flow\_stickiness) | Options are (Default) 5-tuple (src ip/src port/dest ip/dest port/protocol), 3-tuple (src ip/dest ip/protocol), or 2-tuple (src ip/dest ip) | `string` | `"5-tuple"` | no |
 | [gwlb\_enabled](#input\_gwlb\_enabled) | Default is true. Workload/Route 53 subnet Route Tables will point to network\_interface\_id via var.cc\_service\_enis. If true, Route Tables will point to vpc\_endpoint\_id via var.gwlb\_endpoint\_ids input. | `bool` | `true` | no |
 | [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | The amount of time until EC2 Auto Scaling performs the first health check on new instances after they are put into service. With lifecycle hooks it is immediate. Otheriwse Default is 15 minutes | `number` | `0` | no |
diff --git a/examples/base_cc_gwlb_asg_zpa/main.tf b/examples/base_cc_gwlb_asg_zpa/main.tf
index 9a76a1b2..b76bd025 100755
--- a/examples/base_cc_gwlb_asg_zpa/main.tf
+++ b/examples/base_cc_gwlb_asg_zpa/main.tf
@@ -147,6 +147,9 @@ module "cc_asg" {
 mgmt_security_group_id = module.cc_sg.mgmt_security_group_id
 service_security_group_id = module.cc_sg.service_security_group_id
 ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id
+ ebs_volume_type = var.ebs_volume_type
+ ebs_encryption_enabled = var.ebs_encryption_enabled
+ byo_kms_key_alias = var.byo_kms_key_alias
 max_size = var.max_size
 min_size = var.min_size
diff --git a/examples/base_cc_gwlb_asg_zpa/terraform.tfvars b/examples/base_cc_gwlb_asg_zpa/terraform.tfvars
index 4fdd586d..aa488a05 100755
--- a/examples/base_cc_gwlb_asg_zpa/terraform.tfvars
+++ b/examples/base_cc_gwlb_asg_zpa/terraform.tfvars
@@ -1,26 +1,11 @@
 ## This is only a sample terraform.tfvars file.
 ## Uncomment and change the below variables according to your specific environment
-#####################################################################################################################
-##### ZPA/Route 53 specific variables #####
-#####################################################################################################################
-## *** Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true
-## deployment types where Route53 subnets, Resolver Rules, and Outbound Endpoints are being created. Two example domains are populated to show the
-## mapping structure and syntax. ZPA Module will read through each to create a resolver rule per domain_name entry. Ucomment domain_names variable and
-## add any additional appsegXX mappings as needed.
-
-#domain_names = {
-# appseg1 = "app1.com"
-# appseg2 = "app2.com"
-#}
-
-
 #####################################################################################################################
 ##### Variables are populated automically if terraform is ran via ZSEC bash script. #####
 ##### Modifying the variables in this file will override any inputs from ZSEC #####
 #####################################################################################################################
-
 #####################################################################################################################
 ##### Cloud Init Userdata Provisioning variables #####
 #####################################################################################################################
@@ -202,3 +187,29 @@
 ## traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports.
 #all_ports_egress_enabled = false
+
+## 32. By default, terraform will configure Cloud Connector with EBS encryption enabled.
+## Uncomment if you want to disable ebs encryption.
+
+#ebs_encryption_enabled = false
+
+## 33. By default, EBS encryptions is set to null which uses the AWS default managed/master key.
+## Set as 'alias/' to use an existing customer KMS key"
+
+## Note: this variable is only enforced if ebs_encryption_enabled is set to true
+
+#byo_kms_key_alias = "alias/"
+
+
+#####################################################################################################################
+##### ZPA/Route 53 specific variables #####
+#####################################################################################################################
+## 34. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true
+## deployment types where Route53 subnets, Resolver Rules, and Outbound Endpoints are being created. Two example domains are populated to show the
+## mapping structure and syntax. ZPA Module will read through each to create a resolver rule per domain_name entry. Ucomment domain_names variable and
+## add any additional appsegXX mappings as needed.
+
+#domain_names = {
+# appseg1 = "app1.com"
+# appseg2 = "app2.com"
+#}
diff --git a/examples/base_cc_gwlb_asg_zpa/variables.tf b/examples/base_cc_gwlb_asg_zpa/variables.tf
index edd49e7b..898d2c84 100755
--- a/examples/base_cc_gwlb_asg_zpa/variables.tf
+++ b/examples/base_cc_gwlb_asg_zpa/variables.tf
@@ -243,6 +243,24 @@ variable "ami_id" {
 default = [""]
 }
+variable "ebs_volume_type" {
+ type = string
+ description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3"
+ default = "gp3"
+}
+
+variable "ebs_encryption_enabled" {
+ type = bool
+ description = "true/false whether to enable EBS encryption on the root volume. Default is true"
+ default = true
+}
+
+variable "byo_kms_key_alias" {
+ type = string
+ description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key"
+ default = null
+}
+
 # ASG specific variables
 variable "min_size" {
 type = number
diff --git a/examples/base_cc_gwlb_zpa/README.md b/examples/base_cc_gwlb_zpa/README.md
index c4b6a1e6..3dd9c18a 100644
--- a/examples/base_cc_gwlb_zpa/README.md
+++ b/examples/base_cc_gwlb_zpa/README.md
@@ -93,6 +93,7 @@ From base_cc_gwlb_zpa directory execute:
 | [aws\_region](#input\_aws\_region) | The AWS region. | `string` | `"us-west-2"` | no |
 | [az\_count](#input\_az\_count) | Default number of subnets to create based on availability zone | `number` | `2` | no |
 | [bastion\_nsg\_source\_prefix](#input\_bastion\_nsg\_source\_prefix) | CIDR blocks of trusted networks for bastion host ssh access | `list(string)` |
[
"0.0.0.0/0"
]
| no |
+| [byo\_kms\_key\_alias](#input\_byo\_kms\_key\_alias) | Requires var.ebs\_encryption\_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | `string` | `null` | no |
 | [cc\_count](#input\_cc\_count) | Default number of Cloud Connector appliances to create | `number` | `4` | no |
 | [cc\_instance\_size](#input\_cc\_instance\_size) | Cloud Connector Instance size. Determined by and needs to match the Cloud Connector Portal provisioning template configuration | `string` | `"small"` | no |
 | [cc\_subnets](#input\_cc\_subnets) | Cloud Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
@@ -101,6 +102,8 @@ From base_cc_gwlb_zpa directory execute:
 | [cross\_zone\_lb\_enabled](#input\_cross\_zone\_lb\_enabled) | Determines whether GWLB cross zone load balancing should be enabled or not | `bool` | `false` | no |
 | [deregistration\_delay](#input\_deregistration\_delay) | Amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. | `number` | `0` | no |
 | [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables | `map(any)` | n/a | yes |
+| [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no |
+| [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no |
 | [flow\_stickiness](#input\_flow\_stickiness) | Options are (Default) 5-tuple (src ip/src port/dest ip/dest port/protocol), 3-tuple (src ip/dest ip/protocol), or 2-tuple (src ip/dest ip) | `string` | `"5-tuple"` | no |
 | [gwlb\_enabled](#input\_gwlb\_enabled) | Default is true. Workload/Route 53 subnet Route Tables will point to network\_interface\_id via var.cc\_service\_enis. If true, Route Tables will point to vpc\_endpoint\_id via var.gwlb\_endpoint\_ids input. | `bool` | `true` | no |
 | [health\_check\_interval](#input\_health\_check\_interval) | Interval for GWLB target group health check probing, in seconds, of Cloud Connector targets. Minimum 5 and maximum 300 seconds | `number` | `10` | no |
diff --git a/examples/base_cc_gwlb_zpa/main.tf b/examples/base_cc_gwlb_zpa/main.tf
index 579fa8ff..fdd930d4 100755
--- a/examples/base_cc_gwlb_zpa/main.tf
+++ b/examples/base_cc_gwlb_zpa/main.tf
@@ -148,6 +148,9 @@ module "cc_vm" {
 iam_instance_profile = module.cc_iam.iam_instance_profile_id
 mgmt_security_group_id = module.cc_sg.mgmt_security_group_id
 service_security_group_id = module.cc_sg.service_security_group_id
+ ebs_volume_type = var.ebs_volume_type
+ ebs_encryption_enabled = var.ebs_encryption_enabled
+ byo_kms_key_alias = var.byo_kms_key_alias
 depends_on = [
 local_file.user_data_file,
diff --git a/examples/base_cc_gwlb_zpa/terraform.tfvars b/examples/base_cc_gwlb_zpa/terraform.tfvars
index ae475793..489f2913 100755
--- a/examples/base_cc_gwlb_zpa/terraform.tfvars
+++ b/examples/base_cc_gwlb_zpa/terraform.tfvars
@@ -1,26 +1,10 @@
 ## This is only a sample terraform.tfvars file.
 ## Uncomment and change the below variables according to your specific environment
-
 #####################################################################################################################
-##### ZPA/Route 53 specific variables #####
+##### Variables are populated automically if terraform is ran via ZSEC bash script. #####
+##### Modifying the variables in this file will override any inputs from ZSEC #####
 #####################################################################################################################
-## *** Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true
-## deployment types where Route53 subnets, Resolver Rules, and Outbound Endpoints are being created. Two example domains are populated to show the
-## mapping structure and syntax. ZPA Module will read through each to create a resolver rule per domain_name entry. Ucomment domain_names variable and
-## add any additional appsegXX mappings as needed.
-
-#domain_names = {
-# appseg1 = "app1.com"
-# appseg2 = "app2.com"
-#}
-
-
-#####################################################################################################################
-##### Variables 1-21 are populated automically if terraform is ran via ZSEC bash script. #####
-##### Modifying the variables in this file will override any inputs from ZSEC #####
-#####################################################################################################################
-
 #####################################################################################################################
 ##### Cloud Init Userdata Provisioning variables #####
@@ -184,3 +168,30 @@
 ## Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily.
 #ami_id = ["ami-123456789"]
+
+## 23. By default, terraform will configure Cloud Connector with EBS encryption enabled.
+## Uncomment if you want to disable ebs encryption.
+
+#ebs_encryption_enabled = false
+
+## 24. By default, EBS encryptions is set to null which uses the AWS default managed/master key.
+## Set as 'alias/' to use an existing customer KMS key"
+
+## Note: this variable is only enforced if ebs_encryption_enabled is set to true
+
+#byo_kms_key_alias = "alias/"
+
+
+#####################################################################################################################
+##### ZPA/Route 53 specific variables #####
+#####################################################################################################################
+## 25. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true
+## deployment types where Route53 subnets, Resolver Rules, and Outbound Endpoints are being created. Two example domains are populated to show the
+## mapping structure and syntax. ZPA Module will read through each to create a resolver rule per domain_name entry. Ucomment domain_names variable and
+## add any additional appsegXX mappings as needed.
+
+#domain_names = {
+# appseg1 = "app1.com"
+# appseg2 = "app2.com"
+#}
+
diff --git a/examples/base_cc_gwlb_zpa/variables.tf b/examples/base_cc_gwlb_zpa/variables.tf
index 4a4ac389..dbd1f1ac 100755
--- a/examples/base_cc_gwlb_zpa/variables.tf
+++ b/examples/base_cc_gwlb_zpa/variables.tf
@@ -272,3 +272,21 @@ variable "all_ports_egress_enabled" {
 default = true
 description = "Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group"
 }
+
+variable "ebs_volume_type" {
+ type = string
+ description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3"
+ default = "gp3"
+}
+
+variable "ebs_encryption_enabled" {
+ type = bool
+ description = "true/false whether to enable EBS encryption on the root volume. Default is true"
+ default = true
+}
+
+variable "byo_kms_key_alias" {
+ type = string
+ description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key"
+ default = null
+}
diff --git a/examples/cc_gwlb/README.md b/examples/cc_gwlb/README.md
index 969c3117..2e4a4e0f 100644
--- a/examples/cc_gwlb/README.md
+++ b/examples/cc_gwlb/README.md
@@ -93,6 +93,7 @@ From cc_gwlb directory execute:
 | [byo\_iam\_instance\_profile\_id](#input\_byo\_iam\_instance\_profile\_id) | IAM Instance Profile ID for Cloud Connector association | `list(string)` | `null` | no |
 | [byo\_igw](#input\_byo\_igw) | Bring your own AWS VPC for Cloud Connector | `bool` | `false` | no |
 | [byo\_igw\_id](#input\_byo\_igw\_id) | User provided existing AWS Internet Gateway ID | `string` | `null` | no |
+| [byo\_kms\_key\_alias](#input\_byo\_kms\_key\_alias) | Requires var.ebs\_encryption\_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | `string` | `null` | no |
 | [byo\_mgmt\_security\_group\_id](#input\_byo\_mgmt\_security\_group\_id) | Management Security Group ID for Cloud Connector association | `list(string)` | `null` | no |
 | [byo\_ngw](#input\_byo\_ngw) | Bring your own AWS NAT Gateway(s) Cloud Connector | `bool` | `false` | no |
 | [byo\_ngw\_ids](#input\_byo\_ngw\_ids) | User provided existing AWS NAT Gateway IDs | `list(string)` | `null` | no |
@@ -110,6 +111,8 @@ From cc_gwlb directory execute:
 | [cross\_zone\_lb\_enabled](#input\_cross\_zone\_lb\_enabled) | Determines whether GWLB cross zone load balancing should be enabled or not | `bool` | `false` | no |
 | [deregistration\_delay](#input\_deregistration\_delay) | Amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. | `number` | `0` | no |
 | [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables | `map(any)` | `{}` | no |
+| [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no |
+| [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no |
 | [flow\_stickiness](#input\_flow\_stickiness) | Options are (Default) 5-tuple (src ip/src port/dest ip/dest port/protocol), 3-tuple (src ip/dest ip/protocol), or 2-tuple (src ip/dest ip) | `string` | `"5-tuple"` | no |
 | [gwlb\_enabled](#input\_gwlb\_enabled) | Default is true. Workload/Route 53 subnet route tables will point to vpc\_endpoint\_id via var.gwlb\_endpoint\_ids input. If false, these Route Tables will point to network\_interface\_id via var.cc\_service\_enis | `bool` | `true` | no |
 | [health\_check\_interval](#input\_health\_check\_interval) | Interval for GWLB target group health check probing, in seconds, of Cloud Connector targets. Minimum 5 and maximum 300 seconds | `number` | `10` | no |
diff --git a/examples/cc_gwlb/main.tf b/examples/cc_gwlb/main.tf
index 531916cf..d7c89023 100755
--- a/examples/cc_gwlb/main.tf
+++ b/examples/cc_gwlb/main.tf
@@ -126,6 +126,9 @@ module "cc_vm" {
 iam_instance_profile = module.cc_iam.iam_instance_profile_id
 mgmt_security_group_id = module.cc_sg.mgmt_security_group_id
 service_security_group_id = module.cc_sg.service_security_group_id
+ ebs_volume_type = var.ebs_volume_type
+ ebs_encryption_enabled = var.ebs_encryption_enabled
+ byo_kms_key_alias = var.byo_kms_key_alias
 depends_on = [
 local_file.user_data_file,
diff --git a/examples/cc_gwlb/terraform.tfvars b/examples/cc_gwlb/terraform.tfvars
index 16a2d699..173ba263 100755
--- a/examples/cc_gwlb/terraform.tfvars
+++ b/examples/cc_gwlb/terraform.tfvars
@@ -1,13 +1,11 @@
 ## This is only a sample terraform.tfvars file.
 ## Uncomment and change the below variables according to your specific environment
-
 #####################################################################################################################
-##### Variables 1-22 are populated automically if terraform is ran via ZSEC bash script. #####
-##### Modifying the variables in this file will override any inputs from ZSEC #####
+##### Variables are populated automically if terraform is ran via ZSEC bash script. #####
+##### Modifying the variables in this file will override any inputs from ZSEC #####
 #####################################################################################################################
-
 #####################################################################################################################
 ##### Cloud Init Userdata Provisioning variables #####
 #####################################################################################################################
@@ -170,19 +168,31 @@ #ami_id = ["ami-123456789"] +## 23. By default, terraform will configure Cloud Connector with EBS encryption enabled. +## Uncomment if you want to disable ebs encryption. + +#ebs_encryption_enabled = false + +## 24. By default, EBS encryptions is set to null which uses the AWS default managed/master key. +## Set as 'alias/' to use an existing customer KMS key" + +## Note: this variable is only enforced if ebs_encryption_enabled is set to true + +#byo_kms_key_alias = "alias/" + ##################################################################################################################### ##### ZPA/Route 53 specific variables ##### ##################################################################################################################### -## 23. By default, ZPA dependent resources are not created. Uncomment if you want to enable ZPA configuration in your VPC +## 25. By default, ZPA dependent resources are not created. Uncomment if you want to enable ZPA configuration in your VPC ## Enabling will create 1x dedicated subnet per Cloud Connector availability zones in the VPC with Route Tables pointing ## default route to the local AZ GWLB Endpoint. Module will also create a resolver endpoint and rules per the domains ## specified in variable "domain_names". (Default: false) #zpa_enabled = true -## 24. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true +## 26. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true ## deployment types where Route53 subnets, Resolver Rules, and Outbound Endpoints are being created. Two example domains are populated to show the ## mapping structure and syntax. ZPA Module will read through each to create a resolver rule per domain_name entry. 
Ucomment domain_names variable and ## add any additional appsegXX mappings as needed. @@ -198,24 +208,24 @@ ##### E.g. "cc_ha" ##### ##################################################################################################################### -## 25. By default, this script will create a new AWS VPC. +## 27. By default, this script will create a new AWS VPC. ## Uncomment if you want to deploy all resources to a VPC that already exists (true or false. Default: false) #byo_vpc = true -## 26. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) +## 28. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) ## Example: byo_vpc_id = "vpc-0588ce674df615334" #byo_vpc_id = "vpc-0588ce674df615334" -## 27. By default, this script will create new AWS subnets in the VPC defined based on az_count. +## 29. By default, this script will create new AWS subnets in the VPC defined based on az_count. ## Uncomment if you want to deploy all resources to subnets that already exist (true or false. Default: false) ## Dependencies require in order to reference existing subnets, the corresponding VPC must also already exist. ## Setting byo_subnet to true means byo_vpc must ALSO be set to true. #byo_subnets = true -## 28. Provide your existing Cloud Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. +## 30. Provide your existing Cloud Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. ## Subnet IDs must be added as a list with order determining assocations for resources like aws_instance, NAT GW, ## Route Tables, etc. Provide only one subnet per Availability Zone in a VPC ## 
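Review bot: The new item 24 comment misstates what defaults to null: it reads `## 24. By default, EBS encryptions is set to null which uses the AWS default managed/master key.` but it is `byo_kms_key_alias` that defaults to null, and the following line carries a stray closing quote (`...existing customer KMS key"`). Suggested wording: `## 24. By default, byo_kms_key_alias is set to null, which uses the AWS managed key for EBS encryption.` followed by `## Set to "alias/<your-key-alias>" to use an existing customer managed KMS key`. The commented example `#byo_kms_key_alias = "alias/"` would also read better with a placeholder name after the slash, since a bare `alias/` is not a usable alias. The same text appears as items 31/32 in examples/cc_gwlb_asg/terraform.tfvars and items 16/17 in examples/cc_ha/terraform.tfvars.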
@@ -227,19 +237,19 @@ #byo_subnet_ids = ["subnet-id"] -## 29. By default, this script will create a new Internet Gateway resource in the VPC. +## 31. By default, this script will create a new Internet Gateway resource in the VPC. ## Uncomment if you want to utlize an IGW that already exists (true or false. Default: false) ## Dependencies require in order to reference an existing IGW, the corresponding VPC must also already exist. ## Setting byo_igw to true means byo_vpc must ALSO be set to true. #byo_igw = true -## 30. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. +## 32. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. ## Example: byo_igw_id = "igw-090313c21ffed44d3" #byo_igw_id = "igw-090313c21ffed44d3" -## 31. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. +## 33. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. ## It will also create a Route Table forwarding default 0.0.0.0/0 next hop to the Internet Gateway that is created or defined ## based on the byo_igw variable and associate with the public subnet(s) ## Uncomment if you want to deploy Cloud Connectors routing to NAT Gateway(s)/Public Subnet(s) that already exist (true or false. Default: false) @@ -248,7 +258,7 @@ #byo_ngw = true -## 32. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_cc_subnet to true +## 34. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_cc_subnet to true ## NAT Gateway IDs must be added as a list with order determining assocations for the CC Route Tables (cc-rt) ## nat_gateway_id next hop ## 
@@ -267,23 +277,23 @@ #byo_ngw_ids = ["nat-id"] -## 33. By default, this script will create new IAM roles, policy, and Instance Profiles for the Cloud Connector +## 35. By default, this script will create new IAM roles, policy, and Instance Profiles for the Cloud Connector ## Uncomment if you want to use your own existing IAM Instance Profiles (true or false. Default: false) #byo_iam = true -## 34. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true +## 36. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true ## Example: byo_iam_instance_profile_id = ["instance-profile-1","instance-profile-2"] #byo_iam_instance_profile_id = ["instance-profile-1"] -## 35. By default, this script will create new Security Groups for the Cloud Connector mgmt and service interfaces +## 37. By default, this script will create new Security Groups for the Cloud Connector mgmt and service interfaces ## Uncomment if you want to use your own existing SGs (true or false. Default: false) #byo_security_group = true -## 36. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true +## 38. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true ## Example: byo_mgmt_security_group_id = ["mgmt-sg-1","mgmt-sg-2"] ## Example: byo_service_security_group_id = ["service-sg-1","service-sg-2"] diff --git a/examples/cc_gwlb/variables.tf b/examples/cc_gwlb/variables.tf index 72907f65..8c53f503 100755 --- a/examples/cc_gwlb/variables.tf +++ b/examples/cc_gwlb/variables.tf 
@@ -262,6 +262,24 @@ variable "all_ports_egress_enabled" { description = "Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group" } +variable "ebs_volume_type" { + type = string + description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3" + default = "gp3" +} + +variable "ebs_encryption_enabled" { + type = bool + description = "true/false whether to enable EBS encryption on the root volume. Default is true" + default = true +} + +variable "byo_kms_key_alias" { + type = string + description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key" + default = null +} + # BYO (Bring-your-own) variables list variable "byo_vpc" { diff --git a/examples/cc_gwlb_asg/README.md b/examples/cc_gwlb_asg/README.md index 301c5611..60aefcf8 100644 --- a/examples/cc_gwlb_asg/README.md +++ b/examples/cc_gwlb_asg/README.md 
@@ -95,6 +95,7 @@ From cc_gwlb_asg directory execute: | [byo\_iam\_instance\_profile\_id](#input\_byo\_iam\_instance\_profile\_id) | IAM Instance Profile ID for Cloud Connector association | `list(string)` | `null` | no | | [byo\_igw](#input\_byo\_igw) | Bring your own AWS VPC for Cloud Connector | `bool` | `false` | no | | [byo\_igw\_id](#input\_byo\_igw\_id) | User provided existing AWS Internet Gateway ID | `string` | `null` | no | +| [byo\_kms\_key\_alias](#input\_byo\_kms\_key\_alias) | Requires var.ebs\_encryption\_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | `string` | `null` | no | | [byo\_mgmt\_security\_group\_id](#input\_byo\_mgmt\_security\_group\_id) | Management Security Group ID for Cloud Connector association | `list(string)` | `null` | no | | [byo\_ngw](#input\_byo\_ngw) | Bring your own AWS NAT Gateway(s) Cloud Connector | `bool` | `false` | no | | [byo\_ngw\_ids](#input\_byo\_ngw\_ids) | User provided existing AWS NAT Gateway IDs | `list(string)` | `null` | no | 
@@ -113,6 +114,8 @@ From cc_gwlb_asg directory execute: | [cross\_zone\_lb\_enabled](#input\_cross\_zone\_lb\_enabled) | Determines whether GWLB cross zone load balancing should be enabled or not | `bool` | `false` | no | | [deregistration\_delay](#input\_deregistration\_delay) | Amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. | `number` | `0` | no | | [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables | `map(any)` | `{}` | no | +| [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no | +| [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no | | [flow\_stickiness](#input\_flow\_stickiness) | Options are (Default) 5-tuple (src ip/src port/dest ip/dest port/protocol), 3-tuple (src ip/dest ip/protocol), or 2-tuple (src ip/dest ip) | `string` | `"5-tuple"` | no | | [gwlb\_enabled](#input\_gwlb\_enabled) | Default is true. Workload/Route 53 subnet route tables will point to vpc\_endpoint\_id via var.gwlb\_endpoint\_ids input. If false, these Route Tables will point to network\_interface\_id via var.cc\_service\_enis | `bool` | `true` | no | | [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | The amount of time until EC2 Auto Scaling performs the first health check on new instances after they are put into service. With lifecycle hooks it is immediate. Otheriwse Default is 15 minutes | `number` | `0` | no | diff --git a/examples/cc_gwlb_asg/main.tf b/examples/cc_gwlb_asg/main.tf index c0c67b58..344c156f 100755 --- a/examples/cc_gwlb_asg/main.tf 
+++ b/examples/cc_gwlb_asg/main.tf @@ -125,6 +125,9 @@ module "cc_asg" { mgmt_security_group_id = module.cc_sg.mgmt_security_group_id service_security_group_id = module.cc_sg.service_security_group_id ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias max_size = var.max_size min_size = var.min_size diff --git a/examples/cc_gwlb_asg/terraform.tfvars b/examples/cc_gwlb_asg/terraform.tfvars index 2b4ccf26..88bbdd64 100755 --- a/examples/cc_gwlb_asg/terraform.tfvars +++ b/examples/cc_gwlb_asg/terraform.tfvars @@ -6,7 +6,6 @@ ##### Modifying the variables in this file will override any inputs from ZSEC ##### ##################################################################################################################### - ##################################################################################################################### ##### Cloud Init Userdata Provisioning variables ##### ##################################################################################################################### 
@@ -200,18 +199,30 @@ #all_ports_egress_enabled = false +## 31. By default, terraform will configure Cloud Connector with EBS encryption enabled. +## Uncomment if you want to disable ebs encryption. + +#ebs_encryption_enabled = false + +## 32. By default, EBS encryptions is set to null which uses the AWS default managed/master key. +## Set as 'alias/' to use an existing customer KMS key" + +## Note: this variable is only enforced if ebs_encryption_enabled is set to true + +#byo_kms_key_alias = "alias/" + ##################################################################################################################### ##### ZPA/Route 53 specific variables ##### ##################################################################################################################### -## 31. By default, ZPA dependent resources are not created. Uncomment if you want to enable ZPA configuration in your VPC +## 33. By default, ZPA dependent resources are not created. Uncomment if you want to enable ZPA configuration in your VPC ## Enabling will create 1x dedicated subnet per Cloud Connector availability zones in the VPC with Route Tables pointing ## default route to the local AZ GWLB Endpoint. Module will also create a resolver endpoint and rules per the domains ## specified in variable "domain_names". (Default: false) #zpa_enabled = true -## 32. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true +## 34. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true ## deployment types where Route53 subnets, Resolver Rules, and Outbound Endpoints are being created. Two example domains are populated to show the ## mapping structure and syntax. ZPA Module will read through each to create a resolver rule per domain_name entry. 
Ucomment domain_names variable and ## add any additional appsegXX mappings as needed. 
@@ -223,27 +234,27 @@ ##################################################################################################################### ##### Custom BYO variables. Only applicable for deployments without "base" resource requirements ##### -##### E.g. "cc_ha, cc_gwlb, cc_gwlb_asg" ##### +##### E.g. "cc_ha, cc_gwlb, cc_gwlb_asg" ##### ##################################################################################################################### -## 33. By default, this script will create a new AWS VPC. +## 35. By default, this script will create a new AWS VPC. ## Uncomment if you want to deploy all resources to a VPC that already exists (true or false. Default: false) #byo_vpc = true -## 34. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) +## 36. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) ## Example: byo_vpc_id = "vpc-0588ce674df615334" #byo_vpc_id = "vpc-0588ce674df615334" -## 35. By default, this script will create new AWS subnets in the VPC defined based on az_count. +## 37. By default, this script will create new AWS subnets in the VPC defined based on az_count. ## Uncomment if you want to deploy all resources to subnets that already exist (true or false. Default: false) ## Dependencies require in order to reference existing subnets, the corresponding VPC must also already exist. ## Setting byo_subnet to true means byo_vpc must ALSO be set to true. #byo_subnets = true -## 36. Provide your existing Cloud Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. +## 38. Provide your existing Cloud Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. ## Subnet IDs must be added as a list with order determining assocations for resources like aws_instance, NAT GW, ## Route Tables, etc. Provide only one subnet per Availability Zone in a VPC ## 
@@ -255,19 +266,19 @@ #byo_subnet_ids = ["subnet-id"] -## 37. By default, this script will create a new Internet Gateway resource in the VPC. +## 39. By default, this script will create a new Internet Gateway resource in the VPC. ## Uncomment if you want to utlize an IGW that already exists (true or false. Default: false) ## Dependencies require in order to reference an existing IGW, the corresponding VPC must also already exist. ## Setting byo_igw to true means byo_vpc must ALSO be set to true. #byo_igw = true -## 38. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. +## 40. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. ## Example: byo_igw_id = "igw-090313c21ffed44d3" #byo_igw_id = "igw-090313c21ffed44d3" -## 39. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. +## 41. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. ## It will also create a Route Table forwarding default 0.0.0.0/0 next hop to the Internet Gateway that is created or defined ## based on the byo_igw variable and associate with the public subnet(s) ## Uncomment if you want to deploy Cloud Connectors routing to NAT Gateway(s)/Public Subnet(s) that already exist (true or false. Default: false) @@ -276,7 +287,7 @@ #byo_ngw = true -## 40. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_cc_subnet to true +## 42. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_cc_subnet to true ## NAT Gateway IDs must be added as a list with order determining assocations for the CC Route Tables (cc-rt) ## nat_gateway_id next hop ## 
@@ -295,23 +306,23 @@ #byo_ngw_ids = ["nat-id"] -## 41. By default, this script will create new IAM roles, policy, and Instance Profiles for the Cloud Connector +## 43. By default, this script will create new IAM roles, policy, and Instance Profiles for the Cloud Connector ## Uncomment if you want to use your own existing IAM Instance Profiles (true or false. Default: false) #byo_iam = true -## 42. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true +## 44. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true ## Example: byo_iam_instance_profile_id = ["instance-profile-1","instance-profile-2"] #byo_iam_instance_profile_id = ["instance-profile-1"] -## 43. By default, this script will create new Security Groups for the Cloud Connector mgmt and service interfaces +## 45. By default, this script will create new Security Groups for the Cloud Connector mgmt and service interfaces ## Uncomment if you want to use your own existing SGs (true or false. Default: false) #byo_security_group = true -## 44. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true +## 46. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true ## Example: byo_mgmt_security_group_id = ["mgmt-sg-1","mgmt-sg-2"] ## Example: byo_service_security_group_id = ["service-sg-1","service-sg-2"] diff --git a/examples/cc_gwlb_asg/variables.tf b/examples/cc_gwlb_asg/variables.tf index 2f26c15e..e9d7cfc2 100755 --- a/examples/cc_gwlb_asg/variables.tf +++ b/examples/cc_gwlb_asg/variables.tf 
@@ -226,6 +226,24 @@ variable "ami_id" { default = [""] } +variable "ebs_volume_type" { + type = string + description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3" + default = "gp3" +} + +variable "ebs_encryption_enabled" { + type = bool + description = "true/false whether to enable EBS encryption on the root volume. Default is true" + default = true +} + +variable "byo_kms_key_alias" { + type = string + description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key" + default = null +} + # ZPA/Route53 specific variables variable "zpa_enabled" { type = bool diff --git a/examples/cc_ha/README.md b/examples/cc_ha/README.md index aae57cf0..4e0ddbab 100644 --- a/examples/cc_ha/README.md +++ b/examples/cc_ha/README.md @@ -94,6 +94,7 @@ From cc_ha directory execute: | [byo\_iam\_instance\_profile\_id](#input\_byo\_iam\_instance\_profile\_id) | IAM Instance Profile ID for Cloud Connector association | `list(string)` | `null` | no | | [byo\_igw](#input\_byo\_igw) | Bring your own AWS VPC for Cloud Connector | `bool` | `false` | no | | [byo\_igw\_id](#input\_byo\_igw\_id) | User provided existing AWS Internet Gateway ID | `string` | `null` | no | +| [byo\_kms\_key\_alias](#input\_byo\_kms\_key\_alias) | Requires var.ebs\_encryption\_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | `string` | `null` | no | | [byo\_mgmt\_security\_group\_id](#input\_byo\_mgmt\_security\_group\_id) | Management Security Group ID for Cloud Connector association | `list(string)` | `null` | no | | [byo\_ngw](#input\_byo\_ngw) | Bring your own AWS NAT Gateway(s) Cloud Connector | `bool` | `false` | no | | [byo\_ngw\_ids](#input\_byo\_ngw\_ids) | User provided existing AWS NAT Gateway IDs | `list(string)` | `null` | no | 
@@ -109,6 +110,8 @@ From cc_ha directory execute: | [cc\_vm\_prov\_url](#input\_cc\_vm\_prov\_url) | Zscaler Cloud Connector Provisioning URL | `string` | n/a | yes | | [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"m6i.large"` | no | | [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables | `map(any)` | `{}` | no | +| [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no | +| [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no | | [gwlb\_enabled](#input\_gwlb\_enabled) | Default is false. Workload/Route 53 subnet Route Tables will point to network\_interface\_id via var.cc\_service\_enis. If true, Route Tables will point to vpc\_endpoint\_id via var.gwlb\_endpoint\_ids input. | `bool` | `false` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no | | [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no | diff --git a/examples/cc_ha/main.tf b/examples/cc_ha/main.tf index c0f60648..9fa5a97a 100755 --- a/examples/cc_ha/main.tf +++ b/examples/cc_ha/main.tf 
@@ -126,6 +126,9 @@ module "cc_vm" { iam_instance_profile = module.cc_iam.iam_instance_profile_id mgmt_security_group_id = module.cc_sg.mgmt_security_group_id service_security_group_id = module.cc_sg.service_security_group_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias depends_on = [ local_file.user_data_file, diff --git a/examples/cc_ha/terraform.tfvars b/examples/cc_ha/terraform.tfvars index 9c347599..ef82ad3d 100755 --- a/examples/cc_ha/terraform.tfvars +++ b/examples/cc_ha/terraform.tfvars @@ -1,13 +1,11 @@ ## This is only a sample terraform.tfvars file. ## Uncomment and change the below variables according to your specific environment - ##################################################################################################################### -##### Variables 1-12 are populated automically if terraform is ran via ZSEC bash script. ##### -##### Modifying the variables in this file will override any inputs from ZSEC ##### +##### Variables are populated automically if terraform is ran via ZSEC bash script. ##### +##### Modifying the variables in this file will override any inputs from ZSEC ##### ##################################################################################################################### - ##################################################################################################################### ##### Cloud Init Userdata Provisioning variables ##### ##################################################################################################################### 
@@ -129,18 +127,31 @@ #ami_id = ["ami-123456789"] +## 16. By default, terraform will configure Cloud Connector with EBS encryption enabled. +## Uncomment if you want to disable ebs encryption. + +#ebs_encryption_enabled = false + +## 17. By default, EBS encryptions is set to null which uses the AWS default managed/master key. +## Set as 'alias/' to use an existing customer KMS key" + +## Note: this variable is only enforced if ebs_encryption_enabled is set to true + +#byo_kms_key_alias = "alias/" + + ##################################################################################################################### ##### ZPA/Route 53 specific variables ##### ##################################################################################################################### -## 16. By default, ZPA dependent resources are not created. Uncomment if you want to enable ZPA configuration in your VPC +## 18. By default, ZPA dependent resources are not created. Uncomment if you want to enable ZPA configuration in your VPC ## Enabling will create 1x dedicated subnet per Cloud Connector availability zones in the VPC with Route Tables pointing ## default route to the local AZ GWLB Endpoint. Module will also create a resolver endpoint and rules per the domains ## specified in variable "domain_names". (Default: false) #zpa_enabled = true -## 17. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true +## 19. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true ## deployment types where Route53 subnets, Resolver Rules, and Outbound Endpoints are being created. Two example domains are populated to show the ## mapping structure and syntax. ZPA Module will read through each to create a resolver rule per domain_name entry. 
Ucomment domain_names variable and ## add any additional appsegXX mappings as needed. @@ -156,24 +167,24 @@ ##### E.g. "cc_ha" ##### ##################################################################################################################### -## 18. By default, this script will create a new AWS VPC. +## 20. By default, this script will create a new AWS VPC. ## Uncomment if you want to deploy all resources to a VPC that already exists (true or false. Default: false) #byo_vpc = true -## 19. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) +## 21. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) ## Example: byo_vpc_id = "vpc-0588ce674df615334" #byo_vpc_id = "vpc-0588ce674df615334" -## 20. By default, this script will create new AWS subnets in the VPC defined based on az_count. +## 22. By default, this script will create new AWS subnets in the VPC defined based on az_count. ## Uncomment if you want to deploy all resources to subnets that already exist (true or false. Default: false) ## Dependencies require in order to reference existing subnets, the corresponding VPC must also already exist. ## Setting byo_subnet to true means byo_vpc must ALSO be set to true. #byo_subnets = true -## 21. Provide your existing Cloud Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. +## 23. Provide your existing Cloud Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. ## Subnet IDs must be added as a list with order determining assocations for resources like aws_instance, NAT GW, ## Route Tables, etc. Provide only one subnet per Availability Zone in a VPC ## 
@@ -185,19 +196,19 @@ #byo_subnet_ids = ["subnet-id"] -## 22. By default, this script will create a new Internet Gateway resource in the VPC. +## 24. By default, this script will create a new Internet Gateway resource in the VPC. ## Uncomment if you want to utlize an IGW that already exists (true or false. Default: false) ## Dependencies require in order to reference an existing IGW, the corresponding VPC must also already exist. ## Setting byo_igw to true means byo_vpc must ALSO be set to true. #byo_igw = true -## 23. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. +## 25. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. ## Example: byo_igw_id = "igw-090313c21ffed44d3" #byo_igw_id = "igw-090313c21ffed44d3" -## 24. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. +## 26. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. ## It will also create a Route Table forwarding default 0.0.0.0/0 next hop to the Internet Gateway that is created or defined ## based on the byo_igw variable and associate with the public subnet(s) ## Uncomment if you want to deploy Cloud Connectors routing to NAT Gateway(s)/Public Subnet(s) that already exist (true or false. Default: false) @@ -206,7 +217,7 @@ #byo_ngw = true -## 25. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_cc_subnet to true +## 27. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_cc_subnet to true ## NAT Gateway IDs must be added as a list with order determining assocations for the CC Route Tables (cc-rt) ## nat_gateway_id next hop ## 
@@ -225,23 +236,23 @@ #byo_ngw_ids = ["nat-id"] -## 26. By default, this script will create new IAM roles, policy, and Instance Profiles for the Cloud Connector +## 28. By default, this script will create new IAM roles, policy, and Instance Profiles for the Cloud Connector ## Uncomment if you want to use your own existing IAM Instance Profiles (true or false. Default: false) #byo_iam = true -## 27. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true +## 29. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true ## Example: byo_iam_instance_profile_id = ["instance-profile-1","instance-profile-2"] #byo_iam_instance_profile_id = ["instance-profile-1"] -## 28. By default, this script will create new Security Groups for the Cloud Connector mgmt and service interfaces +## 30. By default, this script will create new Security Groups for the Cloud Connector mgmt and service interfaces ## Uncomment if you want to use your own existing SGs (true or false. Default: false) #byo_security_group = true -## 29. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true +## 31. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true ## Example: byo_mgmt_security_group_id = ["mgmt-sg-1","mgmt-sg-2"] ## Example: byo_service_security_group_id = ["service-sg-1","service-sg-2"] 
@@ -257,7 +268,7 @@ ##### subnets already exist. Therefore, you must provide at least byo_vpc information #####
 #####################################################################################################################
-## 30. Provide your existing Workload Route Table IDs. Route Table IDs must be added as a list and should be paired to
+## 32. Provide your existing Workload Route Table IDs. Route Table IDs must be added as a list and should be paired to
 ## the primary Cloud Connector each Route Table would be forwarding traffic to in normal operation
 ##
 ## Example:
diff --git a/examples/cc_ha/variables.tf b/examples/cc_ha/variables.tf
index 4d079c0a..fe6437d8 100755
--- a/examples/cc_ha/variables.tf
+++ b/examples/cc_ha/variables.tf
@@ -199,6 +199,24 @@ variable "all_ports_egress_enabled" {
 description = "Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group"
 }
+variable "ebs_volume_type" {
+ type = string
+ description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3"
+ default = "gp3"
+}
+
+variable "ebs_encryption_enabled" {
+ type = bool
+ description = "true/false whether to enable EBS encryption on the root volume. Default is true"
+ default = true
+}
+
+variable "byo_kms_key_alias" {
+ type = string
+ description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key"
+ default = null
+}
+
 # BYO (Bring-your-own) variables list
 variable "byo_vpc" {
diff --git a/examples/zsec b/examples/zsec
index 231d10e3..d14bceb0 100755
--- a/examples/zsec
+++ b/examples/zsec
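Review bot: `ebs_volume_type` documents an allowed set (standard, gp2, gp3, io1, io2, sc1, st1) but nothing enforces it, so a typo is only rejected by the provider at apply time; a `validation` block on the variable fails at plan time with a clear message. The same three variables are added without validation in modules/terraform-zscc-asg-aws/variables.tf and modules/terraform-zscc-ccvm-aws/variables.tf, where the check matters most because the module is what consumes the value. `byo_kms_key_alias` is described as an alias name, so a second validation such as `condition = var.byo_kms_key_alias == null || can(regex("^alias/", var.byo_kms_key_alias))` would catch a key ID or ARN pasted in its place.
```hcl
variable "ebs_volume_type" {
  type        = string
  description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3"
  default     = "gp3"

  validation {
    condition     = contains(["standard", "gp2", "gp3", "io1", "io2", "sc1", "st1"], var.ebs_volume_type)
    error_message = "ebs_volume_type must be one of: standard, gp2, gp3, io1, io2, sc1, st1."
  }
}

# … unchanged: ebs_encryption_enabled and byo_kms_key_alias …
```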
@@ -29,6 +29,9 @@ if [[ "$oper" == "up" ]]; then
 case $deploy in
 greenfield)
+ echo ""
+ echo "**Caution** These deployments include test workloads and publicly accessible jump hosts and are intended primarily for lab/test environments"
+ echo ""
 break
 ;;
 brownfield)
@@ -477,6 +480,44 @@ else
 fi
 fi
+while true; do
+ read -r -p "Enable EBS volume encryption? (yes/no) Recommendation is yes: " ebs_encryption_response
+case $ebs_encryption_response in
+ yes|y )
+ echo "EBS encryption will be enabled"
+ echo "export TF_VAR_ebs_encryption_enabled=true" >> .zsecrc
+ ebs_encryption_enabled=true
+ break
+ ;;
+ no|n )
+ echo "EBS encryption will be disabled"
+ echo "export TF_VAR_ebs_encryption_enabled=false" >> .zsecrc
+ ebs_encryption_enabled=false
+ break
+ ;;
+ * ) echo "invalid response. Please enter yes or no";;
+ esac
+done
+
+if [[ "$ebs_encryption_enabled" == true ]]; then
+ echo "Amazon EBS automatically creates a unique AWS managed key in each Region. By default, Amazon EBS uses this KMS key for encryption"
+ while true; do
+ read -r -p "Use your own customer managed KMS key instead? (yes/no): " byo_kms_key_response
+ case $byo_kms_key_response in
+ yes|y )
+ read -r -p "Enter KMS key alias (e.g. alias/key_name): " byo_kms_key_alias
+ echo "export TF_VAR_byo_kms_key_alias=$byo_kms_key_alias" >> .zsecrc
+ break
+ ;;
+ no|n )
+ echo "Using default Amazon KMS key..."
+ break
+ ;;
+ * ) echo "invalid response. Please enter yes or no";;
+ esac
+ done
+fi
+
 if [[ "$dtype" == *"gwlb"* ]]; then
 echo "GWLB deployment detected"
 while true; do
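Review bot: The KMS alias typed at the prompt is written unquoted, `echo "export TF_VAR_byo_kms_key_alias=$byo_kms_key_alias" >> .zsecrc`, so a value containing whitespace or shell metacharacters produces a malformed line in a file that is presumably sourced later, and nothing checks that the value has the `alias/` form the prompt asks for. Single-quoting the value, `echo "export TF_VAR_byo_kms_key_alias='${byo_kms_key_alias}'" >> .zsecrc`, and re-prompting unless `[[ "$byo_kms_key_alias" == alias/* ]]` holds would keep a typo from surfacing only at terraform plan. The same unquoted-export pattern recurs for the VPC, subnet, IGW and NAT Gateway IDs in the brownfield prompts added further down this file.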
@@ -732,25 +773,235 @@ echo "export TF_VAR_sns_email_list=${email_list}" >> .zsecrc
 fi
 fi
+if [[ "$dtype" == "cc"* ]]; then
+ echo "Configure Networking Infrastructure..."
+ while true; do
+ read -r -p "Are you deploying to an existing VPC in $aws_region? (yes/no): " byo_vpc_response
+ case $byo_vpc_response in
+ yes|y )
+ echo "Using an existing VPC..."
+ echo "export TF_VAR_byo_vpc=true" >> .zsecrc
+ byo_vpc=true
+ read -r -p "Enter existing VPC ID (E.g vpc-0588ce674df615334): " byo_vpc_id
+ echo "You entered $byo_vpc_id"
+ echo "export TF_VAR_byo_vpc_id=$byo_vpc_id" >> .zsecrc
+ break
+ ;;
+ no|n )
+ echo "Terraform will create new VPC, subnets, IGW, and NAT Gateways"
+ echo "export TF_VAR_byo_vpc=false" >> .zsecrc
+ break
+ ;;
+ * ) echo "invalid response. Please enter yes or no";;
+ esac
+ done
+fi
+
+# Query for existing subnet IDs if byo_vpc true
+if [[ "$byo_vpc" == "true" ]]; then
+ echo "Attemping deployment to existing VPC $byo_vpc_id..."
+ while true; do
+ read -r -p "Are you deploying to existing subnets in $byo_vpc_id? (yes/no): " byo_subnet_response
+ case $byo_subnet_response in
+ yes|y )
+ echo "Using existing subnets for Cloud Connector..."
+ echo "export TF_VAR_byo_subnets=true" >> .zsecrc
+ if [[ "$az_count" == "1" ]]; then
+ read -r -p "$az_count availability zone chosen. 
Please enter the desired subnet ID (E.g subnet-05c32f4aa6bc02f8f): " byo_subnet_ids
+ echo "You entered $byo_subnet_ids"
+ echo "export TF_VAR_byo_subnet_ids='[\"${byo_subnet_ids}\"]'" >> .zsecrc
+ elif [[ "$az_count" == "2" ]]; then
+ echo "$az_count availability zones chosen"
+ read -r -p "Please enter the first subnet ID (E.g subnet-05c32f4aa6bc02f8f): " subnet_1
+ echo "You entered $subnet_1"
+ read -r -p "Please enter the second subnet ID (E.g subnet-05c32f4aa6bc02f8f): " subnet_2
+ echo "You entered $subnet_2"
+ echo "export TF_VAR_byo_subnet_ids='[\"${subnet_1}\",\"${subnet_2}\"]'" >> .zsecrc
+ elif [[ "$az_count" == "3" ]]; then
+ echo "$az_count availability zones chosen"
+ read -r -p "Please enter the first subnet ID (E.g subnet-05c32f4aa6bc02f8f): " subnet_1
+ echo "You entered $subnet_1"
+ read -r -p "Please enter the second subnet ID (E.g subnet-05c32f4aa6bc02f8f): " subnet_2
+ echo "You entered $subnet_2"
+ read -r -p "Please enter the third subnet ID (E.g subnet-05c32f4aa6bc02f8f): " subnet_3
+ echo "You entered $subnet_3"
+ echo "export TF_VAR_byo_subnet_ids='[\"${subnet_1}\",\"${subnet_2}\",\"${subnet_3}\"]'" >> .zsecrc
+ fi
+ break
+ ;;
+ no|n )
+ echo "Terraform will attempt to create new subnets in $byo_vpc_id"
+ echo "export TF_VAR_byo_subnets=false" >> .zsecrc
+ byo_subnets=false
+ break
+ ;;
+ * ) echo "invalid response. Please enter yes or no";;
+ esac
+ done
+fi
+
+#Query for subnet creation range override
+if [[ "$byo_subnets" == "false" ]]; then
+ echo "Existing VPC $byo_vpc_id selected, but subnets need created..."
+ echo "By default, Terraform assumeds VPC CIDR is a /16 and will try to create /24 subnets within"
+ while true; do
+ read -r -p "Do you want to manually define the CC subnet ranges? (yes/no): " change_cc_cidr_response
+ case $change_cc_cidr_response in
+ yes|y )
+ echo "Configuring each Cloud Connector subnet range..."
+ if [[ "$az_count" == "1" ]]; then
+ read -r -p "$az_count availability zone chosen. 
Please enter the desired subnet range that falls within $byo_vpc_id CIDR (E.g 10.2.0.0/24): " cc_subnets_1
+ echo "You entered $cc_subnets_1"
+ echo "export TF_VAR_cc_subnets='[\"${cc_subnets_1}\"]'" >> .zsecrc
+ elif [[ "$az_count" == "2" ]]; then
+ echo "$az_count availability zones chosen"
+ read -r -p "Please enter the first subnet range (E.g 10.2.0.0/24): " cc_subnets_1
+ echo "You entered $cc_subnets_1"
+ read -r -p "Please enter the second subnet range (E.g 10.2.1.0/24): " cc_subnets_2
+ echo "You entered $cc_subnets_2"
+ echo "export TF_VAR_cc_subnets='[\"${cc_subnets_1}\",\"${cc_subnets_2}\"]'" >> .zsecrc
+ elif [[ "$az_count" == "3" ]]; then
+ echo "$az_count availability zones chosen"
+ read -r -p "Please enter the first subnet range (E.g 10.2.0.0/24): " cc_subnets_1
+ echo "You entered $cc_subnets_1"
+ read -r -p "Please enter the second subnet ID (E.g 10.2.1.0/24): " cc_subnets_2
+ echo "You entered $cc_subnets_2"
+ read -r -p "Please enter the third subnet range (E.g 10.2.2.0/24): " cc_subnets_3
+ echo "You entered $cc_subnets_3"
+ echo "export TF_VAR_cc_subnets='[\"${cc_subnets_1}\",\"${cc_subnets_2}\",\"${cc_subnets_3}\"]'" >> .zsecrc
+ fi
+ break
+ ;;
+ no|n )
+ echo "Terraform will attempt to automatically create new subnets in $byo_vpc_id"
+ break
+ ;;
+ * ) echo "invalid response. Please enter yes or no";;
+ esac
+ done
+fi
+
 if [[ "$dtype" == "cc"* ]]; then
 while true; do
 read -r -p "Enable Route 53 configuration for ZPA? (yes/no): " zpa_response
-case $zpa_response in
- yes|y )
- echo "Enabling Route 53 module..."
- zpa_enabled=true
- echo "export TF_VAR_zpa_enabled=$zpa_enabled" >> .zsecrc
- break
- ;;
- no|n )
- echo "No ZPA enablement..."
- zpa_enabled=false
- echo "export TF_VAR_zpa_enabled=$zpa_enabled" >> .zsecrc
- break
- ;;
- * ) echo "invalid response. Please enter yes or no";;
- esac
-done
+ case $zpa_response in
+ yes|y )
+ echo "Enabling Route 53 module..." 
+ zpa_enabled=true
+ echo "export TF_VAR_zpa_enabled=$zpa_enabled" >> .zsecrc
+ break
+ ;;
+ no|n )
+ echo "No ZPA enablement..."
+ zpa_enabled=false
+ echo "export TF_VAR_zpa_enabled=$zpa_enabled" >> .zsecrc
+ break
+ ;;
+ * ) echo "invalid response. Please enter yes or no";;
+ esac
+ done
+fi
+
+if [[ "$byo_subnets" == "false" && "$zpa_enabled" == "true" ]]; then
+ while true; do
+ read -r -p "Do you want to manually define the Route 53 subnet ranges? (yes/no): " change_r53_cidr_response
+ case $change_r53_cidr_response in
+ yes|y )
+ echo "Configuring each Route 53 subnet range..."
+ if [[ "$az_count" == "1" ]]; then
+ read -r -p "$az_count availability zone chosen. Please enter the desired subnet range that falls within $byo_vpc_id CIDR (E.g 10.2.0.0/24): " r53_subnets_1
+ echo "You entered $r53_subnets_1"
+ echo "export TF_VAR_route53_subnets='[\"${cc_subnets_1}\"]'" >> .zsecrc
+ elif [[ "$az_count" == "2" ]]; then
+ echo "$az_count availability zones chosen"
+ read -r -p "Please enter the first subnet range (E.g 10.2.0.0/24): " r53_subnets_1
+ echo "You entered $r53_subnets_1"
+ read -r -p "Please enter the second subnet range (E.g 10.2.1.0/24): " r53_subnets_2
+ echo "You entered $r53_subnets_2"
+ echo "export TF_VAR_route53_subnets='[\"${r53_subnets_1}\",\"${r53_subnets_2}\"]'" >> .zsecrc
+ elif [[ "$az_count" == "3" ]]; then
+ echo "$az_count availability zones chosen"
+ read -r -p "Please enter the first subnet range (E.g 10.2.0.0/24): " r53_subnets_1
+ echo "You entered $r53_subnets_1"
+ read -r -p "Please enter the second subnet range (E.g 10.2.1.0/24): " r53_subnets_2
+ echo "You entered $r53_subnets_2"
+ read -r -p "Please enter the third subnet range (E.g 10.2.2.0/24): " r53_subnets_3
+ echo "You entered $r53_subnets_3"
+ echo "export TF_VAR_route53_subnets='[\"${r53_subnets_1}\",\"${r53_subnets_2}\",\"${r53_subnets_3}\"]'" >> .zsecrc
+ fi
+ break
+ ;;
+ no|n )
+ echo "Terraform will attempt to automatically create new subnets in $byo_vpc_id"
+ break 
+ ;;
+ * ) echo "invalid response. Please enter yes or no";;
+ esac
+ done
+fi
+
+# Query for existing IGW IDs if byo_vpc true
+if [[ "$byo_vpc" == "true" ]]; then
+ while true; do
+ read -r -p "Does $byo_vpc_id already have an IGW (Internet Gateway)? (yes/no): " byo_igw_response
+ case $byo_igw_response in
+ yes|y )
+ echo "Using an existing IGW..."
+ echo "export TF_VAR_byo_igw=true" >> .zsecrc
+ byo_igw=true
+ read -r -p "Enter existing IGW ID (E.g igw-090313c21ffed44d3): " byo_igw_id
+ echo "export TF_VAR_byo_igw_id=$byo_igw_id" >> .zsecrc
+ break
+ ;;
+ no|n )
+ echo "Terraform will attempt to create a new IGW in $byo_vpc_id"
+ echo "export TF_VAR_byo_igw=false" >> .zsecrc
+ break
+ ;;
+ * ) echo "invalid response. Please enter yes or no";;
+ esac
+ done
+fi
+
+# Query for existing NAT GW IDs if byo_vpc true
+if [[ "$byo_vpc" == "true" ]]; then
+ while true; do
+ read -r -p "Does $byo_vpc_id already have NAT Gateways in public subnets? (yes/no): " byo_ngw_response
+ case $byo_ngw_response in
+ yes|y )
+ echo "Using existing NAT Gateways for Cloud Connector route tables..."
+ echo "export TF_VAR_byo_ngw=true" >> .zsecrc
+ if [[ "$az_count" == "1" ]]; then
+ read -r -p "$az_count availability zone chosen. 
Please enter the desired NAT Gateway ID (E.g nat-0e1351f3e8025a30e): " ngw_1
+ echo "You entered $ngw_1"
+ echo "export TF_VAR_byo_ngw_ids='[\"${ngw_1}\"]'" >> .zsecrc
+ elif [[ "$az_count" == "2" ]]; then
+ echo "$az_count availability zones chosen"
+ read -r -p "Please enter the first NAT Gateway ID (E.g nat-0e1351f3e8025a30e): " ngw_1
+ echo "You entered $ngw_1"
+ read -r -p "Please enter the second NAT Gateway ID (E.g nat-0e1351f3e8025a30e): " ngw_2
+ echo "You entered $ngw_2"
+ echo "export TF_VAR_byo_ngw_ids='[\"${ngw_1}\",\"${ngw_2}\"]'" >> .zsecrc
+ elif [[ "$az_count" == "3" ]]; then
+ echo "$az_count availability zones chosen"
+ read -r -p "Please enter the first NAT Gateway ID (E.g nat-0e1351f3e8025a30e): " ngw_1
+ echo "You entered $ngw_1"
+ read -r -p "Please enter the second NAT Gateway ID (E.g nat-0e1351f3e8025a30e): " ngw_2
+ echo "You entered $ngw_2"
+ read -r -p "Please enter the third NAT Gateway ID (E.g nat-0e1351f3e8025a30e): " ngw_3
+ echo "You entered $ngw_3"
+ echo "export TF_VAR_byo_ngw_ids='[\"${ngw_1}\",\"${ngw_2}\",\"${ngw_3}\"]'" >> .zsecrc
+ fi
+ break
+ ;;
+ no|n )
+ echo "Terraform will attempt to create new public subnets and NAT Gateway resources in $byo_vpc_id"
+ echo "export TF_VAR_byo_ngw=false" >> .zsecrc
+ break
+ ;;
+ * ) echo "invalid response. Please enter yes or no";;
+ esac
+ done
 fi
 if [[ "$zpa_enabled" == "true" || "$dtype" == *"zpa" ]]; then
diff --git a/modules/terraform-zscc-asg-aws/README.md b/modules/terraform-zscc-asg-aws/README.md
index f71798de..c588391f 100644
--- a/modules/terraform-zscc-asg-aws/README.md
+++ b/modules/terraform-zscc-asg-aws/README.md
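Review bot: In the single-AZ branch of the Route 53 subnet prompt the exported value is `${cc_subnets_1}` rather than the `r53_subnets_1` that was just read, so the Route 53 range the user typed is discarded and the Cloud Connector range is written in its place; the line should be `echo "export TF_VAR_route53_subnets='[\"${r53_subnets_1}\"]'" >> .zsecrc`. The two- and three-AZ branches use the right variable, which makes this look like a copy-paste slip that only bites single-AZ brownfield deployments. Two smaller wording issues in the same hunk: the three-AZ CC subnet branch asks for a "second subnet ID" where a range is expected, and the messages contain "Attemping" and "assumeds".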
@@ -42,6 +42,8 @@ No modules.
 | [aws_sns_topic.cc_asg_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_subscription.cc_asg_topic_email_subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [null_resource.error_checker](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_ebs_default_kms_key.current_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
+| [aws_kms_alias.current_kms_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
 | [aws_sns_topic.cc_asg_topic_selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/sns_topic) | data source |
 ## Inputs
@@ -49,11 +51,14 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a launch template change. | `list(string)` | n/a | yes |
+| [byo\_kms\_key\_alias](#input\_byo\_kms\_key\_alias) | Requires var.ebs\_encryption\_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | `string` | `null` | no |
 | [byo\_sns\_topic](#input\_byo\_sns\_topic) | Determine whether or not to create an AWS SNS topic and topic subscription for email alerts. Setting this variable to true implies you should also set variable sns\_enabled to true | `bool` | `false` | no |
 | [byo\_sns\_topic\_name](#input\_byo\_sns\_topic\_name) | Existing SNS Topic friendly name to be used for autoscaling group notifications | `string` | `""` | no |
 | [cc\_instance\_size](#input\_cc\_instance\_size) | Cloud Connector Instance size. Determined by and needs to match the Cloud Connector Portal provisioning template configuration | `string` | `"small"` | no |
 | [cc\_subnet\_ids](#input\_cc\_subnet\_ids) | Cloud Connector EC2 Instance subnet IDs list | `list(string)` | n/a | yes |
 | [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"m6i.large"` | no |
+| [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no |
+| [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. 
Defaults to gp3 | `string` | `"gp3"` | no |
 | [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no |
 | [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | The amount of time until EC2 Auto Scaling performs the first health check on new instances after they are put into service. With lifecycle hooks it is immediate. Otheriwse Default is 15 minutes | `number` | `0` | no |
 | [health\_check\_type](#input\_health\_check\_type) | EC2 or ELB. Controls how health checking is done | `string` | `"EC2"` | no |
diff --git a/modules/terraform-zscc-asg-aws/main.tf b/modules/terraform-zscc-asg-aws/main.tf
index 2de2dcb0..e5c3fb19 100755
--- a/modules/terraform-zscc-asg-aws/main.tf
+++ b/modules/terraform-zscc-asg-aws/main.tf
@@ -11,6 +11,22 @@ EOF
 }
+################################################################################
+# Retrieve the default AWS KMS key in the current region for EBS encryption
+################################################################################
+data "aws_ebs_default_kms_key" "current_kms_key" {
+ count = var.ebs_encryption_enabled ? 1 : 0
+}
+
+################################################################################
+# Retrieve an alias for the KMS key for EBS encryption
+################################################################################
+data "aws_kms_alias" "current_kms_arn" {
+ count = var.ebs_encryption_enabled ? 1 : 0
+ name = coalesce(var.byo_kms_key_alias, data.aws_ebs_default_kms_key.current_kms_key[0].key_arn)
+}
+
+
 ################################################################################
 # Create launch template for Cloud Connector autoscaling group instance creation.
 # Mgmt and service interface device indexes are swapped to support ASG + GWLB 
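Review bot: `name = coalesce(var.byo_kms_key_alias, data.aws_ebs_default_kms_key.current_kms_key[0].key_arn)` feeds an attribute named `key_arn` into a data source whose `name` argument is an alias name; as far as I recall this only works while the account's EBS default is still the AWS managed key (reported as `alias/aws/ebs`), and once an account has set a customer-managed key as its EBS default the attribute is a key ARN, the alias lookup fails, and the module breaks for exactly the tenants most likely to care about this feature. The default-key lookup is also unnecessary, since EC2 encrypts with the account's EBS default key when `encrypted = true` and no `kms_key_id` is given, which is what the data source is retrieving. I would gate the alias lookup on an explicit alias, `count = var.ebs_encryption_enabled && var.byo_kms_key_alias != null ? 1 : 0` and `name = var.byo_kms_key_alias`, drop `aws_ebs_default_kms_key`, and in the launch template's `ebs` block set `kms_key_id = var.byo_kms_key_alias != null ? data.aws_kms_alias.current_kms_arn[0].target_key_arn : null`. The identical data-source pair and `kms_key_id` expression are added in modules/terraform-zscc-ccvm-aws/main.tf.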
@@ -23,6 +39,7 @@ resource "aws_launch_template" "cc_launch_template" {
 instance_type = var.ccvm_instance_type
 key_name = var.instance_key
 user_data = base64encode(var.user_data)
+ ebs_optimized = true
 iam_instance_profile {
 name = element(var.iam_instance_profile, count.index)
@@ -58,6 +75,17 @@ resource "aws_launch_template" "cc_launch_template" {
 instance_metadata_tags = "enabled"
 }
+ block_device_mappings {
+ device_name = "/dev/sda1"
+
+ ebs {
+ delete_on_termination = true
+ encrypted = var.ebs_encryption_enabled
+ kms_key_id = var.ebs_encryption_enabled ? data.aws_kms_alias.current_kms_arn[0].target_key_arn : null
+ volume_type = var.ebs_volume_type
+ }
+ }
+
 tags = merge(var.global_tags)
 lifecycle {
diff --git a/modules/terraform-zscc-asg-aws/variables.tf b/modules/terraform-zscc-asg-aws/variables.tf
index b932dc6f..15f99eb7 100644
--- a/modules/terraform-zscc-asg-aws/variables.tf
+++ b/modules/terraform-zscc-asg-aws/variables.tf
@@ -240,3 +240,21 @@ variable "imdsv2_enabled" {
 description = "true/false whether to force IMDSv2 only for instance bring up. Default is true"
 default = true
 }
+
+variable "ebs_volume_type" {
+ type = string
+ description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3"
+ default = "gp3"
+}
+
+variable "ebs_encryption_enabled" {
+ type = bool
+ description = "true/false whether to enable EBS encryption on the root volume. Default is true"
+ default = true
+}
+
+variable "byo_kms_key_alias" {
+ type = string
+ description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key"
+ default = null
+}
diff --git a/modules/terraform-zscc-ccvm-aws/README.md b/modules/terraform-zscc-ccvm-aws/README.md
index caf82526..49d98841 100644
--- a/modules/terraform-zscc-ccvm-aws/README.md
+++ b/modules/terraform-zscc-ccvm-aws/README.md
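Review bot: `device_name = "/dev/sda1"` in the new `block_device_mappings` hard-codes the root device name; if the Cloud Connector AMI registers its root under a different name (`/dev/xvda` is common on Linux AMIs), this mapping attaches an additional encrypted volume while the root volume stays exactly as the AMI defines it, silently defeating `ebs_encryption_enabled`. The `aws_instance` counterpart in modules/terraform-zscc-ccvm-aws/main.tf uses `root_block_device` and does not have this exposure. If the module already resolves the AMI, `device_name = data.aws_ami.<AMI_LOOKUP_NAME>.root_device_name` (placeholder name) ties the mapping to the real root device; otherwise a comment such as `# /dev/sda1 verified as the root device name of the Cloud Connector marketplace AMI` would at least record the assumption. The `aws_launch_template` resource starts and ends outside this hunk.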
@@ -35,15 +35,20 @@ No modules.
 | [aws_network_interface.cc_vm_nic_index_4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_interface) | resource |
 | [aws_network_interface.cc_vm_nic_index_5](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_interface) | resource |
 | [null_resource.error_checker](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_ebs_default_kms_key.current_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
+| [aws_kms_alias.current_kms_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc\_count index | `list(string)` | n/a | yes |
+| [byo\_kms\_key\_alias](#input\_byo\_kms\_key\_alias) | Requires var.ebs\_encryption\_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | `string` | `null` | no |
 | [cc\_count](#input\_cc\_count) | Default number of Cloud Connector appliances to create | `number` | `1` | no |
 | [cc\_instance\_size](#input\_cc\_instance\_size) | Cloud Connector Instance size. 
Determined by and needs to match the Cloud Connector Portal provisioning template configuration | `string` | `"small"` | no |
 | [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"m6i.large"` | no |
+| [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no |
+| [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no |
 | [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no |
 | [iam\_instance\_profile](#input\_iam\_instance\_profile) | IAM instance profile ID assigned to Cloud Connector | `list(string)` | n/a | yes |
 | [imdsv2\_enabled](#input\_imdsv2\_enabled) | true/false whether to force IMDSv2 only for instance bring up. Default is true | `bool` | `true` | no |
diff --git a/modules/terraform-zscc-ccvm-aws/main.tf b/modules/terraform-zscc-ccvm-aws/main.tf
index c54f56b8..49176771 100755
--- a/modules/terraform-zscc-ccvm-aws/main.tf
+++ b/modules/terraform-zscc-ccvm-aws/main.tf
@@ -11,6 +11,22 @@ EOF
 }
+################################################################################
+# Retrieve the default AWS KMS key in the current region for EBS encryption
+################################################################################
+data "aws_ebs_default_kms_key" "current_kms_key" {
+ count = var.ebs_encryption_enabled ? 1 : 0
+}
+
+################################################################################
+# Retrieve an alias for the KMS key for EBS encryption
+################################################################################
+data "aws_kms_alias" "current_kms_arn" {
+ count = var.ebs_encryption_enabled ? 1 : 0
+ name = coalesce(var.byo_kms_key_alias, data.aws_ebs_default_kms_key.current_kms_key[0].key_arn)
+}
+
+
 ################################################################################
 # Create Cloud Connector VM
 ################################################################################
@@ -21,6 +37,7 @@ resource "aws_instance" "cc_vm" {
 iam_instance_profile = element(var.iam_instance_profile, count.index)
 key_name = var.instance_key
 user_data = base64encode(var.user_data)
+ ebs_optimized = true
 metadata_options {
 http_endpoint = "enabled"
@@ -32,6 +49,16 @@ resource "aws_instance" "cc_vm" {
 network_interface_id = aws_network_interface.cc_vm_nic_index_0[count.index].id
 }
+ root_block_device {
+ delete_on_termination = true
+ encrypted = var.ebs_encryption_enabled
+ kms_key_id = var.ebs_encryption_enabled ? data.aws_kms_alias.current_kms_arn[0].target_key_arn : null
+ volume_type = var.ebs_volume_type
+ tags = merge(var.global_tags,
+ { Name = "${var.name_prefix}-cc-vm-${count.index + 1}-ebs-${var.resource_tag}" }
+ )
+ }
+
 tags = merge(var.global_tags,
 { Name = "${var.name_prefix}-cc-vm-${count.index + 1}-${var.resource_tag}" }
 )
diff --git a/modules/terraform-zscc-ccvm-aws/variables.tf b/modules/terraform-zscc-ccvm-aws/variables.tf
index d8d55fff..4730c5e1 100755
--- a/modules/terraform-zscc-ccvm-aws/variables.tf
+++ b/modules/terraform-zscc-ccvm-aws/variables.tf
@@ -115,3 +115,21 @@ variable "imdsv2_enabled" {
 description = "true/false whether to force IMDSv2 only for instance bring up. Default is true"
 default = true
 }
+
+variable "ebs_volume_type" {
+ type = string
+ description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3"
+ default = "gp3"
+}
+
+variable "ebs_encryption_enabled" {
+ type = bool
+ description = "true/false whether to enable EBS encryption on the root volume. Default is true"
+ default = true
+}
+
+variable "byo_kms_key_alias" {
+ type = string
+ description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key"
+ default = null
+}