refactor: outbound endpoint security group

CHANGELOG.md

@@ -1,7 +1,16 @@
 ## UNRELEASED (TBD)
 ENHANCEMENTS:
-* add variable additional_management_security_group_ids to terraform-zscc-ccvm-aws and terraform-zscc-asg-aws
-
+* Module Changes:
+    - terraform-zscc-ccvm-aws:
+        - add variable additional_management_security_group_ids
+    - terraform-zscc-asg-aws:
+        - add variable additional_management_security_group_ids
+    - terraform-zscc-sg-aws:
+        - add resource aws_security_group.outbound_endpoint_sg
+        - add variables byo_route53_resolver_outbound_endpoint_group_id and zpa_enabled
+    - terraform-zscc-route53-aws:
+        - add variable outbound_endpoint_security_group_ids
+        - remove default security group usage per AWS best practices
 
 ## 1.3.3 (August 30, 2024)
 ENHANCEMENTS:

examples/base_1cc_zpa/main.tf

@@ -203,15 +203,15 @@ module "cc_sg" {
 #    redirection to facilitate Cloud Connector ZPA service.
 ################################################################################
 module "route53" {
-  source                              = "../../modules/terraform-zscc-route53-aws"
-  name_prefix                         = var.name_prefix
-  resource_tag                        = random_string.suffix.result
-  global_tags                         = local.global_tags
-  vpc_id                              = module.network.vpc_id
-  r53_subnet_ids                      = module.network.route53_subnet_ids
-  outbound_endpoint_security_group_id = module.cc_sg.outbound_endpoint_security_group_id
-  domain_names                        = var.domain_names
-  target_address                      = var.target_address
+  source                               = "../../modules/terraform-zscc-route53-aws"
+  name_prefix                          = var.name_prefix
+  resource_tag                         = random_string.suffix.result
+  global_tags                          = local.global_tags
+  vpc_id                               = module.network.vpc_id
+  r53_subnet_ids                       = module.network.route53_subnet_ids
+  outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
+  domain_names                         = var.domain_names
+  target_address                       = var.target_address
 }
 
 

examples/base_2cc_zpa/main.tf

@@ -220,15 +220,15 @@ module "cc_lambda" {
 #    redirection to facilitate Cloud Connector ZPA service.
 ################################################################################
 module "route53" {
-  source                              = "../../modules/terraform-zscc-route53-aws"
-  name_prefix                         = var.name_prefix
-  resource_tag                        = random_string.suffix.result
-  global_tags                         = local.global_tags
-  vpc_id                              = module.network.vpc_id
-  r53_subnet_ids                      = module.network.route53_subnet_ids
-  outbound_endpoint_security_group_id = module.cc_sg.outbound_endpoint_security_group_id
-  domain_names                        = var.domain_names
-  target_address                      = var.target_address
+  source                               = "../../modules/terraform-zscc-route53-aws"
+  name_prefix                          = var.name_prefix
+  resource_tag                         = random_string.suffix.result
+  global_tags                          = local.global_tags
+  vpc_id                               = module.network.vpc_id
+  r53_subnet_ids                       = module.network.route53_subnet_ids
+  outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
+  domain_names                         = var.domain_names
+  target_address                       = var.target_address
 }
 
 

examples/base_cc_gwlb_asg_zpa/main.tf

@@ -260,15 +260,15 @@ module "gwlb_endpoint" {
 #    redirection to facilitate Cloud Connector ZPA service.
 ################################################################################
 module "route53" {
-  source                              = "../../modules/terraform-zscc-route53-aws"
-  name_prefix                         = var.name_prefix
-  resource_tag                        = random_string.suffix.result
-  global_tags                         = local.global_tags
-  vpc_id                              = module.network.vpc_id
-  r53_subnet_ids                      = module.network.route53_subnet_ids
-  outbound_endpoint_security_group_id = module.cc_sg.outbound_endpoint_security_group_id
-  domain_names                        = var.domain_names
-  target_address                      = var.target_address
+  source                               = "../../modules/terraform-zscc-route53-aws"
+  name_prefix                          = var.name_prefix
+  resource_tag                         = random_string.suffix.result
+  global_tags                          = local.global_tags
+  vpc_id                               = module.network.vpc_id
+  r53_subnet_ids                       = module.network.route53_subnet_ids
+  outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
+  domain_names                         = var.domain_names
+  target_address                       = var.target_address
 }
 
 

examples/base_cc_gwlb_zpa/main.tf

@@ -243,15 +243,15 @@ module "gwlb_endpoint" {
 #    redirection to facilitate Cloud Connector ZPA service.
 ################################################################################
 module "route53" {
-  source                              = "../../modules/terraform-zscc-route53-aws"
-  name_prefix                         = var.name_prefix
-  resource_tag                        = random_string.suffix.result
-  global_tags                         = local.global_tags
-  vpc_id                              = module.network.vpc_id
-  r53_subnet_ids                      = module.network.route53_subnet_ids
-  outbound_endpoint_security_group_id = module.cc_sg.outbound_endpoint_security_group_id
-  domain_names                        = var.domain_names
-  target_address                      = var.target_address
+  source                               = "../../modules/terraform-zscc-route53-aws"
+  name_prefix                          = var.name_prefix
+  resource_tag                         = random_string.suffix.result
+  global_tags                          = local.global_tags
+  vpc_id                               = module.network.vpc_id
+  r53_subnet_ids                       = module.network.route53_subnet_ids
+  outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
+  domain_names                         = var.domain_names
+  target_address                       = var.target_address
 }
 
 

examples/cc_gwlb/main.tf

@@ -234,16 +234,16 @@ module "gwlb_endpoint" {
 #    This can optionally be enabled/disabled per variable "zpa_enabled".
 ################################################################################
 module "route53" {
-  count                               = var.zpa_enabled == true ? 1 : 0
-  source                              = "../../modules/terraform-zscc-route53-aws"
-  name_prefix                         = var.name_prefix
-  resource_tag                        = random_string.suffix.result
-  global_tags                         = local.global_tags
-  vpc_id                              = module.network.vpc_id
-  r53_subnet_ids                      = module.network.route53_subnet_ids
-  outbound_endpoint_security_group_id = module.cc_sg.outbound_endpoint_security_group_id
-  domain_names                        = var.domain_names
-  target_address                      = var.target_address
+  count                                = var.zpa_enabled == true ? 1 : 0
+  source                               = "../../modules/terraform-zscc-route53-aws"
+  name_prefix                          = var.name_prefix
+  resource_tag                         = random_string.suffix.result
+  global_tags                          = local.global_tags
+  vpc_id                               = module.network.vpc_id
+  r53_subnet_ids                       = module.network.route53_subnet_ids
+  outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
+  domain_names                         = var.domain_names
+  target_address                       = var.target_address
 }
 
 

examples/cc_gwlb_asg/main.tf

@@ -252,16 +252,16 @@ module "gwlb_endpoint" {
 #    This can optionally be enabled/disabled per variable "zpa_enabled".
 ################################################################################
 module "route53" {
-  count                               = var.zpa_enabled == true ? 1 : 0
-  source                              = "../../modules/terraform-zscc-route53-aws"
-  name_prefix                         = var.name_prefix
-  resource_tag                        = random_string.suffix.result
-  global_tags                         = local.global_tags
-  vpc_id                              = module.network.vpc_id
-  r53_subnet_ids                      = module.network.route53_subnet_ids
-  outbound_endpoint_security_group_id = module.cc_sg.outbound_endpoint_security_group_id
-  domain_names                        = var.domain_names
-  target_address                      = var.target_address
+  count                                = var.zpa_enabled == true ? 1 : 0
+  source                               = "../../modules/terraform-zscc-route53-aws"
+  name_prefix                          = var.name_prefix
+  resource_tag                         = random_string.suffix.result
+  global_tags                          = local.global_tags
+  vpc_id                               = module.network.vpc_id
+  r53_subnet_ids                       = module.network.route53_subnet_ids
+  outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
+  domain_names                         = var.domain_names
+  target_address                       = var.target_address
 }
 
 

examples/cc_ha/main.tf

@@ -224,16 +224,16 @@ module "cc_lambda" {
 #    This can optionally be enabled/disabled per variable "zpa_enabled".
 ################################################################################
 module "route53" {
-  count                               = var.zpa_enabled == true ? 1 : 0
-  source                              = "../../modules/terraform-zscc-route53-aws"
-  name_prefix                         = var.name_prefix
-  resource_tag                        = random_string.suffix.result
-  global_tags                         = local.global_tags
-  vpc_id                              = module.network.vpc_id
-  r53_subnet_ids                      = module.network.route53_subnet_ids
-  outbound_endpoint_security_group_id = module.cc_sg.outbound_endpoint_security_group_id
-  domain_names                        = var.domain_names
-  target_address                      = var.target_address
+  count                                = var.zpa_enabled == true ? 1 : 0
+  source                               = "../../modules/terraform-zscc-route53-aws"
+  name_prefix                          = var.name_prefix
+  resource_tag                         = random_string.suffix.result
+  global_tags                          = local.global_tags
+  vpc_id                               = module.network.vpc_id
+  r53_subnet_ids                       = module.network.route53_subnet_ids
+  outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
+  domain_names                         = var.domain_names
+  target_address                       = var.target_address
 }
 
 

modules/terraform-zscc-route53-aws/README.md

@@ -33,7 +33,6 @@ No modules.
 | [aws_route53_resolver_rule.system](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource |
 | [aws_route53_resolver_rule_association.r53_rule_association_system](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
 | [aws_route53_resolver_rule_association.r53_rule_association_to_cc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
-| [aws_security_group.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 
 ## Inputs
 
@@ -42,6 +41,7 @@ No modules.
 | <a name="input_domain_names"></a> [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars step 10 | `map(any)` | n/a | yes |
 | <a name="input_global_tags"></a> [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | A prefix to associate to all Route 53 module resources | `string` | `null` | no |
+| <a name="input_outbound_endpoint_security_group_ids"></a> [outbound\_endpoint\_security\_group\_ids](#input\_outbound\_endpoint\_security\_group\_ids) | Route53 DNS Resolver Outbound Endpoint Security Group ID | `list(string)` | n/a | yes |
 | <a name="input_r53_subnet_ids"></a> [r53\_subnet\_ids](#input\_r53\_subnet\_ids) | List of Subnet IDs for the Route53 Endpoint | `list(string)` | n/a | yes |
 | <a name="input_resource_tag"></a> [resource\_tag](#input\_resource\_tag) | A tag to associate to all Route 53 module resources | `string` | `null` | no |
 | <a name="input_target_address"></a> [target\_address](#input\_target\_address) | Route 53 DNS queries will be forwarded to these Zscaler Global VIP addresses | `list(string)` | <pre>[<br>  "185.46.212.88",<br>  "185.46.212.89"<br>]</pre> | no |

modules/terraform-zscc-route53-aws/main.tf

@@ -5,7 +5,7 @@ resource "aws_route53_resolver_endpoint" "zpa_r53_ep" {
   name      = "${var.name_prefix}-r53-resolver-ep-${var.resource_tag}"
   direction = "OUTBOUND"
 
-  security_group_ids = var.outbound_endpoint_security_group_id
+  security_group_ids = var.outbound_endpoint_security_group_ids
 
   dynamic "ip_address" {
     for_each = var.r53_subnet_ids

modules/terraform-zscc-route53-aws/variables.tf

@@ -26,7 +26,7 @@ variable "r53_subnet_ids" {
   description = "List of Subnet IDs for the Route53 Endpoint"
 }
 
-variable "outbound_endpoint_security_group_id" {
+variable "outbound_endpoint_security_group_ids" {
   type        = list(string)
   description = "Route53 DNS Resolver Outbound Endpoint Security Group ID"
 }