docs: update tfvars for new sg vars

zscaler · Sep 22, 2023 · a23a8f2 · a23a8f2
1 parent 6836ed7
commit a23a8f2
Show file tree

Hide file tree

Showing 12 changed files with 216 additions and 74 deletions.
diff --git a/examples/base_1cc/terraform.tfvars b/examples/base_1cc/terraform.tfvars
@@ -95,17 +95,30 @@
 
 #owner_tag                                  = "[email protected]"
 
-## 11. By default, this script will apply 1 Security Group per Cloud Connector instance. 
+## 11. SSH management access from the local VPC is enabled by default (true). Uncomment if you
+##     want to disable this.
+##     Note: Cloud Connector will only be accessible via AWS Session Manager SSM
+
+#mgmt_ssh_enabled                           = false
+
+## 12. By default, a security group is created and assigned to the CC service interface(s).
+##     There is an optional rule that permits Cloud Connector to forward direct traffic out
+##     on all ports and protocols. (Default: true). Uncomment if you want to restrict
+##     traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports.
+
+#all_ports_egress_enabled                   = false
+
+## 13. By default, this script will apply 1 Security Group per Cloud Connector instance. 
 ##     Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_security_group                       = true
 
-## 12. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
+## 14. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
 ##     Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_iam                                  = true
 
-## 13. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
+## 15. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
 ##     This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. 
 ##     It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index
 

diff --git a/examples/base_1cc_zpa/terraform.tfvars b/examples/base_1cc_zpa/terraform.tfvars
@@ -110,17 +110,30 @@
 
 #owner_tag                                  = "[email protected]"
 
-## 11. By default, this script will apply 1 Security Group per Cloud Connector instance. 
+## 11. SSH management access from the local VPC is enabled by default (true). Uncomment if you
+##     want to disable this.
+##     Note: Cloud Connector will only be accessible via AWS Session Manager SSM
+
+#mgmt_ssh_enabled                           = false
+
+## 12. By default, a security group is created and assigned to the CC service interface(s).
+##     There is an optional rule that permits Cloud Connector to forward direct traffic out
+##     on all ports and protocols. (Default: true). Uncomment if you want to restrict
+##     traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports.
+
+#all_ports_egress_enabled                   = false
+
+## 13. By default, this script will apply 1 Security Group per Cloud Connector instance. 
 ##     Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_security_group                       = true
 
-## 12. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
+## 14. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
 ##     Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_iam                                  = true
 
-## 13. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
+## 15. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
 ##     This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. 
 ##     It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index
 

diff --git a/examples/base_2cc/terraform.tfvars b/examples/base_2cc/terraform.tfvars
@@ -77,17 +77,30 @@
 
 #owner_tag                                  = "[email protected]"
 
-## 11. By default, this script will apply 1 Security Group per Cloud Connector instance. 
+## 11. SSH management access from the local VPC is enabled by default (true). Uncomment if you
+##     want to disable this.
+##     Note: Cloud Connector will only be accessible via AWS Session Manager SSM
+
+#mgmt_ssh_enabled                           = false
+
+## 12. By default, a security group is created and assigned to the CC service interface(s).
+##     There is an optional rule that permits Cloud Connector to forward direct traffic out
+##     on all ports and protocols. (Default: true). Uncomment if you want to restrict
+##     traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports.
+
+#all_ports_egress_enabled                   = false
+
+## 13. By default, this script will apply 1 Security Group per Cloud Connector instance. 
 ##     Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_security_group                       = true
 
-## 12. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
+## 14. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
 ##     Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_iam                                  = true
 
-## 13. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
+## 15. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
 ##     This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. 
 ##     It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index
 

diff --git a/examples/base_2cc_zpa/terraform.tfvars b/examples/base_2cc_zpa/terraform.tfvars
@@ -110,17 +110,30 @@
 
 #owner_tag                                  = "[email protected]"
 
-## 11. By default, this script will apply 1 Security Group per Cloud Connector instance. 
+## 11. SSH management access from the local VPC is enabled by default (true). Uncomment if you
+##     want to disable this.
+##     Note: Cloud Connector will only be accessible via AWS Session Manager SSM
+
+#mgmt_ssh_enabled                           = false
+
+## 12. By default, a security group is created and assigned to the CC service interface(s).
+##     There is an optional rule that permits Cloud Connector to forward direct traffic out
+##     on all ports and protocols. (Default: true). Uncomment if you want to restrict
+##     traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports.
+
+#all_ports_egress_enabled                   = false
+
+## 13. By default, this script will apply 1 Security Group per Cloud Connector instance. 
 ##     Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_security_group                       = true
 
-## 12. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
+## 14. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
 ##     Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_iam                                  = true
 
-## 13. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
+## 15. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
 ##     This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. 
 ##     It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index
 

diff --git a/examples/base_cc_gwlb/terraform.tfvars b/examples/base_cc_gwlb/terraform.tfvars
@@ -126,27 +126,40 @@
 
 #rebalance_enabled                          = false
 
-## 16. By default, this script will apply 1 Security Group per Cloud Connector instance. 
+## 16. SSH management access from the local VPC is enabled by default (true). Uncomment if you
+##     want to disable this.
+##     Note: Cloud Connector will only be accessible via AWS Session Manager SSM
+
+#mgmt_ssh_enabled                           = false
+
+## 17. By default, a security group is created and assigned to the CC service interface(s).
+##     There is an optional rule that permits Cloud Connector to forward direct traffic out
+##     on all ports and protocols. (Default: true). Uncomment if you want to restrict
+##     traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports.
+
+#all_ports_egress_enabled                   = false
+
+## 18. By default, this script will apply 1 Security Group per Cloud Connector instance. 
 ##     Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_security_group                       = true
 
-## 17. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
+## 19. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
 ##     Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_iam                                  = true
 
-## 18. By default, the VPC Endpoint Service created will auto accept any VPC Endpoint registration attempts.
+## 20. By default, the VPC Endpoint Service created will auto accept any VPC Endpoint registration attempts.
 ##     Uncomment if you want to require manual acceptance. (true or false. Default: false)
 
 #acceptance_required                        = true
 
-## 19. By default, the VPC Endpoint Service is configured to auto accept any VPC Endpoint registration attempts from any principal in the current AWS Account.
+## 21. By default, the VPC Endpoint Service is configured to auto accept any VPC Endpoint registration attempts from any principal in the current AWS Account.
 ##     Uncomment if you want to override this with more specific/restrictive principals. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests"
 
 #allowed_principals                         = [\"arn:aws:iam::1234567890:root\"]
 
-## 20. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
+## 22. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
 ##     This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. 
 ##     It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index
 

diff --git a/examples/base_cc_gwlb_asg/terraform.tfvars b/examples/base_cc_gwlb_asg/terraform.tfvars
@@ -172,3 +172,16 @@
 ## 29. Existing SNS Topic friendly name to be used for autoscaling group notifications assignment
 
 #byo_sns_topic_name                         = "topic-name"
+
+## 30. SSH management access from the local VPC is enabled by default (true). Uncomment if you
+##     want to disable this.
+##     Note: Cloud Connector will only be accessible via AWS Session Manager SSM
+
+#mgmt_ssh_enabled                           = false
+
+## 31. By default, a security group is created and assigned to the CC service interface(s).
+##     There is an optional rule that permits Cloud Connector to forward direct traffic out
+##     on all ports and protocols. (Default: true). Uncomment if you want to restrict
+##     traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports.
+
+#all_ports_egress_enabled                   = false
diff --git a/examples/base_cc_gwlb_asg_zpa/terraform.tfvars b/examples/base_cc_gwlb_asg_zpa/terraform.tfvars
@@ -186,3 +186,16 @@
 ## 29. Existing SNS Topic friendly name to be used for autoscaling group notifications assignment
 
 #byo_sns_topic_name                         = "topic-name"
+
+## 30. SSH management access from the local VPC is enabled by default (true). Uncomment if you
+##     want to disable this.
+##     Note: Cloud Connector will only be accessible via AWS Session Manager SSM
+
+#mgmt_ssh_enabled                           = false
+
+## 31. By default, a security group is created and assigned to the CC service interface(s).
+##     There is an optional rule that permits Cloud Connector to forward direct traffic out
+##     on all ports and protocols. (Default: true). Uncomment if you want to restrict
+##     traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports.
+
+#all_ports_egress_enabled                   = false
diff --git a/examples/base_cc_gwlb_zpa/terraform.tfvars b/examples/base_cc_gwlb_zpa/terraform.tfvars
@@ -141,27 +141,40 @@
 
 #rebalance_enabled                          = false
 
-## 16. By default, this script will apply 1 Security Group per Cloud Connector instance. 
+## 16. SSH management access from the local VPC is enabled by default (true). Uncomment if you
+##     want to disable this.
+##     Note: Cloud Connector will only be accessible via AWS Session Manager SSM
+
+#mgmt_ssh_enabled                           = false
+
+## 17. By default, a security group is created and assigned to the CC service interface(s).
+##     There is an optional rule that permits Cloud Connector to forward direct traffic out
+##     on all ports and protocols. (Default: true). Uncomment if you want to restrict
+##     traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports.
+
+#all_ports_egress_enabled                   = false
+
+## 18. By default, this script will apply 1 Security Group per Cloud Connector instance. 
 ##     Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_security_group                       = true
 
-## 17. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
+## 19. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
 ##     Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_iam                                  = true
 
-## 18. By default, the VPC Endpoint Service created will auto accept any VPC Endpoint registration attempts.
+## 20. By default, the VPC Endpoint Service created will auto accept any VPC Endpoint registration attempts.
 ##     Uncomment if you want to require manual acceptance. (true or false. Default: false)
 
 #acceptance_required                        = true
 
-## 19. By default, the VPC Endpoint Service is configured to auto accept any VPC Endpoint registration attempts from any principal in the current AWS Account.
+## 21. By default, the VPC Endpoint Service is configured to auto accept any VPC Endpoint registration attempts from any principal in the current AWS Account.
 ##     Uncomment if you want to override this with more specific/restrictive principals. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests"
 
 #allowed_principals                         = [\"arn:aws:iam::1234567890:root\"]
 
-## 20. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
+## 22. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
 ##     This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. 
 ##     It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index