From a23a8f24ee8ca8fc4b74ac6b6f17832112c5ab2b Mon Sep 17 00:00:00 2001
From: Jameson Molnar
Date: Fri, 22 Sep 2023 16:44:43 -0400
Subject: [PATCH] docs: update tfvars for new sg vars
---
 examples/base_1cc/terraform.tfvars | 19 +++++-
 examples/base_1cc_zpa/terraform.tfvars | 19 +++++-
 examples/base_2cc/terraform.tfvars | 19 +++++-
 examples/base_2cc_zpa/terraform.tfvars | 19 +++++-
 examples/base_cc_gwlb/terraform.tfvars | 23 +++++++-
 examples/base_cc_gwlb_asg/terraform.tfvars | 13 +++++
 .../base_cc_gwlb_asg_zpa/terraform.tfvars | 13 +++++
 examples/base_cc_gwlb_zpa/terraform.tfvars | 23 +++++++-
 examples/cc_gwlb/terraform.tfvars | 51 ++++++++++++-------
 examples/cc_gwlb_asg/terraform.tfvars | 40 ++++++++++-----
 examples/cc_ha/terraform.tfvars | 49 +++++++++++------
 modules/terraform-zscc-sg-aws/README.md | 2 +-
 12 files changed, 216 insertions(+), 74 deletions(-)
diff --git a/examples/base_1cc/terraform.tfvars b/examples/base_1cc/terraform.tfvars
index 806efb30..6fff8227 100755
--- a/examples/base_1cc/terraform.tfvars
+++ b/examples/base_1cc/terraform.tfvars
@@ -95,17 +95,30 @@ #owner_tag = "username@company.com" -## 11. By default, this script will apply 1 Security Group per Cloud Connector instance. +## 11. SSH management access from the local VPC is enabled by default (true). Uncomment if you +## want to disable this. +## Note: Cloud Connector will only be accessible via AWS Session Manager SSM + +#mgmt_ssh_enabled = false + +## 12. By default, a security group is created and assigned to the CC service interface(s). +## There is an optional rule that permits Cloud Connector to forward direct traffic out +## on all ports and protocols. (Default: true). Uncomment if you want to restrict +## traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports. + +#all_ports_egress_enabled = false + +## 13. By default, this script will apply 1 Security Group per Cloud Connector instance. ## Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false) #reuse_security_group = true -## 12. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. +## 14. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. ## Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false) #reuse_iam = true -## 13. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. +## 15. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. ## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. ## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index diff --git a/examples/base_1cc_zpa/terraform.tfvars b/examples/base_1cc_zpa/terraform.tfvars index 218ce16b..9b5e32ef 100755 
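Review bot: The two new entries state their defaults differently from every neighbouring entry, which makes the file harder to scan: item 11 gives the default only in prose ("enabled by default (true)") and item 12 buries "(Default: true)" mid-sentence, while items 13–15 keep the established trailing form "(true or false. Default: false)". Suggest ending each new entry the same way, e.g. `## 11. SSH management access from the local VPC is enabled by default. Uncomment if you want to disable this. (true or false. Default: true)` and `## ... Uncomment if you want to restrict traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports. (true or false. Default: true)`. "The ZIA/ZPA required HTTPS TCP/UDP ports" is vague for a setting that decides what egress the service interface is permitted, so pointing the reader at modules/terraform-zscc-sg-aws/README.md (also touched in this patch) for the exact rule set would let an operator verify the restricted rules before enabling them. The identical text is added in the base_1cc_zpa, base_2cc, base_2cc_zpa, base_cc_gwlb, base_cc_gwlb_asg, base_cc_gwlb_asg_zpa, base_cc_gwlb_zpa, cc_gwlb, cc_gwlb_asg and cc_ha hunks, so the same wording change applies there.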
--- a/examples/base_1cc_zpa/terraform.tfvars +++ b/examples/base_1cc_zpa/terraform.tfvars @@ -110,17 +110,30 @@ #owner_tag = "username@company.com" -## 11. By default, this script will apply 1 Security Group per Cloud Connector instance. +## 11. SSH management access from the local VPC is enabled by default (true). Uncomment if you +## want to disable this. +## Note: Cloud Connector will only be accessible via AWS Session Manager SSM + +#mgmt_ssh_enabled = false + +## 12. By default, a security group is created and assigned to the CC service interface(s). +## There is an optional rule that permits Cloud Connector to forward direct traffic out +## on all ports and protocols. (Default: true). Uncomment if you want to restrict +## traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports. + +#all_ports_egress_enabled = false + +## 13. By default, this script will apply 1 Security Group per Cloud Connector instance. ## Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false) #reuse_security_group = true -## 12. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. +## 14. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. ## Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false) #reuse_iam = true -## 13. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. +## 15. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. ## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. ## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index 
diff --git a/examples/base_2cc/terraform.tfvars b/examples/base_2cc/terraform.tfvars
index ecf863cd..1f7e3300 100755
--- a/examples/base_2cc/terraform.tfvars
+++ b/examples/base_2cc/terraform.tfvars
@@ -77,17 +77,30 @@ #owner_tag = "username@company.com" -## 11. By default, this script will apply 1 Security Group per Cloud Connector instance. +## 11. SSH management access from the local VPC is enabled by default (true). Uncomment if you +## want to disable this. +## Note: Cloud Connector will only be accessible via AWS Session Manager SSM + +#mgmt_ssh_enabled = false + +## 12. By default, a security group is created and assigned to the CC service interface(s). +## There is an optional rule that permits Cloud Connector to forward direct traffic out +## on all ports and protocols. (Default: true). Uncomment if you want to restrict +## traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports. + +#all_ports_egress_enabled = false + +## 13. By default, this script will apply 1 Security Group per Cloud Connector instance. ## Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false) #reuse_security_group = true -## 12. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. +## 14. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. ## Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false) #reuse_iam = true -## 13. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. +## 15. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. ## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. ## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index diff --git a/examples/base_2cc_zpa/terraform.tfvars b/examples/base_2cc_zpa/terraform.tfvars index 7f659a33..68d32735 100755 
--- a/examples/base_2cc_zpa/terraform.tfvars +++ b/examples/base_2cc_zpa/terraform.tfvars @@ -110,17 +110,30 @@ #owner_tag = "username@company.com" -## 11. By default, this script will apply 1 Security Group per Cloud Connector instance. +## 11. SSH management access from the local VPC is enabled by default (true). Uncomment if you +## want to disable this. +## Note: Cloud Connector will only be accessible via AWS Session Manager SSM + +#mgmt_ssh_enabled = false + +## 12. By default, a security group is created and assigned to the CC service interface(s). +## There is an optional rule that permits Cloud Connector to forward direct traffic out +## on all ports and protocols. (Default: true). Uncomment if you want to restrict +## traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports. + +#all_ports_egress_enabled = false + +## 13. By default, this script will apply 1 Security Group per Cloud Connector instance. ## Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false) #reuse_security_group = true -## 12. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. +## 14. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. ## Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false) #reuse_iam = true -## 13. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. +## 15. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. ## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. ## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index 
diff --git a/examples/base_cc_gwlb/terraform.tfvars b/examples/base_cc_gwlb/terraform.tfvars
index 54fc71f2..5e72986c 100755
--- a/examples/base_cc_gwlb/terraform.tfvars
+++ b/examples/base_cc_gwlb/terraform.tfvars
@@ -126,27 +126,40 @@ #rebalance_enabled = false -## 16. By default, this script will apply 1 Security Group per Cloud Connector instance. +## 16. SSH management access from the local VPC is enabled by default (true). Uncomment if you +## want to disable this. +## Note: Cloud Connector will only be accessible via AWS Session Manager SSM + +#mgmt_ssh_enabled = false + +## 17. By default, a security group is created and assigned to the CC service interface(s). +## There is an optional rule that permits Cloud Connector to forward direct traffic out +## on all ports and protocols. (Default: true). Uncomment if you want to restrict +## traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports. + +#all_ports_egress_enabled = false + +## 18. By default, this script will apply 1 Security Group per Cloud Connector instance. ## Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false) #reuse_security_group = true -## 17. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. +## 19. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. ## Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false) #reuse_iam = true -## 18. By default, the VPC Endpoint Service created will auto accept any VPC Endpoint registration attempts. +## 20. By default, the VPC Endpoint Service created will auto accept any VPC Endpoint registration attempts. ## Uncomment if you want to require manual acceptance. (true or false. Default: false) #acceptance_required = true -## 19. By default, the VPC Endpoint Service is configured to auto accept any VPC Endpoint registration attempts from any principal in the current AWS Account. +## 21. By default, the VPC Endpoint Service is configured to auto accept any VPC Endpoint registration attempts from any principal in the current AWS Account. 
## Uncomment if you want to override this with more specific/restrictive principals. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests" #allowed_principals = [\"arn:aws:iam::1234567890:root\"] -## 20. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. +## 22. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. ## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. ## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index diff --git a/examples/base_cc_gwlb_asg/terraform.tfvars b/examples/base_cc_gwlb_asg/terraform.tfvars index e58e66d1..a4b344b2 100755 --- a/examples/base_cc_gwlb_asg/terraform.tfvars +++ b/examples/base_cc_gwlb_asg/terraform.tfvars @@ -172,3 +172,16 @@ ## 29. Existing SNS Topic friendly name to be used for autoscaling group notifications assignment #byo_sns_topic_name = "topic-name" + +## 30. SSH management access from the local VPC is enabled by default (true). Uncomment if you +## want to disable this. +## Note: Cloud Connector will only be accessible via AWS Session Manager SSM + +#mgmt_ssh_enabled = false + +## 31. By default, a security group is created and assigned to the CC service interface(s). +## There is an optional rule that permits Cloud Connector to forward direct traffic out +## on all ports and protocols. (Default: true). Uncomment if you want to restrict +## traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports. + +#all_ports_egress_enabled = false diff --git a/examples/base_cc_gwlb_asg_zpa/terraform.tfvars b/examples/base_cc_gwlb_asg_zpa/terraform.tfvars index c73be377..f4692c3a 100755 --- a/examples/base_cc_gwlb_asg_zpa/terraform.tfvars 
+++ b/examples/base_cc_gwlb_asg_zpa/terraform.tfvars @@ -186,3 +186,16 @@ ## 29. Existing SNS Topic friendly name to be used for autoscaling group notifications assignment #byo_sns_topic_name = "topic-name" + +## 30. SSH management access from the local VPC is enabled by default (true). Uncomment if you +## want to disable this. +## Note: Cloud Connector will only be accessible via AWS Session Manager SSM + +#mgmt_ssh_enabled = false + +## 31. By default, a security group is created and assigned to the CC service interface(s). +## There is an optional rule that permits Cloud Connector to forward direct traffic out +## on all ports and protocols. (Default: true). Uncomment if you want to restrict +## traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports. + +#all_ports_egress_enabled = false diff --git a/examples/base_cc_gwlb_zpa/terraform.tfvars b/examples/base_cc_gwlb_zpa/terraform.tfvars index 9861b0cf..3abc7487 100755 --- a/examples/base_cc_gwlb_zpa/terraform.tfvars +++ b/examples/base_cc_gwlb_zpa/terraform.tfvars 
@@ -141,27 +141,40 @@ #rebalance_enabled = false -## 16. By default, this script will apply 1 Security Group per Cloud Connector instance. +## 16. SSH management access from the local VPC is enabled by default (true). Uncomment if you +## want to disable this. +## Note: Cloud Connector will only be accessible via AWS Session Manager SSM + +#mgmt_ssh_enabled = false + +## 17. By default, a security group is created and assigned to the CC service interface(s). +## There is an optional rule that permits Cloud Connector to forward direct traffic out +## on all ports and protocols. (Default: true). Uncomment if you want to restrict +## traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports. + +#all_ports_egress_enabled = false + +## 18. By default, this script will apply 1 Security Group per Cloud Connector instance. ## Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false) #reuse_security_group = true -## 17. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. +## 19. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. ## Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false) #reuse_iam = true -## 18. By default, the VPC Endpoint Service created will auto accept any VPC Endpoint registration attempts. +## 20. By default, the VPC Endpoint Service created will auto accept any VPC Endpoint registration attempts. ## Uncomment if you want to require manual acceptance. (true or false. Default: false) #acceptance_required = true -## 19. By default, the VPC Endpoint Service is configured to auto accept any VPC Endpoint registration attempts from any principal in the current AWS Account. +## 21. By default, the VPC Endpoint Service is configured to auto accept any VPC Endpoint registration attempts from any principal in the current AWS Account. 
## Uncomment if you want to override this with more specific/restrictive principals. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests" #allowed_principals = [\"arn:aws:iam::1234567890:root\"] -## 20. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. +## 22. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. ## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. ## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index diff --git a/examples/cc_gwlb/terraform.tfvars b/examples/cc_gwlb/terraform.tfvars index 81460362..4e609131 100755 --- a/examples/cc_gwlb/terraform.tfvars +++ b/examples/cc_gwlb/terraform.tfvars 
@@ -126,27 +126,40 @@ #rebalance_enabled = false -## 16. By default, this script will apply 1 Security Group per Cloud Connector instance. +## 16. SSH management access from the local VPC is enabled by default (true). Uncomment if you +## want to disable this. +## Note: Cloud Connector will only be accessible via AWS Session Manager SSM + +#mgmt_ssh_enabled = false + +## 17. By default, a security group is created and assigned to the CC service interface(s). +## There is an optional rule that permits Cloud Connector to forward direct traffic out +## on all ports and protocols. (Default: true). Uncomment if you want to restrict +## traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports. + +#all_ports_egress_enabled = false + +## 18. By default, this script will apply 1 Security Group per Cloud Connector instance. ## Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false) #reuse_security_group = true -## 17. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. +## 19. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. ## Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false) #reuse_iam = true -## 18. By default, the VPC Endpoint Service created will auto accept any VPC Endpoint registration attempts. +## 20. By default, the VPC Endpoint Service created will auto accept any VPC Endpoint registration attempts. ## Uncomment if you want to require manual acceptance. (true or false. Default: false) #acceptance_required = true -## 19. By default, the VPC Endpoint Service is configured to auto accept any VPC Endpoint registration attempts from any principal in the current AWS Account. +## 21. By default, the VPC Endpoint Service is configured to auto accept any VPC Endpoint registration attempts from any principal in the current AWS Account. 
## Uncomment if you want to override this with more specific/restrictive principals. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests" #allowed_principals = [\"arn:aws:iam::1234567890:root\"] -## 20. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. +## 22. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. ## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. ## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index 
@@ -160,14 +173,14 @@ ##### ZPA/Route 53 specific variables ##### ##################################################################################################################### -## 21. By default, ZPA dependent resources are not created. Uncomment if you want to enable ZPA configuration in your VPC +## 23. By default, ZPA dependent resources are not created. Uncomment if you want to enable ZPA configuration in your VPC ## Enabling will create 1x dedicated subnet per Cloud Connector availability zones in the VPC with Route Tables pointing ## default route to the local AZ GWLB Endpoint. Module will also create a resolver endpoint and rules per the domains ## specified in variable "domain_names". (Default: false) #zpa_enabled = true -## 22. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true +## 24. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true ## deployment types where Route53 subnets, Resolver Rules, and Outbound Endpoints are being created. Two example domains are populated to show the ## mapping structure and syntax. ZPA Module will read through each to create a resolver rule per domain_name entry. Ucomment domain_names variable and ## add any additional appsegXX mappings as needed. 
@@ -183,24 +196,24 @@ ##### E.g. "cc_ha" ##### ##################################################################################################################### -## 23. By default, this script will create a new AWS VPC. +## 25. By default, this script will create a new AWS VPC. ## Uncomment if you want to deploy all resources to a VPC that already exists (true or false. Default: false) #byo_vpc = true -## 24. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) +## 26. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) ## Example: byo_vpc_id = "vpc-0588ce674df615334" #byo_vpc_id = "vpc-0588ce674df615334" -## 25. By default, this script will create new AWS subnets in the VPC defined based on az_count. +## 27. By default, this script will create new AWS subnets in the VPC defined based on az_count. ## Uncomment if you want to deploy all resources to subnets that already exist (true or false. Default: false) ## Dependencies require in order to reference existing subnets, the corresponding VPC must also already exist. ## Setting byo_subnet to true means byo_vpc must ALSO be set to true. #byo_subnets = true -## 26. Provide your existing Cloud Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. +## 28. Provide your existing Cloud Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. ## Subnet IDs must be added as a list with order determining assocations for resources like aws_instance, NAT GW, ## Route Tables, etc. Provide only one subnet per Availability Zone in a VPC ## 
@@ -212,19 +225,19 @@ #byo_subnet_ids = ["subnet-id"] -## 27. By default, this script will create a new Internet Gateway resource in the VPC. +## 29. By default, this script will create a new Internet Gateway resource in the VPC. ## Uncomment if you want to utlize an IGW that already exists (true or false. Default: false) ## Dependencies require in order to reference an existing IGW, the corresponding VPC must also already exist. ## Setting byo_igw to true means byo_vpc must ALSO be set to true. #byo_igw = true -## 28. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. +## 30. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. ## Example: byo_igw_id = "igw-090313c21ffed44d3" #byo_igw_id = "igw-090313c21ffed44d3" -## 29. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. +## 31. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. ## It will also create a Route Table forwarding default 0.0.0.0/0 next hop to the Internet Gateway that is created or defined ## based on the byo_igw variable and associate with the public subnet(s) ## Uncomment if you want to deploy Cloud Connectors routing to NAT Gateway(s)/Public Subnet(s) that already exist (true or false. Default: false) @@ -233,7 +246,7 @@ #byo_ngw = true -## 30. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_cc_subnet to true +## 32. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_cc_subnet to true ## NAT Gateway IDs must be added as a list with order determining assocations for the CC Route Tables (cc-rt) ## nat_gateway_id next hop ## 
@@ -252,23 +265,23 @@ #byo_ngw_ids = ["nat-id"] -## 31. By default, this script will create new IAM roles, policy, and Instance Profiles for the Cloud Connector +## 33. By default, this script will create new IAM roles, policy, and Instance Profiles for the Cloud Connector ## Uncomment if you want to use your own existing IAM Instance Profiles (true or false. Default: false) #byo_iam = true -## 32. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true +## 34. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true ## Example: byo_iam_instance_profile_id = ["instance-profile-1","instance-profile-2"] #byo_iam_instance_profile_id = ["instance-profile-1"] -## 33. By default, this script will create new Security Groups for the Cloud Connector mgmt and service interfaces +## 35. By default, this script will create new Security Groups for the Cloud Connector mgmt and service interfaces ## Uncomment if you want to use your own existing SGs (true or false. Default: false) #byo_security_group = true -## 34. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true +## 36. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true ## Example: byo_mgmt_security_group_id = ["mgmt-sg-1","mgmt-sg-2"] ## Example: byo_service_security_group_id = ["service-sg-1","service-sg-2"] diff --git a/examples/cc_gwlb_asg/terraform.tfvars b/examples/cc_gwlb_asg/terraform.tfvars index 96628385..43deaea7 100755 --- a/examples/cc_gwlb_asg/terraform.tfvars +++ b/examples/cc_gwlb_asg/terraform.tfvars 
@@ -184,19 +184,31 @@ #byo_sns_topic_name = "topic-name" +## 29. SSH management access from the local VPC is enabled by default (true). Uncomment if you +## want to disable this. +## Note: Cloud Connector will only be accessible via AWS Session Manager SSM + +#mgmt_ssh_enabled = false + +## 30. By default, a security group is created and assigned to the CC service interface(s). +## There is an optional rule that permits Cloud Connector to forward direct traffic out +## on all ports and protocols. (Default: true). Uncomment if you want to restrict +## traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports. + +#all_ports_egress_enabled = false ##################################################################################################################### ##### ZPA/Route 53 specific variables ##### ##################################################################################################################### -## 29. By default, ZPA dependent resources are not created. Uncomment if you want to enable ZPA configuration in your VPC +## 31. By default, ZPA dependent resources are not created. Uncomment if you want to enable ZPA configuration in your VPC ## Enabling will create 1x dedicated subnet per Cloud Connector availability zones in the VPC with Route Tables pointing ## default route to the local AZ GWLB Endpoint. Module will also create a resolver endpoint and rules per the domains ## specified in variable "domain_names". (Default: false) #zpa_enabled = true -## 30. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true +## 32. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true ## deployment types where Route53 subnets, Resolver Rules, and Outbound Endpoints are being created. Two example domains are populated to show the ## mapping structure and syntax. 
ZPA Module will read through each to create a resolver rule per domain_name entry. Ucomment domain_names variable and ## add any additional appsegXX mappings as needed. @@ -211,24 +223,24 @@ ##### E.g. "cc_ha, cc_gwlb, cc_gwlb_asg" ##### ##################################################################################################################### -## 31. By default, this script will create a new AWS VPC. +## 33. By default, this script will create a new AWS VPC. ## Uncomment if you want to deploy all resources to a VPC that already exists (true or false. Default: false) #byo_vpc = true -## 32. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) +## 34. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) ## Example: byo_vpc_id = "vpc-0588ce674df615334" #byo_vpc_id = "vpc-0588ce674df615334" -## 33. By default, this script will create new AWS subnets in the VPC defined based on az_count. +## 35. By default, this script will create new AWS subnets in the VPC defined based on az_count. ## Uncomment if you want to deploy all resources to subnets that already exist (true or false. Default: false) ## Dependencies require in order to reference existing subnets, the corresponding VPC must also already exist. ## Setting byo_subnet to true means byo_vpc must ALSO be set to true. #byo_subnets = true -## 34. Provide your existing Cloud Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. +## 36. Provide your existing Cloud Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. ## Subnet IDs must be added as a list with order determining assocations for resources like aws_instance, NAT GW, ## Route Tables, etc. Provide only one subnet per Availability Zone in a VPC ## 
@@ -240,19 +252,19 @@ #byo_subnet_ids = ["subnet-id"] -## 35. By default, this script will create a new Internet Gateway resource in the VPC. +## 37. By default, this script will create a new Internet Gateway resource in the VPC. ## Uncomment if you want to utlize an IGW that already exists (true or false. Default: false) ## Dependencies require in order to reference an existing IGW, the corresponding VPC must also already exist. ## Setting byo_igw to true means byo_vpc must ALSO be set to true. #byo_igw = true -## 36. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. +## 38. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. ## Example: byo_igw_id = "igw-090313c21ffed44d3" #byo_igw_id = "igw-090313c21ffed44d3" -## 37. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. +## 39. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. ## It will also create a Route Table forwarding default 0.0.0.0/0 next hop to the Internet Gateway that is created or defined ## based on the byo_igw variable and associate with the public subnet(s) ## Uncomment if you want to deploy Cloud Connectors routing to NAT Gateway(s)/Public Subnet(s) that already exist (true or false. Default: false) @@ -261,7 +273,7 @@ #byo_ngw = true -## 38. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_cc_subnet to true +## 40. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_cc_subnet to true ## NAT Gateway IDs must be added as a list with order determining assocations for the CC Route Tables (cc-rt) ## nat_gateway_id next hop ## 
@@ -280,23 +292,23 @@ #byo_ngw_ids = ["nat-id"] -## 39. By default, this script will create new IAM roles, policy, and Instance Profiles for the Cloud Connector +## 41. By default, this script will create new IAM roles, policy, and Instance Profiles for the Cloud Connector ## Uncomment if you want to use your own existing IAM Instance Profiles (true or false. Default: false) #byo_iam = true -## 40. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true +## 42. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true ## Example: byo_iam_instance_profile_id = ["instance-profile-1","instance-profile-2"] #byo_iam_instance_profile_id = ["instance-profile-1"] -## 41. By default, this script will create new Security Groups for the Cloud Connector mgmt and service interfaces +## 43. By default, this script will create new Security Groups for the Cloud Connector mgmt and service interfaces ## Uncomment if you want to use your own existing SGs (true or false. Default: false) #byo_security_group = true -## 42. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true +## 44. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true ## Example: byo_mgmt_security_group_id = ["mgmt-sg-1","mgmt-sg-2"] ## Example: byo_service_security_group_id = ["service-sg-1","service-sg-2"] diff --git a/examples/cc_ha/terraform.tfvars b/examples/cc_ha/terraform.tfvars index 1311fe89..0e09e239 100755 --- a/examples/cc_ha/terraform.tfvars +++ b/examples/cc_ha/terraform.tfvars 
@@ -95,17 +95,30 @@ #owner_tag = "username@company.com" -## 11. By default, this script will apply 1 Security Group per Cloud Connector instance. +## 11. SSH management access from the local VPC is enabled by default (true). Uncomment if you +## want to disable this. +## Note: Cloud Connector will only be accessible via AWS Session Manager SSM + +#mgmt_ssh_enabled = false + +## 12. By default, a security group is created and assigned to the CC service interface(s). +## There is an optional rule that permits Cloud Connector to forward direct traffic out +## on all ports and protocols. (Default: true). Uncomment if you want to restrict +## traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports. + +#all_ports_egress_enabled = false + +## 13. By default, this script will apply 1 Security Group per Cloud Connector instance. ## Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false) #reuse_security_group = true -## 12. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. +## 14. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. ## Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false) #reuse_iam = true -## 13. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. +## 15. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available. ## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. ## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index 
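Review bot: The new comment for `all_ports_egress_enabled` documents the permissive default (the service-interface security group lets the Cloud Connector forward direct traffic out on every port and protocol) but does not say what the restricted setting leaves open or what stops working when it is chosen, which is exactly what an operator weighing least privilege needs before flipping it. I would extend the block with something like `## Restricting egress is the least-privilege choice, but any traffic Cloud Connector forwards directly on ports outside the ZIA/ZPA required list will then be blocked by the service security group; check the Zscaler connectivity requirements for the current TCP/UDP port list before disabling this.` and reword "required HTTPS TCP/UDP ports" to "TCP/UDP ports required for ZIA/ZPA connectivity", since HTTPS alone does not describe UDP. Likewise the `mgmt_ssh_enabled` note states the instance "will only be accessible via AWS Session Manager SSM" as a given, whereas that presumably depends on the instance profile carrying the SSM permissions and on an SSM network path (VPC endpoint or NAT) that this hunk does not show, so I would phrase it as a prerequisite, e.g. `## Note: with SSH disabled, Cloud Connector is reachable only via AWS Systems Manager Session Manager, which requires the instance profile and network path for SSM to already be in place.` The identical text is added to the other example tfvars in this patch and should be updated in all of them together.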
@@ -118,14 +131,14 @@ ##### ZPA/Route 53 specific variables ##### ##################################################################################################################### -## 14. By default, ZPA dependent resources are not created. Uncomment if you want to enable ZPA configuration in your VPC +## 16. By default, ZPA dependent resources are not created. Uncomment if you want to enable ZPA configuration in your VPC ## Enabling will create 1x dedicated subnet per Cloud Connector availability zones in the VPC with Route Tables pointing ## default route to the local AZ GWLB Endpoint. Module will also create a resolver endpoint and rules per the domains ## specified in variable "domain_names". (Default: false) #zpa_enabled = true -## 15. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true +## 17. Provide the domain names you want Route53 to redirect to Cloud Connector for ZPA interception. Only applicable for base + zpa or zpa_enabled = true ## deployment types where Route53 subnets, Resolver Rules, and Outbound Endpoints are being created. Two example domains are populated to show the ## mapping structure and syntax. ZPA Module will read through each to create a resolver rule per domain_name entry. Ucomment domain_names variable and ## add any additional appsegXX mappings as needed. 
@@ -141,24 +154,24 @@ ##### E.g. "cc_ha" ##### ##################################################################################################################### -## 16. By default, this script will create a new AWS VPC. +## 18. By default, this script will create a new AWS VPC. ## Uncomment if you want to deploy all resources to a VPC that already exists (true or false. Default: false) #byo_vpc = true -## 17. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) +## 19. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) ## Example: byo_vpc_id = "vpc-0588ce674df615334" #byo_vpc_id = "vpc-0588ce674df615334" -## 18. By default, this script will create new AWS subnets in the VPC defined based on az_count. +## 20. By default, this script will create new AWS subnets in the VPC defined based on az_count. ## Uncomment if you want to deploy all resources to subnets that already exist (true or false. Default: false) ## Dependencies require in order to reference existing subnets, the corresponding VPC must also already exist. ## Setting byo_subnet to true means byo_vpc must ALSO be set to true. #byo_subnets = true -## 19. Provide your existing Cloud Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. +## 21. Provide your existing Cloud Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. ## Subnet IDs must be added as a list with order determining assocations for resources like aws_instance, NAT GW, ## Route Tables, etc. Provide only one subnet per Availability Zone in a VPC ## 
@@ -170,19 +183,19 @@ #byo_subnet_ids = ["subnet-id"] -## 20. By default, this script will create a new Internet Gateway resource in the VPC. +## 22. By default, this script will create a new Internet Gateway resource in the VPC. ## Uncomment if you want to utlize an IGW that already exists (true or false. Default: false) ## Dependencies require in order to reference an existing IGW, the corresponding VPC must also already exist. ## Setting byo_igw to true means byo_vpc must ALSO be set to true. #byo_igw = true -## 21. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. +## 23. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. ## Example: byo_igw_id = "igw-090313c21ffed44d3" #byo_igw_id = "igw-090313c21ffed44d3" -## 22. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. +## 24. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. ## It will also create a Route Table forwarding default 0.0.0.0/0 next hop to the Internet Gateway that is created or defined ## based on the byo_igw variable and associate with the public subnet(s) ## Uncomment if you want to deploy Cloud Connectors routing to NAT Gateway(s)/Public Subnet(s) that already exist (true or false. Default: false) @@ -191,7 +204,7 @@ #byo_ngw = true -## 23. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_cc_subnet to true +## 25. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_cc_subnet to true ## NAT Gateway IDs must be added as a list with order determining assocations for the CC Route Tables (cc-rt) ## nat_gateway_id next hop ## 
@@ -210,23 +223,23 @@ #byo_ngw_ids = ["nat-id"] -## 24. By default, this script will create new IAM roles, policy, and Instance Profiles for the Cloud Connector +## 26. By default, this script will create new IAM roles, policy, and Instance Profiles for the Cloud Connector ## Uncomment if you want to use your own existing IAM Instance Profiles (true or false. Default: false) #byo_iam = true -## 25. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true +## 27. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true ## Example: byo_iam_instance_profile_id = ["instance-profile-1","instance-profile-2"] #byo_iam_instance_profile_id = ["instance-profile-1"] -## 26. By default, this script will create new Security Groups for the Cloud Connector mgmt and service interfaces +## 28. By default, this script will create new Security Groups for the Cloud Connector mgmt and service interfaces ## Uncomment if you want to use your own existing SGs (true or false. Default: false) #byo_security_group = true -## 27. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true +## 29. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true ## Example: byo_mgmt_security_group_id = ["mgmt-sg-1","mgmt-sg-2"] ## Example: byo_service_security_group_id = ["service-sg-1","service-sg-2"] 
@@ -242,7 +255,7 @@ ##### subnets already exist. Therefore, you must provide at least byo_vpc information ##### ##################################################################################################################### -## 28. Provide your existing Workload Route Table IDs. Route Table IDs must be added as a list and should be paired to +## 30. Provide your existing Workload Route Table IDs. Route Table IDs must be added as a list and should be paired to ## the primary Cloud Connector each Route Table would be forwarding traffic to in normal operation ## ## Example: diff --git a/modules/terraform-zscc-sg-aws/README.md b/modules/terraform-zscc-sg-aws/README.md index 54650269..1fa68b9a 100644 --- a/modules/terraform-zscc-sg-aws/README.md +++ b/modules/terraform-zscc-sg-aws/README.md @@ -1,6 +1,6 @@ # Zscaler Cloud Connector / AWS Security Groups Module -This module creates Security Rules and Groups resources required for successful Cloud Connector deployments. As part of Zscaler provided deployment templates most resources have conditional create options leveraged "byo" variables should a customer want to leverage the module outputs with data reference to resources that may already exist in their AWS environment. +This module creates Security Rules and Groups resources required for successful Cloud Connector deployments. As part of Zscaler provided deployment templates most resources have conditional create options leveraged "byo" variables should a customer want to leverage the module outputs with data reference to resources that may already exist in their AWS environment. Security Group rules are populated per Zscaler connectivity requirements and minimum access best practices. Please refer to [Zscaler Workload Communications (Cloud/Branch Connector)](https://config.zscaler.com/zscaler.net/cloud-branch-connector). ## Requirements