fix: security group minimal access (#44)

* chore: cleanup unused vars

* refactor: cc security group enhancements

* docs: update tfvars for new sg vars

* chore: update ntp desc

CHANGELOG.md

@@ -23,6 +23,14 @@
     - remove secondary IP address from network interface index #1
     - add interface device index #5 for "large" CC.
 
+
+* module terraform-zscc-sg-aws changes:
+    - refactor management and service security group with more granular/required rules
+    - add variable mgmt_ssh_enabled if customer wants to restrict management access to only SSM
+    - add variable http_probe_port
+    - add gwlb_enabled default to true
+    - add all_ports_egress_enabled default to true
+
 ## v0.2.0 (June 20, 2023)
 * AWS Provider updated from 4.7.x to 4.59.x for all example templates and child modules
 * terraform-zscc-gwlb-aws custom gwlb_name and target_group_name variables added

examples/base_1cc/README.md

@@ -84,6 +84,7 @@ From base_1cc directory execute:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_all_ports_egress_enabled"></a> [all\_ports\_egress\_enabled](#input\_all\_ports\_egress\_enabled) | Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no |
 | <a name="input_ami_id"></a> [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc\_count index | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | The AWS region. | `string` | `"us-west-2"` | no |
 | <a name="input_az_count"></a> [az\_count](#input\_az\_count) | Default number of subnets to create based on availability zone | `number` | `1` | no |
@@ -94,6 +95,7 @@ From base_1cc directory execute:
 | <a name="input_cc_vm_prov_url"></a> [cc\_vm\_prov\_url](#input\_cc\_vm\_prov\_url) | Zscaler Cloud Connector Provisioning URL | `string` | n/a | yes |
 | <a name="input_ccvm_instance_type"></a> [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"m6i.large"` | no |
 | <a name="input_http_probe_port"></a> [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no |
+| <a name="input_mgmt_ssh_enabled"></a> [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no |
 | <a name="input_owner_tag"></a> [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no |
 | <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |

examples/base_1cc/main.tf

@@ -176,12 +176,16 @@ module "cc_iam" {
 #    security group created and assigned to ALL Cloud Connectors instead.
 ################################################################################
 module "cc_sg" {
-  source       = "../../modules/terraform-zscc-sg-aws"
-  sg_count     = var.reuse_security_group == false ? var.cc_count : 1
-  name_prefix  = var.name_prefix
-  resource_tag = random_string.suffix.result
-  global_tags  = local.global_tags
-  vpc_id       = module.network.vpc_id
+  source                   = "../../modules/terraform-zscc-sg-aws"
+  sg_count                 = var.reuse_security_group == false ? var.cc_count : 1
+  name_prefix              = var.name_prefix
+  resource_tag             = random_string.suffix.result
+  global_tags              = local.global_tags
+  vpc_id                   = module.network.vpc_id
+  http_probe_port          = var.http_probe_port
+  mgmt_ssh_enabled         = var.mgmt_ssh_enabled
+  gwlb_enabled             = false
+  all_ports_egress_enabled = var.all_ports_egress_enabled
 }
 
 

examples/base_1cc/terraform.tfvars

@@ -97,17 +97,30 @@
 
 #owner_tag                                  = "[email protected]"
 
-## 11. By default, this script will apply 1 Security Group per Cloud Connector instance. 
+## 11. SSH management access from the local VPC is enabled by default (true). Uncomment if you
+##     want to disable this.
+##     Note: Cloud Connector will only be accessible via AWS Session Manager SSM
+
+#mgmt_ssh_enabled                           = false
+
+## 12. By default, a security group is created and assigned to the CC service interface(s).
+##     There is an optional rule that permits Cloud Connector to forward direct traffic out
+##     on all ports and protocols. (Default: true). Uncomment if you want to restrict
+##     traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports.
+
+#all_ports_egress_enabled                   = false
+
+## 13. By default, this script will apply 1 Security Group per Cloud Connector instance. 
 ##     Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_security_group                       = true
 
-## 12. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
+## 14. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
 ##     Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_iam                                  = true
 
-## 13. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
+## 15. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
 ##     This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. 
 ##     It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index
 

examples/base_1cc/variables.tf

@@ -168,3 +168,15 @@ variable "ami_id" {
   description = "AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc_count index"
   default     = [""]
 }
+
+variable "mgmt_ssh_enabled" {
+  type        = bool
+  description = "Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group"
+  default     = true
+}
+
+variable "all_ports_egress_enabled" {
+  type        = bool
+  default     = true
+  description = "Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group"
+}

examples/base_1cc_zpa/README.md

@@ -85,6 +85,7 @@ From base_1cc_zpa directory execute:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_all_ports_egress_enabled"></a> [all\_ports\_egress\_enabled](#input\_all\_ports\_egress\_enabled) | Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no |
 | <a name="input_ami_id"></a> [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc\_count index | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | The AWS region. | `string` | `"us-west-2"` | no |
 | <a name="input_az_count"></a> [az\_count](#input\_az\_count) | Default number of subnets to create based on availability zone | `number` | `1` | no |
@@ -96,6 +97,7 @@ From base_1cc_zpa directory execute:
 | <a name="input_ccvm_instance_type"></a> [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"m6i.large"` | no |
 | <a name="input_domain_names"></a> [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables | `map(any)` | n/a | yes |
 | <a name="input_http_probe_port"></a> [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no |
+| <a name="input_mgmt_ssh_enabled"></a> [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no |
 | <a name="input_owner_tag"></a> [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no |
 | <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |

examples/base_1cc_zpa/main.tf

@@ -178,12 +178,16 @@ module "cc_iam" {
 #    security group created and assigned to ALL Cloud Connectors instead.
 ################################################################################
 module "cc_sg" {
-  source       = "../../modules/terraform-zscc-sg-aws"
-  sg_count     = var.reuse_security_group == false ? var.cc_count : 1
-  name_prefix  = var.name_prefix
-  resource_tag = random_string.suffix.result
-  global_tags  = local.global_tags
-  vpc_id       = module.network.vpc_id
+  source                   = "../../modules/terraform-zscc-sg-aws"
+  sg_count                 = var.reuse_security_group == false ? var.cc_count : 1
+  name_prefix              = var.name_prefix
+  resource_tag             = random_string.suffix.result
+  global_tags              = local.global_tags
+  vpc_id                   = module.network.vpc_id
+  http_probe_port          = var.http_probe_port
+  mgmt_ssh_enabled         = var.mgmt_ssh_enabled
+  gwlb_enabled             = false
+  all_ports_egress_enabled = var.all_ports_egress_enabled
 }
 
 

examples/base_1cc_zpa/terraform.tfvars

@@ -112,17 +112,30 @@
 
 #owner_tag                                  = "[email protected]"
 
-## 11. By default, this script will apply 1 Security Group per Cloud Connector instance. 
+## 11. SSH management access from the local VPC is enabled by default (true). Uncomment if you
+##     want to disable this.
+##     Note: Cloud Connector will only be accessible via AWS Session Manager SSM
+
+#mgmt_ssh_enabled                           = false
+
+## 12. By default, a security group is created and assigned to the CC service interface(s).
+##     There is an optional rule that permits Cloud Connector to forward direct traffic out
+##     on all ports and protocols. (Default: true). Uncomment if you want to restrict
+##     traffic to only the ZIA/ZPA required HTTPS TCP/UDP ports.
+
+#all_ports_egress_enabled                   = false
+
+## 13. By default, this script will apply 1 Security Group per Cloud Connector instance. 
 ##     Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_security_group                       = true
 
-## 12. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
+## 14. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance. 
 ##     Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false)
 
 #reuse_iam                                  = true
 
-## 13. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
+## 15. By default, terraform will always query the AWS Marketplace for the latest Cloud Connector AMI available.
 ##     This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. 
 ##     It is also inputted as a list to facilitate if a customer desired to manually upgrade only select CCs deployed based on the cc_count index
 

examples/base_1cc_zpa/variables.tf

@@ -191,3 +191,15 @@ variable "ami_id" {
   description = "AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc_count index"
   default     = [""]
 }
+
+variable "mgmt_ssh_enabled" {
+  type        = bool
+  description = "Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group"
+  default     = true
+}
+
+variable "all_ports_egress_enabled" {
+  type        = bool
+  default     = true
+  description = "Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group"
+}

examples/base_2cc/README.md

@@ -87,6 +87,7 @@ From base_2cc directory execute:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_all_ports_egress_enabled"></a> [all\_ports\_egress\_enabled](#input\_all\_ports\_egress\_enabled) | Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no |
 | <a name="input_ami_id"></a> [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc\_count index | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | The AWS region. | `string` | `"us-west-2"` | no |
 | <a name="input_az_count"></a> [az\_count](#input\_az\_count) | Default number of subnets to create based on availability zone | `number` | `2` | no |
@@ -97,6 +98,7 @@ From base_2cc directory execute:
 | <a name="input_cc_vm_prov_url"></a> [cc\_vm\_prov\_url](#input\_cc\_vm\_prov\_url) | Zscaler Cloud Connector Provisioning URL | `string` | n/a | yes |
 | <a name="input_ccvm_instance_type"></a> [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"m6i.large"` | no |
 | <a name="input_http_probe_port"></a> [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no |
+| <a name="input_mgmt_ssh_enabled"></a> [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no |
 | <a name="input_owner_tag"></a> [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no |
 | <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |

examples/base_2cc/main.tf

@@ -176,12 +176,16 @@ module "cc_iam" {
 #    security group created and assigned to ALL Cloud Connectors instead.
 ################################################################################
 module "cc_sg" {
-  source       = "../../modules/terraform-zscc-sg-aws"
-  sg_count     = var.reuse_security_group == false ? var.cc_count : 1
-  name_prefix  = var.name_prefix
-  resource_tag = random_string.suffix.result
-  global_tags  = local.global_tags
-  vpc_id       = module.network.vpc_id
+  source                   = "../../modules/terraform-zscc-sg-aws"
+  sg_count                 = var.reuse_security_group == false ? var.cc_count : 1
+  name_prefix              = var.name_prefix
+  resource_tag             = random_string.suffix.result
+  global_tags              = local.global_tags
+  vpc_id                   = module.network.vpc_id
+  http_probe_port          = var.http_probe_port
+  mgmt_ssh_enabled         = var.mgmt_ssh_enabled
+  gwlb_enabled             = false
+  all_ports_egress_enabled = var.all_ports_egress_enabled
 }