AWS Security Group changes

CHANGELOG.md

@@ -1,7 +1,16 @@
 ## UNRELEASED (TBD)
 ENHANCEMENTS:
-* add variable additional_management_security_group_ids to terraform-zscc-ccvm-aws and terraform-zscc-asg-aws
-
+* Module Changes:
+    - terraform-zscc-ccvm-aws:
+        - add variable additional_management_security_group_ids
+    - terraform-zscc-asg-aws:
+        - add variable additional_management_security_group_ids
+    - terraform-zscc-sg-aws:
+        - add resource aws_security_group.outbound_endpoint_sg
+        - add variables byo_route53_resolver_outbound_endpoint_group_id and zpa_enabled
+    - terraform-zscc-route53-aws:
+        - add variable outbound_endpoint_security_group_ids
+        - remove default security group usage per AWS best practices
 
 ## 1.3.3 (August 30, 2024)
 ENHANCEMENTS:

examples/base_1cc_zpa/main.tf

@@ -188,6 +188,7 @@ module "cc_sg" {
   resource_tag             = random_string.suffix.result
   global_tags              = local.global_tags
   vpc_id                   = module.network.vpc_id
+  zpa_enabled              = var.zpa_enabled
   http_probe_port          = var.http_probe_port
   mgmt_ssh_enabled         = var.mgmt_ssh_enabled
   gwlb_enabled             = false
@@ -202,14 +203,15 @@ module "cc_sg" {
 #    redirection to facilitate Cloud Connector ZPA service.
 ################################################################################
 module "route53" {
-  source         = "../../modules/terraform-zscc-route53-aws"
-  name_prefix    = var.name_prefix
-  resource_tag   = random_string.suffix.result
-  global_tags    = local.global_tags
-  vpc_id         = module.network.vpc_id
-  r53_subnet_ids = module.network.route53_subnet_ids
-  domain_names   = var.domain_names
-  target_address = var.target_address
+  source                               = "../../modules/terraform-zscc-route53-aws"
+  name_prefix                          = var.name_prefix
+  resource_tag                         = random_string.suffix.result
+  global_tags                          = local.global_tags
+  vpc_id                               = module.network.vpc_id
+  r53_subnet_ids                       = module.network.route53_subnet_ids
+  outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
+  domain_names                         = var.domain_names
+  target_address                       = var.target_address
 }
 
 

examples/base_2cc_zpa/main.tf

@@ -187,6 +187,7 @@ module "cc_sg" {
   resource_tag             = random_string.suffix.result
   global_tags              = local.global_tags
   vpc_id                   = module.network.vpc_id
+  zpa_enabled              = var.zpa_enabled
   http_probe_port          = var.http_probe_port
   mgmt_ssh_enabled         = var.mgmt_ssh_enabled
   gwlb_enabled             = false
@@ -219,14 +220,15 @@ module "cc_lambda" {
 #    redirection to facilitate Cloud Connector ZPA service.
 ################################################################################
 module "route53" {
-  source         = "../../modules/terraform-zscc-route53-aws"
-  name_prefix    = var.name_prefix
-  resource_tag   = random_string.suffix.result
-  global_tags    = local.global_tags
-  vpc_id         = module.network.vpc_id
-  r53_subnet_ids = module.network.route53_subnet_ids
-  domain_names   = var.domain_names
-  target_address = var.target_address
+  source                               = "../../modules/terraform-zscc-route53-aws"
+  name_prefix                          = var.name_prefix
+  resource_tag                         = random_string.suffix.result
+  global_tags                          = local.global_tags
+  vpc_id                               = module.network.vpc_id
+  r53_subnet_ids                       = module.network.route53_subnet_ids
+  outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
+  domain_names                         = var.domain_names
+  target_address                       = var.target_address
 }
 
 

examples/base_cc_gwlb_asg_zpa/main.tf

@@ -206,6 +206,7 @@ module "cc_sg" {
   resource_tag             = random_string.suffix.result
   global_tags              = local.global_tags
   vpc_id                   = module.network.vpc_id
+  zpa_enabled              = var.zpa_enabled
   http_probe_port          = var.http_probe_port
   mgmt_ssh_enabled         = var.mgmt_ssh_enabled
   all_ports_egress_enabled = var.all_ports_egress_enabled
@@ -259,14 +260,15 @@ module "gwlb_endpoint" {
 #    redirection to facilitate Cloud Connector ZPA service.
 ################################################################################
 module "route53" {
-  source         = "../../modules/terraform-zscc-route53-aws"
-  name_prefix    = var.name_prefix
-  resource_tag   = random_string.suffix.result
-  global_tags    = local.global_tags
-  vpc_id         = module.network.vpc_id
-  r53_subnet_ids = module.network.route53_subnet_ids
-  domain_names   = var.domain_names
-  target_address = var.target_address
+  source                               = "../../modules/terraform-zscc-route53-aws"
+  name_prefix                          = var.name_prefix
+  resource_tag                         = random_string.suffix.result
+  global_tags                          = local.global_tags
+  vpc_id                               = module.network.vpc_id
+  r53_subnet_ids                       = module.network.route53_subnet_ids
+  outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
+  domain_names                         = var.domain_names
+  target_address                       = var.target_address
 }
 
 

examples/base_cc_gwlb_zpa/main.tf

@@ -189,6 +189,7 @@ module "cc_sg" {
   resource_tag             = random_string.suffix.result
   global_tags              = local.global_tags
   vpc_id                   = module.network.vpc_id
+  zpa_enabled              = var.zpa_enabled
   http_probe_port          = var.http_probe_port
   mgmt_ssh_enabled         = var.mgmt_ssh_enabled
   all_ports_egress_enabled = var.all_ports_egress_enabled
@@ -242,14 +243,15 @@ module "gwlb_endpoint" {
 #    redirection to facilitate Cloud Connector ZPA service.
 ################################################################################
 module "route53" {
-  source         = "../../modules/terraform-zscc-route53-aws"
-  name_prefix    = var.name_prefix
-  resource_tag   = random_string.suffix.result
-  global_tags    = local.global_tags
-  vpc_id         = module.network.vpc_id
-  r53_subnet_ids = module.network.route53_subnet_ids
-  domain_names   = var.domain_names
-  target_address = var.target_address
+  source                               = "../../modules/terraform-zscc-route53-aws"
+  name_prefix                          = var.name_prefix
+  resource_tag                         = random_string.suffix.result
+  global_tags                          = local.global_tags
+  vpc_id                               = module.network.vpc_id
+  r53_subnet_ids                       = module.network.route53_subnet_ids
+  outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
+  domain_names                         = var.domain_names
+  target_address                       = var.target_address
 }
 
 

examples/cc_gwlb/main.tf

@@ -173,6 +173,7 @@ module "cc_sg" {
   resource_tag             = random_string.suffix.result
   global_tags              = local.global_tags
   vpc_id                   = module.network.vpc_id
+  zpa_enabled              = var.zpa_enabled
   http_probe_port          = var.http_probe_port
   mgmt_ssh_enabled         = var.mgmt_ssh_enabled
   all_ports_egress_enabled = var.all_ports_egress_enabled
@@ -233,15 +234,16 @@ module "gwlb_endpoint" {
 #    This can optionally be enabled/disabled per variable "zpa_enabled".
 ################################################################################
 module "route53" {
-  count          = var.zpa_enabled == true ? 1 : 0
-  source         = "../../modules/terraform-zscc-route53-aws"
-  name_prefix    = var.name_prefix
-  resource_tag   = random_string.suffix.result
-  global_tags    = local.global_tags
-  vpc_id         = module.network.vpc_id
-  r53_subnet_ids = module.network.route53_subnet_ids
-  domain_names   = var.domain_names
-  target_address = var.target_address
+  count                                = var.zpa_enabled == true ? 1 : 0
+  source                               = "../../modules/terraform-zscc-route53-aws"
+  name_prefix                          = var.name_prefix
+  resource_tag                         = random_string.suffix.result
+  global_tags                          = local.global_tags
+  vpc_id                               = module.network.vpc_id
+  r53_subnet_ids                       = module.network.route53_subnet_ids
+  outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
+  domain_names                         = var.domain_names
+  target_address                       = var.target_address
 }
 
 

examples/cc_gwlb_asg/main.tf

@@ -191,6 +191,7 @@ module "cc_sg" {
   resource_tag             = random_string.suffix.result
   global_tags              = local.global_tags
   vpc_id                   = module.network.vpc_id
+  zpa_enabled              = var.zpa_enabled
   http_probe_port          = var.http_probe_port
   mgmt_ssh_enabled         = var.mgmt_ssh_enabled
   all_ports_egress_enabled = var.all_ports_egress_enabled
@@ -251,15 +252,16 @@ module "gwlb_endpoint" {
 #    This can optionally be enabled/disabled per variable "zpa_enabled".
 ################################################################################
 module "route53" {
-  count          = var.zpa_enabled == true ? 1 : 0
-  source         = "../../modules/terraform-zscc-route53-aws"
-  name_prefix    = var.name_prefix
-  resource_tag   = random_string.suffix.result
-  global_tags    = local.global_tags
-  vpc_id         = module.network.vpc_id
-  r53_subnet_ids = module.network.route53_subnet_ids
-  domain_names   = var.domain_names
-  target_address = var.target_address
+  count                                = var.zpa_enabled == true ? 1 : 0
+  source                               = "../../modules/terraform-zscc-route53-aws"
+  name_prefix                          = var.name_prefix
+  resource_tag                         = random_string.suffix.result
+  global_tags                          = local.global_tags
+  vpc_id                               = module.network.vpc_id
+  r53_subnet_ids                       = module.network.route53_subnet_ids
+  outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
+  domain_names                         = var.domain_names
+  target_address                       = var.target_address
 }
 
 

examples/cc_ha/main.tf

@@ -173,6 +173,7 @@ module "cc_sg" {
   resource_tag             = random_string.suffix.result
   global_tags              = local.global_tags
   vpc_id                   = module.network.vpc_id
+  zpa_enabled              = var.zpa_enabled
   http_probe_port          = var.http_probe_port
   mgmt_ssh_enabled         = var.mgmt_ssh_enabled
   gwlb_enabled             = false
@@ -223,15 +224,16 @@ module "cc_lambda" {
 #    This can optionally be enabled/disabled per variable "zpa_enabled".
 ################################################################################
 module "route53" {
-  count          = var.zpa_enabled == true ? 1 : 0
-  source         = "../../modules/terraform-zscc-route53-aws"
-  name_prefix    = var.name_prefix
-  resource_tag   = random_string.suffix.result
-  global_tags    = local.global_tags
-  vpc_id         = module.network.vpc_id
-  r53_subnet_ids = module.network.route53_subnet_ids
-  domain_names   = var.domain_names
-  target_address = var.target_address
+  count                                = var.zpa_enabled == true ? 1 : 0
+  source                               = "../../modules/terraform-zscc-route53-aws"
+  name_prefix                          = var.name_prefix
+  resource_tag                         = random_string.suffix.result
+  global_tags                          = local.global_tags
+  vpc_id                               = module.network.vpc_id
+  r53_subnet_ids                       = module.network.route53_subnet_ids
+  outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
+  domain_names                         = var.domain_names
+  target_address                       = var.target_address
 }
 
 

modules/terraform-zscc-route53-aws/README.md

@@ -33,7 +33,6 @@ No modules.
 | [aws_route53_resolver_rule.system](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource |
 | [aws_route53_resolver_rule_association.r53_rule_association_system](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
 | [aws_route53_resolver_rule_association.r53_rule_association_to_cc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
-| [aws_security_group.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 
 ## Inputs
 
@@ -42,6 +41,7 @@ No modules.
 | <a name="input_domain_names"></a> [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars step 10 | `map(any)` | n/a | yes |
 | <a name="input_global_tags"></a> [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | A prefix to associate to all Route 53 module resources | `string` | `null` | no |
+| <a name="input_outbound_endpoint_security_group_ids"></a> [outbound\_endpoint\_security\_group\_ids](#input\_outbound\_endpoint\_security\_group\_ids) | Route53 DNS Resolver Outbound Endpoint Security Group ID | `list(string)` | n/a | yes |
 | <a name="input_r53_subnet_ids"></a> [r53\_subnet\_ids](#input\_r53\_subnet\_ids) | List of Subnet IDs for the Route53 Endpoint | `list(string)` | n/a | yes |
 | <a name="input_resource_tag"></a> [resource\_tag](#input\_resource\_tag) | A tag to associate to all Route 53 module resources | `string` | `null` | no |
 | <a name="input_target_address"></a> [target\_address](#input\_target\_address) | Route 53 DNS queries will be forwarded to these Zscaler Global VIP addresses | `list(string)` | <pre>[<br>  "185.46.212.88",<br>  "185.46.212.89"<br>]</pre> | no |

modules/terraform-zscc-route53-aws/main.tf

@@ -1,22 +1,11 @@
-################################################################################
-# Pull in default security group information
-################################################################################
-data "aws_security_group" "selected" {
-  vpc_id = var.vpc_id
-  name   = "default"
-}
-
-
 ################################################################################
 # Create Route 53 outbound endpoints per subnet IDs specified
 ################################################################################
 resource "aws_route53_resolver_endpoint" "zpa_r53_ep" {
   name      = "${var.name_prefix}-r53-resolver-ep-${var.resource_tag}"
   direction = "OUTBOUND"
 
-  security_group_ids = [
-    data.aws_security_group.selected.id
-  ]
+  security_group_ids = var.outbound_endpoint_security_group_ids
 
   dynamic "ip_address" {
     for_each = var.r53_subnet_ids

modules/terraform-zscc-route53-aws/variables.tf

@@ -26,6 +26,11 @@ variable "r53_subnet_ids" {
   description = "List of Subnet IDs for the Route53 Endpoint"
 }
 
+variable "outbound_endpoint_security_group_ids" {
+  type        = list(string)
+  description = "Route53 DNS Resolver Outbound Endpoint Security Group ID"
+}
+
 variable "domain_names" {
   type        = map(any)
   description = "Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars step 10"