AWS Security Group changes #101

Merged (5 commits), Sep 24, 2024
Changes from 4 commits
14 changes: 14 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,17 @@
## UNRELEASED (TBD)
ENHANCEMENTS:
* Module Changes:
- terraform-zscc-ccvm-aws:
- add variable additional_management_security_group_ids
- terraform-zscc-asg-aws:
- add variable additional_management_security_group_ids
- terraform-zscc-sg-aws:
- add resource aws_security_group.outbound_endpoint_sg
- add variables byo_route53_resolver_outbound_endpoint_group_id and zpa_enabled
- terraform-zscc-route53-aws:
- add variable outbound_endpoint_security_group_ids
- remove default security group usage per AWS best practices

## 1.3.3 (August 30, 2024)
ENHANCEMENTS:
* refactor: add china marketplace specific product-code ("axnpwhsb4facossmbm1h9yad6") lookup
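Review bot: the CHANGELOG entries for terraform-zscc-ccvm-aws and terraform-zscc-asg-aws name the new variable `additional_management_security_group_ids`, but the asg module README and variables.tf in this same PR call it `additional_mgmt_security_group_ids`; one of the two should change so a user grepping the changelog finds the real variable. The last bullet, "remove default security group usage per AWS best practices", is a behavior change rather than a pure addition: consider a separate NOTES line stating the impact on existing deployments (which group is no longer attached and what replaces it) so upgraders know what to expect in the plan diff.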
18 changes: 10 additions & 8 deletions examples/base_1cc_zpa/main.tf
@@ -188,6 +188,7 @@ module "cc_sg" {
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
zpa_enabled = var.zpa_enabled
http_probe_port = var.http_probe_port
mgmt_ssh_enabled = var.mgmt_ssh_enabled
gwlb_enabled = false
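Review bot: `zpa_enabled = var.zpa_enabled` is now passed to `cc_sg`, but in this example the `route53` module below has no `count` guard and always consumes `module.cc_sg.outbound_endpoint_security_group_id`. If the sg module only creates `aws_security_group.outbound_endpoint_sg` when `zpa_enabled` is true (which is what the terraform-zscc-sg-aws CHANGELOG entry suggests), a user who sets `zpa_enabled = false` in this ZPA-specific example hands an empty or null security group list to the resolver endpoint. Either hard-code `zpa_enabled = true` in the base_*_zpa examples, or add a variable validation so the mismatch fails at plan time; the cc_gwlb, cc_gwlb_asg and cc_ha examples do not have this problem because their `route53` module is gated on `count = var.zpa_enabled == true ? 1 : 0`.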
@@ -202,14 +203,15 @@ module "cc_sg" {
# redirection to facilitate Cloud Connector ZPA service.
################################################################################
module "route53" {
source = "../../modules/terraform-zscc-route53-aws"
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
r53_subnet_ids = module.network.route53_subnet_ids
domain_names = var.domain_names
target_address = var.target_address
source = "../../modules/terraform-zscc-route53-aws"
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
r53_subnet_ids = module.network.route53_subnet_ids
outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
domain_names = var.domain_names
target_address = var.target_address
}


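Review bot: the new argument is plural, `outbound_endpoint_security_group_ids`, while the value it receives, `module.cc_sg.outbound_endpoint_security_group_id`, is singular; confirm that the sg module output type matches what the route53 module declares for this variable. This repo already has singular-named list inputs (`mgmt_security_group_id` is `list(string)` in the asg README in this PR), so the output may well be a list, but if it is a single ID the call needs `[module.cc_sg.outbound_endpoint_security_group_id]`. The same line is added to all seven example files in this PR, so whichever fix applies must be applied everywhere. The surrounding 8 removed / 10 added lines per example are `terraform fmt` realignment of unchanged arguments to the new longest name; that is fine, but keeping fmt-only churn in its own commit makes the functional change easier to review.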
18 changes: 10 additions & 8 deletions examples/base_2cc_zpa/main.tf
@@ -187,6 +187,7 @@ module "cc_sg" {
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
zpa_enabled = var.zpa_enabled
http_probe_port = var.http_probe_port
mgmt_ssh_enabled = var.mgmt_ssh_enabled
gwlb_enabled = false
@@ -219,14 +220,15 @@ module "cc_lambda" {
# redirection to facilitate Cloud Connector ZPA service.
################################################################################
module "route53" {
source = "../../modules/terraform-zscc-route53-aws"
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
r53_subnet_ids = module.network.route53_subnet_ids
domain_names = var.domain_names
target_address = var.target_address
source = "../../modules/terraform-zscc-route53-aws"
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
r53_subnet_ids = module.network.route53_subnet_ids
outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
domain_names = var.domain_names
target_address = var.target_address
}


18 changes: 10 additions & 8 deletions examples/base_cc_gwlb_asg_zpa/main.tf
@@ -206,6 +206,7 @@ module "cc_sg" {
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
zpa_enabled = var.zpa_enabled
http_probe_port = var.http_probe_port
mgmt_ssh_enabled = var.mgmt_ssh_enabled
all_ports_egress_enabled = var.all_ports_egress_enabled
@@ -259,14 +260,15 @@ module "gwlb_endpoint" {
# redirection to facilitate Cloud Connector ZPA service.
################################################################################
module "route53" {
source = "../../modules/terraform-zscc-route53-aws"
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
r53_subnet_ids = module.network.route53_subnet_ids
domain_names = var.domain_names
target_address = var.target_address
source = "../../modules/terraform-zscc-route53-aws"
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
r53_subnet_ids = module.network.route53_subnet_ids
outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
domain_names = var.domain_names
target_address = var.target_address
}


18 changes: 10 additions & 8 deletions examples/base_cc_gwlb_zpa/main.tf
@@ -189,6 +189,7 @@ module "cc_sg" {
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
zpa_enabled = var.zpa_enabled
http_probe_port = var.http_probe_port
mgmt_ssh_enabled = var.mgmt_ssh_enabled
all_ports_egress_enabled = var.all_ports_egress_enabled
@@ -242,14 +243,15 @@ module "gwlb_endpoint" {
# redirection to facilitate Cloud Connector ZPA service.
################################################################################
module "route53" {
source = "../../modules/terraform-zscc-route53-aws"
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
r53_subnet_ids = module.network.route53_subnet_ids
domain_names = var.domain_names
target_address = var.target_address
source = "../../modules/terraform-zscc-route53-aws"
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
r53_subnet_ids = module.network.route53_subnet_ids
outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
domain_names = var.domain_names
target_address = var.target_address
}


20 changes: 11 additions & 9 deletions examples/cc_gwlb/main.tf
@@ -173,6 +173,7 @@ module "cc_sg" {
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
zpa_enabled = var.zpa_enabled
http_probe_port = var.http_probe_port
mgmt_ssh_enabled = var.mgmt_ssh_enabled
all_ports_egress_enabled = var.all_ports_egress_enabled
@@ -233,15 +234,16 @@ module "gwlb_endpoint" {
# This can optionally be enabled/disabled per variable "zpa_enabled".
################################################################################
module "route53" {
count = var.zpa_enabled == true ? 1 : 0
source = "../../modules/terraform-zscc-route53-aws"
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
r53_subnet_ids = module.network.route53_subnet_ids
domain_names = var.domain_names
target_address = var.target_address
count = var.zpa_enabled == true ? 1 : 0
source = "../../modules/terraform-zscc-route53-aws"
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
r53_subnet_ids = module.network.route53_subnet_ids
outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
domain_names = var.domain_names
target_address = var.target_address
}


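Review bot: since the `count` line is being re-emitted in this hunk anyway, `count = var.zpa_enabled ? 1 : 0` reads better than comparing a bool to `true`; the same expression is re-emitted in the cc_gwlb_asg and cc_ha examples. The guard itself is consistent with passing `var.zpa_enabled` into `cc_sg` above: when ZPA is off, neither the resolver endpoint nor (presumably) its security group is created, so the `module.cc_sg.outbound_endpoint_security_group_id` reference is never evaluated.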
20 changes: 11 additions & 9 deletions examples/cc_gwlb_asg/main.tf
@@ -191,6 +191,7 @@ module "cc_sg" {
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
zpa_enabled = var.zpa_enabled
http_probe_port = var.http_probe_port
mgmt_ssh_enabled = var.mgmt_ssh_enabled
all_ports_egress_enabled = var.all_ports_egress_enabled
@@ -251,15 +252,16 @@ module "gwlb_endpoint" {
# This can optionally be enabled/disabled per variable "zpa_enabled".
################################################################################
module "route53" {
count = var.zpa_enabled == true ? 1 : 0
source = "../../modules/terraform-zscc-route53-aws"
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
r53_subnet_ids = module.network.route53_subnet_ids
domain_names = var.domain_names
target_address = var.target_address
count = var.zpa_enabled == true ? 1 : 0
source = "../../modules/terraform-zscc-route53-aws"
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
r53_subnet_ids = module.network.route53_subnet_ids
outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
domain_names = var.domain_names
target_address = var.target_address
}


20 changes: 11 additions & 9 deletions examples/cc_ha/main.tf
@@ -173,6 +173,7 @@ module "cc_sg" {
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
zpa_enabled = var.zpa_enabled
http_probe_port = var.http_probe_port
mgmt_ssh_enabled = var.mgmt_ssh_enabled
gwlb_enabled = false
@@ -223,15 +224,16 @@ module "cc_lambda" {
# This can optionally be enabled/disabled per variable "zpa_enabled".
################################################################################
module "route53" {
count = var.zpa_enabled == true ? 1 : 0
source = "../../modules/terraform-zscc-route53-aws"
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
r53_subnet_ids = module.network.route53_subnet_ids
domain_names = var.domain_names
target_address = var.target_address
count = var.zpa_enabled == true ? 1 : 0
source = "../../modules/terraform-zscc-route53-aws"
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
global_tags = local.global_tags
vpc_id = module.network.vpc_id
r53_subnet_ids = module.network.route53_subnet_ids
outbound_endpoint_security_group_ids = module.cc_sg.outbound_endpoint_security_group_id
domain_names = var.domain_names
target_address = var.target_address
}


5 changes: 3 additions & 2 deletions modules/terraform-zscc-asg-aws/README.md
@@ -58,6 +58,7 @@ No modules.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_additional_mgmt_security_group_ids"></a> [additional\_mgmt\_security\_group\_ids](#input\_additional\_mgmt\_security\_group\_ids) | Optional additional Cloud Connector EC2 Instance management security group ids to be attached to the to the management interface | `list(string)` | `[]` | no |
| <a name="input_ami_id"></a> [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a launch template change. | `list(string)` | n/a | yes |
| <a name="input_byo_kms_key_alias"></a> [byo\_kms\_key\_alias](#input\_byo\_kms\_key\_alias) | Requires var.ebs\_encryption\_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/<key-alias>' to use a custom KMS key | `string` | `null` | no |
| <a name="input_byo_sns_topic"></a> [byo\_sns\_topic](#input\_byo\_sns\_topic) | Determine whether or not to create an AWS SNS topic and topic subscription for email alerts. Setting this variable to true implies you should also set variable sns\_enabled to true | `bool` | `false` | no |
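Review bot: the description of the new `additional_mgmt_security_group_ids` row reads "attached to the to the management interface" (doubled "to the"). This table is terraform-docs output, so fix the wording in the variable's `description` in variables.tf and regenerate rather than hand-editing the README, otherwise the next regeneration reintroduces it. The variable name here also differs from the `additional_management_security_group_ids` that CHANGELOG.md lists for this module.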
@@ -78,13 +79,13 @@ No modules.
| <a name="input_lifecyclehook_instance_launch_wait_time"></a> [lifecyclehook\_instance\_launch\_wait\_time](#input\_lifecyclehook\_instance\_launch\_wait\_time) | The maximum amount of time to wait in pending:wait state on instance launch in warmpool | `number` | `1800` | no |
| <a name="input_lifecyclehook_instance_terminate_wait_time"></a> [lifecyclehook\_instance\_terminate\_wait\_time](#input\_lifecyclehook\_instance\_terminate\_wait\_time) | The maximum amount of time to wait in terminating:wait state on instance termination | `number` | `900` | no |
| <a name="input_max_size"></a> [max\_size](#input\_max\_size) | Maxinum number of Cloud Connectors to maintain in Autoscaling group | `number` | `4` | no |
| <a name="input_mgmt_security_group_id"></a> [mgmt\_security\_group\_id](#input\_mgmt\_security\_group\_id) | Cloud Connector EC2 Instance management subnet id | `list(string)` | n/a | yes |
| <a name="input_mgmt_security_group_id"></a> [mgmt\_security\_group\_id](#input\_mgmt\_security\_group\_id) | Cloud Connector EC2 Instance management security group id | `list(string)` | n/a | yes |
| <a name="input_min_size"></a> [min\_size](#input\_min\_size) | Mininum number of Cloud Connectors to maintain in Autoscaling group | `number` | `2` | no |
| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | A prefix to associate to all the Cloud Connector module resources | `string` | `null` | no |
| <a name="input_protect_from_scale_in"></a> [protect\_from\_scale\_in](#input\_protect\_from\_scale\_in) | Whether newly launched instances are automatically protected from termination by Amazon EC2 Auto Scaling when scaling in. For more information about preventing instances from terminating on scale in, see Using instance scale-in protection in the Amazon EC2 Auto Scaling User Guide | `bool` | `false` | no |
| <a name="input_resource_tag"></a> [resource\_tag](#input\_resource\_tag) | A tag to associate to all the Cloud Connector module resources | `string` | `null` | no |
| <a name="input_reuse_on_scale_in"></a> [reuse\_on\_scale\_in](#input\_reuse\_on\_scale\_in) | Specifies whether instances in the Auto Scaling group can be returned to the warm pool on scale in. | `bool` | `false` | no |
| <a name="input_service_security_group_id"></a> [service\_security\_group\_id](#input\_service\_security\_group\_id) | Cloud Connector EC2 Instance service subnet id | `list(string)` | n/a | yes |
| <a name="input_service_security_group_id"></a> [service\_security\_group\_id](#input\_service\_security\_group\_id) | Cloud Connector EC2 Instance service security group id | `list(string)` | n/a | yes |
| <a name="input_sns_email_list"></a> [sns\_email\_list](#input\_sns\_email\_list) | List of email addresses to input for sns topic subscriptions for autoscaling group notifications. Required if sns\_enabled variable is true and byo\_sns\_topic false | `list(string)` | <pre>[<br> ""<br>]</pre> | no |
| <a name="input_sns_enabled"></a> [sns\_enabled](#input\_sns\_enabled) | Determine whether or not to create autoscaling group notifications. Default is false. If setting this value to true, terraform will also create a new sns topic and topic subscription | `bool` | `false` | no |
| <a name="input_target_cpu_util_value"></a> [target\_cpu\_util\_value](#input\_target\_cpu\_util\_value) | Target value number for autoscaling policy CPU utilization target tracking. ie: trigger a scale in/out to keep average CPU Utliization percentage across all instances at/under this number | `number` | `80` | no |
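Review bot: the two description fixes here (`mgmt_security_group_id` and `service_security_group_id` were documented as "subnet id") are correct, but they only survive a terraform-docs regeneration if the matching `description` strings in variables.tf change too; the variables.tf hunk in this PR touches only `service_security_group_id`, so please check the mgmt one. While this table is being edited, the neighbouring rows still carry "Maxinum", "Mininum" and "Utliization" in their descriptions, which come from the same variables.tf and could be fixed in the same pass.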
2 changes: 1 addition & 1 deletion modules/terraform-zscc-asg-aws/variables.tf
@@ -92,7 +92,7 @@ variable "additional_mgmt_security_group_ids" {

variable "service_security_group_id" {
type = list(string)
description = "Cloud Connector EC2 Instance service subnet id"
description = "Cloud Connector EC2 Instance service security group id"
}

variable "iam_instance_profile" {
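Review bot: this corrects the `service_security_group_id` description but the file summary shows only 1 addition and 1 deletion, while the module README in this PR also changes the `mgmt_security_group_id` description from "subnet id" to "security group id". Unless that edit is in a hunk not shown here, update `mgmt_security_group_id` in this file as well so the README and its source stay in sync; the README row for `additional_mgmt_security_group_ids` ("attached to the to the management interface") suggests the same check for that variable's description, which sits just above this hunk.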