diff --git a/CHANGELOG.md b/CHANGELOG.md index ea00443..c0a9c15 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,8 +3,16 @@ ENHANCEMENTS: * Module Changes: - terraform-zscc-ccvm-aws: - add variable additional_management_security_group_ids + - add variables hostname_type and resource_name_dns_a_record_enabled + - change default private_dns_name_options hostname_type to AWS recommended resource-name from ip-name + - lifecycle ignore private_dns_name_options on aws_instance resource + - **While AWS supports changing hostname_type for deployed instances if stopped first, Cloud Connector does not. This change will only apply to newly deployed EC2 instances** - terraform-zscc-asg-aws: - add variable additional_management_security_group_ids + - add variables hostname_type and resource_name_dns_a_record_enabled + - change default private_dns_name_options hostname_type to AWS recommended resource-name from ip-name + - lifecycle ignore private_dns_name_options on aws_launch_template resource + - **While AWS supports changing hostname_type for deployed instances if stopped first, Cloud Connector does not. This change will only apply to newly deployed EC2 instances** - terraform-zscc-sg-aws: - add resource aws_security_group.outbound_endpoint_sg - add variables byo_route53_resolver_outbound_endpoint_group_id and zpa_enabled 
@@ -16,7 +24,10 @@ ENHANCEMENTS: - terraform-zscc-network-aws: - add variables byo_r53_subnet_ids and r53_route_table_enabled option for custom zpa deployments with existing Route53 subnets and/or Route Tables - change aws_subnet.route53_subnet resource count from hard coded "2" to the value of var.az_count or minimum 2 (whichever is greater) for more consistent private subnet creations + - add variables hostname_type and resource_name_dns_a_record_enabled + - change default private_dns_hostname_type_on_launch to AWS recommended resource-name from ip-name for greenfield CC Subnet creations * refactor: add zsec prompts brownfield zpa network options + ## 1.3.3 (August 30, 2024) ENHANCEMENTS: diff --git a/examples/base_1cc/README.md b/examples/base_1cc/README.md index 56023a4..9121fc3 100644 --- a/examples/base_1cc/README.md +++ b/examples/base_1cc/README.md 
@@ -98,11 +98,13 @@ From base_1cc directory execute: | [cloud\_tags\_enabled](#input\_cloud\_tags\_enabled) | Determines whether or not to create the cc\_tags\_policy IAM Policy and attach it to the CC IAM Role | `bool` | `false` | no | | [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no | | [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no | +| [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no | | [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | | [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no | | [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | +| [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. 
Default is false | `bool` | `false` | no | | [reuse\_iam](#input\_reuse\_iam) | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | `bool` | `false` | no | | [reuse\_security\_group](#input\_reuse\_security\_group) | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | `bool` | `false` | no | | [secret\_name](#input\_secret\_name) | AWS Secrets Manager Secret Name for Cloud Connector provisioning | `string` | n/a | yes | diff --git a/examples/base_1cc/main.tf b/examples/base_1cc/main.tf index 300f794..c6a3290 100755 --- a/examples/base_1cc/main.tf +++ b/examples/base_1cc/main.tf 
@@ -131,24 +131,26 @@ data "aws_ami" "cloudconnector" { # Create specified number of CC appliances module "cc_vm" { - source = "../../modules/terraform-zscc-ccvm-aws" - cc_count = var.cc_count - ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - mgmt_subnet_id = module.network.cc_subnet_ids - service_subnet_id = module.network.cc_subnet_ids - instance_key = aws_key_pair.deployer.key_name - user_data = local.userdata - ccvm_instance_type = var.ccvm_instance_type - cc_instance_size = var.cc_instance_size - iam_instance_profile = module.cc_iam.iam_instance_profile_id - mgmt_security_group_id = module.cc_sg.mgmt_security_group_id - service_security_group_id = module.cc_sg.service_security_group_id - ebs_volume_type = var.ebs_volume_type - ebs_encryption_enabled = var.ebs_encryption_enabled - byo_kms_key_alias = var.byo_kms_key_alias + source = "../../modules/terraform-zscc-ccvm-aws" + cc_count = var.cc_count + ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + mgmt_subnet_id = module.network.cc_subnet_ids + service_subnet_id = module.network.cc_subnet_ids + instance_key = aws_key_pair.deployer.key_name + user_data = local.userdata + ccvm_instance_type = var.ccvm_instance_type + cc_instance_size = var.cc_instance_size + iam_instance_profile = module.cc_iam.iam_instance_profile_id + mgmt_security_group_id = module.cc_sg.mgmt_security_group_id + service_security_group_id = module.cc_sg.service_security_group_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias + hostname_type = var.hostname_type + resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled depends_on = [ 
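Review bot: The new `hostname_type` and `resource_name_dns_a_record_enabled` arguments are wired only into `module "cc_vm"`, while the CHANGELOG entry for terraform-zscc-network-aws says the network module gained the same two variables for the CC subnet's private_dns_hostname_type_on_launch; the `module "network"` call in this example is outside the hunk, so verify it is also passed `hostname_type = var.hostname_type` and `resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled`, otherwise the subnet launch default and the instance-level private_dns_name_options are presumably driven from different places and can drift apart silently. The `module "cc_vm"` block continues past the end of the hunk (the depends_on list is cut off). The same check applies to the other example main.tf hunks in this diff, including the ASG example's `module "cc_asg"`.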
diff --git a/examples/base_1cc/variables.tf b/examples/base_1cc/variables.tf
index ee38a2b..fe25eb0 100755
--- a/examples/base_1cc/variables.tf
+++ b/examples/base_1cc/variables.tf
@@ -216,3 +216,23 @@ variable "zssupport_server" {
 description = "destination IP address of Zscaler Support access server. IP resolution of remotesupport..net"
 default = "199.168.148.101/32" #for commercial clouds
 }
+
+variable "hostname_type" {
+ type = string
+ description = "Type of hostname for Amazon EC2 instances"
+ default = "resource-name"
+
+ validation {
+ condition = (
+ var.hostname_type == "resource-name" ||
+ var.hostname_type == "ip-name"
+ )
+ error_message = "Input hostname_type must be set to either resource-name or ip-name."
+ }
+}
+
+variable "resource_name_dns_a_record_enabled" {
+ type = bool
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false"
+ default = false
+}
diff --git a/examples/base_1cc_zpa/README.md b/examples/base_1cc_zpa/README.md
index f969757..a3324f9 100644
--- a/examples/base_1cc_zpa/README.md
+++ b/examples/base_1cc_zpa/README.md
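Review bot: The description of `resource_name_dns_a_record_enabled` does not tell the operator what enabling it exposes: as far as I can tell from the AWS option it maps to, it only has an effect together with `hostname_type = "resource-name"`, and when on it makes every Cloud Connector's resource-based hostname resolvable to its private IP through the VPC resolver, so the conservative default of false deserves a reason in the text. I would expand it to `description = "Respond to DNS queries for the instance's resource-based hostname with an A record. Only meaningful when hostname_type is resource-name; leave false unless name-based resolution of Cloud Connector instances is required. Default is false"`. The `hostname_type` description should also carry the caveat the CHANGELOG states for this release: Cloud Connector does not support changing the hostname type on an already deployed instance and the module ignores drift on private_dns_name_options, so changing this value only affects newly created instances. The validation reads more compactly as `condition = contains(["ip-name", "resource-name"], var.hostname_type)`. The same applies to the identical variable blocks added to the other example variables.tf files in this diff.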
@@ -100,11 +100,13 @@ From base_1cc_zpa directory execute: | [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables | `map(any)` | n/a | yes | | [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no | | [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no | +| [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no | | [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | | [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no | | [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | +| [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. 
Default is false | `bool` | `false` | no | | [reuse\_iam](#input\_reuse\_iam) | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | `bool` | `false` | no | | [reuse\_security\_group](#input\_reuse\_security\_group) | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | `bool` | `false` | no | | [route53\_subnets](#input\_route53\_subnets) | Route 53 Outbound Endpoint Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | diff --git a/examples/base_1cc_zpa/main.tf b/examples/base_1cc_zpa/main.tf index 3b8c22b..202fb30 100755 --- a/examples/base_1cc_zpa/main.tf +++ b/examples/base_1cc_zpa/main.tf 
@@ -133,24 +133,26 @@ data "aws_ami" "cloudconnector" { # Create specified number of CC appliances module "cc_vm" { - source = "../../modules/terraform-zscc-ccvm-aws" - cc_count = var.cc_count - ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - mgmt_subnet_id = module.network.cc_subnet_ids - service_subnet_id = module.network.cc_subnet_ids - instance_key = aws_key_pair.deployer.key_name - user_data = local.userdata - ccvm_instance_type = var.ccvm_instance_type - cc_instance_size = var.cc_instance_size - iam_instance_profile = module.cc_iam.iam_instance_profile_id - mgmt_security_group_id = module.cc_sg.mgmt_security_group_id - service_security_group_id = module.cc_sg.service_security_group_id - ebs_volume_type = var.ebs_volume_type - ebs_encryption_enabled = var.ebs_encryption_enabled - byo_kms_key_alias = var.byo_kms_key_alias + source = "../../modules/terraform-zscc-ccvm-aws" + cc_count = var.cc_count + ami_id = contains(var.ami_id, "") ? 
[data.aws_ami.cloudconnector.id] : var.ami_id + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + mgmt_subnet_id = module.network.cc_subnet_ids + service_subnet_id = module.network.cc_subnet_ids + instance_key = aws_key_pair.deployer.key_name + user_data = local.userdata + ccvm_instance_type = var.ccvm_instance_type + cc_instance_size = var.cc_instance_size + iam_instance_profile = module.cc_iam.iam_instance_profile_id + mgmt_security_group_id = module.cc_sg.mgmt_security_group_id + service_security_group_id = module.cc_sg.service_security_group_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias + hostname_type = var.hostname_type + resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled depends_on = [ null_resource.cc_error_checker
diff --git a/examples/base_1cc_zpa/variables.tf b/examples/base_1cc_zpa/variables.tf
index ba7f797..2cbf85a 100755
--- a/examples/base_1cc_zpa/variables.tf
+++ b/examples/base_1cc_zpa/variables.tf
@@ -239,3 +239,23 @@ variable "zssupport_server" {
 description = "destination IP address of Zscaler Support access server. IP resolution of remotesupport..net"
 default = "199.168.148.101/32" #for commercial clouds
 }
+
+variable "hostname_type" {
+ type = string
+ description = "Type of hostname for Amazon EC2 instances"
+ default = "resource-name"
+
+ validation {
+ condition = (
+ var.hostname_type == "resource-name" ||
+ var.hostname_type == "ip-name"
+ )
+ error_message = "Input hostname_type must be set to either resource-name or ip-name."
+ }
+}
+
+variable "resource_name_dns_a_record_enabled" {
+ type = bool
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false"
+ default = false
+}
diff --git a/examples/base_2cc/README.md b/examples/base_2cc/README.md
index 8184ed1..c013e6a 100644
--- a/examples/base_2cc/README.md +++ b/examples/base_2cc/README.md 
@@ -101,11 +101,13 @@ From base_2cc directory execute: | [cloud\_tags\_enabled](#input\_cloud\_tags\_enabled) | Determines whether or not to create the cc\_tags\_policy IAM Policy and attach it to the CC IAM Role | `bool` | `false` | no | | [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no | | [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no | +| [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no | | [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | | [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no | | [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | +| [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. 
Default is false | `bool` | `false` | no | | [reuse\_iam](#input\_reuse\_iam) | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | `bool` | `false` | no | | [reuse\_security\_group](#input\_reuse\_security\_group) | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | `bool` | `false` | no | | [secret\_name](#input\_secret\_name) | AWS Secrets Manager Secret Name for Cloud Connector provisioning | `string` | n/a | yes | diff --git a/examples/base_2cc/main.tf b/examples/base_2cc/main.tf index 44c7d16..33dbb48 100755 --- a/examples/base_2cc/main.tf +++ b/examples/base_2cc/main.tf 
@@ -131,24 +131,26 @@ data "aws_ami" "cloudconnector" { # Create specified number of CC appliances module "cc_vm" { - source = "../../modules/terraform-zscc-ccvm-aws" - cc_count = var.cc_count - ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - mgmt_subnet_id = module.network.cc_subnet_ids - service_subnet_id = module.network.cc_subnet_ids - instance_key = aws_key_pair.deployer.key_name - user_data = local.userdata - ccvm_instance_type = var.ccvm_instance_type - cc_instance_size = var.cc_instance_size - iam_instance_profile = module.cc_iam.iam_instance_profile_id - mgmt_security_group_id = module.cc_sg.mgmt_security_group_id - service_security_group_id = module.cc_sg.service_security_group_id - ebs_volume_type = var.ebs_volume_type - ebs_encryption_enabled = var.ebs_encryption_enabled - byo_kms_key_alias = var.byo_kms_key_alias + source = "../../modules/terraform-zscc-ccvm-aws" + cc_count = var.cc_count + ami_id = contains(var.ami_id, "") ? 
[data.aws_ami.cloudconnector.id] : var.ami_id + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + mgmt_subnet_id = module.network.cc_subnet_ids + service_subnet_id = module.network.cc_subnet_ids + instance_key = aws_key_pair.deployer.key_name + user_data = local.userdata + ccvm_instance_type = var.ccvm_instance_type + cc_instance_size = var.cc_instance_size + iam_instance_profile = module.cc_iam.iam_instance_profile_id + mgmt_security_group_id = module.cc_sg.mgmt_security_group_id + service_security_group_id = module.cc_sg.service_security_group_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias + hostname_type = var.hostname_type + resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled depends_on = [ null_resource.cc_error_checker
diff --git a/examples/base_2cc/variables.tf b/examples/base_2cc/variables.tf
index 3bb9ee5..c8d7f49 100755
--- a/examples/base_2cc/variables.tf
+++ b/examples/base_2cc/variables.tf
@@ -216,3 +216,23 @@ variable "zssupport_server" {
 description = "destination IP address of Zscaler Support access server. IP resolution of remotesupport..net"
 default = "199.168.148.101/32" #for commercial clouds
 }
+
+variable "hostname_type" {
+ type = string
+ description = "Type of hostname for Amazon EC2 instances"
+ default = "resource-name"
+
+ validation {
+ condition = (
+ var.hostname_type == "resource-name" ||
+ var.hostname_type == "ip-name"
+ )
+ error_message = "Input hostname_type must be set to either resource-name or ip-name."
+ }
+}
+
+variable "resource_name_dns_a_record_enabled" {
+ type = bool
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false"
+ default = false
+}
diff --git a/examples/base_2cc_zpa/README.md b/examples/base_2cc_zpa/README.md
index 6724ab5..cb8ae93 100644
--- a/examples/base_2cc_zpa/README.md +++ b/examples/base_2cc_zpa/README.md 
@@ -102,11 +102,13 @@ From base_2cc_zpa directory execute: | [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables | `map(any)` | n/a | yes | | [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no | | [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no | +| [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no | | [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | | [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no | | [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | +| [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. 
Default is false | `bool` | `false` | no | | [reuse\_iam](#input\_reuse\_iam) | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | `bool` | `false` | no | | [reuse\_security\_group](#input\_reuse\_security\_group) | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | `bool` | `false` | no | | [route53\_subnets](#input\_route53\_subnets) | Route 53 Outbound Endpoint Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | diff --git a/examples/base_2cc_zpa/main.tf b/examples/base_2cc_zpa/main.tf index 9ceadfd..07fb106 100755 --- a/examples/base_2cc_zpa/main.tf +++ b/examples/base_2cc_zpa/main.tf 
@@ -132,24 +132,26 @@ data "aws_ami" "cloudconnector" { # Create specified number of CC appliances module "cc_vm" { - source = "../../modules/terraform-zscc-ccvm-aws" - cc_count = var.cc_count - ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - mgmt_subnet_id = module.network.cc_subnet_ids - service_subnet_id = module.network.cc_subnet_ids - instance_key = aws_key_pair.deployer.key_name - user_data = local.userdata - ccvm_instance_type = var.ccvm_instance_type - cc_instance_size = var.cc_instance_size - iam_instance_profile = module.cc_iam.iam_instance_profile_id - mgmt_security_group_id = module.cc_sg.mgmt_security_group_id - service_security_group_id = module.cc_sg.service_security_group_id - ebs_volume_type = var.ebs_volume_type - ebs_encryption_enabled = var.ebs_encryption_enabled - byo_kms_key_alias = var.byo_kms_key_alias + source = "../../modules/terraform-zscc-ccvm-aws" + cc_count = var.cc_count + ami_id = contains(var.ami_id, "") ? 
[data.aws_ami.cloudconnector.id] : var.ami_id + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + mgmt_subnet_id = module.network.cc_subnet_ids + service_subnet_id = module.network.cc_subnet_ids + instance_key = aws_key_pair.deployer.key_name + user_data = local.userdata + ccvm_instance_type = var.ccvm_instance_type + cc_instance_size = var.cc_instance_size + iam_instance_profile = module.cc_iam.iam_instance_profile_id + mgmt_security_group_id = module.cc_sg.mgmt_security_group_id + service_security_group_id = module.cc_sg.service_security_group_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias + hostname_type = var.hostname_type + resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled depends_on = [ null_resource.cc_error_checker
diff --git a/examples/base_2cc_zpa/variables.tf b/examples/base_2cc_zpa/variables.tf
index f9d6360..daa7952 100755
--- a/examples/base_2cc_zpa/variables.tf
+++ b/examples/base_2cc_zpa/variables.tf
@@ -239,3 +239,23 @@ variable "zssupport_server" {
 description = "destination IP address of Zscaler Support access server. IP resolution of remotesupport..net"
 default = "199.168.148.101/32" #for commercial clouds
 }
+
+variable "hostname_type" {
+ type = string
+ description = "Type of hostname for Amazon EC2 instances"
+ default = "resource-name"
+
+ validation {
+ condition = (
+ var.hostname_type == "resource-name" ||
+ var.hostname_type == "ip-name"
+ )
+ error_message = "Input hostname_type must be set to either resource-name or ip-name."
+ }
+}
+
+variable "resource_name_dns_a_record_enabled" {
+ type = bool
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false"
+ default = false
+}
diff --git a/examples/base_cc_gwlb/README.md b/examples/base_cc_gwlb/README.md
index 9fc82a0..e5f5867 100644
--- a/examples/base_cc_gwlb/README.md +++ b/examples/base_cc_gwlb/README.md 
@@ -107,12 +107,14 @@ From base_cc_gwlb directory execute: | [gwlb\_enabled](#input\_gwlb\_enabled) | Default is true. Workload/Route 53 subnet Route Tables will point to network\_interface\_id via var.cc\_service\_enis. If true, Route Tables will point to vpc\_endpoint\_id via var.gwlb\_endpoint\_ids input. | `bool` | `true` | no | | [health\_check\_interval](#input\_health\_check\_interval) | Interval for GWLB target group health check probing, in seconds, of Cloud Connector targets. Minimum 5 and maximum 300 seconds | `number` | `10` | no | | [healthy\_threshold](#input\_healthy\_threshold) | The number of successful health checks required before an unhealthy target becomes healthy. Minimum 2 and maximum 10 | `number` | `2` | no | +| [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no | | [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | | [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no | | [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [rebalance\_enabled](#input\_rebalance\_enabled) | Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy. true means rebalance. false means no\_rebalance. 
Default: true | `bool` | `true` | no | +| [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | `bool` | `false` | no | | [reuse\_iam](#input\_reuse\_iam) | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | `bool` | `false` | no | | [reuse\_security\_group](#input\_reuse\_security\_group) | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | `bool` | `false` | no | | [secret\_name](#input\_secret\_name) | AWS Secrets Manager Secret Name for Cloud Connector provisioning | `string` | n/a | yes | diff --git a/examples/base_cc_gwlb/main.tf b/examples/base_cc_gwlb/main.tf index f22db61..09073a8 100755 --- a/examples/base_cc_gwlb/main.tf +++ b/examples/base_cc_gwlb/main.tf 
@@ -132,24 +132,26 @@ data "aws_ami" "cloudconnector" { # Create specified number of CC appliances module "cc_vm" { - source = "../../modules/terraform-zscc-ccvm-aws" - cc_count = var.cc_count - ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - mgmt_subnet_id = module.network.cc_subnet_ids - service_subnet_id = module.network.cc_subnet_ids - instance_key = aws_key_pair.deployer.key_name - user_data = local.userdata - ccvm_instance_type = var.ccvm_instance_type - cc_instance_size = var.cc_instance_size - iam_instance_profile = module.cc_iam.iam_instance_profile_id - mgmt_security_group_id = module.cc_sg.mgmt_security_group_id - service_security_group_id = module.cc_sg.service_security_group_id - ebs_volume_type = var.ebs_volume_type - ebs_encryption_enabled = var.ebs_encryption_enabled - byo_kms_key_alias = var.byo_kms_key_alias + source = "../../modules/terraform-zscc-ccvm-aws" + cc_count = var.cc_count + ami_id = contains(var.ami_id, "") ? 
[data.aws_ami.cloudconnector.id] : var.ami_id + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + mgmt_subnet_id = module.network.cc_subnet_ids + service_subnet_id = module.network.cc_subnet_ids + instance_key = aws_key_pair.deployer.key_name + user_data = local.userdata + ccvm_instance_type = var.ccvm_instance_type + cc_instance_size = var.cc_instance_size + iam_instance_profile = module.cc_iam.iam_instance_profile_id + mgmt_security_group_id = module.cc_sg.mgmt_security_group_id + service_security_group_id = module.cc_sg.service_security_group_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias + hostname_type = var.hostname_type + resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled depends_on = [ null_resource.cc_error_checker
diff --git a/examples/base_cc_gwlb/variables.tf b/examples/base_cc_gwlb/variables.tf
index 9ab4d0c..e1e83ab 100755
--- a/examples/base_cc_gwlb/variables.tf
+++ b/examples/base_cc_gwlb/variables.tf
@@ -285,3 +285,23 @@ variable "zssupport_server" {
 description = "destination IP address of Zscaler Support access server. IP resolution of remotesupport..net"
 default = "199.168.148.101/32" #for commercial clouds
 }
+
+variable "hostname_type" {
+ type = string
+ description = "Type of hostname for Amazon EC2 instances"
+ default = "resource-name"
+
+ validation {
+ condition = (
+ var.hostname_type == "resource-name" ||
+ var.hostname_type == "ip-name"
+ )
+ error_message = "Input hostname_type must be set to either resource-name or ip-name."
+ }
+}
+
+variable "resource_name_dns_a_record_enabled" {
+ type = bool
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false"
+ default = false
+}
diff --git a/examples/base_cc_gwlb_asg/README.md b/examples/base_cc_gwlb_asg/README.md
index 80584d6..20e828f 100644
--- a/examples/base_cc_gwlb_asg/README.md +++ b/examples/base_cc_gwlb_asg/README.md @@ -112,6 +112,7 @@ From base_cc_gwlb_asg directory execute: | [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | The health check grace period specifies the minimum amount of time (in seconds) to keep a new instance in service before terminating it if it's found to be unhealthy. | `number` | `900` | no | | [health\_check\_interval](#input\_health\_check\_interval) | Interval for GWLB target group health check probing, in seconds, of Cloud Connector targets. Minimum 5 and maximum 300 seconds | `number` | `10` | no | | [healthy\_threshold](#input\_healthy\_threshold) | The number of successful health checks required before an unhealthy target becomes healthy. Minimum 2 and maximum 10 | `number` | `2` | no | +| [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no | | [instance\_warmup](#input\_instance\_warmup) | Amount of time, in seconds, until a newly launched instance can contribute to the Amazon CloudWatch metrics. This delay lets an instance finish initializing before Amazon EC2 Auto Scaling aggregates instance metrics, resulting in more reliable usage data. Set this value equal to the amount of time that it takes for resource consumption to become stable after an instance reaches the InService state | `number` | `0` | no | | [launch\_template\_version](#input\_launch\_template\_version) | Launch template version. Can be version number, `$Latest` or `$Default` | `string` | `"$Latest"` | no | 
@@ -125,6 +126,7 @@ From base_cc_gwlb_asg directory execute: | [protect\_from\_scale\_in](#input\_protect\_from\_scale\_in) | Whether newly launched instances are automatically protected from termination by Amazon EC2 Auto Scaling when scaling in. For more information about preventing instances from terminating on scale in, see Using instance scale-in protection in the Amazon EC2 Auto Scaling User Guide | `bool` | `false` | no | | [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [rebalance\_enabled](#input\_rebalance\_enabled) | Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy. true means rebalance. false means no\_rebalance. Default: true | `bool` | `true` | no | +| [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | `bool` | `false` | no | | [reuse\_on\_scale\_in](#input\_reuse\_on\_scale\_in) | Specifies whether instances in the Auto Scaling group can be returned to the warm pool on scale in. Default recommendation is true | `bool` | `true` | no | | [secret\_name](#input\_secret\_name) | AWS Secrets Manager Secret Name for Cloud Connector provisioning | `string` | n/a | yes | | [sns\_email\_list](#input\_sns\_email\_list) | List of email addresses to input for sns topic subscriptions for autoscaling group notifications. Required if sns\_enabled variable is true and byo\_sns\_topic false | `list(string)` |
[
""
]
| no | diff --git a/examples/base_cc_gwlb_asg/main.tf b/examples/base_cc_gwlb_asg/main.tf index a7afea8..d37395f 100755 --- a/examples/base_cc_gwlb_asg/main.tf +++ b/examples/base_cc_gwlb_asg/main.tf 
@@ -132,23 +132,25 @@ data "aws_ami" "cloudconnector" { # Create the specified CC VMs via Launch Template and Autoscaling Group module "cc_asg" { - source = "../../modules/terraform-zscc-asg-aws" - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - cc_subnet_ids = module.network.cc_subnet_ids - zonal_asg_enabled = var.zonal_asg_enabled - ccvm_instance_type = var.ccvm_instance_type - cc_instance_size = var.cc_instance_size - instance_key = aws_key_pair.deployer.key_name - user_data = local.userdata - iam_instance_profile = module.cc_iam.iam_instance_profile_id - mgmt_security_group_id = module.cc_sg.mgmt_security_group_id - service_security_group_id = module.cc_sg.service_security_group_id - ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id - ebs_volume_type = var.ebs_volume_type - ebs_encryption_enabled = var.ebs_encryption_enabled - byo_kms_key_alias = var.byo_kms_key_alias + source = "../../modules/terraform-zscc-asg-aws" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + cc_subnet_ids = module.network.cc_subnet_ids + zonal_asg_enabled = var.zonal_asg_enabled + ccvm_instance_type = var.ccvm_instance_type + cc_instance_size = var.cc_instance_size + instance_key = aws_key_pair.deployer.key_name + user_data = local.userdata + iam_instance_profile = module.cc_iam.iam_instance_profile_id + mgmt_security_group_id = module.cc_sg.mgmt_security_group_id + service_security_group_id = module.cc_sg.service_security_group_id + ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias + hostname_type = var.hostname_type + resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled max_size = var.max_size min_size = var.min_size 
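Review bot: The two new module arguments at the end of the hunk, `hostname_type` and `resource_name_dns_a_record_enabled`, are the only functional change, but they sit under a re-alignment of 17 unchanged arguments, so the diff hides what was actually added. A short comment above them, `# EC2 private DNS naming for the CC instances; takes effect only for newly launched instances`, would make the intent visible — this assumes the module does not re-apply the setting to running instances, which AWS only permits while an instance is stopped, so confirm against the module. Keeping `terraform fmt` alignment churn in a separate commit would keep hunks like this reviewable. The same hunk shape appears in base_cc_gwlb_asg_zpa/main.tf, base_cc_gwlb_zpa/main.tf, cc_gwlb/main.tf and cc_gwlb_asg/main.tf; the `module "cc_asg"` block continues past the end of the hunk.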
diff --git a/examples/base_cc_gwlb_asg/variables.tf b/examples/base_cc_gwlb_asg/variables.tf
index 82f0f92..5c76179 100755
--- a/examples/base_cc_gwlb_asg/variables.tf
+++ b/examples/base_cc_gwlb_asg/variables.tf
@@ -402,3 +402,23 @@ variable "zonal_asg_enabled" {
 description = "The number of Auto Scaling Groups to create. By default, Terraform will create a single Auto Scaling Group containing multiple subnets/availability zones. Set to true if you would rather create one Auto Scaling Group per subnet/availability zone (var.az_count)"
 default = false
 }
+
+variable "hostname_type" {
+ type = string
+ description = "Type of hostname for Amazon EC2 instances"
+ default = "resource-name"
+
+ validation {
+ condition = (
+ var.hostname_type == "resource-name" ||
+ var.hostname_type == "ip-name"
+ )
+ error_message = "Input hostname_type must be set to either resource-name or ip-name."
+ }
+}
+
+variable "resource_name_dns_a_record_enabled" {
+ type = bool
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false"
+ default = false
+}
diff --git a/examples/base_cc_gwlb_asg_zpa/README.md b/examples/base_cc_gwlb_asg_zpa/README.md
index a456b9b..25dad2b 100644
--- a/examples/base_cc_gwlb_asg_zpa/README.md
+++ b/examples/base_cc_gwlb_asg_zpa/README.md
@@ -114,6 +114,7 @@ From base_cc_gwlb_asg_zpa directory execute:
 | [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | The health check grace period specifies the minimum amount of time (in seconds) to keep a new instance in service before terminating it if it's found to be unhealthy. | `number` | `900` | no |
 | [health\_check\_interval](#input\_health\_check\_interval) | Interval for GWLB target group health check probing, in seconds, of Cloud Connector targets. Minimum 5 and maximum 300 seconds | `number` | `10` | no |
 | [healthy\_threshold](#input\_healthy\_threshold) | The number of successful health checks required before an unhealthy target becomes healthy. Minimum 2 and maximum 10 | `number` | `2` | no |
+| [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no |
 | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no |
 | [instance\_warmup](#input\_instance\_warmup) | Amount of time, in seconds, until a newly launched instance can contribute to the Amazon CloudWatch metrics. This delay lets an instance finish initializing before Amazon EC2 Auto Scaling aggregates instance metrics, resulting in more reliable usage data. Set this value equal to the amount of time that it takes for resource consumption to become stable after an instance reaches the InService state | `number` | `0` | no |
 | [launch\_template\_version](#input\_launch\_template\_version) | Launch template version. Can be version number, `$Latest` or `$Default` | `string` | `"$Latest"` | no |
@@ -127,6 +128,7 @@ From base_cc_gwlb_asg_zpa directory execute:
 | [protect\_from\_scale\_in](#input\_protect\_from\_scale\_in) | Whether newly launched instances are automatically protected from termination by Amazon EC2 Auto Scaling when scaling in. For more information about preventing instances from terminating on scale in, see Using instance scale-in protection in the Amazon EC2 Auto Scaling User Guide | `bool` | `false` | no |
 | [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
 | [rebalance\_enabled](#input\_rebalance\_enabled) | Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy. true means rebalance. false means no\_rebalance. Default: true | `bool` | `true` | no |
+| [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | `bool` | `false` | no |
 | [reuse\_on\_scale\_in](#input\_reuse\_on\_scale\_in) | Specifies whether instances in the Auto Scaling group can be returned to the warm pool on scale in. Default recommendation is true | `bool` | `true` | no |
 | [route53\_subnets](#input\_route53\_subnets) | Route 53 Outbound Endpoint Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
 | [secret\_name](#input\_secret\_name) | AWS Secrets Manager Secret Name for Cloud Connector provisioning | `string` | n/a | yes |
diff --git a/examples/base_cc_gwlb_asg_zpa/main.tf b/examples/base_cc_gwlb_asg_zpa/main.tf
index 1e18568..38696e1 100755
--- a/examples/base_cc_gwlb_asg_zpa/main.tf
+++ b/examples/base_cc_gwlb_asg_zpa/main.tf
@@ -134,23 +134,25 @@ data "aws_ami" "cloudconnector" { # Create the specified CC VMs via Launch Template and Autoscaling Group module "cc_asg" { - source = "../../modules/terraform-zscc-asg-aws" - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - cc_subnet_ids = module.network.cc_subnet_ids - zonal_asg_enabled = var.zonal_asg_enabled - ccvm_instance_type = var.ccvm_instance_type - cc_instance_size = var.cc_instance_size - instance_key = aws_key_pair.deployer.key_name - user_data = local.userdata - iam_instance_profile = module.cc_iam.iam_instance_profile_id - mgmt_security_group_id = module.cc_sg.mgmt_security_group_id - service_security_group_id = module.cc_sg.service_security_group_id - ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id - ebs_volume_type = var.ebs_volume_type - ebs_encryption_enabled = var.ebs_encryption_enabled - byo_kms_key_alias = var.byo_kms_key_alias + source = "../../modules/terraform-zscc-asg-aws" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + cc_subnet_ids = module.network.cc_subnet_ids + zonal_asg_enabled = var.zonal_asg_enabled + ccvm_instance_type = var.ccvm_instance_type + cc_instance_size = var.cc_instance_size + instance_key = aws_key_pair.deployer.key_name + user_data = local.userdata + iam_instance_profile = module.cc_iam.iam_instance_profile_id + mgmt_security_group_id = module.cc_sg.mgmt_security_group_id + service_security_group_id = module.cc_sg.service_security_group_id + ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias + hostname_type = var.hostname_type + resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled max_size = var.max_size min_size = var.min_size 
diff --git a/examples/base_cc_gwlb_asg_zpa/variables.tf b/examples/base_cc_gwlb_asg_zpa/variables.tf index ed8b35b..8a6f8d5 100755 --- a/examples/base_cc_gwlb_asg_zpa/variables.tf +++ b/examples/base_cc_gwlb_asg_zpa/variables.tf @@ -415,6 +415,27 @@ variable "zonal_asg_enabled" { default = false } +variable "hostname_type" { + type = string + description = "Type of hostname for Amazon EC2 instances" + default = "resource-name" + + validation { + condition = ( + var.hostname_type == "resource-name" || + var.hostname_type == "ip-name" + ) + error_message = "Input hostname_type must be set to either resource-name or ip-name." + } +} + +variable "resource_name_dns_a_record_enabled" { + type = bool + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false" + default = false +} + + # ZPA/Route53 specific variables variable "domain_names" { type = map(any) diff --git a/examples/base_cc_gwlb_zpa/README.md b/examples/base_cc_gwlb_zpa/README.md index 7562f70..edd3251 100644 --- a/examples/base_cc_gwlb_zpa/README.md +++ b/examples/base_cc_gwlb_zpa/README.md 
@@ -109,12 +109,14 @@ From base_cc_gwlb_zpa directory execute: | [gwlb\_enabled](#input\_gwlb\_enabled) | Default is true. Workload/Route 53 subnet Route Tables will point to network\_interface\_id via var.cc\_service\_enis. If true, Route Tables will point to vpc\_endpoint\_id via var.gwlb\_endpoint\_ids input. | `bool` | `true` | no | | [health\_check\_interval](#input\_health\_check\_interval) | Interval for GWLB target group health check probing, in seconds, of Cloud Connector targets. Minimum 5 and maximum 300 seconds | `number` | `10` | no | | [healthy\_threshold](#input\_healthy\_threshold) | The number of successful health checks required before an unhealthy target becomes healthy. Minimum 2 and maximum 10 | `number` | `2` | no | +| [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no | | [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | | [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no | | [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [rebalance\_enabled](#input\_rebalance\_enabled) | Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy. true means rebalance. false means no\_rebalance. 
Default: true | `bool` | `true` | no | +| [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | `bool` | `false` | no | | [reuse\_iam](#input\_reuse\_iam) | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | `bool` | `false` | no | | [reuse\_security\_group](#input\_reuse\_security\_group) | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | `bool` | `false` | no | | [route53\_subnets](#input\_route53\_subnets) | Route 53 Outbound Endpoint Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | diff --git a/examples/base_cc_gwlb_zpa/main.tf b/examples/base_cc_gwlb_zpa/main.tf index c1f7f4f..26fb860 100755 --- a/examples/base_cc_gwlb_zpa/main.tf +++ b/examples/base_cc_gwlb_zpa/main.tf 
@@ -134,24 +134,26 @@ data "aws_ami" "cloudconnector" { # Create specified number of CC appliances module "cc_vm" { - source = "../../modules/terraform-zscc-ccvm-aws" - cc_count = var.cc_count - ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - mgmt_subnet_id = module.network.cc_subnet_ids - service_subnet_id = module.network.cc_subnet_ids - instance_key = aws_key_pair.deployer.key_name - user_data = local.userdata - ccvm_instance_type = var.ccvm_instance_type - cc_instance_size = var.cc_instance_size - iam_instance_profile = module.cc_iam.iam_instance_profile_id - mgmt_security_group_id = module.cc_sg.mgmt_security_group_id - service_security_group_id = module.cc_sg.service_security_group_id - ebs_volume_type = var.ebs_volume_type - ebs_encryption_enabled = var.ebs_encryption_enabled - byo_kms_key_alias = var.byo_kms_key_alias + source = "../../modules/terraform-zscc-ccvm-aws" + cc_count = var.cc_count + ami_id = contains(var.ami_id, "") ? 
[data.aws_ami.cloudconnector.id] : var.ami_id + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + mgmt_subnet_id = module.network.cc_subnet_ids + service_subnet_id = module.network.cc_subnet_ids + instance_key = aws_key_pair.deployer.key_name + user_data = local.userdata + ccvm_instance_type = var.ccvm_instance_type + cc_instance_size = var.cc_instance_size + iam_instance_profile = module.cc_iam.iam_instance_profile_id + mgmt_security_group_id = module.cc_sg.mgmt_security_group_id + service_security_group_id = module.cc_sg.service_security_group_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias + hostname_type = var.hostname_type + resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled depends_on = [ null_resource.cc_error_checker diff --git a/examples/base_cc_gwlb_zpa/variables.tf b/examples/base_cc_gwlb_zpa/variables.tf index ce1575d..25a12b6 100755 --- a/examples/base_cc_gwlb_zpa/variables.tf +++ b/examples/base_cc_gwlb_zpa/variables.tf @@ -308,3 +308,23 @@ variable "zssupport_server" { description = "destination IP address of Zscaler Support access server. IP resolution of remotesupport..net" default = "199.168.148.101/32" #for commercial clouds } + +variable "hostname_type" { + type = string + description = "Type of hostname for Amazon EC2 instances" + default = "resource-name" + + validation { + condition = ( + var.hostname_type == "resource-name" || + var.hostname_type == "ip-name" + ) + error_message = "Input hostname_type must be set to either resource-name or ip-name." + } +} + +variable "resource_name_dns_a_record_enabled" { + type = bool + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false" + default = false +} diff --git a/examples/cc_gwlb/README.md b/examples/cc_gwlb/README.md index d42d2b1..9f32cd2 100644 
--- a/examples/cc_gwlb/README.md
+++ b/examples/cc_gwlb/README.md
@@ -121,6 +121,7 @@ From cc_gwlb directory execute:
 | [gwlb\_enabled](#input\_gwlb\_enabled) | Default is true. Workload/Route 53 subnet route tables will point to vpc\_endpoint\_id via var.gwlb\_endpoint\_ids input. If false, these Route Tables will point to network\_interface\_id via var.cc\_service\_enis | `bool` | `true` | no |
 | [health\_check\_interval](#input\_health\_check\_interval) | Interval for GWLB target group health check probing, in seconds, of Cloud Connector targets. Minimum 5 and maximum 300 seconds | `number` | `10` | no |
 | [healthy\_threshold](#input\_healthy\_threshold) | The number of successful health checks required before an unhealthy target becomes healthy. Minimum 2 and maximum 10 | `number` | `2` | no |
+| [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no |
 | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no |
 | [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no |
 | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no |
@@ -128,6 +129,7 @@ From cc_gwlb directory execute:
 | [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
 | [r53\_route\_table\_enabled](#input\_r53\_route\_table\_enabled) | For brownfield environments where VPC subnets already exist, set to false to not create a new route table to associate to ZPA/Route 53 reserved subnet(s). Default is true which means module will try to create new route tables | `bool` | `true` | no |
 | [rebalance\_enabled](#input\_rebalance\_enabled) | Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy. true means rebalance. false means no\_rebalance. Default: true | `bool` | `true` | no |
+| [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | `bool` | `false` | no |
 | [reuse\_iam](#input\_reuse\_iam) | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | `bool` | `false` | no |
 | [reuse\_security\_group](#input\_reuse\_security\_group) | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | `bool` | `false` | no |
 | [route53\_subnets](#input\_route53\_subnets) | Route 53 Outbound Endpoint Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
diff --git a/examples/cc_gwlb/main.tf b/examples/cc_gwlb/main.tf
index 02920af..fa6b549 100755
--- a/examples/cc_gwlb/main.tf
+++ b/examples/cc_gwlb/main.tf
@@ -116,24 +116,26 @@ data "aws_ami" "cloudconnector" { # Create specified number of CC appliances module "cc_vm" { - source = "../../modules/terraform-zscc-ccvm-aws" - cc_count = var.cc_count - ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - mgmt_subnet_id = module.network.cc_subnet_ids - service_subnet_id = module.network.cc_subnet_ids - instance_key = aws_key_pair.deployer.key_name - user_data = local.userdata - ccvm_instance_type = var.ccvm_instance_type - cc_instance_size = var.cc_instance_size - iam_instance_profile = module.cc_iam.iam_instance_profile_id - mgmt_security_group_id = module.cc_sg.mgmt_security_group_id - service_security_group_id = module.cc_sg.service_security_group_id - ebs_volume_type = var.ebs_volume_type - ebs_encryption_enabled = var.ebs_encryption_enabled - byo_kms_key_alias = var.byo_kms_key_alias + source = "../../modules/terraform-zscc-ccvm-aws" + cc_count = var.cc_count + ami_id = contains(var.ami_id, "") ? 
[data.aws_ami.cloudconnector.id] : var.ami_id + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + mgmt_subnet_id = module.network.cc_subnet_ids + service_subnet_id = module.network.cc_subnet_ids + instance_key = aws_key_pair.deployer.key_name + user_data = local.userdata + ccvm_instance_type = var.ccvm_instance_type + cc_instance_size = var.cc_instance_size + iam_instance_profile = module.cc_iam.iam_instance_profile_id + mgmt_security_group_id = module.cc_sg.mgmt_security_group_id + service_security_group_id = module.cc_sg.service_security_group_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias + hostname_type = var.hostname_type + resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled depends_on = [ null_resource.cc_error_checker diff --git a/examples/cc_gwlb/variables.tf b/examples/cc_gwlb/variables.tf index dec1f8b..7ff4477 100755 --- a/examples/cc_gwlb/variables.tf +++ b/examples/cc_gwlb/variables.tf @@ -298,6 +298,26 @@ variable "zssupport_server" { default = "199.168.148.101/32" #for commercial clouds } +variable "hostname_type" { + type = string + description = "Type of hostname for Amazon EC2 instances" + default = "resource-name" + + validation { + condition = ( + var.hostname_type == "resource-name" || + var.hostname_type == "ip-name" + ) + error_message = "Input hostname_type must be set to either resource-name or ip-name." + } +} + +variable "resource_name_dns_a_record_enabled" { + type = bool + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false" + default = false +} + # BYO (Bring-your-own) variables list diff --git a/examples/cc_gwlb_asg/README.md b/examples/cc_gwlb_asg/README.md index 832143f..b58c634 100644 --- a/examples/cc_gwlb_asg/README.md +++ b/examples/cc_gwlb_asg/README.md 
@@ -125,6 +125,7 @@ From cc_gwlb_asg directory execute:
 | [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | The health check grace period specifies the minimum amount of time (in seconds) to keep a new instance in service before terminating it if it's found to be unhealthy. | `number` | `900` | no |
 | [health\_check\_interval](#input\_health\_check\_interval) | Interval for GWLB target group health check probing, in seconds, of Cloud Connector targets. Minimum 5 and maximum 300 seconds | `number` | `10` | no |
 | [healthy\_threshold](#input\_healthy\_threshold) | The number of successful health checks required before an unhealthy target becomes healthy. Minimum 2 and maximum 10 | `number` | `2` | no |
+| [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no |
 | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no |
 | [instance\_warmup](#input\_instance\_warmup) | Amount of time, in seconds, until a newly launched instance can contribute to the Amazon CloudWatch metrics. This delay lets an instance finish initializing before Amazon EC2 Auto Scaling aggregates instance metrics, resulting in more reliable usage data. Set this value equal to the amount of time that it takes for resource consumption to become stable after an instance reaches the InService state | `number` | `0` | no |
 | [launch\_template\_version](#input\_launch\_template\_version) | Launch template version. Can be version number, `$Latest` or `$Default` | `string` | `"$Latest"` | no |
@@ -139,6 +140,7 @@ From cc_gwlb_asg directory execute:
 | [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
 | [r53\_route\_table\_enabled](#input\_r53\_route\_table\_enabled) | For brownfield environments where VPC subnets already exist, set to false to not create a new route table to associate to ZPA/Route 53 reserved subnet(s). Default is true which means module will try to create new route tables | `bool` | `true` | no |
 | [rebalance\_enabled](#input\_rebalance\_enabled) | Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy. true means rebalance. false means no\_rebalance. Default: true | `bool` | `true` | no |
+| [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | `bool` | `false` | no |
 | [reuse\_on\_scale\_in](#input\_reuse\_on\_scale\_in) | Specifies whether instances in the Auto Scaling group can be returned to the warm pool on scale in. Default recommendation is true | `bool` | `true` | no |
 | [route53\_subnets](#input\_route53\_subnets) | Route 53 Outbound Endpoint Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
 | [secret\_name](#input\_secret\_name) | AWS Secrets Manager Secret Name for Cloud Connector provisioning | `string` | n/a | yes |
diff --git a/examples/cc_gwlb_asg/main.tf b/examples/cc_gwlb_asg/main.tf
index a4c70e5..0908926 100755
--- a/examples/cc_gwlb_asg/main.tf
+++ b/examples/cc_gwlb_asg/main.tf
@@ -116,23 +116,25 @@ data "aws_ami" "cloudconnector" { # Create the specified CC VMs via Launch Template and Autoscaling Group module "cc_asg" { - source = "../../modules/terraform-zscc-asg-aws" - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - cc_subnet_ids = module.network.cc_subnet_ids - zonal_asg_enabled = var.zonal_asg_enabled - ccvm_instance_type = var.ccvm_instance_type - cc_instance_size = var.cc_instance_size - instance_key = aws_key_pair.deployer.key_name - user_data = local.userdata - iam_instance_profile = module.cc_iam.iam_instance_profile_id - mgmt_security_group_id = module.cc_sg.mgmt_security_group_id - service_security_group_id = module.cc_sg.service_security_group_id - ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id - ebs_volume_type = var.ebs_volume_type - ebs_encryption_enabled = var.ebs_encryption_enabled - byo_kms_key_alias = var.byo_kms_key_alias + source = "../../modules/terraform-zscc-asg-aws" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + cc_subnet_ids = module.network.cc_subnet_ids + zonal_asg_enabled = var.zonal_asg_enabled + ccvm_instance_type = var.ccvm_instance_type + cc_instance_size = var.cc_instance_size + instance_key = aws_key_pair.deployer.key_name + user_data = local.userdata + iam_instance_profile = module.cc_iam.iam_instance_profile_id + mgmt_security_group_id = module.cc_sg.mgmt_security_group_id + service_security_group_id = module.cc_sg.service_security_group_id + ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias + hostname_type = var.hostname_type + resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled max_size = var.max_size min_size = var.min_size 
diff --git a/examples/cc_gwlb_asg/variables.tf b/examples/cc_gwlb_asg/variables.tf index 3e106af..450767b 100755 --- a/examples/cc_gwlb_asg/variables.tf +++ b/examples/cc_gwlb_asg/variables.tf @@ -418,6 +418,27 @@ variable "zonal_asg_enabled" { default = false } +variable "hostname_type" { + type = string + description = "Type of hostname for Amazon EC2 instances" + default = "resource-name" + + validation { + condition = ( + var.hostname_type == "resource-name" || + var.hostname_type == "ip-name" + ) + error_message = "Input hostname_type must be set to either resource-name or ip-name." + } +} + +variable "resource_name_dns_a_record_enabled" { + type = bool + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false" + default = false +} + + # BYO (Bring-your-own) variables list variable "byo_vpc" { type = bool diff --git a/examples/cc_ha/README.md b/examples/cc_ha/README.md index 80200e7..8a30ced 100644 --- a/examples/cc_ha/README.md +++ b/examples/cc_ha/README.md 
@@ -116,12 +116,14 @@ From cc_ha directory execute: | [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no | | [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no | | [gwlb\_enabled](#input\_gwlb\_enabled) | Default is false. Workload/Route 53 subnet Route Tables will point to network\_interface\_id via var.cc\_service\_enis. If true, Route Tables will point to vpc\_endpoint\_id via var.gwlb\_endpoint\_ids input. | `bool` | `false` | no | +| [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no | | [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | | [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no | | [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [r53\_route\_table\_enabled](#input\_r53\_route\_table\_enabled) | For brownfield environments where VPC subnets already exist, set to false to not create a new route table to associate to ZPA/Route 53 reserved subnet(s). 
Default is true which means module will try to create new route tables | `bool` | `true` | no | +| [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | `bool` | `false` | no | | [reuse\_iam](#input\_reuse\_iam) | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | `bool` | `false` | no | | [reuse\_security\_group](#input\_reuse\_security\_group) | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | `bool` | `false` | no | | [route53\_subnets](#input\_route53\_subnets) | Route 53 Outbound Endpoint Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | diff --git a/examples/cc_ha/main.tf b/examples/cc_ha/main.tf index d9b4eeb..a1ab2e7 100755 --- a/examples/cc_ha/main.tf +++ b/examples/cc_ha/main.tf 
@@ -115,24 +115,26 @@ data "aws_ami" "cloudconnector" { # Create specified number of CC appliances module "cc_vm" { - source = "../../modules/terraform-zscc-ccvm-aws" - cc_count = var.cc_count - ami_id = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - mgmt_subnet_id = module.network.cc_subnet_ids - service_subnet_id = module.network.cc_subnet_ids - instance_key = aws_key_pair.deployer.key_name - user_data = local.userdata - ccvm_instance_type = var.ccvm_instance_type - cc_instance_size = var.cc_instance_size - iam_instance_profile = module.cc_iam.iam_instance_profile_id - mgmt_security_group_id = module.cc_sg.mgmt_security_group_id - service_security_group_id = module.cc_sg.service_security_group_id - ebs_volume_type = var.ebs_volume_type - ebs_encryption_enabled = var.ebs_encryption_enabled - byo_kms_key_alias = var.byo_kms_key_alias + source = "../../modules/terraform-zscc-ccvm-aws" + cc_count = var.cc_count + ami_id = contains(var.ami_id, "") ? 
[data.aws_ami.cloudconnector.id] : var.ami_id + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + mgmt_subnet_id = module.network.cc_subnet_ids + service_subnet_id = module.network.cc_subnet_ids + instance_key = aws_key_pair.deployer.key_name + user_data = local.userdata + ccvm_instance_type = var.ccvm_instance_type + cc_instance_size = var.cc_instance_size + iam_instance_profile = module.cc_iam.iam_instance_profile_id + mgmt_security_group_id = module.cc_sg.mgmt_security_group_id + service_security_group_id = module.cc_sg.service_security_group_id + ebs_volume_type = var.ebs_volume_type + ebs_encryption_enabled = var.ebs_encryption_enabled + byo_kms_key_alias = var.byo_kms_key_alias + hostname_type = var.hostname_type + resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled depends_on = [ null_resource.cc_error_checker diff --git a/examples/cc_ha/variables.tf b/examples/cc_ha/variables.tf index 63b373b..ae0d825 100755 --- a/examples/cc_ha/variables.tf +++ b/examples/cc_ha/variables.tf @@ -223,6 +223,25 @@ variable "cloud_tags_enabled" { default = false } +variable "hostname_type" { + type = string + description = "Type of hostname for Amazon EC2 instances" + default = "resource-name" + + validation { + condition = ( + var.hostname_type == "resource-name" || + var.hostname_type == "ip-name" + ) + error_message = "Input hostname_type must be set to either resource-name or ip-name." + } +} + +variable "resource_name_dns_a_record_enabled" { + type = bool + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false" + default = false +} # BYO (Bring-your-own) variables list diff --git a/modules/terraform-zscc-asg-aws/README.md b/modules/terraform-zscc-asg-aws/README.md index 84ff786..32c1a08 100644 --- a/modules/terraform-zscc-asg-aws/README.md +++ b/modules/terraform-zscc-asg-aws/README.md 
@@ -71,6 +71,7 @@ No modules. | [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no | | [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | The health check grace period specifies the minimum amount of time (in seconds) to keep a new instance in service before terminating it if it's found to be unhealthy. | `number` | `900` | no | | [health\_check\_type](#input\_health\_check\_type) | EC2 or ELB. Controls how health checking is done | `string` | `"EC2"` | no | +| [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no | | [iam\_instance\_profile](#input\_iam\_instance\_profile) | IAM instance profile ID assigned to Cloud Connector | `list(string)` | n/a | yes | | [imdsv2\_enabled](#input\_imdsv2\_enabled) | true/false whether to force IMDSv2 only for instance bring up. Default is true | `bool` | `true` | no | | [instance\_key](#input\_instance\_key) | SSH Key for instances | `string` | n/a | yes | 
@@ -83,6 +84,7 @@ No modules. | [min\_size](#input\_min\_size) | Mininum number of Cloud Connectors to maintain in Autoscaling group | `number` | `2` | no | | [name\_prefix](#input\_name\_prefix) | A prefix to associate to all the Cloud Connector module resources | `string` | `null` | no | | [protect\_from\_scale\_in](#input\_protect\_from\_scale\_in) | Whether newly launched instances are automatically protected from termination by Amazon EC2 Auto Scaling when scaling in. For more information about preventing instances from terminating on scale in, see Using instance scale-in protection in the Amazon EC2 Auto Scaling User Guide | `bool` | `false` | no | +| [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | `bool` | `false` | no | | [resource\_tag](#input\_resource\_tag) | A tag to associate to all the Cloud Connector module resources | `string` | `null` | no | | [reuse\_on\_scale\_in](#input\_reuse\_on\_scale\_in) | Specifies whether instances in the Auto Scaling group can be returned to the warm pool on scale in. | `bool` | `false` | no | | [service\_security\_group\_id](#input\_service\_security\_group\_id) | Cloud Connector EC2 Instance service security group id | `list(string)` | n/a | yes | diff --git a/modules/terraform-zscc-asg-aws/main.tf b/modules/terraform-zscc-asg-aws/main.tf index c963ae1..2c9a792 100755 --- a/modules/terraform-zscc-asg-aws/main.tf +++ b/modules/terraform-zscc-asg-aws/main.tf 
@@ -91,10 +91,19 @@ resource "aws_launch_template" "cc_launch_template" { } } + private_dns_name_options { + enable_resource_name_dns_a_record = var.resource_name_dns_a_record_enabled + hostname_type = var.hostname_type + } + tags = merge(var.global_tags) lifecycle { create_before_destroy = true + ignore_changes = [private_dns_name_options] + #While AWS supports changing hostname_type for deployed instances if stopped first, Cloud Connector does not. + #Whatever hostname_type value set at deployment will persist the lifetime of the EC2 + #If you do want to change this, you must destroy and redeploy the instance(s). } } diff --git a/modules/terraform-zscc-asg-aws/variables.tf b/modules/terraform-zscc-asg-aws/variables.tf index ce68834..87993b2 100644 --- a/modules/terraform-zscc-asg-aws/variables.tf +++ b/modules/terraform-zscc-asg-aws/variables.tf @@ -272,3 +272,23 @@ variable "zonal_asg_enabled" { description = "The number of Auto Scaling Groups to create. By default, Terraform will create a single Auto Scaling Group containing multiple subnets/availability zones. Set to true if you would rather create one Auto Scaling Group per subnet/availability zone (var.az_count)" default = false } + +variable "hostname_type" { + type = string + description = "Type of hostname for Amazon EC2 instances" + default = "resource-name" + + validation { + condition = ( + var.hostname_type == "resource-name" || + var.hostname_type == "ip-name" + ) + error_message = "Input hostname_type must be set to either resource-name or ip-name." + } +} + +variable "resource_name_dns_a_record_enabled" { + type = bool + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false" + default = false +} diff --git a/modules/terraform-zscc-ccvm-aws/README.md b/modules/terraform-zscc-ccvm-aws/README.md index 28b5af3..b6e4315 100644 --- a/modules/terraform-zscc-ccvm-aws/README.md +++ b/modules/terraform-zscc-ccvm-aws/README.md 
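Review bot: The `ignore_changes = [private_dns_name_options]` added to the launch template's lifecycle block silently turns a later change of `var.hostname_type` or `var.resource_name_dns_a_record_enabled` into a no-op with no plan diff, and the justification in the hunk's comment ("Cloud Connector does not [support changing hostname_type]" on a deployed EC2) does not obviously apply here: a launch template is not an instance, and a new template version would only affect instances the ASG launches afterwards. If the intent is to avoid mixed hostname types across instances of one ASG, the comment should say that, e.g. `# Frozen deliberately: a new template version would give later ASG launches a different hostname_type than the running instances`; otherwise consider dropping the ignore on the template and keeping it only on aws_instance. As a style nit, the three `#While`/`#Whatever`/`#If` comments lack the space after `#` used elsewhere in the module. The enclosing `aws_launch_template` resource starts outside the hunk.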
@@ -62,12 +62,14 @@ No modules. | [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no | | [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no | | [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no | +| [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no | | [iam\_instance\_profile](#input\_iam\_instance\_profile) | IAM instance profile ID assigned to Cloud Connector | `list(string)` | n/a | yes | | [imdsv2\_enabled](#input\_imdsv2\_enabled) | true/false whether to force IMDSv2 only for instance bring up. Default is true | `bool` | `true` | no | | [instance\_key](#input\_instance\_key) | SSH Key for instances | `string` | n/a | yes | | [mgmt\_security\_group\_id](#input\_mgmt\_security\_group\_id) | Cloud Connector EC2 Instance management security group id | `list(string)` | n/a | yes | | [mgmt\_subnet\_id](#input\_mgmt\_subnet\_id) | Cloud Connector EC2 Instance management subnet id | `list(string)` | n/a | yes | | [name\_prefix](#input\_name\_prefix) | A prefix to associate to all the Cloud Connector module resources | `string` | `null` | no | +| [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. 
Default is false | `bool` | `false` | no | | [resource\_tag](#input\_resource\_tag) | A tag to associate to all the Cloud Connector module resources | `string` | `null` | no | | [service\_security\_group\_id](#input\_service\_security\_group\_id) | Cloud Connector EC2 Instance service security group id | `list(string)` | n/a | yes | | [service\_subnet\_id](#input\_service\_subnet\_id) | Cloud Connector EC2 Instance service subnet id | `list(string)` | n/a | yes | diff --git a/modules/terraform-zscc-ccvm-aws/main.tf b/modules/terraform-zscc-ccvm-aws/main.tf index 1393b44..1db1073 100755 --- a/modules/terraform-zscc-ccvm-aws/main.tf +++ b/modules/terraform-zscc-ccvm-aws/main.tf @@ -59,9 +59,21 @@ resource "aws_instance" "cc_vm" { ) } + private_dns_name_options { + enable_resource_name_dns_a_record = var.resource_name_dns_a_record_enabled + hostname_type = var.hostname_type + } + tags = merge(var.global_tags, { Name = "${var.name_prefix}-cc-vm-${count.index + 1}-${var.resource_tag}" } ) + + lifecycle { + ignore_changes = [private_dns_name_options] + #While AWS supports changing hostname_type for deployed instances if stopped first, Cloud Connector does not. + #Whatever hostname_type value set at deployment will persist the lifetime of the EC2 + #If you do want to change this, you must destroy and redeploy the instance(s). + } } diff --git a/modules/terraform-zscc-ccvm-aws/variables.tf b/modules/terraform-zscc-ccvm-aws/variables.tf index 6e11324..cb6e1de 100755 --- a/modules/terraform-zscc-ccvm-aws/variables.tf +++ b/modules/terraform-zscc-ccvm-aws/variables.tf 
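Review bot: `ignore_changes = [private_dns_name_options]` on `aws_instance.cc_vm` ignores the entire block, so a later change to `var.resource_name_dns_a_record_enabled` is also discarded without any plan output, while the comment only justifies freezing `hostname_type`. If the provider exposes the block as a single-element list (which I believe it does), narrowing it to `ignore_changes = [private_dns_name_options[0].hostname_type]` keeps the A-record flag manageable by Terraform and still prevents the unsupported in-place hostname change; if that is not the intent, the comment should state that the A-record flag is frozen as well. Same `#`-without-space style nit as the launch-template hunk. The enclosing `resource "aws_instance" "cc_vm"` block starts outside the hunk.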
@@ -139,3 +139,23 @@ variable "byo_kms_key_alias" { description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key" default = null } + +variable "hostname_type" { + type = string + description = "Type of hostname for Amazon EC2 instances" + default = "resource-name" + + validation { + condition = ( + var.hostname_type == "resource-name" || + var.hostname_type == "ip-name" + ) + error_message = "Input hostname_type must be set to either resource-name or ip-name." + } +} + +variable "resource_name_dns_a_record_enabled" { + type = bool + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false" + default = false +} diff --git a/modules/terraform-zscc-network-aws/README.md b/modules/terraform-zscc-network-aws/README.md index 14bc3fd..915623c 100644 --- a/modules/terraform-zscc-network-aws/README.md +++ b/modules/terraform-zscc-network-aws/README.md @@ -68,9 +68,11 @@ No modules. | [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no | | [gwlb\_enabled](#input\_gwlb\_enabled) | Default is false. Workload/Route 53 subnet Route Tables will point to network\_interface\_id via var.cc\_service\_enis. If true, Route Tables will point to vpc\_endpoint\_id via var.gwlb\_endpoint\_ids input. | `bool` | `false` | no | | [gwlb\_endpoint\_ids](#input\_gwlb\_endpoint\_ids) | List of GWLB Endpoint IDs for use in private workload and/or Route 53 subnet route tables with GWLB deployments. Utilized if var.gwlb\_enabled is set to true | `list(string)` |
[
""
]
| no | +| [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no | | [name\_prefix](#input\_name\_prefix) | A prefix to associate to all the network module resources | `string` | `null` | no | | [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [r53\_route\_table\_enabled](#input\_r53\_route\_table\_enabled) | For brownfield environments where VPC subnets already exist, set to false to not create a new route table to associate to ZPA/Route 53 reserved subnet(s). Default is true which means module will try to create new route tables | `bool` | `true` | no | +| [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | `bool` | `false` | no | | [resource\_tag](#input\_resource\_tag) | A tag to associate to all the network module resources | `string` | `null` | no | | [route53\_subnets](#input\_route53\_subnets) | Route 53 Outbound Endpoint Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [vpc\_cidr](#input\_vpc\_cidr) | VPC IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VPC smaller than /16, you may need to explicitly define all other subnets via public\_subnets, workload\_subnets, cc\_subnets, and route53\_subnets variables | `string` | `"10.1.0.0/16"` | no | diff --git a/modules/terraform-zscc-network-aws/main.tf b/modules/terraform-zscc-network-aws/main.tf index 8070e72..edfd6a6 100755 --- a/modules/terraform-zscc-network-aws/main.tf 
+++ b/modules/terraform-zscc-network-aws/main.tf @@ -169,9 +169,11 @@ resource "aws_route_table_association" "workload_rt_association" { resource "aws_subnet" "cc_subnet" { count = var.byo_subnets == false ? var.az_count : 0 - availability_zone = data.aws_availability_zones.available.names[count.index] - cidr_block = var.cc_subnets != null ? element(var.cc_subnets, count.index) : cidrsubnet(try(data.aws_vpc.vpc_selected[0].cidr_block, aws_vpc.vpc[0].cidr_block), 8, count.index + 200) - vpc_id = try(data.aws_vpc.vpc_selected[0].id, aws_vpc.vpc[0].id) + availability_zone = data.aws_availability_zones.available.names[count.index] + cidr_block = var.cc_subnets != null ? element(var.cc_subnets, count.index) : cidrsubnet(try(data.aws_vpc.vpc_selected[0].cidr_block, aws_vpc.vpc[0].cidr_block), 8, count.index + 200) + vpc_id = try(data.aws_vpc.vpc_selected[0].id, aws_vpc.vpc[0].id) + enable_resource_name_dns_a_record_on_launch = var.resource_name_dns_a_record_enabled + private_dns_hostname_type_on_launch = var.hostname_type tags = merge(var.global_tags, { Name = "${var.name_prefix}-cc-subnet-${count.index + 1}-${var.resource_tag}" } diff --git a/modules/terraform-zscc-network-aws/variables.tf b/modules/terraform-zscc-network-aws/variables.tf index ea553f8..d0ecec2 100755 --- a/modules/terraform-zscc-network-aws/variables.tf +++ b/modules/terraform-zscc-network-aws/variables.tf 
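Review bot: `private_dns_hostname_type_on_launch` and `enable_resource_name_dns_a_record_on_launch` on `aws_subnet.cc_subnet` are the only place in this change where `var.hostname_type` is not wrapped in `ignore_changes`, so after first apply a changed variable updates the subnet launch default in place while the CC instances and launch templates keep the value they were deployed with. That is probably acceptable because both the ccvm and asg modules set `private_dns_name_options` explicitly, meaning the subnet default only reaches other resources launched into these subnets, but it deserves a comment such as `# Subnet launch defaults only; CC instances set private_dns_name_options explicitly and ignore later changes`. Note also that with `var.byo_subnets = true` the count is 0 and these two lines have no effect, which matches the "greenfield" wording elsewhere.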
@@ -94,6 +94,27 @@ variable "base_only" { description = "Default is falase. Only applicable for base deployment type resulting in workload and bastion hosts, but no Cloud Connector resources. Setting this to true will point workload route able to nat_gateway_id" } +variable "hostname_type" { + type = string + description = "Type of hostname for Amazon EC2 instances" + default = "resource-name" + + validation { + condition = ( + var.hostname_type == "resource-name" || + var.hostname_type == "ip-name" + ) + error_message = "Input hostname_type must be set to either resource-name or ip-name." + } +} + +variable "resource_name_dns_a_record_enabled" { + type = bool + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false" + default = false +} + + # BYO (Bring-your-own) variables list variable "byo_vpc" {
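Review bot: In the network module the `hostname_type` description ("Type of hostname for Amazon EC2 instances") is copied from the instance modules and does not describe what this module does with it, which is to set the subnet-level launch default on the greenfield `cc_subnet` resources and nothing when `var.byo_subnets` is true. Suggest `description = "Default hostname type (resource-name or ip-name) set on module-created Cloud Connector subnets via private_dns_hostname_type_on_launch. Ignored when byo_subnets is true. Default is resource-name"` and, for the second variable, `description = "Default enable_resource_name_dns_a_record_on_launch for module-created Cloud Connector subnets. Ignored when byo_subnets is true. Default is false"`. The validation could likewise use `contains(["resource-name", "ip-name"], var.hostname_type)` as a single expression.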