zscaler · jmolnar-zscaler · Nov 13, 2024 · Oct 30, 2024 · Oct 30, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,8 +3,16 @@ ENHANCEMENTS:
 * Module Changes:
     - terraform-zscc-ccvm-aws:
         - add variable additional_management_security_group_ids
+        - add variables hostname_type and resource_name_dns_a_record_enabled
+        - change default private_dns_name_options hostname_type to AWS recommended resource-name from ip-name
+        - lifecycle ignore private_dns_name_options on aws_instance resource
+            - **While AWS supports changing hostname_type for deployed instances if stopped first, Cloud Connector does not. This change will only apply to newly deployed EC2 instances**
     - terraform-zscc-asg-aws:
         - add variable additional_management_security_group_ids
+        - add variables hostname_type and resource_name_dns_a_record_enabled
+        - change default private_dns_name_options hostname_type to AWS recommended resource-name from ip-name
+        - lifecycle ignore private_dns_name_options on aws_launch_template resource
+            - **While AWS supports changing hostname_type for deployed instances if stopped first, Cloud Connector does not. This change will only apply to newly deployed EC2 instances**
     - terraform-zscc-sg-aws:
         - add resource aws_security_group.outbound_endpoint_sg
         - add variables byo_route53_resolver_outbound_endpoint_group_id and zpa_enabled
@@ -16,7 +24,10 @@ ENHANCEMENTS:
     - terraform-zscc-network-aws:
         - add variables byo_r53_subnet_ids and r53_route_table_enabled option for custom zpa deployments with existing Route53 subnets and/or Route Tables
         - change aws_subnet.route53_subnet resource count from hard coded "2" to the value of var.az_count or minimum 2 (whichever is greater) for more consistent private subnet creations
+        - add variables hostname_type and resource_name_dns_a_record_enabled
+        - change default private_dns_hostname_type_on_launch to AWS recommended resource-name from ip-name for greenfield CC Subnet creations
 * refactor: add zsec prompts brownfield zpa network options
+
 
 ## 1.3.3 (August 30, 2024)
 ENHANCEMENTS:

diff --git a/examples/base_1cc/README.md b/examples/base_1cc/README.md
@@ -98,11 +98,13 @@ From base_1cc directory execute:
 | <a name="input_cloud_tags_enabled"></a> [cloud\_tags\_enabled](#input\_cloud\_tags\_enabled) | Determines whether or not to create the cc\_tags\_policy IAM Policy and attach it to the CC IAM Role | `bool` | `false` | no |
 | <a name="input_ebs_encryption_enabled"></a> [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no |
 | <a name="input_ebs_volume_type"></a> [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no |
+| <a name="input_hostname_type"></a> [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no |
 | <a name="input_http_probe_port"></a> [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no |
 | <a name="input_mgmt_ssh_enabled"></a> [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no |
 | <a name="input_owner_tag"></a> [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no |
 | <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
+| <a name="input_resource_name_dns_a_record_enabled"></a> [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | `bool` | `false` | no |
 | <a name="input_reuse_iam"></a> [reuse\_iam](#input\_reuse\_iam) | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | `bool` | `false` | no |
 | <a name="input_reuse_security_group"></a> [reuse\_security\_group](#input\_reuse\_security\_group) | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | `bool` | `false` | no |
 | <a name="input_secret_name"></a> [secret\_name](#input\_secret\_name) | AWS Secrets Manager Secret Name for Cloud Connector provisioning | `string` | n/a | yes |

diff --git a/examples/base_1cc/main.tf b/examples/base_1cc/main.tf
@@ -131,24 +131,26 @@ data "aws_ami" "cloudconnector" {
 
 # Create specified number of CC appliances
 module "cc_vm" {
-  source                    = "../../modules/terraform-zscc-ccvm-aws"
-  cc_count                  = var.cc_count
-  ami_id                    = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id
-  name_prefix               = var.name_prefix
-  resource_tag              = random_string.suffix.result
-  global_tags               = local.global_tags
-  mgmt_subnet_id            = module.network.cc_subnet_ids
-  service_subnet_id         = module.network.cc_subnet_ids
-  instance_key              = aws_key_pair.deployer.key_name
-  user_data                 = local.userdata
-  ccvm_instance_type        = var.ccvm_instance_type
-  cc_instance_size          = var.cc_instance_size
-  iam_instance_profile      = module.cc_iam.iam_instance_profile_id
-  mgmt_security_group_id    = module.cc_sg.mgmt_security_group_id
-  service_security_group_id = module.cc_sg.service_security_group_id
-  ebs_volume_type           = var.ebs_volume_type
-  ebs_encryption_enabled    = var.ebs_encryption_enabled
-  byo_kms_key_alias         = var.byo_kms_key_alias
+  source                             = "../../modules/terraform-zscc-ccvm-aws"
+  cc_count                           = var.cc_count
+  ami_id                             = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id
+  name_prefix                        = var.name_prefix
+  resource_tag                       = random_string.suffix.result
+  global_tags                        = local.global_tags
+  mgmt_subnet_id                     = module.network.cc_subnet_ids
+  service_subnet_id                  = module.network.cc_subnet_ids
+  instance_key                       = aws_key_pair.deployer.key_name
+  user_data                          = local.userdata
+  ccvm_instance_type                 = var.ccvm_instance_type
+  cc_instance_size                   = var.cc_instance_size
+  iam_instance_profile               = module.cc_iam.iam_instance_profile_id
+  mgmt_security_group_id             = module.cc_sg.mgmt_security_group_id
+  service_security_group_id          = module.cc_sg.service_security_group_id
+  ebs_volume_type                    = var.ebs_volume_type
+  ebs_encryption_enabled             = var.ebs_encryption_enabled
+  byo_kms_key_alias                  = var.byo_kms_key_alias
+  hostname_type                      = var.hostname_type
+  resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled
 
 
   depends_on = [

diff --git a/examples/base_1cc/variables.tf b/examples/base_1cc/variables.tf
@@ -216,3 +216,23 @@ variable "zssupport_server" {
   description = "destination IP address of Zscaler Support access server. IP resolution of remotesupport.<zscaler_customer_cloud>.net"
   default     = "199.168.148.101/32" #for commercial clouds
 }
+
+variable "hostname_type" {
+  type        = string
+  description = "Type of hostname for Amazon EC2 instances"
+  default     = "resource-name"
+
+  validation {
+    condition = (
+      var.hostname_type == "resource-name" ||
+      var.hostname_type == "ip-name"
+    )
+    error_message = "Input hostname_type must be set to either resource-name or ip-name."
+  }
+}
+
+variable "resource_name_dns_a_record_enabled" {
+  type        = bool
+  description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false"
+  default     = false
+}
diff --git a/examples/base_1cc_zpa/README.md b/examples/base_1cc_zpa/README.md
@@ -100,11 +100,13 @@ From base_1cc_zpa directory execute:
 | <a name="input_domain_names"></a> [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables | `map(any)` | n/a | yes |
 | <a name="input_ebs_encryption_enabled"></a> [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no |
 | <a name="input_ebs_volume_type"></a> [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no |
+| <a name="input_hostname_type"></a> [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no |
 | <a name="input_http_probe_port"></a> [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no |
 | <a name="input_mgmt_ssh_enabled"></a> [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no |
 | <a name="input_owner_tag"></a> [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no |
 | <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
+| <a name="input_resource_name_dns_a_record_enabled"></a> [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | `bool` | `false` | no |
 | <a name="input_reuse_iam"></a> [reuse\_iam](#input\_reuse\_iam) | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | `bool` | `false` | no |
 | <a name="input_reuse_security_group"></a> [reuse\_security\_group](#input\_reuse\_security\_group) | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | `bool` | `false` | no |
 | <a name="input_route53_subnets"></a> [route53\_subnets](#input\_route53\_subnets) | Route 53 Outbound Endpoint Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |

diff --git a/examples/base_1cc_zpa/main.tf b/examples/base_1cc_zpa/main.tf
@@ -133,24 +133,26 @@ data "aws_ami" "cloudconnector" {
 
 # Create specified number of CC appliances
 module "cc_vm" {
-  source                    = "../../modules/terraform-zscc-ccvm-aws"
-  cc_count                  = var.cc_count
-  ami_id                    = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id
-  name_prefix               = var.name_prefix
-  resource_tag              = random_string.suffix.result
-  global_tags               = local.global_tags
-  mgmt_subnet_id            = module.network.cc_subnet_ids
-  service_subnet_id         = module.network.cc_subnet_ids
-  instance_key              = aws_key_pair.deployer.key_name
-  user_data                 = local.userdata
-  ccvm_instance_type        = var.ccvm_instance_type
-  cc_instance_size          = var.cc_instance_size
-  iam_instance_profile      = module.cc_iam.iam_instance_profile_id
-  mgmt_security_group_id    = module.cc_sg.mgmt_security_group_id
-  service_security_group_id = module.cc_sg.service_security_group_id
-  ebs_volume_type           = var.ebs_volume_type
-  ebs_encryption_enabled    = var.ebs_encryption_enabled
-  byo_kms_key_alias         = var.byo_kms_key_alias
+  source                             = "../../modules/terraform-zscc-ccvm-aws"
+  cc_count                           = var.cc_count
+  ami_id                             = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id
+  name_prefix                        = var.name_prefix
+  resource_tag                       = random_string.suffix.result
+  global_tags                        = local.global_tags
+  mgmt_subnet_id                     = module.network.cc_subnet_ids
+  service_subnet_id                  = module.network.cc_subnet_ids
+  instance_key                       = aws_key_pair.deployer.key_name
+  user_data                          = local.userdata
+  ccvm_instance_type                 = var.ccvm_instance_type
+  cc_instance_size                   = var.cc_instance_size
+  iam_instance_profile               = module.cc_iam.iam_instance_profile_id
+  mgmt_security_group_id             = module.cc_sg.mgmt_security_group_id
+  service_security_group_id          = module.cc_sg.service_security_group_id
+  ebs_volume_type                    = var.ebs_volume_type
+  ebs_encryption_enabled             = var.ebs_encryption_enabled
+  byo_kms_key_alias                  = var.byo_kms_key_alias
+  hostname_type                      = var.hostname_type
+  resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled
 
   depends_on = [
     null_resource.cc_error_checker

diff --git a/examples/base_1cc_zpa/variables.tf b/examples/base_1cc_zpa/variables.tf
@@ -239,3 +239,23 @@ variable "zssupport_server" {
   description = "destination IP address of Zscaler Support access server. IP resolution of remotesupport.<zscaler_customer_cloud>.net"
   default     = "199.168.148.101/32" #for commercial clouds
 }
+
+variable "hostname_type" {
+  type        = string
+  description = "Type of hostname for Amazon EC2 instances"
+  default     = "resource-name"
+
+  validation {
+    condition = (
+      var.hostname_type == "resource-name" ||
+      var.hostname_type == "ip-name"
+    )
+    error_message = "Input hostname_type must be set to either resource-name or ip-name."
+  }
+}
+
+variable "resource_name_dns_a_record_enabled" {
+  type        = bool
+  description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false"
+  default     = false
+}
diff --git a/examples/base_2cc/README.md b/examples/base_2cc/README.md
@@ -101,11 +101,13 @@ From base_2cc directory execute:
 | <a name="input_cloud_tags_enabled"></a> [cloud\_tags\_enabled](#input\_cloud\_tags\_enabled) | Determines whether or not to create the cc\_tags\_policy IAM Policy and attach it to the CC IAM Role | `bool` | `false` | no |
 | <a name="input_ebs_encryption_enabled"></a> [ebs\_encryption\_enabled](#input\_ebs\_encryption\_enabled) | true/false whether to enable EBS encryption on the root volume. Default is true | `bool` | `true` | no |
 | <a name="input_ebs_volume_type"></a> [ebs\_volume\_type](#input\_ebs\_volume\_type) | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | `string` | `"gp3"` | no |
+| <a name="input_hostname_type"></a> [hostname\_type](#input\_hostname\_type) | Type of hostname for Amazon EC2 instances | `string` | `"resource-name"` | no |
 | <a name="input_http_probe_port"></a> [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no |
 | <a name="input_mgmt_ssh_enabled"></a> [mgmt\_ssh\_enabled](#input\_mgmt\_ssh\_enabled) | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | `bool` | `true` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no |
 | <a name="input_owner_tag"></a> [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no |
 | <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
+| <a name="input_resource_name_dns_a_record_enabled"></a> [resource\_name\_dns\_a\_record\_enabled](#input\_resource\_name\_dns\_a\_record\_enabled) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | `bool` | `false` | no |
 | <a name="input_reuse_iam"></a> [reuse\_iam](#input\_reuse\_iam) | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | `bool` | `false` | no |
 | <a name="input_reuse_security_group"></a> [reuse\_security\_group](#input\_reuse\_security\_group) | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | `bool` | `false` | no |
 | <a name="input_secret_name"></a> [secret\_name](#input\_secret\_name) | AWS Secrets Manager Secret Name for Cloud Connector provisioning | `string` | n/a | yes |

diff --git a/examples/base_2cc/main.tf b/examples/base_2cc/main.tf
@@ -131,24 +131,26 @@ data "aws_ami" "cloudconnector" {
 
 # Create specified number of CC appliances
 module "cc_vm" {
-  source                    = "../../modules/terraform-zscc-ccvm-aws"
-  cc_count                  = var.cc_count
-  ami_id                    = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id
-  name_prefix               = var.name_prefix
-  resource_tag              = random_string.suffix.result
-  global_tags               = local.global_tags
-  mgmt_subnet_id            = module.network.cc_subnet_ids
-  service_subnet_id         = module.network.cc_subnet_ids
-  instance_key              = aws_key_pair.deployer.key_name
-  user_data                 = local.userdata
-  ccvm_instance_type        = var.ccvm_instance_type
-  cc_instance_size          = var.cc_instance_size
-  iam_instance_profile      = module.cc_iam.iam_instance_profile_id
-  mgmt_security_group_id    = module.cc_sg.mgmt_security_group_id
-  service_security_group_id = module.cc_sg.service_security_group_id
-  ebs_volume_type           = var.ebs_volume_type
-  ebs_encryption_enabled    = var.ebs_encryption_enabled
-  byo_kms_key_alias         = var.byo_kms_key_alias
+  source                             = "../../modules/terraform-zscc-ccvm-aws"
+  cc_count                           = var.cc_count
+  ami_id                             = contains(var.ami_id, "") ? [data.aws_ami.cloudconnector.id] : var.ami_id
+  name_prefix                        = var.name_prefix
+  resource_tag                       = random_string.suffix.result
+  global_tags                        = local.global_tags
+  mgmt_subnet_id                     = module.network.cc_subnet_ids
+  service_subnet_id                  = module.network.cc_subnet_ids
+  instance_key                       = aws_key_pair.deployer.key_name
+  user_data                          = local.userdata
+  ccvm_instance_type                 = var.ccvm_instance_type
+  cc_instance_size                   = var.cc_instance_size
+  iam_instance_profile               = module.cc_iam.iam_instance_profile_id
+  mgmt_security_group_id             = module.cc_sg.mgmt_security_group_id
+  service_security_group_id          = module.cc_sg.service_security_group_id
+  ebs_volume_type                    = var.ebs_volume_type
+  ebs_encryption_enabled             = var.ebs_encryption_enabled
+  byo_kms_key_alias                  = var.byo_kms_key_alias
+  hostname_type                      = var.hostname_type
+  resource_name_dns_a_record_enabled = var.resource_name_dns_a_record_enabled
 
   depends_on = [
     null_resource.cc_error_checker