-
Notifications
You must be signed in to change notification settings - Fork 5
/
variables.tf
executable file
·251 lines (215 loc) · 8.73 KB
/
variables.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
variable "env_subscription_id" {
type = string
description = "Azure Subscription ID where resources are to be deployed in"
sensitive = true
}
variable "arm_location" {
type = string
description = "The Azure Region where resources are to be deployed"
default = "westus2"
}
variable "name_prefix" {
type = string
description = "The name prefix for all your resources"
default = "zscc"
validation {
condition = length(var.name_prefix) <= 12
error_message = "Variable name_prefix must be 12 or less characters."
}
}
variable "network_address_space" {
type = string
description = "VNet IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VNet smaller than /16, you may need to explicitly define all other subnets via public_subnets, workload_subnets, cc_subnets, and route53_subnets variables"
default = "10.1.0.0/16"
}
variable "cc_subnets" {
type = list(string)
description = "Cloud Connector Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network_address_space variable."
default = null
}
variable "workloads_subnets" {
type = list(string)
description = "Workload Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network_address_space variable."
default = null
}
variable "public_subnets" {
type = list(string)
description = "Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network_address_space variable."
default = null
}
variable "private_dns_subnet" {
type = string
description = "Private DNS Resolver Outbound Endpoint Subnet to create in VNet. This is only required if you want to override the default subnet that this code creates via network_address_space variable."
default = null
}
variable "environment" {
type = string
description = "Customer defined environment tag. ie: Dev, QA, Prod, etc."
default = "Development"
}
variable "owner_tag" {
type = string
description = "Customer defined owner tag value. ie: Org, Dept, username, etc."
default = "zscc-admin"
}
variable "tls_key_algorithm" {
type = string
description = "algorithm for tls_private_key resource"
default = "RSA"
}
variable "managed_identity_subscription_id" {
type = string
description = "Azure Subscription ID where the User Managed Identity resource exists. Only required if this Subscription ID is different than env_subscription_id"
default = null
sensitive = true
}
variable "cc_vm_managed_identity_name" {
type = string
description = "Azure Managed Identity name to attach to the CC VM. E.g zspreview-66117-mi"
}
variable "cc_vm_managed_identity_rg" {
type = string
description = "Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. edgeconnector_rg_1"
}
variable "cc_vm_prov_url" {
type = string
description = "Zscaler Cloud Connector Provisioning URL"
}
variable "azure_vault_url" {
type = string
description = "Azure Vault URL"
}
variable "ccvm_instance_type" {
type = string
description = "Cloud Connector Image size"
default = "Standard_D2s_v3"
validation {
condition = (
var.ccvm_instance_type == "Standard_D2s_v3" ||
var.ccvm_instance_type == "Standard_DS2_v2" ||
var.ccvm_instance_type == "Standard_DS3_v2"
)
error_message = "Input ccvm_instance_type must be set to an approved vm size."
}
}
variable "ccvm_image_publisher" {
type = string
description = "Azure Marketplace Cloud Connector Image Publisher"
default = "zscaler1579058425289"
}
variable "ccvm_image_offer" {
type = string
description = "Azure Marketplace Cloud Connector Image Offer"
default = "zia_cloud_connector"
}
variable "ccvm_image_sku" {
type = string
description = "Azure Marketplace Cloud Connector Image SKU"
default = "zs_ser_gen1_cc_01"
}
variable "ccvm_image_version" {
type = string
description = "Azure Marketplace Cloud Connector Image Version"
default = "latest"
}
variable "ccvm_source_image_id" {
type = string
description = "Custom Cloud Connector Source Image ID. Set this value to the path of a local subscription Microsoft.Compute image to override the Cloud Connector deployment instead of using the marketplace publisher"
default = null
}
variable "http_probe_port" {
type = number
description = "Port number for Cloud Connector cloud init to enable listener port for HTTP probe from Azure LB"
default = 50000
validation {
condition = (
tonumber(var.http_probe_port) == 80 ||
(tonumber(var.http_probe_port) >= 1024 && tonumber(var.http_probe_port) <= 65535)
)
error_message = "Input http_probe_port must be set to a single value of 80 or any number between 1024-65535."
}
}
variable "workload_count" {
type = number
description = "The number of Workload VMs to deploy"
default = 1
validation {
condition = var.workload_count >= 1 && var.workload_count <= 250
error_message = "Input workload_count must be a whole number between 1 and 250."
}
}
variable "cc_count" {
type = number
description = "The number of Cloud Connectors to deploy. Validation assumes max for /24 subnet but could be smaller or larger as long as subnet can accommodate"
default = 1
validation {
condition = var.cc_count >= 1 && var.cc_count <= 250
error_message = "Input cc_count must be a whole number between 1 and 250."
}
}
variable "zones_enabled" {
type = bool
description = "Determine whether to provision Cloud Connector VMs explicitly in defined zones (if supported by the Azure region provided in the location variable). If left false, Azure will automatically choose a zone and module will create an availability set resource instead for VM fault tolerance"
default = false
}
variable "zones" {
type = list(string)
description = "Specify which availability zone(s) to deploy VM resources in if zones_enabled variable is set to true"
default = ["1"]
validation {
condition = (
!contains([for zones in var.zones : contains(["1", "2", "3"], zones)], false)
)
error_message = "Input zones variable must be a number 1-3."
}
}
variable "reuse_nsg" {
type = bool
description = "Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances"
default = "false"
}
variable "accelerated_networking_enabled" {
type = bool
description = "Enable/Disable accelerated networking support on all Cloud Connector service interfaces"
default = true
}
variable "bastion_nsg_source_prefix" {
type = string
description = "user input for locking down SSH access to bastion to a specific IP or CIDR range"
default = "*"
}
variable "lb_enabled" {
type = bool
description = "Default true. Only relevant for 'base' deployments. Configure Workload Route Table to default route next hop to the CC Load Balancer IP passed from var.lb_frontend_ip. If false, default route next hop directly to the CC Service IP passed from var.cc_service_ip"
default = false
}
variable "encryption_at_host_enabled" {
type = bool
description = "User input for enabling or disabling host encryption"
default = true
}
variable "support_access_enabled" {
type = bool
description = "If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true"
default = true
}
variable "zssupport_server" {
type = string
description = "destination IP address of Zscaler Support access server. IP resolution of remotesupport.<zscaler_customer_cloud>.net"
default = "199.168.148.101" #for commercial clouds
}
# Azure Private DNS specific variables
variable "zpa_enabled" {
type = bool
description = "Configure Azure Private DNS Outbound subnet, Resolvers, Rulesets/Rules, and Outbound Endpoint ZPA DNS redirection"
default = true
}
variable "domain_names" {
type = map(any)
description = "Domain names fqdn/wildcard to have Azure Private DNS redirect DNS requests to Cloud Connector"
}
variable "target_address" {
type = list(string)
description = "Azure DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses"
default = ["185.46.212.88", "185.46.212.89"]
}